Saturday, October 16, 2004

Simple Post-Installation Baselines on Windows

I just finished setting up a new Windows XP SP2 system on a Shuttle SB52G2 for my wife. This box screams compared to the 1998-era PII 333 MHz tower it replaced.

Now that the installation is done and I've loaded all the software we expect to use on the system and all appropriate patches, I've taken a few simple steps to record a baseline configuration. I use the free PsTools suite from SysInternals.com to record key aspects of the operating system and installed software. Here are the tools I run and sample output for each. All of this information is redirected into text files that I store on the system and on a separate system for safekeeping. I ran all of these programs without administrator privileges.

Believe it or not, but not everyone who breaks into your Windows systems is a Uber Elite hacker. Sometimes they tools used by intruders or malware leaves evidence in output such as this. If you can compare this listing, taken in a known good state, to later records, you might discover unauthorized software. It is best to update these records each time you apply a service pack or hotfix.

PsInfo: This utility records essential system information, like patch levels and installed applications:

c:\>psinfo -h -s -d

System information for \\SCOUT:

Volume Type Format Label Size Free Free
A: Removable 0%
C: Fixed NTFS 15.0 GB 11.8 GB 78%
D: Fixed NTFS data 59.5 GB 55.9 GB 94%
E: CD-ROM 0%
OS Hot Fix Installed

KB834707 10/16/2004
KB885884 10/16/2004
Q147222 10/12/2004
Applications:
7-Zip 4.09 beta
Adobe Acrobat - Reader 6.0.2 Update 6.0.2
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition 2.00.100
Adobe Reader 6.0.1 006.000.001
AutoUpdate 1.0
Avance AC'97 Audio
CC_ccStart 2.0.0.635
DivX 5.2.1
DivX Player 2.5.5
Intel(R) 82845G Graphics Driver Software
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PRO Intelligent Installer 2.01.0000
IrfanView (remove only)
LiveReg (Symantec Corporation) 2.4.2.2295
LiveUpdate 2.5 (Symantec Corporation) 2.5.55.0
MSRedist 1.0.0.0
MWSnap 3 3.0.0.74
Macromedia Shockwave Player
Microsoft Baseline Security Analyzer 1.2.1 1.2.4013.0
Microsoft Money 2002 10.0.80
Microsoft Money 2002 System Pack 10.0.80
Microsoft Office XP Standard 10.0.6626.0
NetTime 2.0
Norton AntiVirus 2004 10.00.00
Norton AntiVirus 2004 (Symantec Corporation) 10.00.00
Norton AntiVirus Parent MSI 10.0.0
Norton AntiVirus SYMLT MSI 10.0.0
Norton WMI Update 2005.1.0.111
PDFCreator 0.8.0
QuickTime
RealPlayer
SymNet 4.7.1
Symantec Script Blocking Installer 1.0.0
WebFldrs XP 9.50.7523
WinMX
Windows XP Hotfix - KB834707 20040929.110854
Windows XP Hotfix - KB885884 20040924.025457
ccCommon 2.0.0.635
iTunes 4.6.0.15
iTunes 4.6.0.15

PsList: This tool lists all processes running on the system. Again, you might notice an unauthorized process by comparing a later listing to this one taken under post-installation conditions. While the PsInfo output was easy to ready, it can be more difficult to make sense of processes based solely on their names.

c:\>pslist

PsList 1.26 - Process Information Lister
Copyright (C) 1999-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for SCOUT:

