CCTC Test Prep
gpresult
Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.
regedit.exe
GUI used to edit registry values.
Parent process to explorer.exe
userinit.exe
Bootmgr: reads BCD and calls
winload.exe/winresume.exe or .efi
registry hive
A group of keys, subkeys, and values in the registry that has a set of supporting files that contain backups of its data.
situational awareness
A method of gaining an understanding of the current operating environment on the target machine.
botnet
A network of infected machines.
Potential data at rest issues in Cloud environments.
A potential risk of virtualization.
DS Tools
A set of command line tools that began shipping natively with Windows Server 2003 to manage Group Policy Objects.
MBR (Master Boot Record)
A special type of boot sector at the very beginning of a partitioned computer mass storage device. Consists of 512 bytes holding the information on how the logical partitions, containing file systems, are organized on the medium. Contains executable code to function as a loader for the installed operating system. Usually referred to as the boot loader.
multi-threading
A technique that allows a single set of code to be used by several processors at different stages of execution.
running thread
A thread currently running on a processor.
transition thread
A thread ready for execution, but paging is needed to bring the thread back into main memory.
waiting thread
A thread waiting for an event to take place.
Site
AD object that represents a collection of IP subnets, and usually constituting a physical LAN.
enumeration
Acquiring forensically relevant information of a local machine. Used in the process of baselining.
Schema
Active Directory component that defines the objects that can be created in Active Directory.
host-based security product
Security product that runs on the local machine, OS dependent, version dependent, system firewalls, process monitoring, kernel calls, directory monitoring, application whitelisting, etc.
auditing settings
Settings contained in the System Access Control List of an object.
raw socket
Socket that has access to the underlying transport provider. No protocol, just raw communication, poses a security threat.
datagram socket
Socket that uses UDP.
EFI/UEFI (Extensible/Unified Extensible Firmware Interface)
Software interface between the operating system and platform firmware. Replaces the Basic Input/Output System (BIOS) Firmware.
wininit.exe
Starts Service Control Manager (SCM), Local Security Authority Subsystem (LSASS), Local Session Manager (LSM).
Service Control Manager (SCM)
Starts, stops, and interacts with Windows service processes. Started at system boot, it maintains the database of installed services, enumerates installed services, and allows remote procedure call (RPC) so that service configuration and service control programs can manipulate services on remote machines.
procmon
SysInternals GUI based tool to view, monitor, and filter processes running on a machine.
psgetsid
SysInternals tool that translates SIDs to their display name and vice versa.
psloggedon
SysInternals tool that displays the locally logged on users and users logged on via resources for either the local computer, or a remote one.
accesschk
SysInternals tool to check an access control list (ACL) for a file.
pslist
SysInternals tool to list processes on a local or remote Windows NT/2000 system.
psinfo
SysInternals tool to show basic system info for a local or remote Windows NT/2000 system.
autoruns
SysInternals tool to show what programs are configured to run during system bootup or login.
logonsessions
SysInternals tool to list the currently active logon sessions.
handle
SysInternals utility to display information about open handles for any process in the system. (See which programs have a file open or to see the object types and names of all the handles of a program.)
sigcheck
SysInternals tool that shows file version, timestamp, manifest, and digital signature details.
Kernel Mode
Runs in a single virtual address space, not isolated from other processes. Protected from the user to allow the OS to run.
User Mode
Runs in private virtual address space, applications are isolated, one crash will not cause another process to crash.
batch file (.bat)
Script file extension for Windows Command Line Interface.
wmic environment list brief
Windows Management Instrumentation command-line command to display system environment settings.
wmic nicconfig list full
Windows Management Instrumentation command-line command to view all network adapter management information.
namespace
Windows Management Instrumentation is organized into namespaces (folders that correlate products/technology).
terminated thread
Finished execution of a thread, thread is heading for deallocation.
cmdlet
Follows a "verb-noun" pattern, unique to Powershell to execute different commands.
wf.msc
GUI control panel utility to modify windows firewall settings.
Local Security Policy
GUI utility to view Advanced Audit Policy Configuration settings.
eventvwr
GUI utility to view/analyze event logs.
