Monday, 2 November 2015

Malware Analysis Script - Based on "Know your processes or die trying"

I am trying to build a script that automates the checks from the excellent "Know your processes or die trying" post on the sysforensics.org blog, together with the process baselines on the "know good find evil" SANS poster.

The script can be run against a remote machine on which the user has admin privileges; it uses WMI (via wmic) and tasklist. Save the script as a .bat file and pass it the name of the computer to run it against.

@echo off
setlocal
:: Usage: run this .bat with the target computer name as the only argument (needs admin rights on the target)

echo ********SUSPICIOUS SMSS*******
:: smss.exe should be a child of the System process (PID 4) - anything else is suspect
wmic /node:%1 process where 'name="smss.exe" and parentprocessid!="4"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS WININIT*******
:: Check for wininit.exe running with a non-zero session id - there should not be any!
wmic /node:%1 process where 'name="wininit.exe" and sessionid!="0"' get executablepath,processid,parentprocessid 2>nul

echo ********SUSPICIOUS SERVICES.EXE*******
:: Check for services.exe running with a non-zero session id - there should not be any!
wmic /node:%1 process where 'name="services.exe" and sessionid!="0"' get executablepath,processid,parentprocessid 2>nul
:: For comparison, the legitimate session 0 instance can be listed with:
::wmic /node:%1 process where 'name="services.exe" and sessionid="0"' get executablepath,processid,parentprocessid

echo ********SUSPICIOUS SVCHOST.EXE*******
:: Check for svchost.exe not running from C:\WINDOWS\system32\svchost.exe - there should not be any!
:: /c: makes findstr match the path literally; without it the backslashes are read as regex escapes and nothing gets excluded
wmic /node:%1 process list full 2>nul | findstr "ExecutablePath" | findstr /i "svchost" | findstr /i /v /c:"ExecutablePath=C:\WINDOWS\system32\svchost"

echo ********Is ParentProcessID of svchost same as the processid of services.exe*******
:: Take the PID of services.exe from tasklist (second column), then list every svchost.exe whose parent is not that PID
for /F "tokens=2" %%i in ('tasklist /S %1 /NH /FI "imagename eq services.exe"') do set ppid=%%i
wmic /node:%1 process where "ExecutablePath like '%%svchost%%' and parentprocessid!=%ppid%" get executablepath,processid,parentprocessid 2>nul
endlocal
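
The same baseline rules applied in one pass to a saved process snapshot, as an added example that is not part of the original post: it assumes the snapshot is the CSV that `wmic process get executablepath,name,parentprocessid,processid,sessionid /format:csv` writes (the embedded sample is constructed, with made-up host name, PIDs and paths), and it takes the services.exe PID from the same snapshot instead of a separate tasklist call.

```python
import csv
import io

# Constructed sample in the layout wmic's /format:csv emits: a leading blank line,
# a Node column, then the requested properties in alphabetical order.
# Host name, paths and PIDs are made up for this example.
SNAPSHOT = """
Node,ExecutablePath,Name,ParentProcessId,ProcessId,SessionId
HOST1,,System,0,4,0
HOST1,C:\\Windows\\System32\\smss.exe,smss.exe,4,320,0
HOST1,C:\\Windows\\System32\\wininit.exe,wininit.exe,400,480,0
HOST1,C:\\Windows\\System32\\services.exe,services.exe,480,560,0
HOST1,C:\\Windows\\System32\\svchost.exe,svchost.exe,560,700,0
HOST1,C:\\Users\\bob\\AppData\\Local\\Temp\\svchost.exe,svchost.exe,1200,2100,1
HOST1,C:\\Windows\\System32\\svchost.exe,svchost.exe,2100,2200,1
HOST1,C:\\Windows\\smss.exe,smss.exe,2100,2300,1
"""


def parse_snapshot(text):
    """Turn wmic CSV output into a list of dicts with typed, lower-cased fields."""
    procs = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        procs.append({"name": row["Name"].lower(),
                      "path": (row["ExecutablePath"] or "").lower(),
                      "pid": int(row["ProcessId"]), "ppid": int(row["ParentProcessId"]),
                      "session": int(row["SessionId"])})
    return procs


def find_suspicious(procs, system_root="C:\\Windows"):
    """Apply the post's five baseline rules; returns a list of (pid, reason) tuples."""
    services_pids = {p["pid"] for p in procs if p["name"] == "services.exe"}
    expected_svchost = (system_root + "\\System32\\svchost.exe").lower()
    findings = []
    for p in procs:
        name, pid = p["name"], p["pid"]
        if name == "smss.exe" and p["ppid"] != 4:
            findings.append((pid, "smss.exe parent is not the System process (PID 4)"))
        elif name == "wininit.exe" and p["session"] != 0:
            findings.append((pid, "wininit.exe running outside session 0"))
        elif name == "services.exe" and p["session"] != 0:
            findings.append((pid, "services.exe running outside session 0"))
        elif name == "svchost.exe":
            if p["path"] != expected_svchost:
                findings.append((pid, "svchost.exe not started from %s" % expected_svchost))
            if p["ppid"] not in services_pids:
                findings.append((pid, "svchost.exe parent is not services.exe"))
    return findings
```

Feed `parse_snapshot` the text of a real export and print whatever `find_suspicious` returns; on the sample it flags the Temp-folder svchost.exe twice (path and parent), the svchost.exe it spawned, and the smss.exe running under it.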


I will update this as I find time to test and build upon this.
