{
	"id": "745bb07c-75d6-42b4-95a1-6c0d02100dbf",
	"created_at": "2026-04-06T00:06:33.678684Z",
	"updated_at": "2026-04-10T13:12:54.123257Z",
	"deleted_at": null,
	"sha1_hash": "0c37e577d89a66f0d6f0679fab4e5a498fe54eee",
	"title": "Windows Commands Abused by Attackers - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 525558,
	"plain_text": "Windows Commands Abused by Attackers - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2016-01-25 · Archived: 2026-04-05 15:15:57 UTC\r\nReport\r\nHello again, this is Shusei Tomonaga from the Analysis Center.\r\nIn Windows OS, various commands (hereafter “Windows commands”) are installed by default. However, what is\r\nactually used by general users is just a small part of it. On the other hand, JPCERT/CC has observed that attackers\r\nintruding into a network also use Windows commands in order to collect information and/or to spread malware\r\ninfection within the network. What is worth noting here is the gap between those Window commands used by\r\ngeneral users and by attackers. If there is a huge difference, it would be possible to detect or limit the attackers’\r\nbehaviour by monitoring/controlling the Windows command execution.\r\nThis entry will demonstrate how to mitigate the attack impact by revealing Windows commands that attackers use\r\non the intruded Windows OS, and by restricting the execution of those commands that are unnecessary for general\r\nusers.\r\nMalware for remote control (Remote Access Tool/Trojan – RAT) has a function to execute shell commands from a\r\nremote environment. With this, attackers can execute Windows commands from a remote environment.\r\nAttackers who successfully installed such malware in a network will attempt to take control of the system within\r\nthe network in the following sequence in order to collect confidential information, etc.\r\n1. Initial investigation: Collect information of the infected machine\r\n2. Reconnaissance: Look for information saved in the machine and remote machines within the network\r\n3. Spread of infection: Infect the machine with other malware or try to access other machines\r\nWindows commands are used in all of the phases above. 
Respective Windows commands used in each phase are introduced below.\r\nInitial Investigation\r\nTable 1 lists the commands that attackers often use to collect information about the infected machine. “Times executed” is the sum of the Windows commands used by 3 different attack groups on their respective C\u0026C servers (please refer to Appendix A, B and C for details).\r\nTable 1: Initial Investigation (Top 10 commands)\r\nRanking  Command     Times executed\r\n1        tasklist    155\r\n2        ver         95\r\n3        ipconfig    76\r\n4        systeminfo  40\r\n5        net time    31\r\n6        netstat     27\r\n7        whoami      22\r\n8        net start   16\r\n9        qprocess    15\r\n10       query       14\r\nhttps://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html\r\nPage 1 of 11\r\nAttackers use commands such as “tasklist”, “ver”, “ipconfig” and “systeminfo” to collect information about the network, processes and OS in order to find out what kind of machine they have infected. This is presumably also how they make sure that the machine is not a sandbox used for malware analysis.\r\nReconnaissance\r\nThe commands shown in Table 2 are often used to search for confidential information and for remote machines within the network.\r\nTable 2: Reconnaissance (Top 10 commands)\r\nRanking  Command         Times executed\r\n1        dir             976\r\n2        net view        236\r\n3        ping            200\r\n4        net use         194\r\n5        type            120\r\n6        net user        95\r\n7        net localgroup  39\r\n8        net group       20\r\n9        net config      16\r\n10       net share       11\r\nAttackers use “dir” and “type” to search for files. Sometimes they collect a list of all the document files on the infected machine by giving the “dir” command appropriate options and arguments.\r\nFor searching the network, “net” is used. 
In particular, the following commands are often seen:\r\nnet view: Obtain a list of connectable domain resources\r\nnet user: Manage local/domain accounts\r\nnet localgroup: Obtain a list of users belonging to local groups\r\nnet group: Obtain a list of users belonging to certain domain groups\r\nnet use: Access resources\r\nFurthermore, the following commands may be used in an environment where Active Directory is in use (please refer to Table 5 in Appendix A). These commands are installed on Windows Server and do not originally exist on client OS such as Windows 7 and 8.1, but attackers download these commands from outside, install them and execute them.\r\ndsquery: Search for accounts in Active Directory\r\ncsvde: Obtain account information from Active Directory\r\nSpread of Infection\r\nTo intrude into remote machines and spread the malware infection within the network, the following commands are often executed:\r\nTable 3: Spread of Infection\r\nRanking  Command            Times executed\r\n1        at                 103\r\n2        reg                31\r\n3        wmic               24\r\n4        wusa               7\r\n5        netsh advfirewall  4\r\n6        sc                 4\r\n7        rundll32           2\r\n*“wmic” is also used for reconnaissance.\r\n“at” and “wmic” are often used to execute malware on remote machines.\r\nWith the “at” command, attackers can execute commands on remote machines by registering tasks that execute files on connectable machines, as follows:\r\nat \\\\[remote host name or IP address] 12:00 cmd /c \"C:\\windows\\temp\\mal.exe\"\r\nAlso, with the following options and arguments, the “wmic” command lets attackers execute commands on remote machines:\r\nwmic /node:[IP address] /user:”[user name]” /password:”[password]” process call create “cmd /c c:\\Windows\\Syste\r\nRestricting Execution of Unnecessary Windows Commands\r\nIf carefully selected, the Windows commands used by attackers include some that general users never use. With AppLocker or software restriction policies, which can prevent such commands from being executed, it would be possible to limit the attackers’ behaviour. For example, if you wish to restrict the “net” commands, you can set rules as in Figure 1. (For details of AppLocker configuration, please see Microsoft’s website [1].)\r\nFigure 1: AppLocker Rules\r\nAlso, once AppLocker is enabled, events in which the selected Windows commands were executed, or were attempted but denied, are recorded in the event log, which can be used to investigate the Windows commands that attackers executed after infecting the machine with malware.\r\nFigure 2: Logs of the Processes Restricted by AppLocker\r\nAppLocker can also be used only to monitor Windows commands [2]. In this mode AppLocker does not prevent unintended Windows commands from being executed, but the execution history is recorded in the event log. If users themselves need Windows commands that may also be used in attacks, it is a good idea to configure AppLocker for monitoring only. (Windows command execution can also be monitored by enabling “Audit Process Creation” in the local security policy.)\r\nConclusion\r\nIn targeted attacks, attackers not only use the functions implemented in the malware but also often use Windows commands to pursue their goals. If such activities can be hindered, the spread of an incident can be prevented at a fairly early stage. 
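The AppLocker restriction and monitoring setup described above, as an added example that is not part of the original post: the Python script below writes an AppLocker policy XML in the same form the AppLocker MMC snap-in exports, containing the three default allow rules plus path-based deny rules for the net, at, wmic, dsquery and csvde executables from Tables 2 and 3, with the Exe collection set to AuditOnly so that executions are only logged at first. The set of restricted tools, the use of the Everyone SID for the deny rules and the output file name are assumptions. Import it on a test machine with Set-AppLockerPolicy -XmlPolicy applocker-audit.xml -Merge (the Application Identity service must be running), then watch the “Microsoft-Windows-AppLocker/EXE and DLL” log: event ID 8003 records an execution that would have been blocked under enforcement, and 8004 one that was blocked after the collection is switched to Enabled.

```python
"""Generate an AppLocker policy that restricts the command-line tools from the post
for the chosen group, in audit-only mode first, and verify it by parsing it back.
Added example; the tool list and SIDs are assumptions, not settings from the post."""
import ntpath
import uuid
import xml.etree.ElementTree as ET

# Tools to restrict (assumed selection from Tables 2 and 3). net.exe spawns net1.exe for
# most sub-commands, so both are listed; 32-bit copies under SysWOW64 are covered too.
RESTRICTED = ['net.exe', 'net1.exe', 'at.exe', 'wmic.exe', 'dsquery.exe', 'csvde.exe']
EVERYONE_SID = 'S-1-1-0'
ADMINISTRATORS_SID = 'S-1-5-32-544'

# AppLocker's three default allow rules. Once any rule exists in the Exe collection,
# everything not explicitly allowed is blocked, so a deny rule must not stand alone.
DEFAULT_ALLOW = [
    ('(Default Rule) All files located in the Program Files folder', EVERYONE_SID,
     ntpath.join('%PROGRAMFILES%', '*')),
    ('(Default Rule) All files located in the Windows folder', EVERYONE_SID,
     ntpath.join('%WINDIR%', '*')),
    ('(Default Rule) All files', ADMINISTRATORS_SID, '*'),
]


def restricted_paths(names=tuple(RESTRICTED)):
    """AppLocker path conditions for each tool, in System32 and SysWOW64."""
    paths = []
    for name in names:
        paths.append(ntpath.join('%SYSTEM32%', name))
        paths.append(ntpath.join('%WINDIR%', 'SysWOW64', name))
    return paths


def _path_rule(collection, name, sid, action, path):
    rule = ET.SubElement(collection, 'FilePathRule', Id=str(uuid.uuid4()), Name=name,
                         Description='', UserOrGroupSid=sid, Action=action)
    conditions = ET.SubElement(rule, 'Conditions')
    ET.SubElement(conditions, 'FilePathCondition', Path=path)


def build_policy(deny_sid=EVERYONE_SID, enforcement='AuditOnly'):
    """Return the policy XML as a string.

    enforcement 'AuditOnly' only logs what would have been blocked (AppLocker event 8003);
    'Enabled' blocks and logs event 8004. Deny always wins over Allow in AppLocker, so a
    deny for Everyone also hits administrators; pass the SID of a group that holds only
    the accounts you mean to restrict if administrators must keep these tools."""
    if enforcement not in ('AuditOnly', 'Enabled', 'NotConfigured'):
        raise ValueError('unknown enforcement mode: ' + enforcement)
    policy = ET.Element('AppLockerPolicy', Version='1')
    exe = ET.SubElement(policy, 'RuleCollection', Type='Exe', EnforcementMode=enforcement)
    for name, sid, path in DEFAULT_ALLOW:
        _path_rule(exe, name, sid, 'Allow', path)
    for path in restricted_paths():
        _path_rule(exe, 'Deny ' + ntpath.basename(path), deny_sid, 'Deny', path)
    return ET.tostring(policy, encoding='unicode')


def summarize(policy_xml):
    """Parse a policy back: (enforcement mode, number of allow rules, denied paths)."""
    root = ET.fromstring(policy_xml)
    exe = root.find("RuleCollection[@Type='Exe']")
    rules = exe.findall('FilePathRule')
    allows = sum(1 for r in rules if r.get('Action') == 'Allow')
    denies = [r.find('Conditions/FilePathCondition').get('Path')
              for r in rules if r.get('Action') == 'Deny']
    return exe.get('EnforcementMode'), allows, denies


if __name__ == '__main__':
    xml_text = build_policy()
    with open('applocker-audit.xml', 'w', encoding='utf-8') as fh:
        fh.write(xml_text)
    print(summarize(xml_text))
```

summarize() re-parses what was written and lists every denied path, so the policy can be reviewed before it is imported. The default allow rules matter: with only deny rules in the Exe collection, AppLocker would block every executable not covered by a rule, and conversely a copy of net.exe dropped outside %WINDIR% and %PROGRAMFILES% is already refused by the default rules rather than by the deny list.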
However, it may be difficult to limit the usage of Windows commands right away, so our recommendation is to start by collecting logs of executed processes, using AppLocker or similar.\r\nThank you for reading and best wishes for the New Year!\r\n- Shusei Tomonaga\r\nReference:\r\n[1] Microsoft - Windows AppLocker\r\nhttps://technet.microsoft.com/en-us/library/dd759117.aspx\r\n[2] Microsoft - Using Auditing to Track Which Applications Are Used\r\nhttps://technet.microsoft.com/en-us/library/dd723693%28v=ws.10%29.aspx\r\nAppendix A: List of Executed Commands by respective Attack Groups (Attack Group A)\r\nTable 4: Initial Investigation (Attack Group A)\r\nRanking  Command     Times executed  Option\r\n1        tasklist    119             /s /v\r\n2        ver         92\r\n3        ipconfig    58              /all\r\n4        net time    30\r\n5        systeminfo  24\r\n6        netstat     22              -ano\r\n7        qprocess    15\r\n8        query       14              user\r\n9        whoami      14              /all\r\n10       net start   10\r\n11       nslookup    4\r\n12       fsutil      3               fsinfo drives\r\n13       time        2               /t\r\n14       set         1\r\nTable 5: Reconnaissance (Attack Group A)\r\nRanking  Command         Times executed  Option\r\n1        dir             903\r\n2        net view        226\r\n3        ping            196\r\n4        net use         193\r\n5        type            118\r\n6        net user        74\r\n7        net localgroup  35\r\n8        net group       19\r\n9        net config      16\r\n10       net share       11\r\n11       dsquery         6\r\n12       csvde           5               /f /q\r\n13       nbtstat         5               -a\r\n14       net session     3\r\n15       nltest          3               /dclist\r\n16       wevtutil        2\r\nTable 6: Spread of Infection (Attack Group A)\r\nRanking  Command            Times executed  Option\r\n1        at                 98\r\n2        reg                29              add export query\r\n3        wmic               24\r\n4        netsh advfirewall  4\r\n5        sc                 4               qc query\r\n6        wusa               2\r\nAppendix B: List of Executed Commands by respective Attack Groups (Attack Group B)\r\nTable 7: Initial Investigation (Attack Group B)\r\nRanking  Command     Times executed  
Option\r\n1        tasklist    29              /m /svc\r\n2        whoami      6\r\n3        ipconfig    5               /all\r\n4        net start   4\r\n5        netstat     3               -ano\r\n6        nslookup    3\r\n7        ver         2\r\n8        time        1               /t\r\nTable 8: Reconnaissance (Attack Group B)\r\nRanking  Command         Times executed  Option\r\n1        dir             62\r\n2        net user        21              /domain /add\r\n3        net view        9               /domain\r\n4        ping            4\r\n5        net localgroup  4               /add\r\n6        tree            3               /F\r\n7        type            2\r\n8        net group       1               /domain\r\nTable 9: Spread of Infection (Attack Group B)\r\nRanking  Command   Times executed  Option\r\n1        at        5\r\n2        wusa      5\r\n3        reg       2\r\n4        rundll32  2\r\nAppendix C: List of Executed Commands by respective Attack Groups (Attack Group C)\r\nTable 10: Initial Investigation (Attack Group C)\r\nRanking  Command     Times executed  Option\r\n1        systeminfo  16\r\n2        ipconfig    13              /all /?\r\n3        tasklist    7\r\n4        netstat     5               -ano\r\n5        whoami      2\r\n6        net start   2\r\n7        arp         1               -a\r\n8        chcp        1\r\n9        net time    1\r\n10       ver         1\r\nTable 11: Reconnaissance (Attack Group C)\r\nRanking  Command   Times executed  Option\r\n1        dir       11\r\n2        net user  1               /all /?\r\n3        net view  1\r\n4        qwinsta   1               -ano\r\n*Commands for “Spread of Infection” by Attack Group C are omitted since they did not spread the infection.\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensics investigation, and is especially involved in analyzing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BsidesLV, BlackHat USA Arsenal, Botconf, PacSec and FIRST Conference. 
JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html"
	],
	"report_names": [
		"windows-commands-abused-by-attackers.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775433993,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c37e577d89a66f0d6f0679fab4e5a498fe54eee.pdf",
		"text": "https://archive.orkl.eu/0c37e577d89a66f0d6f0679fab4e5a498fe54eee.txt",
		"img": "https://archive.orkl.eu/0c37e577d89a66f0d6f0679fab4e5a498fe54eee.jpg"
	}
}