Windows Forensics — DFIR

whoami
8 min read · Mar 28, 2023


This Windows forensics challenge is provided by the Let’sDefend platform.

Happy Investigating and analyzing!

Windows Forensics

What is Windows Forensics Analysis?

This is commonly used in the investigation of cybercrime, fraud, or other types of computer-related incidents.

Windows Forensics involves an in-depth analysis of the Windows operating system and of Windows system artifacts.

In Windows Forensics, we have to know what to look for, where to find it, and which investigation tools to use.

Scenario

A targeted phishing campaign was carried out against our organization, and the phishing mail has been opened on 3 systems in our network. A quick triage image was collected from one of the infected systems and provided to you to identify the TTPs being used by the attackers.

Identify the Techniques and tactics used by the attacker so our incident response team can respond and mitigate any further compromises across the network.

Required Security Tools:

Let’s start the investigation!

We have two ways to see the content of the AD1 image file: mount the file, or import the image file.

FTK Imager

Initial Access was made through a Malicious Document delivered through email. What was the full path where the document was downloaded?

In this case, we are looking for folder access history. ShellBags contain the folder structure and view preferences, and they are stored in NTUSER.dat and USRCLASS.dat.

Mount the [Root] folder, then open the ShellBags Explorer application to analyze. Initially, I went through NTUSER.dat (the dirty hive) and got no useful information, then I moved to USRCLASS.dat to see if there was any download folder.

And, I got it! The FULL PATH is Desktop\My Computer\Downloads\MailDownloads, but keep in mind that it is under the user profile C:\Users\CyberJunkie

ShellBag

What’s the document name? (The document which was delivered via phishing)

What to look for? Evidence of file creation, or recently used files

$Recycle.Bin is a folder in the root directory of a Windows volume containing deleted files and folders. When a file or folder is deleted from a Windows system, it is moved to the Recycle Bin instead of being permanently deleted.

The $Recycle.Bin folder here is a valuable source of information. Deleted files and folders in the Recycle Bin may contain important data or evidence that could be useful in an investigation.

Location of Deleted Files
SOFTWARE Hive

Under $Recycle.Bin, we can see that the $IWKWHDC.docs record shows the file Security Awareness.docx was deleted at 2022-08-21 1:03:33 PM

$Recycle.Bin
$IWKWHDC.docs
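To show what those $I records actually hold, here is an added Python parser (not from the challenge or the post); the sample record is constructed here, and its deletion time is assumed to be UTC since the time zone of the original record is not known.

```python
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is the count of 100-nanosecond intervals since 1601-01-01 UTC."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)

def parse_dollar_i(data: bytes) -> dict:
    """Parse a $I<random>.<ext> record from a $Recycle.Bin SID subfolder.

    Layout: int64 version (1 = Vista to 8.1, 2 = Windows 10+), int64 original
    size, int64 FILETIME of deletion, then the original path as UTF-16LE
    (a fixed 520 bytes in v1; a uint32 char count followed by the string in v2).
    """
    version, size, ft = struct.unpack_from("<qqq", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_datetime(ft), "original_path": path}

def recycled_data_name(index_name: str) -> str:
    """$I<random>.<ext> (metadata) pairs with $R<random>.<ext> (the file content)."""
    if not index_name.startswith("$I"):
        raise ValueError("not a $I record name")
    return "$R" + index_name[2:]

def build_dollar_i_v2(path: str, size: int, deleted_utc: datetime) -> bytes:
    """Build a constructed v2 record so the parser can be exercised offline."""
    delta = deleted_utc - WIN_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    name = (path + "\x00").encode("utf-16-le")
    return struct.pack("<qqqI", 2, size, ft, len(path) + 1) + name

# Constructed sample mirroring the challenge artefact (size and UTC time are assumptions)
SAMPLE_I = build_dollar_i_v2(
    r"C:\Users\CyberJunkie\Downloads\MailDownloads\Security Awareness.docx",
    31744, datetime(2022, 8, 21, 13, 3, 33, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_dollar_i(SAMPLE_I)
    print(f"{rec['deleted_utc']:%Y-%m-%d %H:%M:%S} UTC  {rec['size']} bytes  {rec['original_path']}")
```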

What’s the stager name which connected to the attacker’s C2 server (Fullpath\name)?

The C2 stager creates a foothold in the targeted system and provides a gateway for the attacker to gain further access and control over the system. Once the initial connection is established, the attacker can use the C2 channel to send commands and receive data from the compromised system.

What to look for? Evidence of execution (UserAssist, Prefetch)

Where to find it?

Prefetch: C:\Windows\Prefetch

Prefetch files are files in Windows operating systems that contain information about the applications and processes that were recently executed on a system.

Analyzing the prefetch files can provide information about the programs that were frequently run on the system.

Prefetch Folder

Through the PECmd.exe application, extract the prefetch files into a .csv file.

PECmd.exe -d "D:\__._PHYSICALDRIVEn_Partition 2 [16845MB]_NONAME [NTFS]\[root]\Windows\Prefetch" --csv C:\Users\Ray\Desktop

PECmd.exe

Then, we can spot that Securitypatch.exe was executed on 2022-08-21 at 1:03:02, close to the deletion time of 2022-08-21 1:03:33 PM

Timeline Explorer

Alternatively, we can discover the same result through the UserAssist way.

UserAssist: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Registry Explorer

And, we can see there is a binary executed by CyberJunkie, which is C:\Users\CyberJunkie\Desktop\SecurityPatch.exe, last executed on 2022-08-21 at 1:03:00

Take a break; investigating artifacts takes some effort!

The attacker manipulated MACB Timestamps of the stager executable to confuse Analysts. Analyze the timestamps of the stager and verify the original timestamp and tampered one.

Some questions to ask:

  1. How did the attacker modify the timestamp, and in what ways?
  2. What are $STANDARD_INFORMATION and $FILE_NAME?

Every object in NTFS is given a FILE record, which is saved in the $MFT. A file record contains attributes that hold metadata about the file. Both $STANDARD_INFORMATION and $FILE_NAME are file attributes, and there must be at least one of each for every file.

What to look for? $MFT

Let’s parse the $MFT file into a .csv file with the MFTECmd application.

MFTECmd

So, we can see the timestamps after importing the csv file. There are two creation times, 2021-12-25 15:34:32 and 2022-08-21 13:02:23. The original one is 2022-08-21 13:02:23; the attacker tampered with the timestamp to 2021-12-25 15:34:32

Timeline Explorer

Additionally, the accepted answer format includes milliseconds, so the answer is 2022-08-21 13:02:23.66 : 2021-12-25 15:34:32, based on the MFT Explorer result below.

MFT Explorer
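As an added example (not from the post or the tools it uses), the same $STANDARD_INFORMATION versus $FILE_NAME comparison can be automated over MFTECmd’s CSV output; the column names Created0x10/Created0x30 are assumed to match MFTECmd’s export, and the rows below are constructed.

```python
import csv
import io
from datetime import datetime

def parse_mft_ts(value: str) -> datetime:
    """MFTECmd writes 7 fractional digits; datetime's %f accepts at most 6."""
    base, _, frac = value.partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", "%Y-%m-%d %H:%M:%S.%f")

def find_timestomp_candidates(csv_text: str) -> list:
    """Flag rows whose $STANDARD_INFORMATION (0x10) times disagree with $FILE_NAME (0x30)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        si_created = parse_mft_ts(row["Created0x10"])
        fn_created = parse_mft_ts(row["Created0x30"])
        reasons = []
        # Common timestomping utilities rewrite $SI only, so $SI ends up older than $FN.
        # Caveat: a rename or move also refreshes $FN, so this is a lead, not proof.
        if si_created < fn_created:
            reasons.append("SI created precedes FN created")
        # Utilities that accept a second-granularity time leave the sub-second field zero.
        if si_created.microsecond == 0 and parse_mft_ts(row["LastModified0x10"]).microsecond == 0:
            reasons.append("SI timestamps have zero sub-seconds")
        if reasons:
            findings.append({"file": f"{row['ParentPath']}\\{row['FileName']}",
                             "si_created": si_created, "fn_created": fn_created,
                             "reasons": reasons})
    return findings

# Constructed excerpt in MFTECmd's CSV column layout (only the columns used here).
SAMPLE_MFT_CSV = r"""EntryNumber,InUse,ParentPath,FileName,Created0x10,LastModified0x10,Created0x30,LastModified0x30
512,True,.\Users\CyberJunkie\Desktop,SecurityPatch.exe,2021-12-25 15:34:32.0000000,2021-12-25 15:34:32.0000000,2022-08-21 13:02:23.6600000,2022-08-21 13:02:23.6600000
513,True,.\Users\CyberJunkie\Desktop,notes.txt,2022-08-21 12:50:01.1234567,2022-08-21 12:55:10.2223334,2022-08-21 12:50:01.1234567,2022-08-21 12:50:01.1234567
"""

if __name__ == "__main__":
    for hit in find_timestomp_candidates(SAMPLE_MFT_CSV):
        print(hit["file"], hit["si_created"], "vs", hit["fn_created"], hit["reasons"])
```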

The attacker set up persistence by manipulating registry keys. All we know is that GlobalFlags image file technique was used to set up persistence. When exiting a certain process, the attacker persistence executable is executed. What’s the name of that process?

What is the GlobalFlags image file technique?

GlobalFlags is a registry value that can be used to modify the operating system's behaviour. It is commonly used by developers and researchers to enable or disable various debugging features in Windows. One way that GlobalFlags can be set is through the use of an image file technique.

The image file technique involves creating a specially crafted executable file containing a section with a specific name and value. When this executable is run, the GlobalFlags value in the registry is modified based on the value in the section of the executable.

The attacker can use this technique to achieve the persistence goal.

What to look for? GlobalFlag Registry Key

Where to find it?

  1. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
  2. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

Then, we can see that the binary “explorer.exe” has a value named “GlobalFlag”

Registry Explorer

What’s the full path and name of the executable which is set up for persistence?

We can see the attacker tied the explorer.exe process to the executable GetPatch.exe, at C:\Users\CyberJunkie\Documents\GetPatch.exe

Registry Explorer
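Added example, not from the post: a check that pairs the two registry keys above from a .reg export of the SOFTWARE hive. The MonitorProcess and ReportingMode value names come from the documented SilentProcessExit mechanism rather than from the post, and the export below is constructed to mirror the challenge findings.

```python
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200  # GlobalFlag bit that enables SilentProcessExit monitoring
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
SPE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"

def parse_reg_export(text: str) -> dict:
    """Minimal .reg parser: {key path: {value name: value}} (dword -> int, strings unescaped)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif raw.startswith('"') and raw.endswith('"'):
                # .reg exports escape backslashes and quotes inside string values
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def find_silent_exit_persistence(reg_text: str) -> list:
    """Pair IFEO\\<image> GlobalFlag (0x200 bit set) with SilentProcessExit\\<image> MonitorProcess."""
    keys = {k.lower(): v for k, v in parse_reg_export(reg_text).items()}
    hits = []
    for path, values in keys.items():
        if not path.startswith(IFEO.lower() + "\\"):
            continue
        image = path[len(IFEO) + 1:]
        if values.get("GlobalFlag", 0) & FLG_MONITOR_SILENT_PROCESS_EXIT:
            spe = keys.get(f"{SPE.lower()}\\{image}", {})
            hits.append({"trigger_process": image,
                         "monitor_process": spe.get("MonitorProcess"),
                         "reporting_mode": spe.get("ReportingMode")})
    return hits

# Constructed .reg export reproducing the challenge's persistence entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\explorer.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\CyberJunkie\\Documents\\GetPatch.exe"
'''

if __name__ == "__main__":
    for hit in find_silent_exit_persistence(SAMPLE_REG):
        print(f"on exit of {hit['trigger_process']} run {hit['monitor_process']}")
```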

The attacker logged in via RDP and then performed lateral movement: the attacker accessed an internal network-connected device via RDP. What command was run in cmd after a successful RDP session into the other Windows machine?

How do we find RDP commands in Windows Forensics? This 13Cubed video explains it clearly.

RDP Cache

What to look for? RDP cache files

Where to find it? Under the Terminal Server Client folder

Cache location

This is the RDP Bitmap Cache: when a user connects to a remote desktop using RDP, the Bitmap Cache feature stores frequently accessed images. This reduces the amount of data that needs to be transmitted over the network, improving the overall performance of the remote desktop connection.

The Bitmap Cache is divided into several parts, including the persistent bitmap cache, which stores images that are likely to be used again in the future, and the non-persistent bitmap cache, which stores images that are only likely to be used once.

Through the RDP cache parser, we can see the attacker’s command is net localgroup

.\bmc-tools.py -s "D:\__._PHYSICALDRIVEn_Partition 2 [16845MB]_NONAME [NTFS]\[root]\Users\CyberJunkie\AppData\Local\Microsoft\Terminal Server Client\Cache" -d [destination folder]

The attacker tried to download a tool from the user’s browser in that second machine. What’s the tool name? (name.ext)

PowerSploit is a common post-exploitation framework that aids penetration testers during all phases of an assessment.

Same way as the previous question, we can see the tool name is PowerView.ps1

What command was executed which resulted in privilege escalation?

If we want to discover executed commands, this is where threat hunting comes in. DeepBlueCLI is a powerful PowerShell module for threat hunting via Windows event logs.

DeepBlueCLI

The command cmd.exe /c echo kyvckn > \\.\pipe\kyvckn is utilized to achieve privilege escalation.
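An added detection (not from the post or from DeepBlueCLI) for that echo-to-named-pipe pattern over process-creation events: the echoed token and the pipe name being identical is the tell. The event records below are constructed, and their field names are assumptions.

```python
import re

# Matches "cmd.exe /c echo <token> > \\.\pipe\<pipe>" in a process command line.
PIPE_ECHO = re.compile(
    r"""cmd(?:\.exe)?\s+/c\s+echo\s+(?P<token>\S+)\s*>\s*\\\\\.\\pipe\\(?P<pipe>\S+)""",
    re.IGNORECASE)

def classify_command_line(cmdline: str):
    """Return details when the command line echoes into a local named pipe, else None."""
    m = PIPE_ECHO.search(cmdline)
    if not m:
        return None
    token, pipe = m.group("token"), m.group("pipe")
    return {"pipe": pipe,
            "token_matches_pipe": token == pipe,
            # a short run of lowercase letters with no meaning is typical of generated names
            "looks_random": pipe.isalpha() and pipe.islower() and len(pipe) >= 6}

def hunt_named_pipe_echo(events: list) -> list:
    """events: process-creation records (EventID 4688 / Sysmon 1) as dicts with a CommandLine field."""
    findings = []
    for ev in events:
        c = classify_command_line(ev["CommandLine"])
        if c and c["token_matches_pipe"]:
            findings.append({"time": ev["TimeCreated"], "host": ev["Computer"],
                             "parent": ev.get("ParentImage"), **c})
    return findings

# Constructed events: the first mirrors the command found above, the others are benign look-alikes.
SAMPLE_EVENTS = [
    {"TimeCreated": "2022-08-21 13:10:41", "Computer": "WS02",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"cmd.exe /c echo kyvckn > \\.\pipe\kyvckn"},
    {"TimeCreated": "2022-08-21 13:11:02", "Computer": "WS02",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo status > C:\temp\status.txt"},
    {"TimeCreated": "2022-08-21 13:12:15", "Computer": "WS02",
     "ParentImage": r"C:\Program Files\Agent\agent.exe",
     "CommandLine": r"cmd.exe /c echo hello > \\.\pipe\logpipe"},
]

if __name__ == "__main__":
    for f in hunt_named_pipe_echo(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']} pipe={f['pipe']} parent={f['parent']} random={f['looks_random']}")
```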

What framework was used by the attacker?

From the previous questions, it is obvious that the framework the attacker used is Metasploit

Resource

Windows Forensics Cheatsheet

Understand NTFS Timestamps

RDP Bitmap Cache

Metasploit Framework: Hunt for GetSystem
