Advertisement
joemccray

Common Incident Response Commands

Jan 29th, 2018
1,155
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 7.91 KB | None | 0 0
  1. Generic Host Info
  2. =================
  3.  
  4. ---------------------------Type This-----------------------------------
  5. hostname
  6.  
  7. ver
  8.  
  9. systeminfo
  10.  
  11. tasklist -svc
  12.  
  13. set
  14. -----------------------------------------------------------------------
  15.  
  16.  
  17. Memory Info
  18. ===========
  19.  
  20. ---------------------------Type This-----------------------------------
  21. mem /d
  22. mem /p
  23. -----------------------------------------------------------------------
  24.  
  25. Directory listing sorted by last accessed time
  26. ==============================================
  27.  
  28. ---------------------------Type This-----------------------------------
  29. dir C:\ /S /OD /TA
  30. dir D:\ /S /OD /TA
  31. dir E:\ /S /OD /TA
  32. dir F:\ /S /OD /TA
  33. dir G:\ /S /OD /TA
  34. -----------------------------------------------------------------------
  35.  
  36.  
  37. Directory listing sorted by created time
  38. ========================================
  39.  
  40. ---------------------------Type This-----------------------------------
  41. dir C:\ /S /OD /TC
  42. dir D:\ /S /OD /TC
  43. dir E:\ /S /OD /TC
  44. dir F:\ /S /OD /TC
  45. dir G:\ /S /OD /TC
  46. -----------------------------------------------------------------------
  47.  
  48. Directory listing sorted by modified time
  49. =========================================
  50.  
  51. ---------------------------Type This-----------------------------------
  52. dir C:\ /S /OD /TW
  53. dir D:\ /S /OD /TW
  54. dir E:\ /S /OD /TW
  55. dir F:\ /S /OD /TW
  56. dir G:\ /S /OD /TW
  57. -----------------------------------------------------------------------
  58.  
  59. Network Info
  60. ============
  61.  
  62. ---------------------------Type This-----------------------------------
  63. netstat -a
  64. arp -a
  65. ipconfig /all
  66. route print
  67. nbtstat -c
  68. nbtstat -n
  69. nbtstat -s
  70. -----------------------------------------------------------------------
  71.  
  72. net commands
  73. ============
  74.  
  75. ---------------------------Type This-----------------------------------
  76. net use
  77. net view
  78. net start
  79. net session
  80. net group
  81. net localgroup
  82. net file
  83. -----------------------------------------------------------------------
  84.  
  85.  
  86. AutoStart Tasks
  87. ===============
  88.  
  89. ---------------------------Type This-----------------------------------
  90. at
  91. schtasks.exe /Query /FO LIST /V
  92. type "%SystemDrive%\autoexec.bat"
  93. type "%SystemRoot%\system.ini"
  94. type "%SystemRoot%\winstart.bat"
  95. type "%SystemRoot%\wininit.ini"
  96. dir "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
  97. dir "%SystemRoot%\Tasks"
  98. dir "%UserProfile%\Start Menu\Programs\Startup"
  99. -----------------------------------------------------------------------
  100.  
  101.  
  102.  
  103. Check for autorun
  104. ==================
  105.  
  106. ---------------------------Type This-----------------------------------
  107. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Run /S
  108. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce /S
  109. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S
  110. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices /S
  111. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S
  112. reg.exe query HKLM\Software\Policies\Microsoft\Windows\System\Scripts /S
  113. reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S
  114. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /S
  115. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /S
  116. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx /S
  117. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices /S
  118. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /S
  119. reg.exe query HKCU\Software\Policies\Microsoft\Windows\System\Scripts /S
  120. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ /S
  121. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /S
  122. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs /S
  123. reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU /S
  124. reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /S
  125. reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ /S
  126. reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ /S
  127. reg.exe query "HKCU\Software\Microsoft\Internet Explorer\TypedURLs" /S
  128. reg.exe query "HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}" /S
  129. -----------------------------------------------------------------------
  130.  
