Command line for Windows malware and forensics
Abstract: WMIC has completed more than a decade of existence without having the limelight in terms of its features, though windows command line geeks have always had a soft spot for this embedded interface to WMI or Windows Management Instrumentation exposed in cmd.exe. Here we plan to take a look at the various commands provided and their switches. In normal cmd.exe commands we use find or findstr as a counterpart to grep to find the relevant string item often using wildcards as well. WMIC uses a SQL like language forming WQL – WMIC Query Language as an alternative declarative syntax to get and format data from the default listings. We will look into some of the differences from regular cmd.exe commands usage and of course wmic in relevant detail.
Learn Digital Forensics
WMIC - à la carte.
WMIC comes loaded from Windows XP and upwards.
To set the mode to wmic in cmd type wmic.
The prompt changes to wmic:rootcli> instead of the regular C:> prompt (default drivedefault path).
Type exit/quit at the wmi prompt to exit from the wmic mode within cmd.exe without exiting cmd.exe.
The advantage of not getting into the wmic console would mean that simple commands like type, fc, sort and find can be used along with the WMIC commands.
Lets enumerate the commands contained in the wmic extension in cmd.exe, just type /?
You get a long list, the screen pauses for user continuity as there is no need for more in this case.
You see a very well listed command and description listings.
A quick count of the wmic /? Help listings of commands (here it's the default terminal mode as wmic has no facility for counting its own lines)–
C: wmic /? | find /c /v ""
The display results in 118. Ignoring the additional lines here and there as, there are about 110 + commands in WMIC that generate information from the system after working with the WMI API interface. WMI works to build better security through authorization features built in and would certainly come in handy for remote administration as its one of the primary uses that it was engineered for.
Most of wmic commands have a common tenor in terms of the syntax :
WMIC [alias or the command keywords displayed on /?] where (filter= "filter string" AND|OR| filter = "filter string") get|call|list|every
Get/Call/List/Every are the most common verbs supported by wmic and typing a further /? reveals a lot more options that can be plugged into the verbs for additional functions.
Get is used to extract values from the filter headers of the wmic self formatted output. E.g. get processed
Call is used to invoke subfunctions specific to the command.
The default tabular view can be formatted for vertical (up/down) scrolling by the use of the list verb. The list verb takes brief and full as two arguments that you will find useful to format the data as per the requirements.
Every is used to denote a timer interval switch "every:" <insert number> seconds.
Lets look at the /output switch (or alias according to the wmic jargon),
/OUTPUT:STDOUT|CLIPBOARD|<filename>
/OUTPUT:CLIPBOARD – redirects the output of the stream to the clipboard, good for quick copy and paste instead of selecting the stdout display from cmd.exe.
/OUTPUT:"C:TESTdummy.txt" – This saves the output to the filename written. It creates a new one if there is none with the same name. No appending is done.
/OUTPUT:STDOUT – resets the output stream to the stdout in cmd.exe, good for restoring display after the above commands.
Nonetheless, the file is overwritten on each command run. To alleviate this concern the /APPEND switch can be used instead.
/APPEND: C:TESTdummy.txt – this would append the future command outputs to the end of the file. Note quotations are needed if spaces are present in the filename.
/APPEND: STDOUT and CLIPBOARD don't work as expected as in the clipboard or the stdout the display does not really append.
/RECORD:C:TESTwmi.xml –saves the current command into the xml file in the path provided. This appends the subsequent outputs to the end of the file xml-tagged. This would ostensibly be the best choice for command recollection if you find xml parsing comfortable. To stop recording to the current file you need to redirect or choose a new file name.
The immediate command to be executed can also be written just after the /OUTPUT /APPEND /RECORD switches with their parameters to skip writing two commands after another.
C:wmic /OUTPUT:C:TESTwmi.xml process get name
/INTERACTIVE:ON sets warnings for delete operations, which are recommended while learning wmic or just as a precaution.
Type CONTEXT to see the compact list of settings in the current context such as the interactive mode, node, locale, record filename path, output mode, append mode, authority, role, namespace, and impersonation level.
