ECIH - commands

System info

systeminfo. exe, PsInfo

volatile info

cat; uname

command history

doskey /history

Netstat all executable files running running processes

netstat -ab

basic info about processes

Pslist. exe

string search

pmdump. exe

chcek service for any malicious programm installed

tasklist; wmic

logged-on users

net sessions; logonsessions

NetBIOs info

nbstat

linux running processes

top; w; ps; pstree

netstat TCP and UDP including ports

netstat -ano

netstat routing table

netstat -r

Ping sweet scan attempts

icmp. type==8; icmp. type==0; tcp. dstport==7; udp. dstport==7

SYN SCAN ATTACK

tcp. flags. syn==1

NULL SCAN

tcp. flags==0x00

TCP XMAS SCAN

tcp. flags==0x029

Browser data Mozilla

C\users\user_name\AppData\local\Mozilla\Firefox\Profiles\XXXdefault\cache: cookies. sqllite, fomhistory. sqllite

Browser data Chrome

C\users\user_name\AppData\local\google\chrome\user data\default\cache: Profile 1(cookies): Default(history)

Browser data Edge

C\users\Admin\AppData\local\microsoft\windows\INetCache:\AC\MsEdge(cookies): History

MSQL server logs

c: programfiles\MSsqlServer\MSsql12...\MSSQL\LOG\EROR LOG: log_n. trc (open with notepad)

function that allows retrival of the active portion of the transaction log file

fn_dblog()

SENDMAIL - log

SENDMAIL - log - /var/log/maillog - most linux. /var/adm/maillog Solaris. /var/log/mail. log Debian/Ubuntu

Microsoft Exchange Email Server Log

Microsoft Exchange Email Server Log -. edb database files,. stm, checkpoint files, temp files

locate access times

access locate times - dir command, ls command

Collecting volatile info: open files

Collecting volatile info: open files - "net file", psFile utility, OpenFiles command

Collecting volatile info: clopboard

Collecting volatile info: clopboard - Free Clopboard Viewer

Collecting volatile info: Service/Driver info

Collecting volatile info: Service/Driver info - tasklist, wmic

Collecting volatile info: logged on users

Collecting volatile info: logged on users - PsLoggedOn, netsessions, LogonSessions

Logged on users PsLoggedOn

Logged on users PsLoggedOn - "-l"-only local logons, "-x"-doesnt display times

Logged on users LogonSessions

Logged on users LogonSessions: "-c"-CSV, "-ct"-prints as tab, "-p"-processes list

Collecting volatile info: DLL and shared libraries

Collecting volatile info: DLL and shared libraries: ListDLL(win) "-r"-relocated "-u"-unsigned DLL, "-r"-DLL version. Ldd/ls(linux)

Nbstat

Nbstat: "-c"-NetBIOS name-to-IP mapping, "-n"-names registered locally, "-r"-names resolved by broadcast and querying, "-s"-current NetBIOS sessions and statuses

netstat listening connections

netstat -a

netstat ethernet statistics - number of bytes, packets

netstat -e

Malware is the most common threat

port monitoring command and tool

port monitoring command and tool - netstat, TCPView

registry monitoring tool

registry monitoring tool - jv16 Power tools 2017

windows service monitoring

windows service monitoring - windows server manager (SrvMan)

startup programs monitoring

startup programs monitoring - Autoruns for Windows

Perform string search tool

Perform string search tool - BinText

identyfing packing/obfuscation methotds tool

identifying packing/obfuscation methotds tool - PEiD

intrusion analysis: covert communication tools:

intrusion analysis: covert communication tools: SSDT View, ReKall, RougeKiller

Detect packet sniffing: MAC flooding

Detect packet sniffing: MAC flooding - from various IP to single with same TTL (malformed packets)

Detect packet sniffing: ARP poisoning

Detect packet sniffing: ARP poisoning - filter: arp. duplicate-address-detected, Xarp tool

Machine generating ... will be most likely running a sniffer

Machine generating REVERSE DNS LOOKUP TRAFFIC will be most likely running a sniffer

check if host has its network card in promiscuos mode

check if host has its network card in promiscuous mode - nmap -script = sniffer-detect [IP]

Detects potentially malicious elements within HTML:

Detects potentially malicious elements within HTML: tags like <FK>,

, <BR>, <DIV> and background-image, <script>, <object>, <applet>, <enabled>

Apache web server logs

Apache web server logs: /var/log/'apache2/access. log - useful with Local File Injection LFI detection

command line tool to locate connected devices

command line tool to locate connected devices: DevCon(windows)

Behavioral analysis:

Behavioral analysis: 1) extract behavioral patterns 2) compare to other users 3) generated clusters based on behav simmilarity 4) build profiles of each group 5) discover outliners of each group