Windows Commands Most Used by Attackers

By toxicptr
November 19, 2016

Introduction

This guide lists the Windows commands most used by attackers, as shown by a study of the Japanese National CERT, and explains how to defend against their use. It also suggests additional Windows commands that could be of interest to attackers and are worth restricting as well.

Windows Commands

The most used commands during the attack phases were:

  • tasklist. Displays a list of currently running processes on the local computer or on a remote computer.
  • ipconfig. Displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings.
  • systeminfo. Displays detailed configuration information about a computer and its operating system.
  • netstat. Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP, ICMP, TCP, and UDP protocols), and IPv6 statistics.
  • whoami. Displays user, group and privileges information for the user who is currently logged on to the local system.
  • qprocess. Displays information about processes that are running on a Remote Desktop Session Host (RD Session Host) server.
  • query. Displays information about processes, sessions, and Remote Desktop Session Host (RD Session Host) servers.
  • net. Used to perform operations on groups, users, account policies, shares, etc.
  • at. Schedules commands and programs to run on a computer at a specified time and date.
  • reg. Performs operations on registry subkey information and values in registry entries.
  • wmic. Command-line and scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through WMI.
  • wusa. Uses the Windows Update Agent API to install update packages.
  • netsh. Command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer.
  • sc. Communicates with the Service Controller and installed services.
  • rundll32. Loads and runs 32-bit dynamic-link libraries (DLLs).

The following commands are not mentioned in the article, but their capabilities make them candidates for the block list too:

  • quser. Displays information about user sessions on a Remote Desktop Session Host (RD Session Host) server.
  • qappsrv. Displays a list of all Remote Desktop Session Host (RD Session Host) servers on the network.
  • qwinsta. Displays information about sessions on a Remote Desktop Session Host (RD Session Host) server.
  • taskkill. Ends one or more tasks or processes. Processes can be ended by process ID or image name.
  • regedit. Utility for editing the registry.
  • regedt32. Utility for editing the registry.
  • regsvr32. Registers .dll files as command components in the registry.
  • regini. Modifies the registry from the command line or a script, and applies changes that were pre-set in one or more text files.
  • telnet. Communicates with a computer running the Telnet Server service.
  • tftp. Transfers files to and from a remote computer that is running the Trivial File Transfer Protocol (TFTP) service.
  • tracert. Determines the path taken to a destination by sending Internet Control Message Protocol (ICMP) Echo Request or ICMPv6 messages to the destination with incrementally increasing Time to Live (TTL) field values.

AppLocker

AppLocker is a feature in Windows Server 2012, Windows Server 2008 R2, Windows 8, and Windows 7 that advances the functionality of the Software Restriction Policies feature. AppLocker helps administrators control how users can access and use files, such as executable files, scripts, Windows Installer files, and DLLs.

The application control rules of AppLocker let you limit what an attacker is able to run.

In order to configure AppLocker, launch gpedit.msc and go to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker.

[Screenshot 1: AppLocker node in gpedit.msc]

Now, we can add the commands we want to deny under Executable Rules. If we want the rules to apply to the Administrators group as well, delete the default BUILTIN\Administrators allow rule.

[Screenshot 2: AppLocker Executable Rules]

Enable enforcement of the Executable rules under AppLocker Properties.

[Screenshot 3: AppLocker Properties, Executable rules enforcement]

AppLocker depends on the Application Identity service. Launch services.msc and set it to Automatic startup, or the rules will not be enforced.

[Screenshot 4: Application Identity service in services.msc]
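The same configuration can be scripted instead of clicked through. The following is an added example, not code from the original post: it builds an AppLocker policy with one Deny rule per command in the list above, merges it into the local policy and sets the Application Identity service to start automatically. Rule names, the use of the Everyone SID (S-1-1-0) and the temp file name are my own choices.

```powershell
# Added example, not from the original post. Run from an elevated prompt.
# Rule names, the Everyone SID (S-1-1-0) and the temp file name are assumptions.
$denied = 'tasklist.exe','ipconfig.exe','systeminfo.exe','netstat.exe','whoami.exe',
          'qprocess.exe','query.exe','net.exe','at.exe','reg.exe','wbem\wmic.exe',
          'wusa.exe','netsh.exe','sc.exe','rundll32.exe'

# On 64-bit Windows a 32-bit copy of each tool lives in SysWOW64, so both
# locations get a rule. An explicit Deny takes precedence over the default
# Allow rule for the Windows folder, so the default rules can stay in place.
$prefixes = '%SYSTEM32%', '%WINDIR%\SysWOW64'

# One Exe path rule per binary; braces are doubled because -f treats {} specially.
$ruleTemplate = @'
    <FilePathRule Id="{{{0}}}" Name="Deny {1}" Description="Command from the list" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="{2}" />
      </Conditions>
    </FilePathRule>
'@

$rules = foreach ($prefix in $prefixes) {
    foreach ($rel in $denied) {
        $ruleTemplate -f [guid]::NewGuid(), "$prefix\$rel", "$prefix\$rel"
    }
}

$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$($rules -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$policyPath = Join-Path $env:TEMP 'deny-listed-commands.xml'
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run: show the decision the new policy reaches for one of the binaries.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path "$env:SystemRoot\System32\whoami.exe" -User Everyone

# -Merge adds these rules to the existing local policy instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge

# Rules are only enforced while the Application Identity service is running.
# sc.exe is used because Set-Service is refused for this protected service on
# newer Windows builds.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc
```

Path rules are the simplest to read; Get-AppLockerFileInformation can supply publisher or hash conditions instead if a rule should follow the binary rather than its location.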

We can check the AppLocker logs in Event Viewer under Applications and Services Logs > Microsoft > Windows > AppLocker.

[Screenshot 5: AppLocker logs in Event Viewer]

Now, if an unauthorized user tries to launch a denied command, they will receive a warning message and the attempt will be logged.

[Screenshot 6: AppLocker deny message]
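Reviewing those logged attempts is easier from PowerShell than by clicking through Event Viewer. This is an added example, not code from the original post: blocked executions are written as Event ID 8004 to the "EXE and DLL" AppLocker log (8003 is the audit-only counterpart), and the function below summarizes them by user and binary. The function name and the 24-hour default window are my own choices.

```powershell
# Added example, not from the original post. Summarizes AppLocker block events
# (Event ID 8004; add 8003 while the policy is in Audit mode). Function name
# and the 24-hour default window are assumptions.
function Get-AppLockerBlocks {
    param(
        [int]$Hours = 24,
        [int[]]$EventId = @(8004)
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
        Id        = $EventId
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The structured fields live in the event's UserData, not in the message text.
        $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
        $user = $data.TargetUser
        try {
            # TargetUser is a SID; translate it to DOMAIN\name where the account resolves.
            $sid  = New-Object System.Security.Principal.SecurityIdentifier $data.TargetUser
            $user = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $user
            FilePath = $data.FilePath
            Rule     = $data.RuleName
            Policy   = $data.PolicyName
        }
    }
}

# Which denied commands were attempted, and by whom, in the last day.
# Repeated hits on recon tools from one account are worth a closer look.
Get-AppLockerBlocks |
    Group-Object User, FilePath |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```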

Conclusion

AppLocker, provided by Microsoft, is a simple and effective way to restrict the capabilities of attackers in Windows environments. Nevertheless, blocking built-in commands does not help if the attackers download third-party tools instead.

A more extreme solution is to delete any unneeded executable. However, this option is harder to revert and can lead to system instability.

14 Comments
  1. I don't see psexec in the list, nice tool to use for remote activities

  2. Hello, this is all excellent; I would also like to know the existing concepts for hacking an Android phone, such as bluesnarfing and others
