The document outlines various methods for detecting suspicious activities related to DLLs, USB devices, services, and files on a computer system. It includes techniques for identifying manipulated services, checking for deleted prefetch files, and verifying digital signatures. Additionally, it discusses the importance of timing in relation to USB disconnections and event log manipulations.

Uploaded by w14807223

1) How do you detect executed/visited DLLs with CSRSS, Search Indexer (and other
services/processes too)?

In System Informer, open csrss.exe and filter with the regex ^[A-Z]:\\.+\.(dll)$.
For Search Indexer, filter by :\ and then .dll. The same principle applies to other
processes such as appinfo, explorer, etc. (C:\ ... .dll).

2) How do you detect an unplugged USB without using USBDeview or the current
registry?

In Event Viewer, the Kernel-PnP log shows volumes removed from the system, as does
Microsoft-Windows-Partition/Diagnostic.

3) How do you check for manipulated services, in any form, whether that is a restart
or manipulation of threads (as an example)?

Compare the service's uptime with the PC uptime in System Informer and look at the
service's details.
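The same uptime comparison done from PowerShell instead of the System Informer GUI. This is an added example, not part of the original answer; it assumes an elevated session, and the 5-minute threshold is an arbitrary cut-off chosen for the example.

```powershell
# Added example (not from the original answer): compare each running service's host
# process start time with the last boot time. Run elevated. The 5-minute threshold is
# an arbitrary cut-off chosen for this example; tune it for the machine in front of you.
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$report = Get-CimInstance -ClassName Win32_Service -Filter "State='Running'" |
    ForEach-Object {
        $svc = $_
        try {
            $proc  = Get-Process -Id $svc.ProcessId -ErrorAction Stop
            $start = $proc.StartTime      # reading StartTime throws Access denied on protected processes
        } catch {
            $start = $null
        }
        $mins = if ($null -ne $start) { [math]::Round(($start - $boot).TotalMinutes, 1) } else { $null }
        [pscustomobject]@{
            Service      = $svc.Name
            StartMode    = $svc.StartMode
            Pid          = $svc.ProcessId
            ProcStart    = $start
            MinAfterBoot = $mins
        }
    }

# Services whose host process came up well after boot were started (or restarted)
# during this session. Demand-start services show up here legitimately, so read the
# StartMode column before drawing conclusions.
$report |
    Where-Object { $null -ne $_.MinAfterBoot -and $_.MinAfterBoot -gt 5 } |
    Sort-Object ProcStart -Descending |
    Format-Table -AutoSize

# Entries with an empty ProcStart could not be inspected (access denied); look at
# those in System Informer rather than ignoring them.
$report | Where-Object { $null -eq $_.ProcStart } | Select-Object Service, Pid
```

On current Windows 10/11 with enough RAM most services run in their own svchost.exe, so the process start time is effectively the service's own. Where several services still share one host, only the host's start time is visible, and a restart of a single shared service through the SCM will not move it; that case still needs the service details view.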

4) You suspect a file is a cheat or bypass but it won't open. How would you
approach this?

There could be many reasons for this, e.g. a rename, an anti-SS application, a
shredded file that didn't shred, or a shortcut. The main things we can do: first scan
it on VirusTotal to check whether it is known malicious software, then check its
details to see renames and whether it drops any files. We can then go further and
extract strings using Detect It Easy or BinText, or my personal favourite, Triage, as
it shows you exactly what the file would open (GUI etc.).

5) How do you detect if BAM (Background Activity Moderator) was recently
cleared/manipulated?

Check the BAM state in regedit (HKLM:\SYSTEM\CurrentControlSet\Services\bam\state\).
Additionally we can use bstrings as a comparison against whatever external BAM parser
we may be using.
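Decoding the BAM key directly so the entries can be dated and counted without a third-party parser. This is an added example, not part of the original answer. It relies on the documented value layout (each executable entry is a 24-byte REG_BINARY whose first 8 bytes are the last-run FILETIME) and assumes an elevated session; on builds older than 1809 the key sits under bam\UserSettings without the State level, which is not handled here.

```powershell
# Added example (not from the original answer): decode the BAM state key directly.
# Each executable value under UserSettings\<SID> is REG_BINARY, 24 bytes, with the
# last-run FILETIME in the first 8 bytes. Run elevated. Builds older than 1809 keep the
# key under bam\UserSettings (no State level); adjust $bamRoot for those.
$bamRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'
$boot    = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$entries = foreach ($userKey in Get-ChildItem -Path $bamRoot -ErrorAction Stop) {
    $sid = $userKey.PSChildName
    foreach ($name in $userKey.GetValueNames()) {
        $raw = $userKey.GetValue($name)
        # Skip the non-binary housekeeping values (Version, SequenceNumber are DWORDs).
        if ($raw -is [byte[]] -and $raw.Length -ge 8) {
            $ft = [BitConverter]::ToInt64($raw, 0)
            [pscustomobject]@{
                Sid     = $sid
                LastRun = [DateTime]::FromFileTimeUtc($ft).ToLocalTime()
                Path    = $name
            }
        }
    }
}

$entries | Sort-Object LastRun -Descending | Format-Table -AutoSize

$oldest = ($entries | Measure-Object -Property LastRun -Minimum).Minimum
"Entries: {0}   Oldest last-run: {1}   Boot: {2}" -f @($entries).Count, $oldest, $boot
# A key holding only a handful of entries, all dated after boot, on a machine that has
# clearly been in use for longer than that is the pattern of a cleared BAM. Run
# bstrings or the external parser over the same hive and compare; disagreement between
# the two views is itself worth explaining.
```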

6) How do you check if the event log service was manipulated?

We can use tools like Hayabusa to check whether the event log service was forcefully
shut down during the PC's uptime. We can also use the USN journal to check for any
modifications to .evtx files, as bypassers will use these to custom-write event logs.

7) How do you check if a date for a file was changed?

I don't know exactly what is meant by "a date for a file": this could mean the run
times through prefetch, the journal times, the date last installed on the OS, etc.

8) How do you detect files without extensions, names, and both?

For files without extensions we can use JLECmd from Eric Zimmerman's tools and examine
the .csv output through a timeline. For files without names, in System Informer look at
DPS with the following regex:

!!((?!\.exe).)*!\d{4}(\/\d{2}){2}(:\d{2}){3}!([0-9a-f]{4,8}|0)!

This is similar to the check for modified extensions, again through DPS with this
regex:

^!!((?!\.exe).)*!\d{4}(\/\d{2}){2}(:\d{2}){3}!([0-9a-f]{4,8}|0)!

but is different from the check for files without extensions.
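What the answer's DPS regex actually selects is easier to see by running it over a few records. This is an added example, not part of the original answer; the sample strings are constructed for it, shaped only by the record layout the regex itself encodes (!!path!yyyy/mm/dd:hh:mm:ss!hex!), and are not real DPS output.

```powershell
# Added example (not from the original answer): run the answer's DPS regex over a few
# constructed strings shaped like the records it targets. The strings are made up for
# this example; they follow the layout implied by the regex, not captured DPS memory.
$dpsRegex = '!!((?!\.exe).)*!\d{4}(\/\d{2}){2}(:\d{2}){3}!([0-9a-f]{4,8}|0)!'

$samples = @(
    '!!C:\Windows\System32\notepad.exe!2024/05/01:10:22:31!1a2b3c!'      # normal .exe: must NOT match
    '!!C:\Users\demo\Downloads\loader!2024/05/01:10:25:03!0!'             # no extension: matches
    '!!C:\Users\demo\Downloads\loader.txt!2024/05/01:10:26:47!ff01!'      # wrong extension: matches
    '!!C:\Users\demo\AppData\Local\Temp\!2024/05/01:10:27:10!deadbeef!'   # no file name: matches
)

foreach ($s in $samples) {
    $m = [regex]::Match($s, $dpsRegex)
    if ($m.Success) {
        # Split the matched record back into its path, timestamp and trailing hex field.
        $parts = $m.Value.Trim('!') -split '!'
        [pscustomobject]@{ Match = $true;  Path = $parts[0]; Time = $parts[1]; Tail = $parts[2] }
    } else {
        [pscustomobject]@{ Match = $false; Path = $s;        Time = '';        Tail = '' }
    }
}
```

The negative lookahead ((?!\.exe).)* is what does the work: it refuses to step over the text ".exe" anywhere in the path, so a record whose path still ends in .exe is never matched, while paths with no extension, a non-.exe extension, or no file name at all are. Note the hex class is lowercase only, and the anchored variant above simply adds ^ so a record is only matched when it starts the string.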

9) How do you check if prefetch was deleted and what are some important prefetch
files you could look at?

We can use any journal parser to confirm a deletion of .pf files. We would be looking
for things such as cmd / any terminal, anything to do with elevated privileges such as
conhost, etc., and the run times of apps we may need such as FiveM and so on.
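Three quick checks on the prefetch store that complement the journal-based confirmation above. This is an added example, not part of the original answer; it assumes an elevated session (the Prefetch folder is not readable otherwise), and the list of names at the end is an assumption about what matters for a game check, based on the answer.

```powershell
# Added example (not from the original answer): three quick checks on the prefetch
# store. Run elevated. The name pattern at the end is an assumption about which
# .pf files matter for a game check, following the answer above.
$pfDir  = Join-Path $env:SystemRoot 'Prefetch'
$boot   = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$params = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'

# 1. Is prefetching enabled at all, and is the service that writes .pf files running?
$enable = (Get-ItemProperty -Path $params -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
"EnablePrefetcher = $enable   (0 = disabled, 1 = application, 2 = boot, 3 = both)"
"SysMain          = $((Get-Service -Name SysMain -ErrorAction SilentlyContinue).Status)"

# 2. Does the folder look thinned out? An install that has been used for a while holds
#    hundreds of .pf files; a few dozen, all created after boot, means it was emptied.
$pf     = Get-ChildItem -Path $pfDir -Filter '*.pf' -ErrorAction Stop
$oldest = ($pf | Sort-Object CreationTime | Select-Object -First 1).CreationTime
".pf files        = $($pf.Count)   oldest created: $oldest   boot: $boot"

# 3. The entries worth reading individually: shells and consoles, the elevation prompt,
#    and the game itself so its run times can be lined up with the ticket.
$pf |
    Where-Object { $_.Name -match '^(CMD|POWERSHELL|PWSH|CONHOST|WINDOWSTERMINAL|CONSENT|FIVEM)' } |
    Sort-Object LastWriteTime -Descending |
    Select-Object Name, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize
```

CreationTime approximates the first run and LastWriteTime the most recent one; the file body carries the last eight run times, which PECmd (Eric Zimmerman's tools, already referenced in answer 8) will extract when the exact timings matter.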

10) If someone already has PC checking tools on their PC such as "Everything" or
"System Informer", would you reinstall them or just use them the way they are?

I would reinstall them within a custom SS folder.

11) A file had its digital signatures removed, how is this detected? For example,
when you open Properties for a signed file it usually has a section which says
"Digital Signatures", and vice versa with digital signatures added.

We can use VirusTotal to verify signatures. Presuming you are asking about a faked
signature (as that is my interpretation of this): if I saw that the file was coming up
as signed, yet when I manually investigate I see it is either a signature from a
non-associated signer or it is not trusted, there should be a warning within the
dialog box. We should also check the signature's revocation status.
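The manual checks described above run from PowerShell: whether a signature is present and intact, who signed it, and whether the signer's chain is trusted and unrevoked. This is an added example, not part of the original answer; $target is a placeholder path.

```powershell
# Added example (not from the original answer): signature status, signer identity and
# revocation check for one file. $target is a placeholder path.
$target = 'C:\Users\demo\Downloads\suspect.exe'   # placeholder

$sig = Get-AuthenticodeSignature -FilePath $target

[pscustomobject]@{
    File          = $target
    Status        = $sig.Status          # NotSigned = no signature; HashMismatch = modified after signing
    StatusMessage = $sig.StatusMessage
    SignatureType = $sig.SignatureType   # Authenticode = embedded; Catalog = signed via a .cat, which
                                         # never shows a "Digital Signatures" tab in Properties
    Signer        = $sig.SignerCertificate.Subject
    Issuer        = $sig.SignerCertificate.Issuer
    Thumbprint    = $sig.SignerCertificate.Thumbprint
} | Format-List

# Build the signer's chain with online revocation checking. Status above says whether
# the signature matches the file; ChainStatus says whether the signer is trusted and
# not revoked, which is the part a faked or non-associated signer fails.
if ($null -ne $sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $built = $chain.Build($sig.SignerCertificate)
    "Chain builds cleanly: $built"
    foreach ($s in $chain.ChainStatus) { "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim() }
}
```

A Status of Valid only means the bytes match the signature; a legitimately signed binary that was merely copied and renamed stays Valid, a stripped one reports NotSigned, and one patched after signing reports HashMismatch. The signer and issuer fields, and the chain output, are what answer the "non-associated signer" question.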

12) What are some event log bypasses you could look for?

I presume you mean bypasses that stop activity from being logged in the event log, so
this would be a clearance of logs, a repeated starting and stopping of the event log
service within a PC boot, and the manipulation/rewriting of .evtx files.
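A query that surfaces the first two bypasses listed here and the forced shutdown from answer 6 in one view: the records the logging service writes when it stops, starts, or has a log cleared, limited to the current boot session. This is an added example, not part of the original answer; reading the Security log requires an elevated session.

```powershell
# Added example (not from the original answer): list the log-service stop/start and
# log-cleared records for the current boot session. Run elevated (Security log).
$boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Event IDs used:
#   System   6005 / 6006  Event Log service started / stopped
#   System   104          a log was cleared (Microsoft-Windows-Eventlog)
#   Security 1100         the event logging service was shut down
#   Security 1102         the audit (Security) log was cleared
$filters = @(
    @{ LogName = 'System';   Id = 6005, 6006, 104; StartTime = $boot }
    @{ LogName = 'Security'; Id = 1100, 1102;      StartTime = $boot }
)

$hits = foreach ($f in $filters) {
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
}

$hits |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, ProviderName,
        @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Expected on a clean session: one 6005 at boot and nothing else. A 6006/6005 pair (or
# 1100) in the middle of the session is a stop/start; a 104 or 1102 is a clear.
```

A 6005 in the middle of the session with no 6006 just before it points to the service having been killed rather than stopped cleanly, since the stop record is only written on an orderly shutdown. Rewritten .evtx files, the third bypass, do not show up here at all; that is what the USN journal check in answer 6 is for.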

13) What is a FAT32 replace and how would you detect this?

Basically the movement of files within a FAT device, which is common because smaller
FAT32 devices do not have a journal to help us see any replacements or overwrites of
files on the volume. We can detect it through FTK Imager by attaching the suspected FAT
device and examining the file / file slack. We can additionally take a RAM dump to
strengthen our theory.

14) Name at least two ways of checking for a deleted journal and what time it matters
it was deleted (as we only check when they are in-game) (and explain whether they can
still bypass this).

Event ID 3079 in the event log, and using FTK Imager once again: attach the drive,
expand the root and examine the USN journal's date modified. I'm not sure what is
meant by "and explain can they bypassed still", but if you are asking whether they
can manipulate the journal and bypass this, of course they can.

15) If you see someone has an unplugged USB or dismounted drive, does it matter if
they had it unplugged/dismounted before PC boot time / right after being told to
join gen, etc.? (What time matters?)

Of course it matters, but it is fully time dependent. For example, if the suspicion or
ticket on the user is days old (say 3 days) and they unplugged their mass storage
device 2 days ago, then it can be seen as a bypass attempt because they unplugged it
after the report. However, if the device was unplugged 5 days before a report or
suspicion was made about a user then it wouldn't be important, as we want to see what
they were doing on their PC at the time of suspicion.
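Pulling the device records from the two logs named in answer 2 and applying the timing rule from this answer to them. This is an added example, not part of the original answer; $ticketTime is a placeholder for when the report came in, and the text match used to pick out USB storage records is an assumption about the message and property contents of those logs.

```powershell
# Added example (not from the original answer): device arrival/removal records for the
# current boot session from the Kernel-PnP and Partition/Diagnostic logs, flagged by
# whether they fall after the ticket. $ticketTime is a placeholder; the USB text match
# is an assumption about what those records contain.
$ticketTime = Get-Date '2024-05-01 20:15'   # placeholder: when the report/ticket came in
$boot       = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

$logs = 'Microsoft-Windows-Kernel-PnP/Configuration', 'Microsoft-Windows-Partition/Diagnostic'

# Keep only records whose message or event properties mention USB storage; the
# Partition/Diagnostic records carry the device path in their properties rather than
# in a rendered message, so both are searched.
$events = foreach ($log in $logs) {
    Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $boot } -ErrorAction SilentlyContinue |
        Where-Object {
            $text = [string]$_.Message + ' ' + (($_.Properties | ForEach-Object Value) -join ' ')
            $text -match 'USBSTOR|USB\\VID_|Removable'
        }
}

$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id,
        @{ n = 'AfterTicket'; e = { $_.TimeCreated -gt $ticketTime } },
        @{ n = 'Summary';     e = { ([string]$_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# AfterTicket = True marks the records this answer cares about: a device that went away
# between the report and the check. Anything before the ticket is context, not evidence
# of a bypass attempt.
```

Because the filter starts at boot, a device unplugged before the machine was last restarted will not appear; for that window use the same query with StartTime set to the ticket time minus a few days instead of $boot.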
