While defenders focus on AV signatures, EDR dashboards, and threat feeds, many attackers operate using the tools already available on every Windows box. These aren’t zero-days. They’re zero-config—built-in, overlooked, and absurdly effective.
Below is a curated list of 10 powerful yet low-noise Windows commands—often used by red teams and overlooked by blue teams. They’re ideal for enumeration, privilege escalation, lateral movement, and persistence… all while blending in with legitimate activity.
1. whoami /all
Why it matters: Reveals all group memberships, privileges, and token info. Vital for identifying local admin, domain admin, or SYSTEM-level access without triggering elevated tools.

2. net user /domain
Why it matters: Queries domain user accounts without needing PowerShell or external tools. Often slips through basic monitoring.

3. tasklist /v /fo csv
Why it matters: Provides process names, PIDs, and associated window titles—useful for detecting RDP sessions, terminals, or apps in use.

4. dir /a /s C:\ > filelist.txt
Why it matters: Recursively lists all files (including hidden/system) for offline staging. Often used pre-exfiltration or for finding juicy creds.

5. sc qc Spooler
Why it matters: Shows configuration details of any service, including its binary path—useful for hijacking weak or writable services.

6. netsh advfirewall show allprofiles
Why it matters: Checks if the firewall is enabled and what rules are applied. Red teams use this to prep for lateral movement or C2 setup.

7. nltest /domain_trusts
Why it matters: Discovers trusted domains—critical for pivoting across AD forests or domains during lateral movement.

8. runas /user:admin cmd.exe
Why it matters: Tests credentialed access to another account without tools. Often used for privilege testing in assumed-breach scenarios.

9. reg query HKLM\SAM /s
Why it matters: When run under SYSTEM, this exposes sensitive security registry hives. A classic privilege escalation and data loot vector.

10. findstr /si password *.txt *.xml *.config
Why it matters: Lightweight, no-download grep alternative for quickly locating cleartext credentials in config files or documents.
Red teamers often wrap these commands into silent, non-prompting .bat or .ps1 payloads using techniques like:
Start-Process cmd.exe -ArgumentList '/c whoami /all > whoami.txt' -WindowStyle Hidden
Combine multiple commands in batch scripts or deploy them via schtasks, at, or WMI for stealth execution.
If you’re on the blue team, don’t ignore these CLI natives. You can detect or log many of them by:
Enabling command line auditing (Event ID 4688)
Monitoring script block logging for PowerShell
Using Sysmon to catch unexpected command execution
Watching for unusual use of runas, netsh, or reg access patterns
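As an added example (not code from the original post), here is a small Python triage script that applies the command-line auditing idea above: constructed 4688-style records are parsed, each CommandLine is matched against the ten commands listed in this post plus the hidden-window PowerShell wrapper, and the rule that fired is returned per hit. The flattened key=value record format, the field names and the sample lines are all constructed for the example, not real event logs.

```python
import re

# Rule name -> case-insensitive regex over the full command line.
# Patterns cover the native commands in this post plus the hidden-window wrapper.
# Admins do run some of these legitimately; tune thresholds and allowlists locally.
RULES = {
    "recon_whoami_all":       r"\bwhoami(\.exe)?\s+/all\b",
    "recon_net_user_domain":  r"\bnet1?(\.exe)?\s+user\b.*\s/domain\b",
    "recon_tasklist_verbose": r"\btasklist(\.exe)?\b.*\s/v\b",
    "staging_dir_recursive":  r"\bdir\s+(/\w+\s+)*/s\b.*>",
    "recon_service_config":   r"\bsc(\.exe)?\s+qc\b",
    "recon_firewall":         r"\bnetsh(\.exe)?\s+advfirewall\s+show\b",
    "recon_domain_trusts":    r"\bnltest(\.exe)?\s+/domain_trusts\b",
    "privtest_runas":         r"\brunas(\.exe)?\s+/user:",
    "loot_sam_hive":          r"\breg(\.exe)?\s+query\s+hklm\\sam\b",
    "loot_findstr_password":  r"\bfindstr(\.exe)?\s+/\S*\s+password\b",
    "hidden_window_wrapper":  r"start-process\b.*-windowstyle\s+hidden",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in RULES.items()}

def parse_4688(line):
    """Parse one flattened 'key=value|key=value' 4688 record (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    return {"user": fields.get("SubjectUserName", "?"),
            "process": fields.get("NewProcessName", ""),
            "cmdline": fields.get("CommandLine", "")}

def match_rules(cmdline):
    """Return the names of every rule whose pattern fires on this command line."""
    return [name for name, rx in COMPILED.items() if rx.search(cmdline)]

def triage(lines):
    """Return (user, process, rule) for every record that triggers a rule."""
    hits = []
    for line in lines:
        ev = parse_4688(line)
        for rule in match_rules(ev["cmdline"]):
            hits.append((ev["user"], ev["process"], rule))
    return hits

# Constructed sample records, not real telemetry. The third one is the
# Start-Process wrapper from this post and fires two rules at once.
SAMPLE_EVENTS = [
    "EventID=4688|SubjectUserName=jdoe|NewProcessName=C:\\Windows\\System32\\whoami.exe|CommandLine=whoami /all",
    "EventID=4688|SubjectUserName=SYSTEM|NewProcessName=C:\\Windows\\System32\\reg.exe|CommandLine=reg query HKLM\\SAM /s",
    "EventID=4688|SubjectUserName=jdoe|NewProcessName=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -NoProfile -Command Start-Process cmd.exe -ArgumentList '/c whoami /all > whoami.txt' -WindowStyle Hidden",
    "EventID=4688|SubjectUserName=jdoe|NewProcessName=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\jdoe\\notes.txt",
]

if __name__ == "__main__":
    for user, process, rule in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {user} -> {process}")
```

In a real deployment the same `match_rules` logic would sit behind a SIEM query or a Sysmon Event ID 1 feed rather than a flat file, with allowlists for known admin and help-desk hosts.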
The loudest tools aren’t always the most dangerous. Red teams know the value of subtlety—so should defenders. Everything listed here is native to Windows and often unmonitored. That makes them powerful… and risky.
🧠 More to come at www.gerardking.dev