Windows
HELP
help
help <COMMAND>
<COMMAND> ?
<COMMAND> /?
Hostname
hostname
Operating System, Version, Architecture
systeminfo
[environment]::OSVersion.Version
Username
echo %USERNAME%
whoami
whoami /user (also SID)
whoami /groups
SID
wmic useraccount get domain,name,sid
wmic useraccount where name="<NAME>" get sid
wmic group get name,sid
Privileges
whoami /priv (privileges held by the token and whether each is enabled; run it again from a SYSTEM cmd to compare)
To enable the privileges that are present but disabled (script to download)
.\EnableAllTokenPrivs.ps1
Users
net user
net user <USER> (user info, including the groups the account belongs to)
Get-LocalUser
Create new user
net user <USER> <PASSWORD> /add
New-LocalUser -Name "<USER>" -Password (ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force)
Groups
net localgroup
net localgroup <GROUP> (info on who is part of it)
Get-LocalGroup
Get-LocalGroupMember <GROUP>
whoami /groups
Create new group
net localgroup <GROUP> /add
New-LocalGroup -Name "<GROUP>"
Assigning a user to a group
net localgroup <GROUP> <USER> /add
Add-LocalGroupMember -Group "Administrators" -Member "<USER>"
Descriptions
Get-LocalUser (users)
Get-WmiObject -Class Win32_UserAccount | select Name, Domain, Description (local and, if joined, domain accounts)
Get-WmiObject -Class Win32_OperatingSystem | select Description (machine)
Other connected users
query user
qwinsta
File/Directory permissions
icacls
icacls <PATH> /grant <USER>:F
icacls <PATH> /remove <USER> (removes all ACEs for that user; no permission suffix)
(DOC: F = full access, M = modify, W = write, R = read)
Execution Policy
Get-ExecutionPolicy -List
Change the execution policy for the current process (session)
Set-ExecutionPolicy Bypass -Scope Process (nothing is blocked or warned about; affects only this session)
Defenses enabled
sc query windefend (Windows Defender from cmd)
netsh advfirewall show allprofiles
Get-MpComputerStatus | findstr "True"
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections (AppLocker rules; path rules that allow a directory you can write to are a bypass candidate)
Installed patches (hotfixes)
systeminfo
wmic qfe
wmic qfe list brief
Get-HotFix | ft -AutoSize
LAPS (LAPSToolkit cmdlets)
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers
Network information
ipconfig /all
route print
arp -a
netstat -ano (Active Network Connections, for service name see PID and then tasklist /SVC | findstr <PID>)
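The netstat -ano plus tasklist /SVC pairing above can be done in one step from PowerShell. This is an added example, not from the original page: it joins Get-NetTCPConnection (listening TCP sockets) with Get-Process and Win32_Service, so svchost-hosted listeners resolve to the service names they carry. The function name Get-ListeningPortOwners is my own; the cmdlets are built in.

```powershell
# Added example: listening TCP ports with owning process and hosted service names.
function Get-ListeningPortOwners {
    # Index service names by PID: several services can share one svchost.exe
    $svcByPid = @{}
    foreach ($s in Get-CimInstance Win32_Service | Where-Object { $_.ProcessId -ne 0 }) {
        $svcByPid[[int]$s.ProcessId] += @($s.Name)
    }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '?' }
            Services     = ($svcByPid[[int]$_.OwningProcess] -join ',')
            # Loopback-only listeners are reachable only once you are on the box
            Exposure     = if ($_.LocalAddress -in '127.0.0.1', '::1') { 'local' } else { 'network' }
        }
    }
}

Get-ListeningPortOwners | Sort-Object Exposure, Port | Format-Table -AutoSize
```

UDP listeners are not covered; Get-NetUDPEndpoint gives those with the same OwningProcess field. Services listening only on loopback are still worth noting: they are what you pivot to after a foothold.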
Named pipes
pipelist.exe /accepteula
gci \\.\pipe\
accesschk.exe /accepteula <PIPE> [/v] (enumerate the permissions assigned to a pipe)
<PIPE> = \pipe\ to list all of them, otherwise the path of one pipe, e.g. \\.\Pipe\lsass
Installed applications
wmic product get name (slow: Win32_Product triggers a consistency check of every MSI package and logs events, so it is noisy)
Get-WmiObject -Class Win32_Product | select Name, Version (same caveat; prefer the registry queries below)
str32BIT = HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
str64BIT = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
reg query "<str32BIT>" /s /f "DisplayName" | findstr /i "DisplayName"
reg query "<str64BIT>" /s /f "DisplayName" | findstr /i "DisplayName"
Get-ItemProperty "<str32BIT>\*" | select displayname
Get-ItemProperty "<str64BIT>\*" | select displayname
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize
Or look in C:\Program Files
Service list
wmic service get name,pathname,state,startmode,<OTHER_FIELDS> | findstr /i /v "<STRING>" (/i case-insensitive, /v invert match, e.g. to drop C:\Windows paths)
Get-CimInstance -ClassName win32_service | Select <FIELDS> | ? {$_.<FIELD> -like '<PATTERN>'}
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl
GUI: Services
Running processes
tasklist
tasklist /SVC
Get-Process
Task Manager
taskmgr
GUI: Task Manager
GUI: Process Explorer (to download, also shows DLLs used for each process)
Scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTask
Environment variables
set
Get-ChildItem Env: | ft key,value
Variable PATH
$env:path
Alias
get-alias
New-Alias -Name "<NAME>" -Value <COMMAND>
View Share/Drive
net share
net view \\<COMPUTER> /all
net use
net use X: \\<COMPUTER>\<SHARE>
Logs
GUI: Event Viewer
Various info
GUI: Computer Management
GUI: Local Security Policy
GUI: Local Group Policy Editor
Warnings
To access a machine with RDP, the user must be part of the Remote Desktop Users group.
To access a machine with WinRM, the user must be part of the Remote Management Users group.
Startup scripts in:
For all users (writing there requires administrator privileges):
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
For a single user (%APPDATA% already points at AppData\Roaming):
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
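The service list, scheduled tasks and startup folders above all come down to the same question: is there an executable or directory that runs as someone else and that the current user can modify? The script below is an added example, not from the original page, that answers it for all three in one pass. Instead of reading icacls output it tries to open each path for writing, which is what an attacker would need anyway. The helper names Test-Writable and Get-ExecutableFromCommandLine are my own; everything else is built-in cmdlets and .NET.

```powershell
# Added example: writable service binaries, task actions and startup folders.
function Test-Writable {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path) -or -not (Test-Path -LiteralPath $Path)) { return $false }
    try {
        if ((Get-Item -LiteralPath $Path).PSIsContainer) {
            # Directory: create and delete a probe file
            $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
            [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force
        } else {
            $fs = [IO.File]::Open($Path, 'Open', 'Write', 'ReadWrite'); $fs.Close()
        }
        return $true
    } catch [System.IO.IOException] {
        # 0x80070020 = sharing violation: file is in use (e.g. the service is running),
        # so the ACL decides; confirm with icacls before concluding either way.
        if ($_.Exception.HResult -eq -2147024864) { return 'locked' }
        return $false
    } catch { return $false }
}

function Get-ExecutableFromCommandLine {
    param([string]$CommandLine)
    # "C:\x y\z.exe" -k  ->  C:\x y\z.exe      C:\a\b.exe /arg  ->  C:\a\b.exe
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 1) { return $cl.Substring(1, $end - 1) } else { return $null }
    }
    $m = [regex]::Match($cl, '^.+?\.(exe|bat|cmd|ps1|vbs|dll)\b', 'IgnoreCase')
    if ($m.Success) { return $m.Value } else { return $cl.Split(' ')[0] }
}

$findings = @()
# Services: skip anything under %SystemRoot%, as the findstr /v filter above does
foreach ($s in Get-CimInstance Win32_Service) {
    $exe = Get-ExecutableFromCommandLine $s.PathName
    if (-not $exe -or $exe -like "$env:SystemRoot\*") { continue }
    # Unquoted path containing spaces: Windows tries C:\Program.exe, C:\Program Files\Foo.exe, ...
    $unquoted = ($s.PathName -notmatch '^"') -and ($exe -match ' ')
    $findings += [pscustomobject]@{ Kind = 'Service'; Name = $s.Name; RunsAs = $s.StartName; Path = $exe
        WritableFile = (Test-Writable $exe); WritableDir = (Test-Writable (Split-Path $exe)); UnquotedPath = $unquoted }
}
# Scheduled tasks: one row per exec action
foreach ($t in Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' }) {
    foreach ($a in $t.Actions) {
        if (-not $a.Execute) { continue }   # ComHandler actions have no Execute
        $exe = Get-ExecutableFromCommandLine $a.Execute
        if (-not $exe -or $exe -like "$env:SystemRoot\*") { continue }
        $findings += [pscustomobject]@{ Kind = 'Task'; Name = $t.TaskName; RunsAs = $t.Principal.UserId; Path = $exe
            WritableFile = (Test-Writable $exe); WritableDir = (Test-Writable (Split-Path $exe)); UnquotedPath = $false }
    }
}
# Startup folders: all users (normally admin-only) and the current user
foreach ($dir in "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
                 "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup") {
    $findings += [pscustomobject]@{ Kind = 'StartupDir'; Name = (Split-Path $dir -Leaf); RunsAs = 'logon user'; Path = $dir
        WritableFile = $false; WritableDir = (Test-Writable $dir); UnquotedPath = $false }
}

$findings | Where-Object { $_.WritableFile -ne $false -or $_.WritableDir -or $_.UnquotedPath } |
    Format-Table Kind, Name, RunsAs, Path, WritableFile, WritableDir, UnquotedPath -AutoSize
```

A writable directory matters as much as a writable file: a DLL dropped next to a service binary, or a replacement binary in an unquoted path's parent directory, is loaded with the service's identity (RunsAs). Rows marked locked need an icacls check because the open failed only because the file was in use.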