C:wmic context
Note that WMIC takes its time to display the output as processing ostensibly is more involved than cmd.exe direct commands and executables. This additional overhead is sometimes quite annoying, nonetheless better digging into available data than forego the benefit, Also, the familiar CTRL +C does not seem to work, as the process cancellation does not happen at any moment till some time has passed. This second reason merits the real purpose of working in the regular cmd.exe environment as CTRL+C stops wmic in its tracks.
Enumerating Hardware Info :
Baseboard - Gives motherboard information
A quick thing to remember as we work on the WQL syntax is that the column headers are the very fields that are queried in the WQL queries. To get the baseboard name only:
C:wmic baseboard get manufacturer
The get verb takes header fields to begin the data extraction. This is unlike traditional filtering wherein the use of regular expression is used, this is a 4th generation declarative language syntax to extract the data, Much like LINQ(Language Integrated Query) in C#, where the data mining logic is supported in the language itself.
Bios – Gives the details of the bios vendor
C:wmic bios
Bootconfig – displays the bootpartition and related data
C:wmic bootconfig
Cdrom – displays the details of any optical disc hardware or virtual optical drives (daemon tools, gamedrive) as well.
C:wmic cdrom
CPU – lists the properties of the microprocessor(s) installed.
C:wmic cpu list full
Gives a view of the column headers line by line
Csproduct list full – Gives the serial number and vendor name of the laptop/desktop system as well as the UUID and version number. Very useful for viewing this information without opening your laptop.
C:wmic csproduct
Desktop - Gives a very detailed view of the all available desktop settings. A trivial, though useful thing among the list is the path of the wallpaper in case you need to take a backup of the picture or need to replace it with another one. The one displaying the path is the current desktop.
C:wmic desktop
Environment –Gives a comprehensive tabular listings of the environment variables. Adding list full rearranges the tabular list to a more per variable specific view. Both are useful.
C:wmic environment
Loadorder – gives a list of system services that define execution dependencies.
C:wmic loadorder
Memorychip – gives a comprehensive detail about the RAM slots and their chip types – Size, Part Number, Manufacturer (this value seems interesting), serial number and speed among others. No need to boot to the BIOS to check for such data.
C:wmic memorychip
Logical – gives the selective data of the disks serial numbers and their dive names.
C:wmic logical get volumeserialnumber, caption
Notice that WMIC does not relate the output in accordance with the order of the get parameters. If you wanted the caption to display after the serial number it does not happen by default. Some workaround would be needed I suppose.
NIC – lists a very detailed table of every virtual or hardware device that relates to connectivity of some kind. Bluetooth, Infrared, Wireless b/g/n adapters, virtual machines network drivers and installed 3rd party modem adapters.
NICCONFIG – gives a tabular view of the list of adapters with runtime data and protocol parameters as part of the view. The mac address is commonly queried and can be found out as:
C:wmic nicconfig get macaddress,caption
Logon – gives a much consolidated listing of every logon session recorded as long as the machine is running. This could give a timeline of the number of logins and their timestamps.
C:wmic logon
OS - gives a good listing of various OS related information including startup and running duration, partition, DEP status, debug status, version, service pack, country code, current time zone code, encryption level, install date, maximum supported memory, among others.
C:wmic os get encryptionlevel, debug,install date
Startup – gives a good list of the various registry locations having "run" as one of the key strings, as well as the executable path and related data of the startup list.
C:wmic startup
Useraccount – gives a list of related parameters to the user accounts in the system like account type, SID, enabled/disabled status, lockout status and description.
C:wmic useraccount
Sysdriver – gives a detailed list of the loaded drivers and their paths, short names, description among other fields.
C:wmic sysdriver
QFE (Quick Fix Engineering)– a sort of patch management command. It gives a good list of the available updates installed as well as their KB numbers, type (security update/hotfix/update), installation date and installation url.
C:wmic qfe
Product – gives a list of all the installed software much like the control panel Add/Remove programs list but with a lot more detail.
C:wmic product
Pagefile – immediate pagefile location and information like size.
