Cheatsheet Forensics Events
### WinRegex cheatsheet + Sysmon for Forensics Analytics

| Sysmon ID | Tag |
| --- | --- |
| 12 RegistryEvent | Registry object added or deleted |
| 13 RegistryEvent | Registry value set |
| 14 RegistryEvent | Registry object renamed |

| Windows Events | Tag |
| --- | --- |
| 4663(S) | An attempt was made to access an object. |
| 4656(S, F) | A handle to an object was requested. |
| 4658(S) | The handle to an object was closed. |
| 4660(S) | An object was deleted. |
| 4657(S) | A registry value was modified. |
| 5039(-) | A registry key was virtualized. |
| 4670(S) | Permissions on an object were changed. |
### Lateral movement

- Protocols that enable remote authentication, such as SSH, SMB, and RDP
- Frameworks designed for remote execution, such as WinRM, WMI, and RPC
- Techniques that don't rely on a protocol or framework to support remote access or execution, such as "Sticky Keys" feature abuse

To move laterally, threat actors often employ tools built into operating systems, such as SSH, Windows Management Instrumentation (WMI), and Windows Remote Management (WinRM). Other times the attacker introduces a tool like Windows Sysinternals PsExec.
### PsExec Logs (5140, 5145, 4697, 7045, 4688, Sysmon ID 1)

EID 5145 contains metadata about requests for access to the hidden ADMIN$ and IPC$ shares; these logs indicate the responsible process (look for PsExec).

Metadata:
- The time the event was recorded (will vary)
- The source of the request (Service Control Manager)
- The name of the service (PSEXESVC, but note that this is configurable)
- The service executable (%systemroot%\PSEXESVC.exe, also configurable)

EID 5140, which indicates a share was successfully accessed, may confirm that an attempt succeeded, as well as the account used and other supporting evidence.

EIDs 4697 and 7045, which record service creation, may capture the installation of the temporary PSEXESVC service.

Detailed process execution, captured in EID 4688 events, can identify the use of PsExec on both source and target systems, including full command line arguments.

Metadata:
- The time the event was recorded
- The user context (account ID, name, domain, session ID)
- Process metadata (ID, full path to executable, privilege token, parent process ID, parent process full path, full command line)

Sysmon, a free logging utility, captures detailed process execution in EID 1 and includes parent process, network, and user metadata.
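A small triage script, added here as an example and not part of the cheatsheet, that applies the PsExec signals above (5145 on ADMIN$/IPC$, 4697/7045 service install, 4688 process creation) to a handful of constructed event records and reports hosts where several signals co-occur. Field names follow the Windows event data schema; the host names and values are made up.

```python
from collections import defaultdict

# Constructed sample records (not real telemetry): fields mirror the Windows
# event XML data names for 5145, 7045 and 4688; the values are made up.
SAMPLE_EVENTS = [
    {"EventID": 5145, "Computer": "HOST1", "SubjectUserName": "adm1",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "PSEXESVC.exe"},
    {"EventID": 5145, "Computer": "HOST1", "SubjectUserName": "adm1",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "PSEXESVC"},
    {"EventID": 7045, "Computer": "HOST1", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4688, "Computer": "HOST1", "NewProcessName": "C:\\Windows\\PSEXESVC.exe",
     "CommandLine": "C:\\Windows\\PSEXESVC.exe"},
    # Benign noise on another host: an ordinary file share read.
    {"EventID": 5145, "Computer": "HOST2", "SubjectUserName": "bob",
     "ShareName": "\\\\*\\Finance", "RelativeTargetName": "Q3\\report.xlsx"},
]

def psexec_indicators(events):
    """Map host -> set of PsExec indicators drawn from the cheatsheet's EIDs.
    Signals are kept separate so a renamed service (PsExec -r) still trips
    the ADMIN$ write or the svcctl pipe. 4697 is in the Security log, 7045 in
    the System log; 4688 carries CommandLine only when that audit policy is on.
    """
    hits = defaultdict(set)
    for ev in events:
        eid, host = ev["EventID"], ev["Computer"]
        if eid == 5145:
            share = ev.get("ShareName", "").upper()
            target = ev.get("RelativeTargetName", "").lower()
            # Remote service-control pipe or PsExec's own named pipe over IPC$
            if share.endswith("IPC$") and (target == "svcctl" or "psexesvc" in target):
                hits[host].add(f"5145:ipc$:{target}")
            # Service binary dropped into the admin share
            if share.endswith("ADMIN$") and "psexesvc" in target:
                hits[host].add(f"5145:admin$:{target}")
        elif eid in (4697, 7045):
            svc = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).lower()
            if "psexesvc" in svc:
                hits[host].add(f"{eid}:service:{ev.get('ServiceName', '').lower()}")
        elif eid == 4688:
            exe = ev.get("NewProcessName", "").rsplit("\\", 1)[-1].lower()
            if "psexesvc" in exe:
                hits[host].add(f"4688:process:{exe}")
    return dict(hits)

def suspicious_hosts(events, min_signals=2):
    """Hosts on which at least min_signals distinct PsExec indicators co-occur."""
    return sorted(h for h, s in psexec_indicators(events).items() if len(s) >= min_signals)
```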