RID of 501
Guest Account
Powershell
Object-oriented tool for Windows built on the .NET framework.
socket
One endpoint of a two-way communication link between two programs running on a network.
mailslot
One-way Interprocess Communication method. Max single message size of 424 bytes, acts as a file kept in memory.
mailslot
One-way interprocess communication using SMB over UDP 138.
Ensures the hardware is operational
POST
Preparation
Packing List, update tools, training, documentation, SOP, Network Diagrams, Incident Response Teams
adware
Paid for ads to infect users as they visit a website.
property
Part of a Powershell object that contains data.
method
Part of a Powershell object that contains functions of the object.
bot herder
Person in control of a botnet.
|
Pipes output of one command to input of another command.
handle
Pointer to an object representing a system resource such as a file or thread. Tracked in the Object Manager, allows each process to access the resource these objects represent. Allows Windows to track access control lists (ACLs) for resources.
POST
Power On Self Test
get-member
Powershell cmdlet to get properties and methods of an object.
Get-Acl
Powershell cmdlet to get the access control list (ACL) information for a file.
Get/Set-NetFireWallRule
Powershell cmdlet to get/set Windows Firewall settings.
format-table or format-list
Powershell cmdlet to override default cmdlet output. Usually, cmdlet output is piped into these cmdlets.
Get-EventLog
Powershell cmdlet to view Event Logs.
Get-ExecutionPolicy
Powershell command to display the current execution policy.
(get-process).name
Powershell command to print the name of every running process.
get-help <cmdlet> -examples
Powershell command to show examples for a cmdlet.
page fault
This occurs when a thread references an invalid page in the page table.
SMB Version 3 - introduced with Server 2012
This version of SMB uses AES for encryption.
initialized thread
Thread is being created in this state.
deferred ready thread
Thread selected to run but not yet executed.
ready thread
Thread waiting for execution, in the priority pool.
wmic computersystem list brief
Windows Management Instrumentation command-line command to display all computer system management information.
host name resolution
1. Name on localhost? 2. Name in the cache? 3. Name in the hosts file? 4. Query DNS server.
P.I.C.I.E.R.
1. Preparation 2. Identification 3. Containment 4. Investigation 5. Eradication 6. Recovery
Registers, Cache
1st in the order of volatility.
Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory
2nd in the order of volatility.
Temporary File Systems
3rd in the order of volatility.
Disk and other Storage Media
4th in the order of volatility.
Remote Logging and Monitoring Data that is Relevant to the System in Question
5th in the order of volatility.
Physical Configuration, Network Topology
6th in the order of volatility.
Archival Media
7th in the order of volatility.
tcpview
A Windows program that will show detailed listings of all TCP and UDP endpoints on the system.
object
A data structure that contains properties and methods.
page
A distinct chunk of memory allocated to a process.
class
A general term for grouped objects.
DSADD
Add specific types of objects to the directory.
RID of 500
Admin Account
script
Allows for completion of repetitive tasks by the command line.
NTOSKRNL.exe
Also known as the kernel image, provides the kernel and executive layers of the Windows NT kernel space. Contains the cache manager, the executive, the kernel, the security reference monitor, the memory manager, and the scheduler.
Event
Any observable occurrence in a system or network.
botnet client
Application to allow an attacker remote administration/command and control of a botnet.
Local Security Authority (LSA)
Applications can use this service to authenticate and log users on to the local system.
Remote Procedure Call (RPC)
Applications load a .dll containing stub procedures for remote functions to allow configuration/viewing of a remote machine.
Domain Controller (DC)
Authenticates domain logon for users.
Security Account Manager (SAM)
Authenticates locally on Windows for local logon.
get-help <cmdlet>
Basic cmdlet help syntax
thread
Basic unit to which the OS allocates processor time.
RID of 1000
Beginning of User Accounts
firewall
Block network traffic based on an established set of rules.
ransomware
Blocks access to local machine resources, usually encrypts files and demands payment from the victim.
NTLDR (NT Loader)
Boot loader for all releases of Windows NT, launched by the volume boot record, requires boot.ini, ntldr, and NTDETECT.COM. Starts NTOSKRNL.exe and HAL.dll
Secure Attention Sequence (SAS)
CTRL+ALT+DEL - tells the system you want to authenticate. The kernel detects the key combination and initiates the trusted login process.
