Blue Team-System Live Analysis [Part 9]- Windows: User Account Forensics- Ownership: Process, Applications, Folders, and Files

  • Runs an odd process
  • Owns malicious files
  • Has access to a restricted folder
  • Installed an unsolicited or malicious application
Users that Run a Process — Task Manager
  • The currently logged-in user is Cyfohub; however, a process named lsass.exe is running under the sechub user account!
  • According to the Windows standard baseline for processes, the lsass.exe user name should be NT AUTHORITY\SYSTEM, not any other local user account.
Tasklist /v
Users that Run a Process — Tasklist
tasklist /fi "username eq Cyfohub"
List of Processes Running by Specific User Accounts — Tasklist
Get-Process -IncludeUserName | Select-Object Name,Username
Users that Run a Process — Powershell
List of Processes Running by Specific User Accounts — Powershell
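As an added example (not from the article), the baseline comparison the screenshot illustrates, done in PowerShell: each baselined executable is checked against the account(s) it is expected to run under, and the constructed sample reproduces lsass.exe running as the local user sechub. The baseline subset and the WORKSTATION host name are assumptions, not values from the page.

```powershell
# Added example: flag baseline Windows processes whose owner deviates from the
# account they should run under. The table is an illustrative subset (assumption).
$ExpectedOwner = @{
    'smss.exe'     = @('NT AUTHORITY\SYSTEM')
    'csrss.exe'    = @('NT AUTHORITY\SYSTEM')
    'wininit.exe'  = @('NT AUTHORITY\SYSTEM')
    'winlogon.exe' = @('NT AUTHORITY\SYSTEM')
    'services.exe' = @('NT AUTHORITY\SYSTEM')
    'lsass.exe'    = @('NT AUTHORITY\SYSTEM')
    'svchost.exe'  = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')
}

function Find-OwnerAnomaly {
    # Accepts Get-Process output (or any object with Name, Id, UserName) and emits one
    # record per process whose owner is not in the baseline for that executable.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] $Process)
    process {
        $exe = $Process.Name.ToLower()
        if (-not $exe.EndsWith('.exe')) { $exe += '.exe' }   # Get-Process reports 'lsass', not 'lsass.exe'
        if (-not $ExpectedOwner.ContainsKey($exe)) { return }  # not a baselined process, skip
        if ([string]::IsNullOrEmpty($Process.UserName)) {
            Write-Warning "No owner for $exe (PID $($Process.Id)); run from an elevated prompt"
            return
        }
        if ($ExpectedOwner[$exe] -notcontains $Process.UserName) {
            [pscustomobject]@{
                Name     = $exe
                PID      = $Process.Id
                Owner    = $Process.UserName
                Expected = ($ExpectedOwner[$exe] -join ' | ')
            }
        }
    }
}

# Constructed sample mirroring the screenshot: a second lsass.exe owned by the local
# user 'sechub'. 'WORKSTATION' is a placeholder host name.
$sample = @(
    [pscustomobject]@{ Name = 'lsass';    Id = 712;  UserName = 'NT AUTHORITY\SYSTEM' }
    [pscustomobject]@{ Name = 'lsass';    Id = 4120; UserName = 'WORKSTATION\sechub' }
    [pscustomobject]@{ Name = 'svchost';  Id = 980;  UserName = 'NT AUTHORITY\NETWORK SERVICE' }
    [pscustomobject]@{ Name = 'explorer'; Id = 3300; UserName = 'WORKSTATION\Cyfohub' }  # not baselined
)
$sample | Find-OwnerAnomaly | Format-Table -AutoSize

# On a live system (elevated prompt needed for -IncludeUserName):
# Get-Process -IncludeUserName | Find-OwnerAnomaly | Format-Table -AutoSize
```

Only the lsass.exe entry owned by WORKSTATION\sechub is reported; a second lsass.exe instance is itself worth noting, since Windows runs exactly one.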
  • Who installed it? — Which user account installed the application.
  • Installed for whom? — Whether the application is installed for a specific user or for all users.
wevtutil qe application /f:text "/q:*[System[(EventID=11707)]]"
Successful Installation of Autopsy Application — Event ID 11707
wevtutil qe application /f:text "/q:*[System[(EventID=1033)]]"
Successful Installation of Autopsy Application — Event ID 1033
MSI vs. EXE Installers
wevtutil qe security /f:text "/q:*[System[(EventID=4688)]]"
Obtain a Process Creator
UninstallView by Nirsoft
wevtutil qe security /f:text "/q:*[System[(EventID=4688)]]" | findstr [process name].exe
Installed Application Executable File Locations
reg query "HKEY_LOCAL_MACHINE"
and
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node"
List of Applications that are installed for All Users
List of Software Installed for a Specific User
reg query "HKEY_USERS\[User SID]\SOFTWARE"
List of Software Installed for a Specific User [Cyfohub and sechub user accounts]
  • /q: Displays file ownership information.
  • /s: Lists all files in the directory and in all of its subdirectories.
DIR /s /q
Folder and File Owners with DIR Command
DIR /s /q | findstr sechub
Folder and File for Specific Owner
Folder Owners with Powershell
Get-ChildItem d: -Recurse | ForEach-Object { Get-Acl $_.FullName } | Select-Object -Property Path, Owner
Folder, Subfolder, and File Owners with Powershell