1st responders technical actions
The goal: “Create a memory dump of the affected device in a very “usual” way, to let the attacker thing he is still undetected”
If the device is connected with the customers internal network, try to isolate the device into a dedicated VLAN that only has Internet access and monitor the behavior within.
Open a cmd shell as local administrator. Note to the customer, that the now used Administrative account MUST have a password already changed on all other systems in the network, prior to the start of this action.
To gather the environmental variables, windows onboard tools do a quite good job already, so let’s have some commands run and save the outcome for the later analysis:
ipconfig /all > c:\PIR[YYYY][MM][DD]\ipconfig.log
nbtstat -ncs > c:\PIR[YYYY][MM][DD]\nbtstat.log
net group /domain c:\PIR[YYYY][MM][DD]\net_group1.log
net group [group name] /domain c:\PIR[YYYY][MM][DD]\net_group2.log
Enter below commands to shutdown the assets to create a fresh hibernate.sys
powercfg -H ON
The asset will start shutting down immediately and create a fresh dump.
After awaiting the shutdown (depending on the size of RAM this might take a short while), switch the asset on again and let the attacker think he is undetected.
Advice the customer to use a fresh and formatted USB stick and have him download a copy of a special tool to this new USB stick:
This tool is needed to copy the hiberfil.sys to the USB-stick in a special way, as the hyberfil.sys is locked by a system process and only accessible if windows is not running.
The command to copy: (replace [USB-Drive] with the drive letter of the customers USB-Stick)
[USB-Drive]:\RawCopy64.exe /FileNamePath:C:\hiberfil.sys /OutputPath:[USB-Drive]:\output /OutputName:hiberfil_c.sys [USB Drive]:\hiberfil.sys
For later use. How to convert into a readable raw file: (volatility cheat sheet)
D:\>volatility.exe -f hiberfil_c.sys --profile=Win7SP1x64 imagecopy -O hiberfile.raw
D:\>volatility.exe -f hiberfile.raw --profile=Win7SP1x64 pslist
D:\>volatility.exe -f hiberfile.raw --profile=Win7SP1x64 malfind
[USB-Drive]:\>RawCopy64.exe /FileNamePath:C:\Windows\System32\config\SAM /OutputPath:[USB-Drive]:\output [USB-Drive]:\SAM.NT
For Server ACTIVE DIRECTORY:
[USB-Drive]:\>RawCopy64.exe /FileNamePath:C:\Windows\NTDS\ntds.dit /OutputPath:[USB-Drive]:\output [USB-Drive]:\ntds.dit
Now have the customer remove the USB-Stick and label it as “PIR[YYYY][MM][DD] Evidence #01” and store it at a save place.