Only recently I stumbled upon a slightly dated but still relevant post published on the Japanese CERT blog: Windows Commands Abused by Attackers.
The list is split by attack phase, starting with Initial Investigation, moving on to Reconnaissance, and ending with Spread of Infection. Interestingly, JPCERT apparently defines “reconnaissance” differently from EC-Council (the body behind the “Certified Ethical Hacker” certification): EC-Council treats reconnaissance as the very first stage, in which attackers use OSINT to learn as much as possible about the target, whereas the JPCERT author places it much later, at a point where the attacker is already executing commands on the victim’s machine. That roughly corresponds to the “gaining access / maintaining access” stages of the EC-Council methodology.
But anyway, a methodology is just a way of structuring what is observed in reality. What I find really useful about these lists is that they serve several purposes:
- Write detection rules in your SIEM / EDR / IDS software
- Deploy policies that restrict the use of some of these tools (e.g. with AppLocker or Software Restriction Policies (SRPs))
- Use these lists as a cheat sheet for daily admin tasks
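As an added example of the first bullet (this is my own illustration, not code from the JPCERT post), here is a small PowerShell detection that runs over process-creation records. It assumes the records are Security event 4688 with “Include command line in process creation events” enabled (or Sysmon event 1); the watch list is an illustrative subset that you would fill from the JPCERT tables, and the sample events are constructed so the script runs offline. The important design point: almost every listed command is also a legitimate admin command, so a single hit is noise. The script therefore groups hits by logon session and only reports sessions that run several different listed commands, like the constructed session below (whoami, systeminfo, net user, then wmic against a remote host), while a lone ver from another user is ignored.

```powershell
# Added example, inspired by (not taken from) the JPCERT post. Assumes Security
# event 4688 with command-line auditing enabled, or Sysmon event 1.
# The watch list is an illustrative subset; populate it from the JPCERT tables.
$WatchList = @{
    'ver'            = 'Initial Investigation'
    'systeminfo'     = 'Initial Investigation'
    'whoami'         = 'Initial Investigation'
    'tasklist'       = 'Initial Investigation'
    'net user'       = 'Reconnaissance'
    'net view'       = 'Reconnaissance'
    'net localgroup' = 'Reconnaissance'
    'wmic'           = 'Spread of Infection'
    'sc'             = 'Spread of Infection'
}

function Get-CommandKey {
    # Normalise a command line to a watch-list key: strip quotes and path, drop
    # ".exe", lower-case, and prefer the two-word form ("net user") when present.
    param([string]$CommandLine)
    $tokens = @(($CommandLine -replace '"', '').Trim() -split '\s+' | Where-Object { $_ })
    if ($tokens.Count -eq 0) { return $null }
    $exe = (($tokens[0] -split '[\\/]')[-1] -replace '\.exe$', '').ToLowerInvariant()
    if ($exe -eq 'net1') { $exe = 'net' }        # net.exe delegates most subcommands to net1.exe
    $candidates = @()
    if ($tokens.Count -ge 2) { $candidates += "$exe $($tokens[1].ToLowerInvariant())" }
    $candidates += $exe
    foreach ($c in $candidates) { if ($WatchList.ContainsKey($c)) { return $c } }
    return $null
}

function Find-SuspiciousSessions {
    # Group watch-list hits by logon session and report sessions that ran at least
    # $MinDistinctCommands different listed commands. A lone "ver" is normal admin
    # work; whoami + systeminfo + net user + wmic in one session is worth a look.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][object[]]$Events,
        [int]$MinDistinctCommands = 3
    )
    begin { $all = @() }
    process { $all += $Events }
    end {
        $hits = foreach ($e in $all) {
            $key = Get-CommandKey $e.CommandLine
            if ($key) {
                [pscustomobject]@{
                    LogonId = $e.LogonId
                    User    = $e.User
                    Time    = $e.Time
                    Command = $key
                    Phase   = $WatchList[$key]
                }
            }
        }
        $hits | Group-Object LogonId | ForEach-Object {
            $distinct = @($_.Group.Command | Sort-Object -Unique)
            if ($distinct.Count -ge $MinDistinctCommands) {
                [pscustomobject]@{
                    LogonId  = $_.Name
                    User     = $_.Group[0].User
                    First    = $_.Group[0].Time
                    Commands = ($distinct -join ', ')
                    Phases   = (@($_.Group.Phase | Sort-Object -Unique) -join ', ')
                }
            }
        }
    }
}

function ConvertFrom-Event4688 {
    # Map live Security 4688 records onto the field names used above.
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            LogonId     = $data['SubjectLogonId']
            User        = $data['SubjectUserName']
            CommandLine = $data['CommandLine']
        }
    }
}

# Constructed sample in the shape of the 4688 fields (SubjectLogonId, SubjectUserName, CommandLine).
$Sample = @(
    [pscustomobject]@{ Time = '09:00:01'; LogonId = '0x3e7';   User = 'SYSTEM'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs' }
    [pscustomobject]@{ Time = '09:12:10'; LogonId = '0x5a1c2'; User = 'alice';  CommandLine = '"C:\Windows\System32\whoami.exe" /all' }
    [pscustomobject]@{ Time = '09:12:14'; LogonId = '0x5a1c2'; User = 'alice';  CommandLine = 'systeminfo' }
    [pscustomobject]@{ Time = '09:12:20'; LogonId = '0x5a1c2'; User = 'alice';  CommandLine = 'net1 user' }
    [pscustomobject]@{ Time = '09:13:02'; LogonId = '0x5a1c2'; User = 'alice';  CommandLine = 'wmic /node:fs01 process call create cmd.exe' }
    [pscustomobject]@{ Time = '10:30:00'; LogonId = '0x7b0d9'; User = 'bob';    CommandLine = 'ver' }
)
Find-SuspiciousSessions -Events $Sample | Format-Table -AutoSize

# Live use (requires the audit policy mentioned above):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5000 |
#     ConvertFrom-Event4688 | Find-SuspiciousSessions
```

Two practical notes. First, without command-line auditing, 4688 only gives you the image path (NewProcessName), so “net user” and “net view” become indistinguishable; turn the policy on before relying on this. Second, this is also why the second bullet only goes so far: AppLocker or SRP can block tools like wmic or at for ordinary users, but net, whoami and systeminfo are needed for everyday administration, so for those the session-level detection above is the more realistic control.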
So, while the original article obviously focuses on how attackers abuse these commands, I also find the lists useful simply as a reminder of how to look up certain information quickly when troubleshooting systems (ver, systeminfo, whoami /all, net user, etc.). It is always good to have such a cheat sheet handy to avoid clicking through thousands of GUI menus.