Table Of Contents
- LIVE TRIAGE - WINDOWS
- SYSTEM INFORMATION
- USER INFORMATION
- NETWORK INFORMATION
- SERVICE INFORMATION
- POLICY, PATCH AND SETTINGS INFORMATION
- AUTORUN AND AUTOLOAD INFORMATION
- LOGS
- FILES, DRIVES AND SHARES INFORMATION
LIVE TRIAGE - WINDOWS
SYSTEM INFORMATION
echo %DATE% %TIME%
hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
wmic csproduct get name
wmic bios get serialnumber
wmic computersystem list brief
psinfo -accepteula -s -h -d
USER INFORMATION
whoami
net users
net localgroup administrators
net group administrators
wmic rdtoggle list
wmic useraccount list
wmic group list
wmic netlogin get name,lastlogon,badpasswordcount
wmic netclient list brief
doskey /history > history.txt
NETWORK INFORMATION
netstat -e
netstat -naob
netstat -nr
netstat -vb
nbtstat -S
route print
arp -a
ipconfig /displaydns
netsh winhttp show proxy
ipconfig /allcompartments /all
netsh wlan show interfaces
netsh wlan show all
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\WinHttpSettings"
type %SYSTEMROOT%\system32\drivers\etc\hosts
wmic nicconfig get description,ipaddress,macaddress
wmic netuse get name,username,connectiontype,localname
SERVICE INFORMATION
at
tasklist
tasklist /svc
tasklist /svc /fi "imagename eq svchost.exe"
schtasks
net start
sc query
wmic service list brief | findstr "Running"
wmic service list config
wmic process list brief
wmic process list status
wmic process list memory
wmic job list brief
Get-Service | Where-Object { $_.Status -eq "running" }
List of all processes and then all loaded modules:
Get-Process | Select-Object Modules | ForEach-Object { $_.Modules }
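Added example, not part of the original cheat sheet: the same process/module walk as above, but every loaded module is paired with its Authenticode status, so unsigned DLLs mapped into trusted-looking processes (svchost.exe, explorer.exe) surface in one table. Run it elevated from 64-bit PowerShell; the CSV path is an assumption.

```powershell
# Added example: loaded modules per process with signature status.
# Protected processes and bitness mismatches throw on .Modules, so those are skipped.
$sigCache = @{}   # one signature check per unique file, not per process that loads it
function Get-SigStatus([string]$Path) {
    if (-not $sigCache.ContainsKey($Path)) {
        $sigCache[$Path] = [string](Get-AuthenticodeSignature -LiteralPath $Path).Status
    }
    $sigCache[$Path]
}

$loaded = foreach ($proc in Get-Process) {
    $modules = try { $proc.Modules } catch { @() }   # access denied / 32-vs-64-bit
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        [PSCustomObject]@{
            PID       = $proc.Id
            Process   = $proc.ProcessName
            Module    = $m.FileName
            Signature = Get-SigStatus $m.FileName
        }
    }
}

# Anything not 'Valid' (NotSigned, HashMismatch, UnknownError) is what triage cares about.
$loaded | Where-Object Signature -ne 'Valid' | Sort-Object Process, Module | Format-Table -AutoSize
# Full inventory for the case file (assumed output path).
$loaded | Export-Csv -Path "$env:TEMP\loaded_modules.csv" -NoTypeInformation
```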
POLICY, PATCH AND SETTINGS INFORMATION
set
gpresult /r
gpresult /z > <OUTPUT FILE NAME>.txt
gpresult /H report.html /F
wmic qfe
List GPO software installed:
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt"
AUTORUN AND AUTOLOAD INFORMATION
Startup information:
wmic startup list full
wmic ntdomain list brief
View directory contents of startup folder:
dir "%SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
dir "%userprofile%\Start Menu\Programs\Startup"
dir "%ProgramFiles%\Startup"
dir C:\Windows\Start Menu\Programs\startup
dir "C:\Users\%username%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
dir "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup"
dir "%ALLUSERSPROFILE%\Start Menu\Programs\Startup"
type C:\Windows\winstart.bat
type %windir%\wininit.ini
type %windir%\win.ini
View autoruns, hide Microsoft files:
autorunsc -accepteula -m
type C:\Autoexec.bat
Show all autorun files, export to csv and check with VirusTotal:
autorunsc.exe -accepteula -a -c -i -e -f -l -m -v
HKEY_CLASSES_ROOT:
reg query HKCR\Comfile\Shell\Open\Command
reg query HKCR\Batfile\Shell\Open\Command
reg query HKCR\htafile\Shell\Open\Command
reg query HKCR\Exefile\Shell\Open\Command
reg query HKCR\Exefiles\Shell\Open\Command
reg query HKCR\piffile\shell\open\command
HKEY_CURRENT_USER:
reg query "HKCU\Control Panel\Desktop"
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Load
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Windows\Scripts
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f run
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /f load
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU /s
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\RegEdit /v LastKey
reg query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs"
reg query "HKCU\Software\Policies\Microsoft\Windows\ControlPanel\Desktop"
HKEY_LOCAL_MACHINE:
reg query "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders"
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Shell Folders"
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\Userinit
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\shellServiceObjectDelayLoad
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks" /s
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /f Appinit_DLLs
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Shell
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /f Userinit
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts
reg query HKLM\SOFTWARE\Classes\batfile\shell\open\command
reg query HKLM\SOFTWARE\Classes\comfile\shell\open\command
reg query HKLM\SOFTWARE\Classes\exefile\shell\open\command
reg query HKLM\SOFTWARE\Classes\htafile\Shell\Open\Command
reg query HKLM\SOFTWARE\Classes\piffile\shell\open\command
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" /s
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\SYSTEM\ControlSet001\Control\Session Manager\KnownDLLs"
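Added example, not part of the original cheat sheet: instead of eyeballing the reg query output above one key at a time, walk the common Run-type keys, resolve each value to the executable it launches and check that file's Authenticode signature, so unsigned, tampered or missing autorun images stand out. The output CSV path is an assumption.

```powershell
# Added example: Run/RunOnce values resolved to their image and signature status.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
)

function Get-ImagePath([string]$Command) {
    # Drop the argument tail: a quoted path, or the first token ending in a known extension.
    $exp = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($exp -match '^"([^"]+)"') { return $Matches[1] }
    if ($exp -match '^(.+?\.(exe|dll|bat|cmd|vbs|js|ps1))(\s|$)') { return $Matches[1] }
    return ($exp -split '\s+')[0]
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $item = Get-Item -LiteralPath $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)   # REG_EXPAND_SZ is expanded here
        $path = Get-ImagePath $cmd
        $sig  = if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
            [string](Get-AuthenticodeSignature -LiteralPath $path).Status
        } else { 'FileMissing' }   # dangling entry: image deleted or path not resolvable
        [PSCustomObject]@{ Key = $key; Name = $name; Command = $cmd; Image = $path; Signature = $sig }
    }
}

# Anything that is not 'Valid' sorts to the top; the full list goes to CSV for the case file.
$results | Sort-Object { $_.Signature -eq 'Valid' }, Key | Format-Table -AutoSize
$results | Export-Csv -Path "$env:TEMP\autorun_registry.csv" -NoTypeInformation
```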
LOGS
Copy event logs (one file per log; wevtutil will not overwrite an existing export):
wevtutil epl Security C:\<BACK UP PATH>\Security.evtx
wevtutil epl System C:\<BACK UP PATH>\System.evtx
wevtutil epl Application C:\<BACK UP PATH>\Application.evtx
Get list of logs remotely:
psloglist \\<REMOTE COMPUTER> -accepteula -h 12 -x
Clear all logs to start a clean baseline for monitoring (this deletes every existing log, so export them first):
wevtutil el | ForEach-Object { wevtutil cl "$_" }
List log filenames and path location:
wmic nteventlog get path,filename,writeable
Take pre-breach log export (Get-WinEvent reads both classic and modern channels; Get-EventLog only handles the classic ones):
wevtutil el | ForEach-Object { Get-WinEvent -LogName "$_" -ErrorAction SilentlyContinue | Export-Csv -Path C:\<BASELINE LOG>.csv -Append }
Take post-breach log export:
wevtutil el | ForEach-Object { Get-WinEvent -LogName "$_" -ErrorAction SilentlyContinue | Export-Csv -Path C:\<POST BASELINE LOG>.csv -Append }
Compare the baseline and post-breach exports:
Compare-Object -ReferenceObject $(Get-Content "C:\<PATH TO FILE>\<BASELINE LOG>.csv") -DifferenceObject $(Get-Content "C:\<PATH TO FILE>\<POST BASELINE LOG>.csv") >> <DIFFERENCES LOG>.txt
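Added example, not part of the original cheat sheet: the baseline/post-breach procedure above done as two functions. Each snapshot keys records on LogName plus RecordId, so the comparison reports which events arrived and which vanished (a cleared or rolled-over log) rather than a raw line diff of two CSV files. C:\Triage is an assumed path.

```powershell
# Added example: snapshot every channel wevtutil el reports, then diff two snapshots.
function Export-LogSnapshot([Parameter(Mandatory)][string]$Path) {
    $rows = foreach ($log in (wevtutil el)) {
        # Empty or disabled channels make Get-WinEvent error; suppress and move on.
        Get-WinEvent -LogName $log -ErrorAction SilentlyContinue |
            Select-Object LogName, RecordId, TimeCreated, Id, ProviderName, LevelDisplayName
    }
    $rows | Export-Csv -Path $Path -NoTypeInformation
    return @($rows).Count
}

function Get-EventKey($e) { "$($e.LogName)|$($e.RecordId)" }

function Compare-LogSnapshot([string]$Baseline, [string]$Post) {
    $before = @(Import-Csv $Baseline)
    $after  = @(Import-Csv $Post)
    $beforeKeys = New-Object 'System.Collections.Generic.HashSet[string]'
    $afterKeys  = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($e in $before) { $null = $beforeKeys.Add((Get-EventKey $e)) }
    foreach ($e in $after)  { $null = $afterKeys.Add((Get-EventKey $e)) }
    [PSCustomObject]@{
        # Only in the post snapshot: everything logged since the baseline.
        NewEvents     = @($after  | Where-Object { -not $beforeKeys.Contains((Get-EventKey $_)) })
        # Only in the baseline: records that disappeared, i.e. a cleared or rolled-over log.
        MissingEvents = @($before | Where-Object { -not $afterKeys.Contains((Get-EventKey $_)) })
    }
}

# Usage: baseline first, post snapshot after the suspected activity, then compare.
Export-LogSnapshot -Path C:\Triage\baseline.csv
Export-LogSnapshot -Path C:\Triage\post.csv
$delta = Compare-LogSnapshot -Baseline C:\Triage\baseline.csv -Post C:\Triage\post.csv
$delta.NewEvents | Group-Object LogName | Sort-Object Count -Descending | Format-Table Count, Name
# Security 1102 and System 104 are Windows' own "log cleared" events; cross-check with MissingEvents.
$delta.NewEvents | Where-Object { $_.Id -in '1102', '104' } | Format-Table LogName, TimeCreated, Id
$delta.MissingEvents | Group-Object LogName | Format-Table Count, Name
```

Exporting every channel in full can take minutes and produce a large CSV on a busy host; run it elevated so the Security and other restricted channels are included.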
FILES, DRIVES AND SHARES INFORMATION
net use \\<TARGET IP ADDRESS>
net share
net session
wmic volume list brief
wmic logicaldisk get description,filesystem,name,size
wmic share get name,path
Find multiple file types or a file:
dir /A /S /T:A *.exe *.dll *.bat *.ps1 *.zip
dir /A /S /T:A <BAD FILE NAME>.exe
Find executable (.exe) files newer than Jan 1, 2017 (forfiles expects the date as MM/dd/yyyy):
forfiles /P C:\ /M *.exe /S /D +01/01/2017 /C "cmd /c echo @fdate @ftime @path"
Find multiple file types using a loop:
for %G in (.exe, .dll, .bat, .ps1) do forfiles /P C:\ /M *%G /S /D +01/01/2017 /C "cmd /c echo @fdate @ftime @path"
Search for files newer than a date:
forfiles /P C:\ /S /D +01/01/2017 /C "cmd /c echo @path @fdate"
Find large files (example: 2 MB or larger, i.e. 2097152 bytes):
forfiles /S /M * /C "cmd /c if @fsize GEQ 2097152 echo @path @fsize"
Find files with Alternate Data Streams:
streams -s <FILE OR DIRECTORY>
Find files with bad signature into csv:
sigcheck -c -h -s -u -nobanner <FILE OR DIRECTORY> > <OUTPUT FILENAME>.csv
Find and show only unsigned files with bad signature in C:
sigcheck -e -u -vr -s C:\
List loaded unsigned Dlls:
listdlls.exe -u
listdlls.exe -u <PROCESS NAME OR PID>
Run Malware scan (Windows Defender) offline:
MpCmdRun.exe -SignatureUpdate
MpCmdRun.exe -Scan
Install Sysmon to monitor and log system activity to the Windows event log, including MD5 hashing of created processes and monitoring of network connections (64-bit):
sysmon64.exe -i -accepteula -h md5 -n
:: Uninstall Sysmon
sysmon64.exe -u
View Sysmon log details:
Get-WinEvent -Path C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx | Format-List *