legal contact
 

1st responders technical actions

Single Windows client asset affected no regulations is place

The goal: “Create a memory dump of the affected device in a very “usual” way, to let the attacker thing he is still undetected”

If the device is connected with the customers internal network, try to isolate the device into a dedicated VLAN that only has Internet access and monitor the behavior within.

Open a cmd shell as local administrator. Note to the customer, that the now used Administrative account MUST have a password already changed on all other systems in the network, prior to the start of this action.

To gather the environmental variables, windows onboard tools do a quite good job already, so let’s have some commands run and save the outcome for the later analysis:

Action

command

Create

mkdir c:\PIR[YYYY][MM][DD]

IP

ipconfig /all > c:\PIR[YYYY][MM][DD]\ipconfig.log

NetBios

nbtstat -ncs > c:\PIR[YYYY][MM][DD]\nbtstat.log

Domains

net group /domain c:\PIR[YYYY][MM][DD]\net_group1.log

Domain Users

net group [group name] /domain c:\PIR[YYYY][MM][DD]\net_group2.log

Enter below commands to shutdown the assets to create a fresh hibernate.sys

powercfg -H ON
shutdown /h

The asset will start shutting down immediately and create a fresh dump.

After awaiting the shutdown (depending on the size of RAM this might take a short while), switch the asset on again and let the attacker think he is undetected.

Advice the customer to use a fresh and formatted USB stick and have him download a copy of a special tool to this new USB stick:

https://github.com/jschicht/RawCopy/blob/master/RawCopy64.exe
https://github.com/jschicht/RawCopy/blob/master/RawCopy.exe

This tool is needed to copy the hiberfil.sys to the USB-stick in a special way, as the hyberfil.sys is locked by a system process and only accessible if windows is not running.

The command to copy: (replace [USB-Drive] with the drive letter of the customers USB-Stick)

[USB-Drive]:\RawCopy64.exe /FileNamePath:C:\hiberfil.sys /OutputPath:[USB-Drive]:\output /OutputName:hiberfil_c.sys [USB Drive]:\hiberfil.sys

For later use. How to convert into a readable raw file: (volatility cheat sheet)
D:\>volatility.exe -f hiberfil_c.sys --profile=Win7SP1x64 imagecopy -O hiberfile.raw
D:\>volatility.exe -f hiberfile.raw --profile=Win7SP1x64 pslist
D:\>volatility.exe -f hiberfile.raw --profile=Win7SP1x64 malfind

[USB-Drive]:\>RawCopy64.exe /FileNamePath:C:\Windows\System32\config\SAM /OutputPath:[USB-Drive]:\output [USB-Drive]:\SAM.NT

For Server ACTIVE DIRECTORY:

[USB-Drive]:\>RawCopy64.exe /FileNamePath:C:\Windows\NTDS\ntds.dit /OutputPath:[USB-Drive]:\output [USB-Drive]:\ntds.dit

Now have the customer remove the USB-Stick and label it as “PIR[YYYY][MM][DD] Evidence #01” and store it at a save place.