Windows Incident Response Cheat Sheet
Page | 23

Follow us: www.hackingarticles.in


User accounts

As an incident responder, check the user accounts on the system to see whether any suspicious user account is present or whether unexpected permissions or group memberships have been assigned to a user. Checking the accounts answers questions such as who is logged on ('whoami' shows the current account, 'query user' the interactive sessions) and what kind of account (standard user or administrator) each one is.
The ways one can view the user accounts are:

Local users

To view the local user accounts in the GUI, press 'Windows+R', type 'lusrmgr.msc' and click 'OK'. You will see the user accounts with their descriptions, and the Groups node shows who belongs to Administrators. (The Local Users and Groups snap-in is not included in Windows Home editions; use the command-line methods below there.)

You can now open the command prompt as an administrator, type 'net user' and press enter. This lists the user accounts on the system. It does not show the account type: 'net user <username>' shows the details of one account, including its local group memberships and last logon, and 'net localgroup administrators' (below) shows which accounts are administrators.

net user

net localgroup

'net localgroup' on its own lists the local groups on the system, and 'net localgroup <groupname>' lists the members of one group. The same command is used to manage local groups: an administrator can add local or domain users to a group, delete users from a group, create new groups and delete existing groups.
Open the command prompt as an administrator, type 'net localgroup administrators' and press enter. Every account in this list has full control of the machine, so each member must be accounted for.

net localgroup administrators

To view the local user accounts in PowerShell, open PowerShell, type 'Get-LocalUser' and press enter. You will see the local user accounts with their names, whether they are enabled and their description. 'Get-LocalGroupMember -Group Administrators' shows the members of the Administrators group and whether each one is a local or a domain principal.
Get-LocalUser
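The account checks above combined into one PowerShell pass, as an added example that is not part of the original cheat sheet. It assumes a baseline of expected Administrators members ($ExpectedAdmins, a name chosen here) that you edit for the host being examined.

```powershell
# Added example, not from the original cheat sheet.
# Assumption: $ExpectedAdmins is the baseline for this host; edit it before use.
$ExpectedAdmins = @('Administrator', 'Domain Admins')

# 1. Every local account: enabled or not, last logon and password age.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize

# 2. Who is in the local Administrators group. ObjectClass says whether the
#    entry is a user or a group; PrincipalSource says Local or ActiveDirectory.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 3. Members that are not on the baseline. Name comes back as COMPUTER\user or
#    DOMAIN\user, so compare only the part after the backslash.
$unexpected = $admins | Where-Object { ($_.Name -split '\\')[-1] -notin $ExpectedAdmins }
if ($unexpected) {
    Write-Warning 'Administrators members not on the baseline:'
    $unexpected | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
}

# 4. Enabled accounts with no recorded logon: the shape of a newly created
#    backdoor account. A recent PasswordLastSet on such an account is the tell.
Get-LocalUser |
    Where-Object { $_.Enabled -and -not $_.LastLogon } |
    Select-Object Name, PasswordLastSet, Description |
    Format-Table -AutoSize
```

Run it from an elevated PowerShell; Get-LocalGroupMember works without elevation, but the baseline comparison is only meaningful if you keep $ExpectedAdmins in step with the host's build standard rather than accepting whatever is present.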

Processes
To get the list of all the processes running on the system, use the 'tasklist' command. It lists each process with the memory it uses, its CPU time, image file name, the services hosted in the process, etc.
To view the processes, you can use the following methods:

Task Manager
To view the running processes in a GUI, press 'Windows+R', type 'taskmgr.exe' and click 'OK'. The Processes tab shows the running processes; the Details tab can additionally show the PID, the user name and (right-click a column header, 'Select columns') the command line of each process, which is what you need when deciding whether a process is legitimate.

tasklist

To view the processes in the command prompt, open the command prompt as an administrator, type 'tasklist' and press enter. You will see all the running processes with their Process ID (PID), session name and the amount of memory used. 'tasklist /v' adds the user name each process runs as and its window title.

tasklist

To view the process list in PowerShell, type 'Get-Process' and press enter. It lists all active processes on the local computer; add '-IncludeUserName' (requires an elevated prompt) to see the account each process runs as.

get-process

Windows also has the Windows Management Instrumentation Command-line tool (WMIC), which is very useful in incident response because it exposes process details that tasklist does not, such as the parent process and the full command line. It can be run from the command prompt or from PowerShell as an administrator. Note that WMIC is deprecated and is no longer installed by default on recent Windows 11 builds; the same queries are available through 'Get-CimInstance Win32_Process' in PowerShell. The syntax to dump everything is 'wmic process list full'.

wmic process list full

To get each process's name, process ID and parent process ID, open PowerShell or the command prompt as an administrator and type 'wmic process get name,parentprocessid,processid'. This is the next step after you determine which process is performing strange network activity: the parent tells you what launched it. You will see the following details.

wmic process get name,parentprocessid,processid

To get the full command line of one process (the image path plus its arguments), type 'wmic process where "ProcessId=<PID>" get CommandLine', replacing <PID> with the process ID from the previous step, and press enter.

wmic process where "ProcessId=<PID>" get CommandLine
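The two WMIC queries above, rewritten with Get-CimInstance so they keep working where WMIC has been removed, plus the checks a responder runs over the result. This is an added example, not code from the original cheat sheet; the "trusted" image roots (the default Windows and Program Files directories) and the lists of shells and spawning applications are assumptions you tune per environment.

```powershell
# Added example, not from the original cheat sheet. Uses Get-CimInstance so it
# works where WMIC has been removed. Assumptions: the trusted image roots are the
# default Windows and Program Files directories; the shell/spawner lists are a
# starting point, not a complete list.

$procs = Get-CimInstance Win32_Process

# Index by PID so each process's parent can be resolved by name.
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Equivalent of 'wmic process get name,parentprocessid,processid', with the
# parent's name, image path and full command line added.
$tree = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    [pscustomobject]@{
        PID         = $p.ProcessId
        PPID        = $p.ParentProcessId
        Parent      = if ($parent) { $parent.Name } else { '<exited or unknown>' }
        Name        = $p.Name
        Path        = $p.ExecutablePath
        Started     = $p.CreationDate
        CommandLine = $p.CommandLine
    }
}
$tree | Sort-Object PPID, PID | Format-Table PID, PPID, Parent, Name, Path -AutoSize

# Equivalent of 'wmic process where "ProcessId=<PID>" get CommandLine'.
function Get-ProcessCommandLine {
    param([Parameter(Mandatory)][int]$ProcessId)
    (Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId").CommandLine
}

# Check 1: images running from outside the usual system directories
# (user profiles, ProgramData, Temp, removable media).
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
$oddPath = $tree | Where-Object {
    $path = $_.Path
    $path -and -not ($trustedRoots | Where-Object {
        $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
}

# Check 2: a script host or shell whose parent is a document viewer or browser,
# the classic shape of a macro or drive-by payload.
$shells   = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'
$spawners = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'acrord32.exe', 'chrome.exe', 'msedge.exe', 'firefox.exe'
$oddParent = $tree | Where-Object { $_.Name -in $shells -and $_.Parent -in $spawners }

# Pull the full command line for every hit. A dead parent alone is not
# suspicious (anything started from a closed shell looks like that), but a
# dead parent plus an odd path is.
foreach ($hit in @($oddPath) + @($oddParent)) {
    if (-not $hit) { continue }
    '{0} {1} (parent: {2}) -> {3}' -f $hit.PID, $hit.Name, $hit.Parent, (Get-ProcessCommandLine -ProcessId $hit.PID)
}
```

The snapshot is taken once into $procs and joined locally, so a process that exits between two queries cannot produce a phantom parent; this is also why a parent shows as '<exited or unknown>' rather than being silently dropped.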

Services

Malware and attacker tooling are frequently installed as services, so to check that the system's services are running properly and that no unknown service has been added, you can view your services.

GUI

To view all the services in the GUI, press 'Windows+R', type 'services.msc' and click 'OK' to see the list of services with their status, startup type and the account each one logs on as.

net start

To view the list of services that are currently running on your system, open the command prompt as an administrator, type 'net start' and press enter. With no argument the command only lists running services; 'net start <servicename>' would start one, so do not pass a name unless that is what you intend.

net start

sc query

To view whether a service is running and to get more details such as its service name, display name, type and state, type 'sc query' and pipe it through 'more'. By default only running services are shown; 'sc query type= service state= all' (note the space after each '=') includes stopped ones, and 'sc qc <servicename>' shows the binary path and the account a service runs as.
sc query | more

tasklist

If you want a list of running processes with their associated services in the command prompt, run
command prompt as an administrator, then type ‘tasklist /svc’ and press enter.

tasklist /svc
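The service checks above (services.msc, net start, sc query, tasklist /svc) done in one PowerShell pass, with the three tests a responder applies to the result. This is an added example, not code from the original cheat sheet; it assumes legitimate service binaries live under the default Windows and Program Files directories.

```powershell
# Added example, not from the original cheat sheet. Assumption: the standard
# Windows and Program Files directories are where legitimate service binaries live.

$services = Get-CimInstance Win32_Service |
    Select-Object Name, DisplayName, State, StartMode, StartName, ProcessId, PathName

# The 'sc query' / 'tasklist /svc' view in one table: state, start mode, the
# account the service runs as, and the exact binary path plus arguments.
$services | Sort-Object State, Name |
    Format-Table Name, State, StartMode, StartName, ProcessId, PathName -AutoSize -Wrap

# Pull the executable out of PathName, which may be quoted ("C:\a b\x.exe" -arg),
# unquoted (C:\Windows\system32\svchost.exe -k netsvcs), or contain %SystemRoot%.
function Get-ServiceImage {
    param([string]$PathName)
    if (-not $PathName) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($PathName)
    if ($p.StartsWith('"')) {
        $end = $p.IndexOf('"', 1)
        if ($end -gt 1) { return $p.Substring(1, $end - 1) }
        return $p.Trim('"')
    }
    $m = [regex]::Match($p, '^(.+?\.(exe|dll|sys))(\s|$)', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return ($p -split ' ')[0]
}

# Check 1: unquoted image path containing a space. The service controller tries
# "C:\Program.exe" before "C:\Program Files\...", so a writable parent directory
# lets a local user hijack the service (the unquoted service path weakness).
$unquoted = $services | Where-Object {
    $_.PathName -and -not $_.PathName.StartsWith('"') -and (Get-ServiceImage $_.PathName) -match ' '
}

# Check 2: service binary outside the usual directories.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }
$oddPath = $services | Where-Object {
    $img = Get-ServiceImage $_.PathName
    $img -and -not ($trustedRoots | Where-Object {
        $img.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
}

# Check 3: auto-start service whose binary is missing: either an uninstall
# remnant, or a tool that was run and deleted while its service registration stayed.
$missing = $services | Where-Object {
    $_.StartMode -eq 'Auto' -and (Get-ServiceImage $_.PathName) -and
    -not (Test-Path -LiteralPath (Get-ServiceImage $_.PathName))
}

$findings = [ordered]@{
    'Unquoted path with space'   = $unquoted
    'Image outside system dirs'  = $oddPath
    'Auto-start, binary missing' = $missing
}
foreach ($k in $findings.Keys) {
    if ($findings[$k]) {
        "`n== $k =="
        $findings[$k] | Format-Table Name, StartMode, StartName, PathName -AutoSize -Wrap
    }
}
```

Win32_Service only covers Win32 services; kernel drivers, which are also a persistence and rootkit vector, are listed separately by 'Get-CimInstance Win32_SystemDriver' with the same PathName/State/StartMode properties.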

Task Scheduler

GUI

Task Scheduler is a component of Windows that lets programs or scripts be launched at a pre-defined time, at intervals or on events such as logon, which makes it a common persistence mechanism. Look for tasks that run with high privileges (SYSTEM or an administrator) or whose action looks suspicious. To open Task Scheduler in the GUI, press 'Windows+R' and type 'taskschd.msc', or browse to the Administrative Tools folder at the following path:
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

To list the scheduled tasks in the command prompt, type 'schtasks' and press enter. 'schtasks /query /fo LIST /v' shows the full details of each task, including the command it runs ('Task To Run') and the account it runs as ('Run As User').
schtasks

Startup
The Startup folder in Windows automatically runs the applications placed in it when a user logs on, so as an incident handler you should look at the applications that auto-start.

GUI
To view the startup applications in the GUI, open Task Manager and click on the 'Startup' tab. There you can see which applications are enabled and disabled at startup. The per-user Startup folder on disk holds the same entries; the command below lists it for the author's lab user 'raj', so substitute the account you are examining, and also check the all-users folder C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp.
dir /s /b "C:\Users\raj\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

PowerShell

To view the startup applications in PowerShell, run PowerShell as an administrator, type 'wmic startup get caption,command' and press enter.

wmic startup get caption,command

To get a detailed list of the autostart applications in PowerShell, including the location (Startup folder or Run key) and the user each entry belongs to, type 'Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List' and press enter.

Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List

Registry
Unsophisticated malware can often be found by looking at the Run keys in the Windows Registry, which start a program every time a user logs on.

GUI

To view the Run key in the GUI, press 'Windows+R', type 'regedit' and browse to the key manually (HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER, then SOFTWARE\Microsoft\Windows\CurrentVersion\Run).

You can also view the Run key of the local machine hive from the command prompt or PowerShell, run as an administrator, by typing 'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and pressing enter. Entries here start for every user who logs on.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

You can also view the Run key of the current user by typing 'reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' and pressing enter. Check the RunOnce key next to each Run key as well, and remember that HKEY_CURRENT_USER only covers the account you are logged on as; other users' keys live under HKEY_USERS\<SID>.

reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
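The three autostart locations covered one at a time in the Task Scheduler, Startup and Registry sections above, enumerated in one pass into a uniform list you can sort, export or diff against a clean host. This is an added example, not code from the original cheat sheet; the triage patterns at the end (script hosts, encoded commands, user-writable paths) are a starting heuristic chosen here, not a complete signature set.

```powershell
# Added example, not from the original cheat sheet. Assumptions: profiles live
# under <SystemDrive>\Users; the triage regexes are a starting heuristic.

function Get-AutostartEntries {
    $entries = [System.Collections.Generic.List[object]]::new()

    # 1. Scheduled tasks: each action's executable and arguments, and who it runs as.
    #    Microsoft's own tasks live under \Microsoft\; anything in the root or a
    #    custom folder deserves a look.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $entries.Add([pscustomobject]@{
                Source   = 'ScheduledTask'
                Location = $task.TaskPath + $task.TaskName
                RunAs    = $task.Principal.UserId
                Command  = ($action.Execute + ' ' + $action.Arguments).Trim()
                State    = [string]$task.State
            })
        }
    }

    # 2. Startup folders: the all-users folder and every profile's folder, not
    #    only the account you happen to be logged on as.
    $startupFolders = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $startupFolders += Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" }
    foreach ($folder in $startupFolders) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $entries.Add([pscustomobject]@{
                    Source = 'StartupFolder'; Location = $folder; RunAs = ''; Command = $_.FullName; State = ''
                })
            }
    }

    # 3. Run / RunOnce keys. Reading HKEY_USERS covers every currently loaded
    #    user hive, so other accounts' keys are not missed; WOW6432Node covers
    #    32-bit entries on 64-bit Windows.
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue
    $keyRoots = @('HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node')
    $keyRoots += Get-ChildItem HKU:\ -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)\SOFTWARE" }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $keyRoots) {
        foreach ($sub in 'Run', 'RunOnce') {
            $key = "$root\Microsoft\Windows\CurrentVersion\$sub"
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -in $meta) { continue }
                $entries.Add([pscustomobject]@{
                    Source = 'Registry'; Location = "$key\$($prop.Name)"; RunAs = ''; Command = $prop.Value; State = ''
                })
            }
        }
    }
    return $entries
}

$autostarts = Get-AutostartEntries
$autostarts | Sort-Object Source, Location | Format-Table -AutoSize -Wrap

# Triage: a script host or shell as the command, or an executable living in a
# user-writable directory, are the usual shapes of cheap persistence.
$autostarts | Where-Object {
    $_.Command -match '(?i)(powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32)' -or
    $_.Command -match '(?i)\\(Users|ProgramData|Temp)\\'
} | Format-Table Source, Location, RunAs, Command -AutoSize -Wrap
```

Export the list with 'Export-Csv' on a known-good machine of the same build and compare; the difference is far shorter to read than the raw list, and it is the comparison, not any single entry, that usually surfaces the implant.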

Active TCP and UDP ports

As an incident responder you should pay careful attention to the active TCP and UDP ports of your system: a listening port you cannot explain, or an established connection to an address you do not recognise, is often the first visible sign of a compromise.

netstat

To list all connections and listening ports, open the command prompt as an administrator, type 'netstat -ano' and press enter: '-a' shows all connections and listening ports, '-n' shows addresses and ports numerically, and '-o' shows the owning process ID, which you can match against tasklist. Adding '-b' ('netstat -anob') also prints the executable name, but requires an elevated prompt.

netstat -ano

PowerShell

The same information is available in PowerShell with a different command. Run PowerShell and type 'Get-NetTCPConnection -LocalAddress 192.168.0.110 | Sort-Object LocalPort' and press enter (192.168.0.110 is the author's lab address; substitute your own, or omit -LocalAddress to list every local address). You will get detailed information about the IP addresses, the local ports and the connection state; the OwningProcess column holds the PID, and 'Get-NetUDPEndpoint' lists the UDP side.

Get-NetTCPConnection -LocalAddress 192.168.0.110 | Sort-Object LocalPort
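'netstat -ano' and the Get-NetTCPConnection query above, joined to the owning process name and image path and extended to UDP, with the two filters a responder applies first. This is an added example, not code from the original cheat sheet; which address ranges count as "internal" (RFC 1918, loopback, link-local and unspecified here) is an assumption a real engagement replaces with the site's address plan.

```powershell
# Added example, not from the original cheat sheet. Assumptions: RFC 1918,
# loopback, link-local and unspecified addresses count as internal; the
# Windows and Program Files directories are where legitimate listeners live.

# Process table keyed by PID, so each socket can be labelled with its image.
$procByPid = @{}
Get-Process | ForEach-Object { $procByPid[[int]$_.Id] = $_ }

# 'netstat -ano' for TCP and UDP, with the owning process name and path joined in.
function Get-NetworkEndpoint {
    $tcp = Get-NetTCPConnection | ForEach-Object {
        $p = $procByPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto   = 'TCP'
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '{0}:{1}' -f $_.RemoteAddress, $_.RemotePort
            State   = [string]$_.State
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    }
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procByPid[[int]$_.OwningProcess]
        [pscustomobject]@{
            Proto   = 'UDP'
            Local   = '{0}:{1}' -f $_.LocalAddress, $_.LocalPort
            Remote  = '*'
            State   = ''
            PID     = $_.OwningProcess
            Process = $p.ProcessName
            Path    = $p.Path
        }
    }
    @($tcp) + @($udp)
}

function Test-InternalAddress {
    param([string]$Address)
    $Address -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$|::|fe80:|f[cd][0-9a-f]{2}:)'
}

$endpoints = Get-NetworkEndpoint
$endpoints | Sort-Object Proto, PID | Format-Table -AutoSize

# Triage 1: established TCP connections to addresses outside the internal
# ranges, with the process responsible. Unknown process + external peer = look closer.
$endpoints | Where-Object {
    $_.Proto -eq 'TCP' -and $_.State -eq 'Established' -and
    -not (Test-InternalAddress ($_.Remote -replace ':\d+$', ''))
} | Format-Table Local, Remote, PID, Process, Path -AutoSize

# Triage 2: listeners (TCP Listen, or any UDP endpoint) owned by a binary that
# is not under the Windows or Program Files directories.
$endpoints | Where-Object {
    ($_.State -eq 'Listen' -or $_.Proto -eq 'UDP') -and $_.Path -and
    $_.Path -notmatch '(?i)^[A-Z]:\\(Windows|Program Files)'
} | Format-Table Proto, Local, PID, Process, Path -AutoSize
```

Path is empty for protected processes and for processes you cannot open, so an empty Path next to an external connection is itself worth noting rather than a reason to skip the row.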

File sharing

As an incident responder, check which folders the system shares on the network, so that you know there is no unnecessary file sharing and no share that an attacker could have created for staging or exfiltration.

net view

To check the shares in the command prompt, type 'net view \\<localhost>' (for example 'net view \\127.0.0.1') and press enter. Note that net view only lists visible shares; 'net share' also lists the hidden administrative shares (C$, ADMIN$, IPC$) and any hidden share ending in '$' that an attacker added.
net view \\127.0.0.1

SMBShare

To see the shares in PowerShell, type 'Get-SmbShare' and press enter; 'Get-SmbShareAccess -Name <share>' shows who has access to a share and at what level.

Get-SmbShare

Files

To find files of a given type or age across the disk from the command line, use the 'forfiles' command. Forfiles is a command-line utility that selects files by name, date and location and runs a command for each one. It shipped with Windows Vista; before that, handling multiple files from the command line was awkward, as most commands were made to work on a single file.

forfiles

To list .exe files with their full path in the command prompt, type 'forfiles /D -10 /S /M *.exe /C "cmd /c echo @path"' and press enter. '/S' recurses into subdirectories from the current directory (add '/P <folder>' to start elsewhere), '/M *.exe' selects by name, and '/C' runs the quoted command for each match. Note what '/D -10' does: it selects files whose last modified date is 10 or more days ago; to select files modified on or after a given date, which is usually what you want during triage, use '/D +MM/DD/YYYY'.

forfiles /D -10 /S /M *.exe /C "cmd /c echo @path"

To view the files without their path but with more details, such as the extension, file name and modification date, type 'forfiles /D -10 /S /M *.exe /C "cmd /c echo @ext @fname @fdate"' and press enter.

forfiles /D -10 /S /M *.exe /C "cmd /c echo @ext @fname @fdate"

To filter by size in File Explorer, enter a size query in the search box: 'size:>6MB' finds files larger than 6 MB, and 'size:<6MB' files below that.

Firewall

The incident responder should pay attention to the firewall configuration and settings and review them regularly.
To view the firewall configuration in the command prompt, type 'netsh firewall show config' and press enter. Note that the 'netsh firewall' context is deprecated and current Windows versions print a notice saying so; 'netsh advfirewall' is the command to use for the per-profile inbound and outbound settings.

netsh firewall show config

To view the firewall settings for the profile that is currently active (whether the firewall is on, the default inbound and outbound actions, and where it logs), type 'netsh advfirewall show currentprofile' and press enter. 'netsh advfirewall firewall show rule name=all' lists the individual rules.

netsh advfirewall show currentprofile
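The profile summary above, plus every enabled inbound allow rule with the port, program and remote-address filter it applies to, which 'show currentprofile' does not list. This is an added example, not code from the original cheat sheet; the three triage filters (ungrouped rules, wide-open rules, programs in user-writable paths) are heuristics chosen here.

```powershell
# Added example, not from the original cheat sheet. Assumption: the triage
# filters below are heuristics; confirm each hit against the host's role.

# Profile state: is the firewall on, and what happens to traffic no rule matches?
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogFileName, LogBlocked, LogAllowed |
    Format-Table -AutoSize

# Every enabled inbound allow rule with the filters attached to it.
function Get-InboundAllowRule {
    foreach ($r in Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow) {
        $port = $r | Get-NetFirewallPortFilter
        $app  = $r | Get-NetFirewallApplicationFilter
        $addr = $r | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name       = $r.DisplayName
            Group      = $r.DisplayGroup
            Profile    = [string]$r.Profile
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
            Program    = $app.Program
            Store      = [string]$r.PolicyStoreSourceType
        }
    }
}
$inbound = Get-InboundAllowRule
$inbound | Sort-Object Group, Name | Format-Table -AutoSize -Wrap

# Triage 1: rules with no display group. Windows features and most installers
# register their rules under a group; a rule added ad hoc with
# 'netsh advfirewall firewall add rule' or New-NetFirewallRule normally has none.
$inbound | Where-Object { -not $_.Group } |
    Format-Table Name, Protocol, LocalPort, RemoteAddr, Program -AutoSize -Wrap

# Triage 2: wide-open rules: any program, any port, any remote address.
$inbound | Where-Object { $_.Program -eq 'Any' -and $_.LocalPort -eq 'Any' -and $_.RemoteAddr -eq 'Any' } |
    Format-Table Name, Profile, Protocol -AutoSize

# Triage 3: rules that allow a program running from a user-writable location.
$inbound | Where-Object { $_.Program -match '(?i)\\(Users|ProgramData|Temp)\\' } |
    Format-Table Name, Program, LocalPort -AutoSize -Wrap
```

Store tells you whether a rule came from local policy or Group Policy; a local rule on a host whose firewall is supposed to be centrally managed is a finding on its own, whatever it allows.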

Sessions with other systems

To check the connections this system has opened to other systems (mapped drives and other SMB connections), type 'net use' in the command prompt and press enter.

net use

To check the sessions that other systems have established with your system, type 'net session' in an elevated command prompt and press enter. It shows the client computer, the user name, the number of open files and how long the session has been idle.

net session

Log entries
To view the log entries in the GUI, open Event Viewer: press 'Windows+R', type 'eventvwr.msc' and press 'OK'. The Security log (logons, account changes) and the System log (service installs) are the first to look at.

Event Viewer

To query the events of a particular log from the command prompt, type 'wevtutil qe security' and press enter. On its own this dumps the whole Security log as XML, oldest first; 'wevtutil qe Security /c:20 /rd:true /f:text' shows the 20 most recent events as readable text, and '/q:"*[System[(EventID=4624)]]"' limits the query to one event ID.

wevtutil qe security

PowerShell

To get the list of event logs in PowerShell, type 'Get-EventLog -List' and press enter; it shows each classic log with its size and entry count. To read one, supply its name, for example 'Get-EventLog -LogName Security -Newest 20'. Get-EventLog only reads the classic logs and is not available in PowerShell 7; 'Get-WinEvent -ListLog *' and 'Get-WinEvent -LogName Security -MaxEvents 20' cover all logs on every PowerShell version.

Get-EventLog -List
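The event IDs a responder pulls from the Security and System logs first, queried with Get-WinEvent and decoded into one line each, as an added example that is not part of the original cheat sheet. It assumes a 7-day window ($Since, a name chosen here) and an elevated prompt, which reading the Security log requires; the EventData positions used are those of the current Windows event templates.

```powershell
# Added example, not from the original cheat sheet. Assumption: a 7-day window;
# reading the Security log needs an elevated prompt.
$Since = (Get-Date).AddDays(-7)

# The event IDs pulled first in a Windows triage.
$TriageQueries = @(
    @{ Log = 'Security'; Id = 4624; What = 'Logon' }
    @{ Log = 'Security'; Id = 4625; What = 'Failed logon' }
    @{ Log = 'Security'; Id = 4720; What = 'Account created' }
    @{ Log = 'Security'; Id = 4732; What = 'Added to local group' }
    @{ Log = 'Security'; Id = 4698; What = 'Scheduled task created' }
    @{ Log = 'Security'; Id = 1102; What = 'Audit log cleared' }
    @{ Log = 'System';   Id = 7045; What = 'Service installed' }
)

function Get-TriageEvent {
    param([datetime]$StartTime = $Since)
    foreach ($q in $TriageQueries) {
        $events = Get-WinEvent -FilterHashtable @{ LogName = $q.Log; Id = $q.Id; StartTime = $StartTime } -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $p = $e.Properties   # EventData fields, positional per event template
            $detail = switch ($q.Id) {
                4624 { 'user={0}\{1} type={2} from={3} proc={4}' -f $p[6].Value, $p[5].Value, $p[8].Value, $p[18].Value, $p[17].Value }
                4625 { 'user={0}\{1} type={2} from={3}' -f $p[6].Value, $p[5].Value, $p[10].Value, $p[19].Value }
                4720 { 'new={0} by={1}' -f $p[0].Value, $p[4].Value }
                4732 { 'memberSid={0} group={1} by={2}' -f $p[1].Value, $p[2].Value, $p[6].Value }
                4698 { 'task={0} by={1}' -f $p[4].Value, $p[1].Value }
                1102 { 'by={0}' -f $p[1].Value }
                7045 { 'service={0} image={1} account={2}' -f $p[0].Value, $p[1].Value, $p[4].Value }
            }
            [pscustomobject]@{ Time = $e.TimeCreated; Log = $q.Log; Id = $q.Id; What = $q.What; Detail = $detail }
        }
    }
}

$triage = Get-TriageEvent
$triage | Sort-Object Time | Format-Table Time, Id, What, Detail -AutoSize -Wrap

# Interactive, network and RDP logons only (types 2, 3, 10); these are what you
# correlate against the accounts, sessions and shares gathered earlier.
$triage | Where-Object { $_.Id -eq 4624 -and $_.Detail -match ' type=(2|3|10) ' } |
    Format-Table Time, Detail -AutoSize -Wrap

# Failed logons grouped by account: a burst against many accounts from one
# source is a password spray, many failures on one account a brute force.
$triage | Where-Object Id -eq 4625 |
    ForEach-Object { ($_.Detail -split ' ')[0] } |
    Group-Object | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

An empty result for 4698 or 4720 usually means the audit subcategory (Other Object Access Events, User Account Management) is not enabled rather than that nothing happened; 'auditpol /get /category:*' shows what the host actually records, and a 1102 anywhere in the window means the log itself was cleared and the earlier entries are gone.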

Hence, an incident responder can work through these commands to triage a Windows system and keep it away from threats.

References
• https://www.hackingarticles.in/incident-response-linux-cheatsheet/
• https://www.hackingarticles.in/incident-response-windows-cheatsheet/
