Windows

For automated enumeration of potential PE vectors see here.

Get Help

CMD

# List available commands
help

# Help for a specified command
help <command>
<command> /?

PS

# List available commands
Get-Command

# Help for a specified command
Get-Help <command>
<command> -?

Networking

All the below commands work with both CMD and Powershell.

Network Info

General networking information, such as interfaces, IP addresses, and DNS:

ipconfig /all

ARP Table

Check recent communications via the ARP table:

arp -a

Active Connections

List active TCP and UDP connections:

netstat -ano

Routes

List recent and persistent routes:

route print

Ports

Test-NetConnection -ComputerName 192.168.210.12 -Port 5985

Hosts

Test-Connection -Count 1 -Comp 10.10.10.10 -Quiet

System

PS

General enumeration:

# General system information
systeminfo

# Name of the host
hostname

# Operating system version
[environment]::OSVersion.Version

# Environment variables
dir env:

# Named pipes
gci \\.\pipe\

# Clipboard
Get-Clipboard

Applications:

# Installed applications
> Get-WmiObject -Class Win32_Product |  select Name, Version

# installed applications (registry key queries)
# 32-bit apps
> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
> GCI 'c:\program files (x86)'

# 64-bit apps
> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
> GCI 'c:\program files'

Processes:

# List running processes
> tasklist
> Get-Process
# Information about a specific process
> Get-Process -Id <PID>
> tasklist /FI "PID eq <PID>"
> Get-Process -Name <process-name> | Format-list *

Services:

# Services hosted in each process
tasklist /svc

CMD

General enumeration:

# General system information
systeminfo

# Hostname
hostname

# Operating system version
ver
echo %OS%

# List environment variables
set

# Diplay the value of a specific variable
set %PATH%
echo %PATH%

Applications:

# Installed applications
wmic product get name

Processes:

# Running process
tasklist

# Information about a specific process
tasklist /FI "PID eq <PID>"

Services:

# Running services
tasklist /svc
net start
wmic service list brief # deprecated

# Manage a service
net <start | stop | pause | continue> <service>

# Query running services
sc query type= service

# Create a new service
sc create MyTestService binPath= "C:\Path\To\yourbinary.exe"

# Start / stop a service
sc <start | stop> <service>

# Modify start type (service won't be able to start with 'sc start <service>'
sc config <service> start= disabled

# Revert the change
sc config <service> start= auto

Other:

# Login server for the current user followed by the machine's hostname
echo %LOGONSERVER%

# The location of the current user's home directory
echo %USERPROFILE%

Users & Groups

Users

# Domain/username (domain-joined) or NetBIOS/username (non domain-joined)
whoami # can be used to infer the purpose and type of the machine

# List current user's privileges
whoami /priv

# List current user's information
whoami /all

# List local users (net.exe only lists user objects, not group objects, so it can miss nested group memberships)
net user /domain
Get-LocalUser

# Query about the specified user
net user robert /domain

# List active (logged-on) users (works only on Windows Servers)
query user

Groups

# List current user's groups
whoami /groups

# List local groups
net localgroup

# List domain groups (works only on a DC)
net group /domain
Get-LocalGroup

# Query about the specified group
net group 'Domain Admins' /domain

# List group members
net localgroup <group>
Get-LocalGroup <group>

Shared Resources

All the below commands work with both CMD and Powershell.

# List resources
net share

Protections

Windows Defender

Check WD's status with PS:

Get-MpComputerStatus

Check WD's status with CMD:

sc query windefend

AppLocker

Check AppLocker's rules and policies with PS:

# AppLocker rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# AppLocker policy
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

HotFixes

List hotfixes with both CMD and PS:

wmic qfe

Files

PowerShell (PS) uses different host types depending on how it's being accessed, so the (Get-PSReadlineOption).HistorySavePath command will point to different files.

1. If the PS process is spawed as local (e.g. via SSH or RDP) → ConsoleHost_history.txt

2. If the PS process is spawned as remote (e.g. WinRM) → ServerRemoteHost_history.txt

PowerShell

# List all (including) hidden files
Get-ChildItem -Force
# All dirs and files
GCI C:\Users\User -Force 
# Only hidden files
GCI C:\Users\User\ -Hidden

# Search for a specific file
Get-ChildItem -Path C:\ -Filter local.txt -Recurse -ErrorAction SilentlyContinue -Force

# Config files, temp saves
GCI C:\Users\User\AppData

# Check PS's host type
$Host.Name
# PS history of the current user
(Get-PSReadlineOption).HistorySavePath

# PS history file of another user
Get-Content C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# KeePass database files
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

# XAMPP configuration files
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

# Documents in the user's home directory
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

CMD

# List all (including) hidden files
dir /a

# Search for a specific file
dir C:\local.txt /s /a
dir C:\ /s /a /b | findstr /i "local.txt"

Permissions

# Check permissions
icacls c:\windows\myfolder

# Grant full permissions
icacls c:\windows\myfolder /grant <USER>:f

# Remove permissions
icacls c:\users /remove <USER>

Writable Directories

C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Users\Public # similar to \Temp but more stealthy
C:\Windows\Temp # all users have rwx
C:\Users\<user>\AppData\Local\Temp # similar to above, but user-only
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

Test access:

# Move into the target directory
cd C:\Windows\Temp
# Create a file
echo "test" > test
# List the file's contents
type test

Use another user's credentials

# Create a PSCredential object
$pass = ConvertTo-SecureString '<password>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential('<domain\user', $pass)

# Add the target user to the group with PowerView
Add-DomainGroupMember -Identity '<group>' -Members '<user>' -Credential $creds

# Confirm
Get-DomainUser <user> -Credential $cred

# Execute remote commands on another host
Invoke-Command -Computer DC -Credential $cred -ScriptBlock { whoami; hostname }

Binaries

We can transfer the binary in a Unix-based attacking host and run strings on it:

# strings with 16-bit encoding for Windows binaries
strings -eb <FILE> | grep pass