Incident response is one of the most important parts of an enterprise's information security program. Windows,...
which is, of course, one of the most popular operating systems in enterprise settings, is often at the root of security incidents. Discovering whether an enterprise Windows system has been compromised is a critical component of incident response.
While the fundamentals of Windows incident response have largely stayed much the same over the past few years, there are a number of new tools and techniques available that can be incorporated into an enterprise's incident response plan.
Many of the newer Windows command-line tools are from third parties or not installed by default on Windows clients. As a disclaimer, however, there are a fair number of malicious files masquerading as third-party computer security or forensics tools. While there are plenty of valuable tools out there worth exploring, it may be easiest -- and most secure -- to use a standard incident response toolkit on a CD or USB drive.
In this tip, I will cover the new command-line functions included in Windows and the tools that enable IT and security administrators to determine whether a machine has been compromised. I will also offer techniques and clues about how to deal with your findings.
Determine whether a machine has been compromised
One of the first steps in incident response is determining if a machine has been compromised. All of the commands offered in a previous SearchSecurity tip by Ed Skoudis are still valid today for determining this. Skoudis also has an updated version where he covers more details in a Windows command-line cheat sheet that can be included in an incident response toolkit.
Potentially the biggest advancement in command-line tools for Windows has been the development of PowerShell, a task automation and configuration management framework from Microsoft that has significantly more capabilities than older, built-in command-line utilities. In his blog post, Microsoft's Online Services Security & Compliance team member Russ McRee goes over how to use PowerShell to investigate a potential security incident.
PowerShell can replace most common command-line utilities -- such as pslist for listing out processes or pskill to kill a process -- with its advanced scripting capabilities. Enterprises can also write their own standard PowerShell scripts to gather the evidence they determine to be most important in their environment; this would help ensure consistency in incident response. Data gathered can be compared to a noncompromised system or a base image to identify further clues to investigate in more detail. Any irregularities like suspicious network connections, processes or files should be compared to data from an intrusion-detection system or system management tool with a list of installed applications or list of files on the system.
To get a list of processes in PowerShell:
Get-Process | Out-Gridview
To get a list of installed programs:
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table –AutoSize
Alternately, users can get a list of potentially suspicious network connections using a PowerShell script called log connections. This method can be easier for finding the network connections to investigate further.
To investigate other aspects of the host, different command lines can be used to gather data about the running system. To get a list of the IP configurations, admins can use:
The netsh command can be used to list out the status of the firewall with:
netsh advfirewall export "firewall.txt"
The Driverquery command can be used to list out any drivers in use that could be used to identify potentially malicious drivers:
driverquery /v /fo csv > drvlist.csv
All of these commands can be directed to a file using the ">" operator, for example:
C:\>ipconfig /a > ipconfig.txt
Directing this information to a file will allow admins to record the state of the system so it can be further analyzed from a known-secure system and correlated with other tools.
Techniques for dealing with a compromised machine
Once a computer has been identified as compromised, the next step is to further investigate the system or to remediate the issue. Further investigation can be done with commercial or open source forensics tools such as volatility or pyflag or by analyzing malware identified from malicious processes or network connections. This can be helpful, as it may lead to discovering other compromised systems, identifying specific account compromises or learning which data was captured by the attacker.
While the safest and easiest method for recovery is to require a system to be reinstalled if it has been infected with malware or has otherwise been compromised by an attacker, this may be impractical for some systems. If there is sufficient reason to think that sensitive data has been accessed from the compromised machine, a thorough investigation should be done to identify how the security of the machine was compromised so a root cause can be identified and remediated. Remediation could include installing patches, making other system configuration changes to harden a system or adding new security controls around a system.
If the infected machine or user doesn't process, store or have access to sensitive data, incident response may involve just the standard advice of reinstalling from a known-good backup. Alternately, if an attacker is caught in the act and can be prevented from gaining administrative access, the system may not require a full reinstall. Stopping an attack in action could include killing processes run by the attacker, removing the malicious files, and ensuring a root cause is identified and remediated.
Microsoft introduced a command-line tool in Windows 8 called Recimg.exe that can be used to create a custom system image to recover the system. This command can create a known-good image of a system that can be used to restore the system to a known-good state should it ever be compromised. This may be less work than a full reinstall of the system.
As much as computers and the Windows system change not only every year but also with every new version, it is fortunate that many of the same tools and techniques used in the past can be used in incident response nowadays for a machine that has been compromised. These tools can also offer techniques or clues on how to deal with compromises.
It is critical that enterprises update their tools and programs on a regular cycle to prevent falling victim to known and patched issues. Fortunately, these tools and programs should require minor updates once the incident response plan is in place.
About the author:
Nick Lewis, CISSP, is the information security officer at Saint Louis University. Nick received his Master of Science degree in information assurance from Norwich University in 2005 and in telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and at Boston Children's Hospital, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.
Learn about 10 hidden Windows command prompt tricks
Discover more Windows command-line tools and programs
Learn more about Curl-command-line program