Get Process List with Command Line Arguments

One of the most useful things when doing post exploitation on Linux is grabbing a full process list, largely because it includes the arguments passed to each process. The arguments can tell you where configs are, what passwords might have been used, or simply the correct arguments to use when running the process yourself.

```
user      281741   76190  2 14:18 pts/14   00:02:34 java -Xmx3733m -XX:+UseG1GC -jar /usr/share/zaproxy/zap-2.8.1.jar
user      283340  281741  0 14:25 pts/14   00:00:00 /home/user/.ZAP/webdriver/linux/64/geckodriver --port=10696 -b /usr/bin/firefox
user      283358  283340  0 14:25 pts/14   00:00:08 [firefox-esr] <defunct>
```

On Windows, however, this is a lot harder to do. As a result, nearly all offensive tools that pull a process list only tell you what the process is, its PID, and maybe (if you have the permissions to view it) which user is running it.

```
C:\Users\uberuser>tasklist /v

Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title
========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================
System Idle Process              0 Services                   0          4 K Unknown         NT AUTHORITY\SYSTEM                                   866:44:11 N/A
System                           4 Services                   0        140 K Unknown         N/A                                                     0:26:53 N/A
smss.exe                       220 Services                   0      1,140 K Unknown         N/A                                                     0:00:00 N/A
csrss.exe                      308 Services                   0      3,924 K Unknown
```

The only way that I can find to get the command line arguments on Windows is through WMI (or one of the 100 agents that people love to install on endpoints, if you have access to one).

Here is how you do it from cmd: `WMIC path win32_process get Caption,Processid,Commandline`

```
C:\Users\uberuser\Desktop>WMIC path win32_process get Caption,Processid,Commandline

Caption            CommandLine                                                                  ProcessId
rdpclip.exe        rdpclip                                                                      1896
taskhostex.exe     taskhostex.exe                                                               204
explorer.exe       C:\Windows\Explorer.EXE                                                      3748
ServerManager.exe                                                                               2304
vmtoolsd.exe       "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr                 60
firefox.exe        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 20200107212822 -prefsHandle 1132 -prefMapHandle 1124 -prefsLen 1 -prefMapSize 216481 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3728 "\\.\pipe\gecko-crash-server-pipe.3728" 1248 gpu    2408
WMIC.exe           WMIC  path win32_process get Caption,Processid,CommandLine                   4428
```

And via PowerShell: `Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine`

```
PS C:\Users\uberuser> Get-WmiObject Win32_Process -Filter "name = 'firefox.exe'" | Select-Object CommandLine

CommandLine
-----------
"C:\Program Files\Mozilla Firefox\firefox.exe" -os-restarted
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.0.819826060\1553883004" -parentBuildID 2...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.13.335070555\878171781" -childID 2 -isFo...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.20.446400134\1597941165" -childID 3 -isF...
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3728.34.1773646251\252067495" -childID 5 -isF...
```
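The same WMI query wrapped into reusable functions, as an added example that is not part of the original post or the author's gist. It uses `Get-CimInstance` rather than `Get-WmiObject` because the latter does not exist in PowerShell 7, returns the parent PID alongside the command line so the tree can be reconstructed like the `ps -ef` output above, and adds a small audit helper for the defensive side of the same point: spotting processes that were launched with a password or token on their command line. The function names, the `-Name` parameter, and the list of secret-looking argument patterns are assumptions made for this example.

```powershell
# Added example (not from the original post or the author's C# gist).
# Assumes it runs as a user allowed to query Win32_Process; CommandLine comes back $null for
# processes the caller cannot open (e.g. System, protected processes), which is itself a useful signal.

function Get-ProcessCommandLine {
    [CmdletBinding()]
    param(
        # Optional image name to filter on, e.g. 'firefox.exe' (hypothetical parameter for this example)
        [string]$Name
    )

    $query = "SELECT Name, ProcessId, ParentProcessId, CommandLine FROM Win32_Process"
    if ($Name) {
        # Escape single quotes so the value is safe inside the WQL string literal
        $escaped = $Name -replace "'", "''"
        $query  += " WHERE Name = '$escaped'"
    }

    # Get-CimInstance replaces Get-WmiObject and works on both Windows PowerShell 5.1 and PowerShell 7
    Get-CimInstance -Query $query | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            ProcessId       = $_.ProcessId
            ParentProcessId = $_.ParentProcessId
            CommandLine     = $_.CommandLine
        }
    }
}

function Find-SecretOnCommandLine {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline)] $Process,
        # Constructed list of argument names that commonly carry credentials (an assumption, not exhaustive)
        [string[]]$Patterns = @(
            '(?i)(^|\s)(--?|/)(p|pass|password|pwd|secret|token|api[-_]?key)([=:]|\s)',
            '(?i)(password|secret|token)='
        )
    )
    process {
        if (-not $Process.CommandLine) { return }
        foreach ($p in $Patterns) {
            if ($Process.CommandLine -match $p) {
                [pscustomobject]@{
                    ProcessId   = $Process.ProcessId
                    Name        = $Process.Name
                    Matched     = $p
                    CommandLine = $Process.CommandLine
                }
                break   # one hit per process is enough
            }
        }
    }
}

# Usage:
#   Get-ProcessCommandLine | Format-Table -AutoSize       # full list, like the WMIC query above
#   Get-ProcessCommandLine -Name 'firefox.exe'            # the filtered PowerShell example above
#   Get-ProcessCommandLine | Find-SecretOnCommandLine     # which running processes expose secrets in argv
```

Two practical notes: a `$null` CommandLine on a process you did not expect to be protected usually means the query ran without the rights to open that process, not that it had no arguments; and because anything on the command line is readable this way by whoever can query WMI, the durable fix is to pass secrets through files or environment with restricted ACLs rather than argv. On the detection side, the same data is captured at process creation by Security event 4688 once "Include command line in process creation events" is enabled, or by Sysmon Event ID 1.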

So, to add to my toolkit and so I don't have to remember the exact commands every time, I wrote a super simple C# snippet to do it for me (I'm sure there are 100 projects on GitHub and elsewhere that already do this, but I didn't see them when I looked).

https://gist.github.com/mubix/a8882940311d511dfe0e598e5a3fd1a8