After a few years of working in emergency response, I think it is useful to summarize a "methodology" for quickly determining whether a computer is infected with Trojans or viruses. It is obviously not that simple, but I find that in almost all of the less sophisticated attacks the infection shows up in one of these places, and if you perform the following checks you can find an infection and kill it quickly. All of this can be done from an administrator command prompt using the built-in Windows command-line tools.
1. WMIC startup items
Windows already has a very powerful tool, wmic, and it makes surveying the startup items easy. Simply open a command prompt and enter "wmic startup list full". Here is a real example; guess which item does not belong. Would it be the one in the local temporary folder? Yes. If you know what should be in the list and where it normally runs from, you can stop here; it is usually that simple. Locate the program, look up its hash on malwr.com or VirusTotal to see whether it has been flagged as malicious, and then delete it.
2. DNS cache
Open a command prompt and enter "ipconfig /displaydns". Scan through the cached entries: does anything look out of place? Look up the domain names, and the IPs they resolved to, on VirusTotal or elsewhere to see whether any malware samples are associated with them. If there are, you are almost certainly infected. Here's a ready-made example:
3. WMIC process list
This is another popular WMIC query. Type "wmic process list full | more", or for more compact but wider output "wmic process get description,processid,parentprocessid,commandline /format:csv". Look for things that run from strange places, and for malicious-looking programs with random or odd names.
4. WMIC service list
This one can be hard to use if you don't know what you're looking for, but it is a convenient way to spot malware by its path or EXE name. The format is similar to the others, or you can use the more specific "get" form. Enter "wmic service list full | more" or "wmic service get name,processid,startmode,state,status,pathname /format:csv". Here's a small example that shows only the service name and path.
5. WMIC job list
This is the item least likely to turn anything up, because most malware doesn't need scheduled jobs, but some variants, such as Mplug, are easy to detect this way. Enter "wmic job list full"; a response of "No Instances Available" means that no scheduled jobs are registered.
6. netstat
Don't forget the basics: is that IP Google, or stealyourbanknumber.su? "netstat -abno" produces output you may need to search through, but even so you can look for exotic external port numbers, such as 25, 8080, 6667, and so on.
The netstat switches are as follows:
-a displays all connections and listening ports
-b displays the executable involved in creating each connection or listening port
-n displays addresses and port numbers in numeric form
-o displays the process ID that owns each connection
7. Batch file version
How about doing all of these wmic things in a simple, repeatable way and generating a report? I've already done it. Throw everything into a batch file, take a hostname parameter, and you can even use it across the network, with the appropriate permissions on the other computers, for remote triage.
This script gives you a clearer picture with HTML-formatted output, starting with basic information about the computer:
wmic /node:%1 computersystem get model,name,username,domain /format:htable > c:\triage-%1.html
wmic /node:%1 startup list full /format:htable >> c:\triage-%1.html
wmic /node:%1 process get description,processid,parentprocessid,commandline /format:htable >> c:\triage-%1.html
wmic /node:%1 service get name,processid,startmode,state,status,pathname /format:htable >> c:\triage-%1.html
wmic /node:%1 job list full /format:htable >> c:\triage-%1.html
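To make the "look for things that run from strange places" step of the process list (section 3) and of this report repeatable, here is an added example, not part of the original post, that parses the CSV output of the process query and flags suspicious image paths. The sample output, the list of suspicious directories and the expected-location table are constructed assumptions; feed it the saved output of "wmic process get description,processid,parentprocessid,commandline /format:csv" to run it against a real host.

```python
import re

# Constructed sample of "wmic process get description,processid,parentprocessid,commandline
# /format:csv" output: wmic prepends a Node column and orders the properties alphabetically.
SAMPLE_CSV = """
Node,CommandLine,Description,ParentProcessId,ProcessId
WS01,C:\\Windows\\Explorer.EXE,explorer.exe,812,1304
WS01,"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -osint -url "http://x,y",firefox.exe,1304,2208
WS01,C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe -k netsvcs,svchost.exe,1304,3172
WS01,C:\\Windows\\System32\\svchost.exe -k netsvcs,svchost.exe,612,904
WS01,C:\\Users\\bob\\Downloads\\a8f3kd2q.exe,a8f3kd2q.exe,2208,3388
"""

# Assumed: directories a system binary should never run from, and where well-known
# Windows binaries really live (a same-named binary anywhere else is a masquerade).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
EXPECTED_LOCATION = {"svchost.exe": "c:\\windows\\system32\\", "explorer.exe": "c:\\windows\\"}

def parse_wmic_csv(text):
    """wmic leaves CommandLine unquoted and it may contain commas: peel the fixed columns off both ends."""
    rows = []
    for line in map(str.strip, text.strip().splitlines()[1:]):  # skip header; wmic emits \r\r\n
        if not line:                                              # ... which yields blank lines
            continue
        node, rest = line.split(",", 1)
        cmd, desc, ppid, pid = rest.rsplit(",", 3)
        rows.append({"node": node, "cmd": cmd, "name": desc.lower(), "ppid": int(ppid), "pid": int(pid)})
    return rows

def image_path(cmd):
    """Executable path from a command line: the first quoted or whitespace-delimited token."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', cmd)
    return (m.group(1) or m.group(2)).lower() if m else ""

def triage(rows):
    """Return {pid: (image path, [reasons])} for the processes that deserve a closer look."""
    findings = {}
    for r in rows:
        path, reasons = image_path(r["cmd"]), []
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a temporary or user-writable directory")
        expected = EXPECTED_LOCATION.get(r["name"])
        if expected and not path.startswith(expected):
            reasons.append(f"{r['name']} outside {expected}")
        stem = r["name"].rsplit(".", 1)[0]   # e.g. "a8f3kd2q": long, alphanumeric, digit-laden
        if len(stem) >= 8 and stem.isalnum() and sum(c.isdigit() for c in stem) >= 2:
            reasons.append("random-looking executable name")
        if reasons:
            findings[r["pid"]] = (path, reasons)
    return findings
```

On the sample above it flags the svchost.exe copy in the user's Temp folder and the randomly named binary in Downloads, and leaves the real svchost.exe, explorer.exe and firefox.exe alone.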