From 6fba5dd86d203f0ac5277ba1c44f5c6305e0b277 Mon Sep 17 00:00:00 2001 From: gurkenhabicht Date: Wed, 3 Apr 2024 15:41:21 +0200 Subject: [PATCH] windows forensics --- Enumeration/Windows/Powershell.md | 10 ++++++++++ Forensics/Windows Event Logs.md | 16 +++++++++++++++ Forensics/Windows Task Scheduler.md | 31 +++++++++++++++++++++++++++++ 3 files changed, 57 insertions(+) create mode 100644 Forensics/Windows Task Scheduler.md diff --git a/Enumeration/Windows/Powershell.md b/Enumeration/Windows/Powershell.md index cf3af1b..77b6e4b 100644 --- a/Enumeration/Windows/Powershell.md +++ b/Enumeration/Windows/Powershell.md @@ -314,3 +314,13 @@ Get-ADGroup Get-ADGroupMember Get-ADPrincipalGroupMembership ``` + +### Services + +List services that are running or stopped but always started automatically +after reboot in the following way. + +```sh +Get-Service | Where-Object {$_.State -eq "Running" -and $_.StartType -eq "Automatic"} +Get-Service | Where-Object {$_.State -eq "Stopped" -and $_.StartType -eq "Automatic"} +``` diff --git a/Forensics/Windows Event Logs.md b/Forensics/Windows Event Logs.md index 9879cb7..7d2653a 100644 --- a/Forensics/Windows Event Logs.md +++ b/Forensics/Windows Event Logs.md @@ -9,6 +9,17 @@ evtx_dump $EVENT_LOG > event.log evtx_dump -o json $EVENT_LOG > event.log ``` +## Query Windows Events + +One method is to use the GUI Tool `Event Viewer`, another method is to use Powershell. + +Use `Win-Event` to filter categories like Security or System (same categories +like in `Event Viewer`) and Event IDs throught the following line. + +```sh +Get-WinEvent -FilterHashTable @{LogName='';ID=''} | fl +``` + ## Event IDs ### Process 
@@ -46,8 +57,13 @@ evtx_dump -o json $EVENT_LOG > event.log * **4702**: Scheduled task updated * **4699**: Scheduled task deletion +### System + +* **7045**: Service installation + ### Security * **1100**: Logging service disabled * **1102**: Log deletion * **1116**: Malware detection +* **4697**: Service installation (subsection of **7045**) diff --git a/Forensics/Windows Task Scheduler.md b/Forensics/Windows Task Scheduler.md new file mode 100644 index 0000000..a43f303 --- /dev/null +++ b/Forensics/Windows Task Scheduler.md @@ -0,0 +1,31 @@ +# Windows Task Scheduler + +## Files & Paths + +By default, scheduled tasks are saved inside `C:\Windows\System32\Tasks\` + +## Use Task Scheduler + +There is a `Task Scheduler` GUI application, which uses the XML files inside +the (default) path mentioned above to display information about the scheduled +tasks. + +**Malicious Findings**: Compare mismatches between modification dates of the +XML files and the displayed values inside the GUI app + +There is also a Powershell Command-Let which works with the tasks. + +List enabled, scheduled tasks via Get-ScheduledTask or use `schtasks.exe` to +get CSV output in the following way. + +```sh +Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} +schtasks.exe /query /fo CSV | findstr /V Disabled +``` + +List scheduled tasks by creation date through `Get-ScheduledTask` in the +following way. + +```sh +Get-ScheduledTask | Where-Object {$_.Date -ne $null -and $_.State -ne "Disabled"} | Sort-Object Date | Select Date,TaskName,Author,State,TaskPath | ft +```
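Review bot: in the new Services section of Enumeration/Windows/Powershell.md, the `Where-Object` filters test `$_.State`, but `Get-Service` returns `ServiceController` objects whose property is named `Status`, not `State`, so `$_.State -eq "Running"` and `$_.State -eq "Stopped"` never match and both commands return nothing. Suggest `Get-Service | Where-Object {$_.Status -eq "Running" -and $_.StartType -eq "Automatic"}` and the same with `Stopped`. Worth a one-line note that `StartType` is only exposed by `Get-Service` on PowerShell 5.0 and later. Style: the fence is tagged `sh` but the content is PowerShell; `powershell` would be the accurate tag.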
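Review bot: in the first Forensics/Windows Event Logs.md hunk, the prose says "Use `Win-Event`" while the command shown is `Get-WinEvent`; the cmdlet name should be written `Get-WinEvent` throughout, and "throught" should be "through". The filter `@{LogName='';ID=''}` contains empty strings that cannot be run as-is; either mark them as placeholders (`LogName='<LogName>';ID=<ID>`) or show values the file itself lists, e.g. `Get-WinEvent -FilterHashtable @{LogName='Security';ID=4697} | Format-List`, so a reader knows `ID` takes a number rather than a quoted string. The fence here is also tagged `sh` for PowerShell content.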
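Review bot: in the second Forensics/Windows Event Logs.md hunk, the parenthetical "(subsection of **7045**)" on the new 4697 entry is unclear, since the hunk itself places 7045 under System and 4697 under Security, which are separate logs. Suggest "Security-log counterpart of 7045 (which is written by the Service Control Manager to the System log); only recorded when the Audit Security System Extension subcategory is enabled", so a reader understands why 4697 may be absent on a host that does show 7045.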
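Review bot: in the new Forensics/Windows Task Scheduler.md, the "Malicious Findings" check says to compare XML modification dates with "the displayed values" without saying which value; naming it (the task's registration date, the same `Date` property the last command sorts on) makes the check reproducible. `schtasks.exe /query /fo CSV | findstr /V Disabled` also drops any task whose name or path happens to contain the string "Disabled", which is worth a caveat next to the command. Style: "Powershell Command-Let" should read "PowerShell cmdlet", "List enabled, scheduled tasks" should drop the comma, the first sentence under "Files & Paths" lacks a terminating period, and both fences are tagged `sh` although they contain PowerShell and cmd commands.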