Windows DFIR Checks

Malware Activity

Check disabled task manager (often from malware)

1
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr
Copied!

Mimikatz/Credential Extraction Detection

The below represent registry keys which make it more difficult for Mimikatz to work. Modification of these keys may indicate an attacker trying to execute Mimikatz within an environment if they were set to their more secure state. Always test prior to changing registry keys such as these in a production environment to ensure nothing breaks.
1
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
2
- “UseLogonCredential” should be 0 to prevent the password in LSASS/WDigest
3
HKLM\SYSTEM\CurrentControlSet\Control\Lsa
4
- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection which prevents non-protected processes from interacting with LSASS.
5
- Mimikatz can remove these flags using a custom driver called mimidriver.
6
- This uses the command **!+** and then **!processprotect /remove /process:lsass.exe** by default so tampering of this registry key can be indicative of Mimikatz activity.
Copied!
The Mimikatz Yara rule may also prove useful.
Some techniques may involve loading lsasrv.dll or wdigest.dll to extract credentials and may be caught if this is loaded legitimately using:
1
tasklist /m wdigest.dll
2
tasklist /m lsasrv.dll
Copied!
You may be able to detect changes to the below registry keys which can be used to load an arbitrary DLL and extract credentials, more information from Adam Chester
1
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS /v LsaDbExtPt
2
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt
Copied!
An adversary may also tamper with the number of cached logons a system holds (default of 10).
1
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount
Copied!

NetNTLM Downgrade Attack Detection

1
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel
2
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictSendingNTLMTraffic
3
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NTLMMinClientSec
Copied!

Putty Detection

1
reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s
Copied!

Locate Possible Trickbot

1
gci -path C:\Users\*\AppData\Roaming\*\Data -recurse -force -ea SilentlyContinue
2
gci -path C:\Users\*\AppData\Roaming\*\Modules -recurse -force -ea SilentlyContinue
3
gci -path C:\Users\*\AppData\Local\*\Data -recurse -force -ea SilentlyContinue
4
gci -path C:\Users\*\AppData\Local\*\Modules -recurse -force -ea SilentlyContinue
5
gci -path C:\Users\*\AppData\Roaming\*\*\Data -recurse -force -ea SilentlyContinue
6
gci -path C:\Users\*\AppData\Roaming\*\*\Modules -recurse -force -ea SilentlyContinue
7
gci -path C:\Users\*\AppData\Local\*\*\Data -recurse -force -ea SilentlyContinue
8
gci -path C:\Users\*\AppData\Local\*\*\Modules -recurse -force -ea SilentlyContinue
9
gci -path C:\Windows\System32\config\systemprofile\appdata\roaming -recurse -force -include *.exe
10
schtasks /query /fo LIST /v | findstr "appdata"
11
schtasks /query /fo LIST /v | findstr "programdata"
12
schtasks /query /fo LIST /v | findstr "public"
13
tasklist /svc | findstr "svchost"
Copied!

Check running executables for malware via VirusTotal

Note: VT Has a rate limit for the Public API so this won’t work if you are using the Public API. All 1 liners require VTAPIKey to be set as your VirusTotal API key
1
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"}}
Copied!
This query uses a 15 second timeout to ensure only 4 queries are submitted a minute
1
foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}
Copied!
This query uses a 15 second timeout to ensure only 4 queries are submitted a minute and only unique hashes are queried
1
$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique -AsString; foreach ($process in $A) {Invoke-RestMethod -Method 'POST' -Uri 'https://www.virustotal.com/vtapi/v2/file/report' -Body @{ resource =($process); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}
Copied!

Registry Indicators

Check Registry for IE Enhanced Security Modification

1
gci 'REGISTRY::HKU\*\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
2
gci 'REGISTRY::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
Copied!

Check Registry for disabling of UAC (1=UAC Disabled)

1
gci REGISTRY::HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
2
gci REGISTRY::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
Copied!

Review Software Keys for malicious entries

1
gci registry::HKLM\Software\*
2
gci registry::HKU\*\Software\*
Copied!

