DFIR - FAQ Flashcards

Where do you find stuff...

1
Q

How do you validate if a process was executed in Windows ?

A

Windows Security Event 4688 (Process Creation) tracks this.
* Not enabled by default.

Contains:
- Creator Subject - who created the process.
- Target Subject - on whose behalf the process is executing.
- Logon ID - ties the event to a unique logon session.
- Creator Process - the parent process (provides context).
- Process ID - unique on the host.
- Token Elevation Type - whether the process was started with an elevated token.
- Process Command Line - must be enabled separately via GPO; records what was typed on the command line, including switches and configuration data.

2
Q

Where are Windows Event Logs located?

A

Location:
C:\Windows\System32\winevt\Logs\*.evtx

3
Q

How do you capture an event trace in Windows?

A

- New-EtwTraceSession - start a new ETW trace session.
- New-NetEventSession - start an ETW-based packet capture session.
- Save-EtwTraceSession - flushes the buffer to disk and removes the session.
- Send-EtwTraceSession - keeps the session alive but immediately writes the buffer to disk.

4
Q

What are the 6 process steps of the SANS DF/IR process?

A

1) Preparation
2) Identification (scoping)
3) Containment (Intel development)
4) Eradication and Remediation
5) Recovery
6) Lessons Learned (Threat Intel consumption)

5
Q

Common Malware Obfuscation Techniques? What are they, and how do you detect them?

A

1) Code Injection (memory analysis)
2) DLL Injection (look for DLLs in unusual locations)
3) Obfuscation (PE scan, signature check)
4) Rogue Process (wrong parent, SID, startup location, suspicious DLL, spelling)
5) Rootkits (memory forensics)
6) Signing code with valid certificates

6
Q

Common Malware Obfuscation Techniques? What are they, and why/how do they occur?

A

1) Code Injection (only allowed for debugging)
2) DLL Injection (search order, phantom, side-loading)
3) Obfuscation (delete indicators, change name / profile, encryption)
4) Rogue Process (hide in plain sight)
5) Rootkits (hide activities and data)
6) Signing code with valid certificates (certificate authority)

7
Q

Key Windows Processes:

A
  1. csrss.exe
  2. explorer.exe
  3. lsaiso.exe
  4. lsass.exe
  5. Runtime Broker
  6. Process Tree
  7. services.exe
  8. smss.exe
  9. svchost.exe
  10. System
  11. taskhostw.exe
  12. wininit.exe
  13. winlogon.exe
8
Q

Explain the LSASS Process:

A

Image Path: %SystemRoot%\System32\lsass.exe

Parent Process: wininit.exe

Number of Instances: One

User Account: Local System

Start Time: Within seconds of boot time

Description: The Local Security Authentication Subsystem Service process is responsible for authenticating users by calling an appropriate authentication package specified in HKLM\SYSTEM\CurrentControlSet\Control\Lsa. Typically, this will be Kerberos for domain accounts or MSV1_0 for local accounts. In addition to authenticating users, lsass.exe is also responsible for implementing the local security policy (such as password policies and audit policies) and for writing events to the security event log. Only one instance of this process should occur, and it should rarely have child processes (EFS is a known exception).

9
Q

Malware Persistence - Windows

A
  1. AutoStart - Registry
  2. BIOS flashing
  3. DLL (search order, phantom and side-loading)
  4. Local group policy
  5. Scheduled Tasks
  6. Service manipulation: creation / replacement
  7. WMI Event Consumers
10
Q

Lateral Movement- Windows

A
  1. Account creation
  2. Application deployment
  3. Credential Harvesting
  4. PowerShell / WMIC
  5. PsExec
  6. Remote Desktop
  7. Vulnerability Exploitation
  8. Windows Admin Shares
  9. Windows Remote Management Tools