Commands to Avoid
Issuing common host recon commands like "whoami", "net" etc. could trigger alerts in defense systems if chained due to the fact that EDRs can detect these via behavioral analysis.
Using these commands can also risk being logged via command line logging or script logging, in which defenders can analyze and probably act upon these commands.
To minimize our footprint, we can either do two things:
  1. 1.
    Use the compromised computer as a proxy and pivot to the network to perform enumeration activities.(Use tools like rpcclient, impacket etc.)
  2. 2.
    Use Code and such to gather info and execute commands
Note that if you take the proxy route, you will lose being in the context of the user due to the fact that Windows SSO is not applicable in your situation. You will have to find credentials in some way to gain back context.
Initial Investigation
Ranking
Command
Times executed
1
tasklist
155
2
ver
95
3
ipconfig
76
4
systeminfo
40
5
net time
31
6
netstat
27
7
whoami
22
8
net start
16
9
qprocess
15
10
query
14
Reconnaissance
Ranking
Command
Times executed
1
dir
976
2
net view
236
3
ping
200
4
net use
194
5
type
120
6
net user
95
7
net localgroup
39
8
net group
20
9
net config
16
10
net share
11
lateral movement
Ranking
Command
Times executed
1
at
103
2
reg
31
3
wmic
24
4
wusa
7
5
netsh advfirewall
4
6
sc
4
7
rundll32
2
Windows Commands Abused by Attackers - JPCERT/CC Eyes
JPCERT/CC Eyes
Copy link