The Human Element in Cybersecurity: Lessons from SOF Truths and the OODA Loop

The Human Element in Cybersecurity: Lessons from SOF Truths and the OODA Loop

In today’s digital age, where technology reigns supreme, it’s easy to get caught up in the allure of automation, artificial intelligence, and the latest cybersecurity gadgets.

However, as we navigate the complex landscape of cybersecurity, it’s important to remember that humans are the linchpin in this battle against digital adversaries. This article explores the significance of the human element in cybersecurity, drawing inspiration from the SOF Truths (Special Operations Forces Truths) and the OODA Loop (Observe, Orient, Decide, Act).

The SOF Truths, or Untied States Special Operations Command – Special Operations Forces Truths, are a set of principles that highlight key aspects of special operations and the roles of Special Operations Forces (SOF). These truths provide insights into the nature of special operations and underscore the principles that guide the work of SOF personnel.

FIRST Special Interest Groups (SIGs)

Special Interest Groups exist to provide a forum where FIRST Members can discuss topics of common interest to the Incident Response community. A SIG is a group of individuals composed of FIRST Members and invited parties, typically coming together to explore an area of interest or specific technology area, with a goal of collaborating and sharing expertise and experiences to address common challenges.

1. Humans Are More Important Than Software

The first of the SOF Truths tells us that when it comes to cybersecurity, humans take precedence over Software. The right team of skilled individuals can effectively safeguard networks, clouds, servers, and data, even with limited technological resources. On the flip side, no amount of cutting-edge Software can fully compensate for a lack of knowledgeable and capable personnel.

2. Quality Over Quantity

The second truth emphasizes that in cybersecurity, quality is more valuable than quantity. A small, well-trained, and well-led team can outperform a larger force, especially when dealing with the intricate and ever-evolving tactics of cyber adversaries.

3. SOF Cannot Be Mass Produced

Building on the SOF Truths, it’s important to recognize that cybersecurity expertise cannot be hurried. Just as it takes years to train Special Operations Forces to the highest level of proficiency, it also requires intensive training and experience to develop cybersecurity professionals who can tackle specialized missions effectively.

4. Competence Cannot Be Created After Emergencies

Preparedness is key in both Special Operations and cybersecurity. In the digital realm, waiting until an emergency arises to create competent and capable cybersecurity teams is not a viable strategy. Cyber threats are constant, and being ready to respond promptly requires maintaining well-trained teams during peacetime.

5. Dependency on Non-SOF Support

While Special Operations Forces are highly skilled and adaptable, they also rely on support from other branches of the military, such as the Air Force, Army, Marine Corps, and Navy. In cybersecurity, the collaboration of various professionals, including engineers, technicians, and intelligence analysts, is crucial to enhance the effectiveness of cyber defense.

6. OODA Loop in Cybersecurity

In addition to the SOF Truths, the OODA Loop concept, which stands for Observe, Orient, Decide, Act. This decision-making process is highly relevant in cybersecurity. Observing and understanding the adversary’s actions, orienting oneself to the evolving threat landscape, making informed decisions, and taking rapid action are fundamental in the battle against cyber threats.

In conclusion, the human element remains at the core of cybersecurity. While automation and technology are invaluable tools, they cannot replace the insights, adaptability, and expertise of cybersecurity professionals. As we strive to protect our digital assets and information, let’s remember the timeless wisdom of the SOF Truths and the agility of the OODA Loop.

Don’t get fooled, plugin in ChatGPT into a existing Software isn’t going to be a game changer, as per the Gartner AI Hyper Cycle.

In terms of looking a solution to this problem, FIRST SIG might be a good start.


Navigating Amazon Security Lake: Key Considerations for Successful Implementation.

Amazon Security Lake: A Revolutionary Solution for Enhanced Data Protection

Avoid common pitfalls and maximize the potential of Amazon Security Lake for robust data protection and threat detection.

Amazon Web Services (AWS) has recently announced the general availability of Amazon Security Lake, a groundbreaking solution that offers enhanced data protection capabilities. In this blog, we will explore the key features and benefits of Amazon Security Lake and discuss how it can revolutionize data security practices for organizations.

Amazon Security Lake is a comprehensive security analytics and threat detection solution offered by AWS. It enables organizations to centralize, analyze, and act upon security data from various sources, such as AWS CloudTrail logs, Amazon VPC Flow Logs, and AWS Config rules. By leveraging machine learning and advanced analytics, Security Lake empowers organizations to gain valuable insights into their security posture and detect potential threats in real-time.

Key Features and Benefits:

  1. Centralized Security Data Repository: Amazon Security Lake acts as a centralized repository for all security-related data, making it easier for organizations to manage and analyze vast amounts of security logs. With this unified approach, organizations can seamlessly integrate security data from various sources, eliminating data silos and enhancing visibility into their overall security landscape.
  2. Real-time Threat Detection: By employing advanced machine learning algorithms, Security Lake enables organizations to proactively detect security threats in real-time. It continuously monitors and analyzes security logs, identifying anomalous activities, unauthorized access attempts, and potential security breaches. This allows organizations to respond promptly and effectively to mitigate risks and prevent data breaches.
  3. Scalable and Flexible Architecture: Built on AWS’s highly scalable infrastructure, Security Lake is designed to accommodate organizations of all sizes. It can effortlessly handle large volumes of security data, ensuring that organizations can scale their security operations without compromising performance. Additionally, Security Lake offers flexible deployment options, allowing organizations to choose between fully managed services or self-managed implementations based on their specific requirements.
  4. Simplified Investigation and Compliance: Amazon Security Lake provides powerful search and query capabilities, enabling security teams to investigate incidents and conduct forensic analysis efficiently. The solution offers pre-built dashboards, visualizations, and security analytics tools, making it easier for organizations to gain actionable insights from their security data. Moreover, Security Lake assists organizations in meeting regulatory compliance requirements by providing pre-configured compliance rules and facilitating security audits.
  5. Integration with AWS Security Services: As part of the AWS ecosystem, Security Lake seamlessly integrates with other AWS security services, such as Amazon GuardDuty and AWS Security Hub. This integration strengthens an organization’s overall security posture by leveraging the combined power of multiple security tools, improving threat detection and response capabilities.

Step-by-step guide,

We will walk you through the process of setting up Amazon Security Lake.

Step 1: Sign in to the AWS Management Console: To begin, sign in to the AWS Management Console using your AWS account credentials. If you don’t have an AWS account, you can create one by following the instructions on the AWS website.

Step 2: Navigate to the Amazon Security Lake Console: Once you are logged in, navigate to the Amazon Security Lake Console. You can find the console by searching for “Security Lake” in the AWS services search bar, or you can access it directly via the following URL:

Step 3: Create a Security Lake: In the Security Lake console, click on the “Create Security Lake” button to start the setup process. You will be prompted to provide a name for your Security Lake and choose a region where it will be deployed. Select the appropriate region based on your organization’s requirements and click “Next.”

Step 4: Configure Data Sources: In this step, you will configure the data sources for your Security Lake. Security Lake supports various AWS data sources, such as CloudTrail logs, VPC Flow Logs, and AWS Config rules. Choose the data sources that you want to integrate with Security Lake by enabling them and providing the necessary permissions. Follow the on-screen instructions to configure each data source.

Step 5: Set Up Data Ingestion: Next, you will set up data ingestion for your Security Lake. Select the desired method of data ingestion based on your organization’s needs. You can choose between real-time ingestion using Amazon Kinesis Data Firehose or batch ingestion using Amazon S3. Configure the necessary settings for data ingestion, such as the destination S3 bucket or Kinesis Firehose delivery stream.

Step 6: Enable Data Analysis: Once the data ingestion is set up, you can enable data analysis for your Security Lake. Security Lake uses machine learning algorithms and advanced analytics to detect security threats and anomalies in real-time. Enable the desired analysis features, such as anomaly detection or specific AWS service integrations, to enhance your security capabilities.

Step 7: Configure Security Lake Settings: In this step, you can configure additional settings for your Security Lake. This includes defining retention periods for the ingested data, setting up access controls and permissions, and configuring notifications for security events. Adjust these settings according to your organization’s compliance and security requirements.

Step 8: Review and Create the Security Lake: Before creating the Security Lake, review all the configuration settings you have made. Ensure that the selected data sources, data ingestion methods, analysis features, and settings align with your organization’s needs. Once you are satisfied, click “Create Security Lake” to initiate the creation process.

Step 9: Monitor and Manage Your Security Lake: After the Security Lake is created, you can monitor and manage it from the Security Lake console. Utilize the pre-built dashboards, visualizations, and security analytics tools provided by Security Lake to gain valuable insights into your security posture. Continuously monitor the alerts and notifications generated by the system to promptly respond to potential security threats.


When setting up Amazon Security Lake, there are a few potential “gotchas” or challenges that you may encounter. Being aware of these pitfalls can help you navigate the setup process more effectively. Here are some important considerations:

  1. Data ingestion limitations: Amazon Security Lake supports various data sources, but each has its own limitations. For example, CloudTrail logs have a maximum size limit per file, and VPC Flow Logs have a limit on the number of records per file. Ensure that you understand and plan for these limitations to avoid potential issues with data ingestion.
  2. Permissions and access control: Configuring proper permissions and access control is crucial for Security Lake. Ensure that you grant the necessary permissions to the AWS services and resources involved in data ingestion and analysis. Additionally, make sure that you set up appropriate access controls for users and roles to prevent unauthorized access to your Security Lake.
  3. Data storage costs: While Security Lake provides a powerful solution for data analysis, keep in mind that storing large volumes of security data can incur additional costs. Be mindful of the storage costs associated with S3 buckets or Kinesis Data Firehose delivery streams, especially if you have high data ingestion rates or long retention periods. Regularly review and optimize your data storage practices to manage costs efficiently.
  4. Performance considerations: The performance of Security Lake can be influenced by factors such as data ingestion rates, analysis complexity, and the size of your security data. If you have a high volume of data or complex analysis requirements, you may need to carefully allocate resources and optimize your Security Lake configuration to ensure smooth and efficient operation.
  5. Security Lake limitations: While Security Lake offers robust security analytics capabilities, it is important to understand its limitations. For example, Security Lake may not cover all types of security logs or support custom log formats. Evaluate your specific security needs and verify that Security Lake aligns with your requirements.
  6. Monitoring and alerts: Monitoring the alerts and notifications generated by Security Lake is crucial for timely threat detection and response. However, it’s essential to set up effective monitoring practices to avoid missing critical alerts or being overwhelmed by false positives. Regularly review and fine-tune your alerting mechanisms to ensure they are tuned to your organization’s security priorities.
  7. Integration challenges: Security Lake integrates with other AWS security services, such as GuardDuty and Security Hub. While this integration enhances your overall security capabilities, it may require additional configuration and management. Be prepared to address any potential challenges related to integration, including service compatibility, data sharing, and event correlation.
  8. Compliance considerations: If your organization operates in regulated industries or needs to comply with specific security standards, ensure that Security Lake meets the necessary compliance requirements. While Security Lake provides built-in compliance rules and tools, additional configurations or customization may be necessary to align with your specific compliance needs.

Remember that it is crucial to consult AWS documentation, user guides, and seek support from AWS experts to address any specific challenges or concerns you may encounter during the setup and configuration of Amazon Security Lake.


NSA Labs

1. NSA NCCP Course: Network Penetration Testing
-Modules Include: Introduction to Penetration Testing, Reconnaissance, Scanning, Exploitation, Password Attacks, Wireless Security

2.NSA NCCP Course: Digital Forensics
-Modules Include: Introduction to Digital Forensics, First Response and Investigation, Digital Forensics Investigation Steps, Introduction to File System, Memory/Live Forensics, Tools for Filesystem Investigation

3.NSA NCCP Course: Computer Security
-Modules Include: Intro to Computer Security, User Authentication, Cryptographic Tools, Malware, DOS Attacks, Buffer Overflow, Intrusion Detection, Access Controls

4. NSA NCCP Course: Machine Learning for Cybersecurity
-Modules Include: Creating a Safe Lab Environment, File Formats, The Windows API, Automated Sandboxes, Monitoring Tools, Malware Delivery Mechanisms, Basic Analysis Techniques, Detecting Packers and Code Obfuscation.

Digital Forensics and Incident Response

Digital Forensics and Incident Response


This post is inspired by all the hard working DFIR, and more broadly security professionals, who have put in the hard yards over the years to discuss in depth digital forensics and incident response….


This page contains a variety of commands and concepts which are known through experience, higher education, tutorials, online blogs, YouTube Videos, professional training, reading the manual, and more. All references to original posts or material will aim to be documented in the ‘Special Thanks’ section.

This is not designed as a manual on how to perform DFIR, and serves only as a quick reference sheet for commands, tools, and common items of interest when performing Incident Response. If you need to undertake Digital Forensics for legal proceedings, seek specialist advice as this requires more rigor around Identification, Preservation, Collection, Examination, Analysis, and Presentation of findings.

Artifact locations

A number of forensic artifacts are known for a number of operating systems.

A large number of these are covered on the Digital Forensics Artifact Repository, and can be ingested both by humans and systems given the standard YAML format.

One action you can take is to parse this for items of interest and then directly spit out areas for investigation. For example if you have the PowerShell ConvertFrom-Yaml module, you can query this directly.

Get an object of forensic artifacts

$obj = ConvertFrom-Yaml $WindowsArtifacts.Content -AllDocuments

Now that it is stored within a format we can use the below will give us information at a glance.

foreach ($Artifact in $obj){
$Artifacts = [pscustomobject][ordered]@{
	Name = $[$count]
	Description = $obj.doc[$count]
	References = $obj.urls[$count]
	Attributes = $obj.sources.attributes[$count]
$Artifacts | FL;

Query object for relevant registry keys:

$obj.sources.attributes.keys|Select-String "HKEY"

Query object for relevant file paths:


Windows Cheat Sheet

Order of Volatility

If performing Evidence Collection rather than IR, respect the order of volatility as defined in: rfc3227

  • registers, cache
  • routing table, arp cache, process table, kernel statistics, memory
  • temporary file systems
  • disk
  • remote logging and monitoring data that is relevant to the system in question
  • physical configuration, network topology
  • archival media

Memory Files (Locked by OS during use)

Note: To obtain these files while they’re in use you can use a low level file extractor such as RawCopy

hiberfil.sys (RAM stored during machine hibernation)

  • %SystemRoot%\hiberfil.sys

pagefile.sys (Virtual memory used by Windows)

  • %SystemDrive%\pagefile.sys

swapfile.sys (Virtual memory used by Windows Store Apps)

  • %SystemDrive%\swapfile.sys

Binalyze IREC Evidence Collector (GUI or CommandLine)

IREC.exe --license AAAA-BBBB-CCDD-DDDD --profile memory

Note: Can be used as an all in one collector (License required for full collection, free version available).

Latest documentation

Belkasoft Live RAM Capturer

RamCapture64.exe "output.mem"

OR for 32 bit OS

RamCapture32.exe "output.mem"


Excellent resource:

Infosec Institute – Memory Analysis using Redline


MemoryDD.bat --output [LOCATION]

Comae DumpIT

DumpIt.exe /O [LOCATION]

	- Used for getting a memory crash file (Useful for analysis with both windbg and volatility)
DumpIt.exe /O [LOCATION]\mem.raw /T RAW

	- Used for getting a raw memory dump (Considered a legacy format)

These can be bundled with PSEXEC to execute on a remote PC; however, this will copy the file to the remote PC for executing. There’s limitations if the tool requires other drivers or files to execute (such as RamCapture). An example command may be:

psexec \\remotepcname -c DumpIt.exe


Where the Microsoft Storage namespace is available (known not to be available in Win7), PowerShell can be used to invoke a native live memory dump. Special thanks to Grzegorz Tworek – 0gtweet.

$ss = Get-CimInstance -ClassName MSFT_StorageSubSystem -Namespace Root\Microsoft\Windows\Storage;
Invoke-CimMethod -InputObject $ss -MethodName "GetDiagnosticInfo" -Arguments @{DestinationPath="[LOCATION]\dmp"; IncludeLiveDump=$true};

Magnet Forensics (Mostly GUI)

Volexity Surge

Microsoft LiveKd


Winpmem Docs

winpmem.exe -o test.aff4 -dd
winpmem.exe -o test.raw --format raw -dd

Imaging Live Machines

FTK Imager (Cmd version, mostly GUI for new versions)

ftkimager --list-drives
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01
ftkimager [source] [destination]
ftkimager \\.\PHYSICALDRIVE0 "[Location]\Case" --e01 --outpass securepasswordinsertedhere 


dd.exe --list
dd.exe if=/dev/<drive> of=Image.img bs=1M
dd.exe if=\\.\<OSDrive>: of=<drive>:\<name>.img bs=1M --size --progress
(LINUX) sudo dd if=/dev/<OSDrive> of=/mnt/<name>.ddimg bs=1M conv=noerror,sync

X-Ways Imager

Encase Forensic

Tableau Imager


Carving Out Files From Image using Scalpel

nano /etc/scalpel/scalpel.conf
mkdir carve
scalpel imagefile.img -o carve

Live Windows IR/Triage

CMD and WMIC (Windows Management Instrumentation Command-Line) Note: less information can be gathered by using ‘list brief’.

Interact with remote machine

Enable Powershell remoting:

wmic /node:[IP] process call create "powershell enable-psremoting -force"


Enter-PSSession -ComputerName [IP]


PsExec: psexec \\IP -c cmd.exe

System information

echo %DATE% %TIME%
date /t
time /t
reg query "HKLM\System\CurrentControlSet\Control\TimeZoneInformation"
wmic computersystem list full
wmic /node:localhost product list full /format:csv
wmic softwarefeature get name,version /format:csv
wmic softwareelement get name,version /format:csv
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /s
echo %PATH%
(gci env:path|Select -exp Value).split(';')
wmic bootconfig get /all /format:List
wmic computersystem get name, domain, manufacturer, model, numberofprocessors,primaryownername,username,roles,totalphysicalmemory /format:list
wmic timezone get Caption, Bias, DaylightBias, DaylightName, StandardName
wmic recoveros get /all /format:List
wmic os get /all /format:list
wmic partition get /all /format:list
wmic logicaldisk get /all /format:list
wmic diskdrive get /all /format:list
fsutil fsinfo drives

(psinfo requires sysinternals psinfo.exe):

psinfo -accepteula -s -h -d

Obtain list of all files on a computer

tree C:\ /F > output.txt
dir C:\ /A:H /-C /Q /R /S /X

User and admin information

whoami /user
net users
net localgroup administrators
net group /domain [groupname]
net user /domain [username]
wmic sysaccount
wmic useraccount get name,SID
wmic useraccount list

Logon information

wmic netlogin list /format:List
Get-WmiObject Win32_LoggedOnUser
Get-WmiObject win32_logonsession
query user
klist sessions
klist -li

NT Domain/Network Client Information

wmic ntdomain get /all /format:List
wmic netclient get /all /format:List
nltest /trusted_domains

Firewall Information

netsh Firewall show state
netsh advfirewall firewall show rule name=all dir=in type=dynamic
netsh advfirewall firewall show rule name=all dir=out type=dynamic
netsh advfirewall firewall show rule name=all dir=in type=static
netsh advfirewall firewall show rule name=all dir=out type=static

Firewall Changes

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall';} | FL TimeCreated, Message

Applications which have added a firewall rule

$events=Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id='2004'};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$RuleId=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleId'} | Select -exp InnerText;
$RuleName=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleName'} | Select -exp InnerText;
$Origin=$XML.Event.EventData.Data|?{$_.Name -eq 'Origin'} | Select -exp InnerText;
$ApplicationPath=$XML.Event.EventData.Data|?{$_.Name -eq 'ApplicationPath'} | Select -exp InnerText;
$ServiceName=$XML.Event.EventData.Data|?{$_.Name -eq 'ServiceName'} | Select -exp InnerText;
$Direction=$XML.Event.EventData.Data|?{$_.Name -eq 'Direction'} | Select -exp InnerText;
$Protocol=$XML.Event.EventData.Data|?{$_.Name -eq 'Protocol'} | Select -exp InnerText;
$LocalPorts=$XML.Event.EventData.Data|?{$_.Name -eq 'LocalPorts'} | Select -exp InnerText;
$RemotePorts=$XML.Event.EventData.Data|?{$_.Name -eq 'RemotePorts'} | Select -exp InnerText;
$Action=$XML.Event.EventData.Data|?{$_.Name -eq 'Action'} | Select -exp InnerText;
$Profiles=$XML.Event.EventData.Data|?{$_.Name -eq 'Profiles'} | Select -exp InnerText;
$LocalAddresses=$XML.Event.EventData.Data|?{$_.Name -eq 'LocalAddresses'} | Select -exp InnerText;
$RemoteAddresses=$XML.Event.EventData.Data|?{$_.Name -eq 'RemoteAddresses'} | Select -exp InnerText;
$RemoteMachineAuthorizationList=$XML.Event.EventData.Data|?{$_.Name -eq 'RemoteMachineAuthorizationList'} | Select -exp InnerText;
$RemoteUserAuthorizationList=$XML.Event.EventData.Data|?{$_.Name -eq 'RemoteUserAuthorizationList'} | Select -exp InnerText;
$EmbeddedContext=$XML.Event.EventData.Data|?{$_.Name -eq 'EmbeddedContext'} | Select -exp InnerText;
$Flags=$XML.Event.EventData.Data|?{$_.Name -eq 'Flags'} | Select -exp InnerText;
$EdgeTraversal=$XML.Event.EventData.Data|?{$_.Name -eq 'EdgeTraversal'} | Select -exp InnerText;
$LooseSourceMapped=$XML.Event.EventData.Data|?{$_.Name -eq 'LooseSourceMapped'} | Select -exp InnerText;
$SecurityOptions=$XML.Event.EventData.Data|?{$_.Name -eq 'SecurityOptions'} | Select -exp InnerText;
$ModifyingUser=$XML.Event.EventData.Data|?{$_.Name -eq 'ModifyingUser'} | Select -exp InnerText;
$ModifyingApplication=$XML.Event.EventData.Data|?{$_.Name -eq 'ModifyingApplication'} | Select -exp InnerText;
$SchemaVersion=$XML.Event.EventData.Data|?{$_.Name -eq 'SchemaVersion'} | Select -exp InnerText;
$RuleStatus=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleStatus'} | Select -exp InnerText;
$LocalOnlyMapped=$XML.Event.EventData.Data|?{$_.Name -eq 'LocalOnlyMapped'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty RuleId "$RuleId" -PassThru `
| Add-Member NoteProperty RuleName "$RuleName" -PassThru `
| Add-Member NoteProperty Origin "$Origin" -PassThru `
| Add-Member NoteProperty ApplicationPath "$ApplicationPath" -PassThru `
| Add-Member NoteProperty ServiceName "$ServiceName" -PassThru `
| Add-Member NoteProperty Direction "$Direction" -PassThru `
| Add-Member NoteProperty Protocol "$Protocol" -PassThru `
| Add-Member NoteProperty LocalPorts "$LocalPorts" -PassThru `
| Add-Member NoteProperty RemotePorts "$RemotePorts" -PassThru `
| Add-Member NoteProperty Action "$Action" -PassThru `
| Add-Member NoteProperty Profiles "$Profiles" -PassThru `
| Add-Member NoteProperty LocalAddresses "$LocalAddresses" -PassThru `
| Add-Member NoteProperty RemoteAddresses "$RemoteAddresses" -PassThru `
| Add-Member NoteProperty RemoteMachineAuthorizationList "$RemoteMachineAuthorizationList" -PassThru `
| Add-Member NoteProperty RemoteUserAuthorizationList "$RemoteUserAuthorizationList" -PassThru `
| Add-Member NoteProperty EmbeddedContext "$EmbeddedContext" -PassThru `
| Add-Member NoteProperty Flags "$Flags" -PassThru `
| Add-Member NoteProperty EdgeTraversal "$EdgeTraversal" -PassThru `
| Add-Member NoteProperty LooseSourceMapped "$LooseSourceMapped" -PassThru `
| Add-Member NoteProperty SecurityOptions "$SecurityOptions" -PassThru `
| Add-Member NoteProperty ModifyingUser "$ModifyingUser" -PassThru `
| Add-Member NoteProperty ModifyingApplication "$ModifyingApplication" -PassThru `
| Add-Member NoteProperty SchemaVersion "$SchemaVersion" -PassThru `
| Add-Member NoteProperty RuleStatus "$RuleStatus" -PassThru `
| Add-Member NoteProperty LocalOnlyMapped "$LocalOnlyMapped" -PassThru | Out-Null
$output += $data;
$output = $output
$output | select -exp ModifyingApplication | sort -u | unique

Applications which have modified a firewall rule

$events=Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id='2005'};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$RuleId=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleId'} | Select -exp InnerText;
$RuleName=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleName'} | Select -exp InnerText;
$Origin=$XML.Event.EventData.Data|?{$_.Name -eq 'Origin'} | Select -exp InnerText;
$ApplicationPath=$XML.Event.EventData.Data|?{$_.Name -eq 'ApplicationPath'} | Select -exp InnerText;
$ServiceName=$XML.Event.EventData.Data|?{$_.Name -eq 'ServiceName'} | Select -exp InnerText;
$Direction=$XML.Event.EventData.Data|?{$_.Name -eq 'Direction'} | Select -exp InnerText;
$Protocol=$XML.Event.EventData.Data|?{$_.Name -eq 'Protocol'} | Select -exp InnerText;
$LocalPorts=$XML.Event.EventData.Data|?{$_.Name -eq 'LocalPorts'} | Select -exp InnerText;
$RemotePorts=$XML.Event.EventData.Data|?{$_.Name -eq 'RemotePorts'} | Select -exp InnerText;
$Action=$XML.Event.EventData.Data|?{$_.Name -eq 'Action'} | Select -exp InnerText;
$Profiles=$XML.Event.EventData.Data|?{$_.Name -eq 'Profiles'} | Select -exp InnerText;
$LocalAddresses=$XML.Event.EventData.Data|?{$_.Name -eq 'LocalAddresses'} | Select -exp InnerText;
$RemoteAddresses=$XML.Event.EventData.Data|?{$_.Name -eq 'RemoteAddresses'} | Select -exp InnerText;
$RemoteMachineAuthorizationList=$XML.Event.EventData.Data|?{$_.Name -eq 'RemoteMachineAuthorizationList'} | Select -exp InnerText;
$RemoteUserAuthorizationList=$XML.Event.EventData.Data|?{$_.Name -eq 'RemoteUserAuthorizationList'} | Select -exp InnerText;
$EmbeddedContext=$XML.Event.EventData.Data|?{$_.Name -eq 'EmbeddedContext'} | Select -exp InnerText;
$Flags=$XML.Event.EventData.Data|?{$_.Name -eq 'Flags'} | Select -exp InnerText;
$EdgeTraversal=$XML.Event.EventData.Data|?{$_.Name -eq 'EdgeTraversal'} | Select -exp InnerText;
$LooseSourceMapped=$XML.Event.EventData.Data|?{$_.Name -eq 'LooseSourceMapped'} | Select -exp InnerText;
$SecurityOptions=$XML.Event.EventData.Data|?{$_.Name -eq 'SecurityOptions'} | Select -exp InnerText;
$ModifyingUser=$XML.Event.EventData.Data|?{$_.Name -eq 'ModifyingUser'} | Select -exp InnerText;
$ModifyingApplication=$XML.Event.EventData.Data|?{$_.Name -eq 'ModifyingApplication'} | Select -exp InnerText;
$SchemaVersion=$XML.Event.EventData.Data|?{$_.Name -eq 'SchemaVersion'} | Select -exp InnerText;
$RuleStatus=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleStatus'} | Select -exp InnerText;
$LocalOnlyMapped=$XML.Event.EventData.Data|?{$_.Name -eq 'LocalOnlyMapped'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty RuleId "$RuleId" -PassThru `
| Add-Member NoteProperty RuleName "$RuleName" -PassThru `
| Add-Member NoteProperty Origin "$Origin" -PassThru `
| Add-Member NoteProperty ApplicationPath "$ApplicationPath" -PassThru `
| Add-Member NoteProperty ServiceName "$ServiceName" -PassThru `
| Add-Member NoteProperty Direction "$Direction" -PassThru `
| Add-Member NoteProperty Protocol "$Protocol" -PassThru `
| Add-Member NoteProperty LocalPorts "$LocalPorts" -PassThru `
| Add-Member NoteProperty RemotePorts "$RemotePorts" -PassThru `
| Add-Member NoteProperty Action "$Action" -PassThru `
| Add-Member NoteProperty Profiles "$Profiles" -PassThru `
| Add-Member NoteProperty LocalAddresses "$LocalAddresses" -PassThru `
| Add-Member NoteProperty RemoteAddresses "$RemoteAddresses" -PassThru `
| Add-Member NoteProperty RemoteMachineAuthorizationList "$RemoteMachineAuthorizationList" -PassThru `
| Add-Member NoteProperty RemoteUserAuthorizationList "$RemoteUserAuthorizationList" -PassThru `
| Add-Member NoteProperty EmbeddedContext "$EmbeddedContext" -PassThru `
| Add-Member NoteProperty Flags "$Flags" -PassThru `
| Add-Member NoteProperty EdgeTraversal "$EdgeTraversal" -PassThru `
| Add-Member NoteProperty LooseSourceMapped "$LooseSourceMapped" -PassThru `
| Add-Member NoteProperty SecurityOptions "$SecurityOptions" -PassThru `
| Add-Member NoteProperty ModifyingUser "$ModifyingUser" -PassThru `
| Add-Member NoteProperty ModifyingApplication "$ModifyingApplication" -PassThru `
| Add-Member NoteProperty SchemaVersion "$SchemaVersion" -PassThru `
| Add-Member NoteProperty RuleStatus "$RuleStatus" -PassThru `
| Add-Member NoteProperty LocalOnlyMapped "$LocalOnlyMapped" -PassThru | Out-Null
$output += $data;
$output = $output
$output | select -exp ModifyingApplication | sort -u | unique

Applications which have deleted a firewall rule

$events=Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'; Id='2006'};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$RuleId=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleId'} | Select -exp InnerText;
$RuleName=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleName'} | Select -exp InnerText;
$ModifyingUser=$XML.Event.EventData.Data|?{$_.Name -eq 'ModifyingUser'} | Select -exp InnerText;
$ModifyingApplication=$XML.Event.EventData.Data|?{$_.Name -eq 'ModifyingApplication'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty RuleId "$RuleId" -PassThru `
| Add-Member NoteProperty RuleName "$RuleName" -PassThru `
| Add-Member NoteProperty ModifyingUser "$ModifyingUser" -PassThru `
| Add-Member NoteProperty ModifyingApplication "$ModifyingApplication" -PassThru ` | Out-Null
$output += $data;
$output = $output
$output | select -exp ModifyingApplication | sort -u | unique

Pagefile information

wmic pagefile

Group and access information

(Accesschk requires accesschk64.exe or accesschk.exe from sysinternals):

net localgroup
accesschk64 -a *



RecentDocs Information

Special thanks Barnaby Skeggs

*Note: Run with Powershell, get SID and user information with ‘wmic useraccount get name,SID’

$SID = "S-1-5-21-1111111111-11111111111-1111111-11111"; $output = @(); Get-Item -Path "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" | Select-Object -ExpandProperty property | ForEach-Object {$i = [System.Text.Encoding]::Unicode.GetString((gp "Registry::HKEY_USERS\$SID\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs" -Name $_).$_); $i = $i -replace '[^a-zA-Z0-9 \.\-_\\/()~ ]', '\^'; $output += $i.split('\^')[0]}; $output | Sort-Object -Unique

More information on recent documents may be found:

gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"

Get NTFS File Streams from Mounted Windows Drive on Linux OS

getfattr -R -n ntfs.streams.list /mnt/<filepath>

Startup process information

wmic startup list full
wmic startup list brief
Get-CimInstance Win32_StartupCommand | Select-Object Name, command, Location, User | FL

Startup process information by path/file name

Note: This will search common persistence areas but not all of them, change the $Malware variable value to a term of your choosing.

