Windows
HELP
help
help <COMMAND>
<COMMAND> ?
<COMMAND> /?
Hostname
hostname
Operating System, Version, Architecture
systeminfo
[environment]::OSVersion.Version
Username
echo %USERNAME%
whoami
whoami /user
(also SID)
whoami /groups
SID
wmic useraccount get domain,name,sid
wmic useraccount where name="<NAME>" get sid
wmic group get name,sid
Privileges
whoami /priv
(check again from an elevated/SYSTEM cmd: the privilege set belongs to the token, not the user)
To enable privileges that are present in the token but disabled (script to download)
.\EnableAllTokenPrivs.ps1
Users
net user
net user <USER>
(user info, including the groups the user belongs to)
Get-LocalUser
Groups
net localgroup
net localgroup <GROUP>
(info on who is part of it)
Get-LocalGroup
Get-LocalGroupMember <GROUP>
whoami /groups
Descriptions
Get-LocalUser
(users)
Get-WmiObject -Class Win32_OperatingSystem | select Description
(machine)
Other connected users
query user
qwinsta
File/Directory permissions
icacls
icacls <PATH> /grant <USER>:F
icacls <PATH> /remove <USER>
(DOC: F = Full control, M = Modify, RX = Read and execute, R = Read, W = Write)
Execution Policy
Get-ExecutionPolicy -List
Change the execution policy for the current process (session) only
Set-ExecutionPolicy Bypass -Scope Process
(nothing is blocked for the rest of this session; no admin rights needed)
Defenses enabled
sc query windefend
(Windows Defender from cmd)
netsh advfirewall show allprofiles
Get-MpComputerStatus | findstr "True"
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
(AppLocker rules in force; look for path rules that allow a user-writable directory, which can be used to bypass them)
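The checks above, as one added PowerShell example (my own code, not part of the original cheat sheet): a one-shot survey of Defender, firewall profiles, AppLocker and the execution policy, including the Defender exclusion paths and processes, which matter because anything dropped in an excluded location is not scanned. It assumes the Defender, NetSecurity and AppLocker modules that ship with Windows 8 / Server 2012 and later; each query is wrapped so a missing module only leaves that part marked unavailable.

```powershell
# Added example: survey of the defences listed in this section.
# Assumes the built-in Defender, NetSecurity and AppLocker modules.
function Get-DefenceSurvey {
    $s = [ordered]@{}

    # Windows Defender state (Get-MpComputerStatus) and exclusions (Get-MpPreference)
    try {
        $mp   = Get-MpComputerStatus -ErrorAction Stop
        $pref = Get-MpPreference -ErrorAction Stop
        $s.DefenderService        = $mp.AMServiceEnabled
        $s.DefenderRealTime       = $mp.RealTimeProtectionEnabled
        $s.DefenderTamperProtect  = $mp.IsTamperProtected
        $s.DefenderSignatureDate  = $mp.AntivirusSignatureLastUpdated
        $s.DefenderExclusionPaths = @($pref.ExclusionPath) -join '; '
        $s.DefenderExclusionProcs = @($pref.ExclusionProcess) -join '; '
    } catch { $s.Defender = "unavailable: $($_.Exception.Message)" }

    # Firewall: enabled state and default inbound action per profile
    try {
        $s.Firewall = (Get-NetFirewallProfile -ErrorAction Stop | ForEach-Object {
            "{0}={1}/{2}" -f $_.Name, $_.Enabled, $_.DefaultInboundAction
        }) -join ' '
    } catch { $s.Firewall = 'unavailable' }

    # AppLocker: rule collections in force, enforcement mode and rule count
    try {
        $policy = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $s.AppLocker = @(foreach ($c in $policy.RuleCollections) {
            "{0}={1}({2} rules)" -f $c.RuleCollectionType, $c.EnforcementMode, $c.Count
        }) -join ' '
    } catch { $s.AppLocker = 'unavailable' }

    # PowerShell execution policy per scope
    $s.ExecutionPolicy = (Get-ExecutionPolicy -List | ForEach-Object {
        "{0}={1}" -f $_.Scope, $_.ExecutionPolicy
    }) -join ' '

    [pscustomobject]$s
}

Get-DefenceSurvey | Format-List
```

Run it as the low-privileged user first: Get-MpPreference may be denied to standard users on some builds, and an AppLocker collection in AuditOnly mode logs but does not block.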
Installed patches (hotfixes)
systeminfo
wmic qfe
wmic qfe list brief
Get-HotFix | ft -AutoSize
LAPS (LAPSToolkit cmdlets, to download)
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers
Network information
ipconfig /all
route print
arp -a
netstat -ano
(active network connections; to get the service behind a port take the PID and run tasklist /SVC | findstr <PID>)
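The netstat -ano, then tasklist /SVC lookup, done in one pass as an added PowerShell example (my own code, not part of the original cheat sheet): for every listening TCP port it reports the owning PID, process name and image path, and for shared hosts such as svchost.exe the service names running inside that PID. It assumes the NetTCPIP module (Windows 8 / Server 2012 or later); image paths of processes owned by other users stay blank unless the shell is elevated.

```powershell
# Added example: map listening TCP ports to process and service names.
# Assumes Get-NetTCPConnection (NetTCPIP module) is available.

# PID -> service names, from the Win32_Service ProcessId field
$svcByPid = @{}
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 } |
    ForEach-Object {
        $key = [string]$_.ProcessId
        if (-not $svcByPid.ContainsKey($key)) { $svcByPid[$key] = @() }
        $svcByPid[$key] += $_.Name
    }

# PID -> process object, fetched once instead of per connection
$procById = @{}
Get-Process | ForEach-Object { $procById[[string]$_.Id] = $_ }

function Get-ListeningPortMap {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $owner = [string]$_.OwningProcess   # $PID is reserved in PowerShell
            $proc  = $procById[$owner]
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { '?' }
                Services     = if ($svcByPid.ContainsKey($owner)) { $svcByPid[$owner] -join ',' } else { '' }
                Path         = if ($proc -and $proc.Path) { $proc.Path } else { '' }
            }
        }
}

Get-ListeningPortMap | Format-Table -AutoSize
```

A port bound to 127.0.0.1 only is still worth noting: it is reachable after port forwarding and often belongs to a service that was never hardened for remote clients.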
Named pipes (pipelist and accesschk are Sysinternals tools, to download)
pipelist.exe /accepteula
gci \\.\pipe\
accesschk.exe /accepteula <PIPE> [/v]
(enumerate the permissions assigned to a pipe; <PIPE> = \pipe\ to see all of them, otherwise the path of one pipe, e.g. \\.\Pipe\lsass)
Installed applications
wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version
str32BIT = HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
str64BIT = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
reg query "<str32BIT>" /s /f "DisplayName" | findstr /i "DisplayName"
reg query "<str64BIT>" /s /f "DisplayName" | findstr /i "DisplayName"
Get-ItemProperty "<str32BIT>\*" | select displayname
Get-ItemProperty "<str64BIT>\*" | select displayname
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
Or look in C:\Program Files
Service list
wmic service get name,pathname,state,startmode,<OTHER_FIELDS> | findstr /i /v "<STRING>"
(/i caseInsensitive, /v NOT)
Get-CimInstance -ClassName win32_service | Select <FIELDS> | ? {$_.<FIELDS> -like '<STRINGS>'}
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
GUI: Services
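The check that normally follows the service list and the icacls section, as an added PowerShell example (my own code, not part of the original cheat sheet): for every service it extracts the real binary from PathName, flags unquoted paths that contain spaces, and reports whether the executable or its directory grants Write/Modify/FullControl (or the right to change permissions or ownership) to the current user or one of its groups. The helper names Get-ServiceBinaryPath, Test-WritableByCurrentUser and Get-WeakServiceBinary are my own. Caveat: only Allow ACEs are evaluated and Deny ACEs are ignored, so confirm a hit with icacls before relying on it.

```powershell
# Added example: services with an unquoted path or a binary/directory the
# current user can write to. Helper names are my own; Deny ACEs are not checked.

$me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$mySids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })
$fsr    = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Modify -bor $fsr::FullControl -bor
                   $fsr::WriteData -bor $fsr::AppendData -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)

function Get-ServiceBinaryPath([string]$PathName) {
    # Quoted form:   "C:\Program Files\Vendor\svc.exe" -k arg
    if ($PathName -match '^\s*"([^"]+)"') { return $Matches[1] }
    # Unquoted form: C:\Program Files\Vendor\svc.exe -k arg  (take up to the first .exe)
    if ($PathName -match '^\s*(.+?\.exe)') { return $Matches[1] }
    return ($PathName.Trim() -split ' ')[0]
}

function Test-WritableByCurrentUser([string]$Path) {
    if (-not $Path) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity, skip it
        if (($mySids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-WeakServiceBinary {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $exe = Get-ServiceBinaryPath $_.PathName
            $dir = try { Split-Path -Path $exe -Parent } catch { $null }
            [pscustomobject]@{
                Name        = $_.Name
                StartMode   = $_.StartMode
                RunAs       = $_.StartName
                Binary      = $exe
                Unquoted    = ($_.PathName -notmatch '^\s*"') -and ($exe -match ' ')
                ExeWritable = Test-WritableByCurrentUser $exe
                DirWritable = Test-WritableByCurrentUser $dir
            }
        } |
        Where-Object { $_.Unquoted -or $_.ExeWritable -or $_.DirWritable }
}

Get-WeakServiceBinary | Format-Table -AutoSize
```

A writable binary only helps if the service runs as a more privileged account (see the RunAs column) and can be restarted by you or on reboot (see StartMode); check both before spending time on it.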
Running processes
tasklist
tasklist /SVC
Get-Process
Task Manager
taskmgr
GUI: Task Manager
GUI: Process Explorer
(to download, also shows DLLs used for each process)
Scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTask
Environment variables
set
Get-ChildItem Env: | ft key,value
Variable PATH
$env:path
Alias
get-alias
New-Alias -Name "<NAME>" -Value <COMMAND>
View Share
net share
net use x: \\<COMPUTER>\<SHARE>
Logs
GUI: Event Viewer
Various info
GUI: Computer Management
GUI: Local Security Policy
GUI: Local Group Policy Editor
Warnings
To log on to a host over RDP, the user must be a member of the Remote Desktop Users group (members of Administrators are allowed by default).
To connect over WinRM, the user must be a member of the Remote Management Users group (members of Administrators are allowed by default).
Use the runas command to execute a command as another user on the same host (it prompts for that user's password).
runas /user:<USER> <COMMAND, e.g. cmd>
Start-Process cmd.exe -Verb runAs
(opens an elevated prompt for the current user and triggers the UAC consent dialog)