ipconfig.exe
- File Path:
C:\windows\system32\ipconfig.exe - Description: IP Configuration Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | BF379376C124B19A7535CBA8EA179802 |
| SHA1 | 588D711E3D5F141987BF2C1B397C59EF1997C0E1 |
| SHA256 | 21E8B9BD30650E96C36E976AE35B01E409199C244E6A5480A746692C01D78B84 |
| SHA384 | 63B64B145DA562E290DC1E4F9742BABDBF2435D3BB761C29316B236596CEBA398B94AD845EBFB8CDA87D3DBC3303D28C |
| SHA512 | 0AD417B77C9EEEE17163DF384975A2846C45BD8649054BB9892E342A7DE64DCB5B4504BB0D5683447517DA19BD455697547681E5B2E3AB3A24A020B84C4DD7C2 |
| SSDEEP | 768:eL5wk6Ek4d5gkUN5UA26fN+jKbmIqkbckdh2x2:sfNKtrn2agjKbzckdT |
Signature
- Status: The file C:\windows\system32\ipconfig.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
- Serial: ``
- Thumbprint: ``
- Issuer:
- Subject:
File Metadata
- Original Filename: ipconfig.exe.mui
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
- Product Version: 6.3.9600.16384
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
Possible Misuse
The following table contains possible examples of ipconfig.exe being misused. While ipconfig.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | apt_silence_downloader_v3.yml | - '\ipconfig.exe' |
DRL 1.0 |
| sigma | proc_creation_macos_system_network_discovery.yml | - '/usr/sbin/ipconfig' |
DRL 1.0 |
| sigma | proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml | - 'ipconfig' |
DRL 1.0 |
| sigma | proc_creation_win_multiple_suspicious_cli.yml | - ipconfig.exe |
DRL 1.0 |
| sigma | proc_creation_win_susp_network_command.yml | - 'ipconfig /all' |
DRL 1.0 |
| sigma | proc_creation_win_webshell_detection.yml | - '\ipconfig.exe' |
DRL 1.0 |
| malware-ioc | misp_invisimole.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", |
© ESET 2014-2018 |
| malware-ioc | rtm | ipconfig /flushdns |
© ESET 2014-2018 |
| malware-ioc | misp-turla-lightneuron-event.json | "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", |
© ESET 2014-2018 |
| atomic-red-team | T1016.md | <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | ipconfig /all | MIT License. © 2018 Red Canary |
| atomic-red-team | T1016.md | Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1018.md | $localip = ((ipconfig | findstr [0-9]..)[0]).Split()[-1] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.006.md | Upon successful execution, powershell will execute ipconfig on localhost using invoke-command. |
MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.006.md | | remote_command | Command to execute on remote Host | String | ipconfig| | MIT License. © 2018 Red Canary |
| signature-base | apt_oilrig.yar | $s1 = “whoami & hostname & ipconfig /all” ascii | CC BY-NC 4.0 |
| signature-base | apt_volatile_cedar.yar | $s1 = “command = "ipconfig /all"” fullword | CC BY-NC 4.0 |
| signature-base | gen_cn_webshells.yar | $s6 = “secparam(‘IP Configurate’,execute(‘ipconfig -all’));” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_recon_indicators.yar | /* ipconfig /all */ | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s5 = “//——- [netstat -an] and [ipconfig] and [tasklist] ————” fullword | CC BY-NC 4.0 |
| stockpile | e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml | ipconfig |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
ipconfig
Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.
Syntax
ipconfig [/allcompartments] [/all] [/renew [<adapter>]] [/release [<adapter>]] [/renew6[<adapter>]] [/release6 [<adapter>]] [/flushdns] [/displaydns] [/registerdns] [/showclassid <adapter>] [/setclassid <adapter> [<classID>]]
Parameters
| Parameter | Description |
|---|---|
| /all | Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections. |
| /displaydns | Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers. |
| /flushdns | Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically. |
| /registerdns | Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS. |
/release [<adapter>] |
Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/release6[<adapter>] |
Sends a DHCPRELEASE message to the DHCPv6 server to release the current DHCP configuration and discard the IPv6 address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/renew [<adapter>] |
Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/renew6 [<adapter>] |
Renews DHCPv6 configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IPv6 address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters. |
/setclassid <adapter>[<classID>] |
Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed. |
/showclassid <adapter> |
Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. |
| /? | Displays Help at the command prompt. |
Remarks
-
This command is most useful on computers that are configured to obtain an IP address automatically. This enables users to determine which TCP/IP configuration values have been configured by DHCP, Automatic Private IP Addressing (APIPA), or an alternate configuration.
-
If the name you supply for adapter contains any spaces, use quotation marks around the adapter name (for example, “adapter name”).
-
For adapter names, ipconfig supports the use of the asterisk (*) wildcard character to specify either adapters with names that begin with a specified string or adapters with names that contain a specified string. For example,
Local*matches all adapters that start with the string Local and*Con*matches all adapters that contain the string Con.
Examples
To display the basic TCP/IP configuration for all adapters, type:
ipconfig
To display the full TCP/IP configuration for all adapters, type:
ipconfig /all
To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:
ipconfig /renew Local Area Connection
To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:
ipconfig /flushdns
To display the DHCP class ID for all adapters with names that start with Local, type:
ipconfig /showclassid Local*
To set the DHCP class ID for the Local Area Connection adapter to TEST, type:
ipconfig /setclassid Local Area Connection TEST
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.