Intrusion Discovery Cheat Sheet V2.0 Windows XP Pro / 2003 Server / Vista Page 2

Unusual Processes and Services

Look for unusual/unexpected processes, and focus on processes with User Name "SYSTEM" or "Administrator" (or users in the Administrators' group). You need to be familiar with normal processes and services and search for deviations.

Using the GUI, run Task Manager:
C:\> taskmgr.exe

Using the command prompt:
C:\> tasklist
C:\> wmic process list full

Also look for unusual services.

Using the GUI:
C:\> services.msc

Using the command prompt:
C:\> net start
C:\> sc query

For a list of services associated with each process:
C:\> tasklist /svc

Unusual Files and Registry Keys

Check file space usage to look for sudden major decreases in free space, using the GUI (right-click on partition), or type:
C:\> dir c:\

Look for unusually big files: Start → Search → For Files or Folders…
Search Options → Size → At Least 10000KB

Look for strange programs referred to in registry keys associated with system start up:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx

Note that you should also check the HKCU counterparts (replace HKLM with HKCU above).

Using the GUI:
C:\> regedit

Using the command prompt:
C:\> reg query <reg key>

Unusual Scheduled Tasks

Look for unusual scheduled tasks, especially those that run as a user in the Administrators group, as SYSTEM, or with a blank user name.

Using the GUI, run Task Scheduler:
Start → Programs → Accessories → System Tools → Scheduled Tasks

Using the command prompt:
C:\> schtasks

Check other autostart items as well for unexpected entries, remembering to check user autostart directories and registry keys.

Using the GUI, run msconfig and look at the Startup tab:
Start → Run, msconfig.exe

Using the command prompt:
C:\> wmic startup list full

Unusual Accounts

Look for new, unexpected accounts in the Administrators group:
C:\> lusrmgr.msc

Click on Groups, double click on Administrators, then check members of this group.

This can also be done at the command prompt:
C:\> net user
C:\> net localgroup administrators

Unusual Network Usage

Look at file shares, and make sure each has a defined business purpose:
C:\> net view \\127.0.0.1

Look at who has an open session with the machine:
C:\> net session

Look at which sessions this machine has opened with other systems:
C:\> net use

Look at NetBIOS over TCP/IP activity:
C:\> nbtstat -S

Look for unusual listening TCP and UDP ports:
C:\> netstat -na

For continuously updated and scrolling output of this command every 5 seconds:
C:\> netstat -na 5

The -o flag shows the owning process id:
C:\> netstat -nao 5

The -b flag shows the executable name and the DLLs loaded for the network connection:
C:\> netstat -naob 5

Note that the -b flag uses excessive CPU resources.

Again, you need to understand normal port usage for the system and look for deviations.

Also check Windows Firewall configuration:
C:\> netsh firewall show config
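An added example, not part of the SANS cheat sheet: a small Python script that applies the baseline-versus-deviation advice from the network section to `netstat -nao` output, reporting bound listeners whose (protocol, port) pair is absent from a known-good baseline. The sample output and the baseline set are constructed for illustration; on a real host, feed in the command's actual output.

```python
import re

# Constructed sample of `netstat -nao` output; not captured from a real host.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1228
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:49211     203.0.113.5:443        ESTABLISHED     2044
  UDP    0.0.0.0:123            *:*                                    1040
  UDP    0.0.0.0:31337          *:*                                    2044
"""

# Constructed baseline of (protocol, port) pairs this host is expected to serve;
# build the real one from a known-good snapshot of the same command.
BASELINE = {("TCP", 135), ("TCP", 139), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}


def parse_listeners(netstat_output):
    """Return (proto, port, pid) for every bound listener in the output.

    TCP rows carry a State column and count only when LISTENING; UDP rows have
    no State (any bound UDP socket is a listener), so the PID is the last field."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local, pid = fields[0], fields[1], int(fields[-1])
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        port = int(re.search(r":(\d+)$", local).group(1))  # also handles [::]:135
        listeners.append((proto, port, pid))
    return listeners


def unexpected_listeners(netstat_output, baseline=BASELINE):
    """Listeners absent from the baseline, sorted by protocol then port."""
    found = parse_listeners(netstat_output)
    return sorted({entry for entry in found if (entry[0], entry[1]) not in baseline})


if __name__ == "__main__":
    for proto, port, pid in unexpected_listeners(SAMPLE_NETSTAT):
        # Resolve each PID with: tasklist /svc /fi "PID eq <pid>"
        print(f"unexpected {proto} listener on port {port}, owning PID {pid}")
```

On the sample above this reports TCP 4444 and UDP 31337, both owned by PID 2044, which is the process to pull up with tasklist /svc next.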
