Windows Post Exploitation Discovery
Description
Techniques and tools for post-exploitation discovery using native Windows tools
Background
Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.
Techniques
Identify the current user, its groups and its privileges
Identify network connections (candidates for lateral movement)
Identify running processes
Identify scheduled tasks (the Windows counterpart of cron jobs)
Determine whether the host is part of an Active Directory environment, on-prem or cloud-joined; if so, enumerate users, groups and computers
If the host is not domain-joined, enumerate installed applications, firewall configuration and AV
Common Windows commands to run on the system:
whoami
tasklist
systeminfo
systeminfo && whoami /all
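The checklist above as one script, added here as an example; it is not code from the original page or from the tools it links. It collects the first four items as raw output, decides the AD versus non-AD branch from Win32_ComputerSystem and dsregcmd, enumerates AD through ADSI (no RSAT needed) or, on a stand-alone host, applications, firewall profiles and registered AV, and writes everything to one report file. Function names, the report path and the branch logic are the example's own; it needs Windows PowerShell 5.1 or later on Windows 10 / Server 2016 or later.

```powershell
# Added example (editor's code, not from the original page): one pass over the technique
# list above. Function names, the report path and the branch logic are this example's own.
# Needs Windows PowerShell 5.1+ on Windows 10 / Server 2016 or later.

function Get-JoinState {
    # Decide the AD vs. non-AD branch: domain-joined, Entra ID (Azure AD) joined, or stand-alone.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $azureJoined = $false
    $dsreg = & dsregcmd.exe /status 2>$null            # Windows 10+; absent on older builds
    if ($dsreg) {
        $azureJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    }
    [pscustomobject]@{
        Host          = $cs.Name
        DomainJoined  = [bool]$cs.PartOfDomain
        Realm         = if ($cs.PartOfDomain) { $cs.Domain } else { $cs.Workgroup }
        AzureAdJoined = $azureJoined
        LogonServer   = $env:LOGONSERVER
    }
}

function Get-AdInventory {
    # AD branch: LDAP through ADSI needs no RSAT, only a domain-joined host and domain credentials.
    $filters = [ordered]@{
        Users     = '(&(objectCategory=person)(objectClass=user))'
        Groups    = '(objectCategory=group)'
        Computers = '(objectCategory=computer)'
    }
    $result = [ordered]@{}
    foreach ($name in $filters.Keys) {
        $searcher = [ADSISearcher]$filters[$name]
        $searcher.PageSize = 1000                        # paged search, or the DC caps results at 1000
        $null = $searcher.PropertiesToLoad.Add('samaccountname')
        $result[$name] = @($searcher.FindAll() | ForEach-Object { [string]$_.Properties['samaccountname'][0] })
    }
    $result
}

function Get-LocalDefenses {
    # Non-AD branch: applications, firewall, AV. Applications come from the Uninstall registry
    # keys because Win32_Product is slow and triggers an MSI consistency check on every query.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    [ordered]@{
        Applications = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
                         Where-Object { $_.DisplayName } |
                         Select-Object DisplayName, DisplayVersion, Publisher |
                         Sort-Object DisplayName -Unique)
        Firewall     = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue |
                         Select-Object Name, Enabled, DefaultInboundAction)
        # root/SecurityCenter2 exists on client SKUs only; on servers this is simply empty.
        AntiVirus    = @(Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
                         Select-Object displayName, productState, pathToSignedProductExe)
    }
}

function Invoke-DiscoveryTriage {
    param([string]$ReportPath = "$env:TEMP\triage-$env:COMPUTERNAME.txt")
    $join   = Get-JoinState
    $report = [ordered]@{
        'Join state'              = ($join | Format-List | Out-String)
        'Current user and token'  = (whoami.exe /all)
        'Established connections' = (Get-NetTCPConnection -State Established |
                                     Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
                                     Format-Table -AutoSize | Out-String -Width 200)
        'Processes'               = (Get-Process | Select-Object Id, ProcessName, Path |
                                     Format-Table -AutoSize | Out-String -Width 200)
        'Scheduled tasks'         = (Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                                     Select-Object TaskPath, TaskName,
                                         @{n = 'RunAs';  e = { $_.Principal.UserId }},
                                         @{n = 'Action'; e = { ($_.Actions | ForEach-Object Execute) -join '; ' }} |
                                     Format-Table -AutoSize | Out-String -Width 200)
    }
    # Branch on join state: AD objects when domain-joined, local defenses otherwise.
    $branch = if ($join.DomainJoined) { Get-AdInventory } else { Get-LocalDefenses }
    foreach ($e in $branch.GetEnumerator()) {
        $report["$($e.Key) ($($e.Value.Count))"] = ($e.Value | Format-Table -AutoSize | Out-String -Width 200)
    }
    $report.GetEnumerator() | ForEach-Object {
        "=== $($_.Key) ===", (@($_.Value) -join [Environment]::NewLine), ''
    } | Out-File -FilePath $ReportPath -Encoding utf8
    $ReportPath
}

Invoke-DiscoveryTriage
```

Run it from the shell you landed in; it prints the report path. The ADSI searcher uses the logon account's credentials and the logon DC, so the AD branch works from any domain-joined host without installing tooling; the registry-based application list is chosen over wmic product on purpose, since Win32_Product queries leave Windows Installer entries in the Application event log.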
System Info with CMD
System info
    systeminfo
OS name and version only
    systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Fixed system drives (drivetype=3) with free space, file system and volume serial
    wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber
All logical disks, including mapped network drives (providername shows the UNC path of a mapped drive)
    wmic logicaldisk get caption,description,providername
Environment variables (paths, user and logon server, proxy settings)
    set
Running processes, verbose (owner, session, CPU time, window title)
    tasklist /v
Services hosted in each process
    tasklist /svc
All attributes of every running process (command line, parent PID, executable path)
    wmic process list full
Started Windows services
    net start
Scheduled tasks, verbose (run-as account, next run time, task to run)
    schtasks /query /fo LIST /v
Installed patches
    wmic qfe get Caption,Description,HotFixID,InstalledOn
Installed application names. This query is slow and noisy: every call makes Windows Installer run a consistency check on each product, which is logged in the Application event log. The Uninstall keys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion are a quieter source of the same list.
    wmic product get name
Note: wmic is deprecated and is not present by default on current Windows 11 builds. The PowerShell CIM cmdlets query the same WMI classes and can replace every wmic line above.
Network/Domain Info with CMD
IP addresses, interfaces, DNS servers and DHCP state
    ipconfig /all
Copy IP info to the clipboard
    ipconfig | clip
Routing table
    route print
ARP table (hosts on the local subnet this machine has talked to recently)
    arp -a
Active TCP connections and listening ports
    netstat -an
TCP and UDP activity refreshed every second, filtered to an address or port (-o adds the owning PID; -b adds the executable name and requires an elevated prompt)
    netstat -naob 1 | find "<IPADDR or PORT>"
Domain name (%USERDOMAIN% is the domain of the logged-on account; for a local account it is the hostname)
    echo %USERDOMAIN%
Domain logon server (the DC that authenticated this logon)
    echo %LOGONSERVER%
Domain password policy (lockout threshold and duration matter before any password spraying)
    net accounts /domain
Local password policy
    net accounts
DC address, domain name, roles
    wmic ntdomain
Trusted domains (dsquery is part of RSAT, so it is present on DCs and admin workstations, not on a typical client)
    dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection
Network shares exported by this host
    net share
Hosts in the domain/workgroup (depends on the Computer Browser service, so the list is often empty on modern networks)
    net view
Domain trust info
    nltest /trusted_domains
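The netstat rows above answer "what is this host talking to"; the next question for lateral movement is which remote hosts are reached over administrative protocols and by which process. The following is an added example, not code from the original page or its linked tools: it joins established TCP connections to their owning process, groups them by remote host and flags admin-protocol ports, then lists what this host itself exposes. The port-to-protocol table and function names are the example's own; it needs the NetTCPIP module (Windows 8 / Server 2012 or later).

```powershell
# Added example (editor's code, not from the original page): lateral-movement candidates
# from the live connection table. The admin port list and function names are the example's own.

$AdminPorts = @{
    22 = 'SSH'; 135 = 'RPC/WMI/DCOM'; 139 = 'NetBIOS'; 445 = 'SMB'; 1433 = 'MSSQL'
    3389 = 'RDP'; 5985 = 'WinRM'; 5986 = 'WinRM/TLS'
}

function Get-LateralMovementCandidates {
    # Snapshot processes once; Get-NetTCPConnection only gives the PID.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            $p = $procs[[int]$_.OwningProcess]         # ports are UInt16/UInt32; cast so hash keys match
            [pscustomobject]@{
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                Protocol      = $AdminPorts[[int]$_.RemotePort]
                LocalPort     = $_.LocalPort
                PID           = $_.OwningProcess
                Process       = if ($p) { $p.ProcessName } else { '?' }
                Path          = if ($p) { $p.Path } else { $null }   # Path is null without rights on that process
            }
        } |
        Group-Object RemoteAddress |
        ForEach-Object {
            [pscustomobject]@{
                RemoteHost  = $_.Name
                Connections = $_.Count
                # Which admin protocols this host already uses towards the remote host.
                AdminPorts  = (($_.Group | Where-Object Protocol |
                                ForEach-Object { "$($_.RemotePort)/$($_.Protocol)" } | Sort-Object -Unique) -join ', ')
                Processes   = (($_.Group | ForEach-Object Process | Sort-Object -Unique) -join ', ')
            }
        } |
        Sort-Object Connections -Descending
}

function Get-ExposedListeners {
    # What this host offers to the rest of the network (wildcard-bound listeners only).
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
        ForEach-Object {
            $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Service = $AdminPorts[[int]$_.LocalPort]
                PID     = $_.OwningProcess
                Process = $p.ProcessName
            }
        } |
        Sort-Object Port -Unique
}

Get-LateralMovementCandidates | Format-Table -AutoSize
Get-ExposedListeners | Format-Table -AutoSize
```

A remote host that already receives SMB, WinRM or RDP traffic from this machine is one where a new connection from the same source blends in; a remote host reached only over a custom port is a target for the application running on that port. Like netstat, the first function is a snapshot, so repeat it over time when you care about short-lived connections.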
Local User Info with CMD
Username of current user
    whoami
    echo %USERNAME%
Full access token: user SID, group memberships and privileges
    whoami /all
Local users
    net users
Detailed info on one user (group memberships, last logon, password age, logon script)
    net user <username>
Logon sessions, including active and disconnected RDP sessions. This lists who is logged on, not who is allowed to RDP in; RDP rights come from the Remote Desktop Users and Administrators groups.
    qwinsta
Local groups
    net localgroup
Local administrators
    net localgroup administrators
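The three rows a tester reads most closely are whoami /all, net localgroup administrators and qwinsta. The following is an added example, not code from the original page or its linked tools: it turns those outputs into objects and answers the follow-up questions directly, namely whether the token is elevated or UAC-filtered, which held privileges commonly lead to SYSTEM, who the local administrators are (with a fallback when Get-LocalGroupMember fails on an orphaned SID), and which sessions exist. The privilege shortlist and function names are the example's own; the session parser assumes an English qwinsta header.

```powershell
# Added example (editor's code, not from the original page): structured token, local admin
# and session checks. Privilege shortlist and function names are the example's own.

# Privileges that commonly turn a foothold into SYSTEM (token impersonation, process
# injection, file system or driver abuse). "Disabled" still means held: the process
# can enable it with AdjustTokenPrivileges. Only privileges absent from the list are gone.
$InterestingPrivileges = 'SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege', 'SeDebugPrivilege',
    'SeBackupPrivilege', 'SeRestorePrivilege', 'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
    'SeManageVolumePrivilege', 'SeCreateTokenPrivilege', 'SeTcbPrivilege'

function Get-TokenSummary {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($id)
    $groups = foreach ($sid in $id.Groups) {
        try { $sid.Translate([Security.Principal.NTAccount]).Value } catch { $sid.Value }  # orphaned SIDs stay as SIDs
    }
    # whoami /priv is the only built-in that lists the token's privileges with their state.
    $privs        = whoami.exe /priv /fo csv | ConvertFrom-Csv
    $inAdminGroup = [bool]($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })   # BUILTIN\Administrators
    $elevated     = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    [pscustomobject]@{
        User         = $id.Name
        Sid          = $id.User.Value
        IsSystem     = $id.IsSystem
        InAdminGroup = $inAdminGroup
        IsElevated   = $elevated
        # Administrators present but IsInRole false: UAC-filtered token, so a bypass or runas is needed.
        UacFiltered  = $inAdminGroup -and -not $elevated
        Groups       = $groups
        Privileges   = @($privs | Select-Object 'Privilege Name', State)
        Exploitable  = @($privs | Where-Object { $_.'Privilege Name' -in $InterestingPrivileges } |
                         ForEach-Object { "$($_.'Privilege Name') ($($_.State))" })
    }
}

function Get-LocalAdmins {
    # Get-LocalGroupMember throws when the group holds an orphaned SID; fall back to net.exe output.
    try {
        Get-LocalGroupMember -Group Administrators -ErrorAction Stop |
            Select-Object Name, ObjectClass, PrincipalSource, @{n = 'Sid'; e = { $_.SID.Value }}
    } catch {
        $seen = $false
        foreach ($l in (net.exe localgroup administrators)) {
            if ($l -like '----*') { $seen = $true; continue }          # members follow the dashed line
            if ($seen -and $l -and $l -notlike 'The command completed*') {
                [pscustomobject]@{ Name = $l.Trim(); ObjectClass = '?'; PrincipalSource = '?'; Sid = $null }
            }
        }
    }
}

function Get-LogonSessions {
    # qwinsta lists sessions, not RDP rights. Column offsets come from the (English) header line.
    $lines = @(qwinsta.exe 2>$null)
    if ($lines.Count -lt 2) { return }
    $h = $lines[0]
    $u = $h.IndexOf('USERNAME'); $s = $h.IndexOf('STATE'); $t = $h.IndexOf('TYPE')
    foreach ($raw in $lines[1..($lines.Count - 1)]) {
        $line = ($raw -replace '^>', ' ').PadRight($t + 1)            # '>' marks the current session
        $mid  = @($line.Substring($u, $s - $u).Trim() -split '\s+') | Where-Object { $_ }   # "<user> <id>" or "<id>"
        [pscustomobject]@{
            SessionName = $line.Substring(0, $u).Trim()
            UserName    = if ($mid.Count -eq 2) { $mid[0] } else { '' }
            Id          = $mid[-1]
            State       = $line.Substring($s, $t - $s).Trim()
            IsCurrent   = $raw.StartsWith('>')
        }
    }
}

$token = Get-TokenSummary
$token | Select-Object User, Sid, IsSystem, InAdminGroup, IsElevated, UacFiltered | Format-List
$token.Exploitable
Get-LocalAdmins   | Format-Table -AutoSize
Get-LogonSessions | Format-Table -AutoSize
```

UacFiltered is the case whoami /all hides: the Administrators group shows up in the group list, but the medium-integrity token cannot use it until the process is elevated. A disconnected session for a domain admin in Get-LogonSessions is worth more than the whole local user list, since that account's credentials are cached on the host.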
Resources
Awesome Windows Post Exploitation: https://github.com/emilyanncr/Windows-Post-Exploitation
SANS PowerShell Port Scanner: https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/
A simple batch script with these commands: \tools\WinSysEnum.bat
A simple CMD script that outputs these commands to txt is here: \tools\WinUserEnum.bat