$Malware = "appdata";
$Processes = gps |?{$_.Path -match $Malware -or $_.Name -match $Malware} | FL Name,Path,Id;
$Tasks = schtasks /query /fo csv /v | ConvertFrom-Csv | ?{"$_.Task To Run" -match $Malware}| FL "Taskname","Task To Run","Run As User";
$Services = gwmi win32_service | ? {$_.PathName -match $Malware}| FL Name,PathName;
$ServiceDLL = reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL" | findstr "$Malware";
$RunKey1 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$RunKey2 = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' | ?{$_ -match $Malware};
$UserProfiles = (gwmi Win32_UserProfile | ? { $_.SID -notmatch 'S-1-5-(18|19|20).*' }); $paths = $UserProfiles.localpath; $sids = $UserProfiles.sid; for ($counter=0; $counter -lt $UserProfiles.length; $counter++){$path = $UserProfiles[$counter].localpath; $sid = $UserProfiles[$counter].sid; reg load hku\$sid $path\ntuser.dat};
$RunKey3 = Get-ItemProperty -Path Registry::HKU\*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* | ?{$_ -match $Malware};
$Startup = Select-String -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*' -Pattern $Malware | Select Path;
$Startup2 = Select-String -Path 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*' -Pattern $Malware | Select Path;
if ($Processes) {echo "Process Found!";$Processes} else {echo "No Running Processes Found."};
if ($Tasks) {echo "Tasks Found!";$Tasks} else {echo "No Tasks Found."};
if ($Services) {echo "Services Found!";$Services} else {echo "No Services Found."};
if ($ServiceDLL) {echo "ServiceDLL Found!";$ServiceDll} else {echo "No Service Dlls Found."};
if ($RunKey1) {echo "Wow6432Node Run Key Found!";$RunKey1} else {echo "No Local Machine Wow6432Node Run Key Found."};
if ($RunKey2) {echo "Local Machine Run Key Found!";$RunKey2} else {echo "No Local Machine Run Key Found."};
if ($RunKey3) {echo "User Run Key Found!";$RunKey3} else {echo "No User Run Key Found."};
if ($Startup) {echo "AppData Startup Link Found!";$Startup} else {echo "No AppData Startups Found."};
if ($Startup2) {echo "ProgramData Startup Link Found!";$Startup2} else {echo "No ProgramData Startups Found."};

Scheduled task/job information

at (For older OS)
schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr "Task To Run:"
schtasks /query /fo LIST /v | findstr "appdata"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "exe"
schtasks /query /fo LIST /v | select-string "Enabled" -CaseSensitive -Context 10,0 | findstr "Task"
schtasks /query /fo LIST /v | Select-String "exe" -Context 2,27 
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "EXENAME"} | FL Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)}|Select-String Command|FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}|Select-String Command|FL Line,Filename
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{"$_.Task To Run" -match "MALICIOUS"}| FL "Taskname","Task To Run"
schtasks /query /fo csv /v | ConvertFrom-Csv | ?{$_.Taskname -ne "TaskName"} | FL "Taskname","Task To Run"
wmic job get Name, Owner, DaysOfMonth, DaysOfWeek, ElapsedTime, JobStatus, StartTime, Status


gci -path C:\windows\system32\tasks -recurse | Select-String Command | FL Filename, Line
gci -path C:\windows\system32\tasks -recurse | Select-String "<Command>",Argument | FT Filename,Command,Line
gci -path C:\windows\system32\tasks -recurse | Select-String Command | ? {$_.Line -match "MALICIOUSNAME"} | FL Filename, Line
(gci -path C:\windows\system32\tasks -recurse | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim();

File hash and location of all scheduled tasks

$a=((gci C:\windows\system32\tasks -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}

From System32 Directory:

$a=((gci tasks -rec | Select-String "<Command>" | select -exp Line).replace("<Command>","").trim("</Command>").replace("`"","").trim());foreach ($b in $a){filehash ([System.Environment]::ExpandEnvironmentVariables($b))}

Remediate malicious scheduled tasks

schtasks /Delete /TN [taskname] /F


Unregister-ScheduledTask -TaskName [taskname]
Unregister-ScheduledTask -TaskPath [taskname]

ISO Phishing Execution Evidence

Special Thanks, created from intel by The DFIR Report

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-VHDMP-Operational';ID=12} | FL TimeCreated, Message

MSI Execution Evidence

Special Thanks

Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='MsiInstaller'} | FL
gci REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties -force
gci REGISTRY::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\*\Products\*\InstallProperties -force | Get-ItemProperty | FL PSPath, LocalPackage, InstallDate, InstallSource, ModifyPath, Publisher, DisplayName
get-wmiobject Win32_Product | Sort-Object -Property Name |Format-Table IdentifyingNumber, Name, LocalPackage -AutoSize
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\ /s /f .msi

UAC Bypass Fodhelper

reg query HKCU\Software\Classes\ms-settings\shell\open\command
reg query HKU\{SID}\Software\Classes\ms-settings\shell\open\command

Quick overview of persistent locations (AutoRuns)

autorunsc.exe -accepteula -a * -c -h -v -m > autoruns.csv
autorunsc.exe -accepteula -a * -c -h -v -m -z 'E:\Windows' > autoruns.csv

Persistence and Automatic Load/Run Reg Keys

Replace: “reg query” with “Get-ItemProperty -Path HK:” in Powershell*

e.g.: Get-Item -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

User Registry (NTUSER.DAT HIVE) – Commonly located at:


*Note: These are setup for querying the current users registry only (HKCU), to query others you will need to load them from the relevant NTUSER.DAT file and then query them.

reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f run
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f load
reg query "HKCU\Environment" /v UserInitMprLogonScript
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v RESTART_STICKY_NOTES
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Windows\Scripts"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RecentDocs"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
reg query "HKCU\SOFTWARE\AcroDC"
reg query "HKCU\SOFTWARE\Itime"
reg query "HKCU\SOFTWARE\info"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\User Shell Folders"
reg query "HKCU\SOFTWARE\Microsoft\Command Processor"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\RegEdit" /v LastKey
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKCU\SOFTWARE\Microsoft\Windows\currentversion\run"
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKCU\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKCU\SOFTWARE\Microsoft\IEAK\GroupPolicy\PendingGPOs" /s
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKCU\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM
	reg query "HKCU\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM

Local Machine (SOFTWARE HIVE)

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f AppInit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\policies\explorer\run"
reg query "HKLM\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\run"
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Office\[officeversion]\[word/excel/access etc]\Security\AccessVBOM"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run32"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\[Random]\StubPath" /s
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\CPLs"
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Excel\Security\AccessVBOM
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Word\Security\AccessVBOM
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Powerpoint\Security\AccessVBOM
	reg query "HKLM\SOFTWARE\Microsoft\Office\15.0\Access\Security\AccessVBOM

Don’t be afraid to use “findstr” or ‘/f’ to find entries of interest, for example file extensions which may also invoke malicious executables when run, or otherwise.

reg query "HKLM\SOFTWARE\Classes" | findstr "file"
reg query "HKLM\SOFTWARE\Classes" /f "file"
reg query HKCR\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} /s
reg query HKCR\AppID\ /s | findstr "exe"

Local Machine (SYSTEM HIVE)

Note: This not only contains services, but also malicious drivers which may run at startup (these are in the form of “.sys” files and are generally loaded from here: \SystemRoot\System32\drivers)

reg query "HKLM\SYSTEM\CurrentControlSet\Services\[Random_name]\imagePath"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\ /s /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.exe"
reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s /v ImagePath /f "*.sys"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
Get-Service -Name "*MALICIOUSSERVICE*"
gwmi win32_service | ? {$_.PathName -match "MALICIOUSSERVICE"}|FL Name,PathName
Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\*" | FL DisplayName,ImagePath,ObjectName
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-AuthenticodeSignature
gci -Path C:\Windows\system32\drivers -include *.sys -recurse -ea 0 -force | Get-FileHash

Note: Some useful commands to show relevant service information

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"

T1015 Accessibility Features

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AtBroker.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe" /v "Debugger"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger"
sfc /VERIFYFILE=C:\Windows\System32\sethc.exe
sfc /VERIFYFILE=C:\Windows\System32\utilman.exe
sfc /VERIFYFILE=C:\Windows\System32\AtBroker.exe
sfc /VERIFYFILE=C:\Windows\System32\Narrator.exe
sfc /VERIFYFILE=C:\Windows\System32\Magnify.exe
sfc /VERIFYFILE=C:\Windows\System32\DisplaySwitch.exe
sfc /VERIFYFILE=C:\Windows\System32\osk.exe

T1098 Account Manipulation


T1182 AppCert DLLs

reg query "HKLM\System\CurrentControlSet\Control\Session Manager" /v AppCertDlls

T1103 AppInit DLLs

reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
reg query "HKU\{SID}\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v Appinit_Dlls
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='11'} | FL TimeCreated,Message

T1138 Application Shimming

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB"
dir %WINDIR%\AppPatch\custom
dir %WINDIR%\AppPatch\AppPatch64\Custom
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Kernel-ShimEngine/Operational';}|FL

Note: Some other similar methods exist such as abusing the ‘Command’ value of Windows Telemetry Controller – Special Thanks to TrustedSec.

Hint: Look for a Command not pointing to “CompatTelRunner.exe” or which has ‘-cv’, ‘-oobe’, or ‘-fullsync’ in the command line.

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController" /s

T1197 BITS Jobs

bitsadmin /list /allusers /verbose
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Bits-Client/Operational'; Id='59'} | FL TimeCreated,Message
ls 'C:\ProgramData\Microsoft\Network\Downloader\qmgr.db'

T1067 Bootkit

Note: This exists below the OS in the Master Boot Record or Volume Boot Record. The system must be booted through Advanced Startup Options with a Command Prompt, or through a recovery cd.

bootrec /FIXMBR
bootrec /FIXBOOT

Extra: If your boot configuration data is missing or contains errors the below can fix this.


If you’re thinking of a bootkit more as a rootkit (malicious system drivers) you can go with the below.

General Driver Enumeration

gci C:\Windows\*\DriverStore\FileRepository\ -recurse -include *.inf | FL FullName,LastWriteTime,LastWriteTimeUtc
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue
sc.exe query type=driver state=all

Unsigned Drivers

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-CodeIntegrity/Operational'; Id='3001'} | FL TimeCreated,Message
gci -path C:\Windows\System32\drivers -include *.sys -recurse -ea SilentlyContinue | Get-AuthenticodeSignature | where {$_.status -ne 'Valid'}

Previous Unusual Loaded Filter Drivers (Often used by rootkits)

Note: This will likely have false positives, particularly relating to filter drivers which are used by AV products, EDR solutions, or otherwise.

$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
	[PSCustomObject] @{
		TimeCreated = $_.TimeCreated
		MachineName = $_.MachineName
		UserId = $_.UserId
		FilterDriver = $_.Properties[4].Value
        Message = $_.Message
echo "Scanning for suspicious filter drivers. Any found will be displayed below:"
$FilterEvents | sort TimeCreated | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends" -AND $_.FilterDriver -ine "SysmonDrv"}

Or, filter by unique drivers:

$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
	[PSCustomObject] @{
		TimeCreated = $_.TimeCreated
		MachineName = $_.MachineName
		UserId = $_.UserId
		FilterDriver = $_.Properties[4].Value
		Message = $_.Message
echo "Scanning for suspicious filter drivers. Any found will be displayed below:"
$FilterEvents | sort FilterDriver -Unique | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends" -AND $_.FilterDriver -ine "SysmonDrv"}

Unusual Loaded Filter Drivers (No longer present or filtering registry keys)

$FilterEvents = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName="Microsoft-Windows-FilterManager"} | ForEach-Object {
	[PSCustomObject] @{
		TimeCreated = $_.TimeCreated
		MachineName = $_.MachineName
		UserId = $_.UserId
		FilterDriver = $_.Properties[4].Value
		Message = $_.Message
echo "Scanning for suspicious filter drivers. Any found will be compared against existing services."
echo "Suspicious filter drivers found:"
echo ""
$SuspectDrivers = $($FilterEvents | sort FilterDriver -Unique | where-object {$_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "WdFilter" -AND $_.FilterDriver -ine "storqosflt" -AND $_.FilterDriver -ine "wcifs" -AND $_.FilterDriver -ine "CldFlt" -AND $_.FilterDriver -ine "FileCrypt" -AND $_.FilterDriver -ine "luafv" -AND $_.FilterDriver -ine "npsvctrig" -AND $_.FilterDriver -ine "Wof" -AND $_.FilterDriver -ine "FileInfo" -AND $_.FilterDriver -ine "bindflt" -AND $_.FilterDriver -ine "PROCMON24" -AND $_.FilterDriver -ine "FsDepends" -AND $_.FilterDriver -ine "SysmonDrv"} | select -exp FilterDriver)
foreach ($driver in $SuspectDrivers){
Write-Warning "Unknown Driver Found - $driver"
echo ""
foreach ($driver in $SuspectDrivers){
echo "Checking $driver for relevant service. Any which aren't present may indicate a filter driver which has since been removed, or an active rootkit filtering service registry keys."
try{gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\$driver -force -ErrorAction Stop}Catch{Write-Warning "$driver NOT FOUND"}

Safe Boot registry keys

Special Thanks – Didier Stevensmultiple times

Note: These keys specify what services are run in Safe Mode. Sometimes they’ll be modified by malware to ensure rootkits can still function in Safe Mode.

reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal /s
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network /s

Unload malicious filter driver

fltmc filters
fltmc volumes
fltmc instances
fltmc unload <filtername>
fltmc detach <filtername> <volumeName> <instanceName>

Note: Common legitimate filter drivers include

  • WdFilter – Windows Defender Filter
  • storqosflt – Storage QoS Filter
  • wcifs – Windows Container Isolation File System Filter
  • CldFlt – Windows Cloud Files Filter
  • FileCrypt – Windows Sandboxing and Encryption Filter
  • luafv – LUA File Virtualization Filter (UAC)
  • npsvctrig – Named Pipe Service Trigger Provider Filter
  • Wof – Windows Overlay Filter
  • FileInfo – FileInfo Filter (SuperFetch)
  • bindflt – Windows Bind Filter system driver
  • FsDepends – File System Dependency Minifilter
  • PROCMON24 – Procmon Process Monitor Driver

T1176 Browser Extensions


Get-ChildItem -path "C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default\Extensions' -recurse -erroraction SilentlyContinue -include manifest.json | cat
reg query "HKLM\Software\Google\Chrome\Extensions" /s
reg query "HKLM\Software\Wow6432Node\Google\Chrome\Extensions" /s


Get-ChildItem -path "C:\Users\*\AppData\Roaming\Mozilla\Firefox\Profiles\*\extensions" -recurse -erroraction SilentlyContinue
Get-ChildItem -path "C:\Program Files\Mozilla Firefox\plugins\" -recurse -erroraction SilentlyContinue
Get-ChildItem -path registry::HKLM\SOFTWARE\Mozilla\*\extensions


Get-ChildItem -Path C:\Users\*\AppData\Local\Packages\ -recurse -erroraction SilentlyContinue

Internet Explorer

Get-ChildItem -path "C:\Program Files\Internet Explorer\Plugins\" -recurse -erroraction SilentlyContinue
reg query 'HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
reg query 'HKLM\Software\Microsoft\Internet Explorer\Toolbar'
reg query 'HKLM\Software\Microsoft\Internet Explorer\URLSearchHooks'
reg query 'HKLM\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKU\{SID}\Software\Microsoft\Internet Explorer\Explorer Bars'
reg query 'HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions'

T1109 Component Firmware

Note: This is incredibly rare, and doesn’t have an easy detection/remediation mechanism. Using the Windows CheckDisk utility, System File Checker, or Deployment Image Servicing and Management may assist but isn’t guaranteed.

chkdsk /F
sfc /scannow
dism /Online /Cleanup-Image /ScanHealth
dism /Online /Cleanup-Image /RestoreHealth
dism /Online /Cleanup-Image /StartComponentCleanup /ResetBase

T1122 Component Object Model (COM) Hijacking

Note: This involves replacing legitimate components with malicious ones, and as such the legitimate components will likely no longer function. If you have a detection based on DLLHost.exe with /Processid:{xyz}, you can match xyz with the CLSID (COM Class Object) or AppID mentioned below to check for any malicious EXE or DLL.

HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}
HKLM\SOFTWARE\Classes\CLSID\{abc} /v AppID /t REG_SZ /d {xyz}

Example analysis:

reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID" /s /f "{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"
reg query "HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{178167bc-4ee3-403e-8430-a6434162db17}" /s
reg query "HKLM\SOFTWARE\Classes\AppID\{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}"


reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKLM\SOFTWARE\Classes\CLSID\ /s /f ".exe"
reg query HKLM\SOFTWARE\Classes\AppID\ /s /f DllSurrogate
gci -path REGISTRY::HKLM\SOFTWARE\Classes\*\shell\open\command 
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".dll"
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f ".exe"
gci 'REGISTRY::HKU\*\Software\Classes\CLSID\*\TreatAs'
gci 'REGISTRY::HKU\*\Software\Classes\Scripting.Dictionary'
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\LocalServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocServer32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\InprocHandler*" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\*Server32" -ea 0
gci "REGISTRY::HKU\*\SOFTWARE\Classes\CLSID\*\ScriptletURL" -ea 0
reg query HKU\{SID}\SOFTWARE\Classes\CLSID\ /s /f "ScriptletURL"

Get list of all COM Objects

Original by Jeff Atwood

gci HKLM:\Software\Classes -ea 0| ? {$_.PSChildName -match '^\w+\.\w+$' -and(gp "$($_.PSPath)\CLSID" -ea 0)} | select -ExpandProperty PSChildName

T1136 Create Account

net user
net user /domain
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts" /s

T1038 DLL Search Order Hijacking

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
gci -path C:\Windows\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gci -path C:\Windows\System32\* -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
gps | ? {$_.Modules -like '*{DLLNAME}*'} | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}
$dll = gps | Where {$_.Modules -like '*{DLLNAME}*' } | Select Modules;$dll.Modules;
(gps).Modules | FL FileName,FileVersionInfo
(gps).Modules.FileName | get-authenticodesignature | ? Status -NE "Valid"

T1133 External Remote Services


T1044 File System Permissions Weakness

Get-WmiObject win32_service | FL name,PathName
get-acl "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" | FL | findstr "FullControl"

T1158 Hidden Files and Directories

dir /S /A:H

T1179 Hooking

Finding EasyHook Injection

tasklist /m EasyHook32.dll;tasklist /m EasyHook64.dll;tasklist /m EasyLoad32.dll;tasklist /m EasyLoad64.dll;

More Material:

T1062 Hypervisor


T1183 Image File Execution Options Injection

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" /s /f "MonitorProcess"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f "Debugger"

T1037 Logon Scripts

reg query "HKU\{SID}\Environment" /v UserInitMprLogonScript

T1177 LSASS Driver

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4614';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3033';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='3063';} | FL TimeCreated,Message

T1031 Modify Existing Service

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | foreach {filehash $_.ServiceDll}
Get-ItemProperty REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\*\* -ea 0 | where {($_.ServiceDll -ne $null)} | select -uniq ServiceDll -ea 0 | foreach {filehash $_.ServiceDll} | select -uniq -exp hash

T1128 Netsh Helper DLL

reg query HKLM\SOFTWARE\Microsoft\Netsh

T1050 New Service

reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ImagePath"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "ServiceDLL"
reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v "FailureCommand"
Get-WmiObject win32_service | FL Name, DisplayName, PathName, State
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message

Note: If not examining the registry directly and looking at services in a ‘live’ capacity you may encounter ‘hidden services’ which aren’t shown due to a SDDL applied to them. You can find solely these services using the following (Special thanks – Josh Wright)

Compare-Object -ReferenceObject (Get-Service | Select-Object -ExpandProperty Name | % { $_ -replace "_[0-9a-f]{2,8}$" } ) -DifferenceObject (gci -path hklm:\system\currentcontrolset\services | % { $_.Name -Replace "HKEY_LOCAL_MACHINE\\","HKLM:\" } | ? { Get-ItemProperty -Path "$_" -name objectname -erroraction 'ignore' } | % { $_.substring(40) }) -PassThru | ?{$_.sideIndicator -eq "=>"}

Some common legitimate hidden services are:


T1137 Office Application Startup

Get-ChildItem -path C:\Users\*\Microsoft\*\STARTUP\*.dotm -force
Get-ChildItem -path C:\Users\*\AppData\Roaming\Microsoft\*\STARTUP\* -force
reg query "HKU\{SID}\Software\Microsoft\Office test\Special\Perf" /s
reg query "HKLM\Software\Microsoft\Office test\Special\Perf" /s
Get-ChildItem -path registry::HKLM\SOFTWARE\Microsoft\Office\*\Addins\*
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
Get-ChildItem -path registry::HKLM\SOFTWARE\Wow6432node\Microsoft\Office\*\Addins\*
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Templates\*" -erroraction SilentlyContinue
Get-ChildItem -path "C:\Users\*\AppData\Roaming\Microsoft\Excel\XLSTART\*" -erroraction SilentlyContinue
Get-ChildItem -path C:\ -recurse -include Startup -ea 0
ls 'C:\Program Files\Microsoft Office\root\*\XLSTART\*'
ls 'C:\Program Files\Microsoft Office\root\*\STARTUP\*'
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Inbox
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Security
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\Today\UserDefinedUrl
reg query HKCU\Software\Microsoft\Office\<Outlook Version>\Outlook\WebView\Calendar\URL
Get-WinEvent -FilterHashtable @{ LogName='Microsoft Office Alerts'; Id='300';} | FL TimeCreated,Message

T1034 Path Interception


T1013 Port Monitors

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" /s /v "Driver"

T1504 PowerShell Profile

ls C:\Windows\System32\WindowsPowerShell\v1.0\Profile.ps1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
ls C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.*Profile.ps1
gci -path "C:\Users\*\Documents\PowerShell\Profile.ps1"
gci -path "C:\Users\*\Documents\PowerShell\Microsoft.*Profile.ps1"

T1108 Redundant Access


T1060 Registry Run Keys / Startup Folder

reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v BootExecute
gci -path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*" -include *.lnk,*.url
gci -path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -include *.lnk,*.url
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9707'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Shell-Core/Operational'; Id='9708'} | FL TimeCreated,Message

T1053 Scheduled Task

gci -path C:\windows\system32\tasks | Select-String Command | FT Line, Filename
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | Select-String Command | FL Filename,Line
gci -path C:\windows\system32\tasks -recurse | where {$_.CreationTime -ge (get-date).addDays(-1)} | where {$_.CreationTime.hour -ge (get-date).hour-2}| Select-String Command | FL Line,Filename
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\'
gci -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
ls 'C:\Windows\System32\WptsExtensions.dll'

Note: thanks to Markus Piéton for the WptsExtensions.dll one.

T1180 Screensaver

reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaveActive"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "SCRNSAVE.exe"
reg query "HKU\{SID}\Control Panel\Desktop" /s /v "ScreenSaverIsSecure"

T1101 Security Support Provider

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" /v "Security Packages"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "Security Packages"

T1505 Server Software Component


T1058 Service Registry Permissions Weakness

get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\* |FL
get-acl REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\servicename |FL

T1023 Shortcut Modification

Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "exe"
Select-String -Path "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "dll"
Select-String -Path "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*" -Pattern "exe"
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "exe" | FL
gci -path "C:\Users\" -recurse -include *.lnk -ea SilentlyContinue | Select-String -Pattern "dll" | FL

T1198 SIP and Trust Provider Hijacking

reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData" /s /v "Dll"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy" /s /v "`$DLL"

T1019 System Firmware

Get-WmiObject win32_bios

T1209 Time Providers

reg query "HKLM\System\CurrentControlSet\Services\W32Time\TimeProviders" /s /f "Dll"

T1078 Valid Accounts

net users
net group /domain "Domain Admins"
net users /domain <name>

T1100 Web Shell

Note: The presence of files with these values isn’t necessarily indicative of a webshell, review output.

gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "runat" | FL
gci -path "C:\inetpub\wwwroot" -recurse -File -ea SilentlyContinue | Select-String -Pattern "eval" | FL

ProxyShell – May reveal evidence of mailbox exfil or Web Shell being dropped:

Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'MailboxExportRequest'} | FL TimeCreated, Message
Get-WinEvent -FilterHashtable @{LogName='MSExchange Management';} | ? {$_.Message -match 'aspx'} | FL TimeCreated, Message

T1084 Windows Management Instrumentation Event Subscription

Get WMI Namespaces

Function Get-WmiNamespace ($Path = 'root')
	foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
		$FullPath = $Path + "/" + $Namespace.Name
		Write-Output $FullPath
		Get-WmiNamespace -Path $FullPath
Get-WMINamespace -Recurse

Query WMI Persistence

Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription

T1004 Winlogon Helper DLL

reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Userinit"
reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell"
reg query "HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon" /s

Other – Winsock Helper DLL Persistence

Special Thanks – odzhan

Special Thanks – Hexacorn

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Winsock-WS2HELP/Operational'; Id='1'} | FL TimeCreated,Message
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters /v Transports
get-itemproperty 'REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock\Parameters' -ea 0 | select -exp Transports
get-item 'REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameters\Winsock' -ea 0
get-itemproperty 'REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\*\Parameters\Winsock' -ea 0 | select -exp HelperDllName
get-item 'REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters' -ea 0

Check disabled task manager (often from malware)

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr

Review Hivelist

gp REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\hivelist | Select *USER*

Locate all user registry keys

$UserProfiles = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Where {$_.PSChildName -match "S-1-5-21-(\d+-?){4}$" } | Select-Object @{Name="SID"; Expression={$_.PSChildName}}, @{Name="UserHive";Expression={"$($_.ProfileImagePath)\ntuser.dat"}}

Load all users registry keys from their ntuser.dat file (perform above first)

Foreach ($UserProfile in $UserProfiles) {If (($ProfileWasLoaded = Test-Path Registry::HKEY_USERS\$($UserProfile.SID)) -eq $false) {reg load HKU\$($UserProfile.SID) $($UserProfile.UserHive) | echo "Successfully loaded: $($UserProfile.UserHive)"}}

Query all users run key

Foreach ($UserProfile in $UserProfiles) {reg query HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run};

Unload all users registry keys

Foreach ($UserProfile in $UserProfiles) {reg unload HKU\$($UserProfile.SID)};

Remediate Automatic Load/Run Reg Keys

reg delete [keyname] /v [ValueName] /f
reg delete [keyname] /f
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /f}
Foreach ($UserProfile in $UserProfiles) {reg delete HKU\$($UserProfile.SID)\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /f}


Remove-ItemProperty -Path "[Path]" -Name "[name]"

Check Registry for IE Enhanced Security Modification

gci 'REGISTRY::HKU\*\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'
gci 'REGISTRY::HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap'

Check Registry for disabling of UAC (1=UAC Disabled)

gci REGISTRY::HKU\*\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 
gci REGISTRY::HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 

Review Software Keys for malicious entries

gci registry::HKLM\Software\*
gci registry::HKU\*\Software\*

Scan Registry keys for specified text

Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | where {$_.Name -match 'notepad' -or $_.Name -match 'sql'}
Get-ChildItem -path HKLM:\ -Recurse -ea SilentlyContinue | get-itemproperty | where {$_ -match 'notepad' -or $_ -match 'sql'}
reg query HKLM\SOFTWARE /s /f ".exe"
reg query HKLM\SYSTEM /s /f ".exe"
reg query HKLM\SECURITY /s /f ".exe"
reg query HKLM /s /f ".exe"

Persistent file locations of interest

%localappdata%\<random>\<random>.<4-9 file ext>
%appdata%\<random>\<random>.<4-9 file ext>
%SystemRoot%\<random 4 chars starting with digit>
%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\*
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\*"

You can scan these directories for items of interest e.g. unusual exe, dll, bat, lnk etc files with:

dir /s /b %localappdata%\*.exe | findstr /e .exe
dir /s /b %appdata%\*.exe | findstr /e .exe
dir /s /b %localappdata%\*.dll | findstr /e .dll
dir /s /b %appdata%\*.dll | findstr /e .dll
dir /s /b %localappdata%\*.bat | findstr /e .bat
dir /s /b "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .exe
dir /s /b "C:\Users\Public\" | findstr /e .lnk
dir /s /b "C:\Users\Public\" | findstr /e .dll
dir /s /b "C:\Users\Public\" | findstr /e .bat
ls "C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" | findstr /e .lnk

Locate any file of interest from cmd.exe using ‘where.exe’

where.exe /r C:\ *password*
where.exe /r D:\  version.dll /t

Locate LNK Files with a particular string (Special thanks to the notorious)

Select-String -Path 'C:\Users\[User]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\*.lnk' -Pattern "powershell" | Select Path

Master File Table

The Master File Table is an incredibly important artifact; however, this can only be read or obtained using low level disk reading. This contains an entry for every file or directory on the filesystem including metadata about these files, and may provide evidence on files which have been removed (MFT entries marked as ‘free’). More information can be found on Microsoft Docs

Determine Timestomping

Within the Master File Table (Located at the Win root) there are 2 elements, $STANDARD_INFORMATION and $FILE_NAME, both of which have values for a file being created, modified, accessed and written.

These are known as MACB times (Modified, Accessed, Changed, Birth). The $STANDARD_INFORMATION element can be modified from a malicious process, but the $FILE_NAME element is left intact and cannot without some extra trickery.

These discrepancies generally indicate Timestomping with the $FILE_NAME entry being the source of truth. This can be determined by obtaining the MFT (e.g. using a tool such as Rawcopy), and comparing timestamps on the file (e.g. using a tool such as MFTExplorer).


RawCopy.exe /FileNamePath:C:0 /OutputPath:C:\Audit /OutputName:MFT_C.bin


Enable Date Accessed Timestamps

reg add "HKLM\SYSTEM\CurrentControlSet\Control\FileSystem" /v NtfsDisableLastAccessUpdate /d 0 /t REG_DWORD /f

Remove BITSAdmin Persistence

bitsadmin /reset /allusers
import-module bitstransfer
Get-BitsTransfer -AllUsers | Remove-BitsTransfer

Check system directories for executables not signed as part of an operating system release

gci C:\windows\*\*.exe -File -force |get-authenticodesignature|?{$_.IsOSBinary -notmatch 'True'}

Locate Possible Trickbot

gci -path C:\Users\*\AppData\Roaming\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Windows\System32\config\systemprofile\appdata\roaming -recurse -force -include *.exe
schtasks /query /fo LIST /v | findstr "appdata"	
schtasks /query /fo LIST /v | findstr "programdata"	
schtasks /query /fo LIST /v | findstr "public"	
tasklist /svc | findstr "svchost"

Determine if user Trusted a doc/spreadsheet etc and ran a macro

Note: Don’t forget to load in user hives.

reg query 'HKU\[SID]\Software\Microsoft\Office\[versionnumber]\Word\Security\Trusted Documents\TrustRecords';
gci 'REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security\Trusted Documents\TrustRecords' -ea 0 | foreach {reg query $_.Name}

Note: This will show the file name/location and metadata in Hex. If the last lot of hex is FFFFFF7F then the user enabled the macro.

Check Office Security Settings

gci REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security -rec
gci REGISTRY::HKCU\Software\Microsoft\Office\*\*\Security -rec

Check Outlook Temporary Files

gci ((gp REGISTRY::HKU\*\Software\Microsoft\Office\[VerNumber]\Outlook\Security\ -ea 0).OutlookSecureTempFolder)
gci (((gp REGISTRY::HKU\*\Software\Microsoft\Office\*\Outlook\Security\ -ea 0)|select -exp OutlookSecureTempFolder -ea 0))

Check MS Office Logs for high risk file names

Get-WinEvent -FilterHashtable @{ LogName='OAlerts';} |Where { $_.Message -Match 'invoice' }| FL TimeCreated, Message

Prevent CVE-2017-11882, CVE-2018-0802, CVE-2018-0804, CVE-2018-0805, CVE-2018-0806, CVE-2018-0807 (EQNEDT32.EXE) Exploitation

Note: This is the “Equation Editor” exploit, either patch or mitigate. More information on the below process.

64-Bit Windows:

reg add "HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f
reg delete "HKEY_CLASSES_ROOT\CLSID\{0002CE02-0000-0000-C000-000000000046}"
reg delete "HKLM\SOFTWARE\Classes\Equation.3"

32-Bit Windows:

reg add "HKLM\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\{0002CE02-0000-0000-C000-000000000046}" /v "Compatibility Flags" /t REG_DWORD /d 0x400 /f
reg delete "HKEY_CLASSES_ROOT\WOW6432Node\CLSID\{0002CE02-0000-0000-C000-000000000046}"
reg delete "HKLM\SOFTWARE\Classes\Equation.3" /f

Determine if user opened a document

gci "REGISTRY::HKU\*\Software\Microsoft\Office\*\Word\Reading Locations\*"

Number of Sub-Directories

(gci -Path C:\Users\User\ -Recurse -Directory).length

Prevent Executable from Running.

Note: Load in hives and add particular SID to prevent users running named files, helps prevent for example your IIS service account from running cmd.exe or powershell.exe

reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisallowRun /t REG_DWORD /d "00000001" /f
reg add "HKU\{SID}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun" /v malware.exe /t REG_SZ /d "malware.exe" /f

Show known file extensions and hidden files (excluding OS hidden files)

reg add "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v Hidden /t REG_DWORD /d "1" /f
reg add "HKU\{SID}\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v HideFileExt /t REG_DWORD /d "0" /f
Stop-Process -processname explorer

Open File Extension (e.g. scripts) with certain application (elevated cmd)

FTYPE Custom=Notepad.exe "%1"
ASSOC .wsf=Custom

Disable Command Prompt

reg add "HKCU\SOFTWARE\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 0 /f

Locate Possible DLL Search Order Hijacking

Note: A legitimate clean executable can be used to run malicious DLLs based on how the software searches for them.

More information on Microsoft Docs

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDllSearchMode"

Search order for desktop applications:

If SafeDllSearchMode is enabled (is by default), the search order is as follows:

  • The same directory from which the executable is run.
  • The System Directory (Usually C:\Windows\System32).
  • The 16-bit System Directory.
  • The Windows Directory (Usually C:\Windows).
  • The Current Directory (From the process which executed the executable).
  • The directories that are listed in the PATH environment variable.

If SafeDllSearchMode is disabled (SafeDllSearchMode has a reg value of 0), the search order is as follows:

  • The same directory from which the executable is run.
  • The Current Directory (From the process which executed the executable).
  • The System Directory (Usually C:\Windows\System32).
  • The 16-bit System Directory.
  • The Windows Directory (Usually C:\Windows).
  • The directories that are listed in the PATH environment variable.

Locate Possible Dll Side Loading

Note: A legitimate clean executable can be used to run malicious DLLs based on issues with a manifest file used by the application to load DLLs.

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners"

By placing a malicious DLL in the below locations legitimate binaries may have been used to sideload these malicious DLLs.

