a guest
Jun 21st, 2018
wmic path msft_providers get hostinggroup,hostprocessidentifier,namespace,provider,user /format:list
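The wmic line above lists which provider each WmiPrvSE.exe instance is hosting, but you still have to match the HostProcessIdentifier against the PID that is spiking in Task Manager by hand. The following PowerShell script is an added example (not part of the original paste) that does that join: it queries the same MSFT_Providers class in root\cimv2 and prints, for each WmiPrvSE.exe process sorted by CPU time, the providers, namespaces, hosting groups and user accounts it hosts. It assumes Windows PowerShell 3.0 or later for Get-CimInstance and an elevated session.

```powershell
# Added example, not from the original paste: tie each WmiPrvSE.exe instance
# to the WMI providers it hosts, so the spiking PID maps to a provider/namespace.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated session.

# Same data as "wmic path msft_providers get ..." but as objects.
$providers = Get-CimInstance -Namespace root\cimv2 -ClassName MSFT_Providers |
    Select-Object HostProcessIdentifier, HostingGroup, Namespace, Provider, User

# Live WmiPrvSE.exe instances; CPU is accumulated processor seconds.
$hosts = Get-Process -Name WmiPrvSE -ErrorAction SilentlyContinue |
    Select-Object Id, CPU, WorkingSet64

foreach ($h in ($hosts | Sort-Object CPU -Descending)) {
    "WmiPrvSE.exe PID {0}  CPU(s)={1:N1}  WorkingSet={2:N0} MB" -f `
        $h.Id, $h.CPU, ($h.WorkingSet64 / 1MB)

    $hosted = $providers | Where-Object { $_.HostProcessIdentifier -eq $h.Id }
    if (-not $hosted) {
        "    (no provider currently registered against this PID)"
        continue
    }
    foreach ($p in $hosted) {
        "    {0,-40} {1,-22} {2,-28} {3}" -f $p.Provider, $p.Namespace, $p.HostingGroup, $p.User
    }
}
```

The process at the top of the output is the one to capture traffic for in the Netmon steps that follow; a single WmiPrvSE.exe can host several providers, which is why the Netmon capture is still needed to see the actual query and its source address.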
  2.  
Step-by-step:
1. Computer is slow, so you sort Task Manager by CPU and see WmiPrvSE.exe is spiking.
2. Download Network Monitor 3.4 and take a capture while WmiPrvSE.exe is spiking.
3. In Netmon select "Parser Profiles", then "NetworkMonitor Parsers", then "Windows" to include the WMI parser.
4. Type "WMI" in the Display Filter and click Apply to view just WMI traffic.
5. The frame with description "WMI:IWbemServices:ExecQuery Request" shows the IP address of the remote computer making the WMI query (Ipv4: Src = <IP address> in Frame Details).
6. Expand "WMI: IWbemServices:ExecQuery Request" in Frame Details and look at the StrQuery field for the specific WMI query being made (Select * From SomeWMIClass).
7. Go to the remote machine with that source address and sort Task Manager by CPU to see if Wscript.exe or Cscript.exe is running (other processes can make WMI queries, but VBS scripts run in either Wscript or Cscript, and they are a common source of WMI queries).
8. "Netstat -anob" shows which processes are connecting to a foreign address matching the IP address of the computer where WmiPrvSE.exe is spiking.
9. "Wmic process get commandline" shows the command line for running processes, which for Wscript/Cscript would include the name and location of the script, for example: "C:\WINDOWS\System32\CScript.exe" "C:\Scratch\BadScript.vbs"

Note that if the WMI authentication level is packet privacy (pktPrivacy), you will still see the source IP address, but the WMI query string (Select * From Whatever) will be encrypted and not visible in the network capture. WBEMTEST defaults to just "packet" when connecting, but the WMIC command-line tool defaults to pktPrivacy. For scripts, it depends on how they make the connection to WMI; for example, this VBScript code would result in encrypted query strings because pktPrivacy is specified:
Set objWMIService = GetObject("winmgmts:{authenticationLevel=pktPrivacy}!root\cimv2")
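Steps 7 to 9 are run on the remote machine whose address showed up as Ipv4: Src in the capture. The following PowerShell function is an added example (not part of the original paste) that performs those three steps together: it lists the local processes holding TCP connections to the affected host (the "netstat -anob" step, with the owning process already resolved to a name and command line), and then lists every running wscript.exe/cscript.exe with its command line so the .vbs path is visible. The parameter name AffectedHost and the function name are my own; the value you pass is a placeholder for the IP address of the computer where WmiPrvSE.exe is spiking. It assumes Windows 8/Server 2012 or later for Get-NetTCPConnection and an elevated session.

```powershell
# Added example, not from the original paste. Run on the suspected remote
# machine (the Netmon source address). Assumes Get-NetTCPConnection
# (Windows 8 / Server 2012+) and an elevated session so command lines and
# owning PIDs of other users' processes are readable.
function Find-WmiQuerySource {
    param(
        # Placeholder: IP address of the host whose WmiPrvSE.exe is spiking.
        [Parameter(Mandatory = $true)][string]$AffectedHost
    )

    # Step 8 equivalent of "netstat -anob": local TCP connections whose
    # remote end is the affected host, joined to the owning process.
    Write-Output "== Processes with TCP connections to $AffectedHost =="
    $conns = Get-NetTCPConnection -RemoteAddress $AffectedHost -ErrorAction SilentlyContinue
    foreach ($c in $conns) {
        $proc = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
        [pscustomobject]@{
            LocalPort   = $c.LocalPort
            RemotePort  = $c.RemotePort     # 135 = RPC endpoint mapper, then a dynamic port
            State       = $c.State
            ProcessId   = $c.OwningProcess
            Name        = $proc.Name
            CommandLine = $proc.CommandLine
        }
    }

    # Step 9 equivalent of "wmic process get commandline", restricted to the
    # script hosts from step 7; the command line carries the .vbs path.
    Write-Output "== Running script hosts =="
    Get-CimInstance -ClassName Win32_Process `
        -Filter "Name = 'wscript.exe' OR Name = 'cscript.exe'" |
        Select-Object ProcessId, ParentProcessId, CreationDate, CommandLine
}

# Usage (placeholder address):
# Find-WmiQuerySource -AffectedHost '192.0.2.10'
```

If the connection list is empty but a script host is running, the query may be issued over short-lived connections that close between polls; re-run the function while WmiPrvSE.exe on the affected host is at its peak, or fall back to the Netmon capture on the remote side as well.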