Intrusion Detection Techniques in Network Security

Step-by-Step Guide

Introduction

Detecting and responding to network intrusions involves using various Command Prompt (CMD) techniques. Below is a guide on how to use CMD commands to identify and respond to potential security incidents.

1. Retrieve Audit Policy Settings

Audit policy settings help trace user activities and security incidents.

Steps:

  1. Open Command Prompt as an administrator.
  2. Type the following command and press Enter: 
    auditpol /get /category:*
  3. Review the audit policy settings to ensure that user activities are being monitored properly.

2. Query Security Event Logs

Security event logs provide insights into recent security events.

Steps:

  1. In Command Prompt, type the following command and press Enter: 
    wevtutil qe security /f:text /c:10 /rd:true
  2. This command queries the last 10 events from the security log, allowing you to quickly identify recent suspicious activities.

3. Monitor Network Traffic

Network traffic monitoring can reveal abnormal patterns indicative of intrusions.

Steps:

  1. Start a network packet capture by typing: 
    netsh trace start capture=yes
  2. To stop the capture and save it to a file, type: 
    netsh trace stop
  3. Analyze the saved file for abnormal traffic patterns.

4. Disable Unnecessary Services

Disabling unnecessary services can reduce the potential attack surface.

Steps:

  1. Disable the Remote Registry service to reduce vulnerability: 
    sc config remoteRegistry start=disabled

5. List and Check Open Ports

Identifying open ports can help spot unauthorized access attempts.

Steps:

  1. List all open ports: 
    netstat -an
  2. Check for unexpected open ports that may indicate unauthorized applications or services.

6. Show Executables Associated with Connections

Identifying executables associated with active connections can help find malicious software.

Steps:

  1. List executables associated with active connections: 
    netstat -b
  2. Investigate any suspicious executables that might be communicating over the network.

7. Display Routing Table

Examining the routing table can reveal unauthorized changes in network routing.

Steps:

  1. Display the routing table: 
    route print
  2. Look for unauthorized routes that might indicate network tampering.

8. Check for Quarantined Items

Reviewing quarantined items can provide insights into detected threats.

Steps:

  1. List all quarantined items: 
    "%ProgramFiles%\Windows Defender\mpcmdrun.exe" -restore -listall
  2. Analyze the items to understand potential intrusion attempts.

9. List and Manage Shadow Tasks

Shadow tasks may be created by attackers to maintain persistence.

Steps:

  1. List all shadow tasks: 
    schtasks /query /fo LIST /v
  2. Delete suspicious shadow tasks: 
    schtasks /delete /tn "TaskName" /f

10. Monitor Running Processes

Checking running processes can help detect unauthorized or suspicious activities.

Steps:

  1. List all running processes: 
    tasklist
  2. Terminate suspicious processes: 
    taskkill /PID ProcessID

11. Scan and Repair System Files

Scanning system files can identify and repair unauthorized modifications.

Steps:

  1. Scan system files: 
    sfc /scannow

12. List and Check User Accounts

Listing user accounts helps detect unauthorized accounts created by attackers.

Steps:

  1. List all user accounts: 
    net user
  2. Display detailed information about a specific user account: 
    net user username