Windows SysInternals FG

Terminal Learning Objectives

1. Identify SysInternals Tools to Enumerate Systems

2. Identify SysInternals Tools to Analyze Processes


1. Sysinternals Introduction

  • Windows Sysinternals is a collection of advanced system utilities that were established to help users manage,troubleshhot and diagnose Windows systems and applications. The sysinternals tools are housed on the website https://live.sysinternals.com/ to be readily available to run directly from the site. We will have the tools downloaded on our box(es) for ease of use.

  • These are a few commands/instructions to have the tools on your local Windows box.

PS C:\windows\system32> net use * http://live.sysinternals.com (1)
Drive Z: is now connected to http://live.sysinternals.com.

The command completed successfully.
1 The 'net use' command can be used to create a connection to the Live Sysinternals website. (can be persistent with parameter set) 


PS C:\windows\system32> New-PSDrive -Name "SysInt" -PSProvider FileSystem -Root "\\live.sysinternals.com\Tools" (1)

Name           Used (GB)     Free (GB) Provider      Root                                                    CurrentLocation
----           ---------     --------- --------      ----                                                    ---------------
SysInt                                 FileSystem    \\live.sysinternals.com\Tools
1 'New-PSDrive' is a PowerShell command used to create a temporary or persistent connection to the Live Sysinternals website. 
PS C:\Users\andy.dwyer\Desktop> $wc = new-object System.Net.WebClient (1)

PS C:\Users\andy.dwyer\Desktop> $wc.DownloadFile("https://download.sysinternals.com/files/SysinternalsSuite.zip",
"$pwd\SysinternalsSuite.zip") (2)

PS C:\Users\andy.dwyer\Desktop> Expand-Archive SysinternalsSuite.zip (3)
1 Location may be different on your box The webclient provides common methods for sending and receiving data to/from a URI (Uniform Resource Identifier)
2 Download the .zip file from the website
3 Unzip the file, creates a folder on the desktop


2. Procmon

Using PROCMON to monitor the Windows Boot Process


Q: What is Process Monitor?

  • Process Monitor is an advanced monitoring tool for Windows that shows real-time File System, Registry and Process/Thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon.

  • It also has an option to Log at boot and we are going to go over a demo and analyze the Windows Boot Process.


Q: What does Procmon capture?

  • Registry - Anything from creating, reading, deleting, or querying keys

  • File System - File creation, writing, deleting, etc and this includes both local and network drives

  • Network - This only shows source and destination TCP/UDP traffic

  • Process - These events are for processes and threads where a process starts, a thread starts or exits, etc. Probably better in ProcExp

  • Profiling - Checks the amount of processor time and memory use of each process


  • Tabs

    • File - Has the save feature which allows exporting to CSV and CML as well as the native PML format, backup up files in virtual memory or in previous PMLs, import and export your Procmon configurations, and turn on and off Capture Events.

    • Edit - Has features for ease of access: Copy, Find, Find highlight, Find Bookmark, an Auto-scroll, and Clear Display.

    • Event - Options for the currently selected event as if you right clicked. You can view Properties, Stack, Toggle Bookmark, Jump To, Search Online, Filter Include/Exclude, and Highlight options.

    • Filter - For advanced search options it has Enabled Advanced Output, Filter, Reset Filter, Load (saved) Filters, Save Filters, Organize (saved) Filters, Drop Filtered Events (will not capture events that you are filtering) and highlight filters (or things that you have highlighted).

    • Tools - Summary outputs and information cheat sheets. System Details, Process Tree, Process Activity Summary, File Summary, Registry Summary, Stack Summary, Network Summary, Cross Reference Summary (paths that are written and read between differing processes)

    • Options - Configuration of the GUI, Has Always on Top, Font, Highlight Colors, Configure Symbols (for the stack tab), Select Columns, History Depth (how many events it will hold), Profiling Events (if you want it changed to milliseconds), Enable Boot Logging, Show Resolved Network Addresses, Hex Offsets and Length, Hex Process and Thread IDs.

    • Help - Help Manual, Command Line Options, About


  • Default Columns

    • Time - Shows the exact time the event occurred

    • Process Name - The name of the process that generated the event. It doesn’t show the full path by default, but if you hover over it then the full path is displayed.

