Blue Team Field Manual (BTFM) is a Cyber Security Incident Response Guide that aligns with the NIST Cybersecurity Framework, consisting of the five core functions of Identify, Protect, Detect, Respond, and Recover, by providing the tactical steps to follow and commands to use when preparing for, working through and recovering from a Cyber Security Incident.

Preparation (Documentation Review)

  • Organization Chart
  • Network Diagrams
  • Data Flow Diagrams
  • Critical Asset, Data and Services List
  • Rules of Engagement (ROE) Limitations and Boundaries
  • Incident Response Plan
  • Business Continuity Plans
  • Disaster Recovery Plan
  • Required Notification Guidance
  • Action to Date
  • Physical Access Requirements
  • On call/contracted resources
  • Communication Plan
  • Authority and Legal Condition
  • Threat Intelligence Summary
  • Meetings and Deliverable Reporting Requirements
  • Physical Security Plan
  • Risk Assessment Decision Matrix
  • Data and Info Disclosure Procedures
  • Consent to Monitor, Collect and Assess Data
  • MOA/MOU/NDA Documents and Requirements

Identify (Scope)


Ping sweep for network:
# nmap -sn -PE <IP ADDRESS OR RANGE>
Scan and show open ports:
# nmap --open <IP ADDRESS OR RANGE>
Determine open services:
# nmap -sV <IP ADDRESS>
Scan two common TCP ports, HTTP and HTTPS:
# nmap -p 80,443 <IP ADDRESS OR RANGE>
Scan UDP and TCP together, verbose on single host include optional skip ping:
# nmap -v -Pn -sU -sT -p U:53,111,137,T:21-25,80,139,8080 <IP ADDRESS>


Basic Nessus scan:
# nessus [-vnh] [-c .rcfile] [-V] [-T <format>]
Batch-mode scan:
# nessus -q [-pPS] <HOST> <PORT> <USER NAME> <PASSWORD> <targets-file> <result-file>
Report conversion:
# nessus -i in.[nsr|nbe] -o out.[xml|nsr|nbe|html|txt]


Step 1: Install the server, client and plugin packages:
# apt-get install openvas-server openvas-client openvas-plugins-base openvas-plugins-dfsg
Step 2: Update the vulnerability database:
# openvas-nvt-sync
Step 3: Add a user to run the client:
# openvas-adduser
Step 4: Login: sysadm
Step 5: Authentication (pass/cert) [pass]: [HIT ENTER]
Step 6: Login password:
You will then be asked to add "User rules"
Step 7: Allow this user to scan authorized network by typing:
accept <YOUR IP ADDRESS OR RANGE> default deny
Step 8: type ctrl-D to exit, and then accept.
Step 9: Start the server:
# service openvas-server start
Step 10: Set targets to scan:
Create a text file with a list of hosts/networks to scan.
# vi scanme.txt
Step 11: Add one host, network per line: <IP ADDRESS OR RANGE>
Step 12: Run scan:
# openvas-client -q 9390 sysadm nsrc+ws scanme.txt openvas-output.txt -T txt -V -x
Step 13: (Optional) run scan with HTML output format:
# openvas-client -q 9390 sysadm nsrc+ws scanme.txt openvas-output.html -T html -V -x


Network Discovery

Basic network discovery
C:\> net view /all
C:\> net view \\<HOST NAME>
Basic ping scan and write output to file:
C:\> for /L %I in (1,1,254) do ping -w 30 -n 1 192.168.1.%I | find "Reply" >> <OUTPUT FILE NAME>.txt


Enable DHCP server logging:
C:\> reg add HKLM\System\CurrentControlSet\Services\DhcpServer\Parameters /v ActivityLogFlag /t REG_DWORD /d 1
Default Location Windows 2003/2008/2012:
C:\> %windir%\System32\Dhcp


Default location Windows 2003:
C:\> %SystemRoot%\System32\Dns
Default location Windows 2008:
C:\> %SystemRoot%\System32\Winevt\Logs\DNSServer.evtx
Default location of enhanced DNS Windows 2012 R2:
C:\> %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-DNSServer%4Analytical.etl
Enable DNS Logging:
C:\> DNSCmd <DNS SERVER NAME> /config /logLevel 0x8100F331
Set log location:
C:\> DNSCmd <DNS SERVER NAME> /config /LogFilePath <PATH TO LOG FILE>
Set size of log file:
C:\> DNSCmd <DNS SERVER NAME> /config /logfilemaxsize 0xffffffff


File Checksum Integrity Verifier (FCIV):
Hash a file:
C:\> fciv.exe <FILE TO HASH>
Hash all files on C:\ into a database file:
C:\> fciv.exe C:\ -r -md5 -xml <FILE NAME>.xml
List all hashed files:
C:\> fciv.exe -list -sha1 -xml <FILE NAME>.xml
Verify previous hashes in the database against the file system:
C:\> fciv.exe -v -sha1 -xml <FILE NAME>.xml
Note: It may be possible to create a master hash database and compare it to all systems from the command line, giving a fast baseline and difference check.
PS C:\> Get-FileHash <FILE TO HASH> | Format-List
PS C:\> Get-FileHash -algorithm md5 <FILE TO HASH>
C:\> certutil -hashfile <FILE TO HASH> SHA1
C:\> certutil -hashfile <FILE TO HASH> MD5
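The master-database idea in the note above, worked through with Get-FileHash as an added example (this is not BTFM's own code): one function writes a SHA-256 baseline of a directory tree to CSV, the other re-hashes the tree later and reports files that were added, removed or modified. The paths in the usage comments are placeholders.

```powershell
# Added example: SHA-256 baseline of a directory tree and a later diff against it.
# Assumes PowerShell 4 or later (Get-FileHash). Adjust the placeholder paths.

function New-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,      # tree to baseline, e.g. C:\Windows\System32
        [Parameter(Mandatory)][string]$OutFile    # CSV database, e.g. C:\baseline\sys32.csv
    )
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        Select-Object Path, Hash |
        Export-Csv -Path $OutFile -NoTypeInformation
}

function Compare-HashBaseline {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$BaselineFile
    )
    # Load the stored hashes into a lookup table keyed by full path.
    $old = @{}
    Import-Csv -Path $BaselineFile | ForEach-Object { $old[$_.Path] = $_.Hash }

    $seen = @{}
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $seen[$_.Path] = $true
            if (-not $old.ContainsKey($_.Path)) {
                [pscustomobject]@{ Status = 'Added';    Path = $_.Path; Hash = $_.Hash }
            } elseif ($old[$_.Path] -ne $_.Hash) {
                [pscustomobject]@{ Status = 'Modified'; Path = $_.Path; Hash = $_.Hash }
            }
        }
    # Anything recorded in the baseline that no longer exists on disk.
    foreach ($p in $old.Keys) {
        if (-not $seen.ContainsKey($p)) {
            [pscustomobject]@{ Status = 'Removed'; Path = $p; Hash = $old[$p] }
        }
    }
}

# Usage: build the baseline once on a known-good host, then diff later.
# New-HashBaseline -Path 'C:\Windows\System32' -OutFile 'C:\baseline\sys32.csv'
# Compare-HashBaseline -Path 'C:\Windows\System32' -BaselineFile 'C:\baseline\sys32.csv' |
#     Export-Csv 'C:\baseline\sys32-diff.csv' -NoTypeInformation
```

The baseline CSV can be copied to other hosts of the same build and compared there, which is the "master db" workflow the note describes.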


Basic nbtstat scan:
C:\> nbtstat -A <IP ADDRESS>
Cached NetBIOS info on localhost:
C:\> nbtstat -C
Script loop scan:
C:\> for /L %I in (1,1,254) do nbtstat -A 192.168.1.%I


Get users logged on:
C:\> psloggedon \\computername
Script loop scan:
C:\> for /L %i in (1,1,254) do psloggedon \\192.168.1.%i >> C:\users_output.txt


Password guessing or checks:
C:\> for /f %i in (<PASSWORD FILE NAME>.txt) do @echo %i & net use \\<TARGET IP ADDRESS> %i /u:<USER NAME> 2>nul && pause
C:\> for /f %i in (<USER NAME FILE>.txt) do @(for /f %j in (<PASSWORD FILE NAME>.txt) do @echo %i:%j & @net use \\<TARGET IP ADDRESS> %j /u:%i 2>nul && echo %i:%j >> success.txt && net use \\<TARGET IP ADDRESS> /del)


Basic scan of a target IP address:
C:\> mbsacli.exe /target <TARGET IP ADDRESS> /n os+iis+sql+password
Basic scan of a target IP range:
C:\> mbsacli.exe /r <IP ADDRESS RANGE> /n os+iis+sql+password
Basic scan of a target domain:
C:\> mbsacli.exe /d <TARGET DOMAIN> /n os+iis+sql+password
Basic scan of target computer names listed in a txt file:
C:\> mbsacli.exe /listfile <LISTNAME OF COMPUTER NAMES>.txt /n os+iis+sql+password


List all OUs:
List of workstations in the domain:
C:\> netdom query SERVER
List of domain controllers:
C:\> netdom query DC
List of organizational units under which the specified user can create a machine object:
C:\> netdom query OU
List of primary domain controller:
C:\> netdom query PDC
List the domain trusts:
C:\> netdom query TRUST
Query the domain for the current list of FSMO owners:
C:\> netdom query FSMO
List all computers from Active Directory:
C:\> dsquery COMPUTER "OU=servers,DC=<DOMAIN NAME>,DC=<DOMAIN EXTENSION>" -o rdn -limit 0 > C:\machines.txt
List user accounts inactive longer than 3 weeks:
C:\> dsquery user domainroot -inactive 3
Find anything (or users only) created on a date in UTC using timestamp format YYYYMMDDHHMMSS.sZ:
C:\> dsquery * -filter "(whenCreated>=20101022083730.0Z)"
C:\> dsquery * -filter "(&(whenCreated>=20101022083730.0Z)(objectClass=user))"
Alt option:
C:\> ldifde -d ou=<OU NAME>,dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -l whencreated,whenchanged -p onelevel -r "(ObjectCategory=user)" -f <OUTPUT FILENAME>
The last login timestamp format in UTC: YYYYMMDDHHMMSS
Alt option:
C:\> dsquery * dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -filter "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20151001000000.0Z))"
C:\> adfind -csv -b dc=<DOMAIN NAME>,dc=<DOMAIN EXTENSION> -filter "(&(objectCategory=Person)(objectClass=User)(whenCreated>=20151001000000.0Z))"
Using PowerShell, dump new Active Directory accounts created in the last 90 days:
PS C:\> import-module activedirectory
PS C:\> Get-QADUser -CreatedAfter (Get-Date).AddDays(-90)
PS C:\> Get-ADUser -Filter * -Properties whenCreated | Where-Object {$_.whenCreated -ge ((Get-Date).AddDays(-90)).Date}



Net view scan:
# smbtree -b
# smbtree -D
# smbtree -S
View open SMB shares:
# smbclient -L <HOST NAME>
# smbstatus
Basic ping scan:
# for ip in $(seq 1 254); do ping -c 1 192.168.1.$ip > /dev/null; [ $? -eq 0 ] && echo "192.168.1.$ip UP" || : ; done


View DHCP lease logs:
Red Hat 3:
# cat /var/lib/dhcpd/dhcpd.leases
# grep -Ei 'dhcp' /var/log/syslog.1
Ubuntu DHCP logs:
# tail -f dhcpd.log


Start DNS logging:
# rndc querylog
View DNS logs:
# tail -f /var/log/messages | grep named


Hash all executable files in the specified locations:
# find /<PATHNAME TO ENUMERATE> -type f -exec md5sum {} \; >> md5sums.txt
# md5deep -rs / > md5sums.txt


Basic nbtstat scan:


Password and username guessing or checks:
# while read username; do while read password; do smbclient -L <TARGET IP ADDRESS> -U "$username%$password" -g -d 0; echo "$username:$password"; done < <PASSWORD FILE NAME>.txt; done < <USER NAME FILE>.txt




Get a list of services and disable or stop:
C:\> sc query
C:\> sc config "<SERVICE NAME>" start= disabled
C:\> sc stop "<SERVICE NAME>"
C:\> wmic service where name='<SERVICE NAME>' call ChangeStartmode Disabled


Show all rules:
C:\> netsh advfirewall firewall show rule name=all
Set firewall on/off:
C:\> netsh advfirewall set currentprofile state on
C:\> netsh advfirewall set currentprofile firewallpolicy blockinboundalways,allowoutbound
C:\> netsh advfirewall set publicprofile state on
C:\> netsh advfirewall set privateprofile state on
C:\> netsh advfirewall set domainprofile state on
C:\> netsh advfirewall set allprofile state on
C:\> netsh advfirewall set publicprofile state off
Set firewall rules examples:
C:\> netsh advfirewall firewall add rule name="Open Port 80" dir=in action=allow protocol=TCP localport=80
C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes
C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=,,LocalSubnet profile=domain
C:\> netsh advfirewall firewall add rule name="My Application" dir=in action=allow program="C:\MyApp\MyApp.exe" enable=yes remoteip=,,LocalSubnet profile=private
C:\> netsh advfirewall firewall delete rule name="<RULE NAME>" program="C:\MyApp\MyApp.exe"
C:\> netsh advfirewall firewall delete rule name="<RULE NAME>" protocol=udp localport=500
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=Yes profile=domain
C:\> netsh advfirewall firewall set rule group="remote desktop" new enable=No profile=public
Setup logging location:
C:\> netsh advfirewall set currentprofile logging C:\<LOCATION>\<FILE NAME>
Windows firewall log location and settings:
C:\> more %systemroot%\system32\LogFiles\Firewall\pfirewall.log
C:\> netsh advfirewall set allprofile logging maxfilesize 4096
C:\> netsh advfirewall set allprofile logging droppedconnections enable
C:\> netsh advfirewall set allprofile logging allowedconnections enable
Display firewall logs:
PS C:\> Get-Content $env:systemroot\system32\LogFiles\Firewall\pfirewall.log
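Once dropped connections are being logged, the file is more useful summarised than read raw. The following is an added example (not BTFM's own code) that parses the W3C-style pfirewall.log using its own #Fields header and groups inbound DROP events by source address and destination port; the embedded log lines are constructed sample data used when the real log is absent.

```powershell
# Added example: parse pfirewall.log and summarise inbound drops per source and port.
# The header line names the columns, so the parser follows it rather than fixed offsets.

function ConvertFrom-PfirewallLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        # Skip other comment lines, blanks, and anything before a header was seen.
        if ($line -match '^\s*$' -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

function Get-DroppedInboundSummary {
    param([Parameter(Mandatory)][object[]]$Events, [int]$Top = 10)
    $Events |
        Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object 'src-ip', 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count,
            @{ n = 'Source';  e = { $_.Values[0] } },
            @{ n = 'DstPort'; e = { $_.Values[1] } }
}

# Constructed sample: one host probing SMB and RDP on this machine, plus one allowed outbound flow.
$sample = @'
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2018-01-10 09:00:01 DROP TCP 10.1.1.50 10.1.1.10 51522 445 52 S 1234567 0 8192 - - - RECEIVE
2018-01-10 09:00:02 DROP TCP 10.1.1.50 10.1.1.10 51523 445 52 S 1234568 0 8192 - - - RECEIVE
2018-01-10 09:00:03 DROP TCP 10.1.1.50 10.1.1.10 51524 3389 52 S 1234569 0 8192 - - - RECEIVE
2018-01-10 09:00:04 ALLOW TCP 10.1.1.10 10.1.1.20 49200 443 0 - 0 0 0 - - - SEND
'@ -split "`r?`n"

$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
$lines = if (Test-Path $LogPath) { Get-Content $LogPath } else { $sample }
Get-DroppedInboundSummary -Events (ConvertFrom-PfirewallLog -Lines $lines) | Format-Table -AutoSize
```

On the sample data the table shows 10.1.1.50 with two drops on port 445 and one on 3389, the kind of pattern worth correlating with the nbtstat and psloggedon sweeps above.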


Change password:
C:\> net user <USER NAME> * /domain
C:\> net user <USER NAME> <NEW PASSWORD>
Change password remotely:


Flush DNS of malicious domain/IP:
C:\> ipconfig /flushdns
Flush NetBIOS cache of host/IP:
C:\> nbtstat -R
Add a new malicious domain to the hosts file, and route it to localhost:
C:\> echo 127.0.0.1 <MALICIOUS DOMAIN> >> C:\Windows\System32\drivers\etc\hosts
Check that the hosts file entry is working by sending a single ping to the domain:
C:\> ping <MALICIOUS DOMAIN> -n 1
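Appending one line at a time with echo is fine for a single domain; for a list of indicators it is easier to use a small script that skips names already present and then confirms each one resolves to localhost. This is an added example, not BTFM's own code; <BLOCKLIST FILE> is a placeholder for an analyst-maintained file with one domain per line.

```powershell
# Added example: bulk hosts-file sinkholing to 127.0.0.1 with duplicate check and verification.
# Run from an elevated prompt; the hosts file is not writable otherwise.

function Add-HostsSinkhole {
    param(
        [Parameter(Mandatory)][string[]]$Domain,
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
    )
    $existing = Get-Content -Path $HostsPath -ErrorAction Stop
    $added = @()
    foreach ($d in $Domain) {
        $name = $d.Trim().ToLower()
        if (-not $name -or $name.StartsWith('#')) { continue }
        # An uncommented entry for this exact name already exists (whatever address it maps to).
        $already = $existing | Where-Object { $_ -match "^\s*[0-9a-f.:]+\s+$([regex]::Escape($name))(\s|$)" }
        if ($already) { continue }
        $added += "127.0.0.1`t$name`t# sinkholed $(Get-Date -Format s)"
    }
    if ($added) { Add-Content -Path $HostsPath -Value $added -Encoding ASCII }
    ipconfig /flushdns | Out-Null     # same step as the manual flush above
    $added
}

function Test-HostsSinkhole {
    param([Parameter(Mandatory)][string[]]$Domain)
    foreach ($d in $Domain) {
        # GetHostAddresses honours the hosts file, so this checks the override took effect.
        try {
            $addrs = [System.Net.Dns]::GetHostAddresses($d) | ForEach-Object { $_.IPAddressToString }
        } catch {
            $addrs = @()
        }
        [pscustomobject]@{ Domain = $d; ResolvesToLocalhost = ($addrs -contains '127.0.0.1') }
    }
}

# $bad = Get-Content '<BLOCKLIST FILE>'
# Add-HostsSinkhole -Domain $bad
# Test-HostsSinkhole -Domain $bad
```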


Use a Proxy Auto Config (PAC) file to create a bad URL or IP list (IE, Firefox, Chrome):

function FindProxyForURL(url, host) {
    // Send bad DNS names to the proxy (replace the placeholder with the domain to block)
    if (dnsDomainIs(host, "<MALICIOUS DOMAIN>"))
        return "PROXY <BLACKHOLE PROXY HOST>:<PORT>";
    // Send bad destination IPs to the proxy; test the destination host, not myIpAddress(),
    // which returns the client's own address
    if (isInNet(host, "<MALICIOUS IP>", "<NETMASK>"))
        return "PROXY <BLACKHOLE PROXY HOST>:<PORT>";
    // All other traffic bypasses the proxy
    return "DIRECT";
}


AppLocker - Server 2008 R2 or Windows 7 or higher:
Using the GUI wizard, configure:

  • Executable Rules (.exe, .com)
  • DLL Rules (.dll, .ocx)
  • Script Rules (.ps1, .bat, .cmd, .vbs, .js)
  • Windows Installer Rules (.msi, .msp, .mst)

Steps to employ AppLocker (GUI is needed for digitally signed app restrictions):

  1. Create a new GPO.
  2. Right-click on it to edit, and then navigate through Computer Configuration, Policies, Windows Settings, Security Settings, Application Control Policies and AppLocker.
    Click Configure Rule Enforcement.
  3. Under Executable Rules, check the Configured box and then make sure Enforce Rules is selected from the drop-down box. Click OK.
  4. In the left pane, click Executable Rules.
  5. Right-click in the right pane and select Create New Rule.
  6. On the Before You Begin screen, click Next.
  7. On the Permissions screen, click Next.
  8. On the Conditions screen, select the Publisher condition and click Next.
  9. Click the Browse button and browse to any executable file on your system. It doesn't matter which.
  10. Drag the slider up to Any Publisher and then click Next.
  11. Click Next on the Exceptions screen.
  12. Name the policy, for example "Only run executables that are signed", and click Create.
  13. If this is your first time creating an AppLocker policy, Windows will prompt you to create default rules; click Yes.
  14. Ensure Application Identity Service is Running.
    C:\> net start AppIDSvc
    C:\> REG add "HKLM\SYSTEM\CurrentControlSet\services\AppIDSvc" /v Start /t REG_DWORD /d 2 /f
  15. Change requires reboot.
    C:\> shutdown.exe /r
    C:\> shutdown.exe /r /m \\<IP ADDRESS OR COMPUTERNAME> /f


Add the AppLocker cmdlets into PowerShell:
PS C:\> import-module AppLocker
Get the file information for all of the files and scripts in the directory:
PS C:\> Get-AppLockerFileInformation -Directory C:\Windows\System32 -Recurse -FileType Exe, Script
Create an AppLocker policy with allow rules for all of the executable files in C:\Windows\System32:
PS C:\> Get-ChildItem C:\Windows\System32\*.exe | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -RuleNamePrefix System32
Set the local AppLocker policy to the policy specified in C:\Policy.xml:
PS C:\> Set-AppLockerPolicy -XMLPolicy C:\Policy.xml
Use the AppLocker policy in C:\Policy.xml to test whether calc.exe and notepad.exe are allowed to run for users who are members of the Everyone group (if you do not specify a group, Everyone is used by default):
PS C:\> Test-AppLockerPolicy -XMLPolicy C:\Policy.xml -Path C:\Windows\System32\calc.exe, C:\Windows\System32\notepad.exe -User Everyone
Review how many times a file would have been blocked from running if rules were enforced:
PS C:\> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited -Statistics
Create a new AppLocker policy from the audited events in the local Microsoft-Windows-AppLocker/EXE and DLL event log and apply it to the domain GPO; the current AppLocker policy will be overwritten:
PS C:\> Get-AppLockerFileInformation -EventLog -LogPath "Microsoft-Windows-AppLocker/EXE and DLL" -EventType Audited | New-AppLockerPolicy -RuleType Publisher,Hash -User domain\<GROUP> -IgnoreMissingFileInformation | Set-AppLockerPolicy -LDAP "LDAP://<DC>.<DOMAIN>.com/CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=<DOMAIN>,DC=com"
Export the local AppLocker policy and write the files the user is explicitly denied from running to a text file:
PS C:\> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\*.exe -User domain\<USER NAME> -Filter Denied | Format-List -Property Path > C:\DeniedFiles.txt
Export the results of the test to a file for analysis:
PS C:\> Get-ChildItem <DIRECTORY PATH TO REVIEW> -Filter <FILE EXTENSION FILTER> -Recurse | Convert-Path | Test-AppLockerPolicy -XMLPolicy <PATH TO EXPORTED POLICY FILE> -User <domain\username> -Filter <TYPE OF RULE TO FILTER FOR> | Export-Csv <PATH TO EXPORT RESULTS TO>.csv
GridView list of any local rules applicable:
PS C:\> Get-AppLockerPolicy -Local -Xml | Out-GridView