Windows System Enumeration

Gather artifacts

reg save HKLM\SAM [LOCATION]\SAM
reg save HKLM\SYSTEM [LOCATION]\SYSTEM
reg save HKLM\SECURITY [LOCATION]\SECURITY
reg save HKLM\SOFTWARE [LOCATION]\SOFTWARE

System and User information

get-computerinfo
echo %DATE% %TIME%
date /t
time /t
reg query "HKLM\System\CurrentControlSet\Control\TimeZoneInformation"
systeminfo
wmic computersystem list full
wmic /node:localhost product list full /format:csv
wmic softwarefeature get name,version /format:csv
wmic softwareelement get name,version /format:csv
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /s
echo %PATH%
(gci env:path|Select -exp Value).split(';')
SET
wmic bootconfig get /all /format:List
wmic computersystem get name, domain, manufacturer, model, numberofprocessors,primaryownername,username,roles,totalphysicalmemory /format:list
wmic timezone get Caption, Bias, DaylightBias, DaylightName, StandardName
wmic recoveros get /all /format:List
wmic os get /all /format:list
wmic partition get /all /format:list
wmic logicaldisk get /all /format:list
wmic diskdrive get /all /format:list
fsutil fsinfo drives
(psinfo requires Sysinternals psinfo.exe):
psinfo -accepteula -s -h -d

Model of motherboard and hardware information:

wmic baseboard get product,manufacturer
wmic desktopmonitor get /all /format:list
wmic baseboard get /all /format:list
wmic bios get /all /format:list
wmic cpu get /all /format:list

Installed Updates

(WMI Quick Fix Engineering)
wmic qfe

Installed Software/Packages

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
wmic product get name,version /format:csv
wmic product get /ALL
dism /online /get-packages
get-WmiObject -Class Win32_Product
get-package
PowerShell: full list for all users, using the uninstall keys in the registry (the SID match below ends in `\d+$'`; the HTML entity that replaced `$'` on the page has been restored)
$(Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*; Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*;New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS| Out-Null;$UserInstalls += gci -Path HKU: | where {$_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+$'} | foreach {$_.PSChildName };$(foreach ($User in $UserInstalls){Get-ItemProperty HKU:\$User\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*});$UserInstalls = $null;try{Remove-PSDrive -Name HKU}catch{};)|where {($_.DisplayName -ne $null) -and ($_.Publisher -ne $null)} | Select DisplayName,DisplayVersion,Publisher,InstallDate,UninstallString |FT

User and admin information

whoami
whoami /user
net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic sysaccount
wmic useraccount get name,SID
wmic useraccount list

User accounts and logon information

Get-WmiObject Win32_UserProfile

Logon information

wmic netlogin list /format:List
Get-WmiObject Win32_LoggedOnUser
Get-WmiObject win32_logonsession
query user
qwinsta
klist sessions
klist -li

NT Domain/Network Client Information

wmic ntdomain get /all /format:List
wmic netclient get /all /format:List
nltest /trusted_domains

Group and access information

(Accesschk requires accesschk64.exe or accesschk.exe from Sysinternals):
net localgroup
accesschk64 -a *

Hosts file and service>port mapping

type %SystemRoot%\System32\drivers\etc\hosts
type %SystemRoot%\System32\drivers\etc\services

cmd history

doskey /history
The Windows Subsystem for Linux on Windows 10 may keep shell history in a location such as:
C:\Users\[User]\AppData\Local\Packages\CanonicalGroupLimited.UbuntuonWindows_79rhkp1fndgsc\LocalState\rootfs\home\[user]

Check group policies

gpresult /Z /SCOPE COMPUTER
gpresult /Z /SCOPE USER
gpresult /R /SCOPE COMPUTER
gpresult /R /SCOPE USER
gpresult /r /z
ls C:\Users\[username]\AppData\Local\GroupPolicy\DataStore
ls C:\Windows\system32\GroupPolicy\DataStore

Obtain mode settings for ports

mode

Service information

Get-WmiObject win32_service | select Name, DisplayName, State, PathName
Get-Service

View Named Pipes

[System.IO.Directory]::GetFiles("\\.\\pipe\\")
get-childitem \\.\pipe\
dir \\.\pipe\\

File Information

Obtain list of all files on a computer

tree C:\ /F > output.txt
dir C:\ /A:H /-C /Q /R /S /X

Share information

Get-WmiObject Win32_Share
net share
wmic share list brief
wmic netuse get Caption, DisplayType, LocalName, Name, ProviderName, Status

Pagefile information

wmic pagefile

Cookies

C:\Users\*\AppData\Local\Microsoft\Windows\INetCookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\*\AppData\Roaming\Microsoft\Windows\Cookies\Low

RecentDocs Information

*Note: Run with PowerShell; get SID and user information with 'wmic useraccount get name,SID'
$SID = "S-1-5-21-1111111111-11111111111-1111111-11111"; $output = @(); Get-Item -Path "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" | Select-Object -ExpandProperty property | ForEach-Object {$i = [System.Text.Encoding]::Unicode.GetString((gp "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" -Name $_).$_); $i = $i -replace '[^a-zA-Z0-9 \.\-_\\/()~ ]', '\^'; $output += $i.split('\^')[0]}; $output | Sort-Object -Unique
More information on recent documents may be found:
C:\Users\[username]\AppData\Local\Microsoft\Windows\FileHistory\Data
gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"

Recent execution of programs

  • Prefetch Located at : %SystemRoot%\Prefetch\
  • RecentFileCache.bcf Located at : %SystemRoot%\AppCompat\Programs\
  • Amcache.hve (reg hive) Located at : %SystemRoot%\AppCompat\Programs\
Or query many previously run programs from the Program Compatibility Assistant:
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store"
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

Show known file extensions and hidden files (excluding OS hidden files)

reg add "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d "1" /f
reg add "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d "0" /f
Stop-Process -processname explorer

Files greater than 10MB

FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Temp files greater than 10MB

FOR /R C:\Users\[User]\AppData %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Alternate Data Streams

List Alternate Data Streams in current Dir and view them

gi * -s *
gc [FILENAME] -s [ADSNAME]

List Alternate Data Streams in text files within AppData

Get-ChildItem -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue|gi -s *|Select Stream -ea SilentlyContinue| Where-Object {$_.Stream -ine ":`$DATA"}

Use Alternate Data Streams to find download location

get-item * -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
get-item C:\Users\Username\Downloads\* -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
$a=(gci -rec -path C:\users\user\downloads -ea 0 | gi -s Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
$a=(get-item * -stream Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
gci -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue |gi -s *| Where-Object {$_.Stream -ine ":`$DATA"}|cat
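
Added example (not from the original cheat sheet): a PowerShell parser that turns the Zone.Identifier stream the commands above dump with cat into structured objects (zone name, ReferrerUrl, HostUrl), so download origins can be filtered and tabulated rather than read by eye. The function names ConvertFrom-ZoneIdentifier and Get-DownloadOrigin, the $ZoneNames table and the sample stream are constructed for this example; the stream format is the INI-style [ZoneTransfer] section Windows writes as the Mark-of-the-Web.

```powershell
# Added example, not code from the original cheat sheet.
# Zone numbers follow the URL security zone table used by the Mark-of-the-Web.
$ZoneNames = @{
    0 = 'LocalMachine'
    1 = 'LocalIntranet'
    2 = 'TrustedSites'
    3 = 'Internet'
    4 = 'RestrictedSites'
}

function ConvertFrom-ZoneIdentifier {
    # Turns the raw stream text into an object; returns $null when the text has
    # no [ZoneTransfer] section (i.e. the stream is not a Mark-of-the-Web).
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Text,
        [string]$FileName = ''
    )
    if ($Text -notmatch '(?m)^\s*\[ZoneTransfer\]') { return $null }
    $fields = @{}
    foreach ($line in ($Text -split "`r?`n")) {
        # Key=Value lines; anything else (section header, blank) is ignored.
        if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    $zoneId = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { -1 }
    [PSCustomObject]@{
        FileName    = $FileName
        ZoneId      = $zoneId
        Zone        = if ($ZoneNames.ContainsKey($zoneId)) { $ZoneNames[$zoneId] } else { 'Unknown' }
        ReferrerUrl = $fields['ReferrerUrl']   # $null on older builds that only record ZoneId
        HostUrl     = $fields['HostUrl']
    }
}

function Get-DownloadOrigin {
    # Reads Zone.Identifier from every file under -Path (recursively) and
    # returns one object per file that carries a Mark-of-the-Web.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $raw = Get-Content -LiteralPath $_.FullName -Stream Zone.Identifier -Raw -ErrorAction SilentlyContinue
            if ($raw) { ConvertFrom-ZoneIdentifier -Text $raw -FileName $_.FullName }
        }
}

# Constructed sample stream (not taken from a real system) to show the parser's output.
$sample = "[ZoneTransfer]`r`nZoneId=3`r`nReferrerUrl=https://example.test/downloads/`r`nHostUrl=https://cdn.example.test/setup.exe`r`n"
ConvertFrom-ZoneIdentifier -Text $sample -FileName 'setup.exe' | Format-List

# Live use (NTFS only; alternate data streams do not exist on FAT/exFAT volumes):
# Get-DownloadOrigin -Path "$env:USERPROFILE\Downloads" | Where-Object Zone -eq 'Internet' | Format-Table -AutoSize
```

Files copied from a FAT-formatted USB stick or extracted by an archiver that drops streams will have no Zone.Identifier at all, so an empty result means "no recorded origin", not "local origin".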

Firewall and AV

Firewall Information

netsh Firewall show state
netsh advfirewall firewall show rule name=all dir=in type=dynamic
netsh advfirewall firewall show rule name=all dir=out type=dynamic
netsh advfirewall firewall show rule name=all dir=in type=static
netsh advfirewall firewall show rule name=all dir=out type=static
netsh firewall show config
netsh advfirewall firewall show rule name=all verbose

Firewall Changes

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall';} | FL TimeCreated, Message

Start-up/Autoruns

Startup process information

wmic startup list full
wmic startup list brief
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | FL

Startup process information by path/file name

Note: This searches common persistence areas but not all of them; change the $Malware variable value to a term of your choosing. (The scheduled-task filter uses $_."Task To Run" so the column is read from the object; quoting the whole expression as "$_.Task To Run" would compare a string instead.)
$Malware = "appdata";
$Processes = gps |?{$_.Path -match $Malware -or $_.Name -match $Malware} | FL Name,Path,Id;
$Tasks = schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_."Task To Run" -match $Malware}| FL "Taskname","Task To Run","Run As User";
$Services = gwmi win32_service | ? {$_.PathName -match $Malware}| FL Name,PathName;
$ServiceDLL = reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL" | findstr "$Malware";
$RunKey1 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$RunKey2 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$UserProfiles = (gwmi Win32_UserProfile | ? { $_.SID -notmatch 'S-1-5-(18|19|20).*' }); $paths = $UserProfiles.localpath; $sids = $UserProfiles.sid; for ($counter=0; $counter -lt $UserProfiles.length; $counter++){$path = $UserProfiles[$counter].localpath; $sid = $UserProfiles[$counter].sid; reg load hku\$sid $path\ntuser.dat};
$RunKey3 = Get-ItemProperty -Path Registry::HKU\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* | ?{$_ -match $Malware};
$Startup = Select-String -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' -Pattern $Malware | Select Path;
$Startup2 = Select-String -Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*' -Pattern $Malware | Select Path;
if ($Processes) {echo "Process Found!";$Processes} else {echo "No Running Processes Found."};
if ($Tasks) {echo "Tasks Found!";$Tasks} else {echo "No Tasks Found."};
if ($Services) {echo "Services Found!";$Services} else {echo "No Services Found."};
if ($ServiceDLL) {echo "ServiceDLL Found!";$ServiceDLL} else {echo "No Service Dlls Found."};
if ($RunKey1) {echo "Wow6432Node Run Key Found!";$RunKey1} else {echo "No Local Machine Wow6432Node Run Key Found."};
if ($RunKey2) {echo "Local Machine Run Key Found!";$RunKey2} else {echo "No Local Machine Run Key Found."};
if ($RunKey3) {echo "User Run Key Found!";$RunKey3} else {echo "No User Run Key Found."};
if ($Startup) {echo "AppData Startup Link Found!";$Startup} else {echo "No AppData Startups Found."};
if ($Startup2) {echo "ProgramData Startup Link Found!";$Startup2} else {echo "No ProgramData Startups Found."};

Scheduled task/job information

at (for older OS)
schtasks
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr "Task To Run:"
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "exe"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "Task"
schtasks /query /fo LIST /v | Select-String "exe" -Context 2,27
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "EXENAME"} | FL Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)}|Select-String Command|FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}|Select-String Command|FL Line,Filename
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_."Task To Run" -match "MALICIOUS"}| FL "Taskname","Task To Run"
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.Taskname -ne "TaskName"} | FL "Taskname","Task To Run"
wmic job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status
PowerShell:
Get-ScheduledTask
gci -path C:\windows\system32\tasks -recurse | Select-String Command | FL Filename, Line
gci -path C:\windows\system32\tasks -recurse | Select-String "<Command>",Argument | FT Filename,Command,Line
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "MALICIOUSNAME"} | FL Filename, Line
(gci -path C:\windows\system32\tasks -recurse | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim();

File hash and location of all scheduled tasks

$a=((gci C:\windows\system32\tasks -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
From the System32 directory:
$a=((gci tasks -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}
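
Added example (not from the original cheat sheet) that serves both the scheduled-task listing above and the hash step: it parses each task definition under the task store with the XML parser rather than stripping "<Command>" tags out of lines, keeps the <Arguments> and the principal alongside the command, expands environment variables, and hashes the resolved binary. ConvertFrom-TaskXml, Get-TaskActionHash and the embedded sample task are constructed for this example; the XML layout (Task/Actions/Exec/Command) is the one Windows writes to %SystemRoot%\System32\Tasks.

```powershell
# Added example, not code from the original cheat sheet.
function ConvertFrom-TaskXml {
    # Returns one object per <Exec> action in a task definition.
    # Tasks with only a COM handler action (<ComHandler>) yield nothing.
    param(
        [Parameter(Mandatory)][string]$Xml,
        [string]$TaskFile = ''
    )
    try { $doc = [xml]$Xml } catch { return }   # not XML: skip the file
    # PowerShell's XML adapter ignores the default namespace, so dot-walking works.
    foreach ($exec in @($doc.Task.Actions.Exec)) {
        if (-not $exec) { continue }
        $cmd = [string]$exec.Command
        # Commands are often "%SystemRoot%\..." with quotes; expand and strip them before hashing.
        $expanded = [System.Environment]::ExpandEnvironmentVariables($cmd).Trim('"')
        [PSCustomObject]@{
            TaskFile  = $TaskFile
            Author    = [string]$doc.Task.RegistrationInfo.Author
            Command   = $cmd
            Expanded  = $expanded
            Arguments = [string]$exec.Arguments
            RunAs     = [string]$doc.Task.Principals.Principal.UserId
        }
    }
}

function Get-TaskActionHash {
    # Walks the task store, parses every definition and adds the SHA256 of the
    # resolved binary when it exists on disk. Commands given without a path
    # (resolved through PATH at run time) are left with an empty hash.
    param([string]$TaskRoot = "$env:SystemRoot\System32\Tasks")
    Get-ChildItem -Path $TaskRoot -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            try { $raw = Get-Content -LiteralPath $file -Raw -ErrorAction Stop } catch { return }
            ConvertFrom-TaskXml -Xml $raw -TaskFile $file | ForEach-Object {
                $hash = $null
                if ($_.Expanded -and (Test-Path -LiteralPath $_.Expanded -PathType Leaf)) {
                    $hash = (Get-FileHash -LiteralPath $_.Expanded -Algorithm SHA256).Hash
                }
                $_ | Add-Member -NotePropertyName SHA256 -NotePropertyValue $hash -PassThru
            }
        }
}

# Constructed sample task (not from a real system) to show the parser's output.
$sampleTask = @'
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><Author>EXAMPLE\analyst</Author></RegistrationInfo>
  <Principals><Principal id="Author"><UserId>S-1-5-18</UserId></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>"%SystemRoot%\System32\cmd.exe"</Command>
      <Arguments>/c echo constructed sample</Arguments>
    </Exec>
  </Actions>
</Task>
'@
ConvertFrom-TaskXml -Xml $sampleTask -TaskFile 'sample.xml' | Format-List

# Live use: tasks whose binary is missing (empty hash) or runs from a profile directory
# Get-TaskActionHash | Where-Object { -not $_.SHA256 -or $_.Expanded -match 'AppData' } | Format-Table -AutoSize
```

Reading the definitions from the task store rather than from schtasks output also surfaces tasks whose registry entry has been tampered with so that schtasks no longer lists them, since the XML file on disk is still present.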

UAC Bypass Fodhelper

reg query HKCU\Software\Classes\ms-settings\shell\open\command
reg query HKU\{SID}\Software\Classes\ms-settings\shell\open\command
autorunsc.exe -accepteula -a * -c -h -v -m > autoruns.csv
autorunsc.exe -accepteula -a * -c -h -v -m -z 'E:\Windows' > autoruns.csv

Persistence and Automatic Load/Run Reg Keys

In PowerShell, replace "reg query" with "Get-ItemProperty -Path", e.g.:
Get-Item -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
User Registry (NTUSER.DAT HIVE) - commonly located at:
C:\Users\[username]
*Note: These are set up to query the current user's registry only (HKCU); to query other users you will need to load their hives from the relevant NTUSER.DAT file first and then query them.
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f run
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f load
reg query "HKCU\Environment" /v UserInitMprLogonScript
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RESTART_STICKY_NOTES
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows\Scripts"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RecentDocs"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\AcroDC"
reg query "HKCU\SOFTWARE\Itime"
reg query "HKCU\SOFTWARE\info"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\User Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Command Processor"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKCU\SOFTWARE\Microsoft\Windows\currentversion\run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\IEAK\GroupPolicy\PendingGPOs" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM"

Local Machine (SOFTWARE HIVE)

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\policies\explorer\run"
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\run"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM"
Don't be afraid to use "findstr" or "/f" to find entries of interest, for example file extension handlers, which may also invoke malicious executables when a file is opened.
reg query "HKLM\SOFTWARE\Classes" | findstr "file"
reg query "HKLM\SOFTWARE\Classes" /f "file"
reg query HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} /s
reg query HKCR\AppID\ /s | findstr "exe"

Local Machine (SYSTEM HIVE)

Note: This hive contains not only services but also drivers, which may run at startup; malicious drivers are ".sys" files and are generally loaded from \SystemRoot\System32\drivers.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\[Random_name]\imagePath"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.sys"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
Get-Service -Name "*MALICIOUSSERVICE*"
gwmi win32_service | ? {$_.PathName -match "MALICIOUSSERVICE"}|FL Name,PathName
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" | FL DisplayName,ImagePath,ObjectName
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-AuthenticodeSignature
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-FileHash
Note: Some useful commands to show relevant service information
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"

Registry

Powershell: Query Registry Keys

Invoke-Command -ScriptBlock {Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run} -Session $s1

Review Hivelist

gp REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\hivelist | Select *USER*

Locate all user registry keys

$UserProfiles = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Where {$_.PSChildName -match "S-1-5-21-(\d+-?){4}$" } | Select-Object @{Name="SID"; Expression={$_.PSChildName}}, @{Name="UserHive";Expression={"$($_.ProfileImagePath)\ntuser.dat"}}

Load all users registry keys from their ntuser.dat file (perform above first)

Foreach ($UserProfile in $UserProfiles) {If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS\$($UserProfile.SID)) -eq $false) {reg load HKU\$($UserProfile.SID) $($UserProfile.UserHive) | echo "Successfully loaded: $($UserProfile.UserHive)"}}

Query all users run key

Foreach ($UserProfile in $UserProfiles) {reg query HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run};
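
Added example (not from the original cheat sheet) that ties the three steps above into one script and also covers the per-user autorun keys from the Persistence section: it enumerates ProfileList, loads any NTUSER.DAT that is not already mounted under HKEY_USERS, queries a set of Run-type keys for every profile, and unloads only the hives it loaded itself. Get-LocalUserProfile, Get-UserAutorunValue and $UserAutorunKeys are names constructed for this example; the key list is a subset of the HKCU keys listed earlier. It needs an elevated PowerShell, because reg.exe load/unload require administrator rights.

```powershell
# Added example, not code from the original cheat sheet.
# Per-user autorun locations to query (relative to each user's hive root).
$UserAutorunKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-LocalUserProfile {
    # SID plus NTUSER.DAT path for every profile with a domain/local account SID (S-1-5-21-...).
    Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-(\d+-){3}\d+$' } |
        ForEach-Object {
            [PSCustomObject]@{
                SID  = $_.PSChildName
                Hive = Join-Path ([System.Environment]::ExpandEnvironmentVariables($_.ProfileImagePath)) 'NTUSER.DAT'
            }
        }
}

function Get-UserAutorunValue {
    # Returns one object per value found under the autorun keys of every profile.
    # A logged-on user's hive is already present under HKU and is queried in place;
    # other hives are loaded temporarily and unloaded in the finally block.
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    $loaded = @()
    try {
        foreach ($prof in Get-LocalUserProfile) {
            $root = "Registry::HKEY_USERS\$($prof.SID)"
            if (-not (Test-Path $root)) {
                if (-not (Test-Path -LiteralPath $prof.Hive)) { continue }
                # reg.exe prints to stdout; discard it and rely on the exit code.
                & reg.exe load "HKU\$($prof.SID)" $prof.Hive | Out-Null
                if ($LASTEXITCODE -ne 0) { continue }
                $loaded += $prof.SID
            }
            foreach ($sub in $UserAutorunKeys) {
                $key = "$root\$sub"
                if (-not (Test-Path $key)) { continue }
                $props = Get-ItemProperty -Path $key
                foreach ($p in $props.PSObject.Properties) {
                    if ($meta -contains $p.Name) { continue }   # skip provider metadata
                    [PSCustomObject]@{
                        SID   = $prof.SID
                        Key   = $sub
                        Name  = $p.Name
                        Value = [string]$p.Value
                    }
                }
            }
        }
    }
    finally {
        foreach ($sid in $loaded) {
            [GC]::Collect()   # release handles the registry provider may still hold on the hive
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}

Get-UserAutorunValue | Format-Table -AutoSize
```

Because the script records which SIDs it mounted, it never unloads a hive belonging to a user who is currently logged on; the one-liners above leave every hive they load mounted until reboot.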
Enumerate all WMI namespaces recursively (the function takes -Path, not -Recurse; recursion happens inside it):
Function Get-WmiNamespace ($Path = 'root')
{
    foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
    {
        $FullPath = $Path + "/" + $Namespace.Name
        Write-Output $FullPath
        Get-WmiNamespace -Path $FullPath
    }
}
Get-WmiNamespace

Network Connections

Network connections

(tcpvcon requires Sysinternals tcpvcon.exe):
ipconfig /all
netstat -anob
netstat -ano
Tcpvcon -a

Routing table and ARP cache

route print
arp -a
Get-NetNeighbor

Obtain hash and established network connections for running executables with dns cache

Get-NetTCPConnection -State Established | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry}}|sort|gu -AS|FT

Obtain hash and listening network connections for running executables

Get-NetTCPConnection -State LISTEN | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT

Obtain hash and possible tunneled network connections for running executables

Get-NetTCPConnection -State ESTABLISHED |? LocalAddress -Like "::1" | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State Established |? LocalAddress -Like "127.0.0.1"| Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State LISTEN |? LocalAddress -Like "127.0.0.1" | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT

Obtain workstation name for tunneled authentication

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='::';} | FL TimeCreated,Message

Contents of DNS resolver

(useful for recent web history)
ipconfig /displaydns
Get-DnsClientCache | FT -AutoSize

Currently connected Access Point name (WiFi)

reg query HKLM\system\CurrentControlSet\Services\Dnscache\Parameters\DnsActiveIfs\ /s
netsh wlan show interfaces

Previously connected Access Point names (WiFi)

netsh wlan show profile

Current surrounding Access Point names (WiFi)

netsh wlan show network mode=bssid

Extended network adapter configuration information

reg query HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\ /s
reg query HKLM\system\CurrentControlSet\Services\Tcpip6\Parameters\ /s

RDP

RDP Cache images

This can be used to display fragments of images which a user could see when operating on a server over Windows RDP. The cache files are located at: %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\
These can be parsed using BMC-Tools:
bmc-tools.py -s ./ -d ./output
bmc-tools.py -s ./ -d ./output -o -b

RDP (Terminal Services) Activity

reg query 'HKU\{SID}\Software\Microsoft\Terminal Server Client' /s

RDP (Terminal Services) Configuration

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /s

Check if Terminal Services Enabled

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

Check if one session per user has been modified

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser

Check if port number has been modified

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

DLL Information

Extract Module (DLL, SYS and EXE) information from WDAC Audit Events

# Extract relevant properties from 3076 events
# Modified by Jai Minton @CyberRaiju, based on original work by Matt Graeber @mattifestation

# On an enterprise system enable it by creating a module load audit policy: https://twitter.com/mattifestation/status/1366435525272481799
# ConvertFrom-CIPolicy Non_Microsoft_UserMode_Load_Audit.xml C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
# Store the converted policy on a Win10 system to be monitored at: Windows\System32\CodeIntegrity\SIPolicy.p7b
# If you don't have one available you can use a pre-converted one found here: https://github.com/JPMinty/Misc-Tools/blob/main/Windows-Defender-Application-Control-WDAC/SIPolicy.p7b

# More information:
# https://gist.githubusercontent.com/mattifestation/de140831d47e15370ba35c1877f39082/raw/8db18ab36723cc9eaf9770c2cadafe46460ff80e/3076EventExtractor.ps1
# https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11
# https://github.com/mattifestation/WDACTools

$SigningLevelMapping = @{
    [Byte] 0 = 'Unchecked'
    [Byte] 1 = 'Unsigned'
    [Byte] 2 = 'Enterprise'
    [Byte] 3 = 'Custom1'
    [Byte] 4 = 'Authenticode'
    [Byte] 5 = 'Custom2'
    [Byte] 6 = 'Store'
    [Byte] 7 = 'Antimalware'
    [Byte] 8 = 'Microsoft'
    [Byte] 9 = 'Custom4'
    [Byte] 0xA = 'Custom5'
    [Byte] 0xB = 'DynamicCodegen'
    [Byte] 0xC = 'Windows'
    [Byte] 0xD = 'WindowsProtectedProcessLight'
    [Byte] 0xE = 'WindowsTcb'
    [Byte] 0xF = 'Custom6'
}

$CIEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076} | ForEach-Object {
    $ScenarioValue = $_.Properties[16].Value.ToString()
    $Scenario = $ScenarioValue
    switch ($Scenario) {
        '0' { $Scenario = 'Kernel-Mode' }
        '1' { $Scenario = 'User-Mode' }
    }
    [PSCustomObject] @{
        TimeCreated = $_.TimeCreated
        MachineName = $_.MachineName
        UserId = $_.UserId
        FileName = $_.Properties[1].Value
        ProcessName = $_.Properties[3].Value
        CertificateSHA1AuthentiCodeHash = [BitConverter]::ToString($_.Properties[8].Value).Replace('-', '')
        CertificateSHA256AuthentiCodeHash = [BitConverter]::ToString($_.Properties[10].Value).Replace('-', '')
        ModuleSHA1Hash = [BitConverter]::ToString($_.Properties[12].Value).Replace('-', '')
        ModuleSHA256Hash = [BitConverter]::ToString($_.Properties[14].Value).Replace('-', '')
        OriginalFileName = $_.Properties[24].Value
        InternalName = $_.Properties[26].Value
        FileDescription = $_.Properties[28].Value
        ProductName = $_.Properties[30].Value
        FileVersion = $_.Properties[31].Value
        SISigningScenario = $Scenario
        RequestedSigningLevel = $SigningLevelMapping[$_.Properties[4].Value]
        ValidatedSigningLevel = $SigningLevelMapping[$_.Properties[5].Value]
        PolicyHash = [BitConverter]::ToString($_.Properties[22].Value).Replace('-', '')
    }
}
$CIEvents

Obtain DLL information ListDLLs

listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

Obtain unsigned DLL information loaded by processes

listdlls -u

Obtain DLLs in use by processes

listdlls -v processname -accepteula
listdlls -v -d dllname.dll -accepteula
listdlls -v PID -accepteula

Determine handles on a file

handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>] [name]
handle -a -u -s -p exp
handle windows\system

DNS

Obtain TXT records from recently resolved domains

foreach ($domains in Get-DnsClientCache){Resolve-DnsName $domains.Entry -Type "TXT"|Select Strings|? Strings -NotLike ""};

Active Directory

Active Directory Investigation

Note: Live information can be found using DSQuery or Netdom.
dsquery computer
dsquery user
dsquery contact
dsquery domainroot -inactive 4
dsquery group
dsquery ou
dsquery site
dsquery server
dsquery quota
dsquery *
dsquery * -limit 999999999
netdom query fsmo
netdom query trust
netdom query pdc
netdom query DC
netdom query server
netdom query workstation
netdom query OU

NT Directory Services Directory Information Tree File (ntds.dit)

Active Directory Database file containing all schema, domain, configuration information (e.g. users, IP, computers, domain trusts etc)
  • %SystemRoot%\NTDS\ntds.dit
  • %SystemRoot%\System32\ntds.dit
    • File created only when promoting certain OS to a DC, and seldom used.
Edb.log
10MB transaction log used to store temporary data before it is sent to the ntds.dit database.
  • %SystemRoot%\NTDS\Edb.log
Edbxxxxx.log
Additional transaction log files if the main edb.log file gets larger than 10MB without being flushed to ntds.dit.
  • %SystemRoot%\NTDS\edbxxxxx.log
Edb.chk
Checkpoint file used to determine how much of the transaction logs have been sent to the ntds.dit database.
  • %SystemRoot%\NTDS\edb.chk
Resx.log/Resx.jrs
Reserved log files in case the hard drive fills up, at which point these files will be used (ideally they should never be used).
  • %SystemRoot%\NTDS\res1.log
  • %SystemRoot%\NTDS\res2.log
Temp.edb
Temporary file to store information during in progress transactions.
  • %SystemRoot%\NTDS\temp.edb
Schema.ini
Initialises the ntds.dit file when the domain controller is created, and is then never used again.
  • %SystemRoot%\NTDS\schema.ini
Investigation of ntds.dit
Obtaining this file can be done using any of the following; decrypting its contents also requires the SYSTEM hive (note: ntdsutil may not work on older AD servers).
(Output will be under C:\Audit)

ntdsutil

ntdsutil "activate instance ntds" ifm "create full C:\Audit" quit quit

vssadmin

vssadmin create shadow /for=C:
mkdir C:\Audit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\ntds\ntds.dit C:\Audit\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\System32\config\SYSTEM C:\Audit\SYSTEM
vssadmin delete shadows /shadow=[ShadowCopyID]

Other ‘less legitimate’ replication methods are detailed on the AD Security Blog by Sean Metcalf.

Repair the file if required:

esentutl /p /o C:\Audit\ntds.dit
Analyzing this file offline can be done with tactics such as: