API tools faq
paste
Advertisement
joemccray

Common Incident Response Commands

joemccray
Jan 29th, 2018
1,145
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.91 KB | None | 0 0
raw download clone embed print report
  1. Generic Host Info
  2. =================
  3.  
  4. ---------------------------Type This-----------------------------------
  5. hostname
  6.  
  7. ver
  8.  
  9. systeminfo
  10.  
  11. tasklist -svc
  12.  
  13. set
  14. -----------------------------------------------------------------------
  15.  
  16.  
  17. Memory Info
  18. ===========
  19.  
  20. ---------------------------Type This-----------------------------------
  21. mem /d
  22. mem /p
  23. -----------------------------------------------------------------------
  24.  
  25. Directory listing sorted by last accessed time
  26. ==============================================
  27.  
  28. ---------------------------Type This-----------------------------------
  29. dir C:\ /S /OD /TA
  30. dir D:\ /S /OD /TA
  31. dir E:\ /S /OD /TA
  32. dir F:\ /S /OD /TA
  33. dir G:\ /S /OD /TA
  34. -----------------------------------------------------------------------
  35.  
  36.  
  37. Directory listing sorted by created time
  38. ========================================
  39.  
  40. ---------------------------Type This-----------------------------------
  41. dir C:\ /S /OD /TC
  42. dir D:\ /S /OD /TC
  43. dir E:\ /S /OD /TC
  44. dir F:\ /S /OD /TC
  45. dir G:\ /S /OD /TC
  46. -----------------------------------------------------------------------
  47.  
  48. Directory listing sorted by modified time
  49. =========================================
  50.  
  51. ---------------------------Type This-----------------------------------
  52. dir C:\ /S /OD /TW
  53. dir D:\ /S /OD /TW
  54. dir E:\ /S /OD /TW
  55. dir F:\ /S /OD /TW
  56. dir G:\ /S /OD /TW
  57. -----------------------------------------------------------------------
  58.  
  59. Network Info
  60. ============
  61.  
  62. ---------------------------Type This-----------------------------------
  63. netstat -a
  64. arp -a
  65. ipconfig /all
  66. route print
  67. nbtstat -c
  68. nbtstat -n
  69. nbtstat -s
  70. -----------------------------------------------------------------------
  71.  
  72. net commands
  73. ============
  74.  
  75. ---------------------------Type This-----------------------------------
  76. net use
  77. net view
  78. net start
  79. net session
  80. net group
  81. net localgroup
  82. net file
  83. -----------------------------------------------------------------------
  84.  
  85.  
  86. AutoStart Tasks
  87. ===============
  88.  
  89. ---------------------------Type This-----------------------------------
  90. at
  91. schtasks.exe /Query /FO LIST /V
  92. type "%SystemDrive%\autoexec.bat"
  93. type "%SystemRoot%\system.ini"
  94. type "%SystemRoot%\winstart.bat"
  95. type "%SystemRoot%\wininit.ini"
  96. dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
  97. dir "%SystemRoot%\Tasks"
  98. dir "%UserProfile%\Start Menu\Programs\Startup"
  99. -----------------------------------------------------------------------
  100.  
  101.  
  102.  
  103. Check for autorun
  104. ==================
  105.  
  106. ---------------------------Type This-----------------------------------
  107. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S
  108. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /S
  109. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S
  110. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /S
  111. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S
  112. reg.exe query HKLM\Software\Policies\Microsoft\Windows\System\Scripts /S
  113. reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S
  114. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S
  115. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /S
  116. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S
  117. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /S
  118. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S
  119. reg.exe query HKCU\Software\Policies\Microsoft\Windows\System\Scripts /S
  120. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S
  121. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /S
  122. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs /S
  123. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /S
  124. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S
  125. reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ /S
  126. reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ /S
  127. reg.exe query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S
  128. reg.exe query "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}" /S
  129. -----------------------------------------------------------------------
  130.  
  131.  
  132. Command History
  133. ===============
  134.  
  135. ---------------------------Type This-----------------------------------
  136. doskey.exe /history
  137. -----------------------------------------------------------------------
  138.  
  139.  
  140.  
  141.  
  142.  
  143.  
  144. ##################
  145. # External Tools #
  146. ##################
  147.  
  148. ---------------------------Type This-----------------------------------
  149.  
  150. psinfo.exe -d -s -h http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx
  151. uname.exe -a http://unxutils.sourceforge.net
  152. uptime.exe http://support.microsoft.com/kb/q232243/
  153. uptime.exe /a http://support.microsoft.com/kb/q232243/
  154. whoami.exe http://unxutils.sourceforge.net
  155. auditpol.exe
  156. pslist.exe
  157. listdlls.exe
  158. ps.exe -ealW http://www.cygwin.com
  159. pstat.exe http://support.microsoft.com/kb/927229
  160. tlist.exe -v http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
  161. tlist.exe -s http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
  162. cmdline.exe http://www.diamondcs.com.au/index.php?page=console-cmdline
  163. handle.exe -a http://www.microsoft.com/technet/sysinternals/utilities/Handle.mspx
  164. procinterrogate.exe -list http://winfingerprint.com
  165. psservice.exe
  166. sc.exe queryex
  167. servicelist.exe \\127.0.0.1 http://www.pathsolutions.com/support/tools.asp
  168. tasklist.exe /v
  169. tasklist.exe /svc
  170. drivers.exe http://support.microsoft.com/kb/927229
  171. iplist.exe http://www.diamondcs.com.au/index.php?page=console
  172. fport.exe http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
  173. openports.exe -path -fport http://www.diamondcs.com.au/openports/
  174. ipxroute.exe config
  175. hunt.exe http://www.foundstone.com/resources/freetools.htm
  176. promiscdetect.exe http://www.ntsecurity.nu/toolbox/promiscdetect/
  177. psloggedon.exe
  178. netusers.exe /local http://www.systemtools.com/free.htm)
  179. netusers.exe /local /history
  180. ntlast.exe -v -s http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  181. ntlast.exe -v -f http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  182. ntlast.exe -v -r http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  183. ntlast.exe -v -i http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  184. dumpel.exe -t -l system -f http://support.microsoft.com/kb/927229
  185. dumpel.exe -t -l application -f
  186. dumpel.exe -t -l security -f
  187. psloglist.exe
  188. psloglist.exe -s system
  189. psloglist.exe -s application
  190. psloglist.exe -s security
  191. ntfsinfo.exe C http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  192. ntfsinfo.exe D http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  193. ntfsinfo.exe E http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  194. ntfsinfo.exe F http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  195. ntfsinfo.exe G http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  196. psfile.exe
  197. hfind.exe C:\ http://www.foundstone.com/resources/freetools.htm
  198. streams.exe -s C:\ http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx
  199. sfind.exe C:\ http://www.foundstone.com/resources/freetools.htm
  200. efsinfo.exe /S:C:\ /U /R /C http://support.microsoft.com/kb/927229
  201. freespace.exe http://www.pathsolutions.com/support/tools.asp
  202. autorunsc.exe -a -d -e -s -w http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
  203. gplist.exe http://www.ntsecurity.nu/toolbox/gplist/
  204. gpresult.exe /v /scope user
  205. -----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!