CB Response: How to search for wmic process command execution

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

  • How to search for wmic processes and associated commands within the CB Response Console.

Environment

  • CB Response Console
  • CB Response Cloud

Resolution

  • WMIC (Windows Management Instrumentation Command-line) is a built-in Windows utility that lets users perform Windows Management Instrumentation (WMI) operations from a command prompt. It can be used to discover information about an endpoint and to carry out management tasks on it, which is why its command lines are worth searching for.
  • Below are some examples (the Windows CMD command followed by the matching CB Response search query).
 
WMIC Command | CB Response - Search Query
wmic nicconfig get ipaddress,macaddress | process_name:wmic.exe and (cmdline:"wmic nicconfig get ipaddress, macaddress")
wmic computersystem get username | process_name:wmic.exe and (cmdline:"wmic computersystem get username")
wmic netlogin get name, lastlogon | process_name:wmic.exe and (cmdline:"wmic netlogin get name, lastlogon")
wmic logon get authenticationpackage | process_name:wmic.exe and (cmdline:"wmic logon get authenticationpackage")
wmic process get caption, executablepath,commandline | process_name:wmic.exe and (cmdline:"wmic process get caption, executablepath,commandline")
wmic process where name="process_name" call terminate | process_name:wmic.exe and (cmdline:"wmic process where name="process_name" call terminate")
wmic os get name, servicepackmajorversion | process_name:wmic.exe and (cmdline:"wmic os get name, servicepackmajorversion")
wmic product get name, version | process_name:wmic.exe and (cmdline:"wmic product get name, version")
wmic product where name="product name" call uninstall /nointeractive | process_name:wmic.exe and (cmdline:"wmic product where name="product name" call uninstall /nointeractive")

Additional Information

  • Watchlists can be created from the CB Response search queries above, so that new matching process events are flagged automatically.
    1. Navigate to 'Watchlists'
    2. Select 'Create Watchlist'
    3. Enter the watchlist name and description
    4. Within the 'Query' field, enter 'q=' followed by the CB Response search query, e.g.:
      • q=process_name:wmic.exe and (cmdline:"wmic product get name, version")
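As an added example (not Carbon Black code), the following Python script builds the queries in the table's form, produces the watchlist 'q=' value from step 4, and runs a local approximation of the match against a few constructed process events, which is useful for sanity-checking a query before it goes into a watchlist. The matcher (case-insensitive, whitespace/comma tokenised, contiguous phrase match) is an assumption about how the cmdline phrase search behaves, not the CB Response search engine itself; queries with nested double quotes, like the terminate example, are not handled.

```python
"""Local approximation of the CB Response wmic queries (added example, not Carbon Black code)."""
import re

# Accepts the query shape used in the table: process_name:X and (cmdline:"phrase")
QUERY_RE = re.compile(r'^process_name:(\S+)\s+and\s+\(cmdline:"([^"]*)"\)$')


def cb_query(wmic_cmd: str) -> str:
    """Build the search query in the table's form for a given WMIC command line."""
    return f'process_name:wmic.exe and (cmdline:"{wmic_cmd}")'


def watchlist_query(query: str) -> str:
    """Value for the watchlist 'Query' field: 'q=' followed by the search query."""
    return "q=" + query


def _tokens(text: str) -> list:
    # Assumed tokenisation: split on whitespace and commas, compare case-insensitively
    return [t for t in re.split(r"[\s,]+", text.strip().lower()) if t]


def matches(query: str, event: dict) -> bool:
    """True if a process event (process_name + cmdline) satisfies the query."""
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError(f"unsupported query shape: {query}")
    want_proc, phrase = m.group(1), m.group(2)
    if event.get("process_name", "").lower() != want_proc.lower():
        return False
    want, have = _tokens(phrase), _tokens(event.get("cmdline", ""))
    # A quoted phrase is approximated as a contiguous run of tokens in the command line
    return any(have[i:i + len(want)] == want for i in range(len(have) - len(want) + 1))


def hunt(query: str, events: list) -> list:
    """Return the events that match the query."""
    return [e for e in events if matches(query, e)]


# Constructed sample events (not real telemetry); note the double space in the first cmdline
SAMPLE_EVENTS = [
    {"process_name": "wmic.exe", "cmdline": "wmic  computersystem get username"},
    {"process_name": "cmd.exe", "cmdline": "wmic computersystem get username"},
    {"process_name": "wmic.exe", "cmdline": "wmic product get name, version"},
    {"process_name": "wmic.exe", "cmdline": "wmic os get name, servicepackmajorversion"},
]

if __name__ == "__main__":
    q = cb_query("wmic computersystem get username")
    print(watchlist_query(q))
    for e in hunt(q, SAMPLE_EVENTS):
        print("hit:", e["process_name"], "->", e["cmdline"])
```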