
Diverse cheat sheets

Wed 2019-08-28    SysAdm

Written on the back of a Microsoft release for Server 2003 and Windows XP called "The Services and Service Accounts Security Planning Guide" http://usergroup.doubletake.com/file_cabinet/download/0x000021733 . Loads of things in there are still relevant to later Windows releases.

List of Windows events I like to keep an eye on, as they may provide indicators of a compromise, especially if you can correlate them with DNS request logs and things like DHCP offer logs.

Event ID 1102 The audit log was cleared.
Event ID 4616 The system time was changed.
Event ID 4624 An account was successfully logged on.
Event ID 4625 An account failed to log on.
Event ID 4626 Shows a numerical value for the type of login that was attempted.
Event ID 4634 An account was logged off.
Event ID 4647 User initiated logoff.
Event ID 4720 A user account was created.
Event ID 4722 A user account was enabled.
Event ID 4732 A member was added to a security-enabled local group.
Event ID 4733 A member was removed from a security-enabled local group.
Event ID 4734 A security-enabled local group was deleted.
Event ID 4735 A security-enabled local group was changed.
Event ID 4738 A user account was changed.
Event ID 4740 A user account was locked out.
Event ID 4741 A computer account was created.
Event ID 4742 A computer account was changed.
Event ID 4743 A computer account was deleted.
Event ID 4725 A user account was disabled.
Event ID 4726 A user account was deleted.
Event ID 4781 The name of an account was changed.
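As an added example (my code, not part of the original post or any Microsoft tool), here is a PowerShell function that pulls the event IDs listed above out of the Security log for the last N hours and flattens the fields you need for correlating with DNS and DHCP logs (account, logon type, source IP). The function name, the $WatchIds variable and the chunk size are my own choices; the event IDs are the ones in the list. Run it in an elevated PowerShell, since reading the Security log needs admin rights.

```powershell
# Added example, not from the original post: collect the watch-list events from the
# Security log and turn each one into a flat object you can group, filter or export.

# The IDs from the list above (1102 is written to the Security log as well).
$WatchIds = 1102,4616,4624,4625,4626,4634,4647,4720,4722,4725,4726,
            4732,4733,4734,4735,4738,4740,4741,4742,4743,4781

function Get-WatchedSecurityEvents {
    param(
        [int]$Hours = 24,
        [int[]]$Id  = $WatchIds
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Event-log XPath filters only allow a couple of dozen clauses, so query the IDs in chunks.
    for ($i = 0; $i -lt $Id.Count; $i += 10) {
        $chunk = $Id[$i..([Math]::Min($i + 9, $Id.Count - 1))]
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $chunk; StartTime = $since } -ErrorAction SilentlyContinue |
            ForEach-Object {
                # EventData is a list of <Data Name="..."> nodes; build a name -> value table.
                # 1102 uses UserData instead, so for it the table simply stays empty.
                $x = [xml]$_.ToXml()
                $d = @{}
                foreach ($n in $x.Event.EventData.Data) { if ($n.Name) { $d[$n.Name] = $n.'#text' } }
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    Id        = $_.Id
                    Computer  = $_.MachineName
                    Subject   = $d['SubjectUserName']   # who did it
                    Target    = $d['TargetUserName']    # who/what it was done to
                    LogonType = $d['LogonType']         # only set on 4624/4625 (2 interactive, 3 network, 10 RDP ...)
                    SourceIp  = $d['IpAddress']         # the field to join against DHCP offers / DNS queries
                    Process   = $d['ProcessName']
                    Status    = $d['Status']            # NTSTATUS on 4625, e.g. 0xC000006D bad user name or password
                }
            }
    }
}

# Usage: how many of each event in the last day, then failed logons by source address
$events = Get-WatchedSecurityEvents -Hours 24
$events | Group-Object Id | Sort-Object Count -Descending | Format-Table Name, Count
$events | Where-Object Id -eq 4625 | Group-Object SourceIp | Sort-Object Count -Descending | Format-Table Name, Count
```

A burst of 4625 from one SourceIp followed by a 4624 with LogonType 3 or 10, or a 4720/4732 pair (account created and dropped into a local group) outside change windows, is the sort of thing worth chasing back through the DHCP logs to a physical port or wireless client.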

New to Linux?  Don't know which one to use? Try them all first at https://distrotest.net

Lenny Zeltser has a few great cheat sheets; my favourite is 'How to Suck at Information Security': https://zeltser.com/media/docs/suck-at-security-cheat-sheet.pdf

Definitely worth printing!

Some searches. These are normally the first things I try on a Windows box when looking for passwords (don't ask why...), especially on sysadmins' machines, as they always store passwords in text files!  You may want to run these on any servers or PCs to see if you have any unexplained files.  Just run them from CMD.

findstr /si password *.txt
findstr /si password *.xml
findstr /si password *.ini
dir /b /s sysprep.inf
dir /s *pass* == *cred* == *vnc* == *.config*
findstr /spin "password" *.*
reg query HKLM /f password /t REG_SZ /s
reg query HKCU /f password /t REG_SZ /s

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

The last one is for Windows Autologon. I would suggest appending | clip to each of the commands, pasting the result into Notepad and analysing it later.
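As an added example (my code, not from the original post), the same sweep the findstr, dir and reg query commands above do, as one PowerShell function that returns objects you can Export-Csv and read later instead of pasting clip output into Notepad. The default paths, file masks and regex are my assumptions; adjust them for your estate. It also checks the Winlogon key for an autologon password, and deliberately reports only that one is set rather than writing the value into the report.

```powershell
# Added example, not from the original post: a plaintext-password hygiene sweep for servers
# and admin PCs. Defaults below are assumptions; tune them for what your machines look like.
function Find-PlaintextSecrets {
    param(
        [string[]]$Path        = @("$env:SystemDrive\Users", "$env:ProgramData", "$env:SystemDrive\inetpub"),
        [string[]]$ContentMask = @('*.txt', '*.xml', '*.ini', '*.config', '*.ps1', '*.bat', '*.cmd'),
        [string[]]$NameMask    = @('*pass*', '*cred*', '*vnc*', 'sysprep.inf', 'unattend.xml'),
        [string]$Pattern       = 'password|passwd|pwd\s*='
    )
    $Path = @($Path | Where-Object { Test-Path $_ })
    if (-not $Path) { return }

    # 1. Files whose name alone is worth a look (what the 'dir /s *pass* == *cred* ...' line does)
    Get-ChildItem -Path $Path -Recurse -File -Include $NameMask -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'FileName'; Location = $_.FullName; Line = $null; Match = $_.Name }
        }

    # 2. Lines in text-type files that mention a password (what 'findstr /si password *.txt' does)
    Get-ChildItem -Path $Path -Recurse -File -Include $ContentMask -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Kind = 'FileContent'; Location = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() }
        }

    # 3. Windows autologon: the Winlogon key the last reg query above reads. A DefaultPassword
    #    value is stored in plain text, and AutoAdminLogon = 1 means it is actually in use.
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon    = Get-ItemProperty $winlogonKey -ErrorAction SilentlyContinue
    if ($winlogon.DefaultPassword -or $winlogon.AutoAdminLogon -eq '1') {
        $pw = if ($winlogon.DefaultPassword) { '<set, not shown>' } else { '<not set>' }
        [pscustomobject]@{
            Kind     = 'Registry'
            Location = $winlogonKey
            Line     = $null
            Match    = "AutoAdminLogon=$($winlogon.AutoAdminLogon) DefaultUserName=$($winlogon.DefaultUserName) DefaultPassword=$pw"
        }
    }
}

# Usage: write a report per machine to review later
Find-PlaintextSecrets | Export-Csv -NoTypeInformation -Path "$env:TEMP\secret-sweep-$env:COMPUTERNAME.csv"
```

For a broad registry search keep using the reg query HKLM /f password ... lines above; walking the whole hive from PowerShell is slow and noisy, whereas the Winlogon check covers the one key that matters most.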

To view the USB storage devices that have been used on a PC:

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

You can find even more information about the USB device using the vendor or device ID, for example at https://devicehunt.com/
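As an added example (my code, not from the original post), here is a PowerShell function that reads the same USBSTOR key into objects (vendor, product, revision, serial) and, where it can, joins the matching VID/PID from the Enum\USB key so you have the IDs to look the device up. The function name is mine, and it assumes the Enum\USB instance key equals the USBSTOR serial without its trailing "&0", which is the usual case for mass-storage devices.

```powershell
# Added example, not from the original post: USB storage history from the registry,
# with the vendor/product ID joined in from Enum\USB where the serial numbers match.
function Get-UsbStorageHistory {
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    $usb     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
    if (-not (Test-Path $usbstor)) { return }

    # Build a serial -> "VID_xxxx PID_xxxx" index once, from keys like USB\VID_0781&PID_5567\<serial>
    $idIndex = @{}
    Get-ChildItem $usb -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.PSChildName -match '^VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            $vendorId = $Matches[1]; $productId = $Matches[2]
            foreach ($inst in Get-ChildItem $_.PSPath -ErrorAction SilentlyContinue) {
                $idIndex[$inst.PSChildName] = "VID_$vendorId PID_$productId"
            }
        }
    }

    foreach ($dev in Get-ChildItem $usbstor) {
        # Key name looks like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00
        $parts = @{}
        foreach ($p in ($dev.PSChildName -split '&')) {
            if ($p -match '^(Ven|Prod|Rev)_(.*)$') { $parts[$Matches[1]] = $Matches[2] }
        }
        # Each subkey is one physical device, named by its serial plus an '&0' style suffix
        foreach ($inst in Get-ChildItem $dev.PSPath -ErrorAction SilentlyContinue) {
            $serial = $inst.PSChildName -replace '&\d+$', ''
            $props  = Get-ItemProperty $inst.PSPath -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Vendor       = $parts['Ven']
                Product      = $parts['Prod']
                Revision     = $parts['Rev']
                Serial       = $serial
                # An '&' as the second character means the device had no serial and Windows made one up,
                # so that value will not identify the same stick on another machine.
                WindowsMadeSerial = ($serial.Length -gt 1 -and $serial[1] -eq '&')
                VidPid       = $idIndex[$serial]      # $null if no matching Enum\USB instance was found
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

# Usage
Get-UsbStorageHistory | Format-Table -AutoSize
```

The VidPid column is what you paste into the device lookup site above; the Serial column is what you would put on a blocklist or match against the device control logs of other machines.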

To see which PowerShell modules are installed on a PC and have a newer version available in the gallery (it queries the gallery per module, so it needs internet access), open PowerShell and run

Get-InstalledModule | Select-Object Name, @{n='Installed';e={$_.Version}}, @{n='Available';e={(Find-Module -Name $_.Name).Version}} | Where-Object {$_.Available -gt $_.Installed}

If you are not really using PowerShell and there are installed modules anyway, I would suggest googling what they are!  Posh-SSH is a common one to have for some reason; here's what it is:  https://www.powershellgallery.com/packages/Posh-SSH/2.1

You can also use https://www.powershellgallery.com/ to look up any Powershell modules you find.

Another interesting tool is the Live Response Collection from BriMor Labs. The download is available at https://www.brimorlabs.com/tools/ and there are MD5 and SHA hashes to validate the download.

To use it, extract the zip file straight onto a USB stick (don't unzip it somewhere else and then copy it to the USB drive). There are a few folders for 'nix, Mac and Windows; open the folder for the operating system you have the USB plugged into and run the application for it, ideally as administrator.  It is basically a load of scripts that pull information about browsing history, folders opened, files viewed etc.  You will be surprised at what it finds!  Each time you run it, it will save the files in a folder named after the machine.

Quite a powerful yet simple forensic tool, and interesting if you wish to carry out an investigation into a compromised machine, as with a little digging you should be able to find the website, file or USB serial number that any compromise (malware etc.) came from and then blacklist it.

Breakdown of a TLS 1.2 connection, byte by byte; excellent work if you wish to understand or learn about that:
https://tls.ulfheim.net/

Microsoft Windows threat protection sheets on Github: https://github.com/MicrosoftDocs/windows-itpro-docs/tree/master/windows/security/threat-protection/a...

A massive load of links for OSINT (Open Source Intelligence): https://start.me/p/b5Aow7/asint_collection

These are great if you're looking to set up logging on various systems; the Windows Registry Auditing and Windows Logging cheat sheets are really good (as are the others): https://www.malwarearchaeology.com/cheat-sheets

Packetlife: hopefully everyone knows these. Jeremy Stretch has done an awesome job with them: https://packetlife.net/library/cheat-sheets/

SANS.

DFIR (Digital Forensics and Incident Response) https://digital-forensics.sans.org/community/cheat-sheets

Loads of good ones here; you may need to register to get some of them. Some great references for tools and Windows: https://pen-testing.sans.org/resources/downloads

Misc. tools from SANS. Some of these are in the links above, but tools like Scapy, Metasploit and Netcat are worth checking out and learning: https://pen-testing.sans.org/blog/category/cheatsheet

This site has loads: https://www.cheat-sheets.org/ . I found it when I was looking for commands for Notepad++ (best notepad and text editor out there IMHO), but the PowerShell and Windows ones are good, and there is a TLS one which helps visualise the TLS breakdown in my first link above.

Red Team tips https://github.com/vysec/RedTips These are tips on how Red Team pen testers will look to compromise systems. Learn them and protect yours better!

SecJuice https://www.secjuice.com/penetration-test-scanning-introduction/ SecJuice is a website written by and for security researchers, incident responders etc., so there are great articles on here, including how some people's unusual journeys led them into security. Feel free to submit an article!

Conference videos. Cooper (twitter @Ministraitor) is a guy from the Netherlands who goes to about 32 conferences a year; the difference is he films them, and he doesn't charge (except for the paid conferences). Boy does he travel! Anyway, here's his website with links to the conferences he films (they get posted on the conferences' own YouTube channels) https://administraitor.video/editions If you do appreciate his efforts, buy him a mate (horrible drink he likes); they're about 1.5 Euros https://administraitor.video/buy_me_a_mate.html

IP address converter https://www.convertforfree.com/ip-address-notation-converter/

Team Cymru - US based team, despite the name; awesome researchers, loads of great resources here https://www.team-cymru.com/community-services.html

Sharon Tools: DIT and 9Ping are quite useful, and the site also has a load of online tools which can give you some useful information https://www.sharontools.com/

The Sprawl - Excellent resource for help with Scapy https://thesprawl.org/research/scapy/ and it also has a load of other great stuff on there.

TCL scripting tutorial https://tcl.tk/man/tcl8.5/tutorial/tcltutorial.html