Windows machines get hacked, and in some environments it happens a lot. Fortunately, Microsoft has built numerous tools into Windows so administrators and power users can analyse a machine to determine whether it's been compromised. In this tip, which is the first of a two-part series, I'll cover five useful command-line tools built into Windows for such analysis.
1) WMIC: A world of adventure awaits
Windows Management Instrumentation Command-line (WMIC) is not merely a command; it's a world unto itself. Offering a command-line interface to the ultra-powerful Windows Management Instrumentation API within Windows, WMIC lets administrative users access all kinds of detailed information about a Windows machine, including detailed attributes of thousands of settings and objects. WMIC is built into Windows XP Professional, Windows 2003 and Windows Vista.
To use WMIC, users must invoke it by running the WMIC command followed by the area of the machine the user is interested in (often referred to as an alias within the system). For example, to learn more about the processes running on a machine, a user could run:
C:\> wmic process
Output of that command will likely look pretty ugly because an output format wasn't specified. With WMIC, output can be formatted in several different ways, but two of the most useful for analysing a system for compromise are the "list full" option, which shows a huge amount of detail for each area of the machine a user is interested in, and the "list brief" output, which provides one line of output per report item in the list of entities, such as running processes, autostart programs and available shares.
For example, we can look at a summary of every running process on a machine by running:
C:\> wmic process list brief
That command will show the name, process ID and priority of each running process, as well as other less-interesting attributes. To get even more detail, run:
C:\> wmic process list full
This command shows all kinds of details, including the full path of the executable associated with the process and its command-line invocation. When investigating a machine for infection, an administrator should look at each process to determine whether it has a legitimate use on the machine, researching unexpected or unknown processes using a search engine.
Beyond the process alias, users could substitute startup to get a list of all auto-start programs on a machine, including programs that start when the system boots up or a user logs on, which could be defined by an auto-start registry key or folder:
C:\> wmic startup list full
A lot of malware automatically runs on a machine by adding an auto-start entry alongside the legitimate ones, which may belong to antivirus tools and various system tray programs. Users can look at other settings on a machine with WMIC by replacing "startup" with "QFE" (an abbreviation which stands for Quick Fix Engineering) to see the patch level of a system, with "share" to see a list of Windows file shares made available on the machine and with "useraccount" to see detailed user account settings.
A handy option within WMIC is the ability to run an information-gathering command on a repeated basis by using the syntax "/every:[N]" after the rest of the WMIC command. The [N] here is an integer, indicating that WMIC should run the given command every [N] seconds. That way, users can look for changes in the settings of the system over time, allowing careful scrutiny of the output. Using this function to pull a process summary every 5 seconds, users could run:
C:\> wmic process list brief /every:5
Hitting CTRL+C will stop the cycle.
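Watching for changes by eye gets tedious, so here is an added example (not part of the original tip) that parses two saved copies of "wmic startup list full" output and reports auto-start entries missing from the earlier one. The snapshot text, account names and paths are constructed sample data, and the function names are hypothetical.

```python
# Added example: compare two saved "wmic startup list full" snapshots.
# The snapshot text below is constructed sample data, not real output.

def parse_list_full(text):
    """Parse 'list full' output: Property=Value lines, blank line between items."""
    records, current = [], {}
    for raw in text.replace("\r", "").split("\n"):  # tolerate stray CRs in saved output
        line = raw.strip()
        if not line:                 # a blank line closes the current item
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition("=")  # split on the first "=" only
        if sep:                      # skip anything that is not Property=Value
            current[key] = value
    if current:
        records.append(current)
    return records

def new_entries(baseline, later, keys=("Name", "Command", "Location", "User")):
    """Return items in `later` whose identifying fields do not appear in `baseline`."""
    def ident(rec):
        return tuple(rec.get(k, "").lower() for k in keys)
    known = {ident(r) for r in baseline}
    return [r for r in later if ident(r) not in known]

BASELINE = r"""
Caption=ExampleAV
Command="C:\Program Files\ExampleAV\tray.exe" /min
Location=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=ExampleAV
User=All Users
"""

LATER = BASELINE + r"""
Caption=updater
Command=C:\Users\alice\AppData\Local\Temp\updater.exe /mode=quiet
Location=HKU\S-1-5-21-0-0-0-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Name=updater
User=EXAMPLE-PC\alice
"""

if __name__ == "__main__":
    for rec in new_entries(parse_list_full(BASELINE), parse_list_full(LATER)):
        print("NEW auto-start:", rec["Name"], "|", rec["Command"], "|", rec["Location"])
```

The same parser works on saved "list full" output for other aliases such as process or useraccount, provided the keys passed to new_entries are changed to properties that identify those items.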
2) The net command: An oldie but a goodie
While WMIC is a relatively new command, let's not lose sight of some useful older commands. One of my favourites is the venerable "net" command. Administrators can use this to display all kinds of useful information.
For example, the "net user" command shows all user accounts defined locally on the machine. The "net localgroup" command shows groups, "net localgroup administrators" shows membership of the administrators group and the "net start" command shows running services.
Attackers frequently add users to a system or put their own accounts in the administrators group, so it's always a good idea to check the output of these commands to see if an attacker has manipulated the accounts on a machine. Also, some attackers create their own evil services on a machine, so users should be on the lookout for them.