Windows Enumeration


The following commands can be run on a local Windows host to enumerate the system information that is useful when assessing it.

Windows Operating System Enumeration

Basic OS Information

Get-ComputerInfo

Installed Patches

Get-CimInstance -Query 'SELECT * FROM Win32_QuickFixEngineering' | Select-Object HotFixID, Description, InstalledOn
Get-HotFix

Use the -Description 'Security Update' parameter of Get-HotFix to list only security updates.

wmic qfe get Caption,Description,HotFixID,InstalledOn
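As an added example that is not part of the original page, the following PowerShell function builds on Get-HotFix to summarise the security-update state of the local host and flags it as stale when the newest security update is older than a threshold. The MaxAgeDays value is an assumption of this example; set it to your own patch policy.

```powershell
# Added example: summarise installed security updates and flag a stale patch level.
# Get-HotFix wraps Win32_QuickFixEngineering; its -Description parameter accepts wildcards.
function Get-SecurityUpdateSummary {
    param(
        [int]$MaxAgeDays = 60   # assumed threshold in days; align with your patch policy
    )

    $updates = Get-HotFix -Description 'Security*' |
        Where-Object { $_.InstalledOn } |        # some entries carry no install date
        Sort-Object InstalledOn -Descending

    $latest  = $updates | Select-Object -First 1
    $ageDays = if ($latest) {
        (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
    } else {
        $null                                    # no dated security update at all
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecurityUpdateCount = @($updates).Count
        LatestHotFixID      = if ($latest) { $latest.HotFixID } else { $null }
        LatestInstalledOn   = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSinceLatest     = $ageDays
        Stale               = ($null -eq $ageDays) -or ($ageDays -gt $MaxAgeDays)
    }
}

# Usage: a one-object verdict, followed by the dated list for the report.
Get-SecurityUpdateSummary -MaxAgeDays 60 | Format-List
Get-HotFix -Description 'Security*' |
    Sort-Object InstalledOn -Descending |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Get-HotFix only reports updates that register a QFE entry, so feature updates, Defender definition updates and third-party software never appear; treat a "not stale" verdict as necessary rather than sufficient evidence that the host is fully patched.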

Installed Drivers (requires elevated privileges)

Get-WindowsDriver -Online -All

CPU Version and Architecture

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
[System.Environment]::OSVersion
wmic os get OSArchitecture

Installed Software

Get-CimInstance -namespace "root/cimv2" -ClassName Win32_Product

Note that enumerating Win32_Product is slow and triggers a consistency check (and possibly a repair) of every MSI-installed package, which shows up in the Application event log; it also lists only MSI-based installs, so software registered under the Uninstall registry keys or installed per user is missed.

User Software

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)'

File System

Desktop Data

Get-ChildItem 'C:\Users\<USER>\Desktop\'

User Data and Documents

Get-ChildItem 'C:\Users\<USER>\Documents\' 

'.lnk' Files

Get-ChildItem 'C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Recent\*'

Shared Folders

Get-CimInstance -namespace "root/cimv2" -ClassName Win32_Share

Volumes

Get-Partition

Environment Variables

Get-ChildItem Env:


Network Enumeration

Network Enumeration via cmd

Network Discovery

net view /all

net view \\<HOST NAME>

Basic ping scan, writing the output to a file

for /L %i in (1,1,254) do ping -w 30 -n 1 192.168.1.%i | find "Reply" >> <OUTPUT FILE NAME>.txt

Network Interfaces

ipconfig /all

Active Connections

netstat -ano

Routing Table

netstat -r

Hosts File

type %SYSTEMROOT%\system32\drivers\etc\hosts

ARP Cache

arp -a

NETBIOS

Basic nbtstat scan

nbtstat -A <IP ADDRESS>

Cached NetBIOS info on localhost

nbtstat -c

Script loop scan

for /L %i in (1,1,254) do nbtstat -A 192.168.1.%i

Network Enumeration via Powershell

Connection Profile

Get-NetConnectionProfile 

Network Interfaces

Get-NetAdapter

Routes

Get-NetRoute

Active Connections

Get-NetTCPConnection

ARP Table

Get-NetNeighbor

Users and Groups Enumeration

Users Information

Get-LocalUser | Select *
net user <USER>

Local Users

Get-LocalUser | Format-Table Name,Enabled,LastLogon,SID
Get-CimInstance -class Win32_UserAccount
net users

Users Home Folder List

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { $_.GetValue('ProfileImagePath') }

Local Groups

Get-LocalGroup | Format-Table Name,SID,Description
net localgroup

Members of the Administrators Group

Get-LocalGroupMember Administrators | Format-Table Name,PrincipalSource,SID
net localgroup Administrators
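The following PowerShell function is an added example, not part of the original page. It audits the local Administrators group by resolving the group through its well-known SID (S-1-5-32-544), which also works on localised systems, and flags members a reviewer would want to look at: nested groups, enabled local administrators whose password never expires, and an enabled built-in Administrator account (RID 500). The finding texts are this example's own wording.

```powershell
# Added example: audit the local Administrators group and flag risky members.
function Get-LocalAdminAudit {
    $members = Get-LocalGroupMember -SID 'S-1-5-32-544'   # Administrators, by well-known SID

    foreach ($m in $members) {
        # Only local user accounts can be looked up with Get-LocalUser;
        # domain and Azure AD principals are reported as-is.
        $user = $null
        if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
            $user = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        }

        $findings = @()
        if ($m.ObjectClass -eq 'Group') {
            $findings += 'nested group: membership is indirect, review its members too'
        }
        if ($user) {
            # PasswordExpires is $null when the password is set to never expire.
            if ($user.Enabled -and -not $user.PasswordExpires) {
                $findings += 'enabled local admin whose password never expires'
            }
            if ($user.Enabled -and $user.SID.Value -like '*-500') {
                $findings += 'built-in Administrator account (RID 500) is enabled'
            }
        }

        [pscustomobject]@{
            Name            = $m.Name
            ObjectClass     = $m.ObjectClass
            PrincipalSource = $m.PrincipalSource
            SID             = $m.SID.Value
            Enabled         = if ($user) { $user.Enabled } else { $null }
            PasswordExpires = if ($user) { $user.PasswordExpires } else { $null }
            LastLogon       = if ($user) { $user.LastLogon } else { $null }
            Findings        = $findings -join '; '
        }
    }
}

Get-LocalAdminAudit | Format-Table Name, PrincipalSource, Enabled, LastLogon, Findings -AutoSize
```

Get-LocalGroupMember can fail outright when the group contains orphaned SIDs (members whose domain account was deleted); in that case the net localgroup Administrators command above still lists them, so keep it as a fallback.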

Display Who is Currently Logged In

qwinsta


Services Enumeration

Services Enumeration via Powershell or cmd

Running Services

Get-Service | Where-Object {$_.Status -eq 'Running'}

List of all services with the ProcessID of those that are running (cmd.exe):

wmic service list brief

Unquoted Service Paths

Get-WmiObject -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select Name,DisplayName,StartMode,PathName
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Another way to enumerate unquoted service paths is through the use of the tool winPEAS.
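The one-liners above only exclude paths that start with a quote; they still report services whose unquoted path contains no space at all, which are harmless. The following PowerShell function is an added example (not from the page or from winPEAS) that parses the executable path out of PathName, reports only services whose path actually contains a space, and shows the service account and a remediation command. The -IncludeWindowsDir switch is this example's own; by default it skips %SystemRoot% like the page's filters do.

```powershell
# Added example: find services whose binary path is unquoted AND contains a space,
# and emit the sc.exe command that quotes it.
function Get-UnquotedServicePath {
    param(
        [switch]$IncludeWindowsDir   # assumed switch: include services under %SystemRoot%
    )

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }                                  # no path recorded
        if ($svc.PathName.TrimStart() -like '"*') { return }                # already quoted
        if (-not $IncludeWindowsDir -and $svc.PathName -like "$env:SystemRoot\*") { return }

        # Everything up to the first ".exe" is the executable; the rest is arguments.
        $m = [regex]::Match($svc.PathName, '^\s*(?<exe>.+?\.exe)(?<args>.*)$', 'IgnoreCase')
        if (-not $m.Success) { return }
        $exe = $m.Groups['exe'].Value
        if ($exe -notmatch '\s') { return }                                 # no space: not a problem

        # Quoted form of the path, with arguments preserved; sc.exe needs inner quotes escaped as \"
        $fixed = '"' + $exe + '"' + $m.Groups['args'].Value

        [pscustomobject]@{
            Name        = $svc.Name
            StartMode   = $svc.StartMode
            StartName   = $svc.StartName          # account the service runs as
            PathName    = $svc.PathName
            Remediation = "sc.exe config `"$($svc.Name)`" binPath= `"$($fixed.Replace('"', '\"'))`""
        }
    }
}

Get-UnquotedServicePath | Format-List
```

For each hit, run the Remediation command from an elevated prompt and confirm the new path with sc.exe qc followed by the service name; StartName matters because a service running as LocalSystem from a user-writable directory is the case worth fixing first.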


Security Systems Enumeration

Security Systems Enumeration via cmd and Powershell

Antivirus Enumeration

wmic /namespace:\\root\securitycenter2 path antivirusproduct get displayName,productState,pathToSignedProductExe

The root\SecurityCenter2 namespace exists only on client editions of Windows; on Windows Server it is absent, so query the product's own service or the Defender cmdlets below instead.

AV Software Enumeration with Powershell

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

Checking Windows Defender Service Status

Get-Service WinDefend

Current Status of Security Tools, including Anti-Spyware, Antivirus, IOAV Protection, Real-Time Protection, etc.

Get-MpComputerStatus

Check Real-Time Protection

Get-MpComputerStatus | select RealTimeProtectionEnabled

Check if the Firewall is Enabled

Get-NetFirewallProfile -All | Format-Table Name, Enabled

Firewall Rules Enumeration

Get-NetFirewallRule | select DisplayName, Enabled, Description

Disable Firewall (requires admin privileges)

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

Check Whether a Listener Answers on TCP Port 80

Test-NetConnection -ComputerName 127.0.0.1 -Port 80

This loopback test only shows whether a local service accepts connections on port 80; it does not exercise the firewall's inbound rules, because the firewall does not apply them to loopback traffic. To see which rules govern a port, filter Get-NetFirewallPortFilter by LocalPort and pipe the result into Get-NetFirewallRule.
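The following PowerShell function is an added example that is not part of the original page. It combines the Defender and firewall checks above into one posture object and, for a port of interest, separates two questions the loopback test conflates: is anything listening, and which enabled inbound firewall rules actually cover that port. The default port of 80 mirrors the page's example and is an assumption; port ranges in rules are not expanded.

```powershell
# Added example: one object describing Defender state, firewall profiles, and the
# inbound rules that govern a given TCP port.
function Get-HostSecurityPosture {
    param(
        [int]$Port = 80   # assumed port of interest
    )

    $mp       = Get-MpComputerStatus
    $profiles = Get-NetFirewallProfile -All

    # Enabled inbound rules whose port filter covers $Port (or 'Any').
    # Port ranges such as '80-90' are not expanded by this check.
    $inboundRules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and
                       ($_.LocalPort -contains "$Port" -or $_.LocalPort -contains 'Any') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }

    # Is anything listening, independently of the firewall?
    $listener = Get-NetTCPConnection -State Listen -LocalPort $Port -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName            = $env:COMPUTERNAME
        AntivirusEnabled        = $mp.AntivirusEnabled
        RealTimeProtection      = $mp.RealTimeProtectionEnabled
        IoavProtection          = $mp.IoavProtectionEnabled
        BehaviorMonitor         = $mp.BehaviorMonitorEnabled
        SignatureAgeDays        = $mp.AntivirusSignatureAge
        DetectedThreats         = @(Get-MpThreat -ErrorAction SilentlyContinue).Count
        DisabledFwProfiles      = @($profiles | Where-Object { $_.Enabled -eq 'False' }).Name -join ', '
        PortListening           = [bool]$listener
        InboundAllowRulesOnPort = @($inboundRules | Where-Object { $_.Action -eq 'Allow' }).Name -join ', '
        InboundBlockRulesOnPort = @($inboundRules | Where-Object { $_.Action -eq 'Block' }).Name -join ', '
    }
}

Get-HostSecurityPosture -Port 80 | Format-List
```

A non-empty DisabledFwProfiles value is exactly what the Set-NetFirewallProfile command above produces, so this object is also a cheap baseline to collect periodically and diff.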

Details of Threats Detected by MS Defender

Get-MpThreat

Check if there is a Process Named “Sysmon”

Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Check Sysmon Services

Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
Get-Service | Where-Object {$_.DisplayName -like "*sysm*"}

Check Windows Event Log for Sysmon

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

Search for Sysmon Configuration File

findstr /si /C:"ProcessCreate onmatch" C:\tools\*

The search string is passed with /C: so that findstr treats it as one literal phrase; without it, findstr would match either word on its own, and in cmd.exe the unquoted < and > characters would be interpreted as redirection.
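The following PowerShell function is an added example, not part of the original page. It folds the Sysmon checks above into one verdict and adds the two signals a defender verifying sensor coverage actually needs: whether the driver is loaded and whether the channel has produced events recently. The driver name SysmonDrv is the default and an assumption of this example; an installation that renamed the driver will not match that check.

```powershell
# Added example: is Sysmon installed, loaded, and still producing events?
function Test-SysmonPresence {
    $process = Get-Process | Where-Object { $_.ProcessName -like 'Sysmon*' }   # Sysmon or Sysmon64
    $service = Get-CimInstance Win32_Service -Filter "Description = 'System Monitor service'"

    # Default driver name (assumption); a renamed install will not match here.
    $driver = Get-CimInstance Win32_SystemDriver -Filter "Name = 'SysmonDrv'"

    # The channel key name contains a '/', which PowerShell's registry provider would treat
    # as a path separator, so open the key through .NET instead of Test-Path.
    $channelKey = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational')
    $channel = $null -ne $channelKey
    if ($channelKey) { $channelKey.Close() }

    # Any event in the last hour shows the sensor is alive (reading the log needs sufficient rights).
    $recent = $null
    if ($channel) {
        $recent = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-Sysmon/Operational'
            StartTime = (Get-Date).AddHours(-1)
        } -MaxEvents 1 -ErrorAction SilentlyContinue
    }

    [pscustomobject]@{
        ProcessRunning = [bool]$process
        ServiceName    = if ($service) { $service.Name } else { $null }
        ServiceState   = if ($service) { $service.State } else { $null }
        DriverLoaded   = if ($driver) { $driver.State -eq 'Running' } else { $false }
        EventChannel   = $channel
        EventsLastHour = [bool]$recent
        Verdict        = if ($recent) { 'Sysmon present and logging' }
                         elseif ($service -or $channel -or $process) { 'Sysmon installed; no recent events or log not readable' }
                         else { 'Sysmon not detected' }
    }
}

Test-SysmonPresence | Format-List
```

An "installed; no recent events" verdict on a busy host is the case worth investigating: it usually means the service was stopped, the configuration excludes everything, or the log was cleared.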


Security Systems Enumeration via Scripts

Invoke-EDRChecker

Enumerates the target host by querying running processes, process metadata, the DLLs loaded in the current process and the metadata of each DLL, known installation paths, installed services, the registry, and running drivers, then checks the output against a list of known defensive products such as AV, EDR, and logging tools.

Example
PS C:\> Invoke-EDRChecker
PS C:\> Invoke-EDRChecker -Force
PS C:\> Invoke-EDRChecker -Remote <hostname>
PS C:\> Invoke-EDRChecker -Remote <hostname> -Ignore


SharpEDRChecker

A new and improved C# implementation of Invoke-EDRChecker. It checks running processes, process metadata, the DLLs loaded in the current process and the metadata of each DLL, common installation directories, installed services and the metadata of each service binary, and installed drivers and the metadata of each driver, all for the presence of known defensive products like AV, EDR, and logging tools. It catches even hidden EDRs through its metadata checks; more information can be found in the project's blog post.

.\SharpEDRChecker.exe
run-exe SharpEDRChecker.Program SharpEDRChecker


Windows System Enumeration via Tools

winPEAS

winPEAS is a tool included in the PEASS-ng (Privilege Escalation Awesome Scripts SUITE next generation) repository on GitHub. It is designed for privilege escalation and system enumeration in Windows environments. The tool offers a comprehensive set of checks and gathers valuable system information to identify potential vulnerabilities.

In terms of enumeration, winPEAS can perform a wide variety of checks on different aspects of the system, including:

  • System and configuration information: Details about the operating system, network configuration, installed patches, running services, etc.
  • Credentials: Searching for stored credentials, configuration files with possible credentials.
  • User permissions and rights: Enumeration of users, their groups, file permissions, and security policies.
  • Scheduled tasks and auto-start applications: Identifying tasks that could be exploited for privilege escalation.
  • Common vulnerabilities: Checking for misconfigurations, known vulnerabilities, and missing patches.
  • File and directory information: Enumeration of files and directories with improper permissions or suspicious configurations.

Using winPEAS can provide a detailed view of the security status of a Windows system, highlighting areas that might be vulnerable or misconfigured.
