CMD and PowerShell For Incident Response Flashcards

1
Q

CMD and PowerShell

A

This lesson will introduce you to some useful CMD and PowerShell commands to assist with incident response. Some of the actions we can take include:

List networking information (to gather information such as IP address, MAC, and more)
Viewing open and listening ports (to detect backdoors and beaconing)
Viewing running processes and their related executable files (to detect malware or backdoors)
List all users and admins on the local system (to identify unusual accounts)
List programs that launch at system boot (to detect malicious files)
List services and detailed information (to identify malicious services)
And more!

2
Q

Command Line

A

Why do we use CMD?
Although using it requires the memorization of many different commands, it can allow us to complete tasks faster than interacting with the Windows graphical user interface, and also allows us to automate tasks using batch scripts. This can help in incident response scenarios, as we can query the system for information about almost anything, from users to running processes!

CMD For Incident Response
Below we’re going to cover a number of commands that may be useful for security investigations and incident response. We will also include examples so you can see what the input could look like, and how to interpret the information that is printed to the terminal. These commands should be run as an administrator to function correctly.

ipconfig /all

Description: This command will get network configuration information from the local system, including the assigned IP address and the device’s MAC address.

Example: In this example we can see that we have the hostname “MSEDGEWIN10”, a MAC address of “00-0C-29-AA-02-FA”, and an IPv4 address of “192.168.125.129”. We can also see that the DNS server being used for name resolution is currently “192.168.125.2”.

tasklist

Description: This command will check running processes and programs and print a list to the terminal.

Example: In the below screenshot we are presented with a list of running processes, their process identifiers (PIDs), and the memory usage in the final column. This can be helpful to identify processes that are running in the background and how many system resources they are consuming. This can be a good way to identify malware such as crypto miners which will work silently, but consume a lot of system memory to work.

3
Q

wmic process get description, executablepath

A

wmic process get description, executablepath

Description: This command will display running processes and the associated binary file that was executed to create the process.

Example: As the description states, we are able to view running processes and the executable file that initiated them. Look just below halfway down the list and you’ll find Discord.exe on the left-hand side (process name). To the right on the same row we can see that Discord was launched from C:\Users\IEUser\AppData\Local\Discord\app-0.0.307\Discord.exe – we now have the full file path! We can use this command to spot unusual process names and locate the executable file so we can analyze it. Processes that are running out of unusual locations such as /tmp/ and /Downloads/ are definitely worth investigating further!

4
Q

net user

A

net user

Description: This command will print a list of all system users to the terminal.

Example: Using this CMD command we have printed all local system users, regardless of user group, to the terminal. In this case we can see:

Administrator
DefaultAccount
Guest
Jeff S
MarkA
sshd
SteveE
WDAGUtilityAccount
5
Q

net localgroup administrators

A

net localgroup administrators

Description: This command will list all users that are in the administrators user group.

Example: In the below screenshot we can see all administrator accounts on this system. In this case it is the following:

Administrator
Jeff S
MarkA
SteveE

We can replace “administrators” with any local group that we want to enumerate. To see a list of all groups, use the command net localgroup. If you want to search for users in a group whose name includes spaces, you’ll need to run your commands like this: net localgroup "Remote Desktop Users".

6
Q
A

sc query | more

Description: This command will list all services and detailed information about each one.

netstat -ab

Description: This command will list open ports on a system, which could show the presence of a backdoor.

7
Q

PowerShell

A

Why do we use PowerShell?

PowerShell is amazing, and chances are you’ll use it a lot while working in the security industry. We can automate complex tasks, use it for offensive security purposes, or during security investigations to get more information about a user or system. For incident response, we can use it similarly to CMD, but we can often retrieve much more information.

8
Q
A

Get-NetIPConfiguration and Get-NetIPAddress

Description: Similar to ipconfig in CMD, we can use the two above commands to get network-related information from the system.
Example:

9
Q
A

Get-LocalUser

Description: Using the above command we can list all local users on the system.
Example:

10
Q
A

Get-LocalUser -Name BTLO | select *

Description: We can provide a specific user to the command to only get information about them. Piping ( | ) the results to a “select” with a wildcard ( * ) will give us all of the properties of the returned user object, providing us with valuable information about the account. This can be extremely useful for us as incident responders, especially when we find local accounts that do not expire or have passwords that don’t expire.
Example:

11
Q
A

Get-Service | Where Status -eq "Running" | Out-GridView

Description: The above command lets us quickly identify running services on the system. By piping ( | ) the command to Out-GridView, we are telling PowerShell to show us the results in a separate grid window, which is much easier to work with than outputting the results to the PowerShell window.
Example:

12
Q
A

Get-Process | Format-Table -View priority

Description: Another useful command groups running processes by their priority value. Using the above command we can see the process name, the process ID (PID), and other information, with the processes of each priority rating grouped into a separate table.
Example:

13
Q
A

Get-Process -Id 'idhere' | Select *

Description: We can collect specific information about a process by including its name in the command (-Name 'namehere') or its Id, as shown above and below. Piping to Select * provides us with all the properties.
Example:

14
Q
A

Get-ScheduledTask

Description: Like services, scheduled tasks are often abused as a common persistence technique. With the above command we can list tasks that are set to run after certain conditions are met.
Example:

Get-ScheduledTask -TaskName 'PutANameHere' | Select *

Description: We can dig deeper by specifying the task we’re interested in, and retrieving all properties for it.
