Let’s find the ghost in windows laptop without tools!

Cyber security + Global news | Arun R M | 12th July 2021


User Management Activity


Run the command below in PowerShell with elevated privileges.

Get-WinEvent -FilterHashtable @{LogName="Security";ID=4720,4722,4724,4738,4732,1102}

The command above will help you understand user management activity.

System Activity


Run the command below in PowerShell with elevated privileges.

Get-WinEvent -FilterHashtable @{LogName="System";ID=7030,7045,1056,1000,100001,10100,20001,20003,24576,24577,24579}
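As an added example (not part of the original post), the PowerShell below runs the same Security query as the user-management section plus the System log's 7045 events for the last seven days, attaches a short label to the event IDs whose meaning is well known, and pulls the account and service names out of each event's XML so the triage view shows who changed which account or installed which service. The `$Labels` text, the seven-day window and the `Get-TriageEvents` function name are my own choices; the remaining System IDs listed above are left unlabelled.

```powershell
# Added example: label the event IDs used in this post and extract the actors/targets.
$Labels = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4724 = 'Password reset attempted'
    4738 = 'User account changed'
    4732 = 'Member added to local security group'
    1102 = 'Audit log cleared'
    7045 = 'New service installed'
}

function Get-TriageEvents {
    param(
        [Parameter(Mandatory)] [string]$LogName,
        [Parameter(Mandatory)] [int[]]$Id,
        [int]$Days = 7                      # assumed window; widen for older incidents
    )
    $filter = @{ LogName = $LogName; ID = $Id; StartTime = (Get-Date).AddDays(-$Days) }
    # SilentlyContinue hides the "no events found" error Get-WinEvent raises on an empty match.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        # EventData/Data elements carry the named fields (SubjectUserName, ServiceName, ...).
        foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $data[$d.Name] = $d.'#text' } }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Label   = $Labels[$_.Id]
            Subject = $data['SubjectUserName']                     # who performed the action
            Target  = if ($data['TargetUserName']) { $data['TargetUserName'] }
                      elseif ($data['ServiceName']) { $data['ServiceName'] } else { $null }
            Detail  = if ($data['ImagePath']) { $data['ImagePath'] }   # binary behind a new service
                      elseif ($data['MemberSid']) { $data['MemberSid'] } else { $null }
        }
    }
}

# Security: the user-management IDs from the post. System: service installs (7045).
$events = @(Get-TriageEvents -LogName Security -Id 4720,4722,4724,4738,4732,1102) +
          @(Get-TriageEvents -LogName System   -Id 7045)
$events | Sort-Object Time | Format-Table Time, Id, Label, Subject, Target, Detail -AutoSize

# Counts per ID give a quick baseline; a burst of 4720 or a 1102 on a laptop deserves a closer look.
$events | Group-Object Id | Select-Object Name, Count | Sort-Object Count -Descending
```

Event 1102 stores its fields under UserData rather than EventData, so its Subject and Target columns stay empty; the timestamp alone is the finding there.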

Detailed information on the Windows system:


REM ############-THIS IS CYNORSENSE-############
REM # Please save this file as cynorsense.bat  #
REM # Run it as administrator from cmd.exe     #
REM #############################################
REM The original listed cmd.exe here; inside a batch file that would start a nested
REM interactive shell and block, so open an elevated cmd.exe and run this file from it.
net user
net localgroup administrators
net start
net view
net view \\127.0.0.1\
nbtstat -S
netstat -abno
tasklist /svc
tasklist /m
netsh firewall show config
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all | findstr Shell
netsh advfirewall firewall show rule name=all | findstr rdp
netsh advfirewall firewall show rule name=all | findstr remote
netsh advfirewall firewall show rule name=all | findstr shell
wmic process get name,parentprocessid,processid,CreationDate,ExecutablePath
wmic process get commandline | findstr rdp
wmic process get commandline | findstr reg
wmic process get commandline | findstr remote
wmic process get commandline | findstr shell
wmic process get commandline | findstr cmd
wmic process get commandline | findstr admin
wmic process get commandline | findstr lsa
wmic process get commandline | findstr dll
sc query
ipconfig /displaydns
reg query hklm\software\microsoft\windows\currentversion\run
reg query hkcu\software\microsoft\windows\currentversion\run
REM List files larger than 10 MB; inside a batch file the FOR variable is written %%i
FOR /R C:\ %%i in (*) do @if %%~zi gtr 10000000 echo %%i %%~zi
wevtutil qe security /f:text

Now save the lines of commands above as cynorsense.bat and run it as below.

cynorsense.bat >> log_collection.txt

Analyze log_collection.txt for indicators of compromise such as IPs, DNS names, shells, user activity and more. Keep digging through the lines and the machine's posture will emerge.

Now let's list files of some of the known dangerous formats and look for IoCs.

runas /user:administrator cmd.exe
cd c:\
dir /S *.dll,*.sys,*.exe,*.ps1,*.ps2,*.vbs,*.bat /b > C:\filelist.txt

The command above lists every file with these extensions, and we can export the list to our SOC or threat intelligence team to analyze further.

Hope you will find something unusual using the commands above.

We are IR experts in ransomware and deception technology. Catch the hacker in the act.

Written by: Arun R M
