Find A Windows Infection Quickly Without Tools

Note: Part 2 of this article is now posted here.

After several years doing incident response, I thought it would be useful to give a short list of my go-to actions for quickly determining if a computer is infected. This obviously isn't foolproof but I find that in almost all non-sophisticated attacks, performing the following checks will highlight a present infection and can quickly lead to the details on finding and killing it. All of these things can be done from an administrator command prompt with built in Windows command line features. In a 2nd post later on, I will write about further things that can be done given a prepared set of tools.

WMIC Startup Items

Windows has a very powerful built in tool - WMIC, that will, among other things on this list, easily dump startup items for you to investigate. Just open up a command prompt and type wmic startup list full. Here's a real example, guess which item doesn't belong, perhaps the thing running from the Local\Temp folder? Yes. If you know what should be in the list and where things normally run from, often it's this easy and you can stop right here. Find the program, look up it's hash on malwr.com or VirusTotal, see what else it drops and remove it.

DNS Cache

Stay at that open command prompt and type ipconfig /displaydns. These are the domains that have been recently resolved, see anything that looks odd? Search the domain name and IP it resolved to on VirusTotal/elsewhere and see if any samples contact it, if so, you can bet you're infected. Here's a made up example:

WMIC Process List

Another WMIC favorite, type wmic process list full | more, or the more compact output, but longer to type version:

wmic process get description,processid,parentprocessid,commandline /format:csv

Look for things running in odd places or malicious/random/odd-looking process names.

WMIC Service List

This one can be harder if you don't know what you're looking at, but it's easy to check and often malware is still easily found by the path or exe name. The format is the same as others, or you can go more specific with the "get" version.

wmic service list full | more

or

wmic service get name,processid,startmode,state,status,pathname /format:csv

Here's a minimal example showing only the service name and path:

WMIC Job List

This one is less likely to find anything because most malware doesn't use jobs, but some versions of things like MPlug do, and once again it's easy enough to check. wmic job list full You'll probably receive a No Instance(s) Available response which means there are no jobs scheduled.

Windows Prefetch

You may or may not have this feature turned on if you have an SSD, but if you do, it's an easy list of the last 128 executables run. Check the names of the ".pf" files in the C:\Windows\Prefetch folder. The names of each .pf file are created from the executable file name + a hash of the path where it was run. These files also store the run count and dates it was first and last run, although extracting this information might require extra tools. Further information on prefect files is here if you're interested.

Netstat

Don't forget the basics, even though the output takes some searching to find out if that IP is Google or stealyourbanknumber.su. netstat -abno. Also look for odd port numbers going to external sites, 25, 8080, 6667, etc.

The netstat switches are:

-a Displays all connections and listening ports.
-b Displays the executable involved in creating each connection or listening port.
-n Displays addresses and port numbers in numerical form.
-o Displays the owning process ID associated with each connection.

Batch File Version

How about doing these WMIC things in a simple repeatable way the produces a report, I've got that too. Throw the following in a batch file and feed it a hostname argument, you can even use this over a network, given the proper permissions on the other computers, for easy remote assessment. This script will give you a decent looking HTML formatted output including information on the computer you got it from.

wmic /node:%1 computersystem get model,name,username,domain /format:htable > c:\triage-%1.html
wmic /node:%1 startup list full /format:htable >> c:\triage-%1.html
wmic /node:%1 process get description,processid,parentprocessid,commandline /format:htable >> c:\triage-%1.html
wmic /node:%1 service get name,processid,startmode,state,status,pathname /format:htable >> c:\triage-%1.html
wmic /node:%1 job list full /format:htable >> c:\triage-%1.html