wmic sharelist

Endpoint Analysis using Windows tool - wmic

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. It automates administrative tasks on remote computers. The ability to obtain management data from remote computers is what makes WMI useful, and you can do this from the WMI command line (wmic).

From an incident response perspective, the responder needs the ability and skill to triage back to patient zero, and relying on the features built into Windows rather than dropping additional tools can make the investigation easier and faster.

From an attacker’s perspective, the same tool lets them triage inside the organization, and it gives them an advantage: (1) their activity mimics administrative tasks, so it is less likely to be detected; (2) no additional tools need to be dropped, which also reduces detection. This is part of the “living off the land” technique, which buys them time to triage inside the compromised organization without making too much noise.

We can use WMI to query shared folders and their paths by running the following syntax: wmic share list brief

wmic service

We can use WMI to query services by running the following syntax: wmic service get name, state, startmode, pathname

wmic process

wmic network

WMIC can give us the network details of our local or remote endpoint.

To use it, run the following syntax: wmic nicconfig get ipaddress, macaddress /format:list
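As an added example (not from the original page), the following Python parses the key=value records that wmic prints with /format:list and returns only the adapters that actually have an address bound; the nicconfig output it works on is constructed, and the {"a","b"} brace rendering is how wmic prints multi-valued properties.

```python
"""Parse the key=value records wmic prints with /format:list.
Sample is a constructed `wmic nicconfig get ipaddress, macaddress /format:list`
output; wmic renders multi-valued properties as {"a","b"}. Redirected wmic
output is UTF-16, so read files with encoding="utf-16" before parsing."""
from typing import Dict, List, Union

SAMPLE_LIST_OUTPUT = """
IPAddress={"192.168.1.10","fe80::a1b2:c3d4:e5f6:1234"}
MACAddress=00:15:5D:01:02:03

IPAddress=
MACAddress=

IPAddress={"10.0.0.7"}
MACAddress=52:54:00:AB:CD:EF
"""

Value = Union[str, List[str]]

def parse_value(raw: str) -> Value:
    """Turn {"a","b"} into a list of strings; scalars come back stripped."""
    raw = raw.strip()
    if raw.startswith("{") and raw.endswith("}"):
        return [x.strip().strip('"') for x in raw[1:-1].split(",") if x.strip()]
    return raw

def parse_wmic_list(text: str) -> List[Dict[str, Value]]:
    """One dict per record; records are separated by one or more blank lines."""
    records, current = [], {}
    for line in text.splitlines():
        if "=" in line:
            key, _, raw = line.partition("=")
            current[key.strip()] = parse_value(raw)
        elif current:  # blank line closes the record being built
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records

def adapters_with_ip(text: str) -> Dict[str, List[str]]:
    """MAC address -> configured IPs, skipping unbound or disabled adapters."""
    result = {}
    for rec in parse_wmic_list(text):
        ips = rec.get("IPAddress", "")
        if isinstance(ips, str):  # an empty scalar means no address is bound
            ips = [ips] if ips else []
        if ips:
            result[str(rec["MACAddress"])] = ips
    return result
```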

wmic commandline

WMI can also be used to retrieve the command-line arguments of a process.

It answers the question, “How was the process executed?”

To use it, simply run the following syntax: wmic process get commandline

If you want to use it for a specific process, apply a condition to the query and run the following syntax: wmic process where (NAME Like '%<process_name>%') get commandline /format:list
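As an added example (not part of the original page), this Python reproduces the where (NAME Like '%...%') filter offline over saved output of wmic process get commandline,name,parentprocessid,processid /format:csv and adds each hit's parent chain; the sample output is constructed, and the parser works around wmic's CSV writer not quoting values, which would otherwise break a standard CSV reader on a command line that contains commas.

```python
"""Offline equivalent of `wmic process where (NAME like '%x%') get commandline`
over saved `wmic process get commandline,name,parentprocessid,processid /format:csv`
output, plus each hit's parent chain. wmic's CSV writer does not quote or escape
values, so a command line containing commas breaks csv.DictReader; CommandLine is
the only free-text column, so it is recovered positionally. The sample is constructed;
wmic emits requested properties alphabetically after Node and writes UTF-16 to files."""
from typing import Dict, List
SAMPLE_CSV = r"""
Node,CommandLine,Name,ParentProcessId,ProcessId
HOST01,,System,0,4
HOST01,\SystemRoot\System32\smss.exe,smss.exe,4,368
HOST01,C:\Windows\Explorer.EXE,explorer.exe,612,1040
HOST01,"C:\Program Files\Contoso\app.exe" --log=a,b --quiet,app.exe,1040,2200
HOST01,"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\Users\Public\update.ps1,powershell.exe,2200,3304
"""

def parse_wmic_csv(text: str) -> List[Dict[str, str]]:
    """Split each row, taking fixed columns from both ends and the rest as CommandLine."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    cols = lines[0].split(",")
    ci = cols.index("CommandLine")
    before, after = cols[:ci], cols[ci + 1:]
    records = []
    for ln in lines[1:]:
        parts = ln.split(",")
        rec = dict(zip(before, parts[:ci]))
        rec.update(zip(after, parts[len(parts) - len(after):]))
        rec["CommandLine"] = ",".join(parts[ci:len(parts) - len(after)])
        records.append(rec)
    return records

def ancestry(procs: Dict[str, Dict[str, str]], pid: str) -> List[str]:
    """Process names from pid up to the root, following ParentProcessId."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)  # guard against PID reuse producing a cycle
        chain.append(procs[pid]["Name"])
        pid = procs[pid]["ParentProcessId"]
    return chain

def command_lines_like(text: str, name_fragment: str) -> List[Dict[str, str]]:
    """Case-insensitive substring match on Name, like WQL's LIKE '%fragment%'."""
    procs = {r["ProcessId"]: r for r in parse_wmic_csv(text)}
    frag = name_fragment.lower()
    return [
        {"pid": pid, "cmd": r["CommandLine"], "chain": " <- ".join(ancestry(procs, pid))}
        for pid, r in procs.items()
        if frag in r["Name"].lower()
    ]
```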

wmic

The WMIC tool can be used to gather information about computer systems.

The /format option controls how the data is displayed; for example, list or csv.

To use it, run the following syntax: wmic computersystem list brief

tasklist

Endpoint Analysis using Windows tool - tasklist

tasklist is a Windows command-prompt utility that displays all running processes on the local computer or on a remote computer.

In an incident, attackers persist inside the compromised system by injecting malicious code into a process to avoid detection. Your organization’s security product then detects that one of your endpoints is suspiciously connecting to an unknown server, or that a non-whitelisted process was spawned on one of your endpoints.

These are a few cases where processes are a good artifact for detecting host-based IOCs, and the Windows tasklist command can help responders triage such incidents quickly.

route print

Endpoint Analysis using Windows tool - route

route is a Windows command-prompt utility that displays the routing table.

From the standpoint of incident response, network connections on an endpoint are an important artifact for detecting potential beacons, and having the right tool to quickly extract this artifact is critical for any responder.

You can easily view the routing table of your machine from the command prompt.

To view it, run the following syntax: route print

net session

Endpoint Analysis using Windows tool - net session

net session is a Windows command-prompt utility used to manage server computer connections. It displays information about all sessions with the local computer.

From an incident response perspective, the ability to jump from one endpoint to another is part of the attack chain. This is called “living off the land” because when an adversary traverses the organization, the goal is to acquire domain-level compromise, and this technique leaves breadcrumbs for us as responders. It is important to see a record of when the suspected patient successfully contacted another endpoint.

When net session is executed from an endpoint in the domain, the connection history is displayed:

Computer        User name        Client type     Opens   Idle time
-------------------------------------------------------------------
\\BWESTON       CHRISDR          Windows 7       1       00:00:13
\\JAMESMC-01    Administrator    Windows Vista   0       01:05:13

netstat

Endpoint Analysis using Windows tool - netstat

netstat is a Windows command-prompt utility that displays active inbound and outbound TCP connections, as well as the ports on which the computer is listening.

From the standpoint of incident response, network connections on an endpoint are an important artifact for detecting potential beacons, and having the right tool to quickly extract this artifact is critical for any responder.