Group Policy Object (GPO)
Collection of settings that define policies controlling a group of users or computers.
CIM
Common Information Model for Windows. Cross-platform, cross-compatibility.
Hypervisor
Component that creates and runs virtual machines.
Process Validity
Comprised of valid Process ID (PID), Name, Process Age, Priority Level, and Handles.
endpoint
Consists of an IP address and a port number.
SACL
Defines which secure object interaction will be audited and logged.
signature based detection
Detection based on a database of previously identified attack signatures.
heuristic based detection
Detection based on developing a baseline of the system, then looks for anomalous activity, potential to catch 0-day attacks.
Identification
Determine if we're working with an adverse event or an incident.
Investigation
Determine the priority, scope, and root cause of an incident.
Recovery
Determine when to bring the system back into production and how long we monitor the system for any signs of abnormal activity.
DSGET
Display the selected properties of a specific object in the directory.
worm
Does not require user interaction to replicate.
Components of an NTFS File
Each file in this type of format contains these: Security Identifiers (SIDs), Discretionary Access Control List (DACL), System Access Control List (SACL).
baseline
Establishing what is considered normal on a local machine. Enumeration can accomplish this.
customlog event log
Event log that contains events logged by applications that create a custom log.
application event log
Event log that contains events logged by applications.
system event log
Event log that contains events logged by system components such as the failure of a driver or other system component to load during startup.
security event log
Event log that contains events such as valid and invalid logon attempts, as well as events related to resource use such as creating, opening or deleting files or other objects.
Incident
Event that violates an organization's security or privacy policies.
Adverse Event
Event with a negative consequence.
dynamic analysis
Examining malware while it is running.
static analysis
Examining malware without executing it.
&&
Execute command only if the previous command executes successfully.
& or ;
Execute second command after the execution of the previous command.
||
Execute the second command only if the first fails to execute.
SMSS (Session Manager Subsystem)
Executed during startup, this is the first user-mode process started by the kernel that starts: csrss.exe, winlogon.exe. Creates environment variables and virtual memory paging files.
forensically relevant keys
HKLM\Run, HKLM\RunOnce, HKU\Run, HKLM\Tasks, HKLM\SERVICES, HKLM\USBSTOR, HKU\TypedUrls, HKLM\Profiles, HKLM\BCD00000000, HKLM\SAM\SAMs
UEFI
Hardware configuration tool intended to replace the BIOS.
registry
Hierarchical database of critical system configuration. Configuration and control mechanism for the Windows operating system. Contains system-wide and per-user settings.
Executive Summary
High-level summary of the report.
Operational Notes
Highly detailed notes that will feed into your report, depending on whether the report is an executive summary or a technical summary. Includes time stamps, programs/tools used, and outputs.
HKEY_CURRENT_CONFIG (HKCC)
Hive Key contains current hardware profile, information that is gathered at runtime.
HKEY_CLASSES_ROOT (HKCR)
Hive Key contains file association and COM objects, backwards compatibility, and file extension information.
HKEY_LOCAL_MACHINE (HKLM)
Hive Key contains system related information, Security Account Manager (SAM), critical boot/kernel functions, 3rd party software, hardware, Boot Configuration Data (BCD.dat)
HKEY_USERS (HKU)
Hive Key that contains all accounts on a machine, the root key contains the ntuser.dat hives for ALL users.
HKEY_CURRENT_USER (HKCU)
Hive Key that contains the current user's settings.
Relative Distinguished Name (RDN)
Hostname or computer name.
VBR (Volume Boot Record)
In Windows 7+, loaded by the MBR, is a boot loader to start the bootmgr.
Information Assurance (IA)
Includes the protection of the integrity, availability, authenticity, non-repudiation, and confidentiality of user data.
zombie
Individual machine within a botnet.
explorer.exe
Last phase in the boot process
Containment
Limit damage caused to systems and prevent any further damage from occurring.
