Hi malware fighters,
In the case of analysis of a malware infested Windows machine, use the following commands for evaluation purposes, see the following article:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1313370,00.htmlAlways keep at the back of your head that the commands may not be trusted if the machine is severely compromised.
1.) WMIC to evaluate a certain process or processes.
C:\> wmic process
C:\> wmic process list brief
C:\> wmic process list brief /every:1
C:\> wmic process list full
C:\> wmic startup list full
2.) To evaluate users and groups.
"net user"
"net localgroup"
"net localgroup administrators"
"net start"
3.) Openfiles to evaluate active files.
C:\> openfiles /local on
C:\> openfiles /query /v
C:\> openfiles /local off
4.) Netstat to evaluate network activity.
C:\> netstat -nao
C:\> netstat –s –p icmp
C:\> netstat –na 2
5.) Find, to render a readable output.
C:\> wmic process list brief /every:1 | find "cmd.exe"
C:\> wmic startup list brief | find /i "hklm"
C:\> openfiles /query /v | find /c /v ""
C:\> netstat –nao 1 | find "2222"
6.) Tasklist to evaluate processes and DLL-files.
C:\> tasklist /svc
C:\> tasklist /m
7.) Reg to analyse the registry.
C:\> reg query hklm\software\microsoft\windows\currentversion\run
8.) Ipconfig to evaluate DNS analysis.
C:\> ipconfig /displaydns
9.) FOR /L to repeat certain commands
C:\> for /L %[var] in ([start],[step],[stop]) do [command]
C:\> for /L %i in (1,1,10) do @echo %i
C:\> for /L %i in (1,0,2) do @tasklist
C:\> for /L %i in (1,0,2) do @tasklist & ping --n 6 127.0.0.1 > nul
10.) To start admin GUIs trough the command line.
C:\> lusrmgr.msc (local user manager)
C:\> Secpol.msc (security policy manager)
C:\> Services.msc (services control panel)
C:\> Control (Configuration screen)
C:\> Taskmgr.exe (task management)
C:\> Explorer.exe (Windows Explorer)
C:\> Eventvwr.msc (Windows Event Viewer)
enjoy,
polonus
