whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

windows forensics

This commit is contained in:
gurkenhabicht 2024-04-03 15:41:21 +02:00
parent 97317fcefa
commit 6fba5dd86d
3 changed files with 57 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Enumeration/Windows/Powershell.md
View File

@ -314,3 +314,13 @@ Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
```
### Services
List services that are running or stopped but always started automatically
after reboot in the following way.
```sh
Get-Service | Where-Object {$_.State -eq "Running" -and $_.StartType -eq "Automatic"}
Get-Service | Where-Object {$_.State -eq "Stopped" -and $_.StartType -eq "Automatic"}
```

16
Forensics/Windows Event Logs.md
View File

@ -9,6 +9,17 @@ evtx_dump $EVENT_LOG > event.log
evtx_dump -o json $EVENT_LOG > event.log
```
## Query Windows Events
One method is to use the GUI Tool `Event Viewer`, another method is to use Powershell.
Use `Win-Event` to filter categories like Security or System (same categories
like in `Event Viewer`) and Event IDs throught the following line.
```sh
Get-WinEvent -FilterHashTable @{LogName='<Category>';ID='<Event IDs>'} | fl
```
## Event IDs
### Process
@ -46,8 +57,13 @@ evtx_dump -o json $EVENT_LOG > event.log
* **4702**: Scheduled task updated
* **4699**: Scheduled task deletion
### System
* **7045**: Service installation
### Security
* **1100**: Logging service disabled
* **1102**: Log deletion
* **1116**: Malware detection
* **4697**: Service installation (subsection of **7045**)

31
Forensics/Windows Task Scheduler.md Normal file
View File

@ -0,0 +1,31 @@
# Windows Task Scheduler
## Files & Paths
By default, scheduled tasks are saved inside `C:\Windows\System32\Tasks\`
## Use Task Scheduler
There is a `Task Scheduler` GUI application, which uses the XML files inside
the (default) path mentioned above to display information about the scheduled
tasks.
**Malicious Findings**: Compare mismatches between modification dates of the
XML files and the displayed values inside the GUI app
There is also a Powershell Command-Let which works with the tasks.
List enabled, scheduled tasks via Get-ScheduledTask or use `schtasks.exe` to
get CSV output in the following way.
```sh
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"}
schtasks.exe /query /fo CSV | findstr /V Disabled
```
List scheduled tasks by creation date through `Get-ScheduledTask` in the
following way.
```sh
Get-ScheduledTask | Where-Object {$_.Date -ne $null -and $_.State -ne "Disabled"} | Sort-Object Date | Select Date,TaskName,Author,State,TaskPath | ft
```