Windows

HELP

help help <COMMAND> <COMMAND> ? <COMMAND> /?

Hostname

hostname

Sistema Operativo, Versione, Architettura

systeminfo [environment]::OSVersion.Version

Username

echo %USERNAME% whoami whoami /user (also SID) whoami /groups

SID

wmic useraccount get domain,name,sid

wmic useraccount where name="<NAME>" get sid wmic group get name,sid

Privileges

Users

net user net user <USER> (user info, also groups he/she is in) Get-LocalUser Create new user net user <USER> <PASSWORD> /add New-LocalUser -Name "<USER>" -Password (ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force)

Groups

net localgroup net localgroup <GROUP> (info on who is part of it) Get-LocalGroup Get-LocalGroupMember <GROUP> whoami /groups Create new group net localgroup <GROUP> /add New-LocalGroup -Name "<GROUP>" Assigning a user to a group net localgroup <GROUP> <USER> /add Add-LocalGroupMember -Group "Administrators" -Member "<USER>"

Descriptions

Get-LocalUser (users) Get-WmiObject -Class Win32_UserAccount (domain users) Get-WmiObject -Class Win32_OperatingSystem | select Description (machine)

Other connected users

query user qwinsta

File/Directory permissions

Execution Policy

Get-ExecutionPolicy -List Change the execution policy for the current process (session) Set-ExecutionPolicy Bypass -Scope Process (No blocks)

Defenses enabled

sc query windefend (Windows Defender da cmd) netsh advfirewall show allprofiles Get-MpComputerStatus | findstr "True" Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections (AppLocker blocks, path bypassing?)

systeminfo wmic qfe wmic qfe list brief Get-HotFix | ft -AutoSize

LAPS

Find-LAPSDelegatedGroups Find-AdmPwdExtendedRights Get-LAPSComputers

Network information

ipconfig /all route print arp -a netstat -ano (Active Network Connections, for service name see PID and then tasklist /SVC | findstr <PID>)

Pipe

Installed applications

wmic product get name Get-WmiObject -Class Win32_Product | select Name, Version str32BIT = HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall str64BIT = HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall reg query "<str32BIT>" /s /f "DisplayName" | findstr /i "DisplayName” reg query "<str64BIT>" /s /f "DisplayName" | findstr /i "DisplayName” Get-ItemProperty "<str32BIT>\*" | select displayname Get-ItemProperty "<str64BIT>\*" | select displayname $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation

$INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Or look in C:\Program Files

Service list

wmic service get name,pathname,state,startmode,<OTHER_FIELDS> | findstr /i /v "<STRING>" (/i caseInsensitive, /v NOT) Get-CimInstance -ClassName win32_service | Select <FIELDS> | ? {$_.<FIELDS> -like '<STRINGS>'} Get-Service | ? {$_.Status -eq "Running"} | select -First 2 |fl GUI: Services

Running processes

tasklist tasklist /SVC Get-Process

Task Manager

Scheduled tasks

schtasks /query /fo LIST /v Get-ScheduledTask

Environment variables

set Get-ChildItem Env: | ft key,value

Variable PATH

$env:path

Alias

get-alias New-Alias -Name "<NAME>" <COMMAND>

View Share/Drive

net share net use net use x: \<COMPUTER>\<SHARE>

Logs

GUI: Event Viewer

Various info

GUI: Computer Management GUI: Local Security Policy GUI: Local Group Policy Editor

Warnings

To access a user with RDP, they must be part of the Remote Desktop Users group.
To access a user with WinRM, they must be part of the Remote Management Users group.
Use the runas command to execute commands on behalf of another user on the same host. runas /user:<USER> <COMMAND, ex. cmd> Start-Process cmd.exe -Verb runAs
Startup scripts in:
- For all users (requires administrator privileges):
  - %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
  - C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
- For single user:
  - %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
  - C:\Users\Marco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

Last updated 4 days ago

Was this helpful?

Warnings

To access a user with RDP, they must be part of the Remote Desktop Users group.

To access a user with WinRM, they must be part of the Remote Management Users group.

Use the runas command to execute commands on behalf of another user on the same host. runas /user:<USER> <COMMAND, ex. cmd> Start-Process cmd.exe -Verb runAs

You can also use Import-Module .\Invoke-RunasCs.ps1 Invoke-RunasCs <USER> <PASS> "cmd /c whoami /all"

Startup scripts in:

For all users (requires administrator privileges):
- %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
For single user:
- %APPDATA%\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
- C:\Users\Marco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup