ipconfig.exe

  • File Path: C:\windows\system32\ipconfig.exe
  • Description: IP Configuration Utility

Hashes

Type Hash
MD5 BF379376C124B19A7535CBA8EA179802
SHA1 588D711E3D5F141987BF2C1B397C59EF1997C0E1
SHA256 21E8B9BD30650E96C36E976AE35B01E409199C244E6A5480A746692C01D78B84
SHA384 63B64B145DA562E290DC1E4F9742BABDBF2435D3BB761C29316B236596CEBA398B94AD845EBFB8CDA87D3DBC3303D28C
SHA512 0AD417B77C9EEEE17163DF384975A2846C45BD8649054BB9892E342A7DE64DCB5B4504BB0D5683447517DA19BD455697547681E5B2E3AB3A24A020B84C4DD7C2
SSDEEP 768:eL5wk6Ek4d5gkUN5UA26fN+jKbmIqkbckdh2x2:sfNKtrn2agjKbzckdT

Signature

  • Status: The file C:\windows\system32\ipconfig.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: ipconfig.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of ipconfig.exe being misused. While ipconfig.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma apt_silence_downloader_v3.yml - '\ipconfig.exe' DRL 1.0
sigma proc_creation_macos_system_network_discovery.yml - '/usr/sbin/ipconfig' DRL 1.0
sigma proc_creation_win_atlassian_confluence_cve_2021_26084_exploit.yml - 'ipconfig' DRL 1.0
sigma proc_creation_win_multiple_suspicious_cli.yml - ipconfig.exe DRL 1.0
sigma proc_creation_win_susp_network_command.yml - 'ipconfig /all' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\ipconfig.exe' DRL 1.0
malware-ioc misp_invisimole.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](https://attack.mitre.org/software/S0100)/[ifconfig](https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).\n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.", © ESET 2014-2018
malware-ioc rtm ipconfig /flushdns © ESET 2014-2018
malware-ioc misp-turla-lightneuron-event.json "description": "Adversaries will likely look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", © ESET 2014-2018
atomic-red-team T1016.md <blockquote>Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route. MIT License. © 2018 Red Canary
atomic-red-team T1016.md ipconfig /all MIT License. © 2018 Red Canary
atomic-red-team T1016.md Upon successful execution, cmd.exe will spawn ipconfig /all, net config workstation, net view /all /domain, nltest /domain_trusts. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Powershell script that runs nslookup on cmd.exe against the local /24 network of the first network adaptor listed in ipconfig. MIT License. © 2018 Red Canary
atomic-red-team T1018.md Upon successful execution, powershell will identify the ip range (via ipconfig) and perform a for loop and execute nslookup against that IP range. Output will be via stdout. MIT License. © 2018 Red Canary
atomic-red-team T1018.md $localip = ((ipconfig | findstr [0-9]..)[0]).Split()[-1] MIT License. © 2018 Red Canary
atomic-red-team T1021.006.md Upon successful execution, powershell will execute ipconfig on localhost using invoke-command. MIT License. © 2018 Red Canary
atomic-red-team T1021.006.md | remote_command | Command to execute on remote Host | String | ipconfig| MIT License. © 2018 Red Canary
signature-base apt_oilrig.yar $s1 = “whoami & hostname & ipconfig /all” ascii CC BY-NC 4.0
signature-base apt_volatile_cedar.yar $s1 = “command = "ipconfig /all"” fullword CC BY-NC 4.0
signature-base gen_cn_webshells.yar $s6 = “secparam(‘IP Configurate’,execute(‘ipconfig -all’));” fullword ascii CC BY-NC 4.0
signature-base gen_recon_indicators.yar /* ipconfig /all */ CC BY-NC 4.0
signature-base thor-webshells.yar $s5 = “//——- [netstat -an] and [ipconfig] and [tasklist] ————” fullword CC BY-NC 4.0
stockpile e8017c46-acb8-400c-a4b5-b3362b5b5baa.yml ipconfig Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


ipconfig

Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, ipconfig displays Internet Protocol version 4 (IPv4) and IPv6 addresses, subnet mask, and default gateway for all adapters.

Syntax

ipconfig [/allcompartments] [/all] [/renew [<adapter>]] [/release [<adapter>]] [/renew6[<adapter>]] [/release6 [<adapter>]] [/flushdns] [/displaydns] [/registerdns] [/showclassid <adapter>] [/setclassid <adapter> [<classID>]]

Parameters

Parameter Description
/all Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
/displaydns Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. The DNS Client service uses this information to resolve frequently queried names quickly, before querying its configured DNS servers.
/flushdns Flushes and resets the contents of the DNS client resolver cache. During DNS troubleshooting, you can use this procedure to discard negative cache entries from the cache, as well as any other entries that have been added dynamically.
/registerdns Initiates manual dynamic registration for the DNS names and IP addresses that are configured at a computer. You can use this parameter to troubleshoot a failed DNS name registration or resolve a dynamic update problem between a client and the DNS server without rebooting the client computer. The DNS settings in the advanced properties of the TCP/IP protocol determine which names are registered in DNS.
/release [<adapter>] Sends a DHCPRELEASE message to the DHCP server to release the current DHCP configuration and discard the IP address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/release6[<adapter>] Sends a DHCPRELEASE message to the DHCPv6 server to release the current DHCP configuration and discard the IPv6 address configuration for either all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter disables TCP/IP for adapters configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/renew [<adapter>] Renews DHCP configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/renew6 [<adapter>] Renews DHCPv6 configuration for all adapters (if an adapter is not specified) or for a specific adapter if the adapter parameter is included. This parameter is available only on computers with adapters that are configured to obtain an IPv6 address automatically. To specify an adapter name, type the adapter name that appears when you use ipconfig without parameters.
/setclassid <adapter>[<classID>] Configures the DHCP class ID for a specified adapter. To set the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically. If a DHCP class ID is not specified, the current class ID is removed.
/showclassid <adapter> Displays the DHCP class ID for a specified adapter. To see the DHCP class ID for all adapters, use the asterisk (*) wildcard character in place of adapter. This parameter is available only on computers with adapters that are configured to obtain an IP address automatically.
/? Displays Help at the command prompt.
Remarks
  • This command is most useful on computers that are configured to obtain an IP address automatically. This enables users to determine which TCP/IP configuration values have been configured by DHCP, Automatic Private IP Addressing (APIPA), or an alternate configuration.

  • If the name you supply for adapter contains any spaces, use quotation marks around the adapter name (for example, “adapter name”).

  • For adapter names, ipconfig supports the use of the asterisk (*) wildcard character to specify either adapters with names that begin with a specified string or adapters with names that contain a specified string. For example, Local* matches all adapters that start with the string Local and *Con* matches all adapters that contain the string Con.

Examples

To display the basic TCP/IP configuration for all adapters, type:

ipconfig

To display the full TCP/IP configuration for all adapters, type:

ipconfig /all

To renew a DHCP-assigned IP address configuration for only the Local Area Connection adapter, type:

ipconfig /renew Local Area Connection

To flush the DNS resolver cache when troubleshooting DNS name resolution problems, type:

ipconfig /flushdns

To display the DHCP class ID for all adapters with names that start with Local, type:

ipconfig /showclassid Local*

To set the DHCP class ID for the Local Area Connection adapter to TEST, type:

ipconfig /setclassid Local Area Connection TEST

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.