    • PID - Process ID

    • Operation - Name of the operation being logged, with corresponding icon (registry, file, network, process)

    • Path - The path of the event that was being touched (the affected) and not the event of the process (the instigator)

    • Result - This shows the result of the operation in codes like SUCCESS or ACCESS DENIED

    • Detail - additional information for troubleshooting


Demo for Using PPROCMON to Monitor the Windows Boot Process


  • Looking at Processes on Boot


  • Start up the Admin-Station Host and log in as Army\andy.dwyer and open REGEDIT from their Search Bar and Go to HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

  • Create a New String Value Called RunME and modify it with c:\windows\notepad.exe.

  • `Go to C:\SysinternalsSuite <Location may be different>

    • Double-Click Procmon.exe. Accept Eula. Go to the File Tab and uncheck Capture Events. Go to the Options tab and Click on Enable Boot Logging.

    • This will enable logging on System Boot. Select Every Second. Restart the System.

  • Once the System restarts, open and minimize notepad and then navigate to and double-click Procmon.exe to start it. It will ask to Save the log file.

    • Save the log file to the Desktop. Once all of the Bootlog.pml files are saved, return to Procmon.

    • If the .pml file does not automatically load, go to the File tab and click on OPEN and browse to our Desktop and select the ".pml" file to load.

  • Click on the Tools tab and click on Process Tree.

    • Explain the Process Tree and how it’s formed (hierarchically) and why things are grayed out (They are no longer running).

    • Discuss why the description and path are important in identifying malware and also the digital signature, the process owner, and the command line syntax and what that could indicate as abnormal. If there is no description it’s a good indicator of malware

      • Processes starting from odd locations

      • Digital signitures are a good indicator of malware if it’s missing but they can be falsified

      • This is where we would look for our malicious boot and pre-windows start malware. We could also look for system diagnostic things such as any programs that are taking to long to load or hang that could indicate malware.


  • Find notepad.exe and have a discussion about things to look for like programs that shouldn’t run at start or unknown programs and services. Continue onto the next part.


  • Learning PROCMON Filtering


  • Once notepad.exe is found, right-click and select Go to Event to show the functionality.


  • Right-Click and go over the list of options focusing on the Include and Exclude for the filtering and the highlight option and the properties.


  • Right-Click and select Include and select PID and Discuss the results (Everything is blown away except the notepad).

    • Select the Filter tab and select Filter…​ and explain the "Include" and "Exclude" at the bottom.

    • Remove the "PID is ???? (whatever the PID is for notepad.exe) include" and add an entry for "Process Name is notepad.exe" then include then remove it and add the same one but "Process Name is notepad.exe then exclude".

    • Exit the Filter and do a Ctrl-F and search for notepad.exe. It is gone.


  • Go back to the Filter Tab and remove the "Process Name in notepad.exe then exclude" and exit the Filter and do a Ctrl-F and search for notepad.exe, you should see it now.

    • Discuss some other filtering techniques. Discuss the advantages and disadvantages and what use they believe they can get out of the tool.


  • Explain any further questions or gaps about filtering or analyzing processes at boot. END DEMO.


Any Questions?


3. Autoruns

Analyze the Windows startup environment using AUTORUNS


Q: What is AUTORUNS?

  • Autoruns shows applications automatically started on during system boot or login as well as the Registry and file system locations for auto-start configurations. Examples: AppInit, Winlogon, Scheduled Tasks, Services, Logon, etc.


  • The External Interface

    • Highlighted items that are colors notate special meanings

      • Pink - Means no publisher information was found or the digital signature doesn’t exist or match.

      • Green - Used when comparing previous set of Autorun data to indicate an item wasn’t there last time.

      • Yellow - The startup entry is there, but the file or job it points to doesn’t exist anymore.

    • Highlight a task - Right-Clicking or Entry Tab - Allows you to Jump to where the entry resides in the File System, Search Online, Open in Process Explorer, Go to it’s Registry Key or Task Scheduler.

    • User Tab - Allows you to analyze different user accounts autoruns (must be administrator to view other accounts).

