Windows Post Exploitation Discovery

Description

Techniques and tools for post-exploitation discovery using native Windows tools

• Background

• Techniques

• [Tools]

  • System Info with CMD

  • Network/Domain Info with CMD

  • Local User Info with CMD

  • Domain User Info with CMD

  • Enumerating with PowerShell

• Resources

Background

Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.

Techniques

• Identify current user ID and privileges

• Identify network connections (for lateral movement)

• Identify Running processes

• Identify Chron jobs/scheduled tasks

• Identify if Active Directory environment then identify users/groups/computers if in cloud or on-prem

• If not AD, then find applications, firewalls, AV

• Common Windows commandss to run on system:

  • whoami

  • tasklist

  • systeminfo

  • systeminfo && whoami /all

System Info with CMD

Network/Domain Info with CMD

Local User Info with CMD

Resources

• Awesome Windows Post Exploitation: https://github.com/emilyanncr/Windows-Post-Exploitation

• SANS PowerShell Port Scanner: https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/

• A simple batch script with these commands: \tools\WinSysEnum.bat

• A simple CMD script that outputs these commands to txt is here: \tools\WinUserEnum.bat