A2.2 Windows NT intruder detection checklist

This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team).


  1. Look for Signs That Your System May Have Been Compromised

    1. Examine log files

    2. Check for odd user accounts and groups

    3. Look for incorrect group memberships

    4. Look for incorrect user rights

    5. Check whether unauthorized applications are starting

    6. Check system binaries

    7. Check network configuration and activity

    8. Check for unauthorized shares

    9. Examine jobs run by the scheduler service

    10. Check for unauthorized processes

    11. Look everywhere for unusual or hidden files

    12. Check for altered permissions on files or registry keys

    13. Check for changes in user or computer policies

    14. Make sure the system has not been moved to a different Workgroup or Domain

    15. Examine all machines on the local network

  2. Review Other AusCERT and CERT Documents

    1. CERT Summaries

    2. "Steps for Recovering from a Windows NT Compromise"

    3. Contacting AusCERT

    4. Contacting CERT/CC

  3. Consider running intrusion detection systems if possible

    Document revision history

This document outlines suggested steps for determining whether or not your system has been compromised. System administrators can use this information to look for several types of break-ins. We encourage you to review all sections of this document and modify your systems to address potential weaknesses.

In addition to the information in this document, we provide three companion documents that may help you:

  • http://www.cert.org/tech_tips/win_configuration_guidelines.html contains suggestions for avoiding common NT system configuration problems

  • http://www.cert.org/tech_tips/win-UNIX-system_compromise.html contains suggested steps for recovering from a compromise on an NT system

  • http://www.cert.org/tech_tips/win-resources.html contains descriptions of tools that can be used to help secure a system and deter break-ins

We also encourage you to check regularly with your vendor(s) for any updates or new patches that relate to your systems.


All action taken during the course of an investigation should be in accordance with your organization's policies and procedures.

  1. Look for signs that your system may have been compromised

    1. Examine log files for connections from unusual locations or for other unusual activity. You can use the Event Viewer to check for odd log-on entries, failures of services, or odd system restarts. If your firewall, web server, or router writes logs to a location other than the compromised system, remember to check those logs as well. Remember that this check is not foolproof unless you log to append-only media or to a separate, uncompromised host; many intruders edit log files, or clear the audit log outright, in an attempt to hide their activity.
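The checks above are mostly visual work in Event Viewer. As an added example that is not part of the CERT/AusCERT document, the following Python script applies the same questions to an exported Security log: was the audit log cleared, was the audit policy changed, did an account fail to log on several times and then succeed, and did anyone log on outside normal hours. The field order of the export, the business hours, and the log records themselves are assumptions constructed for this example; the event IDs (528, 529, 612, 517) are the Windows NT 4.0 Security log IDs.

```python
"""Scan an exported NT Security log for the signs named in this checklist.

Added example; it is not part of the CERT/AusCERT document. It reads a
comma-separated export of the Security log (assumed field order:
date,time,source,category,event_id,user,computer,description) and flags:
  - event 517, the audit log was cleared (an intruder hiding activity)
  - event 612, the audit policy was changed
  - a run of 529 logon failures followed by a 528 success for one account
  - 528 successful logons outside the hours you consider normal
The event IDs are the Windows NT 4.0 Security log IDs. The records below are
constructed for this example.
"""
import csv
import io
from collections import defaultdict

FIELDS = ["date", "time", "source", "category", "event_id",
          "user", "computer", "description"]

# Constructed export: one event per line, oldest first.
SAMPLE_EXPORT = """\
03/14/2000,09:02:11,Security,Logon/Logoff,528,jsmith,NTSRV1,Successful Logon
03/14/2000,23:41:05,Security,Logon/Logoff,529,Administrator,NTSRV1,Logon Failure
03/14/2000,23:41:09,Security,Logon/Logoff,529,Administrator,NTSRV1,Logon Failure
03/14/2000,23:41:14,Security,Logon/Logoff,529,Administrator,NTSRV1,Logon Failure
03/14/2000,23:41:20,Security,Logon/Logoff,528,Administrator,NTSRV1,Successful Logon
03/14/2000,23:44:00,Security,Policy Change,612,Administrator,NTSRV1,Audit Policy Change
03/14/2000,23:45:30,Security,System Event,517,Administrator,NTSRV1,The audit log was cleared
03/15/2000,08:15:00,Security,Logon/Logoff,528,jsmith,NTSRV1,Successful Logon
"""


def parse_export(text):
    """Yield one dict per event, with event_id as int and the logon hour extracted."""
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["event_id"] = int(rec["event_id"])
        rec["hour"] = int(rec["time"].split(":")[0])
        yield rec


def find_suspicious(text, work_hours=(7, 19), failure_threshold=3):
    """Return (event_id, user, reason) findings in log order."""
    findings = []
    failures = defaultdict(int)        # account -> consecutive 529s seen so far
    for e in parse_export(text):
        eid, user = e["event_id"], e["user"].lower()
        if eid == 517:
            findings.append((eid, user, "audit log cleared"))
        elif eid == 612:
            findings.append((eid, user, "audit policy changed"))
        elif eid == 529:
            failures[user] += 1
        elif eid == 528:
            if failures[user] >= failure_threshold:
                findings.append((eid, user,
                                 f"{failures[user]} failures then success (password guessing?)"))
            failures[user] = 0
            if not work_hours[0] <= e["hour"] < work_hours[1]:
                findings.append((eid, user,
                                 f"logon at {e['time']} outside "
                                 f"{work_hours[0]:02d}:00-{work_hours[1]:02d}:00"))
    return findings


if __name__ == "__main__":
    for eid, user, reason in find_suspicious(SAMPLE_EXPORT):
        print(f"event {eid}  {user:<14} {reason}")
```

On the sample records the script reports the Administrator logon that followed three failures, the same logon as outside business hours, the audit policy change, and the cleared log; the two jsmith logons produce nothing. Run it against a real export only after copying the log off the suspect machine, for the reason the text gives.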

    2. Check for odd user accounts and groups. You can use the User Manager tool or the "net user," "net group," and "net localgroup" commands at the command line. Ensure that the built-in GUEST account is disabled if the system does not require guest access.

    3. Check all groups for invalid user membership. Some of the default NT groups give special privileges to their members: members of the Administrators group can do anything on the local system, Backup Operators can read any file on the system regardless of its permissions, and Power Users can create shares.

    4. Look for invalid user rights. To examine user rights, use the User Manager tool under Policies, User Rights (select "Show Advanced User Rights" to see all of them). There are 27 different rights that can be assigned to users or groups. The default configuration of these rights is generally secure, so any departure from it deserves an explanation.
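Checking groups by eye is error-prone on more than a handful of machines. As an added example that is not part of the CERT/AusCERT document, the following Python script parses captured "net localgroup" and "net user guest" output and compares the members of the sensitive groups named above against a baseline recorded when the system was built. The captured output and the baseline below are constructed for the example; the output format is the one NT prints, so the same parser works on text saved from the real commands.

```python
"""Compare sensitive NT group memberships against a known-good baseline.

Added example; it is not part of the CERT/AusCERT document. It parses the
output of "net localgroup <group>" and "net user guest" (run on the machine
and saved to text, or captured with subprocess) and reports members that
are not in the baseline recorded at build time. The captured output and
the baseline below are constructed for this example.
"""

# Constructed "net localgroup Administrators" output, as NT prints it.
SAMPLE_ADMINISTRATORS = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
CORP\\Domain Admins
svc_backup
The command completed successfully.
"""

SAMPLE_BACKUP_OPERATORS = """\
Alias name     Backup Operators
Comment        Members can bypass file security to back up files

Members

-------------------------------------------------------------------------------
The command completed successfully.
"""

# Constructed "net user guest" output (only the lines that matter here).
SAMPLE_NET_USER_GUEST = """\
User name                    Guest
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Account expires              Never
"""

# Assumed baseline recorded when the system was built: group -> members.
BASELINE = {
    "Administrators": {"Administrator", "CORP\\Domain Admins"},
    "Backup Operators": {"CORP\\Backup Staff"},
}


def parse_net_localgroup(text):
    """Return the member names listed between the dashed rule and the trailer line."""
    members, in_members = [], False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith("-----"):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line:
            members.append(line)
    return members


def compare_group(group, text, baseline=BASELINE):
    """Return (added, removed): members present but not expected, and expected but absent."""
    current = set(parse_net_localgroup(text))
    expected = baseline.get(group, set())
    return sorted(current - expected), sorted(expected - current)


def guest_enabled(net_user_text):
    """True if 'net user guest' reports the account as active."""
    for line in net_user_text.splitlines():
        if line.startswith("Account active"):
            return line.split()[-1].lower() == "yes"
    return False


def audit_groups(captures, baseline=BASELINE):
    """captures: {group: net localgroup output}. Return human-readable findings."""
    findings = []
    for group, text in captures.items():
        added, removed = compare_group(group, text, baseline)
        findings.extend(f"{group}: unexpected member {m}" for m in added)
        findings.extend(f"{group}: expected member missing {m}" for m in removed)
    return findings


if __name__ == "__main__":
    captures = {"Administrators": SAMPLE_ADMINISTRATORS,
                "Backup Operators": SAMPLE_BACKUP_OPERATORS}
    for finding in audit_groups(captures):
        print(finding)
    if guest_enabled(SAMPLE_NET_USER_GUEST):
        print("Guest account is enabled")
```

A member that is missing is as worth a question as one that was added: an intruder who removes the backup staff from Backup Operators may be trying to stop a backup that would preserve evidence.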

    5. Check to see if unauthorized applications are starting. There are a number of different methods an intruder could use to start a back door program, so be sure to

  • Check the Startup folders. Check all items in the c:\winnt\profiles\*\start menu\programs\startup folders. You can also examine the shortcuts by selecting Start, Programs, Startup. Note that there are two kinds of startup folder: one in each user's profile and one under "All Users". When a user logs on, all of the applications in both the "All Users" folder and that user's own startup folder are started, so it is important to check all of the startup folders for suspicious applications.

  • Check the registry. The most common locations for applications to start through the registry are



Listing: registry locations from which programs are started

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs
    HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\KnownDLLs
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows ("run=" line)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows ("run=" value)

Listing: batch file that lists each service's registry key, start type and executable (uses REG.EXE from the NT Resource Kit; described under "Check for invalid services" below)

    @echo off
    REM Lists every key under HKLM\SYSTEM\CurrentControlSet\Services with its Start
    REM value and ImagePath. Read-only: nothing in the registry or on disk is changed.
    REM The "delims=" strings below use a tab character (reconstructed here as the
    REM word TAB, as in the port listing below); replace TAB with a real tab.
    for /f "tokens=1 delims=[]" %%I in ('reg query HKLM\SYSTEM\CurrentControlSet\Services') do call :PULLINFO1 %%I
    set START_TYPE=
    goto :EOF
    :PULLINFO1
    for /f "tokens=3 delims=TAB " %%I in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\%1 ^| findstr "Start"') do call :PULLINFO2 %1 %%I
    goto :EOF
    :PULLINFO2
    for /f "tokens=3,4 delims=TAB " %%I in ('reg query HKLM\SYSTEM\CurrentControlSet\Services\%1 ^| findstr "ImagePath"') do call :SHOWINFO %1 %2 %%I %%J
    goto :EOF
    :SHOWINFO
    REM Start values: 0 boot, 1 system, 2 automatic, 3 manual (demand start), 4 disabled
    if /i {%2}=={0} set START_TYPE=Boot
    if /i {%2}=={1} set START_TYPE=System
    if /i {%2}=={2} set START_TYPE=Automatic
    if /i {%2}=={3} set START_TYPE=Manual
    if /i {%2}=={4} set START_TYPE=Disabled
    if not "%4" == "" (echo %1 %START_TYPE% %3\%4) else (echo %1 %START_TYPE% %3)
    goto :EOF

Listing: batch file that lists ports reported by "netstat -a" and looks up the service normally associated with each in port-numbers.txt (described under item 7 below; replace the word TAB with a real tab character)

    @echo off
    REM Read-only. Requires port-numbers.txt (the IANA port list) in the current directory.
    for /f "tokens=1,2 delims=:" %%I in ('netstat -a ^| findstr "[1-9]"') do call :CLEAN %%I %%J
    goto :EOF
    :CLEAN
    set X=0
    for /f "tokens=1,2,3 delims=TAB " %%A in ('findstr /I "\<%3/%1\>" port-numbers.txt') do call :SETUP %%A %%C %3 %1
    if %X% == 0 echo %3/%1 ***UNKNOWN***
    goto :EOF
    :SETUP
    echo %3/%4 %1 %2
    set X=1
    goto :EOF

Listing: example script (CERT, 1998) that tightens NTFS permissions with cacls/xcacls. Unlike the two batch files above, this script changes ACLs; run it on a known-good build to establish the baseline you will later compare against (see "Check for altered permissions" below), not on a machine you are still investigating.

    @echo off
    REM This script is an example to enforce better NTFS
    REM security on the file system
    REM Copyright 1998 Carnegie Mellon University
    REM August 1998
    REM
    REM  v0.91 Sept 04, 1998
    REM Note that the %SystemRoot%\yes.txt is just a text file at c:\winnt\yes.txt that
    REM simply contains a 'y' and then a hard return in it. CACLS asks if you are sure
    REM all the time. The piping of the yes.txt will answer yes to that prompt
    REM
    REM xcacls is used for a few items. It is part of the NT Resource Kit, but not
    REM in the default install of NT
    REM  Set the files on the Root Directories to read only for users
    REM
    C:
    cd \
    cacls.exe . /G administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe * /C /G administrators:f system:f users:r <%SystemRoot%\yes.txt
    REM  Prevent general users to access the boot files...
    REM
    C:
    cd \
    cacls.exe boot.ini /G administrators:f system:f <%SystemRoot%\yes.txt
    cacls.exe ntbootdd.sys /G administrators:f system:f <%SystemRoot%\yes.txt
    cacls.exe ntdetect.com /G administrators:f system:f <%SystemRoot%\yes.txt
    cacls.exe ntldr /G administrators:f system:f <%SystemRoot%\yes.txt
    REM     Program Files directories...
    REM
    REM First recurse through and just give read access to everyone to everything
    REM in Program Files on C: and all files on the D:
    C:
    cd \
    cacls.exe "Program Files" /c /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    REM      The TEMP directories...
    REM
    REM change permission on temp directory to allow additions from normal users...
    REM
    REM It would be best to give dir-rwx and file-none for the everyone group, but cacls.exe
    REM isn't that specific. You can use the GUI or xcacls from the resource kit
    xcacls.exe c:\Temp /c /t /g "creator owner":cop administrators:f system:f users:exw /y
    REM To prevent non-admins from deleting the temp directories . . . (put a locked file in it)
    copy %SystemRoot%\yes.txt c:\Temp\secure.dir
    cacls.exe c:\Temp\secure.dir /g administrators:f system:f <%SystemRoot%\yes.txt
    attrib +h c:\Temp\secure.dir
    REM     The System Directory . . . . (C:\winnt)
    REM
    C:
    cd %SystemRoot%
    cacls.exe * /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    xcacls.exe . /g "creator owner":cop administrators:f system:f users:exw /y
    cacls.exe config   /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe cursors  /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe help     /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe forms    /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe inf      /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe java     /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe media    /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe ShellNew /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe system   /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe system32 /t /c /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    xcacls.exe SendTo  /c /t /g "creator owner":cop administrators:f system:f users:exw /y
    REM The profiles tree need to stay the same...
    cacls.exe profiles /g administrators:f system:f "creator owner":c everyone:r <%SystemRoot%\yes.txt
    REM Give access to .inf files, .exe files and .hlp files under system . . . consider using
    REM just X (execute) for the com and exe files
    cacls.exe *.inf /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe *.hlp /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe *.txt /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe *.com /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe *.cpl /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe *.exe /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    cacls.exe *.dll /t /g administrators:f system:f users:r <%SystemRoot%\yes.txt
    REM    Exceptions to the rules . . . . Nothing is simple
    REM
    C:
    cd %SystemRoot%
    xcacls.exe system32 /e /g "creator owner":cop users:exw /y
    xcacls.exe help     /e /g "creator owner":cop users:exw /y
    xcacls.exe forms    /e /g "creator owner":cop users:exw /y
    cacls.exe cookies /t /c /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt
    cacls.exe history /t /c /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt
    cacls.exe occache /t /c /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt
    cacls.exe repair /t /c /g administrators:f system:f <%SystemRoot%\yes.txt
    cacls.exe system32\viewers /t /c /e /g users:r <%SystemRoot%\yes.txt
    REM do printers
    REM cacls.exe system32\spool\printers /t /c /e /g "creator owner":c <%SystemRoot%\yes.txt
    REM cacls.exe system32\spool\drivers /t /c /e /g "creator owner":c <%SystemRoot%\yes.txt
    REM allow write in the "Temporary Internet Files"
    cacls.exe "Temporary Internet Files" /t /c /e /g administrators:f system:f "creator owner":c <%SystemRoot%\yes.txt

  • Check for invalid services. Some backdoor programs install themselves as a service that is started when the system boots. A service can run as SYSTEM or as any account that holds the "Log on as a service" user right. Check the services that are started automatically and be sure that they are necessary. Also check that each service's executable file is not a Trojan horse or backdoor program.

The batch file shown earlier in this section (the one that queries HKLM\SYSTEM\CurrentControlSet\Services) gathers information about NT services from the registry. Its output lists the service key, the start type, and the executable that is run. The batch file uses the REG.EXE command, which is part of the NT Resource Kit. It does not modify files or the registry.


    6. Check your system binaries for alterations. Compare the versions on your systems with copies you know have not been altered, such as those from your initial installation media. Be cautious of trusting backups; they could also contain Trojan horses.

Trojan horse programs may have the same file size and time stamp as the legitimate version, so checking the file properties and time stamps of the programs is not sufficient to determine whether they have been replaced. Instead, use MD5, Tripwire, or other cryptographic checksum tools to detect Trojan horse programs (provided that the checksum tools themselves, and the stored checksums, are kept secure and cannot be modified by the intruder). MD5 has since been shown to be vulnerable to collisions, so prefer SHA-256 or stronger when creating new baselines. You may want to use a tool such as PGP to sign the output generated by MD5 or Tripwire, so that the reference values themselves can be trusted when you come to compare against them.

Using antivirus software will also help you check for computer viruses, backdoors, and Trojan horse programs. But remember that malicious programs are continuously created, so it is important to keep your antivirus software up to date constantly.
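The two paragraphs above make a claim worth seeing in practice: a replacement that preserves size and time stamp defeats a properties check but not a digest. As an added example that is not part of the CERT/AusCERT document, the following Python script builds a baseline of digests over a directory tree, then "trojans" one file with a same-length replacement and restores its time stamp, and shows that only the digest comparison catches it. SHA-256 stands in for the MD5 the text names, and an HMAC over the stored baseline stands in for the PGP signature it suggests, so that the example runs offline. The key, path name and file contents are constructed for the example.

```python
"""Baseline and verify system binaries with a cryptographic digest.

Added example; it is not part of the CERT/AusCERT document. It demonstrates
the point made above: a replaced binary that keeps the original's size and
time stamp passes a properties check but fails a digest comparison. SHA-256
is used instead of the MD5 the text names, and the stored baseline is
protected with an HMAC (standing in for the PGP signature the text suggests,
so the example runs offline). The key, paths and file contents are all
constructed for the example; keep a real baseline key off the monitored host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def file_digest(path):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def walk_files(root):
    """Yield (relative name, full path) for every file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            yield os.path.relpath(path, root), path


def build_baseline(root, key):
    """Record size, mtime and digest of every file under root; tag the manifest with an HMAC."""
    entries = {}
    for rel, path in walk_files(root):
        st = os.stat(path)
        entries[rel] = {"size": st.st_size, "mtime": int(st.st_mtime),
                        "sha256": file_digest(path)}
    body = json.dumps(entries, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"entries": body, "tag": tag}


def verify_baseline(root, manifest, key):
    """Compare the tree against the manifest. Raises ValueError if the manifest was tampered with."""
    expected = hmac.new(key, manifest["entries"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        raise ValueError("baseline manifest fails its HMAC check; do not trust it")
    entries = json.loads(manifest["entries"])
    findings = {"size_or_mtime": [], "digest": [], "new": [], "missing": []}
    seen = set()
    for rel, path in walk_files(root):
        seen.add(rel)
        if rel not in entries:
            findings["new"].append(rel)
            continue
        e, st = entries[rel], os.stat(path)
        if st.st_size != e["size"] or int(st.st_mtime) != e["mtime"]:
            findings["size_or_mtime"].append(rel)
        if file_digest(path) != e["sha256"]:
            findings["digest"].append(rel)
    findings["missing"] = sorted(set(entries) - seen)
    return findings


def demo():
    """Replace a 'binary' with one of equal length, restore its mtime, and check both methods."""
    key = b"example-baseline-key"                # constructed; never store beside the baseline
    stamp = 946684800                             # 2000-01-01 00:00:00 UTC
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join("system32", "telnet.exe")   # constructed name, not a real binary
        path = os.path.join(root, target)
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(b"ORIGINAL-TELNET-BINARY")
        os.utime(path, (stamp, stamp))
        manifest = build_baseline(root, key)

        # The "intruder": a replacement of the same length, then the time stamp is put back.
        with open(path, "wb") as f:
            f.write(b"TROJANED-TELNET-BINARY")
        os.utime(path, (stamp, stamp))
        result = verify_baseline(root, manifest, key)

        # An intruder who rewrites the manifest without the key is caught too.
        forged = {"entries": json.dumps({}), "tag": manifest["tag"]}
        try:
            verify_baseline(root, forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return {"target": target, "size_or_mtime": result["size_or_mtime"],
            "digest": result["digest"], "forged_rejected": forged_rejected}


if __name__ == "__main__":
    r = demo()
    print("size/mtime check flagged:", r["size_or_mtime"])   # empty: the trojan passes
    print("digest check flagged:    ", r["digest"])          # the replaced file
    print("forged manifest rejected:", r["forged_rejected"])
```

The baseline must be taken from a clean build and the key kept elsewhere; a digest list that the intruder can rewrite, or a hashing tool the intruder can replace, proves nothing, which is the caveat the text makes about securing the checksum tools.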

    7. Check your system and network configurations for unauthorized entries. Look for invalid entries for settings like WINS, DNS, IP forwarding, etc. These settings can be checked using the Network Properties tool or the "ipconfig /all" command at the command prompt. Make sure that only the network services you want running on your system are listed in the Network Services configuration. Check for odd ports listening for connections from other hosts by using the "netstat -an" command. The batch file shown earlier in this section (the one that runs "netstat -a") parses out the ports in use and then tries to show what service may be running on each port. It uses the well-known port numbers file, which can be retrieved from http://www.isi.edu/in-notes/iana/assignments/port-numbers

Additional ports used by Microsoft products are described in the following Microsoft Knowledge Base articles. You may want to build a file in the format of the port numbers file that lists the services running on your own NT systems.

  • Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports

  • SMS: Network Ports Used by Remote Helpdesk Functions

  • XGEN: TCP Ports and Microsoft Exchange: In-depth Discussion

  • How to Configure a Firewall for Windows NT and Trusts


In the batch file, make sure you replace the word "TAB" with an actual tab character. The file does not modify or write to any files. It does require a file named "port-numbers.txt" in the current directory: the IANA file above saved under that name, optionally extended with your own entries. This file lists port numbers along with the services that may be listening on them.
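As an added example that is not part of the CERT/AusCERT document, the following Python script does what the batch file does, but with two refinements a practitioner wants: it keeps only TCP sockets in the LISTENING state (the batch file's findstr "[1-9]" filter also passes established connections), and it compares each listener against the set of ports this host is supposed to serve, because a backdoor can sit on a well-known port just as easily as on an obscure one. The netstat output, the port table excerpt and the expected set are constructed for the example; the port table follows the IANA layout the text points to.

```python
"""Map listening ports from "netstat -an" to the service that normally uses them.

Added example; it is not part of the CERT/AusCERT document. It does in Python
what the batch file in this section does with findstr: each listening port is
looked up in a file laid out like the IANA port-numbers list the text points
to, and ports with no entry are marked ***UNKNOWN***. It also compares against
a list of ports this host is expected to serve. The netstat output, the port
table and the expected set are all constructed for this example.
"""
import re

# Constructed "netstat -an" output in the NT format.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    10.1.1.5:139           10.1.1.9:1043          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Constructed excerpt in the IANA port-numbers layout: keyword, port/proto, description.
SAMPLE_PORT_NUMBERS = """\
# Keyword         Decimal    Description
epmap             135/tcp    DCE endpoint resolution
netbios-ns        137/udp    NETBIOS Name Service
netbios-ssn       139/tcp    NETBIOS Session Service
"""

# Assumed baseline for this host: the ports it is supposed to serve.
EXPECTED = {("tcp", 135), ("tcp", 139), ("udp", 137)}


def load_port_table(text):
    """Return {(proto, port): (keyword, description)} from port-numbers text."""
    table = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 2 or line.lstrip().startswith("#"):
            continue
        m = re.fullmatch(r"(\d+)/(tcp|udp)", parts[1])
        if not m:
            continue
        desc = parts[2].strip() if len(parts) == 3 else ""
        table[(m.group(2), int(m.group(1)))] = (parts[0], desc)
    return table


def listening_sockets(netstat_text):
    """Return (proto, port) for TCP sockets in LISTENING state and for every bound UDP port."""
    found = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto = parts[0].lower()
        port = int(parts[1].rsplit(":", 1)[1])
        if proto == "tcp" and (len(parts) < 4 or parts[3] != "LISTENING"):
            continue                      # established/outbound connections are not listeners
        found.append((proto, port))
    return found


def report(netstat_text, port_text, expected=EXPECTED):
    """Return (proto, port, keyword, status) rows; status is 'ok' or 'UNEXPECTED'."""
    table = load_port_table(port_text)
    rows = []
    for proto, port in listening_sockets(netstat_text):
        keyword = table.get((proto, port), ("***UNKNOWN***", ""))[0]
        status = "ok" if (proto, port) in expected else "UNEXPECTED"
        rows.append((proto, port, keyword, status))
    return rows


if __name__ == "__main__":
    for proto, port, keyword, status in report(SAMPLE_NETSTAT, SAMPLE_PORT_NUMBERS):
        print(f"{port}/{proto:<4} {keyword:<16} {status}")
```

On the sample, 135/tcp, 139/tcp and 137/udp resolve to their NetBIOS and RPC names and are expected; 12345/tcp and 31337/udp are unknown to the port table and are not in the baseline, which is the combination that deserves a look at the owning process.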


    8. Check for unauthorized shares. You can use the "net share" command at the command prompt or the Server Manager tool to list all the shares on a system. A share whose name ends in '$' is hidden from network browsing, but it is still listed by these tools, so look at those too. NT creates a few default shares (such as PRINT$), but if you are not sharing a printer with other users, check to see why that share exists. If you notice an odd share name, the tools will show you the actual location on the system that is being shared. A drive or directory can have multiple share names, and each share can have different permissions associated with it.

    9. Check for any jobs scheduled to run. Intruders can leave back doors in files that are scheduled to run at a future time. This technique can let an intruder back onto the system, even after you believe you have addressed the original compromise. Also verify that the job files themselves, and all files/programs referenced (directly or indirectly) by the scheduler, are not world-writable. To check for jobs currently pending, use the "at" command or the WINAT tool from the NT Resource Kit.

    10. Check for odd processes. You can use the Task Manager tool, or the pulist.exe and tlist.exe commands from the NT Resource Kit at the command prompt, to gather information about the processes running on your system. A number of shareware/freeware applications also exist to show what files are in use.

    With the pulist command, you can see who started each process; services are usually associated with the SYSTEM account. The tlist command with the -t flag shows the process tree, that is, which processes started which child processes.

    11. Look throughout the system for unusual or hidden files. These can be used to hide tools and information (password cracking programs, password files from other systems, etc.). Hidden files can be seen with the NT Explorer: select View, Options, Show all Files. To view hidden files at the command prompt, type "dir /ah".

    12. Check for altered permissions on files or registry keys. Part of properly securing an NT system is to set the proper permissions on files and registry keys so that unauthorized users cannot start unauthorized programs (e.g., backdoors or keyloggers) or change system files. To check many files throughout your directory tree, you can use the XCACLS.EXE program that is part of the NT Resource Kit. The NT Security Configuration Manager can also be used to analyze your system against a configuration you defined previously, which helps to determine what may have been modified.

    13. Check for changes in user or computer policies. Policies are used on NT systems to define a wide variety of configurations and can be used to control what users can and cannot do. Since a number of items are configured in the policy editor (poledit.exe), it is recommended that you keep a current copy of the policies you create, in case they are altered and you need to determine what was changed.

    14. Make sure the system has not been moved to a different workgroup or domain. An intruder may attempt to gain administrative access to a workstation by joining it to a domain that the intruder controls: the Domain Admins group of that domain then becomes a member of the workstation's local Administrators group.

    15. When searching for signs of intrusion, examine all machines on the local network. Most of the time, if one host has been compromised, others on the network have also been compromised.

  2. Review other AusCERT and CERT documents

    1. For further information about the types of attack that have recently been reported to the CERT Coordination Center and for a list of new or updated files available for anonymous FTP, see our past CERT Summaries at http://www.cert.org/summaries/

    2. If you suspect that your system has been compromised, please review "Steps for Recovering from a System Compromise" at http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

      You can also review other appropriate files in our tech_tips directory.

    3. Incidents involving Australian and New Zealand sites should be reported to AusCERT (Australian Computer Emergency Response Team). To report a computer security incident to AusCERT use the following contact information.

      Internet: <auscert@auscert.org.au> monitored during business hours (GMT+10:00)

      Telephone: +61 7 3365 4417 monitored during business hours (GMT+10:00)

      Hotline: +61 7 3365 4417 monitored 24 hours, 7 days for emergencies (GMT+10:00)

      Facsimile: +61 7 3365 7031

      Australian Computer Emergency Response Team

      The University of Queensland


      Qld 4072


    4. To report a computer security incident to the CERT Coordination Center, please complete and return a copy of our Incident Reporting Form, available from http://www.cert.org/ftp/incident_reporting_form

      The information on the form helps us provide the best assistance. It enables us to understand the scope of the incident, to determine if your incident may be related to any other incidents that have been reported to us, and to identify trends in intruder activities.

  3. Consider running intrusion detection systems if possible

    1. Freeware/shareware intrusion detection systems:

      The COAST Intrusion Detection System Resources web page has a list of some freeware/shareware intrusion detection systems. It is available at:


    2. Commercial intrusion detection systems:

      There are a number of commercial intrusion detection tools available, we only list some herein:

      Kane Security Monitor (KSM) http://centauri.ods.com/security/products/ksm.shtml

      OmniGuard/ITA (OmniGuard/Intruder Alert) http://www.axent.com/Axent/Products/IntruderAlert

      Real Secure http://solutions.iss.net/products/rsecure/rs.php

      CyberCop Monitor http://solutions.sun.com/catalogs/all/Internet_and_Intranet/Security/42189.html

      Intact http://pedestalsoftware.com/intact/

      This document is available from: http://www.cert.org/tech_tips/win_intruder_detection_checklist.html

      CERT/CC Contact Information

      Email: <cert@cert.org>

      Phone: +1 412-268-7090 (24-hour hotline)

      Fax: +1 412-268-6989

      Postal address:

      CERT Coordination Center

      Software Engineering Institute

      Carnegie Mellon University

      Pittsburgh PA 15213-3890


      CERT personnel answer the hotline 08:00-20:00 EST (GMT-5) / EDT (GMT-4), Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

      Using encryption

      We strongly urge you to encrypt sensitive information sent by e-mail. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

      If you prefer to use DES, please call the CERT hotline for more information.

      Getting security information

      CERT publications and other security information are available from our web site http://www.cert.org/

      To be added to our mailing list for advisories and bulletins, send e-mail to <cert-advisory-request@cert.org> and include SUBSCRIBE your-email-address in the subject of your message.

      Copyright 2000 Carnegie Mellon University.

      Conditions for use, disclaimers, and sponsorship information can be found in http://www.cert.org/legal_stuff.html

      * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Internet Security: A Jumpstart for Systems Administrators and IT Managers
ISBN: 1555582982
Year: 2003
Pages: 103
Authors: Tim Speed, Juanita Ellis
