Commands to Avoid

Issuing common host reconnaissance commands such as "whoami" or "net", especially several of them in quick succession, can trigger alerts: EDRs detect these command chains through behavioral analysis.

These commands are also likely to be captured by command-line logging or script-block logging, which defenders can review and act on.

To minimize our footprint, we can do one of two things:

  1. Use the compromised computer as a proxy and pivot into the network, performing the enumeration from elsewhere (with tools such as rpcclient or Impacket).

  2. Use code rather than built-in shell commands to gather information and execute actions.

Note that if you take the proxy route, you lose the compromised user's security context, because Windows single sign-on does not apply to connections made through the proxy. You will have to obtain credentials in some way to regain that context.
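A defender-side view of the behaviour described above, as an added example that is not part of these notes: a small detector that reads process-creation log lines and raises one alert per host when several distinct commands from the tables below run within a short window. The log lines are constructed here and the field layout (`host=`, `user=`, `pid=`, `ppid=`, `cmd=`) is an assumed flattening of Windows Security event 4688 fields, not a real schema; the watchlist itself is taken from the "Initial Investigation" and "Reconnaissance" tables on this page.

```python
"""Flag bursts of host-reconnaissance commands in process-creation logs.

Added example, not part of the original notes. The log format below is an
assumption (a flattened 4688-style line); adapt parse_line() to your source.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Watchlist: the commands listed in the page's "Initial Investigation"
# and "Reconnaissance" tables. 'net' and 'query' are keyed on subcommand.
RECON_COMMANDS = {
    "tasklist", "ver", "ipconfig", "systeminfo", "net time", "netstat",
    "whoami", "net start", "qprocess", "query", "dir", "net view", "ping",
    "net use", "type", "net user", "net localgroup", "net group",
    "net config", "net share",
}

# Assumed line layout (constructed for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) cmd=\"(?P<cmd>.*)\"$"
)

# Constructed sample log: WS01 shows a chained recon burst, WS02 does not.
SAMPLE_LOG = """\
2024-03-01 09:00:01 host=WS01 user=CORP\\alice pid=4120 ppid=3980 cmd="C:\\Windows\\System32\\whoami.exe /all"
2024-03-01 09:00:04 host=WS01 user=CORP\\alice pid=4130 ppid=3980 cmd="ipconfig /all"
2024-03-01 09:00:09 host=WS01 user=CORP\\alice pid=4140 ppid=3980 cmd="net user /domain"
2024-03-01 09:00:15 host=WS01 user=CORP\\alice pid=4150 ppid=3980 cmd="net localgroup administrators"
2024-03-01 09:00:20 host=WS01 user=CORP\\alice pid=4160 ppid=3980 cmd="tasklist /v"
2024-03-01 09:00:25 host=WS01 user=CORP\\alice pid=4170 ppid=3980 cmd="net view /domain"
2024-03-01 09:10:00 host=WS02 user=CORP\\bob pid=5010 ppid=4900 cmd="ipconfig"
2024-03-01 11:45:00 host=WS02 user=CORP\\bob pid=5120 ppid=4900 cmd="ping 10.0.0.5"
2024-03-01 12:00:00 host=WS02 user=CORP\\bob pid=5200 ppid=4900 cmd="C:\\Program Files\\App\\app.exe --sync"
"""


def normalize_command(cmd):
    """Map a command line to its watchlist key, or None if not on the list.

    Strips the path and '.exe', lower-cases, and keeps the subcommand for
    'net' and 'query'. Quoted paths containing spaces are not handled;
    this is deliberately simple.
    """
    tokens = cmd.strip().split()
    if not tokens:
        return None
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    if exe in ("net", "query") and len(tokens) > 1:
        candidate = f"{exe} {tokens[1].lower()}"
        if candidate in RECON_COMMANDS:
            return candidate
    return exe if exe in RECON_COMMANDS else None


def parse_line(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
    event["recon"] = normalize_command(event["cmd"])
    return event


def detect_recon_bursts(log_text, window_seconds=300, threshold=4):
    """Return one alert per host on which at least `threshold` distinct
    watchlist commands ran within `window_seconds` of each other."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["recon"]:
            by_host[ev["host"]].append(ev)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            seen = []  # distinct commands in the window, in order of first use
            for ev in events[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                if ev["recon"] not in seen:
                    seen.append(ev["recon"])
            if len(seen) >= threshold:
                alerts.append({"host": host, "user": start["user"],
                               "first_seen": start["ts"], "commands": seen})
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(SAMPLE_LOG):
        print(f"{alert['host']} {alert['user']} {alert['first_seen']}: "
              f"{', '.join(alert['commands'])}")
```

The point of keying on distinct commands within a window, rather than on any single command, is exactly the behavioural correlation the notes warn about: a lone `ipconfig` from an admin is noise, whereas `whoami`, `ipconfig`, `net user`, `net localgroup`, `tasklist` and `net view` from one process tree within half a minute is a recon chain. Tuning `threshold` and `window_seconds` against your own baseline of administrative activity is what keeps the false-positive rate tolerable.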

Initial Investigation

Ranking  Command      Times executed
1        tasklist     155
2        ver          95
3        ipconfig     76
4        systeminfo   40
5        net time     31
6        netstat      27
7        whoami       22
8        net start    16
9        qprocess     15
10       query        14

Reconnaissance

Ranking  Command         Times executed
1        dir             976
2        net view        236
3        ping            200
4        net use         194
5        type            120
6        net user        95
7        net localgroup  39
8        net group       20
9        net config      16
10       net share       11

Lateral Movement

Ranking  Command            Times executed
1        at                 103
2        reg                31
3        wmic               24
4        wusa               7
5        netsh advfirewall  4
6        sc                 4
7        rundll32           2
