Will add sub bullets for specific tools/scripts
- JC - martha, kelsi
- Johnathan - taylor, darbus
- Ryan - chad, jason
- Chris - troy, zeke
- Ben - sharpay, gabriella
- Linux
- Windows/AD
- Web
- FTP/SMB/Samba
- DNS
- SSH
- MYSQL
- IR Report Author
-
- List Users
Get-WmiObject -Class Win32_UserAccount
- Remove Local Users
Remove-LocalUser -Name "<name>"
- List Users
-
- Turn on
netsh advfirewall set allprofiles state on
- Remove all Rules at Start (note: the command below only sets the default policy to block; existing allow rules stay in place, and blocking outbound will also cut DNS/updates until explicit allow rules are added)
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound
- Start Logging (setting the filename alone records nothing; also enable `netsh advfirewall set allprofiles logging droppedconnections enable`)
netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
- Turn on
-
Disable WinRm (https://4sysops.com/wiki/disable-powershell-remoting-disable-psremoting-winrm-listener-firewall-and-localaccounttokenfilterpolicy/)
- Stop Current Session for user if any
Disable-PSRemoting -Force
- Stop Service Altogether (two separate commands; they were run together on one line)
Stop-Service WinRM -PassThru
Set-Service WinRM -StartupType Disabled -PassThru
- Check For Listener and then Delete Remote Listener
- list listeners
dir wsman:\localhost\listener
Remove-Item -Path WSMan:\Localhost\listener\<Listener Name>
- list listeners
- Disable Firewall Exceptions
Set-NetFirewallRule -DisplayName 'Windows Remote Management (HTTP-In)' -Enabled False -PassThru | Select -Property DisplayName, Profile, Enabled
- Disable remote execution with an admin access token: remote logons by local accounts get a filtered token, so remote users hit a UAC prompt instead of silent admin.
Set-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system -Name LocalAccountTokenFilterPolicy -Value 0
- Stop Current Session for user if any
-
- View Running Tasks
Get-ScheduledTask | ? State -eq Running
- Disable/Enable Tasks
[Enable|Disable]-ScheduledTask -TaskName "<name>"
- View Running Tasks
-
- sudo iptables-restore < /etc/iptables.firewall.rules
-
- Sanity Check permissions /etc/passwd /etc/shadow
ls -l /etc/shadow
ls -l /etc/passwd
- Sudoers should only be root + the sudo group (check the drop-in directory /etc/sudoers.d/ as well, since entries there grant sudo just the same)
cat /etc/sudoers
- Check Sudo group members
grep -Po '^sudo.+:\K.*$' /etc/group
- Sanity Check permissions /etc/passwd /etc/shadow
-
cut -d : -f1,3,4 /etc/passwd
-
sudo sed -i 's/#PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config; /etc/init.d/sshd restart
(this only rewrites a commented-out `#PermitRootLogin` line; if the line is already uncommented it stays as is, so confirm the active value before restarting)
-
for user in $(cut -d : -f 1 /etc/passwd); do sudo crontab -u "$user" -l; done > crontab_summary.txt
sudo touch /etc/cron.d/cron.allow
, then add users as necessary; rm -f /etc/cron.deny
-
atq # check for at jobs
touch /etc/at.d/at.allow
, then add root only; rm -f /etc/at.deny
-
unalias -a
-
Pam Config: session required pam_tty_audit.so enable=*
ausearch -ts <some_timestamp> -m tty -i
aureport --tty
-
ppriv <pid/user>
- Sanity Check permissions /etc/passwd /etc/shadow
ls -l /etc/shadow
ls -l /etc/passwd
-
cut -d : -f1,3,4 /etc/passwd
-
modinfo; modunload -i 0
- Check Apache Modules: Apxs
- Static ARP tables
-
nope
- Delete script artifacts
- https://github.com/meirwah/awesome-incident-response
- https://alexlevinson.wordpress.com/2017/05/09/know-your-opponent-my-ccdc-toolbox/
- https://github.com/BinaryDefense/artillery
- https://github.com/chrisjd20/Blue-Team-Cheat-Sheets/blob/master/BTCSwGSEnotes.pdf
- https://github.com/ucrcyber/CCDC/tree/master/blue-team
- https://github.com/marshyski/quick-secure/blob/master/quick-secure
- https://docs.google.com/presentation/d/1pPXLg3KqwSMLRCNRfows5QnVI2mLjSmll5vN2WHMFJg/edit#slide=id.g8e1a55d_0_5
- https://www.netresec.com/?page=networkminer
- http://www.cheat-sheets.org/saved-copy/Solaris_quickref.pdf
- http://www.tablespace.net/quicksheet/solaris-quicksheet.pdf