Is there a way to specify the -Filter parameter, using the WMI Query Language (WQL), of the Get-WmiObject cmdlet to filter based on the "Command Line" used to invoke the process? By "Command Line" I mean the "Command Line" that is shown in the Windows Task Manager, Processes tab.
I want to get an array of process IDs where the command line contains the string *Dev_SW*. I cannot use the name because there will be many processes running with the same name that do not match the *Dev_SW* filter.
The Get-WmiObject cmdlet gets instances of WMI classes or information about the available WMI classes. To specify a remote computer, use the ComputerName parameter. If the List parameter is specified, the cmdlet gets information about the WMI classes that are available in a specified namespace.
The process command line can tell us how an application was intended to be used and in some cases can supply us directly with adversary payloads. For example, adversaries often supply malicious encoded PowerShell commands directly at the command line using any of the -EncodedCommand parameter variations.
The object type returned by Get-WmiObject includes a method called GetOwner. GetOwner returns another set of properties, one of which is User:
PS C:\WINDOWS\system32> Get-WmiObject -Class Win32_Process -Filter "name='calculator.exe'" | Foreach {$_.GetOwner() | Get-Member}
TypeName: System.
Get-WmiObject will make the WMI call to the class Win32_Process, then it will filter it where CommandLine is like DEV_SW. % is the wildcard in WMI:
Get-WmiObject Win32_Process -filter "CommandLine LIKE '%Dev_SW%'"
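The following is an added example, not code from the question or the answer above. It turns the answer's one-liner into two reusable functions: one that returns the array of process IDs the question asks for, and one that reports each match together with its owner via the GetOwner method mentioned earlier, which a defender can point at the -EncodedCommand pattern from the hunting note. The function names, the parameter names and the regex for the encoded-command switch are this example's own assumptions. One caveat the answer's filter glosses over: in WQL LIKE, `_` is itself a single-character wildcard, so `'%Dev_SW%'` also matches a command line containing `DevXSW`; bracketing it as `[_]` matches a literal underscore.

```powershell
# Added example (not from the original question or answer).
# Returns the ProcessId values of every process whose command line contains $Pattern,
# using a WQL LIKE filter on Win32_Process.
function Get-ProcessIdByCommandLine {
    param(
        [Parameter(Mandatory)] [string] $Pattern,   # literal substring to look for, e.g. 'Dev_SW'
        [string] $ComputerName = '.'                 # assumption: local machine unless told otherwise
    )
    # WQL LIKE wildcards: '%' = any string, '_' = any single character, '[...]' = one character
    # from a set. Bracket the wildcards so the pattern is matched literally, and double single
    # quotes so the string cannot break out of the WQL literal.
    $escaped = $Pattern.Replace("'", "''").Replace('%', '[%]').Replace('_', '[_]')
    $filter  = "CommandLine LIKE '%$escaped%'"
    @(Get-WmiObject -Class Win32_Process -ComputerName $ComputerName -Filter $filter |
        ForEach-Object { [int]$_.ProcessId })
}

# Reports matching processes with their owner, using the GetOwner method on Win32_Process.
function Get-ProcessCommandLineReport {
    param([Parameter(Mandatory)] [string] $WqlFilter)   # raw WQL WHERE clause, caller's responsibility
    Get-WmiObject -Class Win32_Process -Filter $WqlFilter | ForEach-Object {
        $owner = $_.GetOwner()                            # ReturnValue 0 means Domain/User are populated
        [pscustomobject]@{
            ProcessId   = $_.ProcessId
            Name        = $_.Name
            Owner       = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { $null }
            CommandLine = $_.CommandLine
        }
    }
}

# Usage 1: the question's case, an array of PIDs whose command line contains the literal 'Dev_SW'.
$devSwPids = Get-ProcessIdByCommandLine -Pattern 'Dev_SW'
"$($devSwPids.Count) process(es) launched with Dev_SW: $($devSwPids -join ', ')"

# Usage 2 (defender's sweep): PowerShell hosts started with an encoded command. WQL narrows the
# set cheaply; the regex (an assumption covering the common spellings -e, -ec, -enc and
# -EncodedCommand) does the precise match on the client side.
$encodedSwitch = '(?i)(^|\s)-e(c|nc(odedcommand)?)?\s'
Get-ProcessCommandLineReport -WqlFilter "Name LIKE 'powershell%' OR Name LIKE 'pwsh%'" |
    Where-Object { $_.CommandLine -match $encodedSwitch } |
    Format-Table ProcessId, Owner, CommandLine -AutoSize
```

Get-WmiObject is not available in PowerShell 7; the same queries work there with `Get-CimInstance -ClassName Win32_Process -Filter $filter`, and the owner lookup becomes `Invoke-CimMethod -InputObject $proc -MethodName GetOwner`. Note that CommandLine is only populated for processes the calling account can read, so an unprivileged session will miss processes owned by other users.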