Show Menu

Windows IR Live Forensics Cheat Sheet by

Based on John Strand's Webcast - Live Windows Forensics..
first     windows     forensics     ir     responder

Unusual Network Usage

Look at File Shares
net view \\127.0.0.1
Open Sessions with Machine
net session
Session This machine has Opened
net use
NetBIOS over TCP/IP Activity
nbtstat -S
List Listening TCP and UDP Ports
netstat -na
5 - Continuous Scrolling every 5 seconds
netstat -na 5
-o flag shows process ID -b flag shows execut­able
netstat -naob
Inspect Firewall rules
netsh advfir­ewall show curren­tpr­ofile
 
netsh firewall show config

Unusual Accounts

Unex­pected Users in the Admini­str­ators Group
lusrm­gr.msc
List Users
net user
List Members of Admin Group
net localgroup admini­str­ators
List Domain Users
net user /domain
When looking at domain accounts, the command will be run on the domain contro­ller. A large domain may take some time - redirect to a text file to analyze:
net user /domain > domain­Use­rs.txt

Windows Security & System Events To Look For

Security 4720
User Account Created
Security 4722
User Account Enabled
Security 4724
Password Reset
Security 4738
User Account Change
Security 4732
Accout Added or Removed From Group
Security 1102
Audit Log Cleared
System 7030
Basic Service Operations
System 7045
Service Was Installed
System 1056
DHCP Server Oddities
System 10000
COM Functi­onality
System 20001
Device Driver Instal­lation
System 20002
Remote Access
System 20003
Service Instal­lation

Search for Other Startup Items

Users' Autostart Folders
dir /s /b "­C:­\Doc­uments and Settings\ [user name]­\Start Menu\"
 
dir /s /b "­C:­\Users\ [user name]­\Start Menu\"
Use WMIC To find Start Up Programs
wmic startup list full
 

Unusual Processes

Task List
tasklist
 
`wmic process list full'
Parend Process ID
wmic process get name,p­are­ntp­roc­essid, processid
Comm­and­-Line Options and DLLs
tasklist /m /fi "pid eq [pid]"
 
wmic process where proces­sid­=[pid] get comman­dline
Run Task Manager: Start-­>Run... and type taskm­gr.exe
- Look for unusua­l/u­nex­pected processes
- Focus on processes with username SYSTEM or ADMI­NIS­TRA­TOR or user in the Local Admini­str­ato­r's group.

Unusual Scheduled Tasks

List System Scheduled Tasks
schtasks
You can also use the Task Scheduler GUI:
Star­t->­Pro­gra­ms-­>Ac­ces­sor­ies­->S­ystem Tools-­>Sc­heduled Tasks

Look for unusual Tasks run as a user of the Local Admin, SYSTEM, or blank username

Unusual Reg Key Entries

Check the Registry Run keys for malware that has made an entry to launch itself.
- HKLM\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\Run
- HKLM\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­unonce
- HKLM\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­uno­nceEx
- HKCU\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\Run
- HKCU\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­unonce
- HKCU\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­uno­nceEx

C:\reg query hklm\s­oft­war­e\m­icr­oso­ft­\win­dow­s\c­urr­ent­ver­sio­n\run
These can also be analyzed with reged­it.e­xe.
Autor­uns.exe from Syst­Int­ern­als will pull all Auto Start Entry Points.

Unusual Services

Services Control Panel
servi­ces.msc
List Of Sevices Availa­ble
nets start
Show Service Datail
sc query | more
Map of Service from Which Process
tasklist /svc

Download the Windows IR Live Forensics Cheat Sheet

2 Pages
//media.cheatography.com/storage/thumb/koriley_windows-ir-live-forensics.750.jpg

PDF (recommended)

Alternative Downloads

Share This Cheat Sheet!

 

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          VLC (Windows & OS X) Keyboard Shortcuts
          Sublime Text 2 Windows Keyboard Shortcuts
          Metasploit 4.5.0-dev.15713 Cheat Sheet