Find Suspicious activity

Type of suspicious activities

  • Unusual/failed login attempts
  • Single account used from multiple locations
  • Anomalous access based on location, time of day, data assets etc.
  • Downloading/Accessing/Deletion of large amount of information
  • Unusual program access/installation
  • Access from bad reputation/black listed IP/endpoints
  • Emailing, Printing or saving sensitive data files at unusual times
  • Capturing screen of sensitive information using computer or mobile
  • Changing privileges
  • Installing un-authorized applications
  • Data leaks to external sources / Social media

Five steps to find malicious activity

  1. Scheduled task (SCHTASKS /Query /FO LIST /V)
  2. Wmic startup list full


a) wmic path win32_process get name,commandline /format:list or csv

b) wmic path Win32_Process WHERE Name=”cscript.exe” GET Name,ParentProcessId,processid

c) Tasklist /fi “pid eq 979”


wmic path win32_process Where “Caption Like ‘%svchost%’ “ get Caption,CommandLine,CreationDate

4. Net user (list out of all users)

5. Netstat -ano

6) schtasks /query /fo LIST /v

7) ipconfig /all | findstr DNS ( find proxies) and netstat -anb (iexplore.exe n/w)

Here, i just provided the commands for windows, you can do the same for linux also:

  1. lsof
  2. cron jobs
  3. Checking bash_history file
  4. user enumeration “cut -d: -f1 /etc/group | sort”
  5. cut -d: -f1,3 /etc/passwd | egrep ‘[0–9]{4}$’ |cut -d: -f1

#displaying a list of users with 4-digit UIDs (UIDs>=1000)

6. resolv.conf file for any suspicious DNS

7. lastb -adF #list Failed logins

Audit tool like aureport provides summary reports of the audit system logs



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store