Windows Enumeration

Enumeration

Basic System Info
- hostname Displays the hostname of the current machine.
- qwinsta Lists users connected to the machine along with session details. Similar to Linux's w or who.
- query user Shows details about active sessions.
Detailed System Information
- systeminfo Retrieves comprehensive system details.
  Filter specific details:
  systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
- Using PowerShell:
  [System.Environment]::OSVersion.Version
Patch and Update Information
- CMD:
  - wmic qfe get Caption, Description, HotFixID, InstalledOn (List installed patches)
  - wmic qfe list brief (Quick overview of updates)
  - wmic product get name (List installed programs)
- PowerShell:
  - Get-HotFix | ft -AutoSize (List installed patches)
  - Get-WmiObject -Class Win32_Product | select Name, Version (Installed programs)
Running Processes
- CMD:
  tasklist /svc
  Lists all running processes and associated services.

PowerShell:
```
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
```
Returns True if the machine is part of a domain.

AppLocker Policy Rules

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Testing AppLocker Policies

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

PowerShell History Retrieve the PowerShell command history for a specific user:

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

Firewall and Antivirus Status (CMD):
- View firewall profiles:
  netsh advfirewall show allprofiles
- Check Windows Defender status:
  sc query windefend
Windows Defender Status (PowerShell):
```
Get-MpComputerStatus
```

Current User Details:
- whoami /all
- whoami /priv
- whoami /groups
Local Users (CMD):
- List all users: net users
- Get user details: net user <USER>
- Current user's details: net user %username%
- Password policy:
  net accounts net accounts /domain
Create a New User:
```
net user /add <USERNAME> <PASSWORD>
```
User Domain and SID Information:
- Show domain:
  echo "%USERDOMAIN%"
- Check login server:
  echo %logonserver%
- Display domain, name, and SID:
  wmic USERACCOUNT Get Domain,Name,Sid

Local Groups:
- List all groups: net localgroup
- Group details: net localgroup Administrators
- Add a user to administrators:
  net localgroup administrators <USERNAME> /add
Domain Groups:
- Info about domain groups: net group /domain
- List users in a group: net group /domain <DOMAIN_GROUP_NAME>
- List connected computers:
  net group "Domain Computers" /domain
- Domain controllers:
  net group "Domain Controllers" /domain

Basic Networking Information:
- ifconfig
- ipconfig /all
Routing and Firewall Status:
- Routing table: route print
- ARP table: arp -a
- Open ports and connections: netstat -ano
- Firewall state:
  netsh advfirewall show state

Common Shares:
- C$: Administrative share for C:/.
- ADMIN$: Assigned to C:/Windows.
- IPC$: Used for interprocess communication (RPC).
- SYSVOL: Only on Domain Controllers (DCs).
- NETLOGON: Available on DCs for logon scripts and policies.

Commands:

Mount a share:

net use z: \\172.16.0.1\C$ /user:elliot "P@ssword123!"

Last updated 5 months ago