  • C:\Windows\WinSxS
  • C:\Windows\SXS

Unique Sideload DLL hashes (may take some time)

(gci -path C:\Windows\WinSxS -recurse -include *.dll|gi -ea SilentlyContinue|filehash).hash|sort -u

Unsigned or Invalid Sideload DLLs (there will be a lot)

gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"

Unsigned Sideload DLLs (Less noise)

gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -E "NotSigned"
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid"

Hash of Unsigned Sideload DLLs

gci -path C:\Windows\WinSxS -recurse -include *.dll | Get-AuthenticodeSignature | Where-Object Status -E "NotSigned" | Select Path | gi -ea SilentlyContinue | filehash | sort -u
gci -path C:\Windows\WinSxS -recurse -include *.ocx | Get-AuthenticodeSignature | Where-Object Status -NE "Valid" | Select Path | gi -ea SilentlyContinue | filehash | sort -u

Find files without extensions

Get-ChildItem -Path C:\Users\[user]\AppData -Recurse -Exclude *.* -File -Force -ea SilentlyContinue

Remediate malicious files

rmdir %localappdata%\maliciousdirectory\ /s
del /F %localappdata%\maliciousdirectory\malware.exe


Remove-Item [C:\Users\Public\*.exe]
Remove-Item -Path [C:\Users\Public\malware.exe] -Force
Get-ChildItem * -Include *.exe -Recurse | Remove-Item

Detect Persistent WMI Subscriptions

These will appear as children spawning from wmiprvse.

Get-WmiObject -Class __FilterToConsumerBinding -Namespace root\subscription
Get-WmiObject -Class __EventFilter -Namespace root\subscription
Get-WmiObject -Class __EventConsumer -Namespace root\subscription

Remediate Persistent WMI Subscriptions

The most important aspect is to locate and remove the CommandLineEventConsumer. This has the malicious command stored within the value ‘CommandLineTemplate’. The below example searches for commands that contain ‘powershell’.

Get-WMIObject -Namespace root\subscription -Class __EventFilter -Filter "Name like '%%[Name]%%'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "CommandLineTemplate like '%%powershell%%'" | Remove-WmiObject
Get-WMIObject -Namespace root\subscription -Class __FilterToConsumerBinding -Filter "__Path like '%%[Name]%%'" | Remove-WmiObject 

Enumerate WMI Namespaces

Function Get-WmiNamespace ($Path = 'root')
	foreach ($Namespace in (Get-WmiObject -Namespace $Path -Class __Namespace))
		$FullPath = $Path + "/" + $Namespace.Name
		Write-Output $FullPath
		Get-WmiNamespace -Path $FullPath
Get-WMINamespace -Recurse

Mimikatz/Credential Extraction Detection

The below represent registry keys which make it more difficult for Mimikatz to work. Modification of these keys may indicate an attacker trying to execute Mimikatz within an environment if they were set to their more secure state. Always test prior to changing registry keys such as these in a production environment to ensure nothing breaks.

	- “UseLogonCredential” should be 0 to prevent the password in LSASS/WDigest
	- “RunAsPPL” should be set to dword:00000001 to enable LSA Protection which prevents non-protected processes from interacting with LSASS. 
	- Mimikatz can remove these flags using a custom driver called mimidriver.
		- This uses the command **!+** and then **!processprotect /remove /process:lsass.exe** by default so tampering of this registry key can be indicative of Mimikatz activity.

The Mimikatz Yara rule may also prove useful.

Some techniques may involve loading lsasrv.dll or wdigest.dll to extract credentials and may be caught if this is loaded legitimately using:

tasklist /m wdigest.dll
tasklist /m lsasrv.dll

You may be able to detect changes to the below registry keys which can be used to load an arbitrary DLL and extract credentials, more information from Adam Chester

reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS /v LsaDbExtPt
reg query HKLM\SYSTEM\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt

An adversary may also tamper with the number of cached logons a system holds (default of 10).

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount

Password Filter DLL Credential Harvesting Detection

reg query “HKLM\SYSTEM\CurrentControlSet\Control\Lsa” /s /f Notification

Network Provider DLL Credential Harvesting Detection

Note: There will be many legitimate ones of these so verify first.

reg query HKLM\SYSTEM\CurrentControlSet /s /f NetworkProvider gci HKLM:\SYSTEM\CurrentControlSet\Services*\NetworkProvider

Note: This is 100% the research performed by Grzegorz Tworek, and the below script can be used to automate detection.

# The script reads information about network providers (possibly acting as password sniffers) from registry, and displays it
# each entry is checked for binary signature and DLL metadata
# no admin privileges needed

# get providers from registry
$providers = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name ProviderOrder

# iterate through entries
foreach ($prov in ($providers.ProviderOrder -split ','))
    $row = New-Object psobject
    $row | Add-Member -Name "Name" -MemberType NoteProperty -Value $prov

    $dllPath = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$prov\NetworkProvider" -Name ProviderPath).ProviderPath
    $row | Add-Member -Name "DllPath" -MemberType NoteProperty -Value $dllPath
    $signature = Get-AuthenticodeSignature -FilePath $dllPath
    $certSubject = ""
    if ($signature.Status.value__ -eq 0)  #valid
        $certSubject = $signature.SignerCertificate.Subject
    $row | Add-Member -Name "Signer" -MemberType NoteProperty -Value $certSubject
    $row | Add-Member -Name "Version" -MemberType NoteProperty -Value (Get-Command $dllPath).FileVersionInfo.FileVersion
    $row | Add-Member -Name "Description" -MemberType NoteProperty -Value (Get-Command $dllPath).FileVersionInfo.FileDescription

    $arrExp += $row

# Let's display the array
if (Test-Path Variable:PSise)
    $arrExp | Out-GridView
    $arrExp | Format-List

Registry key modification timestamp (by Shaun Hess)



[Alias(“CN”,”__SERVER”,”Computer”,”CNAME”)] [string[]]$ComputerName=$env:ComputerName, [string]$Key = “HKLM”, [string]$SubKey ) function Get-RegKeyLastWriteTime { <# .SYNOPSIS Retrieves the last write time of the supplied registry key .DESCRIPTION The Registry data that a hive stores in containers are called cells. A cell can hold a key, a value, a security descriptor, a list of subkeys, or a list of key values. Get-RegKeyLastWriteTime retrieves the LastWriteTime through a pointer to the FILETIME structure that receives the time at which the enumerated subkey was last written. Values do not contain a LastWriteTime property, but changes to child values update the parent keys lpftLastWriteTime. The LastWriteTime is updated when a key is created, modified, accessed, or deleted. .PARAMETER ComputerName Computer name to query .PARAMETER Key Root Key to query HKCR – Symbolic link to HKEY_LOCAL_MACHINE \SOFTWARE \Classes. HKCU – Symbolic link to a key under HKEY_USERS representing a user’s profile hive. HKLM – Placeholder with no corresponding physical hive. This key contains other keys that are hives. HKU – Placeholder that contains the user-profile hives of logged-on accounts. HKCC – Symbolic link to the key of the current hardware profile .PARAMETER SubKey Registry Key to query .EXAMPLE Get-RegKeyLastWriteTime -ComputerName testwks -Key HKLM -SubKey Software .EXAMPLE Get-RegKeyLastWriteTime -ComputerName testwks1,testwks2 -SubKey Software .EXAMPLE Get-RegKeyLastWriteTime -SubKey Software\Microsoft .EXAMPLE “testwks1″,”testwks2” | Get-RegKeyLastWriteTime -SubKey Software\Microsoft ` \Windows\CurrentVersion .NOTES NAME: Get-RegKeyLastWriteTime AUTHOR: Shaun Hess VERSION: 1.0 LASTEDIT: 01JUL2011 LICENSE: Creative Commons Attribution 3.0 Unported License ( .LINK #> [CmdletBinding()] param(


[Alias(“CN”,”__SERVER”,”Computer”,”CNAME”)] [string[]]$ComputerName=$env:ComputerName, [string]$Key = “HKLM”, [string]$SubKey ) BEGIN { switch ($Key) { “HKCR” { $searchKey = 0x80000000} #HK Classes Root “HKCU” { $searchKey = 0x80000001} #HK Current User “HKLM” { $searchKey = 0x80000002} #HK Local Machine “HKU” { $searchKey = 0x80000003} #HK Users “HKCC” { $searchKey = 0x80000005} #HK Current Config default { “Invalid Key. Use one of the following options: HKCR, HKCU, HKLM, HKU, HKCC”} } $KEYQUERYVALUE = 0x1 $KEYREAD = 0x19 $KEYALLACCESS = 0x3F } PROCESS { foreach($computer in $ComputerName) { $sig0 = @’ [DllImport(“advapi32.dll”, SetLastError = true)] public static extern int RegConnectRegistry( string lpMachineName, int hkey, ref int phkResult); ‘@ $type0 = Add-Type -MemberDefinition $sig0 -Name Win32Utils -Namespace RegConnectRegistry -Using System.Text -PassThru $sig1 = @’ [DllImport(“advapi32.dll”, CharSet = CharSet.Auto)] public static extern int RegOpenKeyEx( int hKey, string subKey, int ulOptions, int samDesired, out int hkResult); ‘@ $type1 = Add-Type -MemberDefinition $sig1 -Name Win32Utils ` -Namespace RegOpenKeyEx -Using System.Text -PassThru $sig2 = @’ [DllImport(“advapi32.dll”, EntryPoint = “RegEnumKeyEx”)] extern public static int RegEnumKeyEx( int hkey, int index, StringBuilder lpName, ref int lpcbName, int reserved, int lpClass, int lpcbClass, out long lpftLastWriteTime); ‘@ $type2 = Add-Type -MemberDefinition $sig2 -Name Win32Utils ` -Namespace RegEnumKeyEx -Using System.Text -PassThru $sig3 = @’ [DllImport(“advapi32.dll”, SetLastError=true)] public static extern int RegCloseKey( int hKey); ‘@ $type3 = Add-Type -MemberDefinition $sig3 -Name Win32Utils -Namespace RegCloseKey -Using System.Text -PassThru $hKey = new-object int $hKeyref = new-object int $searchKeyRemote = $type0::RegConnectRegistry($computer, $searchKey, [ref]$hKey) $result = $type1::RegOpenKeyEx($hKey, $SubKey, 0, $KEYREAD, [ref]$hKeyref) #initialize variables $builder = New-Object System.Text.StringBuilder 1024 $index = 0 $length = [int] 1024 $time = New-Object Long #234 means more info, 0 means success. Either way, keep reading while ( 0,234 -contains $type2::RegEnumKeyEx($hKeyref, $index++, $builder, [ref] $length, $null, $null, $null, [ref] $time) ) { #create output object $o = “” | Select Key, LastWriteTime, ComputerName $o.ComputerName = “$computer” $o.Key = $builder.ToString() # TODO Change to use the time api #Write-host ((Get-Date $time).ToUniversalTime()) $timezone=[TimeZoneInfo]::Local $Offset=$timezone.BaseUtcOffset.TotalHours $o.LastWriteTime = (Get-Date $time).AddYears(1600).AddHours($Offset) $o #reinitialize for next time through the loop $length = [int] 1024 $builder = New-Object System.Text.StringBuilder 1024 } $result = $type3::RegCloseKey($hKey); write-host $builder } } } # End Get-RegKeyLastWriteTime function #write-host $Key $SubKey #Get-RegKeyLastWriteTime -Key $Key -SubKey $SubKey Get-RegKeyLastWriteTime -SubKey System\CurrentControlSet\

NetNTLM Downgrade Attack Detection

reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v LMCompatibilityLevel
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictSendingNTLMTraffic 
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v NTLMMinClientSec

DanderSpritz eventlogedit

Oauth Access Token Theft Detection in Azure

Inversecos – How to Detect OAuth Access Token Theft in Azure

SANS FOR509 – Cloud Forensics and Azure

Putty Detection

reg query HKCU\Software\SimonTatham\PuTTY\Sessions /s

Installed Updates

(WMI Quick Fix Engineering)

wmic qfe

Installed Software/Packages

reg query HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ /s /f DisplayName
wmic product get name,version /format:csv
wmic product get /ALL
dism /online /get-packages
get-WmiObject -Class Win32_Product

Powershell: Full List for all users using uninstall keys in registry

$(Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*; Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*;New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS| Out-Null;$UserInstalls += gci -Path HKU: | where {$_.Name -match 'S-\d-\d+-(\d+-){1,14}\d+$'} | foreach {$_.PSChildName };$(foreach ($User in $UserInstalls){Get-ItemProperty HKU:\$User\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*});$UserInstalls = $null;try{Remove-PSDrive -Name HKU}catch{};)|where {($_.DisplayName -ne $null) -and ($_.Publisher -ne $null)} | Select DisplayName,DisplayVersion,Publisher,InstallDate,UninstallString |FT

Process information

(pslist requires sysinternals pslist.exe):

tasklist -v
wmic process list full /format:csv
wmic process get name,parentprocessid,processid /format:csv
wmic process get ExecutablePath,processid /format:csv
wmic process get name,ExecutablePath,processid,parentprocessid /format:csv | findstr /I "appdata"
wmic process where processid=[PID] get parentprocessid
wmic process where processid=[PID] get commandline
wmic process where "commandline is not null and commandline!=''" get name,commandline /format:csv
gwmi win32_process -Filter "name like 'powershell.exe'" | select name,processId,commandline|FL
gwmi win32_process | select name,processId,path,commandline|FL
gwmi win32_process |FL ProcessID,ParentProcessID,CommandLine,@{e={$_.GetOwner().User}}
gwmi win32_process | Sort-Object -Property ProcessID | FL ProcessID,Path,CommandLine,ParentProcessID,@{n="User";e={$_.GetOwner().User}},@{n="ParentProcessPath";e={gps -Id $_.ParentProcessID|Select -exp Path}}
Get-Process -IncludeUserName

PowerShell Module to show Process Tree

import-module .\Get-ProcessTree.ps1
Get-ProcessTree -Verbose | FT Id, Level, IndentedName, ParentId,Path,CommandLine

Current Process execution or module loads from temporary directories

Note: This will likely have some false positives as it’s just a wildcard. So in this case using ‘temp’ can come up in words such as ‘ItemProvider’.

(gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|unique

Current Process execution or module loads from temporary directories + hash

$A=((gps -Module -ea 0).FileName|Select-String "Appdata","ProgramData","Temp","Users","public"|sort|unique);foreach ($B in $A) {filehash $B};
$A=((gps).Path|Select-String "Appdata","ProgramData","Temp","Users","public"|sort|unique);foreach ($B in $A) {filehash $B};

Scan for malware with Windows Defender

"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 1
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 2
"%ProgramFiles%\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File C:\Users\[username]\AppData\Local\Temp

Note: Types are as follows

  • 1: Quick scan
  • 2: Full system scan
  • 3: File and directory custom scan

Check Windows Defender for excluded files and default actions

reg query "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions" /s
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
Get-MpPreference | Select Exclusion*
Get-MpPreference | Select *DefaultAction

Delete Windows Defender excluded files

reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v "[RegkeyValue]"
reg delete "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths"
Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' -Name "Paths"

Check Windows Defender Block/Quarantine Logs

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-Windows Defender/Operational'; Data='Severe'} | FL TimeCreated,Message

Check and Set Access Control Lists

Get-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'|FL
Get-Acl -Path [FileWithRequiredAccess] | Set-Acl -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'

Change ACE for “everyone” on folder and subfiles/folders

Grant everyone full access

icacls "C:\{DESIREDFOLDERPATH}" /grant everyone:(CI)(OI)F /T

Remove ACE entries for “everyone”

icacls "C:\{DESIREDFOLDERPATH}" /remove everyone /T

Disable unwanted windows binaries (via Base64 encoding and removal)

Note: This is one method, not the only way.

certutil -encode C:\windows\system32\mshta.exe C:\windows\system32\mshta.disabled
Get-Acl -Path C:\windows\system32\mshta.exe | Set-Acl -Path C:\windows\system32\mshta.disabled
takeown /f C:\windows\system32\mshta.exe
icacls C:\windows\system32\mshta.exe /grant administrators:F
rm C:\windows\system32\mshta.exe

Enable windows binaries (via Base64 decoding and removal)

certutil -decode C:\windows\system32\mshta.disabled C:\windows\system32\mshta.exe
Get-Acl -Path C:\windows\system32\mshta.disabled | Set-Acl -Path C:\windows\system32\mshta.exe
takeown /f C:\windows\system32\mshta.disabled
icacls C:\windows\system32\mshta.disabled /grant administrators:F
rm C:\windows\system32\mshta.disabled

Make multiple files visible and remove ‘superhidden’

gci C:\{DESIREDFOLDERPATH} -force -recurse -ea 0 | foreach {$_.attributes = 'Normal'};
attrib -s -h C:\{DESIREDFOLDERPATH}\*.*

Check Security Descriptor Definition Language (SDDL) and Access Control Entries (ACE) for services

sc sdshow <servicename>
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*DC"}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WD"}
$A=get-service;foreach ($service in $A){$service;sc.exe sdshow $service.Name|Select-String "A;*WO"}

More information on ACE Strings and the level of access they can provide, and a breakdown is included below.

Syntax of Security Descriptor String:

owner (O:), primary group (G:), DACL (D:), and SACL (S:).

Syntax of ACE String:


Note: ACE strings are used in the DACL/SACL components of a SDDL.

Example SDDL:


Example SDDL Breakdown (from above):

	D: = DACL String
	A; = SDDL_ACCESS_ALLOWED (ace_type)
	; = Nil (ace_flags)
	CCLCSWRPWPDTLOCRRC; = Concatenated rights (rights)
	; = Nil (object_guid)
	; = Nil (inherit_object_guid)
	;SY = SDDL_LOCAL_SYSTEM (account_sid)
	S: = SACL String
	AU; = SDDL_AUDIT (ace_type)
	FA; = SDDL_AUDIT_FAILURE (ace_flags)
	CCDCLCSWRPWPDTLOCRSDRCWDWO; = Concatenated rights (rights)
	; = Nil (object_guid)
	; = Nil (inherit_object_guid)
	;WD = SDDL_EVERYONE (account_sid)

Kill “Unstoppable” Service/Process

reg add HKLM\SYSTEM\CurrentControlSet\Services\{SERVICENAME}\Parameters /V start /T reg_dword /D 4 /f
Get-Service -Name {SERVICENAME} | Set-Service -Status Paused
sc.exe config {SERVICENAME} start= disabled
Get-Service -Name {SERVICENAME} | Set-Service -Status Stopped
taskkill /F /t /IM "{SERVICEEXENAME}"

Obtain hash for all running executables

Issues with spaces in names but supports CMD.exe

FOR /F %i IN ('wmic process where "ExecutablePath is not null" get ExecutablePath') DO certutil -hashfile %i SHA256 | findstr -v : >> output.txt

Powershell (Special thanks Lee Holmes)

(gps|gi -ea SilentlyContinue|filehash).hash|sort -u

My less efficient powershell

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | Format-List}

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}

$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique;$A

Obtain hash and established network connections for running executables with dns cache

Get-NetTCPConnection -State Established | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress -ea 0).Entry}}|sort|gu -AS|FT

Obtain hash and listening network connections for running executables

Get-NetTCPConnection -State LISTEN | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT

Obtain hash and possible tunneled network connections for running executables

Get-NetTCPConnection -State ESTABLISHED |? LocalAddress -Like "::1" | Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State Established |? LocalAddress -Like ""| Select RemoteAddress, RemotePort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}},@{n="DNSCache";e={(Get-DnsClientCache -Data $_.RemoteAddress).Entry}}|sort|gu -AS|FT
Get-NetTCPConnection -State LISTEN |? LocalAddress -Like "" | Select LocalAddress, LocalPort, OwningProcess, @{n="Path";e={(gps -Id $_.OwningProcess).Path}},@{n="Hash";e={(gps -Id $_.OwningProcess|gi|filehash).hash}}, @{n="User";e={(gps -Id $_.OwningProcess -IncludeUserName).UserName}}|sort|gu -AS|FT

Obtain workstation name for tunneled authentication

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='::';} | FL TimeCreated,Message

Obtain hash of DLLs currently loaded by processes

$A = $(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue|? FileName -NotLike "C:\Windows\SYSTEM32\*"){Get-FileHash $dll.FileName| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$A
(gps).Modules.FileName | sort -uniq | foreach {filehash $_ -ea 0}

Obtain processes where binaries file version doesn’t match OS Release

gps -FileVersionInfo -ea 0|? {$_.ProductVersion -notmatch $([System.Environment]::OSVersion.Version|Select -exp Build)}

Obtain process binary file external names

gps -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | Select OriginalFilename,InternalName,Filename
gps -module -FileVersionInfo -ea 0 | sort -uniq | FL *name,*version

Obtain processes running which are running a DLL

$A=(gps|select -ExpandProperty modules -ea SilentlyContinue | where {$_.ModuleName -Like 'sechost.dll' -or $_.ModuleName -Like 'ntdll.dll'} | sort -u);if($A[0].Size -ge -1) {foreach ($Module in $A){tasklist /m $Module.ModuleName}};
gps | FL ProcessName, @{l="Modules";e={$_.Modules|Out-String}}

Obtain hash of unsigned or invalid DLLs currently loaded by processes

$A=$(foreach ($dll in gps|select -ExpandProperty modules -ea SilentlyContinue){Get-AuthenticodeSignature $dll.FileName |Where-Object Status -NE "Valid"|Select Path});$B=$(foreach ($dll in $A){Get-FileHash $dll.Path| select Hash -ExpandProperty Hash})|Sort-Object| Get-Unique;$B

Obtain list of unsigned DLLs currently loaded by processes

gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature|Where-Object Status -NE "Valid"
gps | select -exp modules -ea 0 | Select -exp FileName | Get-AuthenticodeSignature | ? Status -NE "Valid" | FL Path

Obtain DLL information ListDLLs

listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

Unsigned DLLs loaded by processes (Using ListDLLs)

listdlls64.exe -u -accepteula

Obtain DLLs in use by processes

listdlls.exe -v processname -accepteula
listdlls.exe -v -d dllname.dll -accepteula
listdlls.exe -d dllname.dll -accepteula
listdlls.exe -v PID -accepteula

Enable logging of non non-Windows module loads via WDAC code integrity

Note 1: Special thanks to Matt Graeber for this.

Note 2: This is based off of a Windows Defender Application Control system integrity policy which has been converted on an enterprise system.

On an enterprise system enable it by creating a module load audit policy:

ConvertFrom-CIPolicy Non_Microsoft_UserMode_Load_Audit.xml C:\Windows\System32\CodeIntegrity\SIPolicy.p7b

Store the converted policy on a Win10 system to be monitored at: Windows\System32\CodeIntegrity\SIPolicy.p7b

Extract Module (DLL, SYS and EXE) information from WDAC Audit Events

# Extract relevant properties from 3076 events
# Modified by Jai Minton @CyberRaiju, based from original work by Matt Graeber @mattifestation 

# On an enterprise system enable it by creating a module load audit policy:
	# ConvertFrom-CIPolicy Non_Microsoft_UserMode_Load_Audit.xml C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
# Store the converted policy on a Win10 system to be monitored at: Windows\System32\CodeIntegrity\SIPolicy.p7b
# If you don't have one available you can use a pre-converted one found [here](

# More information:

$SigningLevelMapping = @{
[Byte] 0 = 'Unchecked'
[Byte] 1 = 'Unsigned'
[Byte] 2 = 'Enterprise'
[Byte] 3 = 'Custom1'
[Byte] 4 = 'Authenticode'
[Byte] 5 = 'Custom2'
[Byte] 6 = 'Store'
[Byte] 7 = 'Antimalware'
[Byte] 8 = 'Microsoft'
[Byte] 9 = 'Custom4'
[Byte] 0xA = 'Custom5'
[Byte] 0xB = 'DynamicCodegen'
[Byte] 0xC = 'Windows'
[Byte] 0xD = 'WindowsProtectedProcessLight'
[Byte] 0xE = 'WindowsTcb'
[Byte] 0xF = 'Custom6'

$CIEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076} | ForEach-Object {
	$ScenarioValue = $_.Properties[16].Value.ToString()
	$Scenario = $ScenarioValue
		switch ($Scenario) {
		'0' { $Scenario = 'Kernel-Mode' }
		'1' { $Scenario = 'User-Mode' }
	[PSCustomObject] @{
		TimeCreated = $_.TimeCreated
		MachineName = $_.MachineName
		UserId = $_.UserId
		FileName = $_.Properties[1].Value
		ProcessName = $_.Properties[3].Value
		CertificateSHA1AuthentiCodeHash = [BitConverter]::ToString($_.Properties[8].Value).Replace('-', '')
		CertificateSHA256AuthentiCodeHash = [BitConverter]::ToString($_.Properties[10].Value).Replace('-', '')
		ModuleSHA1Hash = [BitConverter]::ToString($_.Properties[12].Value).Replace('-', '')
		ModuleSHA256Hash = [BitConverter]::ToString($_.Properties[14].Value).Replace('-', '')
		OriginalFileName = $_.Properties[24].Value
		InternalName = $_.Properties[26].Value
		FileDescription = $_.Properties[28].Value
		ProductName = $_.Properties[30].Value
		FileVersion = $_.Properties[31].Value
		SISigningScenario = $Scenario
		RequestedSigningLevel = $SigningLevelMapping[$_.Properties[4].Value]
		ValidatedSigningLevel = $SigningLevelMapping[$_.Properties[5].Value]
		PolicyHash = [BitConverter]::ToString($_.Properties[22].Value).Replace('-', '')

Determine handles on a file

handle [[-a] [-u] | [-c <handle> [-l] [-y]] | [-s]] [-p <processname>|<pid>> [name]
handle -a -u -s -p exp
handle windows\system

Verify EternalBlue Patch (MS17-010) is installed – Microsoft

Note: This impacts the SMB 1.0 Server Driver, if you don’t have the below, then it’s not installed. If you do you can use the above to determine patch level.

get-item C:\Windows\system32\drivers\srv.sys | FL VersionInfo
get-hotfix -id KB<111111>

Obtain TXT records from recently resolved domains

foreach ($domains in Get-DnsClientCache){Resolve-DnsName $domains.Entry -Type "TXT"|Select Strings|? Strings -NotLike ""};

Check all Appdata files for unsigned or invalid executables

Get-ChildItem -Recurse $env:APPDATA\..\*.exe -ea SilentlyContinue| ForEach-object {Get-AuthenticodeSignature $_ -ea SilentlyContinue} | Where-Object {$_.status -ine "Valid"}|Select Status,Path

Check for execuables in Local System User Profile and Files

Get-ChildItem C:\Windows\*\config\systemprofile -recurse -force -ea 0 -include *.exe, *.dll *.lnk

Investigate WMI Usage

Note: Requires Strings

strings -q C:\windows\system32\wbem\repository\

Find executables and scripts in Path directories ($env:Path)

Get-Command * -Type Application | FT -AutoSize
Get-Command -Name * | FL FileVersionInfo

PowerShell Command History


Find files created/written based on date

Get-ChildItem <file> | Select-Object CreationTime
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Date -match "12/25/2014"}
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.LastWriteTime -match "12/25/2014"}
Get-ChildItem C:\ -recurse -ea SilentlyContinue -force | where-object { $_.CreationTime.Hour -gt 2 -and $_.CreationTime.Hour -lt 15}

Check running executables for malware via VirusTotal

Note: VT Has a rate limit for the Public API so this won’t work if you are using the Public API. All 1 liners require VTAPIKey to be set as your VirusTotal API key

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri '' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"}}

This query uses a 15 second timeout to ensure only 4 queries are submitted a minute

foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Invoke-RestMethod -Method 'POST' -Uri '' -Body @{ resource =(Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;}

This query uses a 15 second timeout to ensure only 4 queries are submitted a minute and only unique hashes are queried

$A = $( foreach ($process in Get-WmiObject win32_process | where {$_.ExecutablePath -notlike ""}) {Get-FileHash $process.ExecutablePath | select Hash -ExpandProperty Hash}) |Sort-Object| Get-Unique -AsString; foreach ($process in $A) {Invoke-RestMethod -Method 'POST' -Uri '' -Body @{ resource =($process); apikey = "[VTAPIKey]"};Start-Sleep -Seconds 15;} 

Scan systems for IOA/IOC (Yara)

Loki Scanner

loki.exe -p [Directory]

Crowdresponse Scanner

CrowdResponse -v -i config.txt -o out.xml

IREC Tactical

IREC.exe --triage-memory
IREC.exe -ad "\\MACHINE\IREC-DIR" --triage-ruleset MyYaraRules --triage-memory 


yara32.exe -d filename=[file defined in ruleset.yar] [ruleset.yar] [file to scan]
yara32.exe -d filename=[svchost.exe] [ruleset.yar] -r [directory to scan]
yara64.exe yararule.yar -r C:
yara64.exe yararule.yar -r C: -f 2> $null

Yara Linux

Note: -s shows matching yara strings.

yara rule.yara malware.exe -s
yara rule.yara [Directory] -s

For more creation and usage of Yara, refer to PMA Writeup

Use Snort to test a created Snort rule over a pcap

snort -A fast --pcap-single=./pcap.pcap -c ./strrat.rules -l /var/log/snort

Kill malicious process

wmic process where name="malware.exe" call terminate
wmic process where processid=[PID] delete
taskkill /IM malware.exe
taskkill /PID [PID] /T

Note: Call terminate allows you to specify an exit status in terms of a signed integer or a quoted negative value. Both methods essentially function the same by calling TerminateProcess.

Dump full process memory

(procdump requires systinternals procdump.exe)

procdump -ma [processID]

Live Triage of Memory

Shout-out to Matt Graeber, Jared Atkinson and Joe Desimone for the awesome work that has gone into these scripts. Note: Not all tested, appears to work with a standard Meterpreter payload, and by default with Cobalt Strike.

