Survey

Windows

ipconfig /all

date /t

time /t

tasklist /V

auditpol /get /category:*

netstat /anob

netsh advfirewall show allprofiles

net share

reg query hklm\software\microsoft\windows\currentversion\run

reg query hklm\software\microsoft\windows\currentversion\runonce

reg query hklm\software

at

schtasks /query /v

 -Run without /v for cleaner output, or use the wmic query below

wmic process get name,processid,parentprocessid,executablepath,sessionid

dir /o:d /t:w c:\

dir /o:d /t:w c:\windows\temp

dir /o:d /t:w c:\windows\

dir /o:d /t:w c:\windows\system32

dir /o:d /t:w c:\windows\system32\winevt\logs

wevtutil qe security /c:25 /rd:true /f:text

query user

*NIX

ifconfig

 ip addr (if ifconfig is not available on the distro)

date; date -u

uname -a

ls -latr /

ls -latr /tmp

ls -latr .

ls -latr ..

sudo ls -latr /root

ps -elf

netstat -auntp

w

last

ls -latr /var/spool/cron

tail -n 1000 /var/spool/cron/<file>   (repeat for each file listed above)

ls -la /etc/cron.*

cat /etc/crontab

for user in $(cut -f1 -d: /etc/passwd); do echo "###### $user crontab is:"; cat /var/spool/cron/{crontabs/$user,$user} 2>/dev/null; done

df -h

lsblk

ls -latr /var/*acc*

ls -latr /var/log/

 ls -latr /var/logs/ (some systems use this path instead of /var/log/)

ls -la /etc/*syslog*

 -Read all of the config files

 -On Ubuntu, also run: cat /etc/rsyslog.d/*.conf

find / \( -path /proc -prune -o -path /sys -prune \) -o -mmin -6 -type f -print0 | xargs -0 ls -latr

 -Change the 6 to the number of minutes you have been on the box (-mmin is in minutes); -print0 / xargs -0 keeps paths with spaces intact

sestatus || getenforce

 -If enabled, get the version from: cat /etc/selinux/semanage.conf

sudo cat /root/.bash_history

cat ~/.bash_history
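
To run the *NIX survey above as one pass and keep an integrity hash of what was collected, here is an added collector script; it is not part of the original notes, assumes only POSIX sh, and skips (and records) any command the host does not have.

```shell
#!/bin/sh
# Runs the *NIX survey commands above in one pass, records each command's
# output under a UTC-timestamped header, then hashes the finished report.
# Assumes POSIX sh only; any command the host lacks is skipped and noted.

# Subset of the survey list, most volatile state first (extend as needed).
SURVEY_CMDS='date -u
uname -a
w
ps -elf
netstat -auntp
ip addr
df -h
ls -latr /tmp
ls -latr /var/spool/cron
cat /etc/crontab
ls -la /etc/cron.*
sestatus'

# survey_nix OUTDIR: writes OUTDIR/survey.txt (+ survey.sha256), prints its path.
survey_nix() {
    outdir=$1
    report="$outdir/survey.txt"
    mkdir -p "$outdir" || return 1
    : > "$report"
    printf '%s\n' "$SURVEY_CMDS" | while IFS= read -r cmd; do
        [ -n "$cmd" ] || continue
        bin=${cmd%% *}
        printf '### %s | %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd" >> "$report"
        if command -v "$bin" >/dev/null 2>&1; then
            # sh -c so globs like /etc/cron.* expand; failures are recorded, not fatal
            sh -c "$cmd" >> "$report" 2>&1 || printf '(exit %s)\n' "$?" >> "$report"
        else
            printf '(skipped: %s not found)\n' "$bin" >> "$report"
        fi
    done
    # Integrity record for the evidence file, using whichever hasher exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$report" > "$outdir/survey.sha256"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$report" > "$outdir/survey.sha256"
    fi
    printf '%s\n' "$report"
}

# survey_count FILE: number of command sections recorded in a report.
survey_count() { grep -c '^### ' "$1"; }

# Stand-alone use: sh survey.sh run [OUTDIR]
[ "${1:-}" = "run" ] && survey_nix "${2:-./survey-$(uname -n)}"
```

Copy the report and its .sha256 off the box together and verify the hash on the analysis host before relying on the contents.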

Unexpected OS

Research the commands below and confirm them before executing

Research how to identify IP address

Research how to identify Operating System

Research how to identify routes

Research how to identify network connections

Research how to identify updated logs

Research how to identify uptime

Research how to identify running processes

Research how to identify common storage locations and what they contain