Checklist

Comprehensive Incident Response Procedures Using Key Tools

This guide outlines a systematic approach to incident response using tools like Process Hacker, Autoruns, and more, focusing on memory analysis, user account changes, scheduled tasks, services, and startup mechanisms.


1. Memory Analysis

Tools:

  • Process Hacker

Key Procedures:

A. Process Tree

  • Inspect the parent-child relationships.

  • Identify suspicious child processes like cmd.exe or powershell.exe under unusual parents (winword.exe, explorer.exe).

Steps:

  1. Open Process Hacker.

  2. Navigate to the Processes tab.

  3. Analyze processes for anomalies.

B. Network Connections

  • Identify malicious connections, unusual remote IPs, or non-standard ports.

Steps:

  1. In Process Hacker, open the Network tab.

  2. Investigate processes with external connections.

C. Signature Status

  • Check if processes are digitally signed.

Steps:

  1. Right-click on the column header in Process Hacker.

  2. Add the Verification Status and Verified Signer columns.

  3. Investigate unsigned or suspiciously signed processes.
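The three Process Hacker checks above can also be run as a script, which is useful when the findings have to be saved as evidence or repeated across several hosts. The following PowerShell is an added example and is not part of the original checklist; it assumes an elevated prompt (so ExecutablePath is populated for system processes), and the parent and child name lists are an illustrative assumption, not a complete detection rule.

```powershell
# Added example (PowerShell, not from the original checklist): the three
# Process Hacker checks from section 1 as a scriptable sweep. Run elevated.
# The parent/child name lists below are an illustrative assumption.

$SuspiciousParents = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe','explorer.exe'
$ShellChildren     = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe'

# A. Process tree: rebuild parent/child links from Win32_Process. Links are by
# PID only, so a parent that has already exited shows as <exited>, which is
# itself worth a look (short-lived launcher, Office process closed by the user).
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

$tree = foreach ($p in $procs) {
    $parent = $byPid[$p.ParentProcessId]
    [pscustomobject]@{
        Pid        = $p.ProcessId
        Name       = $p.Name
        ParentPid  = $p.ParentProcessId
        ParentName = if ($parent) { $parent.Name } else { '<exited>' }
        Path       = $p.ExecutablePath
        CmdLine    = $p.CommandLine
        Suspicious = ($ShellChildren -contains $p.Name) -and
                     ($parent -and ($SuspiciousParents -contains $parent.Name))
    }
}
$tree | Where-Object Suspicious | Format-Table Pid, Name, ParentName, CmdLine -AutoSize

# B. Network connections: established TCP sessions to non-private peers,
# joined to the owning process (the Process Hacker Network tab).
function Test-PrivateAddress {
    param([string]$Ip)
    return $Ip -match '^(10\.|127\.|192\.168\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|0\.0\.0\.0$|::1$|fe80:)'
}
Get-NetTCPConnection -State Established |
    Where-Object { -not (Test-PrivateAddress $_.RemoteAddress) } |
    ForEach-Object {
        $owner = $byPid[[uint32]$_.OwningProcess]
        [pscustomobject]@{
            Pid     = $_.OwningProcess
            Process = if ($owner) { $owner.Name } else { '?' }
            Path    = if ($owner) { $owner.ExecutablePath } else { '' }
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        }
    } | Sort-Object Remote | Format-Table -AutoSize

# C. Signature status: Authenticode check of every distinct image path
# (the Verification Status / Verified Signer columns). Anything not 'Valid'
# is listed. 'NotSigned' on a Windows binary can also mean the file is
# catalog-signed and the catalog could not be consulted on this host, so
# confirm against a known-good copy before treating it as malicious.
$tree | Where-Object Path | Select-Object -ExpandProperty Path -Unique |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_
        [pscustomobject]@{
            Path   = $_
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } | Where-Object { $_.Status -ne 'Valid' } | Format-Table -AutoSize
```

Pipe any of the three result sets to Export-Csv with a timestamped filename to keep a record of the host state at triage time; the live view in Process Hacker is gone once the machine is rebooted or the process exits.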


2. User Analysis

Tools:

  • Net User

  • Lusrmgr.msc

  • Event Viewer

Key Events to Investigate:

A. Account Creation

  • Event ID 4720: A new user account was created.

Steps:

  1. Use Event Viewer:

    • Navigate to Windows Logs -> Security.

    • Filter by Event ID 4720.

  2. Use Net User:

    • Run net user to list user accounts.

B. Group Membership Changes

  • Event ID 4732: A user was added to a security-enabled local group.

Steps:

  1. Open Event Viewer.

  2. Filter by Event ID 4732 to detect any unauthorized privilege escalations.
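The Event Viewer filters above answer "did it happen"; the fields inside the events answer "who did it, to whom, and into which group". The following PowerShell is an added example, not part of the original checklist: it pulls 4720 and 4732 from the Security log with Get-WinEvent, flattens the EventData fields an analyst reads, and cross-checks against the live account list. It assumes an elevated prompt (the Security log is not readable otherwise) and a seven-day look-back window.

```powershell
# Added example (PowerShell, not from the original checklist): section 2's
# account-change events with their payload fields unpacked. Run elevated.
# The 7-day window and the watched-group list are assumptions.

function Get-EventDataField {
    # Read one named <Data Name="..."> value out of an event's XML payload.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

function Resolve-Sid {
    # 4732 carries the new member as a SID; translate it to an account name.
    param([string]$Sid)
    try { return ([System.Security.Principal.SecurityIdentifier]$Sid).Translate([System.Security.Principal.NTAccount]).Value }
    catch { return $Sid }     # deleted account or foreign domain: keep the raw SID
}

$since = (Get-Date).AddDays(-7)

# A. Event ID 4720: a new account was created on this host (or on this DC).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4720; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            NewUser   = Get-EventDataField $_ 'TargetUserName'
            CreatedBy = Get-EventDataField $_ 'SubjectUserName'
        }
    } | Format-Table -AutoSize

# B. Event ID 4732: a member was added to a security-enabled local group.
# Additions to the groups below are the ones to look at first.
$watchGroups = 'Administrators','Remote Desktop Users','Backup Operators'
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4732; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $group = Get-EventDataField $_ 'TargetUserName'
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Group   = $group
            Member  = Resolve-Sid (Get-EventDataField $_ 'MemberSid')
            AddedBy = Get-EventDataField $_ 'SubjectUserName'
            Flag    = $watchGroups -contains $group
        }
    } | Sort-Object Flag -Descending | Format-Table -AutoSize

# The "net user" step, done with Get-LocalUser: accounts that are enabled and
# have logged on inside the window, to compare against the 4720 list above.
Get-LocalUser | Where-Object { $_.Enabled -and $_.LastLogon -gt $since } |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize
```

A 4732 with no matching 4720 means an existing account was promoted rather than a new one created, which is a different question for the interview with the account owner. Both queries return nothing if the corresponding audit subcategory was disabled before the incident, so an empty result is not a clean bill of health.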


3. Scheduled Tasks

Tools:

  • Autoruns

  • Event Viewer

Key Events to Investigate:

  • Event ID 4698: A scheduled task was created.

  • Event ID 4702: A scheduled task was updated.

Steps:

  1. Use Autoruns:

    • Navigate to the Scheduled Tasks tab.

    • Look for suspicious tasks without publishers.

  2. Use Event Viewer:

    • Open Applications and Services Logs -> Microsoft -> Windows -> TaskScheduler -> Operational.evtx.

    • Filter for Event ID 4698 or 4702.
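The following PowerShell is an added example, not part of the original checklist, that performs the same two reviews as a script: the live task inventory (the Autoruns Scheduled Tasks view) and the audit trail. One point the script makes explicit: 4698 and 4702 are Security-log audit events that exist only when the "Audit Other Object Access Events" subcategory is enabled, so the script reads them from the Security log, and it uses the TaskScheduler Operational log named above for its own Event ID 106 (task registered), which is written regardless of audit policy but only when that log is enabled. The seven-day window and the interpreter list used for flagging are assumptions.

```powershell
# Added example (PowerShell, not from the original checklist): section 3's
# scheduled-task review. Run elevated. Window and interpreter list are assumptions.

$since = (Get-Date).AddDays(-7)
$Interpreters = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe',
                'mshta.exe','rundll32.exe','regsvr32.exe'

# 1. Live inventory. Tasks with an empty Author, or whose action launches a
# script interpreter, are flagged; Autoruns shows the same gap as a blank Publisher.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if (-not $a.Execute) { continue }      # COM-handler actions have no Execute
        $exe = [System.IO.Path]::GetFileName($a.Execute.Trim('"'))
        [pscustomobject]@{
            Task      = "$($task.TaskPath)$($task.TaskName)"
            Author    = $task.Author
            RunAs     = $task.Principal.UserId
            State     = $task.State
            Execute   = $a.Execute
            Arguments = $a.Arguments
            Flag      = (-not $task.Author) -or ($Interpreters -contains $exe)
        }
    }
} | Where-Object Flag | Format-Table Task, RunAs, State, Execute, Arguments -AutoSize

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 2a. Security log: 4698 (created) / 4702 (updated). The TaskContent field is
# the full task XML, so the original action and trigger survive even if the
# task has since been edited or deleted.
$audit = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4698,4702; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Task    = Get-EventDataField $_ 'TaskName'
            By      = Get-EventDataField $_ 'SubjectUserName'
            Content = (Get-EventDataField $_ 'TaskContent') -replace '\s+', ' '
        }
    }
$audit | Format-Table Time, EventId, Task, By -AutoSize

# 2b. TaskScheduler Operational log: Event ID 106 "Task registered". Fallback
# when Security auditing was off; empty if this log itself is disabled.
Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TaskScheduler/Operational'; Id=106; StartTime=$since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -AutoSize -Wrap
```

Keep the Content column of $audit (for example with Export-Clixml) rather than just the table: the task XML is what shows the actual command line, the trigger and the account the task was registered to run as.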


4. Services

Tools:

  • Autoruns

  • Event Viewer

Key Steps:

  1. Use Autoruns:

    • Navigate to the Services tab.

    • Review services for unsigned or suspicious entries.

  2. Analyze logs:

    • Use Event Viewer to find logs related to service creation or modification.
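As an added example (not part of the original checklist), the following PowerShell does the two service reviews above as a script. Part 1 mirrors the Autoruns Services tab: every installed service with its binary and Authenticode status. Part 2 is the log review, using the two events that record a new service: System log 7045 from the Service Control Manager, which is always written, and Security log 4697, which is written only when "Audit Security System Extension" is enabled. The seven-day window and the "outside Windows or Program Files" heuristic are assumptions.

```powershell
# Added example (PowerShell, not from the original checklist): section 4's
# service review. Run elevated. The 7-day window is an assumption.

$since = (Get-Date).AddDays(-7)

function Get-ServiceBinary {
    # Reduce a service PathName (quotes, arguments, env vars) to its executable.
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = [System.Environment]::ExpandEnvironmentVariables($PathName.Trim())
    if ($p.StartsWith('"')) { return $p.Substring(1, $p.IndexOf('"', 1) - 1) }
    $m = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')   # unquoted path with args
    if ($m.Success) { return $m.Groups[1].Value }
    return $p.Split(' ')[0]
}

# 1. Live inventory with signature status.
$services = Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Get-ServiceBinary $_.PathName
    $sig = if ($bin -and (Test-Path $bin)) { Get-AuthenticodeSignature -FilePath $bin } else { $null }
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Account   = $_.StartName
        Binary    = $bin
        SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}
# Unsigned binaries and binaries outside the Windows / Program Files trees are
# the entries to review first (an assumed heuristic, not a rule).
$services | Where-Object {
    $_.SigStatus -ne 'Valid' -or
    ($_.Binary -and $_.Binary -notmatch '^[A-Z]:\\(Windows|Program Files)')
} | Format-Table Name, State, Account, SigStatus, Binary -AutoSize

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 2a. System log 7045: "A service was installed in the system" (always logged).
Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Service Control Manager'; Id=7045; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Service   = Get-EventDataField $_ 'ServiceName'
            ImagePath = Get-EventDataField $_ 'ImagePath'
            StartType = Get-EventDataField $_ 'StartType'
            Account   = Get-EventDataField $_ 'AccountName'
        }
    } | Format-Table -AutoSize

# 2b. Security log 4697: same event with the installing user attached
# (only present when the audit subcategory was enabled).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4697; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Service   = Get-EventDataField $_ 'ServiceName'
            ImagePath = Get-EventDataField $_ 'ServiceFileName'
            By        = Get-EventDataField $_ 'SubjectUserName'
        }
    } | Format-Table -AutoSize
```

A 7045 whose service no longer exists in the live inventory is a common pattern for a service that was created, used once and removed; the event is the only trace left, which is why the log review is done alongside the inventory rather than instead of it.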


5. Registry Run Keys / Startup Folder

Tools:

  • Autoruns

  • Event Viewer

Key Registry Locations:

  • HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE paths for Run and RunOnce.

  • Policies\Explorer\Run for policy-based startup programs.

Key Event:

  • Event ID 4657: A registry value was modified.

Steps:

  1. Use Autoruns:

    • Check the Logon tab for suspicious entries.

  2. Use Event Viewer:

    • Navigate to Windows Logs -> Security.

    • Filter by Event ID 4657.
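The following PowerShell is an added example, not part of the original checklist. Part 1 enumerates the registry locations named above (with their Wow6432Node mirrors and the per-user and all-users Startup folders, which are assumptions added here) and checks the signature of each launched binary, as the Autoruns Logon tab does. Part 2 queries Event ID 4657 and narrows it to the Run keys. The caveat a practitioner needs here: 4657 is written only for keys that carry an audit SACL and only when the "Audit Registry" subcategory is enabled, so an empty result means the change was not audited, not that no change occurred. The seven-day window is an assumption.

```powershell
# Added example (PowerShell, not from the original checklist): section 5's
# Run-key / Startup-folder review. Run elevated. 7-day window is an assumption.

$since = (Get-Date).AddDays(-7)

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-CommandBinary {
    # Reduce a Run-key command ("C:\x\y.exe" /a, or y.exe /a) to its executable.
    param([string]$Command)
    $c = [System.Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c.StartsWith('"')) { return $c.Substring(1, $c.IndexOf('"', 1) - 1) }
    $m = [regex]::Match($c, '^(.*?\.(exe|dll|cmd|bat|vbs|js|ps1))', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $c.Split(' ')[0]
}

function New-AutostartRecord {
    param([string]$Source, [string]$Name, [string]$Command, [string]$Binary)
    $sig = if ($Binary -and (Test-Path $Binary)) { Get-AuthenticodeSignature -FilePath $Binary } else { $null }
    [pscustomobject]@{
        Source    = $Source
        Name      = $Name
        Command   = $Command
        SigStatus = if ($sig) { $sig.Status } else { 'FileNotFound' }
        Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    }
}

# 1. Registry autostarts, then the Startup folders (which need no registry entry).
$entries = @(foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ...
        New-AutostartRecord $key $prop.Name ([string]$prop.Value) (Get-CommandBinary ([string]$prop.Value))
    }
})
$entries += @(foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        New-AutostartRecord $dir $_.Name $_.FullName $_.FullName
    }
})
# Shortcuts (.lnk) in the Startup folder are never Authenticode-signed, so they
# always land in this list and have to be opened to see what they point at.
$entries | Where-Object { $_.SigStatus -ne 'Valid' } | Format-Table Source, Name, Command, SigStatus -AutoSize

function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    return ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 2. Security log 4657, restricted to the Run keys. ObjectName arrives in
# kernel form (\REGISTRY\MACHINE\... or \REGISTRY\USER\<SID>\...).
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4657; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time  = $_.TimeCreated
            Key   = Get-EventDataField $_ 'ObjectName'
            Value = Get-EventDataField $_ 'ObjectValueName'
            New   = Get-EventDataField $_ 'NewValue'
            Proc  = Get-EventDataField $_ 'ProcessName'
            By    = Get-EventDataField $_ 'SubjectUserName'
        }
    } | Where-Object { $_.Key -match '\\CurrentVersion\\(Run|RunOnce|Policies\\Explorer\\Run)$' } |
    Format-Table -AutoSize
```

Part 1 only sees the HKCU hive of the user running the script; to cover other profiles on a shared host, load their NTUSER.DAT hives or run Autoruns with its per-user option, which is exactly the gap the Logon tab closes.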


Key Takeaways

By leveraging these tools and procedures:

  • Memory Analysis identifies active threats.

  • User and Scheduled Task Analysis detects unauthorized account and task creation.

  • Service and Registry Analysis uncovers persistence mechanisms.

Consistent log analysis and tool usage ensure a comprehensive incident response process.