User Account Control (UAC)
Limits the privileges of user run applications to prevent the modification of system files, resources, or settings. Requesting elevated privileges requires explicit acknowledgment from the user.
winload.exe
Loads NTOSKRNL.exe, loads dependencies, loads device drivers; occurs after the bootmgr on a fresh restart/boot.
Userinit.exe
Loads user profile, runs startup programs, starts explorer.exe
Technical Summary
Low-level summary of all technical intricacies in a report.
backdoor
Malicious program that allows illegitimate access to a machine.
remote access tool (RAT)
Malicious program that provides remote command and control of a machine.
rootkit
Malicious program to hide and remain persistent on a remote machine.
trojan
Malware hidden within another legitimate program.
Windows Management Instrumentation
Microsoft's implementation of the Common Information Model (CIM).
DSMOD
Modify existing objects in the directory.
network security products
Monitors network traffic, can be inline or passive, Intrusion Detection Systems, Intrusion Prevention Systems, Web/Application Proxy
spyware
Monitors the behavior of a user.
blended attack
Multiple infection/transmission methods used together.
UDP port 137 for name registration and resolution services; UDP port 138 for datagram services (connectionless); TCP port 139 for session service (connection oriented).
NETBIOS provides 3 services (ports). What are they and what are they used for?
Run, RunOnce, Services, APPINIT_DLL, Shell Extension (Startup Folder), Scripts
Name 5 registry keys utilized as a persistence mechanism.
standby thread
Next thread to run, only one processor per system.
Windows Resource Protection
Previously Windows File Protection (WFP), protects system files and resources. Protected Resources can only be modified by the Windows Module Installer service (trustedinstaller.exe)
Server Message Block
Primary remote file-access protocol on Windows Clients and Servers, also known as Common Internet File System (CIFS)
Windows Firewall Components
Private, Public, Work/Domain
new/created process
Process state in which initial execution of the process and its threads begin.
waiting process
Process state in which the process can't continue execution until some event occurs (like an I/O read/write)
terminated/exit process
Process state in which the process is being terminated due to a halt or abort.
running process
Process state in which the process is currently being executed.
ready process
Process state in which the process is ready to execute when given the opportunity.
GINA (Graphical Identification and Authentication)
Provides customizable user identification and authentication procedures. Most common use of GINA is to communicate with an external device such as a smart-card reader. Activates the user shell after Winlogon secure attention sequence (SAS) is executed.
HAL.dll (Hardware Abstraction Layer)
Provides services primarily to the Windows executive and kernel and to kernel-mode device drivers. Device drivers for devices in kernel mode directly call routines in the HAL to access I/O ports and registers for their devices.
CSRSS (Client/Server Runtime SubSystem)
Provides the user mode side of the Win32 subsystem, responsible for process/thread creation without compromising the kernel.
DSQUERY
Query the directory according to specific criteria.
most commonly used data types
REG_SZ, REG_BINARY, REG_DWORD, REG_LINK, REG_MULTI_SZ, REG_QWORD
MDMP Process
Receipt of Mission, Mission Analysis, COA Development, COA Analysis, COA Comparison, COA Approval, Conduct Mission, AAR/Lessons Learned
Security Reference Monitor
Receives the system audit policy from the LSASS. This monitor generates auditing messages when an object is accessed and sends the messages to LSASS. LSASS logs these transactions in the Event Logger.
keylogger
Records keyboard usage of a machine.
>>
Redirect input and create/append location.
>
Redirect input and create/overwrite location.
Eradication
Remove the infection.
bootmgr
Replaces NTLDR, reads Boot Configuration Data and displays the operating system choice screen. Calls winload.exe for a fresh boot or winresume.exe if waking from hibernation.
virus
Requires user interaction to replicate.
LSASS (Local Security Authority Subsystem Service)
Responsible for enforcing the security policy on the system. Verifies users logging on, handles password changes, and creates access tokens. Writes to the Windows Security Log.
situational awareness targets
Running Processes, Active Users, Network Configuration, Network Communications, Logging, Scheduled Jobs, Aliases
Winlogon.exe
The component of Windows that is responsible for handling the secure attention sequence (SAS), loading the user profile on logon, and optionally locking the computer when a screensaver is running. Prior to Windows Vista, provides functions for GINA to apply the security of the newly logged-on user to the initial user processes GINA spawns.
