Useful commands and Modules

gci -Recurse . | select FullName # List all files under the current directory, with full paths

Microsoft's Windows commands reference is very handy for manual enumeration tasks.

Modules, cmdlets, resources:

  • netstat: displays active TCP connections, the ports the computer is listening on, Ethernet statistics and the IP routing table.

  • schtasks: enumerates scheduled tasks on the system.

  • Get-ScheduledTask: the PowerShell cmdlet for enumerating scheduled tasks.

  • certutil: the Windows binary for handling certificates.

  • rundll32: used by Windows to load a DLL and call one of its exported functions.

  • Get-WmiObject with the Win32_OperatingSystem class: enumerates the computer description field (the Description property) from PowerShell.

  • Get-LocalUser: lists local users.

  • diskshadow: creates a volume shadow copy (useful for reading files that are locked while Windows is running).

  • robocopy: copies file data from one location to another.

  • takeown: changes the ownership of a file to the current user. Ownership alone does not grant read or write access; the new owner still has to adjust the ACL afterwards.

  • gci (Get-ChildItem) on \\.\pipe\: lists named pipes from PowerShell.

  • AccessChk: a console utility that reports effective permissions on securable objects, account rights for a user or group, or token details for a process.

  • PipeList (Sysinternals Suite): enumerates instances of named pipes.

  • Get-AppLockerPolicy: gets the local, the effective, or a domain AppLocker policy.

  • tasklist: displays the processes currently running on the local or a remote computer (it replaces the older tlist tool).

  • set: displays, sets, or removes cmd.exe environment variables; with no parameters it lists the current environment.

  • Hotfixes: give an idea of when the box was last patched.

  • If systeminfo does not list hotfixes, the WMI QFE (Quick Fix Engineering) class shows the installed patches.

  • Get-HotFix: the PowerShell cmdlet for the same data.

  • ProcDump (Sysinternals Suite): dumps process memory.

  • Microsoft's reference guide covers all built-in Windows commands.

  • dnscmd: utility for managing DNS servers.

  • wevtutil and the Get-WinEvent PowerShell cmdlet: query Windows event logs.

  • The PowerShell Operational log may contain sensitive information or credentials if script block logging or module logging is enabled, and it is readable by unprivileged users.

  • PSSQLite module: opens and inspects SQLite database files (browser and application databases, for example).

  • cmdkey: creates, lists, and deletes stored usernames and passwords.
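The diskshadow, robocopy and takeown entries above are usually used together: snapshot the volume, then copy a locked or ACL-protected file out of the snapshot. The script below is an added example and is not part of the original page; the drive letter, output folder and the file it copies (defaulting to the SYSTEM registry hive, which is locked while Windows runs) are assumptions. Run it from an elevated PowerShell.

```powershell
# Added example, not from the original page: script diskshadow to snapshot a volume,
# expose the snapshot as a drive letter, copy one file out of it with robocopy in
# backup mode, then delete only the snapshot this script created.
param(
    [string]$Volume   = 'C:',
    [string]$ExposeAs = 'Z:',                              # assumption: a free drive letter
    [string]$Relative = 'Windows\System32\config\SYSTEM',  # assumption: file locked while Windows runs
    [string]$OutDir   = "$env:TEMP\shadow-out"
)

$dsh = Join-Path $env:TEMP 'shadow.dsh'

# diskshadow reads commands from a plain-text script. Save it as ASCII: a UTF-16 or
# BOM-prefixed file makes diskshadow fail on the first line.
@"
set context persistent nowriters
set verbose on
add volume $Volume alias snap
create
expose %snap% $ExposeAs
"@ | Set-Content -Path $dsh -Encoding Ascii

diskshadow.exe /s $dsh
if ($LASTEXITCODE -ne 0) { throw "diskshadow failed with exit code $LASTEXITCODE" }

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# robocopy /B is backup mode: it opens files using SeBackupPrivilege, so it can read
# files whose ACL would otherwise deny the caller. Inside the snapshot the file is
# not locked, unlike the live copy on the running volume.
$srcDir  = "$ExposeAs\" + (Split-Path $Relative -Parent)
$srcFile = Split-Path $Relative -Leaf
robocopy.exe $srcDir $OutDir $srcFile /B /NJH /NJS
# robocopy exit codes below 8 mean success (1 = files were copied).
if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

# Clean up: remove the exposed snapshot so it does not linger on the box.
"delete shadows exposed $ExposeAs" | Set-Content -Path $dsh -Encoding Ascii
diskshadow.exe /s $dsh

Get-ChildItem $OutDir
```

Leaving a persistent, exposed shadow copy behind is both noisy and a gift to the next person on the box, which is why the cleanup step deletes by exposed drive letter rather than `delete shadows all` (that would also remove snapshots the system already had).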

ipconfig /all #Get interface, IP address and DNS information
arp -a #Get ARP table
route print #Review routing table
Get-MpComputerStatus #Check Windows Defender status
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections #List AppLocker rules
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone #Test AppLocker policy
set #Display all environment variables
systeminfo #View detailed system configuration information
wmic qfe #Get patches and updates
wmic product get name #Get installed programs (slow: querying Win32_Product triggers an MSI consistency check of every installed package)
tasklist /svc #Display running processes and the services hosted in each
query user #Get logged-in users
echo %USERNAME% #Get current user
whoami /priv #View current user privileges
whoami /groups #View current user group membership
net user #Get all local users
net localgroup #Get all local groups
net localgroup administrators #View the members of a group
net accounts #Get password policy
netstat -ano #Display active network connections with the owning PID
pipelist.exe /accepteula #List named pipes
gci \\.\pipe\ #List named pipes with PowerShell
accesschk.exe /accepteula \\.\Pipe\lsass -v #Review permissions on a named pipe
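The two AppLocker one-liners above tell you whether one binary is allowed for one user. What you normally want is the enforcement state of each rule collection, whether the Application Identity service is even running, and a batch verdict over the LOLBins you care about. The script below is an added example, not code from the original page; the list of binaries and the user it tests as are assumptions.

```powershell
# Added example, not from the original page: report AppLocker enforcement state per
# rule collection, check the AppIDSvc service, then evaluate the effective policy
# against a batch of binaries for a given user.
param(
    [string]$User = 'Everyone',                     # assumption: account or SID to evaluate as
    [string[]]$Paths = @(                            # assumption: binaries worth checking
        "$env:SystemRoot\System32\cmd.exe",
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\System32\rundll32.exe",
        "$env:SystemRoot\System32\certutil.exe",
        "$env:SystemRoot\System32\mshta.exe"
    )
)

$policy = Get-AppLockerPolicy -Effective

# A collection only blocks anything when EnforcementMode is "Enabled"; "AuditOnly"
# merely logs, and "NotConfigured" means no rules of that type. Enforced rules still
# do nothing if the Application Identity service (AppIDSvc) is not running.
$policy.RuleCollections |
    Select-Object RuleCollectionType, EnforcementMode,
                  @{ n = 'Rules'; e = { ($_ | Measure-Object).Count } } |
    Format-Table -AutoSize

Get-Service -Name AppIDSvc | Select-Object Name, Status | Format-Table -AutoSize

# Test-AppLockerPolicy reads the files (hash and publisher rules need them), so only
# test paths that exist on this host.
$existing = $Paths | Where-Object { Test-Path -Path $_ }

Test-AppLockerPolicy -PolicyObject $policy -Path $existing -User $User |
    Select-Object FilePath, PolicyDecision,
                  @{ n = 'MatchingRule'; e = { $_.MatchingRule.Name } } |
    Sort-Object PolicyDecision |
    Format-Table -AutoSize
```

An "Allowed" verdict here is only meaningful if the Exe collection is in Enabled mode and AppIDSvc is running; a "Denied" verdict with a default-rule match usually means the rule is a path rule, which is worth comparing against any user-writable directories that fall under the allowed paths.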

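The note above about the PowerShell Operational log is easy to act on, because the log is readable without admin rights. The script below is an added example and is not part of the original page: it pulls script block (4104) and module logging (4103) events and flags those whose text looks credential-related. The regex and the number of events it reads are assumptions.

```powershell
# Added example, not from the original page: search the PowerShell Operational log
# for 4103/4104 events that contain credential-looking text.
param(
    [int]$MaxEvents = 5000,                                         # assumption
    [string]$Pattern = 'password|passwd|ConvertTo-SecureString|PSCredential|-Credential\s|cmdkey|net\s+use\s'  # assumption
)

# 4104 events exist only when script block logging is enabled, 4103 only when module
# logging is enabled. PowerShell 7 logs to "PowerShellCore/Operational" instead.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 }

try {
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
} catch {
    # Get-WinEvent throws when nothing matches the filter at all.
    Write-Warning "No events read: $($_.Exception.Message)"
    return
}

$hits = foreach ($e in $events) {
    # For 4104 the script text is the third EventData field (ScriptBlockText). Long
    # scripts are split over several 4104 events, so a secret can straddle two of them.
    # For 4103 the rendered Message already carries the CommandInvocation and
    # ParameterBinding lines, which is where bound passwords show up.
    $text = if ($e.Id -eq 4104 -and $e.Properties.Count -ge 3) {
        [string]$e.Properties[2].Value
    } else {
        $e.Message
    }
    $m = [regex]::Match($text, $Pattern, 'IgnoreCase')
    if ($m.Success) {
        $start = [Math]::Max(0, $m.Index - 40)
        $len   = [Math]::Min(160, $text.Length - $start)
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            User    = $e.UserId   # SID of the account whose session logged the event
            Snippet = ($text.Substring($start, $len) -replace '\s+', ' ')
        }
    }
}

$hits | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

The same pattern works for the event-log side of the house: the regex is a starting point for a detection, and the User column tells you which account's session produced the block, which matters when a scheduled task or service account is the one leaking the secret.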