Detection Methodology

Last updated: 18 Mar 2008

Detect Anomalies

  1. What is the expected normal environment or behavior?
  2. What aspects appear to deviate from that?

Assess the Physical Environment

Without powering off the computer:

  1. Inspect cables and connectors
  2. Check for inserted media (CDs, DVDs, floppies)
  3. Look at attached peripherals, both internal and external

Record Network Ports From Outside

This may take a long time:

nmap name_or_ip -p-

Example:

nmap 192.168.10.5 -p-

If nmap does not attach a service name to a port, map the port to a known service yourself: search for it, or consult /etc/services on Unix or C:\WINDOWS\system32\drivers\etc\services on Windows.

Remotely Investigate Computer (Windows)

  1. Connect to the C: drive (the trailing * makes net use prompt for the password):
      net use * \\computername_or_ip\C$ /user:computername_or_ip\administrator *

    Example:

      net use * \\10.20.87.78\C$ /user:10.20.87.78\administrator *
  2. Connect to the registry:
    1. regedit (File/Connect Network Registry -- only shows HKLM and HKCU)
    2. reg command:
          reg subcommand \\computername_or_ip\key

      Example:

          reg query \\10.10.15.23\hklm\software\microsoft\windows\currentversion
  3. Look at services:
      sc \\computername_or_ip query

    Example:

      sc \\mydc query
  4. Show processes (/p with no value prompts for the password):
      tasklist /s computer_or_ip /u user /p password

    Example:

      tasklist /s 10.18.233.176 /u administrator /p
  5. Show scheduled tasks (again, /P with no value prompts for the password):
      schtasks /Query /S computer_or_ip /U user /P password

    Example:

      schtasks /query /s 10.18.233.176 /u administrator /p

Locally Investigate Computer (Windows)

If you have to rely on the features of Windows and the tools already installed on it, here is some help:

  1. Scan for rootkits in memory and on disk, if possible

    A positive indication tells you what you are dealing with. If you cannot find a scanner, note that Windows has no built-in tools for this; some antivirus products, such as McAfee VirusScan and Panda Antivirus, include rootkit detection.

  2. Look for open accounts with privileges
    1. Administrator with a blank password

      Press Enter when prompted for the password after entering the command below. If you get a new command prompt, the password is blank.

          runas /user:administrator cmd
    2. Accounts in the Administrators group
          net localgroup Administrators
    3. Accounts in Domain Admins (domain controller only)
          net group "Domain Admins"
    4. Accounts in Enterprise Admins (domain controller only)
          net group "Enterprise Admins"
    5. Look at Active Directory (AD) users and computers in general via a GUI (domain controllers only)
      1. Enter the following command:
              mmc
      2. Bring up the Add/Remove Snap-in dialog:
              Ctrl-M
      3. Click on the Add... button
      4. Select Active Directory Users and Computers
      5. Double-click on Active Directory Users and Computers
      6. Click on the OK button
      7. Double-click on Active Directory Users and Computers in the console tree to open the Users and Computers window

  3. Check the locations from which programs can run automatically, to prevent easy reinfection
    1. Startup folder
    2. Registry entries (there are many more than these obvious ones)
          reg query hklm\software\microsoft\windows\currentversion\run
          reg query hklm\software\microsoft\windows\currentversion\runonce
          reg query hklm\software\microsoft\windows\currentversion\runonceex

      For a GUI version:

          regedit

    3. Services
          sc query

      For a GUI version:

          services.msc

    4. Scheduled tasks
          schtasks /query

      A default Windows installation has no scheduled tasks enabled, so anything listed here needs explaining.

  4. Look for open network ports and the processes that own them
      netstat -anob >c:\netstat.out

    Compare the "LISTENING" ports to those found externally via nmap. They should match; if they don't, you need to find out why. It could be a service or process that is no longer listening, or a rootkit that is attempting to hide its tracks.

    You should also try to match up the services gathered above with the listening ports. They should make sense (e.g., a web server should have port 80 open, Kerberos should be on port 88).

  5. Check for other processes that might be suspicious:
      tasklist
  6. Look for changed files in the command path

    Display the path:

      set path

    Here you are looking for "suspicious" files of any type. In each directory in the path, run the following commands:

    1. Show all files in order of modification, newest to oldest
          dir /a /o-d | more
    2. Show all files in order of creation, newest to oldest
          dir /a /o-d /tc | more
          
  7. Investigate logs
      eventvwr

    System and Security logs are the most important, followed by Application logs. You are looking for unusual events, such as Windows File Protection being disabled, a successful login when you weren't home, or your antivirus service being turned off. If you have auditing turned on, this is where the results of the audit will be recorded.
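Added example, not part of the original page: a Python script that performs the cross-check from step 4 above. It parses a constructed "netstat -anob" capture and a constructed "nmap -p-" result for the same host and reports ports open externally with no local owner, ports listening locally that the scan did not see, loopback-only listeners that a scan from another host cannot reach, and the matched ports with their service name and owning image. The sample data, regular expressions and function names are this example's own assumptions.

```python
import re
# Constructed "netstat -anob" output from the host under investigation (not a real capture).
NETSTAT_OUT = """
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       896
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 [System]
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1420
 [svchost.exe]
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1204
 [alg.exe]
  TCP    192.168.10.5:139       0.0.0.0:0              LISTENING       4
 [System]
  TCP    192.168.10.5:445       10.20.87.78:51022      ESTABLISHED     4
 [System]
"""
# Constructed output of "nmap 192.168.10.5 -p-" run from another host (not a real scan).
NMAP_OUT = """
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
4444/tcp open  krad
"""
SOCKET_RE = re.compile(  # one listening socket as -b prints it: socket line, optional component name, [image.exe]
    r"^[ \t]*(TCP|UDP)[ \t]+(\S+):(\d+)[ \t]+\S+[ \t]+(?:LISTENING[ \t]+)?(\d+)[ \t]*\n"
    r"(?:[ \t]*\S+[ \t]*\n)?[ \t]*\[(.+)\][ \t]*$", re.M)
NMAP_RE = re.compile(r"^[ \t]*(\d+)/(tcp|udp)[ \t]+open[ \t]+(\S+)", re.M)

def parse_netstat(text):  # (proto, port) -> {addr, pid, owner}; ESTABLISHED lines never match
    return {(proto.lower(), int(port)): {"addr": addr, "pid": int(pid), "owner": owner}
            for proto, addr, port, pid, owner in SOCKET_RE.findall(text)}

def parse_nmap(text):  # (proto, port) -> service name for every port nmap reports open
    return {(proto, int(port)): service for port, proto, service in NMAP_RE.findall(text)}

def compare_ports(netstat_text, nmap_text, proto="tcp"):
    """Cross-check local listeners against the external scan (nmap -p- as used above is TCP only).
    unexplained_external: open from outside with no local owner (hidden listener, or a stale scan);
    not_seen_externally: reachable address that nmap did not see (host firewall, or the scan missed it);
    loopback_only: bound to 127.0.0.1/::1, which another host cannot see; expected, not suspicious."""
    local = {k: v for k, v in parse_netstat(netstat_text).items() if k[0] == proto}
    remote = {k: v for k, v in parse_nmap(nmap_text).items() if k[0] == proto}
    loopback = {k for k, v in local.items() if v["addr"].startswith("127.") or v["addr"] == "[::1]"}
    return {
        "unexplained_external": sorted(k[1] for k in remote if k not in local),
        "not_seen_externally": sorted(k[1] for k in local if k not in remote and k not in loopback),
        "loopback_only": sorted(k[1] for k in loopback),
        "matched": {k[1]: (remote[k], local[k]["owner"], local[k]["pid"]) for k in remote if k in local},
    }

if __name__ == "__main__": print(compare_ports(NETSTAT_OUT, NMAP_OUT))
```

Feed it the saved c:\netstat.out and the nmap output for the same host; an "unexplained_external" port is the case the text warns about, while "not_seen_externally" usually means a host firewall rather than hiding.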
