Useful commands and Modules

gci -recurse . | select fullname # List all the files

Windows commands reference is very handy for performing manual enumeration tasks.

modules, cmdlets, resources :

• netstat Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table.

• schtasks command to enumerate scheduled tasks on the system.

• also enumerate scheduled tasks using the Get-ScheduledTask PowerShell cmdlet.

• Windows binary used for handling certificates certutil.

• rundll32 Used by Windows to execute dll files.

• enumerate the computer description field via PowerShell using the Get-WmiObject cmdlet with the Win32_OperatingSystem class.

• local users using the Get-LocalUser cmdlet.

• Windows diskshadow utility to create a shadow copy.

• robocopy Copies file data from one location to another.

• takeown Windows binary to change ownership of the file.

• PowerShell to list named pipes using gci (Get-ChildItem).

• Accesschk AccessChk is a console utility that reports effective permissions on securable objects, account rights for a user or group, or token details for a process.

• PipeList from the Sysinternals Suite to enumerate instances of named pipes.

• Get-AppLockerPolicy (Gets the local, the effective, or a domain AppLocker policy).

• Tasklist (Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool).

• set (Displays, sets, or removes cmd.exe environment variables. If used without parameters, set displays the current environment variable settings).

• Hotfixes (to get an idea of when the box has been patched).

• If systeminfo doesn't display hotfixes, we may use WMI with QFE (Quick Fix Engineering) to display patches.

• PowerShell as well using the Get-Hotfix cmdlet.

• ProcDump from the SysInternals suite dump process memory.

• Microsoft reference guide for all built-in Windows commands.

• dnscmd utility for managing DNS servers.

• query Windows events using the wevtutil utility and the Get-WinEvent PowerShell cmdlet.

• Other logs include PowerShell Operational log, may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.

• PSSQLite module. to openand inspect sqllite files etc.

• The cmdkey command can be used to create, list, and delete stored usernames and passwords.

ipocnfig /all #Get interface, IP address and DNS information
arp -a #Get arp table
route print #Review routing table
Get-MpComputerStatus #Check Windows Defender status
Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections
#List AppLocker rules
Get-AppLockerPolicy -Local \| Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
#Test AppLocker policy
set #Display all environment variables
systeminfo #View detailed system configuration information
wmic qfe #Get patches and updates
wmic product get name	# get installed programs
tasklist /svc #Display running processes
query user #Get logged-in users
echo %USERNAME% #Get current user
whoami /priv #View current user privileges
whoami /groups #View current user group information
net user	#Get all system users
net localgroup	#Get all system groups
net localgroup #administrators	View details about a group
net accounts	#Get passsword policy
netstat -ano	#Display active network connections
pipelist.exe /accepteula	#List named pipes
gci \\.\pipe\	#List named pipes with PowerShell
accesschk.exe /accepteula \\.\Pipe\lsass -v	#Review permissions on a named pipe