Detection Methodology

Last updated: 18 Mar 2008

Detect Anomalies

What is expected normal environment or behavior?
What aspects appear to deviate from that?

Assess the Physical Environment

Without powering off the computer:

Inspect cables and connectors
Check for inserted media (CDs, DVDs, floppies)
Look at attached peripherals, both internal and external

Record Network Ports From Outside

This may take a long time:

nmap name_or_ip -p-

Example:

nmap 192.168.10.5 -p-

If no service name attached, map ports to known services. Google it, or consult Unix /etc/services or Windows C:\WINDOWS\system32\drivers\etc\services.

Remotely Investigate Computer (Windows)

must be in same workgroup or domain
must have file sharing enabled to allow "net use"
firewall must not be blocking ports used (135?)
provides a way to look at information using a safe system, unless compromised machine is controlling access to network

Connect to C: drive:

  net use * \\computername_or_ip\C$ /user:computername_or_ip\administrator *

Example:

  net use * \\10.20.87.78\C$ /user:10.20.87.78\administrator *

Connect to registry

regedit (File/Connect Network Registry -- only shows HKLM and HKCU)

reg command

    reg subcommand \\computername_or_ip\key

Example:

    reg query \\10.10.15.23\hklm\software\microsoft\windows\currentversion

Look at services

  sc \\computername_or_ip query

Example:

  sc \\mydc query

Show processes

  tasklist /s computer_or_ip  /u user /p password

Example:

  tasklist /s 10.18.233.176 /u administrator /p

Show scheduled tasks

  schtasks /Query /S computer_or_ip /U user /P password

Example:

  schtasks /query /s 10.18.233.176 /u administrator /p

Locally Investigate Computer (Windows)

must login
system may have a rootkit installed, so all information is suspect
if possible, use Helix CD and Windows Forensic Toolchest to gather info
if possible, use tools from Sysinternals to gather info

If you have to use the features of Windows or tools already installed on Windows, here is some help:

Scan for rootkits in memory and on disk, if possible
This way you might know what you are dealing with, if you get a positive indication. If you don't find anything, Windows doesn't have any built-in tools to do scanning. Some antivirus tools, such as McAfee VirusScan and Panda Antivirus, include rootkit detection tools.
Look for open accounts with privileges
1. Administrator with blank password
  Press enter when prompted for the password after entering the command below. If it gives you a new command prompt, there is a blank password.
```
    runas /user:administrator cmd
    
```
2. Accounts in Administrators group
```
    net localgroup Administrators
    
```
3. Accounts in Domain Admins (domain controller only)
```
    net group "Domain Admins"
    
```
4. Accounts in Enterprise Admins (domain controller only)
```
    net group "Enterprise Admins"
    
```
5. Look at Active Directory (AD) users and computers in general via a GUI (domain controllers only)
  1. Enter the following command:
```
      mmc
      
```
  2. Bring up the Add/Remove Snapin; enter:
```
      Ctrl-M
      
```
  3. Click on the Add... button
  4. Select Active Directory Users and Computers
  5. Double-click on Active Directory Users and Computers
  6. Click on the OK button
  7. Double-click on Active Directory Users and Computers
    To open up Active Directory's Users and Computers window.

Check areas from which programs automatically can run, to prevent easy reinfection

Startup folder

Registry entries (there are many more than these obvious ones)

    reg query hklm\software\microsoft\windows\currentversion\run
    reg query hklm\software\microsoft\windows\currentversion\runonce
    reg query hklm\software\microsoft\windows\currentversion\runonceex

For a GUI version:

    regedit

Services
```
    sc query
    
```
For a GUI version:
```
    services.msc
    
```
Scheduled tasks
```
    schtasks /query
    
```
There are no scheduled tasks that automatically come activated with Windows.

Look for open network ports and the processes that own them
```
  netstat -anob >c:\netstat.out
  
```
Compare the "LISTENING" ports to those found externally via nmap. They should match; if they don't, you need to find out why. It could be a service or process that no longer is listening, or a rootkit that is attempting to hide its tracks.

You should also try to match up the services gathered about with the listening ports. They should make sense (e.g., web service should have port 80 open, Kerberos should on port 88).
Check for other processes that might be suspicious:
```
  tasklist
  
```
Look for changed files in the command path
Display the path:
```
  set path
  
```
Here you are looking for "suspicious" files of any type:
- If there shouldn't be any new files in the directory, that's suspicious.
- If there shouldn't be any newly-changed files in the directory, that's suspicious.
In each directory in the path, type the following commands:
1. Show all files in order of modification, newest to oldest
```
    dir /a /o-d | more
    
```
2. Show all files in order of creation, newest to oldest
```
    dir /a /o-d /tc | more
    
```
Investigate logs
```
  eventvwr
  
```
System and Security logs are the most important, followed by Application logs. You are looking for unusual events, such as Windows File Protection being disabled, a successful login when you weren't home, or your antivirus service being turned off. If you have auditing turned on, this is where the results of the audit will be recorded.