
The SIX STEPS of an Incident Response

"whack-a-mole" = an impossible game: jumping from Identification straight to Eradication and thereby tainting or missing a lot of details.

First APT in 1998: "Moonlight Maze"

1 Preparation

Preparation is as straightforward as making sure you have a trained incident response team, either employed, on retainer, or at least someone's business card so you know who to call.

Actions:
  • Create and test the response plan
  • Define the CSIRT members and roles
  • Define the communication matrix
  • Define the start and stop of an IR

2 Identification and Scoping

An incident is initially identified in any number of ways, leading you to start your response plan with only slight awareness of what the incident may be. The identification phase is meant to clear this part up. This phase also includes investigating the depth of the compromise, its source, and its success or failure.

Identification is done through review of log files... lots and lots (and sometimes lots and lots and lots) of log files.

Actions:
  • Consult your use cases in the SIEM

3 Containment and Intelligence Development

Containment often happens concurrently with identification or immediately following it. Damaged systems are removed from production, devices are isolated, compromised accounts are locked down: the bleeding stops here.

Avoid "whack-a-mole".

Containment options:
  • Full-scale host/network monitoring
  • Kill switch (e.g. a screening router)
  • Data decoy
  • Nit mangling
  • Adversary network segmentation (Sophos REDUX)

Intelligence-Driven Incident Response

Intelligence provides:
  • Where to look
  • What to look for
  • Likelihood of attack (threat group)

Goal / Action

Find the initial compromise: Find the initial attack that gave the intruder access to the network or system.

Find the foothold: Find out how the adversary gained a foothold on the network/system (e.g. C2 server, etc.).

Find the lateral movement: Find indicators of lateral movement (e.g. .bash_history, auth.log, Windows event 4624).

Find data collection: Find out how the adversary collects "interesting" data or how he tries to find valuable systems (e.g. evidence of port scans, Windows event 4625, auth.log, etc.).

Find data exfiltration actions: Find how the adversary uploads/steals the data (e.g. large emails, large SSH sessions, HTTPS PUT, etc.).

Intelligence development:
  • Malware gathering
  • TTP (Tactics, Techniques and Procedures) observations
  • IOC development
  • Adversary intent
  • Campaign identification
4 Remediation

Eradication is exactly what it sounds like: removing and remediating any damage discovered in the identification phase. This is normally done by restoring systems from backup and re-imaging workstations.

Step / Action / Monitor
1 Block malicious IP addresses. Monitor: log sources to find further adversaries.
2 Blackhole malicious domain names. Monitor: log sources to find further adversaries.
3 Rebuild compromised systems. Monitor: log new foothold attempts to find further adversaries.
4 Coordinate with cloud and ISP providers. Monitor: have them establish the logging described above.
5 Action an enterprise-wide password change. Monitor: log unchanged accounts, and log changed accounts among unused (e.g. vacation) accounts.
6 Verify all remediation activities. Monitor: document this as well.

  1. Deny the adversary access to the environment
  2. Eliminate the adversary's ability to react to the remediation
  3. Remove the adversary's presence from the environment
  4. Degrade the adversary's ability to return

5 Recovery

Recovery is the testing of the fixes from the eradication phase and the transition back to normal operations. Vulnerabilities are remediated; compromised accounts have their passwords changed or are removed altogether and replaced with other, more secure methods of access. Functionality is tested and day-to-day business resumes.

Actions:
  • Monitor the LMS for occurrences of the gathered IOCs and TTPs

6 Lessons Learned / Threat Intel Consumption

The last phase is the one that many organizations skip, but it is arguably the most important for preventing future incidents. Lessons Learned involves reviewing the steps that were taken during each phase; improving both your incident response capability and your security footprint are the important take-aways from this phase.

Actions:
  • Publish IOC lists and TTPs via MISP and create use cases in the SIEM
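Remediation step 5 says to log the accounts that did not change their password and the unused accounts that did. The following is an added example (not part of the original notes) that produces exactly that list from Active Directory. It assumes the ActiveDirectory RSAT module is installed and the session runs as an account allowed to read user attributes; the function name, the remediation date and the 30-day dormancy window are constructed values.

```powershell
# Added example (not part of the original notes): after the enterprise-wide password
# change of remediation step 5, list the accounts that did NOT change their password
# and the dormant accounts that suddenly did. Assumes the ActiveDirectory RSAT module
# and a domain account allowed to read user attributes; the date is a constructed value.
Import-Module ActiveDirectory

function Get-PasswordChangeFindings {
    param(
        [Parameter(Mandatory)] [datetime] $RemediationDate,   # when the change was ordered
        [int] $DormantDays = 30                               # no logon for this long = "unused"
    )
    $cutoff = (Get-Date).AddDays(-$DormantDays)
    $users  = Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, PasswordNeverExpires

    foreach ($u in $users) {
        # PasswordLastSet is $null when pwdLastSet was never set (or a change is forced)
        $unchanged = ($null -eq $u.PasswordLastSet) -or ($u.PasswordLastSet -lt $RemediationDate)
        $dormant   = ($null -eq $u.LastLogonDate)   -or ($u.LastLogonDate -lt $cutoff)

        $finding = $null
        if ($unchanged)   { $finding = 'PasswordUnchanged' }      # first thing the table says to log
        elseif ($dormant) { $finding = 'DormantAccountChanged' }  # second thing: vacation accounts that changed

        if ($finding) {
            [pscustomobject]@{
                SamAccountName       = $u.SamAccountName
                Finding              = $finding
                PasswordLastSet      = $u.PasswordLastSet
                LastLogonDate        = $u.LastLogonDate
                PasswordNeverExpires = $u.PasswordNeverExpires
            }
        }
    }
}

# Usage: keep the result as part of the remediation log (constructed date)
Get-PasswordChangeFindings -RemediationDate (Get-Date '2024-01-15') |
    Sort-Object Finding, SamAccountName |
    Export-Csv -NoTypeInformation -Path .\pw-remediation-check.csv
```

Accounts with PasswordNeverExpires set are the ones most likely to show up as unchanged; they need to be handled explicitly in the password-change action rather than assumed to rotate on their own.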

Hunting team

Count / Role / Duty
1   Team lead: Nudge the analyst on to the next artefact to look for, so he does not get the impression of having missed something and search endlessly.
1-2 System and host forensicators: Give them the right and the ability to access ALL sources/data within the company.
1-2 Network forensicators: Give them the right and the ability to access ALL sources/data within the company.
1   Reverse engineer: Analyse forensic samples and prove the IOCs valid.

Cyber kill chain

(c) Lockheed Martin

Step / Name / Action
1 Reconnaissance: Harvesting publicly available information. Finding vulnerabilities (scanning), email addresses, conference names, etc.
2 Weaponization: Building an exploit with a backdoor into a deliverable payload.
3 Delivery: Delivering the payload to the victim (via email, USB stick, drive-by, SQL injection, etc.).
4 Exploitation: Exploiting a vulnerability to execute code on the victim's system (e.g. phishing, zero-day use).
5 Installation: Installing the malware on the asset.
6 Command & Control: Establishing the command channel for remote manipulation of the victim.
7 Actions on Objectives: "Hands on keyboard" access to accomplish their original goals.


(c) MITRE

ATT&CK focuses on the TTPs adversaries use to make decisions, expand access and execute their objectives.

Tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

Hunt Evil - Know the "Normal"

Image Path: System
Parent Proc.: None
Number of instances: One
User account: Local System
Start time: at boot
Description: Runs most kernel-mode threads. Modules run under System (.sys files), but also several important DLLs as well as ntoskrnl.exe.

Image Path: %SystemRoot%\System32\smss.exe
Parent Proc.: System
Number of instances: One master instance and one child instance per session. Children exit after creating their session.
User account: Local System
Start time: seconds after boot for the master instance

The Session Manager creates new sessions.
It starts csrss.exe and wininit.exe for session 0, or winlogon.exe for session 1 and higher; the child instance then exits.

PID of smss.exe < PID of csrss.exe
PID of smss.exe < PID of wininit.exe

Image Path: %SystemRoot%\System32\wininit.exe
Parent Proc.: smss.exe (but it exited after spawning, so wininit.exe looks like it was started by a non-existent process)
Number of instances: One
User account: Local System
Start time: seconds after boot

wininit.exe starts:

  • services.exe (Service Control Manager)
  • lsass.exe (Local Security Authority process)
  • lsaiso.exe (if Credential Guard is enabled)
  • lsm.exe (pre-Windows 10 only)

Image Path: %SystemRoot%\System32\RuntimeBroker.exe
Parent Proc.: svchost.exe
Number of instances: One or more
User account: logged-on users
Start time: varies

RuntimeBroker.exe acts as a proxy between UWP apps and the Windows API.
Generally one process is spawned for each UWP app.

Image Path: %SystemRoot%\System32\taskhostw.exe
Parent Proc.: svchost.exe
Number of instances: One or more
User account: Local System and logged-on user
Start time: varies

Generic host process for Windows tasks. It runs a continuous loop and waits for trigger events.

Image Path: %SystemRoot%\System32\winlogon.exe
Parent Proc.: smss.exe (but it exited after spawning, so winlogon.exe looks like it was started by a non-existent process)
Number of instances: One or more
User account: Local System
Start time: seconds after boot for the first instance

winlogon.exe handles interactive user logons and logoffs. It launches LogonUI.exe, which passes credentials to lsass.exe for validation. Once authenticated, winlogon loads NTUSER.DAT into HKCU and starts the user's shell (i.e. explorer.exe) via userinit.exe.

Image Path: %SystemRoot%\System32\csrss.exe
Parent Proc.: smss.exe (but it exited after spawning, so csrss.exe looks like it was started by a non-existent process)
Number of instances: Two or more
User account: Local System
Start time: seconds after boot for the first two instances

The Client/Server Run-Time Subsystem is the user-mode process for the Windows subsystem. Use of RDP and fast user switching creates a new csrss.exe process for each session.

Image Path: %SystemRoot%\System32\services.exe
Parent Proc.: wininit.exe
Number of instances: One ONLY
User account: Local System
Start time: seconds after boot

Implements the Unified Background Process Manager (UBPM), which is responsible for background activities such as services and scheduled tasks. It also implements the SCM, which loads services and device drivers marked for auto-start.
Once a user has logged on successfully, the SCM (services.exe) also sets the Last Known Good control set (HKLM\SYSTEM\Select\LastKnownGood).

Image Path: %SystemRoot%\System32\svchost.exe
Parent Proc.: services.exe (most often)
Number of instances: Many (generally at least 10)
User account: Local System, Network Service, Local Service; on Win10 also the logged-on user
Start time: seconds after boot

Generic host process for Windows services, used to run service DLLs. Uses the -k parameter to group similar services.

On Windows 10 1703 and later with more than 3.5 GB RAM, expect more than 50 instances.

Image Path: %SystemRoot%\System32\lsaiso.exe
Parent Proc.: wininit.exe
Number of instances: Zero or one
User account: Local System
Start time: seconds after boot

Runs only if Credential Guard is active. lsass.exe uses lsaiso.exe to provide safe storage by running in a context that is isolated from other processes through hardware virtualization technology.

Image Path: %SystemRoot%\explorer.exe
Parent Proc.: userinit.exe (but it exited after spawning, so explorer.exe looks like it was started by a non-existent process)
Number of instances: One or more per interactively logged-on user
User account: logged-on user
Start time: first instance starts when the owner's interactive logon begins

At its core, Explorer provides users access to files, but also to the Desktop, Start Menu, Taskbar, Control Panel and application launching.
It is the default user interface (shell) (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell).
Explorer.exe should reside in %SystemRoot% rather than %SystemRoot%\System32.
If "Launch folder windows in a separate process" is enabled, many instances can occur.
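The "know the normal" table above is easiest to apply when the checks run as code against a live host. The following is an added example (not part of the original notes) that encodes the parent, image-path and instance-count expectations from the table and reports every running process that breaks one of them. It uses Get-CimInstance Win32_Process only; the function name and the exact rule set are this example's own choices, and it should run from an elevated prompt so that every ExecutablePath is readable.

```powershell
# Added example (not part of the original notes): check a live host against the
# parent/child, path and instance-count expectations from the process table above.
# Uses Get-CimInstance Win32_Process; run in an elevated PowerShell so every
# ExecutablePath is readable. Output is a triage list, not a verdict.
function Get-ProcessAnomalies {
    $procs   = Get-CimInstance Win32_Process
    $byPid   = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $sysRoot = $env:SystemRoot

    # Accepted parent names per child; $null = the parent is expected to have exited
    $expectedParent = @{
        'smss.exe'          = @('System', 'smss.exe')   # master under System, children under master
        'csrss.exe'         = $null                     # child smss.exe has exited
        'wininit.exe'       = $null
        'winlogon.exe'      = $null
        'services.exe'      = @('wininit.exe')
        'lsass.exe'         = @('wininit.exe')
        'lsaiso.exe'        = @('wininit.exe')
        'svchost.exe'       = @('services.exe')
        'runtimebroker.exe' = @('svchost.exe')
        'taskhostw.exe'     = @('svchost.exe')
        'explorer.exe'      = $null                     # userinit.exe has exited
    }
    # Processes the table fixes at exactly one instance
    $single   = @('services.exe', 'wininit.exe', 'lsass.exe')
    $findings = New-Object System.Collections.Generic.List[object]

    foreach ($p in $procs) {
        if (-not $p.Name) { continue }
        $name = $p.Name.ToLowerInvariant()
        if (-not $expectedParent.ContainsKey($name)) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        $want   = $expectedParent[$name]
        $reason = $null

        if ($null -eq $want) {
            # A live parent for these is odd; the PID may simply have been reused, so verify by hand
            if ($parent) { $reason = "parent still running: $($parent.Name) (PID $($parent.ProcessId))" }
        } elseif (-not $parent -or ($want -notcontains $parent.Name)) {
            $parentName = if ($parent) { $parent.Name } else { 'none' }
            $reason = "unexpected parent: $parentName, expected $($want -join '/')"
        }

        # Everything in the table lives in System32 except explorer.exe, which belongs in %SystemRoot%
        $expectedDir = if ($name -eq 'explorer.exe') { $sysRoot } else { Join-Path $sysRoot 'System32' }
        if ($p.ExecutablePath -and ((Split-Path $p.ExecutablePath -Parent) -ine $expectedDir)) {
            $reason = "unexpected image path: $($p.ExecutablePath)"
        }
        if ($reason) {
            $findings.Add([pscustomobject]@{ ProcessId = $p.ProcessId; Name = $p.Name; ParentId = $p.ParentProcessId; Reason = $reason })
        }
    }

    foreach ($s in $single) {
        $n = @($procs | Where-Object { $_.Name -ieq $s }).Count
        if ($n -ne 1) {
            $findings.Add([pscustomobject]@{ ProcessId = $null; Name = $s; ParentId = $null; Reason = "expected exactly 1 instance, found $n" })
        }
    }
    $findings
}

Get-ProcessAnomalies | Format-Table -AutoSize -Wrap
```

Expect a few benign hits: an explorer.exe relaunched from Task Manager has a live parent, and a PID freed by the child smss.exe can be reused by an unrelated process. The value is in the unexpected ones, for instance an svchost.exe whose parent is not services.exe or a second lsass.exe.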

Malware Persistence Mechanisms

AutoStart Persistence Locations (ASEPs)

Most popular registry key:

Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit\

Most popular file location:

%UserProfile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Scheduled Tasks

at.exe runs as SYSTEM (deprecated but still present in Windows XP and Windows 7+).
Its use is recorded in at*.job files and in SchedLgU.txt (XP).

Task files reside in C:\Windows\Tasks and C:\Windows\System32\Tasks.

Both at.exe and schtasks.exe can be used on remote machines.


Windows Services

New service creation (event IDs 7045, 4688). A Start value of 0x02 means the service starts at boot.
IPRIP: RIP listener service (APT1)

Service replacement: GlassRAT used the disabled "RasAuto" service.

Service failure recovery: uses a service crash to "recover" with the implanted malware configured as the recovery action (!!!)
→ Kansa Get-SvcFail.ps1

DLL Persistence Attacks

Looking at the DLL search order, find a way to load the malicious DLL before the legitimate DLL.

Sample: on Windows 2000, explorer.exe (in \Windows) would also load the ntshrui.dll that an attacker had placed in \Windows, instead of the legitimate DLL in \Windows\System32, which has write restrictions.

The common search order is:

  1. Side-by-Side components
  2. KnownDLLs list
  3. Application directory
  4. C:\Windows\System32
  5. C:\Windows\system
  6. C:\Windows
  7. Directories registered under App Paths
  8. System PATH
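The search order above is what a hunter walks by hand when checking whether a DLL name resolves to an unexpected file. The following is an added example (not part of the original notes) that does that walk for one executable and one DLL name: it reports every directory in the order that holds a copy, marks the one that would be loaded first, and shows its Authenticode signer. Step 1 (side-by-side) is not modelled; KnownDLLs and App Paths are read from their registry keys. The function name is this example's own; the explorer.exe / ntshrui.dll usage mirrors the Windows 2000 sample from the notes.

```powershell
# Added example (not part of the original notes): for a given executable and DLL
# name, walk the search order listed above and report every directory holding a
# copy of that DLL. A copy earlier in the order than the legitimate one (e.g. in the
# application directory or in \Windows) is what a planted DLL looks like. Step 1
# (side-by-side) is not modelled; KnownDLLs and App Paths are read from the registry.
function Get-DllSearchOrderHits {
    param(
        [Parameter(Mandatory)] [string] $ExePath,   # e.g. "$env:SystemRoot\explorer.exe"
        [Parameter(Mandatory)] [string] $DllName    # e.g. 'ntshrui.dll'
    )
    $sysRoot = $env:SystemRoot

    # Step 2: a DLL on the KnownDLLs list is always taken from System32, whatever sits elsewhere
    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $known = (Get-ItemProperty -Path $knownKey).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -ieq $DllName }
    if ($known) {
        return [pscustomobject]@{ Order = 2; Location = 'KnownDLLs'; Path = (Join-Path $sysRoot "System32\$DllName"); Signer = $null; Status = 'protected by KnownDLLs' }
    }

    # Step 7: an App Paths registration may add a per-application directory
    $appPathsKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$(Split-Path -Leaf $ExePath)"
    $appPathDir  = (Get-ItemProperty -Path $appPathsKey -ErrorAction SilentlyContinue).Path

    $order = @(
        @{ Order = 3; Location = 'Application directory'; Dir = (Split-Path -Parent $ExePath) },
        @{ Order = 4; Location = 'System32';              Dir = (Join-Path $sysRoot 'System32') },
        @{ Order = 5; Location = 'System';                Dir = (Join-Path $sysRoot 'System') },
        @{ Order = 6; Location = 'Windows';               Dir = $sysRoot }
    )
    if ($appPathDir) { $order += @{ Order = 7; Location = 'App Paths'; Dir = $appPathDir } }
    foreach ($d in ($env:PATH -split ';' | Where-Object { $_ })) { $order += @{ Order = 8; Location = 'PATH'; Dir = $d } }

    $first = $true
    foreach ($entry in $order) {
        $candidate = Join-Path -Path $entry.Dir -ChildPath $DllName -ErrorAction SilentlyContinue
        if (-not $candidate -or -not (Test-Path -LiteralPath $candidate -PathType Leaf)) { continue }
        $sig    = Get-AuthenticodeSignature -FilePath $candidate
        $status = if ($first) { 'LOADED FIRST' } else { 'shadowed' }
        $first  = $false
        [pscustomobject]@{
            Order    = $entry.Order
            Location = $entry.Location
            Path     = $candidate
            Signer   = $sig.SignerCertificate.Subject
            Status   = "$status, signature $($sig.Status)"
        }
    }
}

# Usage: the Windows 2000 explorer.exe / ntshrui.dll case from the notes
Get-DllSearchOrderHits -ExePath "$env:SystemRoot\explorer.exe" -DllName 'ntshrui.dll' | Format-Table -AutoSize
```

On a clean host the only hit for a system DLL is order 4 (System32) with a Microsoft signer. Two rows, with an unsigned or differently signed copy marked LOADED FIRST, is the finding to chase.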

Phantom DLL hijacking

Use long-forgotten DLLs that are still attempted to be loaded but no longer exist, like fxsst.dll of the Fax service in the \Windows\System32 folder.

DLL Side-Loading

Use the SxS function to present an "updated" version of an existing legitimate DLL to the program. The presented version is the malicious code.
See the PlugX RAT or NetTraveler for the use of this technique.

WMI Event Consumer Backdoors

WMI became active with Windows 2000.

This technique requires three discrete steps (defined in Managed Object Format, MOF):

  1. An event (filter) must be created describing a specific trigger to detect (e.g. trigger every 20 seconds)
  2. An event consumer is added to the system with a script (or executable) to run
  3. The event and consumer are tied together via a binding, and the persistence mechanism is loaded into the WMI repository

Has been used by STUXNET (MS10-016).

Sysinternals Autoruns and the Kansa PowerShell framework help to find such suspects.
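The three pieces listed above (filter, consumer, binding) all live in the root\subscription namespace, so enumerating the bindings and joining them back to their filter and consumer shows every permanent subscription in one table. The following is an added example (not part of the original notes, and not Autoruns or Kansa code) that does this with Get-CimInstance; the function name is this example's own, it needs an elevated prompt, and -ComputerName relies on WinRM being reachable.

```powershell
# Added example (not part of the original notes): list the permanent WMI event
# subscriptions (filter, consumer, binding) registered in root\subscription, i.e. the
# three pieces the technique above installs. Run elevated; -ComputerName uses WinRM.
function Get-WmiSubscriptions {
    param([string] $ComputerName)   # omit for the local host
    $cim = @{ Namespace = 'root\subscription' }
    if ($ComputerName) { $cim.ComputerName = $ComputerName }
    $target = if ($ComputerName) { $ComputerName } else { $env:COMPUTERNAME }

    $filters   = Get-CimInstance @cim -ClassName __EventFilter
    $consumers = Get-CimInstance @cim -ClassName __EventConsumer
    $bindings  = Get-CimInstance @cim -ClassName __FilterToConsumerBinding

    foreach ($b in $bindings) {
        # Filter and Consumer are object references whose key property is Name
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
        $type = $c.CimClass.CimClassName

        # What runs when the filter fires: script text or a command line
        $payload = switch ($type) {
            'ActiveScriptEventConsumer' { $c.ScriptText }
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            default                     { '(consumer type does not execute code)' }
        }
        [pscustomobject]@{
            Computer     = $target
            Filter       = $f.Name
            Query        = $f.Query            # the WQL trigger, e.g. a timer or process-start event
            ConsumerType = $type
            Consumer     = $c.Name
            Payload      = $payload
        }
    }
}

# Usage: executing consumer types are the ones to review; the rest is logging/alerting noise
Get-WmiSubscriptions |
    Where-Object { $_.ConsumerType -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer' } |
    Format-List
```

Windows ships a small number of legitimate subscriptions (the SCM event log consumer is the usual one); a filter with a short timer interval bound to a script or command-line consumer is the pattern described above.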

Hunting Across the Enterprise

Using WMIC

Find executables that do not reside in %Windows%-like folders, i.e. executables outside of trusted paths:

wmic /node:<remote-ip> /user:<username> PROCESS WHERE (NOT ExecutablePath LIKE "%Windows%") get name, executablepath, ParentProcessID

Examine auto-start processes:
wmic /node:<remote-ip> /user:<username> startup list full

Find who is logged on to a computer's console:
wmic /node:<remote-ip> /user:<username> ComputerSystem Get UserName

Query local user accounts:
wmic /node:<remote-ip> /user:<username> useraccount list full

Find the path to a specific running executable and its parent process (for all processes, leave off where name='<executable>'):
wmic /node:<remote-ip> /user:<username> process where name='<executable>' get ExecutablePath,ParentProcessId

Find the command line invocation of a specific executable as well as the creation time of the process (for all processes, leave off where name='<executable>'). Reference the Microsoft TechNet article for converting the time:
wmic /node:<remote-ip> /user:<username> process where name='<executable>' get name,processid,commandline,creationdate

Find the status of a specific service (note that 'caption' is needed in the where clause, but it is actually the 'displayname'; for all services, leave off where caption='...'):
wmic /node:<remote-ip> /user:<username> service where caption="PsExec" get displayname,startname,state,status,startmode

Using PowerShell

(!!!) powershell.exe -ExecutionPolicy ByPass -file .\script.ps1 (!!!)

PS = default in Win7/8/10 and Server 2008/2012/2017
See also: SANS Live Response Using PowerShell

List the running processes:
Get-WmiObject win32_process | select processname, ProcessId, CommandLine

List the creation date of the running processes:
Get-WmiObject win32_process | select processname,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.CreationDate)}},ProcessId,CommandLine | sort CreationDate -desc | format-table -auto -wrap

Save the successful logon events to a text file:
$UserDirectory = (gi env:\userprofile).value
Get-WinEvent -FilterHashtable @{Logname='security';ID=4624} | select TimeCreated,ID,Message | ft -auto -wrap | out-file $UserDirectory\desktop\Event-4624.txt
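Dumping 4624 as text is a start, but the intelligence-driven table earlier names the actual questions: lateral movement (4624 with a network or RDP logon type, per source and account) and data collection (bursts of 4625 failures from one source). The following is an added example (not part of the original notes) that answers both from the Security log, either live (elevated) or from an exported .evtx passed with -Path. The function name, the 7-day window and the failure threshold of 20 are this example's own choices and should be tuned per environment.

```powershell
# Added example (not part of the original notes): instead of dumping 4624 as text,
# summarise network and RDP logons (4624, LogonType 3 and 10) per source and account,
# and flag sources with bursts of failed logons (4625). These are the lateral-movement
# and data-collection indicators from the intelligence-driven table. Reads the local
# Security log (elevated) or an exported .evtx given with -Path; the threshold is a
# constructed default to tune per environment.
function Get-LogonSummary {
    param(
        [string]   $Path,                               # optional exported .evtx
        [datetime] $Since = (Get-Date).AddDays(-7),
        [int]      $FailureThreshold = 20
    )
    $filter = @{ Id = 4624, 4625; StartTime = $Since }
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Pull the named EventData fields out of each event's XML
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Id        = $e.Id
            LogonType = [int]$d['LogonType']
            Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
            SourceIp  = $d['IpAddress']
            SourceWs  = $d['WorkstationName']
        }
    }

    # Successful remote logons, grouped by where they came from and which account was used
    $rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in 3, 10 } |
        Group-Object SourceIp, Account | Sort-Object Count -Descending |
        Select-Object @{ n = 'Finding'; e = { 'RemoteLogon' } }, Name, Count

    # Failed logons per source above the threshold: scanning / password-guessing pattern
    $rows | Where-Object { $_.Id -eq 4625 } |
        Group-Object SourceIp | Where-Object { $_.Count -ge $FailureThreshold } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Finding'; e = { 'FailedLogonBurst' } }, Name, Count
}

# Usage: same destination as the original one-liner, but structured
$UserDirectory = (Get-Item env:\userprofile).Value
Get-LogonSummary | Export-Csv -NoTypeInformation -Path "$UserDirectory\desktop\logon-summary.csv"
```

The Name column of each row is "source, account" for remote logons and just the source for failure bursts; an administrative account logging on over type 3 from a workstation that is not an admin jump host is the row worth opening first.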

Check a cool PS1 script from Sajeev.Nair that I adopted


Once you have created some PS for the local machine, use it in an enterprise-wide scenario to collect the required information for you and save time and resources.


On the target machine, run: "Enable-PSRemoting -Force"

Or via remote command with PsExec:
psexec \\[computer name] -u [admin account name] -p [admin account password] -h -d powershell.exe "Enable-PSRemoting -Force"

And add the destination to the trusted hosts:
winrm s winrm/config/client '@{TrustedHosts="WINSERVER"}'

Create a variable with your domain credentials. This way the credentials are not stored in plain text on the CLI.

$cred = Get-Credential

Now use "Invoke-Command" to run the PS remotely on the target machine:
Invoke-Command { Get-EventLog -LogName Security } -ComputerName "the target" -Credential $cred

The final action:
Invoke-Command { Get-WmiObject win32_process | select processname,@{NAME='CreationDate';EXPRESSION={$_.ConvertToDateTime($_.CreationDate)}},ProcessId,CommandLine | sort CreationDate -desc } -ComputerName WINSERVER -Credential $cred
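The final action above runs against one host; the enterprise-wide version runs the same idea against a host list, keeps track of which host each row came from, and records the hosts that could not be reached so that silence is not mistaken for "clean". The following is an added example (not part of the original notes) that does this with Invoke-Command, combining the "executables outside trusted paths" hunt from the WMIC section with the creation-date listing. It assumes PS remoting is enabled as described above, that .\hostlist holds one hostname per line, and that $cred was created with Get-Credential; the function name and the trusted-path list are this example's own.

```powershell
# Added example (not part of the original notes): run the "outside trusted paths"
# process hunt across many hosts with Invoke-Command, tag each row with the host it
# came from and collect unreachable hosts separately. Assumes PS remoting is enabled,
# .\hostlist holds one hostname per line, and $cred came from Get-Credential.
function Invoke-ProcessHunt {
    param(
        [Parameter(Mandatory)] [string[]]     $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string] $OutDir = ".\hunt-$(Get-Date -Format yyyyMMdd-HHmm)"
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $errs = @()

    # Runs on all targets in parallel (default ThrottleLimit 32); each returns its own rows
    $rows = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
                           -ErrorAction SilentlyContinue -ErrorVariable errs -ScriptBlock {
        # Trusted prefixes are a starting point, not a whitelist; tune for the environment
        $trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")
        Get-CimInstance Win32_Process | ForEach-Object {
            $path = $_.ExecutablePath
            $inTrusted = $false
            foreach ($t in $trusted) {
                if ($path -and $path.StartsWith($t, 'OrdinalIgnoreCase')) { $inTrusted = $true }
            }
            if ($path -and -not $inTrusted) {
                [pscustomobject]@{
                    Name         = $_.Name
                    ProcessId    = $_.ProcessId
                    ParentId     = $_.ParentProcessId
                    Path         = $path
                    CommandLine  = $_.CommandLine
                    CreationDate = $_.CreationDate   # CIM already returns a DateTime, no ConvertToDateTime needed
                }
            }
        }
    }

    # Invoke-Command stamps PSComputerName on every returned object
    $rows | Sort-Object PSComputerName, CreationDate -Descending |
        Select-Object PSComputerName, Name, ProcessId, ParentId, Path, CommandLine, CreationDate |
        Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'processes-outside-trusted-paths.csv')

    # Hosts that failed get their own file so nobody reads "no rows" as "nothing found"
    $errs | ForEach-Object { "$($_.TargetObject): $($_.Exception.Message)" } |
        Set-Content -Path (Join-Path $OutDir 'unreachable-hosts.txt')

    "$($rows.Count) rows from $(($rows | Select-Object -Unique PSComputerName).Count) hosts; $($errs.Count) errors; output in $OutDir"
}

# Usage
$cred = Get-Credential
Invoke-ProcessHunt -ComputerName (Get-Content .\hostlist) -Credential $cred
```

Filtering on the target rather than pulling every process back keeps the WinRM payload small; the CSV is what you diff against the previous run or against a known-good host.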

KANSA: The Swiss Army Knife for PowerShell

Requires the Remote Server Administration Tools (or simply activate them via "add internal features").

Create a variable with your domain credentials:

$cred = Get-Credential

.\kansa.ps1 -TargetList .\hostlist -Pushbin -Credential $cred

After that, you'll find the created files (.csv) in the unique output folder.

WMI Attacks

  • WMIC.exe process get CSName,description,ExecutablePath,ProcessId
  • wmic useraccount list full
  • wmic group list full
  • wmic netuse list full
  • wmic qfe get Caption,Description,HotFixID,Installed
  • wmic startup get Caption,Command,Location,User

(!!!) add "/node:<remote-ip> /user:<username>" for remote actions (!!!)

Find unquoted auto-start service items NOT in %WINDOWS%:
WMIC.exe /node:<remote-ip> /user:<username> service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
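The findstr chain above and the "Windows Services" persistence section earlier (new service creation via 7045, the disabled RasAuto service being reused, failure recovery pointing at an implant) are all service checks, so they fit in one pass. The following is an added example (not part of the original notes, and not Kansa's Get-SvcFail.ps1) that walks Win32_Service and reports auto-start binaries outside %SystemRoot%, unquoted paths containing a space, recovery actions that run a command, and RasAuto no longer being disabled, plus a second function that lists recent 7045 service installs. The function names are this example's own; it runs elevated, and parsing "sc.exe qfailure" output as text is an assumption about that tool's line format.

```powershell
# Added example (not part of the original notes): service checks from the "Windows
# Services" persistence section and from the unquoted-autostart WMIC one-liner, in
# one pass. Run elevated. Parsing sc.exe qfailure text ("COMMAND_LINE : <cmd>") is
# an assumption about its output format.
function Get-ServiceSuspects {
    $sysRoot = $env:SystemRoot
    foreach ($s in Get-CimInstance Win32_Service) {
        $path = $s.PathName
        if (-not $path) { continue }
        $reasons = @()

        # Binary part of the path: quoted -> text between the first quotes; else up to ".exe"
        $exe = if ($path.StartsWith('"')) { $path.Split('"')[1] } else { $path -replace '(?i)(\.exe).*$', '$1' }

        # 1. Auto-start binaries that do not live under the Windows directory
        if ($s.StartMode -eq 'Auto' -and -not $exe.StartsWith("$sysRoot\", 'OrdinalIgnoreCase')) {
            $reasons += 'auto-start outside %SystemRoot%'
        }
        # 2. Unquoted image path whose directory part contains a space (what the findstr chain isolates)
        if (-not $path.StartsWith('"') -and $exe -match ' ') { $reasons += 'unquoted path with space' }

        # 3. Recovery action that runs a program when the service fails (the Get-SvcFail idea)
        $cmdLine = $null
        foreach ($line in (& sc.exe qfailure $s.Name 2>$null)) {
            if ($line -match 'COMMAND_LINE\s*:\s*(\S.*)$') { $cmdLine = $Matches[1].Trim() }
        }
        if ($cmdLine) { $reasons += "failure command: $cmdLine" }

        # 4. The service-replacement case from the notes: RasAuto is expected to stay disabled
        if ($s.Name -eq 'RasAuto' -and $s.StartMode -ne 'Disabled') { $reasons += 'RasAuto no longer disabled' }

        if ($reasons) {
            [pscustomobject]@{
                Name = $s.Name; DisplayName = $s.DisplayName; StartMode = $s.StartMode; State = $s.State
                Account = $s.StartName; Path = $path; Reasons = ($reasons -join '; ')
            }
        }
    }
}

# New service creation as recorded by the Service Control Manager (event 7045, System log)
function Get-RecentServiceInstalls {
    param([int] $Days = 30)
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time = $e.TimeCreated; Service = $d['ServiceName']; ImagePath = $d['ImagePath']
            StartType = $d['StartType']; Account = $d['AccountName']
        }
    }
}

# Usage
Get-ServiceSuspects        | Format-Table -AutoSize -Wrap
Get-RecentServiceInstalls  | Format-Table -AutoSize -Wrap
```

Third-party software legitimately installs auto-start services under Program Files, so the first check produces a baseline to compare against rather than a list of findings; a failure command or a 7045 install with an ImagePath in a user-writable directory is the rare row that needs an explanation.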