Err, TMPFILE location search was..

wmic environment list /format:list
Another handy one.. Need to find if a patch or "QFE" is installed? And on what date and by whom? Try...

wmic qfe list brief /format:list

Cheers,

Chris.

On Fri, Sep 3, 2010 at 10:25 AM, Chris Keladis <[email protected]> wrote:
> No worries.
>
> I nearly forgot, you don't even need to install SysInternals "pslist" to copy a process-list to a share. Windows (from XP on, I think) gives you the tool already (see "tasklist" command).
>
> Something like "tasklist > X:\my\network\share\user1_machine10.txt"
>
> Also do variations like "tasklist /svc" to see services and their dependencies.
>
> You can use the "wmic" tool locally or even remotely to pull info out of machines (assuming the malware hasn't impacted WMI operating or subverted its results).
>
> Get a list of popular auto-run locations..
>
> wmic startup list brief
>
> Or a more detailed list..
>
> wmic startup list full
>
> Put it in a nice HTML on a share..
>
> wmic /output:Z:\share\user1_machine10_autoruns.htm startup list full /format:hform.xsl
>
> Need the machine's BIOS info? Easy..
>
> wmic bios get /format:list
>
> Drives inside the machine?
>
> wmic diskdrive list brief /format:list
>
> Need to find TMPFILE locations malware likes to hide in?
>
> wmic diskdrive list brief /format:list
>
> And so on.. "wmic" will auto-install (no CD or CABs required) if never used before, and you can remotely query machines on your LAN to gather info via WMI to perform triage, assuming they're XP or newer.
>
> WMI can be installed as an add-on for prior releases.
>
> All with no additional software installed. In your case however, keep in mind the malware may have broken WMI and will likely require manual clean-up.
>
>
> Cheers,
>
> Chris.
>
>
> On Fri, Sep 3, 2010 at 7:20 AM, Tyler Robinson <[email protected]> wrote:
>> Thanks, that is awesome advice. I am starting there and running OSSIM and trying to analyze. Ya, I could use 2 more people for sure, but thanks everyone again; the advice given is invaluable. Keep any ideas coming, I will be trying a lot of things and hopefully can post what works and my experience to help others.
>> TR
>>
>> On Sep 2, 2010 3:08 PM, "Chris Keladis" <[email protected]> wrote:
>>> On Fri, Sep 3, 2010 at 5:24 AM, Tyler Robinson <[email protected]> wrote:
>>>
>>> Hey Tyler,
>>>
>>>> Thanks everyone for all the ideas. The environment has about 350 machines at least, all on a flat domain; can't VLAN due to stupid software configurations. I have several systems that have to be live all the time (911 systems) and VMware ESX servers in a cluster. Any other suggestions are again so much appreciated; I am willing to try just about anything right now. I have a lot of angry users right now due to network performance (for their Facebooking, I am sure) wanting this fixed, and the sheriff's department has its busiest week of the year starting Sat, so please, no idea will not be tried.
>>>
>>> Ouch! Sounds like you need more hands and eyes on the problem :)
>>>
>>> The only thing I can think of, bar running around to 350 PCs, is maybe sample a few to understand what malware you've got going on.
>>>
>>> Make use of Microsoft's (ex-Sysinternals) tools to investigate. AutoRuns, ProcExp, etc etc.
>>>
>>> One handy tip when using ProcExp: don't "kill" malicious processes, rather "pause" or "freeze" them. Most malware these days has SIGKILL handlers to spawn their cousins when they're killed and you end up with more problems.
>>>
>>> Once you understand what you've got going on you can perhaps download a removal tool and make everyone run it.
>>>
>>> Also keep in mind sensitive information may have been leaked by the malware, so once you have a handle on the situation, change ALL passwords, and follow up on anything important that might have leaked out of the organization (this may have ramifications down the track).
>>>
>>> Most malware infections these days aren't one-offs (they use droppers, stagers, load root-kits and other add-ons), so you can try to control the primary infection on the LAN, but at some point manual review will be needed as well, e.g. booting off a USB key/CD and checking for rootkits etc etc..
>>>
>>> Also tell people to stop using any form of removable media to avoid the (re)spread in or out of the organization, until you get a handle on the situation.
>>>
>>> Maybe you can script something and use Sysinternals tools like "pslist" to copy a process list to a share you can then analyze further? Maybe set up a job via the RunOnce reg-key or Scheduler and ask everyone to reboot (RunOnce) or wait (Scheduler), so you at least get a peek into the processes running and can make a plan of attack.
>>>
>>> Hope I've given you some practical advice; unfortunately, since the previous admin hadn't set up controls to mitigate, you face a very difficult task.
>>>
>>> But, this disaster may give you the ammunition you need to make improvements! :)
>>>
>>>
>>> Cheers,
>>>
>>> Chris.
>>> _______________________________________________
>>> Pauldotcom mailing list
>>> [email protected]
>>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>>> Main Web Site: http://pauldotcom.com
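The thread suggests scripting the collection (tasklist to a share, the wmic startup/qfe/environment/bios/diskdrive queries) and pushing it out through the RunOnce key or the Scheduler so one person can triage 350 hosts from a single folder. The batch file below is an added example that ties those commands together; it is not code from the thread or from Chris. The share \\fileserver\triage$ and the per-host folder layout are assumptions, and the netstat -ano line goes one step beyond the commands listed in the thread (it pairs the listening sockets with the PIDs in the tasklist output). It uses the corrected "wmic environment" query for TMP/TEMP locations rather than the diskdrive query quoted above.

```batch
@echo off
REM triage_collect.cmd - added example, not from the thread.
REM Gathers the process list, service map, autoruns, hotfix list,
REM environment variables and hardware info into one folder per host
REM on a share, so a single analyst can review every machine.
REM
REM Assumptions (hypothetical, not stated in the thread):
REM   \\fileserver\triage$ is a share that domain users can write to.
REM   Set the NTFS ACLs so each host can create its own folder but not
REM   read or modify other hosts' output; an infected host should not be
REM   able to tamper with evidence collected from its neighbours.
REM
REM Deploy via HKLM\...\RunOnce or a scheduled task, as Chris suggests.
REM If WMI itself has been subverted by the malware, the wmic output is
REM not trustworthy; the tasklist/netstat files give a second view.

setlocal
set SHARE=\\fileserver\triage$
set OUT=%SHARE%\%COMPUTERNAME%_%USERNAME%

if not exist "%OUT%" mkdir "%OUT%"
if not exist "%OUT%" (
    echo %DATE% %TIME% cannot create %OUT% >> "%TEMP%\triage_error.txt"
    exit /b 1
)

REM Who/when/what, so the folder is self-describing.
echo Collected %DATE% %TIME% on %COMPUTERNAME% by %USERNAME% > "%OUT%\info.txt"
ver >> "%OUT%\info.txt"

REM Built-in process list (no pslist needed) plus the service-to-PID map.
tasklist /v   > "%OUT%\tasklist.txt"
tasklist /svc > "%OUT%\tasklist_svc.txt"

REM Listening/connected sockets with owning PIDs (beyond the thread's list).
netstat -ano  > "%OUT%\netstat.txt"

REM Auto-run locations, both as HTML (hform.xsl ships with wmic) and text.
wmic startup list full /format:hform.xsl > "%OUT%\autoruns.htm"
wmic startup list full /format:list      > "%OUT%\autoruns.txt"

REM Installed hotfixes (QFE): which ones, installed when and by whom.
wmic qfe list brief /format:list         > "%OUT%\qfe.txt"

REM Environment variables, including TEMP/TMP that malware drops into.
wmic environment list /format:list       > "%OUT%\environment.txt"

REM Hardware identification for the inventory.
wmic bios get /format:list               > "%OUT%\bios.txt"
wmic diskdrive list brief /format:list   > "%OUT%\diskdrive.txt"

endlocal
exit /b 0
```

Redirecting with ">" is used throughout instead of wmic's /output: switch so that paths containing spaces can be quoted uniformly; the result is the same. Note that wmic writes its redirected output as UTF-16 text, which Notepad reads fine but findstr does not, so convert those files before grepping across the whole share.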
