various command for quick IR

January 10, 2022
I was working on an investigation challenge on tryhackme.com, and there were several command lines that I found interesting enough to document, and that can also be used for quick IR in the early stage of an assessment.

command lines I used

list usernames

net user
Get-LocalUser | Select name, Enabled, sid, lastlogon
wmic useraccount get name, accounttype, sid, status

list AD usernames

Get-ADUser -Filter 'Name -Like "*"' | where Enabled -eq $True

list logged-on user

Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, UserName, PrimaryOwnerName, Domain, TotalPhysicalMemory, Model, Manufacturer

last logon, group member, password settings, user full name, etc

net user [username]

show local group and/or members of groups

net localgroup
net localgroup "Administrators"
Get-LocalGroup

show AD groups and enabled AD computers

Get-ADGroupMember Administrators | where objectClass -eq 'user'
Get-ADComputer -Filter "Name -Like '*'" -Properties * | where Enabled -eq $True | Select-Object Name, OperatingSystem, Enabled

list running programs (and certain programs only)

tasklist
tasklist /m /fi "pid eq <Insert Process ID here w/out the brackets>"
Get-CimInstance -ClassName Win32_Process | Select-Object CreationDate, ProcessName, ProcessID, CommandLine, ParentProcessId | where ProcessID -eq xxxx
Get-Process | Select-Object StartTime, ProcessName, ID, Path | Where Id -eq xxxx

list scheduled tasks

schtasks /query /fo list /v > schtasks.txt

list services

Get-CimInstance -ClassName Win32_Service | Select-Object Name, DisplayName, StartMode, State, PathName, StartName, ServiceType
Get-Service | Select-Object Name, DisplayName, Status, StartType

various wevtutil

wevtutil qe Security /f:text > seclogs.txt
wevtutil el | Measure-Object

system information

systeminfo

osbuild, servicepack, buildnumber, csname, lastboot

Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, servicepackmajorversion, BuildNumber, CSName, LastBootUpTime

various wmic

wmic /node:<remote-ip> /user:<username> startup list full | more
wmic /node:<remote-ip> /user:<username> service list full | more
wmic /node:<remote-ip> /user:<username> ComputerSystem Get UserName
wmic /node:<remote-ip> /user:<username> useraccount list full
wmic /node:<remote-ip> /user:<username> process get description,processid,parentprocessid,commandline /format:csv
wmic /node:<remote-ip> /user:<username> bios get serialnumber
wmic /node:<remote-ip> /user:<username> diskdrive get model,serialNumber,size,mediaType

ipconfig

ipconfig /displaydns

network related

Get-NetTCPConnection -RemoteAddress xxx.xxx.xxx.xxx -RemotePort xx | Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State

netstat with PID

netstat -bona

see firewall state

netsh firewall show state

view and set execution policy

Get-ExecutionPolicy
Set-ExecutionPolicy

check PS version

Get-Host | Select-Object Version

hashing

Get-FileHash .\file.txt -Algorithm MD5

alternate data stream (ADS)

Get-Item .\file.txt -Stream *

raw file access, hex

Get-Content .\file.txt -Encoding Byte | Format-Hex
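The commands above, strung together as one triage collector that writes each artifact to a timestamped folder and hashes the output (an added example, not the author's own script). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows 8/Server 2012 or later in an elevated console; `Save-Artifact` and `$OutDir` are names chosen for this example.

```powershell
# Added example, not code from the original post. Assumes an elevated console on
# Windows 8 / Server 2012 or later (Get-NetTCPConnection, Get-ScheduledTask).
# $OutDir is a parameter invented for this example.
param(
    [string]$OutDir = (Join-Path $PWD ("triage_{0}_{1}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss')))
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Run one collector and export it as CSV; a failure in one collector must not stop the rest.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try {
        & $Collector | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "$Name.csv")
    } catch {
        "$Name failed: $($_.Exception.Message)" | Out-File (Join-Path $OutDir 'errors.txt') -Append
    }
}

# Most volatile data first (logged-on user, connections, processes), then configuration.
Save-Artifact 'logged_on'   { Get-CimInstance -ClassName Win32_ComputerSystem | Select-Object Name, UserName, Domain, Manufacturer, Model }
Save-Artifact 'tcp'         { Get-NetTCPConnection | Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
Save-Artifact 'processes'   { Get-CimInstance -ClassName Win32_Process | Select-Object CreationDate, ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine }
Save-Artifact 'services'    { Get-CimInstance -ClassName Win32_Service | Select-Object Name, DisplayName, State, StartMode, StartName, PathName }
Save-Artifact 'sched_tasks' { Get-ScheduledTask | Select-Object TaskName, TaskPath, State, @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} }
Save-Artifact 'local_users' { Get-LocalUser | Select-Object Name, Enabled, SID, LastLogon }
Save-Artifact 'os'          { Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, CSName, LastBootUpTime }

# Plain-text output for the console tools used in the post.
ipconfig /displaydns | Out-File (Join-Path $OutDir 'dns_cache.txt')
schtasks /query /fo list /v | Out-File (Join-Path $OutDir 'schtasks.txt')

# Hash everything collected so the evidence can later be shown to be unchanged.
Get-ChildItem -Path $OutDir -File -Exclude 'manifest.csv' | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.csv')

Write-Host "Triage output written to $OutDir"
```

The Get-AD* and wmic /node commands from the post are left out because they need RSAT or a remote host; add them as further Save-Artifact calls where those are available.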

closing

This post will of course be updated in the future, and hopefully someday I will write a script that puts all of this together :D
