Show Menu
Cheatography
  1. Home >
  2. Software >

Windows IR Live Forensics Cheat Sheet by

Based on John Strand's Webcast - Live Windows Forensics..

Unusual Network Usage

Look at File Shares
 
net view \\127.0.0.1
Open Sessions with Machine
 
net session
Session This machine has Opened
 
net use
NetBIOS over TCP/IP Activity
 
nbtstat -S
List Listening TCP and UDP Ports
 
netstat -na
5 - Continuous Scrolling every 5 seconds
 
netstat -na 5
-o flag shows process ID -b flag shows executable
 
netstat -naob
Inspect Firewall rules
 
netsh advfir­ewall show curren­tpr­ofile
  
netsh firewall show config

Unusual Accounts

Unexpected Users in the Admini­str­ators Group
 
lusrmg­r.msc
List Users
 
net user
List Members of Admin Group
 
net localgroup admini­str­ators
List Domain Users
 
net user /domain
When looking at domain accounts, the command will be run on the domain contro­ller. A large domain may take some time - redirect to a text file to analyze:
net user /domain > domain­Use­rs.txt

Windows Security & System Events To Look For

Security 4720
User Account Created
Security 4722
User Account Enabled
Security 4724
Password Reset
Security 4738
User Account Change
Security 4732
Accout Added or Removed From Group
Security 1102
Audit Log Cleared
System 7030
Basic Service Operations
System 7045
Service Was Installed
System 1056
DHCP Server Oddities
System 10000
COM Functi­onality
System 20001
Device Driver Instal­lation
System 20002
Remote Access
System 20003
Service Instal­lation

Search for Other Startup Items

Users' Autostart Folders
 
dir /s /b "­C:­\Doc­uments and Settings\ [user name]\Start Menu\"
  
dir /s /b "­C:­\Users\ [user name]\Start Menu\"
Use WMIC To find Start Up Programs
 
wmic startup list full
 

Unusual Processes

Task List
 
tasklist
 
`wmic process list full'
Parend Process ID
 
wmic process get name,p­are­ntp­roc­essid, processid
Comman­d-Line Options and DLLs
 
tasklist /m /fi "pid eq [pid]"
  
wmic process where proces­sid­=[pid] get comman­dline
Run Task Manager: Start-­>Run... and type 
taskmg­r.exe

- Look for unusua­l/u­nex­pected processes
- Focus on processes with username SYSTEM or ADMINI­STRATOR or user in the Local Admini­str­ator's group.

Unusual Scheduled Tasks

List System Scheduled Tasks
 
schtasks
You can also use the Task Scheduler GUI:
Start-­>Pr­ogr­ams­->A­cce­sso­rie­s->­System Tools-­>Sc­heduled Tasks

Look for unusual Tasks run as a user of the Local Admin, SYSTEM, or blank username

Unusual Reg Key Entries

Check the Registry Run keys for malware that has made an entry to launch itself.
- HKLM\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\Run
- HKLM\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­unonce
- HKLM\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­uno­nceEx
- HKCU\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\Run
- HKCU\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­unonce
- HKCU\S­oft­war­e\M­icr­oso­ft­\Win­dow­s\C­urr­ent­Ver­sio­n\R­uno­nceEx

C:\reg query hklm\s­oft­war­e\m­icr­oso­ft­\win­dow­s\c­urr­ent­ver­sio­n\run
These can also be analyzed with 
regedi­t.exe
.
Autoru­ns.exe
from SystIn­ternals will pull all Auto Start Entry Points.

Unusual Services

Services Control Panel
 
servic­es.msc
List Of Sevices Available
 
nets start
Show Service Datail
 
sc query | more
Map of Service from Which Process
 
tasklist /svc
               
 

Metadata

  • Languages:
  • Published: 4th April, 2017
  • Last Updated: 5th April, 2017

Comments

No comments yet. Add yours below!

Add a Comment

Your Comment

Please enter your name.

    Please enter your email address

      Please enter your Comment.

          Related Cheat Sheets

          VLC (Windows & OS X) Keyboard Shortcuts
          Sublime Text 2 Windows Keyboard Shortcuts