  131.  
  132. Command History
  133. ===============
  134.  
  135. ---------------------------Type This-----------------------------------
  136. doskey.exe /history
  137. -----------------------------------------------------------------------
  138.  
  139.  
  140.  
  141.  
  142.  
  143.  
  144. ##################
  145. # External Tools #
  146. ##################
  147.  
  148. ---------------------------Type This-----------------------------------
  149.  
  150. psinfo.exe -d -s -h http://www.microsoft.com/technet/sysinternals/utilities/PsTools.mspx
  151. uname.exe -a http://unxutils.sourceforge.net
  152. uptime.exe http://support.microsoft.com/kb/q232243/
  153. uptime.exe /a http://support.microsoft.com/kb/q232243/
  154. whoami.exe http://unxutils.sourceforge.net
  155. auditpol.exe
  156. pslist.exe
  157. listdlls.exe
  158. ps.exe -ealW http://www.cygwin.com
  159. pstat.exe http://support.microsoft.com/kb/927229
  160. tlist.exe -v http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
  161. tlist.exe -s http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
  162. cmdline.exe http://www.diamondcs.com.au/index.php?page=console-cmdline
  163. handle.exe -a http://www.microsoft.com/technet/sysinternals/utilities/Handle.mspx
  164. procinterrogate.exe -list http://winfingerprint.com
  165. psservice.exe
  166. sc.exe queryex
  167. servicelist.exe \\127.0.0.1 http://www.pathsolutions.com/support/tools.asp
  168. tasklist.exe /v
  169. tasklist.exe /svc
  170. drivers.exe http://support.microsoft.com/kb/927229
  171. iplist.exe http://www.diamondcs.com.au/index.php?page=console
  172. fport.exe http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/fport.htm
  173. openports.exe -path -fport http://www.diamondcs.com.au/openports/
  174. ipxroute.exe config
  175. hunt.exe http://www.foundstone.com/resources/freetools.htm
  176. promiscdetect.exe http://www.ntsecurity.nu/toolbox/promiscdetect/
  177. psloggedon.exe
  178. netusers.exe /local http://www.systemtools.com/free.htm)
  179. netusers.exe /local /history
  180. ntlast.exe -v -s http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  181. ntlast.exe -v -f http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  182. ntlast.exe -v -r http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  183. ntlast.exe -v -i http://www.foundstone.com/index.htm?subnav=resources/navigation.htm&subcontent=/resources/proddesc/ntlast.htm
  184. dumpel.exe -t -l system -f http://support.microsoft.com/kb/927229
  185. dumpel.exe -t -l application -f
  186. dumpel.exe -t -l security -f
  187. psloglist.exe
  188. psloglist.exe -s system
  189. psloglist.exe -s application
  190. psloglist.exe -s security
  191. ntfsinfo.exe C http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  192. ntfsinfo.exe D http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  193. ntfsinfo.exe E http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  194. ntfsinfo.exe F http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  195. ntfsinfo.exe G http://www.microsoft.com/technet/sysinternals/utilities/NtfsInfo.mspx
  196. psfile.exe
  197. hfind.exe C:\ http://www.foundstone.com/resources/freetools.htm
  198. streams.exe -s C:\ http://www.microsoft.com/technet/sysinternals/utilities/Streams.mspx
  199. sfind.exe C:\ http://www.foundstone.com/resources/freetools.htm
  200. efsinfo.exe /S:C:\ /U /R /C http://support.microsoft.com/kb/927229
  201. freespace.exe http://www.pathsolutions.com/support/tools.asp
  202. autorunsc.exe -a -d -e -s -w http://www.microsoft.com/technet/sysinternals/utilities/Autoruns.mspx
  203. gplist.exe http://www.ntsecurity.nu/toolbox/gplist/
  204. gpresult.exe /v /scope user
  205. -----------------------------------------------------------------------
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement