reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger"
sfc /VERIFYFILE=C:\Windows\System32\sethc.exe
sfc /VERIFYFILE=C:\Windows\System32\utilman.exe
sfc /VERIFYFILE=C:\Windows\System32\AtBroker.exe
sfc /VERIFYFILE=C:\Windows\System32\Narrator.exe
sfc /VERIFYFILE=C:\Windows\System32\Magnify.exe
sfc /VERIFYFILE=C:\Windows\System32\DisplaySwitch.exe
sfc /VERIFYFILE=C:\Windows\System32\osk.exe
N/A
reg query "HKLM\System\CurrentControlSet\Control\Session Manager" /v AppCertDlls
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='11'} | FL TimeCreated,Message
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
dir %WINDIR%\AppPatch\custom
dir %WINDIR%\AppPatch\AppPatch64\Custom
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-ShimEngine/Operational';}|FL
Note: Some other similar methods exist such as abusing the ‘Command’ value of Windows Telemetry Controller - Special Thanks to TrustedSec.
Hint: Look for a Command not pointing to “CompatTelRunner.exe” or which has ‘-cv’, ‘-oobe’, or ‘-fullsync’ in the command line.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController" /s
bitsadmin /list /allusers /verbose
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Bits-Client/Operational'; Id='59'} | FL TimeCreated,Message
ls 'C:\ProgramData\Microsoft\Network\Downloader\qmgr.db'
Note: This exists below the OS in the Master Boot Record or Volume Boot Record. The system must be booted through Advanced Startup Options with a Command Prompt, or through a recovery cd.
bootrec /FIXMBR
bootrec /FIXBOOT
Extra: If your boot configuration data is missing or contains errors the below can fix this.
bootrec /REBUILDBCD
If you’re thinking of a bootkit more as a rootkit (malicious system drivers) you can go with the below.
gci C:\Windows\*\DriverStore\FileRepository\ -recurse -include *.inf | FL FullName,LastWriteTime,LastWriteTimeUtc
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue
sc.exe query type=driver state=all
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id='3001'} | FL TimeCreated,Message
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue | Get-AuthenticodeSignature | where {$_.status -ne 'Valid'}
Note: This will likely have false positives, particularly relating to filter drivers which are used by AV products, EDR solutions, or otherwise.
$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
[PSCustomObject] @{
TimeCreated = $_.TimeCreated
MachineName = $_.MachineName
UserId = $_.UserId
FilterDriver = $_.Properties[4].Value
Message = $_.Message
}
}
echo "Scanning for suspicious filter drivers. Any found will be displayed below:"
$FilterEvents | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends"}
$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
[PSCustomObject] @{
TimeCreated = $_.TimeCreated
MachineName = $_.MachineName
UserId = $_.UserId
FilterDriver = $_.Properties[4].Value
Message = $_.Message
}
}
echo "Scanning for suspicious filter drivers. Any found will be compared against existing services:"
$SuspectDrivers = $($FilterEvents | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends"} | select -exp FilterDriver)
$SuspectDrivers
foreach ($driver in $SuspectDrivers){
echo "Checking services for relevant drivers. Any which aren't present may indicate a filter driver which has since been removed, or an active rootkit filtering service registry keys."
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\$driver
}
Special Thanks - Didier Stevens, multiple times
Note: These keys specify what services are run in Safe Mode. Sometimes they’ll be modified by malware to ensure rootkits can still function in Safe Mode.
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /s
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /s
fltmc filters
fltmc volumes
fltmc instances
fltmc unload <filtername>
fltmc detach <filtername> <volumeName> <instanceName>
Note: Common legitimate filter drivers include
- WdFilter – Windows Defender Filter
- storqosflt - Storage QoS Filter
- wcifs - Windows Container Isolation File System Filter
- CldFlt - Windows Cloud Files Filter
- FileCrypt - Windows Sandboxing and Encryption Filter
- luafv – LUA File Virtualization Filter (UAC)
- npsvctrig – Named Pipe Service Trigger Provider Filter
- Wof – Windows Overlay Filter
- FileInfo – FileInfo Filter (SuperFetch)
- bindflt - Windows Bind Filter system driver
- FsDepends - File System Dependency Minifilter
- PROCMON24 - Procmon Process Monitor Driver
Get-ChildItem -path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions' -recurse -erroraction SilentlyContinue -include manifest.json | cat
reg query "HKLM\Software\Google\Chrome\Extensions" /s
reg query "HKLM\Software\Wow6432Node\Google\Chrome\Extensions" /s
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path "C:\Program Files\Mozilla Firefox\plugins\" -recurse -erroraction SilentlyContinue
Get-ChildItem -path registry::HKLM\SOFTWARE\Mozilla\*\extensions
Get-ChildItem -Path C:\Users\*\AppData\Local\Packages\ -recurse -erroraction SilentlyContinue
Get-ChildItem -path "C:\Program Files\Internet Explorer\Plugins\" -recurse -erroraction SilentlyContinue
reg query 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
reg query 'HKLM\Software\Microsoft\Internet Explorer\Toolbar'
reg query 'HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks'
reg query 'HKLM\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKU\{SID}\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions'
Note: This is incredibly rare, and doesn’t have an easy detection/remediation mechanism. Using the Windows CheckDisk utility, System File Checker, or Deployment Image Servicing and Management may assist but isn’t guaranteed.
