Built-in Windows commands to determine if a system

has been hacked

Let's face it, Windows machines get hacked, and in some environments it happens a lot.
Fortunately, Microsoft has built numerous tools into Windows so administrators and power users
can analyze a machine to determine whether it's been compromised. In this tip, which is the first
of a two-part series, I'll cover five useful command-line tools built into Windows for such analysis.

1) WMIC: A world of adventure awaits

Windows Management Instrumentation Command-line (WMIC) is not merely a command; it's a
world unto itself. Offering a command-line interface to the ultra-powerful Windows Management
Instrumentation API within Windows, WMIC lets administrative users access all kinds of detailed
information about a Windows machine, including detailed attributes of thousands of settings and
objects. WMIC is built into Windows XP Professional, Windows 2003 and Windows Vista. To use
WMIC, users must invoke it by running the WMIC command followed by the area of the machine
the user is interested in (often referred to as an alias within the system). For example, to learn
more about the processes running on a machine, a user could run:
C:\> wmic process

Output of that command will likely look pretty ugly because an output format wasn't specified.
With WMIC, output can be formatted in several different ways, but two of the most useful for
analyzing a system for compromise are the "list full" option, which shows a huge amount of detail
for each area of the machine a user is interested in, and the "list brief" output, which provides one
line of output per report item in the list of entities, such as running processes, autostart programs
and available shares.

For example, we can look at a summary of every running process on a machine by running:
C:\> wmic process list brief

That command will show the name, process ID and priority of each running process, as well as
other less-interesting attributes. To get even more detail, run:
C:\> wmic process list full

This command shows all kinds of details, including the full path of the executable associated with
the process and its command-line invocation. When investigating a machine for infection, an
administrator should look at each process to determine whether it has a legitimate use on the
machine, researching unexpected or unknown processes using a search engine.

Beyond the process alias, users could substitute startup to get a list of all auto-start programs on
a machine, including programs that start when the system boots up or a user logs on, which could
be defined by an auto-start registry key or folder:
C:\> wmic startup list full

A lot of malware automatically runs on a machine by adding an auto-start entry alongside the
legitimate ones which may belong to antivirus tools and various system tray programs. Users can
look at other settings on a machine with WMIC by replacing "startup" with "QFE" (an abbreviation
which stands for Quick Fix Engineering) to see the patch level of a system, with "share" to see a
list of Windows file shares made available on the machine and with "useraccount" to see detailed
user account settings.

A handy option within WMIC is the ability to run an information-gathering command on a repeated
basis by using the syntax "/every:[N]" after the rest of the WMIC command. The [N] here is an
integer, indicating that WMIC should run the given command every [N] seconds. That way, users
can look for changes in the settings of the system over time, allowing careful scrutiny of the
output. Using this function to pull a process summary every 5 seconds, users could run:
C:\> wmic process list brief /every:1

Hitting CTRL+C will stop the cycle.

2) The net command: An oldie but a goodie

While WMIC is a relatively new command, let's not lose site of some useful older commands. One
of my favorites is the venerable "net" command. Administrators can use this to display all kinds of
useful information.

For example, the "net user" command shows all user accounts defined locally on the machine.
The "net localgroup" command shows groups, "net localgroup administrators" shows membership
of the administrators group and the "net start" command shows running services.

Attackers frequently add users to a system or put their own accounts in the administrators
groups, so it's always a good idea to check the output of these commands to see if an attacker
has manipulated the accounts on a machine. Also, some attackers create their own evil services
on a machine, so users should be on the lookout for them.

3) Openfiles: Deep scrutiny

Many Windows administrators are unfamiliar with the powerful openfiles command built into
Windows. As its name implies, this command shows all files that are opened on the box,
indicating the process name interacting with each file. It's built into modern versions of Windows,
from XP Pro to Vista. Like the popular lsof command for Linux and Unix, it'll show administrators
all open files on the machine, giving the process name and full path for each file. Unlike lsof,
however, it doesn't provide many more details, such as process ID number, user number and
other information.