    • Options Tab- Allows you to hide certain entries and also allows font changes and scan options. The Scan Option allows you to choose to scan Per-User Locations, Verify code signatures, and Check Virustotal.com.

    • File Tab - Allows you to Analyze Offline systems and compare files from other systems or yours, Very handy.


Q: Where are some of the places that AUTORUNS look?

  • The Internal Tabs

    • Everything - Shows all of the outputs from the other tabs together on this one tab. One stop Shop, Not as messy as you might think.

    • Explorer - This tab list add-on components that load themselves into Windows Explorer. Mostly context menu add-ons and the sort.

    • Logon - Checks the normal locations for things to be automatically loaded, including registry keys Run and RunOnce keys, the Start Menu, up to 43 locations.

    • Internet Explorer - This tab list all of the browser extensions, toolbars, browser helper objects that are used by malware to either spy or show you ads.

    • Scheduled Tasks - This tab shows Tasks that are scheduled. Malware uses it to install, reinstall, and do all types of nefarious things with this.

    • Services - This tab list auto-start services. Malware sometimes hides itself as a service by creating it’s own service that helps make sure that other malware processes are running.

    • Drivers - .Sys files. Used to call a bunch of system and svchost executables. Malware can hide in here, look at the path.

    • Codecs - Libraries of code that handle media playback for videos and audio. Used by malware to automatically start on systems.

    • Boot Execute - Things that can’t happen when windows is loaded like a hard drive check.

    • Image Hijacks - Will let you know if a program has been replaced with another, ex: when you run notepad.exe it runs calc.exe instead.

    • AppInit - Settings where RequireSignedAppInit_DLLs key is set to 0 and any DLLs that were loaded with that setting will be showed.

    • KnownDLLs - Listed to make sure you can verify and that they are all verified and published DLLs.

    • Winlogon - Shows DLLs that register for Winlogon notification of logon events.

    • Winsock Providers - Networking, shows registered winsock providers. Malware often installs itself as these because there are few tools that can remove them.

    • Print Monitors - Third party printer applications, Drivers and Dlls that load into the print spooling service. Malware uses this support to autostart itself.

    • LSA Providers - Shows registered LSA authentication notification and security packages.

    • Network Providers - Third party network providers.

    • WMI - Views WMI related persistence (Ex: If a powershell script was using a get-wmiobject, it would show up).

    • Office - Shows Office related material. If excel scripts or power points were infected and opening at start they would show here.


Demo for Analyzing the Startup Environment with Autoruns


  • Have students log into their Admin-Station as Army/andy.dwyer.


  • Have students go to C:\SysinternalsSuite <Location may be different> and open up Autoruns.exe go to the Options tab and make sure that Hide Windows Entries is unchecked.


  • The entry created from the PROCMON demo "RunME Notepad (Verified) c:\windows\notepad.exe" under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run section in the Everything tab and the Logon tab should be visible.

    • Side note: Unchecking the Hide Windows Entries can create a lot of unneeded clutter. Go to the Options tab and check Hide Windows Entries.

    • Notate that anything (Verified) Microsoft Windows as a Publisher is removed to the class.


  • Discuss what we are looking at and what we are looking for using our notepad.exe as an example such things as registry keys, path, names, digital signatures, etc.


  • Click on the Logon tab, it gives a chunk of information that the Everything tab gave us but gives us only where autoruns checks for "normal" autorun locations. Discuss the locations that malware might hide. (ex: Run, RunOnce, etc)


  • Click on the Scheduled tasks tab. Discuss what ways malware might use schedule tasks and what ways we could mitigate it. (ex: create schedule task to install itself, to set a callback at a certain time/ group policy)


  • Click on the Services tab. Discuss ways that malware can take advantage of services and ways to mitigate it. (ex: create a service that auto starts at boot that runs a malware process, group policy)


  • Discuss the advantages and disadvantages if any and what use do they believe if any they can get out of the tool.


