Reports
Security Products
*****Security Product*****
Name - <>
Version - <>
Primary registry key/config file - <>
*****End of Report*****
Linux
Name and version of the product
version: read the README file
find / -iname "*psp name*"
version: read the config file in /etc/, the version is usually stated at the top
Primary registry key / config file
/etc
Installation folder
ls /etc/
ls /usr/bin
Directory location of logs
ls -latr /var/log
Timestamp of all log files
ls -latr /var/log
Cloud based?; yes or no
best to google it
Can we read the logs?; yes or no
If Yes, put the most recent 5 lines of logs in your notes
If No, why?
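The Linux half of the Security Product report above can be collected with a single shell function. This is an added example, not part of the original notes: it looks for the config file under /etc, lists the matching logs in /var/log with their timestamps, and prints the most recent 5 lines of the newest one as the notes ask for. The optional root prefix is an assumption added here so the function can be run against a constructed sample tree instead of the live host.

```shell
#!/bin/sh
# Added example, not part of the original notes: collects the Linux fields of the
# "Security Product" report. ROOT is an optional prefix (assumption made here) so
# the function can be exercised against a constructed sample tree.
#
# usage: security_product_report <product name> [root]
# exit status: 0 if a readable log matching the product name was found, 1 otherwise
security_product_report() {
    product="$1"
    root="${2:-}"          # empty prefix = live filesystem (/etc, /var/log)

    echo "*****Security Product*****"
    echo "Name - $product"

    # Primary config file: first regular file under /etc whose path contains the name
    cfg=$(find "$root/etc" -type f -path "*$product*" 2>/dev/null | head -n 1)
    echo "Primary registry key/config file - ${cfg:-<not found>}"

    # Version: the notes say it is usually stated near the top of the config file,
    # so take the first line mentioning "version" and keep what follows the word
    ver=""
    if [ -n "$cfg" ] && [ -r "$cfg" ]; then
        ver=$(grep -im1 'version' "$cfg" | sed 's/.*[Vv]ersion[^0-9]*//')
    fi
    echo "Version - ${ver:-<unknown>}"

    # Log directory and timestamps (the notes' "ls -latr /var/log", filtered by name)
    logdir="$root/var/log"
    echo "Directory location of logs - $logdir"
    echo "Timestamp of all log files -"
    find "$logdir" -type f -iname "*$product*" -exec ls -la {} \; 2>/dev/null || true

    # Most recent 5 lines of the newest matching log (ls -t sorts newest first)
    newest=$(find "$logdir" -type f -iname "*$product*" -exec ls -t {} + 2>/dev/null | head -n 1)
    if [ -n "$newest" ] && [ -r "$newest" ]; then
        echo "Can we read the logs? - yes ($newest)"
        tail -n 5 "$newest"
        echo "*****End of Report*****"
        return 0
    fi
    echo "Can we read the logs? - no (no readable log named *$product* under $logdir)"
    echo "*****End of Report*****"
    return 1
}

# Run directly with a product name, e.g.:  sh report.sh "<psp name>"
if [ $# -ge 1 ]; then
    security_product_report "$@"
fi
```

The version grep is deliberately loose (first line containing "version"); check the README or vendor page when it comes back as unknown, as the notes suggest.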
Windows
Name and version of the product
Powershell - (get-item "c:\Program Files\Windows Defender\MpCmdRun.exe").VersionInfo
where /R c:\ "psp name"
reg query hklm\software\<product name> /s
wmic path win32_product
wmic path win32_product get name, version
Primary registry key
reg query hklm\software\ /s
Installation folder
dir /o:d /t:w "c:\program files"
dir /o:d /t:w "c:\program files (x86)"
Directory location of logs
where /R c:\ LOG
dir "c:\program files\path\to\logs"
Timestamp of all log files
dir "c:\program files\path\to\logs"
Cloud based?; yes or no
reg query "HKEY_LOCAL_MACHINE\software\Wow6432Node\Zone Labs" /s /f cloud
Can we read the logs?; yes or no
If Yes, put the most recent 5 lines of logs in your notes
If No, why?
Abnormal Logging Report
*****Abnormal Logging Report*****
Name - <>
PID - <>
PPID - <>
User - <>
Location of config file - <>
Remote hostname or IP - <>
Network connections - <>
*****End of Report*****
Linux
Provide process name/options, PID, Parent ID, user
find / -iname "*<malware>*"
ps -elf
ls -laR /usr/share/*/*man*/*rpcbind*
lsof -PRn -p <pid>
cat /proc/<pid>/maps
Location of Config File
ls /etc/ | grep "malwareName"
ls /usr/bin
Remote hostname or IP
netstat -auntp
cat /etc/rsyslog.d/*.conf
Network connections
netstat -auntp
Windows
Provide process name/options, PID, Parent ID, user
where /R c:\ [malware name]
wmic process get processid,parentprocessid,executablepath
tasklist /svc
tasklist /m /fi "IMAGENAME eq lsass.exe"
Location of Config File
reg query hklm /f "search term" /s
Remote Hostname or IP
netstat /anob
Network connections
netstat /anob
Malware Report
*****Malware Report*****
Name -
PID - <>
PPID - <>
User - <>
File type - <>
Supporting files - <>
Logs - <>
Persistence - <>
Description - <>
*****End of Report*****
Linux
Provide process name/options, PID, Parent ID, user
find / -iname "*<malware>*"
ps -elf
ls -laR /usr/share/*/*man*/*rpcbind*
lsof -PRn -p <pid>
cat /proc/<pid>/maps
Provide file type of malware binary and supporting files
ls -la /path/to/file
file /path/to/file
egrep logon -ri /etc/init*
egrep systemf -ri /etc/rc*
egrep logon -ri /home
egrep logon -ri /root
egrep logon -ri /usr
find /var/log -type f -mmin -90 -exec ls -trialh {} + | egrep -v "\/sys\/|\/proc\/"
Provide any logs generated by malware
ls -la /path/to/logs
Provide location and lines of any persistence mechanisms
cat /etc/crontab
ls -la /etc/cron.*
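The persistence checks above (crontab, the cron.* directories, the egrep sweeps over init*/rc*, and the find -mmin pass for recently modified files) can be run in one go. This is an added example, not part of the original notes: it greps the listed locations for a pattern and prints file:line:text so the lines can be pasted straight into the Persistence field. The root prefix and the minutes parameter are assumptions added here so it runs against a constructed sample tree.

```shell
#!/bin/sh
# Added example, not part of the original notes: sweeps the persistence locations
# the notes list for a pattern, then lists recently modified files under /var/log
# the way the notes' "find /var/log -type f -mmin -90" line does.
# ROOT is an optional prefix (assumption made here) for running against a sample tree.
#
# usage: persistence_sweep <pattern> [root] [minutes]
persistence_sweep() {
    pattern="$1"
    root="${2:-}"        # empty prefix = live filesystem
    mins="${3:-90}"      # same 90-minute window the notes use

    echo "== persistence entries matching '$pattern' (file:line:text) =="
    # Unquoted globs expand to /etc/cron.*, /etc/init*, /etc/rc*; a glob with no
    # match stays literal and is skipped by the -e test below
    for loc in "$root"/etc/crontab "$root"/etc/cron.* "$root"/etc/init* "$root"/etc/rc*; do
        [ -e "$loc" ] || continue
        # -H forces the file name even for a single file; || true keeps a no-match
        # exit status from aborting a caller that runs under set -e
        grep -rniH -- "$pattern" "$loc" 2>/dev/null || true
    done

    echo "== files modified in the last $mins minutes under $root/var/log =="
    find "$root/var/log" -type f -mmin "-$mins" -exec ls -la {} + 2>/dev/null || true
}

# Run directly, e.g.:  sh sweep.sh "<malware name>"
if [ $# -ge 1 ]; then
    persistence_sweep "$@"
fi
```

User crontabs (/var/spool/cron) and systemd units are not in the notes' list and are not searched; add them to the for loop if the host uses them.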
Provide full path of malware files or support files
dir path\to\support
Provide any network connections opened/established by malware
netstat -pant
Provide any identifiable text
strings /path/to/file
cat /path/to/file
Provide any/all modules loaded by malware
cat /proc/<pid>/maps
md5sum /path/to/file
sha1sum /path/to/file
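The process fields asked for in both the Abnormal Logging Report and the Malware Report (name, PID, PPID, user) plus the "modules loaded" item can all be read from procfs. This is an added example, not part of the original notes: it parses /proc/<pid>/status and /proc/<pid>/cmdline and reduces /proc/<pid>/maps to the unique file-backed mappings, which is what the notes' maps check is after. The optional proc-root parameter is an assumption added here so it can be tested against a constructed /proc tree; the field layout is the Linux procfs one.

```shell
#!/bin/sh
# Added example, not part of the original notes: reads the report fields for one
# process from procfs. PROCROOT is an optional prefix (assumption made here) so
# the function can run against a constructed /proc tree.
#
# usage: process_triage <pid> [procroot]
process_triage() {
    pid="$1"
    proc="${2:-/proc}"
    d="$proc/$pid"
    [ -r "$d/status" ] || { echo "no such process: $pid" >&2; return 1; }

    # /proc/<pid>/status is "Field:<TAB>value"; Uid: carries real, effective,
    # saved and fs uid, the first of which is the real uid
    name=$(awk -F'\t' '$1=="Name:"{print $2}' "$d/status")
    ppid=$(awk -F'\t' '$1=="PPid:"{print $2}' "$d/status")
    uid=$(awk -F'\t' '$1=="Uid:"{print $2}' "$d/status")
    uname=$(id -nu "$uid" 2>/dev/null || echo unknown)

    # cmdline is NUL-separated; turn the separators into spaces for the notes
    cmd=""
    [ -r "$d/cmdline" ] && cmd=$(tr '\0' ' ' < "$d/cmdline")

    echo "Name - $name"
    echo "PID - $pid"
    echo "PPID - $ppid"
    echo "User - uid $uid ($uname)"
    echo "Command - $cmd"
    echo "Modules -"
    # Column 6 of maps is the backing path; keep absolute paths only, which drops
    # anonymous mappings (5 columns) and pseudo entries such as [heap] and [stack]
    awk 'NF>=6 && $6 ~ /^\//{print $6}' "$d/maps" 2>/dev/null | sort -u | sed 's/^/  /'
}

# Run directly, e.g.:  sh triage.sh <pid>
if [ $# -ge 1 ]; then
    process_triage "$@"
fi
```

Network connections are not read here; pair the output with the notes' netstat -auntp (or ss -auntp on newer hosts) filtered on the PID.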
Windows
Provide process name/options, PID, Parent ID, user
where /R c:\ [malware]
wmic process get processid,parentprocessid,executablepath
tasklist /svc
tasklist /m /fi "IMAGENAME eq lsass.exe"
Provide file type of malware binary and supporting files
where /R c:\ baddy
powershell.exe "get-childitem c:\ -recurse | ? {$_.lastwritetime -gt '<start date>' -AND $_.lastwritetime -lt '<end date>'} | select fullname"
reg query hklm\software /s /f nvspcaps64
reg query hklm\software\wow6432node /s /f nvspcaps64
#powershell "get-ChildItem -path HKLM:\SOFTWARE\wow6432node -Recurse | where { $_.Name -match 'nvspcaps64'}"
#dir /o:d /t:w /s c:\progra~1\*baddy*
#dir /o:d /t:w /s c:\progra~2\*baddy*
#dir /o:d /t:w /s c:\windows\*baddy*\
#dir /o:d /t:w /s c:\users\admin3
Provide any logs generated by malware
dir path\to\logs
Provide location and lines of any persistence mechanisms
schtasks /query /FO list
Provide full path of malware files or support files
dir path\to\support
Provide any network connections opened/established by malware
netstat /anob
Provide any identifiable text
strings <malware.name>
Provide any/all modules loaded by malware
tasklist /m /fi "IMAGENAME eq <malware.name>"
certutil -hashfile C:\Windows\CompanionApp.exe MD5
get
Strings