
---
date: "2016-12-13"
draft: false
title: "Windows Survey"
---


# Init

  1. Situational Awareness
  • ipconfig /all # Host Name, IP Address
  • wmic process get executablepath, processid, parentprocessid | more # Unusual processes
  • wmic process get commandline # Process args and location
  • net start # currently running services
  • date /t # Get system date
  • time /t # Get system time
  • ver # system version
  • net stats server # uptime and stats
  • systeminfo

  PowerShell alternative

  • gwmi win32_networkadapterconfiguration | ft description, ipaddress, defaultipgateway
  • gwmi win32_process | select processid, parentprocessid, <executablepath | commandline> | ft -autosize
  • gwmi win32_service | select processid, <displayname|name>, state, pathname | sort processid | ft -autosize
  • get-date

# Networking

  1. Caches
  • ipconfig /displaydns # dns cache
  • arp -a # arp cache
  1. Listening Ports
  • Map service to listening port:
    • sc query <service> # find dll
    • tasklist /FI "services eq <service>" # find dll
    • listdlls -d <service>.dll # find PID
    • netstat -ano # match PID to PORT
  • Map listening port to process:
    • netstat -ano | findstr EST # find Established connections and PID
    • netstat -ano # find listening connection port's PID
    • tasklist /fi "pid eq <pid>"
  1. NetBIOS
  • nbtstat -n
  1. Routes
  • route print
  1. Share Usage
  • net use # Current outbound connections
  • net share # Current shared resources
  1. Firewall
  • XP
    • netsh firewall show config
  • Vista+
    • netsh advfirewall show allprofiles
    • netsh advfirewall show currentprofile
    • netsh advfirewall firewall show rule profile=<PROFILE> name=all
  • Allowed programs
    • netsh firewall show allowedprogram
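The two "map port to process" and "map service to port" procedures above done in one pass, as an added example (not part of the original notes): every listening TCP port (or established connection) is joined to its owning process and, when that PID hosts services, to the service names. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt so ExecutablePath and CommandLine are readable for processes owned by other users.

```powershell
# Added example, not from the original notes. Assumes Get-NetTCPConnection (Windows 8+ / 2012+)
# and an elevated prompt.
function Get-PortOwner {
    param([ValidateSet('Listen', 'Established')][string]$State = 'Listen')

    # Index services and processes by PID once. A single svchost PID can host several
    # services, which is why service names are joined instead of taken one-to-one.
    $svcByPid  = Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 } |
                 Group-Object ProcessId -AsHashTable -AsString
    $procByPid = Get-CimInstance Win32_Process | Group-Object ProcessId -AsHashTable -AsString

    Get-NetTCPConnection -State $State | Sort-Object LocalPort | ForEach-Object {
        $owner  = "$($_.OwningProcess)"
        $proc   = $procByPid[$owner] | Select-Object -First 1
        $svcs   = $svcByPid[$owner]
        $remote = if ($State -eq 'Established') { "$($_.RemoteAddress):$($_.RemotePort)" } else { '' }
        [pscustomobject]@{
            Local       = "$($_.LocalAddress):$($_.LocalPort)"
            Remote      = $remote
            PID         = $_.OwningProcess
            Process     = $proc.Name
            Path        = $proc.ExecutablePath
            Services    = ($svcs.Name -join ',')   # empty for processes that host no service
            CommandLine = $proc.CommandLine
        }
    }
}

Get-PortOwner -State Listen      | Format-Table -AutoSize -Wrap
Get-PortOwner -State Established | Format-Table -AutoSize -Wrap
```

A listener whose Path is empty while running elevated, or a svchost entry with no Services, is the same "unusual process" signal the netstat/tasklist pairing above is meant to surface, just without the manual PID matching.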

# Users and Domains

  1. Users
  • net users # Enumerate users
  • net session # Enumerate users
  • reg query hklm\system\currentcontrolset\control\hivelist # Look for SIDs of other logged-on users
  • psloggedon # Look for other users logged on
  • psloglist "Security" -i 528 -s | find /i "Logon Type: 10"
  1. Local Policies
  • secedit /export /cfg c:\seccfg.ini
  • type c:\seccfg.ini # show policies
  1. Auditing
  • auditpol # Look for actions which will be logged
  1. Domain Membership
  • reg query hklm\system\currentcontrolset\services\tcpip\parameters # NV Domain
  • systeminfo # Domain

    | Values                         | Inference |
    |--------------------------------|-----------|
    | NV Domain absent or empty      | WORKGROUP |
    | NV Domain == systeminfo Domain | DOMAIN    |
    | NV Domain != systeminfo Domain | WORKGROUP |

  1. SIDs
  • wmic useraccount where name='<username>' get sid
  • wmic useraccount where sid='S-1-3-12-1234525106-3567804255-30012867-1437' get name
  • psgetsid <sid>
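The Domain Membership inference table and the SID lookups above, as an added example that is not part of the original notes: it reads the same two sources (the NV Domain registry value and the domain systeminfo reports, taken here from Win32_ComputerSystem), applies the table, and resolves name to SID and back without psgetsid. Nothing in it needs elevation.

```powershell
# Added example, not from the original notes.
function Get-DomainMembership {
    $params   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
    $nvDomain = $params.'NV Domain'
    $cs       = Get-CimInstance Win32_ComputerSystem   # .Domain is what systeminfo prints as "Domain"

    # The inference table from the notes, evaluated top to bottom
    $inference = if ([string]::IsNullOrEmpty($nvDomain)) { 'WORKGROUP (NV Domain absent or empty)' }
                 elseif ($nvDomain -ieq $cs.Domain)    { 'DOMAIN (NV Domain == systeminfo Domain)' }
                 else                                   { 'WORKGROUP (NV Domain != systeminfo Domain)' }

    [pscustomobject]@{
        NVDomain     = $nvDomain
        SystemDomain = $cs.Domain
        PartOfDomain = $cs.PartOfDomain   # WMI's own answer; use it to confirm the inference
        Inference    = $inference
    }
}

# Equivalents of "wmic useraccount where name='x' get sid" and "psgetsid <sid>" via .NET
function ConvertTo-Sid([string]$Account) {
    (New-Object System.Security.Principal.NTAccount($Account)).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
}
function ConvertFrom-Sid([string]$Sid) {
    (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
        [System.Security.Principal.NTAccount]).Value
}

Get-DomainMembership | Format-List
ConvertTo-Sid $env:USERNAME        # local account; use 'DOMAIN\user' for a domain account
ConvertFrom-Sid 'S-1-5-32-544'     # well-known SID of BUILTIN\Administrators
```

If PartOfDomain disagrees with the table's inference, trust PartOfDomain and treat the NV Domain value as something worth explaining (a stale or hand-edited DNS suffix).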

# Hardware

  • Identify the number of logical processors on the target system:
    • wmic cpu get numberoflogicalprocessors
    • pslist processor count:
      • Number of threads in the System Idle Process equals the number of processors
      • Idle process CPU Time / smss Elapsed Time (uptime) approximately equals the number of processors
    • systeminfo | find /I "processor"

# Software

  1. System info via process lists
  • pslist

    | Interrogated Value      | Inferred Information    |
    |-------------------------|-------------------------|
    | System PID = 2          | Windows NT              |
    | System PID = 4          | Windows XP+             |
    | System PID = 8          | Windows 2000            |
    | wininit and lsm present | Windows Vista+          |
    | one csrss               | Windows XP/2003 or less |
    | more than 2 csrss       | Windows Vista+          |
    | dwm                     | Windows Vista+          |
    | MsMpEng                 | Windows Defender        |
    | NisSrv                  | Security Essentials     |
    | msseces                 | Security Essentials     |
    | explorer Elapsed Time   | Logon time              |
    | smss Elapsed Time       | System Uptime           |

  1. System software integrity
  • dir /tc /od c:\windows\system32 # look for most recent changes in system32 (likely suspect)
  1. System PATH integrity
  • reg query "hklm\system\currentcontrolset\control\session manager\environment" /v path
  • reg query "hkcu\environment" /v path
  1. AppInit (dll) integrity
  • reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v appinit_dlls

    All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current logon session. (TODO: move to registry.md, link to there)

  1. Enumerate Persistence Vectors
  • autorunsc <-b|-l> # show boot and logon auto startups
  • reg query hklm\software\microsoft\windows\currentversion\run
  • reg query hkcu\software\microsoft\windows\currentversion\run
  • reg query hklm\software\microsoft\windows\currentversion\runonce
  • reg query hkcu\software\microsoft\windows\currentversion\runonce
  • reg query "hklm\software\microsoft\windows nt\currentversion\winlogon" /v shell
  1. Evaluate Files (exe, dll, sys, etc)
  • dir /O:D /T:[A|C|W]
  1. Evaluate Anti-Virus Protection
  • wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayname /format:list

  or

  • make a copy of killav.rb with only the file names, one per line (avlist.txt)
  • $av = gc avlist.txt
  • $p = gwmi win32_process | sort name -unique | select name
  • $p | ?{$av -contains $_.Name} # display the intersection of process names and anti-virus names
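The pslist inference table in "System info via process lists" evaluated automatically, as an added example that is not part of the original notes. It uses Win32_Process, which exposes the same PIDs, names and start times pslist shows, and cross-checks the smss-based uptime against LastBootUpTime. Run it elevated; otherwise the creation times of System, smss and csrss are not readable and the uptime fields stay empty.

```powershell
# Added example, not from the original notes. Run elevated for complete start times.
function Invoke-ProcessListInference {
    # Win32_Process names carry the .exe suffix (csrss.exe); "System" does not
    $byName = Get-CimInstance Win32_Process | Group-Object { $_.Name.ToLower() } -AsHashTable -AsString

    function Test-Proc([string]$n)     { $byName.ContainsKey($n.ToLower()) }
    function Get-ProcCount([string]$n) { if (Test-Proc $n) { @($byName[$n.ToLower()]).Count } else { 0 } }
    function Get-FirstStart([string]$n) {
        if (Test-Proc $n) { ($byName[$n.ToLower()] | Sort-Object CreationDate | Select-Object -First 1).CreationDate }
    }

    $systemPid     = ($byName['system'] | Select-Object -First 1).ProcessId
    $osBySystemPid = switch ([int]$systemPid) {
        2       { 'Windows NT' }
        4       { 'Windows XP or later' }
        8       { 'Windows 2000' }
        default { 'unknown' }
    }

    # Vista+ runs one csrss per session (session 0 plus each interactive session), so two or
    # more is the normal Vista+ picture; a single csrss points at XP/2003 or earlier.
    $csrss     = Get-ProcCount 'csrss.exe'
    $osByCsrss = if ($csrss -le 1) { 'Windows XP/2003 or earlier' } else { 'Windows Vista or later' }

    $vistaMarkers = @('wininit.exe', 'lsm.exe', 'dwm.exe') | Where-Object { Test-Proc $_ }

    $av = @()
    if (Test-Proc 'MsMpEng.exe') { $av += 'Windows Defender (or Security Essentials engine)' }
    if ((Test-Proc 'NisSrv.exe') -or (Test-Proc 'msseces.exe')) { $av += 'Security Essentials' }

    $now        = Get-Date
    $smssStart  = Get-FirstStart 'smss.exe'
    $uptimeSmss = if ($smssStart) { $now - $smssStart } else { $null }
    $bootTime   = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime   # independent uptime source

    [pscustomobject]@{
        SystemPid         = $systemPid
        OsBySystemPid     = $osBySystemPid
        CsrssCount        = $csrss
        OsByCsrss         = $osByCsrss
        VistaPlusMarkers  = ($vistaMarkers -join ',')
        AntiMalware       = ($av -join '; ')
        UptimeFromSmss    = $uptimeSmss
        UptimeFromWmi     = $now - $bootTime
        LogonFromExplorer = Get-FirstStart 'explorer.exe'
    }
}

Invoke-ProcessListInference | Format-List
```

When UptimeFromSmss and UptimeFromWmi disagree by more than a few seconds, one of the two sources has been tampered with or the smss instance you matched is not the boot-time one; both are worth noting in the survey.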
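The reg query lines under "Enumerate Persistence Vectors" and "AppInit (dll) integrity" collected into one table, as an added example that is not part of the original notes. Locations with a known default (the Winlogon Shell value and AppInit_DLLs) are flagged when the data differs; Run/RunOnce entries are listed for review. The Wow6432Node Run key is added for 64-bit Windows. autorunsc covers far more locations; this only automates the registry lines above.

```powershell
# Added example, not from the original notes. Only the keys listed here are read.
$autostartLocations = @(
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Key = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Value = 'Shell';        Expected = 'explorer.exe' }
    @{ Key = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows';  Value = 'AppInit_DLLs'; Expected = '' }
)

function Get-AutostartEntries {
    foreach ($loc in $autostartLocations) {
        $key = Get-Item -Path $loc.Key -ErrorAction SilentlyContinue
        if (-not $key) { continue }

        # One named value (Shell, AppInit_DLLs) or every value under a Run/RunOnce key
        $names = if ($loc.Value) { @($loc.Value) } else { $key.GetValueNames() }
        foreach ($name in $names) {
            $data    = $key.GetValue($name)
            $display = if ($name) { $name } else { '(Default)' }
            $note    = if ($loc.ContainsKey('Expected')) {
                           if ("$data" -ine $loc.Expected) { 'DIFFERS FROM DEFAULT' } else { 'default' }
                       } else { 'review' }
            [pscustomobject]@{
                Key  = $loc.Key
                Name = $display
                Data = "$data"
                Note = $note
            }
        }
    }
}

Get-AutostartEntries | Format-Table -AutoSize -Wrap
```

An AppInit_DLLs value that is non-empty, or a Shell value other than explorer.exe, is exactly the condition the two reg query lines above are checking for; the Run/RunOnce rows still need the same judgement you would apply to autorunsc output (path in a user-writable directory, unsigned binary, odd name).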

# Event Logs

Read or get data from an event log:

  • WMIC NTEVENT WHERE "LogFile='security'" GET Message,EventType /FORMAT:HTABLE > c:\winmgmtevents.htm # htable formats the output as HTML
  • powershell get-winevent -path C:\Windows\System32\winevt\Logs\Security.evtx
  • wevtutil qe Security # short form of wevtutil query-events

Get the last 10 entries from a log file:

  • powershell get-eventlog security -newest 10 | format-list
  • psloglist security -n 10
  • wevtutil query-events security /count:10 /rd:true /format:xml
  • WMIC NTEVENT WHERE "LogFile='application'"
  • powershell get-winevent -maxevents 10 -path C:\Windows\System32\winevt\Logs\Security.evtx # get-winevent takes -maxevents, not -newest

Search an event log for an event type:

  • auditpol security -f "success audit"
  • psloglist -s -t "\t" -n 20 Security | findstr /n /i "Success Audit"

Find all events for a newly created user:

  1. Get the user's SID: wmic useraccount where name='icarus' get sid # replace 'icarus' with the account name
  2. Use psloglist and findstr to find the relevant entries: psloglist -s -t "\t" -n 20 Security | findstr /n /i "<SID>"

# Users

  • Enable a user account: wmic useraccount where name="vhalen" set disabled="False"
  • Get information on a specific user: wmic useraccount where name="username" get /all /format:list
  • Get all group and user information: wmic path win32_account get /format:list
  • Find the currently logged-on user: reg query "HKCU\Volatile Environment" /v homepath
  • reg query "hklm\software\microsoft\windows nt\currentversion\profilelist" # gets you the SIDs of local profiles
  • List everything about a user: wmic useraccount where name='rblum' get /format:list
  • Find the last user to log onto the system: reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v defaultusername
  • Disable a user account: wmic useraccount where name='john' set disabled=true
  • Re-enable a user account: wmic useraccount where name='john' set disabled=false
  • Set password to never expire: wmic useraccount where name='tstark' set PasswordExpires=false
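The "find all events for a newly created user" procedure and the "last 10 entries" queries above done with Get-WinEvent, as an added example that is not part of the original notes. It assumes the Vista+ Security event IDs 4720 (a user account was created) and 4624 (logon); the 528 in the psloglist line earlier is the pre-Vista logon ID. Reading the Security log requires an elevated prompt. The user name 'icarus' is the one the notes use.

```powershell
# Added example, not from the original notes. Run elevated to read the Security log.
function Get-NewUserEvents {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$Sid,                  # pass the SID directly if the account has since been deleted
        [int]$MaxEvents = 5000
    )
    if (-not $Sid) {
        # Same resolution as "wmic useraccount where name='...' get sid"; use DOMAIN\user for domain accounts
        $Sid = (New-Object System.Security.Principal.NTAccount($UserName)).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
    }
    # Mirror the findstr step: match the SID or the name anywhere in the rendered message
    $pattern = '{0}|{1}' -f [regex]::Escape($Sid), [regex]::Escape($UserName)

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $pattern } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

# Equivalent of the get-eventlog / psloglist / wevtutil "last 10" lines above
function Get-LastEvents([string]$LogName = 'Security', [int]$Count = 10) {
    Get-WinEvent -LogName $LogName -MaxEvents $Count |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

Get-NewUserEvents -UserName 'icarus' | Format-Table -AutoSize
Get-LastEvents -LogName Security -Count 10 | Format-Table -AutoSize
```

The 4720 row gives you who created the account (the Subject fields of that event), and the 4624 rows that follow show when and with which logon type it was first used; together they replace the manual psloglist/findstr pass.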

# Documents and Timestamps

  • wmic datafile where name="<path_filename>" get version # get the version of a file; write each backslash in the path as \\
  • dir /t:C, dir /t:A, dir /t:W # Create, LastAccess, LastWrite timestamps
  • gci | select * # shows all the properties you can select
  • gci | select name, LastWriteTime, LastWriteTimeUTC
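The dir /t:C|A|W and gci timestamp lines turned into the system32 "most recent changes" triage from the Software section, as an added example that is not part of the original notes. It lists all three timestamps plus UTC, the file version and the Authenticode status for files created or written recently. The defaults (7 days, exe/dll/sys) are assumptions for the example.

```powershell
# Added example, not from the original notes. Defaults are assumptions; adjust per host.
function Get-RecentSystemFiles {
    param(
        [string]$Path = "$env:SystemRoot\System32",
        [int]$Days = 7,
        [string[]]$Extension = @('.exe', '.dll', '.sys')
    )
    $since = (Get-Date).AddDays(-$Days)

    Get-ChildItem -Path $Path -File -ErrorAction SilentlyContinue |
        Where-Object { $Extension -contains $_.Extension -and
                       ($_.CreationTime -gt $since -or $_.LastWriteTime -gt $since) } |
        Sort-Object CreationTime -Descending |
        Select-Object Name, CreationTime, LastAccessTime, LastWriteTime, LastWriteTimeUtc,
            @{ n = 'Version';   e = { $_.VersionInfo.FileVersion } },
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } }
}

Get-RecentSystemFiles | Format-Table -AutoSize
```

A CreationTime newer than LastWriteTime is the classic sign of a file copied in after it was built, and a Signature other than Valid on a system32 binary deserves a closer look. LastAccessTime is often stale because Vista and later do not update it by default.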

# Misc

  • wmic os get systemdirectory /value # List the system directory