I have compiled a list of “Windows Based Commands” along with the purpose of each, so it can help security professionals with the following tasks.
Red Teamers
- Enumerate system and network information
- Identify users and groups
- Find and exploit running processes and services
- Bypass security configurations
- Test network connections and routes
- Manipulate files and directories for exfiltration
- Maintain persistence and cover tracks
Blue Teamers (SOC)
- Identify system and network configurations
- Detect user and account anomalies
- Monitor and manage processes/services
- Audit and enforce security policies
- Monitor network activity and prevent malicious traffic
- Recover and protect files
- Maintain system integrity and perform system cleanup
Purple Teamers
- Simulate attacks to assess defenses
- Verify detection and response capabilities
- Collaborate on identifying vulnerabilities and improving security posture
Additionally, I've grouped the commands by category to help you understand them more clearly.
WINDOWS COMMANDS FOR SOC ANALYSTS
By Danyal Saleem
BASIC WINDOWS COMMANDS FOR SOC ANALYSTS:
1. System Information and Configuration
· systeminfo: Displays detailed configuration information about the system, including OS version and build, installed hotfixes, memory, and the last boot time.
· hostname: Displays the name of the computer (hostname).
· ver: Displays the Windows version.
· wmic: Windows Management Instrumentation Command-line tool for system information and management. Note that wmic is deprecated and no longer present by default on current Windows 11 releases; the PowerShell equivalents are Get-CimInstance Win32_OperatingSystem and Get-CimInstance Win32_Processor.
· wmic os get caption, version, buildnumber: Shows OS version and build number.
· wmic cpu get caption, deviceid, numberofcores: Displays CPU information.
· msinfo32: Opens the System Information utility, providing a detailed overview of the system.
2. User and Account Management (Discovery and Administration)
· net user: Displays user account information or modifies accounts. With no arguments it lists the local accounts.
· net user <username>: Displays user information, including last logon, when the password was last set, and local group memberships.
· net user <username> <password>: Changes the password for a user account. This modifies the account (it requires administrative rights and is recorded in the Security log as a password reset), so it is an administration command, not a discovery one.
· net localgroup: Displays or modifies local user groups.
· net localgroup <groupname>: Displays members of a specific group (e.g., net localgroup administrators).
· net localgroup <groupname> <username> /add: Adds a user to a group. With auditing of Security Group Management enabled, this generates event ID 4732 in the Security log.
· whoami: Displays the currently logged-in user's username. whoami /all adds the user's SID, group memberships, and privileges.
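The following is an added example, not code from the original article: a PowerShell pass over local accounts and the local Administrators group that covers what `net user`, `net user <username>` and `net localgroup administrators` show, with the checks an analyst normally applies by hand (enabled built-in Administrator or Guest, stale or never-set passwords, administrators that have never logged on). It needs the Microsoft.PowerShell.LocalAccounts module, which ships with Windows PowerShell 5.1 and PowerShell 7 on Windows; the 90-day threshold is an assumption.

```powershell
# Added example (not from the original article). Assumes the
# Microsoft.PowerShell.LocalAccounts module; $StaleDays is an assumed threshold.
$StaleDays = 90
$now = Get-Date

# One row per local account with the fields that matter for triage.
$users = Get-LocalUser | ForEach-Object {
    [pscustomobject]@{
        Name            = $_.Name
        Enabled         = $_.Enabled
        PasswordLastSet = $_.PasswordLastSet
        LastLogon       = $_.LastLogon
        Description     = $_.Description
        RID             = $_.SID.Value.Split('-')[-1]   # 500 = built-in Administrator, 501 = Guest
    }
}

# Members of the local Administrators group; PrincipalSource tells local from domain principals.
$admins = Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Strip the "HOST\" or "DOMAIN\" prefix so names can be matched against Get-LocalUser.
$adminNames = @($admins.Name | ForEach-Object { ($_ -split '\\')[-1] })

$findings = foreach ($u in $users) {
    if (-not $u.Enabled) { continue }
    if ($u.RID -eq '500') { "Built-in Administrator account '$($u.Name)' is enabled" }
    if ($u.RID -eq '501') { "Guest account '$($u.Name)' is enabled" }
    if (-not $u.PasswordLastSet) {
        "$($u.Name): password has never been set"
    } elseif (($now - $u.PasswordLastSet).Days -gt $StaleDays) {
        "$($u.Name): password last set $($u.PasswordLastSet.ToString('yyyy-MM-dd'))"
    }
    if ($u.Name -in $adminNames -and -not $u.LastLogon) {
        "$($u.Name): local administrator that has never logged on to this host"
    }
}

$users  | Format-Table -AutoSize
$admins | Format-Table -AutoSize
if ($findings) { $findings } else { 'No findings.' }
```

Get-LocalGroupMember can fail on hosts where the group still contains orphaned SIDs (for example deleted domain accounts); if it errors, fall back to `net localgroup administrators` for the member list.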
3. Process and Service Management
· tasklist: Displays a list of currently running processes. tasklist /svc maps svchost.exe and other service hosts to the services they run.
· taskkill: Terminates a running process by its process ID (PID) or image name. Add /F to force termination of a process that ignores the normal close request.
· taskkill /PID <PID>: Kill a process by PID.
· taskkill /IM <process-name>: Kill a process by name (e.g., taskkill /IM notepad.exe).
· services.msc: Opens the Services management console.
· sc: Service control command used to start, stop, or configure Windows services.
· sc start <service-name>: Starts a service.
· sc stop <service-name>: Stops a service.
· sc query <service-name>: Displays the status of a service. sc qc <service-name> shows its configuration, including the binary path and the account it runs as.
· taskmgr: Opens the Task Manager.
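The following is an added example, not code from the original article: process and service triage in PowerShell that adds what `tasklist /v` and `sc query` leave out (the full command line, the parent process, the service binary path and the service account) and applies two first-pass checks: binaries running from outside the Windows and Program Files trees, and shells spawned by Office applications. The set of "expected" directories and the parent/child pairs are assumptions; tune them to your build.

```powershell
# Added example (not from the original article). The expected directories and
# the suspicious parent/child pairs below are assumptions for this example.

$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-ExpectedPath {
    param([string]$Path)
    if (-not $Path) { return $false }   # no path: access denied or a kernel/protected process
    foreach ($root in $expectedRoots) {
        if ($Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# Processes: PID, parent PID, owner, image path and command line via CIM.
$procs = Get-CimInstance Win32_Process | ForEach-Object {
    $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PID         = $_.ProcessId
        PPID        = $_.ParentProcessId
        Name        = $_.Name
        User        = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { '' }
        Path        = $_.ExecutablePath
        CommandLine = $_.CommandLine
    }
}
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.PID] = $p }

$suspectProcs = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.PPID]
    # Image outside the OS / Program Files trees (user profile, temp, ProgramData, ...).
    if ($p.Path -and -not (Test-ExpectedPath $p.Path)) {
        "PID $($p.PID) $($p.Name) runs from $($p.Path) as $($p.User)"
    }
    # Shell or script host spawned by an Office application: a common macro/phishing chain.
    if (($p.Name -in 'cmd.exe', 'powershell.exe', 'wscript.exe', 'mshta.exe') -and
        $parent -and ($parent.Name -in 'winword.exe', 'excel.exe', 'outlook.exe')) {
        "PID $($p.PID) $($p.Name) spawned by $($parent.Name) (PID $($parent.PID)): $($p.CommandLine)"
    }
}

# Services: `sc query` shows state only; the binary path and account come from Win32_Service.
$suspectSvcs = foreach ($s in Get-CimInstance Win32_Service) {
    if (-not $s.PathName) { continue }
    # Executable = the quoted part, or everything before the first " -" / " /" argument.
    $exe = if ($s.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($s.PathName -split ' -| /')[0] }
    if (-not (Test-ExpectedPath $exe)) {
        "Service $($s.Name) [$($s.State), $($s.StartMode)] runs $exe as $($s.StartName)"
    }
    # Unquoted path with spaces: Windows tries C:\Program.exe first, a classic privilege escalation setup.
    if ($s.PathName -notmatch '^"' -and $exe -match ' ') {
        "Service $($s.Name) has an unquoted service path: $($s.PathName)"
    }
}

$suspectProcs
$suspectSvcs
```

Both lists are review lists, not verdicts: legitimate software installed per-user (browsers, collaboration clients) runs from the profile directory and will show up, so the value is in diffing against a known-good baseline of the same build.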
4. Security and Access Control
· netstat -b: Shows the executable involved in creating each connection or listening port. Requires an elevated prompt; netstat -ano lists all connections with the owning PID without elevation.
· net accounts: Displays or modifies the password and logon requirements for the system (minimum password length, maximum password age, lockout threshold).
· gpresult: Displays Group Policy settings for the user or computer.
· gpresult /r: Displays the Group Policy results (applied GPOs and group memberships) for the computer and user.
· secpol.msc: Opens the Local Security Policy management console.
· wevtutil: Utility for managing event logs.
· wevtutil qe Security /f:text: Queries the security event log in text format. Reading the Security log requires an elevated prompt; add /c:<n> to limit the number of events and /rd:true to read the newest first, e.g. wevtutil qe Security /c:20 /rd:true /f:text.
· auditpol: Configures audit policies.
· auditpol /get /category:*: Shows the current audit policy settings. Subcategories reported as "No Auditing" will not produce the corresponding Security events, so check this before relying on the log.
· tasklist /v: Displays verbose information about running processes, including the user account.
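The following is an added example, not code from the original article: a check that the audit subcategories a SOC depends on are actually being collected, built on the CSV output of `auditpol /get /category:* /r`. The set of required subcategories and minimum settings is an assumption; align it with your own logging baseline. auditpol must run from an elevated prompt.

```powershell
# Added example (not from the original article). The $required baseline is an
# assumption for this example; adjust it to your own logging policy.

# Subcategory -> minimum setting expected ("Success and Failure" satisfies anything).
$required = @{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Special Logon'             = 'Success'
    'Process Creation'          = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

function Test-AuditSetting {
    param([string]$Actual, [string]$Expected)
    if ($Actual -eq 'Success and Failure') { return $true }
    if ($Expected -eq 'Success and Failure') { return $false }
    return $Actual -eq $Expected
}

$csv = auditpol /get /category:* /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit $LASTEXITCODE); run from an elevated prompt" }

# /r emits CSV with the header: Machine Name,Policy Target,Subcategory,
# Subcategory GUID,Inclusion Setting,Exclusion Setting
$policy = $csv | Where-Object { $_ } | ConvertFrom-Csv

$gaps = foreach ($name in $required.Keys) {
    $row = $policy | Where-Object { $_.Subcategory -eq $name }
    if (-not $row) { "$($name): not reported by auditpol"; continue }
    $actual = $row.'Inclusion Setting'
    if (-not (Test-AuditSetting $actual $required[$name])) {
        "$($name): is '$actual', expected at least '$($required[$name])'"
    }
}

if ($gaps) { $gaps } else { 'All required audit subcategories are enabled.' }
```

Subcategory names are localized on non-English installations; match on the Subcategory GUID column instead of the name if the check has to run across language editions.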
5. Network and Connectivity
· ipconfig: Displays IP configuration information for all network adapters.
· ipconfig /all: Shows detailed IP configuration, including MAC address, DHCP server, and DNS servers.
· ipconfig /flushdns: Clears the DNS resolver cache. ipconfig /displaydns shows the cache first, which is worth capturing before flushing it during an investigation.
· ping: Tests connectivity to a remote host.
· tracert: Tracks the path packets take to a network host.
· nslookup: Queries DNS to obtain domain name or IP address mapping.
· route: Displays or modifies the IP routing table.
· route print: Displays the current routing table.
· netsh: A powerful tool for network configuration and troubleshooting.
· netsh interface ipv4 show config: Displays IP address configuration for all interfaces.
· netsh advfirewall show allprofiles: Displays firewall configuration for all profiles (state, default inbound/outbound action, and logging settings).
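The following is an added example, not code from the original article: the PowerShell equivalent of `netstat -b`, built from Get-NetTCPConnection (the connection list itself needs no elevation) joined to Get-Process, followed by a first-pass filter for established connections to non-private addresses from binaries outside the Windows and Program Files trees. The address ranges treated as private and the expected directories are assumptions for this example.

```powershell
# Added example (not from the original article). The private ranges and the
# expected directories are assumptions for this example.

function Test-PrivateAddress {
    param([string]$Address)
    $ip = [ipaddress]$Address
    if ($ip.AddressFamily -ne 'InterNetwork') { return $true }   # IPv6 left out of scope here
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

$expectedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

# Processes keyed by PID. OwningProcess is a uint32, so it is cast to int for the lookup.
$procs = @{}
Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

$conns = Get-NetTCPConnection -State Established | ForEach-Object {
    $p = $procs[[int]$_.OwningProcess]
    [pscustomobject]@{
        LocalAddress  = $_.LocalAddress
        LocalPort     = $_.LocalPort
        RemoteAddress = $_.RemoteAddress
        RemotePort    = $_.RemotePort
        PID           = $_.OwningProcess
        Process       = if ($p) { $p.ProcessName } else { '?' }
        Path          = if ($p) { $p.Path } else { $null }   # $null for processes you cannot open unless elevated
    }
}

$findings = foreach ($c in $conns) {
    if (Test-PrivateAddress $c.RemoteAddress) { continue }
    $known = $false
    if ($c.Path) {
        foreach ($root in $expectedRoots) {
            if ($c.Path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $known = $true }
        }
    }
    if (-not $known) {
        "PID $($c.PID) $($c.Process) [$($c.Path)] -> $($c.RemoteAddress):$($c.RemotePort)"
    }
}

$conns | Sort-Object Process, RemoteAddress | Format-Table -AutoSize
if ($findings) { $findings } else { 'No external connections from unexpected binaries.' }
```

A process whose Path comes back empty is one you could not open at the current privilege level; rerun from an elevated prompt before treating that as a finding. UDP has no connection state, but Get-NetUDPEndpoint gives the listening endpoints with the same OwningProcess field.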
6. Disk and File Management
· dir: Lists the contents of a directory.
· dir C:\: Lists files and directories on the C: drive.
· chkdsk: Checks the file system for errors and attempts to fix them.
· chkdsk C:: Checks the C: drive for errors. Repairs (/f) on the system drive are scheduled for the next reboot because the volume is in use.
· diskpart: Launches the DiskPart command line utility for disk partition management. Inside diskpart:
· list disk: Lists all disks.
· select disk <n>: Selects a disk by number for further operations.
· fsutil: File system utility for managing disk drives and file systems.
· fsutil dirty query C:: Checks if the file system of drive C: is marked as dirty.
· robocopy: Robust file copy utility with advanced features like resume, retries, and copying metadata.
· robocopy C:\Source D:\Destination /E: Copies all files and subdirectories (including empty ones) from C:\Source to D:\Destination.
· xcopy: Copies files and directories, including subdirectories.
· xcopy C:\Source D:\Destination /E: Copies all files and subdirectories.
7. System Maintenance and Cleanup
· cleanmgr: Opens the Disk Cleanup utility.
· sfc /scannow: System File Checker to scan and repair corrupted system files. Requires an elevated prompt.
· dism /online /cleanup-image /restorehealth: Repairs the Windows component store that sfc relies on; run it first if sfc reports files it cannot repair.
8. System Shutdown and Restart
· shutdown: Shuts down or restarts the computer.
· shutdown /s /t 0: Shuts down the system immediately.
· shutdown /r /t 0: Restarts the system immediately.
· shutdown /r /f /t 0: Immediate restart, forcing running applications to close without warning. Shutting down or rebooting a host destroys volatile evidence (memory contents, live network connections), so capture it first during incident response.
9. File and Folder Operations
· copy: Copies files from one location to another.
· copy C:\file.txt D:\file.txt
· move: Moves files from one location to another.
· move C:\file.txt D:\file.txt
· del: Deletes files.
· del C:\file.txt
· rd or rmdir: Removes directories.
· rd /s /q C:\FolderName: Removes a folder and its contents without confirmation. Files deleted this way do not go to the Recycle Bin.
10. Miscellaneous Commands
· echo: Displays a message or enables/disables command echoing.
· echo Hello, World!
· cls: Clears the command prompt screen.
· cmd: Opens a new Command Prompt window.
· powershell: Opens Windows PowerShell for advanced scripting and automation.
11. PowerShell Commands (Advanced)
· Get-EventLog: Retrieves event log entries from the classic logs. It exists only in Windows PowerShell 5.1 and is not available in PowerShell 7; Get-WinEvent works in both and also reads the Applications and Services logs.
· Get-EventLog -LogName Security -Newest 10: Retrieves the 10 most recent security event log entries (Get-WinEvent -LogName Security -MaxEvents 10 is the equivalent).
· Get-Process: Lists all running processes.
· Get-Service: Lists all services and their statuses.
· Set-ExecutionPolicy: Configures the execution policy for running PowerShell scripts.
· Set-ExecutionPolicy RemoteSigned: Allows locally created scripts to run while requiring a digital signature on scripts downloaded from the internet. The execution policy is a safeguard against running scripts by accident, not a security boundary: it is bypassed trivially (e.g. powershell -ExecutionPolicy Bypass), so do not count on it to stop an attacker.
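The following is an added example, not code from the original article, and it serves both the event log commands in section 4 (wevtutil, auditpol) and the Get-EventLog entry above: it queries the Security log with Get-WinEvent, which unlike Get-EventLog works in Windows PowerShell 5.1 and PowerShell 7, summarises failed logons (4625) by source address to expose password spraying, and lists the account creations (4720) and local group additions (4732) that the `net user` and `net localgroup ... /add` commands generate. The 24-hour window is an assumption, and reading the Security log requires an elevated prompt.

```powershell
# Added example (not from the original article). $Hours is an assumed window;
# the event IDs and field names are those of the Windows Security log.
$Hours = 24
$since = (Get-Date).AddHours(-$Hours)

function Get-EventField {
    # Pull a named value out of the event's EventData XML: faster than parsing
    # the rendered Message text and independent of the display language.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# One query for all IDs; Get-WinEvent throws when nothing matches, hence -ErrorAction.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625, 4720, 4732
    StartTime = $since
} -ErrorAction SilentlyContinue

$failed = foreach ($e in $events | Where-Object Id -eq 4625) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = "$(Get-EventField $e TargetDomainName)\$(Get-EventField $e TargetUserName)"
        Source    = Get-EventField $e IpAddress
        LogonType = Get-EventField $e LogonType      # 3 = network, 10 = RDP, 2 = interactive
        SubStatus = Get-EventField $e SubStatus      # 0xC000006A bad password, 0xC0000064 unknown user
    }
}

# Group by source: many distinct accounts from one address is the spraying signature.
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize -Wrap

# Account creations and additions to local groups in the same window.
foreach ($e in $events | Where-Object { $_.Id -in 4720, 4732 }) {
    $subject = Get-EventField $e SubjectUserName
    if ($e.Id -eq 4720) {
        "$($e.TimeCreated) account created: $(Get-EventField $e TargetUserName) by $subject"
    } else {
        "$($e.TimeCreated) member $(Get-EventField $e MemberSid) added to group $(Get-EventField $e TargetUserName) by $subject"
    }
}
```

If the second part stays empty on a host where you know accounts were changed, check `auditpol /get /category:*` first: 4720 and 4732 are only written when the User Account Management and Security Group Management subcategories are audited.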
