Windows Privilege Escalation – Unquoted Services C:\Users\a>wmic service get name,pathname,startmode |findstr /i /v “C:\Windows\” |findstr /i /v “”” Name PathName StartMode ASLDRService C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\AsLdrSrv.exe Auto ATKGFNEXSrv C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe Auto LSM Unknown NetSetupSvc Unknown RX =
FTK Identify User Change System Time
Windows\System32\winevt\Logs Security.evtx EventID 4616 : The system time was changed.
Windows 10 Password Using Jack
1. Use AccessData FTK Imager -> Obtain Protected Files 2. Output = SAM, system files 3. Kali Linux, df -l -> /dev/sdb1 = /media/root/DT2G 4. cd /media/root/DT2G 5. pwdump system SAM >/root/Desktop/hashes.txt 6. cd /root/Desktop/ 7. john -format=nt -users=a hashes.txt
WinPmen
1. winpmem-21.post4.exe -o -output.aff4 2. winpmem-2.1.post4.exe output.aff4 –export PhysicalMemory -o memory.img 2.1 rekal -f memory.img hives 3. Rekal -f \\.\pmem 4. pslist 1. Output: Reading 0x3f7338000 16243MiB / 16255MiB 52MiB/s Adding C:\Windows\SysNative\drivers\1394ohci.sys as file:///C:/Windows/SysNative/drivers/1394ohci.sys Adding C:\Windows\SysNative\drivers\3ware.sys as file:///C:/Windows/SysNative/drivers/3ware.sys Adding
Memory Acquisition Analysis Tools
Windows 10 New Processes
Registry Viewer RST Files
AOL Instant Messenger (TM).rsr AOL Instant Messenger.rsr Favorites.rvc Internet Explorer.rsr NTUser – Files set to Run on Startup.rsr NTUser – Internet Account Manager.rsr NTUser – Internet Explorer.rsr NTUser – LastVisited and OpenSave MRU.rsr NTUser – Media Player MRUs.rsr NTUser –
SIFT Clean Install
Instruction on Installing SIFT3 -Download Ubuntu 14.04 Desktop ubuntu-14.04.5-desktop-amd64.iso http://releases.ubuntu.com/14.04/SHA256SUMS -Check SHA256 f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356 *ubuntu-14.04.5-desktop-amd64.iso PS C:\download> certutil.exe -hashfile .\ubuntu-14.04.5-desktop-amd64.iso sha256 SHA256 hash of file .\ubuntu-14.04.5-desktop-amd64.iso: f5ce20686a2f3201f04a309d04171ee15757f00954b33b87f3f1d36b3b0f5356 -Install in Oracle VM Virtualbox -sudo apt-get update -wget –quiet -O – https://raw.github.com/sans-dfir/sift-bootstrap/master/bootstrap.sh |
Windows 10 Auto Start Up Program Settings
Hold down the Windows key, and type R. Type: “shell:startup” Click OK. Put shortcut to program to be start up automatically.
Use Powershell Build in Func to check MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512
Build in Powershell certutil -hashfile 1.txt sha256 >1.txt.sha2 MD2 MD4 MD5 SHA1 SHA256 SHA384 SHA512 Output (1.txt.sha2) SHA256 hash of file 1.txt: a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3 CertUtil: -hashfile command completed successfully.