Windows Enumeration
Enumeration
System Information
Basic System Info
hostname
Displays the hostname of the current machine.
qwinsta
Lists users connected to the machine along with session details. Similar to Linux's w or who.
query user
Shows details about active sessions.
Detailed System Information
systeminfo
Retrieves comprehensive system details.
Filter specific details:
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
Using PowerShell:
[System.Environment]::OSVersion.Version
Patch and Update Information
CMD:
wmic qfe get Caption, Description, HotFixID, InstalledOn
(List installed patches)
wmic qfe list brief
(Quick overview of updates)
wmic product get name
(List installed programs)
PowerShell:
Get-HotFix | ft -AutoSize
(List installed patches)
Get-WmiObject -Class Win32_Product | select Name, Version
(Installed programs; note that querying Win32_Product triggers a consistency check of every installed MSI package, so it is slow and leaves MsiInstaller events in the Application log)
Running Processes
CMD:
tasklist /svc
Lists all running processes and associated services.
Domain Status
PowerShell:
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
Returns True if the machine is part of a domain.
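The commands in this section are usually run one at a time and read by eye. As an added example (not part of the original page), the PowerShell below collects the same facts into one object, saves it as JSON, and reports which fields changed on a later run, which is how a defender turns a one-off enumeration into a baseline check. The property names, the default of 10 recent hotfixes and the file path in the usage comments are assumptions for illustration.

```powershell
# Added example, not from the original page. Collects the facts the commands above
# return into one object, saves it, and diffs a later run against the saved copy.
function Get-HostBaseline {
    param(
        # How many of the newest hotfixes to keep in the snapshot (illustrative default).
        [int]$RecentHotfixCount = 10
    )
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $hotfixes = Get-HotFix | Sort-Object -Property InstalledOn -Descending

    [PSCustomObject]@{
        Hostname        = $env:COMPUTERNAME
        OSName          = $os.Caption
        OSVersion       = [System.Environment]::OSVersion.Version.ToString()
        SystemType      = $cs.SystemType
        PartOfDomain    = $cs.PartOfDomain
        Domain          = $cs.Domain
        HotfixCount     = @($hotfixes).Count
        RecentHotfixes  = @($hotfixes | Select-Object -First $RecentHotfixCount -ExpandProperty HotFixID)
        ExecutionPolicy = (Get-ExecutionPolicy -Scope LocalMachine).ToString()
        CollectedAt     = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Writes the current snapshot to disk as JSON.
function Save-HostBaseline {
    param([string]$Path)
    Get-HostBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

# Compares the current state with a saved snapshot and emits one row per changed field.
function Compare-HostBaseline {
    param([string]$Path)
    $saved   = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $current = Get-HostBaseline
    foreach ($name in $current.PSObject.Properties.Name) {
        if ($name -eq 'CollectedAt') { continue }      # expected to differ on every run
        $old = @($saved.$name)   -join ','
        $new = @($current.$name) -join ','
        if ($old -ne $new) {
            [PSCustomObject]@{ Property = $name; Baseline = $old; Current = $new }
        }
    }
}

# Usage: run once to record the baseline, then again later to see what changed.
# Save-HostBaseline -Path "$env:TEMP\host-baseline.json"
# Compare-HostBaseline -Path "$env:TEMP\host-baseline.json" | Format-Table -AutoSize
```

A changed OSVersion or HotfixCount is expected after patching; a changed PartOfDomain, Domain or ExecutionPolicy is not, and is worth an explanation.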
PowerShell and AppLocker Policies
PowerShell Execution Policy
Get-ExecutionPolicy -List
AppLocker Policy Rules
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Testing AppLocker Policies
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
PowerShell History
Retrieve the PowerShell command history for a specific user:
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
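The command above reads one user's history file. As an added example (not part of the original page), the following function walks every profile under C:\Users, reads the same PSReadline file for each user that has one, and returns a triage record with the last write time, line count and most recent commands; this is the form in which an incident responder would collect it. Reading other users' profiles requires administrative rights, and the default of 50 trailing commands is an illustrative assumption.

```powershell
# Added example, not from the original page. Walks every local profile, reads its
# PSReadline history file, and returns one triage record per user found.
function Get-PSReadlineHistory {
    param(
        [string]$ProfileRoot = "$env:SystemDrive\Users",
        # Number of most recent commands to keep per user (illustrative default).
        [int]$Tail = 50
    )
    $relative = 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt'
    foreach ($userDir in Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue) {
        $file = Join-Path -Path $userDir.FullName -ChildPath $relative
        if (-not (Test-Path -LiteralPath $file)) { continue }   # user never ran interactive PowerShell
        $item  = Get-Item -LiteralPath $file
        $lines = @(Get-Content -LiteralPath $file -ErrorAction SilentlyContinue)
        [PSCustomObject]@{
            User          = $userDir.Name
            Path          = $file
            LastWriteTime = $item.LastWriteTime
            SizeBytes     = $item.Length
            LineCount     = $lines.Count
            LastCommands  = @($lines | Select-Object -Last $Tail)
        }
    }
}

# Usage: summarise who has history and when it was last written, then inspect one user.
# Get-PSReadlineHistory | Select-Object User, LastWriteTime, LineCount | Format-Table -AutoSize
# (Get-PSReadlineHistory | Where-Object User -eq 'alice').LastCommands
```

PSReadline only records interactive console sessions, so scripts and powershell.exe -Command runs leave nothing here; an empty or missing file is not evidence that PowerShell was never used, and Script Block Logging (event ID 4104) is the complementary source.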
Environment Variables
CMD:
set
PowerShell:
Get-ChildItem Env: | ft Key,Value
Windows Defender
Firewall and Antivirus Status (CMD):
View firewall profiles:
netsh advfirewall show allprofiles
Check Windows Defender status:
sc query windefend
Windows Defender Status (PowerShell):
Get-MpComputerStatus
Users
Current User Details:
whoami /all
whoami /priv
whoami /groups
Local Users (CMD):
List all users:
net users
Get user details:
net user <USER>
Current user's details:
net user %username%
Password policy:
net accounts
net accounts /domain
Create a New User:
net user /add <USERNAME> <PASSWORD>
User Domain and SID Information:
Show domain:
echo "%USERDOMAIN%"
Check login server:
echo %logonserver%
Display domain, name, and SID:
wmic USERACCOUNT Get Domain,Name,Sid
Groups
Local Groups:
List all groups:
net localgroup
Group details:
net localgroup Administrators
Add a user to administrators:
net localgroup administrators <USERNAME> /add
Domain Groups:
Info about domain groups:
net group /domain
List users in a group:
net group /domain <DOMAIN_GROUP_NAME>
List connected computers:
net group "Domain Computers" /domain
Domain controllers:
net group "Domain Controllers" /domain
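Membership of the local Administrators group is the first thing to check when the commands above are suspected to have been used on a host. As an added example (not part of the original page), this function lists members of a local group that are not on an approved list, using Get-LocalGroupMember and falling back to parsing the net localgroup output shown above when the cmdlet fails (it does so when the group contains an orphaned SID). The names in $Approved are placeholders to be replaced with a real baseline.

```powershell
# Added example, not from the original page. Lists members of the local Administrators
# group that are not on an approved list. Names in $Approved are placeholders.
function Get-UnexpectedLocalAdmins {
    param(
        [string]$Group = 'Administrators',
        [string[]]$Approved = @('Administrator', 'Domain Admins')  # placeholders; use your own baseline
    )
    try {
        $members = Get-LocalGroupMember -Group $Group -ErrorAction Stop |
            Select-Object -ExpandProperty Name
    } catch {
        # Get-LocalGroupMember fails when the group contains an orphaned SID;
        # fall back to the text output of "net localgroup <group>".
        $out = @(net localgroup $Group)
        $sep = 0
        for ($i = 0; $i -lt $out.Count; $i++) {
            if ($out[$i] -like '----*') { $sep = $i; break }   # dashed line precedes the member list
        }
        $members = $out[($sep + 1)..($out.Count - 1)] |
            Where-Object { $_ -and $_ -notlike 'The command completed*' }
    }
    foreach ($m in $members) {
        # Compare on the bare account name so HOST\Name and DOMAIN\Name both match the list.
        $account = ($m -split '\\')[-1]
        if ($Approved -notcontains $account) {
            [PSCustomObject]@{ Group = $Group; Member = $m; Account = $account }
        }
    }
}

# Usage:
# Get-UnexpectedLocalAdmins | Format-Table -AutoSize
```

Comparing on the bare account name is a deliberate simplification so the two code paths agree; if two principals with the same name exist in different domains, compare the full Name or the SID instead. Additions to the group also appear in the Security log as event ID 4732.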
Network Enumeration
Basic Networking Information:
ipconfig
ipconfig /all
Routing and Firewall Status:
Routing table:
route print
ARP table:
arp -a
Open ports and connections:
netstat -ano
Firewall state:
netsh advfirewall show state
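netstat -ano prints a PID but not the process name, so each row normally has to be matched by hand against tasklist. As an added example (not part of the original page), the function below parses the netstat text into objects and joins the PID to the process name from Get-Process, so listeners can be filtered and sorted. The column layout it assumes is the one netstat -ano prints: TCP rows carry a State column, UDP rows do not.

```powershell
# Added example, not from the original page. Parses "netstat -ano" into objects and joins
# each PID to its process name so listeners can be sorted and filtered.
function Get-NetstatConnections {
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    netstat -ano | ForEach-Object {
        $f = -split $_.Trim()          # split on any run of whitespace
        # TCP rows: Proto Local Foreign State PID; UDP rows have no State column.
        $row = switch ($f[0]) {
            'TCP' { if ($f.Count -ge 5) { [ordered]@{ Proto = 'TCP'; Local = $f[1]; Remote = $f[2]; State = $f[3]; PID = [int]$f[4] } } }
            'UDP' { if ($f.Count -ge 4) { [ordered]@{ Proto = 'UDP'; Local = $f[1]; Remote = $f[2]; State = '';    PID = [int]$f[3] } } }
        }
        if ($row) {
            # $null for PID 0 (e.g. TIME_WAIT entries) or for a process that has already exited
            $row.Process = $names[$row.PID]
            [PSCustomObject]$row
        }
    }
}

# Usage: listeners with their owning process, then only those bound to every interface.
# Get-NetstatConnections | Where-Object State -eq 'LISTENING' | Sort-Object Local | Format-Table -AutoSize
# Get-NetstatConnections | Where-Object { $_.State -eq 'LISTENING' -and $_.Local -like '0.0.0.0:*' }
```

Header lines such as "Active Connections" fall through the switch and are dropped. On systems where the NetTCPIP module is available, Get-NetTCPConnection returns the same data as objects directly; the parser is useful where only the netstat text is at hand, for instance in a captured triage output.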
Shared Resources
Common Shares:
C$: Administrative share for C:\
ADMIN$: Assigned to C:\Windows
IPC$: Used for interprocess communication (RPC).
SYSVOL: Only on Domain Controllers (DCs).
NETLOGON: Available on DCs for logon scripts and policies.
Commands:
List SMB shares:
Get-SMBShare
net share
Mount a share:
net use z: \\172.16.0.1\C$ /user:elliot "P@ssword123!"
Unmount a share:
net use /delete z:
View shared resources on a host:
net view \\172.16.0.1 /all
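Listing shares tells you what exists, not who can reach it. As an added example (not part of the original page), the function below excludes the default shares named above, reads the share-level ACL of every remaining share with Get-SmbShareAccess, and flags grants to broad principals such as Everyone or Authenticated Users. The principal names are the English ones and are an assumption; localised systems use translated names.

```powershell
# Added example, not from the original page. Lists shares other than the defaults above and
# records which well-known broad principals are granted access to each.
function Get-ShareExposure {
    param(
        [string[]]$DefaultShares = @('C$', 'ADMIN$', 'IPC$', 'SYSVOL', 'NETLOGON'),
        # English names of broad principals; adjust on localised systems (assumption).
        [string[]]$BroadPrincipals = @('Everyone', 'Authenticated Users', 'Users', 'Domain Users')
    )
    foreach ($share in Get-SmbShare | Where-Object { $DefaultShares -notcontains $_.Name }) {
        $grants = @(Get-SmbShareAccess -Name $share.Name)
        $broad  = $grants | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($BroadPrincipals -contains (($_.AccountName -split '\\')[-1]))   # strip BUILTIN\ or DOMAIN\
        }
        [PSCustomObject]@{
            Name        = $share.Name
            Path        = $share.Path
            Description = $share.Description
            BroadAccess = @($broad  | ForEach-Object { "$($_.AccountName)=$($_.AccessRight)" })
            AllGrants   = @($grants | ForEach-Object { "$($_.AccountName):$($_.AccessControlType):$($_.AccessRight)" })
        }
    }
}

# Usage: non-default shares where a broad principal holds Change or Full control.
# Get-ShareExposure | Where-Object { $_.BroadAccess -match '=(Change|Full)$' } | Format-List
```

The share ACL is only half of the picture: effective access is the more restrictive of the share permission and the NTFS permission on the underlying path, so a share that looks open here may still be constrained by the file system, and the reverse is also true.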