Windows Event Log Evasion Review

This article has been indexed from Windows Incident Response

Before I kick this blog post off, I’d like to thank Lina L for her excellent work, which she shared both on Twitter and in a blog post. Both are thoughtful, cogent, and articulate.

In her blog post, Lina references detection techniques, something that is extremely important for all analysts to understand. What Lina is alluding to is the need for analysts to truly understand their tools, and how they work.

Back around 2007-ish, the team I was on had several members (myself included) certified to work PCI forensic investigations. Our primary tool at the time for scanning acquired images and data for credit card numbers (CCNs) was EnCase (at the time, a Guidance Software product), I believe version 6.19 or thereabouts. We had a case where JCB and Discover cards were included, but the tool was not finding the CCNs. Troubleshooting and extensive testing revealed that the built-in function, isValidCreditCard(), did not apply to those CCNs. As such, we worked with a trusted resource to write the necessary regexes and override the function call. While this was slower than using the built-in function, accuracy took precedence over speed.

The point is, as analysts, we need to understand how our tools work, what they do, and what they can and cannot do. The same applies to the data sources we rely on. As such, what I’m going to do in this blog post is expand on some of the items Lina shared in part 3 of her blog post, “Detection Methodology”. She did a fantastic job of providing what amounts to elements of an artifact constellation for the evasion technique that she describes.

Let’s take a look at some of the detection methodologies Lina describes:

1. Review event logs for 7045, 7035, 7034, 7036, 7040, 4697 service creation
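The following is an added example of how an analyst might actually perform that review, not code from the original post or from Lina's write-up. It queries the System log for the Service Control Manager events listed above (7045, 7035, 7034, 7036, 7040) and the Security log for 4697, flattens each record's EventData into named fields, and then pulls out newly installed services whose binary lives outside System32 as a quick triage view. The EventData field names used (ServiceName, ImagePath, StartType, AccountName for 7045; ServiceFileName and ServiceAccount for 4697) are taken from those events' templates as I know them and should be checked against a sample record on the system being examined; the `$Days` window and the System32 heuristic are my own choices.

```powershell
# Added example (not from the original post): summarise service-creation and
# service-state events from a live host for review.
param(
    [int]$Days = 7   # look-back window; assumption, adjust to the case
)

$since = (Get-Date).AddDays(-$Days)

# System log: Service Control Manager events named in the post.
# Get-WinEvent throws when nothing matches, hence SilentlyContinue.
$scm = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7045, 7035, 7034, 7036, 7040
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Security log: 4697 only exists if "Audit Security System Extension" is enabled,
# so an empty result here is common and not by itself suspicious.
$sec = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4697
    StartTime = $since
} -ErrorAction SilentlyContinue

function Get-EventDataMap {
    # Flatten <EventData><Data Name="..."> elements into a hashtable so the
    # fields can be read by name rather than by positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }
    }
    return $map
}

$rows = foreach ($e in @($scm) + @($sec)) {
    if (-not $e) { continue }
    $data = Get-EventDataMap $e
    # 7045 and 4697 carry the binary path under different names (assumed field names).
    $image = if ($data['ImagePath']) { $data['ImagePath'] } else { $data['ServiceFileName'] }
    $acct  = if ($data['AccountName']) { $data['AccountName'] } else { $data['ServiceAccount'] }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Id          = $e.Id
        Log         = $e.LogName
        ServiceName = $data['ServiceName']   # blank for 7034/7036/7040, which use unnamed params
        ImagePath   = $image
        Account     = $acct
        Summary     = ($e.Message -split "`r?`n")[0]
    }
}

# Full timeline of the events in scope.
$rows | Sort-Object Time | Format-Table -AutoSize

# Triage view: services installed in the window whose binary is outside System32.
$rows |
    Where-Object { $_.Id -in 7045, 4697 -and $_.ImagePath -and $_.ImagePath -notmatch '\\Windows\\System32\\' } |
    Select-Object Time, Id, ServiceName, ImagePath, Account |
    Format-Table -AutoSize
```

To run this against an exported log instead of the live host, replace `LogName` in each filter hashtable with `Path = 'C:\case\System.evtx'` (and the Security export for 4697); the rest is unchanged. Keep in mind the point of the post: if the evasion technique in question has kept these records out of the Event Log, an empty timeline for a service you know was created is itself the finding, and the other artifacts in Lina's constellation are what tell you the service existed.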

Most of these