SECURITY 531

Windows Command-Line Kung Fu In-Depth for Info Sec Pros

6 CPE Credits

To maximize their value in handling incidents, analyzing systems, conducting forensic analyses, and performing penetration tests, security personnel should wield some Windows command-line kung fu. Many people do not realize the power of the Windows command line and have confined themselves inside the prison of the Windows GUI. But sometimes, in the face of extremely nasty malware that disables GUI-based tools, security personnel are forced to the command line to analyze an infestation. Don't fret! In this fun and engaging session we'll discuss in depth one of the most powerful command-line tools built into Windows, wmic, and how it can greatly improve the capabilities of security personnel, incident handlers, and even auditors.

We'll also look at other really powerful built-in commands to monitor systems and analyze them for indications of compromise. This full-day session includes a great deal of hands-on depth with fun labs and examples. For example, do you know how to kill a bunch of processes based on their name across the network using only built-in Windows tools? How about finding out whether a given patch is installed, the date it was installed, and the user who installed it, again remotely and using only built-in features? What if your GUI is shot by a rootkit, and you want to see which services are associated with each process and which DLLs those processes have loaded? How can you run a single command that will show you with one-second accuracy when a piece of malware receives a connection from a bad guy on the network, along with the ProcessID of the malware and the IP address of the bad guy? After this session you will be able to do all of this and more... much more. For this session, have a Windows 7, Windows Vista, Windows 2003, or Windows XP Pro box handy (WinXP Home won't do!), grab a soda, pop up a cmd.exe, and get ready for some serious kung fu.
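As an added illustration of the four tasks the paragraph above poses (this is editor-supplied example code, not SANS course material), the batch script below performs each one with nothing but the tools built into Windows XP/2003/Vista/7. The host name TARGETHOST, the process name evil.exe, the patch id KB000000 and the PID 1234 are placeholders to replace with the values from your own investigation.

```batch
@echo off
setlocal enabledelayedexpansion
REM Added example, not from the course: the four tasks from the description,
REM using only built-in Windows commands. All values below are placeholders.

set NODE=TARGETHOST
set BADPROC=evil.exe
set PATCH=KB000000
set PID=1234

REM 1) Kill every process with a given name on a remote machine via WMIC.
REM    Drop /node:... to act on the local box; /node also takes a
REM    comma-separated host list, so one line covers several systems.
wmic /node:%NODE% process where name="%BADPROC%" delete

REM 2) Is a given patch installed, when, and by whom? Win32_QuickFixEngineering
REM    (alias qfe) carries all three fields; no rows means it is not installed.
wmic /node:%NODE% qfe where hotfixid="%PATCH%" get hotfixid,installedon,installedby

REM 3) GUI disabled by a rootkit: map services to their host processes, then
REM    list the DLLs loaded into one process of interest.
tasklist /svc
tasklist /m /fi "pid eq %PID%"

REM 4) One-line connection monitor with one-second resolution: print the time,
REM    show established TCP sockets with their owning PID (-o), then sleep about
REM    a second using ping. The step of 0 in (1,0,2) never reaches 2, so the
REM    loop runs until Ctrl-C. !time! (delayed expansion) is re-read each pass;
REM    %time% in a batch file would expand once and print the same stamp forever.
for /L %%i in (1,0,2) do @(echo !time! & netstat -nao | findstr /i "ESTABLISHED" & ping -n 2 127.0.0.1 >nul)
```

Step 4 is the piece most worth keeping on a response box: the timestamp, remote IP and PID appear on adjacent lines the moment a connection is established, which is exactly the evidence needed to tie a network event to a process without any GUI tool.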

Topics Covered:

  • Overview of the Windows command shell
  • Interacting with the shell
  • Interacting with the file system
  • Interacting with the network and user accounts
  • Interacting with processes and services
  • The wonderful world of WMIC
  • Iterating with powerful FOR loops
  • Other Odds and Ends
  • Challenges

Author Statement

This course is a detailed, hands-on description of how information security professionals can use the Windows command line to do their jobs better. There is no CD for the course, as we will use all built-in tools in Windows XP, 2003, and Vista. There really is no other course like this on the market — we talk about a lot of undocumented features of Windows and how they can be used in analyzing a machine for infection and controlling malware. The course is full of hands on challenges for the attendees to solve during exercises in the class.