Source: https://github.com/jipegit/IRNotes ("Some IR notes", by jipegit; last pushed 2016-07-23).
# IR Notes

## Windows 
### Windows Event IDs and Lateral Movements 

Scheduled Tasks log: XP: %SystemRoot%\SchedLgu.txt - Win7: %SystemRoot%\Tasks\SchedLgu.txt (the task event IDs below come from the Microsoft-Windows-TaskScheduler/Operational log on Vista+).

| Category | XP / 2003 ID | Vista+ ID | Meaning |
|---|---|---|---|
| Scheduled Tasks | | 106 | Task registered (scheduled) |
| | | 200 | Task action started (executed) |
| | | 201 | Task action completed |
| | | 141 | Task removed |
| Logon Events | 528 | 4624 | Successful logon |
| | 529 | 4625 | Failed logon |
| | 538 | 4647 / 4634 | Successful logoff |
| | 540 | 4624 | Successful network logon (logon type 3) |
| | | 4672 | Special privileges assigned to new logon, i.e. an admin-level logon; correlate with the 4624 carrying the same Logon ID |
| RDP | | 21 | RDP logon success (TerminalServices-LocalSessionManager/Operational) |
| | | 24 | RDP session disconnected |
| | | 25 | RDP session reconnected |
| | | 1149 | RDP user authenticated (TerminalServices-RemoteConnectionManager/Operational; with NLA disabled this fires on connection, before credentials are checked) |
| Account Logon Events | 680 | 4776 | Successful / failed NTLM account authentication |
| | 672 | 4768 | Kerberos TGT issued (successful logon) |
| | 675 | 4771 | Kerberos pre-authentication failed (failed logon) |
| Rogue Local Account | 680 | 4776 | A local account authenticated: the 4776 is logged on the member host itself instead of the DC |
| | 540 | 4624 | Successful network logon immediately following, with the host name as the account domain |
| Share | | 5140 | A network share object was accessed (share mount) |
| Suspicious Services | | 7034 | Service crashed unexpectedly |
| | | 7035 | Service sent a start/stop control |
| | | 7036 | Service entered the running or stopped state |
| | | 7040 | Service start type changed (Boot / On request / Disabled) |
| Clearing Event Logs | 517 | 1102 | The audit (Security) log was cleared |
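The three correlations the table calls out (rogue local account, admin-level network logon, log clearing) run over event records as follows. This is an added example, not code from the IRNotes repo: events are dicts carrying the fields an EVTX-to-JSON export provides, the sample records are constructed, and the AD domain name CORP is an assumption.

```python
"""Correlate Security/System event records for lateral-movement triage.

Added example for these notes, not code from the IRNotes repo. Events are
dicts carrying the fields an EVTX-to-JSON export provides; the sample records
are constructed, and the AD domain name CORP is an assumption.
"""
from datetime import datetime, timedelta

DOMAIN = "CORP"  # assumed AD NetBIOS domain name


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


# Constructed sample: a local account "backup" validated by NTLM on FILESRV
# itself (4776) and logged on over the network one second later (4624 type 3),
# a domain admin's network logon that also raised 4672, and a 1102 log clear.
EVENTS = [
    {"time": "2016-07-20 09:00:01", "id": 4776, "computer": "FILESRV", "account": "backup",
     "workstation": "WS-042"},
    {"time": "2016-07-20 09:00:02", "id": 4624, "computer": "FILESRV", "account": "backup",
     "domain": "FILESRV", "logon_type": 3, "logon_id": "0x3e7a1", "src_ip": "10.1.2.42"},
    {"time": "2016-07-20 09:05:00", "id": 4776, "computer": "DC01", "account": "j.doe",
     "workstation": "WS-007"},
    {"time": "2016-07-20 09:05:01", "id": 4624, "computer": "FILESRV", "account": "j.doe",
     "domain": "CORP", "logon_type": 3, "logon_id": "0x3f002", "src_ip": "10.1.2.7"},
    {"time": "2016-07-20 09:05:01", "id": 4672, "computer": "FILESRV", "account": "j.doe",
     "logon_id": "0x3f002"},
    {"time": "2016-07-20 09:30:00", "id": 1102, "computer": "FILESRV", "account": "j.doe"},
]


def rogue_local_logons(events, window=timedelta(seconds=5)):
    """'Rogue Local Account' pattern: a 4776 on a member host followed within
    `window` by a 4624 type-3 logon whose account domain is the host itself,
    i.e. a local account used over the network instead of a domain one."""
    hits = []
    for auth in (e for e in events if e["id"] == 4776):
        t0 = parse_time(auth["time"])
        for e in events:
            if e["id"] != 4624 or e.get("logon_type") != 3:
                continue
            if e["account"] != auth["account"] or e["computer"] != auth["computer"]:
                continue
            if e["domain"].upper() == DOMAIN:
                continue  # domain account: its 4776 is on the DC, not here
            delta = parse_time(e["time"]) - t0
            if timedelta(0) <= delta <= window:
                hits.append((auth["account"], e["computer"], e["src_ip"], auth["workstation"]))
    return hits


def privileged_network_logons(events):
    """4624 type 3 whose Logon ID also appears in a 4672: an admin-level
    network logon (the 4672 row of the table)."""
    privileged = {e["logon_id"] for e in events if e["id"] == 4672}
    return [(e["account"], e["computer"], e["src_ip"]) for e in events
            if e["id"] == 4624 and e.get("logon_type") == 3 and e["logon_id"] in privileged]


def log_clears(events):
    """1102 (Vista+) or 517 (XP): the Security log was cleared, and by whom."""
    return [(e["time"], e["computer"], e["account"]) for e in events if e["id"] in (1102, 517)]


if __name__ == "__main__":
    for title, rows in (("rogue local logons", rogue_local_logons(EVENTS)),
                        ("privileged network logons", privileged_network_logons(EVENTS)),
                        ("log clears", log_clears(EVENTS))):
        print(title)
        for row in rows:
            print("   ", row)
```

The `window` is deliberately tight: the 4776/4624 pair for a local account lands within a second or two on the same host, and widening it only adds noise from unrelated logons.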
### Normal 

Baseline for the core Windows (Win7-era) processes. Anything that deviates (an image path outside System32, an unexpected parent, a second lsass.exe, an svchost.exe not started by services.exe) deserves a closer look.

#### System 
	Image Path: No Image Path
	Parent Process: No Parent Process
	Number of Instances : One (PID 4)
	User account: Local System
	Start Time: At boot time

#### smss.exe 
	Image Path: %SystemRoot%\System32\smss.exe
	Parent Process: System
	Number of Instances : One master and one child per session, the child exiting once the session is created
	User account: Local System
	Start Time: Within seconds of boot time for the master instance

#### wininit.exe
	Image Path: %SystemRoot%\System32\wininit.exe
	Parent Process: Created by a child instance of smss.exe that has since exited (tools usually don't show a parent process name)
	Number of Instances : One
	User account: Local System
	Start Time: Within seconds of boot time

#### taskhost.exe
	Image Path: %SystemRoot%\System32\taskhost.exe
	Parent Process: services.exe
	Number of Instances : One or more (multiple taskhost.exe processes are normal)
	User account: Logged-on users and/or local service accounts
	Start Time: Within seconds of boot time

#### lsass.exe
	Image Path: %SystemRoot%\System32\lsass.exe
	Parent Process: wininit.exe
	Number of Instances : One
	User account: Local System
	Start Time: Within seconds of boot time
	Note: A second lsass.exe, or one whose parent is not wininit.exe, is a classic masquerade

#### winlogon.exe
	Image Path: %SystemRoot%\System32\winlogon.exe
	Parent Process: Created by a child instance of smss.exe that has since exited (tools usually don't show a parent process name)
	Number of Instances : One or more
	User account: Local System
	Start Time: Within seconds of boot time for the first instance

#### csrss.exe
	Image Path: %SystemRoot%\System32\csrss.exe
	Parent Process: Created by a child instance of smss.exe that has since exited (tools usually don't show a parent process name)
	Number of Instances : Two or more
	User account: Local System
	Start Time: Within seconds of boot time for the first two instances (Session 0 and 1)
	Note: cmd.exe command history lives in the memory of this process on XP, and of conhost.exe on Win7+

#### services.exe
	Image Path: %SystemRoot%\System32\services.exe
	Parent Process: wininit.exe
	Number of Instances : One
	User account: Local System
	Start Time: Within seconds of boot time

#### svchost.exe
	Image Path: %SystemRoot%\System32\svchost.exe
	Parent Process: services.exe
	Number of Instances : Five or more
	User account: Depends on the instance: Local System, Network Service or Local Service
	Start Time: Within seconds of boot time, or later for services started after boot
	Note: On Win7+ the service DLLs hosted by svchost.exe are signed by Microsoft, and a legitimate instance is started with a -k <group> parameter

#### lsm.exe
	Image Path: %SystemRoot%\System32\lsm.exe
	Parent Process: wininit.exe
	Number of Instances : One
	User account: Local System
	Start Time: Within seconds of boot time
	Note: Handles terminal services sessions, including RDP and fast user switching (on Win8+ this became a service hosted by svchost.exe, so a standalone lsm.exe there is suspicious)

#### explorer.exe
	Image Path: %SystemRoot%\explorer.exe
	Parent Process: userinit.exe, which has since exited (tools usually don't show a parent process name)
	Number of Instances : One per logged-on user
	User account: The logged-on user
	Start Time: Starts when the owner's interactive session logon begins

#### Reference
https://digital-forensics.sans.org/media/Poster_2016_Find_Evil.pdf
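The baseline above, applied mechanically to a process listing. This is an added example, not code from the IRNotes repo or the SANS poster: BASELINE transcribes the rules of the list, %SystemRoot% is assumed to be C:\Windows, and the process list is constructed (as a pslist/tasklist export would look) with two deliberate anomalies.

```python
"""Check a process listing against the 'Normal' Windows process baseline.

Added example for these notes, not code from the IRNotes repo. BASELINE
transcribes the rules of the list above; %SystemRoot% is assumed to be
C:\\Windows. PROCS is a constructed listing with two planted anomalies.
"""
from collections import Counter

SYSTEM = {"NT AUTHORITY\\SYSTEM"}
SERVICE_ACCOUNTS = SYSTEM | {"NT AUTHORITY\\NETWORK SERVICE", "NT AUTHORITY\\LOCAL SERVICE"}

# name -> (expected image path or None, acceptable parent names,
#          parent normally already exited, allowed accounts or None for any,
#          maximum number of instances or None for unbounded)
BASELINE = {
    "system":       (None, set(), True, SYSTEM, 1),
    "smss.exe":     (r"c:\windows\system32\smss.exe", {"system", "smss.exe"}, False, SYSTEM, None),
    "wininit.exe":  (r"c:\windows\system32\wininit.exe", {"smss.exe"}, True, SYSTEM, 1),
    "csrss.exe":    (r"c:\windows\system32\csrss.exe", {"smss.exe"}, True, SYSTEM, None),
    "winlogon.exe": (r"c:\windows\system32\winlogon.exe", {"smss.exe"}, True, SYSTEM, None),
    "services.exe": (r"c:\windows\system32\services.exe", {"wininit.exe"}, False, SYSTEM, 1),
    "lsass.exe":    (r"c:\windows\system32\lsass.exe", {"wininit.exe"}, False, SYSTEM, 1),
    "lsm.exe":      (r"c:\windows\system32\lsm.exe", {"wininit.exe"}, False, SYSTEM, 1),
    "svchost.exe":  (r"c:\windows\system32\svchost.exe", {"services.exe"}, False, SERVICE_ACCOUNTS, None),
    "taskhost.exe": (r"c:\windows\system32\taskhost.exe", {"services.exe"}, False, None, None),
    "explorer.exe": (r"c:\windows\explorer.exe", {"userinit.exe"}, True, None, None),
}

# Constructed listing. The last two entries are the planted anomalies: an
# svchost.exe running from a user's Temp folder under explorer.exe, and a second
# lsass.exe also spawned by explorer.exe.
PROCS = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "path": "",                                  "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 268,  "ppid": 4,    "name": "smss.exe",     "path": r"C:\Windows\System32\smss.exe",     "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 352,  "ppid": 340,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe",    "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 396,  "ppid": 340,  "name": "wininit.exe",  "path": r"C:\Windows\System32\wininit.exe",  "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 404,  "ppid": 388,  "name": "csrss.exe",    "path": r"C:\Windows\System32\csrss.exe",    "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 440,  "ppid": 388,  "name": "winlogon.exe", "path": r"C:\Windows\System32\winlogon.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 488,  "ppid": 396,  "name": "services.exe", "path": r"C:\Windows\System32\services.exe", "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 496,  "ppid": 396,  "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",    "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 504,  "ppid": 396,  "name": "lsm.exe",      "path": r"C:\Windows\System32\lsm.exe",      "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 612,  "ppid": 488,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "user": "NT AUTHORITY\\SYSTEM"},
    {"pid": 700,  "ppid": 488,  "name": "svchost.exe",  "path": r"C:\Windows\System32\svchost.exe",  "user": "NT AUTHORITY\\NETWORK SERVICE"},
    {"pid": 1324, "ppid": 1300, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe",          "user": "LAB\\bob"},
    {"pid": 2210, "ppid": 1324, "name": "svchost.exe",  "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "user": "LAB\\bob"},
    {"pid": 2300, "ppid": 1324, "name": "lsass.exe",    "path": r"C:\Windows\System32\lsass.exe",    "user": "LAB\\bob"},
]


def check_processes(procs, baseline=BASELINE):
    """Return (pid, name, issue) for every deviation from the baseline."""
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    issues = []
    for p in procs:
        name = p["name"].lower()
        rule = baseline.get(name)
        if rule is None:
            continue  # not a core process; outside this baseline
        path, parents, parent_exits, users, max_instances = rule
        if path is not None and p["path"].lower() != path:
            issues.append((p["pid"], name, "unexpected image path %s" % p["path"]))
        parent = by_pid.get(p["ppid"])
        if parent is None:
            if not parent_exits:
                issues.append((p["pid"], name, "parent pid %d not found" % p["ppid"]))
        elif parent["name"].lower() not in parents:
            issues.append((p["pid"], name, "unexpected parent %s (pid %d)" % (parent["name"], parent["pid"])))
        if users is not None and p["user"].upper() not in users:
            issues.append((p["pid"], name, "unexpected user %s" % p["user"]))
        if max_instances is not None and counts[name] > max_instances:
            issues.append((p["pid"], name, "%d instances, expected at most %d" % (counts[name], max_instances)))
    return issues


if __name__ == "__main__":
    for pid, name, issue in check_processes(PROCS):
        print("%5d %-13s %s" % (pid, name, issue))
```

The instance-count check fires on every copy, so the legitimate lsass.exe is listed too; that is intended, since the analyst still has to decide which of the two is the real one (the parent check settles it here).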
### Artifacts 
To-Do

#### File Download

| Artifact | What it records | XP location | Win7 location | Interpretation |
|---|---|---|---|---|
| Open/Save MRU | Files opened or saved through a Windows shell dialog box | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU | The "*" subkey tracks the most recent files of any extension entered in an Open/Save dialog; each .??? (three-letter extension) subkey stores the file info from the dialog for that specific extension |
| E-mail Attachments | Attachments handled by Outlook | %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook | %USERPROFILE%\AppData\Local\Microsoft\Outlook | The Outlook data files found here are OST and PST files. Also check the OLK and Content.Outlook folders, which may roam depending on the Outlook version |
| Skype History | Skype chat and call history | C:\Documents and Settings\<username>\Application Data\Skype\<skypeusername> | C:\Users\<username>\AppData\Roaming\Skype\<skypeusername> | Each entry has a date/time value and the Skype username associated with the action |
| Index.dat / Places.sqlite | Browser history: not directly a "file download" artifact. Kept per local user account; records the number of visits (frequency) | IE: %userprofile%\Local Settings\History\History.IE5 - FF: %userprofile%\Application Data\Mozilla\Firefox\Profiles\<profile>.default\places.sqlite | IE: %userprofile%\AppData\Local\Microsoft\Windows\History\History.IE5 and %userprofile%\AppData\Local\Microsoft\Windows\History\Low\History.IE5 - FF: %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default\places.sqlite | Many history entries name files that were opened from remote sites and downloaded to the local system; the history records the access to the file on the website, via the link that was followed |
| Downloads.sqlite | Firefox's built-in download manager keeps a history of every file the user downloaded | %userprofile%\Application Data\Mozilla\Firefox\Profiles\<profile>.default\downloads.sqlite | %userprofile%\AppData\Roaming\Mozilla\Firefox\Profiles\<profile>.default\downloads.sqlite | Includes the filename, size and type; the download source and referring page; the file save location; the application used to open the file; the download start and end times (Firefox 26+ keeps this in places.sqlite instead) |
#### Program Execution

| Artifact | What it records | Location | Interpretation |
|---|---|---|---|
| UserAssist | GUI-based programs launched from the desktop are tracked by the Explorer launcher | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count | Value names are ROT13-encoded; each value holds a run count and the last run time |
| LastVisited MRU | The executable used by an application to open the files recorded in OpenSaveMRU, and the directory of the last file that application accessed | XP: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU - Win7: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU | Tracks the application executables used to open files in OpenSaveMRU and the last file path used |
| RunMRU (Start -> Run) | Every command executed through Start -> Run | NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | The MRUList value gives the execution order: its letters name the value entries from most recent to oldest |
| AppCompat Cache (ShimCache) | Windows Application Compatibility database; tracks executable file names, file size, last modified time and, on XP, the last update time | XP: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility - Win7: SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache | Tool: MANDIANT's ShimCacheParser |
| Win7 Jump Lists | Recently used items per application (one AppID file per application) | C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations | Creation time = first time an item was added to the AppID file; modification time = last time an item was added to the AppID file |
| Prefetch | Shows that an application was executed on the system | C:\Windows\Prefetch | Each .pf records the last execution time, the run count and the files and devices the program touched. First execution of that name and path = creation date of the .pf file (minus ~10 seconds); last execution = embedded last-run time = last modification date of the .pf file (minus ~10 seconds) |
| Service Events | Service installation and state changes | System event log (see the 7034-7040 IDs above) | Analyze the logs for suspicious services |

#### Reference
http://digital-forensics.sans.org/media/poster_fall_2013_forensics_final.pdf
### Windows Time Rules

Which NTFS timestamps change for each file operation. $STDINFO ($STANDARD_INFORMATION) is what Explorer, dir and SetFileTime read and write; $FILENAME is maintained by the kernel only, so a $FILENAME value that the $STDINFO one contradicts is the first thing to check for timestomping.

#### $STDINFO

| | File Rename | Local File Move | Volume File Move | File Copy | File Access | File Modify | File Creation | File Deletion |
|---|---|---|---|---|---|---|---|---|
| Modified | No Change | No Change | No Change | No Change | No Change | <b>Change</b> | <b>Change</b> | No Change |
| Access | No Change | No Change | <b>Change</b> | <b>Change</b> | <b>Change</b> (No Change on Vista/Win7, where last-access updates are disabled by default) | No Change | <b>Change</b> | No Change |
| Creation | No Change | No Change | No Change | <b>Change</b> | No Change | No Change | <b>Change</b> | No Change |
| Metadata | <b>Changed</b> | <b>Changed</b> | <b>Changed</b> | <b>Changed</b> | <b>Changed</b> | <b>Changed</b> | <b>Changed</b> | No Change |

#### $FILENAME

| | File Rename | Local File Move | Volume File Move | File Copy | File Access | File Modify | File Creation | File Deletion |
|---|---|---|---|---|---|---|---|---|
| Modified | No Change | <b>Change</b> | <b>Change</b> | <b>Change</b> | No Change | No Change | <b>Change</b> | No Change |
| Access | No Change | No Change | <b>Change</b> | <b>Change</b> | No Change | No Change | <b>Change</b> | No Change |
| Creation | No Change | No Change | <b>Change</b> | <b>Change</b> | No Change | No Change | <b>Change</b> | No Change |
| Metadata | No Change | <b>Changed</b> | <b>Changed</b> | <b>Changed</b> | No Change | No Change | <b>Changed</b> | No Change |
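The two tables, encoded and applied to a before/after pair of timestamp sets. This is an added example, not code from the IRNotes repo or the SANS poster: RULES transcribes the tables with Win7 semantics (a read does not update the $STDINFO access time), the snapshots are constructed, and one check goes beyond the tables: every operation they list stamps the current clock, so a value that moves backwards cannot come from any row and is reported as a timestomp (or clock change) indicator.

```python
"""Classify an NTFS timestamp change against the $STDINFO/$FILENAME rules.

Added example for these notes, not code from the IRNotes repo. RULES
transcribes the two tables above with Win7 semantics ($STDINFO access time
is not updated by a read). The before/after snapshots are constructed.
"""
from datetime import datetime

FIELDS = ("M", "A", "C", "E")  # Modified, Accessed, Created, Entry (MFT metadata) modified

# operation -> (which $STDINFO fields change, which $FILENAME fields change); 'x' = changes
RULES = {
    "File Rename":      ("___x", "____"),
    "Local File Move":  ("___x", "x__x"),
    "Volume File Move": ("_x_x", "xxxx"),
    "File Copy":        ("_xxx", "xxxx"),
    "File Access":      ("___x", "____"),
    "File Modify":      ("x__x", "____"),
    "File Creation":    ("xxxx", "xxxx"),
    "File Deletion":    ("____", "____"),
}


def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def stamps(m, a, c, e):
    return dict(zip(FIELDS, (t(m), t(a), t(c), t(e))))


def change_pattern(before, after):
    return "".join("x" if after[f] != before[f] else "_" for f in FIELDS)


def classify(si_before, si_after, fn_before, fn_after):
    """Return (operations consistent with the observed change, anomalies)."""
    si, fn = change_pattern(si_before, si_after), change_pattern(fn_before, fn_after)
    candidates = [op for op, rule in RULES.items() if rule == (si, fn)]
    anomalies = []
    # No row in the tables sets a timestamp to anything but the current clock,
    # so a $STDINFO value that went backwards was written by SetFileTime or a
    # clock change, never by a normal file operation.
    back = [f for f in FIELDS if si_after[f] < si_before[f]]
    if back:
        anomalies.append("$STDINFO %s moved backwards: timestomp or clock change" % ",".join(back))
    if not candidates:
        anomalies.append("pattern $STDINFO=%s $FILENAME=%s matches no rule" % (si, fn))
    # $FILENAME creation only moves on creation, copy or volume move, and the
    # first two set $STDINFO creation to the same moment.
    if si_after["C"] < fn_after["C"]:
        anomalies.append("$STDINFO created earlier than $FILENAME created: "
                         "timestomp unless the file was moved in from another volume")
    return candidates, anomalies


# Constructed: a file created at 10:00, modified normally at 10:05, then
# timestomped back to 2009 at 10:10 (only $STDINFO can be set from user mode).
CREATED = stamps("2016-07-20 10:00:00", "2016-07-20 10:00:00", "2016-07-20 10:00:00", "2016-07-20 10:00:00")
MODIFIED = stamps("2016-07-20 10:05:00", "2016-07-20 10:00:00", "2016-07-20 10:00:00", "2016-07-20 10:05:00")
STOMPED = stamps("2009-01-01 00:00:00", "2009-01-01 00:00:00", "2009-01-01 00:00:00", "2016-07-20 10:10:00")


if __name__ == "__main__":
    print(classify(CREATED, MODIFIED, CREATED, CREATED))
    print(classify(MODIFIED, STOMPED, CREATED, CREATED))
```

Under Win7 semantics the File Rename and File Access rows are identical, so a metadata-only change is reported with both candidates; the $FILENAME half of the pattern is what separates a rename from a local move.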
### Mass Registry analysis with RegRipper

Run one RegRipper plugin over every hive file under a directory and collect the output in a single file:

	$ find path_to_the_files/ -type f -exec ./wrapper.sh {} \; 

	wrapper.sh
	#!/bin/sh
	# rip.exe is the Windows build of RegRipper; on Linux/OS X use ./rip.pl with the same arguments
	./rip.exe -r "$1" -p user_run >> results.txt


### Procmon filters
	Operation is WriteFile
	Operation is RegSetValue
	Details contains Desired Access: Generic Write

### Domain users' SIDs

Dump the SIDs seen in memory, keep the domain ones (S-1-5-21-<domain>-<RID>) and extract the user names. The `[A-Z][0-9]{6}` pattern is the account naming convention of that environment; adjust it to yours.

	vol.py -f memdump.mem --profile=Win7SP1x64 getsids > getsids_output.txt
	grep 'S-1-5-21-XXXXXXXXX-XXXXXXXXX-XXXXXXXXX-' getsids_output.txt | egrep '[A-Z][0-9]{6}' -o | sort -u

## OS X ##
List the processes bound to TCP port XXXX (bash):
	
	$ for pid in $(lsof -n -i4TCP:XXXX -t); do ps -o pid,user,command -p "$pid"; done

## Linux ##
List the processes bound to TCP port XXXX (root is needed to see other users' PIDs in netstat):
	
	$ for pid in $(sudo netstat -anp | grep -E ":XXXX\s" | awk '{print $NF}' | cut -d/ -f1 | sort -u); do ps -o pid,user,command -p "$pid"; done