Tuesday, November 24, 2009

CMD.EXE Incident Response Cheat Sheet

Recently, I have been putting together some incident response tools and documentation for our systems administrators and wanted to provide an easy-to-use reference of the Windows command line tools at their disposal. There is a lot of great information available, but I could not find a single one-page cheat sheet of all the cmd.exe commands one might use during incident response. The closest thing I found to containing all the commands I wanted to cover was Russell Butturini's Hak5 U3 Switchblade, which is an awesome resource, but my aim was to teach what each command does. Consequently, I began creating a cheat sheet myself using Jeremy Stretch's popular PacketLife.net cheat sheet template, which he recently made available here.

I have attached v1.0 and am hoping others can find some value in using it, or maybe make some suggestions or additions to it. I would love to do one for Linux and maybe a more detailed one on WMIC. Let me know what you think.

6 comments:

  1. Sherwyn aka "Infolookup" November 25, 2009 at 7:49 AM

    Tim,

    This is a great start. I still think it would be great to have this in a bat script or append it as an update to tcstool's toolkit; all the same, it's nice and to the point. Good stuff man.

    I was thinking about updating tcstool's kit with some other examples from a SANS paper I recently saw; maybe we can pull them all together and have a nice working tool.

    Thanks for your work on this cheat sheet.

  2. Sherwyn,

    The forensicsstart.bat file in the USB Switchblade has a lot of these commands and more. You can certainly run the .bat manually. tcstool also leverages some external utilities (i.e. Sysinternals stuff).

    I was recently told that he was working on another update to his tool. I'm not sure if he is looking for contributors but can find out.

    Either way I welcome the suggestions! Would like to expand the cheat sheet and think a script or bat file is a great idea.

    Ping me with what you have. Thanks for the comment!

  3. Absolutely! I do have a new version in the works, but it is in the early stages right now and I'm having some weird issues moving between Windows platforms. Bart Hopper has also been an invaluable resource for some of the new features, lots of credit goes out to him. Anyways, I will give Bugbear my contact information. Feel free to send suggestions my way.

    -Russell Butturini (aka tcstool)

  4. Thanks Russell,

    I have had a few other people ping me via twitter and email too. Looking forward to seeing the next version!

  5. Just went through your cheat sheet and ran each command; really good stuff, Tim. I think I will look into making it into a script to run and get info. Twice this week I needed something like this to work with the TCStool project.

  6. Thanks for this. I've come back to download this cheat sheet many times now; it's very helpful for myself, being primarily a Linux / Mac user.
