Investigating Local Workstations
In any organization, one of its greatest assets is its employees. However, in the information age, one of its greatest liabilities is also its employees. I cannot tell you the horror stories of compromised information and systems that I have come across in my days as a System Engineer. In my current role, I frequently get escalations and automated notifications about compromised workstations. The initial part of investigating these workstations often needs to be done without the end user’s knowledge or interaction. This means I need to leverage three different interfaces (WMI, RPC and FS). The first thing that I want to know is…
What has the end user installed?
If your users are anything like my end users, they violate the Acceptable Use Policy (AUP) with great vigour. They install all kinds of garbage on their notebooks that A) has no business purpose, B) comes with hidden bonus items such as trojans and backdoors, and C) violates various licensing laws and rules.

My primary method of investigating installed software is the SCCM Resource Explorer tool. This leverages the WMI interface and gives me a nice list of installed products. If I start seeing items such as BitTorrent clients, I automatically know that this is not going to end well.
Sometimes, though, for some strange reason, the workstation I’m trying to investigate does not have the SCCM client on it. This is when I use a great free tool from the folks at ManageEngine. They put out some free tools that allow you to leverage the RPC interface. One of the tools included in the package is called Software Inventory. It connects to the remote machine using your admin credentials and builds a list of the software installed.
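When neither the SCCM client nor a third-party inventory tool is available, the same list can be pulled by hand. The following PowerShell is an added example and is not code from the original post or from either vendor mentioned above. It reads the Add/Remove Programs registry keys of a remote workstation over the Remote Registry service (RPC), which needs local admin on the target and the RemoteRegistry service running there. It covers more than WMI’s Win32_Product class, which only lists MSI-installed software; NSIS/Inno-style installers write only these keys. The host name and the watch-list terms are constructed placeholders.

```powershell
# Added example (not from the original post): remote installed-software inventory
# read from the Uninstall registry keys via the Remote Registry service (RPC).
# Assumes local admin on the target and RemoteRegistry running there.

function Get-RemoteInstalledSoftware {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Constructed sample watch list; substitute terms from your own AUP.
        [string[]] $WatchList = @('torrent', 'vuze', 'keygen', 'crack')
    )

    # Read both the native hive and the 32-bit-on-64-bit (Wow6432Node) hive,
    # otherwise half of what is installed is missed on 64-bit Windows.
    $uninstallPaths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        foreach ($path in $uninstallPaths) {
            $root = $hklm.OpenSubKey($path)
            if (-not $root) { continue }   # Wow6432Node does not exist on 32-bit Windows
            foreach ($subKeyName in $root.GetSubKeyNames()) {
                $k = $root.OpenSubKey($subKeyName)
                $displayName = $k.GetValue('DisplayName')
                if (-not $displayName) { $k.Close(); continue }   # patch/component entries carry no name

                $flagged = $false
                foreach ($term in $WatchList) {
                    if ($displayName -like "*$term*") { $flagged = $true; break }
                }
                [pscustomobject]@{
                    ComputerName    = $ComputerName
                    DisplayName     = $displayName
                    Version         = $k.GetValue('DisplayVersion')
                    Publisher       = $k.GetValue('Publisher')
                    InstallDate     = $k.GetValue('InstallDate')      # yyyyMMdd string when present
                    InstallLocation = $k.GetValue('InstallLocation')
                    Hive            = $path
                    Flagged         = $flagged
                }
                $k.Close()
            }
            $root.Close()
        }
    }
    finally {
        $hklm.Close()
    }
}

# Usage ('WKSTN-EXAMPLE' is a placeholder host name): flagged items first, and a
# CSV kept as evidence before deciding on a reimage.
$inventory = Get-RemoteInstalledSoftware -ComputerName 'WKSTN-EXAMPLE'
$inventory |
    Sort-Object @{ Expression = 'Flagged'; Descending = $true }, DisplayName |
    Format-Table DisplayName, Version, Publisher, InstallDate, Flagged -AutoSize
$inventory | Export-Csv -Path '.\WKSTN-EXAMPLE-software.csv' -NoTypeInformation
```

The InstallDate column is worth sorting on as well: software that appeared in the days before the alert fired is usually where the story starts, and the exported CSV is the evidence the next paragraph asks for.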

Once you know what is installed, you often have a good idea of what you are dealing with. Often it’s just time to reimage the workstation. However, if you don’t have any evidence to support the reimage, you need to proceed further; the next step is investigating the applications in the ‘Startup’ category.
MSCONFIG
MSConfig is a great place to look for viruses/trojans that start with the workstation. In the last year, though, I’ve noticed that trojans are getting a lot trickier and do not show up in MSConfig.
Trend Micro – HijackThis
HijackThis used to be an open-source tool until it was bought by Trend Micro. This tool lets you see what starts when the operating system is powered up and which Browser Helper Objects are integrated into the browser. If you start to see items and DLLs registered that should not be there, you definitely want to investigate further. Trend still offers HijackThis for free on their website or at download.com.
Run / Run Once
The next place you want to look is the “Run” and “Run Once” portions of the Windows Registry. This is often where trojans and viruses hide themselves. The registry keys that you want to look at are:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Services
The Services MMC console is another great place to look for viruses and trojans. A quick perusal of the running services might indicate an infection, and the nature of the infection determines the remediation.
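The Run keys and the service list can be pulled from the remote workstation in one pass, without touching the end user’s session. The PowerShell below is an added example, not code from the original post or from any tool it names. It dumps the Run and RunOnce keys over the Remote Registry service (RPC) and the installed services over WMI (Win32_Service), then flags any entry whose binary lives outside the Windows and Program Files directories. Two caveats it handles: HKEY_CURRENT_USER over a remote connection is the investigating account’s hive, not the end user’s, so the code walks HKEY_USERS instead; and the “trusted path” prefixes are an assumption for a standard corporate image, so legitimate per-user software under a profile directory will also be flagged and needs to be recognised by eye. The host name is a placeholder.

```powershell
# Added example (not from the original post): remote persistence review.
# Run/RunOnce keys via Remote Registry (RPC), services via WMI (Win32_Service).
# Assumes local admin on the target and RemoteRegistry running there.

function Test-UnusualBinaryPath {
    # Returns $true when the executable in a command line sits outside the
    # directories a standard image installs to (%APPDATA%, %TEMP%, profile
    # folders, removable media...). The prefix list is an assumption.
    param([string] $CommandLine)
    if (-not $CommandLine) { return $false }
    # Take the quoted path if there is one, otherwise the first token.
    $exe = if ($CommandLine -match '^"([^"]+)"') { $Matches[1] } else { ($CommandLine -split '\s+')[0] }
    # Expands %SystemRoot% etc. with the investigating host's values; identical
    # to the target's on a standard image.
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    $trusted = @('C:\Windows\', 'C:\Program Files\', 'C:\Program Files (x86)\')
    foreach ($prefix in $trusted) {
        if ($exe.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
    }
    return $true
}

function Get-RemoteRunKeys {
    param([Parameter(Mandatory)] [string] $ComputerName)

    $runPaths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # HKCU on a remote connection is *your* account. HKEY_USERS holds every
    # loaded user hive; the S-1-5-21-* SIDs are real users (skip _Classes aliases).
    $hives = @(
        @{ Hive = [Microsoft.Win32.RegistryHive]::LocalMachine; Prefix = 'HKLM' },
        @{ Hive = [Microsoft.Win32.RegistryHive]::Users;        Prefix = 'HKU'  }
    )

    foreach ($h in $hives) {
        $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($h.Hive, $ComputerName)
        try {
            $roots = if ($h.Prefix -eq 'HKLM') { @('') } else {
                $base.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
            }
            foreach ($root in $roots) {
                foreach ($path in $runPaths) {
                    $full = if ($root) { "$root\$path" } else { $path }
                    $key = $base.OpenSubKey($full)
                    if (-not $key) { continue }
                    foreach ($valueName in $key.GetValueNames()) {
                        $cmd = [string] $key.GetValue($valueName)
                        [pscustomobject]@{
                            Source  = "$($h.Prefix)\$full"
                            Name    = $valueName
                            Command = $cmd
                            Unusual = Test-UnusualBinaryPath $cmd
                        }
                    }
                    $key.Close()
                }
            }
        }
        finally { $base.Close() }
    }
}

function Get-RemoteServices {
    param([Parameter(Mandatory)] [string] $ComputerName)
    Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName | ForEach-Object {
        [pscustomobject]@{
            Source    = 'Win32_Service'
            Name      = $_.Name
            Command   = $_.PathName
            State     = $_.State
            StartMode = $_.StartMode
            StartName = $_.StartName   # the account the service runs as
            Unusual   = Test-UnusualBinaryPath $_.PathName
        }
    }
}

# Usage ('WKSTN-EXAMPLE' is a placeholder host name): review the unusual entries,
# keep the full dump as evidence.
$target   = 'WKSTN-EXAMPLE'
$findings = @(Get-RemoteRunKeys -ComputerName $target) + @(Get-RemoteServices -ComputerName $target)
$findings | Where-Object Unusual | Format-Table Source, Name, Command -Wrap
$findings | Export-Csv -Path ".\$target-persistence.csv" -NoTypeInformation
```

Running the same dump against a known-clean workstation built from the same image gives a baseline to diff against, which turns a long list of services into a short list of differences.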
If, after investigating these areas, you still suspect an infection, there are numerous free tools that you can use:
1. Sysinternals RootkitRevealer
2. GMER
In the organization I currently work for, we had a scenario where a certain group of users did not get patched and ended up infected with the Conficker virus. Sophos has created a great tool to remove the Conficker worm/virus; it can be found here.

The information security world is definitely a scary one, and there is definitely a lot at stake. You don’t necessarily need to know everything about every virus that comes out. It is simply a matter of knowing the key parts of the system to investigate, and of using Google to research the methodology your infection uses and its impact on the system.
If you have any questions or need a little extra help, I’d be glad to lend a hand: chris (at) chrismadge.com