Research
Hop on the train and enjoy the ride.
43 notes
ETW - Microsoft-Windows-Windows Firewall With Advanced Security - DFIR/Detection Updates
This document describes updates added to the Microsoft-Windows-Windows Firewall With Advanced Security ETW provider.
Tags: etw, windows

ETW - Microsoft-Windows-SMBClient - Event Details
The following notes try to document the meaning behind some events and fields provided by this provider.
Tags: etw, windows

Living of the Land - AgentExecutor
Intune Management Extension included on Intune Managed Devices.
Tags: lolbin, windows

Living of the Land - Curl
The curl utility can accept percent-encoded URLs, which can be used to bypass certain filters. Let's take the following URL as an example: Encoded, it would look like this: Surprisin…
Tags: lolbin, windows

Living of the Land - Datacollector.EXE
Datacollector is a utility that's part of the Microsoft Visual Studio test platform and allows for tracing and collecting information about a binary. Paths: - `\dotnet\sdk\<VERSION>\TestHostNetFra…
Tags: lolbin, windows

Living of the Land - DumpMinitool.exe
This binary can be used as a LOLBIN as described [here](https://lolbas-project.github.io/lolbas/OtherMSBinaries/DumpMinitool/) - The argument flags are meaningless; only the order…
Tags: lolbin, windows

Living of the Land - Microsoft.NodejsTools.PressAnyKey.exe
This binary can be used as a LOLBIN as described [here](https://lolbas-project.github.io/lolbas/OtherMSBinaries/Microsoft.NodejsTools.PressAnyKey/). - The number of arguments must be…
Tags: lolbin, windows

Living of the Land - NetLimiter
**Source**: https://www.netlimiter.com/ Location: `C:\Program Files\Locktime Software\NetLimiter\PSRun.exe` OriginalFileName: `PSRun.exe` Sha256:…
Tags: lolbin, windows

Living of the Land - Odbcconf.exe
This binary can be used as a LOLBIN as described [here](https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/) While most of the examples in the wild are using `/a` when…
Tags: lolbin, windows

Living of the Land - OneDrive (Windows Store Version)
> **Note** > > While this is located in the LOLBIN folder of this repo, I wasn't able to do anything with this finding. This is just here to document the finding itself. **Referenc…
Tags: lolbin, windows

Living of the Land - SensorLogonTask.exe
TBD - For now go read https://x.com/nas_bench/status/1953182611024523708 for more info.
Tags: lolbin, windows

Living of the Land - Arbitrary Command Execution Via Windows Kit's StandaloneRunner
`StandaloneRunner.exe` is a utility included with the Windows Driver Kit (WDK) used for testing and debugging drivers on Windows systems. It allows developers to execute and debug…
Tags: lolbin, windows

Living of the Land - WinExec - Symantec Endpoint Protection Manager (SEPM)
Reference: - https://twitter.com/nas_bench/status/1483402513193881600 Having an instance of Symantec Endpoint Protection Manager (SEPM) installed would give a user access to the…
Tags: lolbin, windows

Living of the Land - TisEzIns (Trend Micro)
- **Description**: `Helps download the Trend Micro software installer` The `TisEzIns` binary is bundled with the Trend Micro installer and used by it to download the latest version of Tren…
Tags: lolbin, windows

PowerShell Default Aliases
This document lists PowerShell 7/5 default aliases as well as some additions and changes introduced in PowerShell 7 aliases. You can obtain the alias list by running the command `G…
Tags: lolbin, windows

Calc Vs Win32Calc Vs CalculatorApp
The code snippet below is the main function of `calc.exe`. On modern Windows, when you execute `calc.exe` located in the `C:\Windows\System32\` directory, it will call `ShellExecut…
Tags: other, windows

DismHost Temporary Directory
You'll notice that sometimes when DISM, or a related PowerShell cmdlet that uses the DISM module such as `Get-WindowsOptionalFeature`, is run, a child DismHost process will be spawne…
Tags: other, windows

Compatibility Application Layers
This table lists all documented application layers as extracted from the `Microsoft Application Compatibility Database` (Compatadmin.exe) and `sysmain.sdb`. Some of the Shims are al…
Tags: other, windows

32Bit Application Shim Fixes
This table lists all documented (with descriptions) application shims as extracted from the `Microsoft Application Compatibility Database` (Compatadmin.exe). Some of the Shims are a…
Tags: other, windows

