Improving Windows Baselining with Tlist.exe
Several people provided feedback on my Simple Post-Installation Baselines on Windows blog entry. First, Beau Monday reminded me of his FirstOnScene incident response scripts. I haven't tried these out, but you might want to see if they make life easier for your first responders.
Second, Harlan Carvey pointed out the program tlist.exe shipped with the Debugging Tools for Windows. This is apparently not the same tlist.exe found on some Windows systems. You can obtain tlist.exe by downloading and installing the debugging tools, and then copying the tlist.exe binary elsewhere.
I tested the independence of tlist.exe by running it on a system where no special debugging tools were installed, and where I did not have administrator privileges.
Here is an excerpt of tlist.exe output. This tool is especially helpful because it shows the full path for executables. This allows you to differentiate between a 'svchost.exe' started from "C:\WINDOWS\system32" (where it belongs) and "C:\WINDOWS\system32\temp" (where it doesn't):
c:\>tlist.exe -v
0 0 System Process
Command Line:
0 4 System
Command Line:
0 376 smss.exe
Command Line: \SystemRoot\System32\smss.exe
Process StartTime: 10/18/2004 6:54:42 AM
0 652 csrss.exe Title:
Command Line: C:\WINDOWS\system32\csrss.exe
ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On
SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
Process StartTime: 10/18/2004 6:54:46 AM
0 676 winlogon.exe
Command Line: winlogon.exe
Process StartTime: 10/18/2004 6:54:48 AM
0 720 services.exe Svcs: Eventlog,PlugPlay
Command Line: C:\WINDOWS\system32\services.exe
Process StartTime: 10/18/2004 6:54:49 AM
0 732 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
Command Line: C:\WINDOWS\system32\lsass.exe
Process StartTime: 10/18/2004 6:54:49 AM
0 888 svchost.exe Svcs: DcomLaunch,TermService
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
Process StartTime: 10/18/2004 6:54:50 AM
0 952 svchost.exe Svcs: RpcSs
Command Line: C:\WINDOWS\system32\svchost -k rpcss
Process StartTime: 10/18/2004 6:54:51 AM
0 1040 svchost.exe Svcs:
AudioSrv,BITS,Browser,CryptSvc,Dhcp,dmserver,ERSvc,
EventSystem,FastUserSwitchingCompatibility,helpsvc,
lanmanserver,lanmanworkstation,Netman,Nla,RasMan,
Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,
srservice,TapiSrv,Themes,TrkWks,W32Time,winmgmt,wscsvc,
wuauserv,WZCSVC
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Process StartTime: 10/18/2004 6:54:51 AM
0 1124 svchost.exe Svcs: Dnscache
Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService
Process StartTime: 10/18/2004 6:54:51 AM
0 1228 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService
Process StartTime: 10/18/2004 6:54:52 AM
0 1364 CCSETMGR.EXE Svcs: ccSetMgr
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
Process StartTime: 10/18/2004 6:54:54 AM
0 1392 CCEVTMGR.EXE Svcs: ccEvtMgr
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Process StartTime: 10/18/2004 6:54:54 AM
0 1556 spoolsv.exe Svcs: Spooler
Command Line: C:\WINDOWS\system32\spoolsv.exe
Process StartTime: 10/18/2004 6:54:55 AM
0 1940 NAVAPSVC.EXE Svcs: navapsvc
Command Line: "C:\Program Files\Norton AntiVirus\navapsvc.exe"
Process StartTime: 10/18/2004 6:55:02 AM
0 1972 NeTmSvNT.exe Svcs: NetTimeSvc
Command Line: "C:\Program Files\NetTime\NeTmSvNT.exe"
Process StartTime: 10/18/2004 6:55:03 AM
0 324 NMSSvc.Exe Svcs: NMSSvc
Command Line: C:\WINDOWS\system32\NMSSvc.exe
Process StartTime: 10/18/2004 6:55:06 AM
0 480 SAVSCAN.EXE Svcs: SAVScan
Command Line: "C:\Program Files\Norton AntiVirus\SAVScan.exe"
Process StartTime: 10/18/2004 6:55:07 AM
0 896 svchost.exe Svcs: stisvc
Command Line: C:\WINDOWS\system32\svchost.exe -k imgsvc
Process StartTime: 10/18/2004 6:55:09 AM
0 1024 symlcsvc.exe Svcs: Symantec Core LC
Command Line: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
Process StartTime: 10/18/2004 6:55:10 AM
0 768 SymWSC.exe Svcs: SymWSC
Command Line: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
Process StartTime: 10/18/2004 6:55:11 AM
...
0 1844 msmsgs.exe Title:
Command Line: "C:\Program Files\Messenger\msmsgs.exe" -Embedding
Process StartTime: 10/20/2004 8:52:04 AM
0 3504 msiexec.exe Svcs: MSIServer
Command Line: C:\WINDOWS\system32\msiexec.exe /V
Process StartTime: 10/20/2004 8:52:35 AM
0 2156 cmd.exe Title: Command Prompt - tlist.exe -v
Command Line: "C:\WINDOWS\system32\cmd.exe"
Process StartTime: 10/20/2004 8:53:26 AM
0 172 dllhost.exe Svcs: COMSysApp Mts: System Application
Command Line: C:\WINDOWS\system32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Process StartTime: 10/20/2004 8:54:09 AM
0 2412 tlist.exe
Command Line: tlist.exe -v
Process StartTime: 10/20/2004 8:54:37 AM
There is a lot you can do with this data. I'm pointing it out because a small amount of work done prior to a compromise when a system is in a trusted post-installation state can make identifying and responding to compromise quicker, cheaper, and easier.
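As an added example (not part of the original post), here is a small Python parser for the tlist.exe -v layout shown above, together with a comparison of a later listing against a trusted post-installation baseline that flags any process whose image path differs from what the baseline recorded, such as the svchost.exe launched from system32\temp that the post mentions. The two excerpts embedded in it are constructed for the example; the parser handles the wrapped Svcs: lists and wrapped command lines seen in the real output.

```python
import re
# Constructed tlist.exe -v excerpts modelled on the post's output (not captured from a live host).
BASELINE = r"""
0 888 svchost.exe Svcs: DcomLaunch,TermService
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
Process StartTime: 10/18/2004 6:54:50 AM
0 1040 svchost.exe Svcs:
AudioSrv,BITS,Browser,CryptSvc
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Process StartTime: 10/18/2004 6:54:51 AM
"""
CURRENT = BASELINE + r"""
0 2604 svchost.exe Svcs:
Command Line: C:\WINDOWS\system32\temp\svchost.exe -k netsvcs
Process StartTime: 10/20/2004 9:01:13 AM
0 172 dllhost.exe Svcs: COMSysApp Mts: System Application
Command Line: C:\WINDOWS\system32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Process StartTime: 10/20/2004 8:54:09 AM
"""
# Record header: "<session> <pid> <image name>", optionally followed by Svcs:/Title:/Mts: fields.
HEADER = re.compile(r"^(\d+)\s+(\d+)\s+(.*?)(?:\s+(?:Svcs|Title|Mts):.*)?$")
def parse_tlist(text):
    procs, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HEADER.match(line)
        if m:  # a new process record starts
            cur = {"pid": int(m.group(2)), "name": m.group(3), "cmdline": "", "start": ""}
            procs.append(cur)
        elif cur and line.startswith("Command Line:"):
            cur["cmdline"] = line[13:].strip()
        elif cur and line.startswith("Process StartTime:"):
            cur["start"] = line[18:].strip()
        elif cur and line and cur["cmdline"] and not cur["start"]:
            cur["cmdline"] += " " + line  # wrapped continuation, e.g. a /Processid:{...} argument
    return procs
def image_path(cmdline):
    # First token of the command line: a quoted path, or everything up to the first space.
    m = re.match(r'"([^"]*)"|(\S+)', cmdline)
    return (m.group(1) or m.group(2) or "").lower() if m else ""

def find_deviations(baseline_text, current_text):
    known = {}  # image paths seen per process name in the trusted post-installation snapshot
    for p in parse_tlist(baseline_text):
        known.setdefault(p["name"].lower(), set()).add(image_path(p["cmdline"]))
    hits = []
    for p in parse_tlist(current_text):
        path, paths = image_path(p["cmdline"]), known.get(p["name"].lower(), set())
        if path not in paths:
            hits.append((p["pid"], p["name"], path, "unexpected image path" if paths else "not in baseline"))
    return hits
```

Because tlist.exe reports the command line as the process was started rather than the loaded image, some entries (winlogon.exe in the output above) carry no directory at all, so the comparison keys on what the baseline recorded for each name instead of assuming an absolute expected path.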