CB Response: How to search for wmic process command execution

Environment

  • CB Response Console
  • CB Response Cloud

Objective

  • How to search for wmic processes and associated commands within the CB Response Console.

Resolution

  • WMIC (Windows Management Instrumentation Command-line) is a Windows utility that lets users perform WMI operations from a command prompt. It can be used to discover information about an endpoint and to perform management tasks on it.
  • Below are some examples, each giving the Windows CMD command followed by the matching CB Response search query.
 
WMIC Command / CB Response - Search Query

  • wmic nicconfig get ipaddress,macaddress
    process_name:wmic.exe and (cmdline:"wmic nicconfig get ipaddress, macaddress")
  • wmic computersystem get username
    process_name:wmic.exe and (cmdline:"wmic computersystem get username")
  • wmic netlogin get name, lastlogon
    process_name:wmic.exe and (cmdline:"wmic netlogin get name, lastlogon")
  • wmic logon get authenticationpackage
    process_name:wmic.exe and (cmdline:"wmic logon get authenticationpackage")
  • wmic process get caption, executablepath,commandline
    process_name:wmic.exe and (cmdline:"wmic process get caption, executablepath,commandline")
  • wmic process where name="process_name" call terminate
    process_name:wmic.exe and (cmdline:"wmic process where name="process_name" call terminate")
  • wmic os get name, servicepackmajorversion
    process_name:wmic.exe and (cmdline:"wmic os get name, servicepackmajorversion")
  • wmic product get name, version
    process_name:wmic.exe and (cmdline:"wmic product get name, version")
  • wmic product where name="name" call uninstall /nointeractive
    process_name:wmic.exe and (cmdline:"wmic product where name="product name" call uninstall /nointeractive")

Additional Notes

  • Watchlists can be created from the CB Response search queries above:
    1. Navigate to 'Watchlists'
    2. Select 'Create Watchlist'
    3. Enter the watchlist name and description
    4. In the 'Query' field, enter 'q=' followed by the CB Response search query, e.g.:
      • q=process_name:wmic.exe and (cmdline:"wmic product get name, version")
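As an added example (not Carbon Black code, and it does not contact a CB Response server), the script below applies the table's search queries to a few constructed process events offline and emits the watchlist 'q=' form of a query. It only understands the one query shape the article uses, process_name:<name> and (cmdline:"<phrase>"), and it treats the cmdline phrase as a case- and whitespace-insensitive substring match, which is an assumption made here to mimic phrase matching rather than a statement about the CB Response query engine. The sample events, the `QUERIES` keys and every function name are constructed for this example. It also shows two practical points: a cmd.exe event whose command line mentions wmic is not matched, because the queries key on the wmic.exe process itself, and the rows containing the placeholders "process_name" and "product name" only match once the placeholder is replaced with a real value.

```python
"""Evaluate the article's CB Response wmic search queries against constructed
process events, and build the watchlist 'q=' form of a query.

Added example; not Carbon Black code and not connected to any server.
"""
import re

# Search queries from the article's table, keyed by the wmic alias they target
# (keys are constructed labels for this example).
QUERIES = {
    "nicconfig": 'process_name:wmic.exe and (cmdline:"wmic nicconfig get ipaddress, macaddress")',
    "computersystem": 'process_name:wmic.exe and (cmdline:"wmic computersystem get username")',
    "netlogin": 'process_name:wmic.exe and (cmdline:"wmic netlogin get name, lastlogon")',
    "logon": 'process_name:wmic.exe and (cmdline:"wmic logon get authenticationpackage")',
    "process": 'process_name:wmic.exe and (cmdline:"wmic process get caption, executablepath,commandline")',
    "terminate": 'process_name:wmic.exe and (cmdline:"wmic process where name="process_name" call terminate")',
    "os": 'process_name:wmic.exe and (cmdline:"wmic os get name, servicepackmajorversion")',
    "product": 'process_name:wmic.exe and (cmdline:"wmic product get name, version")',
    "uninstall": 'process_name:wmic.exe and (cmdline:"wmic product where name="product name" call uninstall /nointeractive")',
}

# Constructed sample process events (not real endpoint telemetry).
SAMPLE_EVENTS = [
    {"process_name": "wmic.exe", "cmdline": "wmic  nicconfig get ipaddress, macaddress"},
    {"process_name": "wmic.exe", "cmdline": "WMIC ComputerSystem GET UserName"},
    {"process_name": "wmic.exe", "cmdline": 'wmic process where name="notepad.exe" call terminate'},
    {"process_name": "wmic.exe", "cmdline": "wmic product get name, version"},
    # Non-match: the queries key on the wmic.exe process, not on a parent
    # cmd.exe whose command line happens to mention wmic.
    {"process_name": "cmd.exe", "cmdline": "cmd.exe /c wmic os get name, servicepackmajorversion"},
]

# The single query shape used in the article. The cmdline phrase is captured
# greedily so that embedded double quotes (the terminate/uninstall rows) survive.
QUERY_RE = re.compile(r'^process_name:(\S+)\s+and\s+\(cmdline:"(.*)"\)$')


def parse_query(query):
    """Split an article-style query into (process_name, cmdline phrase)."""
    m = QUERY_RE.match(query.strip())
    if not m:
        raise ValueError("unsupported query shape: %r" % query)
    return m.group(1), m.group(2)


def normalize(text):
    """Case-fold and collapse whitespace runs, so 'wmic  nicconfig' and
    'WMIC nicconfig' compare equal (wmic itself is case-insensitive)."""
    return " ".join(text.lower().split())


def matches(event, query):
    """True when the event's process name equals the query's process name and
    the query's cmdline phrase occurs in the event's command line."""
    name, phrase = parse_query(query)
    return (event["process_name"].lower() == name.lower()
            and normalize(phrase) in normalize(event["cmdline"]))


def run_queries(events, queries=QUERIES):
    """Return {query_key: [indices of events that the query matches]}."""
    return {key: [i for i, ev in enumerate(events) if matches(ev, q)]
            for key, q in queries.items()}


def watchlist_query(query):
    """Watchlist 'Query' field form described in the article: 'q=' + query."""
    return "q=" + query


if __name__ == "__main__":
    for key, hits in run_queries(SAMPLE_EVENTS).items():
        print("%-15s matched events: %s" % (key, hits))
    print(watchlist_query(QUERIES["product"]))
```

Run as-is: nicconfig, computersystem and product each report one hit, while the placeholder rows and the cmd.exe event report none. To turn a placeholder row into a usable watchlist entry, substitute the real process or product name before prefixing it with 'q='.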

Article Information
Creation Date: 09-09-2020