Get Process List with Command Line Arguments - Security Boulevard

Get Process List with Command Line Arguments

One of the most useful things when doing post exploitation on Linux is grabbing a full process list. One reason it is so useful is that it includes the arguments passed to each process. The arguments for a process can tell you where configs are, what passwords might have been used, or simply the correct arguments to use when running the process yourself.

user      281741   76190  2 14:18 pts/14   00:02:34 java -Xmx3733m -XX:+UseG1GC -jar /usr/share/zaproxy/zap-2.8.1.jar
user      283340  281741  0 14:25 pts/14   00:00:00 /home/user/.ZAP/webdriver/linux/64/geckodriver --port=10696 -b /usr/bin/firefox
user      283358  283340  0 14:25 pts/14   00:00:08 [firefox-esr] <defunct>

On Windows however, this is a lot harder to do. As such, nearly all offensive tools that pull a process list only tell you what process it is, the PID, and maybe (if you have the permissions to view it) what user is running that process.

C:\Users\uberuser>tasklist /v

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process              0 Services                   0          4 K Unknown         NT AUTHORITY\SYSTEM                                   866:44:11 N/A
System                           4 Services                   0        140 K Unknown         N/A                                                     0:26:53 N/A
smss.exe                       220 Services                   0      1,140 K Unknown         N/A                                                     0:00:00 N/A
csrss.exe                      308 Services                   0      3,924 K Unk

The only way that I can find to get the command line arguments on Windows is through WMI. (Or 1 of 100 agents that people love to install on endpoints, if you have access to it.)

Here is how you do it from cmd: WMIC path win32_process get Caption,Processid,Commandline

C:\Users\uberuser\Desktop>WMIC path win32_process get Caption,Processid,Commandline
Caption            CommandLine                                                                                                                                                                                                                                                                                                                                                                                                                        ProcessId
rdpclip.exe        rdpclip                                                                                                                                                                                                                                                                                                                                                                                                                            1896
taskhostex.exe     taskhostex.exe                                                                                                                                                                                                                                                                                                                                                                                                                     204
explorer.exe       C:\Windows\Explorer.EXE                                                                                                                                                                                                                                                                                                                                                                                                            3748
ServerManager.exe                                                                                                                                                                                                                                                                                                                                                                                                                                     2304
vmtoolsd.exe       "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr                                                                                                                                                                                                                                                                                                                                                                       60
firefox.exe        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 20200107212822 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 1 -prefMapSize 216481 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 1248 gpu   2408
WMIC.exe           WMIC  path win32_process get Caption,Processid,CommandLine                                                                                                                                                                                                                                                                                                                                                                          4428

And via PowerShell: Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine

PS C:\Users\uberuser> Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine

CommandLine
-----------
"C:\Program Files\Mozilla Firefox\firefox.exe" -os-restarted
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 2...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.13.335070555\878171781" -childID 2 -isFo...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.20.446400134\1597941165" -childID 3 -isF...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.34.1773646251\252067495" -childID 5 -isF...
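As an added example (not from the post or the author's gist), the same Win32_Process query in PowerShell, extended with parent PID, start time and owning user so the output reads like the Linux ps listing at the top. Get-ProcessCommandLines is an assumed function name, and Get-CimInstance / Invoke-CimMethod are used in place of Get-WmiObject:

```powershell
# Added example: a ps -ef style listing on Windows via CIM/WMI.
# Uses Get-CimInstance (the CIM successor to Get-WmiObject) and the
# Win32_Process.GetOwner method to add the owning user, which tasklist /v
# shows but the WMIC one-liner above does not.
function Get-ProcessCommandLines {
    [CmdletBinding()]
    param(
        # Optional wildcard filter on the image name, e.g. 'firefox*'. Default: every process.
        [string]$Name = '*'
    )

    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.Name -like $Name } |
        ForEach-Object {
            # GetOwner returns a non-zero ReturnValue for processes we cannot open
            # (e.g. protected/system processes when not elevated); record that
            # explicitly instead of silently dropping the row.
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
            $user = if ($owner -and $owner.ReturnValue -eq 0) {
                '{0}\{1}' -f $owner.Domain, $owner.User
            } else {
                'N/A'
            }

            [pscustomobject]@{
                User        = $user
                PID         = $_.ProcessId
                PPID        = $_.ParentProcessId
                Started     = $_.CreationDate
                Name        = $_.Name
                # CommandLine is $null when the caller cannot read the target's
                # memory (other users' processes without admin rights), so show
                # that rather than an empty string.
                CommandLine = if ($_.CommandLine) { $_.CommandLine } else { '<unavailable>' }
            }
        }
}

# Usage: the whole list, then only Firefox processes as in the Get-WmiObject example above.
Get-ProcessCommandLines | Format-Table -AutoSize -Wrap
Get-ProcessCommandLines -Name 'firefox.exe' | Select-Object PID, PPID, User, CommandLine
```

Rows showing N/A or <unavailable> are the ones the WMIC and Get-WmiObject one-liners would have left blank, so run the function elevated to see the complete picture.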

So, to add to my toolkit and so I don't have to remember the exact commands every time, I wrote a super simple C# snippet to do it for me (I'm sure there are 100 projects on GitHub and elsewhere that already do this, but I didn't see them when I looked).

https://gist.github.com/mubix/a8882940311d511dfe0e598e5a3fd1a8


*** This is a Security Bloggers Network syndicated blog from Posts on malicious.link authored by Posts on malicious.link. Read the original post at: http://feedproxy.google.com/~r/Room362com/~3/jxXx5GB4FyA/