Collection of Windows commands abused by attackers

Only recently I stumbled upon a slightly dated but still relevant post published on the Japanese CERT blog: Windows Commands Abused by Attackers.

The list is separated into the different attack phases, starting with Initial Investigation, going over Reconnaissance, to Spread of Infection. It is interesting to see that JPCERT apparently uses a different definition of “reconnaissance” than the one described by EC-Council (the certifier that awards “Certified Ethical Hacker”): while EC-Council considers reconnaissance to be the first stage, where attackers leverage OSINT to learn as much as possible about the target, the JPCERT author places this stage much further down the road, where an attacker is already executing commands on the victim’s machine. This corresponds more or less to the “gaining access / maintaining access” stage in the EC-Council methodology.

But anyway, a methodology is just a way of structuring what is observed in reality. What I find really useful about these lists is that you can use them for several purposes.

So, while the original article obviously focuses on how attackers use these commands for abusive tasks, I find these lists especially useful as a reminder of how to quickly look up certain information when troubleshooting systems (ver, systeminfo, whoami /all, net user, etc.). It is always good to have such a cheat sheet handy to avoid clicking through thousands of menus in the GUI.
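The other purpose such a list serves is detection: the same commands, grouped by the three JPCERT phases named above, make a compact correlation rule for process-creation logs. The following is an added example written for this post, not code from the JPCERT article or from the author of this post. It parses a handful of constructed, simplified 4688-style log lines (not real Windows event output), maps each command line to a phase using an assumed subset of the JPCERT list (the full mapping should be taken from the original article), and flags a user whose listed commands span two or more phases within a short time window. A single administrator running `ver` and `systeminfo` while troubleshooting stays below the threshold; a sequence that walks from investigation through reconnaissance into spread does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, condensed mapping of commands to the JPCERT phases named in the post.
# Only a subset; take the complete list from the JPCERT article itself.
PHASE_BY_COMMAND = {
    "ver": "Initial Investigation",
    "systeminfo": "Initial Investigation",
    "whoami": "Initial Investigation",
    "tasklist": "Initial Investigation",
    "ipconfig": "Initial Investigation",
    "net user": "Reconnaissance",
    "net view": "Reconnaissance",
    "net localgroup": "Reconnaissance",
    "at": "Spread of Infection",
    "sc": "Spread of Infection",
    "wmic": "Spread of Infection",
}

# Constructed sample lines in a simplified key=value layout (not real 4688 output).
SAMPLE_LOG = """\
2024-03-01T09:00:01 EventID=4688 User=CORP\\jdoe CommandLine="whoami /all"
2024-03-01T09:00:05 EventID=4688 User=CORP\\jdoe CommandLine="systeminfo"
2024-03-01T09:00:40 EventID=4688 User=CORP\\jdoe CommandLine="net user"
2024-03-01T09:01:10 EventID=4688 User=CORP\\jdoe CommandLine="net view \\\\FILESRV01"
2024-03-01T09:02:00 EventID=4688 User=CORP\\jdoe CommandLine="wmic process list brief"
2024-03-01T11:30:00 EventID=4688 User=CORP\\helpdesk CommandLine="systeminfo"
2024-03-01T11:30:02 EventID=4688 User=CORP\\helpdesk CommandLine="ver"
2024-03-01T12:00:00 EventID=4624 User=CORP\\jdoe CommandLine=""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) EventID=(?P<eid>\d+) User=(?P<user>\S+) CommandLine="(?P<cmd>[^"]*)"$'
)


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "eid": int(m["eid"]),
        "user": m["user"],
        "cmd": m["cmd"],
    }


def classify(cmdline):
    """Return (command, phase) if the command line starts with a listed command, else None."""
    tokens = cmdline.lower().split()
    if not tokens:
        return None
    # Tolerate a full path and an .exe suffix, e.g. C:\Windows\System32\whoami.exe
    exe = tokens[0].rsplit("\\", 1)[-1].removesuffix(".exe")
    # "net" subcommands are keyed as two words: "net user", "net view", ...
    key = f"net {tokens[1]}" if exe == "net" and len(tokens) > 1 else exe
    phase = PHASE_BY_COMMAND.get(key)
    return (key, phase) if phase else None


def find_suspicious_users(log_text, window=timedelta(minutes=10), min_phases=2):
    """Collect listed commands per user; flag users whose commands span at least
    `min_phases` distinct JPCERT phases inside one sliding time window."""
    events_by_user = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["eid"] != 4688:  # only process-creation events matter here
            continue
        hit = classify(ev["cmd"])
        if hit:
            events_by_user[ev["user"]].append((ev["ts"], hit[0], hit[1]))

    alerts = {}
    for user, evs in events_by_user.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            in_window = [e for e in evs[i:] if e[0] - t0 <= window]
            phases = {e[2] for e in in_window}
            if len(phases) >= min_phases:
                alerts[user] = {
                    "phases": sorted(phases),
                    "commands": [e[1] for e in in_window],
                }
                break  # one alert per user is enough
    return alerts


if __name__ == "__main__":
    for user, info in find_suspicious_users(SAMPLE_LOG).items():
        print(f"{user}: {info['phases']} via {info['commands']}")
```

The phase-span threshold is the interesting knob: counting distinct commands alone fires on every administrator who runs a few diagnostics, whereas requiring progression across phases keeps `helpdesk` quiet while still catching the `jdoe` sequence. In a real deployment the log parser would be replaced by the SIEM's own event fields, and the window and threshold tuned against a baseline of legitimate admin activity.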

This article was written by Fabian
