Windows IR Live Forensics Cheat Sheet by koriley via cheatography.com/12660/cs/11352/

Unusual Network Usage

  Look at File Shares:                        net view \\127.0.0.1
  Open Sessions with Machine:                 net session
  Sessions This Machine Has Opened:           net use
  NetBIOS over TCP/IP Activity:               nbtstat -S
  List Listening TCP and UDP Ports:           netstat -na
  Same, Scrolling Continuously Every 5 Sec:   netstat -na 5
  With Process ID and Executable:             netstat -naob
    (the -o flag shows the process ID, the -b flag shows the executable)
  Inspect Firewall Rules:                     netsh advfirewall show currentprofile
                                              netsh firewall show config

Windows Security & System Events To Look For

  Security  4720   User Account Created
  Security  4722   User Account Enabled
  Security  4724   Password Reset
  Security  4738   User Account Change
  Security  4732   Account Added or Removed From Group
  Security  1102   Audit Log Cleared
  System    7030   Basic Service Operations
  System    7045   Service Was Installed
  System    1056   DHCP Server Oddities
  System    10000  COM Functionality
  System    20001  Device Driver Installation
  System    20002  Remote Access
  System    20003  Service Installation

Search for Other Startup Items

  Users' Autostart Folders:
    dir /s /b "C:\Documents and Settings\[user name]\Start Menu\"
    dir /s /b "C:\Users\[user name]\Start Menu\"
  Use WMIC To Find Start Up Programs:         wmic startup list full

Unusual Accounts

  Unexpected Users in the Administrators Group:   lusrmgr.msc
  List Users:                                     net user
  List Members of Admin Group:                    net localgroup administrators
  List Domain Users:                              net user /domain

  When looking at domain accounts, the command will be run on the domain controller. A large domain may take some time, so redirect the output to a text file to analyze:
    net user /domain > domainUsers.txt

By koriley. Published 4th April, 2017. Last updated 5th April, 2017.
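The page-1 checks above, collected in one pass as an added example (this is not koriley's code and not part of the cheat sheet): listening ports joined to their owning process, the listed Security and System event IDs, local users and Administrators-group members, and startup entries, each written to CSV so the snapshot can be diffed against a known-good host. It assumes Windows 8 / Server 2012 or later (the NetTCPIP and LocalAccounts modules), an elevated prompt, and an evidence folder named $Case under the current profile; the Start Menu folder paths are the Vista-and-later form of the sheet's `dir /s /b` check and cover only the common profile and the current user.

```powershell
# Added example, not part of koriley's cheat sheet: a PowerShell pass over the
# "Unusual Network Usage", "Events To Look For", "Startup Items" and
# "Unusual Accounts" checks that writes each result set to CSV.
# Assumptions: Windows 8 / Server 2012 or later (NetTCPIP and LocalAccounts
# modules), an elevated prompt (Security log, process paths), and an evidence
# folder under the current profile; point $Case at your evidence share instead.
$Case = Join-Path $env:USERPROFILE ('IR-' + $env:COMPUTERNAME + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Case -Force | Out-Null

# Listening TCP/UDP endpoints joined to the owning process: the view that
# "netstat -naob" prints, but as objects that can be filtered and exported.
function Get-ListeningEndpoint {
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    $tcp = Get-NetTCPConnection -State Listen |
           Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
           Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess
    @($tcp) + @($udp) | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto = $_.Proto; Address = $_.LocalAddress; Port = $_.LocalPort
            PID = $_.OwningProcess; Process = $p.ProcessName; Path = $p.Path
        }
    } | Sort-Object Proto, Port
}

# Per-profile firewall state, the summary behind "netsh advfirewall show currentprofile".
function Get-FirewallState {
    Get-NetFirewallProfile |
        Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName
}

# The Security and System event IDs from the sheet, with the first line of each
# message. Get-WinEvent reports "no events found" as an error, so that case is
# silenced rather than treated as a failure.
function Get-TriageEvent {
    param([int]$Days = 7)
    $since   = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Security'; Id = 4720, 4722, 4724, 4738, 4732, 1102; StartTime = $since }
        @{ LogName = 'System';   Id = 7030, 7045, 1056, 10000, 20001, 20002, 20003; StartTime = $since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, ProviderName,
                          @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# Local users and Administrators-group members ("net user", "net localgroup administrators").
function Get-AccountSnapshot {
    [pscustomobject]@{
        Users  = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description
        Admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource
    }
}

# Startup entries: Win32_StartupCommand ("wmic startup list full") plus the
# Start Menu startup folders (assumption: common profile and current user only).
function Get-StartupSnapshot {
    $folders = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
    [pscustomobject]@{
        Wmi     = Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User
        Folders = Get-ChildItem -Path $folders -Recurse -Force -ErrorAction SilentlyContinue |
                  Select-Object FullName, LastWriteTime, Length
    }
}

$acct  = Get-AccountSnapshot
$start = Get-StartupSnapshot
$sets  = [ordered]@{
    'listening.csv'       = Get-ListeningEndpoint
    'firewall.csv'        = Get-FirewallState
    'events.csv'          = Get-TriageEvent -Days 7
    'users.csv'           = $acct.Users
    'admins.csv'          = $acct.Admins
    'startup-wmi.csv'     = $start.Wmi
    'startup-folders.csv' = $start.Folders
}
foreach ($name in $sets.Keys) {
    $sets[$name] | Export-Csv -Path (Join-Path $Case $name) -NoTypeInformation -Encoding UTF8
}

# On screen first: listeners whose executable could not be resolved or lives
# outside the Windows directory (a triage heuristic, not a rule from the sheet;
# reconcile each one against the host's expected role).
$sets['listening.csv'] |
    Where-Object { -not $_.Path -or $_.Path -notlike "$env:SystemRoot\*" } |
    Format-Table -AutoSize
Write-Host "Evidence written to $Case"
```

Run it from an elevated PowerShell on the host under investigation; the same script run on a clean build of the same image gives the baseline to compare the CSVs against. The empty Path column is itself a signal: without elevation the owning executable of SYSTEM-owned listeners cannot be read, which is why the sheet's `netstat -naob` needs an administrative prompt as well.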
Unusual Processes

  Task List:                                  tasklist
  Full Process Details:                       wmic process list full
  Parent Process ID:                          wmic process get name,parentprocessid,processid
  Map of Service from Which Process:          tasklist /svc
  Command-Line Options and DLLs:              tasklist /m /fi "pid eq [pid]"
                                              wmic process where processid=[pid] get commandline

  Run Task Manager: Start -> Run... and type taskmgr.exe
  - Look for unusual/unexpected processes
  - Focus on processes with username SYSTEM or ADMINISTRATOR, or a user in the Local Administrators group.

Unusual Services

  Services Control Panel:                     services.msc
  List Of Services Available:                 net start
  Show Service Detail:                        sc query | more

Unusual Scheduled Tasks

  List System Scheduled Tasks:                schtasks
  You can also use the Task Scheduler GUI: Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks
  Look for unusual tasks run as a user of the Local Admin group, as SYSTEM, or with a blank username.

Unusual Reg Key Entries

  Check the Registry Run keys for malware that has made an entry to launch itself:
  - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

  C:\> reg query hklm\software\microsoft\windows\currentversion\run

  These can also be analyzed with regedit.exe. Autoruns.exe from Sysinternals will pull all Auto Start Entry Points.
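The page-2 checks above, as an added example that is not koriley's code and not part of the cheat sheet: the process list with parent name, owner and command line, the service table, one row per scheduled-task action with its principal, and every value under the six Run keys, each written to CSV. The sheet's two focus rules (processes owned by SYSTEM, Administrator or a local-admin member; tasks run as a local admin, SYSTEM or a blank username) are written as filters so they can be applied to the saved data. It assumes an elevated prompt, Windows 8 / Server 2012 or later (Get-ScheduledTask, Get-LocalGroupMember), an evidence folder named $Case, and that HKCU means the account running the script; other users' hives would have to be loaded separately.

```powershell
# Added example, not part of koriley's cheat sheet: a PowerShell pass over the
# "Unusual Processes", "Unusual Services", "Unusual Scheduled Tasks" and
# "Unusual Reg Key Entries" checks, with the sheet's focus rules as filters.
# Assumptions: elevated prompt, Windows 8 / Server 2012 or later
# (Get-ScheduledTask, Get-LocalGroupMember), HKCU = the account running this.
$Case = Join-Path $env:USERPROFILE ('IR-' + $env:COMPUTERNAME + '-' + (Get-Date -Format 'yyyyMMdd-HHmmss'))
New-Item -ItemType Directory -Path $Case -Force | Out-Null

# Members of the local Administrators group, as DOMAIN\name, for the filters below.
$LocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Name })

# Process list with parent name, owner, path and command line: the columns the
# sheet pulls from "wmic process get name,parentprocessid,processid" and
# "wmic process where processid=[pid] get commandline", joined into one table.
function Get-ProcessSnapshot {
    $all  = @(Get-CimInstance Win32_Process)
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        $owner      = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
        $parent     = $byId[[int]$p.ParentProcessId]
        $user       = if ($owner -and $owner.User) { '{0}\{1}' -f $owner.Domain, $owner.User } else { '' }
        $parentName = if ($parent) { $parent.Name } else { '<exited or PID reused>' }
        [pscustomobject]@{
            PID = $p.ProcessId; Name = $p.Name; PPID = $p.ParentProcessId; Parent = $parentName
            User = $user; Path = $p.ExecutablePath; CommandLine = $p.CommandLine
        }
    }
}

# The sheet's process rule: owned by SYSTEM, Administrator, or a local-admin member.
function Select-PrivilegedProcess {
    param([Parameter(ValueFromPipeline = $true)] $Process)
    process {
        if ($Process.User -like '*\SYSTEM' -or $Process.User -like '*\Administrator' -or
            $LocalAdmins -contains $Process.User) { $Process }
    }
}

# Services with start mode, account and binary path ("sc query", "net start").
function Get-ServiceSnapshot {
    Get-CimInstance Win32_Service |
        Select-Object Name, DisplayName, State, StartMode, StartName, ProcessId, PathName
}

# One row per task action, with the principal it runs as ("schtasks").
function Get-TaskSnapshot {
    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            [pscustomobject]@{
                Task = $t.TaskPath + $t.TaskName; State = $t.State
                RunAs = $t.Principal.UserId; Execute = $a.Execute; Arguments = $a.Arguments
            }
        }
    }
}

# The sheet's task rule: run as a local admin, as SYSTEM, or with a blank username.
function Select-SuspectTask {
    param([Parameter(ValueFromPipeline = $true)] $Task)
    process {
        $u = [string]$Task.RunAs
        if ($u -eq '' -or ($u -in @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM')) -or
            $LocalAdmins -contains $u) { $Task }
    }
}

# Every value under the six Run / RunOnce / RunOnceEx keys ("reg query hklm\...\run").
function Get-RunKeyEntry {
    foreach ($hive in 'HKLM', 'HKCU') {
        foreach ($leaf in 'Run', 'RunOnce', 'RunOnceEx') {
            $key  = "$($hive):\Software\Microsoft\Windows\CurrentVersion\$leaf"
            $item = Get-Item -Path $key -ErrorAction SilentlyContinue
            if (-not $item) { continue }   # RunOnceEx is often absent, especially under HKCU
            foreach ($name in $item.GetValueNames()) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
            }
        }
    }
}

$sets = [ordered]@{
    'processes.csv' = Get-ProcessSnapshot
    'services.csv'  = Get-ServiceSnapshot
    'tasks.csv'     = Get-TaskSnapshot
    'runkeys.csv'   = Get-RunKeyEntry
}
foreach ($name in $sets.Keys) {
    $sets[$name] | Export-Csv -Path (Join-Path $Case $name) -NoTypeInformation -Encoding UTF8
}

# On screen: what the sheet says to read first. Hiding the \Microsoft\ task
# folder is a noise-reduction heuristic, not a rule from the sheet.
$sets['processes.csv'] | Select-PrivilegedProcess | Format-Table PID, Parent, Name, User, Path -AutoSize
$sets['tasks.csv'] | Select-SuspectTask | Where-Object { $_.Task -notlike '\Microsoft\*' } | Format-Table -AutoSize
$sets['runkeys.csv'] | Format-Table -AutoSize
Write-Host "Evidence written to $Case"
```

The Parent column is the reason to take the WMI route rather than `tasklist`: a parent that has exited, or a PID that was reused, shows up as the placeholder instead of a misleading name, and a child whose parent name does not fit (for example a shell spawned by a service binary) is visible in one glance at the CSV. As the sheet notes for the registry, HKCU here is only the current user; Autoruns.exe from Sysinternals remains the quickest way to cover every profile and every other Auto Start Entry Point.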