Fahd Aomari Last Edit : September 20, 2023 9:11 PM

Incident Response - Windows Live Examination

You want to detect it, but what if you don’t have any sign of compromise? What can we do, what can we use? And suppose you found the IOC, how do you do the scoping?

The normal thing to do is check network logs, but what if the malware doesn’t generate traffic? Or what if the traffic is encrypted?

Let’s see what we can do on a live Windows host.

Live Windows examination:

Examining Processes

PowerShell follows a Verb-Noun syntax.

Example: in Get-Process, Get is the Verb and Process is the Noun.

Examining running processes:


# Verb-Noun syntax, GET is the verb and Process is the noun

Get-Verb # List all verbs
Get-ChildItem HKCU: # Look at the registry HKEY_CURRENT_USER
Get-ChildItem # or 'dir' for directory listing
Get-Process # Brief info on all running processes
Get-Process 'powersh*' # Brief info on processes starting with 'powersh', uses wildcard
Get-Process 'powershell' | Select-Object * # Detailed info
Get-Process 'powershell' | Select-Object -Property Id, StartInfo* # Select several properties
Get-Process -ComputerName 'FAHD-PC' # Processes on a remote computer
Get-Help Get-Process # Get help on the Get-Process cmdlet
Get-Process | Get-Member # View available properties and methods
Get-Process | Select-Object -Property Id, Name, Path | Where-Object -Property Path -like '*temp*' | Stop-Process # Kill every process whose image path contains 'temp' (destructive: drop the Stop-Process to just list them first)

Property explanations:

# Handles: Count of open files, sockets, and pipe resources
# NPM(K): Amount of non-paged memory the process is using in kilobytes
# PM(K): Amount of paged memory the process is using in kilobytes
# WS(K): Process working set size (total memory allocated to a process) in kilobytes
# CPU(s): Processor time used by the process on all processors, in seconds
# Id: Unique identifier for a process (PID)
# ProcessName: Process name, often the executable name

However, Get-Process has a limitation: although it gives us a lot of information about a process, it doesn’t give us everything. What about the parent process? You want to know which process launched this process, and which command line launched it. Well, Microsoft tells you that if you want such things you need to use Get-CimInstance (which interrogates the Common Information Model, i.e. WMI classes such as Win32_Process).


# Get-CimInstance queries CIM/WMI classes; Win32_Process carries ParentProcessId and CommandLine
Get-Help Get-CimInstance -Examples
Get-CimInstance -Class Win32_Process | Where-Object -Property Name -EQ 'vlc.exe'
Get-CimInstance -Class Win32_Process | Where-Object -Property Name -EQ 'vlc.exe' | Select-Object * # all properties, including the parent PID and command line

Spotting the Bad Guys

Now, how can you use these commands to distinguish the good processes from the bad? By asking questions.

  • “Have I ever seen this process before?”
  • “Does this name look weirdly random?”
  • “Why is this running from the temp folder? That’s not normal!”
  • “Who’s the parent process? Does that make sense? lsass launching PowerShell? Since when?”
  • “Is anything encoded in base64? That’s a classic hiding technique!”
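Here is an added example (my code, not from the original notes) that puts the Get-CimInstance point and the questions above together: it builds a parent-aware process listing from Win32_Process and turns the temp-folder, odd-parent and base64 questions into flags. The temp-path pattern, the "odd parent" pairs and the base64 heuristics are illustrative assumptions for a stock Windows install, not a complete rule set.

```powershell
# Added example (not from the original notes): parent-aware process listing
# built on Win32_Process, with the triage questions turned into flags.
# Assumptions: the temp-path pattern, the odd-parent pairs and the base64
# heuristics below are illustrative choices, not a complete rule set.

$procs = Get-CimInstance -ClassName Win32_Process
$byId  = @{}
foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }

$rows = foreach ($p in $procs) {
    $parent     = $byId[[int]$p.ParentProcessId]
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    # PIDs get reused: a "parent" created after its child is not the real parent
    if ($parent -and $parent.CreationDate -gt $p.CreationDate) { $parentName = '<pid-reused>' }
    $cmd   = [string]$p.CommandLine
    $flags = @()

    # "Why is this running from the temp folder?"
    if ($p.ExecutablePath -match '\\(Temp|Downloads|Public)\\') {
        $flags += 'temp-path'
    }

    # "Who's the parent process? Does that make sense?"
    # lsass should never spawn anything; Office apps spawning script hosts is a classic.
    if ($p.Name -match '^(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)\.exe$' -and
        $parentName -match '^(lsass|winword|excel|outlook)\.exe$') {
        $flags += "odd-parent:$parentName"
    }

    # "Is anything encoded in base64?" -> -EncodedCommand (short forms -e/-ec/-enc)
    # followed by a base64 token, or any long run of base64 characters on the command line
    if ($cmd -match '\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}' -or
        $cmd -match '[A-Za-z0-9+/]{100,}={0,2}') {
        $flags += 'base64'
    }

    [pscustomobject]@{
        Pid         = $p.ProcessId
        ParentPid   = $p.ParentProcessId
        Name        = $p.Name
        ParentName  = $parentName
        Path        = $p.ExecutablePath
        Flags       = ($flags -join ',')
        CommandLine = $cmd
    }
}

# The full parent-resolved listing, for the "have I seen this before?" pass
$rows | Sort-Object ParentPid, Pid | Format-Table Pid, ParentPid, Name, ParentName, Path -AutoSize

# Only the hits, with their command lines
$rows | Where-Object Flags | Format-List Pid, Name, ParentName, Flags, CommandLine
```

The CreationDate comparison matters on a long-running host: Win32_Process only stores the parent PID, so once the real parent has exited that number can belong to an unrelated process, and a process that is "younger" than its child cannot be its parent.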

Examining network usage

PS C:\> Get-NetTCPConnection

PS C:\> Get-NetTCPConnection -State Listen | Select-Object -Property LocalAddress, LocalPort, OwningProcess

PS C:\> Get-NetTCPConnection -RemoteAddress 127.0.0.1 | Select-Object -Property CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State

Well, again your ally is knowing the normal: just look for the abnormal :D If you find that notepad.exe is listening on a port or connecting to the network, you’d better freak out.

PS C:\> Get-NetTCPConnection -State Listen | Select-Object -Property Local*, Remote*, OwningProcess | Format-Table

LocalAddress                 LocalPort RemoteAddress RemotePort OwningProcess
------------                 --------- ------------- ---------- -------------
::                               50131 ::                     0             4
::                               49734 ::                     0          1428
::1                              49727 ::                     0          9568
::                               49678 ::                     0          6988

Wait, there is a problem :D the command gives the process ID as output, not the process name. Can we make it better? Yes, pipe it to Get-Process.

PS C:\> Get-NetTCPConnection | Select-Object -Property Local*, Remote*, state,@{Name='Process';Expression={(Get-Process -Id $_.OwningProcess).ProcessName}} | Format-Table
LocalAddress                 LocalPort RemoteAddress   RemotePort       State Process
------------                 --------- -------------   ----------       ----- -------
::                               64406 ::                       0       Bound PhoneExperienceHost
::                               64361 ::                       0       Bound pwsh
::                               54124 ::                       0       Bound PhoneExperienceHost
::                               50131 ::                       0      Listen System
::                               49734 ::                       0      Listen services
::1                              49727 ::                       0      Listen jhi_service
::                               49678 ::                       0      Listen spoolsv
::                               49669 ::                       0      Listen svchost
::                               49668 ::                       0      Listen svchost

Beaconing too: malware beacons, since it wants to connect to its C2 server, right? So look for connections that keep coming back at regular intervals.

Aaaah, and you can use intel too, checking the remote addresses you see against known indicators. Intel is good, intel is life.
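An added example (my code, not from the original notes) for the network part: it joins Get-NetTCPConnection to Win32_Process so every socket carries the owning process name and path, then applies the "know the normal" checks, a constructed indicator list, and a short repeated-sampling pass for the beaconing question. The $neverNetwork baseline, the $badRemote addresses (TEST-NET values) and the "standard location" pattern are placeholders for your own environment.

```powershell
# Added example (not from the original notes): TCP connections joined to their
# owning process, with the "know the normal" checks, constructed intel and a
# beaconing sampler on top. $neverNetwork and $badRemote are placeholders.

$procById = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procById[[int]$_.ProcessId] = $_ }

$neverNetwork = @('notepad.exe', 'calc.exe', 'mspaint.exe')   # constructed baseline
$badRemote    = @('203.0.113.10', '198.51.100.77')            # constructed intel (TEST-NET addresses)

$conns = foreach ($c in Get-NetTCPConnection) {
    $p    = $procById[[int]$c.OwningProcess]
    $name = if ($p) { $p.Name } else { '<unknown>' }
    $path = if ($p) { $p.ExecutablePath } else { $null }
    [pscustomobject]@{
        Local         = "$($c.LocalAddress):$($c.LocalPort)"
        RemoteAddress = $c.RemoteAddress
        RemotePort    = $c.RemotePort
        State         = $c.State
        Pid           = $c.OwningProcess
        Process       = $name
        Path          = $path
        Created       = $c.CreationTime
    }
}

# 1. Binaries that have no business talking to the network (notepad.exe and friends)
$conns | Where-Object { $_.State -eq 'Established' -and $neverNetwork -contains $_.Process } |
    Format-Table Pid, Process, Local, RemoteAddress, RemotePort

# 2. Listeners whose image lives outside the usual system locations
$conns | Where-Object { $_.State -eq 'Listen' -and $_.Path -and
                        $_.Path -notmatch '^C:\\(Windows|Program Files( \(x86\))?)\\' } |
    Format-Table Pid, Process, Path, Local

# 3. Remote endpoints that match intel
$conns | Where-Object { $badRemote -contains $_.RemoteAddress } |
    Format-Table Pid, Process, RemoteAddress, RemotePort, State, Created

# 4. Beaconing hint: sample a few times and count how often the same
#    process -> remote pair reappears (short-lived connections that keep coming back)
$seen = @{}
foreach ($round in 1..5) {
    foreach ($c in Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue) {
        $key = "$($c.OwningProcess) -> $($c.RemoteAddress):$($c.RemotePort)"
        $seen[$key] = 1 + [int]$seen[$key]
    }
    if ($round -lt 5) { Start-Sleep -Seconds 30 }
}
$seen.GetEnumerator() | Sort-Object Value -Descending | Select-Object -Property Name, Value -First 20
```

The sampler is deliberately crude: five snapshots 30 seconds apart only tell you which process keeps re-establishing a connection to the same endpoint, which is the question to ask before pulling the proper network logs. The -ErrorAction on the filtered call is there because Get-NetTCPConnection reports an error rather than an empty result when no connection matches the filter.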

Examining Services

Get-Service # List all services
# For more information we can use the Win32 class again:
Get-CimInstance -Class Win32_Service | Where-Object -Property Name -EQ autotimesvc | Select-Object *

Another live examination activity is checking Windows services. Services can be used as a persistence technique, mapped in MITRE ATT&CK to T1543.003 (Create or Modify System Process: Windows Service).
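An added example (my code, not from the original notes) for the service check: it pulls every service from Win32_Service with the fields that matter for T1543.003 triage and flags services whose binary sits outside the standard locations, is missing on disk, or carries no valid Authenticode signature. The "standard locations" pattern assumes a stock install on C:, and the Get-ServiceBinary helper is my own parser for the quoted and unquoted forms found in PathName.

```powershell
# Added example (not from the original notes): Win32_Service triage with flags
# for non-standard binary paths, missing binaries and unsigned binaries.
# Assumption: "standard locations" means C:\Windows and C:\Program Files.

function Get-ServiceBinary([string]$pathName) {
    # Handles  "C:\Program Files\x\y.exe" --args  and  C:\WINDOWS\system32\svchost.exe -k netsvcs
    if (-not $pathName) { return $null }
    if ($pathName -match '^"([^"]+)"') { return $Matches[1] }
    if ($pathName -match '^(.*?\.exe)') { return $Matches[1] }
    return ($pathName -split '\s+')[0]
}

$rows = foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    $bin   = Get-ServiceBinary $s.PathName
    $flags = @()
    if ($bin -and $bin -notmatch '^C:\\(Windows|Program Files( \(x86\))?)\\') {
        $flags += 'nonstandard-path'
    }
    if ($bin) {
        if (Test-Path -LiteralPath $bin) {
            # Windows binaries are catalog-signed; Status is 'Valid' for those too
            $sig = Get-AuthenticodeSignature -FilePath $bin
            if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
        } else {
            $flags += 'binary-missing'
        }
    }
    [pscustomobject]@{
        Name      = $s.Name
        State     = $s.State
        StartMode = $s.StartMode
        Account   = $s.StartName
        Pid       = $s.ProcessId
        Binary    = $bin
        Flags     = ($flags -join ',')
        PathName  = $s.PathName
    }
}

# Everything, for the "have I seen this before?" pass
$rows | Sort-Object Name | Format-Table Name, State, StartMode, Account, Binary -AutoSize

# Only the flagged ones, with the full PathName (the arguments matter: svchost -k groups, DLL paths)
$rows | Where-Object Flags | Format-List Name, State, StartMode, Account, Flags, PathName
```

Review the flagged list against the full PathName rather than the parsed Binary alone: a legitimate svchost.exe can still host a malicious service DLL, and that DLL path only shows up in the service's own registry parameters, not in PathName.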

Examining Registry

We can use Get-ChildItem on the registry just like on the file system. For example, to look at the recently opened files by extension:

Get-ChildItem 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
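An added example (my code, not from the original notes) that goes one step past the Get-ChildItem listing above: it reads the RecentDocs key and its per-extension subkeys and decodes them into (extension, rank, file name) rows. The value layout is an assumption on my part, not something the page states: each numbered value starts with the file name as a null-terminated UTF-16LE string followed by a shell item that is ignored here, and MRUListEx is a list of little-endian Int32 value indexes, most recent first, terminated by -1.

```powershell
# Added example (not from the original notes): decode RecentDocs into
# (extension, rank, file name) rows. Layout assumptions: file name is a
# null-terminated UTF-16LE string at the start of each numbered value;
# MRUListEx is little-endian Int32 indexes, most recent first, ending in -1.

function ConvertFrom-RecentDocsValue([byte[]]$data) {
    # Take UTF-16LE characters up to the first 0x0000 terminator
    for ($i = 0; $i + 1 -lt $data.Length; $i += 2) {
        if ($data[$i] -eq 0 -and $data[$i + 1] -eq 0) {
            return [System.Text.Encoding]::Unicode.GetString($data, 0, $i)
        }
    }
    return [System.Text.Encoding]::Unicode.GetString($data)
}

function Get-RecentDocs {
    param([string]$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs')
    # The key itself holds the global list; each subkey is one extension (.txt, .docx, Folder, ...)
    $root = Get-Item -LiteralPath $Key
    $keys = @($root) + @(Get-ChildItem -LiteralPath $Key)
    foreach ($k in $keys) {
        $ext   = if ($k.Name -eq $root.Name) { '(all)' } else { $k.PSChildName }
        $order = $k.GetValue('MRUListEx')
        if (-not $order) { continue }
        $rank = 0
        for ($o = 0; $o + 3 -lt $order.Length; $o += 4) {
            $idx = [BitConverter]::ToInt32($order, $o)
            if ($idx -eq -1) { break }
            $raw = $k.GetValue([string]$idx)
            if (-not $raw) { continue }
            [pscustomobject]@{
                Extension = $ext
                Rank      = $rank        # 0 = most recently opened
                FileName  = ConvertFrom-RecentDocsValue $raw
            }
            $rank++
        }
    }
}

# Most recent first, per extension
Get-RecentDocs | Sort-Object Extension, Rank | Format-Table -AutoSize
```

The ordering comes from MRUListEx rather than from the numeric value names, because the value numbers are assigned when an entry is first created and are reused, so "highest number" does not mean "most recent".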

To be continued…