Another Way For Finding ShimDBC
Compatibility SHIMs are a mechanism in Windows used to trick applications by "faking" results and redirecting API calls. The idea is to make older applications work on modern version…
Tags: other, windows

Invoke-CommandInDesktopPackage Interesting Tidbit
You can execute commands in the context of an AppX Package to gain access to its virtualized resources (for example virtualized registry keys or files)…
Tags: other, windows

LibZ Inject-Dll Artefact
A couple of years ago,…
Tags: other, windows

List Of Built-in & Third Party Applications Calling `RegisterApplicationRestart` API
The following is a list of built-in and third party applications that call the `RegisterApplicationRestart` API in order to restart automatically in case of a crash, update, comput…
Tags: other, windows

Living Of The SHIMS - Built-In SHIM DB Hijacking
Windows offers a shimming functionality to provide backward compatibility for older applications. The Shim Infrastructure implements a form of API hooking where it intercepts calls t…
Tags: other, windows

Notepad History / TabState Location
In recent versions of Windows 11, Notepad added the ability to create tabs and save the history when closed. In order to achieve this it uses a concept called TabState stored insid…
Tags: other, windows

Persistence Via RegisterAppRestart Shim
Windows introduced a functionality that enables certain apps to restart after a crash or a reboot in the Windows 10 Fall Creators Update. Behind the scenes this functionality uses t…
Tags: other, windows

PowerShell
PowerShell has a list of suspicious keywords. If one is found in a script block, an automatic 4104 event will be generated regardless of logging policy (true for both PWSH 5/7). Look for E…
Tags: other, windows

React/Next.js Detection Notes
The following notes summarize the behavior of React / Next.js when spawning child processes, particularly in development and production modes, with a focus on how the Node.js `child…
Tags: other, windows

Security Logs Generated At Boot
The following logs are generated on a Windows machine at boot time even if no audit policy is configured.
Tags: other, windows

Shim Database XML Format
> **Note** > > The following research is still a work in progress and some of the information might be slightly or perhaps completely inaccurate in some areas. > Please provide fee…
Tags: other, windows

Tracking Parent/Child Process Relationship Via BAM Registry Key
Reference: https://twitter.com/nas_bench/status/1661692446231633920 You can indirectly track child processes created by a process by monitoring registry set events for the…
Tags: other, windows

UWP / Packaged Desktop Application Startup Persistence
UWP and Packaged desktop applications have the ability to create startup tasks in order to execute at startup. The information about these tasks isn't stored in one of the known r…
Tags: other, windows

Undocumented CLI Flags - Sdbinst.EXE
The Application Compatibility Database Installer (sdbinst.exe) possesses some undocumented flags that are often used by Windows itself. > **Note** > > Available on Windows 10 & 11 ve…
Tags: other, windows

Windows Compatibility QUIRKS
> **Note** > > The following research is still a work in progress and some of the information might be slightly or perhaps completely inaccurate in some areas. > Please provide fee…
Tags: other, windows

Windows Process Internals - At.EXE
The following are research notes that are the results of reversing the At.EXE binary.
Tags: windows-processes, windows

Windows Process Internals - Fsutil.EXE
The following will describe how some flags of the fsutil utility actually work behind the scenes, from API calls to registry keys and everything in between.
Tags: windows-processes, windows

Windows Process Internals - Net.EXE
The following are research notes that are the results of reversing the `Net.EXE` binary.
Tags: windows-processes, windows

TraceLogging - Microsoft.Windows.Terminal.App
Details on the events provided by this TraceLogging provider.
Tags: trace-logging, windows

Living of the Land - Winget Detection & DFIR
Winget execution logs, manifest abuse, and DFIR collection notes.
Tags: lolbin, windows, dfir

PowerShell COM Object Execution
How attackers abuse COM objects from PowerShell: Schedule.Service, WScript.Shell, and examples.
Tags: powershell, com, offense

ETW - Microsoft-Windows-Kernel-General
ETW event meanings for the Kernel-General provider: registry, power, and boot diagnostics.
Tags: etw, windows, kernel

Windows Internals Overview
High-level map of core Windows internals topics for further notes.
Tags: winternals, windows

TraceLogging - Microsoft.Windows.Terminal.Win32Host
Details on the events provided by this TraceLogging provider.
Tags: trace-logging, windows