Windows Post Exploitation Discovery
Description
Techniques and tools for post-exploitation discovery using native Windows tools
Background
Windows post-exploitation techniques during a red-team engagement often involve discovering and leveraging weaknesses in the target environment, such as misconfigurations, unpatched vulnerabilities, or insecure permissions, to further exploit and compromise the system. These discoveries can include locating stored credentials, identifying vulnerable services or applications, enumerating network resources, or discovering ways to move laterally within the network. By leveraging these post-exploitation findings, attackers can extend their control over the compromised system and potentially expand their reach to other interconnected systems within the target environment.
Techniques
Identify the current user ID and privileges
Identify network connections (for lateral movement)
Identify running processes
Identify cron jobs/scheduled tasks
Identify whether the host is joined to an Active Directory environment; if so, enumerate users, groups and computers and determine whether the directory is cloud-hosted or on-prem
If not AD, identify installed applications, firewalls and AV
Common Windows commands to run on the system:
whoami
tasklist
systeminfo
systeminfo && whoami /all
System Info with CMD
Description | Command | Example |
---|---|---|
System info | | |
OS Name/Version | | |
System drives | | |
Connected Devices | | |
System Environment Table | | |
Running System Processes | | |
Services Running Inside Each Process | | |
Attributes of All Running Processes | | |
Started Windows Services | | |
Scheduled Jobs | | |
Windows Patches | | |
Installed Application Names | | |
Network/Domain Info with CMD
Description | Command | Example |
---|---|---|
IP and Interfaces | | |
Copy IP info to clipboard | | |
Routing Table | | |
ARP Table | | |
Active TCP Connections | | |
TCP and UDP activity every 1 second | | |
Get domain | | |
Domain Logon Server | | |
Domain Password Policy | | |
Local Password Policy | | |
DC Address, Domain Name, Roles | | |
Trusted Domain | | |
Network Shares | | |
View All Hosts in Domain/Workgroup | | |
Domain Trust Info | | |
Local User Info with CMD
Description | Command | Example |
---|---|---|
Username of Current User | | |
All whoami Access Token Info | | |
Local Users | | |
Detailed User Info | | |
Users with RDP Priv | | |
Local Groups | | |
Local Administrators | | |
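The discovery commands above leave a recognisable footprint in process-creation telemetry. The following added example (not part of the original cheat sheet) shows the defender's side: it parses constructed Security 4688-style process-creation events (assumed format: timestamp|host|user|command line) and flags an actor that runs several distinct discovery categories within a short window, while a single systeminfo from a backup agent does not trip it.

```python
"""Flag bursts of native Windows discovery commands in process-creation logs.
Added example; the event format and the sample events below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Commands this cheat sheet lists, mapped to the discovery category they serve.
DISCOVERY = {
    "whoami": "user/privilege discovery",
    "tasklist": "process discovery",
    "systeminfo": "system information discovery",
    "ipconfig": "network configuration discovery",
    "netstat": "network connection discovery",
    "arp": "ARP table discovery",
    "schtasks": "scheduled task discovery",
    "nltest": "domain trust discovery",
    "net": "account/share/domain discovery",
}

# Constructed sample telemetry: timestamp|host|user|command line
SAMPLE_EVENTS = """\
2024-05-01T10:00:03|WS01|CORP\\jdoe|notepad.exe notes.txt
2024-05-01T10:00:05|WS01|CORP\\jdoe|"C:\\Windows\\System32\\whoami.exe" /all
2024-05-01T10:00:09|WS01|CORP\\jdoe|systeminfo
2024-05-01T10:00:12|WS01|CORP\\jdoe|tasklist /svc
2024-05-01T10:00:20|WS01|CORP\\jdoe|net localgroup administrators
2024-05-01T10:01:10|WS01|CORP\\jdoe|nltest /dclist:corp
2024-05-01T11:30:02|WS02|CORP\\svc_backup|systeminfo
"""

def command_name(cmdline: str) -> str:
    """Normalise '"C:\\...\\whoami.exe" /all' -> 'whoami' for lookup."""
    first = cmdline.strip().split()[0].strip('"')
    return re.sub(r"\.exe$", "", first.rsplit("\\", 1)[-1].lower())

def parse_events(text: str):
    events = []
    for line in text.splitlines():
        ts, host, user, cmdline = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmdline))
    return events

def find_discovery_bursts(events, window=timedelta(minutes=5), min_categories=3):
    """One alert per (host, user) that runs >= min_categories distinct
    discovery categories inside `window`; isolated single commands are ignored."""
    by_actor = defaultdict(list)
    for ts, host, user, cmdline in events:
        cat = DISCOVERY.get(command_name(cmdline))
        if cat:
            by_actor[(host, user)].append((ts, cat, cmdline))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            cats = {c for _, c, _ in in_window}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "user": user, "start": start,
                               "categories": sorted(cats),
                               "commands": [c for _, _, c in in_window]})
                break
    return alerts

if __name__ == "__main__":
    for a in find_discovery_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{a['host']} {a['user']} from {a['start']}: {a['categories']}")
```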
Resources
Awesome Windows Post Exploitation: https://github.com/emilyanncr/Windows-Post-Exploitation
SANS PowerShell Port Scanner: https://www.sans.org/blog/pen-test-poster-white-board-powershell-built-in-port-scanner/
A simple batch script with these commands: \tools\WinSysEnum.bat
A simple CMD script that outputs these commands to txt is here: \tools\WinUserEnum.bat