Find A Windows Infection Quickly Without Tools
Uncategorized | 2015. 7. 20. 11:26 | http://909research.com/find-a-windows-infection-quickly-without-tools/
After several years doing incident response, I thought it would be useful to give a short list of my go-to actions for quickly determining whether a computer is infected. This obviously isn't foolproof, but I find that in almost all non-sophisticated attacks, performing the following checks will highlight a present infection and can quickly lead to the details needed to find and kill it. All of these things can be done from an administrator command prompt with built-in Windows command line features. In a second post later on, I will write about further things that can be done given a prepared set of tools.
WMIC Startup Items - Windows has a very powerful built-in tool, WMIC, that will, among other things on this list, easily dump startup items for you to investigate. Just open up a command prompt and type:
wmic startup list full
Here's a real example; guess which item doesn't belong, perhaps the thing running from the Local\Temp folder? Yes. If you know what should be in the list and where things normally run from, often it's this easy and you can stop right here. Find the program, look up its hash on malwr.com or VirusTotal, see what else it drops and remove it.

DNS Cache - Stay at that open command prompt and type:
ipconfig /displaydns
These are the domains that have been recently resolved; see anything that looks odd? Search the domain name and the IP it resolved to on VirusTotal or elsewhere and see if any samples contact it; if so, you can bet you're infected. Here's a made up example:

WMIC Process List - Another WMIC favorite, type:
wmic process list full | more
or, for more compact output that is longer to type:
wmic process get description,processid,parentprocessid,commandline /format:csv
Look for things running in odd places or malicious/random/odd-looking process names.

WMIC Service List - This one can be harder if you don't know what you're looking at, but it's easy to check, and often malware is still easily found by the path or exe name. The format is the same as the others, or you can go more specific with the "get" version:
wmic service list full | more
or
wmic service get name,processid,startmode,state,status,pathname /format:csv
Here's a minimal example showing only the service name and path:

WMIC Job List - This one is less likely to find anything because most malware doesn't use jobs, but some versions of things like MPlug do, and once again it's easy enough to check:
wmic job list full
You'll probably receive a "No Instance(s) Available" response, which means there are no jobs scheduled.

Netstat - Don't forget the basics, even though the output takes some searching to find out if that IP is Google or stealyourbanknumber.su.
netstat -abno
Also look for odd port numbers going to external sites: 25, 8080, 6667, etc.
The netstat switches are:
-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.
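A small Python script for the /format:csv variants of the startup, process and service queries above, added here as an example rather than taken from the original post. It reads wmic's CSV output (column order is taken from the header line, and surplus commas in a command line are folded back into that column, since wmic does not quote fields), pulls the executable path out of each command line, and flags paths under user-writable directories or well-known system binary names outside the Windows directory, which are the same tells the post describes; a parent chain helper shows what launched a flagged process. The directory and name lists are my own starting point, not from the post, the three CSV samples are constructed with made-up hosts, paths and PIDs, and `wmic startup get caption,command,location,user /format:csv` is the assumed query for the startup table.

```python
"""Triage helpers for the /format:csv output of the wmic startup, process and
service queries.  Added example, not from the original post; the CSV samples
are constructed to mimic wmic's layout and every host, path, PID and name in
them is made up."""
import re

# wmic writes UTF-16 text with a leading blank line; read real output with
# open(path, encoding="utf-16") and pass the text straight in.
SAMPLE_STARTUP = r"""
Node,Caption,Command,Location,User
WS01,ExampleTray,"C:\Program Files\Example\tray.exe" /min,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Public
WS01,sysupd,"C:\Users\bob\AppData\Local\Temp\sysupd.exe" -silent,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Public
"""
SAMPLE_PROCESS = r"""
Node,CommandLine,Description,ParentProcessId,ProcessId
WS01,C:\Windows\system32\svchost.exe -k netsvcs,svchost.exe,612,880
WS01,"C:\Program Files\Example\updater.exe" --check,updater.exe,2104,3360
WS01,"C:\Users\bob\AppData\Local\Temp\svchost.exe" /start,svchost.exe,3360,4120
"""
SAMPLE_SERVICE = r"""
Node,Name,PathName,ProcessId,StartMode,State,Status
WS01,Dhcp,C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted,1052,Auto,Running,OK
WS01,WinUpdHelper,"C:\ProgramData\WinUpd\helper.exe" -svc,4412,Auto,Running,OK
"""

# Assumed heuristics (my own starting lists, not from the post): directories any
# user can write to, and binary names that belong under the Windows directory.
SUSPICIOUS_DIR_RE = re.compile(r"\\(?:temp|tmp|appdata|programdata|public|downloads|recycle[^\\]*)\\", re.I)
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\")


def parse_wmic_csv(text, wide_column):
    """wmic neither quotes nor escapes CSV fields, so a command line containing a
    comma would be split apart.  Only one column (the command line or service
    path) can legitimately hold commas, so surplus pieces are folded back into it."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(",")
    w = header.index(wide_column)
    after = len(header) - w - 1          # columns that follow the wide one
    rows = []
    for line in lines[1:]:
        parts = line.split(",")
        tail = parts[len(parts) - after:] if after else []
        middle = ",".join(parts[w:len(parts) - after])
        rows.append(dict(zip(header, parts[:w] + [middle] + tail)))
    return rows


def executable_path(command):
    """Executable from a command line: honour a leading quoted path, otherwise cut
    after the first '.exe' so unquoted paths with spaces survive."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", command, re.I)
    return m.group(1) if m else (command.split()[0] if command else "")


def flag_path(path):
    """Reasons this path deserves a closer look; an empty list means nothing obvious."""
    reasons, low = [], path.lower()
    if SUSPICIOUS_DIR_RE.search(low):
        reasons.append("runs from a user-writable directory")
    name = low.rsplit("\\", 1)[-1]
    if name in SYSTEM_NAMES and not low.startswith(SYSTEM_DIRS):
        reasons.append("system binary name outside the Windows directory")
    return reasons


def review_rows(csv_text, id_column, path_column):
    """(identifier, executable path, reason) for every flagged row of a wmic table."""
    findings = []
    for row in parse_wmic_csv(csv_text, path_column):
        path = executable_path(row.get(path_column) or "")
        for reason in flag_path(path):
            findings.append((row[id_column], path, reason))
    return findings


def parent_chain(process_rows, pid):
    """Walk ParentProcessId links upwards to see what launched a flagged process."""
    by_pid = {r["ProcessId"]: r for r in process_rows}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        row = by_pid[pid]
        chain.append((pid, executable_path(row["CommandLine"]).rsplit("\\", 1)[-1]))
        pid = row["ParentProcessId"]
    return chain
```

Run against the samples, `review_rows(SAMPLE_PROCESS, "ProcessId", "CommandLine")` flags only PID 4120 (twice: Temp directory, and a svchost.exe that is not in System32), and `parent_chain(parse_wmic_csv(SAMPLE_PROCESS, "CommandLine"), "4120")` shows it was started by updater.exe. The flags are leads, not verdicts: plenty of legitimate software updaters live in AppData, which is exactly why the post says to know what normally belongs in the list.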
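The DNS cache and netstat checks above are more useful together: the foreign address in a netstat line can be joined back to the cached domain name that produced it, so you look up a name rather than a bare IP. The following Python, added here as an example and not part of the original post, parses `ipconfig /displaydns` and `netstat -abno` output, attaches the executable printed by -b to each connection, keeps only peers outside RFC 1918, loopback, link-local and multicast space, pairs each with the cached name(s) that resolved to it, and marks the ports the post calls out (25, 8080, 6667). Both samples are constructed to mimic the real layouts; every name, address, PID and executable in them is made up, and the "internal" network list is my own assumption.

```python
"""Review network artifacts: `ipconfig /displaydns` joined with `netstat -abno`.
Added example, not from the original post; both samples are constructed to
mimic the real output layouts and every name, address, PID and executable in
them is made up."""
import ipaddress
import re

SAMPLE_DNS = r"""
Windows IP Configuration

    www.example.com
    ----------------------------------------
    Record Name . . . . . : www.example.com
    Record Type . . . . . : 1
    Time To Live  . . . . : 120
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 203.0.113.10

    update.fastcdn.example
    ----------------------------------------
    Record Name . . . . . : update.fastcdn.example
    Record Type . . . . . : 1
    Time To Live  . . . . : 60
    Data Length . . . . . : 4
    Section . . . . . . . : Answer
    A (Host) Record . . . : 198.51.100.77
"""

SAMPLE_NETSTAT = r"""
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  RpcSs
 [svchost.exe]
  TCP    192.168.1.23:49715     203.0.113.10:443       ESTABLISHED     3360
 [browser.exe]
  TCP    192.168.1.23:49802     198.51.100.77:6667     ESTABLISHED     4120
 [svchost.exe]
  TCP    192.168.1.23:49811     192.168.1.5:445        ESTABLISHED     4
 Can not obtain ownership information
  UDP    0.0.0.0:5353           *:*                                    1604
 [browser.exe]
"""

# "Record Name . . . . . : value" style lines: key, run of dots, colon, value.
DNS_FIELD_RE = re.compile(r"^\s*([A-Za-z() ]+?)\s*(?:\. ?)+:\s*(.+?)\s*$")


def parse_dns_cache(text):
    """(name, record_type_code, data) tuples; data is an address or CNAME target."""
    records, name, rtype = [], None, None
    for line in text.splitlines():
        m = DNS_FIELD_RE.match(line)
        if not m:
            continue                      # headers, separators, "No records of type ..."
        key, val = m.group(1).strip(), m.group(2).rstrip(".")
        if key == "Record Name":
            name, rtype = val.lower(), None
        elif key == "Record Type":
            rtype = int(val)
        elif key.endswith("Record") and name:   # "A (Host) Record", "CNAME Record", ...
            records.append((name, rtype, val))
    return records


def cached_names_for(records, ip):
    """Cached domain names that resolved to this address."""
    return sorted({name for name, _, data in records if data == ip})


def split_endpoint(endpoint):
    host, _, port = endpoint.rpartition(":")   # handles "[::1]:445" and "*:*" as well
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Connections from netstat -abno; the bracketed executable that -b prints on
    the following line is attached to the entry above it as `owner`."""
    conns = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] in ("TCP", "UDP"):
            conns.append({"proto": parts[0], "local": split_endpoint(parts[1]),
                          "foreign": split_endpoint(parts[2]),
                          "state": parts[3] if parts[0] == "TCP" else None,
                          "pid": int(parts[-1]), "owner": None})
        elif parts[0].startswith("[") and conns:
            conns[-1]["owner"] = parts[0].strip("[]")
        # headers, svchost service names and "Can not obtain ownership information" are skipped
    return conns


# Assumed "internal" ranges: RFC 1918, loopback, link-local, unspecified and multicast.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "224.0.0.0/4", "::1/128", "fe80::/10", "fc00::/7", "::/128")]


def is_external(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:                    # "*" wildcard on UDP entries
        return False
    return not any(ip in net for net in INTERNAL_NETS)


ODD_PORTS = {25, 6667, 8080}   # the ports the post calls out; extend for the host's role


def review_connections(netstat_text, dns_text):
    """External peers, each joined with the cached DNS name(s) behind it and flagged on odd ports."""
    records = parse_dns_cache(dns_text)
    findings = []
    for c in parse_netstat(netstat_text):
        fip, fport = c["foreign"]
        if is_external(fip):
            findings.append({"pid": c["pid"], "owner": c["owner"], "peer": f"{fip}:{fport}",
                             "names": cached_names_for(records, fip), "odd_port": fport in ODD_PORTS})
    return findings
```

`review_connections(SAMPLE_NETSTAT, SAMPLE_DNS)` returns two external peers: the 443 connection from browser.exe (resolved from www.example.com) and a 6667 connection from a svchost.exe to the address behind update.fastcdn.example, which is flagged. Cross-checking that PID against the process list is the natural next step.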
Batch File Version
How about doing these WMIC things in a simple, repeatable way that produces a report? I've got that too. Throw the following in a batch file and feed it a hostname argument; you can even use this over a network, given the proper permissions on the other computers, for easy remote assessment. This script will give you decent-looking HTML formatted output, including information on the computer you got it from.
@echo off
REM Usage: triage.cmd HOSTNAME  (run from an administrator prompt; the account needs admin rights on HOSTNAME)
if "%~1"=="" (echo Usage: %~nx0 HOSTNAME & exit /b 1)
REM The first query creates the report; the rest append to it.
wmic /node:%1 computersystem get model,name,username,domain /format:htable > c:\triage-%1.html
wmic /node:%1 startup list full /format:htable >> c:\triage-%1.html
wmic /node:%1 process get description,processid,parentprocessid,commandline /format:htable >> c:\triage-%1.html
wmic /node:%1 service get name,processid,startmode,state,status,pathname /format:htable >> c:\triage-%1.html
wmic /node:%1 job list full /format:htable >> c:\triage-%1.html