One of the most useful things to do during post-exploitation on Linux is to grab a full process list, largely because it includes the arguments passed to each process. Those arguments can tell you where the configs live, what passwords might have been used, or simply the correct arguments to use when running the process yourself.
user 281741 76190 2 14:18 pts/14 00:02:34 java -Xmx3733m -XX:+UseG1GC -jar /usr/share/zaproxy/zap-2.8.1.jar
user 283340 281741 0 14:25 pts/14 00:00:00 /home/user/.ZAP/webdriver/linux/64/geckodriver --port=10696 -b /usr/bin/firefox
user 283358 283340 0 14:25 pts/14 00:00:08 [firefox-esr] <defunct>
On Windows, however, this is a lot harder to do, so nearly all offensive tools that pull a process list tell you only the process name, the PID and maybe (if you have permission to view it) which user is running the process.
C:\Users\uberuser>tasklist /v
Image Name PID Session Name Session# Mem Usage Status User Name CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process 0 Services 0 4 K Unknown NT AUTHORITY\SYSTEM 866:44:11 N/A
System 4 Services 0 140 K Unknown N/A 0:26:53 N/A
smss.exe 220 Services 0 1,140 K Unknown N/A 0:00:00 N/A
csrss.exe 308 Services 0 3,924 K Unk
The only way that I can find to get the command line arguments on Windows is through WMI (or one of the 100 agents that people love to install on endpoints, if you have access to one).
Here is how you do it from cmd: WMIC path win32_process get Caption,Processid,Commandline
C:\Users\uberuser\Desktop>WMIC path win32_process get Caption,Processid,Commandline
Caption CommandLine ProcessId
rdpclip.exe rdpclip 1896
taskhostex.exe taskhostex.exe 204
explorer.exe C:\Windows\Explorer.EXE 3748
ServerManager.exe 2304
vmtoolsd.exe "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr 60
firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 20200107212822 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 1 -prefMapSize 216481 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 1248 gpu 2408
WMIC.exe WMIC path win32_process get Caption,Processid,CommandLine 4428
And via PowerShell: Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine
PS C:\Users\uberuser> Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine
CommandLine
-----------
"C:\Program Files\Mozilla Firefox\firefox.exe" -os-restarted
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 2...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.13.335070555\878171781" -childID 2 -isFo...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.20.446400134\1597941165" -childID 3 -isF...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.34.1773646251\252067495" -childID 5 -isF...
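As an added example (not the post's gist and not the commands above), the PowerShell below wraps the same Win32_Process query into a ps-style listing with owner and parent PID, and flags command lines that look like they expose credentials, the very exposure the post describes. It assumes Get-CimInstance (the current replacement for Get-WmiObject) and uses heuristic regexes of my own construction.

```powershell
# Added example (not the post's gist): list every process with PID, parent PID,
# owner and full command line via WMI, then flag command lines that look like they
# carry credentials. Get-CimInstance is the current replacement for Get-WmiObject;
# both query the same Win32_Process class.

# Constructed heuristic patterns for credential-looking arguments; -match is
# case-insensitive. Expect false positives and tune for your own estate.
$secretPatterns = @(
    '(^|\s)(-|--|/)?(pw|pass|passwd|password)(=|:|\s)\S+',
    '(^|\s)(-|--|/)?(token|secret|apikey|api-key|connectionstring)(=|:|\s)\S+'
)

function Get-ProcessCommandLineReport {
    param([string[]]$Patterns = $secretPatterns)

    Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $proc = $_

        # GetOwner fails for protected processes (System, Idle) or without rights;
        # report the owner as unknown instead of aborting the listing.
        $owner = 'N/A'
        try {
            $o = Invoke-CimMethod -InputObject $proc -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }

        # CommandLine is $null when the caller cannot read the target's memory
        # (the post's ServerManager.exe row shows exactly that blank).
        $cmd = if ($null -ne $proc.CommandLine) { $proc.CommandLine } else { '' }
        $hit = $false
        foreach ($p in $Patterns) { if ($cmd -match $p) { $hit = $true; break } }

        [pscustomobject]@{
            PID          = $proc.ProcessId
            PPID         = $proc.ParentProcessId
            Owner        = $owner
            Name         = $proc.Name
            CommandLine  = $cmd
            SecretInArgs = $hit
        }
    }
}

# Full ps-style listing first, then only the rows that deserve a closer look.
$report = Get-ProcessCommandLineReport
$report | Format-Table PID, PPID, Owner, Name, CommandLine -AutoSize
$report | Where-Object SecretInArgs | Format-List PID, Owner, Name, CommandLine
```

Run it from an elevated prompt to see other users' command lines; unprivileged, the blanks you get are the same ones tasklist and WMIC would show.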
So, to add to my toolkit and so I don't have to remember the exact commands every time, I wrote a super simple C# snippet to do it for me (I'm sure there are 100 projects on GitHub and elsewhere that already do this, but I didn't see them when I looked):
https://gist.github.com/mubix/a8882940311d511dfe0e598e5a3fd1a8