Locate Possible Shellcode within process via Injected Thread

Import-Module .\Get-InjectedThread.ps1

Obtain Possible Shellcode within process as Hex

(Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join ''
(Get-InjectedThread|? {$_.ThreadId -match '{PID}'}|Select -exp Bytes|ForEach-Object ToString X2) -join ''

Obtain Possible Shellcode within process as Hex

(Get-InjectedThread|Select -exp Bytes|ForEach-Object ToString X2) -join '\x'
(Get-InjectedThread|? {$_.ThreadId -match '{PID}'}|Select -exp Bytes|ForEach-Object ToString X2) -join '\x'

Basic Memory Analysis via PowerShellArsenal

import-module .\PowerShellArsenal.psd1
Get-ProcessMemoryInfo -ProcessID {PID}

Locate Possible Shellcode Address Space

Get-ProcessMemoryInfo {PID} | ? {$_.AllocationProtect -eq "PAGE_EXECUTE_READWRITE"}

Find Meterpreter in Process Memory:

Ref: Meterpreter Wiki

Find-ProcessPEs {PID} | ?{$_.ModuleName -eq "metsrv.dll" -OR $_.ModuleName -eq "ext_server_stdapi.dll" -OR $_.ModuleName -like "ext_server_*.dll"} | FL ProcessID,ModuleName,Imports;
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll"} | FL ProcessID,ModuleName,Imports};
$A=$(gps | Select -exp Id);	foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll" | FL ProcessID,ModuleName,Imports};
$A=$(gps | Select -exp Id);	foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "metsrv.dll" -OR $_.ModuleName -eq "ext_server_stdapi.dll" -OR $_.ModuleName -like "ext_server_*.dll"} | FL ProcessID,ModuleName,Imports};

Find Cobalt Strike in Process Memory:

Find-ProcessPEs {PID} | ?{$_.ModuleName -eq "beacon.dll" -OR $_.ModuleName -eq "beacon x64.dll" -OR $_.ModuleName -eq "beacon.x64.dll"} | FL ProcessID,ModuleName,Imports;
$A=$(gps | Select -exp Id); foreach ($process in $A){Find-ProcessPEs $process | ?{$_.ModuleName -eq "beacon.dll"} | FL ProcessID,ModuleName,Imports};

Network connections

(tcpvcon requires sysintenals tcpvcon.exe):

ipconfig /all
netstat –anob
netstat -ano
Tcpvcon -a

Routing table and ARP cache

route print
arp -a

Contents of DNS resolver

(useful for recent web history)

ipconfig /displaydns
Get-DnsClientCache | FT -AutoSize

Currently connected Access Point name (WiFi)

reg query HKLM\system\CurrentControlSet\Services\Dnscache\Parameters\DnsActiveIfs\ /s
netsh wlan show interfaces

Previously connected Access Point names (WiFi)

netsh wlan show profile

Current surrounding Access Point names (WiFi)

netsh wlan show network mode=bssid 

Extended network adapter configuration information

reg query HKLM\system\CurrentControlSet\Services\Tcpip\Parameters\ /s
reg query HKLM\system\CurrentControlSet\Services\Tcpip6\Parameters\ /s

Enable DNS Logging

wevtutil set-log "Microsoft-Windows-DNS-Client/Operational" /enabled:true


$DNSLogs = 'Microsoft-Windows-DNS-Client/Operational'
$DNSContainer = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName

Scan DNS Logs

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3010';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';} | FL TimeCreated,Message

Scan DNS Logs and output unique DNS Queries

$events=Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-DNS-Client/Operational'; Id='3020';};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$query=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryName'} | Select -exp InnerText;
$result=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryResults'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty Query "$query" -PassThru `
| Add-Member NoteProperty QueryResults "$result" -PassThru | Out-Null
$output += $data;
$output = $output | sort Query | unique -AsString;

Hostname to corresponding IPs from list

$listofhostnames = cat Hostnames.txt;
foreach ($hostname in $listofhostnames){
try{[System.Net.Dns]::gethostaddresses("$hostname")|FT $hostname, IPAddressToString}catch

T1074 Data Staging

Note: Examples of some known staging directories, lots of false positives likely.

gci C:\ProgramData\ -recurse -include .* -ea 0 -force | ?{ $_.PSIsContainer }
gci C:\Windows\Temp -recurse -ea 0 -force | ?{ $_.PSIsContainer }
ls C:\ProgramData\tmp\log.log
ls C:\ProgramData\log.log
ls C:\ProgramData\google\
ls C:\ProgramData\Sun\low
ls env:temp\SMB
ls $Recycle.Bin
ls C:\ProgramData\.rnd
ls C:\inetpub\

Latest system activities

(requires Nirsoft’s LastActivityView)

LastActivityView.exe /shtml "LastActivityView.html"

Driver information

wmic sysdriver list brief /format:csv
driverquery /FO list /v
driverquery /si
wmic sysdriver list full

Process and extra information

tasklist /m
tasklist /m /fi "pid eq [PID]"
tasklist /svc
wmic process where processid=[PID] get commandline
tasklist /v

Hosts file and service>port mapping

type %SystemRoot%\System32\drivers\etc\hosts
type %SystemRoot%\System32\drivers\etc\services

Recycle Bin Forensics

  • Named as $I = Metadata of file (Info)
  • Named as $R = The file contents itself (Recovery)
  • Located at %SystemRoot%\..\$Recycle.Bin in win vista and later commonly (C:$Recycle.Bin)
  • Use dir /a via cmd to show recycle bin SID folders and files

DCOM Information + Firewall Rules

wmic dcomapp get /all /format:List
netsh advfirewall firewall show rule dir=in name=all | Select-String -Pattern 'dcom' -Context 2,11

Service Information

(psservice requires sysinternals psservice.exe):

wmic service list full
net start
sc query
wmic loadorder

Stop and disable/delete malicious service

net stop [servicename]
sc config [servicename] start= disabled
sc delete [servicename]

Disable Internet Explorer

More Information: MS Docs

dism /online /Disable-Feature /FeatureName:Internet-Explorer-Optional-amd64

cmd history

doskey /history

Linux Subsystem for Windows 10 may have history in a location such as:


Files greater than a 10mb

FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Temp files greater than 10mb

FOR /R C:\Users\[User]\AppData %i in (*) do @if %~zi gtr 10000000 echo %i %~zi

Locate process handles (e.g. files open by process)

Note: Requires handles/handles64.exe from sysinternals

handle64.exe -p [PID/name] -nobanner
handle64.exe -a -p [PID/name] -nobanner
handle64.exe -a -l -p [PID/name] -nobanner
handle64.exe -a -l -u -p keepass -nobanner

Close process handles (e.g. files open by process)

Note: Requires handles/handles64.exe from sysinternals

handle64.exe -c [hexhandleref] -p [PID] -nobanner
handle64.exe -c [hexhandleref] -y -p [PID] -nobanner

Event logs between a timeframe

This tool is useful for gathering all windows events within a given timeframe: Event Finder2

Check audit policies

auditpol /get /category:*

Set logging on all success/failure events


auditpol /set /category:* /success:enable /failure:enable

Enable logging of process creation

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

Scan process creation logs for ‘appdata’

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4688';}| ? {$_.Message -match 'appdata'}|FL TimeCreated, Message

Parse process creation logs

$ProcessSpawnEvents = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4688';} | ForEach-Object {
	[PSCustomObject] @{
		TimeCreated = $_.TimeCreated
		MachineName = $_.MachineName
		UserSid = $_.Properties[0].Value
		UserName = $_.Properties[1].Value
		UserDomainName = $_.Properties[2].Value
		SubjectLogonId = $_.Properties[3].Value
		ProcessId = $_.Properties[4].Value
		ProcessName = $_.Properties[5].Value
		TokenElevationType = $_.Properties[6].Value
		ParentProcessId = $_.Properties[7].Value
		CommandLine = $_.Properties[8].Value
		TargetUserSid = $_.Properties[9].Value
		TargetUserName = $_.Properties[10].Value
		TargetDomainName = $_.Properties[11].Value
		TargetLogonId = $_.Properties[12].Value
		ParentProcessName = $_.Properties[13].Value
		MandatoryLabel = $_.Properties[14].Value

Check for Windows Security Logging Bypass

Special thanks to Grzegorz Tworek – 0gtweet

reg query HKLM\System\CurrentControlSet\Control\MiniNt

Check group policies

gpresult /Z /SCOPE USER
gpresult /R /SCOPE USER
gpresult /r /z
ls C:\Users\[username]\AppData\Local\GroupPolicy\DataStore
ls C:\Windows\system32\GroupPolicy\DataStore

Obtain mode settings for ports


Event Logs for offline analysis

Event logs can be found: %SystemRoot%\System32\winevt\Logs

wevtutil epl System [Location]\System.evtx
wevtutil epl Security [Location]\Security.evtx
wevtutil epl Application [Location]\Application.evtx
wevtutil epl "Windows PowerShell" [Location]\Powershell.evtx


esentutl.exe /y /vss C:\Windows\System32\winevt\Logs\Security.evtx /d [Location]\Security.evtx

Copy all event logs:

XCOPY C:\Windows\System32\winevt\Logs [Location] /i
XCOPY C:\WINDOWS\system32\LogFiles\ [Location] /i

User Access Logging (UAL) KStrike Parser

Note: More information can be found here. Special thanks to Brimor Labs. SYSTEMNAME\Current.mdb > Current_mdb.txt

mdb Files are found at the below:


More information available on the CrowdStrike Blog – Patrick Bennett

Quickly scan event logs with DeepblueCLI

.\DeepBlue.ps1 .\evtx\psattack-security.evtx | FL

Event Tracing for Windows (ETW).

Event tracing is how a Provider (an application that contains event tracing instrumentation) creates items within the Windows Event Log for a consumer. This is how event logs are generated, and is also a way they can be tampered with. More information on this architecture can be found below.

Event Tracing Architecture

A great post by Matt Graeber goes into some depth on how this works and some common ways of interacting with ETW Traces.

List Running Trace Sessions

logman query -ets

List Providers That a Trace Session is Subscribed to

logman query "EventLog-System" -ets

List all ETW Providers

logman query providers
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\

View providers process is sending events to

logman query providers -pid {PID}

Setup Custom Log Tracing

Special thanks to Spotless for his crash course

Query Providers Available and their keyword values

logman query providers
logman query providers Microsoft-Windows-WinHttp

Note: Take note of wanted values.

Initiate Tracing Session

logman create trace <TRACENAMEHERE> -ets
logman query <TRACENAMEHERE> -ets

Update trace with wanted providers

Note: the mask is the combined values wanted. For example if a keyword was 0x1 and another 0x16 and you wanted both you’d use 0x17.

logman update <TRACENAMEHERE> -p Microsoft-Windows-WinHttp 0x100000000 -ets

Delete Subscription and Providers

logman update trace <TRACENAMEHERE> --p Microsoft-Windows-WinHttp 0x100000000 -ets
logman stop <TRACENAMEHERE> -ets

Event Log/Tracing Tampering Detection

reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v File
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v MaxSize
reg query HKLM\SYSTEM\CurrentControlSet\Services\EventLog\ /s /v Retention
sc.exe query eventlog
gci REGISTRY::HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\ -recurse
reg query HKLM\SYSTEM\CurrentControlSet\control\WMI\AutoLogger\ /s /v enable*

Timeline Windows Event Logs.

An easy way to explore Windows event logs is to dump them into a normalized csv format using EvtxExplorer.


EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\ --csvf AllEvtx.csv

From here you can analyse the CSV using Timeline explorer to view relevant information and group by MAPs.


Super Timeline a host:

This can be done using Plaso (Log2Timeline)

Common IIS logs can often be found in the below locations:

  • %SystemDrive%\inetpub\logs\LogFiles
  • %SystemRoot%\System32\LogFiles\W3SVC1
  • %SystemDrive%\inetpub\logs\LogFiles\W3SVC1
    • Note: replace 1 with the number for your IIS website ID
  • %SystemDrive%\Windows\System32\LogFiles\HTTPERR

Common Apache logs can often be found in the below locations:

  • /var/log
  • /var/log/httpd/access.log
  • /var/log/apache/access.log
  • /var/log/apache2/access.log
  • /var/log/httpd-access.log

Other logs can be found in the below, often using the Event Trace Log (ETL) format:

  • C:\Windows\System32\LogFiles
  • C:\Windows\Panther

ETL format can be parsed using tracerpt which is included in Windows, some examples below.

tracerpt C:\Windows\System32\LogFiles\WMI\Terminal-Services-RPC-Client.etl
tracerpt logfile1.etl logfile2.etl -o logdump.xml -of XML
tracerpt logfile.etl -o logdmp.xml -of XML -lr -summary logdmp.txt -report logrpt.xml
tracerpt logfile1.etl logfile2.etl -o -report
tracerpt logfile.etl counterfile.blg -report logrpt.xml -df schema.xml
tracerpt -rt "NT Kernel Logger" -o logfile.csv -of CSV

Software specific logs are often stored in readable formats at any of the following locations.

%AppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Roaming\[softwarename]\)
%LocalAppData%\[softwarename] (e.g. C:\Users\[username]\AppData\Local\[softwarename]\)
%programfiles%\[softwarename] (e.g. C:\Program Files\[softwarename]\)
%programfiles(x86)%\[softwarename] (e.g. C:\Program Files (x86)\[softwarename]\)

You may also find useful memory crashdumps at the below:


Security log information

Note: Logs and their event codes have changed over time. Most of the references here are for Windows Vista and Server 2008 onwards rather than Windows 2000,XP,Server 2003. More information on them may be added in the future if required.

(psloglist requires psloglist.exe from systinternals):

wevtutil qe security /f:text
eventquery.vbs /L security
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20
wevtutil qe security /f:text | Select-String -Pattern "Event ID: [EventCode]" -Context 2,20 | findstr "Account Name:"
psloglist -s -x security

Note: Some suspicious events – “Event log service was stopped”, “Windows File Protection is not active on this system”, “The MS Telnet Service has started successfully”

  • Security: 4720 (Account created)
  • Security: 4722 (Account enabled)
  • Security: 4724 (Password reset)
  • Security: 4723 (User changed password)
  • Security: 4736 (Account deleted)
  • Security: 4781 (Account renamed)
  • Security: 4738 (User account change)
  • Security: 4688 (A new process has been created)
  • Security: 4732 (Account added to a group)
  • Security: 4733 (Account removed from a group)
  • Security: 1102 (Audit log cleared)
  • Security: 4614 (Security System Extension)
  • Security: 4672 (Special privileges assigned to new logon)
  • Security: 4624 (Account successfully logged on)
  • Security: 4698 (Scheduled Task Creation)
  • Security: 4702 (Scheduled Task Modified)
  • Security: 4699 (Scheduled Task Deleted)
  • Security: 4701 (Scheduled Task Disabled)
  • Security: 4700 (Scheduled Task Enabled)
  • Security: 4697 (Service Installation)
  • Security: 4625 (Account failed to log on)
  • Security: 4776 (The domain controller attempted to validate credentials for an account)
  • Security: 4634 (Account successfully logged off)
  • Security: 4740 (A user account was locked out)
  • Security: 4767 (A user account was unlocked)
  • Security: 4778 (Remote Desktop session reconnected)
  • Security: 4779 (Remote desktop session disconnected)
  • Security: 4625 (A user account failed to log on)
  • Security: 4648 (A logon was attempted using explicit credentials)
  • Security: 4768 (A Kerberos authentication ticket (TGT) was requested)
    • 0x6 (The username doesn’t exist) – Bad username or not yet replicated to DC
    • 0xC (Start time is later than end time – Restricted workstation)
    • 0x12 (Account locked out, disabled, expired, restricted, or revoked etc)
  • Security: 4769 (A Kerberos service ticket was requested)
  • Security: 4770 (A Kerberos service ticket was renewed)
  • Security: 4771 (Kerberos pre-authentication failed)
    • 0x10 – Smart card logon is being attempted and the proper certificate cannot be located.
    • 0x17 – The user’s password has expired.
    • 0x18 – The wrong password was provided.
  • Security: Greater than 4720 Eand less than 4764 (Account/group modifications)

Logon type information

  • Type: 0 (Used only by System account authentications)
  • Type: 2 (Interactive Logon)
    • User is at the keyboard.
  • Type: 3 (Network Authentication/SMB Auth Logon)
    • Auth over the network. Note: RDP can fall under this if Network Level Authentication is enabled.
  • Type: 4 (Batch Logon)
    • More often than not from a Scheduled Task.
  • Type: 5 (Service Logon)
    • More often than not from a Service.
  • Type: 7 (Unlock Logon)
    • User is at the keyboard unlocking it after lunch.
  • Type: 8 (Network Cleartext Logon)
    • Basically Logon Type 3 but creds are in the clear.
  • Type: 9 (New Credentials Logon)
    • More often than not from using ‘RunAs’ with the ‘/netonly’ parameter.
  • Type: 10 (Terminal/RDP Logon Type)
    • Logon via Terminal Services/RDP.
  • Type: 11 (Cached Interactive)
    • Logon when unable to connect to domain (Cached Creds locally).
  • Type: 12 (Cached Remote Interactive)
    • Same as RemoteInteractive. This is used for internal auditing.
  • Type: 13 (Cached Unlock Logon)
    • Same as Unlock Logon except with cached creds.

Special logon information (4672)

Privilege NameDescriptionNotes
SeAssignPrimaryTokenPrivilegeReplace a process-level tokenRequired to assign the primary token of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess.
SeAuditPrivilegeGenerate security auditsWith this privilege, the user can add entries to the security log.
SeBackupPrivilegeBack up files and directoriesRequired to perform backup operations. With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the access control list (ACL) specified for the file. Any access request other than read is still evaluated with the ACL.
SeCreateTokenPrivilegeCreate a token objectAllows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it.
SeDebugPrivilegeDebug programsRequired to debug and adjust the memory of a process owned by another account.With this privilege, the user can attach a debugger to any process or to the kernel. We recommend that SeDebugPrivilege always be granted to Administrators, and only to Administrators. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components.
SeEnableDelegationPrivilegeEnable computer and user accounts to be trusted for delegationWith this privilege, the user can set the Trusted for Delegation setting on a user or computer object.The user or object that is granted this privilege must have write access to the account control flags on the user or computer object.
SeImpersonatePrivilegeImpersonate a client after authenticationWith this privilege, the user can impersonate other accounts.
SeLoadDriverPrivilegeLoad and unload device driversRequired to load or unload a device driver.With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.
SeRestorePrivilegeRestore files and directoriesRequired to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object.
SeSecurityPrivilegeManage auditing and security logRequired to perform a number of security-related functions, such as controlling and viewing audit events in security event log. With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.A user with this privilege can also view and clear the security log.
SeSystemEnvironmentPrivilegeModify firmware environment valuesRequired to modify the nonvolatile RAM of systems that use this type of memory to store configuration information.
SeTakeOwnershipPrivilegeTake ownership of files or other objectsRequired to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
SeTcbPrivilegeAct as part of the operating systemThis privilege identifies its holder as part of the trusted computer base.This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

System log information:

wevtutil qe system /f:text
eventquery.vbs /L system

Note: Some useful events –

  • System: 7030 (Basic Service Operations)
  • System: 7040 (The start type of a service was changed from disabled to auto start)
  • System: 7045 (Service Was Installed)
  • System: 1056 (DHCP Server Oddities)
  • System: 10000 (COM Functionality)
  • System: 20001 (Device Driver Installation)
  • System: 20002 (Remote Access)
  • System: 20003 (Service Installation)

Application log information

Many applications output errors to the Windows Application Event Logs. For example an application crash may generate an event, or an error may generate an event of value. It’s worth looking for events with a source relating to a known vulnerable component that may have been exploited. For example the Australian Cyber Security Centre makes special note in one of their reports for the following event.

  • Event ID: 1309
  • Source: ASP.NET

In particular instances of this event with reference to Telerik.Web.UI.IAsyncUploadConfiguration, one can help to identify successful exploitation of a vulnerable Telerik instance.

Another example is looking at successful MsiInstaller events, given malicious MSI files are all too common. Some examples of viewing these in PowerShell is given below.

Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='MsiInstaller'} | FL
Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='MsiInstaller';Id='1042'} | FL
Get-WinEvent -FilterHashtable @{LogName='Application';ProviderName='MsiInstaller';Id='11707'} | FL

Sysmon log information

When installed and running the event log is located at: “Applications and Services Logs/Microsoft/Windows/Sysmon/Operational”

Note: Sysmon and a list of up to date events can be found here

Note: A WMI consumer is a management application or script that interacts with the WMI infrastructure. Microsoft Docs – WMI Architecture

  • Sysmon: 1 (Process create)
  • Sysmon: 2 (File creation time)
  • Sysmon: 3 (Network connection detected)
  • Sysmon: 4 (Sysmon service state changed)
  • Sysmon: 5 (Process terminated)
  • Sysmon: 6 (Driver loaded)
  • Sysmon: 9 (Image loaded)
  • Sysmon: 10 (Process accessed)
  • Sysmon: 11 (File created)
  • Sysmon: 12 (Registry object added or deleted)
  • Sysmon: 13 (Registry value set)
  • Sysmon: 14 (Registry object renamed)
  • Sysmon: 15 (File stream created)
  • Sysmon: 16 (Sysmon configuration changed)
  • Sysmon: 17 (Named pipe created)
  • Sysmon: 18 (Named pipe connected)
  • Sysmon: 19 (WMI filter)
  • Sysmon: 20 (WMI consumer)
  • Sysmon: 21 (WMI consumer filter)
  • Sysmon: 22 (DNS Query)
  • Sysmon: 23 (File Delete)
  • Sysmon: 24 (Clipboard Changed)
  • Sysmon: 25 (Process Tampering)
  • Sysmon: 26 (File Delete)

Review Sysmon Logs 1-liner (replace ID value as required from above)

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID='1'} | FL TimeCreated, Message

Parse Process Creation Events and Display Data

$events=Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID='1'};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$RuleName=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleName'} | Select -exp InnerText;
$UtcTime=$XML.Event.EventData.Data|?{$_.Name -eq 'UtcTime'} | Select -exp InnerText;
$ProcessGuid=$XML.Event.EventData.Data|?{$_.Name -eq 'ProcessGuid'} | Select -exp InnerText;
$ProcessId=$XML.Event.EventData.Data|?{$_.Name -eq 'ProcessId'} | Select -exp InnerText;
$Image=$XML.Event.EventData.Data|?{$_.Name -eq 'Image'} | Select -exp InnerText;
$FileVersion=$XML.Event.EventData.Data|?{$_.Name -eq 'FileVersion'} | Select -exp InnerText;
$Description=$XML.Event.EventData.Data|?{$_.Name -eq 'Description'} | Select -exp InnerText;
$Product=$XML.Event.EventData.Data|?{$_.Name -eq 'Product'} | Select -exp InnerText;
$Company=$XML.Event.EventData.Data|?{$_.Name -eq 'Company'} | Select -exp InnerText;
$OriginalFileName=$XML.Event.EventData.Data|?{$_.Name -eq 'OriginalFileName'} | Select -exp InnerText;
$CommandLine=$XML.Event.EventData.Data|?{$_.Name -eq 'CommandLine'} | Select -exp InnerText;
$CurrentDirectory=$XML.Event.EventData.Data|?{$_.Name -eq 'CurrentDirectory'} | Select -exp InnerText;
$User=$XML.Event.EventData.Data|?{$_.Name -eq 'User'} | Select -exp InnerText;
$LogonGuid=$XML.Event.EventData.Data|?{$_.Name -eq 'LogonGuid'} | Select -exp InnerText;
$LogonId=$XML.Event.EventData.Data|?{$_.Name -eq 'LogonId'} | Select -exp InnerText;
$TerminalSessionId=$XML.Event.EventData.Data|?{$_.Name -eq 'TerminalSessionId'} | Select -exp InnerText;
$IntegrityLevel=$XML.Event.EventData.Data|?{$_.Name -eq 'IntegrityLevel'} | Select -exp InnerText;
$Hashes=$XML.Event.EventData.Data|?{$_.Name -eq 'Hashes'} | Select -exp InnerText;
$ParentProcessGuid=$XML.Event.EventData.Data|?{$_.Name -eq 'ParentProcessGuid'} | Select -exp InnerText;
$ParentProcessId=$XML.Event.EventData.Data|?{$_.Name -eq 'ParentProcessId'} | Select -exp InnerText;
$ParentImage=$XML.Event.EventData.Data|?{$_.Name -eq 'ParentImage'} | Select -exp InnerText;
$ParentCommandLine=$XML.Event.EventData.Data|?{$_.Name -eq 'ParentCommandLine'} | Select -exp InnerText;
$ParentUser=$XML.Event.EventData.Data|?{$_.Name -eq 'ParentUser'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty RuleName "$RuleName" -PassThru `
| Add-Member NoteProperty UtcTime "$UtcTime" -PassThru `
| Add-Member NoteProperty ProcessGuid "$ProcessGuid" -PassThru `
| Add-Member NoteProperty ProcessId "$ProcessId" -PassThru `
| Add-Member NoteProperty Image "$Image" -PassThru `
| Add-Member NoteProperty FileVersion "$FileVersion" -PassThru `
| Add-Member NoteProperty Description "$Description" -PassThru `
| Add-Member NoteProperty Product "$Product" -PassThru `
| Add-Member NoteProperty Company "$Company" -PassThru `
| Add-Member NoteProperty OriginalFileName "$OriginalFileName" -PassThru `
| Add-Member NoteProperty CommandLine "$CommandLine" -PassThru `
| Add-Member NoteProperty CurrentDirectory "$CurrentDirectory" -PassThru `
| Add-Member NoteProperty User "$User" -PassThru `
| Add-Member NoteProperty LogonGuid "$LogonGuid" -PassThru `
| Add-Member NoteProperty LogonId "$LogonId" -PassThru `
| Add-Member NoteProperty TerminalSessionId "$TerminalSessionId" -PassThru `
| Add-Member NoteProperty IntegrityLevel "$IntegrityLevel" -PassThru `
| Add-Member NoteProperty Hashes "$Hashes" -PassThru `
| Add-Member NoteProperty ParentProcessGuid "$ParentProcessGuid" -PassThru `
| Add-Member NoteProperty ParentProcessId "$ParentProcessId" -PassThru `
| Add-Member NoteProperty ParentImage "$ParentImage" -PassThru `
| Add-Member NoteProperty ParentCommandLine "$ParentCommandLine" -PassThru `
| Add-Member NoteProperty ParentUser "$ParentUser" -PassThru | Out-Null
$output += $data;
$output = $output | sort UtcTime | unique -AsString;

Parse DNS Query Events and Display Data

$events=Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational';ID='22'};
$output = @();
foreach ($Event in $events){
$data = New-Object -TypeName PSObject;
$XML = [xml]$Event.ToXml();
$RuleName=$XML.Event.EventData.Data|?{$_.Name -eq 'RuleName'} | Select -exp InnerText;
$UtcTime=$XML.Event.EventData.Data|?{$_.Name -eq 'UtcTime'} | Select -exp InnerText;
$ProcessGuid=$XML.Event.EventData.Data|?{$_.Name -eq 'ProcessGuid'} | Select -exp InnerText;
$ProcessId=$XML.Event.EventData.Data|?{$_.Name -eq 'ProcessId'} | Select -exp InnerText;
$QueryName=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryName'} | Select -exp InnerText;
$QueryResults=$XML.Event.EventData.Data|?{$_.Name -eq 'QueryResults'} | Select -exp InnerText;
$Image=$XML.Event.EventData.Data|?{$_.Name -eq 'Image'} | Select -exp InnerText;
$User=$XML.Event.EventData.Data|?{$_.Name -eq 'User'} | Select -exp InnerText;
$data `
| Add-Member NoteProperty RuleName "$RuleName" -PassThru `
| Add-Member NoteProperty UtcTime "$UtcTime" -PassThru `
| Add-Member NoteProperty ProcessGuid "$ProcessGuid" -PassThru `
| Add-Member NoteProperty ProcessId "$ProcessId" -PassThru `
| Add-Member NoteProperty QueryName "$QueryName" -PassThru `
| Add-Member NoteProperty QueryResults "$QueryResults" -PassThru `
| Add-Member NoteProperty Image "$Image" -PassThru `
| Add-Member NoteProperty User "$User" -PassThru | Out-Null
$output += $data;
$output = $output | sort UtcTime | unique -AsString;

Active Directory Investigation

Note: Live information can be found using DSQuery or Netdom.

dsquery computer
dsquery user
dsquery contact
dsquery domainroot -inactive 4
dsquery group
dsquery ou
dsquery site
dsquery server
dsquery quota
dsquery *
	- dsquery * -limit 999999999
netdom query fsmo
netdom query trust
netdom query pdc
netdom query DC
netdom query server
netdom query workstation
netdom query OU

NT Directory Services Directory Information Tree File (ntds.dit)

Active Directory Database file containing all schema, domain, configuration information (e.g. users, IP, computers, domain trusts etc)

  • %SystemRoot%\NTDS\ntds.dit
  • %SystemRoot%\System32\ntds.dit
    • File created only when promoting certain OS to a DC, and seldom used.


10MB transaction log used to store temporary data before it is sent to the ntds.dit database.

  • %SystemRoot%\NTDS\Edb.log


Additional transaction log files if the main edb.log file gets larger than 10MB without being flushed to ntds.dit.

  • %SystemRoot%\NTDS\edbxxxxx.log


Checkpoint file used to determine how much of the transaction logs have been sent to the ntdis.dit database.

  • %SystemRoot%\NTDS\edb.chk


Reserved log files in case the hard drive fills up, at which point these files will be used (ideally they should never be used).

  • %SystemRoot%\NTDS\res1.log
  • %SystemRoot%\NTDS\res2.log


Temporary file to store information during in progress transactions.

  • %SystemRoot%\NTDS\temp.edb


Initialises the ntds.dit file when the domain controller is created, and is then never used again.

  • %SystemRoot%\NTDS\schema.ini

Investigation of ntds.dit

Obtaining this file can be done using any of the following and also requires the SYSTEM hive to decrypt (note: ntdsutil may not work on older AD servers).

(Output will be under C:\Audit)


ntdsutil "activate instance ntds" ifm "create full C:\Audit" quit quit


vssadmin create shadow /for=C:
mkdir C:\Audit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\ntds\ntds.dit C:\Audit\ntds.dit
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy[Number]\Windows\System32\config\SYSTEM C:\Audit\SYSTEM
vssadmin delete shadows /shadow=[ShadowCopyID]

Other ‘less legitimate’ replication methods can be found detailed on the AD Security Blog by Sean Metcalf

Repair the file if required:

esentutl /p /o C:\Audit\ntds.dit

Analysing this file offline can be done with tactics such as:

Origami-PDF (Malicious PDF Analysis)

Github Download

pdfextract malware.pdf

More Malicious PDF/Doc Analysis malware.pdf malware.pdf malware.pdf --object [number] --filter --raw --dump file.[extension] file.[extension] file.[extension] --select [number] --vbadecompress

Exiftool (Image Analysis)

exiftool malware.jpeg

Dump all thumbnails from a jpg image to a folder

Thanks to Phil Harvey

Note: This may be useful for finding evidence of photo manipulation

exiftool -a -b -W FOLDERNAME/%f_%t%-c.%s -preview:all IMAGENAME.jpg

RDP Cache images

This can be used to display some fragments of images which a user could see when operating on a server using the Windows RDP. The cache files are located: %USERPROFILE%\AppData\Local\Microsoft\Terminal Server Client\Cache\

These can be parsed using BMC-Tools -s ./ -d ./output -s ./ -d ./output -o -b 	

RDP (Terminal Services) Activity

reg query 'HKU\{SID}\Software\Microsoft\Terminal Server Client' /s

RDP (Terminal Services) Configuration

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /s

Check if Terminal Services Enabled

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

Check if one session per user has been modified

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser

Check if port number has been modified

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp" /v PortNumber
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber

Host Firewall information:

netsh firewall show config
advfirewall firewall show rule name=all verbose

Model of motherboard and hardware information:

wmic baseboard get product,manufacturer
wmic desktopmonitor get /all /format:list
wmic baseboard get /all /format:list
wmic bios get /all /format:list
wmic cpu get /all /format:list

Monitoring of open files:

openfiles /local on

Check Bitlocker Encryption

manage-bde -status

OR Powershell:


List open files

(this needs to have been enabled first and the PC rebooted, psfiles requires sysinternals psfile.exe)

openfiles /query

Display proxy information

netsh winhttp show proxy

Disconnect open files based on username:

openfiles /disconnect /a username	

Powershell (some with WMI). Note: Namespace is a group of classes belonging to the same management environment. Most important is the CIMV2 child which is the most common.

Powershell Commands

help get-wmiobject

Service information

Get-WmiObject win32_service | select Name, DisplayName, State, PathName

View Named Pipes

get-childitem \\.\pipe\
dir \\.\pipe\\

Harden System from ISO Phishing

Special Thanks – Mubix

reg add "HKEY_CLASSES_ROOT\Windows.IsoFile\shell\mount" /v ProgrammaticAccessOnly /t REG_SZ
reg add "HKEY_CLASSES_ROOT\Windows.VhdFile\shell\mount" /v ProgrammaticAccessOnly /t REG_SZ

Harden System from Lateral Movement/privesc

Note: These may inadvertently break communication of devices and should be tested. It may also require a restart.

Disable remote interaction with services

reg add "HKLM\SYSTEM\CurrentControlSet\Control" /v DisableRemoteScmEndpoints /t REG_DWORD /d 1 /f

Disable remote interaction with scheduled tasks

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule" /v DisableRpcOverTcp /t REG_DWORD /d 1 /f

Disable RDP access

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f 

Disable DCOM

reg add "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM /t REG_SZ /d N /f

Disable Admin Shares

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareWks" /t REG_DWORD /d 0 /f 
reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "AutoShareServer" /t REG_DWORD /d 0 /f

Disable Printer Spooler Service (PrintNightmare RCE & LPE Mitigation)

Note: Flow chart kindly provided by Benjamin Delpy

Stop-Service -Name Spooler -Force
Set-Service -Name Spooler -StartupType Disabled
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v Start /t REG_DWORD /d 4 /f

Prevent SYSTEM from writing new print DLL (PrintNightmare RCE & LPE Mitigation)

Special thanks to truesec

$Path = "C:\Windows\System32\spool\drivers"
$Acl = (Get-Item $Path).GetAccessControl('Access')
$Ar = New-Object  System.Security.AccessControl.FileSystemAccessRule("System", "Modify", "ContainerInherit, ObjectInherit", "None", "Deny")
Set-Acl $Path $Acl

Disable Remote Printing (PrintNightmare RCE mitigation)

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers" /v RegisterSpoolerRemoteRpcEndPoint /t REG_DWORD /d 2 /f

Enable Warning on PointAndPrint and UAC (PrintNightmare LPE mitigation)

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnInstall /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint" /v NoWarningNoElevationOnUpdate /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f

Deny vulnerable Netlogon connections (Prevent ZeroLogon CVE-2020-1472)

Note: This should be run on a DC or relevant policy applied. It requires the August 11, 2020 update. Full mitigation advice can be found here

reg add "HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters" /v FullSecureChannelProtection /t REG_DWORD /d 1 /f

It should be noted the following System events relate to this and should be reviewed:

  • Event IDs 5827 and 5828 in the System event log, if ZeroLogon connections are denied.
  • Event IDs 5830 and 5831 in the System event log, if ZeroLogon connections are allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Event ID 5829 in the System event log, if ZeroLogon vulnerable Netlogon secure channel connection is allowed.

Rename mshtml.dll (CVE-2021-40444 Mitigation)

Note: This will render any application which leverages mshtml.dll for rendering HTML content unable to do so (including mshta.exe – yay). At this stage the MSHTML (Trident) engine should not be leveraged by many applications and Microsoft recommends future app development not use the MSHTML (Trident) engine. Some examples of what do use it include .chm files and software mentioned here

  • Run cmd.exe as Administrator.takeown /F mshtml.dll icacls mshtml.dll /grant administrators:F move mshtml.dll mshtml2.dll cd ../SysWOW64 takeown /F mshtml.dll icacls mshtml.dll /grant administrators:F move mshtml.dll mshtml2.dll

Delete ms-msdt association (CVE-2022-30190/Follina Mitigation)


reg delete HKEY_CLASSES_ROOT\ms-msdt /f

Stop Server Responsible for Inter-process Communication Calls

net stop server

Delete Admin Shares

Note: This may break some application communication and admin functionality. It may also be temporary as Windows has been known to recreate them. Always test.

  • C$ = Default share on systems ‘C’ drive.
  • IPC$ = Default Inter-process communication share (used by named pipes)
  • ADMIN$ = Default share for remote administration (used by PsExec)net share C$ /delete net share IPC$ /delete net share ADMIN$ /delete

Disable Anonymous Access to Named Pipes

reg add "HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters" /v "RestrictNullSessAccess" /t "REG_DWORD" /d 1 /f

Notes on named pipes:

  • Named pipes are used for communication between processes, this includes a process from a remote system.
  • A named pipe can be created by anyone.
  • By enabling ‘RestrictNullSessAccess’ you stop anonymous network logons from accessing named pipes on your system.
  • If a process has the ‘SeImpersonatePrivilege’ (or equivalent) privilege assigned and creates a named pipe, it may be able to impersonate the user context of anyone who connects to its named pipe if it then acts as the named pipe server.
    • The client of a named pipe, RPC, or DDE connection can control the impersonation level that the server of the named pipe can impersonate, ref: Microsoft
      • This doesn’t apply if the connection is remote, in that instance the permissions are set by the server.
  • Any service running through the Service Control Manager (SCM), or Component Object Model (COM) specified to run under a certain account, automatically has impersonate privileges.
  • When creating a child process using ‘CreateProcessWithToken’ the secondary logon service ‘seclogon’ needs to be running or else this will fail.
Impersonation levelDescription
SecurityAnonymousThe server cannot impersonate or identify the client.
SecurityIdentificationThe server can get the identity and privileges of the client, but cannot impersonate the client.
SecurityImpersonationThe server can impersonate the client’s security context on the local system.
SecurityDelegationThe server can impersonate the client’s security context on remote systems.

