Blue Team-System Live Analysis [Part 7]- Windows: User Account Forensics- Categorization and Profiling

Cyber Meisam [CM]
7 min read · Mar 18, 2021


Here we are with the second phase of Windows user account live forensics: categorizing the local user accounts on a Windows test system and profiling them into four categories as follows:

  • Valid Users with Valid Groups and permissions
  • Valid Users with odd groups and permissions
  • Newly Created Users [Unknowns]
  • Missing Users!

Note: It is essential to understand the operational needs, business logic, and standard configuration [baseline] of the targeted system and form a standard system profile to look for any deviation accordingly.

Read more on previous parts: Users, Groups, and Privileges | User Account Forensics-Road Map

1. When were users created?

One of the main steps in user account forensics is to check when a user was created and who created it, especially for newly created accounts that the system/network admins are not aware of.

Check the user folders? Not really!

I came across many resources that check the user folder creation time and consider it a fast way to determine when that user was created.

dir /tc c:\users
User Folder Creation Time

This is the user profile folder’s creation time and may not represent the account’s actual creation time. There is a good chance that the user was created earlier than its profile folder, which only appears once the user logs on for the first time.

Tip: We still need the folder creation time, as it gives us an idea of the time gap between user creation and the first-time login.

Windows Event ID 4720

As we discussed earlier, if auditing was enabled, we can use event ID 4720 to check when a user was created and by whom.

wevtutil qe security /f:text "/q:*[System[(EventID=4720)]]"
Windows Event Log for Created Users

The above result shows that the user sechub [Target Account] was created by Cyfohub [Subject] on 15 March 2021.

Note: As shown in the two results above, the user “sechub” was created at 13:45 while its profile folder was created at 14:22. This is the gap between user creation and the first-time login.

There are other users, all created by Cyfohub, so what is the story behind this creator?

Correlation: User and User folder Creation Time and Windows Install Date

The figure above shows the correlation between the user creation time, the user profile creation time and the Windows installation time. You should have guessed correctly by now: the account was created during the initial installation of Windows.
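The correlation described in this section can be scripted. The PowerShell below is an added example (not code from the original post): it pulls every 4720 event, joins each created account to its profile folder under C:\Users, and compares the creation time with the InstallDate value that Windows stores under CurrentVersion. It assumes an elevated PowerShell 5.1 session and the default profile location; $ProfileRoot is an illustrative variable, not a Windows setting.

```powershell
# Added example (not from the original post): correlate event 4720 (user created)
# with the profile folder creation time and the Windows install date.
# Assumptions: elevated PowerShell 5.1 (Security log readable), profiles under
# C:\Users; $ProfileRoot is an illustrative variable, not a Windows setting.
$ProfileRoot = 'C:\Users'

# Windows install date: InstallDate under CurrentVersion is Unix epoch seconds (UTC)
$ntcv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$installDate = [DateTimeOffset]::FromUnixTimeSeconds([int64]$ntcv.InstallDate).LocalDateTime

# Flatten the EventData of every 4720 event into name/value pairs
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Created   = $_.TimeCreated
            User      = $data['TargetUserName']
            Sid       = $data['TargetSid']
            CreatedBy = $data['SubjectUserName']
        }
    }

# Join each creation event to its profile folder; the folder only exists after the first logon
$report = foreach ($c in $created) {
    $folder         = Get-Item (Join-Path $ProfileRoot $c.User) -ErrorAction SilentlyContinue
    $profileCreated = $null
    $gap            = 'never logged on'
    if ($folder) {
        $profileCreated = $folder.CreationTime
        $gap            = $folder.CreationTime - $c.Created
    }
    [pscustomobject]@{
        User            = $c.User
        Sid             = $c.Sid
        CreatedBy       = $c.CreatedBy
        AccountCreated  = $c.Created
        ProfileCreated  = $profileCreated
        GapToFirstLogon = $gap
        # created within an hour of the OS install date: most likely the setup-time account
        DuringInstall   = [math]::Abs(($c.Created - $installDate).TotalMinutes) -lt 60
    }
}

$report | Sort-Object AccountCreated | Format-Table -AutoSize
```

Two caveats when reading the output: InstallDate is rewritten by feature upgrades, so on an upgraded machine it reflects the last upgrade rather than the original install, and an account with no profile folder has simply never logged on interactively, which is itself worth noting in the profile.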

Windows registry and SAM hive

The SAM hive of the Windows registry is another great source of user account information in case the event logs are not available. The SAM hive is located at HKEY_LOCAL_MACHINE\SAM; however, it is protected by the SYSTEM account and can’t be viewed if the registry editor is opened with the current account, even if that account has admin rights.

To view the SAM hive, the Windows registry editor [regedit] must be opened as the SYSTEM account using a tool such as PsExec.

PsExec64.exe -s -i regedit
SAM Hive in Windows Registry

Even though we can view the list of user accounts, we need a SAM hive parser such as RegRipper to get all the related information.

Note: RegRipper can’t access the live SAM file located in system32\config, so we need to save the hive into a file as follows:

Exporting SAM Hive

Now we can use RegRipper to parse the exported SAM hive.

RegRipper

The result will be saved into the text file we defined as a Report File:

User Creation Time from SAM Hive
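The export-and-parse steps above, written out as an added PowerShell example (not the post’s own commands). It assumes an elevated session, a placeholder evidence drive E: and a placeholder path to RegRipper’s rip.exe; the samparse plugin name and the -r/-p switches are RegRipper’s own.

```powershell
# Added example (not from the original post): export the live SAM hive to evidence
# storage, hash it, and parse it with RegRipper's samparse plugin.
# Assumptions: elevated shell; E:\evidence and E:\tools\RegRipper\rip.exe are placeholders.
$Evidence = 'E:\evidence'
$RipExe   = 'E:\tools\RegRipper\rip.exe'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# reg save produces a consistent copy even though the file under system32\config is locked
reg save HKLM\SAM "$Evidence\SAM.hiv" /y

# Record the hash of the export so the parsed copy can be tied back to what was collected
Get-FileHash "$Evidence\SAM.hiv" -Algorithm SHA256 |
    Export-Csv "$Evidence\SAM.hiv.sha256.csv" -NoTypeInformation

# samparse lists each user's RID, creation / last-login / password-change times and group membership
& $RipExe -r "$Evidence\SAM.hiv" -p samparse | Out-File "$Evidence\SAM_samparse.txt"

# Quick triage view: account names with their creation timestamps
Select-String -Path "$Evidence\SAM_samparse.txt" -Pattern 'Username|Account Created'
```

The hash step is there so that the report can later be matched to the exact hive copy it was produced from; keep the .hiv file and the report together in the evidence folder.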

2. When was a user assigned to a group?

A simple net user command shows that sechub is part of the local Administrators group.

A User Account Group

Event ID 4732: A member was added to a security-enabled local group

CMD:
wevtutil qe security /f:text "/q:*[System[(EventID=4732)]]"
Windows Event for User Account that has been added to a Group

The wevtutil command displays all events with ID 4732 regardless of the group name.

PowerShell helps us display results for a particular group or user account. For instance, the command below shows only the 4732 events associated with the local Administrators group and the sechub user account [matched by SID].

PowerShell:
Get-EventLog Security -InstanceId 4732 | Where-Object {$_.Message -like "*Administrators*" -and $_.Message -match 'S-1-5-21-xxxxxxxx-xxxxxxxxx-xxxxxxxxx-1005'} | Select-Object *
PowerShell command to obtain information for a specific user.

The sechub account was added to the Administrators group by Cyfohub on 15 March 2021. The same commands can be used with event ID 4733 to check whether a user account was removed from a security-enabled local group.
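Because 4732/4733 events usually carry the member only as a SID (the MemberName field is often “-”), it helps to resolve the SID and keep the group, the member and the actor side by side. The script below is an added example, not the post’s own code: it reads both event IDs, resolves each MemberSid to an account name where the account still exists, and filters by group and member. It assumes an elevated PowerShell 5.1 session; $GroupFilter and $MemberFilter are illustrative variables.

```powershell
# Added example (not from the original post): show who added or removed which account
# to/from which local group, from events 4732 (added) and 4733 (removed).
# Assumptions: elevated PowerShell 5.1; $GroupFilter / $MemberFilter are illustrative.
$GroupFilter  = 'Administrators'   # local group of interest
$MemberFilter = ''                 # account name or SID fragment, e.g. 'sechub' or '-1005'; '' = all

$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4732, 4733 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        # MemberName is usually '-' in these events, so resolve MemberSid ourselves;
        # a SID that no longer resolves points at an account deleted since the change
        $memberSid  = $data['MemberSid']
        $memberName = $memberSid
        try {
            $memberName = ([System.Security.Principal.SecurityIdentifier]$memberSid).Translate(
                              [System.Security.Principal.NTAccount]).Value
        } catch { }
        $action = 'Removed'
        if ($_.Id -eq 4732) { $action = 'Added' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Action    = $action
            Group     = $data['TargetUserName']   # for 4732/4733 the "target" is the group
            Member    = $memberName
            MemberSid = $memberSid
            By        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        }
    }

$changes |
    Where-Object { $_.Group -eq $GroupFilter -and "$($_.Member) $($_.MemberSid)" -like "*$MemberFilter*" } |
    Sort-Object Time |
    Format-Table Time, Action, Group, Member, By -AutoSize
```

A member that shows up only as a raw SID in this listing is a lead on its own: it was in the group at some point and has since been deleted, which ties directly into the deleted-user analysis later in this post.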

3. Is there any hidden user?

A hacker who has gained initial access to our system may create a user account to maintain access and hide it from the Windows login screen! There are many ways to hide a user account; one of them is via the Windows registry.

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /f /d 0 /v sechub
Hiding Users via Registry

Reg Query

Reg query lists the accounts registered under the above key, if there are any:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
A hidden User in Registry

RegScanner

RegScanner, developed by NirSoft, is a GUI-based tool for searching the Windows registry.

Note: Do not copy any tool to the target systems; save all things you need on a forensically clean external storage and connect it to the victim system using write blockers.

RegScanner Scan Settings
RegScanner Scan Results

Note 1: The time shown by the above command and tool is the last time that registry key was updated [the last-modified timestamp], as the registry does not keep a record of creation time.

Note 2: We cannot determine which user account made the change unless object access auditing is enabled for the registry.
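Both notes above can be checked from a script. The following PowerShell is an added example (not from the original post): it enumerates the UserList values set to 0, cross-checks each name against the local SAM (a stale entry may name an account that no longer exists), reads the key’s last-write time by calling RegQueryInfoKey directly since PowerShell exposes no registry key timestamps, and finally prints the current state of the Registry audit subcategory that Note 2 depends on. It assumes an elevated PowerShell 5.1 session; the Forensics.RegTime type name is made up for this example.

```powershell
# Added example (not from the original post): list accounts hidden from the logon
# screen via SpecialAccounts\UserList, cross-check them against the SAM, and read the
# key's last-write time. Assumptions: elevated PowerShell 5.1; Forensics.RegTime is an
# arbitrary name for the P/Invoke wrapper.
$UserListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

Add-Type -Namespace Forensics -Name RegTime -MemberDefinition @'
[DllImport("advapi32.dll")]
public static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass,
    IntPtr lpReserved, IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-RegKeyLastWrite([Microsoft.Win32.RegistryKey]$Key) {
    # Every optional out-parameter may be NULL; only the FILETIME is requested
    $ft = [long]0
    $rc = [Forensics.RegTime]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
            [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
            [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero, [ref]$ft)
    if ($rc -eq 0) { [DateTime]::FromFileTime($ft) } else { $null }
}

$key = Get-Item -Path $UserListPath -ErrorAction SilentlyContinue
if (-not $key) {
    'UserList key does not exist: no accounts are hidden this way.'
} else {
    $lastWrite  = Get-RegKeyLastWrite $key
    $localUsers = Get-LocalUser
    foreach ($name in $key.GetValueNames()) {
        if ($key.GetValue($name) -ne 0) { continue }      # only a value of 0 hides the account
        $acct    = $localUsers | Where-Object Name -eq $name
        $enabled = $null; $sid = $null
        if ($acct) { $enabled = $acct.Enabled; $sid = $acct.SID.Value }
        [pscustomobject]@{
            HiddenName   = $name
            ExistsInSAM  = [bool]$acct      # a stale entry may point at an already-deleted account
            Enabled      = $enabled
            Sid          = $sid
            KeyLastWrite = $lastWrite       # last modification of the whole key, not a creation time
        }
    }
}

# Attribution to a specific actor is only possible if registry object-access auditing was on
auditpol /get /subcategory:"Registry"
```

KeyLastWrite is shared by every value under UserList, so if two accounts were hidden at different times only the later change survives; that is exactly the limitation Note 1 describes.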

4. When was a user deleted?

We mostly think about how hackers may misuse valid user accounts; however, they may also delete, disable or restrict accounts to interrupt legitimate access. Let’s look at the user account list again and focus on the RIDs in the 1XXX range.

User Account on Test System

Why are the RIDs 1001 and 1005? What happened to 1000? How about 1002, 1003 and 1004? It’s an excellent question!

Fact 1: A RID is assigned to a user account at creation.

Fact 2: Each time a user is created, the RID is increased by one.

Considering the facts above, we can say that a few user accounts were deleted from that system. What are those deleted users? Event ID 4726 indicates a user account deletion.

wevtutil qe security /f:text "/q:*[System[(EventID=4726)]]"
Windows Event for Deleted Users

The above result shows that the user Meisam [Target Account] was deleted by Cyfohub [Subject] on 15 March 2021. There are other deleted accounts as follows:

PowerShell:
wevtutil qe security /f:text "/q:*[System[(EventID=4726)]]" | Select-String -Pattern 'Target Account' -Context 0,2
All Deleted Users on Test System

Four user accounts were deleted from our test system, as shown in the results above; however, we may only need to focus on three of them. Why?

Tip: defaultuser0 is a default account used by Windows during installation, before any other user accounts have been created on the system. It is deleted right after the first reboot during installation.
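The RID-gap reasoning of this section, carried through as an added PowerShell example (not the post’s own code). It computes which RIDs at or above 1000 are no longer in use, pulls the 4726 events to name the deleted accounts, flags defaultuser0 as expected, and reports any missing RID that no deletion event explains. It assumes an elevated PowerShell 5.1 session with the LocalAccounts module; Get-Rid is a helper written for this example. It also goes slightly beyond the text: local groups consume RIDs from the same SAM counter as users, so they are counted as well to avoid false gaps.

```powershell
# Added example (not from the original post): find gaps in the local RID sequence and
# explain them with event 4726 (user deleted). Assumptions: elevated PowerShell 5.1
# with Get-LocalUser / Get-LocalGroup available; Get-Rid is a helper for this example.
function Get-Rid([string]$Sid) { [int]($Sid -split '-')[-1] }

# Local users and local groups draw RIDs from the same SAM counter, so count both
$userRids  = @(Get-LocalUser  | ForEach-Object { Get-Rid $_.SID.Value })
$groupRids = @(Get-LocalGroup | ForEach-Object { Get-Rid $_.SID.Value })
$inUse     = @($userRids + $groupRids | Where-Object { $_ -ge 1000 } | Sort-Object -Unique)

$missing = @()
if ($inUse.Count -gt 0) {
    $maxRid  = ($inUse | Measure-Object -Maximum).Maximum
    $missing = @(1000..$maxRid | Where-Object { $_ -notin $inUse })
}

# Deleted accounts from the Security log; defaultuser0 (the setup-time account) is expected
$deleted = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4726 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Deleted   = $_.TimeCreated
            User      = $data['TargetUserName']
            Rid       = Get-Rid $data['TargetSid']
            DeletedBy = $data['SubjectUserName']
            Expected  = $data['TargetUserName'] -eq 'defaultuser0'
        }
    }

"RIDs >= 1000 in use : $($inUse -join ', ')"
"Missing RIDs        : $($missing -join ', ')"
$deleted | Sort-Object Rid | Format-Table Deleted, User, Rid, DeletedBy, Expected -AutoSize

# A missing RID with no 4726 event means the deletion predates the log, or the log was cleared
$unexplained = @($missing | Where-Object { $_ -notin @($deleted.Rid) })
"Missing RIDs with no 4726 event: $($unexplained -join ', ')"
```

On the test system from this post the output would list 1001 and 1005 as in use, 1000 and 1002 to 1004 as missing, and four 4726 events with defaultuser0 marked as expected; a non-empty “no 4726 event” line is the cue to fall back on the SAM hive or other artifacts, because the Security log alone cannot account for that deletion.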

5. Summary of Findings

The table below summarises all findings regarding the existing and deleted accounts [it’s just a sample template; you can build yours in your own style].

User Account Profiling Sample

For the above example, we need more verification and further investigation of the red categories, as they are tagged as suspicious. However, that’s not the end of the story. Why?

Cybercriminals may misuse valid accounts like Cyfohub to carry out malicious activities; even though the creation and privileges look normal, we need to look at other related information to spot potential attacks!

6. What’s Next?

  • Users’ Logon Sessions
  • Owned App and Services
  • Owned Processes and Files
  • Profiles and Searches
  • Environment Variables
  • Program Execution History

Stay safe and tuned….
