Windows Incident Response Template

This template is intended to provide some useful commands and areas to look for anomalous behavior within the Windows environment. Please be aware that these commands are the same as those found on the SANS Intrusion Discovery Cheat Sheet; however, this template takes it a step further by providing additional information on each command's usefulness.

a.     To look for unusual processes and services, use the following commands:

       I.    taskmgr.exe – displays running processes and services. The next three commands are run from the command prompt (cmd):

       II.   tasklist – displays a list of running processes along with their corresponding PID (process ID), session name, session number, and memory usage. Getting a PID is useful for ending a questionable process with the taskkill command.

       III.  wmic process list full – a Windows Management Instrumentation command-line (WMIC) query that displays all processes along with detailed information, such as their executable path, and much more.

       IV.   tasklist /svc – displays a list of all processes along with their corresponding PID and the services tied to them.
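
The checks above are done one command at a time. The following script, added here as an example and not part of the original template, produces the same process inventory (PID, parent, path, command line) in one pass and flags the conditions a responder usually examines first: binaries running from user-writable paths, core Windows process names running from outside the Windows directory, and files without a valid Authenticode signature. The list of suspect path fragments and core binary names is an assumed baseline for the example and should be tuned to the environment.

```powershell
# Added example, not part of the original template: list running processes with PID,
# parent, path and command line (what tasklist / wmic process list full show), then flag
# the ones a responder usually looks at first. Run from an elevated PowerShell prompt.

# Path fragments from which legitimate services rarely run. Assumed baseline; tune it.
$suspectDirs = @('\Temp\', '\AppData\', '\ProgramData\', '\Users\Public\', '\Downloads\')

# Names of core Windows binaries; a file with one of these names outside %SystemRoot%
# is a classic masquerade and deserves a look.
$coreNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'services.exe', 'winlogon.exe', 'explorer.exe', 'smss.exe')

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$report = foreach ($p in $procs) {
    $path   = $p.ExecutablePath
    $parent = $byPid[[int]$p.ParentProcessId]
    $flags  = @()

    if ($path) {
        foreach ($d in $suspectDirs) {
            if ($path -like "*$d*") { $flags += 'user-writable-path'; break }
        }
        if ($coreNames -contains $p.Name -and $path -notlike "$env:SystemRoot\*") {
            $flags += 'core-name-outside-windows-dir'
        }
        # Authenticode check: Windows binaries validate through catalogs and most third-party
        # software is signed, so NotSigned on a long-running process is worth asking about.
        $sig = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue
        if ($sig -and $sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    } elseif ($p.ProcessId -notin 0, 4) {
        # Idle (PID 0), System (PID 4) and the kernel pseudo-processes (Registry, Memory
        # Compression, Secure System) have no image path; anything else without one is odd.
        $flags += 'no-executable-path'
    }

    [pscustomobject]@{
        PID         = $p.ProcessId
        Name        = $p.Name
        ParentPID   = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited>' }
        Path        = $path
        CommandLine = $p.CommandLine
        Flags       = ($flags -join ',')
    }
}

# Full inventory first (the tasklist view), then only what needs a human.
$report | Sort-Object PID | Format-Table PID, Name, ParentPID, Parent, Path -AutoSize

"`n== Flagged processes =="
$report | Where-Object Flags | Format-Table PID, Name, Parent, Flags, CommandLine -AutoSize -Wrap
```

The parent column matters as much as the path: a process whose parent has already exited, or a system binary whose parent is not the one Windows normally uses, is the kind of detail the tasklist output alone does not surface.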


b.     To look for unusual files and registry keys, use the Windows search feature to look for files larger than 10MB, and use regedit to look for unusual entries in the following areas:

       I.    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

       II.   HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

       III.  HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Generally these three registry keys contain startup configurations for specific programs, including malware.


c.     To look for unusual network usage, the following Windows commands in the command line interface (cmd) provide an excellent view of network activity on a system:

       I.    net view \\127.0.0.1 (or localhost) – displays the shared folders on the system. Shared folders that are not supposed to be there are a significant red flag.

       II.   net session – displays open sessions with other systems on the network. This is useful for detecting communications with other systems on the network and determining whether the connections are legitimate. A good example is an https connection to a rogue server on the internet, with heavy bandwidth usage between the compromised computer in question and that rogue server.

       III.  nbtstat -S – displays NetBIOS-over-TCP/IP activity on the various network interfaces the machine in question may have.

       IV.   netstat and its various flags (e.g. netstat -na, netstat -nao, etc.) provide a tremendous amount of information about listening and established TCP/IP connections, along with their ports and whether the protocol used is TCP or UDP. This is useful for determining unusual traffic patterns on the computer in question.
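
As an added example that is not part of the original template, the script below combines the netstat -nao, net view \\localhost and net session views into one PowerShell pass: every listening and established TCP endpoint and bound UDP endpoint with its owning process name, established connections whose remote address falls outside private, loopback and link-local ranges (the "rogue server on the internet" case above), and the host's own SMB shares and inbound SMB sessions. The Test-PrivateAddress helper and its address ranges are this example's own.

```powershell
# Added example, not part of the original template: list listening and established
# endpoints with their owning process, flag remote peers outside private address space,
# and show SMB shares and sessions. Run from an elevated PowerShell prompt.

function Test-PrivateAddress {
    param([string]$Address)
    # RFC 1918, loopback, link-local, unspecified, and IPv6 loopback / link-local / ULA.
    return ($Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::1$|::$|fe80:|f[cd][0-9a-f]{2}:)')
}

# PID -> process name, so the table reads like "netstat -nao" with names resolved.
$procName = @{}
Get-Process | ForEach-Object { $procName[$_.Id] = $_.ProcessName }

$tcp = Get-NetTCPConnection | Where-Object { $_.State -in 'Listen', 'Established' } | ForEach-Object {
    $external = ($_.State -eq 'Established') -and -not (Test-PrivateAddress $_.RemoteAddress)
    [pscustomobject]@{
        Proto   = 'TCP'
        State   = $_.State
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = if ($_.State -eq 'Listen') { '' } else { "$($_.RemoteAddress):$($_.RemotePort)" }
        PID     = $_.OwningProcess
        Process = $procName[[int]$_.OwningProcess]
        Flag    = if ($external) { 'external-peer' } else { '' }
    }
}

$udp = Get-NetUDPEndpoint | ForEach-Object {
    [pscustomobject]@{
        Proto = 'UDP'; State = 'Bound'; Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = ''
        PID = $_.OwningProcess; Process = $procName[[int]$_.OwningProcess]; Flag = ''
    }
}

"== Listening and established endpoints (netstat -nao equivalent) =="
@($tcp) + @($udp) | Sort-Object Proto, State, Local | Format-Table -AutoSize

"`n== Established connections to non-private addresses, grouped by process and peer =="
@($tcp) | Where-Object Flag | Group-Object Process, Remote | Select-Object Count, Name | Format-Table -AutoSize

"`n== Shares exposed by this host (net view \\localhost equivalent) =="
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

"`n== Inbound SMB sessions (net session equivalent) =="
Get-SmbSession | Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle | Format-Table -AutoSize
```

Grouping the external connections by process and peer is what turns a long netstat listing into a short question list: one browser process with many peers is expected, one unfamiliar process with a single persistent peer is not.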


d.     To look for unusual startup (or scheduled) tasks, use the following commands:

       I.    msconfig – displays all startup configurations, from services to files in the startup folder. This is also useful for disabling anything trying to start during Windows login or boot-up, and for troubleshooting problems caused by nefarious or poorly written programs.

       II.   schtasks – displays tasks scheduled to run at specific times. This is useful not only for troubleshooting problems, but also for looking for would-be logic bombs.

       III.  wmic startup list full – displays all of the services and programs that start when Windows boots and/or upon Windows login.
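
Sections b and d both cover autostart locations, so the following added example (not part of the original template) serves both: it reads the Run, RunOnce and RunOnceEx keys from section b in both hives, the Startup folders that msconfig shows, and the scheduled tasks that schtasks lists, then resolves each entry to the program it launches and flags missing files, user-writable paths and invalid signatures. The Resolve-Launcher helper and the path heuristics are this example's own assumptions.

```powershell
# Added example, not part of the original template: gather the autostart locations the
# template has you inspect by hand (Run/RunOnce/RunOnceEx keys, Startup folders, scheduled
# tasks) into one table and resolve each entry to the file it launches. Run elevated.

# The keys from section b, in both hives and the 32-bit (WOW6432Node) view.
$runKeys = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($k in 'Run', 'RunOnce', 'RunOnceEx') {
        "${hive}:\Software\Microsoft\Windows\CurrentVersion\$k"
        "${hive}:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\$k"
    }
}

function Resolve-Launcher {
    param([string]$CommandLine)
    # Extract the program from a command line: quoted path first, then a path ending in a
    # known executable extension (handles unquoted paths with spaces), then the first token.
    if ($CommandLine -match '^\s*"([^"]+)"') { return $matches[1] }
    if ($CommandLine -match '^\s*(.+?\.(?:exe|com|bat|cmd|vbs|js|ps1|dll|scr))(?=\s|$)') { return $matches[1] }
    return ($CommandLine -split '\s+')[0]
}

$entries = @()

# 1. Registry Run keys. RunOnceEx nests numbered subkeys, hence the recursion.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $items = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        foreach ($name in $item.GetValueNames()) {
            $entries += [pscustomobject]@{ Source = 'Registry'; Location = "$($item.Name)\$name"; Command = [string]$item.GetValue($name) }
        }
    }
}

# 2. Startup folders (per-user and all-users). .lnk shortcuts are reported as the .lnk itself.
$startupDirs = @("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup")
foreach ($dir in $startupDirs) {
    Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $entries += [pscustomobject]@{ Source = 'StartupFolder'; Location = $_.FullName; Command = $_.FullName }
    }
}

# 3. Scheduled tasks (what schtasks lists), one row per executable action.
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute) {
            $entries += [pscustomobject]@{ Source = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Command = ("$($a.Execute) $($a.Arguments)").Trim() }
        }
    }
}

# Resolve and annotate every entry.
$report = foreach ($e in $entries) {
    $exe   = [Environment]::ExpandEnvironmentVariables((Resolve-Launcher $e.Command))
    $flags = @()
    if (-not $exe) {
        $flags += 'no-executable'
    } elseif (-not (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
        # Bare names such as rundll32.exe resolve through PATH; anything else missing is odd.
        $found = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($found) { $exe = $found.Source } else { $flags += 'file-not-found' }
    }
    if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf -ErrorAction SilentlyContinue)) {
        if ($exe -match '\\(Temp|AppData|ProgramData|Users\\Public|Downloads)\\') { $flags += 'user-writable-path' }
        $sig = Get-AuthenticodeSignature -LiteralPath $exe
        if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
    }
    [pscustomobject]@{ Source = $e.Source; Location = $e.Location; Executable = $exe; Command = $e.Command; Flags = ($flags -join ',') }
}

$report | Sort-Object Source, Location | Format-Table Source, Location, Executable, Flags -AutoSize -Wrap
"`n== Autostart entries needing review =="
$report | Where-Object Flags | Format-Table Source, Location, Command, Flags -AutoSize -Wrap
```

A file-not-found entry is worth keeping rather than discarding: a Run value or task that points at a program which no longer exists is often the residue of something that was removed, and its name and former path still tell you what ran on the machine.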


e.     To look for unusual accounts, use the following three commands:

       I.    lusrmgr.msc – this console is only useful for looking at local accounts on a machine. Two account types to look for specifically are Administrator accounts that are not supposed to be on the machine and active Guest accounts, as those can lead to serious security compromises.

       II.   net user (in the command prompt) – displays all user accounts on the local machine.

       III.  net localgroup administrators – displays all local administrator user accounts. This is useful for finding administrator accounts that do not belong on a particular machine.
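
The same three checks as a script, added here as an example and not part of the original template. It lists local accounts and the members of Administrators, then flags exactly what the text asks for: an enabled Guest account (matched by its well-known RID 501, so renaming it does not hide it) and Administrators members that are not on an expected list. The expected-members list is an assumed baseline for the example and must be replaced with the correct names for the environment.

```powershell
# Added example, not part of the original template: the lusrmgr.msc / net user /
# net localgroup administrators checks as a script, flagging the conditions the template
# names plus a few related ones. Run from an elevated PowerShell prompt.

# Principals you expect in the local Administrators group. Assumed baseline for the
# example; replace with the names that are correct for your environment.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator", 'CONTOSO\Domain Admins')

$findings = @()

"== Local accounts (net user equivalent) =="
$users = Get-LocalUser
$users | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description | Format-Table -AutoSize

foreach ($u in $users) {
    $sid = $u.SID.Value
    # Well-known RIDs survive renames: 500 = built-in Administrator, 501 = Guest.
    if ($sid -like 'S-1-5-21-*-501' -and $u.Enabled) {
        $findings += "Guest account '$($u.Name)' is ENABLED"
    }
    if ($sid -like 'S-1-5-21-*-500' -and $u.Name -ne 'Administrator') {
        $findings += "Built-in Administrator (RID 500) is renamed to '$($u.Name)'"
    }
    # A very recent password change is worth correlating with who was on the machine.
    if ($u.PasswordLastSet -and $u.PasswordLastSet -gt (Get-Date).AddDays(-7)) {
        $findings += "Password for '$($u.Name)' was set within the last 7 days ($($u.PasswordLastSet))"
    }
    if ($u.Enabled -and -not $u.LastLogon -and $u.Name -ne 'Administrator') {
        $findings += "Enabled account '$($u.Name)' has never logged on"
    }
}

"`n== Members of Administrators (net localgroup administrators equivalent) =="
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource, SID | Format-Table -AutoSize

foreach ($m in $admins) {
    if ($expectedAdmins -notcontains $m.Name) {
        $findings += "Unexpected member of Administrators: $($m.Name) [$($m.ObjectClass), $($m.PrincipalSource)]"
    }
    # A member whose name cannot be resolved (deleted or foreign account) shows as a raw SID.
    if ($m.Name -match '^S-1-5-') {
        $findings += "Unresolvable SID in Administrators: $($m.Name)"
    }
}

"`n== Findings =="
if ($findings) { $findings | ForEach-Object { " - $_" } } else { " (none)" }
```

Matching on the RID rather than the account name is the point of the Guest check: net user shows whatever the account is currently called, and an attacker who enables Guest has every reason to rename it.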


f.     The final and most crucial area to look for unusual behavior is Event Viewer, which displays all the event log content that Windows actively records. To open it, type eventvwr.msc in the Run box.

       I.    Look for warnings, errors, and other events (e.g. system reboots at unusual times, etc.).

       II.   If the log files are missing, it is a reliable indicator that the machine has been or is compromised and the intruder is trying to hide his or her tracks.
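
Event Viewer is interactive; the script below, an added example that is not part of the original template, runs the same review as queries against the System, Application and Security logs. It looks for the two things the text calls out, cleared logs (Security 1102, System 104) and unexpected reboots (System 6008 and Kernel-Power 41), adds the account and service events that support sections d and e (Security 4720/4726/4732/4625, System 7045), summarises errors and warnings by source, and reports each log's record count and oldest entry so that a log that has been emptied or recently truncated stands out even when no "cleared" event survived. The event IDs are Microsoft's documented ones; the 14-day window is an assumption.

```powershell
# Added example, not part of the original template: query the logs Event Viewer shows for
# the conditions the template names (cleared logs, unexpected reboots, recent errors and
# warnings) and for account/service events. The Security log requires an elevated prompt.

$since = (Get-Date).AddDays(-14)   # review window; assumption for this example

function Get-Events {
    param([hashtable]$Filter)
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result.
    try { Get-WinEvent -FilterHashtable $Filter -ErrorAction Stop } catch { @() }
}

$checks = @(
    # Log tampering: 1102 = Security audit log cleared; 104 = System log cleared.
    @{ Title = 'Security log cleared (1102)'; Filter = @{ LogName = 'Security'; Id = 1102; StartTime = $since } },
    @{ Title = 'System log cleared (104)';    Filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104; StartTime = $since } },
    # 6008 = previous shutdown was unexpected; 41 = Kernel-Power reboot without a clean shutdown.
    @{ Title = 'Unexpected reboots (6008, 41)'; Filter = @{ LogName = 'System'; Id = 6008, 41; StartTime = $since } },
    # 4720 user created, 4726 user deleted, 4732 member added to a security-enabled local group.
    @{ Title = 'Local account changes (4720, 4726, 4732)'; Filter = @{ LogName = 'Security'; Id = 4720, 4726, 4732; StartTime = $since } },
    # 4625 = failed logon; a burst of these precedes most account compromises.
    @{ Title = 'Failed logons (4625)'; Filter = @{ LogName = 'Security'; Id = 4625; StartTime = $since } },
    # 7045 = a new service was installed, one of the most common persistence footprints.
    @{ Title = 'New services installed (7045)'; Filter = @{ LogName = 'System'; Id = 7045; StartTime = $since } }
)

foreach ($c in $checks) {
    $events = @(Get-Events $c.Filter)
    "== $($c.Title): $($events.Count) in window =="
    $events | Select-Object -First 20 TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}

# Errors (Level 2), criticals (1) and warnings (3) by source, so the noisy component stands out.
"== Errors and warnings by source =="
Get-Events @{ LogName = 'System', 'Application'; Level = 1, 2, 3; StartTime = $since } |
    Group-Object ProviderName | Sort-Object Count -Descending | Select-Object -First 15 Count, Name | Format-Table -AutoSize

# A log that is empty, or whose oldest record is suspiciously recent, is itself a finding:
# it is what "the log files are missing" looks like when the file is still present.
"`n== Log record counts and oldest entry =="
Get-WinEvent -ListLog Security, System, Application, 'Windows PowerShell' | ForEach-Object {
    $oldest = Get-WinEvent -LogName $_.LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Log        = $_.LogName
        Records    = $_.RecordCount
        Oldest     = $oldest.TimeCreated
        FileSizeMB = [math]::Round($_.FileSize / 1MB, 1)
    }
} | Format-Table -AutoSize
```

Read the last table together with the first two checks: a Security log whose oldest record is a few hours old, with no 1102 event in it, means the clearing happened and the record of it did not survive, which is the stronger version of the indicator the text describes.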


http://www.sans.org/score/checklists/ID_Windows.pdf