Body
The report itself. Introduction, Methods, Findings, Conclusion
nslookup
This command is used to query DNS servers for name resolution.
overcommitted
This occurs on an operating system when processes/threads attempt to use more physical memory than is available.
malicious mobile code
Transmitted from remote host to local host, executed without user instruction.
stream socket
Uses TCP, provides a bidirectional, reliable, sequenced, and unduplicated flow of data with no record boundaries.
Security Accounts Manager (SAM)
Validates local logon.
LDAP
Verifies authenticity of the active directory.
Volatility
Volatility is a measure of how perishable electronically stored data is when electrical power is turned off or fails.
LSASS.exe, MSGINA, SCM, logonUI
What 4 processes does Winlogon start?
SMB 2.1 added MTU size, and SMB 3 uses AES encryption
What are the key differences between SMB Version 2.1 and Version 3?
asInvoker, highestAvailable, requireAdministrator
What are the three types of execution levels in a file's manifest?
net user
Windows Command Line command allows administrators to manage user accounts.
net localgroup
Windows Command Line command allows you to add, display and modify local groups.
tasklist /v
Windows Command Line command displays a list of currently running processes on either a local or remote machine. (Displays verbose task information.)
schtasks
Windows Command Line command that will display scheduled tasks.
netsh advfirewall
Windows Command Line command to configure Windows firewall settings.
reg add <path> /v <key> /d <data>
Windows Command Line command to create a new registry key.
reg delete <path>
Windows Command Line command to delete a registry key.
arp -a
Windows Command Line command to display Layer 2 information about hosts on the Local Network.
nbtstat
Windows Command Line command to display NetBIOS over TCP/IP protocol statistics.
ipconfig /all
Windows Command Line command to display all network configuration information.
netstat -anbo
Windows Command Line command to display current TCP/IP network connections, ports, executables involved, owning process IDs, and IP addresses.
tasklist /svc
Windows Command Line command to display services hosted in each process.
echo
Windows Command Line command to echo input to stdout.
reg
Windows Command Line command to edit registry information.
findstr
Windows Command Line command to find a specific string within a specific path or file.
where
Windows Command Line command to find executables within the PATH environment variable.
reg add <path> /v <key> /d <data> /f
Windows Command Line command to modify a registry key.
type
Windows Command Line command to output contents of a file to stdout.
date /t
Windows Command Line command to output the system date.
time /t
Windows Command Line command to output the system time.
hostname
Windows Command Line command to print the name of the current host.
reg query
Windows Command Line command to query a registry key.
dir /ah
Windows Command Line command to show hidden files in a directory.
arp
Windows Command Line command to view MAC addressing info.
wevtutil
Windows Command Line command to view Windows Event Logs.
set
Windows Command Line command to view all current environment variables.
icacls
Windows Command Line command to view and configure access control lists (ACLs) for a file.
auditpol
Windows Command Line command to view and modify local machine audit policies.
dir
Windows Command Line command to view contents of a directory.
netstat
Windows Command Line command to view network statistics.
route
Windows Command Line command to view the routing table.
systeminfo
Windows Command Line tool to display operating system configuration information for a local or remote machine.
net use
Windows Command Line tool to map a remote drive.
sc queryex
Windows Command Line utility and subsequent command to query extended statuses for services.
mpssvc.dll
Windows Firewall .dll hosted in HKLM\SYSTEM\CurrentControlSet\services\MpsSvc
WMIC
Windows Management Instrumentation Command-Line (Windows Specific)
wmic service list brief
Windows Management Instrumentation command-line command for service application management.
wmic process list brief
Windows Management Instrumentation command-line command that lists processes available for management.
wmic useraccount list brief
Windows Management Instrumentation command-line command that lists user accounts on the local machine.
wmic ntdomain
Windows Management Instrumentation command-line command to display NT domain management information.
wmic nteventlog list brief
Windows Management Instrumentation command-line command to display all NT eventlog file management information.
TCP 445
Windows supports file and printer sharing traffic by using the SMB protocol directly hosted over this port.
active directory logical structure
domains, organizational units, trees, and forests
physical structure
sites, domain controllers, member servers