o taskmgr.exe
o tasklist
o wmic process list full
o services.msc
o net start
o sc query
o tasklist /svc - services hosted by each process
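The process and service checks above, as an added PowerShell example (not part of the original cheat sheet): each service is joined to the process that hosts it, the "tasklist /svc" view, together with the image path and command line that "wmic process list full" would show. It assumes an elevated prompt on a Windows host and uses only built-in CIM classes; the anomaly rules are this example's own assumptions, not rules from the sheet.

```powershell
# Added example, not from the cheat sheet: the "tasklist /svc" view rebuilt in PowerShell with
# each service joined to the process that hosts it, plus the path and command line that
# "wmic process list full" would show. Assumes an elevated prompt on a Windows host; only
# built-in CIM classes are used. The anomaly rules are this example's assumptions.

function Get-ServiceProcessMap {
    # Index processes by PID once so each service lookup is a hashtable hit.
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    Get-CimInstance Win32_Service | ForEach-Object {
        $proc = $null
        if ($_.ProcessId -and $byPid.ContainsKey([int]$_.ProcessId)) { $proc = $byPid[[int]$_.ProcessId] }
        [pscustomobject]@{
            Service     = $_.Name
            State       = $_.State
            StartMode   = $_.StartMode
            PID         = [int]$_.ProcessId
            Image       = if ($proc) { $proc.ExecutablePath } else { $null }
            CommandLine = if ($proc) { $proc.CommandLine } else { $null }
            PathName    = $_.PathName      # what the service control manager was told to launch
        }
    }
}

function Test-ServiceAnomaly {
    # Heuristics for what to read first; they are starting points, not proof of compromise.
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        $reasons = @()
        $sysRoot = [regex]::Escape($env:SystemRoot)
        $launch  = "$($Row.PathName)"
        if ($Row.State -eq 'Running' -and -not $Row.Image) {
            $reasons += 'running, but the host process image is unreadable or the process is gone'
        }
        if ($Row.Image -match '\\svchost\.exe$' -and $Row.Image -notmatch "^$sysRoot\\System32\\svchost\.exe$") {
            $reasons += 'svchost.exe is not the one in System32'
        }
        if ($launch -match '\\(Temp|Users|ProgramData|AppData)\\') {
            $reasons += 'service binary lives under a user-writable location'
        }
        if ($launch -match '(cmd\.exe|powershell|wscript|cscript|rundll32|mshta)') {
            $reasons += 'service launches an interpreter or LOLBin'
        }
        if ($reasons) {
            $Row | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$map = Get-ServiceProcessMap
$map | Sort-Object PID | Format-Table Service, State, PID, Image -AutoSize         # the tasklist /svc view
$map | Test-ServiceAnomaly | Format-List Service, State, PID, PathName, CommandLine, Reason
```

Compare the Image column (what is actually running) with PathName (what the SCM was configured to start): a mismatch, or a service whose PID is 0 while State is Running, is worth pulling the binary for.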
o dir c:\ - look for files larger than 10,000 KB
o HKLM\Software\Microsoft\Windows\CurrentVersion\Run (also RunOnce and RunOnceEx, and the same keys under HKCU)
o reg query <reg key>
o net view \\127.0.0.1 - file shares
o net session - open sessions (inbound connections to this machine)
o net use - sessions with other machines (outbound)
o nbtstat -S - NetBIOS over TCP activity
o netstat -na <seconds> - unusual listening TCP/UDP ports; a trailing number redisplays the listing every that many seconds
o netstat -nao - -o shows the owning process ID
o netstat -naob - -b shows the executable (and the DLLs it loaded) behind each connection; needs an elevated prompt
o netsh firewall show config - firewall configuration (legacy context; on Vista and later use netsh advfirewall show allprofiles)
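The network checks above, as an added PowerShell example (not part of the original cheat sheet): the "netstat -naob" view with each listener tied to its owning PID, image path and command line, compared against a constructed baseline, followed by the "net view" and "net session" equivalents for SMB. It assumes Windows 8/Server 2012 or later (NetTCPIP and SmbShare modules) and an elevated prompt so process paths are readable; the baseline ports and the flagging heuristics are assumptions for illustration.

```powershell
# Added example, not from the cheat sheet: the "netstat -naob" view in PowerShell, each
# listener tied to its owning PID, image path and command line, then compared against a
# constructed baseline, followed by the "net view" and "net session" equivalents for SMB.
# Assumes Windows 8/Server 2012 or later (NetTCPIP and SmbShare modules) and an elevated
# prompt so process paths are readable. Baseline ports and heuristics are assumptions.

# Constructed baseline of ports this host is expected to expose; adjust per server role.
$ExpectedTcp = @(135, 139, 445, 3389, 5985)
$ExpectedUdp = @(123, 137, 138, 500, 4500, 5355)

function Get-Listener {
    $byPid = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    function New-Row($Proto, $Socket) {
        $p = $byPid[[int]$Socket.OwningProcess]
        [pscustomobject]@{
            Proto       = $Proto
            Local       = "$($Socket.LocalAddress):$($Socket.LocalPort)"
            Port        = [int]$Socket.LocalPort
            PID         = [int]$Socket.OwningProcess
            Process     = if ($p) { $p.Name } else { '<exited>' }
            Image       = if ($p) { $p.ExecutablePath } else { $null }
            CommandLine = if ($p) { $p.CommandLine } else { $null }
        }
    }
    foreach ($s in Get-NetTCPConnection -State Listen) { New-Row 'TCP' $s }   # the LISTENING rows of netstat -na
    foreach ($s in Get-NetUDPEndpoint)                 { New-Row 'UDP' $s }   # every bound UDP socket
}

function Test-ListenerAnomaly {
    param([Parameter(ValueFromPipeline)] $Row)
    process {
        $reasons  = @()
        $expected = if ($Row.Proto -eq 'TCP') { $ExpectedTcp } else { $ExpectedUdp }
        # Skip the RPC dynamic range (49152-65535 on Vista and later); it churns by design.
        if ($Row.Port -lt 49152 -and $Row.Port -notin $expected) { $reasons += 'port not in baseline' }
        if ($Row.PID -eq 4) {
            # Kernel-mode listeners (SMB on 445, http.sys) belong to the System process and have no image.
        } elseif (-not $Row.Image) {
            $reasons += 'owner image unreadable (process exited, protected, or prompt not elevated)'
        } elseif ($Row.Image -notmatch "^$([regex]::Escape($env:SystemRoot))\\") {
            $reasons += 'owner binary is outside the Windows directory'
        }
        if ($Row.Process -match '^(powershell|pwsh|cmd|nc|ncat|python|wscript|cscript)') {
            $reasons += 'an interpreter or tool is listening'
        }
        if ($reasons) {
            $Row | Add-Member -NotePropertyName Reason -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

$listeners = Get-Listener
$listeners | Sort-Object Proto, Port | Format-Table Proto, Local, PID, Process, Image -AutoSize
$listeners | Test-ListenerAnomaly | Format-List Proto, Local, PID, Process, Image, CommandLine, Reason

# net view \\127.0.0.1: shares other than the built-in administrative ones
Get-SmbShare | Where-Object { $_.Name -notin @('ADMIN$', 'IPC$') -and $_.Name -notmatch '^[A-Za-z]\$$' } |
    Format-Table Name, Path, Description -AutoSize
# net session: who is connected to this host over SMB right now
Get-SmbSession | Format-Table ClientComputerName, ClientUserName, NumOpens, SecondsIdle -AutoSize
```

Run it without elevation and most Image values come back empty, so the "unreadable" reason fires on everything; that is the same limitation netstat -b has, and the check exists to make it visible rather than silently passing.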
o schtasks
o wmic startup list full
o lusrmgr.msc
o net user
o net localgroup administrators
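The persistence and account checks, as an added PowerShell example (not part of the original cheat sheet): it enumerates the Run, RunOnce and RunOnceEx keys listed earlier, scheduled tasks outside the Microsoft folder, the Win32_StartupCommand entries behind "wmic startup list full", and the local users and Administrators membership behind "net user" and "net localgroup administrators". It assumes an elevated prompt, Windows 8/Server 2012 or later for Get-ScheduledTask, and PowerShell 5.1 or newer for the LocalAccounts cmdlets; the "suspicious path" pattern is an assumption.

```powershell
# Added example, not from the cheat sheet: enumerate the persistence points the sheet lists
# (the Run, RunOnce and RunOnceEx keys, scheduled tasks, "wmic startup list full") and the
# local account picture from "net user" and "net localgroup administrators". Assumes an
# elevated prompt, Windows 8/Server 2012 or later for Get-ScheduledTask, and PowerShell 5.1
# or newer for the LocalAccounts cmdlets. The "suspicious path" pattern is an assumption.

function Get-RunKeyEntry {
    # Run-family keys for the machine and the current user, including the 32-bit view on
    # 64-bit Windows. Other users' HKCU hives are not loaded here; check them separately.
    $keys = foreach ($hive in 'HKLM:', 'HKCU:') {
        foreach ($node in 'Software', 'Software\Wow6432Node') {
            foreach ($leaf in 'Run', 'RunOnce', 'RunOnceEx') {
                "$hive\$node\Microsoft\Windows\CurrentVersion\$leaf"
            }
        }
    }
    foreach ($k in $keys) {
        if (-not (Test-Path -Path $k)) { continue }
        # RunOnceEx keeps its commands in numbered subkeys, so include one level of children.
        $paths = @($k) + @(Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object { $_.PSPath })
        foreach ($path in $paths) {
            $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if (-not $item) { continue }
            foreach ($prop in $item.PSObject.Properties) {
                if ($prop.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }
                [pscustomobject]@{ Key = ($path -replace '^.*::', ''); Name = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

function Get-NonMicrosoftTask {
    # The "schtasks" view narrowed to tasks outside \Microsoft\, with what each one runs.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            [pscustomobject]@{
                Task      = "$($task.TaskPath)$($task.TaskName)"
                State     = $task.State
                RunAs     = $task.Principal.UserId
                Execute   = $a.Execute       # null for COM-handler actions
                Arguments = $a.Arguments
            }
        }
    }
}

# Assumed pattern: user-writable directories and script hosts are where persistence usually hides.
$suspiciousPath = '\\(Temp|Users|ProgramData|AppData)\\|\.(vbs|js|hta|ps1|bat)\b'

"== Run keys =="
Get-RunKeyEntry | Format-Table Key, Name, Command -AutoSize
"== Non-Microsoft scheduled tasks =="
Get-NonMicrosoftTask | Format-Table Task, State, RunAs, Execute, Arguments -AutoSize
"== Startup commands (wmic startup list full) =="
Get-CimInstance Win32_StartupCommand | Format-Table Name, Command, Location, User -AutoSize
"== Entries pointing at user-writable paths or script hosts =="
@(Get-RunKeyEntry | Where-Object { $_.Command -match $suspiciousPath }) +
@(Get-NonMicrosoftTask | Where-Object { "$($_.Execute) $($_.Arguments)" -match $suspiciousPath }) | Format-List
"== Local accounts (net user) =="
Get-LocalUser | Format-Table Name, Enabled, LastLogon, PasswordLastSet -AutoSize
"== Local Administrators (net localgroup administrators) =="
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
```

Win32_StartupCommand also covers the Startup folders, so it complements rather than repeats the registry walk; the two lists together are what "wmic startup list full" shows in one go.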
· "The Event log service was stopped"
· "Windows File Protection is not active"
· "The protected system file <name> was not restored to its original valid version"
· "The MS Telnet service started successfully"
· large number of authentication failures (in the Security log)
· eventvwr.msc
· eventquery.vbs | more
· eventquery.vbs /L security
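The event log indicators above, as an added PowerShell example (not part of the original cheat sheet): it pulls them out with Get-WinEvent, which is what replaces eventquery.vbs on Vista and later. The event IDs are the standard Windows ones for the quoted messages (6006 event log service stopped; 1100/1102 Security log shut down or cleared; 7036/7045 service state change or new service; 4625 failed logon); the time window and failure threshold are assumptions. Reading the Security log needs an elevated prompt.

```powershell
# Added example, not from the cheat sheet: pull the indicators quoted above out of the event
# logs with Get-WinEvent, which replaces eventquery.vbs (XP/2003 only). The event IDs are
# the standard Windows ones for those messages; the time window and failure threshold are
# assumptions. Reading the Security log needs an elevated prompt.

function Get-LogIndicator {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $queries = @(
        # "The Event log service was stopped." (System log, source EventLog, ID 6006)
        @{ Label = 'Event log service stopped';      Filter = @{ LogName = 'System';   Id = 6006;       StartTime = $since } }
        # "The event logging service has shut down." (1100) and "The audit log was cleared." (1102), Vista and later
        @{ Label = 'Security log shut down/cleared'; Filter = @{ LogName = 'Security'; Id = 1100, 1102; StartTime = $since } }
        # Windows File Protection messages (XP/2003 only; later versions use WRP and log nothing here)
        @{ Label = 'Windows File Protection';        Filter = @{ LogName = 'System';   ProviderName = 'Windows File Protection'; StartTime = $since } }
        # Service Control Manager: a service entered the running state (7036) or was installed (7045)
        @{ Label = 'Service started/installed';      Filter = @{ LogName = 'System';   Id = 7036, 7045; StartTime = $since } }
    )
    foreach ($q in $queries) {
        $events = Get-WinEvent -FilterHashtable $q.Filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            # 7036 fires for every service; the sheet's example is Telnet, so keep only that one.
            if ($e.Id -eq 7036 -and $e.Message -notmatch 'Telnet') { continue }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                Id        = $e.Id
                Indicator = $q.Label
                Message   = ($e.Message -split "`r?`n")[0]
            }
        }
    }
}

function Get-FailedLogonSummary {
    # Large numbers of 4625 ("An account failed to log on"), grouped by account, source and logon type.
    param([int]$Hours = 24, [int]$Threshold = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The EventData fields are only reliably available through the event XML.
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Account   = $d['TargetUserName']
                Source    = $d['IpAddress']
                LogonType = $d['LogonType']
                Status    = $d['Status']
            }
        } |
        Group-Object Account, Source, LogonType |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-LogIndicator -Hours 72 | Sort-Object Time | Format-Table -AutoSize
Get-FailedLogonSummary -Hours 24 -Threshold 20 | Format-Table -AutoSize
```

Two caveats: 4625 only appears if failure auditing for logon events is enabled, and on XP/2003 the failed-logon events are 529 through 539 rather than 4625. A 1102 hit (log cleared) is itself the strongest indicator in the list, since it is the one an intruder leaves behind while trying to remove the others.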
·
Active Directory queries
o Dsquery
o dsquery computer - finds computers in the directory.
o dsquery contact - finds contacts in the directory.
o dsquery subnet - finds subnets in the directory.
o dsquery group - finds groups in the directory.
o dsquery ou - finds organizational units in the directory.
o dsquery site - finds sites in the directory.
o dsquery server - finds AD DCs/LDS instances in the directory.
o dsquery user - finds users in the directory.
o dsquery quota - finds quota specifications in the directory.
o dsquery partition - finds partitions in the directory.
o dsquery * - finds any object in the directory by using a generic LDAP query.
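The directory questions dsquery answers during an intrusion review, as an added PowerShell example (not part of the original cheat sheet): recently created users, accounts marked with adminCount, and computers that have not logged on for a long time. It goes through the built-in [adsisearcher] accelerator (System.DirectoryServices) so only a domain-joined PowerShell prompt is needed, no RSAT. Every filter is plain LDAP and works unchanged as `dsquery * -filter "<filter>" -attr <attributes>`; the function names and the day counts are this example's assumptions.

```powershell
# Added example, not from the cheat sheet: the directory questions dsquery answers during an
# intrusion review, asked through the built-in [adsisearcher] accelerator (System.DirectoryServices)
# so only a domain-joined PowerShell prompt is needed, no RSAT. Every filter is plain LDAP and
# works unchanged as: dsquery * -filter "<filter>" -attr <attributes>. Day counts are assumptions.

function Search-Directory {
    param([Parameter(Mandatory)][string]$Filter, [string[]]$Attributes)
    $searcher = [adsisearcher]$Filter     # rooted at the current domain's default naming context
    $searcher.PageSize = 1000             # page through results instead of stopping at the server's size limit
    $searcher.PropertiesToLoad.AddRange($Attributes)
    foreach ($r in $searcher.FindAll()) {
        $o = [ordered]@{}
        foreach ($a in $Attributes) {
            $key = $a.ToLower()           # result property names come back lower-cased
            $v = if ($r.Properties.Contains($key)) { $r.Properties[$key] } else { $null }
            $o[$a] = if ($v.Count -eq 1) { $v[0] } elseif ($v.Count -gt 1) { @($v) } else { $null }
        }
        [pscustomobject]$o
    }
}

function Get-RecentlyCreatedUser {
    # dsquery user has no creation-time switch; the LDAP generalized-time form (yyyyMMddHHmmss.0Z) does it.
    param([int]$Days = 7)
    $since = (Get-Date).ToUniversalTime().AddDays(-$Days).ToString('yyyyMMddHHmmss') + '.0Z'
    Search-Directory -Filter "(&(objectCategory=person)(objectClass=user)(whenCreated>=$since))" `
                     -Attributes sAMAccountName, whenCreated, userAccountControl, distinguishedName |
        Select-Object sAMAccountName, whenCreated, distinguishedName,
            @{ n = 'Disabled'; e = { ([int]$_.userAccountControl -band 0x2) -ne 0 } }
}

function Get-AdminCountAccount {
    # adminCount=1 marks accounts that are, or once were, in a protected group such as Domain Admins.
    Search-Directory -Filter '(&(objectClass=user)(adminCount=1))' `
                     -Attributes sAMAccountName, memberOf, pwdLastSet, distinguishedName |
        Select-Object sAMAccountName, distinguishedName,
            @{ n = 'PwdLastSet'; e = { [DateTime]::FromFileTimeUtc([int64]$_.pwdLastSet) } },
            @{ n = 'Groups';     e = { @($_.memberOf) -join '; ' } }
}

function Get-StaleComputer {
    # dsquery computer -inactive counts in weeks; this uses lastLogonTimestamp (a FILETIME) directly.
    param([int]$Days = 90)
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    Search-Directory -Filter "(&(objectCategory=computer)(lastLogonTimestamp<=$cutoff))" `
                     -Attributes name, operatingSystem, lastLogonTimestamp, dNSHostName |
        Select-Object name, dNSHostName, operatingSystem,
            @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc([int64]$_.lastLogonTimestamp) } }
}

Get-RecentlyCreatedUser -Days 7   | Format-Table -AutoSize
Get-AdminCountAccount             | Format-Table -AutoSize
Get-StaleComputer -Days 90        | Format-Table -AutoSize
```

lastLogonTimestamp is replicated between domain controllers but only updated when it is more than about two weeks stale, so it is fine for a 90-day question and useless for "who logged on yesterday"; for that, query lastLogon on each DC individually. The adminCount query is the fastest way to find an account that was added to Domain Admins and removed again, since the attribute is not cleared automatically.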