Windows Incident Response

Uploaded by Luis Galego

Windows

Original Author: Jeenali Kothari


Michael Tchuindjang Credits to Hacking Articles

Table of Contents

Abstract
What is Incident Response?
User Accounts
Processes
Services
Task Scheduler
Startup
Registry Entries
Active TCP & UDP ports
File sharing
Files
Firewall Settings
Sessions with other Systems
Open Sessions with
Log Entries
Conclusion
References


Abstract
For many people, their computer systems seem to behave normally, and they may never realise that something really fishy is going on, or even that their systems have been compromised. By making use of incident response, a large number of attacks can be detected at the primary level, and an investigation can be carried out to obtain digital evidence.

This report mainly focuses on incident response for Windows systems. So, let's begin with this cheat sheet to get you going.
Disclaimer: This report is provided for educational and informational purposes only (Penetration Testing). Penetration Testing refers to legal intrusion tests that aim to identify vulnerabilities and improve cybersecurity, rather than for malicious purposes.


What is Incident Response?

Incident response can be defined as the course of action taken whenever a computer or network security incident occurs.

Security events that may have occurred include:

• Unauthorized use of system privileges and sensitive data
• System crashes or flooding of packets
• Presence of malware or any malicious program

User Accounts

In incident response it is very necessary to investigate user activity: to find whether any suspicious user account is present or whether unexpected permissions have been assigned to a user. By checking the user accounts one can answer questions such as which user is currently logged in and what kind of account each user has.

The ways one can view the user accounts are:

To view the local user accounts in the GUI, press 'Windows+R', then type

lusrmgr.msc

Now click on 'OK', and you will be able to see the user accounts and their descriptions.


To see the user accounts on the system and the type of each account, run Command Prompt as administrator and type

net user

net localgroup <group name> is used to manage local user groups on a system. Using this command, an administrator can add local or domain users to a group, delete users from a group, create new groups and delete existing groups. To list the members of the local Administrators group, open Command Prompt as administrator and type

net localgroup administrators


To see the local user accounts with their names, whether they are enabled and their description, run PowerShell as administrator and type

Get-LocalUser
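The following PowerShell script is an added triage example, not part of the original cheat sheet. It combines the Get-LocalUser and net localgroup checks above into one report: every local account with its state, last logon and password settings, whether it sits in the local Administrators group, and a Flags column for the conditions a responder usually looks at first. The 30-day window for a "recent logon" and the list of flag conditions are assumptions chosen for illustration.

```powershell
# Added triage example (not from the original cheat sheet): list local accounts
# and Administrators members in one pass and flag the usual points of interest.
# Requires the built-in LocalAccounts module (Windows 10 / Server 2016 and later)
# and an elevated PowerShell session.

$recentDays = 30   # assumption: logons within the last 30 days are marked "recent"
$cutoff = (Get-Date).AddDays(-$recentDays)

# Members of the local Administrators group. On some builds this cmdlet fails when the
# group contains an orphaned SID; 'net localgroup administrators' still works in that case.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource, SID

$report = Get-LocalUser | ForEach-Object {
    $u = $_
    # Get-LocalGroupMember reports local users as COMPUTERNAME\user
    $isAdmin = $admins.Name -contains "$env:COMPUTERNAME\$($u.Name)"

    $flags = @()
    if ($u.Enabled -and $isAdmin)                       { $flags += 'enabled-admin' }
    if ($u.Enabled -and -not $u.PasswordRequired)       { $flags += 'no-password-required' }
    if ($u.Enabled -and $null -eq $u.PasswordExpires)   { $flags += 'password-never-expires' }
    if ($u.LastLogon -and $u.LastLogon -gt $cutoff)     { $flags += 'recent-logon' }
    # Well-known RIDs: 500 Administrator, 501 Guest, 503 DefaultAccount, 504 WDAGUtilityAccount.
    # Any other enabled account was created after installation and deserves a look.
    if ($u.Enabled -and $u.SID.Value -notmatch '-(500|501|503|504)$') { $flags += 'custom-account' }

    [pscustomobject]@{
        Name            = $u.Name
        Enabled         = $u.Enabled
        LocalAdmin      = $isAdmin
        LastLogon       = $u.LastLogon
        PasswordLastSet = $u.PasswordLastSet
        Description     = $u.Description
        Flags           = ($flags -join ',')
    }
}

$report | Sort-Object -Property LocalAdmin, Enabled -Descending | Format-Table -AutoSize

# Non-user principals in Administrators (domain groups, service SIDs) are listed separately
$admins | Where-Object ObjectClass -ne 'User' | Format-Table -AutoSize
```

Run it from an elevated PowerShell; the first table is the account inventory with flags, the second shows any groups or other principals that grant administrative rights indirectly.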

Processes

To get the list of all processes running on the system, you can use the 'tasklist' command. It gives you a list of the processes with the memory used, running time, image file name, services running in each process, etc.

To view the running processes in a GUI, press 'Windows+R', then type

taskmgr.exe


Now click on 'OK' and you will see all the running processes on your system and can check whether any unnecessary process is running.

To see all the running processes with their Process ID (PID), session name and the amount of memory used, run Command Prompt as administrator and type


tasklist

To get a list of all active processes running on the local computer, run PowerShell as administrator and type

Get-Process


Windows systems have an extremely powerful tool in the Windows Management Instrumentation Command-line (WMIC). wmic is very useful in incident response and is often enough to notice abnormal signs on the system. It can be used from Command Prompt as well as PowerShell when running as administrator. The syntax is

wmic process list full


Once you have determined which process is performing strange network activity, you can get more details about it. To list the parent process ID, name and process ID of every process, open PowerShell as administrator and type

wmic process get name,parentprocessid,processid

To get the command line (including the executable path) of a specific process, replace <PID> with its process ID and type

wmic process where "ProcessId=<PID>" get CommandLine
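The PowerShell script below is an added example, not part of the original cheat sheet. It produces the same parent/child and command-line view as the wmic queries above through Get-CimInstance, which matters because wmic is deprecated on current Windows releases, and adds what a responder wants next to each process: the owning account, the executable path, the creation time, and a Flags column for processes whose parent has disappeared, that run from a user-writable location, or that carry a Windows system binary name but run from outside the Windows directory. The directory list used for "user-writable" and the set of watched binary names are assumptions.

```powershell
# Added triage example (not part of the original cheat sheet): enumerate processes
# via CIM (the durable replacement for the deprecated wmic queries), attach parent
# name, owner, path and command line, and flag a few common points of interest.
# Run in an elevated PowerShell.

$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

# Assumption: binaries started from these locations deserve a second look
$suspiciousDirs = @("$env:windir\Temp\", "$env:SystemDrive\Users\", "$env:ProgramData\")
# Assumption: these names belong under %windir%; the same name elsewhere is worth checking
$systemNames = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'smss.exe')

$rows = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $owner  = $null
    try {
        $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
        if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
    } catch { }   # protected processes refuse GetOwner; leave owner empty

    $flags = @()
    if (-not $parent -and $p.ParentProcessId -ne 0) { $flags += 'parent-exited' }
    $path = $p.ExecutablePath
    if ($path) {
        foreach ($d in $suspiciousDirs) {
            if ($path.StartsWith($d, 'OrdinalIgnoreCase')) { $flags += 'user-writable-path'; break }
        }
        if (($p.Name -in $systemNames) -and -not $path.StartsWith("$env:windir\", 'OrdinalIgnoreCase')) {
            $flags += 'system-name-wrong-path'
        }
    }

    [pscustomobject]@{
        PID     = $p.ProcessId
        Name    = $p.Name
        PPID    = $p.ParentProcessId
        Parent  = if ($parent) { $parent.Name } else { '<none>' }
        Owner   = $owner
        Path    = $path
        Created = $p.CreationDate
        CmdLine = $p.CommandLine
        Flags   = ($flags -join ',')
    }
}

# Flagged processes first, then everything else in PID order
$rows | Sort-Object @{Expression = { $_.Flags -eq '' }}, PID |
    Format-Table PID, Name, PPID, Parent, Owner, Flags -AutoSize

# Full detail for one process: the equivalent of  wmic process where "ProcessId=<PID>" get CommandLine
function Get-ProcessDetail([int]$ProcId) {
    $rows | Where-Object PID -eq $ProcId | Format-List
}
```

The flags are heuristics, not verdicts: per-user installers legitimately run from the Users tree, so the column narrows where to look rather than deciding anything. Call Get-ProcessDetail with a PID from the table to see the full command line and creation time.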


Services

To identify whether any abnormal service is running on your system, or whether a service is not functioning properly, you can view your services.

To view all the services in the GUI, press 'Windows+R' and type

services.msc

Now click on 'OK' to see the list of services.


To view the list of services that have been started on your system, open Command Prompt as administrator and type

net start


To check whether a service is running and get more details such as its service name, display name and state, type

sc query | more


To get a list of running processes with their associated services in Command Prompt, run Command Prompt as administrator, then type

tasklist /svc
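As an added example (not the cheat sheet's own code), the script below gathers in one pass what the services.msc, sc query and tasklist /svc steps above show separately: every service with its state, start mode, account and registered binary path, a Flags column for configurations that commonly accompany tampering or misconfiguration (unquoted paths containing spaces, binaries outside the Windows and Program Files directories, binaries that no longer exist, auto-start LocalSystem services with no description), and a service-to-PID grouping equivalent to tasklist /svc. The expected-directory list and the flag rules are assumptions.

```powershell
# Added triage example (not part of the original cheat sheet): list services with
# their binary path, start mode and account, flag suspicious configurations, and
# group running services by hosting process. Run in an elevated PowerShell.

$services = Get-CimInstance -ClassName Win32_Service
# Assumption: vendor service binaries normally live under one of these roots
$expected = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$rows = foreach ($s in $services) {
    $flags = @()
    $path = $s.PathName   # as registered; may include arguments and quotes

    # Heuristic: an unquoted path whose directory part contains a space
    if ($path -and $path -notmatch '^"' -and $path -match '^[^"]*\s[^"]*\\') { $flags += 'unquoted-path' }

    # Extract the executable: quoted token, else first whitespace-delimited token
    $exe = if ($path -match '^"([^"]+)"') { $matches[1] } elseif ($path) { ($path -split '\s+')[0] }
    if ($exe) {
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not ($expected | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) {
            $flags += 'unusual-binary-location'
        }
        if (-not (Test-Path -LiteralPath $exe)) { $flags += 'binary-missing' }
    }

    if ($s.StartMode -eq 'Auto' -and $s.StartName -eq 'LocalSystem' -and -not $s.Description) {
        $flags += 'auto-system-no-description'
    }

    [pscustomobject]@{
        Name        = $s.Name
        DisplayName = $s.DisplayName
        State       = $s.State
        StartMode   = $s.StartMode
        Account     = $s.StartName
        PID         = $s.ProcessId
        Path        = $path
        Flags       = ($flags -join ',')
    }
}

# 1) Services that tripped at least one heuristic
$rows | Where-Object Flags -ne '' | Format-Table Name, State, StartMode, Account, Path, Flags -Wrap

# 2) Running services grouped by the process that hosts them (the 'tasklist /svc' view)
$rows | Where-Object State -eq 'Running' | Group-Object PID |
    ForEach-Object { [pscustomobject]@{ PID = $_.Name; Services = ($_.Group.Name -join ', ') } } |
    Format-Table -AutoSize
```

The unquoted-path regex is deliberately simple and will occasionally match an argument that contains a backslash; treat the flag as a prompt to read the Path column, not as a finding on its own.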


Task Scheduler

Task Scheduler is a Windows component that provides the ability to schedule the launch of programs or scripts at a pre-defined time or after specified time intervals. You should review scheduled tasks that run with high privileges or look suspicious.

To open Task Scheduler in the GUI, go to the following path, open the Task Scheduler shortcut and press Enter.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools


To view the scheduled tasks in Command Prompt, run Command Prompt as administrator and type

schtasks
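The following is an added PowerShell example, not part of the original cheat sheet. Where schtasks prints one line per task, this script uses the ScheduledTasks module to expand every task into its actions and shows, per action, the run-as account, run level, trigger types, last and next run time, executable and arguments, and flags tasks that combine high privileges with an executable outside the usual program directories, that sit in the root task folder, or that launch a script host. The expected-directory list and the script-host pattern are assumptions.

```powershell
# Added triage example (not part of the original cheat sheet): dump scheduled tasks
# with actions, principal and triggers, and flag the combinations a responder
# usually looks at first. Uses the ScheduledTasks module (Windows 8 / Server 2012
# and later). Run elevated so that all task folders are visible.

# Assumption: legitimate task binaries normally live under these roots
$expectedDirs = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$rows = foreach ($t in Get-ScheduledTask) {
    $info = $t | Get-ScheduledTaskInfo
    foreach ($a in $t.Actions) {
        # Only Exec actions carry Execute/Arguments; COM-handler actions are skipped here
        if (-not $a.Execute) { continue }
        $exe = [Environment]::ExpandEnvironmentVariables($a.Execute.Trim('"'))

        $flags = @()
        $highPriv = ($t.Principal.RunLevel -eq 'Highest') -or
                    ($t.Principal.UserId -match '^(SYSTEM|NT AUTHORITY\\SYSTEM|LocalSystem|S-1-5-18)$')
        $inExpected = $expectedDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') }
        if ($exe -notmatch '\\')                    { $flags += 'relative-path' }   # resolved via PATH at run time
        elseif ($highPriv -and -not $inExpected)    { $flags += 'highpriv-unusual-path' }
        if ($t.TaskPath -eq '\')                    { $flags += 'root-folder' }     # vendor tasks usually live in subfolders
        if ($exe -match '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$') { $flags += 'script-host' }
        if (-not $t.Description)                    { $flags += 'no-description' }

        [pscustomobject]@{
            Task      = $t.TaskPath + $t.TaskName
            State     = $t.State
            RunAs     = $t.Principal.UserId
            RunLevel  = $t.Principal.RunLevel
            Triggers  = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
            LastRun   = $info.LastRunTime
            NextRun   = $info.NextRunTime
            Execute   = $exe
            Arguments = $a.Arguments
            Flags     = ($flags -join ',')
        }
    }
}

# Flagged tasks first; drop the Where-Object to see the complete inventory
$rows | Where-Object Flags -ne '' | Sort-Object Task |
    Format-Table Task, RunAs, RunLevel, Triggers, Execute, Arguments, Flags -Wrap
```

A script host with a long argument string is the row to read carefully; the Arguments column is where a task's actual behaviour usually hides. The Triggers column (Logon, Boot, Daily, Registration and so on) tells you when the action fires.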


Startup

The Startup folder in Windows automatically runs applications when you log on, so as an incident handler you should observe the applications that auto-start.

To view the applications in the Startup tab in the GUI, open Task Manager and click on the 'Startup' tab. There you can see which applications are enabled and disabled at startup. Running the following command opens the same window:

taskmgr


To view the startup applications in PowerShell, run PowerShell as administrator and type

wmic startup get caption,command


To get a detailed list of the autostart applications in PowerShell, run it as administrator and type

Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List


Registry Entries

Sometimes unsophisticated malware can be found by taking a look at the Windows Registry's Run key. To view the registry key in the GUI, open REGEDIT and navigate to the Run key manually.

You can also view the Run key of the Local Machine hive in PowerShell, by running it as administrator and typing

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run


You can also view the Run key of the Current User hive in PowerShell, by running it as administrator and typing

reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
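The PowerShell script below is an added example covering both the Startup section and the Registry Entries section above; it is not the cheat sheet's own code. It reads the Run and RunOnce keys of the machine and current-user hives directly (plus the WOW6432Node copy on 64-bit systems), then takes everything Windows itself reports through Win32_StartupCommand (registry entries and the Startup folders), resolves each command line to its executable and flags entries whose binary is missing, lives in a user-writable location, or is a script host. The key list, the user-writable directory list and the script-host pattern are assumptions.

```powershell
# Added example covering the Startup and Registry Entries sections (not from the
# original cheat sheet): enumerate autostart entries from the Run/RunOnce keys and
# from Win32_StartupCommand, resolve each to an executable and flag it.
# Run elevated; HKCU refers to the account running the script.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Assumption: an autostart binary in one of these trees deserves a second look
$userWritable = @("$env:SystemDrive\Users\", "$env:ProgramData\", "$env:windir\Temp\")

function Resolve-CommandExe([string]$cmd) {
    # Pull the executable out of a command line: quoted token, else first whitespace-delimited token
    if (-not $cmd) { return $null }
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $matches[1] } else { ($cmd.Trim() -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Get-AutostartFlags([string]$exe) {
    if (-not $exe) { return '' }
    $flags = @()
    if ($exe -match '\\' -and -not (Test-Path -LiteralPath $exe)) { $flags += 'binary-missing' }
    foreach ($d in $userWritable) {
        if ($exe.StartsWith($d, 'OrdinalIgnoreCase')) { $flags += 'user-writable-path'; break }
    }
    if ($exe -match '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?$') { $flags += 'script-host' }
    return ($flags -join ',')
}

# 1) Run / RunOnce values read straight from the registry
$regRows = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        # Skip the provider metadata that Get-ItemProperty attaches to the object
        if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
        $exe = Resolve-CommandExe $prop.Value
        [pscustomobject]@{ Source = $key; Name = $prop.Name; Command = $prop.Value; Exe = $exe; Flags = Get-AutostartFlags $exe }
    }
}

# 2) Everything Windows reports as an autostart command (registry keys and Startup folders)
$wmiRows = Get-CimInstance -ClassName Win32_StartupCommand | ForEach-Object {
    $exe = Resolve-CommandExe $_.Command
    [pscustomobject]@{ Source = $_.Location; Name = $_.Name; User = $_.User; Command = $_.Command; Exe = $exe; Flags = Get-AutostartFlags $exe }
}

$regRows | Format-Table Source, Name, Command, Flags -Wrap
$wmiRows | Format-Table Source, Name, User, Command, Flags -Wrap
```

The two listings overlap on purpose: an entry present in the registry read but absent from Win32_StartupCommand (or the reverse) is itself something to explain. Other users' HKCU hives are not loaded in this session; review them through HKEY_USERS or by logging on as that user.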

Active TCP & UDP ports

As an incident responder, you should pay careful attention to the active TCP and UDP ports on your system.

The network statistics of a system can be viewed with the netstat tool. It reports incoming and outgoing connections, routing tables, listening ports and usage statistics; the -o switch adds the owning process ID to each connection. Open Command Prompt and type

netstat -ano


This can also be checked in PowerShell with a different command to see the local IP address and ports. Run PowerShell and type (replacing 192.168.0.110 with your system's IP address)

Get-NetTCPConnection -LocalAddress 192.168.0.110 | Sort-Object LocalPort
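As an added example (not from the original cheat sheet), the script below does the netstat -ano join by hand: it maps every TCP connection and UDP endpoint to its owning process name and path without hard-coding a local address, and flags listeners bound to all interfaces and established connections to non-private IPv4 peers, with a second flag when that connection belongs to a process running outside the Windows directory. The private-range regex and the flag rules are assumptions.

```powershell
# Added example (not from the original cheat sheet): join TCP/UDP endpoints to
# their owning process and flag the rows a responder usually looks at first.
# Requires the NetTCPIP module; run elevated to resolve every process path.

$procs = @{}
Get-CimInstance -ClassName Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

function Test-PrivateIPv4([string]$ip) {
    # RFC 1918 ranges plus loopback, link-local and the unspecified address;
    # anything else is treated as an external peer (assumption for this triage)
    return $ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|0\.0\.0\.0$)'
}

$tcp = Get-NetTCPConnection | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    $flags = @()
    if ($_.State -eq 'Listen' -and ($_.LocalAddress -in '0.0.0.0', '::')) { $flags += 'listens-all-interfaces' }
    if ($_.State -eq 'Established' -and $_.RemoteAddress -notmatch ':' -and -not (Test-PrivateIPv4 $_.RemoteAddress)) {
        $flags += 'external-peer'
        if ($p -and $p.ExecutablePath -and -not $p.ExecutablePath.StartsWith("$env:windir\", 'OrdinalIgnoreCase')) {
            $flags += 'non-system-process'
        }
    }
    [pscustomobject]@{
        Proto   = 'TCP'
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
        State   = $_.State
        PID     = $_.OwningProcess
        Process = if ($p) { $p.Name } else { '<unknown>' }
        Path    = if ($p) { $p.ExecutablePath } else { $null }
        Since   = $_.CreationTime
        Flags   = ($flags -join ',')
    }
}

$udp = Get-NetUDPEndpoint | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [pscustomobject]@{
        Proto   = 'UDP'
        Local   = "$($_.LocalAddress):$($_.LocalPort)"
        Remote  = '*'
        State   = 'Bound'
        PID     = $_.OwningProcess
        Process = if ($p) { $p.Name } else { '<unknown>' }
        Path    = if ($p) { $p.ExecutablePath } else { $null }
        Since   = $_.CreationTime
        Flags   = if ($_.LocalAddress -in '0.0.0.0', '::') { 'listens-all-interfaces' } else { '' }
    }
}

# Flagged rows first, then by protocol and PID
($tcp + $udp) | Sort-Object @{Expression = { $_.Flags -eq '' }}, Proto, PID |
    Format-Table Proto, Local, Remote, State, PID, Process, Flags -AutoSize
```

The Since column is the connection's creation time, which lines up with the process creation time from the Processes section and with the event log timeline when you build one.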


File sharing

As an incident responder, you should make sure that every file share is accounted for and reasonable, and that there is no unnecessary file sharing.

To check the file shares of the local computer in Command Prompt, type (use \\<hostname> for a specific remote host)

net view \\localhost


To see the file shares in PowerShell, type

Get-SmbShare

Files

To find files that could be malicious or that end with a particular extension, you can use the 'forfiles' command. forfiles is a command-line utility that shipped with Microsoft Windows Vista. At the time, managing multiple files from the command line was difficult, as most commands were made to work on single files.


To list the .exe files with their path in Command Prompt, type

forfiles /D -10 /S /M *.exe /C "cmd /c echo @path"

To list files without their path but with more details such as the extension, file name and modification date, type

forfiles /D -10 /S /M *.exe /C "cmd /c echo @ext @fname @fdate"

To check for files modified in the last 10 days, type

forfiles /p c: /S /D -10


To filter files by size (for example, files larger than 6 MB), use File Explorer's search box and enter

size:>6M
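The following PowerShell function is an added example, not part of the original cheat sheet. It restates the forfiles and File Explorer searches above with Get-ChildItem so that the date logic is explicit: in forfiles, /D -10 selects files whose last-modified date is on or before ten days ago, whereas a responder scoping an incident usually wants files changed within the last ten days, which is what this function returns. Each hit is reported with its size, timestamps, Authenticode signature status and SHA-256 hash. The default extension list, the search root and the window are assumptions and are all parameters.

```powershell
# Added example (not from the original cheat sheet): find recently written files by
# extension and size, with signature status and hash, using Get-ChildItem.
# LastWriteTime -ge (now - Days) selects files changed within the window.

function Find-RecentFiles {
    param(
        [string]$Root = "$env:SystemDrive\",
        [int]$Days = 10,
        # Assumption: common executable/script extensions as a starting point; pass @() for all files
        [string[]]$Extensions = @('.exe', '.dll', '.ps1', '.bat', '.vbs', '.js', '.hta', '.scr'),
        [long]$MinBytes = 0
    )
    $since = (Get-Date).AddDays(-$Days)
    # -Force includes hidden files; access-denied folders are skipped instead of aborting
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $_.LastWriteTime -ge $since -and
            $_.Length -ge $MinBytes -and
            ($Extensions.Count -eq 0 -or $_.Extension -in $Extensions)
        } |
        ForEach-Object {
            $hash = try { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction Stop).Hash } catch { $null }
            [pscustomobject]@{
                Path          = $_.FullName
                Extension     = $_.Extension
                SizeKB        = [math]::Round($_.Length / 1KB, 1)
                LastWriteTime = $_.LastWriteTime
                CreationTime  = $_.CreationTime
                Signed        = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                SHA256        = $hash
            }
        }
}

# Executables changed in the last 10 days anywhere on the system drive, newest first
Find-RecentFiles -Days 10 -Extensions '.exe' | Sort-Object LastWriteTime -Descending |
    Format-Table Path, SizeKB, LastWriteTime, Signed -AutoSize

# Files of any type larger than 6 MB changed in the last 10 days (the File Explorer 'size:>6M' filter)
Find-RecentFiles -Days 10 -Extensions @() -MinBytes 6MB | Format-Table Path, SizeKB, LastWriteTime -AutoSize

# Heuristic: a creation time later than the last-write time means the file was copied
# into place (or its timestamps were altered) after it was last modified; worth a look
Find-RecentFiles -Days 10 | Where-Object { $_.CreationTime -gt $_.LastWriteTime.AddMinutes(1) } |
    Format-Table Path, CreationTime, LastWriteTime -AutoSize
```

A whole-drive run hashes every hit and takes a while; point -Root at a user profile or ProgramData first when time is short. The Signed column is NotSigned for most scripts and for many legitimate third-party tools, so read it together with the path rather than alone.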


Firewall Settings

The incident responder should pay attention to the firewall configuration and settings and should review them regularly.

To view the firewall configuration and the inbound and outbound settings in Command Prompt, type

netsh firewall show config


To view the firewall settings of the current profile in the command prompt, type

netsh advfirewall show currentprofile
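The script below is an added PowerShell example, not part of the original cheat sheet. It reads the same state as the two netsh commands above through the NetSecurity cmdlets (netsh firewall is the legacy context; netsh advfirewall is its current form): first each profile's enabled state, default actions and logging settings, then every enabled inbound allow rule resolved to its program, protocol, local ports and remote addresses, flagging rules that allow any program on any port, that open a TCP port to any remote address, that point at a program outside the usual directories or at one that no longer exists, or that belong to no rule group. The expected-directory list and the flag rules are assumptions.

```powershell
# Added example (not from the original cheat sheet): review firewall profiles and
# enabled inbound allow rules with the NetSecurity cmdlets. Run elevated.

# 1) Profile state: a disabled profile or a default inbound action of Allow is a finding
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction, LogAllowed, LogBlocked, LogFileName |
    Format-Table -AutoSize

# 2) Enabled inbound allow rules, resolved to program / port / remote address
# Assumption: programs referenced by rules normally live under these roots
$expectedDirs = @("$env:windir\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    $rule = $_
    $app  = $rule | Get-NetFirewallApplicationFilter
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    # 'Any' means no program restriction; 'System' is the kernel-mode network stack
    $exe  = if ($app.Program -notin 'Any', 'System') { [Environment]::ExpandEnvironmentVariables($app.Program) } else { $null }

    $flags = @()
    if ($app.Program -eq 'Any' -and $port.LocalPort -eq 'Any')               { $flags += 'any-program-any-port' }
    if ($addr.RemoteAddress -eq 'Any' -and $port.Protocol -eq 'TCP' -and $port.LocalPort -ne 'Any') { $flags += 'tcp-port-open-to-any-remote' }
    if ($exe -and -not ($expectedDirs | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'program-unusual-path' }
    if ($exe -and -not (Test-Path -LiteralPath $exe))                         { $flags += 'program-missing' }
    if ([string]::IsNullOrEmpty($rule.Group))                                 { $flags += 'no-group' }   # hand-made rules usually have no group

    [pscustomobject]@{
        Name      = $rule.DisplayName
        Profile   = $rule.Profile
        Protocol  = $port.Protocol
        LocalPort = ($port.LocalPort -join ',')
        Remote    = ($addr.RemoteAddress -join ',')
        Program   = if ($exe) { $exe } else { $app.Program }
        Flags     = ($flags -join ',')
    }
}

$rules | Where-Object Flags -ne '' | Sort-Object Name |
    Format-Table Name, Profile, Protocol, LocalPort, Remote, Program, Flags -Wrap
```

Rules that arrive without a group and point at a program under a user profile are the usual first read; the built-in Windows rules all carry a group name, so the no-group flag alone separates most of the vendor noise from local additions.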


Sessions with other Systems

To check the details of sessions established with other systems, run Command Prompt and type

net use


Open Sessions with

To see any open sessions on your system, along with details such as the duration of each session, run Command Prompt and type

net session
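The following PowerShell script is an added example serving the File sharing, Sessions with other Systems and Open Sessions sections together; it is not the cheat sheet's own code. It lists every SMB share with its share permissions and flags shares that are not Windows defaults or that grant Everyone or Authenticated Users write access, then shows the inbound view of net session (who is connected to this host, what they hold open, and for how long) and the outbound view of net use (where this host is connected). The default-share list and the "broad write access" rule are assumptions.

```powershell
# Added example covering the File sharing, Sessions with other Systems and Open
# Sessions sections (not from the original cheat sheet). Uses the SmbShare module;
# run elevated.

# Assumption: administrative shares Windows creates by default (ADMIN$, IPC$, print$, one per drive)
$defaultShares = @('ADMIN$', 'IPC$', 'print$') +
    (Get-PSDrive -PSProvider FileSystem | ForEach-Object { "$($_.Name)$" })

$shares = Get-SmbShare | ForEach-Object {
    $share = $_
    $acl = if ($share.Name -ne 'IPC$') { Get-SmbShareAccess -Name $share.Name -ErrorAction SilentlyContinue } else { @() }
    $flags = @()
    if ($share.Name -notin $defaultShares) { $flags += 'non-default-share' }
    $broad = $acl | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccountName -match 'Everyone|Authenticated Users' -and
        $_.AccessRight -in 'Change', 'Full'
    }
    if ($broad) { $flags += 'broad-write-access' }
    [pscustomobject]@{
        Name   = $share.Name
        Path   = $share.Path
        Access = ($acl | ForEach-Object { "$($_.AccountName):$($_.AccessRight)" }) -join '; '
        Flags  = ($flags -join ',')
    }
}
$shares | Format-Table Name, Path, Access, Flags -Wrap

# Inbound: who is connected to this host over SMB and for how long (the 'net session' view)
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, NumOpens,
        @{ n = 'IdleMin';      e = { [int]($_.SecondsIdle / 60) } },
        @{ n = 'ConnectedMin'; e = { [int]($_.SecondsExists / 60) } } |
    Format-Table -AutoSize

# Files currently held open through those sessions
Get-SmbOpenFile | Select-Object ClientComputerName, ClientUserName, Path | Format-Table -AutoSize

# Outbound: shares this host is connected to, and drive mappings (the 'net use' view)
Get-SmbConnection | Select-Object ServerName, ShareName, UserName, NumOpens, Dialect | Format-Table -AutoSize
Get-SmbMapping    | Select-Object LocalPath, RemotePath, Status | Format-Table -AutoSize
```

Share permissions are only half the picture: NTFS permissions on the share's Path still apply, so a share that looks broad here may be narrowed on disk, and the reverse. Get-SmbOpenFile is the quickest way to see which files a remote session is actually touching right now.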

Log Entries

To view the log entries in the GUI, open Event Viewer: press 'Windows+R' and type

eventvwr.msc


To query the events of a particular log in Command Prompt (here the Security log), type

wevtutil qe security

To get the list of event logs in PowerShell, type

Get-EventLog -List


Then run Get-EventLog without arguments; at the 'Supply values for the following parameters' prompt, type the name of the particular log and you will get the event details of that log.


Conclusion
Hence, as a cybersecurity professional, one can make use of these commands to assess vulnerabilities on systems and keep those systems away from threats.

References
• https://www.hackingarticles.in/incident-response-windows-cheatsheet/
• https://learn.microsoft.com/en-us/powershell/
