1 - Situational Awarness

Get an idea of the environment before starting deeper enumeration.

Network Information

Interfaces

ipconfig /all

ARP Table

arp -a

Routing Table

route print

Protections

Windows Defender Status

Get-MpComputerStatus

List AppLocker Rules

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

Initial Enumeration

Processes & Related Services

tasklist /svc

Environment Variables

set

System Informations (OS, Version, Hot Fixes...)

systeminfo

Hot Fixes (Patches)

wmic qfe

Installed Programs

wmic product get name

Get-WmiObject -Class Win32_Product |  select Name, Version

Sockets (TCP/UPD)

netstat -ano

Get Process Name Associated to PID

tasklist /FI "PID eq <PID>"

User & Group Information

Logged-In Users

query user

Current User

echo %USERNAME%

Current User Privileges

whoami /priv

Current User Group Information

whoami /groups

Get all Users

net user

Get all Groups

net localgroup

Get Group Details

net localgroup administrators

Get Password Policy & Other Account Information

net accounts

Named Pipes

Listing Named Pipes

pipelist.exe /accepteula

gci \\.\pipe\

Retrieve Pipe DACL

accesschk.exe /accepteula \\.\Pipe\lsass -v

Find all writtable Named Pipes

accesschk.exe -w \pipe\* -v

Privesc Cheatsheets

• https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20Privilege%20Escalation.md