Windows IR Live Forensics Cheat Sheet by koriley via cheatography.com/12660/cs/11352/

Unusual Network Usage Windows Security & System Events To Look For

Look at File Shares net view \\127.0.0.1 Security 4720 User Account Created

Open Sessions with Machine net session Security 4722 User Account Enabled

Session This machine has net use Security 4724 Password Reset Opened Security 4738 User Account Change

NetBIOS over TCP/IP Activity nbtstat -S Security 4732 Accout Added or Removed From Group

List Listening TCP and UDP Ports netstat -na Security 1102 Audit Log Cleared

5 - Continuous Scrolling every 5 netstat -na 5 System 7030 Basic Service Operations seconds System 7045 Service Was Installed netstat -naob -o flag shows process ID -b flag System 1056 DHCP Server Oddities shows executa​ ble System 10000 COM Functio​ nality Inspect Firewall rules netsh advfire​ wall show System 20001 Device Driver Install​ ation current​ pro​ file System 20002 Remote Access netsh firewall show System 20003 Service Install​ ation config

Search for Other Startup Items Unusual Accounts Users' Autostart dir /s /b "C​ :\​ Docu​ ments and Unexp​ ected Users in the lusrmg​ r.msc Folders Settings\ [user name]\​ Start Menu\" Adminis​ tra​ tors Group dir /s /b "C​ :\​ Users\ [user List Users net user name]\​ Start Menu\" List Members of Admin Group net localgroup adminis​ tra​ tors Use WMIC To find wmic startup list full Start Up Programs List Domain Users net user /domain

When looking at domain accounts, the command will be run on the domain control​ ler. A large domain may take some time - redirect to a text file to analyze: net user /domain > domainU​ ser​ s.txt

By koriley Published 4th April, 2017. Sponsored by CrosswordCheats.com cheatography.com/koriley/ Last updated 5th April, 2017. Learn to solve cryptic crosswords! Page 1 of 2. http://crosswordcheats.com Windows IR Live Forensics Cheat Sheet by koriley via cheatography.com/12660/cs/11352/

Unusual Processes Unusual Services

Task List tasklist Services Control Panel servic​ es.msc

`wmic process list full' List Of Sevices Availab​ le nets start

Parend Process ID wmic process get Show Service Datail sc query | more name,pa​ ren​ tpr​ oce​ ssid, processid Map of Service from Which Process tasklist /svc Comma​ nd-​ Line tasklist /m /fi "pid eq [pid]" Options and DLLs

wmic process where process​ id=​ [pid] get command​ line

Run Task Manager: Start->​ Run... and type taskmg​ r.exe - Look for unusual​ /un​ exp​ ected processes - Focus on processes with username SYSTEM or ADMI​NIS​TRA​TOR or user in the Local Admini​str​ato​r's group.

Unusual Scheduled Tasks

List System Scheduled Tasks schtasks

You can also use the Task Scheduler GUI: Start​ ->P​ rog​ ram​ s->​ Acc​ ess​ ori​ es-​ >Sy​ stem Tools->​ Sch​ eduled Tasks

Look for unusual Tasks run as a user of the Local Admin, SYSTEM, or blank username

Unusual Reg Key Entries

Check the Registry Run keys for malware that has made an entry to launch itself. - HKLM\So​ ftw​ are​ \Mi​ cro​ sof​ t\​ Wind​ ows​ \Cu​ rre​ ntV​ ers​ ion​ \Run - HKLM\So​ ftw​ are​ \Mi​ cro​ sof​ t\​ Wind​ ows​ \Cu​ rre​ ntV​ ers​ ion​ \Ru​ nonce - HKLM\So​ ftw​ are​ \Mi​ cro​ sof​ t\​ Wind​ ows​ \Cu​ rre​ ntV​ ers​ ion​ \Ru​ non​ ceEx - HKCU\So​ ftw​ are​ \Mi​ cro​ sof​ t\​ Wind​ ows​ \Cu​ rre​ ntV​ ers​ ion​ \Run - HKCU\So​ ftw​ are​ \Mi​ cro​ sof​ t\​ Wind​ ows​ \Cu​ rre​ ntV​ ers​ ion​ \Ru​ nonce - HKCU\So​ ftw​ are​ \Mi​ cro​ sof​ t\​ Wind​ ows​ \Cu​ rre​ ntV​ ers​ ion​ \Ru​ non​ ceEx

C:\reg query hklm\so​ ftw​ are​ \mi​ cro​ sof​ t\​ wind​ ows​ \cu​ rre​ ntv​ ers​ ion​ \run

These can also be analyzed with regedi​ t.ex​ e. Autoru​ ns.exe from SystI​ nte​ rna​ ls will pull all Auto Start Entry Points.

By koriley Published 4th April, 2017. Sponsored by CrosswordCheats.com cheatography.com/koriley/ Last updated 5th April, 2017. Learn to solve cryptic crosswords! Page 2 of 2. http://crosswordcheats.com