Kamis, 21 Oktober 2004

Improving Windows Baselining with Tlist.exe

10.55  , ,  No comments

Several people provided feedback on my Simple Post-Installation Baselines on Windows Blog entry. First, Beau Monday reminded me of his FirstOnScene incident response scripts. I haven't tried these out but you might want to see if they make life easier for your first responders.

Second, Harlan Carvey pointed out the program tlist.exe shipped with the Debugging Tools for Windows. This is apparently not the same tlist.exe found on some Windows systems. You can obtain tlist.exe by downloading and installing the debugging tools, and then copying the tlist.exe binary elsewhere.

I tested the independence of tlist.exe by running it on a system where no special debugging tools were installed, and where I did not have administrator privileges.

Here is an excerpt of tlist.exe output. This tool is especially helpful because it shows the full path for executables. This allows you to differentiate between a 'svchost.exe' started from "C:\WINDOWS\system32" (where it belongs) and "C:\WINDOWS\system32\temp" (where it doesn't): 



c:\>tlist.exe -v



 0    0 System Process  

     Command Line: 

 0    4 System          

     Command Line: 

 0  376 smss.exe        

     Command Line: \SystemRoot\System32\smss.exe

     Process StartTime: 10/18/2004 6:54:42 AM

 0  652 csrss.exe       Title: 

     Command Line: C:\WINDOWS\system32\csrss.exe 

 ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On

 SubSystemType=Windows ServerDll=basesrv,1

 ServerDll=winsrv:UserServerDllInitialization,3

 ServerDll=winsrv:ConServerDllInitialization,2

 ProfileControl=Off MaxRequestThreads=16

     Process StartTime: 10/18/2004 6:54:46 AM

 0  676 winlogon.exe    

     Command Line: winlogon.exe

     Process StartTime: 10/18/2004 6:54:48 AM

 0  720 services.exe    Svcs:  Eventlog,PlugPlay

     Command Line: C:\WINDOWS\system32\services.exe

     Process StartTime: 10/18/2004 6:54:49 AM

 0  732 lsass.exe       Svcs:  PolicyAgent,ProtectedStorage,SamSs

     Command Line: C:\WINDOWS\system32\lsass.exe

     Process StartTime: 10/18/2004 6:54:49 AM

 0  888 svchost.exe     Svcs:  DcomLaunch,TermService

     Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch

     Process StartTime: 10/18/2004 6:54:50 AM

 0  952 svchost.exe     Svcs:  RpcSs

     Command Line: C:\WINDOWS\system32\svchost -k rpcss

     Process StartTime: 10/18/2004 6:54:51 AM

 0 1040 svchost.exe     Svcs:

 AudioSrv,BITS,Browser,CryptSvc,Dhcp,dmserver,ERSvc,

 EventSystem,FastUserSwitchingCompatibility,helpsvc,

 lanmanserver,lanmanworkstation,Netman,Nla,RasMan,

 Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,

 srservice,TapiSrv,Themes,TrkWks,W32Time,winmgmt,wscsvc,

 wuauserv,WZCSVC

     Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs

     Process StartTime: 10/18/2004 6:54:51 AM

 0 1124 svchost.exe     Svcs:  Dnscache

     Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService

     Process StartTime: 10/18/2004 6:54:51 AM

 0 1228 svchost.exe     Svcs:  LmHosts,RemoteRegistry,SSDPSRV,WebClient

     Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService

     Process StartTime: 10/18/2004 6:54:52 AM

 0 1364 CCSETMGR.EXE    Svcs:  ccSetMgr

     Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"

     Process StartTime: 10/18/2004 6:54:54 AM

 0 1392 CCEVTMGR.EXE    Svcs:  ccEvtMgr

     Command Line: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"

     Process StartTime: 10/18/2004 6:54:54 AM

 0 1556 spoolsv.exe     Svcs:  Spooler

     Command Line: C:\WINDOWS\system32\spoolsv.exe

     Process StartTime: 10/18/2004 6:54:55 AM

 0 1940 NAVAPSVC.EXE    Svcs:  navapsvc

     Command Line: "C:\Program Files\Norton AntiVirus\navapsvc.exe"

     Process StartTime: 10/18/2004 6:55:02 AM

 0 1972 NeTmSvNT.exe    Svcs:  NetTimeSvc

     Command Line: "C:\Program Files\NetTime\NeTmSvNT.exe"

     Process StartTime: 10/18/2004 6:55:03 AM

 0  324 NMSSvc.Exe      Svcs:  NMSSvc

     Command Line: C:\WINDOWS\system32\NMSSvc.exe

     Process StartTime: 10/18/2004 6:55:06 AM

 0  480 SAVSCAN.EXE     Svcs:  SAVScan

     Command Line: "C:\Program Files\Norton AntiVirus\SAVScan.exe"

     Process StartTime: 10/18/2004 6:55:07 AM

 0  896 svchost.exe     Svcs:  stisvc

     Command Line: C:\WINDOWS\system32\svchost.exe -k imgsvc

     Process StartTime: 10/18/2004 6:55:09 AM

 0 1024 symlcsvc.exe    Svcs:  Symantec Core LC

     Command Line: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"

     Process StartTime: 10/18/2004 6:55:10 AM

 0  768 SymWSC.exe      Svcs:  SymWSC

     Command Line: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"

     Process StartTime: 10/18/2004 6:55:11 AM

...

 0 1844 msmsgs.exe      Title: 

     Command Line: "C:\Program Files\Messenger\msmsgs.exe" -Embedding

     Process StartTime: 10/20/2004 8:52:04 AM

 0 3504 msiexec.exe     Svcs:  MSIServer

     Command Line: C:\WINDOWS\system32\msiexec.exe /V

     Process StartTime: 10/20/2004 8:52:35 AM

 0 2156 cmd.exe         Title: Command Prompt - tlist.exe -v 

     Command Line: "C:\WINDOWS\system32\cmd.exe" 

     Process StartTime: 10/20/2004 8:53:26 AM

 0  172 dllhost.exe     Svcs:  COMSysApp  Mts:   System Application

     Command Line: C:\WINDOWS\system32\dllhost.exe

 /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}

     Process StartTime: 10/20/2004 8:54:09 AM

 0 2412 tlist.exe       

     Command Line: tlist.exe -v 

     Process StartTime: 10/20/2004 8:54:37 AM


There is a lot you can do with this data. I'm pointing it out because a small amount of work done prior to a compromise when a system is in a trusted post-installation state can make identifying and responding to compromise quicker, cheaper, and easier.

0 komentar:

Posting Komentar

Langganan: Posting Komentar (Atom)