Endpoint Analysis using Windows tool - wmic
Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows-based operating systems. It automates administrative tasks on remote computers. The ability to obtain management data from remote computers is what makes WMI useful, and you can do this from the command line with the WMI command-line utility (wmic).
From an incident response perspective, the responder needs the ability and skill to triage back to patient zero; using only the features built into Windows, with no additional tools, can make that investigation easier and faster.
From an attacker’s perspective, the same tool lets them triage inside the organization, which gives them an advantage: (1) their activity mimics administrative tasks, so it is less likely to be detected; (2) no additional tools need to be dropped, again reducing detection. This is part of the “living off the land” technique, which buys them time to triage inside the compromised organization without making too much noise.
WMI can also be used to parse the command-line arguments of a process.
It answers the question, “How is the process executed?”
To use it, run the following command: wmic process get commandline
To limit it to a specific process, add a conditional to the query and run: wmic process where (NAME Like '%<process_name>%') get commandline /format:list
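The two commands above, wrapped in a small PowerShell helper so the /format:list output becomes objects a responder can filter, sort and export. This is an added example, not code from the original article: the function names Get-WmicProcessCommandLine and ConvertFrom-WmicList, the -NameFilter and -ComputerName parameters, and the sample wmic output at the bottom are all assumed or constructed for illustration. It assumes a Windows host where wmic.exe is present and the caller has rights to query processes (locally, or on a remote host via wmic's /node: switch).

```powershell
# Added example (not from the original article). Parses the Property=Value
# blocks that "wmic ... /format:list" emits, one block per process, blocks
# separated by blank lines. Function names and parameters are assumptions.

function ConvertFrom-WmicList {
    param([string[]]$Lines)

    $records = @()
    $current = @{}
    foreach ($raw in $Lines) {
        # wmic writes UTF-16 with CR CR LF endings, so trim every line
        $line = "$raw".Trim()
        if ($line -eq "") {
            # blank line closes the current process block
            if ($current.Count -gt 0) { $records += [pscustomobject]$current; $current = @{} }
            continue
        }
        # split on the FIRST "=" only: CommandLine values may themselves contain "="
        $idx = $line.IndexOf("=")
        if ($idx -lt 1) { continue }
        $current[$line.Substring(0, $idx)] = $line.Substring($idx + 1)
    }
    if ($current.Count -gt 0) { $records += [pscustomobject]$current }
    return $records
}

function Get-WmicProcessCommandLine {
    param(
        # substring of the image name to match, e.g. "powershell" (assumed parameter)
        [string]$NameFilter = "",
        # optional remote host, passed to wmic's /node: switch (assumed parameter)
        [string]$ComputerName = ""
    )

    # Build the argument list. From PowerShell the WHERE clause must travel as
    # ONE argument, so it is passed as a single string; wmic still wants single
    # quotes around the LIKE pattern, exactly as in the article's command.
    $wmicArgs = @()
    if ($ComputerName) { $wmicArgs += "/node:$ComputerName" }
    $wmicArgs += "process"
    if ($NameFilter) { $wmicArgs += "where"; $wmicArgs += "Name like '%$NameFilter%'" }
    $wmicArgs += "get"
    # ParentProcessId is requested alongside CommandLine: "how was it executed"
    # is usually answered together with "what launched it"
    $wmicArgs += "ProcessId,ParentProcessId,Name,CommandLine"
    $wmicArgs += "/format:list"

    $output = & wmic.exe @wmicArgs
    ConvertFrom-WmicList -Lines $output
}

# Live usage: every process whose name contains "powershell", with parent PID
Get-WmicProcessCommandLine -NameFilter "powershell" |
    Select-Object ProcessId, ParentProcessId, Name, CommandLine |
    Format-Table -AutoSize -Wrap

# Offline check of the parser on CONSTRUCTED sample output (two fake processes;
# the command lines and PIDs are made up and are not from any real host)
$sample = @(
    "",
    "CommandLine=C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt",
    "Name=notepad.exe",
    "ParentProcessId=4100",
    "ProcessId=5120",
    "",
    "CommandLine=powershell.exe -NoProfile -Command `"Get-Date`"",
    "Name=powershell.exe",
    "ParentProcessId=5120",
    "ProcessId=6032",
    ""
)
$parsed = ConvertFrom-WmicList -Lines $sample
# $parsed.Count is 2; the second record's ParentProcessId (5120) is the first's ProcessId,
# which is the kind of parent/child link a responder walks back toward patient zero
$parsed | Format-Table ProcessId, ParentProcessId, Name, CommandLine -AutoSize -Wrap
```

Two practical notes. First, wmic.exe is deprecated by Microsoft and may be missing on newer Windows builds; the same query is available through the CIM cmdlets (Get-CimInstance Win32_Process), so keep that fallback in mind before relying on this during an incident. Second, running wmic with /node: against a remote host generates a process-creation event on that host whose own command line contains your WHERE clause, so the responder's queries appear in the same telemetry an attacker's "living off the land" use of wmic would, which is useful to remember when baselining what legitimate administrative wmic activity looks like.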