Linux incident response cheat sheet... Download link of uac tool: https://github.com/tclahr/uac https://github.com/tclahr/uac/releases Please download the latest release of the tool from the above link. You will get the tool under Assets section for example named as: uac-3.3.0.tar.gz Setting up uac tool: Taking the tool to the victim/compromised machine: scp uac-3.3.0.tar.gz lab@192.168.10.135:/tmp scp uac-3.3.0.tar.gz lab@192.168.10.135: (if you do not give /tmp then the tool will be placed under that lab user home directory. Now provide the password of the target system) ssh lab@192.168.10.135 (Access the target system with creds) cd /tmp tar zxf uac-3.3.0.tar.gz cd uac-3.3.0/ sudo ./uac -p ir_triage /root (Run the tool using root user or with sudo privilege. -p for profile. Captured artifacts will be saved on /root directory) Avi
Turning off windows update that leads windows 11 system auto restart. Open run dialog box in your windows system and type gpedit.msc If nothing comes then you need to enable it. Follow Avi's google blog https://mahimfiroj.blogspot.com/2024/07/how-to-enable-gpeditmsc-on-windows-11.html or follow this link: https://www.thewindowsclub.com/local-security-policy-missing-in-windows#google_vignette Then go to: Computer Configurations > Administrative Templates > Windows Components > Windows Update > Legacy Policies Now open the following policy or setting and Enabled it. No auto-restart with logged on users for scheduled automatic updates installations . Now open command prompt with admin privilege and type: gpupdate /force Avi