Manual Windows Checks

Windows Attack

Windows Patch Level

List installed hotfixes (Windows Update KBs). Despite the "qfe" name this lists updates, not arbitrary packages:

wmic qfe list
wmic qfe list | find /I "KBxxxxxxx you are after"

find is case-sensitive without /I. Note that WMIC is deprecated and is no longer installed by default on the newest Windows 11 releases; Get-HotFix in PowerShell returns the same Win32_QuickFixEngineering data.
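The same check done from PowerShell, as an added example that is not part of the original page: it compares the installed hotfixes against a list of KBs you expect to see, reports how old the most recent update is, and saves the raw list for the report. The KB numbers and the 45-day staleness threshold are placeholders you replace for the engagement.

```powershell
# Added example (not from the original page): compare installed hotfixes
# against a list of expected KBs and report how stale patching is.
# The KB numbers below are placeholders, not real advisories.
$RequiredKBs = @('KB0000001', 'KB0000002')   # replace with the KBs you are after
$MaxAgeDays  = 45                            # assumption: older than this is "stale"

$hotfixes = Get-HotFix | Sort-Object InstalledOn -Descending

# Which of the required updates are missing?
$installed = $hotfixes.HotFixID
$missing   = $RequiredKBs | Where-Object { $_ -notin $installed }

# InstalledOn is empty for some entries, so only use populated dates.
$latest  = $hotfixes | Where-Object { $_.InstalledOn } | Select-Object -First 1
$ageDays = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    OSBuild       = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    HotfixCount   = @($hotfixes).Count
    LatestKB      = $latest.HotFixID
    LatestDate    = $latest.InstalledOn
    PatchAgeDays  = $ageDays
    StalePatching = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
    MissingKBs    = ($missing -join ', ')
}

# Keep the raw list for the report.
$hotfixes | Select-Object HotFixID, Description, InstalledOn, InstalledBy |
    Export-Csv -Path .\hotfixes.csv -NoTypeInformation
```

QFE only records what was installed; to judge whether the host is actually current, compare the OSBuild value against the build number of the latest cumulative update for that Windows version.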


Available Shares

List open file shares:

net share
wmic share get name,path

The default Windows shares are C$, IPC$ and ADMIN$ (plus D$, E$ and so on for each additional fixed drive).

If only these are present that is fine. Any others need investigating: find out what they are and whether they expose sensitive information. A shared CD-ROM drive might look odd, but it can simply indicate that the server is a VMware virtual machine, as this is how VMware Tools gets installed.
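A PowerShell version of the share review, added here as an example that is not part of the original page: it separates the built-in administrative shares from everything else and shows which broad principals have been granted access to the non-default ones at both the share level and the NTFS level. It needs the SmbShare module (Windows 8 / Server 2012 and later); the list of "low privilege" principals is an assumption.

```powershell
# Added example (not from the original page): list shares, drop the built-in
# administrative ones, and show which broad principals can reach the rest.
# Get-SmbShare / Get-SmbShareAccess need Windows 8 / Server 2012 or later.
# The principal list treated as "low privilege" is an assumption.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                       'NT AUTHORITY\ANONYMOUS LOGON', 'NT AUTHORITY\INTERACTIVE')

$shares = Get-SmbShare
# Special is set on the admin shares (C$, ADMIN$, IPC$ and the other drive$ shares).
$custom = $shares | Where-Object { -not $_.Special }

foreach ($s in $custom) {
    # Share-level ACL.
    $broad = Get-SmbShareAccess -Name $s.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.AccountName -in $LowPrivPrincipals
    }
    # NTFS ACL on the shared folder; effective access is the intersection of both.
    $ntfs = @()
    if ($s.Path -and (Test-Path -LiteralPath $s.Path)) {
        $ntfs = (Get-Acl -LiteralPath $s.Path).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -in $LowPrivPrincipals
        }
    }
    [pscustomobject]@{
        Name        = $s.Name
        Path        = $s.Path
        Description = $s.Description
        ShareAccess = ($broad | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        NtfsAccess  = ($ntfs  | ForEach-Object { "$($_.IdentityReference.Value):$($_.FileSystemRights)" }) -join '; '
    }
}
```

Anything with Everyone or Authenticated Users granted Change/Full at the share level and Modify or better on the folder is worth a look in the folder itself.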

File System Configuration

List available drives:

fsutil fsinfo drives

Find drive type (replace C: with appropriate drive):

fsutil fsinfo drivetype C:

List file system of a drive (replace C: with appropriate drive):

fsutil fsinfo volumeinfo C:
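The three fsutil checks gathered for every volume at once, as an added example that is not part of the original page. It reads Win32_LogicalDisk (available on every Windows version) and flags fixed disks that are not NTFS or ReFS, because FAT volumes carry no ACLs at all, then runs fsutil volumeinfo against each fixed drive for the flags WMI does not expose.

```powershell
# Added example (not from the original page): drive list, type and file
# system for every volume, with fixed drives that cannot hold ACLs flagged.
$DriveTypeNames = @{ 0='Unknown'; 1='NoRootDirectory'; 2='Removable'; 3='Fixed';
                     4='Network'; 5='CDROM'; 6='RAMDisk' }

Get-CimInstance Win32_LogicalDisk | ForEach-Object {
    $type = $DriveTypeNames[[int]$_.DriveType]
    [pscustomobject]@{
        Drive      = $_.DeviceID
        Type       = $type
        FileSystem = $_.FileSystem
        Label      = $_.VolumeName
        SizeGB     = if ($_.Size)      { [math]::Round($_.Size / 1GB, 1) }      else { $null }
        FreeGB     = if ($_.FreeSpace) { [math]::Round($_.FreeSpace / 1GB, 1) } else { $null }
        # Fixed disks should be NTFS or ReFS; anything else has no file permissions.
        NoAcls     = ($type -eq 'Fixed') -and ($_.FileSystem -notin @('NTFS', 'ReFS'))
    }
} | Format-Table -AutoSize

# fsutil reports capability flags the WMI class does not (ACL enforcement,
# compression, encryption support), so run it against each fixed drive.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
    "--- $($_.DeviceID)"
    fsutil fsinfo volumeinfo $_.DeviceID
}
```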

Installed Software

List installed software and versions:

wmic product

You probably only need the product, version and vendor. Append get to select just those columns:

wmic product get name,version,vendor

Be aware that wmic product (the Win32_Product class) makes Windows Installer run a consistency check of every MSI-installed product and can trigger repairs, so it is slow, leaves MsiInstaller events in the Application event log, and only lists MSI-based installs. Reading the Uninstall keys in the registry avoids all three problems.

To save the output to a file:


Review the list produced, looking for:

  • Anything unnecessary for the role of the device (e.g. you don’t need Windows Media Player on a server).
  • Anything “Internet facing”, such as web browsers and FTP clients, and browser plugins such as Silverlight, Flash Player and Java. Determine whether these are outdated. The quickest way is to give Nessus local administrator credentials, as it will do most of the work for you; otherwise a web search for the version is your friend. A list of CVEs can be obtained for most products by looking up the version on www.cvedetails.com.
  • Anything susceptible to file-type exploits, such as Windows Media Player, the Microsoft Office suite, Adobe Acrobat Reader and Java. The same methodology applies, but exploitation requires a user to open a crafted file in the vulnerable application, so the risk is lower than for software that is directly exposed.
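An added example, not part of the original page, that does the listing and the review in one pass: it enumerates installed software from the registry Uninstall keys (64-bit, 32-bit and per-user), which is fast and does not trigger MSI repairs, saves the full list to a CSV file, and flags products from the categories above. The watch list is a starting point based on the products the text names, not a definitive set.

```powershell
# Added example (not from the original page): installed software from the
# registry Uninstall keys, exported to CSV, with "review this" products flagged.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Internet-facing clients, plugins and file-type targets from the list above
# (assumption: extend for the environment under test).
$WatchList = 'Java', 'Flash', 'Silverlight', 'Adobe Reader', 'Acrobat', 'Microsoft Office',
             'Firefox', 'Chrome', 'FileZilla', 'WinSCP', 'VLC', 'Media Player'

$software = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |          # skip keys with no product name
    ForEach-Object {
        $name = $_.DisplayName
        [pscustomobject]@{
            Name        = $name
            Version     = $_.DisplayVersion
            Vendor      = $_.Publisher
            InstallDate = $_.InstallDate
            Scope       = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
            Review      = [bool]($WatchList | Where-Object { $name -like "*$_*" })
        }
    } | Sort-Object Name, Version -Unique

# Full inventory for the report, then just the items that need a version check.
$software | Export-Csv -Path .\installed_software.csv -NoTypeInformation
$software | Where-Object Review | Format-Table Name, Version, Vendor, Scope -AutoSize
```

Per-user installs (Scope = User) only show for the account running the script, so run it as the users whose profiles matter, or walk the other hives under HKEY_USERS.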

Anti-Virus Software

You can usually find the installed anti-virus by checking for icons in the system tray. Follow the steps below for analysis:

  • Right-click the icon and find the “About” screen to read the product version. Verify that this is the latest version and, if not, advise upgrading.
  • Check the revision/version of the virus definition database and that it is updated regularly; anything more than a few weeks old is likely to be dangerous. Ask how machines receive updates: straight from the vendor, or via an internal update server? Search for the vendor’s most recent definition release. If the update server itself is not being fed, the workstations can be at risk while the GUI happily reports that it is bang up to date.
  • Determine what the solution is configured to scan. You want on-access (“active”, real-time) scanning enabled and, ideally, a full hard disk scan scheduled regularly.
  • For extra points, drop an EICAR anti-malware test file to trigger an anti-virus alert. This is a non-malicious file that every AV vendor recognises, so it proves whether any AV solution is actually working when you are in doubt. In a secure environment this should raise an alert to someone within the organisation. If you don’t get a phone call, ask whether they have logging and response procedures for AV alerts; if not, recommend that they do.
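The AV checks above scripted, as an added example that is not part of the original page. It lists the AV products registered with Security Center, reports Microsoft Defender engine/signature status where the Defender module exists, and then drops an EICAR test file to see whether on-access scanning reacts. The EICAR string is assembled from two halves so the script itself is not quarantined on the tester's machine; the 14-day signature-age threshold is an assumption.

```powershell
# Added example (not from the original page): registered AV products,
# Defender signature status, and an EICAR drop test for on-access scanning.
$MaxSignatureAgeDays = 14                         # assumption
$TestFile = Join-Path $env:TEMP 'eicar_test.com'

# 1. Registered AV products. The SecurityCenter2 namespace exists on client
#    Windows only, so this returns nothing useful on Windows Server.
try {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
        Select-Object displayName, pathToSignedProductExe, productState, timestamp
} catch { 'No SecurityCenter2 namespace (server OS?) or query failed.' }

# 2. Defender status, where the Defender module is available.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $mp = Get-MpComputerStatus
    [pscustomobject]@{
        EngineVersion      = $mp.AMEngineVersion
        ProductVersion     = $mp.AMProductVersion
        SignatureVersion   = $mp.AntivirusSignatureVersion
        SignatureAgeDays   = $mp.AntivirusSignatureAge
        SignaturesStale    = $mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays
        RealTimeProtection = $mp.RealTimeProtectionEnabled
        LastFullScan       = $mp.FullScanEndTime
    }
}

# 3. EICAR drop test: write the 68-byte test string (ASCII, no newline) and
#    see whether the write is blocked or the file disappears.
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$' + 'EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
try {
    [System.IO.File]::WriteAllText($TestFile, $eicar, [System.Text.Encoding]::ASCII)
    Start-Sleep -Seconds 10                       # give on-access scanning time to react
    $survived = Test-Path -LiteralPath $TestFile
} catch {
    $survived = $false                            # write refused by on-access scanning
}
if ($survived) {
    Write-Warning "EICAR file still present at $TestFile after 10s: no on-access AV reaction."
    Remove-Item -LiteralPath $TestFile -Force -ErrorAction SilentlyContinue
} else {
    'EICAR file was blocked or removed: on-access scanning is active.'
}
```

Whether the drop also produced an alert at the SOC is the part the script cannot tell you; that is the phone call the text refers to.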

Exploit Mitigation Technologies

System DEP Policy

Check System Data Execution Prevention Policy:

wmic os get /format:value

The key values for working out whether DEP is available and how it is set are:

DataExecutionPrevention_Available=TRUE
DataExecutionPrevention_SupportPolicy=3

SupportPolicy is the system-wide mode: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (only Windows binaries and programs that opt in; the client default) and 3 = OptOut (everything except an exclusion list; the server default). AlwaysOff should be reported as a finding. The same output also shows:

DataExecutionPrevention_32BitApplications=TRUE
DataExecutionPrevention_Drivers=TRUE

Active Local Processes

To list running processes, PIDs and owning users (plain tasklist omits the user name; /V adds it along with session and window title):

tasklist /V

Process Explorer

For a more detailed look at processes, push Process Explorer to the host.

For bonus points, do View > Select Columns and enable the following:

  • DEP Status
  • Integrity Level
  • Virtualized
  • ASLR Enabled
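The system DEP policy and the Process Explorer mitigation columns from PowerShell, as an added example that is not part of the original page. The policy mapping follows the Win32_OperatingSystem values described above; the per-process part uses Get-ProcessMitigation (ProcessMitigations module, Windows 10 1709 / Server 2019 and later), and the output property names used for it are an assumption on older builds.

```powershell
# Added example (not from the original page): system-wide DEP policy, then
# per-process DEP/ASLR/CFG state joined with the process owner.
$PolicyNames = @{ 0='AlwaysOff'; 1='AlwaysOn'; 2='OptIn'; 3='OptOut' }
$os = Get-CimInstance Win32_OperatingSystem
[pscustomobject]@{
    DEPAvailable = $os.DataExecutionPrevention_Available
    DEPPolicy    = $PolicyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    DEP32Bit     = $os.DataExecutionPrevention_32BitApplications
    DEPDrivers   = $os.DataExecutionPrevention_Drivers
    DEPFinding   = ([int]$os.DataExecutionPrevention_SupportPolicy -eq 0)   # AlwaysOff
}

if (Get-Command Get-ProcessMitigation -ErrorAction SilentlyContinue) {
    # Owners come from Win32_Process; join them to the mitigation data by PID.
    $owners = @{}
    Get-CimInstance Win32_Process | ForEach-Object {
        $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
        $owners[[int]$_.ProcessId] = if ($o -and $o.User) { "$($o.Domain)\$($o.User)" } else { '' }
    }
    # Property names (Id, ProcessName, Dep, Aslr, Cfg) follow the module's
    # -RunningProcesses output; PowerShell property access is case-insensitive.
    Get-ProcessMitigation -RunningProcesses | ForEach-Object {
        [pscustomobject]@{
            PID          = $_.Id
            Process      = $_.ProcessName
            Owner        = $owners[[int]$_.Id]
            DEP          = $_.Dep.Enable
            ASLRForce    = $_.Aslr.ForceRelocateImages   # mandatory ASLR for non-/DYNAMICBASE images
            ASLRBottomUp = $_.Aslr.BottomUp
            CFG          = $_.Cfg.Enable
        }
    } | Sort-Object Process | Format-Table -AutoSize
} else {
    'Get-ProcessMitigation not available on this build; use the Process Explorer columns instead.'
}
```

Integrity level and the Virtualized flag are not in this output; Process Explorer remains the quickest way to read those.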

Networking

Firewall

Check the status of the host firewall (Windows Firewall):

netsh firewall show opmode
netsh firewall show state
netsh firewall show config

The netsh firewall context is deprecated from Windows Vista and Server 2008 onwards and only reflects the legacy domain/standard profiles; Microsoft recommends the netsh advfirewall context instead. In particular, the following shows every rule in full:

netsh advfirewall firewall show rule name=all verbose

Check that the firewall logs both allowed and dropped connections to a log file of a reasonable size. By default it logs neither, and the default log (%systemroot%\system32\LogFiles\Firewall\pfirewall.log) is capped at 4 MB.
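A scripted version of the firewall review, added here as an example that is not part of the original page. It audits the three profiles (state, default inbound action and the logging settings discussed above) and lists enabled inbound allow rules that accept connections from any remote address. It needs the NetSecurity module (Windows 8 / Server 2012 and later); the 16 MB minimum log size is an assumption, not a Microsoft figure.

```powershell
# Added example (not from the original page): audit firewall profiles and
# enabled inbound allow rules that are open to any remote address.
$MinLogKB = 16384                                 # assumption: 16 MB minimum

$profiles = Get-NetFirewallProfile | ForEach-Object {
    [pscustomobject]@{
        Profile        = $_.Name
        Enabled        = $_.Enabled
        InboundDefault = $_.DefaultInboundAction   # should be Block
        LogAllowed     = $_.LogAllowed
        LogBlocked     = $_.LogBlocked
        LogFile        = $_.LogFileName
        LogMaxKB       = $_.LogMaxSizeKilobytes
        Findings       = (@(
            if ($_.Enabled -ne 'True')                { 'firewall disabled' }
            if ($_.DefaultInboundAction -ne 'Block')  { 'inbound default not Block' }
            if ($_.LogAllowed -ne 'True')             { 'allowed connections not logged' }
            if ($_.LogBlocked -ne 'True')             { 'dropped connections not logged' }
            if ($_.LogMaxSizeKilobytes -lt $MinLogKB) { "log capped at $($_.LogMaxSizeKilobytes) KB" }
        ) -join '; ')
    }
}
$profiles | Format-Table -AutoSize

# Enabled inbound allow rules; address, port and program filters hang off each rule.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Profile    = $_.Profile
        Protocol   = $port.Protocol
        LocalPort  = ($port.LocalPort -join ',')
        RemoteAddr = ($addr.RemoteAddress -join ',')
        Program    = $app.Program
    }
} | Where-Object { $_.RemoteAddr -eq 'Any' } | Sort-Object Rule | Format-Table -AutoSize

# The fix for the logging findings (run elevated):
# Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True -LogMaxSizeKilobytes $MinLogKB
```

A rule open to Any with Program set to a non-Windows binary is usually the one to ask about first.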

Windows Services

Binary Permissions – PowerShell script

Use the .ps1 script found here: INSERT GitLab URL

Save as bin_perms.ps1 and execute as follows:

powershell -ExecutionPolicy ByPass .\bin_perms.ps1 > service_bin_perms.txt
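An added example, not part of the original page and not the bin_perms.ps1 script it links to, that performs the usual service binary permission checks in full. For every Win32 service it resolves the executable from the (possibly unquoted) path the same way the Service Control Manager does, then reports binaries or parent directories that low-privilege principals can write to, and unquoted paths containing spaces. The list of low-privilege principals is an assumption; extend it with the groups your test account belongs to.

```powershell
# Added example (not from the original page): weak service binary / folder
# permissions and unquoted service paths, written to CSV like the page's script.
$LowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
             'NT AUTHORITY\INTERACTIVE', "$env:USERDOMAIN\$env:USERNAME")   # assumption
# Rights that let a caller replace or alter the file; Modify/FullControl include these.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Resolve-ServiceBinary([string]$PathName) {
    if (-not $PathName) { return $null }
    $p = $PathName.Trim() -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -lt 1) { $end = $p.Length }
        return [pscustomobject]@{ Path = $p.Substring(1, $end - 1); Unquoted = $false }
    }
    # Unquoted: the SCM tries each space-delimited prefix in turn ("C:\Program",
    # "C:\Program Files\..."), which is exactly why unquoted paths with spaces matter.
    $parts = $p -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) {
            return [pscustomobject]@{ Path = $candidate; Unquoted = ($candidate -match ' ') }
        }
    }
    [pscustomobject]@{ Path = $parts[0]; Unquoted = $false }
}

function Get-WeakWriters([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return 'ACL unreadable' }
    ($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $LowPriv -and
        (([int]$_.FileSystemRights -band [int]$WriteRights) -ne 0)
    } | ForEach-Object { "$($_.IdentityReference.Value)=$($_.FileSystemRights)" }) -join '; '
}

$results = Get-CimInstance Win32_Service | ForEach-Object {
    $bin = Resolve-ServiceBinary $_.PathName
    if (-not $bin -or -not (Test-Path -LiteralPath $bin.Path)) { return }
    [pscustomobject]@{
        Service      = $_.Name
        RunsAs       = $_.StartName
        StartMode    = $_.StartMode
        State        = $_.State
        Binary       = $bin.Path
        UnquotedPath = $bin.Unquoted
        BinaryWrite  = Get-WeakWriters $bin.Path
        FolderWrite  = Get-WeakWriters (Split-Path -Parent $bin.Path)
    }
}
$results | Export-Csv -Path .\service_bin_perms.csv -NoTypeInformation
$results | Where-Object { $_.UnquotedPath -or $_.BinaryWrite -or $_.FolderWrite } |
    Format-Table Service, RunsAs, Binary, UnquotedPath, BinaryWrite, FolderWrite -AutoSize
```

A writable binary or folder on a service that runs as LocalSystem is a straight privilege escalation; an unquoted path only matters if one of the intermediate directories (C:\, C:\Program Files\) is writable too, so check those with the same Get-WeakWriters function before reporting it.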