Disable OLE objects in

Set-ItemProperty HKCU:\Software\Microsoft\Office\*\*\Security -Name PackagerPrompt -Type DWORD -Value 2
Set-ItemProperty REGISTRY::HKU\*\Software\Microsoft\Office\*\*\Security -Name PackagerPrompt -Type DWORD -Value 2

Process WMI objects

get-wmiobject -list | where {$ -like "*process*"}

Process information

Get-WmiObject win32_process|select processname,ProcessId,CommandLine
Get-WmiObject win32_process -Filter "name like '%powershell.exe'" | select processId,commandline|FL

Baseline processes and services

(Used to compare new process/services)

Get-Process | Export-Clixml -Path C:\Users\User\Desktop\process.xml
Get-Service | Export-Clixml -Path C:\Users\User\Desktop\service.xml
$edproc = Import-Clixml -Path C:\Users\User\Desktop\process.xml
$edproc1 = Import-Clixml -Path C:\Users\User\Desktop\process1.xml
$edservice = Import-Clixml -Path C:\Users\User\Desktop\service.xml
$edservice1 = Import-Clixml -Path C:\Users\User\Desktop\service1.xml
Compare-Object $edproc $edproc1 -Property processname
Compare-Object $edservice $edservice1 -Property servicename

View and interact with shadow copies (MUST BE RUN FROM ELEVATED CMD.exe)

vssadmin list shadows | findstr "VolumeShadowCopy"
mklink /d shadow \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\
dir shadow
rmdir shadow

With a linked shadow copy we can copy pagefile.sys using the below.

mkdir C:\Audit
robocopy shadow C:\Audit pagefile.sys
attrib -s -h C:\Audit\pagefile.sys

Create Shadow Copy for C: drive

vssadmin create shadow /for=C:

Other Shadow Copy Techniques

In Windows 7 or certain other OS you may not have access to use ‘vssadmin create’. As such some trickery may be required. In Windows 7 we can create a scheduled task (to execute with System privileges) and use it to create a Shadow Copy with Microsoft DLLs, this simulates the activity of creating a ‘System Restore Point’. This can also be done with psexec if you wish to install the psexec service.

schtasks /ru "SYSTEM" /Create /SC DAILY /ST "00:00" /TN "\Microsoft\Windows\SystemRestore\SR" /TR "%windir%\system32\rundll32.exe /d srrstr.dll,ExecuteScheduledSPPCreation" /f
schtasks /run /TN \Microsoft\Windows\SystemRestore\SR
vssadmin list shadows

If you want to remove the scheduled task so it doesn’t run daily, use:

schtasks /delete /TN \Microsoft\Windows\SystemRestore\SR /f

You can also back it up using wbadmin, but it’s a bit more intricate. The below example should backup C drive to E drive.

wbadmin start backup -backupTarget:E: -include:c:

TCP Connections

Get-NetTCPConnection –State Established

List of IPV4 addresses who have connected (RDP)

Get-WinEvent -Log 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | select -exp Properties | where {$_.Value -like '*.*.*.*' } | sort Value -u 

Powershell logs

Get-WinEvent -LogName "Windows Powershell"

Event logs available

Get-EventLog -list
Get-WinEvent -Listlog * | Select RecordCount,LogName 
Get-WinEvent -Listlog *operational | Select RecordCount,LogName
wmic nteventlog list brief

Event Logs per Application Source

Get-EventLog Application | Select -Unique Source
Get-WinEvent -FilterHashtable @{LogName='Application';} -ea 0 | Select -exp ProviderName | sort | unique
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Outlook'}
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='MsiInstaller'}
Get-WinEvent -FilterHashtable @{ LogName='OAlerts';} | FL TimeCreated, Message

Event Logs per Severity Source

Critical Logs

Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='1';}

Error Logs

Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='2';}

Warning Logs

Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='3';}

Information Logs

Get-WinEvent -FilterHashtable @{ LogName='Application'; Level='4';}

Live Event Log Filtering

$Before = Get-Date 01/07/19;
$After = Get-Date 31/05/19;

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data=''} | Select -ExpandProperty Message

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data=''} | Select TimeCreated,Message | Select-String -Pattern "0x621EFDC", "0x825225F"

Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; EndTime=$Before; Id='4624'; Data=''} | Select -ExpandProperty Message > [location]\log.txt;
cat [location]\log.txt | Select-String -Pattern "Subject:", "New Logon:", "Process information","Network Information:" -Context 0,4;

Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-SmbClient/Connectivity';} | Select Timecreated,LogName,Message | where {$_.message -like "*Failed to establish a network connection*"} |FL

Get-WinEvent -FilterHashtable @{ LogName='*SMB*'; Data="[IP/HostName]"} | Select Timecreated,LogName,Message |FL

Get-WinEvent -FilterHashtable @{ LogName='*SMB*';} | Select Timecreated,LogName,Message | where {$_.message -like "*[IP/Hostname]*"} |FL

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | where {$_.message -match '0x1F260F3E' } | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | where {$_.TimeCreated.ToString() -match ('28/10/2019')}|FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='2'} | where {$_.TimeCreated.ToString() -match ('28/10/2019 11:22')}
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data=''} | where {$_.TimeCreated.ToString() -match ('28/10/2019') -and $_.Message -match 'user' } | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='NTLM';} -MaxEvents 6 | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data=''} | where {$_.TimeCreated -ge (get-date).addDays(-3) -and $_.TimeCreated.ToString() -match ('11:04') -and $_.Message -match 'user' } | FL TimeCreated,Message

Find Authenticating user/asset for remote service creation (lateral movement)

$After = (get-date).addDays(-3);
$Time = Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | ? {$_.Message -match "MALWARE.exe"} | Select -exp TimeCreated;
foreach ($Event in $Time){
	Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=$After; Id='4624';} | ? {$_.TimeCreated -ge $Event.AddSeconds(-2) -AND $_.TimeCreated -le $Event.AddSeconds(+2)} | FL TimeCreated,Message;

Locate possible Kerberoast/Kerberos based attacks

Note: When looking at kerberos listing, RC4-HMAC encryption is generally anomalous and may be indicative of kerberoasting.

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769'; Data='0x17'} | FL TimeCreated, Message
reg query "HKLM\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters" /v "allowtgtsessionkey"

Extract useful fields from Legacy Logs

$A=Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data=''} | where {$_.TimeCreated -ge (get-date).addDays(-3) -and $_.Message -match 'INSERT DESIRED INFO HERE' };
ForEach ($Event in $A){$Event.TimeCreated;$Event.Message|findstr /i /C:"Logon Type:";$Event.Message|findstr /i /C:"Security ID:";$Event.Message|findstr /i /C:"Account Name:";$Event.Message|findstr /i /C:"Account Domain:";$Event.Message|findstr /i /C:"Process ID:";$Event.Message|findstr /i /C:"Process Name:";$Event.Message|findstr /i /C:"Workstation Name:";$Event.Message|findstr /i /C:"Source Network Address:";$Event.Message|findstr /i /C:"Source Port:";echo "`n";};

Note: You can modify the second string to carve out wanted information, some examples below.

Find User Authenticating

ForEach ($Event in $A){$Event.TimeCreated;$Event.Message|findstr /i /C:"Account Name:";$Event.Message|findstr /i /C:"Account Domain:";echo "`n";};

Find IP/Port Authenticating

ForEach ($Event in $A){$Event.TimeCreated;$Event.Message|(findstr /i /C:"Source Network Address:";$Event.Message|findstr /i /C:"Source Port:";)|findstr -v "-";echo "`n";};

** Note: In the following section filter based on time for reduction of noise Get-Date.

e.g. get something like the below and add them to the FilterHashTable: StartTime=$After; EndTime=$Before;

$Date = (Get-Date).AddDays(-2)
$Before = Get-Date 01/07/19;
$After = Get-Date 31/05/19;

Remote Desktop Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='10'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4778';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4779';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id='98';} | FL Message,ProcessId,TimeCreated
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id='131';} | FL Message,ProcessId,TimeCreated
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='21';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='22';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='25';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'; Id='41';} | FL TimeCreated,Message
ls C:\Windows\Prefetch\rdpclip.exe*.pf
ls C:\Windows\Prefetch\tstheme.exe*.pf

Map Network Shares Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4776';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4768';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4769';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\C$'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5145';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140';} | FL TimeCreated,Message

PsExec Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='2'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='5140'; Data='\\*\ADMIN$'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045'; Data='PSEXESVC'} | FL TimeCreated,Message
reg query HKLM\SYSTEM\CurrentControlSet\Services\PSEXESVC
reg query HKLM\SYSTEM\CurrentControlSet\Services\
ls C:\Windows\Prefetch\psexesvc.exe*.pf

Scheduled Tasks Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4698';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4702';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4699';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4700';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4701';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='106';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='140';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='141';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='200';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Maintenance'; Id='201';} | FL TimeCreated,Message
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s /v Actions
Get-ChildItem -path 'registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\' | Get-ItemProperty | FL Path, Actions
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
gci -path C:\Windows\System32\Tasks\ -recurse -File

Services Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4697';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7034';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7035';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7036';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7040';} | FL TimeCreated,Message 
Get-WinEvent -FilterHashtable @{ LogName='System'; Id='7045';} | FL TimeCreated,Message
reg query 'HKLM\SYSTEM\CurrentControlSet\Services\'

WMI/WMIC Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5857';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5860';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WMI-Activity/Operational'; Id='5861';} | FL TimeCreated,Message
ls C:\Windows\Prefetch\wmiprvse.exe*.pf
ls C:\Windows\Prefetch\mofcomp.exe*.pf

PowerShell Lateral Movement Detection (Destinations)

Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4624'; Data='3'} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id='4672';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4103';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='4104';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-PowerShell/Operational'; Id='53504';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='400';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Id='403';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='91';} | FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-WinRM/Operational'; Id='168';} | FL TimeCreated,Message
ls C:\Windows\Prefetch\wsmprovhost.exe*.pf

Extra Information

** Program Compatibility Assistant (PCA) (Windows 11 Pro 22H2 and later) – C:\Windows\appcompat\pca\PcaAppLaunchDic.txt – C:\Windows\appcompat\pca\PcaGeneralDb0.txt – C:\Windows\appcompat\pca\PcaGeneralDb1.txt

Note: Special thanks to Andrew Rathburn, and Lucas Gonzalez who publicised this, and ‘rancio#4162’ who first discovered and raised the question on it.


  • C:\Windows\AppCompat\Programs\Amcache.hve
    • Amcache.hve\Root\File{Volume GUID}#######


  • C:\Windows\System32\config\SYSTEM
    • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

*Prefetch – ls C:\Windows\Prefetch\

** Connected Devices Platform (Timelining)

gci C:\Users\*\AppData\Local\ConnectedDevicesPlatform -recurse

User accounts and logon information

Get-WmiObject Win32_UserProfile

Share information

Get-WmiObject Win32_Share
net share
wmic share list brief
wmic netuse get Caption, DisplayType, LocalName, Name, ProviderName, Status

List Alternate Data Streams in current Dir and view them

gi * -s *

List Alternate Data Streams in text files within AppData

Get-ChildItem -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue|gi -s *|Select Stream -ea SilentlyContinue| Where-Object {$_.Stream -ine ":`$DATA"}

Use Alternate Data Streams to find download location

get-item * -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
get-item C:\Users\Username\Downloads\* -stream *|Where-Object {$_.Stream -ine ":`$DATA"}|cat
$a=(gci -rec -path C:\users\user\downloads -ea 0 | gi -s Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
$a=(get-item * -stream Zone.Identifier -ea 0 | ? {$_.Length -ge '27'});foreach ($b in $a){$b.FileName;$b|cat}
gci -Recurse -Path $env:APPDATA\..\ -include *.txt -ea SilentlyContinue |gi -s *| Where-Object {$_.Stream -ine ":`$DATA"}|cat

General Notes

Under %SystemRoot%\System32\config the below registry hives are some of the most important to obtain. Additionally taking these files from within the RegBack directory also assists in comprehensive analysis should any anti-forensics activities have modified these registries.

  • SAM

Under \Users\name there is also a NTUSER.DAT file which becomes HKEY_CURRENT_USER into the Registry when a user logs on, and this is very important to obtain. There’s also a UsrClass.dat file which can be found: %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat

Gather artifacts


Powershell execution log

  • Located at: C:\Users[name]\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline

Analyse document for macros

Using olevba

olevba [Document]

Capture powershell memdump and analyse

Using Procdump from sysinternals:

procdump -ma [PowershellPID]

Using powerdump

ld powershell.exe_mem_dump

Recent execution of programs

  • Prefetch Located at : %SystemRoot%\Prefetch\
  • RecentFileCache.bcf Located at : %SystemRoot%\AppCompat\Programs\
  • Amcache.hve (reg hive) Located at : %SystemRoot%\AppCompat\Programs\
  • Program Compatibility Assistant (PCA) (Windows 11 Pro 22H2 and later) Located at:
    • %SystemRoot%\appcompat\pca\PcaAppLaunchDic.txt
    • %SystemRoot%\appcompat\pca\PcaGeneralDb0.txt
    • %SystemRoot%\appcompat\pca\PcaGeneralDb1.txt

Or query a lot of run programs from program compatibility assistant:

Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store"
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

Programs specifically set to run as admin

reg query "HKU\{SID}\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s /f RUNASADMIN
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers" /s /f RUNASADMIN

Windows Indexing Service


Programs Accessing Windows Features such as Webcam and Microphone

Special thanks to Zack (svch0st) for his Medium Post

All Windows Features Including Start and Stop Timestamps

$a=$(gci REGISTRY::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ -recurse | FT -AutoSize | Out-String);$a.replace("#","\")
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\ /s /f LastUsed

Programs Using Webcam

$a=$(gci REGISTRY::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam -recurse | Select PSChildName | Out-String);$a.replace("#","\")

Programs Using Microphone

$a=$(gci REGISTRY::HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone -recurse | Select PSChildName | Out-String);$a.replace("#","\")

USN Journal (any changes to NTFS volume)

fsutil usn readjournal C: > USN.txt
  • LNK Files Located at:C:\Users*\AppData\Roaming\Microsoft\Windows\Recent

Using LECmd to parse Link metadata.

LECmd.exe -f {fileDirectory}\filename.lnk

Of interest is information such as:

  • MachineID (NetBIOS name)
  • MAC Address
  • MAC Vendor
  • Timestamps
  • Volume Droid
  • Volume Droid Birth
  • File Droid
  • File Droid Birth

File format specification

Jump Lists Analysis

  • Jump List Files Located at:C:\Users*\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

A rough PowerShell 1-liner to gather information on previous opened directories and files is below.

$Files=$(cat C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*Destinations\*.*Destinations-ms);$Files.Split("``")|Select-String "Storage" | findstr -v "1SPSU"|findstr -v "?"

SRUM Analysis

  • System Resource Usage Monitor Located at: %systemroot%\System32\sru\SRUDB.dat

Great tool to parse to csv: SRUM-Dump

Background Activity Moderator (BAM/DAM)

reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings" /s
reg query "HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings" /s
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings" /s /v *.exe
reg query "HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings" /s /v *.exe

Windows 10 Mail App Forensics

%LocalAppData%\Comms\Unistore\data\0 - Windows phone data
%LocalAppData%\Comms\Unistore\data\2 - Contact lists
%LocalAppData%\Comms\Unistore\data\3 - Contents/body of email
%LocalAppData%\Comms\Unistore\data\5 - Calendar invitations
%LocalAppData%\Comms\Unistore\data\7 - Email attachments

Capture packets with netsh

Note: You will need to use something like etl2pcapng to convert these captures to a cap file for analysis with Wireshark Download

netsh trace start persistent=yes capture=yes tracefile=c:\temp\packetcapture.etl
netsh trace stop

Capture Packets with PowerShell

New-NetEventSession -Name "Capture" -CaptureMode SaveToFile -LocalFilePath "c:\temp\packetcapture.etl"
Add-NetEventProvider -Name "Microsoft-Windows-TCPIP" -SessionName "Capture"
Add-NetEventPacketCaptureProvider -SessionName "Capture"
Start-NetEventSession -Name "Capture"

Stop Capturing Packets with PowerShell

Stop-NetEventSession -Name Capture

Convert ETL File to PCAP

etl2pcapng.exe c:\temp\packetcapture.etl c:\temp\packetcapture.pcapng

NTUSER.DAT Important Registry entries:

Recent execution of programs (GUI)


  • \RecentDocs (Notes recent files run, most commonly .lnk files)
  • \UserAssist (Notes files run and number of times run. Values are ROT13 encoded),
    • CEBFF5CD is Executable File Execution
    • F4E57C4B is Shortcut File Execution
  • \TypedPaths (Notes file locations visited using Windows Explorer address bar)
  • \RunMRU (Notes recent commands executed through the ‘run’ program)
  • \ComDlg32 (Last file path visited)
    • \LastVisitedPidlMRU (Last PID which was ‘Most Recently Used’, e.g. the binaries used to open a file)
    • \OpenSavePidlMRU (Last Saved PID file which was ‘Most Recently Used’, location of a file opened by a binary)
  • \WordWheelQuery (Keywords searched for from the START menu bar)
  • \FeatureUsage\AppBadgeUpdated (Every Time Task Bar Application Gets Notification and Badge Updates)
  • \FeatureUsage\AppLaunch (Every Time Task Bar Application Which is Pinned is Launched)
  • \FeatureUsage\AppSwitched (Every Time Task Bar Application Left Clicked)
  • \FeatureUsage\ShowJumpView (Every Time Task Bar Application Right Clicked)
  • \FeatureUsage\TrayButtonClicked (Every Time Relevant Button on Task Bar is Clicked)

You can get the names of recently run files from UserAssist by using ROT13 across them, we can do this quickly in Powershell by using a script from BornToBeRoot and some scriptfu:


$A=$(gci REGISTRY::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count | Select -exp Property);foreach ($B in $A){.\Convert-ROT13.ps1 -Rot 13 $B|Select -exp Text}

Or for those who don’t want to run it over every entry individually.

$A=$(gci REGISTRY::HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*\Count | Select -exp Property)|Out-String;.\Convert-ROT13.ps1 -Rot 13 $A|Select -exp Text

Recent Apps/Last Visited MRU

Note: OpenSavePidlMRU is in hex and will need to be decoded

reg query "HKCU\Software\Microsoft\Windows\Current Version\Search\RecentApps"
reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU" /s

Execution of Sysinternals Tool

reg query HKCU\Software\Sysinternals\ /s /v EulaAccepted
reg query HKU\SID\Software\Sysinternals\ /s /v EulaAccepted

Recent Internet Explorer History

reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
C:\Users\username\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low
C:\Users\username\AppData\Local\Microsoft\Windows\WebCache\Internet Explorer\WebCacheV01.dat

IE Cache Viewer Browser History Viewer ESE Database View Browsing History View

esentutl.exe /y /vss C:\Users\Username\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat /d C:\Location\WebCacheV01.dat

Google Chrome Service Workers

“A service worker is a script that your browser runs in the background, separate from a web page, opening the door to features that don’t need a web page or user interaction.” – Service Worker Reference

Service Workers control popups and push notifications received from websites. As this can be used to trick users into taking actions such as opening pages with redirects, installing malware and more these have been included and can be found at the below:

In Browser: chrome://serviceworker-internals/
C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache
C:\Users\[username]\AppData\Local\Google\Chrome\User Data\Default\Preferences

Recent Chrome History

'C:\Users\Username\AppData\Local\Google\Chrome\User Data\Default\history'

Recent Firefox History

More Information


Recent Edge History


Check Root Certificate Store

reg query HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
reg query HKCU\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
reg query HKU\{SID}\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\
reg query HKLM\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\
reg query HKCU\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\
reg query HKU\{SID}\Software\Policies\Microsoft\SystemCertificates\Root\Certificates\

Thumbnail Cache


Files located at: C:\Users\Username\AppData\Local\Microsoft\Windows\Explorer


Shellbags can be used to verify the previous existance of files which have been deleted. This is used by the OS to store information about a file location’s customisation e.g. look, feel, size, sorting files method, colour etc and resides after files have been deleted. Shellbags Explorer or ShellBagsView can be used to parse this information.


  • \BagMRU
  • \Bags

BagsMRU contains the database of folders and their saved settings by windows.

UsrClass.dat Shellbags

Additional shellbags files can be found in UsrClass.dat


  • %USERPROFILE%\AppData\Local\Microsoft\Windows\UsrClass.dat

SOFTWARE Hive Registry Entries

Common startup locations

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceEx

Network Information

  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList
    • \Signatures
      • \Unmanaged
        • (record DefaultGatewayMac, DnsSuffix, FirstNetwork(SSID), ProfileGUID)
      • \Managed
    • \Nla\Cache
    • Profiles
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\HomeGroup
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles{GUID}
    • 0x06 = Wired
    • 0x17 = Broadband
    • 0x47 = Wireless

Gather information via Live Queries:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles" /s

Gather WiFi Passwords

netsh wlan show profile
netsh wlan show profile name={NAME} key=clear
netsh wlan export profile interface=* key=clear
ls C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\*\* | cat

Networks connected\disconnected to\from and mac address

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NetworkProfile/Operational'; Id='10000';}|FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-NetworkProfile/Operational'; Id='10001';}|FL TimeCreated,Message
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DHCP*'; Id='50067';}|FL TimeCreated,Message
Get-WmiObject win32_networkadapterconfiguration | FL description, macaddress

Get host Mac Addresses


Lookup MAC Address/Organizationally Unique Identifier (OUI)

A number of ways to do this but one of the most accurate is from the IEEE Webpage. You can interact directly with their REST API to get the results you want in JSON format. To do so via PowerShell, just change the ‘text’ top the first 3 digits of the MAC Address (The OUI):

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri "" | Select -exp content;

Useful Wireshark filters

All traffic to or from an IP

 ip.addr == {IP}

All TCP traffic on a port

tcp.port == {port}

All traffic from an IP

ip.src == {IP}

All traffic to an IP

ip.dst == {IP}

HTTP or DNS Traffic

http || dns

Client>DC traffic filtering noise

smb || nbns || dcerpc || nbss || dns

TCP issues (flags)


TCP protocol flags (present)

tcp.flags.syn == 1
tcp.flags.ack == 1

Encrypted Traffic

(ssh || tls)

Follow TCP Stream == {StreamNum}

TCP packets for string

tcp contains {String}

HTTP codes

http.response.code == 400
http.response.code == 200
http.response.code == 404
http.response.code == 500

User agent, without/with case sensitivity

http.user_agent matches "firefox"
http.user_agent matches "(?-i)firefox"

Addresses on subnet by IP/Hostname

ip.addr ==
ip.addr eq hostname/24

TLS Handshakes (Show’s certificate information)

tls.handshake.type == 11

Filter based on server type

http.server == "Apache"

Wireshark Key Tips and Tricks by Brad Duncan

Decrypting Encrypted Packets

This can be done in a few ways:

Man-in-the-middle (MITM)

Using the (Pre)-Master-Secret SSLKEYLOGFILE Using an RSA Private Key

tshark -nr pcapfile -o ssl.keylog_file:./random.keylog -T fields -e http2.headers.cookie

Using tshark to analyse pcaps

Note: The above filters can be used with the below techniques by specifying ‘-Y’ and using a capture filter, or ‘-R’ and using a read/display filter (only use if doing multiple passes of file). Different outputs are specified using ‘-T’.

Merging multiple pcap files

Note: mergecap

mergecap /<directory>/*.pcap -w /<directory>/capture.pcap

List Unique IP Sources in Pcap

tshark -T fields -r 'capture.pcap' -e ip.src | sort -u

List Unique IP Sources and Destination for HTTP traffic

tshark -T fields -r 'capture.pcap' -e ip.src -e ip.dst -Y "http" | sort -u

Live DNS Request and Responses on WiFi

tshark -i wlan0 -T fields -f "src port 53" -n -e -e dns.resp.addr	

Extract All Objects/Files from Supported Protocols

Note: This will create a folder called ‘exported’ and put the results in there

tshark -r 'capture.pcap' --export-objects http,exported
tshark -r 'capture.pcap' --export-objects dicom,exported
tshark -r 'capture.pcap' --export-objects imf,exported
tshark -r 'capture.pcap' --export-objects smb,exported
tshark -r 'capture.pcap' --export-objects tftp,exported

List URIs Accessed

tshark -T fields -r capture.pcap -e -e ip.dst -e http.request.full_uri -Y "http.request"

Get HTTP POST Requests and Output to JSON

tshark -T json -r capture.pcap -Y "http.request.method == POST"

Export objects

tshark -r capture.pcap --export-objects http,<folderName>
tshark -r capture.pcap --export-objects dicom,<folderName>
tshark -r capture.pcap --export-objects tftp,<folderName>
tshark -r capture.pcap --export-objects imf,<folderName>
tshark -r capture.pcap --export-objects smb,<folderName>

List POST Request Parameters

tshark -r victim.pcap -Y "ip.src == <IP> && http.request.method == POST" -T fields -e frame.time -e ip.src -e -e http.request.uri -e urlencoded-form.key -e urlencoded-form.value

Using tcpdump to analyse (cut out) pcaps

Packets containing Syn & Ack Flags

tcpdump -r file.pcap "tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn|tcp-ack" -w /targetfile.pcap	

Packets containing only Syn Flag

tcpdump -r file.pcap "tcp[tcpflags] == tcp-syn" -w /targetfile.pcap	

Packets containing only Syn and Ack Flags

tcpdump -r file.pcap "tcp[tcpflags] == tcp-syn|tcp-ack" -w /targetfile.pcap	

SYSTEM Hive Registry Entries

USB Information

USB information is commonly found within the Windows Event Logs from Storage Service and Partition diagnostics on Windows 10 and later:


Example query last USB inserted:

$a=(Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Storsvc/Diagnostic';Id='1001'} -MaxEvents 1);
($a) | select -exp TimeCreated;	($a).Properties | select -exp Value;

Example query USB removed:

$a=(Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Partition/Diagnostic';} -MaxEvents 1);
($a) | select -exp TimeCreated;	($a).Properties | select -exp Value;

Outside of this, the registry has a number of artifacts:

  • HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices Note: Find Serial # and then look for FriendlyName to obtain the Volume Name of the USB device
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
    • Key will ONLY be present if system drive is NOT SSD
    • Traditionally used for ReadyBoost
    • Find Serial # to obtain the Volume Serial Numberof the USB deviceoThe Volume Serial Number will be in decimal – convert to hex
    • You can find complete history of Volume Serial Numbers here, even if the device has been formatted multiple times. The USB device’s Serial # will appear multiple times, each with a different Volume Serial Number generated on each format.
  • HKLM\SYSTEM\MountedDevices
    • Find Serial # to obtain the Drive Letter of the USB device
    • Find Serial # to obtain the Volume GUID of the USB device

Using the VolumeGUID found in SYSTEM\MountedDevices, you can find the user that actually mounted the USB device: NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Mountpoints2 USB Times:

  • First time device is connected
  • Last time device is connected
  • Removal time

Live System HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (Class ID/Serial Number) HKLM\SYSTEM\CurrentControlSet\Enum\USB (VID/PID) HKLM\SYSTEM\CurrentControlSet\Control\DeviceContainers*

reg query HKLM\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM\ /s /f FriendlyName
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\ /s /f FriendlyName
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USB\ /s /f FriendlyName
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\
reg query HKLM\SYSTEM\CurrentControlSet\Enum\USB\
reg query HKLM\SYSTEM\CurrentControlSet\Enum\SWD\WPDBUSENUM\
reg query HKLM\SYSTEM\CurrentControlSet\Control\DeviceContainers\ /s /f "USB"

Live System pnputil for all devices and interfaces

pnputil /enum-devices
pnputil /enum-interfaces

Forensic Image (Determine Control Set Number from HKLM\SYSTEM\Select\ -> Current Value) HKLM\SYSTEM\ControlSet00x\Enum\USBSTOR (Class ID/Serial Number) HKLM\SYSTEM\ControlSet00x\Enum\USB (VID/PID)

Note: VID/PID information can be found online. Subdirectories under USB and USBSTOR provide unique USB identifiers (if the & is near the end), if it is near the start they do not conform to MS standards and it is unique to the given PC only.

  • HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial#\Properties{GUID}####
    • 0064 = First Install
    • 0066 = Last Connected
    • 0067 = Last Removal

More Information

OS Information

  • HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
  • HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
  • HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Shares
  • HKLM\SYSTEM\CurrentControlSet\FileSystem
    • NtfsDisableLastAccessUpdate set at 0x1 means that access time stamps are turned OFF by default

Network Information

wmic nic get /all /format:list
wmic nicconfig get /all /format:list
  • HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces
    • Display interfaces and their IP address configuration (using interface GUID)

Prefetch Information

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
    • 0=Disabled
    • 1=Application prefetching enabled
    • 3=Application and Boot prefetching enabled (default)

Prefetch Parser

PECmd.exe -d "C:\Windows\Prefetch"
PECmd.exe -d "C:\Windows\Prefetch" --csv "c:\temp" --csvf Prefetch.csv
gci C:\Windows\Prefetch\

analyzePF WinPrefetchView

Superfetch Information

  • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters /v EnableSuperfetch
    • 0=Disabled
    • 1=Booting only
    • 2=Applications
    • 3=Application and Boot

Find relevant files:

gci C:\Windows\Prefetch\ -recurse -include *.db, *.trx

PowerShell Host Based Investigation and Containment Techniques

Note: I thoroughly recommend looking at maintaining an accurate log of all actions taken through the use of PowerShell host based IR and Containment. To do so I recommend reading PowerShell ♥ the Blue Team. This will allow you to log all actions taken through this type of IR Framework. Other alternatives for larger scale response include:


Google Rapid Response

Kansa PowerShell IR Framework

Google Rapid Response comes in the form of a Server > Client architecture but is very flexible.

Kansa is a modular PowerShell IR Framework which can be used across multiple hosts in parallel.

Enable PS Remoting using PsExec

psexec.exe \\TARGET -s powershell Enable-PSRemoting -Force;

OR for public network setup (less security)

psexec.exe \\TARGET -s powershell Enable-PSRemoting -SkipNetworkProfileCheck -Force;

Confirm trusted hosts list if required

Get-Item WSMan:\localhost\Client\TrustedHosts
Set-Item WSMan:\localhost\Client\TrustedHosts -Value 'ASSET1,ASSET2'

Quick Remote Response (no audit/logging)

Enter-PSSession -ComputerName SERVER -Credential [name]

Setup logging for IR

Note: If you enter a PSSession, the logging won’t persist, so you will need to enable it on the remote host and pull the file back afterwards. Otherwise refer to PowerShell ♥ the Blue Team mentioned above.

Start-Transcript -Path "C:\[location]\investigation-1.log" -NoClobber

Thanks Barnaby Skeggs

Establish Remote Session

$s1 = New-PSsession -ComputerName remotehost -SessionOption (New-PSSessionOption -NoMachineProfile) -ErrorAction Stop

Enter or exit remote session

Enter-PSSession -Session $s1

Issuing remote command/shell

Invoke-Command -ScriptBlock {whoami} -Session $s1
Invoke-Command -file file.ps1 -Session $s1

Retrieving/downloading files

Copy-Item -Path "[RemoteHostFilePath]" -Destination "[LocalDestination]" -FromSession $s1

Checking for running processes

Invoke-Command -ScriptBlock {Get-Process} -Session $s1

Query Registry Keys

Invoke-Command -ScriptBlock {Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run} -Session $s1

PCAP collection

*Note: Script and pcap should be located under: C:\Windows\System32 or your user directory.

Invoke-Command -ScriptBlock {ipconfig} -Session $s1

Invoke-Command -ScriptBlock {
$url = ""
Invoke-WebRequest -Uri $url `
	-OutFile "raw-socket-sniffer.ps1"
PowerShell.exe -ExecutionPolicy bypass .\raw-socket-sniffer.ps1 `
	-InterfaceIp "[RemoteIPv4Address]
	-CaptureFile "capture.cap"
	} -Session $s1

Blocking a domain

Invoke-Command -ScriptBlock { Add-Content C:\Windows\System32\drivers\etc\hosts "`n127.0.0.1"} -Session $s1

Blocking an IP

Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName "Block_Malicious_IP" -Direction Outbound –LocalPort Any -Protocol TCP -Action Block -RemoteAddress}  -Session $s1

Unblocking an IP

Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName "Block_Malicious_IP"} -Session $s1

Quarantining a host using Firewall

Invoke-Command -ScriptBlock {New-NetFirewallRule -DisplayName InfoSec_Quarantine -Direction Outbound -Enabled True -LocalPort Any -RemoteAddress Any -Action Block} -Session $s1

Creating an OU to quarantine a host into

import-module ActiveDirectory
New-ADOrganizationalUnit -Name "Quarantined" -Path "DC=CORP,DC=COM"


dsadd ou "ou=Quarantined,dc=CORP,dc=COM"

Moving an AD Object into a quarantine OU

Move-ADObject -Identity "CN=<USERNAME>,OU=Marketing,DC=CORP,DC=com" -TargetPath "OU=Quarantined,DC=CORP,DC=com"

Quarantining a host using DCOM

Note: Another method which is a little more DANGEROUS is to disable DCOM on this host and restart which will stop something using DCOM to spread TO this host. This will likely break some aspects of it communicating on the domain, and also your ability to respond so it’s not recommended, but this is a possible solution for a host which is to be thoroughly contained before being investigated once an asset is returned (for example for re-imaging). This can be reversed by changing this registry key back to Y.

