Last Updated: 2006-03-31 00:31:58 UTC
by Ed Skoudis (Version: 1)
A few weeks ago, uber-handler Tom "I-Write-Spyware" Liston and I were working on some tests of anti-spyware applications. One of the experiments we performed was to take an ultra-infected box and run various anti-spyware tools to see if any of them could clean up the mess. The Windows machine we had was so thoroughly laced with spyware that IE couldn't run, Task Manager couldn't start, and the services control panel was kaput. Pretty much every GUI-based management and analysis tool on the box was hosed. Ouch! And, no, booting into Safe Mode didn't help at all (we tried it of course), because the system was so corrupted. You see, the spyware altered various crucial reg keys and used the SafeBoot reg key for auto-startup, as Tommy-boy described briefly here.
So, how could we do analysis on this machine without resorting to these GUI tools? Of course, there is the stunning arsenal of handy investigating tools from www.sysinternals.com (Process Explorer, TCPView, et al), but we wanted to go with tools built into Windows, preferably command line. We didn't even want to use the Resource Kits.
So, what did we resort to? In large measure, we relied on the immense power of the WMIC tool, built into WinXP Pro and Win2003. Sorry, but WinXP Home isn't a professional-class operating system, and it lacks many useful management tools like WMIC. But, for WinXP Pro and Win2003, WMIC is a command-line console to access Windows machines via Windows Management Instrumentation, a framework established by everyone's favorite software vendor for locally and remotely managing Windows boxes (although installed only on XP Pro and 2003, it can be used to manage Win2K, WinXP, and Win2003 systems remotely with admin credentials). Before WMIC, you had to write scripts or get a specialized tool to pull data via WMI. But no more! WMIC gives us command console access to the powerful framework of WMI.
WMIC is a world unto itself, immensely complex, able to read several thousands of settings on a Windows box, and update hundreds, again both locally and remotely. It includes its own query language, called WQL, for WMI Query Language, a subset of ANSI SQL.
But enough pontificating! Let's get hands-on. Here are some fun things you can do with WMIC that served us very well in our anti-spyware research:
C:\> wmic process [pid] delete
That's the rough equivalent (for you UNIX/Linux minded folks) of "kill -9 [pid]".
Or, better yet, try this one on for size:
C:\> wmic process where name='cmd.exe' delete
I love that one! It functions something like "killall -9 cmd.exe" would on a Linux box, where killall lets you kill processes by name.
And, check this out:
C:\> wmic process list brief /every:1
Sort of like (but not exactly) the Linux/UNIX top command.
But, wait! There's more...
C:\> wmic useraccount
This one gives a lot more detail than the old "net user" command. With "wmic useraccount" you get user names, SIDs, and various security settings.
Fun, fun, fun! Here's another:
C:\> wmic qfe
This one shows all hotfixes and service packs. For you old-school Sun-heads out there (both of you! -- Just Kidding), qfe doesn't stand for Quad Fast Ethernet... It stands for Quick Fix Engineering in this context.
For a list of some of the items WMIC can touch, run this:
C:\> wmic /?
Now, here's a request. Do you guys have any other fun WMIC tricks? Specifically, have you used WMIC in an investigation or in sysadmin duties to pull some vital data that other readers of the Internet Storm Center can benefit from? Please note that we do not want WMI scripts. We want WMIC command-lines that do cool things of interest to Incident Handlers. Send in your suggestions, and I'll post them throughout the day, giving you full credit (if you want it) for your elite WMIC kung-fu.
What's your favorite thing to do with WMIC?--Ed Skoudis
Co-author of the new book Counter Hack Reloaded (written with Tom "My-Spyware-Is-Actually-Good!" Liston).
UPDATE 1: Diligent reader Rob_LD points out this great command:
C:\> wmic startup list full
It shows a whole bunch of stuff useful in malware analysis, including all files loaded at Startup and the reg keys associated with autostart. Who needs msconfig or autoruns? Well, I do. I like to have those around as well. Still, WMIC is our friend.
UPDATE 2: A couple of readers have pointed out that you could either type WMIC followed by commands as I show above, or run WMIC by itself and hit enter. The latter puts you into a little WMIC console shell, into which you can type the WMIC commands I show above. Which is better? I use both, but I prefer wmic followed by the commands in-line, because then I can pipe its output into other commands to find stuff or sort things, as in the following:
C:\> wmic process list brief | find "cmd.exe"
That works a little like a Linux "ps -aux | grep cmd.exe".
So, I run it as I show above, piping its output through sort, find, findstr, etc. Also, it's nice to redirect its output to a file, with a simple >.
Handler Guru Stud Muffin Marc Sachs pointed out that you can view the really crappy WMIC documentation in a handy file by typing:
C:\> wmic /?:full > wmic_docs_that_stink.txt
Then, open the .txt file and read it and marvel at how much better man pages are than what you see there.
Also, Rob_LD brought up another good point. By default, WMIC lets you blow up critical things, such as vital processes, using the delete verb as we showed above. But, if you are a little nervous about this, you can set WMIC to ask you before it does delete something. You can do this by running WMIC, and, within its little command shell, typing "/interactive:on". Then, whenever you delete something from within the WMIC "shell", it'll ask you to confirm. However, please note that if you use WMIC as I say above (right at the c:\> prompt), it still won't ask you for confirmation.
As for me, I like to run with scissors (while chewing gum!), so I use it without the interactive mode. I mean, I would hate it if killall on Linux said to me, "Are you sure you want to do that?"... But perhaps that's just me.
Alert reader Alan Ridgeway points out that WMIC supports all kinds of funky and useful output formats, which it can store in a file via the /output: directive, invoked as follows:
C:\> wmic /output:[file] [stuff you want it to do] /format:[format]
Numerous formats are supported, including HTML format (hform), CSV, XSL, and so on. So, check this out:
C:\> wmic /output:c:\os.html os get /format:hform
Then, open c:\os.html in a browser, and soak in that beautiful output. Ooooohhhh. Ahhhhhhh.
For a list of format types supported by WMIC, you could type:
C:\> wmic [stuff to do] /format /?
C:\> wmic process list /format /?
Going further, nice-guy reader Russell Eubanks mentioned the ability to pull lists of attributes and output them nicely, as follows:
C:\> wmic /output:c:\temp.html os get name,version /format:htable.xsl
That's pretty darn nice, and I find that WMIC is best enjoyed over Mexican food with really good beer.
Some folks have asked about the results of Tom "The-spyware-I-write-works" Liston's and my attempts to clean the infected system. We worked with several anti-spyware companies, each doing scan after scan, trying desperately to get the box clean and working again. After at least 1.5 hours with _each_ vendor, the box was still not usable. We concluded that the best bet if you have a totally infected box is to reinstall the OS. You'll have much more assurance of your end result that way.
A few folks have also written in about my references to Tom "I-Write-Spyware" Liston. Some of you are certainly thinking, "I KNEW IT! LISTON IS EVIL! EVIL I TELL YOU! SKOUDIS JUST CONFIRMED IT!" While I cannot tell you conclusively the state of Mr. Liston's eternal soul, I can tell you this... he did in fact write some spyware. But, the purpose of his spyware was for a project Tom and I were working on. We wanted to evaluate whether the major anti-spyware vendors had solid behavior-based detection capabilities, rather than just relying on their sigs of known spyware. So, Tom wrote some custom, benign, "spyware-like" programs that take action on a system. The resulting suite, which we called Spycar (in homage to the EICAR anti-virus test file), tries to change the IE and Firefox home page, adds entries to the hosts file, changes the Run, RunOnce, and RunOnceEx reg keys, etc. In all, Spycar includes little programs to take about 25 different individual actions on a machine to see if it is blocked by an anti-spyware tool. We'll be releasing Spycar, along with the results of our testing, the first week of May... so stay tuned. And, in the end, sadly, you cannot use this post as proof of Tom Liston's evil nature.
Guys, I love being an incident handler. There's so much we can learn from each other. I just got a message from Alan Ridgeway again, with some immensely useful info about WMIC that I never knew. This is way cool high-speed stuff. Alan points out that you can use the /record option in WMIC to record the WMIC commands you typed, their output, and a timestamp, as in:
C:\> wmic /record:test.xml process list brief
After the command runs, your results are stored in XML format. That's the only format supported, but this is a handy record of what you typed, when you typed it, and the results you got. I really like that as a handler for some complementary evidence! Sweet!
The only down side, though, is that it will overwrite a previous test.xml, rather than append to it. Still, not bad, as long as you make sure to use different names for your record files. Thanks, Alan, for that nice tip.
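Pulling the tips above together, here is an added example (my own batch file, not a command from the diary or from any reader) that takes a read-only WMIC triage snapshot of a suspect box: the process, startup, service, user account and hotfix listings, plus the network configuration via the nicconfig alias, each written to CSV with /output and logged with /record. Because /record overwrites rather than appends, every file name carries a timestamp taken from WMIC's own LocalDateTime. The output folder C:\wmic_triage_<stamp> is an assumption; the property names are those of the underlying Win32_* classes. Nothing in it uses the delete verb, so the interactive-mode caveat does not apply.

```batch
@echo off
rem Added example, not from the ISC diary: read-only WMIC triage snapshot of a suspect box.
rem Every file name carries a run timestamp, because /record (and /output) silently
rem overwrite an existing file instead of appending to it.
setlocal

rem Build the stamp from WMIC's own LocalDateTime (e.g. 20060331003158.000000+000) so it
rem does not depend on the locale-specific layout of %DATE% and %TIME%. WMIC appends a
rem stray carriage-return-only line, which makes FOR run once more; hence the guard.
for /f "skip=1 tokens=1" %%T in ('wmic os get LocalDateTime') do (
    if not defined STAMP set "STAMP=%%T"
)
set "STAMP=%STAMP:~0,14%"

rem Output folder is an assumption; point it at a drive you trust. Keep it free of spaces,
rem since the /output: and /record: values below are passed unquoted.
set "OUT=%SystemDrive%\wmic_triage_%STAMP%"
mkdir "%OUT%" || exit /b 1

rem One WMIC query per line: CSV via /output, plus command/output/timestamp log via /record.
call :snap process  "process get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine"
call :snap startup  "startup list full"
call :snap services "service get Name,State,StartMode,StartName,PathName"
call :snap users    "useraccount get Name,SID,Disabled,Lockout,PasswordRequired"
call :snap hotfixes "qfe get HotFixID,Description,InstalledOn"
call :snap nics     "nicconfig where IPEnabled='true' get Index,Description,IPAddress,DefaultIPGateway,DNSServerSearchOrder,DHCPEnabled"

rem Quick look, WMIC piped through findstr as the diary suggests: processes whose image is
rem not under %SystemRoot%. The header line and kernel pseudo-processes (empty path) also
rem appear, so treat this as a starting point for review, not a verdict.
echo.
echo Processes not running from %SystemRoot% (review these first):
wmic process get Name,ProcessId,ParentProcessId,ExecutablePath | findstr /i /l /v /c:"%SystemRoot%"

echo.
echo Snapshot written to %OUT%
endlocal
exit /b 0

:snap
rem %1 = short name used for the two files, %2 = WMIC alias/verb clause (quoted to keep the commas)
wmic /record:%OUT%\%~1_record.xml /output:%OUT%\%~1.csv %~2 /format:csv
exit /b
```

Run it from an administrator command prompt on the suspect machine (or copy it to removable media first). The CSV files can be imported into a spreadsheet or diffed against a snapshot from a known-clean build of the same image, and the _record.xml files give you the when-and-what trail the diary likes for evidence.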
Another reader, desiring anonymity, talks about the network interface configuration options afforded by WMIC, such as:
C:\> wmic nicconfig where IPEnabled='true'
That'll give you a list of IP interfaces.
Or, to change the IP address at the command line, you could:
C:\> wmic nicconfig where Index=1 call EnableStatic ("10.10.10.10"), ("255.255.255.0")
For DHCP, you'd do this:
C:\> wmic nicconfig where Index=1 call EnableDHCP
Where the index is the number of the interface you get from that first nicconfig command I put in this update.
While these WMIC uses work for altering the NIC settings, I find them really cumbersome. I know, I know... you are thinking, "Cumbersome! Have you seen some of those commands you typed earlier in the diary!" But, in config'ing Windows network interfaces at the command line, I much prefer the netsh command, which is totally independent of WMIC. That's a favorite of yet another reader who wanted anonymity. For more info on that command, type:
C:\> netsh /?
While we're talking trash about WMIC... the issue comes up: How do you pronounce "WMIC" when you are speaking? Some people (a lot, actually) say it "WeeMick". I personally loathe that formulation. I call it "dubbel-you-emmm-eye-sea". Sounds better that way to my ear. Also, you can even sing a little jingle for it: "WMIC... see ya real soon... K-E-Y... why? Because we like you! M-O-U-S-E".
And, in closing, I leave you with this nice reference from Reader Jon. If you want more docs about command-lines for various operating systems (including Windows and its WMIC universe, along with other tools), Linux, Mac OS X, and even Oracle, check this out.
That's it for me today... The Internet Storm Center is now in the ever-capable hands of Mr. Incredible himself, Dave Goldsmith!
Thanks for a fun day, guys, and all your wonderful suggestions--
Last Updated: 2006-03-30 21:46:03 UTC
by Ed Skoudis (Version: 1)
We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security related update associated with some legal imbroglio. According to Microsoft:
"So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."
That's not the end of the world, but it is worth noting.
What does this mean to you? On April 11, some of your ActiveX controls may stop working. You can test this new IE voodoo by downloading an optional patch for IE from Windows Update. Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.
For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue. The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

UPDATE 1: Some readers have written in to express their unhappiness that the non-security-related patch done for legal reasons is being released with the fix for the zero-day IE flaw. I agree. I don't like to see them together either. Consider your complaint on that registered with the ISC, not that we can do anything about it.