WxTCmd

Incident Response with EZTools - WxTCmd

WxTCmd is bundled with EZTools. This tool is a Windows 10 timeline database parser.

Windows 10 Timeline is a feature in Windows 10 that displays user activity and makes it possible to quickly return to previous documents, programs, videos, images, and websites.

From an incident response perspective, we may want to gather or recover evidence of activity that happened on a suspected endpoint before it started behaving abnormally.

VSCMount

Incident Response with EZTools - VSCMount

VSCMount is bundled with EZTools. This tool can be used to mount all VSCs on a drive letter to a given mount point.

Volume Shadow Copy (VSC) is a feature in Windows that allows the system to take a snapshot or backup of your files, volumes, etc.

From an incident response perspective, we may want to gather or recover evidence of a deleted file and compare the system to its previous state before the detection happened.

VSCMount.exe command-line options and arguments

We can look for information about our Volume Shadow Copy in the following Registry paths:

HKLM\SYSTEM\CurrentControlSet\Services\VSS

HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore
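As an added example (not from the original post or from the EZTools project), the following PowerShell script enumerates the shadow copies present on a host, maps each one back to its source volume, and reads the two registry locations listed above. It assumes an elevated PowerShell session on the endpoint being examined; the CIM classes and registry value names are standard Windows ones.

```powershell
# Added example, not part of the original post: list the shadow copies available
# on this host and read the VSS-related registry keys named above, so a responder
# knows which snapshots exist before mounting them with VSCMount.
# Assumes an elevated PowerShell session on the endpoint being examined.

$vssServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\VSS'
$backupKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore'

# 1. Shadow copies present right now, oldest first, and the volumes they came from.
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy | Sort-Object InstallDate)
$volumes = Get-CimInstance -ClassName Win32_Volume

if ($shadows.Count -eq 0) {
    Write-Host 'No shadow copies present on this system.'
}

# 2. Map each snapshot to the drive letter of its originating volume. DeviceObject
#    is the \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN path that VSCMount exposes.
$shadows | ForEach-Object {
    $s   = $_
    $src = $volumes | Where-Object { $_.DeviceID -eq $s.VolumeName }
    $sourceName = if ($src) { $src.DriveLetter } else { $s.VolumeName }
    [pscustomobject]@{
        ShadowId     = $s.ID
        CreatedUtc   = $s.InstallDate.ToUniversalTime()
        SourceVolume = $sourceName
        DeviceObject = $s.DeviceObject
        Persistent   = $s.Persistent
    }
} | Format-Table -AutoSize

# 3. VSS service registration (Start type, binary path, account it runs as).
Write-Host "`n[VSS service]"
Get-ItemProperty -Path $vssServiceKey |
    Select-Object DisplayName, Start, ImagePath, ObjectName | Format-List

# 4. Exclusion lists under BackupRestore: files Windows leaves out of snapshots
#    and backups, and keys it will not restore. Useful to know what a snapshot
#    will NOT contain before relying on it as evidence.
foreach ($sub in 'FilesNotToSnapshot', 'FilesNotToBackup', 'KeysNotToRestore') {
    $path = Join-Path $backupKey $sub
    if (-not (Test-Path $path)) { continue }
    Write-Host "[$sub]"
    $props = Get-ItemProperty -Path $path
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        # Values are REG_MULTI_SZ, so join the entries for a one-line display.
        '{0,-30} {1}' -f $name, ($props.$name -join '; ')
    }
}
```

The DeviceObject column is the value to hand to VSCMount (or to `vssadmin list shadows` for cross-checking); the exclusion lists explain why some paths, for example large database files listed under FilesNotToSnapshot, may be missing from a mounted snapshot even though they exist on the live volume.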


The Volume Shadow Knows

Volume Shadow Copy Part 1

Volume Shadow Copy Part 2

Volume Shadow Copy Part 3

Timeline Explorer

Incident Response with EZTools - CSV XLS Format Viewer

Timeline Explorer is bundled with EZTools. This tool is used to view CSV and Excel (xls/xlsx) files and can do filtering, grouping, sorting, etc.

From an incident response perspective, we may be dealing with a lot of CSV and Excel files when we gather artifacts. Having a tool to parse and open these documents with ease can be very useful during an investigation, because gathering evidence and artifacts alone consumes time, and looking through the collected artifacts without a proper tool can drown us in data.


Introducing and Using TimeLine Explorer

SumECmd

Incident Response with EZTools - User Access Logging Forensics

SumECmd is bundled with EZTools. This tool processes Microsoft User Access Logs.

User Access Logging is a feature in Windows Server that aggregates client usage data by role and product on a local server. It helps Windows server administrators quantify requests from client computers for roles and services on a local server.

User Access Logging is a feature that “logs unique client access requests, in the form of IP addresses and user names, of installed products and roles on the local server.”

From an incident response perspective, responders need to know where to look to find evidence that an attacker contacted a system. Breadcrumbs of the attacker's actions can be found in the user records, and UAL artifacts can help the responder correlate the account used by the attacker and the source IP address with actions performed remotely on systems.

User Access Logs can be found under C:\Windows\System32\LogFiles\SUM


User Access Logging (UAL) Forensics

SrumECmd

Incident Response with EZTools - System Resource Usage Monitor Forensics

SrumECmd is bundled with EZTools. This tool processes the SRUDB.dat database and the SOFTWARE hive for network, process, and energy information.

In Windows, the System Resource Usage Monitor (SRUM) is a built-in component that tracks the usage of various resources on your computer, such as memory, CPU, and network usage. The information is stored in a database, which is surfaced through the Task Manager and other system monitoring tools. This information can be used to troubleshoot performance issues, identify resource bottlenecks, and optimize system performance.

From an incident response perspective, responders need to gather evidence of program execution. Say a suspicious PE file was dropped when a user in your organization clicked a phishing email: one of the most useful sources of evidence of execution on a Windows system is SRUM.

Windows SRUM Forensics

Windows 8 SRUM Forensics

System Forensics with SRUM

SQLECmd

Incident Response with EZTools - SQLite Forensics

SQLECmd is bundled with EZTools. This tool finds and processes SQLite files.

An SQLite file contains a database created with SQLite, a lightweight database storage system widely used in application development. SQLite files are often created by software developers for storing data used by their applications.

Shellbag Explorer

Incident Response with EZTools - Shellbags Forensics

Shellbag Explorer is bundled with EZTools. This tool is a GUI for viewing Shellbag data.

Shellbags are a set of registry keys which contain details about a user’s viewed folder, such as its size, position, and icon. This means that all directory traversal is tracked and maintained in the registry.

Windows creates a number of additional artifacts when storing these properties in the registry, providing the investigator with valuable information about the suspect’s folder and browsing history, as well as details for any folder that might no longer exist on the system (because it was deleted or was located on a removable device).

During an incident, adversaries may open or delete a directory, and being able to track their actions through these artifacts can help the responder retrieve evidence of whether the directory was opened or deleted.

Related Blog Post:

https://www.eyehatemalwares.com/digital-forensics/blog-df/shellbags-artifacts/

On a Windows system, this can be found at: C:\Users\<user>\AppData\Local\Microsoft\Windows\UsrClass.dat

In the Windows registry, this can be found at: HKEY_CLASSES_ROOT\Local Settings\SOFTWARE\Microsoft\Windows\Shell

Below is the Shellbag Explorer user interface:


Shellbag Forensics

Shellbags-Part 1

Shellbags-Part 2

SBECmd

Incident Response with EZTools - Shellbags Forensics

SBECmd is bundled with EZTools. This tool is the command-line edition of ShellBags Explorer, used for exporting Shellbag data.

Shellbags are a set of registry keys which contain details about a user’s viewed folder, such as its size, position, and icon. This means that all directory traversal is tracked and maintained in the registry.

Windows creates a number of additional artifacts when storing these properties in the registry, providing the investigator with valuable information about the suspect’s folder and browsing history, as well as details for any folder that might no longer exist on the system (because it was deleted or was located on a removable device).

During an incident, adversaries may open or delete a directory, and being able to track their actions through these artifacts can help the responder retrieve evidence of whether the directory was opened or deleted.

Related Blog Post:

https://www.eyehatemalwares.com/digital-forensics/blog-df/shellbags-artifacts/

On a Windows system, this can be found at: C:\Users\<user>\AppData\Local\Microsoft\Windows\UsrClass.dat

In the Windows registry, this can be found at: HKEY_CLASSES_ROOT\Local Settings\SOFTWARE\Microsoft\Windows\Shell

Below are the SBECmd options and arguments:

Shellbag Forensics

Shellbags-Part 1

Shellbags-Part 2

SDB Explorer

Incident Response with EZTools - ShimCache Forensics

SDB Explorer is bundled with EZTools. This tool displays the Shim Database in a GUI-based format.

A shim is a library that transparently intercepts API calls and changes the arguments passed, handles the operation itself, or redirects the operation elsewhere. Shims are mainly used for compatibility with legacy applications.

Shims serve a legitimate purpose, but they can also be used maliciously: adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims.


A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

%WINDIR%\AppPatch\sysmain.sdb and HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB

Custom databases are stored in:

%WINDIR%\AppPatch\Custom and %WINDIR%\AppPatch\AppPatch64\Custom

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom
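As an added example (not from the original post or from the EZTools project), the following PowerShell script inventories the three locations listed above: the InstalledSDB registrations, the per-executable bindings under Custom, and the .sdb files in the two Custom folders, hashing the latter so they can be compared against a known-good baseline. It assumes an elevated PowerShell session on the endpoint being examined and the standard value names sdbinst.exe writes (DatabasePath, DatabaseType, DatabaseDescription, DatabaseInstallTimeStamp).

```powershell
# Added example, not part of the original post: inventory the shim databases
# registered in the locations listed above and the .sdb files on disk, so an
# unexpected custom database stands out during triage.
# Assumes an elevated PowerShell session on the endpoint being examined.

$installedKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$customKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$customDirs   = @("$env:WINDIR\AppPatch\Custom", "$env:WINDIR\AppPatch\AppPatch64\Custom")

# 1. Databases registered by sdbinst.exe: one subkey per database GUID.
Write-Host '== InstalledSDB =='
if (Test-Path $installedKey) {
    Get-ChildItem -Path $installedKey | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        # DatabaseInstallTimeStamp is stored as a 64-bit FILETIME (QWORD).
        $installed = if ($p.DatabaseInstallTimeStamp) {
            [datetime]::FromFileTimeUtc($p.DatabaseInstallTimeStamp)
        }
        [pscustomobject]@{
            Guid         = $_.PSChildName
            Description  = $p.DatabaseDescription
            Path         = $p.DatabasePath
            Type         = $p.DatabaseType
            InstalledUtc = $installed
            # A registration whose file is gone is itself worth a note.
            OnDisk       = [bool]($p.DatabasePath -and (Test-Path -LiteralPath $p.DatabasePath))
        }
    } | Format-Table -AutoSize
}

# 2. Per-executable bindings: each subkey is a target program and each value name
#    is the GUID of the database applied to it.
Write-Host '== Custom (executable -> database GUID) =='
if (Test-Path $customKey) {
    Get-ChildItem -Path $customKey | ForEach-Object {
        $exe = $_.PSChildName
        foreach ($guid in $_.GetValueNames()) { '{0,-30} {1}' -f $exe, $guid }
    }
}

# 3. Custom .sdb files on disk, hashed for comparison with a known-good baseline.
Write-Host '== Custom .sdb files on disk =='
$customDirs | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-ChildItem -Path $_ -Filter *.sdb -Recurse -File
} | ForEach-Object {
    [pscustomobject]@{
        File         = $_.FullName
        Bytes        = $_.Length
        LastWriteUtc = $_.LastWriteTimeUtc
        SHA256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
    }
} | Format-Table -AutoSize
```

On a clean workstation the Custom key and folders are usually empty; any entry there, especially one bound to a commonly launched executable and installed around the time of the incident, is what you would then open in SDB Explorer to see which fixes it applies.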

Below is the SDB Explorer user interface:

Let's Talk About ShimCache - The Most Misunderstood Artifact

RLA

Incident Response with EZTools - Registry Forensics

RLA is bundled with EZTools. This tool replays transaction logs and updates registry hives so they are no longer dirty, which is useful when other tools do not know how to handle transaction logs.

The Windows Registry can provide us with a wide array of information about executables, systems, users, applications, etc., on Windows systems.

A registry hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files loaded into memory when the operating system is started or a user logs in.

Registry transaction logs (.LOG): Windows can use transaction logs when performing writes to registry files. The logs act as journals that store data being written to the registry before it is written to the hive files. Transaction logs are used when registry hives cannot be written directly due to locking or corruption.

During an incident, the Windows Registry can give us a lot of evidence and breadcrumbs that can be used during the investigation. Being able to acquire this evidence with the right skills and tools helps the responder resolve the incident quickly.

NTUSER.DAT can be located in C:\Users\<user>\NTUSER.DAT

Note: by default NTUSER.DAT is hidden from the user’s view; configure Folder Options and enable ‘Show hidden files’ to see it.
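As an added example (not from the original post or from the EZTools project), the following PowerShell script serves both this section and the Shellbags sections above: it locates every user's NTUSER.DAT and UsrClass.dat, lists their .LOG1/.LOG2 transaction logs, and reads the hive header to tell whether the hive is dirty, which is the case RLA exists to fix. It assumes an elevated session, the standard profile root C:\Users, and the documented 'regf' header layout (signature at offset 0, primary and secondary sequence numbers at offsets 4 and 8, last-written FILETIME at offset 12). The function name Get-HiveHeaderInfo is this example's own.

```powershell
# Added example, not part of the original post: find user registry hives and their
# transaction logs, and check each hive header for the "dirty" condition that
# RLA resolves by replaying the logs. Assumes an elevated PowerShell session.

function Get-HiveHeaderInfo {
    param([Parameter(Mandatory)][string]$Path)
    # A 'regf' hive starts with: 'regf' (0..3), primary sequence number (4..7),
    # secondary sequence number (8..11), last-written FILETIME (12..19).
    # Mismatched sequence numbers mean a write never completed and the missing
    # data still sits in the .LOG1/.LOG2 files: the hive is dirty.
    try {
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    } catch {
        # Hives of logged-on users are held open by the kernel without sharing;
        # copy them from a shadow copy (see VSCMount) instead of the live volume.
        return [pscustomobject]@{ Path = $Path; Dirty = $null; Note = 'locked; copy from a shadow copy' }
    }
    try {
        $buf = New-Object byte[] 20
        $null = $fs.Read($buf, 0, 20)
    } finally { $fs.Dispose() }

    if ([System.Text.Encoding]::ASCII.GetString($buf, 0, 4) -ne 'regf') {
        return [pscustomobject]@{ Path = $Path; Dirty = $null; Note = 'not a regf hive' }
    }
    $seq1 = [BitConverter]::ToUInt32($buf, 4)
    $seq2 = [BitConverter]::ToUInt32($buf, 8)
    [pscustomobject]@{
        Path           = $Path
        Dirty          = ($seq1 -ne $seq2)
        PrimarySeq     = $seq1
        SecondarySeq   = $seq2
        LastWrittenUtc = [datetime]::FromFileTimeUtc([BitConverter]::ToInt64($buf, 12))
        Note           = ''
    }
}

$profileRoot = 'C:\Users'
$hivePaths = foreach ($profile in Get-ChildItem -Path $profileRoot -Directory) {
    Join-Path $profile.FullName 'NTUSER.DAT'
    Join-Path $profile.FullName 'AppData\Local\Microsoft\Windows\UsrClass.dat'
}

$report = foreach ($hive in $hivePaths) {
    # -Force is required because these hives carry the hidden and system attributes.
    $h = Get-Item -LiteralPath $hive -Force -ErrorAction SilentlyContinue
    if (-not $h) { continue }
    $header = Get-HiveHeaderInfo -Path $h.FullName
    $logBytes = 0
    foreach ($suffix in '.LOG1', '.LOG2') {
        $log = Get-Item -LiteralPath ($hive + $suffix) -Force -ErrorAction SilentlyContinue
        if ($log) { $logBytes += $log.Length }
    }
    [pscustomobject]@{
        Hive         = $h.FullName
        HiveWriteUtc = $h.LastWriteTimeUtc
        LogBytes     = $logBytes
        Dirty        = $header.Dirty
        Note         = $header.Note
    }
}
$report | Format-Table -AutoSize

# Hives that need RLA before parsing: dirty header and transaction data on disk.
$report | Where-Object { $_.Dirty -eq $true -and $_.LogBytes -gt 0 } |
    Select-Object -ExpandProperty Hive
```

Pass each hive reported as dirty, together with its .LOG1 and .LOG2 files, to RLA; parsing the hive alone would silently miss the most recent writes, which are often exactly the ones that matter in an incident.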

What is the Windows Registry Transaction Log?