There is no tried-and-tested method for doing manual human scans because the nature of the clues are unpredictable. That variability gives investigators a chance to find something amiss.
That said, I've built up my little manual inspection checks over the last decade into a very simple batch files or scripts. Using the batch files or scripts, I collect a lot of very normal information very quickly, on each reviewed machine, and then view it offline later looking for interesting exploratory breadcrumbs. You can click here to download a copy of my Windows batch file, or create your own.
Here's what my Windows batch file and manual processes looks like:
Using a batch file
- Hostname.exe (just to document the name of the computer)
- Winver.exe (Windows product and version)
- Svrcheck.exe (requires tool addition)
- Systeminfo.exe
- Check IPconfig /all
- Run gpresult.exe (group policy settings, group memberships, etc.)
- Review services (services.msc or sc \query)
- Check local group memberships (GUI or net groups or net localgroups)
- Check local directory structure (Windows Explorer or dir) dir \ and dir \ /ah /s
- Dir \
- Dir \ /ah /s
- Dir \Program Files
- View current shares (net share)
- Run netstat -ano looking for unusual connections or open ports
- Check patch status and simple security checks (mbsa, mbsacli.exe, 3rd party software, etc.)
- Check browser configuration looking at security zones, proxy stuff, add-ons, etc.
- Check event log files looking for severe errors, weird stuff, or a lot of noise
- View HOSTS file (Windows explorer or type \%windir%\System32\drivers\etc\hosts
- Use autoruns or autorunsc.exe to verify auto-start programs (requires tool addition)
- View scheduled tasks (looking for malicious tasks)
- Audituser.exe, auditpol.exe (looking for per-user auditing policies)
- Run net statistics server (looking for excessive password violations)
- Run netstat -e (looking for excessive network errors)
- Certmgr.exe, mmc, or certutil.exe (looking for broken certs or malicious certs)
Manual Processes
- Run gpedit.msc
- Run rsop.msc
- Run Security Configuration and Analysis mmc snap-in against security template (if compliance against regulation is requested)
- Run Best Practice Analyzer tool(s), if relevant (requires tool addition)
- Check anti-virus settings and definition dates
- Check for unauthorized installation of software (inquire about approved software list)
- Check status of third-party patches
- Eventvwr.exe -- looking for issues and security problems
But your processes and checks can contain anything you them to. Happy bread-crumbing!
This story, "For better security, ditch the automatic tools," was originally published at InfoWorld.com. Follow the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.