Intrusion Discovery Cheat Sheet 2.0 (Windows XP Pro/2003 Server/Vista)


Unusual Processes and Services

Using the GUI, run Task Manager.
Using the command prompt:
     c:\ tasklist
     c:\ wmic process list full
Also look for unusual Services.
Using the GUI:
Using the Command Prompt:
     c:\ net start
     c:\ sc query
For a list of services associated with each process:
     c:\ tasklist /svc
Unusual Files and Registry Keys

Check the file space usage to look for sudden major decreases in free space, using the GUI (right-click on partition), or type:
     c:\ dir c:\
Look for unusually big files: Start->Search->For Files or Folders…Search Options->Size->at least 10000KB
Look for strange programs referred to in registry keys associated with system start up:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx
Note you should also check the HKCU counterparts (replace HKLM with HKCU above).

Using the GUI:
     c:\ regedit

Using the command prompt:
     c:\ reg query <reg key>
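A triage helper for the Run keys listed above, added here as an example and not part of the original cheat sheet: it parses captured `reg query` output for the HKLM and HKCU Run keys and flags any autostart whose executable lives outside the directories where installed software normally sits. The sample output, the trusted-directory list and the environment-variable table are constructed for the example and should be tuned to the machine being reviewed.

```python
import re

# Directories where legitimately installed autostart programs normally live
# (assumption for the example: tune per environment).
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Minimal expansion of variables seen in REG_EXPAND_SZ data (constructed values).
ENV = {
    "%windir%": r"C:\Windows",
    "%systemroot%": r"C:\Windows",
    "%programfiles%": r"C:\Program Files",
}

KEY_LINE = re.compile(r"^HK(?:EY_)?[A-Z_]+\\", re.IGNORECASE)
# reg query separates value name, type and data with runs of spaces.
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# Constructed sample: what "reg query HKLM\...\Run" and the HKCU counterpart might print.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    svchost    REG_SZ    C:\Users\Public\svchost.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Local\Temp\update.exe
"""


def expand_env(s):
    """Replace the known %VAR% tokens, case-insensitively."""
    for var, val in ENV.items():
        s = re.sub(re.escape(var), lambda m, v=val: v, s, flags=re.IGNORECASE)
    return s


def image_path(data):
    """Extract the executable path from a Run value's command line."""
    data = expand_env(data.strip())
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    # Unquoted: take everything up to the first ".exe", else the first token.
    m = re.match(r"(.+?\.exe)(?:\s|$)", data, re.IGNORECASE)
    if m:
        return m.group(1)
    return data.split()[0] if data.split() else data


def parse_reg_query(text):
    """Return one dict per value, remembering which key it was found under."""
    entries, key = [], None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            entries.append({"key": key, "name": m.group("name"),
                            "type": m.group("type"), "data": m.group("data")})
    return entries


def flag_autostarts(entries):
    """Flag autostarts outside trusted directories. Bare names (no directory)
    are flagged too, since they depend on PATH lookup."""
    flagged = []
    for e in entries:
        path = image_path(e["data"]).lower()
        if not path.startswith(TRUSTED_PREFIXES):
            flagged.append((e["key"], e["name"], path))
    return flagged


if __name__ == "__main__":
    for key, name, path in flag_autostarts(parse_reg_query(SAMPLE)):
        print(f"REVIEW  {key}\\{name} -> {path}")
```

On a live system, pipe `reg query <key>` output into `parse_reg_query`; entries under user-writable locations such as `C:\Users\Public` or a `Temp` directory are the ones to examine first, and a value name mimicking a Windows binary (`svchost` here) deserves extra attention.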

Unusual Network Usage

Look at file shares, and make sure each has a defined business purpose:

     c:\ net view \\127.0.0.1
Look at who has an open session with the machine:
     c:\ net session
Look at which sessions this machine has opened with other systems:
     c:\ net use
Look at NetBIOS over TCP/IP activity:
     c:\ nbtstat -S
Look for unusual listening TCP and UDP ports:
     c:\ netstat -na
For continuously updated and scrolling output of this command every 5 seconds:
     c:\ netstat -na 5
The -o flag shows the owning process id:
     c:\ netstat -nao 5
The -b flag shows the executable name and the DLLs loaded for the network connection:
     c:\ netstat -naob 5
Note the -b flag uses excessive CPU resources.
Again, you need to understand normal port usage for the system and look for deviations.
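The baseline comparison the sentence above calls for, as an added example that is not part of the original cheat sheet: it parses captured `netstat -nao` output, keeps only listening sockets, compares them against a known-good list of (protocol, port) pairs, and joins the owning PID to the image name from captured `tasklist` output. The netstat and tasklist text, the baseline set and the port numbers are all constructed for the example.

```python
# Known-good listeners for this host (assumption: build from a clean baseline).
BASELINE = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 123)}

# Constructed sample of "netstat -nao" output.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:7777           0.0.0.0:0              LISTENING       3316
  TCP    10.0.0.5:49731         10.0.0.9:445           ESTABLISHED     4
  TCP    [::]:135               [::]:0                 LISTENING       872
  UDP    0.0.0.0:123            *:*                                    1044
  UDP    0.0.0.0:5353           *:*                                    2210
"""

# Constructed sample of "tasklist" output, used to name the owning process.
TASKLIST_SAMPLE = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        236 K
svchost.exe                    872 Services                   0     10,432 K
svchost.exe                   1044 Services                   0      6,120 K
svchost.exe                   1204 Services                   0      8,904 K
mdnsresponder.exe             2210 Services                   0      3,012 K
helper.exe                    3316 Console                    1      1,876 K
"""


def parse_netstat(text):
    """One dict per socket line. UDP lines have no State column, so the PID is
    always taken from the last field."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if proto == "TCP" else ""
        sockets.append({"proto": proto, "local": local,
                        "port": int(local.rsplit(":", 1)[1]),
                        "state": state, "pid": int(parts[-1])})
    return sockets


def parse_tasklist(text):
    """Map PID -> image name from tasklist output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[1].isdigit():
            procs[int(parts[1])] = parts[0]
    return procs


def listeners(sockets):
    """(proto, port) -> pid for listening TCP sockets and all bound UDP sockets."""
    return {(s["proto"], s["port"]): s["pid"] for s in sockets
            if s["proto"] == "UDP" or s["state"] == "LISTENING"}


def compare_to_baseline(sockets, baseline=BASELINE):
    """Return (unexpected listeners, baseline listeners that are missing)."""
    current = listeners(sockets)
    unexpected = sorted((p, port, pid) for (p, port), pid in current.items()
                        if (p, port) not in baseline)
    missing = sorted(baseline - set(current))
    return unexpected, missing


def annotate(unexpected, procs):
    """Attach the image name for each unexpected listener's PID."""
    return [(p, port, pid, procs.get(pid, "<unknown>")) for p, port, pid in unexpected]


if __name__ == "__main__":
    socks = parse_netstat(NETSTAT_SAMPLE)
    unexpected, missing = compare_to_baseline(socks)
    for proto, port, pid, image in annotate(unexpected, parse_tasklist(TASKLIST_SAMPLE)):
        print(f"UNEXPECTED {proto}/{port} pid={pid} image={image}")
    for proto, port in missing:
        print(f"MISSING    {proto}/{port} (expected listener is gone)")
```

Missing baseline listeners are reported as well as new ones, because a service that should be listening and is not (for example a stopped security agent) is itself a deviation from normal.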
Also check Windows Firewall configuration:
     c:\ netsh firewall show config

Look for unusual scheduled tasks, especially those that run as a user in the Administrators group, as SYSTEM, or with a blank user name.
Using the GUI, run Task Scheduler:
Start->Programs->Accessories->System Tools->Scheduled Tasks
Using the command prompt:
     c:\ schtasks
Check other autostart items as well for unexpected entries, remembering to check user autostart directories and registry keys.
Using the GUI, run msconfig and look at the Startup tab:
     Start->Run, msconfig.exe
Using the command prompt:
     c:\ wmic startup list full
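A review helper for the scheduled-task criteria above (tasks running as SYSTEM, as a member of the Administrators group, or with a blank user name), added here as an example and not part of the original cheat sheet. It reads the CSV form of `schtasks /query /fo CSV /v` and uses only the `TaskName`, `Task To Run` and `Run As User` columns; the sample rows, the Administrators membership (as you would read it from `net localgroup administrators`) and the ignored task-name prefix are constructed assumptions.

```python
import csv
import io

# Members of the local Administrators group (assumption: fill from "net localgroup administrators").
ADMIN_MEMBERS = {"administrator", "corp\\alice"}
SYSTEM_NAMES = {"system", "nt authority\\system"}
# Task-name prefixes to leave out of the first pass (assumption: vendor tasks reviewed separately).
IGNORE_PREFIXES = ("\\microsoft\\",)

# Constructed sample in the shape of "schtasks /query /fo CSV /v", reduced to a few columns.
SAMPLE = r'''
"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type"
"WKS01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c","SYSTEM","Weekly"
"WKS01","\GoogleUpdateTaskMachineUA","Ready","","C:\Program Files\Google\Update\GoogleUpdate.exe /ua","SYSTEM","Daily"
"WKS01","\Backup Cleanup","Ready","CORP\bob","C:\Users\bob\cleanup.bat","CORP\alice","Daily"
"WKS01","\At1","Ready","","C:\Windows\Temp\svc.exe","","Once"
"WKS01","\Nightly Report","Ready","CORP\bob","C:\Reports\run.bat","CORP\bob","Daily"
'''


def parse_schtasks_csv(text):
    """Parse the CSV into dicts, dropping repeated header rows (some Windows
    versions print the header again before every task)."""
    rows = csv.DictReader(io.StringIO(text.strip()))
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def privilege_reason(run_as):
    """Why this task's identity deserves review, or None."""
    u = run_as.strip().lower()
    if u == "":
        return "blank user name"
    if u in SYSTEM_NAMES:
        return "runs as SYSTEM"
    if u in ADMIN_MEMBERS:
        return "runs as Administrators member"
    return None


def review_tasks(rows, ignore_prefixes=IGNORE_PREFIXES):
    """Return (task name, command, reason) for each task to look at."""
    out = []
    for r in rows:
        name = r["TaskName"]
        if name.lower().startswith(ignore_prefixes):
            continue
        reason = privilege_reason(r.get("Run As User", ""))
        if reason:
            out.append((name, r["Task To Run"], reason))
    return out


if __name__ == "__main__":
    for name, cmd, reason in review_tasks(parse_schtasks_csv(SAMPLE)):
        print(f"REVIEW  {name:<32} {reason:<30} {cmd}")
```

The blank-user task pointing at an executable in a `Temp` directory is the kind of entry the cheat sheet is warning about; the SYSTEM-level vendor task is listed as well so that its command line can be checked, not because it is necessarily bad.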
Unusual Accounts

Look for new, unexpected accounts in the Administrators group:
     c:\ lusrmgr.msc
Click on Groups, Double Click on Administrators, then check members of the group.
This can also be done at the command prompt:
     c:\ net user
     c:\ net localgroup administrators
Unusual Log Entries

Check your logs for suspicious events, such as:
  • “Event log service was stopped.”
  • “Windows File Protection is not active on this system.”
  • “The protected System file [file name] was not restored to its original, valid version because the Windows File Protection…”
  • “The MS Telnet Service has started successfully.”
To do this using the GUI, run the Windows event viewer:

     c:\ eventvwr.msc

Using the Command Prompt:

     c:\ eventquery.vbs | more

Or, to focus on a particular event log:

     c:\ eventquery.vbs /L security

Other Unusual Items

Look for unusually sluggish performance and a single unusual process hogging the CPU: Task Manager->Process and Performance tabs

Look for unusual system crashes, beyond the normal level for the given system.

Additional Supporting Tools

The following tools are not built into the Windows operating system but can be used to analyze security issues in more detail. Each is available for free download at the listed web site.

Tools for mapping listening TCP/UDP ports to the program listening on those ports:

     Fport – command-line tool at www.foundstone.com
     TCPView – GUI tool at www.microsoft.com/technet/sysinternals
Additional Process Analysis Tools:
The Center for Internet Security has released various Windows security templates and security scoring tools for free at www.cisecurity.org.