Windows

HELP

help
help <COMMAND>
<COMMAND> ?
<COMMAND> /?

Hostname

hostname

Operating System, Version, Architecture

systeminfo
[environment]::OSVersion.Version

Username

echo %USERNAME%
whoami
whoami /user (also shows the SID)
whoami /groups

SID

wmic useraccount get domain,name,sid

wmic useraccount where name="<NAME>" get sid
wmic group get name,sid

Privileges

whoami /priv (also works from a SYSTEM cmd)
To enable the privileges held by the token (DOWNLOAD): .\EnableAllTokenPrivs.ps1

Users

net user
net user <USER> (user info, including the groups the user belongs to)
Get-LocalUser
Create a new user:
net user <USER> <PASSWORD> /add
New-LocalUser -Name "<USER>" -Password (ConvertTo-SecureString "<PASSWORD>" -AsPlainText -Force)

Groups

net localgroup
net localgroup <GROUP> (info on who is a member)
Get-LocalGroup
Get-LocalGroupMember <GROUP>
whoami /groups
Create a new group:
net localgroup <GROUP> /add
New-LocalGroup -Name "<GROUP>"
Assign a user to a group:
net localgroup <GROUP> <USER> /add
Add-LocalGroupMember -Group "Administrators" -Member "<USER>"

Descriptions

Get-LocalUser (local users)
Get-WmiObject -Class Win32_UserAccount (domain users)
Get-WmiObject -Class Win32_OperatingSystem | select Description (machine)

Account policy

net accounts

Other connected users

query user
qwinsta

File/Directory permissions

icacls
icacls <PATH> /grant <USER>:f
icacls <PATH> /remove <USER> (/remove takes only the user, no permission suffix)
(DOC: F = full access, W = write, R = read)

Execution Policy

Get-ExecutionPolicy -List
Change the execution policy for the current process (session) only:
Set-ExecutionPolicy Bypass -Scope Process
powershell -ep bypass (nothing is blocked)

Defenses enabled

sc query windefend (Windows Defender from cmd)
netsh advfirewall show allprofiles
Get-MpComputerStatus | findstr "True"
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections (what AppLocker blocks; are the rules path-based and bypassable?)

Hotfixes

systeminfo
wmic qfe
wmic qfe list brief
Get-HotFix | ft -AutoSize

LAPS

Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers

Network information

ipconfig /all
route print
arp -a
netstat -ano (active network connections; to get the service name, take the PID and run tasklist /SVC | findstr <PID>)

Pipe

pipelist.exe /accepteula
gci \\.\pipe\
accesschk.exe /accepteula <PIPE> [/v] (enumerate the permissions assigned to a pipe; <PIPE> = \pipe\ to see all, otherwise a <PATH>, e.g. \\.\Pipe\lsass)

Installed applications

wmic product get name
Get-WmiObject -Class Win32_Product | select Name, Version

32-bit applications

reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName"
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select DisplayName, DisplayVersion, InstallLocation

64-bit applications

reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr /i "DisplayName"
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select DisplayName, DisplayVersion, InstallLocation

Pipe either Get-ItemProperty command above into the following to drop entries without a name and deduplicate:

$COMMAND_ABOVE | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Look in C:\Program Files

Service list

Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartMode | ? {$_.State -like 'Running'}
wmic service get name,pathname,state,startmode,<OTHER_FIELDS> | findstr /i /v "<STRING>" (/i case-insensitive, /v NOT)
Get-Service | ? {$_.Status -eq "Running"} | select -First 2 | fl
GUI: Services

Running processes

tasklist
tasklist /SVC
Get-Process
Get-Process | select ProcessName, Path

Task Manager

taskmgr
GUI: Task Manager
GUI: Process Explorer (to download; also shows the DLLs loaded by each process)

Scheduled tasks

schtasks /query /fo LIST /v
Get-ScheduledTask

Environment variables

set
Get-ChildItem Env: | ft key,value

Variable PATH

$env:path

Alias

get-alias
New-Alias -Name "<NAME>" <COMMAND>

View Share/Drive

net share
net view \\<COMPUTER> /all
net use
net use X: \\<COMPUTER>\<SHARE>

Logs

GUI: Event Viewer

Various info

GUI: Computer Management
GUI: Local Security Policy
GUI: Local Group Policy Editor

Warnings

  • To access a user with RDP, they must be part of the Remote Desktop Users group.

  • To access a user with WinRM, they must be part of the Remote Management Users group.

  • Startup scripts in:

    • For all users (requires administrator privileges):

      • %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\

    • For single user:

      • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ (%APPDATA% already resolves to ...\AppData\Roaming)

      • C:\Users\Marco\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
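The two points above (remote-access group membership and Startup folder contents) are easy to audit together. This PowerShell script is an added example, not part of the original cheat sheet; it assumes PowerShell 5.1 or later (for Get-LocalGroupMember) and an account allowed to read local group membership.

```powershell
# Added example, not part of the original cheat sheet: audit the remote-access
# groups and Startup folders named above in one pass.
# Assumes PowerShell 5.1+ (Get-LocalGroupMember) and rights to read the groups.

function Get-RemoteAccessGroupMembers {
    # Membership here is what grants RDP / WinRM logon on this host
    foreach ($g in 'Remote Desktop Users', 'Remote Management Users') {
        try { $members = Get-LocalGroupMember -Group $g -ErrorAction Stop }
        catch { Write-Warning "Cannot read group '$g': $($_.Exception.Message)"; continue }
        foreach ($m in $members) {
            [pscustomobject]@{
                Group           = $g
                Member          = $m.Name
                ObjectClass     = $m.ObjectClass      # User or Group
                PrincipalSource = $m.PrincipalSource  # Local, ActiveDirectory, ...
            }
        }
    }
}

function Get-StartupFolderItems {
    # CommonStartup resolves to %PROGRAMDATA%\...\Startup, Startup to %APPDATA%\...\Startup
    $folders = [ordered]@{
        AllUsers    = [Environment]::GetFolderPath('CommonStartup')
        CurrentUser = [Environment]::GetFolderPath('Startup')
    }
    $shell = New-Object -ComObject WScript.Shell   # used to resolve .lnk targets
    foreach ($scope in $folders.Keys) {
        $path = $folders[$scope]
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # -Force includes hidden files; desktop.ini is folder metadata, not a startup item
        Get-ChildItem -LiteralPath $path -Force -File |
            Where-Object { $_.Name -ne 'desktop.ini' } |
            ForEach-Object {
                $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { '' }
                [pscustomobject]@{
                    Scope         = $scope
                    Item          = $_.FullName
                    LastWriteTime = $_.LastWriteTime
                    Target        = $target
                }
            }
    }
}

Get-RemoteAccessGroupMembers | Format-Table -AutoSize
Get-StartupFolderItems       | Format-Table -AutoSize
```

Anything listed under Startup that you did not place there, or a group member you do not recognise, is worth following up with the Event Viewer and scheduled-task checks above.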
