Windows Post Exploitation Discovery

Description

Techniques and tools for post-exploitation discovery using native Windows tools

Background

Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.

Techniques

  • Identify current user ID and privileges

  • Identify network connections (for lateral movement)

  • Identify Running processes

  • Identify Chron jobs/scheduled tasks

  • Identify if Active Directory environment then identify users/groups/computers if in cloud or on-prem

  • If not AD, then find applications, firewalls, AV

  • Common Windows commandss to run on system:

    • whoami

    • tasklist

    • systeminfo

    • systeminfo && whoami /all

System Info with CMD

Description
Command
Example

System info

systeminfo

systeminfo

OS Name/Version

systeminfo

systeminfo | findstr /B /C:"OS Name" /C:"OS Version

System drives

wmic logicaldisk

wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Connected Devices

wmic logicaldisk

wmic logicaldisk get caption,description,providername

System Environment Table

set

set

Running System Processes

tasklist

tasklist /v

Services Running Inside Each Process

tasklist

tasklist /svc

Attributes of All Running Processes

wmic process list

wmic process list full

Started Windows Services

net start

net start

Scheduled Jobs

schtasks

schtasks /query /fo LIST /v

Windows Patches

wmic qfe

wmic qfe get Caption,Description,HotFixID,InstalledOn

Installed Application Names

wmic product

wmic product get name

Network/Domain Info with CMD

Description
Command
Example

IP and Interfaces

ipconfig

ipconfig /all

Copy IP info to clipboard

ipconfig

ipconfig | clip

Routing Table

route

route print

ARP Table

arp

arp -a

Active TCP Connections

netstat

netstat -an

TCP and UDP activity every 1 second

netstat

netstat -naob 1 | find "<IPADRR or PORT>

Get domain

echo

echo %USERDOMAIN%

Domain Logon Server

echo

echo %LOGONSERVER%

Domain Password Policy

net

net accounts /domain

Local Password Policy

net

net accounts

DC Address, Domain Name, Roles

wmic

wmic ntdomain

Trusted Domain

dsquery

dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection

Network Shares

net

net share

View All Hosts in Domain/Workgroup

net

net view

Domain Trust Info

nltest

nltest /trusted_domains

Local User Info with CMD

Description
Command
Example

Username of Current User

whoami or echo %USERNAME%

whoami

All whoami Access Token Info

whoami

whoami /all

Local Users

net

net users

Detailed User Info

net

net user $USERNAME

Users with RDP Priv

qwinsta

qwinsta

Local Groups

net

net localgroup

Local Administrators

net

net localgroup administrators

Resources

Last updated