Security Incident Survey Cheat Sheet

This cheat sheet provides a comprehensive guide for server administrators on how to examine a suspect system for potential security incidents. It outlines various commands and steps for assessing network configurations, user accounts, processes, and logs to identify anomalies and potential compromises. Key incident response steps are also highlighted, emphasizing the importance of preparation, identification, containment, eradication, recovery, and documentation.


SECURITY INCIDENT SURVEY CHEAT SHEET FOR SERVER ADMINISTRATORS

Tips for examining a suspect system to decide whether to escalate for formal incident response.

Assessing the Suspicious Situation

- To retain the attacker's footprints, avoid taking actions that access many files or installing tools.
- Look at system, security, and application logs for unusual events.
- Look at network configuration details and connections; note anomalous settings, sessions or ports.
- Look at the list of users for accounts that do not belong or should have been disabled.
- Look at a listing of running processes or scheduled jobs for those that do not belong there.
- Look for unusual programs configured to run automatically at system start time.
- Check ARP and DNS settings; look at the contents of the hosts file for entries that do not belong there.
- Look for unusual files and verify the integrity of OS and application files.
- Use a network sniffer, if present on the system or available externally, to observe for unusual activity.
- A rootkit might conceal the compromise from tools; trust your instincts if the system just doesn't feel right.
- Examine recently reported problems, intrusion detection and related alerts for the system.

If You Believe a Compromise is Likely...

- Involve an incident response specialist for next steps and notify your manager.
- Do not panic or let others rush you; concentrate to avoid making careless mistakes.
- If stopping an on-going attack, unplug the system from the network; do not reboot or power down.
- Take thorough notes to track what you observed, when, and under what circumstances.

Windows Initial System Examination

- Look at event logs: eventvwr
- Examine network configuration: arp -a, netstat -nr
- List network connections and related details: netstat -nao, netstat -vb, net session, net use
- List users and groups: lusrmgr, net users, net localgroup administrators, net group administrators
- Look at scheduled jobs: schtasks
- Look at auto-start programs: msconfig
- List processes: taskmgr, wmic process list full
- List services: net start, tasklist /svc
- Check DNS settings and the hosts file: ipconfig /all, ipconfig /displaydns, more %SystemRoot%\System32\Drivers\etc\hosts
- Verify integrity of OS files (affects lots of files!): sigverif
- Research recently modified files (affects lots of files!): dir /a/o-d/p %SystemRoot%\System32
- Avoid using Windows Explorer, as it modifies useful file system details; use the command line.

Unix Initial System Examination

- Look at event log files in directories (locations vary): /var/log, /var/adm, /var/spool
- List recent security events: wtmp, who, last, lastlog
- Examine network configuration: arp -an, route print
- List network connections and related details: netstat -nap (Linux), netstat -na (Solaris), lsof -i
- List users: more /etc/passwd
- Look at scheduled jobs: more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs
- Check DNS settings and the hosts file: more /etc/resolv.conf, more /etc/hosts
- Verify integrity of installed packages (affects lots of files!): rpm -Va (Linux), pkgchk (Solaris)
- Look at auto-start services: chkconfig --list (Linux), ls /etc/rc*.d (Solaris), smf (Solaris 10+)
- List processes: ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1
- Find recently modified files (affects lots of files!): ls -lat /, find / -mtime -2d -ls

Incident Response Communications

- Do not share incident details with people outside the team responding to the incident.
- Avoid sending sensitive data over email or instant messenger without encryption.
- If you suspect the network was compromised, communicate out-of-band, e.g. via non-VoIP phones.

Key Incident Response Steps

1. Preparation: Gather and learn the necessary tools, become familiar with your environment.
2. Identification: Detect the incident, determine its scope, and involve the appropriate parties.
3. Containment: Contain the incident to minimize its effect on neighboring IT resources.
4. Eradication: Eliminate compromise artifacts, if necessary, on the path to recovery.
5. Recovery: Restore the system to normal operations, possibly via reinstall or backup.
6. Wrap-up: Document the incident's details, retain collected data, and discuss lessons learned.

Other Incident Response Resources

- Windows Intrusion Discovery Cheat Sheet: https://dfir.to/windows-intrusion-discovery
- Checking Windows for Signs of Compromise: https://dfir.to/windows-signs-of-compromise
- Linux Intrusion Discovery Cheat Sheet: https://dfir.to/linux-intrusion-discovery
- Checking Unix/Linux for Signs of Compromise: https://dfir.to/linux-signs-of-compromise
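The Unix examination commands above, wrapped in a note-taking script so that "take thorough notes" happens automatically: this is an added example, not part of the cheat sheet. It assumes a POSIX sh and the survey commands listed above; the function names (survey_cmd, run_survey) are hypothetical, and the "affects lots of files!" checks (rpm -Va, find / -mtime) are deliberately left out to preserve the attacker's footprints.

```shell
#!/bin/sh
# Hypothetical survey note-taker (added example, not from the cheat sheet).
# Every command's output is appended to one notes file behind a UTC timestamp
# and the exact command line, so the examiner can later show what was
# observed, when, and how. Point the notes file at removable or remote
# storage rather than the suspect system's own disk.

# survey_cmd NOTES_FILE COMMAND [ARGS...]
survey_cmd() {
    notes=$1; shift
    printf '\n### %s ### %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" >>"$notes"
    if command -v "$1" >/dev/null 2>&1; then
        # Record a non-zero exit status too: a tool that fails is itself a finding.
        "$@" >>"$notes" 2>&1 || printf '[exit status %s]\n' "$?" >>"$notes"
    else
        printf '[%s not available on this host]\n' "$1" >>"$notes"
    fi
}

# run_survey NOTES_FILE: run the read-only part of the Unix survey and
# print the number of sections written, so the caller can confirm it completed.
run_survey() {
    notes=$1
    printf 'Security incident survey notes for host %s\n' "$(uname -n)" >"$notes"
    survey_cmd "$notes" who
    survey_cmd "$notes" last -n 20
    survey_cmd "$notes" lastlog
    survey_cmd "$notes" arp -an
    survey_cmd "$notes" netstat -nap
    # -n -P: no DNS or service-name lookups, so the survey itself generates no
    # name resolution traffic from the suspect host.
    survey_cmd "$notes" lsof -n -P -i
    survey_cmd "$notes" cat /etc/passwd
    survey_cmd "$notes" cat /etc/crontab
    survey_cmd "$notes" ls -la /etc/cron.d /etc/cron.daily /etc/cron.hourly /var/at/jobs
    survey_cmd "$notes" cat /etc/resolv.conf
    survey_cmd "$notes" cat /etc/hosts
    survey_cmd "$notes" chkconfig --list
    survey_cmd "$notes" ps aux
    survey_cmd "$notes" lsof +L1
    survey_cmd "$notes" ls -lat /
    grep -c '^### ' "$notes"
}

# Usage: sh survey.sh /mnt/usb/notes-$(uname -n).txt
if [ -n "${1:-}" ]; then run_survey "$1"; fi
```

Review the notes file by hand afterwards; the script only records, it does not judge what is anomalous.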

Authored by Lenny Zeltser, who leads a security consulting team at SAVVIS and teaches malware analysis at SANS Institute. Special thanks for feedback to Lorna Hutcheson, Patrick Nolan, Raul Siles, Ed Skoudis, Donald Smith, Koon Yaw Tan, Gerard White, and Bojan Zdrnja. Creative Commons v3 "Attribution" License for this cheat sheet v. 1.8.
