Live Examination - Lab included Flashcards
Examine a process
tasklist
tasklist /v
tasklist /m /fi "PID eq <pid>"
netstat -na
lists listening ports and active connections
The PID from netstat is useful when cross-referenced with the output of Task Manager, the tasklist command, or wmic process.
true.
netstat with the -naob argument will show the EXE and DLLs associated with each listening port
true
the netstat -b flag requires administrator privileges
true
what is the most common way to look at running processes?
taskmgr.exe
By default Task Manager does not show the process ID numbers
true.
wmic output is useful for seeing the command line used and the parent process ID
true
how to check which services are defined and started on the box?
services.msc
how to obtain windows services info?
services.msc or sc command
the sc command provides more detail about Windows services
true.
tasklist /svc
shows the services mapped to the processes they run from.
How to start live Examination?
Start with what you know. If the investigation was triggered by an IDS alert, start by examining network traffic,
or start with one aspect of the environment, such as running processes.
Examining processes?
Task Manager
Examine processes at the command line?
tasklist
Run tasklist verbosely for more detailed output?
tasklist /v
get command line options and loaded DLLs for a process ID
tasklist /m /fi "PID eq <pid>"
Start | Run taskmgr.exe
starts the GUI
Besides Task Manager, what other, more in-depth tool can you use to examine processes?
wmic
Get brief information about running processes
wmic process list brief
Get detailed information about running processes
wmic process list full
get specific fields
wmic process get name,processid,parentprocessid
Pay attention to running processes with base64-encoded command line options
true
What is PowerShell's command-line option to specify the content of a script to run at the command line?
-EncodedCommand