Considering the volume of information it gathers, it's no surprise that the openfiles command is a
performance hog. Thus, the accounting associated with openfiles is off by default, meaning users
can't pull any data from this command until it is turned on. This function can be activated by
running:
C:\> openfiles /local on

Users will need to reboot, and when the system comes back, they will be able to run the openfiles
command as follows:
C:\> openfiles /query /v

This command will show verbose output, which includes the user account that each process with
an open file is running under. To get an idea of what malware has been installed, or what an
attacker may be doing on a machine, users should look for unusual or unexpected files,
especially those associated with unexpected local users on the machine.

When finished with the openfiles command, its accounting functionality can be shut off and the
system returned to normal performance by running the following command and rebooting:
C:\> openfiles /local off

4) Netstat: Show me the network

The Windows netstat command shows network activity, focusing on TCP and UDP by default.
Because malware often communicates across the network, users can look for unusual and
unexpected connections in the output of netstat, run as follows:
C:\> netstat -nao

The –n option tells netstat to display numbers in its output, not the names of machines and
protocols, and instead shows IP addresses and TCP or UDP port numbers. The –a indicates to
display all connections and listening ports. The –o option tells netstat to show the processID
number of each program interacting with a TCP or UDP port. If, instead of TCP and UDP, you are
interested in ICMP, netstat can be run as follows:
C:\> netstat –s –p icmp

This indicates that the command will return statistics (-s) of the ICMP protocol. Although not as
detailed as the TCP and UDP output, users can see if a machine is sending frequent and
unexpected ICMP traffic on the network. Some backdoors and other malware communicate using
the payload of ICMP Echo messages, the familiar and innocuous-looking ping packets seen on
most networks periodically.

Like WMIC, the netstat command also lets us run it every N seconds. But, instead of using the
WMIC syntax of "/every:[N]", users simply follow their netstat invocation with a space and an
integer. Thus, to list the TCP and UDP ports in use on a machine every 2 seconds, users can run:
C:\> netstat –na 2

5) Find: Searching output for useful stuff

Most of the commands I have discussed so far spew a lot of output on the screen, which could be
hard for a human to look through to find a specific item of interest. But, Windows comes to the
rescue. Users can search through the output of a command using the built-in find and findstr
commands in Windows. The find command looks for simple strings, while findstr supports regular
expressions, a more complex way to specify search patterns. Because the regular expressions
supported by findstr go beyond the scope of this tip article, let's focus on the find command. By
default, find is case sensitive – use the /i option to make it case insensitive.

The find command also has the ability to count. Invoked with the /c command, it'll count the
number of lines of its output that include a given string. Users often want to count the number of
lines in the output of a command to determine how many processes are running, how many
startup items are present, or a variety of other interesting tidbits on a machine. To count the lines
of output, users could simply pipe their output through find /c /v "". This command will count (/c)
the number of lines that do not have (/v) a blank line ("") in them. By counting the number of non-
blank lines, the command is, in effect, counting the number of lines.

Now, with the find command, users can look through the output of each of the commands I've
discussed so far to find interesting tidbits. For example, to look at information every second about
cmd.exe processes running on a machine, type:
C:\> wmic process list brief /every:1 | find "cmd.exe"

Or, to see which autostart programs are associated with the registry hive HKLM, run:
C:\> wmic startup list brief | find /i "hklm"

To count the number of files open on a machine on which openfiles accounting is activated, type:
C:\> openfiles /query /v | find /c /v ""

Whenever counting items in this way, remember to subtract the number of lines associated with
column headers. And, as a final example, to see with one-second accuracy when TCP port 2222
starts being used on a machine, along with the process ID using the port, run:
C:\> netstat –nao 1 | find "2222"

Researching output
With these five tools, users can get a great deal of information about the configuration and
security state of a Windows machine. To use each command in identifying a compromise,
however, a user needs to compare the current settings of the machine under analysis to a
"normal," uninfected machine.

