Compromised Windows System Analysis
- Check Windows Event Logs (last 100 process start/exit events, newest first): wevtutil qe Security "/q:*[System[(EventID=4688 or EventID=4689)]]" /c:100 /rd:true /f:text
- Analyze SAM registry (readable only as SYSTEM, not as a plain Administrator): reg query HKLM\SAM\SAM\Domains\Account\Users /s
- Review MRU lists: reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
- Examine prefetch files: Get-ChildItem C:\Windows\Prefetch | Sort LastWriteTime -Descending
- Check Windows Defender logs (1116 = malware detected, 1117 = action taken): Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Windows Defender/Operational'; ID=1116,1117}
- List scheduled tasks (task name and command only): schtasks /query /fo list /v | findstr /I "TaskName: Run:"
- Show network connections with owning executable (run elevated; piping through findstr LISTENING would discard the executable lines that -b prints): netstat -anob
- View established connections: Get-NetTCPConnection -State Established | Select LocalAddress, LocalPort, RemoteAddress, RemotePort
- Check browser history (the History file is a SQLite database; copy it and parse it offline): Get-ChildItem -Path 'C:\Users\*\AppData\Local\Google\Chrome\User Data\Default' -Filter History
- Review Windows Update logs: Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WindowsUpdateClient'}
Registry Analysis
- Query startup programs: reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /s
- Check services: reg query "HKLM\System\CurrentControlSet\Services" /s | findstr ImagePath
- User startup items (reg query accepts no wildcards, so iterate over the loaded user hives): for /f "tokens=*" %s in ('reg query HKU') do @reg query "%s\Software\Microsoft\Windows\CurrentVersion\Run" 2>nul
- Find recent registry edits: reg query does not report key last-write times; save the hive (reg save HKLM\SOFTWARE software.hiv) and read the key timestamps with an offline registry parser
- Check AppInit_DLLs (DLL injection): reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
- USB device history: reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"
Process Analysis
- List all processes with parent PID: Get-CimInstance Win32_Process | Select Name, ProcessId, ParentProcessId | Format-Table -AutoSize
- Find suspicious process spawning (command line with parent PID): wmic process get Name,ProcessId,ParentProcessId,CommandLine
- Check process DLL loads: Get-Process [processname] | Select -ExpandProperty Modules
- Monitor process creation events: Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688}
- Find processes that loaded a given DLL (injected-module check): tasklist /m [suspicious_dll]
- Analyze process memory (full dump with Sysinternals ProcDump): C:\tools\procdump.exe -accepteula -ma [PID] dump.dmp
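A worked example added here (not part of the original cheat sheet) that builds on the 4688 query above: it extracts parent and child process names from each event and stacks the pairs so the rare combinations surface first. It assumes 'Audit Process Creation' is enabled, Windows 10 / Server 2016 or later, and an elevated PowerShell session.

```powershell
# Added example (not part of the original cheat sheet): summarise Security
# event 4688 as parent -> child process pairs and stack them, so the rare
# combinations surface for review. Assumes 'Audit Process Creation' is enabled,
# Windows 10 / Server 2016 or later (ParentProcessName field) and an elevated
# shell; CommandLine is filled only when command-line auditing is also enabled.

function Get-EventDataField {
    param([xml]$Xml, [string]$Name)
    # EventData is a flat list of <Data Name="...">value</Data> elements
    ($Xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-ProcessCreationPairs {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [int]$MaxEvents = 1000
    )
    $filter = @{ LogName = 'Security'; ID = 4688; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop

    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        [pscustomobject]@{
            Time        = $e.TimeCreated
            User        = "$(Get-EventDataField $x 'SubjectDomainName')\$(Get-EventDataField $x 'SubjectUserName')"
            Parent      = Get-EventDataField $x 'ParentProcessName'
            Child       = Get-EventDataField $x 'NewProcessName'
            # NewProcessId is logged as a hex string such as 0x1a2c
            ChildPid    = [Convert]::ToInt32((Get-EventDataField $x 'NewProcessId'), 16)
            CommandLine = Get-EventDataField $x 'CommandLine'
        }
    }
}

$pairs  = Get-ProcessCreationPairs
$stacks = $pairs | Group-Object { '{0} -> {1}' -f $_.Parent, $_.Child } | Sort-Object Count, Name

# Frequency table: read from the top, the least common pairs first
$stacks | Select-Object Count, Name | Format-Table -AutoSize

# Drill into the rarest pair with user, PID and full command line
$stacks | Select-Object -First 1 | ForEach-Object {
    $_.Group | Sort-Object Time | Format-Table Time, User, ChildPid, CommandLine -Wrap
}
```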
QUICK REFERENCE & TECHNICAL SKILLS
Essential Linux Commands
# Check recent logins
last -20
# Find modified files
find / -mtime -7
# List active connections
ss -antp
# Check cron jobs
grep CRON /var/log/syslog
Windows PowerShell Commands
# View Event Logs
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624}
# List running processes
Get-Process | Select ProcessName, ID
# Check network connections
Get-NetTCPConnection
Forensic Analysis Tools & Resources
→ Wireshark
Network packet analysis and protocol inspection
→ Sleuth Kit
Digital forensics framework and tools
→ Volatility
Memory forensics and analysis tool
→ YARA
Malware identification and classification
→ SANS Resources
Security training and documentation
→ MITRE ATT&CK
Adversary tactics, techniques & procedures