chkdsk /F
sfc /scannow
dism /Online /Cleanup-Image /ScanHealth
dism /Online /Cleanup-Image /RestoreHealth
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase
Note: This involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost.exe with /Processid:{xyz}, you can match xyz with the CLSID (COM Class Object) or AppID mentioned below to check for any malicious EXE or DLL.
HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKLM\SOFTWARE\Classes\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKLM\SOFTWARE\Classes\AppID\{xyz}
HKLM\SOFTWARE\Classes\WOW6432Node\AppID\{xyz}
HKLM\SOFTWARE\WOW6432Node\Classes\AppID\{xyz}
Example analysis:
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" /s /f "{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{178167bc-4ee3-403e-8430-a6434162db17}" /s
reg query "HKLM\SOFTWARE\Classes\AppID\{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
Queries:
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".exe"
reg query HKLM\SOFTWARE\Classes\AppID\ /s /f DllSurrogate
gci -path REGISTRY::HKLM\SOFTWARE\Classes\*\shell\open\command
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".exe"
gci 'REGISTRY::HKU\*\Software\Classes\CLSID\*\TreatAs'
gci 'REGISTRY::HKU\*\Software\Classes\Scripting.Dictionary'
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\LocalServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocHandler*" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\*Server32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\ScriptletURL" -ea 0
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f "ScriptletURL"
gci HKLM:\Software\Classes -ea 0| ? {$_.PSChildName -match '^\w+\.\w+$' -and(gp "$($_.PSPath)\CLSID" -ea 0)} | select -ExpandProperty PSChildName
net user
net user /domain
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" /s
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
gci -path C:\Windows\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\System32\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
gps | ? {$_.Modules -like '*{DLLNAME}*'} | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
$dll = gps | Where {$_.Modules -like '*{DLLNAME}*' } | Select Modules;$dll.Modules;
(gps).Modules.FileName
(gps).Modules | FL FileName,FileVersionInfo
(gps).Modules.FileName | get-authenticodesignature | ? Status -NE "Valid"
Locate Possible DLL Search Order Hijacking
Note: A legitimate clean executable can be used to run malicious DLLs based on how the software searches for them.
More information on Microsoft Docs
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode"
If SafeDllSearchMode is enabled (is by default), the search order is as follows:
- The same directory from which the executable is run.
- The System Directory (Usually C:\Windows\System32).
- The 16-bit System Directory.
- The Windows Directory (Usually C:\Windows).
- The Current Directory (From the process which executed the executable).
- The directories that are listed in the PATH environment variable.
If SafeDllSearchMode is disabled (SafeDllSearchMode has a reg value of 0), the search order is as follows:
- The same directory from which the executable is run.
- The Current Directory (From the process which executed the executable).
- The System Directory (Usually C:\Windows\System32).
- The 16-bit System Directory.
- The Windows Directory (Usually C:\Windows).
- The directories that are listed in the PATH environment variable.
