arp.exe        hostname.exe   ntdsutil.exe    schtasks.exe
at.exe         ipconfig.exe   pathping.exe    systeminfo.exe
bitsadmin.exe  nbtstat.exe    ping.exe        tasklist.exe
certutil.exe   net.exe        powershell.exe  tracert.exe
cmd.exe        net1.exe       qprocess.exe    ver.exe
dsget.exe      netdom.exe     query.exe       vssadmin.exe
dsquery.exe    netsh.exe      qwinsta.exe     wevtutil.exe
find.exe       netstat.exe    reg.exe         whoami.exe
findstr.exe    nltest.exe     rundll32.exe    wmic.exe
fsutil.exe     nslookup.exe   sc.exe          wusa.exe
What are these?
These files are not a threat per se, because they are part of the operating system. However, they are often used as tools in an attack, precisely because they are present on so many systems and contain many functions that allow, for example, downloading #malware or reading system files.
The log entries for these files can be examined, for example, like this (Sysmon process-creation events whose parent is the IIS worker process w3wp.exe):
Get-WinEvent -FilterHashtable @{LogName="Microsoft-Windows-Sysmon/Operational"; Id=1} | Where-Object { $_.Message -like "*ParentImage: C:\Windows\System32\inetsrv\w3wp.exe*" } | ForEach-Object { $_.Properties[4] } | Sort-Object -Property Value -Unique
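As an added example (not part of the original post), the query above can be narrowed to child processes of w3wp.exe whose image is one of the listed tools, reading the Sysmon fields by name rather than by position so the result does not depend on the Sysmon schema version. The function name Get-WatchedChildProcess and the -MaxEvents default are assumptions of this example.

```powershell
# Added example: hunt for listed built-in tools started by a given parent process.
# The tool names come from the list above (ntdsutil.exe is the Windows file name).
$Watched = @(
    'arp.exe','at.exe','bitsadmin.exe','certutil.exe','cmd.exe','dsget.exe','dsquery.exe',
    'find.exe','findstr.exe','fsutil.exe','hostname.exe','ipconfig.exe','nbtstat.exe',
    'net.exe','net1.exe','netdom.exe','netsh.exe','netstat.exe','nltest.exe','nslookup.exe',
    'ntdsutil.exe','pathping.exe','ping.exe','powershell.exe','qprocess.exe','query.exe',
    'qwinsta.exe','reg.exe','rundll32.exe','sc.exe','schtasks.exe','systeminfo.exe',
    'tasklist.exe','tracert.exe','ver.exe','vssadmin.exe','wevtutil.exe','whoami.exe',
    'wmic.exe','wusa.exe'
)

function Get-WatchedChildProcess {
    param(
        # Parent to look for; the IIS worker process, as in the query above.
        [string]$ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe',
        [string[]]$ToolNames = $Watched,
        [int]$MaxEvents = 5000          # assumption: cap on events read per run
    )
    # Sysmon event ID 1 = process creation. SilentlyContinue suppresses the
    # error Get-WinEvent raises when no event matches the filter.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Build a name -> value map from <EventData><Data Name="...">...</Data>.
        $field = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $field[$d.Name] = $d.'#text' }

        # -ieq and -contains compare case-insensitively.
        if ($field['Image'] -and $field['ParentImage'] -ieq $ParentImage -and
            $ToolNames -contains (Split-Path $field['Image'] -Leaf)) {
            [pscustomobject]@{
                UtcTime     = $field['UtcTime']
                User        = $field['User']
                Image       = $field['Image']
                CommandLine = $field['CommandLine']
            }
        }
    }
}

# Oldest first, with the full command line that the positional query does not show.
Get-WatchedChildProcess | Sort-Object UtcTime | Format-List
```

A web server worker process rarely needs to start any of these tools, so every row returned deserves a look at its command line and user context.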