Useful commands and Modules

PreviousEOP Windows Tools and Resources NextActive Directory

Last updated 3 years ago

Useful commands and Modules

gci -recurse . | select fullname # List all the files

is very handy for performing manual enumeration tasks.

modules, cmdlets, resources :

Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table.
command to enumerate scheduled tasks on the system.
also enumerate scheduled tasks using the PowerShell cmdlet.
Windows binary used for handling certificates .
Used by Windows to execute dll files.
enumerate the computer description field via PowerShell using the cmdlet with the class.
local users using the cmdlet.
Windows utility to create a shadow copy.
Copies file data from one location to another.
Windows binary to change ownership of the file.
PowerShell to list named pipes using gci (Get-ChildItem).
AccessChk is a console utility that reports effective permissions on securable objects, account rights for a user or group, or token details for a process.
from the Sysinternals Suite to enumerate instances of named pipes.
(Gets the local, the effective, or a domain AppLocker policy).
(Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool).
(Displays, sets, or removes cmd.exe environment variables. If used without parameters, set displays the current environment variable settings).
(to get an idea of when the box has been patched).
If systeminfo doesn't display hotfixes, we may use with to display patches.
PowerShell as well using the cmdlet.
from the suite dump process memory.
Microsoft reference for all built-in Windows commands.
utility for managing DNS servers.
query Windows events using the utility and the PowerShell cmdlet.
Other logs include log, may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.
. to openand inspect sqllite files etc.
The command can be used to create, list, and delete stored usernames and passwords.

ipocnfig /all #Get interface, IP address and DNS information
arp -a #Get arp table
route print #Review routing table
Get-MpComputerStatus #Check Windows Defender status
Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections
#List AppLocker rules
Get-AppLockerPolicy -Local \| Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
#Test AppLocker policy
set #Display all environment variables
systeminfo #View detailed system configuration information
wmic qfe #Get patches and updates
wmic product get name	# get installed programs
tasklist /svc #Display running processes
query user #Get logged-in users
echo %USERNAME% #Get current user
whoami /priv #View current user privileges
whoami /groups #View current user group information
net user	#Get all system users
net localgroup	#Get all system groups
net localgroup #administrators	View details about a group
net accounts	#Get passsword policy
netstat -ano	#Display active network connections
pipelist.exe /accepteula	#List named pipes
gci \\.\pipe\	#List named pipes with PowerShell
accesschk.exe /accepteula \\.\Pipe\lsass -v	#Review permissions on a named pipe

PreviousEOP Windows Tools and Resources NextActive Directory

Last updated 3 years ago

gci -recurse . | select fullname # List all the files

is very handy for performing manual enumeration tasks.

modules, cmdlets, resources :

Displays active TCP connections, ports on which the computer is listening, Ethernet statistics, the IP routing table.
command to enumerate scheduled tasks on the system.
also enumerate scheduled tasks using the PowerShell cmdlet.
Windows binary used for handling certificates .
Used by Windows to execute dll files.
enumerate the computer description field via PowerShell using the cmdlet with the class.
local users using the cmdlet.
Windows utility to create a shadow copy.
Copies file data from one location to another.
Windows binary to change ownership of the file.
PowerShell to list named pipes using gci (Get-ChildItem).
AccessChk is a console utility that reports effective permissions on securable objects, account rights for a user or group, or token details for a process.
from the Sysinternals Suite to enumerate instances of named pipes.
(Gets the local, the effective, or a domain AppLocker policy).
(Displays a list of currently running processes on the local computer or on a remote computer. Tasklist replaces the tlist tool).
(Displays, sets, or removes cmd.exe environment variables. If used without parameters, set displays the current environment variable settings).
(to get an idea of when the box has been patched).
If systeminfo doesn't display hotfixes, we may use with to display patches.
PowerShell as well using the cmdlet.
from the suite dump process memory.
Microsoft reference for all built-in Windows commands.
utility for managing DNS servers.
query Windows events using the utility and the PowerShell cmdlet.
Other logs include log, may also contain sensitive information or credentials if script block or module logging is enabled. This log is accessible to unprivileged users.
. to openand inspect sqllite files etc.
The command can be used to create, list, and delete stored usernames and passwords.

ipocnfig /all #Get interface, IP address and DNS information
arp -a #Get arp table
route print #Review routing table
Get-MpComputerStatus #Check Windows Defender status
Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections
#List AppLocker rules
Get-AppLockerPolicy -Local \| Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
#Test AppLocker policy
set #Display all environment variables
systeminfo #View detailed system configuration information
wmic qfe #Get patches and updates
wmic product get name	# get installed programs
tasklist /svc #Display running processes
query user #Get logged-in users
echo %USERNAME% #Get current user
whoami /priv #View current user privileges
whoami /groups #View current user group information
net user	#Get all system users
net localgroup	#Get all system groups
net localgroup #administrators	View details about a group
net accounts	#Get passsword policy
netstat -ano	#Display active network connections
pipelist.exe /accepteula	#List named pipes
gci \\.\pipe\	#List named pipes with PowerShell
accesschk.exe /accepteula \\.\Pipe\lsass -v	#Review permissions on a named pipe