Basics

Located at C:\Windows\System32\cmd.exe.

Basic Commands

# clear the screen
cls
# command history
doskey /history

Key/Command	Description
doskey /history	Prints the session's command history.
page up	Places the first command in our session history to the prompt.
page down	Places the last command in history to the prompt.
⇧	View previously run commands.
⇩	View most recent commands run.
⇨	Types the previous command to prompt one character at a time.
⇦	N/A
F3	Will retype the entire previous entry to our prompt.
F5	Pressing F5 multiple times will allow you to cycle through previous commands.
F7	Opens an interactive list of previous commands.
F9	Enters a command to our prompt based on the number specified. The number corresponds to the commands place in our history.

Interesting Directories

Location	Description
C:\Windows\Temp	Contains temp system files accessible to all users on the system. All users have full access (rwx). Useful for dropping files as a low-privilege user on the system.
C:\Users\<user>\AppData\Local\Temp	Similar to above, but accessible only to the user account that it is attached to. Useful when the attacker gains control of a local/domain joined user account.
C:\Users\Public	Allows any interactive logon account full access. Alternative to the global \Temp as it's less likely to be monitored for suspicious activity.
C:\Program Files	Contains all 64-bit applications installed on the system.
C:\Program Files (x86)	Contains all 32-bit applications installed on the system.

Navigation

# list directory
dir
# list hidden files
dir /a:h
# current working directory
cd
chdir
# move to another directory
cd <PATH>
chdir <PATH>
# print the structure of current directory & subdirs
tree
# directories & files
tree /F

Files & Dirs

Directories

Basics

# create new dir
mkdir <name>
md <name>
# delete empty dir
rmdir <name>
rd <name>
# delete non-empty dir
rmdir /S <name>
rd /S <name>
# move dir
move <source> <dest>

Copy

xcopy has been deprecated for robocopy. xcopy resets any file attributes by default which can be useful from an attacker's perspective.

# copy dir
xcopy <source> <dest> <options>
# recursive (+empty dirs)
xcopy <source> <dest> /E 
# retain attributes
xcopy <source> <dest> /K

robocopy (robust file copy) is a combination of copy, xcopy, and move. It is made for large directories and drive syncing.

# basic usage
robocopy <source> <dest>

Files

View Content

# view contents
type <filename>
# view contents of all files at once
type *.txt
# read all files from all subdirectories
for /r %i in (*) do type "%i" >> all_files_content.txt
# view contents once-screen at a time, remove extra blank space
more <filename> /S
# we can also large-output commands to it
systeminfo | more

Create & Modify

# create a file
echo <text> > <filename>
fsutil file createNew <filename> 222
# rename a file
ren <filename> <newfilename>
rename <filename> <newfilename>

Delete

# delete a file
del <filename>
erase <filename>
# delete files based on a specific attribute
del /A:R *

Copy & Move

# copy a file (with validation)
copy <source> <dest> /V
# move a file
move <source> <dest>

I/O

# redirect output to a file
systeminfo > <filename>
# append to a file
systeminfo >> <filename>
# pass input to a command
find /i "see" < <filename>
# pass output to a command
type <filename> | find /i "see"

Command Chaining

# just run one after another regardelss of status
<cmd1> & <cmd2>
# run cmd2 only if cmd1 succeeds
<cmd1> && <cmd2>
# run cmd2 only if cmd1 fails
<cmd1> || <cmd2>

Resources

Documentation

Windows commandsMicrosoftLearn

SS64

Robocopy