ipconfig.exe

  • File Path: C:\Windows\system32\ipconfig.exe
  • Description: IP Configuration Utility

Hashes

Type     Hash
MD5      3D33188ECD39ECFEEA2E08996891C76E
SHA1     80D6D97B90BCCDD9DE6301E074A8EF2F5B8F600C
SHA256   C5DBBDDD1193C7ADCA1E30CD17B8C7AF6A76C406DD84DC164BB959C135F1AA70
SHA384   B3D89E9143D507477761AAEC9D1DB0023998E03D6C8BA7D82379B7551E4FA41C663857F5C2FB3F4EB68D6A7B8046AA62
SHA512   5404CFB23F038441617582F6840368C0911764D3C2932E8D1E565F9BA04A9D64918895395A63D4D2D78164863B10228A231FD56957EF7BF45AE3ED7894E6D79E
SSDEEP   768:u23HOsYksucX/iBYuoQeR38BgCnkkYIb9V:ZHO7eYuqR38BFkfc9V
IMP      15167A60983BFC39B2DA4F53B9B1F28C
PESHA1   7DB93D56411709851C5A6FD0C64DCB48AECAD8E1
PE256    EEA545B20217B812B15C8D1FCAD047A8A745B2FA79E47C55C370687BB1998887

Runtime Data

Usage (stdout):

Error: unrecognized or incomplete command line.

USAGE:
    ipconfig [/allcompartments] [/? | /all | 
                                 /renew [adapter] | /release [adapter] |
                                 /renew6 [adapter] | /release6 [adapter] |
                                 /flushdns | /displaydns | /registerdns |
                                 /showclassid adapter |
                                 /setclassid adapter [classid] |
                                 /showclassid6 adapter |
                                 /setclassid6 adapter [classid] ]

where
    adapter             Connection name 
                       (wildcard characters * and ? allowed, see examples)

    Options:
       /?               Display this help message
       /all             Display full configuration information.
       /release         Release the IPv4 address for the specified adapter.
       /release6        Release the IPv6 address for the specified adapter.
       /renew           Renew the IPv4 address for the specified adapter.
       /renew6          Renew the IPv6 address for the specified adapter.
       /flushdns        Purges the DNS Resolver cache.
       /registerdns     Refreshes all DHCP leases and re-registers DNS names
       /displaydns      Display the contents of the DNS Resolver Cache.
       /showclassid     Displays all the dhcp class IDs allowed for adapter.
       /setclassid      Modifies the dhcp class id.  
       /showclassid6    Displays all the IPv6 DHCP class IDs allowed for adapter.
       /setclassid6     Modifies the IPv6 DHCP class id.


The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                       ... Show information
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew any connection that has its 
                                         name starting with EL
    > ipconfig /release *Con*        ... release all matching connections,
                                         eg. "Wired Ethernet Connection 1" or
                                             "Wired Ethernet Connection 2"
    > ipconfig /allcompartments      ... Show information about all 
                                         compartments
    > ipconfig /allcompartments /all ... Show detailed information about all
                                         compartments

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ipconfig.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/c5dbbddd1193c7adca1e30cd17b8c7af6a76c406dd84dc164bb959c135f1aa70/detection/

Possible Misuse

The following table contains possible examples of ipconfig.exe being misused. While ipconfig.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | apt_silence_downloader_v3.yml | '\ipconfig.exe' | DRL 1.0
sigma | proc_creation_macos_system_network_discovery.yml | '/usr/sbin/ipconfig' | DRL 1.0
sigma | proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml | 'ipconfig' | DRL 1.0
sigma | proc_creation_win_multiple_suspicious_cli.yml | ipconfig.exe | DRL 1.0
sigma | proc_creation_win_susp_network_command.yml | 'ipconfig /all' | DRL 1.0
sigma | proc_creation_win_webshell_detection.yml | '\ipconfig.exe' | DRL 1.0
malware-ioc | misp_invisimole.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", | © ESET 2014-2018
malware-ioc | rtm | ipconfig /flushdns | © ESET 2014-2018
malware-ioc | misp-turla-lightneuron-event.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", | © ESET 2014-2018
atomic-red-team | T1016.md | <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. | MIT License. © 2018 Red Canary
atomic-red-team | T1016.md | ipconfig /all | MIT License. © 2018 Red Canary
atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. | MIT License. © 2018 Red Canary
atomic-red-team | T1018.md | Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. | MIT License. © 2018 Red Canary
atomic-red-team | T1018.md | Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. | MIT License. © 2018 Red Canary
atomic-red-team | T1018.md | $localip = ((ipconfig | findstr [0-9]..)[0]).Split()[-1] | MIT License. © 2018 Red Canary
atomic-red-team | T1021.006.md | Upon successful execution, powershell will execute ipconfig on localhost using invoke-command. | MIT License. © 2018 Red Canary
atomic-red-team | T1021.006.md | | remote_command | Command to execute on remote Host | String | ipconfig| | MIT License. © 2018 Red Canary
signature-base | apt_oilrig.yar | $s1 = "whoami & hostname & ipconfig /all" ascii | CC BY-NC 4.0
signature-base | apt_volatile_cedar.yar | $s1 = "command = "ipconfig /all"" fullword | CC BY-NC 4.0
signature-base | gen_cn_webshells.yar | $s6 = "secparam('IP Configurate',execute('ipconfig -all'));" fullword ascii | CC BY-NC 4.0
signature-base | gen_recon_indicators.yar | /* ipconfig /all */ | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s5 = "//——- [netstat -an] and [ipconfig] and [tasklist] ————" fullword | CC BY-NC 4.0
stockpile | e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml | ipconfig | Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

ipconfig

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.

Syntax

ipconfig [/allcompartments] [/all] [/renew [<adapter>]] [/release [<adapter>]] [/renew6 [<adapter>]] [/release6 [<adapter>]] [/flushdns] [/displaydns] [/registerdns] [/showclassid <adapter>] [/setclassid <adapter> [<classID>]]

Parameters

  • /all: Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

  • /displaydns: Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.

  • /flushdns: Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.

  • /registerdns: Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.

  • /release [<adapter>]: Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

  • /release6 [<adapter>]: Sends a DHCPRELEASE message to the DHCPv6 server to release the current DHCP configuration and discard the IPv6 address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

  • /renew [<adapter>]: Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

  • /renew6 [<adapter>]: Renews DHCPv6 configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IPv6 address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.

  • /setclassid <adapter> [<classID>]: Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.

  • /showclassid <adapter>: Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.

  • /?: Displays Help at the command prompt.

Remarks

  • This command is most useful on computers that are configured to obtain an IP address automatically. This enables users to determine which TCP/IP configuration values have been configured by DHCP, Automatic Private IP Addressing (APIPA), or an alternate configuration.

  • If the name you supply for adapter contains any spaces, use quotation marks around the adapter name (for example, “adapter name”).

  • For adapter names, ipconfig supports the use of the asterisk (*) wildcard character to specify either adapters with names that begin with a specified string or adapters with names that contain a specified string. For example, Local* matches all adapters that start with the string Local and *Con* matches all adapters that contain the string Con.

Examples

To display the basic TCP/IP configuration for all adapters, type:

ipconfig

To display the full TCP/IP configuration for all adapters, type:

ipconfig /all

To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:

ipconfig /renew Local Area Connection

To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:

ipconfig /flushdns

To display the DHCP class ID for all adapters with names that start with Local, type:

ipconfig /showclassid Local*

To set the DHCP class ID for the Local Area Connection adapter to TEST, type:

ipconfig /setclassid Local Area Connection TEST

MIT License. Copyright (c) 2020-2021 Strontic.