Invoke-Command -ScriptBlock {reg add HKLM\SOFTWARE\Microsoft\Ole /v EnableDCOM /t REG_SZ /d N /f; shutdown /r /f;} -Session $s1

Remove a quarantined host

Invoke-Command -ScriptBlock {Remove-NetFirewallRule -DisplayName InfoSec_Quarantine} -Session $s1

Disable Admin Shares

Invoke-Command -ScriptBlock {Red add "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /V "AutoShareWks" /T "REG_DWORD" /D "0" /F } -Session $s1
Invoke-Command -ScriptBlock {restart-service Lanmanserver -Force} -Session $s1

Credentials and Exposure

When investigating a compromised asset, it’s important to know what remote triage methods leave your credentials on the infected endpoint, and what ones don’t. Reference can be found on Microsoft Documentation

Connection MethodLogon TypeReusable credentials on destinationNotes
Logon via consoleInteractiveYIncludes hardware remote access/network KVM/lights-out cards
RUNAS/NETWORKNewCredentialsYClones LSA session, but uses new creds when connecting to network resources.
Remote DesktopRemoteInteractiveYNil
Remote Desktop FailureRemoteInteractiveNOnly stored briefly
Net Use * \SERVERNetworkNNil
Net Use * \ SERVER /userNetworkNNil
MMC snap-ins to remote computerNetworkNNil
PowerShell WinRMNetworkNe.g. Enter-PSSession SERVER
PowerShell WinRM with CredSSPNetworkClearTextYe.g. New-PSSession SERVER -Authentication Credssp -Credential PWD
PsExec without explicit credsNetworkNe.g. PsExec \SERVER cmd
PsExec with explicit credsNetwork&InteractiveYPsExec \SERVER -u USER -p PWD cmd
Remote RegistryNetworkNNil
Remote Desktop GatewayNetworkNAuthenticating to Remote Desktop Gateway
Scheduled TaskBatchYAlso saved as LSA secret on disk
Tools as ServiceServiceYAlso saved as LSA secret on disk
Vuln ScannersNetworkNMost use Network logons; however, those that don’t have the risk of creds on destination.
IIS “Basic Authentication”NetworkCleartextYNil
IIS “Integrated Windows Authentication”NetworkNNTLM/Kerberos Providers

Cached Credentials

Cached credentials are located within a system’s registry at:


Kerberos Tickets and Exposure

Special thanks to Cert EU for this. When comparing Pass-the-Hash to Pass-the-Ticket attacks, the following key differences apply:

  • Administrative privileges are required to steal credentials, but NOT to use an obtained Kerberos ticket.
  • A password change does NOT make Kerberos tickets invalid. By default Kerberos has a max lifetime of 10hrs before the ticket must be renewed, and a max renewal time of 7 days after being granted.

Due to this disabling accounts may not be enough to prevent ongoing compromise, and you may have to purge the users kerberos ticket. Locate the user in question using ‘sessions’ and purge by specifying the user session prior to logging them off.

klist.exe sessions
klist purge –li 0x2e079217 
query user
logoff <session id>

Windows Memory Forensics

Volatility 2.x Basics

(Note: Depending on what version of volatility you are using and where you may need to substitute volatility with if there’s no alias setup)

Find out what profiles you have available

volatility --info

Find out the originating OS profile to be used from the memory dump.

volatility -f memorydump.mem imageinfo
volatility -f memorydump.mem kdbgscan

Determine what plugins are available for use.

volatility -f memorydump.mem --profile=<profilename> -h

Check what processes were running.

(Note: Any entires for svchost.exe should always have services.exe as a parent process and parameters such as /k should always be present)

volatility -f memorydump.mem --profile=<profilename> pslist
volatility -f memorydump.mem --profile=<profilename> psscan
volatility -f memorydump.mem --profile=<profilename> tree

Check what commands have been run and their output.

volatility -f memorydump.mem --profile=<profilename> cmdscan
volatility -f memorydump.mem --profile=<profilename> consoles

Dump process files which were running from memory.

volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./

Dump the memory associated with a process file.

volatility -f memorydump.mem --profile=<profilename> memdump -p <processid> --dump-dir=./

Dump all cached files from memory.

volatility -f memorydump.mem --profile=<profilename> dumpfiles --dump-dir=./

Check what drivers or kernal modules were unloaded or hidden.

volatility -f memorydump.mem --profile=<profilename> modscan

Check what network connectivity has occurred.

volatility -f memorydump.mem --profile=<profilename> netscan

Check what network connectivity has occurred (Windows XP/Server 2003).

volatility -f memorydump.mem --profile=<profilename> connections
volatility -f memorydump.mem --profile=<profilename> conscan
volatility -f memorydump.mem --profile=<profilename> sockets
volatility -f memorydump.mem --profile=<profilename> sockscan

Check what information exists within registry from memory.

volatility -f memorydump.mem --profile=<profilename> hivelist
volatility -f memorydump.mem --profile=<profilename> hivescan
volatility -f memorydump.mem --profile=<profilename> hivedump --dump-dir=./
volatility -f memorydump.mem --profile=<profilename> userassist
volatility -f memorydump.mem --profile=<profilename> shellbags
volatility -f memorydump.mem --profile=<profilename> shimcache
volatility -f memorydump.mem --profile=<profilename> shimcachemem

Check internet explorer browsing history

volatility -f memorydump.mem --profile=<profilename> iehistory

Check for files in memory dump

volatility -f memorydump.mem --profile=<profilename> filescan

Dump files based on offset

volatility -f memorydump.mem --profile=<profilename> dumpfiles -Q <offsetfromfilescan> --dump-dir=./

Scan memory with Yara Rule

volatility -f memorydump.mem --profile=<profilename> yarascan -y rule.yara

Duplicate image space out as a raw DD file

(e.g. dump files such as hiberfil.sys memory from memory).

volatility -f memorydump.mem --profile=<profilename> imagecopy

Dump timelined artifacts from memory.

volatility -f memorydump.mem --profile=<profilename> timeliner

Detect persistence mechanisms using Winesap

  • Research Paper
  • Volatility Plugin – Winesap volatility -f memdump.mem --profile=[profile] autoruns volatility --plugins=./winesap/plugin -f memdump.mem --profile=[profile] autoruns volatility --plugins=./winesap/plugin -f memdump.mem --profile=[profile] autoruns --match

Compare memory dump to known good memory dump.

  • csababarta pluginsvolatility -f infected.mem –profile= processbl -B clean.mem -U 2>/dev/null volatility -f infected.mem –profile= servicebl -B clean.mem -U 2>/dev/null volatility -f infected.mem –profile= driverbl -B clean.mem -U 2>/dev/null

Output visual .dot file to view process tree

volatility -f memorydump.mem --profile=<profilename> psscan --output=dot
volatility -f memorydump.mem --profile=<profilename> tree --output=dot
dot -Tpng -o pstree.png
dot -Tpng -o psscan.png

Volatility 3.x Basics

Note: Version 3 of Volatility was released in November 2019 which changes the Volatility usage and syntax. More information on V3 of Volatility can be found on ReadTheDocs.

A list of common plugins are:

  • linux.bash.Bash
  • linux.check_afinfo.Check_afinfo
  • linux.check_syscall.Check_syscall
  • linux.elfs.Elfs
  • linux.lsmod.Lsmod
  • linux.lsof.Lsof
  • linux.malfind.Malfind
  • linux.proc.Maps
  • linux.pslist.PsList
  • linux.pstree.PsTree
  • mac.bash.Bash
  • mac.check_syscall.Check_syscall
  • mac.check_sysctl.Check_sysctl
  • mac.check_trap_table.Check_trap_table
  • mac.ifconfig.Ifconfig
  • mac.lsmod.Lsmod
  • mac.lsof.lsof
  • mac.malfind.Malfind
  • mac.netstat.Netstat
  • mac.proc_maps.Maps
  • mac.psaux.Psaux
  • mac.pslist.PsList
  • mac.pstree.PsTree
  • mac.tasks.Tasks
  • mac.timers.Timers
  • mac.trustedbsd.trustedbsd
  • windows.cmdline.CmdLine
  • windows.dlldump.DllDump
  • windows.dlllist.DllList
  • windows.driverirp.DriverIrp
  • windows.driverscan.DriverScan
  • windows.filescan.FileScan
  • windows.handles.Handles
  • windows.malfind.Malfind
  • windows.moddump.ModDump
  • windows.modscan.ModScan
  • windows.modules.Modules
  • windows.mutantscan.MutantScan
  • windows.poolscanner.PoolScanner
  • windows.procdump.ProcDump
  • windows.pslist.PsList
  • windows.psscan.PsScan
  • windows.pstree.PsTree
  • windows.registry.certificates.Certificates
  • windows.registry.hivedump.HiveDump
  • windows.registry.hivelist.HiveList
  • windows.registry.hivescan.HiveScan
  • windows.registry.printkey.PrintKey
  • windows.registry.userassist.UserAssist
  • windows.ssdt.SSDT
  • windows.statistics.Statistics
  • windows.strings.Strings
  • windows.symlinkscan.SymlinkScan
  • windows.vaddump.VadDump
  • windows.vadinfo.VadInfo
  • windows.virtmap.VirtMap
  • timeliner.Timeliner

Check Memory Image Information

/usr/bin/python3.6 -f /home/user/samples/mem.bin

Check List of Kernel Drivers

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.modules.Modules

Check List of Kernel Drivers (incl previously unloaded and hidden)

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.modscan.ModScan

Dump List of Kernel Drivers to Files

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.moddump.ModDump

Dump List of Running Processes to Files

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.procdump.ProcDump

Check Process List of Running Processes

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.pslist.PsList

Check Process Tree of Running Processes

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.pstree.PsTree

Check Running Processes from EPROCESS blocks

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.psscan.PsScan

Check Running Processes for possible shellcode/injection via PAGE_EXECUTE_READWRITE

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.malfind.Malfind

Check processes and their command lines

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.cmdline.CmdLine

Check for files which exist in memory

/usr/bin/python3.6 -f /home/user/samples/mem.bin windows.filescan.FileScan

Miscellaneous Tools and Notes

Eric Zimmerman has excellent widely used libraries and tools

RegRipper -r NTUSER.DAT -f ntuser | less. -r SAM -f sam | less
rip.exe -l
rip.exe -r C:\Users\User\ntuser.dat -p userassist


*Note: Video Tutorial

kape.exe --tsource C --target RegistryHives --tdest "[location]"
kape.exe --tsource \\server\directory --target !ALL --tdest "[location]" --vhdx LOCALHOST


./chainsaw search mimikatz -i evtx_attack_samples/
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
./chainsaw search -e "DC[0-9].insecurebank.local" evtx_attack_samples --json
./chainsaw hunt evtx_attack_samples/ -s sigma_rules/ --mapping mappings/sigma-event-logs-all.yml

ShimCaheParser -h -i SYSTEM --BOM 


AppCompatCacheParser.exe --csv .\ -t


AmcacheParser.exe --csv .\ -f .\Amcache.hve

Windows 10 Timeline Database Parser

WxTCmd.exe -f "C:\Users\[username]\AppData\Local\ConnectedDevicesPlatform\L.[username]\ActivitiesCache.db" --csv .

Bulk Extractor

bulk_extractor64.exe -o [outputdir] memdump.mem


Note: Can be used to determine the Machine Identification Code of a Printer.

Cyber Chef

The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis. Note: This was created by an analyst at the GCHQ which is part of the UKs National Cyber Security Centre. The source is actively maintained on Github


A “sandbox for the web”. One of the most widely used, freely available URL scanners which provides a breakdown of technologies used on a website, safebrowsing score, screenshots, redirects, hosting information and certificates, and much more.

Redirect Tracker

Note: Thanks to Alejandra for sharing this.

Can be used to see any redirects that will likely occur with a description on each response code to help with analysis when accessing a URL e.g. a shortened URL such as bitly links.

Unshorten Me

Can be used to see the end result of a shortened URL that will likely occur along with a screenshot.

MITRE ATT&CK® Framework

Globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.

LOLBAS Project

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.


GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. maps Windows APIs to common techniques used by malware.


Attackers are using popular legitimate domains when conducting phishing, C&C, exfiltration and downloading tools to evade detection. LOTS-Project aims to list websites that allow attackers to use their domain or subdomain.

Repository of file extensions being used by attackers.


Open source agent used to query endpoints in a live response fashion.


Digital forensic and Incident Response tool to enhance visibility on endpoints.


Visual Basic emulation engine used to analyze and deobfuscate malicious VBA macros.

Parse and interpret VBA macros

vmonkey phishing.docm

Faster output

pypy -s phishing.docm

Less verbose output

vmonkey -l warning phishing.docm

XLM Macro Deobfuscator

Parse and interpret hidden XLM Macros (Excel 4.0 Macros)

xlmdeobfuscator --file malware.xlsm

Note: Using a tool such as BiffView we’re able to view BOUNDSHEET records to find hidden sheets. This is indicated by ‘02 01’ hex values at the 5th and 6th offset.

Changing 02 to 00 makes these hidden spreadsheets visible without having to run any macros.

Mounting image files in linux

mkdir /mnt/windows -s <imagefile> /mnt/windows
cd /mnt/windows


mkdir /mnt/windows
sudo apt install libguestfs-tools
sudo virt-list-filesystems <vhdx file>
sudo guestmount -a <vhdx file> -m /dev/<filesystemabove> -r /mnt/windows -o allow_other

Mounting image files in Windows

Unpack binary packed with UPX

upx -d PackedProgram.exe

Scan exchange for phishing emails

Disclaimer: Always test before running against live systems. For those running Office365 this documentation may be more useful.

# This is used to authenticate yourself and connect to the exchange server
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://EXCHANGEHOSTFQDN/PowerShell/ -Credential $UserCredential
Import-PSSession $Session -DisableNameChecking

# This is used to confirm the mailboxes accessible and modules available

# This is used to remove emails from a mailbox and move them to an administrator mailbox as a backup
Search-Mailbox -Identity "NAME" | Search-Mailbox -SearchQuery 'Subject:"SUBJECT LINE"' -TargetMailbox "ADMINBACKUPMAILBOX" -TargetFolder "BACKUPFOLDER" -DeleteContent

# This is used to run a report on anyone who received an email with a malicious attachment and log this information in an administrator mailbox
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery attachment:trojan* -TargetMailbox "ADMINBACKUPMAILBOX" -TargetFolder "BACKUPFOLDER" -LogOnly -LogLevel Full

# This is used to disconnect from the established powershell session
Remove-PSSession $Session

Common DLL Information

Kernel32.dll(Windows Kernel) This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.
Advapi32.dll(Advanced API) This DLL provides access to advanced core Windows components such as the Service Manager and Registry.
Ntdll.dll(NT Layer) This DLL is the interface to the Windows kernel. Executables rarely import this file directly, although it is always imported indirectly by Kernel32.dll. If an executable deliberately imports this, it means that the author wanted to use functionality not normally available to Windows programs. Some tasks, such as hiding functionality or manipulating processes, will use this interface.
User32.dll(Windows User) This DLL contains all the user interface components, such as buttons, scroll bars, and components for controlling and responding to user actions.
Wininet.dll(Windows Internet API) This DLL contains high level networking functions. These implement protocols such as FTP, HTTP, and NTP.
Gdi32.dll(Graphics Device Interface) This DLL contains functions used for displaying and manipulating graphics.
WSock32.dll and Ws2_32.dll(Windows Sockets API) These are networking DLLs. A program that accesses either of these will likely connect to a network or perform network related tasks.
urlmon.dll(OLE32 Extensions for Win32) This DLL contains functions for COM-based networking. It is used by Internet Explorer and many other applications similar to the Windows Sockets API; however, it is at a higher level than the Windows Sockets API and Windows Internet API and has many elements prefilled.
  • When analysing a binary, small amount of strings present and minimal imported functions help confirm that it is a packed binary.

Show processes with networking functions

tasklist /m WSock32.dll
tasklist /m Ws2_32.dll
tasklist /m Wininet.dll
tasklist /m winhttp.dll
gps | ?{$_.Modules -like '*WSock32.dll*' -OR $_.Modules -like '*Ws2_32.dll*' -OR $_.Modules -like '*Wininet.dll*' -OR $_.Modules -like '*winhttp.dll*' }|FL Id, ProcessName

Show processes importing the Remote Access API

tasklist /m RASAPI32.dll

Show processes importing the task scheduler API

tasklist /m taskschd.dll
tasklist /m mstask.dll

Show processes importing the Windows Media Instrumentation API

tasklist /m wbem*
tasklist /m wmi*

Windows Memory Analysis (Example Process with Volatility)

Identify memory OS information

volatility -f memorydump.mem imageinfo

Identify suspicious running processes

volatility -f memorydump.mem --profile=<profilename> pstree

Show suspicious running processes based on names.

volatility -f memorydump.mem --profile=<profilename> pstree | egrep 'winlogon|lsass|services'
volatility -f memorydump.mem --profile=<profilename> psscan

Show any malicious or suspicious processes requiring investigation

volatility -f memorydump.mem --profile=<profilename> malfind

Show any Process Hollowing (Hollow Process Injection)

volatility -f memorydump.mem --profile=<profilename> hollowfind

Dump suspicious process executables from memory

volatility -f memorydump.mem --profile=<profilename> procdump -p <processid> --dump-dir=./

Parse the Master File Table

volatility -f <memoryDump> mftparser -C --output-file=output.txt

Reassemble raw hex of file under $DATA back into original file from dump.raw file.

xxd -r dump.raw > <filename.originalextension>

Compare hashes with known detections e.g. VirusTotal.

sha256 <filename>

Create a timeline of events.

volatility -f memorydump.mem --profile=<profilename> timeliner
volatility -f memorydump.mem --profile=<profilename> timeliner --hive=SECURITY
volatility -f memorydump.mem --profile=<profilename> timeliner --type=Registry

Windows Memory Analysis (dump) using Windbg

Using Comaeio SwishDbgExt you are able to better analyse Windows Crash (DMP) files using Windbg. To do this, download the latest release, run windbg, load the correct dll and then run a command. At the time of writing there are:

!load X:\FullPath\SwishDbgExt.dll 

!help             - Displays information on available extension commands
!ms_callbacks     - Display callback functions
!ms_checkcodecave - Look for used code cave
!ms_consoles      - Display console command's history 
!ms_credentials   - Display user's credentials (based on gentilwiki's mimikatz) 
!ms_drivers       - Display list of drivers
!ms_dump          - Dump memory space on disk
!ms_exqueue       - Display Ex queued workers
!ms_fixit         - Reset segmentation in WinDbg (Fix "16.kd>")
!ms_gdt           - Display GDT
!ms_hivelist      - Display list of registry hives
!ms_idt           - Display IDT
!ms_lxss          - Display lsxx entries
!ms_malscore      - Analyze a memory space and returns a Malware Score Index (MSI) - (based on Frank Boldewin's work)
!ms_mbr           - Scan Master Boot Record (MBR)
!ms_netstat       - Display network information (sockets, connections, ...)
!ms_object        - Display list of object
!ms_process       - Display list of processes
!ms_readkcb       - Read key control block
!ms_readknode     - Read key node
!ms_readkvalue    - Read key value
!ms_regcheck      - Scan for suspicious registry entries
!ms_scanndishook  - Scan and display suspicious NDIS hooks
!ms_services      - Display list of services
!ms_ssdt          - Display service descriptor table (SDT) functions
!ms_store         - Display information related to the Store Manager (ReadyBoost)
!ms_timers        - Display list of KTIMER
!ms_vacbs         - Display list of cached VACBs
!ms_verbose       - Turn verbose mode on/off
!ms_yarascan      - Scan process memory using yara rules

Other inbuilt WindBG commands (Useful for single-process memory dump analysis)

Get Address memory information


Get All Thread Information


Get Current Thread Information


Get information from each frame of thread stack

!for_each_frame db
!for_each_frame dv -t -v
!for_each_frame dt -b

Recursively dump PEB of process

dt ntdll!_PEB @$peb -r

Create Dump

.dump D:\Downloads\test\test.dmp

DLL/Module Information

x *!
!lmi [ModuleName]

Get stacks for all threads


Search Heap for String to view in memory

!address -f:Heap -c:"s -u %1 %2 \"http\""

Search for String across all memory

s -a 0 L?FFFFFFFF "StringToFind"
s -u 0 L?FFFFFFFF "StringToFind"

List nearest module to address

ln <address>
ln 7c951782

Quick analysis

!analyze -v

Normal Process Relationship Hierarchy (Geneology)

Excellent SANS Reference



  • smss.exe
    • winlogon.exe (upon smss.exe exiting)
      • userinit.exe
        • explorer.exe (upon userinit.exe exiting)
    • wininit.exe (upon smss.exe exiting)
      • lsass.exe
      • services.exe
        • svchost.exe
        • taskhost.exe
    • crss.exe

Windows 10:


  • smss.exe
    • winlogon.exe (upon smss.exe exiting)
      • userinit.exe
        • explorer.exe (upon userinit.exe exiting)
    • wininit.exe (upon smss.exe exiting)
      • lsass.exe
      • lsaiso.exe (credential guard only)
      • services.exe
        • svchost.exe
          • taskhostw.exe
          • runtimebroker.exe
    • crss.exe

Extra notes

Be mindful of the below:

  • svchost.exe should always have services.exe pid as ppid and a service associated with it.
  • there should never be more than 1 lsass.exe process.
  • lsass.exe should always have a parent of winlogon.exe (WinXP and older) or Wininit.exe (Vista or newer).
  • pslist and pstree follow a ‘Double Linked List’ which malware can ‘unlink’ itself from thus hiding the process.
  • psscan looks instead for ‘EPROCESS blocks’ which is memory associated with a windows process.
  • Discrepencies between these 2 areas can indicate the process hollowing has occurred.
    • VAD = Virtual Address Descriptor which lives in kernel memory.
    • PEB = Process Environment Block which lives in process memory.
  • PAGE_EXECUTE_READWRITE protection indicates memory marked as executable, which may indicate potential shellcode was used or injected.
  • Process hollowing essentially pauses and duplicates a legitimate process, replaces the executable memory with something malicious, and then resumes the process. Process Injection on the other hand injects malicious code into an already running process which causes that process to execute the code.

Linux Cheat Sheet

Dumping Memory

dd if=/dev/kmem of=/root/kmem
dd if=/dev/mem of=/root/mem


sudo insmod ./lime.ko "path=./Linmen.mem format=raw"


./linpmem -o memory.aff4
./linpmem memory.aff4 -e PhysicalMemory -o memory.raw

Taking Image

fdisk -l
dd if=/dev/sda1 of=/[outputlocation]

Misc Useful Tools


python ./


./ -t

Live Triage

System Information

uname –a
lsb_release -a
cat /proc/version

Account Information

cat /etc/passwd
cat /etc/shadow
cat /etc/sudoers
cat /etc/sudoers.d/*
cut -d: -f1 /etc/passwd
getent passwd | cut -d: -f1
compgen -u

Current user


Last logged on users

cat /var/log/auth.log

Initialisation Files

cat /etc/bash.bashrc
cat ~/.bash_profile 
cat ~/.bashrc 

Environment and Startup Programs

cat /etc/profile
ls /etc/profile.d/
cat /etc/profile.d/*

Scheduled Tasks

ls /etc/cron.*
ls /etc/cron.*/*
cat /etc/cron.*/*
cat /etc/crontab
crontab -l

Commands That Can Be Run As Root or User

sudo -l

SSH Keys and Authorised Users

cat /etc/ssh/sshd_config

Note: This specifies where the SSH daemon will look for keys. Generally this will be as below.

ls /home/*/.ssh/*
cat /home/*/.ssh/
cat /home/*/.ssh/authorized_keys

Sudoers File (who who can run commands as a different user)

cat /etc/sudoers

Configuration Information

ls /etc/*.d
cat /etc/*.d/*

Network Connections / Socket Stats

netstat -apetul
netstat -plan
netstat -plant
netstat -naote
ss -l
ss -ta
ss -tp

DNS Information for Domain

dig a
dig any
dig ns
dig soa
dig hinfo
dig txt
dig +short

IPs Allowed to Perform Domain Transfer

cat /etc/bind/named.conf.local

Specify IP To Use For Domain Transfer

dig @ axfr -b <IP>

IP Table Information

ls /etc/iptables
cat /etc/iptables/*.v4
cat /etc/iptables/*.v6
iptables -L

Use IPTables For Filtering

AndreaFortuna Cheatsheet

Network Configuration

ifconfig -a

Difference Between 2 Files

diff <file1> <file2>

Browser Plugin Information

ls -la ~/.mozilla/plugins
ls -la /usr/lib/mozilla/plugins
ls -la /usr/lib64/mozilla/plugins
ls -la ~/.config/google-chrome/Default/Extensions/

Kernel Modules and Extensions/

ls -la /lib/modules/*/kernel/*

File Permissions

-rw-r-x-wt 1 fred fred 0 Aug 10 2019 /home/fred/malware
|[-][-][-]- [---][---]
| |  |  | |   |    |
| |  |  | |   |    *-----------------> 7. Group
| |  |  | |   *----------------------> 6. Owner
| |  |  | *--------------------------> 5. Alternate Access Method
| |  |  *----------------------------> 4. Others Permissions
| |  *-------------------------------> 3. Group Permissions
| *----------------------------------> 2. Owner Permissions
*------------------------------------> 1. File Type

File Permissions in Linux

Decode base64 Encoded File

base64 -d <filename>
echo <b64stream> | base64 -d

Process Information

ps <simplelistoutputthreadsmiscall>’
ps -s
ps -l
ps -o
ps -t
ps -m
ps -a
ps -ax

Size Of File (Bytes)

wc -c <file>

IP Making Most Requests in Access Log

cut -d " " -f 1 access.log | sort | uniq -c | sort -n -k 1,1

Count of Unique IPs in Access Log

cut -d " " -f 1 access.log | sort -u | wc -l

Unique User Agents in Access Log

awk -F \" '{ print $6 }' access.log | sort -u

Most Requested URLs For POST Request in Access Log

awk -F \" '{ print $2 }' access.log | grep "POST" | sort | uniq -c | sort -n -k 1,1

Lines In File

wc -l <file>

Search files recursively in directory for keyword

grep -H -i -r "password" /

Process Tree

ps -auxwf

Open Files and space usage


Pluggable Authentication Modules (PAM)

cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/

Disk / Partition Information

fdisk -l

Fulle Path For Command in environment variables

which <softwarename>

System Calls / Network Traffic

strace -f -e trace=network -s 10000 <PROCESS WITH ARGUMENTS>;
strace -f -e trace=network -s 10000 -p <PID>;

Strings Present In File

strings <filepath>
strings -e b <filepath>

Note: Below material with thanks to Craig Rowland – Sandfly Security

Detailed Process Information

ls -al /proc/[PID]


  • CWD = Current Working Directory of Malware
  • EXE = Binary location and whether it has been deleted
  • Most Common Timestamp = When process was created

Recover deleted binary which is currently running

cp /proc/[PID]/exe /[destination]/[binaryname]

Capture Binary Data for Review

cp /proc/[PID]/ /[destination]/[PID]/

Binary hash information

sha1sum /[destination]/[binaryname]
md5sum /[destination]/[binaryname]

Process Command Line Information

cat /proc/[PID]/cmdline
cat /proc/[PID]/comm


  • Significant differences in the above 2 outputs and the specified binary name under /proc/[PID]/exe can be indicative of malicious software attempting to remain undetected.

Process Environment Variables (incl user who ran binary)

strings /proc/[PID]/environ
cat /proc/[PID]/environ

Process file descriptors/maps (what the process is ‘accessing’ or using)

ls -al /proc/[PID]/fd
cat /proc/[PID]/maps

Process stack/status information (may reveal useful elements)

cat /proc/[PID]/stack
cat /proc/[PID]/status

Deleted binaries which are still running

ls -alr /proc/*/exe 2> /dev/null |  grep deleted

Process Working Directories (including common targeted directories)

ls -alr /proc/*/cwd
ls -alr /proc/*/cwd 2> /dev/null | grep tmp
ls -alr /proc/*/cwd 2> /dev/null | grep dev
ls -alr /proc/*/cwd 2> /dev/null | grep var
ls -alr /proc/*/cwd 2> /dev/null | grep home

Using JQ To Analyse JSON

cat people.json | jq '.[] | select((.name.first == "Fred") or (.name.last == "John"))'
cat people.json | jq '.[] | select((.name.first == "Fred") or (.name.last == "John"))'|@csv

Hidden Directories and Files

find / -type d -name ".*"

Immutable Files and Directories (Often Suspicious)

lsattr / -R 2> /dev/null | grep "\----i"

SUID/SGID and Sticky Bit Special Permissions

find / -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;

File and Directories with no user/group name

find / \( -nouser -o -nogroup \) -exec ls -lg  {} \;

File types in current directory

file * -p

Executables on file system

find / -type f -exec file -p '{}' \; |  grep ELF

Hidden Executables on file system

find / -name ".*" -exec file -p '{}' \; | grep ELF

Files modified within the past day

find / -mtime -1

Find files for a particular user

find /home/ -user fred -type f

Persistent Areas of Interest


Audit Logs

ls -al /var/log/*
ls -al /var/log/*tmp
utmpdump /var/log/btmp
utmpdump /var/run/utmp
utmpdump /var/log/wtmp

Installed Software Packages

ls /usr/bin/
ls /usr/local/bin/

MacOS Cheat Sheet

IMPORTANT NOTE: This section is still in its early stages of documentation and testing. I strongly suggest checking out Sarah Edwards, who is an industry leader in this space, as she has many excellent resources and this section for the most part is reiterating the hard work she has put in. Other excellent resources include the Mac OS X Forensics Wikis and shared spreadsheet containing Forensics Artifacts.

Dumping Memory



sudo kextload MacPmem.kext
sudo dd if=/dev/pmem of=memorydump.raw

Live Mac IR / Triage

System Information

uname –a
cat /System/Library/CoreServices/SystemVersion.plist
cat /private/var/log/daily.out
cat /Library/preferences/.Globalpreferences.plist

Network Connections

netstat –an
netstat –anf
lsof -i

Routing Table

netstat –rn

Network Information

arp –an
ndp -an

Open Files


File System Usage

sudo fs_usage
sudo fs_usage [process] 
sudo fs_usage -f network
sudo fs_usage pid [PID]

Bash History

cat ~/.bash_history

User Logins

who -a

Running Processes

ps aux

System Profiler

system_profiler -xml -detaillevel full > systemprofiler.spx

Persistent Locations

Quick Overview (KnockKnock)

./ -whosthere > /path/to/some/file.json

XPC Services

ls Applications/<application>.app/Contents/XPCServices/
cat Applications/<application>.app/Contents/XPCServices/*.xpc/Contents/Info.plist
ls ~/System/Library/XPCServices/

Launch Agents & Launch Daemons

ls /Library/LaunchAgents/
ls /System/Library/LaunchAgents/
ls /System/Library/LaunchDaemons/
ls /Library/LaunchDaemons/
ls /users/*/Library/LaunchAgents/
ls /users/*/Library/LaunchDaemons/


cat ~/Library/Preferences/
ls <application>.app/Contents/Library/LoginItems/

Disable Persistent Launch Daemon

sudo launchctl unload -w /Library/LaunchDaemons/<name>.plist
sudo launchctl stop /Library/LaunchDaemons/<name>.plist

Web Browsing Preferences

cat ~/Library/Preferences/ 
ls ~/Library/Application Support/Google/Chrome/Default/Preferences
ls ~/Library/Application Support/Firefox/Profiles/********.default/prefs.js

Safari Internet History

cat ~/Library/Safari/Downloads.plist
cat ~/Library/Safari/History.plist 
cat ~/Library/Safari/LastSession.plist
ls ~/Library/Caches/ Previews/ 
sqlite3 ~/Library/Caches/  

Chrome Internet History

ls ~/Library/Application Support/Google/Chrome/Default/History
ls ~/Library/Caches/Google/Chrome/Default/Cache/
ls ~/Library/Caches/Google/Chrome/Default/Media Cache/

Firefox Internet History

sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/places.sqlite 
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/downloads.sqlite
sqlite3 ~/Library/Application Support/Firefox/Profiles/********.default/formhistory.sqlite
ls ~/Library/Caches/Firefox/Profiles/********.default/Cache

Apple Email

cat ~/Library/Mail/V2/MailData/Accounts.plist
ls ~/Library/Mail/V2/
ls ~/Library/Mail Downloads/
ls ~/Downloads
cat ~/Library/Mail/V2/MailData/OpenAttachments.plist

Temporary / Cached

ls /tmp
ls /var/tmp 
ls /Users/<user>/Library/Caches/Java/tmp
ls /Users/<user>/Library/Caches/Java/cache

System and Audit Logs

ls /private/var/log/asl/
ls /private/var/audit/
cat /private/var/log/appfirewall.log
ls ~/Library/Logs
ls /Library/Application Support/<app> 
ls /Applications/ 
ls /Library/Logs/

Specific Log Analysis

bzcat system.log.1.bz2 
system.log.0.bz2 >> system_all.log 
cat system.log >> system_all.log
syslog -f <file>
syslog –T utc –F raw –d /asl
syslog -d /asl
praudit –xn /var/audit/*
sudo log collect
log show
log stream

Files Quarantined

ls ~/Library/Preferences/
ls ~/Library/Preferences/ 

User Accounts / Password Shadows

ls /private/var/db/dslocal/nodes/Default/users/ 
ls /private/var/db/shadow/<User GUID>

Pluggable Authentication Modules (PAM)

cat /etc/pam.d/sudo
cat /etc/pam.conf
ls /etc/pam.d/

File Fingerprinting/Reversing

file <filename>
xxd <filename>
nm -arch x86_64 <filename>
otool -L <filename>
sudo vmmap <pid>
sudo lsof -p <pid>
xattr –xl <file>

Connected Disks and Partitions

diskutil list
diskutil info <disk>
diskutil cs
ap list
gpt –r show 
gpt -r show -l

Disk File Image Information

hdiutil imageinfo *.dmg

User Keychain Information

security list-keychains
security dump-keychains -d <keychain>

Spotlight Metadata

mdimport –X | -A
mdls <file>

Extract download location from Extended Attribute

Note: This is essentially the ‘ADS’ of the MacOS world.

xattr -p filename.dmg | xxd -r -p | plutil -p -

Locate historical file names from Extended Attribute

xattr -p filename

SANS FOR518 Reference

Special Thanks

FREE Network Security Project provided by the NSA!

