doskey Alias Alerts
- by Vince
It's hard to describe this in the subject line, but how many times have you been on a Windows system and typed a *nix command? Or on a *nix system and typed a Windows command? One could assume that an attacker might make the same mistake, and we can take advantage of it. First, we'll need to alias some commands like ifconfig and ls with doskey. Our macro file looks like this:
We're aliasing the two commands with a PowerShell script which looks like this:
We'll need these aliases to be permanent so we'll push this into the registry:
We query the entry for a sanity check and we're ready to go. Next, we need to spawn a new command prompt. When we enter ifconfig, we get an empty line. I suppose we could also add in an ipconfig to keep things looking normal. If we really wanted to be evil, we could tie this in with pskill and terminate all cmd.exe processes.
Moments after we type the aliased command, we get an alert:
This does feel a little like Wile E. Coyote kind of stuff, but it would certainly be effective.
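
One way to build the setup described above, as an added example rather than the author's own files. The HKLM Command Processor AutoRun value as the registry location, the C:\ProgramData\AliasAlert paths, the AliasAlert event source and event ID 4000 are assumptions, and the Application event log stands in for whatever alert mechanism the post used.

```powershell
# Added example; run once from an elevated Windows PowerShell 5.1 prompt.
# Directory, file names, event source and event ID below are assumptions.
$dir    = 'C:\ProgramData\AliasAlert'
$macros = Join-Path $dir 'macros.doskey'
$alert  = Join-Path $dir 'alert.ps1'
$source = 'AliasAlert'
$key    = 'HKLM:\SOFTWARE\Microsoft\Command Processor'
$value  = "doskey /macrofile=$macros"

New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Register the event source once so unprivileged shells can write the alert.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

# Alert script: records who typed which aliased command, prints nothing.
@'
$typed = $args -join ' '
$msg = "Aliased command typed: '$typed' by $env:USERDOMAIN\$env:USERNAME on $env:COMPUTERNAME"
Write-EventLog -LogName Application -Source AliasAlert -EventId 4000 -EntryType Warning -Message $msg
'@ | Set-Content -Path $alert -Encoding ASCII

# Doskey macro file: one "name=command" per line; $* carries the typed arguments.
$line = '{0}=powershell.exe -NoProfile -ExecutionPolicy Bypass -File "{1}" {0} $*'
'ifconfig', 'ls' | ForEach-Object { $line -f $_, $alert } |
    Set-Content -Path $macros -Encoding ASCII

# cmd.exe runs the AutoRun value at startup (skipped when started with /D),
# so every new command prompt loads the macros. Do not clobber an existing value.
if (-not (Test-Path $key)) { New-Item -Path $key | Out-Null }
$existing = (Get-ItemProperty -Path $key -Name AutoRun -ErrorAction SilentlyContinue).AutoRun
if ($existing -and $existing -ne $value) {
    throw "AutoRun is already set to '$existing'; merge the doskey call by hand."
}
Set-ItemProperty -Path $key -Name AutoRun -Value $value

# Sanity check: read the entry back.
(Get-ItemProperty -Path $key -Name AutoRun).AutoRun
```

Forward Application-log events from this source to wherever alerts are triaged, and keep the directory writable by administrators only, since every cmd.exe session loads the macro file.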