Enumeration

Basic Microsoft Windows Enumeration

whoami /all
whoami /user
systeminfo
net accounts
net user
net user /domain
net user <USERNAME>
Get-LocalUser
Get-LocalGroup
Get LocalGroupMember <GROUP>
Get-Process
tree /f C:\Users\
tasklist /SVC
sc query
sc qc <SERVICE>
netsh firewall show state
schtasks /query /fo LIST /v
wmic qfe get Caption,Description,HotFixID,InstalledOn
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

User & Group Information

Logged-In Users

query user

Current User

echo %USERNAME%
whoami

Current User Privileges

whoami /priv

Current User Group Information

whoami /groups

Get All Users

net user
PS > Get-LocalUser

Get All Groups

net localgroup
PS > Get-LocalGroup

Details About a Group

net localgroup administrators
PS > Get-LocalGroupMember Administrators

Get Password Policy & Other Account Information

net accounts

System Information

Tasklist

Using the tasklist command to look at running processes will give us a better idea of what applications are currently running on the system.

tasklist /svc

Display All Environment Variables

set

View Detailed Configuration Information

systeminfo
wmic qfe

// PowerShell
Get-HotFix | ft -AutoSize

Installed Programs

wmic product get name

// Powershell
Get-WmiObject -Class Win32_Product |  select Name, Version

Display Running Processes

The netstat command will display active TCP and UDP connections which will give us a better idea of what services are listening on which port(s) both locally and accessible to the outside.

netstat -ano

Listing Named Pipes with Pipelist

pipelist.exe /accepteula

After obtaining a listing of named pipes, we can use Accesschk to enumerate the permissions assigned to a specific named pipe by reviewing the Discretionary Access List (DACL), which shows us who has the permissions to modify, write, read, or execute a resource.

accesschk.exe /accepteula \\.\Pipe\lsass -v

Check all named pipes that allow write access

accesschk.exe -w \pipe\* -v

Identifying Common Applications

dir "C:\Program Files"

# 32 bits Applications
PS > Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

# 64 bits Applications
PS > Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

One liner

PS > $INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |  Select-Object DisplayName, DisplayVersion, InstallLocation
PS > $INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
PS > $INSTALLED | ?{ $_.DisplayName -ne $null } | sort-object -Property DisplayName -Unique | Format-Table -AutoSize

Check which applications are running

PS > Get-Process

Check the path of a process

PS > Get-Process | Where-Object {$_.ProcessName -eq "ProcessName"} | Select-Object Path

Network Information

Interface(s), IP Address(es), DNS Information

ipconfig /all

ARP Table

arp -a 

Routing Table

route print

Enumerating Protections

Check Windows Defender Status

Get-MpComputerStatus

List AppLocker Rules

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Show hidden Files and Folders

dir /a                          // show hidden folders
dir /a:d                        // show all hidden directories
dir /a:h                        // show all hidden files
cmd /c dir /A                   // show hidden folders
cmd /c dir /A:D                 // show all hidden directories
cmd /c dir /A:H                 // show all hidden files
powershell ls -force            // show all hidden files

User Handling

Adding Users to Groups

net user <USERNAME> <PASSWORD> /add /domain
net group "Exchange Windows Permissions" /add <USERNAME>
net localgroup "Remote Management Users" /add <USERNAME>