Windows Defend#

A defender’s reference for triaging a Windows host. The page covers evidence collection order, blue / DFIR tools, where on disk the OS parks browser, email, prefetch, jump-list, and PowerShell history artifacts, plus the security and Sysmon event IDs an analyst hunts across.

Evidence order#

Per RFC 3227, work from most volatile to least when collecting from a live host.

  • Registers, cache.

  • Routing table, ARP cache, process table, kernel statistics, memory.

  • Temporary file systems.

  • Disk.

  • Remote logging and monitoring data relevant to the system.

  • Physical configuration, network topology.

  • Archival media.

Blue / DFIR tools#

  • Microsoft Attack Surface Analyzer, analyzes the attack surface of a target system and reports on security vulnerabilities and misconfiguration introduced during install, microsoft/attacksurfaceanalyzer

  • GRR Rapid Response, incident response framework focused on remote live forensics; Python client (agent) on targets, Python server to manage them, google/grr

Artifacts#

USB access timeline.

HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR        # Class ID / Serial
HKLM\SYSTEM\CurrentControlSet\Enum\USB             # VID / PID
HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices
HKLM\SYSTEM\MountedDevices
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt
NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

USB times stored in HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\Ven_Prod_Version\USB iSerial #\Properties\{83da6326-97a6-4088-9453-a1923883fcd}.

  • 0064, first time device connected.

  • 0066, last time device connected.

  • 0067, last removal time.

Setup logs that record first-connect, XP at C:\Windows\setupapi.log, Vista and later at C:\Windows\inf\setupapi.dev.log.

Prefetch.

C:\Windows\Prefetch                                # default directory
AUDIODG.EXE-B0D3A458.pf                            # default file pattern (exename-(8char_hash).pf)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

EnablePrefetcher values, 0 disabled, 1 app launch, 2 boot, 3 both.

PowerShell history default location.

$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Disable history.

$PS> SaveNothing
$PS> MaximumHistoryCount 0

Jump lists.

C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations
C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations

Jump-list AppIDs reference, https://raw.githubusercontent.com/EricZimmerman/JumpList/master/JumpList/Resources/AppIDs.txt

Email attachments.

Outlook       C:\%USERPROFILE%\AppData\Local\Microsoft\Outlook
Thunderbird   C:\%USERPROFILE%\AppData\Roaming\Thunderbird\Profiles\

Browser data.

IE 8-9       C:\%USERPROFILE%\AppData\Roaming\Microsoft\Windows\IEDownloadHistory\index.dat
IE 10-11     C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\WebCache\WebCacheV##.dat
Edge         C:\%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxxxx\AC\MicrosoftEdge\User\Default\DataStore\Data\<user>\xxxxx\DBStore\spartan.edb
             C:\%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\#!001\MicrosoftEdge\Cache\
             C:\%USERPROFILE%\AppData\Local\Packages\Microsoft.MicrosoftEdge_xxxx\AC\MicrosoftEdge\User\Default\Recovery\Active\
Firefox v3-25 C:\%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\downloads.sqlite
Firefox v26+ C:\%USERPROFILE%\AppData\Roaming\Mozilla\Firefox\Profiles\<random>.default\places.sqlite (Table: moz_annos)
Chrome       C:\%USERPROFILE%\AppData\Local\Google\Chrome\User Data\Default\History

ESE databases are read with EseDbViewer, ESEDatabaseView, or esedbexport.

Image thumbnail cache, C:\%USERPROFILE%\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db.

Security log event IDs#

The handbook groups Windows Security event IDs by hunting category. Pivot a hunt on these.

  • Logon, 4611, 4624, 4648, 4776, 4778.

  • Logoff, 4643, 4779.

  • Privilege usage, 4672, 4673, 4674, 4703, 4768, 4769, 4771.

  • Process executed, 4688.

  • Process terminated, 4689.

  • Filtering platform, 5156.

  • Account management, 4720, 4722, 4724, 4726, 4728, 4737, 4738.

  • Policy change, 4670, 4904, 4905, 4946, 4947.

  • File sharing, 5140, 5142, 5144, 5145.

  • Handles, 4656, 4658, 4659, 4660, 4661, 4663, 4690.

  • VSS, 8222.

  • System, 7036, 7040, 7045.

  • Application, 102, 103, 105, 216, 300, 302, 2001, 2003, 2005, 2006.

  • Logs cleared, 104.

Selected event IDs the analyst maps fast.

Event ID

Description

1100

The event logging service has shut down.

1102

The audit log was cleared.

4608

Windows is starting up.

4609

Windows is shutting down.

4624

An account was successfully logged on.

4625

An account failed to log on.

4634

An account was logged off.

4648

A logon was attempted using explicit credentials.

4672

Special privileges assigned to new logon.

4688

A new process has been created.

4689

A process has exited.

4697

A service was installed in the system.

4698

A scheduled task was created.

4720

A user account was created.

4726

A user account was deleted.

4728

A member was added to a security-enabled global group.

4738

A user account was changed.

4740

A user account was locked out.

4768

A Kerberos authentication ticket (TGT) was requested.

4769

A Kerberos service ticket was requested.

4776

The domain controller attempted to validate the credentials for an account.

4800

The workstation was locked.

4801

The workstation was unlocked.

5140

A network share object was accessed.

5156

The Windows Filtering Platform has allowed a connection.

7045

A service was installed in the system.

The full enumeration runs from event ID 1100 to 8191. See Microsoft Learn’s Windows Security Audit events reference for the exhaustive table.

Sysmon log event IDs#

ID

Description

1

Process creation.

2

A process changed a file creation time.

3

Network connection.

4

Sysmon service state changed.

5

Process terminated.

6

Driver loaded.

7

Image loaded.

8

CreateRemoteThread.

9

RawAccessRead.

10

ProcessAccess.

11

FileCreate.

12

RegistryEvent (object create and delete).

13

RegistryEvent (value set).

14

RegistryEvent (key and value rename).

15

FileCreateStreamHash.

16

Sysmon config state changed.

17

Pipe created.

18

Pipe connected.

19

WmiEventFilter activity detected.

20

WmiEventConsumer activity detected.

21

WmiEventConsumerToFilter activity detected.

225

Error.

References#