What is Windows SysInternals | How to use Windows SysInternals tools | what is sysinternals

Captions
[Music] Welcome to the Global Information Security Society for Professionals of Pakistan. [Music] We are basically going to cover what it is, what tools are included in Sysinternals, and we will also cover some of these tools in more depth. A little introduction about myself: my name is Syed Hassan. I am currently employed as a forensics and incident response engineer at a local firm in Karachi, and I do use Sysinternals as part of my day-to-day forensics work. So let's get to it.

Microsoft Sysinternals is basically just a suite of tools. You can use it for a wide range of tasks: maybe you want to administer your Windows hosts, maybe you want to monitor them using Sysmon, or maybe you want to manage them better, or maybe analyze the processes which are open, or the DLLs that they have, the handles that they are currently using. You can easily do that. By default, Windows uses Task Manager to assist you in your administration or management of a Windows environment, but if you have used it for anything other than that, you'd notice that it is just not enough. So Sysinternals basically grows on that and gives you the ability to administer or manage your Windows environments much, much better. Currently it has over 70 plus tools in itself. It was initially launched by Mark Russinovich and Bryce Cogswell as Winternals Software, but later acquired by Microsoft, and after the acquisition it was renamed to Sysinternals. Currently it is open for downloads at the Microsoft TechNet website. You can easily download it for free, and these are basically portable executables, so you do not have to install anything; these are already compiled and ready for execution.

Okay, so like I said, Sysinternals has over 70 plus tools. Unfortunately we cannot cover all of them in a single video, so what I've done is I've gathered a list of must-know tools, and we will be covering them in detail in the next few slides. I'll first go over the theoretical section and explain what these tools are, and then maybe we'll see practically on a live Windows system how and what you can do with these tools.

All right, so if you've ever used Task Manager before, you've seen that it does show the processes on the system, but the information it returns about a particular process is not enough. Even if it is enough for you, it is not presented in a more usable format, and you cannot export that information for usability into a different tool. Process Explorer, on the other hand, provides you much more detailed information about a particular process or an application which is currently running on a Windows system. You can triage processes; you can identify the handles, the DLLs that a particular process is using, as well as the threads. Along with that you can identify the resource consumption for that process, the strings which that process has, both the in-memory as well as the image-based strings (when I refer to the image, it is actually the executable itself). Along with that you can view the security privileges which are assigned to that process, and you can also submit the hash of that particular process to VirusTotal for a scan. This can help you identify if the process has already been flagged as a malicious executable, and if it has, then you can maybe kick off your forensics investigation.

Let's take a look at Process Explorer, and I will quickly shift my screen so you can take a look. So this is Process Explorer, right? This is basically showing all the processes which are currently executing on my system, and it is in a process tree format because I've enabled it. I think this is the one... okay, I think this is because I've already enabled it. So this is the tree-like format, and I can view the processes which are executing on the system. For example, if I go into PowerShell and the properties, I can view the image and the path that it is executing from, the command line arguments, the current directory, the parent, the user, the start time, the comment. I've also actually submitted this to VirusTotal before, so you can see that there are zero detections out of 76 on VirusTotal. The Performance tab is likely going to have CPU, disk usage, handles, virtual and physical memory; Performance Graph again; GPU graphs; Threads, all threads for that particular process; if it has established any internet connections, you can view them in the TCP/IP window; Security, where you can identify the user which is currently executing this process as well as the privileges which are assigned to that particular user; the environment variables; the Job; and now the Strings. The strings are both from the image as well as from the memory, so you can view both these strings, and you can identify if some of these can be used for maybe a detection ruleset based on YARA or a different tool.

Next up we have Process Monitor, or Procmon. Procmon is a system-wide monitoring tool. It can help you identify changes on a system based on the file system, the registry, as well as process activity. Let's say you try to execute a process on a system and you wish to see what changes it tries to make. So you could capture that process: the image path, the command line arguments, the user and the session IDs, the registry changes it tries to make or the registry keys it tries to query, as well as the file system changes (maybe it tries to read a file, maybe it tries to write to a file); you can view them. One of the best features of Procmon is its powerful filtering capabilities, and when you pair this with its non-destructive nature, it is the best. What do I mean by this? If I could just shift to a demonstration. Now this is Procmon. Once I've just opened this, as soon as I start capturing events you can see that it is trying to capture over 45,000 events as we speak, and I could just pause them and you can see what it has done. There are multiple events on my system which were monitored at the time of capture, so you can see the registry query values, the registry query value again, the query information, create file; we can see this is Process Explorer as well; then we have thread exit, then you have close file, create file, and more such data.

Now if I go to the filters tab, what I can do is, if I could just show you, let's see, I want to just see if there are events related to PowerShell... Explorer... so what I'm going to do is, sorry, I meant PowerShell. If I could go into P, and we can see pwsh, right, okay, just add them. So you could see that it just added PowerShell here. If I could just apply the filter, you can see it has filtered over 76,000 events, but it has not destroyed them, so if I reset the filtering I can view the 76,000 events again; I can view all that information again. Now if I try to explore this information in detail, you can see the event properties: the image which is basically linked with that particular event, the modules it has, the parent ID, the process ID, session ID, architecture, all that information, the user which is currently running that process. Everything is here. Now let's say you want to filter based on the operation, and I'm going to say only try to see if there are registry set operations. I can apply that, and you can see these are the keys which were set during the execution of our demonstration. Again, if I just start capturing again, you can see that it has started capturing those events again and the events are increasing here. I can save them to a file if I want, and we can take a look at that later as well.

Next up we have System Monitor, or Sysmon. Sysmon is an advanced monitoring tool for a Windows environment. If you've used Windows logging before, you know that it does not log many items that it definitely should by default: process creations, network communication and file modifications are just a few to mention. However, Sysmon does have these capabilities. It is registered as a system service on a Windows environment, and a device driver as well, so once your system boots up, Sysmon begins its monitoring phase. It can help you identify malware, intrusions and breaches within the network, if someone does monitor the Sysmon log. So what it does is it logs all those process creations, network communications, file modifications, DLL changes, DLL usage and many more fields in a log source. So if you begin installation of Sysmon (actually, it is one of the tools which does require installation on a Windows environment; it is not a portable executable itself), first you need a configuration file. In a configuration file you can identify what events or what categories of events you want to monitor. Maybe I just want to monitor process execution, and I would also like to exclude processes which I know are whitelisted: maybe I do not want to monitor Opera, the browser; maybe I do not want to monitor my Chrome, which is also a browser. So I can mention those changes in the configuration file and then install Sysmon with that configuration. Once it's installed, Sysmon begins monitoring and logging these changes under Applications and Services Logs, which you can view in your Windows Event Viewer. For better monitoring you can also forward these events which are generated by Sysmon to a central logging system or a SIEM. Unfortunately I do not have a demonstration for Sysmon at the moment as it is not installed on my system, but the installation is fairly easy, and it begins logging changes or events on your system fairly quickly.

Next up we have Autoruns. Autoruns, as the name suggests, can help you find all auto-start applications, services, scheduled tasks, known DLLs, the boot execute keys, or maybe a different registry key which can help you identify applications which are scheduled to start at the boot-up of your Windows environment. It can help you cover many more sources than a typical different tool, and we also have several other features which can aid in our investigation. One of the optional features is to hide signed executables which belong to Microsoft. A different feature is to hide all empty locations. Thirdly, we also have VirusTotal checks, so it can submit the hash of your executable or the task or a different key or value to VirusTotal and check if the hash matches a malicious hash. It also allows you to delete the entries which you're going to find in the Autoruns output, as well as disable them, if you have administrative privileges. If I can quickly shift to the demonstration, we can take a look at Autoruns. All right, so here it is. Now if you can take a look at the scheduled tasks I have currently open; other than the scheduled tasks we have Services, the Drivers, the Codecs, the Boot Execute keys, LSA Providers, Explorer keys, Image Hijacks, Office startups (we can review these here), and Known DLLs which are set to auto execution, as well as everything else in the same window. So if I go into Logon and I wish to disable the Adobe startup execution, I can just quickly click this, but it is denying me access since I'm not an administrator, so I have to restart the Autoruns GUI process, and once I've assigned it the privilege I can disable the key and stop my execution.

Next up we have PsExec. PsExec is a remote execution utility which you can use to launch interactive command prompts or execute programs on remote systems. By default PsExec creates a service of itself, which is PSEXESVC, and a named pipe on the remote system to assist in its execution. It requires SMB file and print sharing and the ADMIN$ share, which is the administrative share on the remote system, to be enabled if you wish to use PsExec. Usually administrators use PsExec to take control of systems in their environment and administer them, or execute programs which might be related to updates or a different category. It can also be used by malicious users; for example, APT groups have used PsExec to take control of systems in the environment and laterally move in order to execute their malicious payloads. One of the example commands is psexec, the IP address, the username and the password, and then the command that you wish to execute. This is going to return you the output of ipconfig on the specified host, if the permissions are granted and the required services which I've mentioned before are enabled.

Okay, so next up we have TCPView, which can help you identify all TCP/UDP connections which are established by processes on your workstation. The output is basically similar to netstat, but you could say it is presented in a much better format. You can identify the packets and the bytes, the remote port, the remote IP address, the local port and address, as well as the protocol, the PIDs and the process information. We're going to see this in a short demonstration next, but you also have access to the command line version of TCPView, which is Tcpvcon. It is shipped in the same distribution of Sysinternals, and you can access that once you've downloaded the zip file. Now if I can transition to TCPView, you can see that these are the processes which are open on my system and are currently establishing connections. So you can see these established connections by the following process: for example, Opera is trying to connect to this remote address on this port, and the state is established; these are the bytes sent and the bytes received. This can also help you identify malware beacons and can be used in your forensic investigation to help identify TCP or UDP connections.

Next up we have PsLoggedOn and LogonSessions. PsLoggedOn can help you identify currently logged-in users on a particular system. This includes both local as well as remote logons, and resource shares as well. Next we have LogonSessions, which can help you identify all active logon sessions on a particular system. You are going to be shocked with the amount of results it returns and the number of logons which are actually active at a particular time. It also has the capability of returning the processes of a particular logon. What I mean by a process is that, let's say the user has logged on and begun execution of PowerShell; so what you can do is you can identify that logon session and you can also identify all processes which are executing under that logon, so PowerShell will definitely be included. Now if I could shift to my command prompt. All right, so if we run PsLoggedOn here, we can see that there's only one user which is logged on, which is myself, and I was logged on on that date, and there is no resource share on my system. Next, if we try to execute LogonSessions, the 64-bit, you can see that there are 11 logons on my system right now. What it means is it could have been a system logon, maybe a service logon, a batch logon which maybe I would have scheduled on my system. But let's say we try to see if I can find out my particular logon session right now. All right, maybe we should take a look at what arguments it accepts. All right, so yeah, if I want the process information I can write -p, the p flag, and you can see that this is my logon session, and I'm currently interactively logged on to this system, and these are the processes which are executed on my system. So this is the information which LogonSessions presents to you for all logon sessions on that system. This is available for every logon session; you can see that these are the service hosts, so this is likely my service logon, and the username is NT AUTHORITY\LOCAL SERVICE. This information you can correlate if you already know more about the Windows system.

So if you try to delete something on your file system, the file system actually just marks it as deleted, but the data is actually not removed until it is overwritten by something else, so fancy tooling can still recover data on your file system if it has not been overwritten. SDelete, on the other hand, can help you delete information, files or folders in a much more secure manner, such that no tool can recover that particular information. It is used for handling classified information, and it can also be used by threat actors; actually, we have seen it being used by threat actors to wipe their malware after installation or execution or after lateral movement. It can also be used for disk wipers which completely wipe the file system off a hard disk, and it is left unusable. Detailed working is also available on SDelete; this includes how it works, how it was programmed and more such detail. Now if I can shift to the command prompt window, we can take a look at the help here. All right, so we have SDelete; we have the number of passes which it is going to take, and it basically specifies the number of overwrite passes. So if I specified it as one, it is only overwritten once. If I specify, let's say, we go and say let's overwrite this three times, and I'm going to specify the folder... I think the test.txt, yeah. If I just specify this... now if you have any other requirements? I don't think so. We do not want -r, we do not want recurse subdirectories, we do not want the zero free space, which is, I think it's fine. And I think "Files deleted: 1". Now if I go into test data and ls there, we can see that there is nothing here, so the file is securely deleted. Now you can explore more such options using SDelete, and you can also review reports on how malware authors and threat actors use SDelete to wipe their malware.

Next up we have Sigcheck, which can help you identify versions, timestamps, hashes, signatures and the signing nature of the files on a particular file system, folder or partition. So you can also submit files from Sigcheck to VirusTotal, and you can review if a particular file matches the hash of a well-known malware. Now one of the example commands for Sigcheck is -u, -vt and the path in which you wish to see if all files are signed or not. Now if I can quickly shift to the demonstration window. All right, so here's the help window for Sigcheck. All right, so the command I previously wrote was -u, where -u is: if VirusTotal check is enabled, we're going to see all those files which are unknown by VirusTotal or have non-zero detections; otherwise, we will not show them and only show unsigned files, right. Next we had -vt, which is for VirusTotal; you must accept the terms and conditions, and only then can you use it, right. So if I can simply execute the same command... actually, I will show you how to use it on this particular folder that I'm in, the Sysinternals suite, by using -h, where -h is show file hashes. So if I just quickly run this, you can see that it has begun execution, and as soon as it ends, or maybe I can just quit it for you. All right, so if I just quit it, you can see that, let's say we pick this process... not the process, a process executable, and it is verified: yes. Its signing date was 919, when it's 970, 2020; the publisher is Microsoft Corporation, the company is Sysinternals, the description, the product, the product version, file version, machine type, and these are the hashes. Now you can also review these hashes and maybe submit them manually to VirusTotal, or enable the -vt check. Let's try to enable them, let's see if this works. If we're going to have a file that is not available on VirusTotal or has non-zero detections, then we can review them. All right, so you can see that some of these files do have a VirusTotal detection, 176, and these are likely false positives, and if you do wish to review them you can then also review the VT link, the VirusTotal link, which is provided with the output, so that can help you identify if the output is actually correct or not.

Lastly we have Streams. Alternate data streams are an ability of an NTFS file system to store something in a particular file along with the default data stream as well. These alternate data streams can be used by malware authors to hide malicious commands, and can be used at runtime to basically extract that command from the alternate data stream and execute it. Now if I can quickly show you a demonstration of how we can do so. Let's say I go into my Sysinternals suite, then I'm going to test data and ls; cat file, right, so this is one of the files that I've created. And now let's say I wish to write something in a data stream. I just want to say "I am malicious command"; I'm going to write it to the txt and its malcommand data stream. This is how I can create an alternate data stream, but if I try to dir into it, I cannot see anything in it, can I? You can just see the camera.txt, and even if I open it in Notepad you're not going to see anything like this. Let's see if I can... yeah, you're going to see it just has "hi" in it, but not the malicious command. So how can I review it? There are two ways: either I can run the dir /r command (I'm not sure this is going to work... all right, so this is an error), or secondly what I can do is go and run Streams, and say go to test data and go into card and show me all the data streams. So here's how you can see the malcommand: I can review that, here's a stream, malcommand, and it is a separate stream. Note there's going to be one more stream, which is the default stream, and it is going to contain the data which says "hi". So Streams can help you identify these alternate data streams, and can also likely help you, if I could just clear this out, all right, so I can delete the streams from that particular file. So if I go in and say test data and then card again, and it has just deleted my alternate data stream. So if I go to test data and I go, all right, sorry, if I go and say show me the streams for this file, it does not have any alternate data streams. It is because we have deleted all those streams and there's nothing left within it.

We're going to conclude our presentation on Microsoft Sysinternals. I really hope I've given you a quick kickstart as to how you can use the toolset in your own environment and on your own use cases. If there was any issue with the quality of the video, or if you have any feedback you would like to share with us, please feel free to do so, so we may improve our content in later videos. Again, thank you very much [Music] for listening to the video and for joining me in this learning session. Thank you, and Allah Hafiz.
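The alternate data stream demonstration above, redone as an added PowerShell example that is not part of the presentation: it uses the built-in `-Stream` parameter of the file cmdlets to list, inspect and remove alternate data streams, the same information `streams.exe` and `streams -d` give. The file name, the stream name and its contents are constructed for the demo and are written to the user's temp directory.

```powershell
# Added example (not from the presentation): reproduce the alternate data
# stream demo with built-in PowerShell cmdlets instead of streams.exe.
# The file, stream name and contents below are constructed for this demo.

# Hypothetical test file in the user's temp directory; 'hi' is the default stream.
$File = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -Path $File -Value 'hi'

# Write a second, named stream, as the presentation did, so there is something to find.
Set-Content -Path $File -Stream 'malcommand' -Value 'I am malicious command'

# List every stream on the given files. ':$DATA' is the default stream; anything
# else is an alternate data stream, which is what streams.exe reports.
function Get-AlternateStream {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($p in $Path) {
        Get-Item -Path $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $_.FileName
                    Stream  = $_.Stream
                    Length  = $_.Length
                    Content = Get-Content -Path $_.FileName -Stream $_.Stream -Raw
                }
            }
    }
}

# Triage: dir and Notepad only show the 2-byte default stream ...
Write-Host "Default stream: $(Get-Content -Path $File)"
# ... while the stream listing reveals the hidden content.
$ads = Get-AlternateStream -Path $File
$ads | Format-Table -AutoSize

# Zone.Identifier is the common, benign stream (mark-of-the-web); flag anything else.
$suspicious = $ads | Where-Object { $_.Stream -ne 'Zone.Identifier' }
if ($suspicious) {
    Write-Warning "Unexpected alternate data stream(s) on $File"
}

# Remove the alternate streams (what 'streams -d' does), then verify nothing is left.
foreach ($s in $ads) {
    Remove-Item -Path $s.File -Stream $s.Stream
}
$remaining = Get-AlternateStream -Path $File
Write-Host "Alternate streams remaining: $($remaining.Count)"

# The same check over a whole folder, e.g. a downloads directory, recursively.
function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Directory)
    Get-ChildItem -Path $Directory -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AlternateStream -Path $_.FullName }
}
```

`Find-AlternateStream -Directory "$env:USERPROFILE\Downloads"` lists every non-default stream under that folder, which is the sweep you would run before trusting a set of downloaded files.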
Info
Channel: GISPP ACADEMY
Views: 20,712
Id: 61Wu4x03dZ8
Length: 26min 6sec (1566 seconds)
Published: Sat Jan 09 2021