  • Clarify any Questions or gaps in learning. END DEMO

  • ANY QUESTIONS


4. Procexp

Analyze Windows running processes using PROCEXP


Q: What is Process Explorer

  • Process Explorer is a task manager and system monitor which collects information on running processes with such features as Hierarchical view of processes, live CPU activity, ability to kill and suspend processes, display DLLs loaded, create process dumps, display handles and much more.

  • There will be a lot of similarities in the options and results that both Task Manager and Process Explorer give.

  • Process Explorer should be run as administrator to get it’s full usage.

  • Process Explorer has a powerful search capability that can show processes and their respective DLLs and handles.


  • Default Interface Columns

    • Process - Processes are listed according to their parent child relationship. Processes listed as a sub row are child processes of the upper process.

    • CPU - Shows general CPU usage percentage of this process.

    • Private Bytes - Shows the size of memory only used by this process and not shared with other processes and DLL’s.

    • PID - Shows the process identifier given by the operating system and used to easily identify the process.

    • Description - Shows process information (what it is).

    • Company Name - Shows the application publisher company.


  • Interface Tabs

    • File - Allows you to run applications as if from the "Run window" and if you are administrator you can run as a limited user (lower credentials), save functions, and the ability to shutdown, restart, lock, etc the system.

    • Options - Allows you to the option to run Process Explorer at logon, the ability the verify Image (digital) signatures, check virus total, to replace task manager with process explorer, and configure graphical options such as colors/fonts/thread symbols/tray icons/highlight duration.

    • View - Shows system information (resource monitor in task manager), manipulate how you view the processes such as speed/refresh rate, allows column manipulation such as adding and removing columns.

    • Process - Is for individual clicked on processes. It shows windows which allows selected processes to be brought to front or maximized or minimized, set affinity which allocated CPU usage, sets priority for it’s placement in the pool, can kill/kill tree/restart/suspend, create a process dump, search the selected process on virustotal, the select the process’s properties and search it online.

    • Find - Used for finding Handles and DLLs.

    • Handle - If split window is selected this will appear. Select a handle on the lower panel and you are able to close the handle or select it’s properties. It is interchangeable with a DLL tab depending on what you select to look at in the lower panel. The DLL tab shows properties, search online, and check virus total.

    • Users - Used for controlling users on host if you are admin. Can connect, disconnect, logoff, remote control, send messages, and view some brief properties about the user’s status.

    • Help - Help manual and an about


  • Colors (Selected by default)

    • Green - New Objects - Briefly flashes "Green" before changing into one of the 9 other colors.

    • Red - Deleted Objects - Dead.

    • Lavender - Own Processes - Processes owned by the current logged in user.

    • Salmon - Services

    • Gray - Suspended Processes

    • Purple - Packed Images -Processes might contain compressed code hidden inside them. Malware uses it because it obfuscates the contents of the file.

    • Cyan - Immersive Process - Windows Store App related, Uses Windows 8+ new APIs


Demo on Analyzing Windows Running Processes with Process Explorer


  • Have students open up their Admin-Station and log in as Army\andy.dwyer.


  • Once logged on they will need to go to C:\SysinternalsSuite <Location may be different> and Right-Click on Procexp.exe and select Run as Administrator and Maximize it.

    • Press "spacebar" to pause ProcExp from refreshing any further so it will be easier to continue (hitting spacebar again will un-pause it).


  • Find notepad.exe (If the process tree is not already in Tree form then go to the View tab and click on Process Tree) and discuss the lay out and columns reinforcing the FG.

    • Once notepad.exe is found, double-click it. The data returned is PATH, CMDLINE, AUTOSTART, TCP/IP, STRINGS, and much more. Discuss why this is important.


  • Close the window. Go to the Options tab, click on VirusTotal.com and click on Check VirusTotal.com and discuss VirusTotal and it’s effects. Agree to the Terms of service to continue.

    • A new column populates on the far right called VirusTotal and everything now has a score (or almost everything).


  • Click on the Options" tab again and click Verify Image Signatures to check that everything has verified publisher digital signatures (discuss why this is important).

    • The Verified Signer column and Company name are now listed (what are we looking for?).


  • Click on View and click on Select Columns, Select Auto Start Location and retouch on autoruns briefly in the Process Image tab and Receives and Sends from the Process Network tab.

