Try Hack Me: Sysinternals

Captions
What's going on, guys? Welcome back to the Cyber Defense path. You're going to see a pretty cool little session here today: you're going to see some Sysinternals tools that we use. Not just red teamers, but pretty much everyone in IT uses these tools. So this is another step in our Cyber Defense path. If you guys are enjoying the path, please like, please subscribe, it helps out a ton. I'm telling you guys, you have no idea how much it helps. We're almost to a thousand, I'm super excited. All right, let's get into it.

So what are Sysinternals? This is a compilation of over 70 Windows-based tools. It's a set, or suite, of tools that Mark Russinovich (hopefully I said that right) developed in the 90s, and basically Microsoft bought them and now they use them. You can download them and use them locally, or you can use them from their web share, which I'll show you here, but we're not going to do the web version just because this VM doesn't have a lot of power; they already take a little while and I don't want them to take any longer.

OK, so first couple of questions. When did Microsoft acquire them? 2006. And then I deployed the machine, I'm ready to go.

OK, so this is installing them now. You guys can follow this if you want to. Basically you're going to download them and put them wherever you want, but I recommend putting them in Tools, so C:\Tools. And you're going to see here, this is something you're going to have to do: once you have them downloaded, wherever you're putting them (and this is why I recommend you put them in Tools), you've got to go to Advanced, you've got to go to Environment Variables, and you have to edit the Path. Now, if you guys don't know environment variables, the Path: what happens is, when you're calling on something in the command line, it's going to check, does it exist here, does it exist in AppData\Local\Microsoft\WindowsApps? If it does, it's going to run it. This is also how you get some vulnerabilities. But then we added C:\Tools\Sysint. OK, so that means when we go to run something it's going to check secondarily, is it in C:\Tools\Sysint? If it is in there, it's going to run it. So that's what the variable does. So now, instead of us running, you know, procmon or Process Monitor, we just have to do that, and that's it, and it's run, rather than before, where we'd have to go to the folder, which are all here, Tools\Sysint, and here's all the tools, and we'd have to actually click on it. But now we can run them all from the command line and give them different flags and things.

OK, so that's pretty much it. You guys can read how to actually install them; they're so easy to install, it's literally a download of a zip file, put them in Tools and you're done. I mean, it's that easy. So I'm not going to read that to you. Yeah, this is a good fun fact: you can also use it in PowerShell. You can download it to run internally in PowerShell if you use PowerShell all the time. You can see here, if you use the command line, I'm still in PowerShell, that's what the PS stands for, and it works just fine.

OK, so what is the last tool listed in the tools? They're in alphabetical order, so if you just go down to the bottom it's ZoomIt, and there you go, ZoomIt. OK, got that out of the way.

Now, using Sysinternals Live. We're not going to do this, again, because it was taking forever and I didn't want to sit here and have this video be forever. OK, so what you can do is you can actually set it up, and you can follow this guide, and you can run it from live.sysinternals.com/tools. Now what that means is you're going to call on the web to bring them in. Now the reason I don't recommend doing this, I'll show you guys, is you do have to turn on your network discovery, you do have to turn on some features that, I don't want to say make you vulnerable, because it's not necessarily that they make you vulnerable, especially if you're in an internal network, but it's something that I would rather, if I don't have to do it, why would I? That's for one. For two, having them local: you want to use these tools as often as you can, especially if you're learning Windows; these are huge tools to learn Windows. If you're a sysadmin and you're trying to troubleshoot some stuff, if you're, you know, whatever, you will use these a lot. If you're an analyst you'll use these, and they give you an example at the end that I really like. So whatever you're using them for, it's just nice to have them sitting there. So what service needs to be enabled on localhost? That's the WebClient, and they walk you through that, it's pretty easy.

OK, so let's get right into the tools now. So, File and Disk Utilities. This one's pretty cool, this is Sigcheck, and you're going to see I'm going to run it right now, and the only reason I'm going to run it right now is because it does take a little bit, and then we'll talk about it. So you can see I'm putting in the path that I want, which is Windows and then System32. All right, so we'll let that run. Now Sigcheck, what does it do? It's checking for signatures on files. So you can see here it can check for file status on VirusTotal. That's huge, because if you guys know VirusTotal, if you guys have used VirusTotal, you know it uploads, you can see here, a file, and scans it against 40 antivirus engines. So it takes the signature of the files that you're giving it, which in this case we gave it all of Windows\System32, and it's going to verify those signatures are legit, those are legitimate files from Microsoft or whoever, and they're verified, right? So why is that so important? Because if VirusTotal finds out that, hey, this one file is malicious, they have that in a database somewhere. Now if they scan your computer, or if you scan it using this the way we just did to verify signatures, and it finds the same signature that it found malicious earlier on any computer in the world that's been reported, guess what, you now are going to get: hey, heads up, this file is not verified, it has an unverified signature, and VirusTotal is marking it as malicious. So that tells you huge amounts of data.

By the way, you're going to see this a lot: the -accepteula, that's just "accept end user license agreement". You're going to see them put that in a lot of their commands, and it's not a big deal, it's just accepting the license agreement so it doesn't pop up and say "do you accept this?" That's the only reason.

So now here's the parameter usage. So if you guys see here, this is the help page for Sigcheck, or signature check, however you want to say it. The help page will walk you through some of the flags; you can see there's a ton of them, but they'll walk you through it, and you can go through the page. But the ones we're using here are -u and -e. So -u: if VirusTotal check is enabled, it shows files known or unknown by VirusTotal or that have non-zero detection. So it's just telling you, hey, if we find these files and we don't know what they are, we'll let you know that too; otherwise it only shows unsigned files, meaning files that came from, not necessarily untrusted sources, but sources that you aren't familiar with, or they're not familiar with. Then the -e: scan executable images only, regardless of their extension. So what's the point of this? Well, this scan would take forever, especially on this box with no RAM, if you ran it scanning every single file. But you can run this on your own to verify, hey, do I have files that are unsigned, which means they may not be trustworthy, or do I just not know what they are? So you can do that, but it will take a long time. But if you have the RAM, it's not a big deal. All right, so you can see this is still taking forever, I'm just going to cancel it because it is taking forever, but you would end up basically getting "No matching files were found", and when you get "No matching files were found" that means, hey, it didn't find any files that were unsigned or unverified, nothing like that.

OK, so now we're into Streams. So what most people don't know, and we covered this in a couple of the other boxes, I believe, is that there's ADS, alternate data streams. File Explorer is a big one that allows this. So when you download a file, when you're working on a file, whatever, they allow alternate data streams, meaning you're getting the file, but then there's this alternate data stream coming, and that alternate data stream is probably going on a different, totally unbeknownst-to-you port; it comes on the same port sometimes, it just depends, but it's an alternate data stream, meaning you're not going to see it, right? So this is used maliciously a lot, yes, but it's also used for good reasons too. So the example they use, and it's a good example, is when you download a file from the internet, right? Well, there's an alternate data stream attached to that file that you're not going to notice, and you can see it right here, it says Zone.Identifier:$DATA. That means it's from the internet; that is not an internal file, you didn't create it on that box, it came from somewhere on the internet. So that's important, because that means when you're doing forensics or anything like that, you can say, hey, this person ran this file and then all of a sudden their computer started messing up. Well, you can go back, you can look at that file and say, well, the file came from the internet. That's the first alarm, right? So that gives you a little red flag.

So we'll go ahead and hit streams, and we'll say -accepteula (well, I put "ua", but oh well), and you can see there's two different things you can do: recurse subdirectories, delete streams. Well, we don't want to delete them, that's for sure, because we want to actually keep them. So you can see, since the file has identifier blah blah blah, it has the additional measures. Now one of the questions: there's a text file on the desktop named file.txt, so you can see that text file; there's an alternate data stream in there, we need to find it, that's what they say. So what's one of the things you can do? You can do the streams. Now we are not in the correct directory, so we'll have to go to Users\Administrator\Desktop and then we'll have to do file. OK, so this is the file, so we hit it and you can see it's got ads.txt:$DATA. So ads.txt is the alternate data stream. Now $DATA means it came from the internet. So now if we run notepad and we say file.txt... let's go ahead and open notepad here (my dog's sleeping, he's barking), and then we can say file.txt, and then you can put the little colon to say alternate data stream, alternatedatastream.txt; I want to open that. I opened it backwards. All right, let's just see if it'll open in notepad without requiring it. There we go. "Cannot find"; that's because I'm in the wrong directory and I'm an idiot. OK, so all we've got to do is C:\, and what was it, Users, and of course I have to type it out, Administrator\Desktop, and then that should be file.txt. OK, and you can see when you open it with notepad: "I am hiding in the stream". So there's your answer right there, "I am hiding in the stream". So hopefully that made sense to you guys. This is an alternate data stream. It's, I don't want to call it this, but it's similar to metadata, if you guys are familiar with metadata; it's alternate data that's coming in that can be used for whatever purpose they want it for, but it allows you to keep information that may be important to it, like the fact that it came from the internet. OK, so that's how you look for that.

Now SDelete. This is pretty easy, Secure Delete. You can see it's DoD 522... oh, that's just Department of Defense. If you guys have ever worked for the government you know DoD is just Department of Defense. But this is what it does (what happened? OK), so you can see that's what it does. When you go to delete something, it'll write a zero and verify it, so it actually deletes the file, writes over it, then it writes a one and verifies it, then it writes a random character and verifies it. Now why is this important? Well, this has been used in a lot of attacks, because if I delete the logs, right, if you go and do forensics you can go get them; if you do it this way, theoretically, now theoretically, you cannot go get them. The reason I say theoretically is because time and time again we see people delete stuff even using methods like this, like Secure Delete, and forensic specialists are still able to pull and extract small amounts of data, or large amounts of data. So what that tells us is we really don't know a 100% method; well, we do, but we don't have the time for it, I guess is what we can say. Number one, you can physically break the stuff into little bitty pieces and then it'll never get put back together. The other way is you could do this, you know, 10,000 times and you'd pretty much verify that it's going to be gone. But it's not always that easy, so keep that in mind. But this is a good way to securely delete stuff and not have to worry, is it recoverable?

All right, so TCPView. You guys should be fairly familiar with this, because we've used Resource Monitor on this channel before, and Resource Monitor is just going to tell you some information about it. Now TCPView, we'll show you; the reason I'm not covering Resource Monitor very much is because we're going to cover TCPView now. This is just a little bit different, but this is a really good tool, especially if you're looking for, like, are you part of a botnet or something like that, because what a botnet does is it reaches out, right, and it sends commands to a machine. So if you're worried that your machine might be taken over or might be part of a botnet, you use TCPView and you can see every port that's open. It's kind of like netstat, if you've used netstat; you can see every port that's open, but then you can see, OK, this one's listening, these are all listening, but you can see these are listening on a local port. OK, now here you can see this is an actual connection, Established. Now if we scroll over you see packets are being sent and received. Why is that important? Because that tells you right there, hey, heads up, something is talking to me right now on this port. Now let's say this is a remote address, let's say you look at that and it's an IP that you don't recognize. OK, now we need to start looking at whois to try and find out who owns that IP. So you can see here: using the whois tool, what is the organization for the remote IP, or the remote address, in the screenshot above? Well, this is the remote address right here, the 52... 154.170.73 one, and then if we go here on the whois, you can see here it's owned by Microsoft Corporation. Boom, so there's your answer: Microsoft Corporation. So hopefully that makes sense to you guys, but basically if you go on here and you start looking at your computer and you're like, I have a bunch of connections I don't recognize, start doing a little research on them. Now some of them will just be you accessing the internet daily, whatever, that's fine, but some of them could be malicious.

OK, so Autoruns. This utility has the most comprehensive knowledge of auto-starting locations. So what is this? It tells you where and what is auto-starting on your computer. OK, so we'll go ahead and run Autoruns; I'm not even going to accept it, we'll just let it go. OK, so you can see there's going to be a lot of information here. Now we don't see anything right now, and that's fine, but what you're going to see, it's going to load; it's just taking a while because this computer is very slow. If we go to Image Hijacks, it's a big one; nothing's running though. OK, so you can see, we'll go back to Everything. This is the stuff that's auto-running. OK, so that means it's going to be set to auto-run. Now there's a lot of different things going on here, so don't worry about stressing about knowing everything about it. The big thing here is the Image Hijacks for the Cyber Defense path. This is basically, if you go here, this is a good source for you to read about it, but basically what it is: Image File Execution Options in the Windows registry to redirect process loading by mapping the executable name, and that's loading in a completely different process. So what is it? These processes are supposed to run at autorun, right, and you could replace the name of this with the same name and it could hijack it, is what they call it. So what's that mean? It means you could replace the program that's going to run automatically, and then therefore take over the machine. And obviously, just because they're sitting here doesn't make them vulnerable, but it's something to look into.

OK, now we've got Process Dump, or ProcDump. So if we hit procdump, or Process Dump, you can see it gives you a list of options, boom boom boom, pretty easy; you can go through and look at it. But what you can do is you can go back to Process Explorer (I think it's procexp, yep), and I think we opened this at the very beginning, but this is the next one we're going to go to, so we'll go ahead and open it and show you. OK, so this is Process Explorer. So what you can do, which is pretty cool, is let's say you have a program where you see the CPU is just skyrocketing, or something like this; you can go here and you can say Create Dump, and create a Minidump or a Full Dump, and it gives you basically all the information about what's happening, so that way you can then give it to whoever is in charge of trying to figure out what's going on. So it gives you an option to figure out what's really going on in the back end. It's almost like giving them the logs, if you will, but you're giving them much more detailed information about, step by step, what's happening.

OK, so now we've got Process Explorer. That's what we're in right now, so that should be pretty self-explanatory to you. All right, so this one tells you: in the following images, let's look at svchost.exe, PID 3636. So if you remember from the last box, the only PID, or process ID, that will stay consistent is number four, and the rest of them will be randomly generated, so that 3636 won't be the same over here, so don't worry about trying to make it the same, or looking for it, I should say; I don't know why I keep doing that. All right, this process should be associated with the WebClient service. Now we did not create the WebClient service, so we won't have that sitting here, but what they're looking for is that WebClient service, and you can see here's the service, the process that's running it, and here's what's actually being run. So it's actually being run right here by Administrator, and here it is, that's what's actually being run, and then there's the actual command. OK, so why is that important? Because let's say this says svchost.exe is running, right, and then you get over here and it's some weird command that reaches out and pulls down a reverse shell to you. That's not normal, right? So that's why it's nice to go through these and look at them and try and figure it out. Now you can see here, "ideally it'd be wise to check", so what they're talking about is they're looking at the WebClient, so that's the process they set up to run these commands remotely. So when they look at it, they go through, you can see here, they're going to go through and they're looking at... now you can also see these are all Verified, meaning that they're owned by whoever says that they own it; the signature is verified, it is the actual product, right? So you can see here the one they're talking about, if you look at it a little more closely, so let's say this one, if we double-click it, you can see the TCP/IP tab is the next one they're looking at, and you can see it gives you a local address and a remote address. Well, what they're saying is you should verify this remote address is what it says it is. Now we verified the program's correct, so that's half the battle, but you should verify that whatever it's connecting to, whoever it's talking to, is who they say they are, and you can see there's a lot of tools to verify the authenticity of an IP, but you can see they use Talos, and Talos verifies, yes, the IP address does have a reverse DNS and it's Microsoft Corporation. Perfect. So we verified it is Microsoft, it is connecting to a Microsoft server, so we know that is 100% legit. And then you can see here they give you the color code for what's going on here: the pink, right here, the ones that we have here, is a service. OK, the light blue is a process that's run by the same account, so you can see it's run by admin, so those will be light blue. Green is ones that have just started, so you'll see it pop up and then change colors sometimes. And then this blueish color, I don't know what they're calling it, but it looks like it's something that was freshly spawned. But all right.

So now let's go to Process Monitor. So that was Process Explorer, and I know I'm going through these fast, guys, but it gives you a lot of information, so you should be able to get through it; I want to make sure that you guys see it. So what we're going to do, you can see here, Process ID. Now I did this earlier, I put a filter in; we'll hit OK and you can see the current filter excludes all these. Now we'll go ahead and hit the filter, we'll go back to... there we go, OK, it popped up. So Process Monitor: I put this filter in for process ID 516, which is this svchost, OK, that's the only reason we have them. But you can see it's showing 1,000 of 111,000, so we're not capturing all of them, because this would take forever. So that's what you want to find out: you want to look at a process and monitor that specific process and what it's doing. So let's say you have something that's a little suspicious, you're not really sure. So you notice we can go here, we can go to File, and we can actually stop the capture so that we can then take this and review it, because you're going to get thousands and thousands, right? So what you're going to do is you're going to go to your Process Explorer, find the process ID of whatever process you think might be suspicious, or you're not really sure about, and then put the process ID in here as a filter. So I'll show you the filters. So we'll go ahead and hit Filter, and you can see what I did is I said Exclude. So those filters were already in, I didn't put those in. So what you can do is you can say Include Process ID, so right here you go to PID 516. So if the process ID is 516 you include it, then you put one in that says if the PID is not 516 then you exclude it. Now what that does is then it'll only show us process ID 516. When that happens, here's what we're going to get, and now we can really start breaking down exactly what the process is doing, step-by-step timelines, everything, so you can really start figuring out what's going on and what that process is doing. This is especially good if you're trying to analyze malware and see what it's doing; this can help you with that.

All right, so now PsExec. There we go. OK, so this is a lightweight telnet replacement. So what's the difference? This lets you basically have an actual interface. So most of you know telnet; when you run telnet and connect to something, you take over whatever you're telnetting to, if that makes sense. So for instance, if you telnet to an FTP server, you now have to use FTP commands. This is different: PsExec actually has an interface that you can interact with, and you can even run, or interact with, console applications without having to manually install anything. Perfect. OK, so you can see psexec; we'll go ahead and just run this and it gives you a bunch of different information, so it gives you a little help menu. That's awesome.

All right, so now run Autoruns. We did that. OK, so on the Autoruns, we'll go ahead and run that again to show you the question, because the question is a little bit confusing, so I want to make sure everybody sees it and understands it. So if you run Autoruns, you'll see, what they're saying is, on here on the Image Hijacks tab, they only have one entry, and it's this one. On ours we will have more than one, but the one that's been updated, you can see, is this taskmgr.exe, and the reason it's been updated is because, if you remember, we added that C:\Tools\Sysint in there; that was us, we added that. So once we added that, it updated this autorun, because that's what's going to run every single time. To verify, so now: what entry was updated? taskmgr.exe was updated, value C:\Tools\Sysint and Process Explorer. So what it's going to do is it's going to run every time. Perfect, we got that.

OK, now we're through the bulk of the knowledge, but here: Sysmon, System Monitor. This is important because they want you to understand it, but they don't want to deep dive into this, because it does take a very long time to understand; Sysmon's a whole tool by itself. But they want you to know it exists and understand that you can access it. So "once installed on a system, it remains resident": what that means is it's going to stay persistent the whole time, whether you reboot, whatever; it's going to monitor and log system activity to the Windows event log. So it monitors a little bit more than what your normal logging would, and it kind of gives you alerts and stuff if you feed them into a SIEM. So, by collecting the events it generates using Windows Event Collection or SIEM agents. OK, so this is a comprehensive tool and it can't be summarized. Perfect, so just understand it, go to it at some point. At some point we'll do the Sysmon room, so then you guys fully understand; if you guys are interested in that, comment below that you want to see the Sysmon room and I'll knock it out quickly, but I don't know how interesting that will be for some people, because some people may not be there yet and have never used it.

OK, so WinObj. This one may be a little bit confusing to you guys, so I'm not expecting you guys to understand it completely, but just understand how to access it, how to use it, if anyone ever needs to. OK, so you can see it's going to access and display information on the Object Manager's namespace, and that's the official definition. So there's an important thing: if you guys have not followed the previous box, which is, and it'll tell us here, the Core Windows Processes, you need to go back and review that one to understand this process here. OK, so once we go through here, right, so here's our root directory, if you will. All right, so now you can see here, if we go to Sessions, if you remember, session zero is always the operating system and one is the first person logged in. So if we go to session zero and we go to DosDevices, this is what they're looking for. So you notice, this is when you log in, it's just the directory Global, right? You can see they have a Y here, and that's because they connected their Y drive to their live Sysinternals; we didn't do that, so we don't have one, right? So that's what they're showing you, is that you can access it here and actually see it. Now let's look at the Windows station values for one. So if we go back, this is session zero, so that's the operating system; if we go to one, this is your session, or the user session, and you go to Windows, you can see there's WindowStations right there, and there's WinSta0. Now this is where it's important, because if you remember in the Windows Processes one, there's csrss.exe; it launches with Windows logon and should be running, right? So when you run it, here's how you can verify nothing's wrong with it, besides the commonalities that you look for in the past box that we looked at, which is like if there's multiple of them running, or things like that. This is how you can also look. So when you go to the csrss.exe and you look at the properties, you'll see it's going to be referring to this Windows station, Session 1, Windows, WindowStations, WinSta0. So you can see, you can verify, what this says the Windows object is, WinSta0, and that's what it's referring to, and it's not referring to something else, which could be very bad. So hopefully that makes sense, you guys; that one will require you guys to have done the Core Processes box that we just did, or else you won't really understand it.

Now this one, I'll show you guys, but I don't think, unless you guys have ever worked in a government situation or something like that, you probably won't ever see this. But what we'll do is we'll just go ahead and say CPU. So if we wanted to, we could change this to whatever we want, right? So we'll say CPU is "stuffy", right, and it doesn't really matter; OS Version, and you can put whatever you want here, you can put 100 things, you can put two things, I'll just say "stuffy" again. OK, and then we'll do File, Save As; it doesn't really matter what you save it as. OK, so what this does, what a lot of people have never used, is when you have this running, basically what you're going to do is, you can see, Apply, boom, and now all this information is sitting right here. So there you see CPU stuffy, OS Version stuffy; you can have that say whatever you want, but that stays on the desktop no matter what, whether you change the desktop, whether you do or don't change something, whatever, and they have to actually run that BGInfo to change it. Now why is this important? Because what it does: let's say you have 50 computers on a domain, right, but I have this running on all of them; I have this in the Group Policy so that it runs. What it's going to do is it's going to pull, depending on how you have it set up, the default gateway; you don't just set that to random whatever, it's going to pull that from the information on the computer. So what does that mean? So for instance, you can have it pull the OS version; it says "stuffy" here, but it'll actually read what's in the OS version and tell you, hey, this is what it is. It can read the environment variables and tell you the DNS server is XYZ, you know, the hostname is... and it's got the hostname there. Now it'll pull that information and set it up here. Now why is that important? It's really not for typical day-to-day users, but a lot of government computers have this on the background, and the reason is so that if someone's working on it, or something like that, it's a quick boom, got it up, I've got the IP, the DNS, I've got everything I need to work. OK, so keep that in mind. This isn't common, but it's good to know, because you can put background information on your computer. Let's say you want your company's information right here, the address, name, phone number, whatever, on every one of your company's laptops; this will do that for you. That way, every time someone logs in, you can't say I don't know our address, I don't know, you know, whatever. There's all kinds of reasons you could use that.

OK, RegJump. Now we're not going to use this one here, but RegJump is very good, because what it allows you to do is, you can see, if you actually put in the exact registry entry that you want, it will jump you straight to it. Now the registry is way beyond the scope of this box, but the registry controls everything; the registry is your god, OK, so keep that in mind. But when you go to Registry Editor, if you've ever looked at it, there's a million tiers in it, right? So this allows you to jump straight to it and not have to try and dig around and find it. So it's really good.

Now Strings. Strings, if you've ever used Linux, you've probably used strings, so that's what it is, the same thing. So what we're going to show you here says: run the Strings tool on ZoomIt.exe. What is the full path? So we're going to run strings and then we're going to say on ZoomIt. Now I will say, if you guys are just getting on the box, you notice I'm already in the Tools\Sysint directory; you will have to change to that directory. Now you have to change the findstr, and you're going to look for ".pdb". So what's this going to do? It's going to go through the file and it's going to look at all the strings and it's going to pull them out. Then we have this pipe; the pipe is going to then say take all the strings that we just got, feed it into this findstr, and then that /i, I believe, is just case sensitive, and then look for pdb (pdp... pdb, my god), and boom, it gives us two of them: C:\agent\_work\112\s\Win32\Release..., and it's the first one, Win32\Release, boom boom boom. And I don't know if the other one will work, it probably will, but I don't know.

So that's it, guys, we covered a lot of information. Now this is something I wanted to cover with you guys real quick: the real-world scenario. So this is telling you, whether you're a desktop engineer, system analyst or security engineer, no matter how much experience you have, these tools come in handy. Now here's one: as a security engineer, I had to work with vendors to troubleshoot why an agent wasn't responding on an endpoint. So they had an agent sitting there, meaning that's a program sitting on an endpoint, and it was not getting back, and they didn't know why, they couldn't figure it out. So they used Process Explorer to inspect the agent process's properties and associated threads: so what is it doing, what's it trying to open, what's going on with it. Process Monitor to investigate if there's any indicators: so is it running high CPU and then crashing, is there no network connectivity, what's going on. Then ProcDump: this creates a dump of the agent process to send to the vendor. So the vendor owns the software, so if you send the dump to the vendor they should be able to look through it and say, oh, here's where it's going wrong, because they coded it themselves. So that's a good example of a real-world scenario where they use these tools, and they were not low-level troubleshooters, they weren't help desk, they weren't sysadmins, they were a security engineer trying to figure out what's going on. So hopefully that helped you guys. This is a very informational box, but it also allows you hands-on. I really like this box. These tools are invaluable; when I say invaluable, they are used on red teams, blue teams, purple teams, they're used everywhere. So keep in mind that this is a defensive path, but you can use these tools offensively as well. So hopefully you guys enjoyed it. Thank you guys, and I hope you guys have a great day.
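The Streams part of the captions (finding the ads.txt stream on file.txt, and the Zone.Identifier stream that Windows attaches to downloaded files), as an added Python example that is not part of the video or the Sysinternals suite. list_streams() enumerates a file's NTFS streams through the Win32 FindFirstStreamW/FindNextStreamW calls, so it only works on Windows; read_stream() uses the same file:stream syntax the video types into notepad; parse_zone_identifier() turns the INI-style text of a Zone.Identifier stream into its ZoneId and zone name and runs anywhere. The sample stream contents and the example.test URLs below are constructed for this example.

```python
"""Added example, not from the video or Sysinternals: a streams.exe-style
enumerator plus a Zone.Identifier parser."""
import ctypes
import sys
from typing import Dict, List, Tuple

MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 headers: LARGE_INTEGER StreamSize; WCHAR cStreamName[MAX_PATH + 36]
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value


def list_streams(path: str) -> List[Tuple[str, int]]:
    """Return [(stream_name, size), ...] for `path`, like `streams file.txt`.
    Names come back as '::$DATA' for the main stream and ':ads.txt:$DATA' for
    a named one. Windows/NTFS only (ctypes call into kernel32)."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs Windows")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int, ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = WIN32_FIND_STREAM_DATA()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if handle is None or handle == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: no more streams
    finally:
        k32.FindClose(handle)
    return found


def read_stream(path: str, stream_name: str) -> str:
    """Read a named stream; on Windows open() accepts 'file.txt:ads.txt'."""
    with open(f"{path}:{stream_name}", "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


# URL security zone IDs written by the shell into Zone.Identifier
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse '[ZoneTransfer]\\nZoneId=3\\n...' into a dict; ZoneId becomes an int
    and a ZoneName is added. Keys outside [ZoneTransfer] are ignored."""
    result: Dict[str, object] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        result[key.strip()] = value.strip()
    if "ZoneId" in result:
        zone = int(result["ZoneId"])
        result["ZoneId"] = zone
        result["ZoneName"] = ZONE_NAMES.get(zone, "Unknown")
    return result


def came_from_internet(zone_identifier_text: str) -> bool:
    """True when the stream marks the file as downloaded from the Internet zone."""
    return parse_zone_identifier(zone_identifier_text).get("ZoneId") == 3


# Constructed sample of what a browser writes for a downloaded file (not real data)
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/downloads/\r\n"
    "HostUrl=https://example.test/downloads/tool.zip\r\n"
)

if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        for name, size in list_streams(sys.argv[1]):
            print(f"{name:40} {size} bytes")
            if name.startswith(":Zone.Identifier:"):
                print(parse_zone_identifier(read_stream(sys.argv[1], "Zone.Identifier")))
    else:
        print(parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER))
```

On an NTFS volume, `python ads.py C:\Users\Administrator\Desktop\file.txt` lists the same `:ads.txt:$DATA` entry the video finds with streams.exe; the `:$DATA` suffix is the NTFS attribute type that every data stream carries, while the download origin is the ZoneId value inside the Zone.Identifier stream. `read_stream(path, "ads.txt")` returns the hidden text the video opens in notepad.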
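The `strings ZoomIt.exe | findstr /i .pdb` step in the captions, as an added Python example that is not from the video or the Sysinternals suite, so the two halves of that pipeline can be seen separately. Sysinternals strings scans a file for runs of printable characters in both ASCII and UTF-16LE (what Windows calls Unicode) with a default minimum length of 3; findstr treats its argument as a regular expression (so the dot in `.pdb` is a wildcard) and `/i` makes the match case-insensitive. The sample byte string and the PDB path embedded in it are constructed here and are not taken from the real ZoomIt.exe.

```python
"""Added example, not from the video or Sysinternals: a minimal strings + findstr."""
import re
from typing import List, Tuple

MIN_LEN = 3  # Sysinternals strings' default minimum string length (-n)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[Tuple[str, str]]:
    """Return (encoding, text) pairs in file order, like `strings -a -u`."""
    # Printable 7-bit ASCII (tab, space..tilde), at least min_len in a row
    ascii_re = re.compile(rb"[\t\x20-\x7e]{%d,}" % min_len)
    # The same characters as UTF-16LE: each printable byte followed by a NUL
    utf16_re = re.compile(rb"(?:[\t\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    found.sort(key=lambda item: item[0])  # interleave by offset, as strings.exe prints them
    return [(enc, text) for _, enc, text in found]


def findstr(lines: List[str], pattern: str, ignore_case: bool = True) -> List[str]:
    """Keep lines matching `pattern` as a regex; ignore_case mirrors findstr /i."""
    rx = re.compile(pattern, re.IGNORECASE if ignore_case else 0)
    return [line for line in lines if rx.search(line)]


def pdb_hits(data: bytes) -> List[str]:
    """The full pipeline from the video: strings <file> | findstr /i .pdb"""
    return findstr([text for _, text in extract_strings(data)], r".pdb")


# Constructed stand-in for a PE file: DOS stub text, a (made-up) PDB path as the
# linker's CodeView record would carry it, a UTF-16LE resource string, and a
# mixed-case decoy so the case-insensitive match is visible.
SAMPLE_EXE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"\xb8\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    + b"\x00" * 16
    + b"C:\\build\\_work\\7\\s\\Win32\\Release\\ZoomIt.pdb\x00"   # made-up path
    + b"\x12\x8a\x00\x01"
    + "ZoomIt Screen Zoom".encode("utf-16-le") + b"\x00\x00"
    + b"\x00\x05\x7f"
    + b"RSDS" + bytes(range(16)) + b"\x01\x00\x00\x00"         # CodeView-style marker
    + b"x.pDb"
    + b"\x00\x00" + "Sysinternals - www.sysinternals.com".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for enc, text in extract_strings(SAMPLE_EXE):
        print(f"{enc:8} {text}")
    print("findstr /i .pdb ->", pdb_hits(SAMPLE_EXE))
```

Run against a real binary with `pdb_hits(open("ZoomIt.exe", "rb").read())`; the first hit is the linker's PDB path, which is the "full path" the room asks for, and the offset sort is what makes the ASCII and UTF-16 results appear in the same order strings.exe prints them.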
Info
Channel: stuffy24
Views: 2,820
Keywords: hacking, tryhackme tutorial, tryhackme cyber defense, cyber security, cyber defense, cyber defense course, cyber defense vs cyber security, cyber defense operations air force, tryhackme sysinternals, tryhackme sysinternals walkthrough, tryhackme sysinternals writeup, tryhackme sysinternals answers, sysinternals, sysinternals malware hunting, sysinternals suite, sysinternals process monitor tutorial, Microsoft tools, microsoft tools for learning, microsoft tools for windows 10
Id: pBnHDHSAku8
Length: 36min 25sec (2185 seconds)
Published: Fri Jun 24 2022