Scan Registry keys for specified text

1
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | where {$_.Name -match 'notepad' -or $_.Name -match 'sql'}
2
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | get-itemproperty | where {$_ -match 'notepad' -or $_ -match 'sql'}
3
reg query HKLM\SOFTWARE /s /f ".exe"
4
reg query HKLM\SYSTEM /s /f ".exe"
5
reg query HKLM\SECURITY /s /f ".exe"
6
reg query HKLM /s /f ".exe"
Copied!

Suspicious Files

Find files without extensions

1
Get-ChildItem -Path C:\Users\[user]\AppData -Recurse -Exclude *.* -File -Force -ea SilentlyContinue
Copied!

Persistent file locations of interest

1
%localappdata%\<random>\<random>.<4-9 file ext>
2
%localappdata%\<random>\<random>.lnk
3
%localappdata%\<random>\<random>.bat
4
%appdata%\<random>\<random>.<4-9 file ext>
5
%appdata%\<random>\<random>.lnk
6
%appdata%\<random>\<random>.bat
7
%appdata%\<random>\<random>.bat
8
%SystemRoot%\<random 4 chars starting with digit>
9
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*
10
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*"
11
%SystemRoot%\System32\<randomnumber>\
12
%SystemRoot%\System32\tasks\<randomname>
13
%SystemRoot%\\<randomname>
14
C:\Users\[user]\appdata\roaming\[random]
15
C:\Users\[user]\appdata\roaming\[random]
16
C:\Users\Public\*
Copied!
You can scan these directories for items of interest e.g. unusual exe, dll, bat, lnk etc files with:
1
dir /s /b %localappdata%\*.exe | findstr /e .exe
2
dir /s /b %appdata%\*.exe | findstr /e .exe
3
dir /s /b %localappdata%\*.dll | findstr /e .dll
4
dir /s /b %appdata%\*.dll | findstr /e .dll
5
dir /s /b %localappdata%\*.bat | findstr /e .bat
6
dir /s /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\" | findstr /e .lnk
7
dir /s /b "C:\Users\Public\" | findstr /e .exe
8
dir /s /b "C:\Users\Public\" | findstr /e .lnk
9
dir /s /b "C:\Users\Public\" | findstr /e .dll
10
dir /s /b "C:\Users\Public\" | findstr /e .bat
11
ls "C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | findstr /e .lnk
Copied!

Locate LNK Files with a particular string (Special thanks to the notorious)

1
Select-String -Path 'C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk' -Pattern "powershell" | Select Path
Copied!

Master File Table

The Master File Table is an incredibly important artifact; however, this can only be read or obtained using low level disk reading. This contains an entry for every file or directory on the filesystem including metadata about these files, and may provide evidence on files which have been removed (MFT entries marked as ‘free’). More information can be found on Microsoft Docs

Determine Timestomping

Within the Master File Table (Located at the Win root) there are 2 elements, $STANDARD_INFORMATION and $FILE_NAME, both of which have values for a file being created, modified, accessed and written.
These are known as MACB times (Modified, Accessed, Changed, Birth). The $STANDARD_INFORMATION element can be modified from a malicious process, but the $FILE_NAME element is left intact and cannot without some extra trickery.
These discrepancies generally indicate Timestomping with the $FILE_NAME entry being the source of truth. This can be determined by obtaining the MFT (e.g. using a tool such as Rawcopy), and comparing timestamps on the file (e.g. using a tool such as MFTExplorer).
Rawcopy
1
RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin
Copied!

Check system directories for executables not signed as part of an operating system release

1
gci C:\windows\*\*.exe -File -force |get-authenticodesignature|?{$_.IsOSBinary -notmatch 'True'}
Copied!
Note: Don’t forget tice Utilities load in user hives.
1
reg query 'HKU\[SID]\Software\Microsoft\Office\[versionnumber]\Word\Security\Trusted Documents\TrustRecords';
2
gci 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ea 0 | foreach {reg query $_.Name}
Copied!
Note: This will show the file name/location and metadata in Hex. If the last lot of hex is FFFFFF7F then the user enabled the macro.
Note: Don’t forget to load in user hives.
1
reg query 'HKU\[SID]\Software\Microsoft\Office\[versionnumber]\Word\Security\Trusted Documents\TrustRecords';
2
gci 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ea 0 | foreach {reg query $_.Name}
Copied!
Note: This will show the file name/location and metadata in Hex. If the last lot of hex is FFFFFF7F then the user enabled the macro.

