Scripts Executed on Forensics

The following is the list of data collected by Windows Agent 5.1.30 and above during forensics data collection:

Event Log

  • System Information- Collects system information.
  • System Critical- Collects critical system logs.
  • Application Critical- Collects critical application logs.
  • Security- Collects security event logs. 
  • Windows Defender- Collects Windows Defender logs.
  • Windows PowerShell- Collects Windows PowerShell logs.
  • Windows Sysmon- Collects Windows Sysmon logs.

Persistence

  • Services- Lists all services running on the system.
  • ScheduledTasks- Lists all scheduled tasks on the system.
  • Registry key data- Collects the data from the following registry keys:
    • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • hklm\SOFTWARE\Classes\Protocols\Filter
    • hklm\SOFTWARE\Classes\Protocols\Handler
    • hklm\Software\Classes*\ShellEx\ContextMenuHandlers
    • hklm\Software\Classes\Drive\ShellEx\ContextMenuHandlers
    • hklm\Software\Classes*\ShellEx\PropertySheetHandlers
    • hklm\Software\Classes\Directory\ShellEx\ContextMenuHandlers
    • hklm\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
    • hklm\Software\Classes\Folder\ShellEx\ContextMenuHandler
    • hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
    • hklm\Software\Microsoft\InternetExplorer\Extensions
    • hklm\Software\Wow6432Node\Microsoft\InternetExplorer\Extensions
    • hklm\Software\Google\Chrome\Extensions
    • hklm\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    • hklm\System\CurrentControlSet\Services
    • hklm\Software\Microsoft\WindowsNT\CurrentVersion\Drivers32
    • hklm\Software\Wow6432Node\Microsoft\WindowsNT\CurrentVersion\Drivers32
    • hklm\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Startup
    • hklm\Software\Microsoft\Windows\CurrentVersion\GroupPolicy\Scripts\Shutdown
    • hkcu\Software\Microsoft\Windows\CurrentVersion\Run
    • hklm\SOFTWARE\Microsoft\ActiveSetup\InstalledComponents
    • hklm\SOFTWARE\Wow6432Node\Microsoft\ActiveSetup\InstalledComponents
    • hkcu\Software\Classes\All\ShellEx\ContextMenuHandlers
    • hklm\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
    • hklm\SOFTWARE\Classes\Htmlfile\Shell\Open\Command
    • hklm\SYSTEM\CurrentControlSet\Control\Print\Monitors
    • hklm\Software\Microsoft\Office\Outlook\Addins
    • hkcu\Software\Microsoft\Office\Outlook\Addins
    • hklm\Software\Microsoft\Office\Excel\Addins
    • hklm\Software\Microsoft\Office\PowerPoint\Addins
    • hklm\Software\Wow6432Node\Microsoft\Office\PowerPoint\Addins
    • hkcu\Software\Microsoft\Office\Word\Addin
    • hkcu\software\microsoft\Windows\CurrentVersion\runonc
    • hklm\Software\Wow6432Node\Microsoft\Office\Excel\Addin
    • hkcu\Software\Microsoft\Office\PowerPoint\Addin
    • hklm\SYSTEM\CurrentControlSet\Control\Session\Manager\AppCompatCache
    • hklm\Wow6432Node\Windows\NT\CurrentVersion\ImageFileExecutionOptions
    • hklm\System\Controlset\00x_Services_Bam

User Accounts

  • Query user- Collects information about user sessions on a Remote Desktop Session Host server.
  • Local groups- Collects local groups on the system.
  • Local users- Collects local users on the system.
  • Created users- Collects recently created users on the system.
  • Locked accounts- Collects locked accounts on the system.
  • Password reset- Collects accounts with recent password resets on the system.
  • Deleted users- Collects recently deleted users on the system.

Network

  • Active net connections- Collects all active network connections on the system.
  • Address resolution cache- Collects address resolution cache from the system.
  • DNS cache- Collects DNS cache from the system.
  • IPConfig- Collects the output of the ipconfig command.
  • SMB inbound sessions- Collects all the SMB inbound sessions from the system.
  • SMB outbound sessions- Collects all the SMB outbound sessions from the system.
  • Firewall log- Collects the firewall logs from the system.

Process Files

  • Process list- Collects all running processes from the system.
    • ProcessFiles\TempDirFiles
    • ProcessFiles\UserInstalledPrograms
  • WMIC Installed programs- Collects all the installed programs from the system.
  • Installed Programs- Collects the following registry keys:
    • hklm\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
    • hklm\Software\Microsoft\Windows\CurrentVersion\Uninstall
    • hkcu\Software\Microsoft\Windows\Explorer\RunMRU

Prefetch Files

On a Windows operating system, when a program is executed, the system writes a Prefetch file so that the program can be loaded more quickly on later runs. It records the name of the program and when it was executed, along with other information. The prefetch files are located at `%systemroot%\Prefetch`.

This file acts as evidence that a malicious program was executed on the system, together with the timestamp at which it was executed. The prefetch parser script lists the following fields in its output:

  • Version
  • File Size
  • Application name
  • File path hash (Decimal)
  • Application run count
  • Last execution time (UTC)
  • Other Execution times (UTC)
  • Prefetch file creation time (first run of application)
  • Prefetch modified time (UTC)
  • Prefetch accessed time (UTC)
  • Dependency count
  • Dependency files
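As an added example (not the agent's own prefetch parser script), the following Python code recovers most of the fields above from an uncompressed .pf file. The byte offsets are assumed from the publicly documented SCCA layout for format versions 17, 23 and 26, the sample file is constructed inline rather than taken from a real host, and Windows 10 files (which start with the "MAM" compression signature) are rejected rather than decoded; the three filesystem timestamps of the .pf file itself come from the file's metadata, not from its contents.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last-run-times offset, time slots, run-count offset) per prefetch format version,
# assumed from the documented SCCA layout; v30 (Windows 10) is MAM-compressed and omitted.
LAYOUT = {17: (120, 1, 144), 23: (128, 1, 152), 26: (128, 8, 208)}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return the fields listed above for one uncompressed .pf image."""
    if data[:4] == b"MAM\x04":  # Windows 10 files are LZXPRESS-Huffman compressed
        raise ValueError("MAM-compressed prefetch file: decompress before parsing")
    version, sig, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"unsupported prefetch file (signature {sig!r}, version {version})")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 name
    path_hash = struct.unpack_from("<I", data, 76)[0]  # same hash as in the .pf filename
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    times_off, slots, count_off = LAYOUT[version]
    # Run times are stored most recent first; unused slots are zero.
    times = [filetime_to_utc(t) for t in struct.unpack_from(f"<{slots}Q", data, times_off) if t]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    deps = [s for s in raw.split("\x00") if s]  # null-separated loaded-file paths
    return {"version": version, "file_size": file_size, "application": name,
            "path_hash_decimal": path_hash, "path_hash_hex": f"{path_hash:08X}",
            "run_count": run_count, "last_execution_utc": times[0] if times else None,
            "other_execution_utc": times[1:], "dependency_count": len(deps),
            "dependency_files": deps}

def build_sample():
    """Constructed version-26 (Windows 8.1 layout) image for offline testing; not a real capture."""
    deps = ["\\VOLUME{placeholder-guid}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
            "\\VOLUME{placeholder-guid}\\USERS\\PUBLIC\\SAMPLE.EXE"]
    strings = "".join(d + "\x00" for d in deps).encode("utf-16-le")
    runs = [datetime(2024, 3, 5, 14, tzinfo=timezone.utc), datetime(2024, 3, 4, 9, 30, tzinfo=timezone.utc)]
    ft = [((r - EPOCH_1601) // timedelta(microseconds=1)) * 10 for r in runs] + [0] * 6
    hdr = bytearray(308)  # 84-byte header + 224-byte file-information block
    struct.pack_into("<I4sII", hdr, 0, 26, b"SCCA", 0x11, 308 + len(strings))
    hdr[16:76] = "SAMPLE.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 76, 0x7B5A4F30)
    struct.pack_into("<II", hdr, 100, 308, len(strings))
    struct.pack_into("<8Q", hdr, 128, *ft)
    struct.pack_into("<I", hdr, 208, 7)  # application run count
    return bytes(hdr) + strings
```

Running `parse_prefetch(build_sample())` yields the application name, decimal and hex path hash, run count, ordered execution times and dependency list for the constructed file.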