Windows IR Live Forensics Cheat Sheet by koriley via cheatography.com/12660/cs/11352/
Unusual Network Usage Windows Security & System Events To Look For
Look at File Shares net view \\127.0.0.1 Security 4720 User Account Created
Open Sessions with Machine net session Security 4722 User Account Enabled
Session This machine has net use Security 4724 Password Reset Opened Security 4738 User Account Change
NetBIOS over TCP/IP Activity nbtstat -S Security 4732 Accout Added or Removed From Group
List Listening TCP and UDP Ports netstat -na Security 1102 Audit Log Cleared
5 - Continuous Scrolling every 5 netstat -na 5 System 7030 Basic Service Operations seconds System 7045 Service Was Installed netstat -naob -o flag shows process ID -b flag System 1056 DHCP Server Oddities shows executa ble System 10000 COM Functio nality Inspect Firewall rules netsh advfire wall show System 20001 Device Driver Install ation current pro file System 20002 Remote Access netsh firewall show System 20003 Service Install ation config
Search for Other Startup Items Unusual Accounts Users' Autostart dir /s /b "C :\ Docu ments and Unexp ected Users in the lusrmg r.msc Folders Settings\ [user name]\ Start Menu\" Adminis tra tors Group dir /s /b "C :\ Users\ [user List Users net user name]\ Start Menu\" List Members of Admin Group net localgroup adminis tra tors Use WMIC To find wmic startup list full Start Up Programs List Domain Users net user /domain
When looking at domain accounts, the command will be run on the domain control ler. A large domain may take some time - redirect to a text file to analyze: net user /domain > domainU ser s.txt
By koriley Published 4th April, 2017. Sponsored by CrosswordCheats.com cheatography.com/koriley/ Last updated 5th April, 2017. Learn to solve cryptic crosswords! Page 1 of 2. http://crosswordcheats.com Windows IR Live Forensics Cheat Sheet by koriley via cheatography.com/12660/cs/11352/
Unusual Processes Unusual Services
Task List tasklist Services Control Panel servic es.msc
`wmic process list full' List Of Sevices Availab le nets start
Parend Process ID wmic process get Show Service Datail sc query | more name,pa ren tpr oce ssid, processid Map of Service from Which Process tasklist /svc Comma nd- Line tasklist /m /fi "pid eq [pid]" Options and DLLs
wmic process where process id= [pid] get command line
Run Task Manager: Start-> Run... and type taskmg r.exe - Look for unusual /un exp ected processes - Focus on processes with username SYSTEM or ADMINISTRATOR or user in the Local Administrator's group.
Unusual Scheduled Tasks
List System Scheduled Tasks schtasks
You can also use the Task Scheduler GUI: Start ->P rog ram s-> Acc ess ori es- >Sy stem Tools-> Sch eduled Tasks
Look for unusual Tasks run as a user of the Local Admin, SYSTEM, or blank username
Unusual Reg Key Entries
Check the Registry Run keys for malware that has made an entry to launch itself. - HKLM\So ftw are \Mi cro sof t\ Wind ows \Cu rre ntV ers ion \Run - HKLM\So ftw are \Mi cro sof t\ Wind ows \Cu rre ntV ers ion \Ru nonce - HKLM\So ftw are \Mi cro sof t\ Wind ows \Cu rre ntV ers ion \Ru non ceEx - HKCU\So ftw are \Mi cro sof t\ Wind ows \Cu rre ntV ers ion \Run - HKCU\So ftw are \Mi cro sof t\ Wind ows \Cu rre ntV ers ion \Ru nonce - HKCU\So ftw are \Mi cro sof t\ Wind ows \Cu rre ntV ers ion \Ru non ceEx
C:\reg query hklm\so ftw are \mi cro sof t\ wind ows \cu rre ntv ers ion \run
These can also be analyzed with regedi t.ex e. Autoru ns.exe from SystI nte rna ls will pull all Auto Start Entry Points.
By koriley Published 4th April, 2017. Sponsored by CrosswordCheats.com cheatography.com/koriley/ Last updated 5th April, 2017. Learn to solve cryptic crosswords! Page 2 of 2. http://crosswordcheats.com