Check all Appdata files for unsigned or invalid executables

1
Get-ChildItem -Recurse $env:APPDATA\..\*.exe -ea SilentlyContinue| ForEach-object {Get-AuthenticodeSignature $_ -ea SilentlyContinue} | Where-Object {$_.status -ine "Valid"}|Select Status,Path
Copied!

Check for execuables in Local System User Profile and Files

1
Get-ChildItem C:\Windows\*\config\systemprofile -recurse -force -ea 0 -include *.exe, *.dll *.lnk
Copied!

Find executables and scripts in Path directories ($env:Path)

1
Get-Command * -Type Application | FT -AutoSize
2
Get-Command -Name * | FL FileVersionInfo
Copied!

Find files created/written based on date

1
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Date -match "12/25/2014"}
2
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.LastWriteTime -match "12/25/2014"}
3
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Hour -gt 2 -and $_.CreationTime.Hour -lt 15}
Copied!

Programs specifically set to run as admin

1
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s /f RUNASADMIN
2
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s /f RUNASADMIN
Copied!
Windows Indexing Service
1
C:\ProgramData\Microsoft\Search\Data\Applications\Windows\windows.edb
Copied!

DNS Logs

Scan DNS Logs

1
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3010';} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';} | FL TimeCreated,Message
Copied!

Scan DNS Logs and output unique DNS Queries

1
$events=Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';};
2
$output = @();
3
foreach ($Event in $events){
4
$data = New-Object -TypeName PSObject;
5
$XML = [xml]$Event.ToXml();
6
$query=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryName'} | Select -exp InnerText;
7
$result=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryResults'} | Select -exp InnerText;
8
$data `
9
| Add-Member NoteProperty Query "$query" -PassThru `
10
| Add-Member NoteProperty QueryResults "$result" -PassThru | Out-Null
11
$output += $data;
12
}
13
$output = $output | sort Query | unique -AsString;
14
$output
Copied!

WMI

Detect Persistent WMI Subscriptions

These will appear as children spawning from wmiprvse.
1
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
2
Get-WmiObject -Class __EventFilter -Namespace root\subscription
3
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
Copied!

Investigate WMI Usage

Note: Requires Strings
1
strings -q C:\windows\system32\wbem\repository\objects.data
Copied!

WIndows Defender

Check Windows Defender Block/Quarantine Logs

1
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Defender/Operational'; Data='Severe'} | FL TimeCreated,Messag
Copied!

ACLs and ACE

Check and Set Access Control Lists

1
Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'|FL
2
Get-Acl -Path [FileWithRequiredAccess] | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
Copied!

Change ACE for “everyone” on folder and subfiles/folders

Grant everyone full access
1
icacls "C:\{DESIREDFOLDERPATH}" /grant everyone:(CI)(OI)F /T
Copied!

Check Security Descriptor Definition Language (SDDL) and Access Control Entries (ACE) for services

1
sc sdshow <servicename>
2
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name}
3
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*DC"}
4
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WD"}
5
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WO"}
Copied!

Logging Checks

Check audit policies

1
auditpol /get /category:*
Copied!

Check for Windows Security Logging Bypass

Special thanks to Grzegorz Tworek - 0gtweet
1
reg query HKLM\System\CurrentControlSet\Control\MiniNt
Copied!

Vulnerability Checks

Verify EternalBlue Patch (MS17-010) is installed - Microsoft

Note: This impacts the SMB 1.0 Server Driver, if you don’t have the below, then it’s not installed. If you do you can use the above to determine patch level.
1
get-item C:\Windows\system32\drivers\srv.sys | FL VersionInfo
2
get-hotfix -id KB<111111>
Copied!
More information on ACE Strings and the level of access they can provide.

Lateral Movement Checks

Map Network Shares Lateral Movement Detection (Destinations)

1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4776';} | FL TimeCreated,Message
4
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4768';} | FL TimeCreated,Message
5
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769';} | FL TimeCreated,Message
6
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message
7
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\C#x27;} | FL TimeCreated,Message
8
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5145';} | FL TimeCreated,Message
9
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message
Copied!

