Can you check if my computer’s been hacked?

  • ‘My computer is acting weirdly, can you see if it’s been hacked?’
  • ‘This employee is complaining that their computer is slow, please check if there’s been any malicious activity’
  • Insert random family member who believes you’re an IT god/goddess.

Before touching the machine, ask a few questions:

  • How long has the user been experiencing these issues for? This gives you an indication of the timeframe you should be investigating: was it yesterday, a week ago, or a month ago? Use this to filter timestamps, event logs, your SIEM, etc.
  • What issues has the user been experiencing? Do they happen on a regular basis?
  • What is the user’s role in the organisation? If the answer is sales, HR, finance, or the C-suite, go straight to their emails to see if they’ve been phished; don’t hold me to this, but the majority of the time this will have been the initial source of infection.

Event Logs

  • 4624/4634 — successful logon and logoff; there’s a field here called Logon ID which you can use to track how long an attacker was logged on for. You can see what process was used, the logon type, and, if you’re lucky, the workstation name and IP address from which the logon was initiated. You can filter for these using the native Event Viewer, as shown below:
(Image: Filtering the Security Event Log)
  • 4672 — an account logon with superuser rights; they’ve got admin rights. If they used explicit credentials, the logon EID would be 4648.
  • 4720 — an account was created; it’s not uncommon for attackers to do this to maintain persistence.
  • 4625 — failed logon attempt; if you see many of these one after another, someone is trying to brute force their way in.
  • 1102 (Security), 104 (System) — the audit log was cleared; attackers small and large do this to cover their tracks.
(Image: Microsoft Office Alerts analysis via Event Viewer)

Internet History

  • downloads; in addition to the site the file was downloaded from or referred from, it gives you the start time of the download and where on the user’s computer it was saved (target_path).
  • urls; don’t overlook the ‘title’ field, as it will show you interesting activity such as the subject line of an email, or the emails they’ve searched for.
  • keyword_search_terms; exactly what it sounds like.
(Image: Interface of DB Browser for SQLite)
(Image: Translating timestamps to human readable format)
Source: https://www.secjuice.com/how-to-handle-an-intrusion-on-a-windows-system/
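The three tables above, with their raw timestamps translated to human-readable form and filtered to the timeframe from the triage questions at the top, as an added Python example that is not from the original post. It builds a constructed, cut-down copy of the Chrome History schema (column names match Chrome’s; the rows, paths and URLs are invented) and merges the tables into one timeline.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Chromium stores microseconds since this instant

def utc(iso):
    """Parse an ISO-8601 string such as '2021-03-02T09:14:00' as an aware UTC datetime."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)

def webkit_to_datetime(ts):
    """WebKit timestamp (microseconds since 1601) -> aware UTC datetime."""
    return WEBKIT_EPOCH + timedelta(microseconds=int(ts))

def datetime_to_webkit(dt):
    """Aware datetime -> WebKit timestamp; integer division keeps it exact (no float rounding)."""
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def build_sample_history():
    """Constructed, cut-down copy of the Chrome History schema (only the columns used here)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT, last_visit_time INTEGER);
        CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER,
                               referrer TEXT, tab_url TEXT);
        CREATE TABLE keyword_search_terms(keyword_id INTEGER, url_id INTEGER, term TEXT);""")
    w = lambda iso: datetime_to_webkit(utc(iso))  # invented sample rows, stored as raw WebKit values
    con.executemany("INSERT INTO urls VALUES (?,?,?,?)", [
        (1, "https://mail.example.com/inbox/42", "Invoice overdue - Inbox", w("2021-03-02T09:14:00")),
        (2, "https://www.google.com/search?q=open+iso", "open iso - Google Search", w("2021-03-02T09:16:30")),
        (3, "https://intranet.example.com/", "Intranet home", w("2021-02-01T08:00:00"))])
    con.execute("INSERT INTO downloads VALUES (1,?,?,?,?)",
                (r"C:\Users\jsmith\Downloads\invoice_2291.iso", w("2021-03-02T09:15:10"),
                 "https://mail.example.com/inbox/42", "https://files.example.net/invoice_2291.iso"))
    con.execute("INSERT INTO keyword_search_terms VALUES (2, 2, 'open iso')")
    return con

def timeline(con, since, until):
    """Merge urls, downloads and search terms with timestamps between `since` and `until`, sorted."""
    lo, hi = datetime_to_webkit(since), datetime_to_webkit(until)
    rows = []
    for url, title, ts in con.execute("SELECT url, title, last_visit_time FROM urls "
                                      "WHERE last_visit_time BETWEEN ? AND ?", (lo, hi)):
        rows.append((webkit_to_datetime(ts), "url", f"{title} <{url}>"))
    for path, ts, ref, tab in con.execute("SELECT target_path, start_time, referrer, tab_url "
                                          "FROM downloads WHERE start_time BETWEEN ? AND ?", (lo, hi)):
        rows.append((webkit_to_datetime(ts), "download", f"{path} from {tab} (referrer: {ref})"))
    for term, ts in con.execute("SELECT k.term, u.last_visit_time FROM keyword_search_terms k "
                                "JOIN urls u ON u.id = k.url_id WHERE u.last_visit_time BETWEEN ? AND ?", (lo, hi)):
        rows.append((webkit_to_datetime(ts), "search", term))
    return sorted(rows)
```

Against a real History file, replace the in-memory connection with sqlite3.connect on a copy of the file (never the live one) and narrow `since`/`until` to the window the user reported.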

Scheduled Tasks

Persistence Mechanisms

  • C:\Windows\System32\config\SOFTWARE (the SOFTWARE hive)
  • The keys SOFTWARE\Microsoft\Windows\CurrentVersion\Run and SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
(Image: Registry Explorer interface to investigate Run/RunOnce keys)
  • Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit. The value data should be C:\Windows\system32\userinit.exe, but attackers can easily change this to point to their own malware, so that the malware also executes whenever the user logs in.
  • Similarly, in the same Winlogon key, the Shell value should contain only ‘explorer.exe’ in its data field.
  • Any program listed in a user’s Startup folder runs automatically when the user logs on; check the SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders key, as it’s frequently misused by attackers.
(Image: SYSTEM Registry for Service Installation)

Recently Open Files

(Image: Reviewing RecentDocs in Registry Explorer)

Each Prefetch file records:
  • Name and full path of the executable
  • The first and last time it executed, the number of times it has been executed, and the files/handles that were used by the program at the time of execution
  • The last 8 timestamps of when it was executed.
(Image: PECmd Output for Prefetch Analysis)
