Remote Commands

Some data collected by the Windows Collection Module is not available through WMI. For this data, the Windows Collection Module uses a facility for running commands on Windows hosts through cmd.exe. The wmiexec.py utility from the open source Impacket project is used to provide this facility.

The process uses the SMB and WMI protocols. First, a WMI session is established with the remote Windows system, and an SMB session is established with the ADMIN$ share. The WMI Win32_Process provider is used to invoke a new process through the cmd.exe command interpreter. The output of the invoked command is redirected to a file in the ADMIN$ share, and the contents of this file are read using the established SMB connection. Once all of the data has been read from the output file, the file is removed and the SMB and WMI sessions are torn down.

The output file created during this process uses an established naming convention. The name begins with two underscore characters. This is followed by the current epoch time (the number of seconds that have elapsed since January 1st, 1970), a period, and two fractional second digits. For example, __1497992728.46.

The final form of the command as invoked on the remote Windows system, where COMMAND is replaced by the command requested by the Windows Collection Module and FILENAME is replaced by a filename in the format described in the previous paragraph:

cmd.exe /Q /c COMMAND 1> \\127.0.0.1\ADMIN$\FILENAME 2>&1
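From a defender's side, the command form and the output filename convention above are exactly what a process-creation log records on the target, so they can be matched to tell the appliance's expected activity apart from anything else using the same technique. The following is an added example, not part of this page or of the Windows Collection Module; the log records it triages are constructed for illustration, and it assumes those records have already been correlated with the source address of the WMI session (a field a plain process-creation event does not carry):

```python
import re
from datetime import datetime, timezone

# Correlated process-creation records, constructed for this example (not real telemetry).
# "src_ip" is assumed to have been joined in from the WMI/SMB session that created the process.
SAMPLE_EVENTS = [
    {"host": "srv01", "src_ip": "10.0.5.20",
     "cmdline": 'cmd.exe /Q /c netstat -anop TCP 1> \\\\127.0.0.1\\ADMIN$\\__1497992728.46 2>&1'},
    {"host": "srv01", "src_ip": "",
     "cmdline": 'cmd.exe /c dir'},
    {"host": "srv02", "src_ip": "192.168.77.9",
     "cmdline": 'cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1497992800.12 2>&1'},
]

# The documented form: cmd.exe /Q /c COMMAND 1> \\127.0.0.1\ADMIN$\FILENAME 2>&1,
# where FILENAME is two underscores, the epoch time, a period and two fractional digits.
WMIEXEC_RE = re.compile(
    r'^cmd\.exe /Q /c (?P<command>.+?) 1> '
    r'\\\\127\.0\.0\.1\\ADMIN\$\\(?P<outfile>__(?P<epoch>\d+)\.\d{2}) 2>&1$'
)

# Commands the module is documented to issue (the Get-Content form carries a variable path).
EXPECTED_COMMANDS = (
    "netstat -anop TCP",
    "reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall /s",
    "reg query HKLM\\Software\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall /s",
    "ipconfig /displaydns",
    "chcp.com",
)


def parse_remote_command(cmdline):
    """Return the inner command, output filename and start time, or None if the
    command line is not in the documented remote-command form."""
    m = WMIEXEC_RE.match(cmdline)
    if m is None:
        return None
    epoch = int(m.group("epoch"))
    return {
        "command": m.group("command"),
        "outfile": m.group("outfile"),
        "started": datetime.fromtimestamp(epoch, tz=timezone.utc),
    }


def is_expected_command(command):
    return command in EXPECTED_COMMANDS or command.startswith("powershell Get-Content -Path ")


def triage(events, appliance_ips):
    """Flag remote commands that did not come from an allow-listed appliance address
    or that are not one of the documented commands."""
    findings = []
    for ev in events:
        parsed = parse_remote_command(ev["cmdline"])
        if parsed is None:
            continue  # ordinary cmd.exe use, not the remote-command pattern
        expected = ev["src_ip"] in appliance_ips and is_expected_command(parsed["command"])
        findings.append({"host": ev["host"], "src_ip": ev["src_ip"],
                         "verdict": "expected" if expected else "review", **parsed})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, {"10.0.5.20"}):
        print(f["verdict"], f["host"], f["src_ip"], f["command"], f["started"].isoformat())
```

The allow-list of appliance addresses is the input a practitioner supplies; the constructed third record shows the same command form arriving from an unlisted address with a command the module does not issue, which is the case worth reviewing.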

Remote commands support encrypted SMB sessions if the SMB server is configured for encryption. Versions 3, 2, and 1 of the SMB protocol are supported, and the session will use the highest protocol version advertised by the server.

For more information about remote commands, see the following sections:

Remote Command Reference

The following table lists remote commands.

Command | Description
--- | ---
netstat -anop TCP | Reports network connections.
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall /s | Reports installed applications.
reg query HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall /s | Reports installed 32-bit applications on a 64-bit host.
ipconfig /displaydns | Reports cached DNS name lookups.
chcp.com | Reports the console code page, used to determine text encoding format.
powershell Get-Content -Path PATH | Retrieves the content of the file at path PATH (Configuration File Collection).

Netstat

The netstat command shown in the Remote Command Reference reports the network connections currently active on the remote Windows host. This is used as a critical component in grouping Application Stacks and reporting application dependencies in the environment. This command is executed during the Performance collection process.

The formulation of the command is as follows:

Option | Description
--- | ---
-a | Displays all connections and listening ports
-n | Displays connections numerically, rather than resolving them to hostnames or service names
-o | Displays the process ID (PID) that has bound the socket
-p TCP | Filters the results to the TCP protocol only
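To show how the netstat output feeds dependency mapping, here is an added example (not code from this page or from the Windows Collection Module) that parses the numeric, PID-annotated output those options produce and separates each established connection into an inbound dependency (a client talking to a port this host is listening on) or an outbound one (a local process talking to a server elsewhere). The netstat output is constructed for the example, not captured from a real host:

```python
from dataclasses import dataclass

# Output of "netstat -anop TCP" constructed for this example (not from a real host).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2212
  TCP    10.0.5.31:445          10.0.5.20:51822        ESTABLISHED     4
  TCP    10.0.5.31:1433         10.0.5.40:49700        ESTABLISHED     2212
  TCP    10.0.5.31:49810        10.0.5.50:1433         ESTABLISHED     3104
  TCP    [::]:135               [::]:0                 LISTENING       880
"""


@dataclass(frozen=True)
class Connection:
    proto: str
    local_ip: str
    local_port: int
    foreign_ip: str
    foreign_port: int
    state: str
    pid: int


def split_endpoint(endpoint):
    """Split 'ip:port' or '[ipv6]:port' into (ip, port); -n guarantees numeric forms."""
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), int(port)


def parse_netstat(text):
    """Parse the TCP rows of netstat -anop TCP output; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue
        proto, local, foreign, state, pid = fields
        local_ip, local_port = split_endpoint(local)
        foreign_ip, foreign_port = split_endpoint(foreign)
        conns.append(Connection(proto, local_ip, local_port, foreign_ip, foreign_port, state, int(pid)))
    return conns


def dependencies(conns):
    """Classify established connections relative to this host's listening ports.

    inbound:  (client ip, local port, local pid)  -> something depends on a service here
    outbound: (local pid, server ip, server port) -> a process here depends on a remote service
    """
    listening = {c.local_port for c in conns if c.state == "LISTENING"}
    inbound, outbound = [], []
    for c in conns:
        if c.state != "ESTABLISHED":
            continue
        if c.local_port in listening:
            inbound.append((c.foreign_ip, c.local_port, c.pid))
        else:
            outbound.append((c.pid, c.foreign_ip, c.foreign_port))
    return inbound, outbound


if __name__ == "__main__":
    inbound, outbound = dependencies(parse_netstat(SAMPLE_NETSTAT))
    print("inbound:", inbound)
    print("outbound:", outbound)
```

The listening-port set is what makes the direction unambiguous: an ESTABLISHED row whose local port is also LISTENING belongs to a server-side socket, and everything else is a client-side connection. The -n option matters here because the parser relies on every endpoint being numeric.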

Installed Applications Registry Query

The reg query command shown in the Remote Command Reference queries the Windows Registry for information regarding installed software. This is a read-only query. The response data includes a number of key-value pairs describing the installed software, which is filtered down to a subset of keys. This data is used for a variety of purposes, including the Application Matching and Security Module features. This command is executed during the Inventory and Performance collection processes.
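The following added example (not code from this page or from the Windows Collection Module) shows the parsing step the paragraph describes: the recursive reg query output is decoded using the console code page reported by chcp.com, split into one record per Uninstall subkey, and reduced to a small subset of values, with entries that have no DisplayName dropped. The registry output and chcp output are constructed for the example; the choice of retained values is an assumption, not the module's actual filter:

```python
import re

# "reg query HKLM\...\Uninstall /s" output as raw bytes, constructed for this example.
# It is encoded in code page 850 so that the chcp-driven decoding has something to do.
SAMPLE_RAW = (
    b"\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{11111111-2222-3333-4444-555555555555}\r\n"
    b"    DisplayName    REG_SZ    Example Agent\r\n"
    b"    DisplayVersion    REG_SZ    4.2.1\r\n"
    b"    Publisher    REG_SZ    Soci\x82t\x82 Example\r\n"
    b"    InstallDate    REG_SZ    20230115\r\n"
    b"    UninstallString    REG_SZ    MsiExec.exe /X{11111111-2222-3333-4444-555555555555}\r\n"
    b"    SystemComponent    REG_DWORD    0x0\r\n"
    b"\r\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB0000000\r\n"
    b"    ParentKeyName    REG_SZ    OperatingSystem\r\n"
)
SAMPLE_CHCP = "Active code page: 850\r\n"  # constructed chcp.com output

# Assumed subset of values worth keeping per installed application.
KEEP = ("DisplayName", "DisplayVersion", "Publisher", "InstallDate")


def codec_from_chcp(chcp_output):
    """Map chcp.com output such as 'Active code page: 850' to a Python codec name."""
    m = re.search(r"(\d+)\s*$", chcp_output.strip())
    if m is None:
        return "cp437"  # assumption: fall back to the OEM default if chcp output is unusable
    page = int(m.group(1))
    return "utf-8" if page == 65001 else f"cp{page}"


def decode_output(raw, chcp_output):
    """Decode raw command output with the host's console code page."""
    return raw.decode(codec_from_chcp(chcp_output), errors="replace")


def parse_reg_query(text):
    """Turn recursive reg query output into one dict per subkey that has a DisplayName.

    reg query prints each subkey path on its own line, followed by indented
    'name    type    data' lines separated by four spaces.
    """
    apps, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = {"key": line.strip()}
            apps.append(current)
        elif current is not None and line.startswith(" "):
            parts = line.strip().split("    ", 2)
            if len(parts) == 3:
                name, _reg_type, data = parts
                if name in KEEP:
                    current[name] = data
    return [a for a in apps if "DisplayName" in a]


if __name__ == "__main__":
    for app in parse_reg_query(decode_output(SAMPLE_RAW, SAMPLE_CHCP)):
        print(app)
```

Splitting each value line on exactly four spaces, at most twice, is what keeps data values that themselves contain spaces intact; splitting on arbitrary whitespace would break the Publisher and UninstallString values in the constructed sample.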

Local DNS Cache

The ipconfig /displaydns command shown in the Remote Command Reference is used to collect the contents of the local DNS cache from a Windows system, the DNS names that the system has recently requested. This feature is enabled by default, but may be disabled by accessing the Appliance Settings section within the Assessment page on the RN150 appliance and toggling the Windows DNS Cache Collection feature to the Off position.

CHCP

To better support international customers, the RN150 appliance will automatically run the chcp.com command when first interacting with a Windows system. This enables the RN150 to determine what text encoding that system uses, so that the results of remote commands can be interpreted correctly. The RN150 will only run this command once for a given system and will store the result for future use; however, if the RN150 is not able to execute this command, or if data collection is not successful for that system, the command may be run on future attempts to communicate with that system.

Configuration File Collection

The RN150 supports an optional feature, disabled by default, that collects the content of configuration files installed on the system. For Windows devices, this includes IIS configuration files. If the feature is enabled and IIS application services are determined to be running on a Windows device, the content of the following file is retrieved, along with any app pool configuration files listed as an argument to the running IIS process or loaded from the applicationHost.config file:

C:\Windows\System32\inetsrv\config\applicationHost.config