Windows Auditing
This post is a comprehensive list of the things you would want to check while conducting Windows auditing.
Step 1:
Explanation: List all installed programs (after you cd to C:\Program Files)
Command: dir /p /n > Path\<output-file>
Command: tree /A /F > Path\<output-file>
Step 2:
Explanation: List security policies
Command: auditpol /get /category:* (as Admnistrator)
Command: auditpol /backup /file:c:\<output>.csv (as Admnistrator)
Step 3a:
Explanation: List Windows running/stopped services
Command: sc query type= service > Path\<output-file>
Command: sc query type= service state= inactive > Path\<output-file>
Command: sc query type= service state= all > Path\<output-file> (running and not running)
Command: net start > Path\<output-file>
Step 3b:
Explanation: List Windows service running privilages
Command: sc qprivs <service name> > Path\<output-file>
Step 4:
Explanation: Identifying the windows security patches using WMIC
Command: wmic qfe get description,installedOn > Path\<output-file>
Step 5:
Explanation: List Windows processes with relevant information
Command: wmic process > Path\<output-file>
Command: wmic process list brief > Path\<output-file>
Command: wmic process list full > Path\<output-file>
Command: wmic process list system > Path\<output-file>
Step 6:
Explanation: List Windows startup programs
Command: wmic startup > Path\<output-file>
Command: wmic startup list full > Path\<output-file>
Command: wmic startup list brief > Path\<output-file>
Command: wmic startup list system > Path\<output-file>
Step 7:
Explanation: List Windows current connections with ownership
Command: netstat -nab > Path\<output-file>
 
No comments:
Post a Comment