Windows Post Exploitation Discovery

Description

Techniques and tools for post-exploitation discovery using native Windows tools

Background

Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.

Techniques

Identify current user ID and privileges
Identify network connections (for lateral movement)
Identify Running processes
Identify Chron jobs/scheduled tasks
Identify if Active Directory environment then identify users/groups/computers if in cloud or on-prem
If not AD, then find applications, firewalls, AV
Common Windows commandss to run on system:
- whoami
- tasklist
- systeminfo
- systeminfo && whoami /all

System Info with CMD

Description Command Example

Description	Command	Example
System info	`systeminfo`	`systeminfo`
OS Name/Version	`systeminfo`	`systeminfo` \| `findstr /B /C:"OS Name" /C:"OS Version`
System drives	`wmic logicaldisk`	`wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber`
Connected Devices	`wmic logicaldisk`	`wmic logicaldisk get caption,description,providername`
System Environment Table	`set`	`set`
Running System Processes	`tasklist`	`tasklist /v`
Services Running Inside Each Process	`tasklist`	`tasklist /svc`
Attributes of All Running Processes	`wmic process list`	`wmic process list full`
Started Windows Services	`net start`	`net start`
Scheduled Jobs	`schtasks`	`schtasks /query /fo LIST /v`
Windows Patches	`wmic qfe`	`wmic qfe get Caption,Description,HotFixID,InstalledOn`
Installed Application Names	`wmic product`	`wmic product get name`

System info

systeminfo

OS Name/Version

systeminfo

systeminfo | findstr /B /C:"OS Name" /C:"OS Version

System drives

wmic logicaldisk

wmic logicaldisk where drivetype=3 get name, freespace, systemname, filesystem, size, volumeserialnumber

Connected Devices

wmic logicaldisk

wmic logicaldisk get caption,description,providername

System Environment Table

set

Running System Processes

tasklist

tasklist /v

Services Running Inside Each Process

tasklist

tasklist /svc

Attributes of All Running Processes

wmic process list

wmic process list full

Started Windows Services

net start

Scheduled Jobs

schtasks

schtasks /query /fo LIST /v

Windows Patches

wmic qfe

wmic qfe get Caption,Description,HotFixID,InstalledOn

Installed Application Names

wmic product

wmic product get name

Network/Domain Info with CMD

Description Command Example

Description	Command	Example
IP and Interfaces	`ipconfig`	`ipconfig /all`
Copy IP info to clipboard	`ipconfig`	`ipconfig` \| `clip`
Routing Table	`route`	`route print`
ARP Table	`arp`	`arp -a`
Active TCP Connections	`netstat`	`netstat -an`
TCP and UDP activity every 1 second	`netstat`	`netstat -naob 1` \| `find "<IPADRR or PORT>`
Get domain	`echo`	`echo %USERDOMAIN%`
Domain Logon Server	`echo`	`echo %LOGONSERVER%`
Domain Password Policy	`net`	`net accounts /domain`
Local Password Policy	`net`	`net accounts`
DC Address, Domain Name, Roles	`wmic`	`wmic ntdomain`
Trusted Domain	`dsquery`	`dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection`
Network Shares	`net`	`net share`
View All Hosts in Domain/Workgroup	`net`	`net view`
Domain Trust Info	`nltest`	`nltest /trusted_domains`

IP and Interfaces

ipconfig

ipconfig /all

Copy IP info to clipboard

ipconfig

ipconfig | clip

Routing Table

route

route print

ARP Table

arp

arp -a

Active TCP Connections

netstat

netstat -an

TCP and UDP activity every 1 second

netstat

netstat -naob 1 | find "<IPADRR or PORT>

Get domain

echo

echo %USERDOMAIN%

Domain Logon Server

echo

echo %LOGONSERVER%

Domain Password Policy

net

net accounts /domain

Local Password Policy

net

net accounts

DC Address, Domain Name, Roles

wmic

wmic ntdomain

Trusted Domain

dsquery

dsquery * -filter "(objectclass=TrustedDomain)" -attr trustpartner,flatname,trustdirection

Network Shares

net

net share

View All Hosts in Domain/Workgroup

net

net view

Domain Trust Info

nltest

nltest /trusted_domains

Local User Info with CMD

Description Command Example

Description	Command	Example
Username of Current User	`whoami` or `echo %USERNAME%`	`whoami`
All whoami Access Token Info	`whoami`	`whoami /all`
Local Users	`net`	`net users`
Detailed User Info	`net`	`net user $USERNAME`
Users with RDP Priv	`qwinsta`	`qwinsta`
Local Groups	`net`	`net localgroup`
Local Administrators	`net`	`net localgroup administrators`

Username of Current User

whoami or echo %USERNAME%

whoami

All whoami Access Token Info

whoami

whoami /all

Local Users

net

net users

Detailed User Info

net

net user $USERNAME

Users with RDP Priv

qwinsta

Local Groups

net

net localgroup

Local Administrators

net

net localgroup administrators

Resources

Awesome Windows Post Exploitation: https://github.com/emilyanncr/Windows-Post-Exploitation
SANS PowerShell Port Scanner: https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/
A simple batch script with these commands: \tools\WinSysEnum.bat
A simple CMD script that outputs these commands to txt is here: \tools\WinUserEnum.bat

PreviousActive Directory Enumeration NextLinux Post Exploitation Discovery

Last updated 1 year ago