Incident Response Checklist Actions
A "mock" incident response checklist, worked through with WMIC and a few other built-in tools. The idea is to answer each question forensically on a test box now, so I am prepared when a real-world incident occurs (again).
1. Name of System and the Current Time:
C:\>hostname
WIN-xxxxxxxxx7
C:\>whoami
win-xxxxxxxxxx7\my name
C:\>echo %DATE% %TIME%
Fri 01/20/2012 20:52:34.28
C:\>wmic timezone list brief
Bias Caption SettingID
540 (UTC+09:00) Seoul
2. IP Address of the targeted system:
C:\>ipconfig /allcompartments /all
Windows IP Configuration
===============================================================
Network Information for Compartment 1 (ACTIVE)
===============================================================
Host Name . . . . . . . . . . . . : WIN-xxxxxxxxx7
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
Physical Address. . . . . . . . . : 00-00-00-00-00-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 192.168.1.151(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
NetBIOS over Tcpip. . . . . . . . : Enabled
3. Serial number of the system (this is going to be a bit off since I am on a VMware instance):
C:\>wmic csproduct get name
Name
VMware Virtual Platform
C:\>wmic bios get serialnumber
SerialNumber
VMware-00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
4. OS of the targeted system:
C:\>systeminfo | findstr /B /C:"OS Name" /C:"OS Version" - CREDIT
OS Name: Microsoft Windows 7 Ultimate
OS Version: 6.1.7601 Service Pack 1 Build 7601
C:\>ver
Microsoft Windows [Version 6.1.7601]
5. MAC Address of the system NIC:
C:\>wmic nicconfig get description,IPAddress,MACaddress
Description IPAddress MACAddress
Intel(R) PRO/1000 MT Network Connection {"192.168.1.151"} 00:00:00:00:00:00
RAS Async Adapter 00:00:00:00:00:00
Bluetooth Device (Personal Area Network)
----cut out some output----
6. How long has the system been online:
C:\>uptime.exe
\\WIN-xxxxxxxxxx7 has been up for: 0 day(s), 0 hour(s), 34 minute(s), 37 second(s)
(uptime.exe is a Resource Kit download, so it may not be on the box; wmic os get lastbootuptime gives the boot time with built-in tools only.)
7. Date and/or Level of Latest Patch:
C:\>wmic qfe get HotFixID
(or, if you want a bit more detail with install dates, C:\>wmic qfe list)
HotFixID
KB971033
KB2305420
KB2393802
KB2425227
----cut out most of the output----
8. System Hardware:
C:\>wmic computersystem get manufacturer
(On a physical machine this would say "Dell" or whoever built the box.)
Manufacturer
VMware, Inc.
9. Software Installed on the System: I prefer wmic product list because it pulls install dates, with one caveat.
C:\>wmic product list
C:\>reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
The caveat: wmic product (the Win32_Product class) only knows about MSI-installed packages, and enumerating the class makes Windows Installer run a consistency check on every one of them. That is slow and it writes MsiInstaller "reconfigured" events to the Application log of the box you are investigating. The Uninstall key (and, on 64-bit Windows, the copy under HKLM\SOFTWARE\WOW6432Node) is the quieter cross-check and also covers software that did not come from an MSI.
10. Is there Anti-virus installed on the machine? If so, what brand and what are the latest anti-virus dat file updates? Were there any alerts?
I'm going to consider this one partly answered by information we already gathered above, specifically wmic product list and the reg query against the Uninstall key. Beyond that, you can look in the Uninstall Programs list to see what is installed, or glance at the bottom right corner of the box for the "shield" or a vendor logo. The running process list helps too, since some anti-virus vendors have unique process names. The signature-date and alert questions are not answered by install data, though; those need the product's own console or log files, or whatever the product writes to the event log.
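As an added example (mine, not part of the original post), the question of which anti-virus product is registered can be answered without trusting a tray icon: on Vista/7 and later, Security Center exposes registered products through WMI under root\SecurityCenter2 in the AntiVirusProduct class. The script below lists them and checks whether each product's signed executable actually appears in the live process list. productState is a vendor bit field, so it is printed raw rather than interpreted, and the timestamp property is the product's last report to Security Center, not a definition date. Server SKUs have no Security Center, which the script reports instead of failing. It uses Get-WmiObject so it runs on the Windows 7 / PowerShell 2.0 box in the post; on PowerShell 7 swap in Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct.

```powershell
# Added example, not the post's own commands: enumerate anti-virus products registered
# with Security Center and check whether each product's signed executable is running.
function Get-AvStatus {
    $products = Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue
    if (-not $products) {
        # Either nothing is registered, or this is a server SKU (no Security Center at all).
        Write-Output 'No anti-virus product registered with Security Center (or this SKU has no Security Center).'
        return
    }

    # Snapshot the process list once; ExecutablePath is empty for kernel/system pseudo-processes.
    $runningExes = Get-WmiObject Win32_Process |
        Where-Object { $_.ExecutablePath } |
        ForEach-Object { $_.ExecutablePath.ToLower() }

    foreach ($p in $products) {
        $exe = $p.pathToSignedProductExe
        $isRunning = $false
        if ($exe) { $isRunning = $runningExes -contains $exe.ToLower() }

        New-Object PSObject -Property @{
            Product      = $p.displayName
            # Raw vendor bit field; reported as hex so the analyst can compare across hosts.
            ProductState = ('0x{0:X6}' -f [int]$p.productState)
            SignedExe    = $exe
            ExeRunning   = $isRunning
            # Last time the product reported its state to Security Center (WMI datetime string),
            # NOT the signature/definition date.
            LastReport   = $p.timestamp
        }
    }
}

Get-AvStatus | Format-List
```

A product that is registered but whose ExeRunning is False is worth a closer look: either it is a stale registration or something stopped it.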
11. Do you have EFS running on the system?
C:\>cipher /y
EFS certificate thumbprint for computer WIN-xxxxxxxxxx7:
0000 0000 0000 0000 0000 0000 0000 0000 0000 0000
C:\>cipher /s:"New Folder"
Listing C:\New Folder\
New files added to this directory will be encrypted.
E Meh.txt
E Foo.txt
E = Encrypted
(Files flagged E are only readable with the owning user's EFS key, so back up the key and certificate with cipher /x before the user profile or a disk image goes anywhere.)
12. Is there a firewall protecting the system? If so, do you have logs?
C:\>copy %windir%\System32\LogFiles\Firewall\*.log <output_directory>
C:\>netsh firewall show state
C:\>netsh firewall show config
C:\>netsh dump
Try these yourself. Too much information to paste here.
Two notes: pfirewall.log only exists if logging was switched on for the profile (dropped-packet and connection logging are off by default), so an empty Firewall folder is itself the answer to the "logs?" question. And on Windows 7 the netsh firewall context is deprecated; netsh advfirewall show allprofiles and netsh advfirewall firewall show rule name=all give the current profile state and full rule set.
13. Is there any volatile network data?
C:\>route print
===========================================================================
Interface List
10...00 00 00 00 00 00 ......Intel(R) PRO/1000 MT Network Connection
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.143 10
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.1.0 255.255.255.0 On-link 192.168.1.143 266
192.168.1.143 255.255.255.255 On-link 192.168.1.143 266
192.168.1.255 255.255.255.255 On-link 192.168.1.143 266
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.1.143 266
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.1.143 266
===========================================================================
Persistent Routes:
None
------cut more output-------
C:\>arp -A
Interface: 192.168.1.143 --- 0xa
Internet Address Physical Address Type
192.168.1.1 00-00-00-00-00-00 dynamic
192.168.1.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 00-00-00-00-00-00 static
224.0.0.252 00-00-00-00-00-00 static
255.255.255.255 ff-ff-ff-ff-ff-ff static
C:\>netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 392
-----cut out most of the output-----
C:\>net start
These Windows services are started:
Application Information
Background Intelligent Transfer Service
Base Filtering Engine
Bluetooth Support Service
COM+ Event System
-----cut out most of the output-----
C:\>net user
(wmic useraccount list shows the same accounts with their SIDs and the Disabled, Lockout and PasswordRequired flags)
User accounts for \\WIN-xxxxxxxxxx7
---------------------------------------------------------------
Administrator Guest My Name
The command completed successfully.
C:\>net use
New connections will be remembered.
Status Local Remote Network
---------------------------------------------------------------------
Z: \\vmware-host\Shared Folders VMware Shared Folders
The command completed successfully.
C:\>type %windir%\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
C:\>type %windir%\System32\drivers\etc\networks
# For example:
#
# loopback 127
# campus 284.122.107
# london 284.122.108
loopback 127
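The netstat -ano output above only gives a PID per socket; the next thing an analyst wants is the process behind it. As an added example (mine, not from the original post), this script parses netstat -ano and joins each row to Win32_Process so every listener or connection is tied to an image path, parent PID and command line, and flags listeners bound to something other than loopback. It parses netstat text because Get-NetTCPConnection does not exist on Windows 7. The CSV path is an assumption; point it at your evidence drive, not the suspect disk.

```powershell
# Added example, not the post's own commands: map netstat -ano sockets to their owning
# process (name, parent PID, image path, command line) via Win32_Process.
function Get-NetstatWithProcess {
    # Index running processes by PID once so each socket row is a hashtable lookup.
    $procs = @{}
    Get-WmiObject Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    foreach ($line in (netstat -ano)) {
        $f = $line.Trim() -split '\s+'
        # Rows look like:  TCP  0.0.0.0:135  0.0.0.0:0  LISTENING  684   (UDP rows have no State column)
        if ($f[0] -eq 'TCP' -and $f.Count -ge 5)     { $state = $f[3]; $owner = [int]$f[4] }
        elseif ($f[0] -eq 'UDP' -and $f.Count -ge 4) { $state = '';    $owner = [int]$f[3] }
        else { continue }   # header, blank and "Active Connections" lines

        $p = $procs[$owner]
        $name = '<no longer running>'; $parent = $null; $path = $null; $cmd = $null
        if ($p) { $name = $p.Name; $parent = $p.ParentProcessId; $path = $p.ExecutablePath; $cmd = $p.CommandLine }

        # A listener (or UDP socket) bound to anything but loopback is reachable from the network.
        $exposed = ($state -eq 'LISTENING' -or $f[0] -eq 'UDP') -and ($f[1] -notmatch '^(127\.|\[::1\])')

        New-Object PSObject -Property @{
            Proto = $f[0]; Local = $f[1]; Remote = $f[2]; State = $state; OwnerPID = $owner
            Name = $name; ParentPID = $parent; Path = $path; CommandLine = $cmd; Exposed = $exposed
        }
    }
}

# Show exposed listeners and live connections first, then keep the full set for the case file.
$rows = Get-NetstatWithProcess
$rows | Where-Object { $_.Exposed -or $_.State -eq 'ESTABLISHED' } |
    Format-Table Proto, Local, Remote, State, OwnerPID, Name, Path -AutoSize
$rows | Export-Csv -NoTypeInformation -Path 'E:\IR\netstat_with_process.csv'   # assumption: E: is the evidence drive
```

A PID that is "no longer running" by the time WMI is queried is normal for short-lived connections, but a listener whose owner has no image path, or whose parent is something odd like a browser or Office process, is exactly what this join is for.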
14. Are there event logs?
C:\>wmic nteventlog get name
Use this output to decide which logs to grab with the next command.
C:\>copy %windir%\System32\Winevt\Logs\*.evtx <output_directory>
Note that wmic nteventlog only knows the classic logs (Application, Security, System and a few others), while the Winevt\Logs folder also holds the Applications and Services logs. wevtutil el lists all of them, and wevtutil epl <log> <file> exports a consistent copy of a live log, which is safer than copying files the Event Log service has open.
Those were all of the questions on the incident response checklist I found online. My work one is much more detailed, but I don't have permission to release its contents, nor will I get it. I suggest going through the "actionable" items yourself so you're not surprised when an incident DOES occur (not IF).
Other "general questions" to ask in no particular order are:
Point of contact information.
What is the system used for?
What kind of information is stored on this system (Classified, PII, etc.)?
Is it public facing, or is it an internal system?
Is it a server or workstation?
Other Commands and Tools to run to collect information:
wmic process list status
wmic process list memory
wmic job list brief
wmic startup list brief
wmic ntdomain list brief
wmic service list config
handle.exe /accepteula
gplist
listdlls.exe
logonsessions.exe /accepteula
pslist.exe /accepteula
psloggedon.exe /accepteula
tasklist
tcpvcon.exe -a /accepteula
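Typing each of the checklist commands by hand under pressure is where mistakes happen, so, as an added example (mine, not part of the original post), here is a collection script that runs the checklist above and the extra WMIC commands in one go. Volatile data (network, processes, sessions) is captured first, each command's output goes to its own file under a per-host, per-run folder, and a manifest records the SHA-256 of every file with a timestamp so the evidence can later be shown unaltered. Event logs are exported with wevtutil rather than copied. It sticks to PowerShell 2.0 features (no Get-FileHash) so it runs on the Windows 7 box in the post; the E:\IR destination is an assumption, and the Security log export needs an elevated prompt.

```powershell
# Added example, not the post's own script: run the IR checklist commands in a fixed order,
# write each output to its own file, and hash everything into a manifest.
param([string]$Destination = 'E:\IR')   # assumption: evidence volume; change to suit

$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $Destination ('{0}_{1}' -f $env:COMPUTERNAME, $stamp)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Name => cmd.exe command line, in collection order. Volatile data first, slow things later.
$steps = @(
    @{ Name='01_host_time';   Cmd='hostname & whoami & echo %DATE% %TIME% & wmic timezone list brief' },
    @{ Name='02_netstat';     Cmd='netstat -ano' },
    @{ Name='03_arp_route';   Cmd='arp -a & route print' },
    @{ Name='04_processes';   Cmd='wmic process list status & tasklist /v' },
    @{ Name='05_sessions';    Cmd='net use & net user & wmic useraccount list' },
    @{ Name='06_ipconfig';    Cmd='ipconfig /allcompartments /all' },
    @{ Name='07_os_hardware'; Cmd='ver & systeminfo & wmic csproduct get name & wmic bios get serialnumber' },
    @{ Name='08_patches';     Cmd='wmic qfe list' },
    @{ Name='09_software';    Cmd='reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s' },
    @{ Name='10_services';    Cmd='net start & wmic service list config' },
    @{ Name='11_startup';     Cmd='wmic startup list brief & wmic job list brief' },
    @{ Name='12_firewall';    Cmd='netsh advfirewall show allprofiles' },
    @{ Name='13_hosts';       Cmd='type %windir%\System32\drivers\etc\hosts & type %windir%\System32\drivers\etc\networks' }
)

$manifest = Join-Path $outDir 'manifest.txt'
('# collection started {0} (local time), tz bias {1} min' -f (Get-Date), (Get-WmiObject Win32_TimeZone).Bias) |
    Out-File $manifest -Encoding UTF8
$sha = [System.Security.Cryptography.SHA256]::Create()

foreach ($s in $steps) {
    $file = Join-Path $outDir ($s.Name + '.txt')
    # Record the exact command at the top of its own output file, then run it through cmd.exe
    # so %VARS% and the & chaining behave exactly as they do at the prompt. The parentheses
    # make 2>&1 apply to the whole chain so errors land in the record too.
    ('### ' + $s.Cmd) | Out-File $file -Encoding UTF8
    cmd.exe /c ('(' + $s.Cmd + ') 2>&1') | Out-File $file -Append -Encoding UTF8

    $bytes = [System.IO.File]::ReadAllBytes($file)
    $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    ('{0}  {1}  {2}' -f $hash, (Get-Date -Format 'o'), $s.Name) | Out-File $manifest -Append -Encoding UTF8
}

# Event logs: export a consistent copy of each live log instead of copying open .evtx files.
foreach ($log in 'System', 'Security', 'Application') {
    wevtutil epl $log (Join-Path $outDir ($log + '.evtx'))
}
('# collection finished {0}' -f (Get-Date)) | Out-File $manifest -Append -Encoding UTF8
Write-Output "Collected to $outDir; hashes in $manifest"
```

Run it from an elevated PowerShell as `.\collect.ps1 -Destination F:\IR` (or whatever your evidence drive is). The Sysinternals tools in the list above (handle, listdlls, logonsessions, pslist, psloggedon, tcpvcon) slot into $steps the same way once they are on the media, each with its /accepteula switch.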