FREE Network Security Project provided by the NSA!

1. Introduction to Networks:
2. OSI Model:
3. Network Topologies:
4. Network Devices:
5. TCP-IP:
6. Routing:
7. Switching & Virtual LANs:
8. Wireless Networks:
9. Troubleshooting Networks:
10. Network Project Final:

NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF

NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF


What Is The “Best” Cybersecurity Framework For Your Needs?

The concept of a “best” cybersecurity framework is misguided, since the most appropriate framework to align with is entirely dependent upon your business model. The applicable laws, regulations and contractual obligations that your organiation must comply with will most often point you to one of four (4) starting points to kick off the discussion about “Which framework is most appropriate for our needs?“:

  • NIST Cybersecurity Framework (NIST CSF);
  • ISO 27001/27002;
  • NIST SP 800-53 (moderate or high baselines); or
  • Secure Controls Framework (SCF) (or a similar metaframework).

When you graphically depict the various, leading cybersecurity frameworks from “easier to harder” it primarily focuses on the sheer number of unique cybersecurity and privacy controls. The volume of these controls (e.g., requirements) directly impacts the number of domains covered by that cybersecurity framework. The lesser number of controls in a cybersecurity framework might make it appear easier to implement, but it also might not provide the necessary coverage that your organization needs from the perspective of administrative, technical and physical cybersecurity and privacy practices. Defining “just right” for your cybersecurity and privacy controls is primarily a business decision, based on your organization’s risk profile, which needs to consider applicable laws, regulations and contractual obligations that are required to support existing or planned business processes. 

A very important consideration when selecting a framework is necessary customization. It is unlikely that a single framework will fit your needs perfectly, so you have to expect to tailor a framework for your specific needs (e.g., add to it, remove unnecessary content or merge multiple frameworks). From a customization perspective, think of “bolting on” content to a cybersecurity frameworks similar to the concept of gnawing off the square sides of a peg to make it fit into a round hole – it will eventually fit but it likely will not look very good or fit very well. This is the downside of customizing cybersecurity frameworks to add content that the framework lacks. It is generally less painful/costly to align with a more robust framework and remove content than it is to start with a lesser framework and add content.

Is There A Goldilocks Framework – Not Too Hard, Not Too Soft, But Just Right?

The selection process for cybersecurity frameworks generally leads to adopting a “starting point” framework. These foundational frameworks are the NIST Cybersecurity FrameworkISO 27002NIST 800-53 or the Secure Controls Framework (SCF). We call it the “cybersecurity Goldilocks dilemma” since it addresses the question: Which cybersecurity framework is “not too hard, not too soft, but just right!” for my organization? It comes down to first defining your “must have” and “nice to have” requirements, since that helps point you to the most appropriate framework to meet your specific needs:

  • “Must Have” Minimum Compliance Criteria (MCC) (e.g., laws, regulations and contractual obligations); and
  • “Nice to Have” Discretionary Security Requirements (DSR) (e.g., not legally-required but you feel you need to be secure, such as FIM, DLP, MFA, etc.)

Those two considerations come together to address the “Compliant vs Secure” decision for an organization’s cybersecurity and/or privacy program to be both secure and compliant. You can read more about that in the Integrated Controls Management (ICM) model.


“Compliant” vs “Secure” Considerations

The more robust the framework you select to align with, you can expect to have more topics covered by the included controls. This generally means you will have more comprehensive policies and standards to meet the expanded coverage. The dilemma many companies face is they want to be compliant, while minimizing the amount of paperwork (e.g., policies, standards and controls) that they have to maintain. This is where the aspect of your organization’s leadership team is important to really define the risk culture of the organization at a fundamental level:

  • Compliance Focused – this is aiming for mediocrity by focusing on only the bare minimums to comply with a law, regulation or framework. (note – this approach is very common. It is misguided, but common)
  • Security Focused – this is focused on hard-core secure engineering practices and compliance is not a concern. (note – this approach is rare)
  • Compliant & Secure Focused – this is a holistic approach that is focused on making sure systems, applications and services are secure by design and default, where compliance is viewed as a natural byproduct by having the proper blend of cybersecurity and privacy practices. (note – this is an optimal approach that organizations should strive for)

Cybersecurity Framework Heatmap

Not all frameworks are created equally and that is ok. It is not uncommon for experienced cybersecurity practitioners to have fundamental misunderstandings of the differences between laws, regulations and frameworks. However, in this context, what is depicted on the heatmap is refered to as a “framework” since by the NIST Glossary definition, a framework is “a layered structure indicating what kind of programs can or should be built and how they would interrelate.” Even a law or regulation can serve as a framework for building a cybersecurity program.

We understand that it can be a little confusing when you look at it from a “heat map” perspective, since each cybersecurity framework has its own unique scope of applicability (e.g., specialization) and depth of coverage. However, understanding this can help you make an informed decision on where to start for the most appropriate framework(s) for your needs (often, organizations utilize more than one framework). You may even find you need to leverage a metaframework (e.g., framework of frameworks) to address more complex compliance requirements.

NIST CSF vs ISO 27001 27002 vs NIST 800-53 vs SCF

How Do You Pick A Cybersecurity Framework? (Coke vs Pepsi Analogy)

If you look at this from the perspective of a debate over which soft drink tastes best (e.g., Coke vs Pepsi), it generally comes down to personal preferences, since both products are essentially sugary, carbonated drinks and only differ slightly in flavor and packaging. The same arguments can be made for cybersecurity’s two heavy hitters – NIST 800-53 and ISO 27002. Gaining popularity is the NIST Cybersecurity Framework (NIST CSF), but it lacks appropriate coverage out of the box to be considered a comprehensive cybersecurity framework. For more complex compliance requirements, the SCF is a “metaframework” that encompasses over 100 laws, regulations and frameworks in a hybrid framework that can span multiple compliance requirements.

Cybersecurity Framework Comparison: NIST CSF vs ISO 27001/2 vs NIST 800-53 vs SCF 

A key consideration for picking a cybersecurity framework involved understanding the level of content each framework offers, since this directly impacts the available cybersecurity and privacy controls that exist “out of the box” without having to bolt-on content to make it work for your specific needs. If you ask a cybersecurity professional to identify their preferred “best practice framework”, it generally comes down to NIST or ISO, since those are the most commonly-found frameworks. However, that doesn’t mean that is where you should limit your search.

If you are not sure where to start, here are some recommendations:

  • Have a discussion with your legal and procurement departments to find out what laws, regulations and contractual obligations your organization needs to comply with. If they don’t know, then you need to perform that discovery with their involvement to ensure you have the facts. Do not try to work off assumptions!
  • Talk with peers in your industry to identify what framework(s) their organization chose to align with and what those decisions were that led them to adopting one framework over another. You still have to do your own analysis to determine what is right, but talking with peers can help avoid “re-inventing the wheel” on certain aspects of the analysis process.
  • Determine what resources you have available to adopt and implement a framework. If it is a flip of the coin decision between two frameworks where you feel both meet your needs, you need to be sure to take into account which framework will be the most efficient to implement and maintain. 
  • Evaluate your organization’s business and IT strategies to identify components that may require the adoption of a specific framework. For example:.
    • Your CEO puts out a roadmap to grow business and next year the company will start going after US Government and Department of Defense (DoD) contracts. This means your organization will have to address DFARS, FAR and CMMC compliance, which is based on NIST SP 800-171. This means alignment with NIST SP 800-53 or SCF might be the best path forward
    • A business unit is expanding into the European market and will focus on B2C sales. This means your organization will have to address EU GDPR for robust privacy practices, on top of cybersecurity. This means you could select any framework to address underlying cybersecurity practices, but you need a privacy program. The SCF might be the best path forward.
  • Speak with a reputable consultant. Not all “cybersecurity professionals” have the same backgrounds, experiences and competencies. Speak with a Governance, Risk and Compliance (GRC) professional about compliance-related frameworks and scoping decisions.

NIST CSF   <   ISO 27001/2   <   NIST 800-53   <   Secure Controls Framework (SCF)


To help provide further context to the image:

  • ISO 27001/2 is essentially a subset of the content found in NIST 800-53 (ISO 27002 went from fourteen (14) sections in 2013 to three (3) sections in 2022) where ISO 27002’s cybersecurity controls fit within the twenty (20) families of NIST 800-53 rev5 security controls.
  • NIST CSF is a subset of NIST 800-53 and also shares controls found in ISO 27001/2. 
  • NIST CSF incorporates parts of ISO 27001/2 and parts of NIST 800-53, but is not inclusive of both – this is what makes NIST CSF is a common choice for smaller companies that need a set of “industry-recognized secure practices” to align with, where ISO 27001/2 and NIST 800-53 are better for larger companies or those that have unique compliance requirements. 

When you start taking into account common requirements such as the Payment Card Industry Data Security Standard (PCI DSS), you will see from crosswalk mapping that these common requirements are more comprehensive than what is included natively by NIST CSF, so you would need to use ISO 27002 or NIST 800-53 to meet PCI DSS as a framework (depending on your SAQ level), unless you want to bolt-on additional controls to the NIST CSF to make that work. Is that wrong? No, but it is just messy when you start bolting onto frameworks. 

Secure Controls Framework (SCF) Overview

If you are not familiar with the Secure Controls Framework (SCF), it was developed with the ambitious goal of providing a comprehensive catalog of cybersecurity and privacy control guidance to cover the strategic, operational and tactical needs of organizations, regardless of its size, industry or country of origin. By using the SCF, your IT, cybersecurity, legal and project teams can speak the same language about controls and requirement expectations! The SCF is a “metaframework” which is a framework of frameworks. The SCF is a superset that covers the controls found in NIST CSF, ISO 27002, NIST 800-53 and over 100 other laws, regulations and frameworks. These leading cybersecurity frameworks tend to cover the same fundamental building blocks of a cybersecurity program, but differ in some content and layout. Before picking a framework, it is important to understand that each one has its benefits and drawbacks. Therefore, your choice should be driven by the type of industry your business is in and what laws, regulations and contractual obligations your organization needs to comply with. 

The SCF is an open source project that provides free cybersecurity and privacy controls for businesses. The SCF focuses on internal controls, which are the cybersecurity and privacy-related policies, standards, procedures and other processes that are designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented, detected and corrected.

The Secure Controls Framework (SCF) is a “best in class” approach that covers over 100 cybersecurity and privacy laws, regulations and frameworks, including NIST 800-53, ISO 27001/2 and NIST CSF. Being a hybrid, it allows you to address multiple cybersecurity and privacy frameworks simultaneously. The SCF is a free resource for businesses to use. ComplianceForge’s Digital Security Program (DSP) has 1-1 mapping with the SCF, so the DSP provides the most comprehensive coverage of any ComplianceForge product.  

NIST SP 800-53 Overview

The National Institute of Standards and Technology (NIST) is on the fifth revision (rev5) of Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations. From rev4 to rev5, NIST dropped the “US Government” focus for NIST SP 800-53 and now has it generalized enough for private industry to use. There are still “NISTisms” for wording that are entirely US Government-focused, but it is a significant improvement for private industry adoption. NIST 800-53 “best practices” are the de facto standard for private businesses that do business with the US federal government.

One thing to keep in mind is that NIST 800-53 is a super-set of ISO 27002 – that means you will find all the components of ISO 27002 covered by NIST 800-53. However, ISO 27002 does not cover all of the areas of NIST 800-53. 

The Federal Information Security Management Act (FISMA) and the Department of Defense Information Assurance Risk Management Framework (RMF) rely on the NIST 800-53 framework, so vendors to the US federal government must meet those same requirements in order to pass these rigorous certification programs. Additionally, for NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST 800-53 is called out as the best practices for government contractors to secure their systems.  That further helps strengthen NIST 800-53 as a best practice within the US, especially for any government contractors. We have a section that describes NIST 800-171 and Cybersecurity Maturity Model Certification (CMMC) if you are interested in that subject.

NIST 800-53 includes what both ISO 27002 and NIST CSF addresses, as well as a whole host of other requirements. NIST 800-53 is the basis for the controls found in NIST 800-171 / CMMC. NIST 800-53 is commonly found in the financial, medical and government contracting industries. One great thing about NIST 800-53, and it applies almost universally to all NIST 800-series publications. As with other NIST publications, it is freely available, at no cost to the public –

ISO 27001 / 27002 Overview

The International Organization for Standardization (ISO) is a non-governmental organization that is headquartered in Switzerland. ISO can be a little more confusing for newcomers to IT security or compliance, since a rebranding occurred in 2007 to keep ISO’s IT security documents in the 27000 series of their documentation catalog – ISO 17799 was renamed and became ISO 27002. To add to any possible confusion, ISO 27002 is a supporting document that aides in the implementation of ISO 27001. Adding a little more confusion to the mix, it is important to note that companies cannot certify against ISO 27002, just ISO 27001.

ISO 27001 Appendix A contains the basic overview of the security controls needed to build an Information Security Management System (ISMS), but ISO 27002 provides those specific controls that are necessary to actually implement ISO 27001. Essentially, you can’t meet ISO 27001 without implementing ISO 27002:

  • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection — Information security management systems — Requirements
  • ISO/IEC 27002:2022 – Information security, cybersecurity and privacy protection — Information security controls

To keep things simple, just remember that ISO 27001 lays out the framework to create an “Information Security Management System (ISMS)” (e.g., a comprehensive IT security program), whereas ISO 27002 contains the actual “best practices” details of what goes into building a comprehensive IT security program. Since ISO’s information security framework has been around since the mid-1990s, it was in “right time at the right place” to evolve into the de facto IT security framework outside of the United States. You will find ISO 27002 extensively used by multinational corporations and for companies that do not have to specifically comply with US federal regulations. ISO 27002 is also “less paranoid” than NIST 800-53, which has an advantage of being less complex and therefore easier implement.

One unfortunate thing about ISO 27001/2, and it applies to all ISO publications, is that ISO charges for its publications –

NIST Cybersecurity Framework (NIST CSF) Overview

NIST Cybersecurity Framework (NIST CSF) has the least coverage of the major cybersecurity frameworks. NIST CSF works great for smaller and unregulated businesses that just want to align with a recongized cybersecurity framework. The downside to the NIST CSF is that its brevity makes it incompatible with common compliance requirements, such as NIST 800-171, GDPR, CPRA/CCPA and PCI DSS (depending on SAQ level). For those, more comprehensive frameworks, such as NIST 800-53 or ISO 27002 are recommended.  

In reality, NIST CSF is a “dumbed down” and civilianized version of NIST 800-53. It came out nearly a decade ago when NIST 800-53 was entirely focused on the US Government, so there was a need for a subset of the controls that NIST 800-53 provided but for the non-enterprise space in private industry (e.g., tailored for small to medium businesses). Over the past decade, different US Federal agencies have published documents describing how NIST CSF v1.1 controls can be leveraged to comply with HIPAA, FINRA, etc.

Overall, NIST CSF does not introduce new standards or concepts, but leverages and integrates industry-leading cybersecurity practices that have been developed by organizations like NIST and ISO. NIST CSF if organized into five categories of controls:

  • Identify;
  • Protect;
  • Detect;
  • Respond
  • Recover

The NIST CSF comprises a risk-based compilation of guidelines that can help organizations identify, implement, and improve cybersecurity practices, and creates a common language for internal and external communication of cybersecurity issues. The NIST CSF is designed to evolve with changes in cybersecurity threats, processes, and technologies. Essentially, the NIST CSF envisions effective cybersecurity as a dynamic, continuous loop of response to both threats and solutions. However, the “framework implementation tiers” should be avoided, since it is bad guidance. For example, you have to get to Tier 3 before you document policies, standards or procedures. That means a business at Tier 1 and Tier 2 would be considered negligent for failing to meet “reasonable expectations” for a security program. This is an example of “the path to hell is paved with good intentions” so that component of NIST CSF should be avoided.

Cybersecurity Policies, Standards & Procedures Are Meant To Address Your Compliance Needs

It is important to keep in mind that picking a cybersecurity framework is more of a business decision and less of a technical decision since cybersecurity and privacy controls identified in external laws, regulations or frameworks directly influence your organization’s internal policies, standards and procedures. 

  • Policies are established by an organization’s corporate leadership establishes “management’s intent” for cybersecurity and data protection requirements that are necessary to support the organization’s overall strategy and mission.
  • Control Objectives identify the technical, administrative and physical protections that are generally tied to a law, regulation, industry framework or contractual obligation.
  • Standards provide organization-specific, quantifiable requirements for cybersecurity and data protection.
  • Guidelines are additional guidance that is recommended, but not mandatory.
  • Procedures (also known as Control Activities) establish the defined practices or steps that are performed to meet to implement standards and satisfy controls / control objectives.

Build With A Hierarchical Approach To Cybersecurity & Privacy Documentation

The Hierarchical Cybersecurity Governance Framework (HCGF) is the “ComplianceForge Reference Model” of cybersecurity and privacy documentation. This free guide is a documentation model that leverages industry-recognized terminology to logically arrange these documentation components into their rightful order. This model creates an approach to architecting documentation that is concise, scalable and comprehensive. When that is all laid out properly, an organization’s cybersecurity and data protection documentation should be hierarchical and linked from policies all the way through metrics. The swimlane diagram shown below (click for a larger PDF) defines the terminology and demonstrates the linkages between these various documentation components.

​It all starts with influencers – these external and internal influencers set the tone to establish what is considered due diligence for cybersecurity & data protection operations.

  • For external influencers, this includes statutory requirements (laws), regulatory requirements (government regulations) and contractual requirements (legally-binding agreements) that companies must address.
  • For internal influencers, these are business-driven and the focus is more on management’s desire for consistent, efficient and effective operations:
    • Alignment with business strategy; and
    • Meeting business goals & objectives.

Fundamentally, the process of selecting a cybersecurity framework must be driven by what your organization is obligated to comply with from a statutory, regulatory and contractual perspective, since that understanding establishes the minimum set of requirements necessary to:

  • Avoid being considered negligent by being able to demonstrate evidence of due diligence and due care pertaining to “reasonably-expected” security & privacy practices;
  • Properly address risk management expectations by having the proper controls to secure your organization’s systems, applications and processes from reasonable threats.

Once you know the minimum requirements you need to meet, it can help narrow down the most appropriate framework. As shown in the “framework spectrum” diagram (shown below) that helps depict how not all frameworks are the same, you need to focus on selecting the most appropriate set of cybersecurity controls (e.g., controls framework) for your organization to align with. 

What Documentation Do I Need To Comply With NIST CSF, ISO 27002 or NIST 800-53?

To do NIST CSF, ISO 27002 or NIST 800-53 properly, it takes more than just a set of policies and standards. While those are foundational to building a cybersecurity program aligned with that framework, there is a need for program-specific guidance that helps operationalize those policies and standards (e.g., risk management program, third-party management, vulnerability management, etc.). It is important to understand what is required to be in compliance with NIST CSF vs ISO 27002 vs NIST 800-53, since there are significantly different levels of expectation.

When you start looking at “What should I buy to comply or align with X framework?” it is important to understand what the expectations of the various frameworks entail. When you look at these frameworks from the perspective of a spectrum that spans from weaker to more robust controls coverage, the basic expectation is that there are more requirements as you advance along this spectrum. The chart below helps identify the various ComplianceForge products where they intersect with NIST CSF, ISO 27002, NIST 800-53 and NIST 800-171/CMMC requirements. As depicted in the spectrum graphic at the top of this page, there are less requirements to comply with the NIST Cybersecurity Framework, while ISO 27002 has more requirements. However, ISO 27002 has less requirements than NIST 800-53. 

ComplianceForge ProductsNIST CSFISO 27002NIST 800-53 r4NIST 800-171 r1
Cybersecurity & Data Protection Program (CDPP) or
Digital Security Program (DSP)
[multiple sections]
[multiple sections]
[multiple sections]
NIST 800-171 (multiple CUI & NFO controls)
Supply Chain Risk Management (SCRM)ID.SC-115.1.1PS-7
NIST 800-171 NFO PS-7
Cybersecurity Risk Management Program (RMP)ID.GV-4
NIST 800-171 3.11.1 & NFO RA-1
Cybersecurity Risk Assessment Template (CRA)
Vulnerability & Patch Management Program (VPMP)ID.RA-1
NIST 800-171 3.11.2
Integrated Incident Response Program (IIRP)PR.IP-916.1.1IR-1252.204-7008
NIST 800-171 3.6.1
Security & Privacy By Design (SPBD)N/AN/APrivacy Section
NIST 800-171 NFO SA-3
System Security Plan (SSP) & POA&MN/AN/APL-2252.204-7008
NIST 800-171 3.12.4
Cybersecurity Standardized Operating Procedures (CSOP)PR.IP-5
[multiple sections]
[multiple sections]
[multiple sections]
NIST 800-171 (multiple CUI & NFO controls)
Continuity of Operations Plan (COOP)RC.RP-117.1.2CP-1
NIST 800-171 3.6.1
Secure Baseline Configurations (SBC)PR.IP-1
NIST 800-171 3.4.1
Information Assurance Program (IAP)N/A14.2.8CA-1
NIST 800-171 NFO CA-1
Cybersecurity Business Plan (CBP)N/AN/AN/ACMMC Level 4
CMMC Level 5

NIST Cybersecurity Framework (NIST CSF)- Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with the NIST Cybersecurity Framework (NIST CSF). The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST CSF. 

Good (NIST CSF)Better (NIST CSF)Great (NIST CSF)Awesome (NIST CSF)

ISO 27002  – Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with ISO 27001 / 27002. The product names you see in the various packages below map into the matrix shown above to show you how that maps into ISO 27002.

Good (ISO 27002)Better (ISO 27002)Great (ISO 27002)Awesome (ISO 27002)
CDPP – ISO 27002 Policies & StandardsCDPP + CSOP – ISO 27002 Policies, Standards & ProceduresCDPP Bundle 3: CDPP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAPDSP Bundle 3: DSP-CSOP-SCRM-RMP-CRA-VPMP-IIRP-COOP-SBC-IAP-SPBD

NIST 800-53  – Good/Better/Great/Awesome Solutions

When you look at it from a sliding scale of good, better, great or awesome, we have a few options for you to meet your needs and budget to align your company with NIST 800-53. The product names you see in the various packages below map into the matrix shown above to show you how that maps into NIST 800-53.

Good (NIST 800-53)Better (NIST 800-53)Great (NIST 800-53)Awesome (NIST 800-53)

GoogleChrome Books and SSPM is the future of security and Digital Transformation.

GoogleChrome Books and SSPM is the future of security and Digital Transformation.

Digital Transformation means as much as Zero trust, I prefer to think in terms of Technology solutions rather than Terms that can be manipulate as required by Vendors and Marketing teams. This is also for Traditional Enterprise workloads and End user computing, rather than developing applications or Power Users.

As the complexity of Multi-cloud and access to business environments from any device continues to grow. CISO and CTO, needs to work together to create a strategy for both Digital Transformation and agility and reduce the footprint and exposure. you don’t do that much continuously doing the same playbook. It’s simple, you need to move to SaaS and reduce your Windows Endpoint foot print. So how do you do that.

Reference articles

Azure Security Posture Auditing – Microsoft Azure/ AzureAD/O365 Security

Microsoft AzureAD/O365 Security

AzureAD – Users can create Azure AD tenants by Default.

Azure AD & O365 Attack Matrix

The amount of things that are defaulted in the AzureAD/O365 commercial tenants is too much and it’s critical to verify all settings are required as Defaults, it is also important to monitor updates. As a example;

Users can create Azure AD tenants Disable this setting, it was available by default but now there is a toggle to disable it!;

Azure Security Posture Auditing


1. Create a new user in Azure AD

2. Manage Azure AD identities

3. Enable SSPR in Azure AD

4. Create a conditional access policy

5. Explore Microsoft security score

6. Use secure score in Microsoft Defender to improve security posture

7. Microsoft 365 Defender for Cloud Apps

8. Explore the Service Trust Portal

9. Explore the Microsoft Purview compliance portal

10. Explore compliance manager

11. Manage subscriptions and RBAC

12. Manage governance via Azure Policy

13. Manage Azure resources by using the Azure Portal

14. Manage Azure resources by using ARM templates

15. Manage Azure resources by using Azure PowerShell

16. Manage Azure resources by using Azure CLI

17. Implement virtual networking

18. Implement inter-site connectivity

19. Implement traffic management

20. Manage Azure storage

21. Manage virtual machines

22. Implement Azure web apps

23. Implement Azure Container Instances

24. Implement Azure Kubernetes Service

25. Backup virtual machines

26. Implement monitoring

Azure Cloud Security


Cyber Security Technical Interview [CHEATCODES]

Here is my brain dump of Cyber Security interview questions from the past, after every interview, I wrote down the questions and made up my own for preparation. I hope this helps someone get a job and take care of your family.

Advise for Hiring managers

You should allow the candidate to ask you 3 technical questions in return, too many times, I’ve had technical questions from interviewers who got the answer incorrect. or blast through a list questions. Someone times hiring people get these answers wrong or could not even pass their own interviews.

I would ask experience based question, for a Solution Architect for a Solutions Integrator, give me a example of how you wrote a SOW and the process you went about doing that and pick apart that answer or Explain how you would design X solution?

Take One Day, One Step at a Time.

Some advice; I was recently out of work and going to multiple interviews for Email Security, to Micro segmentation to Identify Architect, If you are in this situation, it is very difficult, as you are doing multiple interviews per day and may need to do multiple technical interviews and even presentations and even proposals and even write code and build environments inside cloud. This is not an ideal situation, getting a job is very difficult. The best way is to apply for a single job and really research exactly the requirements and prepare, which takes allot of investment in time and of course, there is always luck of the draw. So take One day and One step at a time.

I found this very useful for Webcam interviews;

Cyber Security Interview Questions

What is the ‘Shadow file’ and locationThe shadow file is probably one of the most important files on your linux system, and that’s because it stores the actual encrypted passwords for everything on your system. The shadow file is located at /etc/shadow, and is only accessible to the root user.
Explain ASEP keysAuto-Start Extensibility Points (ASEPs is specific areas within in the Windows Operating System, that can be used by Malware to maintain persistence such as the Run key inside the registry;

What is the LSASS DriverThe Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
What is the Registry Hive
The registry is a hierarchical database that contains data that is critical for the operation of Windows and the applications and services that run on Windows. The data is structured in a tree format. Each node in the tree is called a key. Each key can contain both subkeys and data entries called values. Sometimes, the presence of a key is all the data that an application requires; other times, an application opens a key and uses the values associated with the key. A key can have any number of values, and the values can be in any form. For more information, see Registry Value Types and Registry Element Size Limits.

HKEY_CURRENT_CONFIG System, System.alt, System.log, System.sav
HKEY_CURRENT_USER Ntuser.dat, Ntuser.dat.log
HKEY_LOCAL_MACHINE\SAM Sam, Sam.log, Sam.sav
HKEY_LOCAL_MACHINE\Security Security, Security.log, Security.sav
HKEY_LOCAL_MACHINE\Software Software, Software.log, Software.sav
HKEY_LOCAL_MACHINE\System System, System.alt, System.log, System.sav
HKEY_USERS\.DEFAULT Default, Default.log, Default.sav
Explain AAA?AAA stands for authenticationauthorization, and accounting.
AAA is a framework for intelligently controlling access to computer resources, enforcing policies, auditing usage, and providing the information necessary to bill for services. These processes working in concert are important for effective network management and security.

Authentication provides a method of identifying a user, typically by having the user enter a valid username and password before access to the network is granted. Authentication is based on each user having a unique set of login credentials for gaining network access.
The AAA server compares a user’s authentication credentials with other user credentials stored in a database; in this case, that database is Active Directory. If the user’s login credentials match, the user is granted access to the network. If the credentials don’t match, authentication fails and network access is denied.

Following authentication, a user must gain authorization for doing certain tasks. After logging in to a system, for instance, the user may try to issue commands. The authorization process determines whether the user has the authority to issue such commands.
Simply put, authorization is the process of enforcing policies—determining what types or qualities of activities, resources, or services a user is permitted. Usually authorization occurs within the context of authentication. After you have authenticated a user, they may be authorized for different types of access or activity.
As it relates to network authentication via RADIUS and 802.1x, authorization can be used to determine what VLAN, Access Control List (ACL), or user role that the user belongs to.

The final piece in the AAA framework is accounting, which monitors the resources a user consumes during network access. This can include the amount of system time or the amount of data sent and received during a session.
Accounting is carried out by logging session statistics and usage information. It is used for authorization control, billing, trend analysis, resource utilization, and planning for the data capacity required for business operations.
ClearPass Policy Manager functions as the accounting server and receives accounting information about the user from the Network Access Server (NAS). The NAS must be configured to use ClearPass Policy Manager as an accounting server, and it is up to the NAS to provide accurate accounting information to ClearPass Policy Manager.
What is a Three-Way Handshake?
The TCP handshake

TCP uses a three-way handshake to establish a reliable connection. The connection is full duplex, and both sides synchronize (SYN) and acknowledge (ACK) each other. The exchange of these four flags is performed in three steps: SYN, SYN-ACK, ACK.
What port uses SSH?
What port uses DNS?
Port 22
Port 53, DNS operates a Layer 7.
What is Risk and Risk Management? Risk can be defined as the ‘effect of uncertainty on objectives’. Risk is important as it assists organisations in setting strategy, achieving objectives and making informed decisions. Taking risks is fundamental to organisations 

Cybersecurity risk management is a strategic approach to prioritizing threats. Organizations implement cybersecurity risk management in order to ensure the most critical threats are handled in a timely manner. This approach helps identify, analyze, evaluate, and address threats based on the potential impact each threat poses.

A mentee reached out for CISSP help. Sharing my notes on the high level processes to measure Organizational Risk and Quantify Impact.

Effective Risk Management enables businesses to proactively prioritize risk treatments and maximize returns on security investments. Scale is a challenge.

How to Measure Risk:

1. Determine Asset Values: The value of an asset is more than the out-of-pocket dollars required to obtain the assets.

• Determining Asset values is a foundational part of the overall risk vs. impact analysis process that helps an organization understand the possible financial impact on the enterprise concerning a specific threat.

• Qualitative – subjective values based on assets worth to the organization
• Quantitative- values based on assets cost

2. Measure:
• The initial and ongoing cost to the enterprise for purchasing/licensing/ developing and supporting the environment or information asset

• An assets value to the enterprise production operations R&D in core business viability

• An asset’s value established on the external marketplace and the estimated value of the intellectual property such as trade secrets, patents, copyright

• An asset’s value to an adversary
• Cost to replace if the asset is lost
• Operational costs incurred if unavailable
• Liability issues if the asset is compromised

3. Perform Security Risk Analysis Steps:
• Assign a value to information and assets
• Estimate potential loss of risk
• Perform threat analysis
• Remedial measures to counteract each risk
• Reduce, Assign, Transfer, or Accept the risk
4. Determine Financial Impact & Investment Threshold:

• Impact analysis is concerned with calculating the potential financial impact of threats to various assets.

A. Determine exposure factor:
Single loss expectancy * asset value = exposure

The exposure is the percent of an asset loss caused by an identified threat. E.G.- If a hurricane hits my business office and generates 50% destruction, then the exposure factor is 50%

B. Determine Single Loss Expectancy (SLE):

Asset Value * Exposure factor = SLE

For the business office example, the SLE would be 1billion x .05 = 500 million

C. Determine Annualized Rate of Occurrence:
The Annualized rate of occurrence is the possibility of a specific threat occurring within a year. If a hurricane season is only 20% of a year, then the annualized rate of occurrence is 20%

D. Determine Annualized Loss Expectancy:

To calculate the annualized loss expectancy for a company per year, multiply the SLE by the annualized rate of occurrence.

Example: SLE (500 million) x annualized rate of occurrence (.20) = 100 million ALE

5. Business Insight for Risk Impact & Mitigation Cost Threshold

* ALE enables cost/benefit analysis when choosing mitigating actions to reduce potential loss.