PsExec Lateral Movement Detection (Destinations)

1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='2'} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
4
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\ADMIN#x27;} | FL TimeCreated,Message
5
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045'; Data='PSEXESVC'} | FL TimeCreated,Message
6
reg query HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC
7
reg query HKLM\SYSTEM\CurrentControlSet\Services\
8
ls C:\Windows\Prefetch\psexesvc.exe*.pf
Copied!

Scheduled Tasks Lateral Movement Detection (Destinations)

1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4698';} | FL TimeCreated,Message
4
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4702';} | FL TimeCreated,Message
5
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4699';} | FL TimeCreated,Message
6
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4700';} | FL TimeCreated,Message
7
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4701';} | FL TimeCreated,Message
8
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='106';} | FL TimeCreated,Message
9
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='140';} | FL TimeCreated,Message
10
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='141';} | FL TimeCreated,Message
11
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='200';} | FL TimeCreated,Message
12
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='201';} | FL TimeCreated,Message
13
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
14
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s /v Actions
15
Get-ChildItem -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\' | Get-ItemProperty | FL Path, Actions
16
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
17
gci -path C:\Windows\System32\Tasks\ -recurse -File
Copied!

Services Lateral Movement Detection (Destinations)

1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697';} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7034';} | FL TimeCreated,Message
4
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7035';} | FL TimeCreated,Message
5
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7036';} | FL TimeCreated,Message
6
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7040';} | FL TimeCreated,Message
7
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
8
reg query 'HKLM\SYSTEM\CurrentControlSet\Services\'
Copied!

WMI/WMIC Lateral Movement Detection (Destinations)

1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
4
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5857';} | FL TimeCreated,Message
5
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5860';} | FL TimeCreated,Message
6
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5861';} | FL TimeCreated,Message
7
C:\Windows\System32\wbem\Repository
8
ls C:\Windows\Prefetch\wmiprvse.exe*.pf
9
ls C:\Windows\Prefetch\mofcomp.exe*.pf
Copied!

PowerShell Lateral Movement Detection (Destinations)

1
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
2
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
3
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4103';} | FL TimeCreated,Message
4
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4104';} | FL TimeCreated,Message
5
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='53504';} | FL TimeCreated,Message
6
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='400';} | FL TimeCreated,Message
7
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='403';} | FL TimeCreated,Message
8
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='91';} | FL TimeCreated,Message
9
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='168';} | FL TimeCreated,Message
10
ls C:\Windows\Prefetch\wsmprovhost.exe*.pf
Copied!
Copy link
Contents
Malware Activity
Check disabled task manager (often from malware)
Mimikatz/Credential Extraction Detection
NetNTLM Downgrade Attack Detection
Putty Detection
Locate Possible Trickbot
Check running executables for malware via VirusTotal
Registry Indicators
Check Registry for IE Enhanced Security Modification
Check Registry for disabling of UAC (1=UAC Disabled)
Review Software Keys for malicious entries
Scan Registry keys for specified text
Suspicious Files
Find files without extensions
Persistent file locations of interest
Locate LNK Files with a particular string (Special thanks to the notorious)
Determine Timestomping
Check system directories for executables not signed as part of an operating system release
Check all Appdata files for unsigned or invalid executables
Check for execuables in Local System User Profile and Files
Find executables and scripts in Path directories ($env:Path)
Find files created/written based on date
Programs specifically set to run as admin
DNS Logs
Scan DNS Logs
Scan DNS Logs and output unique DNS Queries
WMI
Detect Persistent WMI Subscriptions
Investigate WMI Usage
WIndows Defender
Check Windows Defender Block/Quarantine Logs
ACLs and ACE
Check and Set Access Control Lists
Check Security Descriptor Definition Language (SDDL) and Access Control Entries (ACE) for services
Logging Checks
Check audit policies
Check for Windows Security Logging Bypass
Vulnerability Checks
Verify EternalBlue Patch (MS17-010) is installed - Microsoft
Lateral Movement Checks
Map Network Shares Lateral Movement Detection (Destinations)
PsExec Lateral Movement Detection (Destinations)
Scheduled Tasks Lateral Movement Detection (Destinations)
Services Lateral Movement Detection (Destinations)
WMI/WMIC Lateral Movement Detection (Destinations)
PowerShell Lateral Movement Detection (Destinations)