There are three options for establishing a baseline comparison. First, if the user is an
experienced malware hunter, he or she may have a sense of what is right and what is wrong with
a given kind of machine, identifying evil or unusual stuff based on experience. Alternatively, this
comparison can be performed against a clean, uninfected machine, if there is one handy. If there
isn't, a user may need to rely on a third option -- researching specific files, process names, file
names and port numbers identified by these commands and searching for them online to
determine whether they are normal for a given machine and the software it has installed, or
whether they are associated with a some type of malware.

In this tip, I have discussed five powerful built-in Windows commands. In a future installment, I'll
finish out our top 10 list by looking at some little-known but immensely useful features of the
tasklist, reg and ipconfig commands, as well as iterating with FOR loops and launching
administrative GUIs via the command-line.

More built-in Windows commands for system analysis

In my March 2008 tip, I covered some of the most useful command-line tools in Windows,
including the WMIC, net, openfiles, netstat and find commands. This month, I'll round out that top
ten list by addressing five more useful commands and analyzing how security professionals can
use each one to help them do their jobs better.

Interacting with processes using tasklist

In my previous tip, I looked at how the WMIC command offers interesting insights into running
processes. The tasklist command also has some nice features worthy of inclusion, pulling some
process attributes that are difficult or impossible to discern using WMIC.

When run by itself with no options, the tasklist command shows a list of all running processes,
displaying their names, PID numbers and other statistics. To get even more out of tasklist,
consider running it like this:

C:\> tasklist /svc

This command tells tasklist to show which services are running inside of each process. Many
Windows users don't understand the relationship between services and processes, having at best
a murky idea that they are different but related entities. In reality, each service on a Windows box
must run inside of a process, and some processes have multiple services living inside of them.
Thus, there is a one-to-many relationship between processes and services, which the tasklist
command can reveal.

Another helpful invocation of the tasklist command is:

C:\> tasklist /m

The "m" stands for "modules", or the way that tasklist refers to DLLs, libraries of code loaded by
processes as they run to do their bidding on machines. When invoked this way, tasklist shows
every DLL currently loaded into all running processes. This provides users with a wealth of
information about what is happening on their machines at a given time. While analysis of this
output is a daunting task, the information included is helpful for malware researchers trying to
determine the nature of the processes running on their boxes. Google searches for specific
processes and DLLs may return descriptions of malware from antivirus vendor sites, which
provides useful insight into attackers' motives with a given specimen.

The reg command for fine-grained registry analysis

The reg command lets users interact with the registry of their machines at the command line.
Instead of using the cumbersome regedit GUI to navigate the registry, security pros can simply
pop open a Windows command shell and run the reg command to read or update the registry.
However, the reg command doesn't allow for interactive browsing of the registry; users need to
know the full path to the registry keys they want to view or alter. But given that path, the reg
command is an easy way to make changes.

To view the settings of a given registry key, use the "query" option of the reg command as
follows:

C:\> reg query hklm\software\microsoft\windows\currentversion\run

This key controls various auto-start programs on Windows that run when a machine is booted up
and subsequently when users log on to the system. Many malware specimens alter this key to
ensure that they run when the system is rebooted.

To export individual keys or complete sections of the registry to a file for analysis or installation on
a separate system, the reg command supports the "reg export" function. In addition to reading
and exporting registry settings, the reg command can update them as well. The "reg add"
command will update the value of an existing key, or create a key if it doesn't exist. The "reg
import" command can import multiple registry keys.

Using ipconfig for DNS analysis

Most serious Windows users are familiar with the ipconfig command, which is useful for showing
the network settings of a Windows box. But there's a particularly useful feature of ipconfig that a
lot of folks aren't aware of -- a function that is quite beneficial to security pros given the
capabilities of today's botnets. The ipconfig command can display the local Windows machine's
DNS cache as follows:

C:\> ipconfig /displaydns

The output of the command shows the various cached domain names, their associated IP
addresses and the time to live (in seconds) for the DNS record. If users run the command
repeatedly, they can see the time to live decreasing until records expire and are discarded, or get
renewed. Watching the DNS cache and time to live (TTL) values is particularly important when
investigating fast-flux botnets, which utilize DNS records with small TTLs to force constant
updates and confuse investigators regarding the location of the hacker's critical back-end servers.
Admittedly, ipconfig doesn't have as many fancy options as the other commands covered in this
series, like tasklist and reg. But this one use of the command is immensely helpful.