    • Explain what we are looking for from these Three tabs are autorun locations and network traffic.


  • Between the View and Process tabs there is a Show Lower Pane button, click that button and it will bring up a list of Handles or DLLs, we want Handles (Handles in Windows refer to an integer value that is used to uniquely identify a resource in memory like a window, an open file, a process, etc).

    • To change between the two, you would click on the View tab and click on Lower Pane View and there are two options DLLs and Handles.

    • We can see any Files, Processes, Registry keys associated with our selected process and discuss some of the things we might be looking for.


  • Switch to DLLs by repeating the previous step. Discuss what we are looking for and why we are looking at DLLs. Unsigned, not in C:\Windows\System32, No description, weird names, anything that looks abnormal.


  • Double click on notepad.exe, click on the Image tab and to click the Explore option for Path information.

    • The first thing to look for is if there are any DLLs in the folder that are not listed in Process Explorer. Discuss rogue DLLs and files.

    • Malware sometimes has associated DLLs that come packaged with it or is itself a DLL that plugs into legitimate processes or other DLLs, Discuss ways Malware injects.

    • Look at time stamps at the files in the folder and at the files themselves, but at this point we would start to move onto other tools and methods.


  • Discuss the advantages and disadvantages if any and what use do they believe if any they can get out of the tool.

  • ANY QUESTIONS?


5. TCPView

Analyze Windows network connections using TCPVIEW

Q: What is TCPVIEW?

  • TCPView is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.[1]

  • It’s a more informative Graphical (GUI) representation of the NETSTAT command

  • Shows network connections

Open TCPView

  • If you see any Red Rows

    • That indicates when a network connection terminates

  • If you see any Green Rows

    • That indicates when a connection is made

  • If the colors are disappearing to quickly, you can modify the Update Speed

    • View → Update Speed → 5 seconds

    • Keeps colors longer to see what is stopping or starting

  • Column Sorting

    • Allows you to see lines grouped by State or Process

Q: What are some known malicious ports?

  • 1337 Leet Port = 1337 means "elite" in hacker/cracker spelling (1=L, 3=E, 7=T, "LEET"="ELITE"). Because of the reference, it may be used by some backdoors.

  • 31337 Eleet port

  • 4444 Metasploit default listener port

    • To kill Processes

  • Right click → End Process


6. PsExec

Analyze Windows privileges' using PsExec

Q: What is PsExec?

  • light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software.

  • Switches

    • -s Run as System account

    • -i interacts with the desktop

    • -c Copy the specified program to the remote system for execution.

  • Demo regedit.exe

    • Open as regular user

    • Go to HKLM\SAM\SAM

    • Can’t go deeper

From an admin cmd shell

psexec -i -s regedit.exe

  • Can view down to HKLM\SAM\SAM\Domains\Accounts\Users

This function will not work in our current environment but talk about the ability of running the tool across a network. Also, demo a cmd shell back from another system as System

PsExec -s \\file-server cmd.exe
whoami
nt authority\system


7. PsLoggedon

Analyze Windows logons using PsLoggedon

Q: What is PsLoggedon used for?

  • It can list users that are logged on currently to a system

Q: How can I view the options for PsLoggedon?

  • psloggedon.exe /? -accepteula

Q: What does the -accepteula do?

  • Prevents a pop up to accept the End User License Agreement

Show output from running PsLoggedon

PS C:\SysinternalsSuite> .\PsLoggedon.exe

PsLoggedon v1.35 - See who's logged on
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Users logged on locally:
     <unknown time>             ADMIN-STATION\cloudbase-init
     5/10/2021 2:02:19 PM       ADMIN-STATION\student
     5/10/2021 2:07:48 PM       ADMIN-STATION\andy.dwyer

No one is logged on via resource shares.

The following function will not work in our current environment but talk about the ability of pulling logon information from remote boxes. Set up a Server List for this demo

Write-Output File-Server > "$env:HOMEPATH\Desktop\ServerList.txt"
Write-Output Domain-Controll >> "$env:HOMEPATH\Desktop\ServerList.txt"
Write-Output $env:Computername >> "$env:HOMEPATH\Desktop\ServerList.txt"

Run PsLoggedon on all the systems in the list

Foreach ($system in (gc "$env:HOMEPATH\Desktop\ServerList.txt") ) {.\PsLoggedon.exe \\$system -nobanner}


Q: How could this tool be used in Cyber?

