From 589a532bcef1ea92943b5278b18d7dc3aceaf549 Mon Sep 17 00:00:00 2001 From: whx Date: Thu, 11 Apr 2024 09:17:36 +0000 Subject: [PATCH] more event logs added, more details about domain user information added --- Forensics/Windows Event Logs.md | 6 +++- Forensics/Windows Registration.md | 46 +++++++++++++++++++++++++------ 2 files changed, 42 insertions(+), 10 deletions(-) diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 7d2653a..6ffadcb 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -38,11 +38,15 @@ Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl * **4723**: Attempt to change an account password. The user attempts to change their password * **4724**: Attempt to reset the account password. The user attempts to reset the password of another account * **4725**: Account disable -* **4726**: Account removal +* **4726**: Account removed from systemved from system * **4728**: Attempt to add an account to a global security group * **4729**: Attempt to remove an account from a global security group +* **4738**: User account properties were changed +* **4740**: User account was locked after repeated attempt of access * **4756**: Attempt to add an account to a universal security group * **4757**: Attempt to remove an account from a universal security group +* **4768**: Kerberos TGT request +* **4771**: Kerberos pre-auth failure ### Account Logon diff --git a/Forensics/Windows Registration.md b/Forensics/Windows Registration.md index 48a093c..f422052 100644 --- a/Forensics/Windows Registration.md +++ b/Forensics/Windows Registration.md 
@@ -14,15 +14,12 @@ ## Paths -These parts of the registries are called hives. They can be found under the -following path. - -* `C:\Windows\System32\Config` - * Default -> `HKEY_USERS\DEFAULT` - * SAM -> `HKEY_LOCAL_MACHINE\SAM` - * SECURITY -> `HKEY_LOCAL_MACHINE\Security` - * SOFTWARE -> `HKEY_LOCAL_MACHINE\Software` - * SYSTEM -> `HKEY_LOCAL_MACHINE\System` +These parts of the registries are called hives. They can be found under `C:\Windows\System32\Config`. +* Default -> `HKEY_USERS\DEFAULT` +* SAM contains account names/status/groups, hashed password, login timestamps -> `HKEY_LOCAL_MACHINE\SAM` +* SECURITY -> `HKEY_LOCAL_MACHINE\Security` +* SOFTWARE -> `HKEY_LOCAL_MACHINE\Software` +* SYSTEM -> `HKEY_LOCAL_MACHINE\System` * `C:\Users\\` * NTUSER.DAT -> `HKEY_CURRENT_USER`, hidden file @@ -31,6 +28,9 @@ following path. * `C:\Windows\AppCompat\Programs\Amcache.hve` +* `C:\Windows\security\database\` + * `secedit.sdb`, access control configuration + ### Transaction Logs * Transaction `.LOG` of the registry hive @@ -64,6 +64,7 @@ Following parts of EZTools should be taken note of. * RegRipper, cli and gui ## System Information + * OS Version -> `SOFTWARE\Microsoft\Windows NT\CurrentVersion` * Computer Name -> `SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName` * Time Zone `SYSTEM\CurrentControlSet\Control\TimeZoneInformation` 
@@ -160,6 +161,33 @@ GUIDs can be found in the following folder. * `NTUSER.DAT\Software\Microsoft\Windows\Currentversion\Explorer\UserAssist\{GUID}\Count` +## Network + +Network configuration can be found in the following path. + +* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList` + +## Domain Account Information + +The NT Directory Services `NTDS.dit` hive is an active directory database which contains information about the domain users. + +Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships, hashed passwords for user accounts, login timestamps, last set password, expiration time of the current password, security policies, OUs and connections to other domains. + +To get information out of the `NTDS.dit` hive, it has to be exported along with the SYSTEM hive to get the boot key of the system for decryption. + +Use `ntdsutil` tool to export a snapshot of the information. + +```sh +C:\Windows\system32\ntdsutil.exe "activate instance ntds" "ifm" "create full C:\Windows\Temp\NTDS" quit quit +``` + +Export the boot key of the system and use it for decryption. + +```sh +$BootKey = Get-BootKey -SystemHivePath 'C:\Windows\Temp\NTDS\registry\SYSTEM' +Get-ADDBAccount -All -DBPath 'C:\Windows\Temp\NTDS\NTDS.dit' -BootKey $BootKey +``` + ## Shim Cache Application Compatibility, AppCompatCache
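Review bot: In the first hunk of `Forensics/Windows Event Logs.md`, the replacement line `+* **4726**: Account removed from systemved from system` carries a duplicated fragment; it should read `* **4726**: Account removed from system`. The `4740` wording is also awkward: "User account was locked after repeated attempt of access" reads better as "User account was locked out after repeated failed logon attempts", which is what the lockout event records. The `4768` and `4771` entries are fine as added, but for consistency with the neighbouring entries consider spelling out what is logged, e.g. `4768: Kerberos TGT requested` and `4771: Kerberos pre-authentication failed`.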
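Review bot: The `Paths` hunk in `Forensics/Windows Registration.md` leaves the list with mixed nesting: the five `System32\Config` hives are promoted to top-level bullets, but the unchanged `* `C:\Users\\`` entry that follows still uses the old pattern of a directory bullet with nested hive names (`* NTUSER.DAT -> ...`). Either keep a `* `C:\Windows\System32\Config`` bullet with the hives indented under it, or flatten the `C:\Users` entries the same way, so the two blocks read alike. Minor wording in the same line: "These parts of the registries" should be "These parts of the registry". The added SAM description ("contains account names/status/groups, hashed password, login timestamps") is useful; the other four hives would benefit from the same one-line summary.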
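Review bot: For the added `C:\Windows\security\database\` entry, the description `secedit.sdb, access control configuration` is vague; `secedit.sdb` is the local security policy database (the store that `secedit` exports from and imports into), so "local security policy database" describes it more precisely than "access control configuration". Since this entry also uses the directory-plus-nested-file layout, it is another reason to keep that layout consistent across the `Paths` list.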
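Review bot: In the `Network` / `Domain Account Information` hunk, `NTDS.dit` is described as a "hive" three times, but it is not a registry hive; it is the Active Directory database (an ESE database), and only the `SYSTEM` hive exported alongside it is a registry hive. Rewording to "the `NTDS.dit` database" avoids confusing it with the hives listed earlier in the file. The second snippet uses `Get-BootKey` and `Get-ADDBAccount`, which come from the DSInternals PowerShell module; the text should say the module has to be installed, and both code fences should be tagged `powershell` (or the first one `cmd`) rather than `sh`, since neither line is shell syntax. The `ntdsutil` snippet should also note it must be run elevated on a domain controller, otherwise `activate instance ntds` fails. The sentence "Information stored about the domain users are for example, their full name, the username the Security identifier (SID),(domain & local) group memberships" needs punctuation and agreement: "Information stored about domain users includes, for example, the full name, the username, the security identifier (SID), (domain and local) group memberships, ...". Finally, the `Network` path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\NetworkList` is inconsistent with the file's `OS Version -> SOFTWARE\Microsoft\Windows NT\CurrentVersion` convention (no `HKEY_LOCAL_MACHINE\` prefix), and the `NetworkList` key lives under `Windows NT\CurrentVersion`, not `Windows\CurrentVersion`, so please verify and correct the path.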