CERT® Coordination Center

Windows NT Intruder Detection Checklist


This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team).

Introduction

  1. Look for Signs That Your System May Have Been Compromised
    1. Examine log files
    2. Check for odd user accounts and groups
    3. Look for incorrect group memberships
    4. Look for incorrect user rights
    5. Check whether unauthorized applications are starting
    6. Check system binaries
    7. Check network configuration and activity
    8. Check for unauthorized shares
    9. Examine jobs run by the scheduler service
    10. Check for unauthorized processes
    11. Look everywhere for unusual or hidden files
    12. Check for altered permissions on files or registry keys
    13. Check for changes in user or computer policies
    14. Make sure the system has not been moved to a different Workgroup or Domain
    15. Examine all machines on the local network
  2. Review Other AusCERT and CERT Documents
    1. CERT Summaries
    2. "Steps for Recovering from a Windows NT Compromise"
    3. Contacting AusCERT
    4. Contacting CERT®/CC
  3. Consider running intrusion detection systems if possible

Document revision history


This document outlines suggested steps for determining whether or not your system has been compromised. System administrators can use this information to look for several types of break-ins. We encourage you to review all sections of this document and modify your systems to address potential weaknesses.

In addition to the information in this document, we provide three companion documents that may help you:

We also encourage you to check regularly with your vendor(s) for any updates or new patches that relate to your systems.

Note: All action taken during the course of an investigation should be in accordance with your organization's policies and procedures.


  1. Look For Signs That Your System May Have Been Compromised

    1. Examine log files for connections from unusual locations or for other unusual activity. You can use the Event Viewer to check for odd logon entries, failures of services, or odd system restarts. If your firewall, web server, or router writes logs to a different location than the compromised system, remember to check these logs as well. But remember that this is not foolproof unless you log to append-only media; many intruders edit log files in an attempt to hide their activity.
    2. Check for odd user accounts and groups. You can use the User Manager tool or the `net user', `net group' and `net localgroup' commands at the command line. Ensure that the built-in GUEST account is disabled if the system does not require guest access.
    3. Check all groups for invalid user membership. Some of the default NT groups give special privileges to their members. Members of the Administrators group can do anything to the local system. Backup Operators can read any file on the system. Power Users can create shares.
    4. Look for invalid user rights. To examine user rights use the User Manager tool under Policies, User Rights. There are 27 different rights that can be assigned to users or groups. Generally the default configuration for these rights is secure.
    5. Check to see if unauthorized applications are starting. There are a number of different methods an intruder could use to start a back door program, so be sure to

      • Check the Startup folders. Check all items in c:\winnt\profiles\*\start menu\programs\startup folders. You can also examine all the shortcuts by selecting Start, Programs, Startup. Note that there are two startup folders, one for the local user and one for all users. When a user logs on, all of the applications in both the "All Users" and the user's startup folder are started. Because of this it is important to check all of the startup folders for suspicious applications.

      • Check the registry. The most common locations for applications to start through the registry are

        LISTING 1

      • Check for invalid services. Some backdoor programs install themselves as a service that is started when the system boots. Services can then run as any user with the "Logon as Service" user right. Check services that are started automatically and be sure that they are necessary. Also check that the service's executable file is not a Trojan horse or backdoor program.
      • The following batch file will help gather information about NT Services running on a system from the registry. The output will list the service key, startup value, and the executed file. This batch file uses the REG.EXE command, which is part of the NT Resource Kit. Files and the registry are not modified with this batch file.

        LISTING 2
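        The batch file in the original listing is not reproduced here. As an added example that is not the CERT document's code and does not use REG.EXE, the following Python script does the same inventory from a text export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services (as written by "regedit /e" in REGEDIT4 format, or by "reg export" in the Version 5.00 format): it lists each service key, its Start value and the executable it runs, and never writes to the registry. The export embedded below is a constructed sample; the service named "ExampleSvc" is invented to show the kind of entry a reviewer would question (an automatically started service whose image lives in a temporary directory).

```python
"""List Windows NT services from a registry export and show what each one runs.

Added example, not the CERT document's batch file and not REG.EXE.  It parses a
text export of HKLM\SYSTEM\CurrentControlSet\Services (REGEDIT4 or Version 5.00
format, already decoded to str) and reports each service key's Start value,
image path and account.  Nothing is written back to the registry.
"""
import re

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
START_NAMES = {0: "Boot", 1: "System", 2: "Automatic", 3: "Manual", 4: "Disabled"}

# Constructed REGEDIT4 export; "ExampleSvc" is an invented entry that warrants review.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\
  32,5c,73,65,72,76,69,63,65,73,2e,65,78,65,00
"DisplayName"="Alerter"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter\Security]
"Security"=hex:01,00,14,80

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Type"=dword:00000020
"Start"=dword:00000003
"ImagePath"="%SystemRoot%\\System32\\AtSvc.Exe"
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"Type"=dword:00000010
"Start"=dword:00000002
"ImagePath"="C:\\TEMP\\example.exe"
"DisplayName"="Example Service (constructed)"
"ObjectName"="LocalSystem"
"""


def _join_continuations(lines):
    """Merge lines wrapped with a trailing backslash (regedit wraps long hex values)."""
    merged, buf = [], ""
    for line in lines:
        if line.endswith("\\"):
            buf += line[:-1].strip()
        else:
            merged.append(buf + line.strip())
            buf = ""
    if buf:
        merged.append(buf)
    return merged


def _decode_value(raw, wide):
    """Turn the right-hand side of a "name"=value line into str, int or bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if m:
        kind = int(m.group(1) or "3")          # bare "hex:" is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
        if kind in (1, 2, 7):                  # REG_SZ, REG_EXPAND_SZ, REG_MULTI_SZ
            # Version 5.00 exports store strings as UTF-16LE, REGEDIT4 as ANSI bytes.
            text = data.decode("utf-16-le" if wide else "latin-1")
            return text.rstrip("\x00").replace("\x00", ";")
        return data
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} for every key in the export."""
    lines = _join_continuations(text.splitlines())
    wide = any(l.startswith("Windows Registry Editor Version 5") for l in lines[:3])
    keys, current = {}, None
    for line in lines:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = _decode_value(raw, wide)
    return keys


def service_table(keys):
    """One row per service key; subkeys such as Parameters and Security are skipped."""
    rows = []
    for key, values in keys.items():
        if not key.startswith(SERVICES_PREFIX) or "\\" in key[len(SERVICES_PREFIX):]:
            continue
        start = values.get("Start")
        rows.append({
            "service": key[len(SERVICES_PREFIX):],
            "start": START_NAMES.get(start, f"unknown({start})"),
            "image": values.get("ImagePath", ""),
            "account": values.get("ObjectName", ""),
        })
    return sorted(rows, key=lambda r: r["service"].lower())


def auto_start_services(keys):
    """Services that run without anyone starting them: justify each one individually."""
    return [r for r in service_table(keys) if r["start"] in ("Boot", "System", "Automatic")]


if __name__ == "__main__":
    for row in auto_start_services(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{row['service']:<16} {row['start']:<10} {row['account']:<14} {row['image']}")
```

        To use it on a real host, export the Services key to a file, copy the file to a trusted machine, and pass the file's text to parse_reg_export; the same parser also reads an export of the Run keys listed above, since the .reg format is identical. The image path column is the one to compare against the checksum baseline, because a service entry can point at a perfectly normal-looking name in an unexpected directory.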

    6. Check your system binaries for alterations. Compare the versions on your systems with copies you know that have not been altered, such as those from your initial installation media. Be cautious of trusting backups; they could also contain Trojan horses.

      Trojan horse programs may produce the same file size and timestamp as the legitimate version. Because of this, just checking file properties and timestamps associated with the programs is not sufficient for determining whether or not the programs have been replaced. Instead, use MD5, Tripwire, and other cryptographic checksum tools to detect these Trojan horse programs, (provided that the checksum tools themselves are kept secure and are not available for modification by the intruder.) You may want to consider using a tool (PGP, for example) to "sign" the output generated by MD5 or Tripwire, for future reference.

      Using anti-virus software will also help you check for computer viruses, backdoors, and Trojan horse programs. But remember that malicious programs are continuously created, so it is important to keep your anti-virus software up to date constantly.
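      The following Python script is an added example, not code from the CERT document, showing the baseline-and-verify workflow the paragraph above describes: a manifest of file hashes is recorded while the system is known-good (and stored off the host), then the live tree is compared against it. The constructed scenario inside demo() replaces a file with content of the same length and puts the original timestamp back, so size and timestamp checks report nothing while the hash comparison reports the change; the manifest layout ("digest, two spaces, relative path") is this example's own choice, and SHA-256 stands in for the MD5 named in the text because MD5 collisions are practical today.

```python
"""Baseline and re-verify system binaries with cryptographic hashes.

Added example, not code from the CERT document.  Build a manifest while the
system is known-good, keep it somewhere the host cannot alter it, and compare
the live tree against it later.  All files used here are constructed in
temporary directories, so the script runs stand-alone.
"""
import hashlib
import os
import tempfile

# The checklist names MD5; SHA-256 is used here because MD5 collisions are practical today.
HASH_ALGORITHM = "sha256"


def file_digest(path, algorithm=HASH_ALGORITHM):
    """Hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: digest} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = file_digest(full)
    return manifest


def write_manifest(manifest, dest):
    """One 'digest  path' line per file (this example's own format)."""
    with open(dest, "w", encoding="utf-8") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(src):
    manifest = {}
    with open(src, encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                manifest[rel] = digest
    return manifest


def verify_tree(root, baseline):
    """Compare the live tree with a baseline manifest: modified, missing and added paths."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def demo():
    """Constructed scenario on temporary files; returns the verification report."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        sysdir = os.path.join(root, "system32")
        os.makedirs(sysdir)
        target = os.path.join(sysdir, "example.exe")      # constructed, not a real binary
        with open(target, "wb") as f:
            f.write(b"MZ original program bytes")
        with open(os.path.join(sysdir, "other.dll"), "wb") as f:
            f.write(b"MZ unrelated library")
        before = os.stat(target)
        manifest_path = os.path.join(store, "baseline.txt")   # kept outside the tree
        write_manifest(build_manifest(root), manifest_path)

        # Simulate a replaced binary: same length as before, original timestamp put back.
        with open(target, "wb") as f:
            f.write(b"MZ trojaned program bytes")
        os.utime(target, (before.st_atime, before.st_mtime))
        os.remove(os.path.join(sysdir, "other.dll"))
        with open(os.path.join(sysdir, "extra.exe"), "wb") as f:
            f.write(b"MZ new file")

        after = os.stat(target)
        properties_unchanged = (after.st_size == before.st_size
                                and int(after.st_mtime) == int(before.st_mtime))
        report = verify_tree(root, read_manifest(manifest_path))
        return {"properties_unchanged": properties_unchanged, "report": report}


if __name__ == "__main__":
    print(demo())
```

      The manifest is only worth what its storage is worth: keep it (and the checking tool itself) on read-only media or a separate trusted host, and sign it as the text suggests, since an intruder who can rewrite the manifest can make a replaced binary verify cleanly.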

    7. Check your system and network configurations for unauthorized entries. Look for invalid entries for settings like WINS, DNS, IP forwarding, etc. These settings can be checked using the Network Properties tool or using the "ipconfig /all" command at the command prompt.

      Make sure that only the Network Services you want to have running on your system are listed in the Network Services configuration.

      Check for odd ports listening for connections from other hosts by using the "netstat -an" command. The following batch file parses out ports that are in a listen state and then tries to show what service may be running on each port. This batch file uses the well-known port numbers file, which can be retrieved from the following location.

      http://www.isi.edu/in-notes/iana/assignments/port-numbers

      Additional ports used by Microsoft products can be found in the following Microsoft Knowledge Base articles. You may want to build a file in the format of the port numbers file above that lists the various services running on your NT systems.

      Windows NT, Terminal Server, and Microsoft Exchange Services Use TCP/IP Ports http://support.microsoft.com/support/kb/articles/q150/5/43.asp

      SMS: Network Ports Used by Remote Helpdesk Functions http://support.microsoft.com/support/kb/articles/q167/1/28.asp

      XGEN: TCP Ports and Microsoft Exchange: In-depth Discussion http://support.microsoft.com/support/kb/articles/q176/4/66.asp

      How to Configure a Firewall for Windows NT and Trusts http://support.microsoft.com/support/kb/articles/q179/4/42.asp

      In the batch file make sure you replace the word "TAB" with an actual tab. This file does not modify or write to any files. It does require a file named "port-number.txt." This file lists port numbers as well as possible services listening on that port.

      LISTING 3
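      The batch file in the original listing is not reproduced here. As an added example that is not the CERT document's code, the following Python script performs the same check: it picks the listening sockets out of saved "netstat -an" output and labels each with the service name from a file in the IANA port-numbers layout (name, port/protocol, description, separated by tabs or spaces), reporting anything the file does not list as unknown. Both inputs embedded below are constructed samples, and the port values 40123 and 40124 are made up to stand for ports no list accounts for.

```python
"""Match listening ports from "netstat -an" against the IANA port-numbers file.

Added example, not the CERT document's batch file.  Run it against netstat
output saved from the host under review; the two inputs below are constructed.
"""

# Constructed excerpt in the layout of the IANA port-numbers file.
PORT_NUMBERS_TXT = """\
# PORT NUMBERS (constructed excerpt)
http              80/tcp    World Wide Web HTTP
epmap            135/tcp    DCE endpoint resolution
epmap            135/udp    DCE endpoint resolution
netbios-ns       137/udp    NETBIOS Name Service
netbios-ssn      139/tcp    NETBIOS Session Service
"""

# Constructed "netstat -an" output in the layout an NT host prints.
NETSTAT_TXT = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:40123          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        192.168.1.9:1044       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:40124          *:*
"""


def load_port_table(text):
    """Parse port-numbers lines into {(port, proto): service_name}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()          # handles tab- and space-separated files alike
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, _, proto = fields[1].partition("/")
        if port.isdigit():
            table[(int(port), proto.lower())] = fields[0]
    return table


def listening_sockets(netstat_text):
    """Return (proto, address, port) for sockets that accept input.

    TCP sockets count only in LISTENING state.  Every bound UDP socket is
    included because netstat shows no state for UDP.
    """
    sockets = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto = fields[0].lower()
        addr, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        state = fields[3] if len(fields) > 3 else ""
        if proto == "tcp" and state != "LISTENING":
            continue
        sockets.append((proto, addr, int(port)))
    return sockets


def classify_listeners(netstat_text, port_table):
    """Label each listening socket with the registered service name or 'unknown'."""
    return [
        {"proto": proto, "address": addr, "port": port,
         "service": port_table.get((port, proto), "unknown")}
        for proto, addr, port in listening_sockets(netstat_text)
    ]


def unknown_listeners(netstat_text, port_table):
    """The rows that need a human explanation: listening, but on no listed port."""
    return [r for r in classify_listeners(netstat_text, port_table) if r["service"] == "unknown"]


if __name__ == "__main__":
    table = load_port_table(PORT_NUMBERS_TXT)
    for row in classify_listeners(NETSTAT_TXT, table):
        print(f"{row['proto']:<4} {row['address']:<16} {row['port']:<6} {row['service']}")
```

      A name in the table is a hint, not proof: the lookup only says which service is normally registered on that port, so a listener on a well-known port still has to be tied back to a process (see the process checks below) before it is accepted as legitimate. Adding a second file built from the Microsoft Knowledge Base articles above, loaded with the same function, reduces the number of false unknowns on NT hosts.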

    8. Check for unauthorized shares. You can use the "net share" command at the command prompt or use the Server Manager tool to list all the shares on a system. NT provides a way to show hidden shares by adding a '$' to the end of a share name. There are a few default share names that NT uses (such as PRINT$), but if you are not sharing a printer with other users, check to see why that share was created. If you notice an odd share name the tools will show you the actual location on the system that is being shared. A drive or directory can have multiple share names. Each of these shares can have different permissions associated with them.
    9. Check for any jobs scheduled to run. Intruders can leave back doors in files that are scheduled to run at a future time. This technique can let an intruder back on the system (even after you believe you have addressed the original compromise). Also, verify that all files/programs referenced (directly or indirectly) by the scheduler, and the job files themselves, are not world-writable. To check for jobs currently pending use the "at" command or the WINAT tool from the NT Resource Kit.
    10. Check for odd processes. You can use the Task Manager tool or the pulist.exe and tlist.exe commands from the NT Resource Kit at the command prompt to gather information about the processes running on your system. A number of shareware/freeware applications also exist to show what files are in use.

      With the pulist command, you can see who started each process. Services are usually associated with the SYSTEM account. The tlist command with the -t flag will show you what processes started child processes.

    11. Look throughout the system for unusual or hidden files. These can be used to hide tools and information (password cracking programs, password files from other systems, etc.). Hidden files can be seen with the NT Explorer. Select View, Options, Show all Files. To view hidden files at the command prompt type `dir /ah'.

    12. Check for altered permissions on files or registry keys. Part of properly securing an NT system is to set the proper permissions on files and registry keys so that unauthorized users cannot start unauthorized programs (e.g. backdoors or keyloggers) or change system files. To check many files throughout your directory tree you can use the XCACLS.EXE program that is part of the NT Resource Kit. The NT Security Configuration Manager can also be used to analyze your system against a configuration you have defined previously. This helps to determine what may have been modified.

    13. Check for changes in user or computer policies. Policies are used on NT systems to define a wide variety of configurations and can be used to control what users can and cannot do. Since a number of items are configured in the policy editor (poledit.exe) it is recommended to keep a current copy of the policies you create in case they are altered and you need to determine what was changed.

    14. Make sure the system has not been redefined to a different Domain. An intruder may attempt to gain Domain Administrator access to a workstation by changing the current domain to a domain that the intruder has control over.

    15. When searching for signs of intrusion, examine all machines on the local network. Most of the time, if one host has been compromised, others on the network have also been compromised.

  2. Review Other AusCERT and CERT Documents

    1. For further information about the types of attack that have recently been reported to the CERT Coordination Center and for a list of new or updated files available for anonymous FTP, see our past CERT Summaries at
      http://www.cert.org/summaries/

    2. If you suspect that your system has been compromised, please review "Steps for Recovering from a System Compromise" at
      http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
      You can also review other appropriate files in our tech_tips directory.
    3. Incidents involving Australian and New Zealand sites should be reported to AusCERT (Australian Computer Emergency Response Team). To report a computer security incident to AusCERT use the following contact information.

      Internet: auscert@auscert.org.au monitored during business hours (GMT+10:00)
      Telephone: +61 7 3365 4417 monitored during business hours (GMT+10:00)
      Hotline: +61 7 3365 4417 monitored 24 hours, 7 days for emergencies (GMT+10:00)
      Facsimile: +61 7 3365 7031

      Australian Computer Emergency Response Team
      The University of Queensland
      Brisbane
      Qld 4072
      AUSTRALIA

    4. To report a computer security incident to the CERT Coordination Center, please complete and return a copy of our Incident Reporting Form, available from
      http://www.cert.org/ftp/incident_reporting_form
      The information on the form helps us provide the best assistance. It enables us to understand the scope of the incident, to determine if your incident may be related to any other incidents that have been reported to us, and to identify trends in intruder activities.

  3. Consider running intrusion detection systems if possible

    1. Freeware/shareware intrusion detection systems:

      The COAST Intrusion Detection System Resources web page has a list of some freeware/shareware intrusion detection systems. It is available at:

      http://www.cerias.purdue.edu/coast/ids/
    2. Commercial intrusion detection systems:

      There are a number of commercial intrusion detection tools available; we list only some of them here:

      Kane Security Monitor (KSM)
      http://centauri.ods.com/security/products/ksm.shtml
      OmniGuard/ITA (OmniGuard/Intruder Alert)
      http://www.axent.com/Axent/Products/IntruderAlert
      Real Secure
      http://solutions.iss.net/products/rsecure/rs.php
      CyberCop Monitor
      http://solutions.sun.com/catalogs/all/Internet_and_Intranet/Security/42189.html
      Intact
      http://pedestalsoftware.com/intact/


This document is available from: http://www.cert.org/tech_tips/win_intruder_detection_checklist.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT® Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include

subscribe cert-advisory

in the body of your message.

Copyright 2000 Carnegie Mellon University.
Conditions for use, disclaimers, and sponsorship information can be found in

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
Revision History
April 17, 2000
Initial Release