  • Gather a list of every user currently logged on a system

  • Possibly find for a malicious actor in the network

  • Look for logged on users who are logging in outside of normal hours


8. LogonSessions

Analyze Windows session using LogonSessions

While Psloggedon shows who is logged on and what time he/she logged on, loggonsessions shows how that user logged on.

Logon type

Logon title

Description

2

Interactive

A user logged on to this computer.

3

Network

A user or computer logged on to this computer from the network.

4

Batch

Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.

5

Service

A service was started by the Service Control Manager.

7

Unlock

This workstation was unlocked.

8

NetworkCleartext

A user logged on to this computer from the network. The user’s password was passed to the authentication package in its un-hashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).

9

NewCredentials

A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.

10

RemoteInteractive

A user logged on to this computer remotely using Terminal Services or Remote Desktop.

11

CachedInteractive

A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.[2]

  • Demo

List sessions and processes running under each user

PS C:\SysinternalsSuite> .\logonsessions.exe -p

LogonSessions v1.41 - Lists logon session information
Copyright (C) 2004-2020 Mark Russinovich
Sysinternals - www.sysinternals.com

_Output_Truncated_
[14] Logon session 00000000:0010d7b1:
    User name:    ADMIN-STATION\andy.dwyer
    Auth package: NTLM
    Logon type:   RemoteInteractive
    Session:      2
    Sid:          S-1-5-21-2352402639-359936040-2003525269-1005
    Logon time:   5/10/2021 2:07:07 PM
    Logon server: ADMIN-STATION
    DNS Domain:
    UPN:
     7580: powershell_ise.exe
     6992: conhost.exe
    10188: powershell.exe
     7628: conhost.exe
    10156: cmd.exe
     6692: conhost.exe
     5856: notepad.exe
     8872: cmd.exe
     9360: conhost.exe
     1808: ssh.exe
     4388: logonsessions.exe
_Output_Truncated_

Q: Why would you ever need to see what processes a logged on user was running?

A: If you are trying to locate a malicious user or if you are trying to identify processes a piece of malware was running


9. PsList

Analyze Windows processes using PsList on local or remote systems

Q: What is PsList used for?

  • Another command line tool for gathering process information

  • Allows you to refresh the tool for a specified period of time

Q: How do you get the help file for PsList?

pslist /?

Q: How can I get a process list that updates every 10 seconds for 100 seconds?

pslist -s 100 -r 10

  • -s [n] run for this many seconds

  • -r n refresh every n seconds

Q: Why is this important to Cyber?

  • To see if a new admin logs in. Can’t refresh this by default with tasklist or get-process

  • To see when a new process starts that could jeopardize your mission

Q: How can this be run on a remote system?

pslist \\file-server (1)
1 Will not work in current environment

Show the output from running the tool

PS C:\SysinternalsSuite> pslist

PsList v1.4 - Process information lister
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for ADMIN-STATION:

Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   4    0     52   115:19:16.046    28:59:33.270
System                4   8 101 4115    188     0:01:21.687    28:59:33.270
Registry            104   8   4    0    360     0:00:03.484    28:59:40.221
smss                324  11   2   59    500     0:00:00.171    28:59:33.264
csrss               432  13  12  539   1772     0:00:00.921    28:59:09.665
wininit             508  13   1  168   1356     0:00:00.078    28:59:09.146
csrss               516  13  10  388   1640     0:00:00.656    28:59:09.139
winlogon            604  13   3  281   2420     0:00:00.125    28:59:09.097
services            652   9   5  669   4872     0:00:14.375    28:59:09.056
lsass               664   9   7 1700   8080     0:00:09.531    28:59:08.760
_Output_Truncated_

10. PsInfo

Analyze Windows system information using PsInfo

  • Gathers key system information from both local and remote systems.

