SECURITY INCIDENT SURVEY CHEAT SHEET List network netstat –nao, Look at auto- chkconfig --list (Linux), FOR SERVER ADMINISTRATORS connections and netstat –vb, start services ls /etc/rc*.d (Solaris), related details net session, net use smf (Solaris 10+) Tips for examining a suspect system to decide lusrmgr, net users, List processes ps aux (Linux, BSD), whether to escalate for formal incident response. List users and groups net localgroup administrators, ps -ef (Solaris), Assessing the Suspicious Situation net group administrators lsof +L1 Find recently-modified files ls –lat /, To retain attacker’s footprints, avoid taking actions that Look at scheduled jobs schtasks (affects lots of files!) find / -mtime -2d -ls access many files or installing tools. Look at auto-start programs msconfig Look at system, security, and application logs for List processes taskmgr, Incident Response Communications unusual events. wmic process list full Do not share incident details with people outside the Look at network configuration details and connections; List services net start, team responding to the incident. note anomalous settings, sessions or ports. tasklist /svc Avoid sending sensitive data over email or instant Look at the list of users for accounts that do not belong Check DNS ipconfig /all, messenger without encryption. ipconfig /displaydns, or should have been disabled. settings and the If you suspect the network was compromised, hosts file more %SystemRoot%\  Look at a listing of running processes or scheduled jobs System32\Drivers\etc\hosts communicate out-of-band, e.g. non-VoIP phones. for those that do not belong there. Verify integrity of OS files sigverif Key Incident Response Steps Look for unusual programs configured to run (affects lots of files!) 1. Preparation: Gather and learn the necessary tools, automatically at system’s start time. dir /a/o-d/p  become familiar with your environment. Check ARP and DNS settings; look at contents of the Research recently-modified %SystemRoot%\  2. Identification: Detect the incident, determine its hosts file for entries that do not belong there. files (affects lots of files!) System32 scope, and involve the appropriate parties. Look for unusual files and verify integrity of OS and Avoid using Windows Explorer, as it modifies useful file 3. Containment: Contain the incident to minimize its application files. system details; use command-line. effect on neighboring IT resources. Use a network sniffer, if present on the system or 4. Eradication: Eliminate compromise artifacts, if available externally, to observe for unusual activity. Unix Initial System Examination necessary, on the path to recovery. A rootkit might conceal the compromise from tools; Look at event log files in /var/log, /var/adm 5. Recovery: Restore the system to normal trust your instincts if the system just doesn’t feel right. directories (locations vary) , /var/spool operations, possibly via reinstall or backup. Examine recently-reported problems, intrusion wtmp, who, detection and related alerts for the system. List recent security events 6. Wrap-up: Document the incident’s details, retail last, lastlog collected data, and discuss lessons learned. If You Believe a Compromise is Likely... Examine network arp –an, Other Incident Response Resources Involve an incident response specialist for next steps, configuration route print and notify your manager. Windows Intrusion Discovery Cheat Sheet List network netstat –nap (Linux), http://sans.org/resources/winsacheatsheet.pdf Do not panic or let others rush you; concentrate to connections and netstat –na (Solaris), avoid making careless mistakes. Checking Windows for Signs of Compromise related details lsof –i If stopping an on-going attack, unplug the system from http://www.ucl.ac.uk/cert/win_intrusion.pdf more /etc/passwd the network; do not reboot or power down. List users Linux Intrusion Discovery Cheat Sheet more /etc/crontab Take thorough notes to track what you observed, when, Look at scheduled , http://sans.org/resources/linsacheatsheet.pdf jobs ls /etc/cron.*, and under what circumstances. ls /var/at/jobs Checking Unix/Linux for Signs of Compromise http://www.ucl.ac.uk/cert/nix_intrusion.pdf Windows Initial System Examination Check DNS settings more /etc/resolv.conf, Look at event logs eventvwr and the hosts file more /etc/hosts Examine network arp –a, Verify integrity of installed rpm -Va (Linux), configurationAuthored by Lenny Zeltser, who leads a securitynetstat consulting –nr team at SAVVIS,packages and teaches (affects malware lots of analysisfiles!) at SANS Institute.pkgchk Special (Solaris) thanks for feedback to Lorna Hutcheson, Patrick Nolan, Raul Siles, Ed Skoudis, Donald Smith, Koon Yaw Tan, Gerard White, and Bojan Zdrnja. Creative Commons v3 “Attribution” License for this cheat sheet v. 1.7. More cheat sheets?