Windows Enumeration

The following list of commands can be used in a local Windows environment to enumerate all useful information.

Windows Operating System Enumeration

Basic OS Information

Get-ComputerInfo

Installed Patches

Get-CimInstance -Query 'select * from Win32_QuickFixEngineering' | Select-Object HotFixID, Description, InstalledOn

Use the -Description parameter of Get-HotFix to list only security updates, e.g. Get-HotFix -Description "Security Update".

wmic qfe get Caption,Description,HotFixID,InstalledOn

Installed Drivers (requires elevated privileges)

Get-WindowsDriver -Online -All

OS Version and Architecture

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
[System.Environment]::OSVersion
wmic os get OSArchitecture

Installed Software

Get-CimInstance -Namespace "root/cimv2" -ClassName Win32_Product

Note that enumerating Win32_Product makes Windows Installer validate (and possibly repair) every MSI package, which is slow and writes Application event log entries; the Uninstall keys under HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall give the same list without that side effect.

User Software

Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)'

File System

Desktop Data

Get-ChildItem 'C:\Users\<USER>\Desktop\'

User Data and Documents

Get-ChildItem 'C:\Users\<USER>\Documents\'

'.lnk' Files (recently opened items)

Get-ChildItem 'C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\Recent\*'

Shared Folders

Get-CimInstance -Namespace "root/cimv2" -ClassName Win32_Share

Volumes

Get-Partition

Environment Variables

Get-ChildItem Env:
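The commands in this section each answer one question; for a baseline you usually want all of them captured at once so the result can be diffed against a later run. The following function is an added example (not from the original post) that gathers the same facts into a single object and saves it as JSON. It assumes Windows PowerShell 5.1 or PowerShell 7 on the host being inventoried; the driver list needs an elevated prompt and is skipped otherwise, and the output path under $env:TEMP is this example's choice.

```powershell
# Added example: collect the OS-level facts listed above into one object and save it as JSON.
# Assumptions: Windows PowerShell 5.1 / PowerShell 7 on the local host; Get-WindowsDriver
# needs elevation and is skipped when the session is not elevated.
function Get-HostBaseline {
    param(
        [string] $OutputPath = (Join-Path $env:TEMP ("baseline-{0}-{1:yyyyMMdd-HHmm}.json" -f $env:COMPUTERNAME, (Get-Date)))
    )

    $isElevated = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
                  ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Hotfixes newest first; the most recent "Security Update" gives a patch-staleness figure
    $hotfixes     = Get-HotFix | Sort-Object InstalledOn -Descending
    $lastSecurity = $hotfixes | Where-Object Description -eq 'Security Update' | Select-Object -First 1

    # Win32_Product triggers an MSI consistency check of every package; the Uninstall
    # registry keys list the same software without that side effect.
    $uninstallKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $software = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate

    $baseline = [ordered]@{
        Host                 = $env:COMPUTERNAME
        Collected            = (Get-Date).ToString('o')
        Elevated             = $isElevated
        OSName               = $os.Caption
        OSVersion            = $os.Version
        Architecture         = $os.OSArchitecture
        LastBoot             = $os.LastBootUpTime
        HotfixCount          = @($hotfixes).Count
        LastSecurityFix      = $lastSecurity.HotFixID
        DaysSinceSecurityFix = if ($lastSecurity) { ((Get-Date) - $lastSecurity.InstalledOn).Days } else { $null }
        Shares               = @(Get-CimInstance Win32_Share | Select-Object Name, Path, Description)
        Volumes              = @(Get-Volume | Where-Object DriveLetter | Select-Object DriveLetter, FileSystem, SizeRemaining, Size)
        Software             = @($software)
        Profiles             = @(Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' |
                                 ForEach-Object { $_.GetValue('ProfileImagePath') })
        Drivers              = if ($isElevated) {
                                   @(Get-WindowsDriver -Online -All | Select-Object Driver, ProviderName, Version)
                               } else { 'skipped: session not elevated' }
    }

    $baseline | ConvertTo-Json -Depth 4 | Set-Content -Path $OutputPath -Encoding UTF8
    [pscustomobject]$baseline
}

Get-HostBaseline | Select-Object Host, OSName, OSVersion, HotfixCount, LastSecurityFix, DaysSinceSecurityFix
```

Keeping the JSON from each run lets you compare two snapshots (new shares, new software, a patch level that went backwards after a reimage) with Compare-Object instead of re-reading command output by eye.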


Network Enumeration

Network Enumeration via cmd

Network Discovery

net view /all
net view \\<HOST NAME>

Basic ping scan, writing hosts that reply to a file:

for /L %i in (1,1,254) do ping -w 30 -n 1 192.168.1.%i | find "Reply" >> <OUTPUT FILE NAME>.txt

Network Interfaces

ipconfig /all

Active Connections

netstat -ano

Routing Table

netstat -r

Hosts File

type %SYSTEMROOT%\system32\drivers\etc\hosts

ARP Cache

arp -a

NETBIOS

Basic nbtstat scan

nbtstat -A <IP ADDRESS>

Cached NetBIOS info on localhost

nbtstat -c

Script loop scan

for /L %i in (1,1,254) do nbtstat -A 192.168.1.%i

Network Enumeration via Powershell

Connection Profile

Get-NetConnectionProfile

Network Interfaces

Get-NetAdapter

Routes

Get-NetRoute

Active Connections

Get-NetTCPConnection

ARP Table

Get-NetNeighbor
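netstat -ano and Get-NetTCPConnection both report only the owning PID, so the question "which program is actually listening on this port, and is it bound to every interface?" still needs a join against the process list. The following is an added example, not part of the original post, that performs that join; it assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and notes that Path is empty for processes the current user cannot open.

```powershell
# Added example: join Get-NetTCPConnection with Get-Process so each listening port shows its
# owning process and image path. Assumptions: NetTCPIP module present; Path is readable only
# for processes the caller has access to, so it may be empty for system services.
function Get-ListeningPortOwners {
    param([switch] $IncludeLoopback)

    # Index processes by PID once rather than calling Get-Process per connection
    $processes = @{}
    Get-Process | ForEach-Object { $processes[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen |
        Where-Object { $IncludeLoopback -or $_.LocalAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = $processes[[int]$_.OwningProcess]
            [pscustomobject]@{
                LocalAddress  = $_.LocalAddress
                LocalPort     = $_.LocalPort
                PID           = $_.OwningProcess
                Process       = if ($proc) { $proc.ProcessName } else { '<exited>' }
                Path          = if ($proc) { $proc.Path } else { $null }
                # A socket bound to 0.0.0.0 or :: is reachable from the network, not just locally
                AllInterfaces = $_.LocalAddress -in @('0.0.0.0', '::')
            }
        } |
        Sort-Object LocalPort, LocalAddress
}

# Established sessions with the process behind each one, for the "Active Connections" view
function Get-EstablishedConnectionOwners {
    $processes = @{}
    Get-Process | ForEach-Object { $processes[$_.Id] = $_ }

    Get-NetTCPConnection -State Established |
        Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{ n = 'Process'; e = { $processes[[int]$_.OwningProcess].ProcessName } }
}

Get-ListeningPortOwners | Format-Table -AutoSize
Get-EstablishedConnectionOwners | Format-Table -AutoSize
```

A listener with AllInterfaces = True and an unexpected Path is the row worth following up: it is what an external port scan of the host will see.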

Users and Groups Enumeration

Users Information

Get-LocalUser | Select *
net user <USER>

Local Users

Get-LocalUser | Format-Table Name,Enabled,LastLogon,SID
Get-CimInstance -Class Win32_UserAccount
net users

Users Home Folder List

Get-ChildItem 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object { $_.GetValue('ProfileImagePath') }

Local Groups

Get-LocalGroup | Format-Table Name,SID,Description
net localgroup

Members of the Administrators Group

Get-LocalGroupMember Administrators | Format-Table Name,PrincipalSource,SID
net localgroup Administrators

Display Who is Currently Logged In

qwinsta
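The user and group commands above are most useful when their results are combined: which enabled accounts have not logged on in months, which of them sit in Administrators, and which Administrators members are not local accounts at all. The function below is an added example (not from the original post) that does that cross-check. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later), an elevated session so every account's LastLogon is visible, and a 90-day staleness threshold chosen here for illustration.

```powershell
# Added example: cross-check local users against Administrators membership and logon age.
# Assumptions: LocalAccounts module (Windows 10 / Server 2016+); run elevated to read every
# LastLogon; $StaleDays is an illustrative threshold, not a standard.
function Get-LocalAccountAudit {
    param([int] $StaleDays = 90)

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    # Get-LocalGroupMember can fail on orphaned SIDs in the group; in that case $admins is empty
    $admins = @(Get-LocalGroupMember -Group Administrators -ErrorAction SilentlyContinue)
    $adminSids = @($admins | ForEach-Object { $_.SID.Value })

    $users = Get-LocalUser | ForEach-Object {
        $neverLoggedOn = -not $_.LastLogon
        [pscustomobject]@{
            Name                 = $_.Name
            SID                  = $_.SID.Value
            Enabled              = $_.Enabled
            LastLogon            = $_.LastLogon
            # Enabled but unused accounts are the usual cleanup candidates
            Stale                = $_.Enabled -and ($neverLoggedOn -or ($_.LastLogon -lt $cutoff))
            IsAdmin              = $adminSids -contains $_.SID.Value
            PasswordNeverExpires = -not $_.PasswordExpires
            # RID 500 is the built-in Administrator even when it has been renamed
            BuiltinAdmin         = $_.SID.Value -like 'S-1-5-21-*-500'
        }
    }

    # Domain users/groups nested into the local Administrators group
    $nonLocalAdmins = $admins | Where-Object PrincipalSource -ne 'Local' |
        Select-Object Name, ObjectClass, PrincipalSource, SID

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        Users          = @($users)
        AdminCount     = $admins.Count
        NonLocalAdmins = @($nonLocalAdmins)
        StaleAdmins    = @($users | Where-Object { $_.IsAdmin -and $_.Stale })
    }
}

$audit = Get-LocalAccountAudit
$audit.Users | Format-Table Name, Enabled, IsAdmin, Stale, LastLogon, PasswordNeverExpires -AutoSize
$audit.NonLocalAdmins | Format-Table -AutoSize
'Stale administrators: {0}' -f $audit.StaleAdmins.Count
```

StaleAdmins is the list to act on first: an enabled administrator account nobody has used in months is both unnecessary privilege and an account whose misuse nobody would notice.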


Services Enumeration

Services Enumeration via Powershell or cmd

Running Services

Get-Service | Where-Object {$_.Status -eq 'Running'}

List of all services with their ProcessID for those running (cmd.exe):

wmic service list brief

Unquoted Service Paths

Get-WmiObject -Class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where-Object {$_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | Select-Object Name,DisplayName,StartMode,PathName

wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

Another way to enumerate unquoted service paths is through the use of the tool winPEAS.
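The two one-liners above list every unquoted path, but an unquoted path is only a problem when it contains a space and a low-privileged user can write to one of the directories the service control manager would search before reaching the real executable. The function below is an added example, not the post's or winPEAS's code, that applies both tests and prints the sc.exe command that would quote the path. It assumes an elevated session (so every service's directory ACLs are readable) and uses Everyone / Users / Authenticated Users / INTERACTIVE as its working definition of "low-privileged".

```powershell
# Added example: find unquoted service paths that contain a space, then check whether a
# low-privileged principal could write to any directory the SCM would search first.
# Assumptions: run elevated; the identity list below is this example's definition of
# "low-privileged"; the SuggestedFix string is the standard sc.exe quoting syntax.
function Get-UnquotedServicePathRisk {
    $lowPrivIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    Get-CimInstance Win32_Service | Where-Object {
        $_.PathName -and
        -not $_.PathName.StartsWith('"') -and
        ($_.PathName -match '\s') -and
        ($_.PathName -notlike 'C:\Windows\*')
    } | ForEach-Object {
        $svc = $_
        # Keep only the executable part of the command line (up to and including ".exe")
        $exe = if ($svc.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $svc.PathName.Split(' ')[0] }

        # For "C:\Program Files\Some App\bin\svc.exe" the SCM tries "C:\Program.exe" and
        # "C:\Program Files\Some.exe" first, so the directories to check are C:\ and C:\Program Files
        $parts = $exe.Split(' ')
        $candidates = for ($i = 1; $i -lt $parts.Count; $i++) {
            [System.IO.Path]::GetDirectoryName(($parts[0..($i - 1)] -join ' '))
        }

        $writable = $candidates | Sort-Object -Unique | Where-Object { $_ -and (Test-Path $_) } | Where-Object {
            $acl = Get-Acl $_ -ErrorAction SilentlyContinue
            $acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $lowPrivIdentities -contains $_.IdentityReference.Value -and
                (([int]$_.FileSystemRights) -band $writeMask) -ne 0
            }
        }

        [pscustomobject]@{
            Name         = $svc.Name
            StartMode    = $svc.StartMode
            RunsAs       = $svc.StartName
            PathName     = $svc.PathName
            WritableDirs = @($writable)
            Risk         = if ($writable) { 'writable directory on search path' } else { 'unquoted only' }
            SuggestedFix = 'sc.exe config {0} binPath= "\"{1}\"{2}"' -f $svc.Name, $exe, $svc.PathName.Substring($exe.Length)
        }
    }
}

Get-UnquotedServicePathRisk | Format-Table Name, StartMode, RunsAs, Risk, WritableDirs -AutoSize
```

Services whose Risk column reads "writable directory on search path" and that run as LocalSystem are the ones to fix immediately; the rest are hygiene, but quoting them now costs nothing.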


Security Systems Enumeration

Security Systems Enumeration via cmd and Powershell

Antivirus Enumeration

wmic /namespace:\\root\securitycenter2 path antivirusproduct

AV Software Enumeration with Powershell

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

Checking Windows Defender Service Status

Get-Service WinDefend

Current Status of Security Tools, including Anti-Spyware, Antivirus, IoavProtection, Real-time protection, etc.

Get-MpComputerStatus

Check Real-Time Protection

Get-MpComputerStatus | select RealTimeProtectionEnabled

Check if the Firewall is Enabled

Get-NetFirewallProfile -All | Format-Table Name, Enabled

Firewall Rules Enumeration

Get-NetFirewallRule | select DisplayName, Enabled, Description

Disable Firewall (requires admin privileges)

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

Check if Something is Listening on Port 80 (a loopback connection shows that a listener exists; inbound firewall rules are not exercised over 127.0.0.1)

Test-NetConnection -ComputerName 127.0.0.1 -Port 80

Details of Threats Detected by MS Defender

Get-MpThreat

Check if there is a Process Named "Sysmon"

Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Check Sysmon Services

Get-CimInstance win32_service -Filter "Description = 'System Monitor service'"
Get-Service | Where-Object {$_.DisplayName -like "*sysm*"}

Check Windows Event Log for Sysmon

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

Search for Sysmon Configuration File

findstr /si /C:"ProcessCreate onmatch=" C:\tools\*
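Each check in this section answers a yes/no question about one control; what an assessor or incident responder actually wants is the whole picture on one screen. The function below is an added example, not from the original post, that collects the Defender, firewall, third-party AV and Sysmon checks above into a single report object. It assumes Windows 10 / Server 2016 or later with the Defender and NetSecurity modules, that the SecurityCenter2 namespace may be absent (it exists on workstations only), and that Sysmon may have been installed under a custom service or driver name, in which case a negative result here is not proof of absence.

```powershell
# Added example: gather the defensive-tooling checks above into one report object.
# Assumptions: Windows 10 / Server 2016+ with Defender and NetSecurity modules; SecurityCenter2
# is absent on servers; Sysmon service/driver names can be customised, so every indicator is
# reported separately rather than collapsed into one flag.
function Get-DefensivePosture {
    $avProducts = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, productState, pathToSignedProductExe

    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $defender = if ($mp) {
        [pscustomobject]@{
            ServiceRunning     = (Get-Service WinDefend -ErrorAction SilentlyContinue).Status -eq 'Running'
            RealTimeProtection = $mp.RealTimeProtectionEnabled
            IoavProtection     = $mp.IoavProtectionEnabled
            AntispywareEnabled = $mp.AntispywareEnabled
            SignatureAgeDays   = $mp.AntivirusSignatureAge
            DetectedThreats    = @(Get-MpThreat -ErrorAction SilentlyContinue).Count
        }
    } else { 'Defender cmdlets unavailable' }

    $firewall     = Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    $inboundAllow = @(Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue).Count

    # Sysmon: service by description, kernel driver by name, event channel registration, process
    $sysmonSvc     = Get-CimInstance Win32_Service -Filter "Description = 'System Monitor service'" |
                     Select-Object Name, State, PathName
    $sysmonDrv     = Get-CimInstance Win32_SystemDriver -Filter "Name = 'SysmonDrv'" -ErrorAction SilentlyContinue
    $sysmonChannel = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
    $sysmonProcess = @(Get-Process -Name Sysmon*, Sysmon64* -ErrorAction SilentlyContinue).Count -gt 0

    [pscustomobject]@{
        Host              = $env:COMPUTERNAME
        AntivirusProducts = @($avProducts)
        Defender          = $defender
        FirewallProfiles  = @($firewall)
        InboundAllowRules = $inboundAllow
        Sysmon            = [pscustomobject]@{
            Service      = $sysmonSvc
            DriverLoaded = ([bool]$sysmonDrv) -and ($sysmonDrv.State -eq 'Running')
            EventChannel = $sysmonChannel
            ProcessSeen  = $sysmonProcess
        }
    }
}

$posture = Get-DefensivePosture
$posture.Defender
$posture.FirewallProfiles | Format-Table -AutoSize
$posture.Sysmon
```

A host where RealTimeProtection is False, a firewall profile is disabled, or the Sysmon channel exists but the driver is not running is reporting a gap between configured and effective controls, which is the finding to write up.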


Security Systems Enumeration via Scripts

Invoke-EDRChecker

Enumerates the target host by querying running processes, process metadata, DLLs loaded in the current process and every metadata dlls, known installation paths, installed services, registry, and running drivers, then checks the output against a list of known defensive products such as AV, EDR, and logging tools.

PS C:\> Invoke-EDRChecker
PS C:\> Invoke-EDRChecker -Force
PS C:\> Invoke-EDRChecker -Remote <hostname>
PS C:\> Invoke-EDRChecker -Remote <hostname> -Ignore


SharpEDRChecker

A new and improved C# implementation of Invoke-EDRChecker. Checks running processes, process metadata, DLLs loaded in the current process and the metadata of each DLL, common installation directories, installed services and the metadata of each service binary, installed drivers and the metadata of each driver, all for the presence of known defensive products like AV, EDR, and logging tools. Catches even hidden EDRs through its metadata checks; more information can be found in this blog post.

.\SharpEDRChecker.exe
run-exe SharpEDRChecker.Program SharpEDRChecker


Windows System Enumeration via Tools

winPEAS

winPEAS is a tool included in the PEASS-ng (Privilege Escalation Awesome Scripts SUITE next generation) repository on GitHub. It is designed for privilege escalation and system enumeration in Windows environments. The tool offers a comprehensive set of checks and gathers valuable system information to identify potential vulnerabilities.

In terms of enumeration, winPEAS can perform a wide variety of checks on different aspects of the system, including:

  • System and configuration information: Details about the operating system, network configuration, installed patches, running services, etc.
  • Credentials: Searching for stored credentials, configuration files with possible credentials.
  • User permissions and rights: Enumeration of users, their groups, file permissions, and security policies.
  • Scheduled tasks and auto-start applications: Identifying tasks that could be exploited for privilege escalation.
  • Common vulnerabilities: Checking for misconfigurations, known vulnerabilities, and missing patches.
  • File and directory information: Enumeration of files and directories with improper permissions or suspicious configurations.

Using winPEAS can provide a detailed view of the security status of a Windows system, highlighting areas that might be vulnerable or misconfigured.


This post is licensed under CC BY 4.0 by the author.