4. Netstat
The netstat command in Windows displays network activity, by default focusing on TCP and UDP. Because malware typically communicates over the network, users can search netstat's output for unusual connections by running the following command:
C:> netstat -nao
The -n option tells netstat to show addresses and port numbers in numeric form instead of resolving host names and service names. The -a option shows all connections and listening ports. The -o option tells netstat to display the process ID (PID) of each program using a TCP or UDP port. If you only care about ICMP rather than TCP and UDP, you can run netstat as follows:
C:> netstat -s -p icmp
The command above returns statistics (-s) for the ICMP protocol (-p icmp). Although it gives far less detail than the TCP and UDP view, it lets users see whether the computer is sending unexpected ICMP traffic on the network. This matters because some backdoors and other malware communicate using the payload of ICMP Echo messages.
Like WMIC, netstat can also be run in a repeating cycle. However, instead of WMIC's /every:[N] syntax, users only need to append an integer after netstat's options, giving the refresh interval in seconds. Thus, to list the TCP and UDP ports currently in use on the computer every 2 seconds, the user can run:
C:> netstat -na 2
5. Find
Most of the commands I have introduced so far produce a lot of output on the screen, which sometimes makes it hard for users to find the item they are interested in. But Windows has another tool that can help with this. Users can search the entire output of each command using the find and findstr commands. The find command searches for simple strings, while findstr supports regular expressions, a more complex way of specifying search patterns. Because findstr's regular-expression support is beyond the scope of this article, we focus only on the find command. By default the find command distinguishes between uppercase and lowercase letters, but with the /i option the search becomes case-insensitive.
The find command can also count. Invoked with the /c option, it counts the number of output lines containing the given string. This is useful when the user wants to count the lines in a command's output, for example to learn the number of running processes, the number of startup items present, or a series of other things on the machine. To count the number of output lines, users pipe the output through find /c /v "". This command counts (/c) the lines that do not (/v) contain the search string, which here is empty, so it reports the number of lines except blank ones.
Now, with the find command, users can filter the output of each command introduced here to find interesting items. For example, to see, every second, information about cmd.exe processes running on your computer, type:
C:> wmic process list brief /every:1 | find "cmd.exe"
To count the number of files open on the computer when openfiles tracking is enabled, you only need to type:
C:> openfiles /query /v | find /c /v ""
No matter what you count, remember to subtract the number of lines belonging to the column header. For example, to see, with one-second granularity, when TCP port 2222 comes into use on the computer, along with the process ID using the port, run:
C:> netstat -nao 1 | find "2222"
Examining the output
With these five tools, users can gather configuration information and the security status of any Windows computer. However, to use each command to identify compromises, users need to compare the current settings of the suspected computer with those of a normal computer.
There are three ways to establish this comparison. First, if the user is an experienced malware "hunter", he can know what is right and what is wrong with a computer, recognizing unusual items from experience. Second, the comparison can be made against an uninfected machine, if one is available. Without a clean computer, users can rely on a third option: note the specific files, process names, file names and port numbers reported by these commands and search for them online to determine whether they are normal for the computer and the software it has installed, or are associated with some kind of malware.
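The `netstat -nao 1 | find "2222"` pipeline above and the baseline comparison just described can both be made more precise with a small amount of scripting. The following is an added example, not code from the original article: it parses `netstat -nao` output into records, shows why a plain `find "2222"` substring match can over-count (a local port 52222 also contains "2222"), applies the "subtract the header lines" rule, and diffs a suspect host's sockets against a snapshot from a clean machine (the second comparison method). Both netstat snapshots are constructed samples that imitate the real column layout; the PIDs and addresses are placeholders, and the `HEADER_LINES` constant, `Socket` class and `fingerprint` rule are this example's own assumptions.

```python
"""Structured search of `netstat -nao` output plus a clean-baseline comparison.

Added example; not part of the original article. The two snapshots below are
constructed to imitate the `netstat -nao` column layout and were not captured
from a real host; PIDs and addresses are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed snapshot from a "clean" reference machine.
BASELINE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:52222     198.51.100.9:443       ESTABLISHED     3120
  UDP    0.0.0.0:5353           *:*                                    1504
"""

# Constructed snapshot from the suspect machine: the baseline plus a listener on
# TCP 2222 and an outbound connection to port 2222 from the same process.
SUSPECT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:2222           0.0.0.0:0              LISTENING       6644
  TCP    192.168.1.20:52222     198.51.100.9:443       ESTABLISHED     3120
  TCP    192.168.1.20:49713     203.0.113.7:2222       ESTABLISHED     6644
  UDP    0.0.0.0:5353           *:*                                    1504
"""

HEADER_LINES = 2  # "Active Connections" and the column-title row (assumed layout)


@dataclass(frozen=True)
class Socket:
    proto: str
    local: str
    foreign: str
    state: str  # empty for UDP, which has no connection state column
    pid: int


def port_of(endpoint: str) -> str:
    """Return the port part of 'host:port' ('*:*' yields '*')."""
    return endpoint.rsplit(":", 1)[1]


def parse_netstat(text: str) -> list[Socket]:
    """Turn netstat -nao text into Socket records, skipping headers and blank lines."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, foreign, state, pid = parts
        else:  # UDP rows have no State column
            proto, local, foreign, pid = parts
            state = ""
        sockets.append(Socket(proto, local, foreign, state, int(pid)))
    return sockets


def find_lines(text: str, needle: str) -> list[str]:
    """What `find "needle"` does: plain substring match on every line."""
    return [line for line in text.splitlines() if needle in line]


def count_nonblank(text: str) -> int:
    """Line count in the spirit of `find /c /v ""`; subtract HEADER_LINES for the entry count."""
    return sum(1 for line in text.splitlines() if line.strip())


def sockets_on_port(sockets: list[Socket], port: int) -> list[Socket]:
    """Port-aware filter: matches only the port fields, unlike a substring search."""
    return [s for s in sockets if str(port) in (port_of(s.local), port_of(s.foreign))]


def fingerprint(s: Socket) -> tuple:
    """Stable identity for comparison: listeners by local port, connections by peer."""
    if s.proto == "UDP" or s.state == "LISTENING":
        return (s.proto, "listen", port_of(s.local))
    return (s.proto, s.state, s.foreign)


def new_activity(baseline: str, suspect: str) -> list[Socket]:
    """Sockets on the suspect host with no counterpart in the clean baseline."""
    known = {fingerprint(s) for s in parse_netstat(baseline)}
    return [s for s in parse_netstat(suspect) if fingerprint(s) not in known]


if __name__ == "__main__":
    entries = count_nonblank(SUSPECT) - HEADER_LINES
    print(f"{entries} sockets; a substring search for 2222 matches {len(find_lines(SUSPECT, '2222'))} lines")
    for s in sockets_on_port(parse_netstat(SUSPECT), 2222):
        print("port 2222:", s)
    for s in new_activity(BASELINE, SUSPECT):
        print("not in baseline:", s)
```

Ephemeral client ports change between snapshots, so `fingerprint` deliberately ignores the local port of established connections and keys them on the peer instead; listeners are keyed on their local port because that is what a newly installed backdoor typically changes. Run against real snapshots, each record flagged by `new_activity` still has to be checked against the third comparison method above (looking up the process and port) before calling it malicious.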
In this section, I have shown you five very powerful Windows commands. In the next part of this series, we will introduce five more useful command-line tools.