*In the example, spending more than $100M on annual risk mitigation would be a waste of $
What is risk vulnerability and threat?,when%20the%20threat%20does%20occur.,when%20the%20threat%20does%20occur.
What is the difference between HTTP and HTTPsHTTP sends data over port 80 while HTTPS uses port 443.
HTTP operates at application layer, while HTTPS operates at transport layer.
No SSL certificates are required for HTTP; with HTTPS, it is required that you have an SSL certificate and a CA signs it.
What is the difference between SSL/TLS
What is TLS?
Transport Layer Security (TLS) is the successor protocol to SSL. TLS is an improved version of SSL. It works in much the same way as the SSL, using encryption to protect the transfer of data and information. The two terms are often used interchangeably in the industry although SSL is still widely used. When you buy an ‘SSL’ certificate from DigiCert, you can of course use it with both SSL and TLS protocols.
What port is RDP?3389
What port is smtp25
most common SMTP Ports you should know about, namely Port 25, Port 465, 587-
What is the difference between UDP / TCPWhat is TCP?
Transmission Control Protocol (TCP) is connection-oriented, meaning once a connection has been established, data can be transmitted in two directions. TCP has built-in systems to check for errors and to guarantee data will be delivered in the order it was sent, making it the perfect protocol for transferring information like still images, data files, and web pages.
But while TCP is instinctively reliable, its feedback mechanisms also result in a larger overhead, translating to greater use of the available bandwidth on your network. 

What is UDP?
User Datagram Protocol (UDP) is a simpler, connectionless Internet protocol wherein error-checking and recovery services are not required. With UDP, there is no overhead for opening a connection, maintaining a connection, or terminating a connection; data is continuously sent to the recipient, whether or not they receive it. 
Although UDP isn’t ideal for sending an email, viewing a webpage, or downloading a file, it is largely preferred for real-time communications like broadcast or multitask network transmission.
What is a APT?An advanced persistent threat (APT) is a broad term used to describe an attack campaign in which an intruder, or team of intruders, establishes an illicit, long-term presence on a network in order to mine highly sensitive data.

An advanced persistent threat is a stealthy threat actor, typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period

APT Groups –

What is a IoC?Indicator of compromise or IOC is a forensic term that refers to the evidence on a device that points out to a security breach. In this article, we discussed how IOC can be useful for your cyber security team.

Explain the MITRE tiers?ATT&CK Matrix for Enterprise Matrices (11 Tiers)

They now have multiple Matrices that covers, Cloud, Mobile, ICS and SaaS / O365.

Resource Development
Initial Access
Privilege Escalation
Defense Evasion
Credential Access
Lateral Movement
Command and Control
Explain Control Plane vs Data Plane (in respect to AWS?In terms of Control Plane and Data plane, in respect to AWS, The Control Pane is the AWS management layer and the Data Plane is were the Servers, Data and Applications run.
What is SSL Inspection?
What are the 7 OSI Model layers?

In which OSI layer is DNS? Layer 7
What is DNS?
What happens DNS when you hit on browser
Explain DNS name resolutions?
The Domain Name System
(DNS) is the phonebook of the Internet. Humans access information online through domain names, like or Web browsers interact through Internet Protocol (IP) addresses. DNS translates domain names to IP addresses so browsers can load Internet resources. –

Each device connected to the Internet has a unique IP address which other machines use to find the device. DNS servers eliminate the need for humans to memorize IP addresses such as (in IPv4), or more complex newer alphanumeric IP addresses such as 2400:cb00:2048:1::c629:d7a2 (in IPv6).

What is Authoritative DNS?
What is recursive DNS?
Authoritative DNS is the system that takes an address, like, and provides an answer about the resources in that zone.

The purpose of Recursive DNS, as we saw in step 2.1 above, is to hold information about a host for the given amount of time specified by that record’s Time To Live (TTL) Value. Recursion can happen at a number of different levels, depending on the network.

Recursive DNS exists primarily to help reduce authoritative lookups, and increase the speed at which Internet users are able to access the resources they most frequently use. While ISPs provide this as a free service, there are a number of public DNS recursives that can be used as an alternative. OpenDNS and Google DNS are examples of free, public recursive servers – because they are more widely used, the recursion is aggregated globally and may result in an increase in performance when browsing the web.

What is SASE?
What is DNS Tunnelling?
How does SAML work?SAML works by exchanging user information, such as logins, authentication state, identifiers, and other relevant attributes between the identity and service provider. As a result, it simplifies and secures the authentication process as the user only needs to log in once with a single set of authentication credentials.
What is a CDN?
What are cookie –
Explain DNS return code?
Is HTTP stateless connection?
What is HTTPS/HTTP ?,the%20use%20of%20stateful%20sessions.
Which Operating Systems would you use for different use cases/requirements?FreeBSD – Secure / Front End Webservers + NGENIX
UbuntuLTS – General Desktop OS
MacOS/Windows – General User Desktop OS
CentOS/RedHat – Servers
AIX/System Z – Mission Critical
What is the AWS Shared Responsibility Model?What is the AWS Shared Responsibility Model?
If you where going to develop a Prototype MVP application that needs to scale-out to millions of users quickly, how would you do it?I would build it on top of GCP as that is IMO, the best Cloud Platform, using Serverless Code connecting to GCP Database backend and front end using either Flutter and Backend using Python, or use a existing framework such as Joomla CMS or WordPress as the basis for a MVP. I would also use QT for multi-os application and for a Machine Learning platform, use ELK stack.
What is a ODDA Loop?
What is a CIA Triad?Confidentiality is roughly equivalent to privacy. Confidentiality measures are designed to prevent sensitive information from unauthorized access attempts. It is common for data to be categorized according to the amount and type of damage that could be done if it fell into the wrong hands. More or less stringent measures can then be implemented according to those categories.
Integrity involves maintaining the consistency, accuracy and trustworthiness of data over its entire lifecycle. Data must not be changed in transit, and steps must be taken to ensure data cannot be altered by unauthorized people (for example, in a breach of confidentiality).
Availability means information should be consistently and readily accessible for authorized parties. This involves properly maintaining hardware and technical infrastructure and systems that hold and display the information.
What is the Gartner SOC Visibility Triad
Explain Chain of Custody?Chain of Custody is a term referring to the order and way physical or electronic evidence in investigations is handled.

It is important to show that all evidence was handled in line with best practice procedures, by documenting all relevant details in the ‘Chain of Custody’ document.

Items found to form part of an inadequate or inaccurate chain of custody document may be deemed inadmissible.
Explain the difference between BCP/DRP?BCDR

business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected.

disaster recovery plan (DRP) is a documented, structured approach that describes how an organization can quickly resume work after an unplanned incident. A DRP is an essential part of a business continuity plan (BCP). It is applied to the aspects of an organization that depend on a functioning information technology (IT) infrastructure. A DRP aims to help an organization resolve data loss and recover system functionality so that it can perform in the aftermath of an incident, even if it operates at a minimal level.

What is RPO/RTO?Recovery Point Objective (RPO) describes the interval of time that might pass during a disruption before the quantity of data lost during that period exceeds the Business Continuity Plan’s maximum allowable threshold or “tolerance.”

Recovery Time Objective (RTO) is the duration of time and a service level within which a business process must be restored after a disaster in order to avoid unacceptable consequences associated with a break in continuity. In other words, the RTO is the answer to the question: “How much time did it take to recover after notification of business process disruption?“
What is the first things you would do for a Cyber Security Strategy? 1. Create an Incident Response Plane and DFIR retainer for any Incidents (CSIRT).
2. Create an IT asset register?
3. Create Cyber Awareness Training?
4. Create a Cyber Strategy and Roadmap based on a BIA?
5. Establish 24/7 Detection and Response capability?
6. Ensure your BCP/DRP and Backups work.
What Cyber security Polcies and Frameworks are you familiar with?Regulations / Governance / Law
Australian Privacy Principles
PCS-DSS (Layer 1, Layer 2, Layer 3 and Layer 4)


ASD Essential 8
NIST 800-53
ISO 27001
CIS Controls
Explain CVE?CVE stands for Common Vulnerabilities and Exposures. CVE is a glossary that classifies vulnerabilities. The glossary analyzes vulnerabilities and then uses the Common Vulnerability Scoring System (CVSS) to evaluate the threat level of a vulnerability. A CVE score is often used for prioritizing the security of vulnerabilities.

The CVE glossary is a project dedicated to tracking and cataloging vulnerabilities in consumer software and hardware. It is maintained by the MITRE Corporation with funding from the US Division of Homeland Security. Vulnerabilities are collected and cataloged using the Security Content Automation Protocol (SCAP).
Does Australian Government provide any Cyber Security guidance?Essentials 8
Australian Privacy Principles.
Australian Energy Sector Cyber Security Framework (AESCSF)
What is the Purdue Model?
Ask questions based on the SANs Posters– SANs Windows Forensic –
– SANS Hunt Evil –
Explain Cross site Scripting?

Cross site scripting (XSS) is an attack in which an attacker injects malicious executable scripts into the code of a trusted application or website. Attackers often initiate an XSS attack by sending a malicious link to a user and enticing the user to click it. 
What is a Drive by download?Lurk, a cybercriminal group infamous for their stealthy and fileless
 infection techniques, exploited web browser vulnerabilities for their drive-by download attacks. A cyberespionage group called Patchwork (or Dropping Elephant),
 used drive-by download techniques — such as creating a fake social video website called YoukuTudou
 to target victims in China — to download and execute an xRAT
 Trojan under the guise of an Adobe Flash Player update
Explain SQL Injection
How do you stop SQL injection?
Structured Query Language (SQL*) Injection is a code injection technique used to modify or retrieve data from SQL databases. By inserting specialized SQL statements into an entry field, an attacker is able to execute commands that allow for the retrieval of data from the database, the destruction of sensitive data, or other manipulative behaviors.

Escape All User Supplied Input – When writing SQL, specific characters or words have particular meaning. For example, the ‘*’ character means “any” and the words “OR” is a conditional. To circumvent users who enter these characters either accidentally or maliciously into an API request to the database, user supplied input can be escaped. Escaping a character is the way of telling the database not to parse it as a command or conditional but instead treat it as literal input.
Use of Stored Procedures – Although not a robust security strategy by itself, stored procedures can help limit the risk associated with SQL injection. By properly limiting the permissions of the database account running SQL queries, even non-robust application code that is vulnerable to SQL injection will lack the permissions necessary to manipulate unrelated database tables. Stored procedures may also check the type of input parameters, preventing data to be input that violates the type the field is designed to receive. In instances where static queries are insufficient, stored procedures are typically to be avoided.
Enforce Least Privilege – As a general rule, in all instances where a website needs to use dynamic SQL, it is important to reduce the exposure to SQL injection by limiting permissions to the narrowest scope required to execute the relevant query. In its most obvious form, this means that an administrative account should in no instance be executing SQL commands as a result of a API call from an unauthorized request. While stored procedures are best utilized for static queries, enforcing least privilege can help reduce the risks of dynamic SQL queries.
What is CSRF?Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.
XSS Cross Site ScriptingCross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Explain Durability?
Building a Corporate Security Program From The Ground Up?
Stateful vs. Stateless Firewalls?Stateless firewalls are designed to protect networks based on static information such as source and destination. Whereas stateful firewalls filter packets based on the full context of a given network connection, 
Stateless firewalls filter packets based on the individual packets themselves
What is DMARC?Domain-based Message Authentication, Reporting and Conformation)
What is AuditD?Auditd is the userspace component to the Linux Auditing System. Auditd is short for Linux Audit Daemon. In Linux, daemon is referred to as background running service and there is a ‘d’ attached at the end of the application service as it runs in the background. The job of auditd is to collect and write log files of audit to the disk as a background service
Explain SQL Joins
What is the difference between Truncate database and drop table?quickly removes all data from a table, typically bypassing a number of integrity enforcing mechanisms.
dropping a table. Deleting a table will result in loss of complete information stored in the table
Explain Public Key Cryptography (PKI)Public key infrastructure (PKI) governs the issuance of digital certificates to protect sensitive data, provide unique digital identities for users, devices and applications and secure end-to-end communications.
What is the meaning of TCP and IP in the term TCP/IPTransmission Control Protocol/Internet ProtocolTCP/IP Transmission Control Protocol/Internet Protocol

TCP/IP stands for Transmission Control Protocol/Internet Protocol and is a suite of communication protocols used to interconnect network devices on the internet. TCP/IP is also used as a communications protocol in a private computer network (an intranet or extranet).
What is symmetric and asymmetricsecurity
Machine Learning
Block Chain
Pre vs Post Routing
What is SElinux
Explain Logon types
MITM attack happens when a communication between two parties is intruded or intercepted by an outside entity.
– Use encryption (public key encryption) between both parties
– Avoid using open wi-fi networks.
– Use HTTPS, forced TLS or VPN.
What the difference between RFI vs LFIRemote File Inclusion (RFI) is a type of vulnerability most often found on PHP running websites.
Local File Inclusion (LFI) is very much like RFI; the only difference is that in LFI the attacker has to upload the malicious script to the target server to be executed locally.,found%20on%20PHP%20running%20websites.&text=Local%20File%20Inclusion%20(LFI)%20is,server%20to%20be%20executed%20locally.
What are Linux C groups
Control groups, usually referred to as cgroups, are a Linux kernel feature which allow processes to be organized into hierarchical groups whose usage of various types of resources can then be limited and monitored. The kernel’s cgroup interface is provided through a pseudo-filesystem called cgroupfs. Grouping is implemented in the core cgroup kernel code, while resource tracking and limits are implemented in a set of per-resource-type subsystems (memory, CPU, and so on).
What is the Shadow Group?The shadow group allows system programs which require access the ability to read the /etc/shadow file. No users should be assigned to the shadow group.
What is kerberos rosting?Kerberoasting is a post-exploitation attack technique that attempts to crack the password of a service account within the Active Directory (AD).,the%20Active%20Directory%20(AD).
Common Ports
What is OWASP?1. Broken Access Links
2. Cryptographic Failures
3, Injection
4. Insecure Design
5. Security Misconfiguration
6. Vulnerable and Outdate Components
7. Software and Data Integrity Failures
8. Security Logging and Monitoring.
9. Server-Side Request Forgery (SSRF)
10. XML External Entities (XXE)
11. Cross-Site Scripting (XSS)
A01:2021-Broken Access Control moves up from the fifth position to the category with the most serious web application security risk; the contributed data indicates that on average, 3.81% of applications tested had one or more Common Weakness Enumerations (CWEs) with more than 318k occurrences of CWEs in this risk category. The 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category.
A02:2021-Cryptographic Failures shifts up one position to #2, previously known as A3:2017-Sensitive Data Exposure, which was broad symptom rather than a root cause. The renewed name focuses on failures related to cryptography as it has been implicitly before. This category often leads to sensitive data exposure or system compromise.
A03:2021-Injection slides down to the third position. 94% of the applications were tested for some form of injection with a max incidence rate of 19%, an average incidence rate of 3.37%, and the 33 CWEs mapped into this category have the second most occurrences in applications with 274k occurrences. Cross-site Scripting is now part of this category in this edition.
A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.
A05:2021-Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration, with an average incidence rate of 4.5%, and over 208k occurrences of CWEs mapped to this risk category. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for A4:2017-XML External Entities (XXE) is now part of this risk category.
A06:2021-Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.
A07:2021-Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.
A08:2021-Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. A8:2017-Insecure Deserialization is now a part of this larger category.
A09:2021-Security Logging and Monitoring Failures was previously A10:2017-Insufficient Logging & Monitoring and is added from the Top 10 community survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.
A10:2021-Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.
What is eBFP?BPF is a revolutionary technology with origins in the Linux kernel that can run sandboxed programs in an operating system kernel. It is used to safely and efficiently extend the capabilities of the kernel without requiring to change kernel source code or load kernel modules.
Historically, the operating system has always been an ideal place to implement observability, security, and networking functionality due to the kernel’s privileged ability to oversee and control the entire system. At the same time, an operating system kernel is hard to evolve due to its central role and high requirement towards stability and security. The rate of innovation at the operating system level has thus traditionally been lower compared to functionality implemented outside of the operating system.
What is micro-segmentation?
What is a ‘Golden Ticket’
What is ‘Ring 0’Ring 0 (most privileged) and 3 (least privileged)
Ring 0 is accessible to the kernel, which is a central part of most operating systems and can access everything. Code running here is said to be running in kernel mode. Processes running in kernel mode can affect the entire system; if anything fails here, it will probably result in a system shutdown. This ring has direct access to the CPU and the system memory, so any instructions requiring the use of either will be executed here.

Ring 3, the least priviliged ring, is accessible to user processes that are running in user mode. This is where most applications running on your computer will reside. This ring has no direct access to the CPU or memory, and therefore has to pass any instructions involving these to ring 0.

How does HTTP maintain state?HTTP is a stateless (or non-persistent) protocol. Each request is treated by its own. A request will not know what was done in the previous requests. The protocol is designed to be stateless for simplicity.  However, some Internet applications, such as e-commerce shopping cart, require the state information to be passed one request to the next. Since the protocol is stateless, it is the responsibility of the application to maintain state information within their application.
A few techniques can be used to maintain state information across multiple HTTP requests, namely,

– Cookie
– Hidden fields of the HTML form.
– URL rewriting.,to%20be%20stateless%20for%20simplicity.
Does TLS use Asymmetric or Symmetric Encryption?SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session between a client and a server, and symmetric encryption is used to exchange data within the secured session.
What is Asymmetric or Symmetric Encryption?Symmetric encryption uses a single key that needs to be shared among the people who need to receive the message while asymmetric encryption uses a pair of public key and a private key to encrypt and decrypt messages when communicating.,and%20decrypt%20messages%20when%20communicating.
What is the difference between General Purpose OS and other operating systems like ESXi?
Explain SHA-11 algorithm in detail?,which%20is%2040%20digits%20long.
What is MD5 checksum?MD5 (technically called MD5 Message-Digest Algorithm) is a cryptographic hash function whose main purpose is to verify that a file has been unaltered.

Instead of confirming two sets of data are identical by comparing the raw data, MD5 does this by producing a checksum on both sets and then comparing the checksums to verify they’re the same.

MD5 has certain flaws, so it isn’t useful for advanced encryption applications, but it’s perfectly acceptable to use it for standard file verifications.
Explain sessions hijacking and the effect of 2 factor authentication?
What is MITREMITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.
What’s the difference between a policy, process and procedure?
Explain Zero TrustZero trust network access (ZTNA) is a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications. The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.,a%20set%20of%20named%20entities.
Name 3 Internet Protocols which use TCP?
Name 3 protocols which use udp?
Name 2 which use neither?

What is the difference between encoding, encryption and hashing?Encoding: Reversible transformation of data format, used to preserve the usability of data.
Hashing: A one-way summary of data that cannot be reversed and is used to validate the integrity of data.
Encryption: Secure encoding of data used to protect the confidentiality of data.
What is a rainbow table?A rainbow table attack is a password cracking method that uses a special table (a “rainbow table”) to crack the password hashes in a database
If you had to encrypt and compress data during transmition, what would you do first?You should compress before encrypting. Encryption turns your data into high-entropy data, usually indistinguishable from a random stream. Compression relies on patterns in order to gain any size reduction.
Cross site request forgery (CSRF), also known as XSRF, Sea Surf or Session Riding, is an attack vector that tricks a web browser into executing an unwanted action in an application to which a user is logged in.
In a public-key cryptography, you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which purpose?
Explain AWS Security and networkingVPC
Security Groups
Network ACls
Explain Kubernetes networking?Kubernetes automates operational tasks of container management and includes built-in commands for deploying applications, rolling out changes to your applications, scaling your applications up and down to fit changing needs, monitoring your applications, and more—making it easier to manage applications.

Kubernetes networking allows Kubernetes components to communicate with each other and with other applications. The Kubernetes platform is different from other networking platforms because it is based on a flat network structure that eliminates the need to map host ports to container ports. The Kubernetes platform provides a way to run distributed systems, sharing machines between applications without dynamically allocating ports. 

Kubernetes is a portable, extensible, open source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available.
The name Kubernetes originates from Greek, meaning helmsman or pilot. K8s as an abbreviation results from counting the eight letters between the “K” and the “s”. Google open-sourced the Kubernetes project in 2014. Kubernetes combines over 15 years of Google’s experience running production workloads at scale with best-of-breed ideas and practices from the community.

Containers uses a Flat network.
What are Helm ChartsHelm helps you manage Kubernetes applications — Helm Charts help you define, install, and upgrade even the most complex Kubernetes application.
Charts are easy to create, version, share, and publish — so start using Helm and stop the copy-and-paste.
Helm is a graduated project in the CNCF and is maintained by the Helm community.
Explain how to achieve lateral movement?
Explain a tool to gain privilege escalation?Benjamin Delpy originally created Mimikatz as a proof of concept to show Microsoft that its authentication protocols were vulnerable to an attack. Instead, he inadvertently created one of the most widely used and downloaded threat actor tools of the past 20 years.

What is side car?sidecar is a separate container that runs alongside an application container in a Kubernetes pod – a helper application of sorts. Typically, the sidecar is responsible for offloading functions required by all apps within a service mesh – SSL/mTLS, traffic routing, high availability, and so on –
Familiarise your self with Flare-On 9 Challenge Solutions
Difference between TLS version 1.2 and 1.3. Explain the DNS flow when any website is accessed on browser.TLS 1.3 offers several improvements over earlier versions, most notably a faster TLS handshake and simpler, more secure cipher suitesZero Round-Trip Time (0-RTT) key exchanges further streamline the TLS handshake. Together, these changes provide better performance and stronger security.

A Faster TLS Handshake
TLS encryption and SSL decryption require CPU time and add latency to network communications, somewhat degrading performance. Under TLS 1.2, the initial handshake was carried out in clear text, meaning that even it needed to be encrypted and decrypted. Given that a typical handshake involved 5 – 7 packets exchanged between the client and server, this added considerable overhead to the connection. Under version 1.3, server certificate encryption was adopted by default, making it possible for a TLS handshake to be performed with 0 – 3 packets, reducing or eliminating this overhead and allowing faster, more responsive connections.
Simpler, Stronger Cipher Suites
In addition to reducing the number of packets to be exchanged during the TLS handshake, version 1.3 has also shrunk the size of the cipher suites used for encryption. In TLS 1.2 and earlier versions, the use of ciphers with cryptographic weaknesses had posed potential security vulnerabilities. TLS 1.3 includes support only for algorithms that currently have no known vulnerabilities, including any that do not support Perfect Forward Secrecy (PFS). The update has also removed the ability to perform “renegotiation,” in which a client and server that already have a TLS connection can negotiate new parameters and generate new keys, a function that can increase risk.
Zero Round-Trip Time (0-RTT)
As with SSL, TLS relies on key exchanges to establish a secure session. In earlier versions, keys could be exchanged during the handshake using one of two mechanisms: a static RSA key, or a Diffie-Hellman key. In TLS 1.3, RSA has been removed, along with all static (non-PFS) key exchanges, while retaining ephemeral Diffie-Hellman keys. In addition to eliminating the security risk posed by a static key, which can compromise security if accessed illicitly, relying exclusively on the Diffie-Hellman family allows the client to send the requisite randoms and inputs needed for key generation during its “hello.” By eliminating an entire round-trip on the handshake, this saves time and improves overall site performance. In addition, when accessing a site that has been visited previously, a client can send data on the first message to the server by leveraging pre-shared keys (PSK) from the prior session—thus “zero round-trip time” (0-RTT).
Packet flow for networking and securityo transfer a packet from source to destination, both the MAC address and IP address of the destination should be known. If the destination MAC address is not present then ARP will resolve this issue first then the packet will be delivered to a destination host. 
There are simple rules for a packet flow in a network: 

If the destination host is present in the same network as the source host then the packet will be delivered directly to the destination host using MAC address.
Within a network, the packet will be delivered on the basis of MAC address.
MAC address never crosses its broadcast domain.
Now, first, we have to take an idea about ARP.
What is Perfect Forward Secrecy Definition?
Perfect Forward Secrecy (PFS), also called forward secrecy (FS), refers to an encryption system that changes the keys used to encrypt and decrypt information frequently and automatically. This ongoing process ensures that even if the most recent key is hacked, a minimal amount of sensitive data is exposed.
Web pages, calling apps, and messaging apps all use encryption tools with perfect forward secrecy that switch their keys as often as each call or message in a conversation, or every reload of an encrypted web page. This way, the loss or theft of one decryption key does not compromise any additional sensitive information—including additional keys.
OWSAP Top 10
Explain Log4J
How can you Pentest a WAF based ApplicationDefault no configuration settings – No WaF protection at all.
Simple URL restriction policy – Restrictions for URL access only.
Simple URL restrictions & parameter checking – URL restriction and parameter inspection.
Simple URL restrictions & parameter checking for basic HTTP traffic – All the above with specific malicious traffic inspection (this will be listed below in the attack types).
Simple URL restrictions & parameter checking for basic JSON/SOAP specific traffic – Same as the above, however, may also be required if your application uses specific web services.
File upload checking – finally, file upload facilities should be inspected for malicious content.
Popular attack signatures – encoded and non-encoded SQL injection, XSS, OS Injection, LDAP Injection, XML Injection, Path Traversal, Local File Inclusion, Remote File Inclusion etc.
Header manipulation techniques – attacking cookie/referer/host headers etc.
JSON/SOAP schema bypass techniques.
Masked data – shikata_ga_nai and Base64 encoding etc.
File scanning manipulation – masked and unmasked anti-virus and malware signatures.
Charecter limit oversights
Finger printing WAF
 SQL injection, Cross-Site Scripting (XSS), buffer overflows, file inclusion attacks
What is the MS GINAWinlogon, the GINA, and network providers are the parts of the interactive logon model. The interactive logon procedure is normally controlled by Winlogon, MSGina.dll, and network providers. To change the interactive logon procedure, MSGina.dll can be replaced with a customized GINA DLL
Explain how a VPN works?

Explain Threat Modellingl
Explain STRIDE
Explain DevSecOps and SDLC
Explain what is a Security Strategy
What is BIA
What is Risk Management?
What is FIRST method?

Threat Modelling: Threat modeling is a systematic approach used to identify, assess, and mitigate potential threats and vulnerabilities in a system, application, or process. It involves analyzing the system’s architecture, identifying potential threats, and evaluating their potential impact. The goal is to proactively identify and address security risks, enabling organizations to design and implement effective security controls.
STRIDESTRIDE is an acronym that represents different categories of threats used in threat modeling. It stands for:

– Spoofing An attacker impersonates a legitimate user or system to gain unauthorized access
– Tampering, Unauthorized modification or alteration of data, code, or system components
-Repudiation, The inability to prove or disprove an action or event, often used by attackers to deny their involvement.
– Information Disclosure: Unauthorized access to sensitive or confidential information.
– Denial of Service: Disrupting or disabling the availability or functionality of a system or service.
– Elevation of Privilege: An attacker gains unauthorized privileges or elevated access rights.

By considering each of these threat categories during threat modeling, organizations can identify potential security weaknesses and develop appropriate countermeasures.
DevSecOpsDevSecOps and SDLC: DevSecOps is an approach that integrates security practices into the software development lifecycle (SDLC) from the beginning, rather than treating security as an afterthought. It emphasizes collaboration between development, operations, and security teams to ensure that security considerations are addressed at every stage of the software development process.
SDLCThe SDLC refers to the series of phases and activities involved in developing software, from conception to retirement. It typically includes requirements gathering, design, development, testing, deployment, and maintenance. When security is incorporated into the SDLC, it ensures that security measures are implemented at each stage, reducing vulnerabilities and enhancing overall system security
Security StrategyA security strategy is a comprehensive plan that outlines an organization’s approach to managing and mitigating security risks. It includes a set of guiding principles, objectives, and measures to protect critical assets, data, and systems. A security strategy typically covers areas such as risk assessment, incident response, access control, threat prevention, and employee awareness and training.

The strategy is tailored to the organization’s specific needs, considering factors such as industry regulations, business goals, and the threat landscape. It provides a roadmap for implementing security controls and establishes a framework for ongoing monitoring, evaluation, and improvement of security measures.
BIABIA (Business Impact Analysis): Business Impact Analysis is a process used to identify and evaluate the potential impact of a disruption or incident on critical business operations. It assesses the potential financial, operational, and reputational consequences of various events, such as natural disasters, cyber-attacks, or system failures.

BIA involves identifying key business processes, determining their criticality and dependencies, and estimating the potential impacts of disruptions, including financial losses, customer dissatisfaction, and regulatory non-compliance. The analysis helps prioritize the allocation of resources for disaster recovery planning, business continuity strategies, and risk mitigation efforts.
Risk ManagementRisk management is the process of identifying, assessing, and prioritizing risks to minimize their impact on an organization’s objectives. It involves understanding potential threats and vulnerabilities, analyzing their likelihood and potential impact, and developing strategies to mitigate or transfer the risks.
The risk management process typically includes risk identification, risk assessment, risk mitigation planning, risk monitoring, and risk review. It aims to strike a balance between risk reduction and business goals, enabling organizations to make informed decisions and allocate resources effectively to address security threats.
FIRST MethodThe FIRST (Forum of Incident Response and Security Teams) method is a framework used for incident response. It provides a structured approach to handling security incidents effectively and efficiently. The FIRST method consists of the following steps:
What is the Kubernetes command line tool, and what does it do?Kubectl, this allows you to run commands against your Kubernetes clusters
What is a control plane?The brain of the Kubernetes cluster. It contains several components like the API server, which acts as a gateway to the cluster, the scheduler, which assigns workloads to nodes, and the controller manager, which manages various controllers to maintain desired state of the cluster. Resides on designated node in the cluster
What is the kubectl command to view all CBContainer resources?kubectl get all -n cbcontainers-dataplane
What are the two K8’s processes that you will find running on all of your K8’s nodes?Kubeproxy and kubelet
What is a secret in containerization?A secret refers to a sensitive piece of information or confidential data that is securely stored and managed for use by applications running within containers. Secrets are typically used to handle sensitive information, such as API keys, passwords, or other authentication creden
What are some risks associated with Containers and KubernetesThird party image registries -> Attackers target these and insert malicious code- Ephemeral nature of containers- > Makes it more challenging to monitor and detect vulnerabilities- Speed of deployment -> Modern apps are updated rapidly which means that rigorous testing and scanning is required to prevent vulnerabilities in prod environments- Complexity of environments, difficult for any one person to understand it
What Kubernetes hardening rules modules are used to restrict the capabilities of individual programs and containers, confining them to a specific set of permissions and limiting their access to system resources?Confidential │© Carbon Black7AppArmor, SELinux, SecComp Profile
What is a PODA pod is the smallest deployable unit in Kubernetes and is the basic building block of the Kubernetes object model. Basically, a pod is a group of one or more containers with shared storage and network resources, and a specification for how to run the containers. Pods run on nodes. If a pod (or the nodes it runs on) fails, Kubernetes can automatically create a new replica of that pod to continue operations. Pods are used for deploying and m
What is a container image?A container image is a lightweight, standalone, and executable software package that includes everything needed to run a piece of software including code, runtime, libraries, and system tools. It is a static and immutable file, meaning it cannot be changed. A container image has a very basic operating system only to run its application within the container. W
What is a container?A container is a running instance of a container image. It is a runnable process that encapsulates the application and its dependencies. When a container is started, it runs the code and processes defined in the container image. Container creation also adds a writable layer on top of the container image.
What is the writable layer in a container?When a container starts, it creates what we call a writable layer. This is also referred to as the container layer. This writable layer, known as the container’s file system, allows processes running inside the container to make changes, create files, modify
Does the writable layer affect the container imageNo, the underlying image remains immutable and unchanged. And modifications or changes made within the running container are stored in the writable layer on top of the container image
What are some IRL scenarios where changes would be made to a container’s writable layer?Confidential │© Carbon Black14Application logs, database data updates, temporary files/caches, configuration overrides, application updates

Other resources

Learning Resources

[1] Several videos including 2 concerning technical interview questions by Mike Meyers of Total Seminars and Richard Chapman of CyberNow Labs.

[2] An article on go-to answers for tricky interview questions; not SOC Analyst specific.

[3] 47 Cybersecurity interview questions from Springboard.

[4] 50 Cybersecurity interview questions from Edureka.

[5] SOC Analyst interview questions from LetsDefend.

[6] What to do before, during, and after an interview from LinkedIn Learning.

[7] I’ve been told I will be asked about OWASP® Foundation Top 10. Here is all you need to answer questions about it from Sucuri Security.

[8] A great interview prep resource list courtesy of Will Broom.

[9] 12 SOC Analyst interview questions courtesy of  👉🏼 Gerald Auger, Ph.D. Auger, Ph.D. and Simply Cyber.

[10] Short, sweet, and great interview advice courtesy of Thrive Global.

[11] This is a great post covering interview techniques courtesy of David Meece.

[12] Some good pre-interview preparation advice courtesy of Josh Fullmer.

Professor Messera –

Learning Resources

More Resources

Top 30 Penetration Tester Interview Questions / Answers

Cyber Security Interview Prep

SOC Analyst Interview Questions (LetsDefend)

GRC Entry-Level Interview Q&A (👉🏼 Gerald Auger, Ph.D.)

Mastering the Art of the Interview (TEDX Talks / Ashley Rizzotto, M.Ed.)

Tell Me About Yourself – A Good Answer To This Question

How to Ace a Job Interview: 10 Crucial Tips

Cybersecurity Interview Preparation Playlist (👉 Jon Good 👈)

How To Be Confident In Interviews

How To Crush Any Interview

10 Best Questions to Ask an Interviewer

How to Ace Your Job Interview (David Bombal)

Cybersecurity Practice Interview Questions Playlist (Josh Madakor)

How to Prepare for a Cyber Security Interview (Cyberspatial)

How to Fail a Cybersecurity Interview (Cyberspatial)

Interview Tips

Cloud Interview Questions