Blue Team-System Live Analysis [Part 5]- Windows: Users, Groups, and Privileges
Have you enjoyed reading the previous parts? They covered the need for system live analysis, its rules and required tools, the checklist for carrying out a Windows live investigation, and how to retrieve the system information and configuration.
This part will discuss one of the most exciting topics in forensics investigations: “existing users on a target system, account groups, and users’ privileges!”
Data Types: User account information, login timestamps, account activities, account groups, and privileges.
Investigation Value: To look for any questionable activities related to user accounts such as suspicious and unexpected login hours, locations, and privileges.
1- How User Accounts Are Abused by Hackers!
Finding the user accounts that exist on the system being analyzed is an integral part of every forensics investigation. Why? Because there might be a mystery behind every user account [Local | Domain]!
- Existing/Default Accounts: User and system default accounts are among hackers' top favorite targets, as attackers may be able to abuse them to carry out malicious activities.
- Newly Created Accounts: As mentioned in part 3, creating new accounts upon initial access is a common technique used by attackers. Therefore, the user account list on a system must be verified and validated by the user or the company IT team to look for any account created without their knowledge. The Stolen Pencil malware utilized a tool to create an admin account on an infected Windows machine.
- Deleted/Modified Accounts: Yes! It's not all about the existing users only! An attacker may delete a user account, disable it, or change its password or privileges to interrupt system or resource availability. For instance, LockerGoga ransomware changed user passwords right after the initial infection and logged the users off from the system.
2- The hackers' mindset: Use of user accounts in a cyber attack lifecycle
Hackers use user accounts for initial access and in several other ways at different stages of a cyber attack. Below, I briefly summarize the key points from the MITRE ATT&CK knowledge base of adversary behavior.
- Lateral Movement: Having access to legitimate user account credentials may allow attackers to establish a remote connection, interact with target machines, or log in to them via services such as telnet, SSH, RDP, SMB, WinRM, and VNC.
- Persistence: Creating a new account [local | domain] or manipulating existing ones is a common technique used by adversaries to maintain access to compromised systems across conditions that may remove or limit the initial access.
- Privilege Escalation: Obtaining the credentials of default and valid accounts may help an attacker elevate the initial access to higher privilege levels with more permissions, such as SYSTEM and root.
- Defense Evasion: Attackers may abuse valid accounts on the system to establish seemingly legitimate access to the victim machine, which is more challenging to trace and detect.
- Impact: We mostly think about how hackers may use the user accounts. However, they may also delete, disable, or restrict accounts to interrupt legitimate access.
3- List of User Accounts in Windows
There are many ways to retrieve the user accounts during live Windows analysis. As is common practice in my write-ups, I will cover several methods without a detailed comparison of their efficiency.
net user:
net user is a built-in Windows command that displays a list of all local user accounts. The figure below shows the use of net user to find the local accounts:
We can use the net user command with an account name to get more information on a particular user account. Example: net user Cyfohub
As shown in the figure above, we can determine the last logon time and local group membership of the Cyfohub user account. As discussed in previous parts, we can always combine the commands with findstr if we only aim to retrieve specific information. For instance, to obtain only the last logon time of the Cyfohub user account, we can use the command below:
net user username | findstr /B /C:"Last logon"
wmic useraccount:
wmic useraccount is my favorite command, as we can obtain more information in an organized way. It offers LIST and GET options. Let's try both of them:
wmic useraccount list full
The “/?” switch displays the list of available options. For instance, the command below shows the list of “get” options.
wmic useraccount get /?
I'm going to retrieve the name, account type, sid, and status for user accounts:
wmic useraccount get name, accounttype, sid, status
[i] Account Type: Indicates the type of user account, such as Normal account (512), Temporary duplicate account (256), Interdomain trust account (2048), Workstation trust account (4096), and Server trust account (8192).
Code 512 represents default or normal accounts; thus, we only see this account type when a system is not part of a domain and only contains local accounts.
[ii] SID: A Security Identifier is a unique value assigned to an object such as a user, a group, or a service within a system. A SID is issued by an authority, such as a Microsoft AD Domain Controller or the Windows OS, and is used to set special privileges or restrictions for objects (e.g., users).
[iii] Status: This is the current status of the user account. The value for an enabled account is “OK” and for a disabled account is “Degraded”.
PowerShell Get-LocalUser
Get-LocalUser, piped to “select *”, displays the list of all existing users along with their associated fields.
Get-LocalUser | Select *
We can also use select to retrieve only specific fields for each user.
Get-LocalUser | Select name, Enabled, sid, lastlogon
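As an added example (not part of the original post), the script below combines Get-LocalUser with the Win32_UserAccount CIM class (the class behind wmic useraccount, queried here through Get-CimInstance since wmic is deprecated in current Windows releases) into one triage table, decodes the account type codes listed above, and flags accounts that deserve a second look. The $Baseline list of expected accounts is an assumed, constructed list that must be replaced with the one the system owner provides.

```powershell
# Added example, not from the original post. $Baseline is a constructed,
# assumed list of accounts the owner expects on this host.
$Baseline = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount', 'Cyfohub', 'Sechub')

# Win32_UserAccount.AccountType codes as listed in the post
$AccountTypeNames = @{
    256  = 'Temporary duplicate account'
    512  = 'Normal account'
    2048 = 'Interdomain trust account'
    4096 = 'Workstation trust account'
    8192 = 'Server trust account'
}

# CIM supplies AccountType, SID and Status; Get-LocalUser supplies the timestamps
$cim = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = TRUE'
$report = foreach ($u in Get-LocalUser) {
    $c = $cim | Where-Object { $_.SID -eq $u.SID.Value }
    $typeName = $AccountTypeNames[[int]$c.AccountType]
    if (-not $typeName) { $typeName = "Unknown ($($c.AccountType))" }

    # Review flags: unknown account, enabled but never used, recent password
    # change (cf. LockerGoga), built-in Administrator (RID 500) left enabled
    $flags = @()
    if ($u.Name -notin $Baseline)                        { $flags += 'NOT_IN_BASELINE' }
    if ($u.Enabled -and -not $u.LastLogon)               { $flags += 'ENABLED_NEVER_LOGGED_ON' }
    if ($u.PasswordLastSet -gt (Get-Date).AddDays(-7))   { $flags += 'PASSWORD_CHANGED_LAST_7D' }
    if ($u.SID.Value -like '*-500' -and $u.Enabled)      { $flags += 'BUILTIN_ADMIN_ENABLED' }

    [pscustomobject]@{
        Name            = $u.Name
        SID             = $u.SID.Value
        Enabled         = $u.Enabled
        AccountType     = $typeName
        Status          = $c.Status          # "OK" or "Degraded"
        LastLogon       = $u.LastLogon
        PasswordLastSet = $u.PasswordLastSet
        Flags           = ($flags -join ',')
    }
}

# Full table for the report, plus a CSV of only the flagged accounts for follow-up
$report | Sort-Object Name | Format-Table -AutoSize
$report | Where-Object Flags | Export-Csv -Path "$env:TEMP\local-accounts-triage.csv" -NoTypeInformation
```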
4- Groups and Privileges
A group is a set of user accounts that share the same security rights and privileges [access rights] for system or network resources. A group can be defined at the host level only, as a local group, or at the domain level, as a distribution or security group.
Note: This write-up series focuses on local groups only.
net localgroup
net localgroup is a built-in Windows command that displays the local groups that exist on the target being analyzed.
Windows creates most of the groups above as default groups during OS installation. Let’s check the members of the Administrators and Users groups.
net localgroup [Group name]
net localgroup Administrators
net localgroup Users
As shown in the figure above, we have two accounts in the Administrators group [Administrator and Cyfohub] and one in the Users group [Sechub].
PowerShell
Get-LocalGroupMember -Group "Administrators" | select name, PrincipalSource, sid
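As an added example (not part of the original post), the script below walks every local group with Get-LocalGroup and Get-LocalGroupMember, lists the members of the groups that confer the most privilege, warns on any Administrators member outside an expected list, and inverts the view to show which groups each account belongs to. The $ExpectedAdmins baseline and the $PrivilegedGroups selection are assumptions chosen for illustration.

```powershell
# Added example, not from the original post. $ExpectedAdmins is a constructed,
# assumed baseline for this host; $PrivilegedGroups is an illustrative selection.
$ExpectedAdmins   = @('Administrator', 'Cyfohub')
$PrivilegedGroups = @('Administrators', 'Remote Desktop Users', 'Remote Management Users',
                      'Backup Operators', 'Hyper-V Administrators')

$membership = foreach ($g in Get-LocalGroup) {
    # Some groups hold orphaned SIDs that cannot be resolved; do not stop on them
    $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        [pscustomobject]@{
            Group           = $g.Name
            Member          = $m.Name            # HOST\user or DOMAIN\user
            ObjectClass     = $m.ObjectClass     # User or Group (nested group)
            PrincipalSource = $m.PrincipalSource # Local, ActiveDirectory, MicrosoftAccount, ...
            SID             = $m.SID.Value
            Privileged      = ($g.Name -in $PrivilegedGroups)
        }
    }
}

# 1) Who sits in the groups that matter most
$membership | Where-Object Privileged | Sort-Object Group, Member | Format-Table -AutoSize

# 2) Administrators members outside the baseline (compare on the short account name)
$membership |
    Where-Object { $_.Group -eq 'Administrators' -and ($_.Member -split '\\')[-1] -notin $ExpectedAdmins } |
    ForEach-Object { Write-Warning "Unexpected Administrators member: $($_.Member) [$($_.PrincipalSource)]" }

# 3) Per-account view: which groups does each user account belong to?
$membership | Where-Object ObjectClass -eq 'User' |
    Group-Object Member |
    Select-Object @{n = 'Account'; e = { $_.Name }}, @{n = 'Groups'; e = { $_.Group.Group -join ', ' }} |
    Format-Table -AutoSize
```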
5- What Would Be Next
If you have read this post, you may say… mmm… ok! Now I know:
- How hackers may use user accounts
- How user accounts are used across the cyber attack life cycle
- How to obtain the list of user accounts on the system
- How to determine the groups a user account belongs to and what it can do as a member of those groups
But… what would be next? How to look for suspicious or malicious acts!
Stay tuned… the next post will be on user account profiling and behavior analysis.