Find Suspicious activity
Type of suspicious activities
- Unusual/failed login attempts
- Single account used from multiple locations
- Anomalous access based on location, time of day, data assets etc.
- Downloading/Accessing/Deletion of large amount of information
- Unusual program access/installation
- Access from bad reputation/black listed IP/endpoints
- Emailing, Printing or saving sensitive data files at unusual times
- Capturing screen of sensitive information using computer or mobile
- Changing privileges
- Installing un-authorized applications
- Data leaks to external sources / Social media
Five steps to find malicious activity
- Scheduled task (SCHTASKS /Query /FO LIST /V)
- Wmic startup list full
3) FIND ALL PROC & CMD LINES RUNNING AT PRESENT
a) wmic path win32_process get name,commandline /format:list or csv
b) wmic path Win32_Process WHERE Name=”cscript.exe” GET Name,ParentProcessId,processid
c) Tasklist /fi “pid eq 979”
&
wmic path win32_process Where “Caption Like ‘%svchost%’ “ get Caption,CommandLine,CreationDate
4. Net user (list out of all users)
5. Netstat -ano
6) schtasks /query /fo LIST /v
7) ipconfig /all | findstr DNS ( find proxies) and netstat -anb (iexplore.exe n/w)
Here, i just provided the commands for windows, you can do the same for linux also:
- lsof
- cron jobs
- Checking bash_history file
- user enumeration “cut -d: -f1 /etc/group | sort”
- cut -d: -f1,3 /etc/passwd | egrep ‘[0–9]{4}$’ |cut -d: -f1
#displaying a list of users with 4-digit UIDs (UIDs>=1000)
6. resolv.conf file for any suspicious DNS
7. lastb -adF #list Failed logins
Audit tool like aureport provides summary reports of the audit system logs
