ipconfig.exe

  • File Path: C:\WINDOWS\SysWOW64\ipconfig.exe
  • Description: IP Configuration Utility

Hashes

Type Hash
MD5 97F33E163FF16F216BC95BA92368009E
SHA1 2D14E81E5447362483BC15498BCC550AC686D3C1
SHA256 6ED413DABF3AF2B25F7FF99B5F6DD6576208274189C4AE8260730A6AEA1AC28B
SHA384 79046F0352D5AE1905A3DC2D88AE961D8270ECA84783825436B8653AE738FACB82F928B60B1557D0B30E844733174169
SHA512 D99BBFFB82E4C9016855D1B46E1AA06A957502E4EF25149F703EC9879F93590EC5411DFEE00DCC3D65855B24E8630E630F72E9C6BAE8BB6E6DCEB7F629DEC249
SSDEEP 384:nDiTka2gQ2iyJtWIpRLAOyd3ayJxZuFP7OLaV7/Pg6P85OpocH+LMZ59lbX+WnG3:nDH2iUt1LADd3ayptaRISpo54ZlbXH
IMP C983706C01A0A915341AF70FB20C0FBE
PESHA1 EA3AC9723401739E525DCE573FA8C9FCABB59A4D
PE256 494E03F32B92795CADE03CC6ECD5AF6E267CA737418C354B832A062E5A01E974

Runtime Data

Usage (stdout):


Error: unrecognized or incomplete command line.

USAGE:
    ipconfig [/allcompartments] [/? | /all | 
                                 /renew [adapter] | /release [adapter] |
                                 /renew6 [adapter] | /release6 [adapter] |
                                 /flushdns | /displaydns | /registerdns |
                                 /showclassid adapter |
                                 /setclassid adapter [classid] |
                                 /showclassid6 adapter |
                                 /setclassid6 adapter [classid] ]

where
    adapter             Connection name 
                       (wildcard characters * and ? allowed, see examples)

    Options:
       /?               Display this help message
       /all             Display full configuration information.
       /release         Release the IPv4 address for the specified adapter.
       /release6        Release the IPv6 address for the specified adapter.
       /renew           Renew the IPv4 address for the specified adapter.
       /renew6          Renew the IPv6 address for the specified adapter.
       /flushdns        Purges the DNS Resolver cache.
       /registerdns     Refreshes all DHCP leases and re-registers DNS names
       /displaydns      Display the contents of the DNS Resolver Cache.
       /showclassid     Displays all the dhcp class IDs allowed for adapter.
       /setclassid      Modifies the dhcp class id.  
       /showclassid6    Displays all the IPv6 DHCP class IDs allowed for adapter.
       /setclassid6     Modifies the IPv6 DHCP class id.


The default is to display only the IP address, subnet mask and
default gateway for each adapter bound to TCP/IP.

For Release and Renew, if no adapter name is specified, then the IP address
leases for all adapters bound to TCP/IP will be released or renewed.

For Setclassid and Setclassid6, if no ClassId is specified, then the ClassId is removed.

Examples:
    > ipconfig                       ... Show information
    > ipconfig /all                  ... Show detailed information
    > ipconfig /renew                ... renew all adapters
    > ipconfig /renew EL*            ... renew any connection that has its 
                                         name starting with EL
    > ipconfig /release *Con*        ... release all matching connections,
                                         eg. "Wired Ethernet Connection 1" or
                                             "Wired Ethernet Connection 2"
    > ipconfig /allcompartments      ... Show information about all 
                                         compartments
    > ipconfig /allcompartments /all ... Show detailed information about all
                                         compartments

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\ipconfig.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ipconfig.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/6ed413dabf3af2b25f7ff99b5f6dd6576208274189c4ae8260730a6aea1ac28b/detection

Possible Misuse

The following table contains possible examples of ipconfig.exe being misused. While ipconfig.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_downloader_v3.yml - '\ipconfig.exe' DRL 1.0
sigma proc_creation_macos_system_network_discovery.yml - '/usr/sbin/ipconfig' DRL 1.0
sigma proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml - 'ipconfig' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - ipconfig.exe DRL 1.0
sigma proc_creation_win_susp_network_command.yml - 'ipconfig /all' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\ipconfig.exe' DRL 1.0
malware-ioc misp_invisimole.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc rtm ipconfig /flushdns © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
atomic-red-team T1016.md <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. MIT License. © 2018 Red Canary
atomic-red-team T1016.md ipconfig /all MIT License. © 2018 Red Canary
atomic-red-team T1016.md Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1018.md $localip = ((ipconfig | findstr [0-9]..)[0]).Split()[-1] MIT License. © 2018 Red Canary
atomic-red-team T1021.006.md Upon successful execution, powershell will execute ipconfig on localhost using invoke-command. MIT License. © 2018 Red Canary
atomic-red-team T1021.006.md | remote_command | Command to execute on remote Host | String | ipconfig| MIT License. © 2018 Red Canary
signature-base apt_oilrig.yar $s1 = "whoami & hostname & ipconfig /all" ascii CC BY-NC 4.0
signature-base apt_volatile_cedar.yar $s1 = "command = "ipconfig /all"" fullword CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s6 = "secparam('IP Configurate',execute('ipconfig -all'));" fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar /* ipconfig /all */ CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = "//----- [netstat -an] and [ipconfig] and [tasklist] --------" fullword CC BY-NC 4.0
stockpile e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml ipconfig Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

ipconfig

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.

Syntax

ipconfig [/allcompartments] [/all] [/renew [<adapter>]] [/release [<adapter>]] [/renew6 [<adapter>]] [/release6 [<adapter>]] [/flushdns] [/displaydns] [/registerdns] [/showclassid <adapter>] [/setclassid <adapter> [<classID>]]

Parameters

Parameter Description
/all Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
/displaydns Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.
/flushdns Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.
/registerdns Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.
/release [<adapter>] Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/release6 [<adapter>] Sends a DHCPRELEASE message to the DHCPv6 server to release the current DHCP configuration and discard the IPv6 address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/renew [<adapter>] Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/renew6 [<adapter>] Renews DHCPv6 configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IPv6 address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/setclassid <adapter> [<classID>] Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.
/showclassid <adapter> Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.
/? Displays Help at the command prompt.

Remarks
  • This command is most useful on computers that are configured to obtain an IP address automatically. This enables users to determine which TCP/IP configuration values have been configured by DHCP, Automatic Private IP Addressing (APIPA), or an alternate configuration.

  • If the name you supply for adapter contains any spaces, use quotation marks around the adapter name (for example, "adapter name").

  • For adapter names, ipconfig supports the use of the asterisk (*) wildcard character to specify either adapters with names that begin with a specified string or adapters with names that contain a specified string. For example, Local* matches all adapters that start with the string Local and *Con* matches all adapters that contain the string Con.

Examples

To display the basic TCP/IP configuration for all adapters, type:

ipconfig

To display the full TCP/IP configuration for all adapters, type:

ipconfig /all

To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:

ipconfig /renew Local Area Connection

To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:

ipconfig /flushdns

To display the DHCP class ID for all adapters with names that start with Local, type:

ipconfig /showclassid Local*

To set the DHCP class ID for the Local Area Connection adapter to TEST, type:

ipconfig /setclassid Local Area Connection TEST

MIT License. Copyright (c) 2020-2021 Strontic.