These are some of the more common directories in which malware will install itself on
Microsoft Windows (multiple versions)
%ApplicationData%\Microsoft\
%System%\[FileName].dll
%Program Files%\Internet Explorer\[FileName].dll
%Program Files%\Movie Maker\[ FileName].dll
%All Users Application Data%\[ FileName].dll
%Temp%\[ FileName].dll
%System%\[ FileName].tmp
%Temp%\[ FileName].tmp
Malware will attempt to hook system and user processes in order to operate behind the
scenes and also attempt to prevent the victim from quickly identifying its activity. These are typical system and user processes affected by malware found.
explorer.exe
services.exe
svchost.exe
Here are some of most common Registry locations where malware will install itself on a victim‟s computer in order
to execute and propagate.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\
BOOT PROCESS
Power – When the system is switched on, power reaches the motherboard
through SMPS
BIOS – BIOS present on the motherboard is activated; Does the POST check;
then check for devices connected and passes control to the relevant device
(boot device) for the next stage of booting.
MBR – MBR of the boot device gets activated and checks for any boot loaders
or active partitions. If a boot loader is present, control is passed to it.
Else the control is passed to the active partition specified.
Active Partition BR – The boot loader of the active partition is activated
when it gets control.
MS WINDOWS
NTLDR (NT Boot Loader) in the system volume is loaded and passed the control
[SYSPART:\ntldr]
NTLDR reads the ‘boot.ini’ in C drive. If more than one OS is present, a choice is requested. Else
it continues booting from the boot partition as found in the boot.ini file. [SYSPART:\boot.ini]
Then NTDETECT from the system partition is loaded which is device detection program.
[SYSPART:\NTDETECT.COM]
It then loads NTOSKRNL (Kernel), HAL (Hardware Abstraction Layer) from the boot partitions.
[%systemroot%\system32\ntoskrnl.exe and %systemroot%\system32\hal.dll]
Then SYSTEM Hive is loaded and all boot drivers is loaded.
[%systemroot%\system32\config\system]
After that the boot loader (NTLOADER) passes control to Kernel (NTOSKRNL)
Kernel then loads the logo screen and initializes the sub-system
It then loads SMSS (Session Manager Subsystem Service) with priority 11 and passes control to it.
[%systemroot%\system32\smss.exe]
SMSS initializes the pagefile and other registry hives.
Starts the 32bit windows kernel (WIN32K.SYS)
[%systemroot%\system32\win32k.sys]
Starts CSRSS (Client Server Runtime Sub System) with priority 13.
[%systemroot%\system32\csrss.exe]
Then it starts WINLOGON with priority 13 and passes control to it.
[%systemroot%\system32\winlogon.exe]
WINLOGON then starts LSASS [Local Security Authorization Subsystem Service] with priority 9.
[%systemroot%\system32\lsass.exe]
WINLOGON then loads MSGINA (Graphical user Identification aNd Authentication), which presents the
login screen to the user.
[%systemroot%\system32\msgina.dll]
It then loads SERVICES (Services Controller) with priority 9.
[%systemroot%\system32\services.exe]
Once the user logs in, SERVICES takes control and loads all the necessary ‘automatic’ services for that user.
https://social.technet.microsoft.com/search/en-US/feed?query=windows%20server&rn=Microsoft%20Security%20Guidance&rq=site:blogs.technet.com/b/secguide/&format=RSS
Sysinternals
Process Explorer
Pink - Services
Blue - same security context as process explorer
Purple - Image is packed (malware commonly use packing/compressed)
process explorer can also check hits on virustotal.
Malware hides in common processes - rundll32.exe and svchost
It does this via an autostart or DLL injection
Sigcheck - image verification is it digitally signed
sigcheck -e -u -s c:\
recursive scan also subdirectories - scan all executables
-u only shows unsigned executables
Sigcheck can also check virustotal for hits
sigcheck -v -s -c c:\
-v : check hash on virustotal (but does not upload file if hash is not present
-c csv output
-vs together submits the sample to virustotal
-----
If
you don't have direct access to the internet, you'll need to specify a
proxy. Unfortunately, it won't take IE's proxy setting, you'll need to
set it via netsh:
backup your settings:
netsh winhttp show proxy
set the proxy
netsh winhttp set proxy
:
Don't forget to reset your proxy settings when you are done:
netsh winhttp reset proxy (or the appropriate command from your backup)
-----
Check all unsigned images especially in \Windows and \Users\
\Appdata
Listdlls - scan running processes for unsigned DLLs
listdlls -u
Well-Known Domain-Relative RIDs
Description
500 Administrator
501 Guest
502 Krbtgt
512 Domain Admins
513 Domain Users
514 Domain Guests
515 Domain Computers
516 Domain Controllers
544 Built-In Administrators
545 Built-In Users
546 Built-In Guests
One possible use case is using the domain admins RID for detecting domain admins activity using a SIEM