N/A
Get-WmiObject win32_service | FL name,PathName
get-acl "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" | FL | findstr "FullControl"
T1158 Hidden Files and Directories
dir /S /A:H
tasklist /m EasyHook32.dll;tasklist /m EasyHook64.dll;tasklist /m EasyLoad32.dll;tasklist /m EasyLoad64.dll;
More Material:
N/A
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s /f "MonitorProcess"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f "Debugger"
reg query "HKU\{SID}\Environment" /v UserInitMprLogonScript
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4614';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3033';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3063';} | FL TimeCreated,Message
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | select -uniq ServiceDll -ea 0 | foreach {filehash $_.ServiceDll} | select -uniq -exp hash
reg query HKLM\SOFTWARE\Microsoft\Netsh
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-WmiObject win32_service | FL Name, DisplayName, PathName, State
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
Note: If not examining the registry directly and looking at services in a ‘live’ capacity you may encounter ‘hidden services’ which aren’t shown due to a SDDL applied to them. You can find solely these services using the following (Special thanks - Josh Wright)
Compare-Object -ReferenceObject (Get-Service | Select-Object -ExpandProperty Name | % { $_ -replace "_[0-9a-f]{2,8}$" } ) -DifferenceObject (gci -path hklm:\system\currentcontrolset\services | % { $_.Name -Replace "HKEY_LOCAL_MACHINE\\","HKLM:\" } | ? { Get-ItemProperty -Path "$_" -name objectname -erroraction 'ignore' } | % { $_.substring(40) }) -PassThru | ?{$_.sideIndicator -eq "=>"}
Some common legitimate hidden services are:
WUDFRd
WUDFWpdFs
WUDFWpdMtp
Get-ChildItem -path C:\Users\*\Microsoft\*\STARTUP\*.dotm -force
Get-ChildItem -path C:\Users\*\AppData\Roaming\Microsoft\*\STARTUP\* -force
reg query "HKU\{SID}\Software\Microsoft\Office test\Special\Perf" /s
reg query "HKLM\Software\Microsoft\Office test\Special\Perf" /s
Get-ChildItem -path registry::HKLM\SOFTWARE\Microsoft\Office\*\Addins\*
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Templates\*" -erroraction SilentlyContinue
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*" -erroraction SilentlyContinue
Get-ChildItem -path C:\ -recurse -include Startup -ea 0
ls 'C:\Program Files\Microsoft Office\root\*\XLSTART\*'
ls 'C:\Program Files\Microsoft Office\root\*\STARTUP\*'
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Today\UserDefinedUrl
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Calendar\URL
Get-WinEvent -FilterHashtable @{ LogName='Microsoft Office Alerts'; Id='300';} | FL TimeCreated,Message
N/A
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s /v "Driver"
ls C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
gci -path "C:\Users\*\Documents\PowerShell\Profile.ps1"
gci -path "C:\Users\*\Documents\PowerShell\Microsoft.*Profile.ps1"
N/A
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
gci -path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" -include *.lnk,*.url
gci -path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -include *.lnk,*.url
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9707'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9708'} | FL TimeCreated,Message
gci -path C:\windows\system32\tasks | Select-String Command | FT Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | Select-String Command | FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}| Select-String Command | FL Line,Filename
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
ls 'C:\Windows\System32\WptsExtensions.dll'
Note: thanks to Markus Piéton for the WptsExtensions.dll one.
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaveActive"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "SCRNSAVE.exe"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaverIsSecure"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" /v "Security Packages"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"
N/A
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\servicename |FL
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "exe"
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "exe"
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "exe" | FL
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "dll" | FL
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
reg query HKLM\HARDWARE\DESCRIPTION\System\BIOS
Confirm-SecureBootUEFI
Get-WmiObject win32_bios
reg query "HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders" /s /f "Dll"
net users
net group /domain "Domain Admins"
net users /domain <name>
Note: The presence of files with these values isn’t necessarily indicative of a webshell, review output.
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "runat" | FL
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "eval" | FL
ProxyShell - May reveal evidence of mailbox exfil or Web Shell being dropped:
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'MailboxExportRequest'} | FL TimeCreated, Message
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'aspx'} | FL TimeCreated, Message
Function Get-WmiNamespace ($Path = 'root')
{
foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
{
$FullPath = $Path + "/" + $Namespace.Name
Write-Output $FullPath
Get-WmiNamespace -Path $FullPath
}
}
Get-WMINamespace -Recurse
Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /s
Locate Possible Dll Side Loading
Note: A legitimate clean executable can be used to run malicious DLLs based on issues with a manifest file used by the application to load DLLs.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners"
By placing a malicious DLL in the below locations legitimate binaries may have been used to sideload these malicious DLLs.
- C:\Windows\WinSxS
- C:\Windows\SXS
(gci -path C:\Windows\WinSxS -recurse -include *.dll|gi -ea SilentlyContinue|filehash).hash|sort -u
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -E "NotSigned"
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -E "NotSigned" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid" | Select Path | gi -ea SilentlyContinue | filehash | sort -u