A Penetration Testing Cheat Sheet For Windows Machine – Intrusion Detection

This cheat sheet provides guidelines for Windows Administrators and security personnel to identify signs of compromise on Windows machines. It outlines steps to check for unusual log entries, processes, files, network usage, scheduled tasks, and accounts. The document emphasizes the importance of regular examinations to detect potential intrusions effectively.

By: gurubaran | March 26, 2017


In the event that your Windows machine has been compromised, or whenever you
need to look for any other reason, this cheat sheet is intended to help. It is
written for Windows administrators and security personnel who need to examine
a system thoroughly, inside and out, for indications of compromise.

Windows Cheat Sheet

1. Unusual Log Entries

Check your logs for suspicious events, such as:

“Event log service was stopped.”
“Windows File Protection is not active on this system.”
“The protected System file [file name] was not restored to its original, valid version because of the Windows File Protection…”
“The MS Telnet Service has started successfully.”
Look for a large number of failed logon attempts or locked out accounts.

To do this using the GUI, run the Windows event viewer:

C:> eventvwr.msc

Using the command prompt:

C:> eventquery.vbs | more

Or, to focus on a particular event log:

C:> eventquery.vbs /L security
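The eventquery.vbs script only exists on older Windows versions. The following PowerShell script is an added example (not part of the original article) that performs the same section-1 checks with Get-WinEvent: it pulls the "event log service stopped" and lockout events and then counts failed logons per account and per source address. It assumes the standard Windows event IDs listed in the comments and a 7-day look-back window; run it from an elevated prompt, since the Security log requires administrator rights.

```powershell
# Added example, not part of the original article: summarize the section-1
# indicators with Get-WinEvent. Run from an elevated prompt (the Security log
# needs administrator rights). The 7-day look-back is an assumption; adjust it.
$since = (Get-Date).AddDays(-7)

# Standard Windows event IDs used below:
#   6006  System    "The Event log service was stopped."
#   1100  Security  "The event logging service has shut down."
#   4740  Security  "A user account was locked out."
#   4625  Security  "An account failed to log on."
$checks = @(
    @{ LogName = 'System';   Id = 6006       },
    @{ LogName = 'Security'; Id = 1100, 4740 }
)

foreach ($c in $checks) {
    $c['StartTime'] = $since
    Get-WinEvent -FilterHashtable $c -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize
}

# Failed logons: pull the target account and source address out of each
# event's XML and count failures per account and per source. A burst against
# one account, or many accounts tried from one source, is what to look for.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    }

"Failed logons per account:"
$failed | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"Failed logons per source address:"
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Reading the account and address from the event XML rather than from the message text keeps the script independent of the display language of the machine.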

2. Unusual Processes and Services

Look for unusual/unexpected processes, and focus on processes with User
Name “SYSTEM” or “Administrator” (or users in the Administrators’ group). You
need to be familiar with normal processes and services and search for
deviations.

Using the GUI, run Task Manager:

C:> taskmgr.exe

Using the command prompt:

C:> tasklist

C:> wmic process list full

Also look for unusual services.

Using the GUI:

C:> services.msc

Using the command prompt:

C:> net start

C:> sc query

For a list of services associated with each process:

C:> tasklist /svc
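The following PowerShell script is an added example (not part of the original article) that turns the section-2 checks into a repeatable report: it lists processes with owner, parent PID and image path, highlights SYSTEM/Administrator processes whose image lies outside the Windows and Program Files trees, lists services with their binary path, and groups running services by hosting process as tasklist /svc does. The "trusted" directory list and the Test-TrustedPath and Get-ServiceImage helper names are assumptions made for this example; run it elevated so that owner and path information is readable for every process.

```powershell
# Added example, not part of the original article: the section-2 checks as a
# script. Run elevated so owner and image path are readable for every process.
# The "trusted" directories are an assumption used only to reduce noise; a
# process outside them is not automatically malicious, just worth a look.
$trusted = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }

function Test-TrustedPath([string]$Path) {
    foreach ($t in $trusted) {
        if ($Path.StartsWith($t, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Processes with owner, parent PID, image path and command line (wmic process
# list full shows the same data; tasklist does not show the path).
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    [pscustomobject]@{
        PID     = $_.ProcessId
        PPID    = $_.ParentProcessId
        Name    = $_.Name
        User    = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '' }
        Path    = $_.ExecutablePath   # empty for kernel/protected processes
        CmdLine = $_.CommandLine
    }
}

"SYSTEM/Administrator processes running from outside the trusted directories:"
$procs | Where-Object {
    $_.User -match '\\(SYSTEM|Administrator)$' -and $_.Path -and -not (Test-TrustedPath $_.Path)
} | Format-Table PID, PPID, Name, User, Path -AutoSize -Wrap

# Services (net start / sc query): start mode, account and image path.
function Get-ServiceImage([string]$PathName) {
    if (-not $PathName) { return '' }
    if ($PathName.StartsWith('"')) { return ($PathName -split '"')[1] }   # quoted path
    $m = [regex]::Match($PathName, '^(.+?\.exe)', 'IgnoreCase')          # unquoted, up to .exe
    if ($m.Success) { return $m.Groups[1].Value }
    return ($PathName -split ' ')[0]
}

$services = Get-CimInstance Win32_Service | ForEach-Object {
    [pscustomobject]@{
        Name      = $_.Name
        State     = $_.State
        StartMode = $_.StartMode
        Account   = $_.StartName
        PID       = $_.ProcessId
        Image     = Get-ServiceImage $_.PathName
        # An unquoted image path containing spaces is resolved ambiguously by
        # Windows and is a configuration defect worth fixing in its own right.
        Unquoted  = ($_.PathName -and -not $_.PathName.StartsWith('"') -and
                     (Get-ServiceImage $_.PathName) -match ' ')
    }
}

"Services whose image is outside the trusted directories, or whose path is unquoted with spaces:"
$services | Where-Object { ($_.Image -and -not (Test-TrustedPath $_.Image)) -or $_.Unquoted } |
    Format-Table Name, State, StartMode, Account, Image, Unquoted -AutoSize -Wrap

# Equivalent of tasklist /svc: which services share each hosting process.
"Running services grouped by hosting PID:"
$services | Where-Object { $_.State -eq 'Running' } | Group-Object PID |
    Select-Object @{ n = 'PID'; e = { $_.Name } }, @{ n = 'Services'; e = { $_.Group.Name -join ', ' } } |
    Format-Table -AutoSize -Wrap
```

Saving the two tables from a known-good state of the machine and diffing them with Compare-Object on later runs is the most practical way to apply the "know what is normal" advice above.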

3. Unusual Files and Registry Keys

Check file space usage to look for sudden major decreases in free space, using
the GUI (right-click on a partition), or type:

C:> dir c:

Look for unusually big files:

Start -> Search -> For Files or Folders… -> Search Options -> Size -> At Least 10000KB

Look for strange programs referred to in registry keys associated with system
start up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Note that you should also check the HKCU counterparts (replace HKLM with
HKCU above).

Using the GUI:

C:> regedit

Using the command prompt:

C:> reg query <reg key>
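The following PowerShell script is an added example (not part of the original article) covering section 3 end to end: it enumerates the Run, RunOnce and RunOnceEx keys for both HKLM and HKCU (plus the Wow6432Node view present on 64-bit systems), flags entries that launch from user-writable locations, reports free space per fixed disk, and lists files of at least 10000 KB written recently. The 10000 KB threshold is the article's; the search root, the 30-day window and the "user-writable" pattern are assumptions for this example.

```powershell
# Added example, not part of the original article: enumerate the section-3
# autostart keys for HKLM and HKCU (plus the 32-bit Wow6432Node view present on
# 64-bit systems), flag entries that launch from user-writable paths, then
# report free disk space and unusually large files. HKCU here is only the
# current user's hive; other users' hives live under HKEY_USERS (or must be
# loaded from their NTUSER.DAT). RunOnceEx keeps its commands in numbered
# subkeys, so each key is read together with its subkeys.
$subkeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$autoruns = foreach ($hive in 'HKLM', 'HKCU') {
    foreach ($sub in $subkeys) {
        $key = "${hive}:\$sub"
        if (-not (Test-Path -Path $key)) { continue }
        $keys = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            foreach ($p in (Get-ItemProperty -Path $k.PSPath).PSObject.Properties) {
                if ($p.Name -in $psProps) { continue }
                [pscustomobject]@{ Key = $k.Name; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

"All Run/RunOnce/RunOnceEx entries:"
$autoruns | Format-Table -AutoSize -Wrap

"Entries launching from user-writable locations (review these first; pattern is an assumption):"
$autoruns | Where-Object { $_.Command -match '(?i)\\(Users|Temp|AppData|ProgramData|Public)\\' } |
    Format-Table -AutoSize -Wrap

# Free space per fixed disk (a sudden large drop is the signal the article describes).
"Disk usage:"
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object DeviceID,
        @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } },
        @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB, 1) } } |
    Format-Table -AutoSize

# Files of at least 10000 KB written in the last 30 days, newest first.
# A full walk of C: is slow; narrow the path on large volumes.
"Large, recently written files:"
Get-ChildItem -Path 'C:\' -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -ge 10000KB -and $_.LastWriteTime -gt (Get-Date).AddDays(-30) } |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, LastWriteTime |
    Format-Table -AutoSize
```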

4. Unusual Network Usage

Look at file shares, and make sure each has a defined business purpose:

C:> net view \\127.0.0.1

Look at who has an open session with the machine:

C:> net session

Look at which sessions this machine has opened with other systems:

C:> net use

Look at NetBIOS over TCP/IP activity:

C:> nbtstat -S

Look for unusual listening TCP and UDP ports:

C:> netstat -na

For continuously updated, scrolling output of this command every 5 seconds:

C:> netstat -na 5

The -o flag shows the owning process id:

C:> netstat -nao 5

The -b flag shows the executable name and the DLLs loaded for the network
connection:

C:> netstat -naob 5

Note that the -b flag uses excessive CPU resources.


Again, you need to understand normal port usage for the system and look for
deviations.

Also, check Windows Firewall configuration:

C:> netsh firewall show config
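The netsh firewall context above is deprecated on current Windows versions, where netsh advfirewall show allprofiles replaces it. The following PowerShell script is an added example (not part of the original article) that performs the section-4 checks with the NetTCPIP and SMB cmdlets available on Windows 8 / Server 2012 and later: listening TCP and UDP ports joined to their owning process (the netstat -naob view), listeners on unexpected ports bound to all interfaces, shares, inbound and outbound SMB sessions, and firewall profile state. The list of ports expected to listen and the Get-Listeners helper name are assumptions for this example; run it elevated so that process paths resolve.

```powershell
# Added example, not part of the original article: the section-4 checks with
# the NetTCPIP and SMB cmdlets (Windows 8 / Server 2012 and later). Run
# elevated so process paths resolve. The list of ports expected to listen is an
# assumption; replace it with the baseline for the machine being examined.
$expectedPorts = 135, 139, 445, 3389

# Map PID -> process once, so every listener can be labelled cheaply.
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[$_.Id] = $_ }

function Get-Listeners {
    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{ n = 'Proto'; e = { 'TCP' } }, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{ n = 'Proto'; e = { 'UDP' } }, LocalAddress, LocalPort, OwningProcess
    foreach ($e in @($tcp) + @($udp)) {
        $p = $procByPid[[int]$e.OwningProcess]
        [pscustomobject]@{
            Proto   = $e.Proto
            Address = $e.LocalAddress
            Port    = $e.LocalPort
            PID     = $e.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '?' }
            Path    = if ($p) { $p.Path } else { '' }   # empty without elevation
        }
    }
}

$listeners = Get-Listeners | Sort-Object Proto, Port

"All listeners with owning process (netstat -naob equivalent):"
$listeners | Format-Table Proto, Address, Port, PID, Process, Path -AutoSize

"Listeners on unexpected ports bound to all interfaces:"
$listeners | Where-Object { $_.Port -notin $expectedPorts -and $_.Address -in '0.0.0.0', '::' } |
    Format-Table Proto, Address, Port, PID, Process, Path -AutoSize

"File shares (net view \\127.0.0.1):"
Get-SmbShare | Select-Object Name, Path, Description | Format-Table -AutoSize

"Inbound SMB sessions (net session):"
Get-SmbSession -ErrorAction SilentlyContinue |
    Select-Object ClientComputerName, ClientUserName, NumOpens | Format-Table -AutoSize

"Outbound SMB connections (net use):"
Get-SmbConnection -ErrorAction SilentlyContinue |
    Select-Object ServerName, ShareName, UserName | Format-Table -AutoSize

"Firewall profiles (netsh advfirewall show allprofiles):"
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction | Format-Table -AutoSize
```

Because the listener table is built from objects rather than parsed text, the script can be scheduled and its output compared against a saved baseline, which is how the "understand normal port usage" advice above becomes an automated check.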

5. Unusual Scheduled Tasks

Look for unusual scheduled tasks, especially those that run as a user in the
Administrators group, as SYSTEM, or with a blank user name.

Using the GUI, run Task Scheduler:

Start -> Programs -> Accessories -> System Tools -> Scheduled Tasks

Using the command prompt:

C:> schtasks

Check other autostart items as well for unexpected entries, remembering to
check user autostart directories and registry keys.

Using the GUI, run msconfig and look at the Startup tab:

Start -> Run, msconfig.exe

Using the command prompt:

C:> wmic startup list full
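The following PowerShell script is an added example (not part of the original article) for section 5: it lists every scheduled task with the account it runs as and the command it executes, flags the three cases the article names (blank user, SYSTEM, or a member of the local Administrators group), and then lists the other autostart locations (the per-user and all-users Startup folders, and the Win32_StartupCommand entries behind wmic startup list full). The Test-PrivilegedPrincipal helper name is an assumption for this example; Get-ScheduledTask needs Windows 8 / Server 2012 or later, and the script should be run elevated.

```powershell
# Added example, not part of the original article: list scheduled tasks with
# the account they run as and what they execute, flag the cases section 5
# names (blank user, SYSTEM, or a member of the Administrators group), and
# list the other autostart locations (startup folders, Win32_StartupCommand).
# Needs Windows 8 / Server 2012 or later for Get-ScheduledTask; run elevated.
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })

function Test-PrivilegedPrincipal([string]$UserId) {
    if ([string]::IsNullOrWhiteSpace($UserId)) { return $true }              # blank user
    if ($UserId -match '^(SYSTEM|LocalSystem|S-1-5-18)$') { return $true }   # SYSTEM
    $short = ($UserId -split '\\')[-1]                                        # strip MACHINE\ or DOMAIN\
    foreach ($a in $admins) {
        if ($a -eq $UserId -or ($a -split '\\')[-1] -eq $short) { return $true }
    }
    return $false
}

# One row per task action, so tasks with several actions are fully visible.
$tasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($a in $task.Actions) {
        [pscustomobject]@{
            Task    = $task.TaskPath + $task.TaskName
            State   = $task.State
            RunAs   = $task.Principal.UserId
            LastRun = $info.LastRunTime
            NextRun = $info.NextRunTime
            Execute = $a.Execute      # empty for COM-handler actions
            Args    = $a.Arguments
        }
    }
}

# Tasks under \Microsoft\ are numerous and mostly run as SYSTEM; show them
# separately so the non-Microsoft matches are not buried. Do not skip them:
# a task placed there by an intruder looks no different at this level.
"Privileged or blank-user tasks outside \Microsoft\:"
$tasks | Where-Object { $_.Task -notlike '\Microsoft\*' -and (Test-PrivilegedPrincipal $_.RunAs) } |
    Format-Table Task, State, RunAs, LastRun, NextRun, Execute, Args -AutoSize -Wrap

"Privileged or blank-user tasks under \Microsoft\ (review against a known-good machine):"
$tasks | Where-Object { $_.Task -like '\Microsoft\*' -and (Test-PrivilegedPrincipal $_.RunAs) } |
    Format-Table Task, State, RunAs, Execute -AutoSize -Wrap

# Other autostart locations (msconfig Startup tab / wmic startup list full).
$startupDirs = @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))
"Startup folder contents:"
Get-ChildItem -Path $startupDirs -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime | Format-Table -AutoSize

"Win32_StartupCommand entries:"
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, User, Location, Command | Format-Table -AutoSize -Wrap
```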

6. Unusual Accounts

Look for new, unexpected accounts in the Administrators group:

C:> lusrmgr.msc

Click on Groups, double-click on Administrators, then check the members of this
group.
This can also be done at the command prompt:

C:> net user

C:> net localgroup administrators
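The following PowerShell script is an added example (not part of the original article) for section 6: it lists local accounts and the Administrators group, compares current membership against an expected list, and pulls the Security events that record account creation, enabling and group-membership changes, so an unexpected administrator can be traced to when it appeared and which account added it. Get-LocalUser and Get-LocalGroupMember need Windows 10 / Server 2016 or later. The expected-administrators list and the 30-day window are assumptions for this example; the event IDs are the standard Windows values noted in the comments.

```powershell
# Added example, not part of the original article: the section-6 checks plus a
# comparison of Administrators membership against an expected list and a look
# at account-management events. The expected-admins list and the 30-day window
# are assumptions; the event IDs are standard Windows values.
$expectedAdmins = @("$env:COMPUTERNAME\Administrator")   # assumed baseline; edit per machine
$since = (Get-Date).AddDays(-30)

"Local accounts (net user):"
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description | Format-Table -AutoSize

"Administrators group members (net localgroup administrators):"
$admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
$admins

# => marks members present now but not in the expected list; <= marks expected
# members that are missing. No output means the group matches the baseline.
"Differences from the expected Administrators list:"
Compare-Object -ReferenceObject $expectedAdmins -DifferenceObject $admins

# Security events: 4720 account created, 4722 account enabled,
# 4732 member added to a security-enabled local group (e.g. Administrators).
"Account-management events in the last 30 days:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4722, 4732; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            # 4732 names the member by SID (MemberName is often "-") and the group in TargetUserName.
            Target = if ($_.Id -eq 4732) {
                         "$($data['MemberName']) [$($data['MemberSid'])] -> $($data['TargetUserName'])"
                     } else { $data['TargetUserName'] }
            By     = $data['SubjectUserName']
        }
    } | Format-Table -AutoSize -Wrap
```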

7. Other Unusual Items

Look for unusually sluggish performance and a single unusual process hogging
the CPU:

Task Manager –> Process and Performance tabs

Look for unusual system crashes, beyond the normal level for the given
system.

On a periodic basis (daily, weekly, or each time you log on to a system you
manage), run through these quick steps to look for anomalous behavior that
might be caused by a computer intrusion. Each of these commands runs
locally on a system.

You can get more articles on our website: https://gbhackers.com/

10 Comments

INFOSECTDK
10:15 am on March 12, 2018

A useful reminder that tipped me off to try something on a server.

MASTERK
11:30 pm on April 2, 2017

Very good checklist.
Thanks for your time.

A FAROOK
11:03 am on March 30, 2017

Great article

W@Y&3
5:52 am on March 29, 2017

Great thanks and I would like to add something to be more effective with
these commands. You can export the command results by doing “Command
> …txt”. By doing so you can see various outputs to a text file as export.

THEDUDE
1:31 am on March 29, 2017

Thanks for taking time to do this, man. Very helpful reference.
