joec@home
Nov 30 2005, 10:28 AM
A follow-up from How To Investigate a Linux Compromise
http://forums.ev1servers.net/showthread.php?t=59486
joec@home
Nov 30 2005, 10:34 AM
I am wanting to gather my notes to make a howto for Windows as I did with Linux. I have my ways of handling this but I am needing to put them into a method, and wanting to get as much feedback as possible as to what other people do to investigate Windows servers.
Basic ideas so far:
Gather process and network data:
netstat -noa > test.txt && tasklist /SVC >> test.txt && notepad test.txt
Good old msconfig.exe
Turn off all hidden functions and check in:
Recycler
System Volume Information
WINNT\Temp
WU Temp
Questions:
Does anyone have any more information on the registry settings of a compromised Recycle Bin, what to look for at the registry level?
joec@home
Jan 22 2006, 07:41 AM
Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
joec@home
Mar 22 2006, 09:30 AM
Silly but rather simple
Search for all .bat and .wsh files
joec@home
Jul 13 2008, 02:17 PM
Windows Security
Microsoft remote administration tools that are potentially dangerous in a webhosting environment if not secured.
DCOM: \WINDOWS\system32\dcomcnfg.exe
Microsoft remote administration tools that are potentially dangerous in a webhosting environment if not removed, unless needed in your administration schema.
CLUSTER-ADMIN: \WINDOWS\Cluster\CluAdmin.exe
COMPONENT SERVICES: \WINDOWS\system32\Com\comrepl.exe
COMPONENT SERVICES: \WINDOWS\system32\Com\comrereg.exe
DISTRIBUTED-FILE-SYSTEM: \WINDOWS\system32\dfscmd.exe
DISTRIBUTED-FILE-SYSTEM: \WINDOWS\system32\dfsinit.exe
DISTRIBUTED-FILE-SYSTEM: \WINDOWS\system32\dfssvc.exe
INETINFO: \WINDOWS\system32\inetsrv\inetinfo.exe
WINDOWS-LOAD-BALANCING: \WINDOWS\system32\nlbmgr.exe
WINDOWS-MEDIA-PLAYER: \Program Files\Windows Media Player\wmplayer.exe
Microsoft.NET remote administration tools that are potentially dangerous in a webhosting environment.
(Someone please tell me why anyone would allow a web publishing program to have access to core server administration tools? EVER? Please! REALLY? WHY?!!!)
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\SetRegNI.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\RegAsm.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\CasPol.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\gacutil.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\IEExec.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPol.exe
MICROSOFT.NET-1.1.4: \WINDOWS\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\CasPol.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_regsql.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
MICROSOFT.NET-2.0.5: \WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\DeleteTemp
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\RebootStub.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\runmsi.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\install.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelReg.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\WsatConfig.exe
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\Windows Workflow Foundation\WF_3.0_x86.msi
MICROSOFT.NET-3.0: \WINDOWS\Microsoft.NET\Framework\v3.0\WPF\wpf.msi
joec@home
Aug 31 2008, 02:09 PM
rem Process and service inventory via WMI (WMIC /OUTPUT writes Unicode text)
WMIC /OUTPUT:C:\ProcList.txt PROCESS get Caption,Commandline,Processid
WMIC /OUTPUT:C:\ServiceList.txt SERVICE get Caption,pathname,Processid,state
echo ----- Proclist ---- >> c:\test.txt
type C:\ProcList.txt >> c:\test.txt
echo ----- ServiceList.txt ---- >> c:\test.txt
type C:\ServiceList.txt >> c:\test.txt
rem Sockets with owning PID and image name (-b requires administrative rights)
echo ----- Netstat ----- >> c:\test.txt
netstat -vanbot >> c:\test.txt
rem Loaded modules (DLLs) per task
echo ----- Task Mapping ----- >> c:\test.txt
tasklist /M >> c:\test.txt
rem Per-user audit settings (auditusr.exe; XP SP2 / Server 2003)
echo ----- Users ----- >> c:\test.txt
auditusr >> c:\test.txt
echo ----- Recycler ----- >> c:\test.txt
tree c:\RECYCLER /A >> c:\test.txt
notepad c:\test.txt
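As an added example (not from the thread): a Python helper that joins the netstat -noa and tasklist /SVC output the first post collects (and that the collection script above dumps into test.txt) by PID, so each listening socket is attributed to an image and its hosted services; a listener whose process hosts no service, or whose PID has no tasklist row at all, is flagged for a closer look. The sample output and the allowlist of expected non-service listeners are constructed for this example.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample output of the two commands in the post (not a real capture).
NETSTAT_NOA = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1380
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING       2012
  TCP    10.0.0.5:3389          10.0.0.9:51522         ESTABLISHED     1532
  UDP    0.0.0.0:500            *:*                                    1048
  UDP    0.0.0.0:1027           *:*                                    3377
"""
TASKLIST_SVC = """\
Image Name                     PID Services
========================= ======== ============================================
System                           4 N/A
lsass.exe                     1048 PolicyAgent, ProtectedStorage, SamSs
inetinfo.exe                  1380 IISADMIN, W3SVC,
                                   HTTPFilter
unknown.exe                   2012 N/A
"""
# Images that legitimately listen without hosting a service (hypothetical allowlist).
KNOWN_NON_SERVICE_LISTENERS = {"system"}
_TASK_RE = re.compile(r"^(?P<image>.+)\s+(?P<pid>\d+)\s+(?P<svc>\S.*)$")

def parse_tasklist_svc(text: str) -> Dict[int, Tuple[str, List[str]]]:
    """PID -> (image, services); service lists that tasklist wraps onto indented lines are rejoined."""
    procs, last = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue
        if line[0].isspace() and last is not None:  # continuation of the previous row
            procs[last][1].extend(s.strip() for s in line.split(",") if s.strip())
        elif (m := _TASK_RE.match(line)):
            svc, last = m["svc"].strip(), int(m["pid"])
            procs[last] = (m["image"].strip(), [] if svc == "N/A" else [s.strip() for s in svc.split(",") if s.strip()])
    return procs

def parse_netstat_noa(text: str) -> List[Tuple[str, str, int]]:
    """(proto, local address, pid) for each TCP LISTENING and each UDP socket; connected sockets are skipped."""
    rows = [l.split() for l in text.splitlines()]
    return [(p[0], p[1], int(p[-1])) for p in rows
            if p and (p[0] == "UDP" or (p[0] == "TCP" and len(p) == 5 and p[3] == "LISTENING"))]

def suspicious_listeners(netstat_text: str, tasklist_text: str) -> List[dict]:
    """Flag a listener whose process hosts no service and is not an expected non-service listener,
    or whose PID has no tasklist row (process exited between the two commands, or is hidden)."""
    procs, out = parse_tasklist_svc(tasklist_text), []
    for proto, local, pid in parse_netstat_noa(netstat_text):
        image, services = procs.get(pid, ("<no tasklist entry>", []))
        flagged = not services and image.lower() not in KNOWN_NON_SERVICE_LISTENERS
        out.append({"proto": proto, "local": local, "pid": pid, "image": image, "services": services, "suspicious": flagged})
    return out
```

Run it against the real captures by reading the two sections out of test.txt; a PID present in netstat but absent from tasklist is worth as much attention as an unknown image.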