Incident response commands for Windows and Linux


1. WINDOWS

1.1. Users

1.1.1. Local Users

1.1.1.1. To view the local user accounts in the GUI, press ‘Windows+R’, type ‘lusrmgr.msc’ and click ‘OK’. You will see the user accounts and their descriptions.

1.1.2. Net Users

1.1.2.1. Open the command prompt as an administrator, type ‘net user’ and press enter. You will see the user accounts on the system and the type of each account. Command - net user

1.1.3. Net Local Group

1.1.3.1. The ‘net localgroup <groupname>’ command manages local user groups on a system: with it an administrator can add local or domain users to a group, delete users from a group, create new groups and delete existing groups. To list the members of the local Administrators group, open the command prompt as an administrator, type ‘net localgroup administrators’ and press enter. Command - net localgroup administrators

1.1.4. Local User

1.1.4.1. To view the local user accounts in PowerShell, open PowerShell as an administrator, type ‘Get-LocalUser’ and press enter. You will see the local user accounts with their names, whether they are enabled, and their descriptions. Command - Get-LocalUser

1.2. Processes

1.2.1. To get the list of all processes running on the system, use the ‘tasklist’ command. It shows, for each process, the memory in use, the running time, the image file name, the services hosted in the process, etc. You can view the processes with the following methods:

1.2.1.1. Task Manager

1.2.1.1.1. To view the running processes in a GUI, press ‘Windows+R’, then type ‘taskmgr.exe’.

1.2.1.1.2. Now click on ‘OK’ and you will be able to see all the running processes in your system and will be able to check if there is any unnecessary process running.

1.2.1.2. Tasklist

1.2.1.2.1. To view the processes in the command prompt, open the command prompt as an administrator, type ‘tasklist’ and press enter. You will see all running processes with their Process ID (PID), session name and memory usage. Command - tasklist

1.2.1.3. Powershell

1.2.1.3.1. To view the process list in PowerShell, run PowerShell as an administrator, type ‘Get-Process’ and press enter. It lists all active processes on the local computer. Command - Get-Process

1.2.1.3.2. Windows ships an extremely powerful tool, the Windows Management Instrumentation Command-line (WMIC). Wmic is very useful in incident response and is often enough to notice abnormal signs on a system. It can be run from the command prompt as well as from PowerShell when run as an administrator. The syntax is ‘wmic process list full’. Command - wmic process list full

1.2.1.3.3. To get the name, parent process ID and process ID of each process, open PowerShell as an administrator and type ‘wmic process get name,parentprocessid,processid’. This is the natural next step after you determine which process is performing strange network activity. Command - wmic process get name,parentprocessid,processid

1.2.1.3.4. To get the command line (and therefore the path) of a process with a given PID, open PowerShell and type ‘wmic process where "ProcessID=<PID>" get CommandLine’ and press enter. Command - wmic process where "ProcessID=<PID>" get CommandLine
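
As an added example (not part of the original mind map), the following Python script parses the table that ‘wmic process get name,parentprocessid,processid’ prints and flags processes whose parent is not the one normally expected, which is the check a responder usually does with that output. The sample table, its PIDs and the small table of expected parent/child relationships are constructed for illustration. Note that wmic is deprecated on current Windows releases; ‘Get-CimInstance Win32_Process’ exposes the same Name, ParentProcessId and ProcessId properties.

```python
"""Parse the output of `wmic process get name,parentprocessid,processid`
and flag processes whose parent is not the one normally expected."""

# Constructed sample output (not captured from a real host); PIDs are made up.
SAMPLE_WMIC_OUTPUT = """\
Name                 ParentProcessId  ProcessId
System Idle Process  0                0
System               0                4
smss.exe             4                368
csrss.exe            520              528
wininit.exe          520              600
services.exe         600              688
lsass.exe            600              696
svchost.exe          688              836
explorer.exe         4312             5120
svchost.exe          5120             7104
powershell.exe       5120             6020
"""

# Partial table of well-known parent/child relationships on Windows
# (assumed reference data for this example, not taken from the page).
EXPECTED_PARENT = {
    "smss.exe": "System",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def parse_wmic_process(text):
    """Return a list of (pid, ppid, name) tuples from wmic's table output.

    Names can contain spaces ("System Idle Process"), so split from the
    right: the last two whitespace-separated fields are PPID and PID.
    """
    rows = []
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:  # skip the header row
        name, ppid, pid = line.rsplit(None, 2)
        rows.append((int(pid), int(ppid), name))
    return rows


def unexpected_parents(rows):
    """Return (pid, name, actual_parent, expected_parent) for every process
    whose parent's image name differs from the expected one."""
    name_by_pid = {pid: name for pid, _, name in rows}
    findings = []
    for pid, ppid, name in rows:
        expected = EXPECTED_PARENT.get(name.lower())
        if expected is None:
            continue
        actual = name_by_pid.get(ppid)  # None if the parent has already exited
        if actual is None or actual.lower() != expected.lower():
            findings.append((pid, name, actual, expected))
    return findings


def children_of(rows, parent_pid):
    """Return the (pid, name) pairs of every direct child of parent_pid."""
    return [(pid, name) for pid, ppid, name in rows if ppid == parent_pid]


if __name__ == "__main__":
    procs = parse_wmic_process(SAMPLE_WMIC_OUTPUT)
    for pid, name, actual, expected in unexpected_parents(procs):
        print(f"PID {pid} {name}: parent is {actual!r}, expected {expected}")
    print("children of services.exe (688):", children_of(procs, 688))
```

In the constructed sample the second svchost.exe (PID 7104) is reported because its parent is explorer.exe rather than services.exe; a parent that has exited shows up as None, which is normal for csrss.exe and wininit.exe and is why those two are not in the expected-parent table.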

1.3. Services

1.3.1. To identify if there is any abnormal service running in your system or some service is not functioning properly, you can view your services.

1.3.1.1. GUI

1.3.1.1.1. To view all the services in GUI, press ‘Windows+R’ and type ‘services.msc’.

1.3.1.1.2. Now click on ‘OK’ to see the list of services.

1.3.1.2. net start

1.3.1.2.1. To view the list of services that are currently started, open the command prompt as an administrator, type ‘net start’ (with no arguments) and press enter. Command - net start

1.3.1.2.2. To view whether a service is running and to get more details such as its service name, display name and state, type ‘sc query | more’ and press enter. Command - sc query | more

1.4. Task Scheduler

1.4.1. tasklist

1.4.1.1. For a list of running processes with their associated services in the command prompt, run the command prompt as an administrator, type ‘tasklist /svc’ and press enter. Command - tasklist /svc

1.4.2. GUI

1.4.2.1. Task Scheduler is a Windows component that schedules the launch of programs or scripts at a pre-defined time or at specified intervals. Review the scheduled tasks, especially those that run with high privileges or look suspicious. To open Task Scheduler in the GUI, go to the following path and press enter: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools

1.4.3. Schtasks

1.4.3.1. To list the scheduled tasks from the command prompt, run it as an administrator, type ‘schtasks’ and press enter. Command - schtasks

1.5. Startup

1.5.1. The Startup folder in Windows automatically runs applications when you log on, so as an incident handler you should review the applications that auto-start.

1.5.1.1. GUI

1.5.1.1.1. To view the applications in the Startup menu in the GUI, open Task Manager and click on the ‘Startup’ tab. There you can see which applications are enabled and disabled at startup. Opening the following path gives the same view

1.5.1.2. Powershell

1.5.1.2.1. To view the startup applications in PowerShell, run PowerShell as an administrator, type ‘wmic startup get caption,command’ and press enter. Command - wmic startup get caption,command

1.5.1.2.2. To get a detailed list of the auto-start applications in PowerShell, run it as an administrator, type ‘Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List’ and press enter. Command - Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User | Format-List

1.6. Registry

1.6.1. Unsophisticated malware can sometimes be found by looking at the Run keys in the Windows Registry.

1.6.1.1. GUI

1.6.1.1.1. To view the registry key in the GUI, open regedit and navigate to the Run key manually.

1.6.1.2. Powershell

1.6.1.2.1. You can also view the Run key of the Local Machine hive from PowerShell by running it as an administrator, typing ‘reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ and pressing enter. Command - reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

1.6.1.2.2. You can also view the Run key of the Current User hive from PowerShell by running it as an administrator, typing ‘reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run’ and pressing enter. Command - reg query HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
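
As an added example (not part of the original mind map), this Python script parses the text that the two ‘reg query … \Run’ commands above print, extracts the executable behind each value (handling quoted paths, trailing arguments and %VAR% references), and flags entries that launch from user-writable locations such as Temp, Public or Downloads. The registry output, the value names, the paths, the user name and the list of user-writable path markers are all constructed for illustration.

```python
"""Parse `reg query HKLM\\...\\Run` / `reg query HKCU\\...\\Run` output and
flag Run entries whose executable lives in a user-writable directory."""

import re

# Constructed sample output of `reg query ...\Run` for HKLM and HKCU; the
# entries, paths and user name are made up for illustration.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\updater.exe /silent
"""

# Path fragments (lower-case) that indicate a directory any user can write to.
# This is an assumed starting list, not an exhaustive one.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\users\\public\\", "\\downloads\\")


def parse_reg_query(text):
    """Return one dict per value: key, name, type, data.

    reg query prints the key on its own unindented line and each value
    indented, with the name, type and data separated by four spaces."""
    entries = []
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):  # key header line
            key = raw.strip()
            continue
        parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2)
        if len(parts) != 3:
            continue
        name, vtype, data = parts
        entries.append({"key": key, "name": name, "type": vtype, "data": data})
    return entries


def executable_from(data, env=None):
    """Extract the executable path from a Run value's data.

    A quoted path is taken up to the closing quote; otherwise the first
    token is used. %VAR% references are expanded from the supplied map
    (constructed here, since the analysis host may not be the Windows box)."""
    env = env or {}
    data = data.strip()
    if data.startswith('"'):
        path = data[1:data.find('"', 1)]
    else:
        path = data.split()[0]
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def suspicious_run_entries(entries, env=None):
    """Return (key, name, executable) for entries launched from a
    user-writable location."""
    flagged = []
    for e in entries:
        exe = executable_from(e["data"], env).lower()
        if any(marker in exe for marker in USER_WRITABLE_MARKERS):
            flagged.append((e["key"], e["name"], exe))
    return flagged


if __name__ == "__main__":
    env = {"windir": r"C:\Windows"}  # constructed expansion map
    for key, name, exe in suspicious_run_entries(parse_reg_query(SAMPLE_REG_OUTPUT), env):
        print(f"{key}\\{name} -> {exe}")
```

In the sample only ‘Updater’ is reported; the OneDrive entry also lives under AppData but not under a marker directory, which illustrates that the marker list decides what gets flagged and should be tuned for the environment rather than treated as a verdict.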

1.7. Active TCP/UDP Port

1.7.1. As an Incident Responder you should carefully pay attention to the active TCP and UDP ports of your system.

1.7.1.1. netstat

1.7.1.1.1. The network statistics of a system can be viewed with the netstat tool. It reports incoming and outgoing connections, routing tables, listening ports and usage statistics. Open the command prompt, type ‘netstat -ano’ and press enter. Command - netstat -ano

1.7.1.2. Powershell

1.7.1.2.1. This can also be checked in PowerShell with a different command. Run PowerShell, type ‘Get-NetTCPConnection -LocalAddress 192.168.0.110 | Sort-Object LocalPort’ and press enter. You will get detailed information about the IP and the local ports. Command - Get-NetTCPConnection -LocalAddress 192.168.0.110 | Sort-Object LocalPort
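
As an added example (not part of the original mind map), this Python script joins the output of ‘netstat -ano’ with the output of ‘tasklist’ so that every listening socket is attributed to an image name, and then reports listeners that are not on an allow-list of expected ports. Both command outputs, the PIDs, the addresses and the allow-list are constructed for illustration.

```python
"""Join `netstat -ano` with `tasklist` and report unexpected listeners."""

# Constructed sample of `netstat -ano` (not a real capture); PIDs and the
# remote address (a documentation range) are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       7104
  TCP    192.168.0.110:49712    203.0.113.25:443       ESTABLISHED     6020
  TCP    [::]:135               [::]:0                 LISTENING       836
  UDP    0.0.0.0:5353           *:*                                    2412
"""

# Constructed sample of `tasklist` for the same made-up PIDs.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Services                   0          8 K
System                           4 Services                   0        144 K
svchost.exe                    836 Services                   0     12,340 K
svchost.exe                   2412 Services                   0      4,980 K
powershell.exe                6020 Console                    1     68,120 K
svchost.exe                   7104 Console                    1      5,212 K
"""


def split_port(addr):
    """'0.0.0.0:135' -> ('0.0.0.0', 135); also handles '[::]:135'."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def parse_netstat(text):
    """Return one dict per socket line. UDP lines have no State column,
    so the PID is the fourth field there and the fifth for TCP."""
    conns = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("TCP", "UDP"):
            continue
        if tok[0] == "UDP":
            state, pid = "", tok[3]
        else:
            state, pid = tok[3], tok[4]
        host, port = split_port(tok[1])
        conns.append({"proto": tok[0], "host": host, "port": port,
                      "remote": tok[2], "state": state, "pid": int(pid)})
    return conns


def parse_tasklist(text):
    """Map PID -> image name. Image names may contain spaces, so split from
    the right: PID, session name, session#, and the two-token memory figure."""
    images = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Image Name") or line.startswith("="):
            continue
        parts = line.rsplit(None, 5)
        if len(parts) != 6:
            continue
        images[int(parts[1])] = parts[0]
    return images


def listeners(conns, images):
    """(proto, port, pid, image) for every TCP LISTENING socket and every
    bound UDP socket, with the owning image looked up from tasklist."""
    out = []
    for c in conns:
        if c["proto"] == "TCP" and c["state"] != "LISTENING":
            continue
        out.append((c["proto"], c["port"], c["pid"], images.get(c["pid"], "<unknown>")))
    return out


def unexpected_listeners(conns, images, expected_ports):
    """Listeners whose port is not on the allow-list of expected ports."""
    return [entry for entry in listeners(conns, images) if entry[1] not in expected_ports]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    images = parse_tasklist(SAMPLE_TASKLIST)
    for proto, port, pid, image in unexpected_listeners(conns, images, {135, 445, 5353}):
        print(f"{proto} port {port} owned by PID {pid} ({image})")
```

The allow-list is the part a responder fills in from the host's role; in the sample, TCP 4444 owned by an svchost.exe in the console session is the only listener outside it.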

1.8. File Sharing

1.8.1. As an incident responder you should make sure that every file share is accounted for and reasonable, and that there is no unnecessary file sharing.

1.8.1.1. net view

1.8.1.1.1. To check the file shares in the command prompt, type ‘net view \\<localhost>’ and press enter. Command - net view \\127.0.0.1

1.8.1.2. SMBShare

1.8.1.2.1. To see the file shares in PowerShell, type ‘Get-SMBShare’ and press enter. Command - Get-SMBShare

1.9. Files

1.9.1. To view files which could be malicious or end with a particular extension, you can use the ‘forfiles’ command. Forfiles is a command line utility that shipped with Windows Vista. At that time, managing multiple files through the command line was difficult, as most commands were made to work on single files.

1.9.1.1. Forfiles

1.9.1.1.1. To view the .exe files with their path to locate them in the command prompt, type ‘forfiles /D -10 /S /M *.exe /C "cmd /c echo @path"’ and press enter. Command - forfiles /D -10 /S /M *.exe /C "cmd /c echo @path"

1.9.1.1.2. To view files without their path, with more details such as the extension, file name and modification date, type ‘forfiles /D -10 /S /M *.exe /C "cmd /c echo @ext @fname @fdate"’ and press enter. Command - forfiles /D -10 /S /M *.exe /C "cmd /c echo @ext @fname @fdate"

1.9.1.1.3. To check for files modified in the last 10 days, type ‘forfiles /P C:\ /S /D -10’. To filter files by size (for example, larger than 6 MB), use the File Explorer search box and enter ‘size:>6M’. Command - forfiles /P C:\ /S /D -10

1.10. Firewall Settings

1.10.1. The incident responder should pay attention to the firewall configuration and settings and maintain them regularly.

1.10.1.1. To view the firewall configuration in the command prompt, type ‘netsh firewall show config’ and press enter to view the inbound and outbound settings. Command - netsh firewall show config

1.10.1.2. To view the firewall settings of the current profile in the command prompt, type ‘netsh advfirewall show currentprofile’ and press enter. Command - netsh advfirewall show currentprofile

1.11. Session with other systems

1.11.1. To check the session details that are created with other systems, type ‘net use’ in the command prompt and press enter. Command - net use

1.12. Open Session

1.12.1. You can type ‘net session’ in the command prompt and press enter to see any open sessions of your system. It gives you the details about the duration of the session. Command - net session

1.13. Log Entries

1.13.1. You can view the log entries in the Event Viewer GUI, from the command prompt or from PowerShell.

1.13.1.1. Event Viewer

1.13.1.1.1. To view the log entries in the GUI, open the Event Viewer: press ‘Windows+R’, type ‘eventvwr.msc’ and press ‘OK’.

1.13.1.2. Cmd

1.13.1.2.1. To query the events of a particular log from the command prompt (here the Security log), type ‘wevtutil qe security’ and press enter. Command - wevtutil qe security

1.13.1.3. Powershell

1.13.1.3.1. To get the list of event logs in PowerShell, type ‘Get-EventLog -List’. To read a particular log, run ‘Get-EventLog’ without the -List switch and supply the name of that log when prompted; you will get the events of that log. Command - Get-EventLog -List

2. What is Incident Response?

3. LINUX

3.1. User accounts

3.1.1. As an Incident Responder, it is very important to investigate the user account’s activity. It helps you understand the logged-in users, the existing users, usual or unusual logins, failed login attempts, permissions, access by sudo etc.

3.1.1.1. /etc/passwd

3.1.1.1.1. To identify whether there is an account entry on your system that seems suspicious, list the user accounts; this file holds the information about every user account. To do so, type: Command - cat /etc/passwd

3.1.1.2. Passwd -S

3.1.1.2.1. Setuid is a special file permission in Linux. When a user wants to change their password they run the ‘passwd’ command; because the passwd binary is setuid root, the user gets temporary root permission for that operation. ‘passwd -S user’ shows the password status of an account (for example whether it is locked or has no password). Command - passwd -S user

3.1.1.3. grep

3.1.1.3.1. Grep searches plain text for lines that match a regular expression. The pattern ‘:0:’ matches the UID 0 entries in the /etc/passwd file. Command - grep :0: /etc/passwd

3.1.1.4. find / -nouser

3.1.1.4.1. To identify and display files whose owner no longer exists (which can reveal a temporary user that an attacker created and then removed), type: Command - find / -nouser -print

3.1.1.5. /etc/shadow

3.1.1.5.1. /etc/shadow contains the hashed (encrypted) passwords and details about password ageing, and is only accessible by root. Command - cat /etc/shadow

3.1.1.6. /etc/group

3.1.1.6.1. The group file lists the groups and their members. To view the details, type: Command - cat /etc/group

3.1.1.7. /etc/sudoers

3.1.1.7.1. To view the sudo privileges granted to users and groups, view the /etc/sudoers file. Command - cat /etc/sudoers
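
As an added example (not part of the original mind map), this Python script reads /etc/passwd content and performs the checks the account section above describes by hand: it lists every UID 0 account (by parsing the UID field exactly, unlike ‘grep :0:’, which also matches a GID of 0), reports UIDs shared by more than one account, and reports system accounts that have an interactive login shell. The passwd lines, the user names and the list of non-login shells are constructed for illustration.

```python
"""Parse /etc/passwd and report account anomalies an incident responder
looks for: extra UID 0 accounts, shared UIDs, and system accounts that
have an interactive login shell."""

# Constructed sample of /etc/passwd (not from a real host). The 'backup2'
# and 'www-data' lines are deliberately anomalous.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sshd:x:108:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
backup2:x:0:0:backup:/tmp:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/bash
"""

# Shells that do not permit an interactive login (assumed list).
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def parse_passwd(text):
    """Return one dict per passwd entry; lines without seven fields are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def uid_zero_accounts(entries):
    """Names of every account whose UID field is exactly 0."""
    return [e["name"] for e in entries if e["uid"] == 0]


def duplicate_uids(entries):
    """Map each UID shared by more than one account to the account names."""
    by_uid = {}
    for e in entries:
        by_uid.setdefault(e["uid"], []).append(e["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def service_accounts_with_shell(entries, uid_min=1000):
    """System accounts (UID below uid_min, excluding root) that can log in
    interactively; a web or daemon account with /bin/bash is worth a look."""
    return [e["name"] for e in entries
            if 0 < e["uid"] < uid_min and e["shell"] not in NOLOGIN_SHELLS]


if __name__ == "__main__":
    accounts = parse_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts:", uid_zero_accounts(accounts))
    print("shared UIDs:", duplicate_uids(accounts))
    print("system accounts with a login shell:", service_accounts_with_shell(accounts))
```

The uid_min threshold of 1000 matches the default boundary between system and regular accounts on most Linux distributions; adjust it if the host's login.defs sets a different UID_MIN.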

3.2. Log Entries

3.2.1. Lastlog

3.2.1.1. To view a report of the most recent login of a particular user or of all users on the Linux system, type: Command - lastlog

3.2.2. Auth.log

3.2.2.1. To identify any suspicious SSH or telnet logins or authentication events on the system, go to the /var/log/ directory and type: Command - tail auth.log

3.2.3. History

3.2.3.1. To view the history of commands that the user has typed, pipe ‘history’ through less, or pass the number of most recent commands you want to see. To view the history, type: Command - history | less
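
As an added example (not part of the original mind map), this Python script turns auth.log lines into events and summarises them the way a responder reading ‘tail auth.log’ would: failed SSH password attempts counted per source address, sources that cross a failure threshold, accepted logins with their authentication method, and commands run through sudo. The log excerpt, host name, user names and addresses (documentation ranges) are constructed for illustration; the line formats follow the traditional syslog layout that OpenSSH and sudo write.

```python
"""Summarise SSH and sudo events from an auth.log excerpt."""

import re
from collections import Counter

# Constructed auth.log excerpt (syslog format); host name, users and
# addresses are made up, using documentation address ranges.
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:12:04 host sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Mar  3 10:12:09 host sshd[2240]: Failed password for root from 203.0.113.7 port 51130 ssh2
Mar  3 10:13:40 host sshd[2251]: Accepted password for alice from 192.0.2.15 port 40022 ssh2
Mar  3 10:14:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/less /var/log/auth.log
Mar  3 10:20:17 host sshd[2302]: Accepted publickey for bob from 198.51.100.9 port 52000 ssh2: RSA SHA256:constructed
Mar  3 10:21:00 host sshd[2310]: Failed password for bob from 198.51.100.9 port 52010 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")


def parse_auth_log(text):
    """Turn each recognised line into an event dict; other lines are ignored."""
    events = []
    for line in text.splitlines():
        stamp = line[:15]  # 'Mar  3 10:12:01' in the traditional syslog format
        m = FAILED_RE.search(line)
        if m:
            events.append({"time": stamp, "kind": "failed", "user": m.group(1), "ip": m.group(2)})
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append({"time": stamp, "kind": "accepted", "method": m.group(1),
                           "user": m.group(2), "ip": m.group(3)})
            continue
        m = SUDO_RE.search(line)
        if m:
            events.append({"time": stamp, "kind": "sudo", "user": m.group(1), "command": m.group(2)})
    return events


def failed_logins_by_ip(events):
    """Counter of failed SSH password attempts keyed by source address."""
    return Counter(e["ip"] for e in events if e["kind"] == "failed")


def brute_force_sources(events, threshold=3):
    """Source addresses with at least `threshold` failures, sorted."""
    return sorted(ip for ip, n in failed_logins_by_ip(events).items() if n >= threshold)


def accepted_logins(events):
    """(user, source address, method) for every successful SSH login."""
    return [(e["user"], e["ip"], e["method"]) for e in events if e["kind"] == "accepted"]


def sudo_commands(events):
    """(user, command) for every command run through sudo."""
    return [(e["user"], e["command"]) for e in events if e["kind"] == "sudo"]


if __name__ == "__main__":
    events = parse_auth_log(SAMPLE_AUTH_LOG)
    print("failures per source:", dict(failed_logins_by_ip(events)))
    print("sources over threshold:", brute_force_sources(events))
    print("accepted logins:", accepted_logins(events))
    print("sudo commands:", sudo_commands(events))
```

A successful login from an address that also appears in the failure counter is the combination worth chasing first; in the sample, 198.51.100.9 has one failure and one accepted key-based login for bob, while 203.0.113.7 fails repeatedly and never succeeds.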

3.3. System Resources

3.3.1. System resources can tell you a lot: system logging information, uptime, memory space and utilisation, etc.

3.3.1.1. Uptime

3.3.1.1.1. To see how long the Linux system (or server) has been running, the current time, how many users are currently logged on and the load averages of the system, type: Command - uptime

3.3.1.2. free

3.3.1.2.1. To view memory utilisation in Linux, the used physical and swap memory, as well as the buffers used by the kernel, type: Command - free

3.3.1.3. /proc/meminfo

3.3.1.3.1. As an incident responder, to check detailed information about the RAM, the available memory, buffers and swap on the system, type: Command - cat /proc/meminfo

3.3.1.4. /proc/mounts

3.3.1.4.1. As an incident responder, it is your responsibility to check whether there is an unknown mount on your system. To list the mounts present, type: Command - cat /proc/mounts

3.4. Processes

3.4.1. As an incident responder, you should always be curious when looking through the output generated by your system. That curiosity should compel you to review the programs that are currently running, whether they need to run and should be running, their CPU usage, etc.

3.4.1.1. top

3.4.1.1.1. To get a dynamic, real-time view of all processes running on the Linux system, with a summary of system information and the list of processes and threads managed by the kernel with their IDs, use: Command - top

3.4.1.2. ps aux

3.4.1.2.1. To see the process status of your Linux system, the currently running processes and their PIDs, and to identify abnormal processes that could indicate malicious activity, use: Command - ps aux

3.4.1.3. PID

3.4.1.3.1. To display more details (such as open files) on a particular process, use: Command - lsof -p [pid]

3.5. Services

3.5.1. The services in a Linux system can be classified into system and network services. System services include the status of services, cron, etc., and network services include file transfer, domain name resolution, firewalls, etc. As an incident responder, you should identify whether there is an anomaly in the services.

3.5.1.1. Service

3.5.1.1.1. To find any abnormally running services, use: Command - service --status-all

3.5.1.2. /etc/crontab

3.5.1.2.1. The incident responder should look for suspicious scheduled tasks and jobs. To find the scheduled tasks, use: Command - cat /etc/crontab

3.5.1.3. /etc/resolv.conf

3.5.1.3.1. To resolve DNS configuration issues and to see the list of keywords and values that configure the resolver, use: Command - more /etc/resolv.conf

3.5.1.4. /etc/hosts

3.5.1.4.1. To check the file that maps hostnames or domain names to IP addresses (useful when testing changes to a website or its SSL setup), use: Command - more /etc/hosts

3.5.1.5. iptables

3.5.1.5.1. To check and manage IPv4 packet filtering and NAT on Linux systems, use iptables; for example, to list the current rules: Command - iptables -L -n

3.6. Files

3.6.1. As an incident responder, you should be aware of any abnormal-looking files in your system.

3.6.1.1. Large Files

3.6.1.1.1. To identify overly large files on your system along with their permissions and location, use: Command - find /home/ -type f -size +512k -exec ls -lh {} \;

3.6.1.2. mtime

3.6.1.2.1. As an incident responder, if you want to see anomalous files modified within the last 2 days, use the command: Command - find / -mtime -2 -ls

3.7. Network Settings

3.7.1. As an incident responder, you should keep a keen eye on network activity and settings. It is vital to build an overall picture of the system's network and its health.

3.7.1.1. ifconfig

3.7.1.1.1. To obtain network interface information, you can use various commands, starting with: Command - ifconfig

3.7.1.1.2. To see all the network interfaces, you can use Command - ifconfig -a

3.7.1.2. Open files

3.7.1.2.1. To list all the processes that are listening to ports with their PID, you can use Command - lsof -i

3.7.1.3. netstat

3.7.1.3.1. To display all the listening ports in the network use Command - netstat -nap

3.7.1.4. arp

3.7.1.4.1. To display the system ARP cache, you can type Command - arp -a

3.7.1.5. path

3.7.1.5.1. $PATH holds the list of directories the shell searches for executable files. To check the directories in your path, use: Command - echo $PATH
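
As an added example (not part of the original mind map), this Python script applies the checks a responder does on the output of ‘echo $PATH’: it flags empty entries and ‘.’ (both make the shell search the current directory), other relative entries, directories that do not exist, and existing directories that any user can write to. The PATH string used in the example is constructed for illustration.

```python
"""Check a PATH-style string for entries that let an untrusted directory
supply executables."""

import os
import stat


def world_writable(mode):
    """True if the permission bits allow any user to write (o+w)."""
    return bool(mode & stat.S_IWOTH)


def check_path(path_value, sep=":"):
    """Return (entry, reason) findings for a PATH-style string.

    Entries are checked in order; an empty entry or '.' anywhere in PATH
    means a file in the current directory can shadow a command."""
    findings = []
    for entry in path_value.split(sep):
        if entry == "":
            findings.append((entry, "empty entry, searched as the current directory"))
            continue
        if not os.path.isabs(entry):
            findings.append((entry, "relative entry"))
            continue
        try:
            mode = os.stat(entry).st_mode
        except OSError:
            findings.append((entry, "does not exist"))
            continue
        if stat.S_ISDIR(mode) and world_writable(mode):
            findings.append((entry, "world-writable directory"))
    return findings


if __name__ == "__main__":
    # Constructed PATH value with an empty entry, '.' and a bare 'bin'.
    for entry, reason in check_path("/usr/local/bin:/usr/bin::/home/alice/bin:.:bin"):
        print(f"{entry!r}: {reason}")
```

Because directory existence and permissions are read from the host the script runs on, the world-writable and does-not-exist findings describe the analysis machine; run it on the affected host, or pass it the host's PATH and review those two findings by hand.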

4. Incident Response can be defined as the course of action taken whenever a computer or network security incident occurs. As an incident responder, you should always be aware of what should and should not be present on your systems. Security incidents can be addressed by:
• examining the running processes
• gaining insight into the contents of physical memory
• gathering details on the hostname, IP address, operating system, etc.
• gathering information on system services
• identifying all the known and unknown users logged onto the system
• inspecting network connections, open ports and any network activity
• determining the various files present