Sunday, May 31, 2020

Using WMIC to communicate with remote hosts

We can manage user accounts and other system objects on a Windows computer using wmic commands. You can find commands for various operations below.

WMIC can collect a list of the currently running processes similar to what you’d see in “Task Manager” using the following command:
#wmic process list

Note that some of the WMIC built-ins can also be used in “brief” mode to display a less verbose output. The process built-in is one of these, so you could collect more refined output using the command:
#wmic process list brief

Start an Application
#wmic process call create "calc.exe"

Terminate an Application
#wmic process where name="calc.exe" call terminate

Change Process Priority
#wmic process where name="explorer.exe" call setpriority 64

Get List of Process Identifiers
#wmic process where (Name='svchost.exe') get name,processid

Find a specific Process
#wmic process list brief | find "cmd.exe"

You can collect a listing of the environment variables (including the PATH) with this command:
#wmic environment list


OS/System Report HTML Formatted
#wmic /output:c:\os.html os get /format:hform

Products/Programs Installed Report HTML Formatted
#wmic /output:c:\product.html product get /format:hform

Turn on Remote Desktop Remotely
#wmic /node:"servername" /user:"user@domain" /password:"password" RDToggle where ServerName="server name" call SetAllowTSConnections 1

Get Server Drive Space Usage Remotely (run inside a batch-file FOR loop, where %%A holds the current host name; MORE /E +2 skips the blank line and header row wmic prints for every host)
#WMIC /Node:%%A LogicalDisk Where DriveType="3" Get DeviceID,FileSystem,FreeSpace,Size /Format:csv | MORE /E +2 >> SRVSPACE.CSV

Get PC Serial Number
#wmic /node:<IP Address> bios get serialnumber

Get PC Product Number
#wmic /node:"HOST" baseboard get product

Find stuff that starts on boot
#wmic STARTUP GET Caption, Command, User

Reboot or Shutdown
#wmic os where buildnumber="2600" call reboot

Get Startup List
#wmic startup list full

Information About Harddrives
#wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Information about the OS
#wmic os get bootdevice, buildnumber, caption, freespaceinpagingfiles, installdate, name, systemdrive, windowsdirectory /format:htable > c:\osinfo.htm

Information about files (backslashes in the WQL path must be doubled)
#wmic path cim_datafile where "Path='\\windows\\system32\\wbem\\' and FileSize>1784088" > c:\filedetails.txt

The following global switches are available:
/NAMESPACE           Path for the namespace the alias operates against.
/ROLE                Path for the role containing the alias definitions.
/NODE                Servers the alias will operate against.
/IMPLEVEL            Client impersonation level.
/AUTHLEVEL           Client authentication level.
/LOCALE              Language id the client should use.
/PRIVILEGES          Enable or disable all privileges.
/TRACE               Outputs debugging information to stderr.
/RECORD              Logs all input commands and output.
/INTERACTIVE         Sets or resets the interactive mode.
/FAILFAST            Sets or resets the FailFast mode.
/USER                User to be used during the session.
/PASSWORD            Password to be used for session login.
/OUTPUT              Specifies the mode for output redirection.
/APPEND              Specifies the mode for output redirection.
/AGGREGATE           Sets or resets aggregate mode.
/AUTHORITY           Specifies the <authority type> for the connection.
/?[:<BRIEF|FULL>]    Usage information.
Use Case Examples 01:
Use of WMIC to query remote servers to get the hardware serial numbers.

In order to run against an entire subnet and output to a text document, I used the approach below. This helps me to verify the inventory of computers.

I placed the IP list after node: (node:ip1,ip2,ip3), or sometimes used a text file when the list is large (node:@file):

#wmic /node:@nodes.txt /user:administrator /password:mypassword /output:out.csv bios get serialnumber /format:csv
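The inventory command above writes its result with /format:csv, and the drive-space command earlier in the post does the same before piping through MORE /E +2. Both outputs share one quirk: wmic prints an empty line before the header row, and every row starts with a Node column. The script below is an added example (not the blog's code) that parses that CSV shape, reconciles the serial-number output against the nodes.txt list so that hosts that never answered stand out, and computes percent free from the LogicalDisk columns. The host names, serial numbers and sizes are constructed sample data, and the UTF-16 handling in load_wmic_csv is an assumption about how wmic /output: encodes files.

```python
"""Parse `wmic ... /format:csv` output and reconcile it with the node list.

Added example, not part of the original post. Sample data is constructed.
"""
import csv
import io


def parse_wmic_csv(text):
    """Return a list of dict rows from wmic /format:csv text.

    wmic emits an empty first line (the reason the post pipes through
    `MORE /E +2`) and CRLF line endings; both are stripped here.
    """
    lines = [ln.rstrip("\r") for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    return [dict(row) for row in csv.DictReader(io.StringIO("\n".join(lines)))]


def load_wmic_csv(path):
    """Read a file written via /output:. Assumption: wmic writes it as UTF-16 with a BOM."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw.startswith(b"\xff\xfe"):
        return parse_wmic_csv(raw.decode("utf-16"))
    return parse_wmic_csv(raw.decode("utf-8", errors="replace"))


def reconcile_inventory(rows, expected_nodes):
    """Map Node -> SerialNumber and list the expected nodes that returned no row.

    A missing node is usually offline, blocked (RPC/DCOM) or rejecting the
    credentials, so it needs a second look during an inventory check.
    """
    serials = {r["Node"].upper(): r.get("SerialNumber", "") for r in rows}
    missing = [n for n in expected_nodes if n.upper() not in serials]
    return serials, missing


def drive_usage(rows):
    """For LogicalDisk rows (DeviceID,FileSystem,FreeSpace,Size) return (node, drive, percent free)."""
    out = []
    for r in rows:
        size, free = int(r["Size"]), int(r["FreeSpace"])
        pct = round(100.0 * free / size, 1) if size else 0.0
        out.append((r["Node"], r["DeviceID"], pct))
    return out


# Constructed sample of what out.csv looks like after the use-case 01 command.
SAMPLE_OUTPUT = "\r\nNode,SerialNumber\r\nPC-0001,5CG1234ABC\r\nPC-0002,MXL9876XYZ\r\n"
SAMPLE_NODES = ["PC-0001", "PC-0002", "PC-0003"]  # contents of nodes.txt (constructed)
# Constructed sample of the LogicalDisk CSV from the drive-space command.
SAMPLE_DISKS = "\r\nNode,DeviceID,FileSystem,FreeSpace,Size\r\nSRV1,C:,NTFS,1000,5000\r\n"

if __name__ == "__main__":
    serials, missing = reconcile_inventory(parse_wmic_csv(SAMPLE_OUTPUT), SAMPLE_NODES)
    for node, serial in sorted(serials.items()):
        print(f"{node}\t{serial}")
    print("no response from:", ", ".join(missing))
    for node, drive, pct in drive_usage(parse_wmic_csv(SAMPLE_DISKS)):
        print(f"{node} {drive} {pct}% free")
```

Replace SAMPLE_OUTPUT with load_wmic_csv("out.csv") to run it against a real inventory file.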

Use Case Example 02:
While investigating suspicious behaviours recorded on Windows computers, I have sometimes seen entries like those shown below, which are suspicious:

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c start c:\windows\system32\<processname>.exe"

#wmic  /node:<IP ADDRESS> /user:<USERNAME> /password:<PASSWORD> process call create "cmd /c del c:\windows\system32\<processname>.exe"
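The two entries above are easy to pick out of process-creation telemetry (Windows Security event 4688 or Sysmon event 1 command lines) because the remote target, the credentials and the created command are all on one line. The script below is an added example, not part of the post, that parses wmic command lines, scores the remote "process call create" pattern the post describes, and never copies the /password: value into its output. The hosts, account and sample command lines are constructed.

```python
"""Flag remote WMIC process creation in recorded process command lines.

Added example, not from the original post. Sample command lines are constructed.
"""
import re

# wmic global switches look like /switch:value; the value may be quoted and the
# post shows a space is tolerated after the colon.
SWITCH_RE = re.compile(r'/(node|user|password)\s*:\s*(?:"([^"]*)"|(\S+))', re.IGNORECASE)
# `process call create "<command>"`: the created command is the quoted argument.
CREATE_RE = re.compile(r'\bprocess\s+call\s+create\s+"([^"]*)"', re.IGNORECASE)
LOCAL_NODES = {"", ".", "localhost", "127.0.0.1"}


def parse_wmic_cmdline(cmdline):
    """Return None unless cmdline is a wmic process creation; else its fields."""
    if not re.search(r'(^|\\|\s)wmic(\.exe)?\b', cmdline, re.IGNORECASE):
        return None
    m = CREATE_RE.search(cmdline)
    if not m:
        return None
    fields = {"node": "", "user": "", "created": m.group(1)}
    for sw in SWITCH_RE.finditer(cmdline):
        key = sw.group(1).lower()
        if key == "password":          # never carry credentials into an alert
            continue
        fields[key] = sw.group(2) if sw.group(2) is not None else sw.group(3)
    return fields


def assess(cmdline):
    """Return (score, reasons) for one command line; 0 means no wmic process creation."""
    info = parse_wmic_cmdline(cmdline)
    if info is None:
        return 0, []
    score, reasons = 1, ["wmic process creation"]
    if info["node"].lower() not in LOCAL_NODES:
        score += 2
        reasons.append(f"remote node {info['node']}")
    created = info["created"].lower()
    if re.search(r'^cmd(\.exe)?\s+/c\b', created):
        score += 1
        reasons.append("child command wrapped in cmd /c")
    if re.search(r'\b(del|erase|rd|rmdir)\b', created) and "system32" in created:
        score += 2
        reasons.append("deletes a file under system32")
    elif "system32" in created:
        score += 1                     # weak on its own; counts with the rest
        reasons.append("starts a binary under system32")
    return score, reasons


def scan(cmdlines, threshold=3):
    """Return [(score, cmdline, reasons)] for lines at or above threshold, highest first."""
    hits = [(s, cl, r) for cl in cmdlines for s, r in [assess(cl)] if s >= threshold]
    return sorted(hits, reverse=True)


# Constructed sample: the two patterns from the post plus two benign lines.
SAMPLE_CMDLINES = [
    r'wmic /node:10.0.0.25 /user:CORP\svc-backup /password:REDACTED process call create "cmd /c start c:\windows\system32\updsvc.exe"',
    r'wmic /node:10.0.0.25 /user:CORP\svc-backup /password:REDACTED process call create "cmd /c del c:\windows\system32\updsvc.exe"',
    r'wmic process list brief',
    r'C:\Windows\System32\wbem\WMIC.exe process call create "notepad.exe"',
]

if __name__ == "__main__":
    for score, cl, reasons in scan(SAMPLE_CMDLINES):
        print(score, "|", "; ".join(reasons), "|", cl)
```

The thresholds are deliberately simple; the point is that node, user and child command are extracted as separate fields so a rule can key on the remote target rather than on the whole string.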

Saturday, May 30, 2020

Searching Through /var/log Folder

To check for all user logins and logouts
#last -f /var/log/wtmp

wtmp is a file on the Linux, Solaris, and BSD operating systems that keeps a history of all logins and logouts. On Linux systems it is located at /var/log/wtmp. Various commands access wtmp to report login statistics, including the who and lastb commands.

To check for failed login attempts

#last -f /var/log/btmp
btmp logs failed login attempts to your system. In theory this could mean someone is trying to brute-force passwords. You can empty this file but should not remove it, since software that expects the file to be there could crash.

Using ausearch
Searching for user SSH login attempts in the audit logs, located in the audit log folder (/var/log/audit).
# ausearch --input <filename> -i | grep -i sshd | grep -i USER_AUTH
USER_AUTH is triggered when a user-space authentication attempt is detected.
  • -i, --interpret                  Interpret results to be human readable
  • -if, --input <filename>          Specify the file name rather than the default audit file
  • -a, --event <audit event id>     Search based on audit event id
  • -gi, --gid <group id>            Search based on group id
  • -ui, --uid <user id>             Search based on user id
  • --session <login session id>     Search based on login session id
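The ausearch pipeline above narrows the audit log to sshd USER_AUTH records; what a responder then wants is the count of failures per source address, which is the same brute-force question the btmp paragraph raises. The script below is an added example (not the post's own) that parses raw /var/log/audit/audit.log records, including the nested msg='...' part where acct, addr and res live, and reports addresses with repeated sshd failures. The timestamps, addresses and account names are constructed; the assumption is the raw log format, not the ausearch -i interpreted form.

```python
"""Count failed sshd authentications per source address from raw audit.log lines.

Added example, not part of the original post. Sample records are constructed.
"""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; values may be bare, double-quoted, or (for msg=) single-quoted.
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")


def parse_audit_record(line):
    """Turn one raw audit line into a flat dict; nested msg='...' fields are merged in."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "time": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, val in KV_RE.findall(m.group("body")):
        if key == "msg" and val.startswith("'"):
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec[k2] = v2.strip('"')
        else:
            rec[key] = val.strip('"')
    return rec


def failed_ssh_logins(lines):
    """Return {addr: [acct, ...]} for every USER_AUTH record from sshd with res=failed."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_audit_record(line)
        if not rec or rec["type"] != "USER_AUTH":
            continue
        if rec.get("exe") != "/usr/sbin/sshd" or rec.get("res") != "failed":
            continue
        failures[rec.get("addr", "?")].append(rec.get("acct", "?"))
    return dict(failures)


def brute_force_candidates(lines, threshold=3):
    """Addresses with at least `threshold` failed sshd logins, most failures first."""
    counts = {addr: len(accts) for addr, accts in failed_ssh_logins(lines).items()}
    return sorted((a for a, n in counts.items() if n >= threshold), key=lambda a: -counts[a])


# Constructed sample records in the raw audit.log layout (no SELinux subj= field).
SAMPLE_AUDIT_LOG = """
type=USER_AUTH msg=audit(1590832101.123:4521): pid=2231 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590832104.410:4523): pid=2235 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="admin" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590832107.902:4525): pid=2239 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="oracle" exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590832150.001:4530): pid=2250 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1590832158.330:4532): pid=2254 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="alice" exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1590832158.900:4535): pid=2254 uid=0 auid=1000 ses=12 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=198.51.100.7 addr=198.51.100.7 terminal=/dev/pts/0 res=success'
""".strip().splitlines()

if __name__ == "__main__":
    for addr, accts in failed_ssh_logins(SAMPLE_AUDIT_LOG).items():
        print(f"{addr}: {len(accts)} failures, accounts tried: {sorted(set(accts))}")
    print("brute-force candidates:", brute_force_candidates(SAMPLE_AUDIT_LOG))
```

To run it on a real system, replace SAMPLE_AUDIT_LOG with the lines of /var/log/audit/audit.log; the USER_LOGIN record is included to show that only USER_AUTH is counted.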

tty entries are direct connections to the computer, such as the console keyboard or a serial line to the device. pts entries are pseudo-terminals, which is how SSH and telnet sessions appear.

Some of the useful audit record types are listed below.
Audit Record Types:
  • ADD_USER    Triggered when a user-space user account is added.
  • CRED_ACQ    Triggered when a user acquires user-space credentials.
  • CRED_DISP    Triggered when a user disposes of user-space credentials.
  • CRED_REFR    Triggered when a user refreshes their user-space credentials.
  • CRYPTO_KEY_USER    Triggered to record the cryptographic key identifier used for cryptographic purposes.
  • CRYPTO_LOGIN    Triggered when a cryptographic officer login attempt is detected.
  • CRYPTO_LOGOUT    Triggered when a crypto officer logout attempt is detected.
  • DEL_GROUP    Triggered when a user-space group is deleted.
  • DEL_USER    Triggered when a user-space user is deleted.
  • SYSTEM_RUNLEVEL    Triggered when the system's run level is changed.
  • SYSTEM_SHUTDOWN    Triggered when the system is shut down.
  • USER_LOGIN    Triggered when a user logs in.
  • USER_LOGOUT    Triggered when a user logs out.
  • USER_START    Triggered when a user-space session is started.

Regex with gedit
To check for any POST requests in the web log files on a given date, the regexes below can be used in gedit's Find dialog with regular expressions enabled.
At least one word should match: ^.*(21/May/2020|POST).*$
Both words should match: ^(?=.*21/May/2020)(?=.*POST).*$
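The difference between the two patterns (alternation matches a line containing either term, the chained lookaheads require every term, in any order) is easiest to see by running them over a few log lines. The script below is an added example, not part of the post, that builds both pattern kinds for any list of terms and applies them to constructed Apache-style access log lines; it goes slightly beyond the post by escaping the terms so that a term containing regex metacharacters is matched literally.

```python
"""Build "any term" and "all terms" line filters and run them over log lines.

Added example, not from the original post. The log lines are constructed.
"""
import re


def any_term_pattern(terms):
    """^.*(t1|t2).*$ : the line matches if it contains at least one term."""
    return re.compile(r"^.*(" + "|".join(re.escape(t) for t in terms) + r").*$")


def all_terms_pattern(terms):
    """^(?=.*t1)(?=.*t2).*$ : every lookahead must succeed, so all terms must be present."""
    return re.compile("^" + "".join(rf"(?=.*{re.escape(t)})" for t in terms) + ".*$")


def filter_lines(pattern, lines):
    """Return the lines the compiled pattern matches (what gedit highlights)."""
    return [ln for ln in lines if pattern.search(ln)]


# Constructed access-log lines: one POST on the date, one GET on the date, one POST the day before.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/May/2020:10:15:01 +0000] "POST /login HTTP/1.1" 200 512',
    '203.0.113.5 - - [21/May/2020:10:15:03 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '198.51.100.7 - - [20/May/2020:23:59:58 +0000] "POST /upload HTTP/1.1" 403 0',
]
TERMS = ["21/May/2020", "POST"]

if __name__ == "__main__":
    print("any term :", len(filter_lines(any_term_pattern(TERMS), SAMPLE_LOG)), "lines")
    print("all terms:", filter_lines(all_terms_pattern(TERMS), SAMPLE_LOG))
```

The patterns are case-sensitive as written, so 21/MAY/2020 would not match these lines unless case-insensitive matching is switched on.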

Reference:
Red Hat audit record types:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types