Name Pid Pri Thd Hnd Priv CPU Time Elapsed Time
Idle 0 0 1 0 0 0:34:33.093 0:00:00.000
System 4 8 55 266 0 0:00:09.468 0:00:00.000
smss 372 11 3 21 164 0:00:00.984 0:40:50.680
csrss 664 13 11 498 1680 0:00:20.765 0:40:47.946
winlogon 688 13 20 532 7468 0:00:05.125 0:40:46.540
services 736 9 15 296 1912 0:00:07.703 0:40:45.540
lsass 748 9 20 366 3720 0:00:05.375 0:40:45.446
svchost 892 8 20 206 3008 0:00:01.343 0:40:44.086
svchost 960 8 11 376 1844 0:00:06.828 0:40:43.680
svchost 1000 8 72 1459 13024 0:00:11.953 0:40:43.461
svchost 1080 8 6 101 1252 0:00:00.343 0:40:42.665
svchost 1160 8 15 212 1656 0:00:00.328 0:40:42.071
CCSETMGR 1268 8 6 183 2400 0:00:00.765 0:40:40.774
CCEVTMGR 1296 8 22 202 2584 0:00:00.484 0:40:40.336
spoolsv 1460 8 14 144 3520 0:00:03.281 0:40:39.571
NAVAPSVC 1580 8 11 241 5648 0:00:11.937 0:40:39.071
NeTmSvNT 1616 8 7 74 844 0:00:01.203 0:40:38.805
NMSSvc 1668 8 6 136 1964 0:00:01.781 0:40:38.415
SAVSCAN 1724 8 7 60 8240 0:00:08.546 0:40:37.993
svchost 1768 8 8 135 3424 0:00:01.218 0:40:37.540
symlcsvc 1796 8 4 78 784 0:00:00.265 0:40:37.040
SymWSC 1904 8 8 254 7448 0:00:10.062 0:40:36.024
alg 240 8 6 105 1016 0:00:00.078 0:40:31.149
explorer 2740 8 11 325 11004 0:00:11.218 0:28:14.425
PROMon 3692 8 4 85 776 0:00:01.406 0:28:08.753
igfxtray 3764 8 1 58 1228 0:00:00.203 0:28:08.659
hkcmd 1156 8 2 67 1348 0:00:00.281 0:28:08.503
SOUNDMAN 3384 8 1 42 1708 0:00:00.031 0:28:08.409
CCAPP 1676 8 22 336 5092 0:00:04.156 0:28:08.347
NetTime 3716 8 2 33 744 0:00:00.203 0:28:08.284
iTunesHelper 3160 8 4 104 800 0:00:00.171 0:28:08.128
qttask 3144 8 2 38 500 0:00:00.125 0:28:08.066
iPodService 2220 8 6 112 1896 0:00:00.203 0:28:06.144
LUCOMS~1 3824 8 5 132 2244 0:00:00.578 0:28:04.925
cmd 3368 8 1 31 1928 0:00:00.578 0:05:26.631
msmsgs 4056 8 4 149 1176 0:00:00.156 0:00:17.109
pslist 3036 13 2 70 680 0:00:00.046 0:00:00.046


Netstat: Recently Windows has added the ability to show the process id (PID) of the process that opens a listening socket. That means the old netstat command can show the PID responsible for open sockets on a Windows system if passed the -o switch:

c:\>netstat -nao

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 960
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:1025 0.0.0.0:0 LISTENING 240
TCP 127.0.0.1:1078 0.0.0.0:0 LISTENING 1676
TCP 192.168.2.11:139 0.0.0.0:0 LISTENING 4
UDP 0.0.0.0:445 *:* 4
UDP 0.0.0.0:500 *:* 748
UDP 0.0.0.0:1031 *:* 1080
UDP 0.0.0.0:1032 *:* 1080
UDP 0.0.0.0:1033 *:* 1080
UDP 0.0.0.0:1034 *:* 1080
UDP 0.0.0.0:1035 *:* 1080
UDP 0.0.0.0:4500 *:* 748
UDP 127.0.0.1:123 *:* 1000
UDP 127.0.0.1:1900 *:* 1160
UDP 192.168.2.11:123 *:* 1000
UDP 192.168.2.11:137 *:* 4
UDP 192.168.2.11:138 *:* 4
UDP 192.168.2.11:1900 *:* 1160


You can get similar but not exactly the same output with Foundstone's Fport program:

c:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
960 -> 135 TCP
4 System -> 139 TCP
4 System -> 445 TCP
240 -> 1025 TCP
1676 ccApp -> 1078 TCP C:\Program Files\Common Files\Symantec Shared\ccApp.exe

0 System -> 123 UDP
0 System -> 137 UDP
0 System -> 138 UDP
960 -> 445 UDP
4 System -> 500 UDP
240 -> 1031 UDP
1676 ccApp -> 1032 UDP C:\Program Files\Common Files\Symantec Shared\ccApp.exe
4 System -> 1033 UDP
0 System -> 1034 UDP
0 System -> 1035 UDP
0 System -> 1383 UDP
0 System -> 1900 UDP
0 System -> 4500 UDP


PsService: The last program I like to run shows the services that load under Windows. Only a few are shown for demonstration purposes:

c:\>psservice
PsService v2.12 - local and remote services viewer/controller
Copyright (C) 2001-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is
stopped, programs that use administrative alerts will not receive them. If this
service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and
the Windows Firewall.
TYPE : 10 WIN32_OWN_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

SERVICE_NAME: AppMgmt
DISPLAY_NAME: Application Management
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

Again, in a situation where you expect an intrusion, comparing new data to this baseline can help identify suspicious processes or services.

If you want to collect even more data, assume administrator privileges and run Listdlls. Listdlls displays all of the DLLs loaded on a Windows system.

If you're wondering how I identify potential intrusions on Windows systems, the answer is simple. One of the host-based steps involves "live response," or the collection of volatile information using certain Windows tools. My IR toolkit includes these and other tools. Quite often I can identify suspicious entries in records like those shown, and having a baseline in hand makes that job much easier. Of course, truly skilled intruders will use kernel mode rootkits to hide their presence. Under those conditions, other techniques must be applied.

2 comments:

jenna said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.