Summary

For part two, we’re not going to necessarily go in-depth of the attack itself, but cover common tools and where/when to use them. Below you’ll find links to the tools and resources for training. TCM-Sec has an amazing Windows Forensics course that will walk you through the DFIR methodology, Atomic Red Team, and the full analysis.

Resources
https://academy.tcm-sec.com/p/practical-windows-forensics
https://bluecapesecurity.com/build-your-forensic-workstation

Tools
https://ericzimmerman.github.io/#!index.md
https://bluecapesecurity.com/build-your-forensic-workstation (Scroll down to the middle of the page for the tools.)

Disk Analysis

Windows Event Logs > Windows Registry > NTFS > Other Windows Artifacts

Registry
Registry hives are located here:
C:\Cases\E\Windows\System32\config
C:\Cases\E\Users\tstark\NTUSER.DAT. C:\Cases\E\Users\tstark\AppData\Local\Microsoft\Windows\Usr\Class.dat

Using Registry Explorer

Copy and paste the registry hives into Registry Explorer

Using the ‘Available Bookmarks’ will make it possible to view common items.

Reg Ripper

This is a more automated way to extract information.
Plugin matrix: https://github.com/bluecapesecurity/PWF/tree/main/Resources

Using the GUI version (rr.exe), will load all plugins, which may be too much information for us to parse through.

Create an analysis folder in the Cases directory and copy the registry hives into it for each user.

Now we can use rip.exe using the following command and plugin.

rip.exe -r C:\Cases\Analysis\SOFTWARE -p winver

There are a number of plugins that can be used, which depends on what we need to extract; see the plugins directory.

Parse through hives in bulk

First we need to allow the UsrClass.dat and NTUSER.DAT to be viewed because they’re hidden by default.

To view their status, use: attrib *

To make them visable, use the below commands.

attrib -h UsrClass.dat
attrib -h NTUSER.dat

Using a ‘for’ loop to run through all hives.

for /r %i in (*) do (C:\Tools\RegRipper\rip.exe -r %i -a > %i.txt)

To review the users, we can utilize Registry Explorer which then can export the SAM.

Using the Eric Zimmerman tool Timeline Explorer, we’ll then be able to see the accounts in more detail.

Drag and drop the exported .xlsx file and the below is the output.

User Behavior Analysis

Under NTUSER, there’s an UserAssist log that keeps track of recently used applications.

Under value names there’s additional interesting fields.

Recent Docs, under NTUSER, displays files/folders that were recently accessed. Easiest way to view is by utilizing Registry Explorer.

Shell Bags, under UserClass, is another area that displays which folders were accessed.

Another GUI method is using ShellBagsExplorer, under Eric Zimmerman tools. This will present an easier to read timestamps.

Disk Analysis

Using Eric Zimmerman’s tools, we’re going to utilize MFTECmd.exe.

MFTECmd.exe -f c:\cases\E$MFT –csv C:\Cases\Analysis\NFTS\ –csvf MFT.csv

Now we’ll use Timeline Explorer to read any csv files and filter/search for whatever we need, such as ‘atomic’.

From here, we can narrow down to view the timestamps.

Evidence of program execution

Loading the SYSTEM hive in Registry Explorer, look under BAM and the SIDS which should show the programs that were last ran.

Amache, should have been extracted by KAPE.
Windows\AppCompat\Programs.

Doing a ‘dir /a’ will show hidden log files.

Amcacheparser.exe will handle providing us with a CSV file.

AmcacheParser.exe -f c:\cases\e\windows\appcompat\programs\Amcache.hve –csv c:\cases\analysis\execution.

Using the Unassociated csv would normally be the one that we are interested in using within Timeline Explorer.

Prefetch is a process that Windows uses a preload function to improve performance.

C:\Cases\E\Windows\prefetch

PECMD.exe will be used.

pecmd.exe -f c:\cases\e\windows\prefetch\ATOMICSERVICE.EXE-59E20F94.pf

To import all prefetch file we can use the below command.

pecmd.exe -d c:\cases\e\windows\prefetch –csv C:\Cases\Analysis\Execution\

Using the smaller file called Timeline, will present a simpler view of just the timeline.

Persistence

Start with Auto-Run Keys, scheduled tasks, then services.
For services, we can use the SYSTEM.txt and search ‘services v. or svc v.’

For scheduled tasks, under the SOFTWARE hive. Microsoft\Windows NT\CurrentVersion\Scheduler\TaskCache\Tree\

Also under Task and TaskCache overview, sort by Created On.

For Autorun/Service programs, we’ll use SysInternals' Autoruns.
Use the ‘Analyze Offline System..’ and then navigate to the image and user.

Under the Services tab, we can see the AtomicTestService.

Windows Event Logs

Event Log Resources:
UltimateWindowsSecurity.com - Windows Security Log Events:
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j
EventTracker:
https://kb.eventtracker.com/
Github - Awesome-event-ids:
https://github.com/stuhli/awesome-event-ids

KAPE should have collected the logs, which would be located in the below path.
Windows\System32\winevent\logs

Event Log Explorer
Drag and drop event logs, like Security and Application.

Reviewing service installs, which is under the SYSTEM logs:
Event ID: 7045.

Security Events under SECURITY logs:
Event ID 4624
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624

Logon types 2 and 10 are normally the ones we should start with since they normally are interactive.

We can narrow all events to Logon ID: 0x3e7

PowerShell events using the Windows Powershell logs:
Event ID 400

Sysmon:

We can focus on Parent process to see the child processes.

Memory Analysis

Volatility, using Windows Linux Subsystem.

pip3 install volatility3

Volatiltiy3 symbol tables: https://github.com/volatilityfoundation/volatility3#symbol-tables

cd /mnt/c/Cases/Analysis/Memory
vol -f <memdump_file> <plugin_to_use>

vol -f memdump.mem windows.info

vol -f memdump.mem windows.pstree

1500 684 AtomicService. 0x800fd9377080

Dump process info.

vol -f memdump.mem windows.pslist –pid 1500

Pivot off parent ID 684

What we’ve learned is that the services.exe process kicked off ‘AtomicService’.

Now we can dump the parent process into a file to see if we can find additional information.

vol -f memdump.mem windows.pslist –pid 1500 –dump

Using ‘strings’ we can explore the dump.
In my case, the dump didn’t contain anything, but know that there could be useful information within the dump.

Inspecting dll injection

vol -f memdump.mem windows.dlllist –pid 1500

To dump the dll to be used by strings, we can do the following. Note that this will dump all dlls, so there will be a lot of files.

vol -f memdump.mem windows.dlllist –pid 1500 –dump

Finding SIDS

vol -f memdump.mem windows.getsids > sids.txt

Conclusion
We were able to cover a lot of tools and where/when to use them. Although we didn’t cover the attack path from start to finish, we have at least a referene sheet of what certain tools do and why they’re used during an investigation. Because each investigation is unique, the methodology is more important than following step by step in a simulated attack. If you’re looking for this type of training, I highly recommend TCM-Sec’s Practical Windows Forensics.

I hope that you enjoyed this writeup. Until next time, take care.