
Get Process List with Command Line Arguments
One of the most useful things when doing post exploitation on Linux is grabbing a full process list. One of the reasons this is useful is that it includes the arguments passed to each process. The arguments for a process can tell you where configs are, what passwords might have been used, or just tell you the correct arguments to use when running the process yourself.
user 281741 76190 2 14:18 pts/14 00:02:34 java -Xmx3733m -XX:+UseG1GC -jar /usr/share/zaproxy/zap-2.8.1.jar
user 283340 281741 0 14:25 pts/14 00:00:00 /home/user/.ZAP/webdriver/linux/64/geckodriver --port=10696 -b /usr/bin/firefox
user 283358 283340 0 14:25 pts/14 00:00:08 [firefox-esr] <defunct>
On Windows, however, this is a lot harder to do. As such, nearly all offensive tools that pull a process list only tell you what the process is, its PID, and maybe (if you have the permissions to view it) which user is running that process.
C:\Users\uberuser>tasklist /v

Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Services 0 4 K Unknown NT AUTHORITY\SYSTEM 866:44:11 N/A
System 4 Services 0 140 K Unknown N/A 0:26:53 N/A
smss.exe 220 Services 0 1,140 K Unknown N/A 0:00:00 N/A
csrss.exe 308 Services 0 3,924 K Unk
The only way that I can find to get the command line arguments on Windows is through WMI (or one of the 100 agents that people love to install on endpoints, if you happen to have access to it).
Here is how you do it from cmd (note that Microsoft has since deprecated WMIC, so it may be missing on newer Windows builds; the PowerShell route below works either way):

WMIC path win32_process get Caption,Processid,Commandline
C:\Users\uberuser\Desktop>WMIC path win32_process get Caption,Processid,Commandline
Caption CommandLine ProcessId
rdpclip.exe rdpclip 1896
taskhostex.exe taskhostex.exe 204
explorer.exe C:\Windows\Explorer.EXE 3748
ServerManager.exe 2304
vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr 60
firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 20200107212822 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 1 -prefMapSize 216481 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 1248 gpu 2408
WMIC.exe WMIC path win32_process get Caption,Processid,CommandLine 4428
And via PowerShell:

Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine
PS C:\Users\uberuser> Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine

CommandLine
-----------
"C:\Program Files\Mozilla Firefox\firefox.exe" -os-restarted
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 2...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.13.335070555\878171781" -childID 2 -isFo...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.20.446400134\1597941165" -childID 3 -isF...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.34.1773646251\252067495" -childID 5 -isF...
So, to add to my toolkit, and so I don't have to remember the exact commands every time, I wrote a super simple C# snippet to do it for me (I'm sure there are 100 projects on GitHub and elsewhere that already do this, but I didn't see them when I looked).
https://gist.github.com/mubix/a8882940311d511dfe0e598e5a3fd1a8
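For reference, here is an added PowerShell equivalent of the same idea (this is not the C# gist above and not the post's own code). It uses the CIM cmdlets, which replace Get-WmiObject in current PowerShell, and adds the owning account and parent PID so the output lines up with the Linux listing at the top; the function name and its -Name parameter are assumptions for this example.

```powershell
# Added example: ps -ef style process listing on Windows via CIM/WMI.
# Win32_Process.CommandLine is only readable for processes the caller can
# open, so for other users' processes it comes back $null unless elevated.
function Get-ProcessCommandLine {
    [CmdletBinding()]
    param(
        # Optional image name filter, e.g. 'firefox.exe' (assumed parameter)
        [string]$Name
    )

    $query = 'SELECT ProcessId, ParentProcessId, Name, CommandLine, CreationDate FROM Win32_Process'
    if ($Name) {
        # WQL string literal: double any single quotes so the filter stays valid
        $query += " WHERE Name = '$($Name -replace "'", "''")'"
    }

    foreach ($proc in Get-CimInstance -Query $query) {
        # GetOwner() returns Domain and User; ReturnValue 0 means it succeeded.
        $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction SilentlyContinue
        $user = if ($owner -and $owner.ReturnValue -eq 0) {
            "$($owner.Domain)\$($owner.User)"
        } else {
            'N/A'   # no access to query the owner (same as tasklist /v shows)
        }

        [pscustomobject]@{
            User        = $user
            PID         = $proc.ProcessId
            PPID        = $proc.ParentProcessId
            Started     = $proc.CreationDate
            Name        = $proc.Name
            CommandLine = $proc.CommandLine
        }
    }
}

# Usage: the whole table, or narrowed to one image name like the post's filter
Get-ProcessCommandLine | Format-Table -AutoSize -Wrap
Get-ProcessCommandLine -Name 'firefox.exe' | Select-Object PID, PPID, CommandLine
```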
*** This is a Security Bloggers Network syndicated blog from Posts on malicious.link authored by Posts on malicious.link. Read the original post at: http://feedproxy.google.com/~r/Room362com/~3/jxXx5GB4FyA/