A Penetration Testing Cheat Sheet For Windows Machine – Intrusion Detection
In the event that your Windows machine has been compromised . in any case, don’t know where to hope to locate the awful folks’ nearness? This cheat sheet is intended to help Windows Administrators and security personnel to better execute and inside and out examination of their framework keeping in mind the end goal to search for indications of compromise .
Windows Cheat Sheet
1.Unusual Log Entries :
Check your logs for suspicious events, such as:
- “Event log service was stopped.”
- “Windows File Protection is not active on this system.”
- “The protected System file [file name] was not restored to its original, valid version because the Windows File Protection…”
- “The MS Telnet Service has started successfully.”
- Look for large number of failed logon attempts or locked out accounts.
To do this using the GUI, run the Windows event viewer:
C:\> eventvwr.mscUsing the command prompt:
C:\> eventquery.vbs | moreOr, to focus on a particular event log:
C:\> eventquery.vbs /L security2.Unusual Processes and Services :
Look for unusual/unexpected processes, and focus on processes with User Name “SYSTEM” or “Administrator” (or users in the Administrators’ group). You need to be familiar with normal processes and services and search for deviations.
Using the GUI, run Task Manager:
C:\> taskmgr.exeUsing the command prompt:
C:\> tasklistC:\> wmic process list full
Also look for unusual services.
Using the GUI:C:\> services.msc
Using the command prompt:
C:\> net startC:\> sc query
For a list of services associated with each process:
C:\> tasklist /svc3.Unusual Files and Registry Keys
Check file space usage to look for sudden major decreases in free space, using the GUI (right-click on partition), or type:
C:\> dir c:\Look for unusually big files:
Start–> Search–>For Files of Folders… Search Options–>Size–>At Least 10000KBLook for strange programs referred to in registry keys associated with system start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceExNote that you should also check the HKCU counterparts (replace HKLM with HKCU above).
Using the GUI:
C:\> regeditUsing the GUI:
Using the command prompt:
C:\> reg query 4.Unusual Network Usage
Look at file shares, and make sure each has a defined business purpose:
C:\> net view \\127.0.0.1Look at who has an open session with the machine:
C:\> net sessionLook at which sessions this machine has opened with other systems:
C:\> net useLook at NetBIOS over TCP/IP activity:
C:\> nbtstat –SLook for unusual listening TCP and UDP ports:
C:\> netstat –naFor continuously updated and scrolling output of this command every 5 seconds:
C:\> netstat –na 5The –o flag shows the owning process id:
C:\> netstat –nao 5The –b flag shows the executable name and the DLLs loaded for the network connection.
C:\> netstat –naob 5Note that the –b flag uses excessive CPU resources.
Again, you need to understand normal port usage for the system and look for deviations.
Again, you need to understand normal port usage for the system and look for deviations.
Also check Windows Firewall configuration:
C:\> netsh firewall show config5.Unusual Scheduled Tasks
Look for unusual scheduled tasks, especially those that run as a user in the Administrators group, as SYSTEM, or with a blank user name.
Using the GUI, run Task Scheduler:
Start–>Programs–>Accessories–>System Tools–>Scheduled TasksUsing the command prompt:
C:\> schtasksCheck other autostart items as well for unexpected entries, remembering to check user autostart directories and registry keys.
Using the GUI, run msconfig and look at the Startup tab:
Start –> Run, msconfig.exeUsing the command prompt:
C:\> wmic startup list full6.Unusual Accounts
Look for new, unexpected accounts in the Administrators group:
C:\> lusrmgr.mscClick on Groups, Double Click on Administrators, then check members of this group.
This can also be done at the command prompt:
C:\> net userThis can also be done at the command prompt:
C:\> net localgroup administrators
7.Other Unusual Items
Look for unusually sluggish performance and a single unusual process hogging the CPU:
Task Manager –> Process and Performance tabsLook for unusual system crashes, beyond the normal level for the given system.
On a periodic basis (daily, weekly, or each time you logon to a system you manage,) run through these quick steps to look for anomalous behavior that might be caused by a computer intrusion. Each of these commands runs locally on a system.