Sunday, May 12, 2013

Windows Auditing


Introduction

This post is a comprehensive list of the things you would want to check while conducting Windows auditing.

Step 1:

Explanation: List all installed programs (after you cd to C:\Program Files)

Command: dir /p /n > Path\<output-file>
Command: tree /A /F > Path\<output-file>


Step 2:

Explanation: List security policies

Command: auditpol /get /category:* (as Administrator)
Command: auditpol /backup /file:c:\<output>.csv (as Administrator)
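To review the collected policy rather than read it by eye, here is an added Python example (my own, not a command from this post) that parses the text written by auditpol /get /category:* and lists the subcategories that fall below a baseline. The sample output and the baseline are constructed for illustration; it assumes the English-locale layout of that output (categories flush left, subcategories indented, the setting last on the line).

```python
from collections import defaultdict
# Constructed sample of `auditpol /get /category:*` text output (not from a real host).
SAMPLE_AUDITPOL = """\
System audit policy
Category/Subcategory                      Setting
System
  IPsec Driver                            No Auditing
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Account Lockout                         No Auditing
Account Logon
  Credential Validation                   Success
"""
# Assumed baseline for this example only; substitute your own policy standard.
BASELINE = {
    "Logon": "Success and Failure",
    "Account Lockout": "Failure",
    "Credential Validation": "Success and Failure",
    "Security State Change": "Success and Failure",
}
# Longest first so "Success and Failure" is matched before its "Failure" suffix.
SETTINGS = ("Success and Failure", "No Auditing", "Success", "Failure")

def parse_auditpol(text):
    """Return {category: {subcategory: setting}}; header lines create no entries."""
    policy, category = defaultdict(dict), None
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):  # unindented: category (or report header)
            category = line.strip()
            continue
        for setting in SETTINGS:
            if line.endswith(setting):
                policy[category][line[: -len(setting)].strip()] = setting
                break
    return dict(policy)

def outcomes(setting):
    return set() if setting == "No Auditing" else set(setting.split(" and "))

def find_gaps(policy, baseline):
    return [(cat, sub, actual, baseline[sub])
            for cat, subs in policy.items() for sub, actual in subs.items()
            if sub in baseline and not outcomes(baseline[sub]) <= outcomes(actual)]

for gap in find_gaps(parse_auditpol(SAMPLE_AUDITPOL), BASELINE):
    print("%s / %s is %r, baseline wants %r" % gap)
```

To check a real capture, read the redirected output file into a string and pass it to parse_auditpol in place of the sample.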

Step 3a:

Explanation: List Windows running/stopped services

Command: sc query type= service > Path\<output-file>
Command: sc query type= service state= inactive > Path\<output-file>
Command: sc query type= service state= all > Path\<output-file> (running and not running)
Command: net start > Path\<output-file>


Step 3b:

Explanation: List the privileges a Windows service runs with

Command: sc qprivs <service name> > Path\<output-file>


Step 4:

Explanation: List the installed Windows security patches (hotfixes) using WMIC

Command: wmic qfe get description,installedOn > Path\<output-file>


Step 5:

Explanation: List Windows processes with relevant information

Command: wmic process > Path\<output-file>
Command: wmic process list brief > Path\<output-file>
Command: wmic process list full > Path\<output-file>
Command: wmic process list system > Path\<output-file>


Step 6:

Explanation: List Windows startup programs

Command: wmic startup > Path\<output-file>
Command: wmic startup list full > Path\<output-file>
Command: wmic startup list brief > Path\<output-file>
Command: wmic startup list system > Path\<output-file>


Step 7:

Explanation: List current Windows network connections with the owning process

Command: netstat -nab > Path\<output-file>