The following function will not work in our current environment but talk about the ability of pulling PsInfo information from remote boxes. Set up a Server List for this demo

Write-Output File-Server > "$env:HOMEPATH\Desktop\ServerList.txt"
Write-Output Domain-Controll >> "$env:HOMEPATH\Desktop\ServerList.txt"
Write-Output $env:Computername >> "$env:HOMEPATH\Desktop\ServerList.txt"

Run PsInfo on all the systems in the list

Foreach ($system in (gc "$env:HOMEPATH\Desktop\ServerList.txt") ) {.\Psinfo.exe -hs -nobanner \\$system | out-file $env:homepath\Desktop\psinfo.txt -append}


Show the output from running the tool

  • Talk about the importance of identifying the following system information and how it can be used to associate possible exploits by either the network owner or an adversary.

PS C:\SysinternalsSuite> psinfo

PsInfo v1.78 - Local and remote system information viewer
Copyright (C) 2001-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

System information for \\ADMIN-STATION:
Uptime:                    1 day 5 hours 9 minutes 14 seconds
Kernel version:            Windows 10 Enterprise, Multiprocessor Free
Product type:              Professional
Product version:           6.3
Service pack:              0
Kernel build number:       17763
Registered organization:
Registered owner:
IE version:                9.0000
System root:               C:\windows
Processors:                4
Processor speed:           2.2 GHz
Processor type:            AMD EPYC-Rome Processor
Physical memory:           2 MB
Video driver:              Microsoft Basic Display Adapter

11. Strings

Analyze Windows files using Strings

  • Switches

    • -a ASCII

Must provide literal file path

strings -a C:\users\andy.dwyer\Desktop\<doc>.txt


12. Handle

Analyze Windows handles process using Handle

Q: What is a handle?

  • Handles are data structures that represent open instances of basic operating system objects applications interact with, such as files, registry keys, synchronization primitives, and shared memory.

  • Applications can’t access objects directly, must obtain a handle

  • Handles for each process are tracked in an internal table known as the Object Manager

  • Handles allow a common interface to objects, regardless of underlying changes to the object

  • Handles allow Windows to track ACLs for objects during handle creation time

DEMO: Killing a handle using Sysinternal handle.exe

Step one: Open Powershell.exe and start-transcript

PS C:\windows\system32> Start-Transcript (1)
Transcript started, output file is C:\Users\andy.dwyer\Documents\PowerShell_transcript.ADMIN-STATION.x9xkJMAJ.20210510184103.txt
1 Note the file name and location

Step two: Locate the PID number of powershell.exe, we will run tasklist and scroll down until you find powershell

tasklist

Step three: In a different cmd prompt, use the following command to show the handles in use with powershell.exe

C:\windows\system32>handle.exe -p <pid of powershell> -accepteula

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

   40: File  (RW-)   C:\Windows\System32
   C4: File  (R-D)   C:\Windows\System32\WindowsPowerShell\v1.0\en-US\powershell.exe.mui
  174: Section       \BaseNamedObjects\__ComCatalogCache__
  1C4: Section       \BaseNamedObjects\windows_shell_global_counters
  1F4: Section       \...\Cor_SxSPublic_IPCBlock
  1F8: Section       \BaseNamedObjects\Cor_Private_IPCBlock_v4_10188
  208: Section       \Sessions\2\BaseNamedObjects\windows_shell_global_counters
  _Output_Truncated_

Step four: Show that the start-transcript log file cannot be altered. Open in notepad and type anything then try to save it

Step five: Run the following command

C:\windows\system32>handle.exe -p 10188 -c c:\Users\andy.dwyer\Documents\PowerShell_transcript.ADMIN-STATION.x9xkJMAJ.20210510184103.txt

Nthandle v4.22 - Handle viewer
Copyright (C) 1997-2019 Mark Russinovich
Sysinternals - www.sysinternals.com

    C: WaitCompletionPacket
Close handle C in powershell.exe (PID 10188)? (y/n)

After the handle is closed reopen the log file back in notepad and show the file can now be edited.

Q: Why are handles important to Cyber?

  • Looking at handles to DLLs will help understand what malware could be doing as well as killing handles to logs could prevent behavior on systems from being recorded.


References