Hi malware fighters,
In the case of analysis of a malware infested Windows machine, use the following commands for evaluation purposes, see the following article:
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1313370,00.html
Always keep at the back of your head that the commands may not be trusted if the machine is severely compromised.
1.) WMIC to evaluate a certain process or processes.
C:> wmic process
C:> wmic process list brief
C:> wmic process list brief /every:1
C:> wmic process list full
C:> wmic startup list full
2.) To evaluate users and groups.
“net user”
“net localgroup”
“net localgroup administrators”
“net start”
3.) Openfiles to evaluate active files.
C:> openfiles /local on
C:> openfiles /query /v
C:> openfiles /local off
4.) Netstat to evaluate network activity.
C:> netstat -nao
C:> netstat –s –p icmp
C:> netstat –na 2
5.) Find, to render a readable output.
C:> wmic process list brief /every:1 | find “cmd.exe”
C:> wmic startup list brief | find /i “hklm”
C:> openfiles /query /v | find /c /v “”
C:> netstat –nao 1 | find “2222”
6.) Tasklist to evaluate processes and DLL-files.
C:> tasklist /svc
C:> tasklist /m
7.) Reg to analyse the registry.
C:> reg query hklm\software\microsoft\windows\currentversion\run
8.) Ipconfig to evaluate DNS analysis.
C:> ipconfig /displaydns
9.) FOR /L to repeat certain commands
C:> for /L %[var] in ([start],[step],[stop]) do [command]
C:> for /L %i in (1,1,10) do @echo %i
C:> for /L %i in (1,0,2) do @tasklist
C:> for /L %i in (1,0,2) do @tasklist & ping --n 6 127.0.0.1 > nul
10.) To start admin GUIs trough the command line.
C:> lusrmgr.msc (local user manager)
C:> Secpol.msc (security policy manager)
C:> Services.msc (services control panel)
C:> Control (Configuration screen)
C:> Taskmgr.exe (task management)
C:> Explorer.exe (Windows Explorer)
C:> Eventvwr.msc (Windows Event Viewer)
enjoy,
polonus