Useful commands and Modules
The Windows commands reference is very handy for performing manual enumeration tasks.
Modules, cmdlets, resources:
netstat displays active TCP connections, the ports on which the computer is listening, Ethernet statistics, and the IP routing table.
The schtasks command enumerates scheduled tasks on the system.
Scheduled tasks can also be enumerated with the Get-ScheduledTask PowerShell cmdlet.
certutil is the Windows binary used for handling certificates.
rundll32 is used by Windows to execute DLL files.
The computer description field can be enumerated via PowerShell using the Get-WmiObject cmdlet with the Win32_OperatingSystem class.
Local users can be listed with the Get-LocalUser cmdlet.
The Windows diskshadow utility creates a shadow copy.
robocopy copies file data from one location to another.
takeown is the Windows binary used to change ownership of a file.
PowerShell can list named pipes using gci (Get-ChildItem).
AccessChk is a console utility that reports effective permissions on securable objects, account rights for a user or group, or token details for a process.
PipeList from the Sysinternals Suite to enumerate instances of named pipes.
Get-AppLockerPolicy (Gets the local, the effective, or a domain AppLocker policy).
Tasklist (Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool).
set (Displays, sets, or removes cmd.exe environment variables. If used without parameters, set displays the current environment variable settings).
Hotfixes (to get an idea of when the box has been patched).
If systeminfo doesn't display hotfixes, we may use WMI with QFE (Quick Fix Engineering) to display patches; PowerShell can do the same with the Get-HotFix cmdlet.
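The hotfix fallback described above, worked into a single patch-currency check as an added example (not code from the original notes). It tries Get-HotFix first, falls back to the Win32_QuickFixEngineering (QFE) class via CIM, and flags a host whose newest hotfix is older than an assumed threshold of 60 days; the function name Get-PatchCurrency and the threshold are assumptions.

```powershell
# Added example (not from the original notes): report how recently a host was
# patched, falling back from Get-HotFix to the WMI/CIM QFE class.
function Get-PatchCurrency {
    [CmdletBinding()]
    param(
        # Assumed threshold: flag a host whose newest hotfix is older than this.
        [int]$MaxAgeDays = 60
    )

    # First choice: Get-HotFix, which returns InstalledOn as a DateTime.
    $source   = 'Get-HotFix'
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)

    # Fallback: Win32_QuickFixEngineering (QFE) queried via CIM. Here InstalledOn
    # is a string, so it is parsed into a DateTime (null when unparsable).
    if ($hotfixes.Count -eq 0) {
        $source   = 'Win32_QuickFixEngineering'
        $hotfixes = @(Get-CimInstance -ClassName Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
            ForEach-Object {
                $parsed = [DateTime]::MinValue
                $ok = [DateTime]::TryParse([string]$_.InstalledOn, [ref]$parsed)
                [pscustomobject]@{
                    HotFixID    = $_.HotFixID
                    Description = $_.Description
                    InstalledOn = if ($ok) { $parsed } else { $null }
                }
            })
    }

    # Some entries carry no install date; ignore those when computing age.
    $dated  = $hotfixes | Where-Object { $_.InstalledOn -is [DateTime] }
    $newest = $dated | Sort-Object InstalledOn -Descending | Select-Object -First 1

    $ageDays = if ($newest) { [int]((Get-Date) - $newest.InstalledOn).TotalDays } else { $null }
    $stale   = (-not $newest) -or ($ageDays -gt $MaxAgeDays)

    [pscustomobject]@{
        Source        = $source
        HotfixCount   = $hotfixes.Count
        NewestHotfix  = if ($newest) { $newest.HotFixID } else { $null }
        NewestInstall = if ($newest) { $newest.InstalledOn } else { $null }
        AgeDays       = $ageDays
        Stale         = $stale
    }
}

Get-PatchCurrency -MaxAgeDays 60 | Format-List
```

A Stale result with HotfixCount 0 from both sources usually means the inventory is unavailable rather than the host being unpatched, so treat it as a finding to verify, not a conclusion.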
ProcDump from the Sysinternals suite can dump process memory.
Microsoft publishes a reference guide for all built-in Windows commands.
The dnscmd utility is used for managing DNS servers.
Windows events can be queried using the wevtutil utility and the Get-WinEvent PowerShell cmdlet.
Other logs, such as the PowerShell Operational log, may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.
The PSSQLite module can open and inspect SQLite files.
The cmdkey command can be used to create, list, and delete stored usernames and passwords.