Commands to Avoid
Issuing common host recon commands like "whoami", "net" etc. could trigger alerts in defense systems if chained due to the fact that EDRs can detect these via behavioral analysis.
Using these commands can also risk being logged via command line logging or script logging, in which defenders can analyze and probably act upon these commands.
To minimize our footprint, we can either do two things:
Use the compromised computer as a proxy and pivot to the network to perform enumeration activities.(Use tools like rpcclient, impacket etc.)
Use Code and such to gather info and execute commands
Note that if you take the proxy route, you will lose being in the context of the user due to the fact that Windows SSO is not applicable in your situation. You will have to find credentials in some way to gain back context.
Initial Investigation
Ranking | Command | Times executed |
1 | tasklist | 155 |
2 | ver | 95 |
3 | ipconfig | 76 |
4 | systeminfo | 40 |
5 | net time | 31 |
6 | netstat | 27 |
7 | whoami | 22 |
8 | net start | 16 |
9 | qprocess | 15 |
10 | query | 14 |
Reconnaissance
Ranking | Command | Times executed |
1 | dir | 976 |
2 | net view | 236 |
3 | ping | 200 |
4 | net use | 194 |
5 | type | 120 |
6 | net user | 95 |
7 | net localgroup | 39 |
8 | net group | 20 |
9 | net config | 16 |
10 | net share | 11 |
lateral movement
Ranking | Command | Times executed |
1 | at | 103 |
2 | reg | 31 |
3 | wmic | 24 |
4 | wusa | 7 |
5 | netsh advfirewall | 4 |
6 | sc | 4 |
7 | rundll32 | 2 |
Last updated
