Thursday, 21 October 2004

Improving Windows Baselining with Tlist.exe

Several people provided feedback on my Simple Post-Installation Baselines on Windows blog entry. First, Beau Monday reminded me of his FirstOnScene incident response scripts. I haven't tried these out, but you might want to see if they make life easier for your first responders.

Second, Harlan Carvey pointed out the program tlist.exe shipped with the Debugging Tools for Windows. This is apparently not the same tlist.exe found on some Windows systems. You can obtain tlist.exe by downloading and installing the debugging tools, and then copying the tlist.exe binary elsewhere.

I tested the independence of tlist.exe by running it on a system where no special debugging tools were installed, and where I did not have administrator privileges.

Here is an excerpt of tlist.exe -v output. This tool is especially helpful because it shows the full command line, and therefore the full path, of each executable. This allows you to differentiate between a "svchost.exe" started from "C:\WINDOWS\system32" (where it belongs) and one started from "C:\WINDOWS\system32\temp" (where it doesn't):

c:\>tlist.exe -v

0 0 System Process
Command Line:
0 4 System
Command Line:
0 376 smss.exe
Command Line: \SystemRoot\System32\smss.exe
Process StartTime: 10/18/2004 6:54:42 AM
0 652 csrss.exe Title:
Command Line: C:\WINDOWS\system32\csrss.exe
ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On
SubSystemType=Windows ServerDll=basesrv,1
ServerDll=winsrv:UserServerDllInitialization,3
ServerDll=winsrv:ConServerDllInitialization,2
ProfileControl=Off MaxRequestThreads=16
Process StartTime: 10/18/2004 6:54:46 AM
0 676 winlogon.exe
Command Line: winlogon.exe
Process StartTime: 10/18/2004 6:54:48 AM
0 720 services.exe Svcs: Eventlog,PlugPlay
Command Line: C:\WINDOWS\system32\services.exe
Process StartTime: 10/18/2004 6:54:49 AM
0 732 lsass.exe Svcs: PolicyAgent,ProtectedStorage,SamSs
Command Line: C:\WINDOWS\system32\lsass.exe
Process StartTime: 10/18/2004 6:54:49 AM
0 888 svchost.exe Svcs: DcomLaunch,TermService
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
Process StartTime: 10/18/2004 6:54:50 AM
0 952 svchost.exe Svcs: RpcSs
Command Line: C:\WINDOWS\system32\svchost -k rpcss
Process StartTime: 10/18/2004 6:54:51 AM
0 1040 svchost.exe Svcs:
AudioSrv,BITS,Browser,CryptSvc,Dhcp,dmserver,ERSvc,
EventSystem,FastUserSwitchingCompatibility,helpsvc,
lanmanserver,lanmanworkstation,Netman,Nla,RasMan,
Schedule,seclogon,SENS,SharedAccess,ShellHWDetection,
srservice,TapiSrv,Themes,TrkWks,W32Time,winmgmt,wscsvc,
wuauserv,WZCSVC
Command Line: C:\WINDOWS\System32\svchost.exe -k netsvcs
Process StartTime: 10/18/2004 6:54:51 AM
0 1124 svchost.exe Svcs: Dnscache
Command Line: C:\WINDOWS\system32\svchost.exe -k NetworkService
Process StartTime: 10/18/2004 6:54:51 AM
0 1228 svchost.exe Svcs: LmHosts,RemoteRegistry,SSDPSRV,WebClient
Command Line: C:\WINDOWS\system32\svchost.exe -k LocalService
Process StartTime: 10/18/2004 6:54:52 AM
0 1364 CCSETMGR.EXE Svcs: ccSetMgr
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
Process StartTime: 10/18/2004 6:54:54 AM
0 1392 CCEVTMGR.EXE Svcs: ccEvtMgr
Command Line: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Process StartTime: 10/18/2004 6:54:54 AM
0 1556 spoolsv.exe Svcs: Spooler
Command Line: C:\WINDOWS\system32\spoolsv.exe
Process StartTime: 10/18/2004 6:54:55 AM
0 1940 NAVAPSVC.EXE Svcs: navapsvc
Command Line: "C:\Program Files\Norton AntiVirus\navapsvc.exe"
Process StartTime: 10/18/2004 6:55:02 AM
0 1972 NeTmSvNT.exe Svcs: NetTimeSvc
Command Line: "C:\Program Files\NetTime\NeTmSvNT.exe"
Process StartTime: 10/18/2004 6:55:03 AM
0 324 NMSSvc.Exe Svcs: NMSSvc
Command Line: C:\WINDOWS\system32\NMSSvc.exe
Process StartTime: 10/18/2004 6:55:06 AM
0 480 SAVSCAN.EXE Svcs: SAVScan
Command Line: "C:\Program Files\Norton AntiVirus\SAVScan.exe"
Process StartTime: 10/18/2004 6:55:07 AM
0 896 svchost.exe Svcs: stisvc
Command Line: C:\WINDOWS\system32\svchost.exe -k imgsvc
Process StartTime: 10/18/2004 6:55:09 AM
0 1024 symlcsvc.exe Svcs: Symantec Core LC
Command Line: "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe"
Process StartTime: 10/18/2004 6:55:10 AM
0 768 SymWSC.exe Svcs: SymWSC
Command Line: "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
Process StartTime: 10/18/2004 6:55:11 AM
...
0 1844 msmsgs.exe Title:
Command Line: "C:\Program Files\Messenger\msmsgs.exe" -Embedding
Process StartTime: 10/20/2004 8:52:04 AM
0 3504 msiexec.exe Svcs: MSIServer
Command Line: C:\WINDOWS\system32\msiexec.exe /V
Process StartTime: 10/20/2004 8:52:35 AM
0 2156 cmd.exe Title: Command Prompt - tlist.exe -v
Command Line: "C:\WINDOWS\system32\cmd.exe"
Process StartTime: 10/20/2004 8:53:26 AM
0 172 dllhost.exe Svcs: COMSysApp Mts: System Application
Command Line: C:\WINDOWS\system32\dllhost.exe
/Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
Process StartTime: 10/20/2004 8:54:09 AM
0 2412 tlist.exe
Command Line: tlist.exe -v
Process StartTime: 10/20/2004 8:54:37 AM

There is a lot you can do with this data. I'm pointing it out because a small amount of work done prior to a compromise when a system is in a trusted post-installation state can make identifying and responding to compromise quicker, cheaper, and easier.
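As an added example (not code from the original post or from the Debugging Tools), here is a small Python script that parses saved tlist.exe -v output, keys every process on its image name plus the directory it was started from, and reports anything in a current listing that the trusted post-installation baseline never contained. The two listings are constructed in the shape of the output above; the entry for a svchost.exe under system32\temp is the constructed deviation.

```python
import re

# Constructed listings in the shape of "tlist.exe -v" output (header line,
# then "Command Line:" and "Process StartTime:" lines for each process).
BASELINE_OUTPUT = r"""
0 376 smss.exe
Command Line: \SystemRoot\System32\smss.exe
Process StartTime: 10/18/2004 6:54:42 AM
0 888 svchost.exe Svcs: DcomLaunch,TermService
Command Line: C:\WINDOWS\system32\svchost -k DcomLaunch
Process StartTime: 10/18/2004 6:54:50 AM
0 1556 spoolsv.exe Svcs: Spooler
Command Line: C:\WINDOWS\system32\spoolsv.exe
Process StartTime: 10/18/2004 6:54:55 AM
"""
# Same system later: one constructed extra svchost.exe from the wrong place.
CURRENT_OUTPUT = BASELINE_OUTPUT + r"""
0 2044 svchost.exe Svcs:
Command Line: C:\WINDOWS\system32\temp\svchost.exe -k netsvcs
Process StartTime: 10/20/2004 8:51:00 AM
"""

HEADER = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)")   # session, pid, image name
CMDLINE = re.compile(r"^\s*Command Line:\s*(.*)$")
FIRST_TOKEN = re.compile(r'^"([^"]*)"|^(\S+)')      # quoted or bare image path

def parse_tlist(text):
    """Return (pid, image, command_line) tuples; wrapped Svcs: lists and
    StartTime lines are skipped because they match neither pattern."""
    procs = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            procs.append([int(m.group(2)), m.group(3), ""])
        elif procs and (m := CMDLINE.match(line)):
            procs[-1][2] = m.group(1).strip()
    return [tuple(p) for p in procs]

def image_dir(command_line):
    """Lower-cased directory of the image; '' when the command line carries
    no path (e.g. 'winlogon.exe') or is empty."""
    m = FIRST_TOKEN.match(command_line)
    if not m:
        return ""
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return exe.rsplit("\\", 1)[0].lower() if "\\" in exe else ""

def find_deviations(baseline_text, current_text):
    """Current processes whose (image, directory) pair is not in the baseline.
    A known name from an unknown directory is exactly what this surfaces."""
    known = {(img.lower(), image_dir(cmd)) for _, img, cmd in parse_tlist(baseline_text)}
    return [(pid, img, cmd) for pid, img, cmd in parse_tlist(current_text)
            if (img.lower(), image_dir(cmd)) not in known]

if __name__ == "__main__":
    for pid, img, cmd in find_deviations(BASELINE_OUTPUT, CURRENT_OUTPUT):
        print(f"not in baseline: pid {pid} {img} -> {cmd}")
```

In practice you would save the baseline output to a file on trusted media right after installation and feed both files to find_deviations; a process that merely started from a different directory than its baseline twin is reported, while one that only changed PID is not.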
