It is said that one piece of information is like a penny: its value is small until it is combined with thousands of other pennies (or nickels, dimes or whatever). This is certainly true when we collect the Windows process list or the output of "netstat -naob" across a domain (the last two stories I've written up) - any single line is of limited value. But once you combine everything together, it's easy to find trends, or, in the case of the Windows process list, outliers: items that only occur on a few stations. Luckily it is fairly easy in PowerShell to sort this information so that the outliers stand out. In a large domain, for instance, you might be looking for the process hash value that exists on only 1, 2 or maybe up to 5 hosts.

This is pretty easy to do - we'll use the PowerShell Group-Object command. Working with the domain task list from yesterday:

1. First "group" the list by the hash value.
2. Then sort by "count" (with no arguments, the sort is ascending).
3. Then select the processes that occur on "less than or equal to 2" hosts.
4. Or, alternatively, "pick the first 10 in the list".
5. Verify that the output looks good.
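The steps above, plus the CSV export that follows, as an added PowerShell example (this is not the diary's own code or screenshots). It assumes yesterday's collection yields one object per host-and-process with Hostname, ProcessName, Path and Hash properties; the Get-ProcessHashSummary function name, the $DomainTasks variable and the sample rows are constructed here for illustration. It also adds the check a practitioner wants: Group-Object's Count is the number of rows in the group, not the number of hosts, so a process that runs several times per machine (svchost.exe) would look more common than it is unless you count distinct hosts.

```powershell
# Added example, not from the original diary. Assumes the domain inventory is
# one object per (host, process) with Hostname, ProcessName, Path and Hash.
# Get-ProcessHashSummary and the sample rows below are constructed for illustration.

function Get-ProcessHashSummary {
    # One row per hash: distinct hosts, raw row count, and where it was seen,
    # sorted rarest-first so the outliers float to the top.
    [CmdletBinding()]
    param([Parameter(Mandatory)] [object[]] $InventoryRows)

    $InventoryRows |
        Where-Object { $_.Hash } |                  # drop rows with no hash (System, protected processes, unreadable paths)
        Group-Object -Property Hash |               # step 1: group by hash value
        ForEach-Object {
            $hosts = @($_.Group.Hostname | Sort-Object -Unique)
            [pscustomobject]@{
                HostCount = $hosts.Count            # distinct hosts - the number that actually matters
                RowCount  = $_.Count                # Group-Object's Count: inflated by multi-instance processes
                Hash      = $_.Name
                Process   = (@($_.Group.ProcessName | Sort-Object -Unique) -join ';')
                Path      = (@($_.Group.Path | Sort-Object -Unique) -join ';')
                Hosts     = ($hosts -join ';')
            }
        } |
        Sort-Object -Property HostCount, RowCount, Hash   # step 2: ascending
}

# Constructed sample inventory standing in for the real domain collection.
$DomainTasks = @(
    [pscustomobject]@{ Hostname = 'WKS01'; ProcessName = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe'; Hash = 'H-SVCHOST' }
    [pscustomobject]@{ Hostname = 'WKS01'; ProcessName = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe'; Hash = 'H-SVCHOST' }
    [pscustomobject]@{ Hostname = 'WKS02'; ProcessName = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe'; Hash = 'H-SVCHOST' }
    [pscustomobject]@{ Hostname = 'WKS03'; ProcessName = 'svchost.exe'; Path = 'C:\Windows\System32\svchost.exe'; Hash = 'H-SVCHOST' }
    [pscustomobject]@{ Hostname = 'WKS01'; ProcessName = 'chrome.exe';  Path = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; Hash = 'H-CHROME-A' }
    [pscustomobject]@{ Hostname = 'WKS02'; ProcessName = 'chrome.exe';  Path = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; Hash = 'H-CHROME-A' }
    [pscustomobject]@{ Hostname = 'WKS03'; ProcessName = 'chrome.exe';  Path = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; Hash = 'H-CHROME-B' }  # one box on a different build
    [pscustomobject]@{ Hostname = 'WKS02'; ProcessName = 'updater.exe'; Path = 'C:\Users\bob\AppData\Local\Temp\updater.exe';            Hash = 'H-UPDATER' }   # one host, running out of a temp dir
    [pscustomobject]@{ Hostname = 'WKS03'; ProcessName = 'System';      Path = '';                                                       Hash = '' }            # no hash could be collected
)

$summary = Get-ProcessHashSummary -InventoryRows $DomainTasks

# Step 3: hashes present on 2 hosts or fewer ...
$rare = $summary | Where-Object { $_.HostCount -le 2 }

# ... or, alternatively, just the 10 rarest hashes regardless of count
$rare10 = $summary | Select-Object -First 10

# Step 4: eyeball it before trusting it
$rare | Format-Table HostCount, RowCount, Process, Hosts, Path -AutoSize

# Step 5: CSV for the clean-up list
$rare | Export-Csv -Path .\rare-process-hashes.csv -NoTypeInformation
```

In the sample, H-SVCHOST has four rows but only three hosts, so it drops out of the "2 hosts or fewer" list only because the function counts hosts rather than rows; sorting on Group-Object's Count alone would have ranked it above the two-host Chrome hash. Keeping the Path and Hosts columns in the CSV is what turns a hash into something you can act on: a rare hash under C:\Windows\System32 is usually a patch-level difference, while a rare hash under a user's Temp directory is the kind of thing to look at first.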
Finally, output to CSV - even in a small domain, in a "first run and clean-up" situation there are usually just too many of these one-offs to list on the screen and deal with. Now you can see the value of saving up pennies - what falls out of this exercise is often pure gold!

What did we find? Looking at our output, we can see a few things right off the bat that we should look at more closely:
So some things to fix, but no malware - great news! If you have a chance to run a scan like this (or if you already have), please use our comment form and let us know if you found anything interesting (good, bad or ugly, let us know!)
Rob VandenBrink, ISC Handler, Jun 27th 2019