Windows

For automated host enumeration scripts like winPEAS, seatbelt, and jaws can be used.

Get Help

# List available commands
help

# Help for a specified command
help <command>
<command> /?

# List available commands
Get-Command

# Help for a specified command
Get-Help <command>
<command> -?

Networking

All the below commands work with both CMD and Powershell.

General networking information, such as interfaces, IP addresses, and DNS:

ipconfig /all

Check recent communications via the ARP table:

arp -a

List active TCP and UDP connections:

netstat -ano

List recent and persistent routes:

route print

System

General enumeration:

# General system information
systeminfo

# Name of the host
hostname

# Operating system version
[environment]::OSVersion.Version

# Environment variables
dir env:

# Named pipes
gci \\.\pipe\

# Clipboard
Get-Clipboard

Applications:

# Installed applications
> Get-WmiObject -Class Win32_Product |  select Name, Version
wmic product get name

# installed applications (registry key queries)
# 32-bit apps
> Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
> GCI 'c:\program files (x86)'

# 64-bit apps
> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
> GCI 'c:\program files'

Processes:

# List running processes
> tasklist
> Get-Process
# Information about a specific process
> Get-Process -Id <PID>
> tasklist /FI "PID eq <PID>"
> Get-Process -Name <process-name> | Format-list *

Services:

# Services hosted in each process
tasklist /svc

Other:

General enumeration:

# General system information
systeminfo

# Hostname
hostname

# Operating system version
ver
echo %OS%

# List environment variables
set

# Diplay the value of a specific variable
set %PATH%
echo %PATH%

Applications:

# Installed applications
wmic product get name

Processes:

# Running process
tasklist

# Information about a specific process
tasklist /FI "PID eq <PID>"

Services:

# Running services
tasklist /svc
net start
wmic service list brief # deprecated

# Manage a service
net <start | stop | pause | continue> <service>

# Query running services
sc query type= service

# Create a new service
sc create MyTestService binPath= "C:\Path\To\yourbinary.exe"

# Start / stop a service
sc <start | stop> <service>

# Modify start type (service won't be able to start with 'sc start <service>'
sc config <service> start= disabled

# Revert the change
sc config <service> start= auto

Other:

# Login server for the current user followed by the machine's hostname
echo %LOGONSERVER%

# The location of the current user's home directory
echo %USERPROFILE%

Users & Groups

# Domain/username (domain-joined) or NetBIOS/username (non domain-joined)
whoami # can be used to infer the purpose and type of the machine

# List current user's privileges
whoami /priv

# List current user's information
whoami /all

# List local users
net user
Get-LocalUser

# List active (logged-on) users (works only on Windows Servers)
query user

# List current user's groups
whoami /groups

# List local groups
net localgroup

# List domain groups (works only on a DC)
net group
Get-LocalGroup

# List group members
net localgroup <group>
Get-LocalGroup <group>

Shared Resources

All the below commands work with both CMD and Powershell.

# List resources
net share

Protections

Check WD's status with PS:

Get-MpComputerStatus

Check WD's status with CMD:

sc query windefend

Check AppLocker's rules and policies with PS:

# AppLocker rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# AppLocker policy
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

List hotfixes with both CMD and PS:

wmic qfe

Files

# List all (including) hidden files
Get-ChildItem -Force
# All dirs and files
GCI C:\Users\User -Force 
# Only hidden files
GCI C:\Users\User\ -Hidden

# Search for a specific file
Get-ChildItem -Path C:\ -Filter local.txt -Recurse -ErrorAction SilentlyContinue -Force

# Config files, temp saves
GCI C:\Users\User\AppData

# PowerShell history file
Get-Content C:\Users\<user>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

# KeePass database files
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

# XAMPP configuration files
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue

# Documents in the user's home directory
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

# List all (including) hidden files
dir /a

# Search for a specific file
dir C:\local.txt /s /a
dir C:\ /s /a /b | findstr /i "local.txt"

# Check permissions
icacls c:\windows\myfolder

# Grant full permissions
icacls c:\windows\myfolder /grant <USER>:f

# Remove permissions
icacls c:\users /remove <USER>

Writable Directories

C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\Users\Public # similar to \Temp but more stealthy
C:\Windows\Temp # all users have rwx
C:\Users\<user>\AppData\Local\Temp # similar to above, but user-only
C:\windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\System32\Tasks_Migrated
C:\Windows\SysWOW64\FxsTmp
C:\Windows\SysWOW64\com\dmp
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks\Microsoft\Windows\PLA\System

Test access:

# Move into the target directory
cd C:\Windows\Temp
# Create a file
echo "test" > test
# List the file's contents
type test

PS Logging

By default, Windows logs minimal PS activity. However, two key logging mechanisms can be enabled:

PowerShell Transcription – Logs everything a user types, like an "over-the-shoulder" view. Saved as transcript files in user directories or network shares.
Script Block Logging – Records executed commands and script blocks as events, including decoded versions of encoded scripts.

Clear-History does not clear the command history recorded by PSReadline.

# get powershell history
Get-History

# PSReadline history's file path
(Get-PSReadlineOption).HistorySavePath

# History files
GC C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

To find Script Block Logging events on Event Viewer:

Press Win + R, type eventvwr.msc, and press Enter.
In the left panel, go to: Applications and Services Logs > Microsoft > Windows > PowerShell > Operational.
Click Filter Current Log (on the right panel), in the Event IDs field enter: 4104, and click OK.
On the right panel click Find and search for interesting keywords, such as pass, key, secret etc.
Open relevant events and check the Details tab for logged script content.

If searching manually isn’t effective, export the logs and analyze them with PowerShell:

Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" | Where-Object { $_.Message -match "password" }

Use another user's credentials

$user_pass = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$user_creds = New-Object System.Management.Automation.PSCredential('<DOMAIN\user', $user_pass)
# adding a member to a group
Add-DomainGroupMember -Identity '<GROUP>' -Members '<USER>' -Credential $user_creds -verbose

Binaries

We can transfer the binary in a Unix-based attacking host and run strings on it:

# strings with 16-bit encoding for Windows binaries
strings -eb <FILE> | grep pass

PreviousInfra NextLinux

Last updated 1 day ago

Was this helpful?