The Wayback Machine - https://web.archive.org/web/20111123102230/http://gse-compliance.blogspot.com/

Tuesday, 22 November 2011

Cyber (Crime / Espionage / Terror)


The webinar link for last night's lecture on "Cyber (Crime / Espionage / Terror)" is up and available.

https://www2.gotomeeting.com/register/532843426

Sunday, 20 November 2011

Windows Management Instrumentation Command-line (WMIC)

WMIC is a Windows command line tool that allows you to do many of the things we are used to doing at the shell in Unix. For instance, Windows does not have a “kill -9” command, but with WMIC you can perform the same function using the following commands:

  • wmic process where name='winrar.exe' delete
  • wmic process where processid=[pid] delete

image

So, unlike Unix, we can kill a process using just the name of the executable as well as selecting the individual PID (Process ID). This is extremely useful in malware analysis.

For auditing, you can also gather a lot of information. For instance, you can list the users on the system.

image

More importantly, you can list the service patches and hotfixes that are installed on the system.

  • wmic qfe

image

As you can see, this allows you to script a check of all the patches on a system and to even automate this over your domain.

WMIC is one of the commands you really need to know if you are administering a Windows system. I will post more on this command soon, as well as more in the series on IPSec and NAP this week.

Friday, 18 November 2011

Using Process explorer to discover network properties

Process Explorer is a tool from Microsoft that is in effect Task Manager on steroids without all the bad consequences.

image

Right clicking on a running process allows you to select properties.

image

From here, selecting the TCP/IP tab will display the connections in progress from this application.

image

So, if you have a suspicious application, now you have a tool to watch what it is doing.

Wednesday, 16 November 2011

More Windows tasks

Most people know of the Windows Task-manager GUI application. There are many times when it is better to use a CLI (command line interface). One such example would be where a script tests what is running.

The command “tasklist” is a Windows command that allows just this.

image

Just like its GUI cousin, you can also list services using this tool. The “/svc” option for instance displays the services hosted in each process.

image

You can also filter the output, as in the example below, where we have selected processes that are not responding to task-monitoring requests.

image

Knowing what you are running is the first part of stopping malware.

Tuesday, 15 November 2011

Investigating tasks in Windows

When investigating an incident in a Windows environment, one of the things you should check is the scheduled tasks. Many malware varieties use startup processes to reload and maintain themselves. By seeking out new and unusual tasks, you can quickly look for simple compromises and malicious processes.

The inclusion of privileged processes (those running as SYSTEM or Admin, for instance) is of particular concern. It is also not unusual to discover malicious code running with a blank username.

To make a simple check of the running and scheduled tasks from the command line, type:

  • schtasks

image

You can see in the image above that we have a number of scheduled tasks on the system this was run from. The output is grouped by folder and shows, for each task:

  • The task name
  • The next run time
  • The status (ready to run, or running now)

You can create tasks in Windows using these commands as well, but for now we are simply seeking out tasks that we did not expect. Diffing the results against an earlier run is a good way to look for system changes.

You can see the help for this command using the “schtasks /?” option, as displayed below.

image

Next is WMIC.

WMIC is great for doing malware analysis. It displays all of the files loaded at startup, and the Registry keys the system has associated with “autostart” are also returned.

You can see the values returned in the figure below:

  • wmic startup list full

image

We can also use this to select individual processes.

  • wmic process list full | find "cmd.exe"

image

Here we have restricted the process search to just cmd.exe.

This is useful in checking paths and if a process has inserted itself before the “true” system file.
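The diffing idea from the schtasks post and the autostart listing from `wmic startup list full` can be combined into one check. The following is an added example, not a script from the original post: it snapshots scheduled tasks and autostart entries, writes a baseline on the first run, and on later runs reports what has appeared, disappeared or changed. The baseline file location is an assumed placeholder.

```powershell
# Added example (not from the original post): snapshot scheduled tasks and autostart
# entries, then diff them against a saved baseline to surface changes.
# Assumption: run from an elevated prompt so tasks of all users are listed.
param(
    [string]$BaselinePath = "$env:ProgramData\task-baseline.json"   # assumed location
)

function Get-TaskSnapshot {
    # "schtasks /query /fo CSV /v" gives one row per task with the command it runs
    # and the account it runs as; schtasks repeats the CSV header for every task
    # folder, so those duplicate header rows are filtered out after parsing.
    $tasks = schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' } |
        ForEach-Object {
            [pscustomobject]@{
                Kind  = 'task'
                Name  = $_.TaskName
                Value = $_.'Task To Run'
                User  = $_.'Run As User'
            }
        }
    # Same data that "wmic startup list full" shows: Run keys and Startup folder items.
    $startup = Get-CimInstance Win32_StartupCommand | ForEach-Object {
        [pscustomobject]@{
            Kind  = 'startup'
            Name  = $_.Name
            Value = $_.Command
            User  = $_.User
        }
    }
    return @($tasks) + @($startup)
}

$current = Get-TaskSnapshot

if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 3 | Set-Content -Path $BaselinePath
    Write-Host "Baseline written to $BaselinePath ($($current.Count) entries)."
    return
}

$baseline = Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json
# Compare on all four fields so a changed command line or account shows up too,
# not only a new task name. '=>' marks entries present only in the current snapshot.
$diff = Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
    -Property Kind, Name, Value, User
if (-not $diff) { Write-Host 'No change from baseline.'; return }
$diff | Sort-Object SideIndicator | Format-Table SideIndicator, Kind, Name, User, Value -AutoSize
# New ('=>') rows with a blank 'Run As User' or running as SYSTEM deserve the first look.
```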