Commands to Avoid
Issuing common host reconnaissance commands such as whoami or net, especially several in quick succession, can trigger alerts, because EDRs detect these command chains through behavioral analysis.
These commands are also likely to be captured by command-line logging or script logging, which defenders can review and act on.
To minimize our footprint, we can do one of two things:
- Use the compromised computer as a proxy and pivot into the network to perform enumeration from there (using tools such as rpcclient, impacket, etc.).
- Use code, rather than shelling out to these built-in utilities, to gather information and execute commands.
Note that if you take the proxy route, you lose the compromised user's security context, because Windows SSO does not carry over to the proxied connection. You will have to obtain credentials in some way to regain that context.
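The behavioral detection described above, seen from the defender's side, as an added example that is not part of the original page: a minimal rule that groups process-creation records by host and user, slides a time window over them, and raises a finding when several distinct reconnaissance commands from the tables on this page appear close together. The log lines, the five-minute window and the threshold of four commands are constructed assumptions for the illustration, not real telemetry or a vendor's rule.

```python
"""
Detect chained host-reconnaissance commands in process-creation logs.

Added illustration (not part of the original page): a minimal behavioural
rule of the kind EDRs and SIEMs use. It groups constructed 4688-style
process-creation records by host and user, slides a time window over
them, and raises a finding when several distinct reconnaissance commands
from the page's tables appear within that window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands from the page's "Initial Investigation" and "Reconnaissance" tables.
RECON_COMMANDS = {
    "tasklist", "ver", "ipconfig", "systeminfo", "net time", "netstat",
    "whoami", "net start", "qprocess", "query", "net view", "net use",
    "net user", "net localgroup", "net group", "net config", "net share",
}

WINDOW = timedelta(minutes=5)   # assumption: tune per environment
THRESHOLD = 4                   # distinct recon commands within WINDOW

# Constructed sample records in the shape of a minimal process-creation
# export (timestamp, host, user, full command line). Not real telemetry.
SAMPLE_LOG = [
    "2024-05-01T10:00:01 WS01 CORP\\alice whoami /all",
    "2024-05-01T10:00:05 WS01 CORP\\alice ipconfig /all",
    "2024-05-01T10:00:09 WS01 CORP\\alice net user",
    "2024-05-01T10:00:14 WS01 CORP\\alice net localgroup administrators",
    "2024-05-01T10:00:20 WS01 CORP\\alice tasklist /v",
    "2024-05-01T11:30:00 WS02 CORP\\bob ipconfig",
    "2024-05-01T15:45:00 WS02 CORP\\bob net use",
]


def parse_record(line):
    """Split one constructed log line into (timestamp, host, user, cmdline)."""
    ts, host, user, cmdline = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, user, cmdline


def classify(cmdline):
    """Map a command line to a recon command name, or None if not in the list.

    Two-word 'net <verb>' commands are matched before the bare first token so
    that 'net user' is reported as 'net user', not as 'net'.
    """
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    # Strip a directory and .exe suffix: c:\windows\system32\net.exe -> net
    first = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    if len(tokens) > 1 and f"{first} {tokens[1]}" in RECON_COMMANDS:
        return f"{first} {tokens[1]}"
    return first if first in RECON_COMMANDS else None


def detect_recon_chains(lines, window=WINDOW, threshold=THRESHOLD):
    """Return a list of findings: (host, user, sorted distinct commands).

    A finding fires once per (host, user) pair when a sliding window of
    `window` length contains at least `threshold` distinct recon commands.
    """
    events = defaultdict(list)          # (host, user) -> [(ts, cmd)]
    for line in lines:
        ts, host, user, cmdline = parse_record(line)
        cmd = classify(cmdline)
        if cmd:
            events[(host, user)].append((ts, cmd))

    findings = []
    for (host, user), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {cmd for _, cmd in evs[start:end + 1]}
            if len(distinct) >= threshold:
                findings.append((host, user, sorted(distinct)))
                break                   # one finding per host/user pair
    return findings


if __name__ == "__main__":
    for host, user, cmds in detect_recon_chains(SAMPLE_LOG):
        print(f"[ALERT] {user} on {host}: {len(cmds)} recon commands "
              f"within {WINDOW}: {', '.join(cmds)}")
```

On the constructed sample the rule fires once, for alice on WS01, whose four distinct recon commands fall within 13 seconds; bob's two commands are hours apart and stay below threshold. The same grouping-and-windowing shape is what makes a chain of individually benign commands detectable even when each one alone would never be alerted on.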
Initial Investigation

| Ranking | Command | Times executed |
|---|---|---|
| 1 | tasklist | 155 |
| 2 | ver | 95 |
| 3 | ipconfig | 76 |
| 4 | systeminfo | 40 |
| 5 | net time | 31 |
| 6 | netstat | 27 |
| 7 | whoami | 22 |
| 8 | net start | 16 |
| 9 | qprocess | 15 |
| 10 | query | 14 |

Reconnaissance

| Ranking | Command | Times executed |
|---|---|---|
| 1 | dir | 976 |
| 2 | net view | 236 |
| 3 | ping | 200 |
| 4 | net use | 194 |
| 5 | type | 120 |
| 6 | net user | 95 |
| 7 | net localgroup | 39 |
| 8 | net group | 20 |
| 9 | net config | 16 |
| 10 | net share | 11 |

Lateral movement

| Ranking | Command | Times executed |
|---|---|---|
| 1 | at | 103 |
| 2 | reg | 31 |
| 3 | wmic | 24 |
| 4 | wusa | 7 |
| 5 | netsh advfirewall | 4 |
| 6 | sc | 4 |
| 7 | rundll32 | 2 |