C:wmic pagefile
RecoverOS – memory dump information like path for all types of crash dumps (full/kernel/mini)
C:wmic recoveros
Group – gives a list of the groups as well as their descriptions.
C:wmic group
Share- enumerates the local shares including hidden shares having suffix $.
C:wmic share
Services – Comprehensive listing of the services and their descriptions among other info.
C:wmic services
Process – very detailed listing of process parameters. Use list full verb to give a per process scrolling view for ease of parsing.
C:wmic process list full
Nteventlog – gives a per event view as recorded in the event log.
C:wmic nteventlog list full
Combo power
The use of wmic and regular cmd.exe commands enable greater leverage of features provided in cmd.exe especially when using the WQL keywords like where in association with find or findstr. Further, the use of logical statements +WQL wildcards+cmd.exe commands means full leverage of the terminal environment.
Lets get back to the cmd.exe terminal mode – type quit at the wmic prompt if still there.
Using logical conditions and specifying the field to focus on requires the use of the following:
Where clause to specify the column header as seen in the default outputs in wmic commands. These header fields are passed as parameters to filter out the data line within the lists.
The = verb is used to assign the filter string to the field string after the where clause as in:
C:wmic process where processid="536"
The use of quotations is mandatory or the command will fail.
Conditions like AND/OR is used in parenthesis encapsulating the fields and their filter strings as in:
C:wmic process where (processid="536" and name="malware.exe")
Further filtering for searching for a particular numeric sequence or a substring can use the find/findstr commands.
C:wmic process where (processid="536" and name="malware.exe") | find "32"
The use of the delete clausewill cause the selected process to terminate as in:
C:wmic process where name="malware.exe" delete
Finding command line arguments passed to a particular executable are done using filters:
C:wmic process where name = "mal.exe" list full
displays the full block where the process listing has been made for the particular executable.
C:wmic process where name= "mal.exe" get commandline
ParentProcessID is a valid parameter for many malware that launch child processes to stay resident in memory or keep launching new processes. Thus as a filter it would be very useful indeed.
C:wmic process where (name="mal.exe" or parentprocessid="246") delete
Call verb in certain commands in WMIC enable some special use of functions that are called by that command.
To debug a certain executable process, the process command can be used as:
C:wmic process where name = "mal.exe" call attachdebugger
At this the default debugger set in the AEDebug registry key will be activated. You could set any debugger to this registry key and it will launch to debug the process. Cool eh?!
Other functions supported by the call method in process command are:
GetOwner, GetOwnerSid, SetPriority, Terminate.
Termination as:
C:wmic process where name="mal.exe" call terminate
The /format /? switch displays the list of formats the command can output. It seems that a few of the formats are not supported anymore even thought the options are present.
/format:table also works.
C:wmic /output:C:ownzplist.txt process list full /format:table
Use the line above to get a tabular format.
/format:htable for html table and hform for html form do not work with this settings. It seems xml is made to be used to issue a standard data exchange format, especially with all Microsoft development platforms going xml with everything.
The patches list can be very quickly queried for a particular KB number, using find
C:wmic qfe list full | find "<number>"
Using a timer within WMIC. The every switch takes in a numeric as a time to repeat the command preceding the switch.
C:wmic process list brief /every:1 | find "mal.exe"
Learn Digital Forensics
Conclusion
We have taken a second round at the possibilities of the cmd.exe and the now 11+ years running wmic extension that is not used as often as one would like. WMIC has a lot to offer in terms of its depth of information, especially on the system overview front and bios/hardware related data. It pretty much beating the programs masqueraded as commands in cmd,exe in terms of reporting depth, though the cmd.exe commands have great use of their own, especially with the fast search and sort commands. Much of its commands negate the use to log into the BIOS unless we need to change the device boot order or something of that nature and not just to check the RAM Chip data. Furthermore, the efficacy in reporting through xml means that data exchange will be standard issue. The use of a declarative syntax means that data mining is intuitive and accurate. The next part will continue on the features of WMIC/CMD and get into other commands that merit explanation. Thereafter we will delve into PowerShell and finally conclude with a round up of the most essential list of commands that can be used for pretty much most of the triage and corroborative activities as security professionals.