Check when a drive was shared.....

5 Posts · 3 Users · 0 Reactions · 595 Views
(@nomad420)
New Member
Joined: 10 years ago
Posts: 2
Topic starter  

Our team was called in to have a look at a system of a board member of our company. The user's C drive was found to be shared over the network with no user restrictions. When the user initially discovered the same, he called in the local IT team who immediately removed the share on the hard drive.

We were initially only provided with the logs and got a chance to have a look at the system after almost a month since the share drive was discovered and attended to.

The system had Windows 7 Pro as the OS.

I checked the following on the system to find any clue as to when the drive was shared:

1. Security logs for event IDs 5140 and 5144. Did not find any.
2. Took a backup of the user's registry using DART 2.0. Checked the following keys:
2.1. HKLM\SYSTEM\ControlSet001\services\LanmanServer\Shares\C
2.2. HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBA
2.3. HKU\S-1-5-21-2026121395-1561275589-1958889591-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{41525333-0076-A76A-76A7-7A786E7484D7}\iexplore\Count

The registry entries had time stamps when the local IT team removed the share.

Any suggestions as to what more artifacts could be gathered to find when the drive was shared?

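As an added example (not code from the thread or from any poster), the script below builds a per-share timeline from an exported Windows Security log. Besides the 5140 (share accessed) and 5144 (share removed) events the original post looked for, the "File Share" audit subcategory also writes 5142 (share added) and 5143 (share modified), which directly answer "when was it shared"; all four are only present if that subcategory was enabled before the share was created, so their absence is itself a finding to record. The parser expects the XML form produced by `wevtutil qe Security /f:xml`; the sample export, host names, user names and timestamps are constructed for this example.

```python
"""Timeline of share events from an exported Windows Security log.

Added example (not from the thread): reads events in the XML form that
`wevtutil qe Security /f:xml` produces and reports, per share name, when
the share was added (5142), modified (5143), accessed (5140) and removed
(5144). These IDs belong to the "File Share" audit subcategory and only
exist in the log if that subcategory was enabled at the time.
The sample export below is constructed for this example.
"""
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SHARE_EVENTS = {
    5140: "share accessed",
    5142: "share added",
    5143: "share modified",
    5144: "share removed",
}

# Constructed sample: deliberately out of order, with one unrelated
# logon event (4624) and one event for a different share (IPC$).
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID>
    <TimeCreated SystemTime="2014-03-05T22:03:10.482301500Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">ANONYMOUS LOGON</Data>
    <Data Name="IpAddress">10.20.30.40</Data>
    <Data Name="ShareName">\\*\C</Data>
    <Data Name="ShareLocalPath">C:\</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID>
    <TimeCreated SystemTime="2014-03-01T08:00:00.000000000Z"/></System>
  <EventData><Data Name="TargetUserName">boardmember</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5142</EventID>
    <TimeCreated SystemTime="2014-03-02T09:15:41.000000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">boardmember</Data>
    <Data Name="ShareName">\\*\C</Data>
    <Data Name="ShareLocalPath">C:\</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5140</EventID>
    <TimeCreated SystemTime="2014-03-03T11:20:05.000000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">svc_backup</Data>
    <Data Name="IpAddress">10.20.30.9</Data>
    <Data Name="ShareName">\\*\IPC$</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5144</EventID>
    <TimeCreated SystemTime="2014-03-28T14:40:02.000000000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">itadmin</Data>
    <Data Name="ShareName">\\*\C</Data>
  </EventData>
</Event>
</Events>
"""


def parse_events(xml_text):
    """Yield (timestamp, event_id, fields) for every share-related event."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        if eid not in SHARE_EVENTS:
            continue
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        ts = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # drop sub-second part
        fields = {d.get("Name"): (d.text or "")
                  for d in ev.findall("e:EventData/e:Data", NS)}
        yield ts, eid, fields


def share_timeline(xml_text, share_name):
    """Sorted (timestamp, description, actor, source_ip) rows for one share."""
    rows = []
    for ts, eid, f in parse_events(xml_text):
        if f.get("ShareName", "").lower() != share_name.lower():
            continue
        rows.append((ts, SHARE_EVENTS[eid],
                     f.get("SubjectUserName", ""), f.get("IpAddress", "-")))
    return sorted(rows)


def first_creation(xml_text, share_name):
    """Earliest 5142 for the share, or None if the log holds no creation record
    (auditing was off, or the log rolled over before the export)."""
    for ts, desc, _, _ in share_timeline(xml_text, share_name):
        if desc == "share added":
            return ts
    return None


if __name__ == "__main__":
    for ts, desc, who, ip in share_timeline(SAMPLE_XML, r"\\*\C"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {desc:<15} {who:<16} {ip}")
```

Run against a real export, a `None` from `first_creation` with a populated 5140/5144 history usually means File Share auditing was switched on after the share already existed, which narrows the creation to before the earliest audited event.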
MDCR
(@mdcr)
Reputable Member
Joined: 15 years ago
Posts: 376
 

Any local Windows Firewall logs? Access from client to client is rather unusual…

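Following up on the firewall-log suggestion, here is an added example (not from the thread) that reads the Windows Firewall's pfirewall.log, a W3C-style text file the firewall only writes when "Log successful connections" and/or "Log dropped packets" are enabled, and lists inbound TCP 445/139 connections so the first remote host to reach the share can be put on the same timeline as the registry and event-log artifacts. Column positions are taken from the log's own `#Fields:` header rather than hard-coded. The log lines and addresses are constructed for this example.

```python
"""Earliest inbound SMB connections in a Windows Firewall log.

Added example (not from the thread): parses pfirewall.log and lists
inbound TCP 445/139 connections. Requires firewall logging of allowed
and/or dropped connections to have been enabled at the time.
The sample lines below are constructed for this example.
"""

SMB_PORTS = {"445", "139"}

SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-03-05 22:03:08 ALLOW TCP 10.20.30.40 10.20.30.55 49212 445 0 - 0 0 0 - - - RECEIVE
2014-03-04 07:12:55 DROP TCP 10.20.30.77 10.20.30.55 51000 445 52 S 1234567 0 8192 - - - RECEIVE
2014-03-04 07:13:01 ALLOW TCP 10.20.30.55 10.20.30.2 52001 445 0 - 0 0 0 - - - SEND
2014-03-06 09:00:14 ALLOW TCP 10.20.30.40 10.20.30.55 49310 3389 0 - 0 0 0 - - - RECEIVE
2014-03-06 10:41:30 ALLOW TCP 10.20.30.81 10.20.30.55 50112 139 0 - 0 0 0 - - - RECEIVE
"""


def parse_firewall_log(text):
    """Yield one dict per record, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # skip truncated/malformed lines rather than misalign columns
        yield dict(zip(fields, parts))


def inbound_smb(text):
    """Sorted (timestamp, action, src-ip, dst-port) rows for inbound SMB traffic.
    Timestamps are 'YYYY-MM-DD HH:MM:SS', so plain string sort is chronological."""
    rows = []
    for r in parse_firewall_log(text):
        if r["path"] != "RECEIVE" or r["protocol"] != "TCP":
            continue
        if r["dst-port"] not in SMB_PORTS:
            continue
        rows.append((f'{r["date"]} {r["time"]}', r["action"], r["src-ip"], r["dst-port"]))
    return sorted(rows)


def earliest_allowed_smb(text):
    """First inbound SMB connection the firewall let through, or None."""
    allowed = [r for r in inbound_smb(text) if r[1] == "ALLOW"]
    return allowed[0] if allowed else None


def smb_clients(text):
    """Map each remote IP to its number of allowed inbound SMB connections."""
    counts = {}
    for _, action, src, _ in inbound_smb(text):
        if action == "ALLOW":
            counts[src] = counts.get(src, 0) + 1
    return counts


if __name__ == "__main__":
    for row in inbound_smb(SAMPLE_LOG):
        print(*row)
    print("earliest allowed:", earliest_allowed_smb(SAMPLE_LOG))
    print("clients:", smb_clients(SAMPLE_LOG))
```

The earliest ALLOW to port 445 is a lower bound on when the share was reachable, not proof of when it was created; pair it with the registry key timestamps and any event-log entries before drawing a conclusion.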
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Were Volume Shadow Copies enabled?

I ask, as a good deal of the IR work I've done in corporate environments has been with systems where VSCs were disabled.

If VSCs are available, image the system immediately to preserve the state, and from there, find a shadow copy that pre-dates the IT staff removing the share, and pull the Registry files from that VSC. Creating a timeline of system activity may reveal how the share got enabled…

(@nomad420)
New Member
Joined: 10 years ago
Posts: 2
Topic starter  

@MDCR Since the system is in a corporate network, Symantec was being used as the endpoint protection tool. I checked its logs for the same, but they didn't turn up anything.

@keydet89 I did check Volume Shadow Copies; however, the last VSC available was for the date after the local techs had made the changes.

On a side note, I did find attempts to access the system via network logon, so we are trying to trace that system and analyze it.

PS: Thanks a lot for your views. :)

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I don't see any updates to this thread, but I did want to share something…

I've been doing IR work for about 15 yrs. I guess I'm not shocked at all that the sort of "response" indicated in this thread still exists… I've seen it before, and in what I've seen, it's not isolated to government entities. I worked a targeted breach just this year where forensic analysis of a couple of selected systems clearly indicated that one of the admins found the adversary's tools on two different systems, removed them, but did not say anything at all to any other staff members, nor did they report the incident to security.

This thread may ultimately be determined to be a small issue, but apparently at some point, someone thought that getting answers was important… why else would they send logs for analysis?

In today's day and age, not having an IR plan is just going to lead to even more trouble, particularly when a breach is exposed to the public and it's clear that the "victim" organization had no plan.
