PSDecode

Endpoint Incident Response using - PSDecode

PSDecode is a PowerShell script module for decoding obfuscated PowerShell scripts. It strips layered obfuscation techniques such as string concatenation and string replacement.

From a malware analysis perspective, adversaries frequently employ encoding and obfuscation techniques to camouflage their downloader scripts, aiming to evade detection and hinder analysis by security professionals. By encoding and obfuscating their scripts, adversaries make it difficult for security solutions to identify and analyze the malicious intent embedded within the code.

Adversaries encode and obfuscate their downloader scripts to enhance their chances of successful infiltration, impede analysis, and protect their techniques. As defenders, it is crucial to know advanced techniques and tools capable of overcoming these obfuscation methods to effectively detect, analyze, and mitigate emerging threats.

To use PSDecode, create a directory named “PSDecode” under “WindowsPowerShell/v1.0”

See Image for reference.
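The following is an added example, not PSDecode's own code or code from the page. It demonstrates the idea behind the tool: shadow Invoke-Expression (and therefore its alias iex) with a function that records each layer after PowerShell has already resolved the string concatenation and -replace operators, and stops before the innermost command is executed. The sample script, the function names and the stop condition are this example's own assumptions.

```powershell
# Added example, not PSDecode's own code. Shadow Invoke-Expression so every
# obfuscation layer is recorded once PowerShell has evaluated the concatenation
# and -replace operators; the innermost command is recorded, never executed.
# Point it at real samples only inside an isolated analysis VM.

$script:Layers = [System.Collections.Generic.List[string]]::new()

function Invoke-Expression {
    [CmdletBinding()]
    param([Parameter(Mandatory, Position = 0, ValueFromPipeline)][string]$Command)
    process {
        $script:Layers.Add($Command)
        # If this layer hands yet another string to iex, unwrap it with the real
        # cmdlet (the module-qualified name bypasses this shadowing function).
        # A layer with no further iex is the decoded command: recorded, not run.
        if ($Command -match '\b(iex|Invoke-Expression)\b') {
            Microsoft.PowerShell.Utility\Invoke-Expression $Command
        }
    }
}

function Get-DecodedLayers {
    param([Parameter(Mandatory)][string]$ObfuscatedScript)
    $script:Layers.Clear()
    # The outermost layer is evaluated by the real cmdlet; every inner iex hits
    # the shadow function above.
    Microsoft.PowerShell.Utility\Invoke-Expression $ObfuscatedScript
    return $script:Layers.ToArray()
}

# Constructed, benign sample: a command split by concatenation, a junk character
# removed with -replace, and two nested iex calls.
$sample = @'
$inner = "('Get-#Pro' + 'cess -Na' + 'me power#shell') -replace '#',''"
($inner + ' | i' + 'ex') | iex
'@

$i = 0
foreach ($layer in Get-DecodedLayers -ObfuscatedScript $sample) {
    $i++
    "Layer ${i}: $layer"
}

# Restore the real cmdlet when finished with the analysis session
Remove-Item -Path Function:\Invoke-Expression
```

Two layers come out of the sample: the concatenated `-replace` expression with its trailing `| iex`, and then the plain `Get-Process -Name powershell` that the junk-character removal produces. Because the shadow function only re-enters Invoke-Expression when another iex is present, the final command is shown to the analyst rather than executed.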

KDiff 3

Endpoint Analysis using - KDiff 3

KDiff 3 is a cross-platform tool for comparing text and merging files or directories. It supports Unicode and UTF-8, shows differences per character and per line, integrates into Windows Explorer, can print the differences, and more.

Why baseline? It answers the question, “How can I detect abnormal behavior when I don’t know what is normal?” A baseline is one of the best ways to know what is normal and abnormal inside the organization, especially on endpoints and critical systems: it is a clear understanding of what normal looks like. Taking a baseline from time to time gives the organization the ability to detect abnormal behavior by comparing baselines gathered at different points in time.

From an incident response perspective, identifying patient zero during an incident or an infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data about the compromised systems, and having the right tool to execute these actions is a must. Not only does it automate everything, but it also helps the responder reduce the time needed to solve the issue.
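The baseline comparison described above needs something to diff. The following added example (not KDiff3's code, not from the page) writes a deterministic, sorted text snapshot of services, local accounts, Run keys and scheduled tasks; two snapshots taken at different times can then be opened side by side in KDiff3. The function name, the chosen data sources, the output paths and the KDiff3 install path are assumptions.

```powershell
# Added example: a plain-text endpoint snapshot suitable for diffing in KDiff3.
function Export-EndpointBaseline {
    param([Parameter(Mandatory)][string]$OutFile)

    $lines = [System.Collections.Generic.List[string]]::new()

    # Services: name, start type, current state and binary path
    Get-CimInstance -ClassName Win32_Service | Sort-Object Name | ForEach-Object {
        $lines.Add("SERVICE|$($_.Name)|$($_.StartMode)|$($_.State)|$($_.PathName)")
    }

    # Local accounts, with SID so a renamed account still stands out
    Get-LocalUser | Sort-Object Name | ForEach-Object {
        $lines.Add("USER|$($_.Name)|Enabled=$($_.Enabled)|SID=$($_.SID.Value)")
    }

    # Autostart entries under the Run keys (machine-wide and current user)
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in ($props.PSObject.Properties.Name | Sort-Object)) {
            if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $lines.Add("RUN|$key|$name|$($props.$name)")
        }
    }

    # Scheduled tasks, another common persistence location
    Get-ScheduledTask | Sort-Object TaskPath, TaskName | ForEach-Object {
        $lines.Add("TASK|$($_.TaskPath)$($_.TaskName)|$($_.State)")
    }

    # One record per line, sorted, so the diff shows only real changes
    $lines | Sort-Object -Unique | Set-Content -Path $OutFile -Encoding UTF8
    return $OutFile
}

# Usage (paths are assumptions): capture a known-good snapshot, capture again
# during triage, then compare the two files in KDiff3.
# Export-EndpointBaseline -OutFile 'C:\Baseline\host01-known-good.txt'
# Export-EndpointBaseline -OutFile 'C:\Baseline\host01-now.txt'
# & 'C:\Program Files\KDiff3\kdiff3.exe' 'C:\Baseline\host01-known-good.txt' 'C:\Baseline\host01-now.txt'
# Built-in fallback when KDiff3 is not on the box:
# Compare-Object (Get-Content 'C:\Baseline\host01-known-good.txt') (Get-Content 'C:\Baseline\host01-now.txt')
```

Keeping every record on a single sorted line is what makes the later diff readable: a new service, a new Run value or a new local account shows up as one added line rather than as a reshuffled block.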

RegRipper3.0

Endpoint Incident Response using - RegRipper

RegRipper is an open source forensic tool developed by Harlan Carvey that extracts data from the Windows Registry, from user-related hives to system hives.

RegRipper has a set of plugins that can be used by the examiner to suit their needs.

In this demo, we will create a test account named “MaliciousAccount” and use RegRipper to extract data from the SAM hive.

First, to extract data from the Registry using RegRipper, the examiner must provide the Registry hive and the location where the output will be saved.

Then, once both are provided, click Rip! to start the execution.

#Note: RegRipper uses a series of plugins to parse information from the hive file, then logs the output and saves it in .txt format.

Now, using RegRipper to extract data from our SAM hive, we can see our newly created user account and the details that are useful during an investigation, such as the account creation date and time.

Now, let’s look at what is inside the SOFTWARE Registry hive and what data RegRipper extracts from it.

RegRipper parses the hive and gives us the following details:

      • Launched installer and its details
      • Last logged-on user
      • MSI packages installed
      • Network card details
      • Network profiles
      • Run registry key, a common location for persistence
      • Scheduled tasks under the TaskCache registry key

#Note: There is a lot of information; for the sake of the demo I cited only some of it. Feel free to explore 🙂

The last hive we tackle in this demo is the SYSTEM Registry hive. We won’t be able to cover everything in detail, so it’s up to you to explore and see it for yourself 🙂

Parsing the SYSTEM hive with RegRipper gives us the following details:

      • AppCompatCache, which can be used as an artifact for evidence of execution
      • Mounted devices such as external devices (USB)
      • System services
      • ShimCache, which can also be used as an artifact for evidence of execution
      • USBStor, which can be used as an artifact to view the history of USB usage on the system

#Note: For the sake of the demo, we cited only the details that are easily understood and left the rest for you to explore. Again, feel free to explore and find what suits your needs 🙂
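The SAM, SOFTWARE and SYSTEM walkthrough above is driven from the GUI. The following added example (not RegRipper's own code or the page's) scripts the same steps from the command line with rip.exe, the engine behind the Rip! button: export the live hives, run a plugin per hive, and pull out the lines about the test account. The case folder, the rip.exe path and the plugin names samparse, appcompatcache and usbstor are assumptions; each plugin name is checked against the installed copy's own list before it is used.

```powershell
# Added example: RegRipper from the command line. Paths are assumptions.
$Case   = 'C:\Case\host01'                 # assumed output folder
$RipExe = 'C:\Tools\RegRipper3.0\rip.exe'  # assumed install path

function Export-Hives {
    # reg save snapshots a live hive to a file; it needs an elevated prompt
    New-Item -ItemType Directory -Path $Case -Force | Out-Null
    foreach ($hive in 'SAM', 'SOFTWARE', 'SYSTEM') {
        & reg.exe save "HKLM\$hive" (Join-Path $Case $hive) /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "reg save failed for $hive" }
    }
}

function Test-RipPlugin {
    param([Parameter(Mandatory)][string]$Plugin)
    # rip.exe -l prints the installed plugin list; require a whole-word match
    [bool]((& $RipExe -l) -match "\b$Plugin\b")
}

function Invoke-Rip {
    param([Parameter(Mandatory)][string]$Hive, [Parameter(Mandatory)][string]$Plugin)
    if (-not (Test-RipPlugin $Plugin)) { throw "plugin '$Plugin' not found in this RegRipper install" }
    $out = Join-Path $Case ("{0}_{1}.txt" -f $Hive, $Plugin)
    # -r hive file, -p plugin; the output is the same plain text the GUI saves
    & $RipExe -r (Join-Path $Case $Hive) -p $Plugin | Set-Content -Path $out -Encoding UTF8
    return $out
}

Export-Hives
$samReport   = Invoke-Rip -Hive SAM    -Plugin samparse        # accounts, creation and last-login times
$cacheReport = Invoke-Rip -Hive SYSTEM -Plugin appcompatcache  # evidence of execution
$usbReport   = Invoke-Rip -Hive SYSTEM -Plugin usbstor         # USB device history

# The account from the demo, with the lines that follow its entry
Select-String -Path $samReport -Pattern 'MaliciousAccount' -Context 0, 8
```

Exporting the hives with reg save keeps the analysis off the live Registry and leaves a copy in the case folder that can be re-ripped later with additional plugins from the list that `rip.exe -l` prints.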

Powershell CIM

Endpoint Analysis using Windows tool - Powershell

Windows Powershell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration framework. Powershell runs on Windows, Linux, and MacOS.

PowerShell makes administrators’ lives easier when managing their endpoints and servers. Why PowerShell? PowerShell is built on the .NET Common Language Runtime (CLR), which makes it possible to work with any of the technologies we manage.

From an incident response perspective, it is necessary for the responder to have the ability and skill to triage to patient zero and, by using no additional tools and using the built-in Windows features, can make investigation easier and faster.

From an attacker’s perspective, they can triage inside the organization using this tool, and it gives them an advantage: (1) they can mimic administrative tasks to reduce detection; (2) no additional tools need to be dropped, again reducing detection. This is part of the “living off the land” technique, which buys them time to triage inside the compromised organization without making too much noise.

Windows Powershell’s Get-CimInstance cmdlet gets the CIM instance of a class from a CIM server.

The syntax is as follows; in this case it is used to query a process’s name, PID and parent PID:

Get-CimInstance -Class Win32_<class_name> -Filter "Name = '<object_name>'" | Select-Object <object_property>

To apply a condition to the previous query, we can pipe it to a Where-Object

Get-CimInstance -Class Win32_<class_name> -Filter "Name = '<object_name>'" | Select-Object <object_property> | Where-Object { $_.ParentProcessId -eq <pid> }
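The Where-Object filter on ParentProcessId above finds one level of children. The following added example (not from the page) generalizes it into a tree walk: one Win32_Process query, parent names resolved locally, and every descendant of a chosen PID listed with its command line so a responder can follow what a suspicious process spawned. The function name and the depth limit are this example's own.

```powershell
# Added example: walk the process tree below a PID using Win32_Process.
function Get-ProcessTree {
    param(
        [Parameter(Mandatory)][int]$ParentProcessId,
        [int]$MaxDepth = 5      # guards against PID reuse creating loops
    )

    # One CIM query for the whole table; everything else is resolved in memory
    $procs = Get-CimInstance -ClassName Win32_Process |
             Select-Object Name, ProcessId, ParentProcessId, CommandLine, CreationDate
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    function Walk([int]$ppid, [int]$depth) {
        if ($depth -gt $MaxDepth) { return }
        # A parent that has already exited cannot be named from the live table
        $parentName = if ($byPid.ContainsKey($ppid)) { $byPid[$ppid].Name } else { '<exited>' }
        foreach ($child in ($procs | Where-Object { $_.ParentProcessId -eq $ppid } | Sort-Object ProcessId)) {
            [pscustomobject]@{
                Name            = ('  ' * $depth) + $child.Name   # indented by depth
                ProcessId       = $child.ProcessId
                ParentProcessId = $child.ParentProcessId
                Parent          = $parentName
                Created         = $child.CreationDate
                CommandLine     = $child.CommandLine
            }
            Walk -ppid $child.ProcessId -depth ($depth + 1)
        }
    }

    Walk -ppid $ParentProcessId -depth 0
}

# Usage: everything spawned, directly or indirectly, by the first explorer.exe
$explorer = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'explorer.exe'" |
            Select-Object -First 1
Get-ProcessTree -ParentProcessId $explorer.ProcessId |
    Format-Table Name, ProcessId, Parent, Created, CommandLine -AutoSize
```

Querying the class once and filtering in memory matters on a busy host: repeating `Get-CimInstance` per level would give each level a slightly different snapshot, and a short-lived child could be missed or its parent misattributed.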

 

Powershell services

Endpoint Analysis using Windows tool - Powershell

Windows PowerShell can query services through Get-Service and Get-WmiObject.

To put this to work, run the following syntax:

To view all services or a specific service: Get-Service <service_name>

To view a specific service and selected properties through WMI:

Get-WmiObject -Class Win32_Service -Filter 'Name = "<Service_name>"' -Property <property_name>
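The following is an added example, not code from the page, that extends the Win32_Service query above into a service triage view: each service with its account, start mode, binary path, the Authenticode status of that binary, and whether the binary lives outside the usual system directories, with running services linked to their PID. It uses Get-CimInstance instead of the older Get-WmiObject shown above, since the latter is absent from PowerShell 7. The function name, the WQL wildcard parameter and the directory heuristic are this example's own.

```powershell
# Added example: triage view over Win32_Service.
function Get-ServiceTriage {
    param([string]$NameFilter = '%')   # WQL LIKE pattern, % matches everything

    # Directories where Windows and installed software normally keep service binaries
    $sysDirs = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    Get-CimInstance -ClassName Win32_Service -Filter "Name LIKE '$NameFilter'" | ForEach-Object {
        # PathName is either quoted ("C:\Program Files\x\y.exe" -arg) or bare
        # (C:\Windows\system32\svchost.exe -k netsvcs); pull out the executable
        $exe = if ($_.PathName -match '^"([^"]+)"') { $Matches[1] }
               elseif ($_.PathName -match '^(\S+)')  { $Matches[1] }
               else { $null }

        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
                   (Get-AuthenticodeSignature -FilePath $exe).Status
               } else { 'FileMissing' }

        $inSys = $false
        foreach ($d in $sysDirs) {
            if ($exe -and $exe.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $inSys = $true }
        }

        [pscustomobject]@{
            Name              = $_.Name
            State             = $_.State
            StartMode         = $_.StartMode
            RunsAs            = $_.StartName
            ProcessId         = $_.ProcessId     # 0 when the service is not running
            Binary            = $exe
            Signature         = $sig             # Valid, NotSigned, HashMismatch, FileMissing, ...
            OutsideSystemDirs = -not $inSys
        }
    }
}

# Usage: a single service by name, as in the page's Get-WmiObject query
Get-ServiceTriage -NameFilter 'Spooler' | Format-List

# Usage: running services whose binary is unsigned, missing, or in an unusual location
Get-ServiceTriage |
    Where-Object { $_.State -eq 'Running' -and ($_.Signature -ne 'Valid' -or $_.OutsideSystemDirs) } |
    Format-Table Name, RunsAs, ProcessId, Binary, Signature, OutsideSystemDirs -AutoSize
```

Get-AuthenticodeSignature reads every binary, so the full run takes a while on a host with hundreds of services; narrow it with the `-NameFilter` pattern when only one service is in question. The ProcessId column is what ties a running service back to the Win32_Process queries above.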

 

Powershell WMIObject

Endpoint Analysis using Windows tool - Powershell

Powershell localuser

Endpoint Analysis using Windows tool - Powershell

We can get the list of local users through PowerShell and select properties such as name, lastlogon and logontype.

To achieve this, run the following syntax: Get-LocalUser | Select-Object -Property name,lastlogon,logontype

 

Powershell

Endpoint Analysis using Windows tool - Powershell

wmic users

Endpoint Analysis using Windows tool - wmic

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. It automates administrative tasks on remote computers. The ability to obtain management data from remote computers is what makes WMI useful. You can achieve this by using the WMI command line (wmic).

We can use WMI to query user accounts; run the following syntax: wmic useraccount list brief
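The following added example (not code from the page) serves both the Get-LocalUser query in the "Powershell localuser" section and the wmic useraccount query above. It joins the two views of the same accounts by SID: logon timestamps from Get-LocalUser, and the description and account type that `wmic useraccount list brief` reports, read from the same Win32_UserAccount class with Get-CimInstance because wmic is deprecated and removed from recent Windows builds. The function name, the RID threshold for built-in accounts and the local Administrators lookup are this example's own.

```powershell
# Added example: local account triage joining Get-LocalUser and Win32_UserAccount.
function Get-LocalAccountTriage {
    # What "wmic useraccount list brief" shows, keyed by SID
    $cim = @{}
    Get-CimInstance -ClassName Win32_UserAccount -Filter "LocalAccount = TRUE" |
        ForEach-Object { $cim[$_.SID] = $_ }

    # Members of the local Administrators group, keyed by SID
    # (orphaned SIDs can make this cmdlet error; ignore those entries)
    $admins = @{}
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { $admins[$_.SID.Value] = $true }

    Get-LocalUser | Sort-Object Name | ForEach-Object {
        $sid  = $_.SID.Value
        $rid  = [int](($sid -split '-')[-1])   # last component of the SID
        $acct = $cim[$sid]
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            LastLogon       = $_.LastLogon
            PasswordLastSet = $_.PasswordLastSet
            RID             = $rid
            BuiltIn         = ($rid -lt 1000)     # 500 Administrator, 501 Guest, 503 DefaultAccount, ...
            LocalAdmin      = $admins.ContainsKey($sid)
            Description     = if ($acct) { $acct.Description } else { $null }
            AccountType     = if ($acct) { $acct.AccountType } else { $null }
        }
    }
}

# Usage: every local account, the combined equivalent of the two page queries
Get-LocalAccountTriage | Format-Table Name, Enabled, LastLogon, PasswordLastSet, RID, BuiltIn, LocalAdmin -AutoSize

# Usage: accounts created on this host (RID 1000 and above) that hold local admin
# rights; a test account like the RegRipper demo's "MaliciousAccount" falls in this set
Get-LocalAccountTriage |
    Where-Object { -not $_.BuiltIn -and $_.LocalAdmin } |
    Format-Table Name, Enabled, LastLogon, PasswordLastSet, RID, Description -AutoSize
```

Keying on the SID rather than the name is deliberate: renaming an account changes the name in both views but not the SID or the RID, so a renamed built-in account still reports as built-in, and a new account still reports as created on the host.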