Running repeatedly with FOR /L loops

Sometimes administrators or security professionals want to run a command repeatedly, perhaps
at five-second intervals to look for changes in its output. To accomplish this goal, they can rely on
Windows FOR loops. Windows supports five different kinds of FOR loops, which can iterate over
file integers, file names, directory names, file contents and strings. The focus here will be on the
simplest of these loops, specifically the FOR /L variety, which iterates over integers since they
can be used to make commands run continuously. The syntax of a FOR /L loop is:

C:\> for /L %[var] in ([start],[step],[stop]) do [command]

The [var] is our iterator variable, a single alphabetic letter that will take on different integer values
at each step through the loop. The user then specifys the starting value of the variable, the
amount it should be incremented at each step through the loop, and its maximum value that will
stop the loop. A command to run at each step through the loop should also be specified. To
illustrate, consider the following:

C:\> for /L %i in (1,1,10) do @echo %i

This loop will use %i as a variable, starting at a value of 1. At each iteration through the loop, %i
will be incremented by 1, going up to 10. Then, in the loop, the user can simply print the value of
the iterator variable on the screen using the echo command. The @ tells the system not to print
out the command itself, making the output a little prettier. The user just told the system to count
from 1 to 10.

Now, let's see how to use this command to make the tasklist command run continuously:

C:\> for /L %i in (1,0,2) do @tasklist

With this command, a user is telling the machine to start a loop with a variable at 1, counting by
zero, all the way up to 2. That'll count forever, until the user hits CTRL-C to stop it. A user can
simply run the tasklist command at each iteration.

To add a delay of a few seconds between iterations, simply ping the localhost (127.0.0.1) multiple
times at each iteration through the loop, by adding "& ping --n 6 127.0.0.1 > nul" as follows:

C:\> for /L %i in (1,0,2) do @tasklist & ping --n 6 127.0.0.1 > nul

Since the Windows command line has no built-in sleep function to wait for a given delay, users
can make a delay happen with ping. The command above will ping the localhost address six
times (-n 6), introducing a delay of five seconds (the first ping happens immediately, followed by
one ping per second for five seconds). We're dumping the ugly output of ping into nul, making it
disappear. The result is a command that runs tasklist every five seconds. This technique can be
used to run each of the commands covered in this series repeatedly, letting users more carefully
scrutinize the output. More complex syntax can even parse the output of the command to allow
generation of custom scripts for detailed system analysis, but such syntax goes beyond the scope
of these monthly tips.

Launching admin GUIs via the command line

While the Windows command line has many powerful tools, believe it or not, sometimes a GUI
tool can do the job better than the command line. However, memorizing the obscure locations
where Microsoft has buried various controls in its GUI is a bewildering task.

Fortunately, users don't have to dig through the GUI to find what they want; instead they can rely
on command-line shortcuts. For example, instead of going to the start menu to find and run local
user manager GUI, users can go to the nearest command prompt and type:

C:\> lusrmgr.msc

There are numerous other GUI controls that can be launched from the command line in this way,
which saves a lot of time. Here are some of my favorites:
Secpol.msc: This is the local security policy manager, used to configure hundreds of security
settings on the box.
Services.msc: This command launches the services control panel GUI.
Control: This command brings up the overall control panel set of tools.
Taskmgr.exe: This command launches the Task Manager.
Explorer.exe: To invoke the Windows file explorer in a handy fashion, run this command.
Eventvwr.msc: This command runs the Windows Event Viewer, useful for log analysis.

Conclusion:
At first, it may seem that the various Windows commands covered in these tips are obscure or
hard to memorize. But, with diligent practice, these Windows command-line tools can help
administrators and security pros wield far more power over their Windows machines, configuring
them more securely and analyzing them in greater detail when they get attacked.