Sunday, June 28, 2015

More artifacts through PowerShell - Part 3

The main LRUP code lists many event logs that are useful in an incident response scenario. In this section, let's look some additional event logs that are going to be useful to collect.

Firewall related.

The below log shows the firewall rule changes and other actions such as profile changes.

Get-winevent -logname "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" | ft -auto -wrap 

Network related.

The below log shows the time when a network is changed from a home network to office network.

Get-winevent -logname Microsoft-Windows-BranchCache/Operational  | ft -auto -wrap

The below log shows when a network connection was made. 

Get-winevent -logname Microsoft-Windows-NetworkProfile/Operational  | ft -auto -wrap

Below log should be checked to see the RDP logins. More information on the event IDs is available at this MS link.

Get-winevent -logname Microsoft-Windows-TerminalServices-LocalSessionManager | ft -auto -wrap

Driver related.

Looking at the below log helps identify code integrity issues related to bad drivers or unsigned drivers. More information is available at this MSDN link.

Get-winevent -logname Microsoft-Windows-CodeIntegrity/Operational | ft -auto -wrap

Speaking of drivers, we can use the below command to get a listing of PnP related driver information.

Get-WmiObject -Class Win32_PnPEntity | select Caption,Name,Service

When a device is attached the computer, Windows attempts to detect the device type and install the appropriate driver so that it can communicate and control the device.

Completion of a device driver installation attempt gets recorded as an event ID 20001 message in the 'System' event log. The message provides device identification information and a status code for the device installation process. Devices that install successfully log an Event ID 20001 message with a status code of 0. To see this event, we can use the below one liner.

Get-WinEvent -ea 0 -FilterHashtable @{Logname='system';ID=20001} | select TimeCreated,ID,Message |ft -auto -wrap

Sunday, June 21, 2015

More artifacts through PowerShell - Part 2

Quickly identify a login event.

    Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | ft -auto -wrap

Quickly identify a login event for a particular user.

   Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | where {$_.message -like ‘*john*’ } | ft -auto –wrap

Quickly identify a login event for multiple users.

   Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | where {$_.message -like ‘*john*’ -or $_.message -like ‘*jane*’} | ft -auto –wrap

Quickly identify login events between two dates.

  Get-WinEvent -FilterHashtable @{Logname='security';ID=4624 ;StartTime="5/1/15";EndTime="5/31/15"} | ft -auto –wrap

Login events for a particular user between two dates.

  Get-WinEvent -FilterHashtable @{Logname='security';ID=4624 ;StartTime="5/25/15";EndTime="5/30/15"} | where {$_.message -like ‘*john*’ } | ft -auto –wrap

Quickly identify error events for previous day.

  Get-EventLog -LogName System -EntryType error -After (Get-Date).AddDays(-1) | ft -auto -wrap

Error events for a specific source such as NETLOGON

  Get-EventLog -LogName System -EntryType error -Source NETLOGON -After (Get-Date).AddDays(-1) | ft -auto -wrap

As a reminder, you can export any of these into a text file with the 'out-file' option; an example:

  Get-EventLog -LogName System -EntryType error -After (Get-Date).AddDays(-1) | ft -auto -wrap | out-file c:\event.txt

Saturday, June 20, 2015

More artifacts through PowerShell - Part 1

Identify currently logged in user.

If the requirement is to get only the logged in user along with the time of login then use "whoami' or "quser".

To see the privileges assigned for the currently logged in user.

whoami /priv /fo csv | convertfrom-csv | ft -auto -wrap

To identify the user profiles created.

User profiles can be checked by looking at the below registry location using Get-ItemProperty CmdLet.

Get-ItemProperty hklm:'\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*' |Select-Object PSChildName, ProfileImagePath | ft -auto -wrap

To identify users and processes that were started.

There are multiple commands that can be used but the builtin command 'qprocess' is the optimal one. It is similar to tasklist, but produces better output. It shows username, session id, pid, and image name.

Another useful command is 'qwinsta'. This builtin command shows RDP sessions as well.

'quser' is another useful command; this shows the logged in users, session name, time, etc. This command is extremely useful in a server environment.

To see if the user is part of administrator group.

net localgroup administrators .This command will show all the users that are part of the group 'administrators'.

Sunday, June 7, 2015

PowerShell updates

Have received many questions offline on the use of PowerShell and how we can get the desired artifacts from Windows system. While I have responded to most of those, I haven't gotten opportunity to update them here. I will try and update them here in a series of posts in the coming days.

The commands and options I will be posting are to be used in addition to the already published commands in the LRUP code and the SANS paper.

LRUP code is available here.