Intro to Windows
Shout-out to Black Hills Information Security and AntiSyphon Training for giving back to the community with their pay-what-you-can training series.
The Pay-What-You-Can series can also be found on their YouTube channel: https://www.youtube.com/live/katlU1_7Nro?si=u14oE1A-E-gcK4Nu - keep an eye out for updates; if you want a cert or CPEs, sign up at BHIS.
Ping, Port, Parse will be the foundation for the log review methodology.
Another fine reference for log analytics, worth reading now and coming back to later:
https://zeltser.com/security-incident-log-review-checklist/
Lab Documentation: https://docs.google.com/document/d/1bET9zWptaJMadEkpsoKhoCWRFPAN8_gkjgLT7xJJnqw/edit?tab=t.0
Lab Setup: https://docs.google.com/document/d/1bET9zWptaJMadEkpsoKhoCWRFPAN8_gkjgLT7xJJnqw/edit?tab=t.0
Please go to https://app.metactf.com and create a MetaCTF account, or log in with your existing account.
Once logged in, go to the "Cloud Labs" tab.
Enter the code DEC-E4XWK7 in the "Access Code" field and click "Submit".
Access code: DEC-E4XWK7
The goal of this lab is to get familiar with the Windows command line and how much it can do, and to build repetition in log review and analytics.
Check Network Connections
# Output active TCP and UDP connections with the PID (-o) and the executable (-b) that spawned each one;
# -b requires an elevated (Administrator) prompt, otherwise the process name is not shown
netstat -naob
# Show the FQDN of the remote side where one can be resolved
netstat -f
Take note of the PIDs of interest.

Power-Up with Task List (but we don't need no stinky GUI!)
# List the DLLs (/m) loaded by one process, filtered (/fi) to the PID noted above
tasklist /m /fi "pid eq [PID]"

The GUI is not always your friend.
Next, let's dive in a bit deeper with wmic and look at the process tree around the PID whose loaded DLLs we just listed:
# Print name, parent PID and PID for every process, then keep only the lines containing our PID
# (select-string is a PowerShell cmdlet; from a plain cmd.exe prompt use findstr instead)
wmic process get name,parentprocessid,processid | select-string [PID]

The Hunt for Malicious Processes Review
We found its parent process ID.
We did a search on that process ID.
As you can see from our analysis, it was launched by the cmd.exe process.
Note that the search we just did may turn up other things launched from the command line as well.
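The same chain as one PowerShell function (connections to owning PID, PID to parent, loaded DLLs), as an added example that is not part of the lab's own material. It assumes Windows PowerShell 5.1 or later on Windows and an elevated prompt; the function name Get-ConnectionTriage and the "DLL outside the Windows directory" check are choices made here, not something the lab prescribes.

```powershell
# Added example: automate netstat -naob / tasklist /m / wmic process get with built-in cmdlets.
# Assumes Windows, PowerShell 5.1+, and an elevated prompt (module lists of other users'
# processes need it). TCP only; Get-NetUDPEndpoint gives the UDP side but has no state.
function Get-ConnectionTriage {
    param(
        # Only report connections in these states (default: Established and Listen)
        [string[]]$State = @('Established', 'Listen')
    )

    # Step 1 (netstat -nao): active TCP sockets with the owning PID
    $conns = Get-NetTCPConnection | Where-Object { $State -contains $_.State }

    # Step 2 (wmic process get name,parentprocessid,processid): snapshot the whole process
    # table once, keyed by PID, so parent lookups do not race against process churn
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    foreach ($c in $conns) {
        $owner  = [int]$c.OwningProcess          # ($PID is a read-only automatic variable)
        $p      = $procs[$owner]
        $ppid   = if ($p) { [int]$p.ParentProcessId } else { $null }
        $parent = if ($null -ne $ppid) { $procs[$ppid] } else { $null }

        # Step 3 (tasklist /m): loaded DLLs; flag any not under the Windows directory.
        # PID 0/4 and protected processes refuse module access, so treat failure as "unknown".
        $modules = @()
        try { $modules = @((Get-Process -Id $owner -ErrorAction Stop).Modules) } catch { }
        $odd = $modules | Where-Object { $_.FileName -and $_.FileName -notlike "$env:SystemRoot\*" }

        [pscustomobject]@{
            Local        = "$($c.LocalAddress):$($c.LocalPort)"
            Remote       = "$($c.RemoteAddress):$($c.RemotePort)"
            State        = $c.State
            PID          = $owner
            Process      = if ($p) { $p.Name } else { '<exited>' }
            CommandLine  = if ($p) { $p.CommandLine } else { $null }
            ParentPID    = $ppid
            Parent       = if ($parent) { $parent.Name } elseif ($null -ne $ppid) { '<exited>' } else { $null }
            ModuleCount  = $modules.Count
            NonSystemDLL = ($odd | ForEach-Object { $_.ModuleName }) -join ','
        }
    }
}

# Usage: Get-ConnectionTriage | Sort-Object Remote | Format-Table -AutoSize
```

A parent of cmd.exe or powershell.exe for a process that owns a listening or outbound socket is the same signal the lab walks through by hand; the NonSystemDLL column is where the tasklist /m review usually pays off.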
Follow-up labs: https://github.com/strandjs/