Security
These IT commands indicate cyberattacks
Rapid detection of cyberattacks is a basic prerequisite for an immediate reaction and for speeding up incident response processes. CyberArk has identified ten IT commands that can indicate a possible insider or cyber attack.
An overview of the ten most common "explosive" commands, which are often an indication of an insider or cyber attack:
1. mmc.exe, Active Directory users and computers
A Windows user can use this console to add new user accounts to the domain. The action may indicate that an attacker is setting up a persistent "backdoor" into the entire Windows domain.
2. explorer.exe, user accounts
This command opens the User Accounts window, through which a Windows user can add new accounts to a system. This activity can likewise indicate the creation of a persistent "backdoor".
3. regedit.exe, registry editor
The command provides access to the Windows registry. Through the registry, critical system configurations and security settings can be changed, and credentials stored on the system can be read out.
4. mmc.exe, Windows Firewall with advanced security settings
Access to the Windows Firewall allows the security configuration of a system to be modified and can indicate that an attacker is disabling security controls on the machine to facilitate the next steps of the attack.
5. mmc.exe, Network Policy Server
The Windows Network Policy Server allows network access policies to be modified (for example, which clients and users are authenticated and authorized via RADIUS). Its use may indicate that an attacker is opening unauthorized access to or from a machine.
6. authorized_keys
Command lines containing "authorized_keys" provide access to the authorized_keys files of Unix or Unix-like systems. This makes it possible to add unauthorized SSH keys to a machine, which can likewise serve as a persistent "backdoor".
7. sudoers
Command lines containing "sudoers" provide access to the sudoers file of Unix systems, through which user privileges on a system can be manipulated. Such an action could indicate that an attacker is granting unauthorized privileges to an account that will later be used for malicious actions.
8. :(){ :|: & };:
This string is a fork bomb in the Unix environment: it consumes all of a machine's process resources and renders the server unusable. The string is rarely entered accidentally and therefore signals a deliberate attempt to damage the company.
9. tcpdump
This command gives access to network traffic and packets on Unix systems and derivatives. Its use can indicate that an attacker is trying to learn about a machine's communication channels in order to plan the next steps of the attack.
10. rm
This command deletes files and directories on Unix systems. Such an action can also be interpreted as a possible attack on the company network.
Even though, according to CyberArk, this list can serve as a starting point, it must always be borne in mind that every environment is different. When a company determines which IT commands to monitor first, it must take into account which systems are in use, which systems hold the most business-critical data and which activities are routine in regular operations.
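As an added example, not taken from the article or from CyberArk, the following Python script turns the ten indicators above into detection rules, runs them over a handful of constructed command-line audit records (one "host|user|command line" record per event, as a SIEM might normalize Windows 4688 or Linux auditd events), and applies the kind of per-environment exception the last paragraph calls for. The mapping from each list entry to a concrete command-line pattern (dsa.msc, wf.msc and nps.msc for the three mmc.exe consoles, the User Accounts Control Panel CLSID for explorer.exe), the sample events and the allowlist entry are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str            # which of the ten indicators this rule implements
    pattern: re.Pattern  # matched against the full command line
    rationale: str       # what a hit may mean, following the list above


@dataclass(frozen=True)
class Alert:
    host: str
    user: str
    rule: str
    cmdline: str


# Matched literally via re.escape: a hand-written regex for this string is error-prone.
FORK_BOMB = ":(){ :|: & };:"

# One rule per indicator. The concrete patterns are assumptions for this example:
# dsa.msc / wf.msc / nps.msc are the snap-ins behind the three mmc.exe consoles, and the
# CLSID is the User Accounts Control Panel item when opened through explorer.exe.
RULES = [
    Rule("1-ad-users-and-computers", re.compile(r"\bmmc\.exe\b.*\bdsa\.msc\b", re.I),
         "adding domain accounts: possible domain-wide backdoor"),
    Rule("2-local-user-accounts",
         re.compile(r"\bexplorer\.exe\b.*60632754-c523-4b62-b45c-4172da012619", re.I),
         "adding local accounts: possible persistent backdoor"),
    Rule("3-regedit", re.compile(r"\bregedit(\.exe)?\b", re.I),
         "registry access: config tampering or credential harvesting"),
    Rule("4-firewall-advanced", re.compile(r"\bmmc\.exe\b.*\bwf\.msc\b", re.I),
         "firewall console: disabling host security controls"),
    Rule("5-network-policy-server", re.compile(r"\bmmc\.exe\b.*\bnps\.msc\b", re.I),
         "NPS console: opening unauthorized network access"),
    Rule("6-authorized_keys", re.compile(r"authorized_keys"),
         "SSH key planting: persistent backdoor"),
    Rule("7-sudoers", re.compile(r"sudoers"),
         "privilege grant for later misuse"),
    Rule("8-fork-bomb", re.compile(re.escape(FORK_BOMB)),
         "deliberate denial of service"),
    Rule("9-tcpdump", re.compile(r"\btcpdump\b"),
         "traffic capture: reconnaissance of communication channels"),
    # 'rm' only as a command word (start of line or after a separator), not inside paths.
    Rule("10-rm", re.compile(r"(?:^|[\s;&|/])rm\s"),
         "file deletion: possible destructive action"),
]

# Per-environment exceptions, i.e. the tuning the article asks for. Constructed example:
# on this fleet the 'backup' account pruning /var/backups/ is routine and must not alert.
ALLOWLIST: list[Callable[[Event], bool]] = [
    lambda e: e.user == "backup" and e.cmdline.startswith("rm ") and "/var/backups/" in e.cmdline,
]

# Constructed sample telemetry, not real records: host|user|command line.
SAMPLE_EVENTS = r"""
dc01|CORP\jdoe|mmc.exe "C:\Windows\system32\dsa.msc"
ws22|CORP\jdoe|explorer.exe shell:::{60632754-c523-4b62-b45c-4172da012619}
ws22|CORP\svc_ops|regedit.exe /s C:\temp\x.reg
dc01|CORP\admin2|mmc.exe wf.msc
nps01|CORP\admin2|mmc.exe nps.msc
web01|deploy|echo "ssh-ed25519 AAAAexamplekey attacker" >> /root/.ssh/authorized_keys
web01|deploy|visudo -f /etc/sudoers
db01|ops|:(){ :|: & };:
web01|ops|tcpdump -i eth0 -w /tmp/cap.pcap
web01|deploy|rm -rf /var/www/html
web01|backup|rm -f /var/backups/old.tar.gz
"""


def parse_events(text: str) -> list[Event]:
    """Parse 'host|user|command line' records; maxsplit=2 keeps '|' inside the command line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, user, cmdline = line.split("|", 2)
        events.append(Event(host, user, cmdline))
    return events


def detect(events: list[Event], rules=RULES, allowlist=ALLOWLIST) -> list[Alert]:
    """Return one Alert per (event, rule) hit, skipping events covered by the allowlist."""
    alerts = []
    for ev in events:
        if any(is_routine(ev) for is_routine in allowlist):
            continue
        for rule in rules:
            if rule.pattern.search(ev.cmdline):
                alerts.append(Alert(ev.host, ev.user, rule.name, ev.cmdline))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{a.host:6} {a.user:16} {a.rule:26} {a.cmdline}")
```

Run as is, the script reports ten alerts, one per indicator, and suppresses the eleventh event (the backup account's routine rm) through the allowlist; removing the allowlist entry makes that event alert too, which is exactly the noise the article warns about when common operational activity is not accounted for.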