Table Of Contents

  • PATCHING
    • WINDOWS
    • LINUX
  • BACKUP
    • WINDOWS
    • LINUX
  • KILL MALWARE PROCESS
    • WINDOWS
    • LINUX

PATCHING

WINDOWS

Install a single hotfix on Windows 7 or higher:

wusa.exe C:\<PATH TO HOTFIX>\Windows6.0-KB934307-x86.msu

Install a set of hotfixes on pre-Windows 7 systems by running a batch script:

@echo off
setlocal
set PATHTOFIXES=E:\hotfix
%PATHTOFIXES%\Q123456_w2k_sp4_x86.exe /Z /M
%PATHTOFIXES%\Q123321_w2k_sp4_x86.exe /Z /M
%PATHTOFIXES%\Q123789_w2k_sp4_x86.exe /Z /M

To check for and install updates on Windows 7 or higher:

wuauclt.exe /detectnow /updatenow

LINUX

Ubuntu

Fetch list of available updates:

apt-get update

Upgrade the currently installed packages only (no new packages installed, none removed):

apt-get upgrade

Upgrade packages, installing new dependencies and removing packages where required:

apt-get dist-upgrade

Red Hat Enterprise Linux 2.1,3,4

up2date

To update non-interactively:

up2date-nox --update

To install a specific package:

up2date <PACKAGE NAME>

To update a specific package:

up2date -u <PACKAGE NAME>

Red Hat Enterprise Linux 5

pup

Red Hat Enterprise Linux 6

yum update

To list a specific installed package:

yum list installed <PACKAGE NAME>

To install a specific package:

yum install <PACKAGE NAME>

To update a specific package:

yum update <PACKAGE NAME>

KALI

apt-get update && apt-get upgrade

BACKUP

WINDOWS

Backup GPO Audit Policy to backup file:

auditpol /backup /file:C:\auditpolicy.csv

Restore GPO Audit Policy from backup file:

auditpol /restore /file:C:\auditpolicy.csv

Back up all GPOs in the domain to a backup path:

Backup-Gpo -All -Path \\<SERVER>\<PATH TO BACKUPS>

Restore all GPOs in the domain from a backup path:

Restore-GPO -All -Domain <INSERT DOMAIN NAME> -Path \\<SERVER>\<PATH TO BACKUPS>

Start Volume Shadow Service:

net start VSS

List shadow copy storage associations and space usage:

vssadmin List ShadowStorage

List all shadow copies:

vssadmin List Shadows

Browse Shadow Copy for files/folders:

mklink /d c:\<CREATE FOLDER>\<PROVIDE FOLDER NAME BUT DO NOT CREATE> \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Revert a volume to a selected shadow copy on Windows Server and Windows 8:

vssadmin revert shadow /shadow={<SHADOW COPY ID>} /ForceDismount

List a file's previous-version history using volrest.exe:

"\Program Files (x86)\Windows Resource Kits\Tools\volrest.exe" "\\localhost\c$\<PATH TO FILE>\<FILE NAME>"

Revert to a selected previous version of a file (by its current name, or by the @GMT name of a specific previous version) using volrest.exe:

subst Z: \\localhost\c$\<PATH TO FILE>

"\Program Files (x86)\Windows Resource Kits\Tools\volrest.exe" "\\localhost\c$\<PATH TO FILE>\<CURRENT FILE NAME OR @GMT FILE NAME FROM LIST COMMAND ABOVE>" /R:Z:\

subst Z: /D

Revert a directory and the files in its subdirectories to a previous version using volrest.exe:

"\Program Files (x86)\Windows Resource Kits\Tools\volrest.exe" \\localhost\c$\<PATH TO FOLDER>\*.* /S /r:\\localhost\c$\<PATH TO FOLDER>\

Create a shadow copy of volume C on Windows Server and Windows 7 and 10 using wmic:

wmic shadowcopy call create Volume='C:\'

Create a shadow copy of volume C on Windows 7 and 10 using PowerShell:

(gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')

Create a shadow copy of volume C on Windows Server 2003 and 2008:

vssadmin create shadow /for=c:

Create restore point on Windows:

wmic.exe /Namespace:\\root\default Path SystemRestore Call CreateRestorePoint "%DATE%", 100, 7

Stop (disable) system restore points on Windows XP:

sc config srservice start= disabled
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f
net stop srservice

Start (enable) system restore points on Windows XP:

sc config srservice start= Auto
net start srservice
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f

List of restore points:

Get-ComputerRestorePoint

Restore from a specific restore point:

Restore-Computer -RestorePoint <RESTORE POINT #> -Confirm

LINUX

  • Reset root password in single user mode:
    • Step 1: Reboot system.
      reboot -f
    • Step 2: Press ESC at GRUB screen.
    • Step 3: Select default entry and then e for edit.
    • Step 4: Scroll down until you see a line that starts with linux, linux16 or linuxefi.
    • Step 5: At the end of that line add a space followed by (without quotes) rw init=/bin/bash
    • Step 6: Press Ctrl-X to boot the edited entry.
    • Step 7: After booting you should have a root shell in single user mode; change the password.
      passwd
    • Step 8: Reboot system.
      reboot -f
  • Reinstall a package:
    apt-get install --reinstall <COMPROMISED PACKAGE NAME>
  • Reinstall all packages (the first column of dpkg's output is the package name; the second is the selection state and must not be passed to apt-get):
    apt-get install --reinstall $(dpkg --get-selections | grep -v deinstall | awk '{print $1}')

KILL MALWARE PROCESS

WINDOWS

Malware Removal:

gmer.exe (GUI)

Kill a running malicious file using gmer:

gmer.exe -killfile C:\WINDOWS\system32\drivers\<MALICIOUS FILENAME>.exe

Kill running process using wmic:

wmic process <PID> delete
wmic process where name="<FILENAME.exe>" delete

Kill running malicious file in PowerShell:

Stop-Process -Name <PROCESS NAME>
Stop-Process -ID <PID> -Force

LINUX

Stop a malware process or processes:

kill <MALICIOUS PID>
killall -9 -I <PROCESS NAME>

Remove execute permission from the malware binary and move it into quarantine:

chmod -x /usr/sbin/<SUSPICIOUS FILE NAME>
mkdir /home/quarantine/
mv /usr/sbin/<SUSPICIOUS FILE NAME> /home/quarantine/
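Added here as a worked example, not part of the original cheat sheet: a POSIX shell script that performs the chmod/mkdir/mv quarantine above, but first records a SHA-256, owner, mode and timestamp in a manifest, and can check via /proc whether the binary is still running before it is moved. The QUARANTINE_DIR default and the function names are this example's own choices.

```shell
#!/bin/sh
# Example quarantine helper (assumes Linux with GNU coreutils: sha256sum, stat,
# readlink). QUARANTINE_DIR is an assumed default, override it as needed.
QUARANTINE_DIR="${QUARANTINE_DIR:-/home/quarantine}"

# Print the PIDs whose running executable resolves to the given file, by
# comparing /proc/<pid>/exe against the canonical path of the file.
pids_running_file() {
    target=$(readlink -f "$1") || return 1
    for exe in /proc/[0-9]*/exe; do
        if [ "$(readlink -f "$exe" 2>/dev/null)" = "$target" ]; then
            pid=${exe#/proc/}
            echo "${pid%/exe}"
        fi
    done
}

# Strip all execute bits, move the file into quarantine (renamed with its
# digest so two samples of the same name cannot collide) and append a manifest
# line: UTC time, original path, SHA-256, owner:group, mode, mtime.
quarantine_file() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    mkdir -p "$QUARANTINE_DIR" && chmod 700 "$QUARANTINE_DIR"
    digest=$(sha256sum "$src" | cut -d' ' -f1)
    meta=$(stat -c '%U:%G %a %y' "$src")
    dest="$QUARANTINE_DIR/$(basename "$src").$digest"
    chmod a-x "$src"          # the chmod -x step from the cheat sheet
    mv "$src" "$dest"         # the mv step from the cheat sheet
    printf '%s\t%s\t%s\t%s\n' "$(date -u +%FT%TZ)" "$src" "$digest" "$meta" \
        >> "$QUARANTINE_DIR/manifest.tsv"
    echo "$dest"
}
```

Run pids_running_file on the suspect path first; if it prints PIDs, stop those processes as shown above before calling quarantine_file, so the manifest reflects the binary as it was on disk.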