Key information

collect

  • username and hostname

    • whoami

    • hostname

  • group memberships

    • whoami /groups

  • existing users and groups

    • Get-LocalUser

    • Get-LocalGroup

    • Get-LocalGroupMember <groupname>

    • net user <username>

  • User privileges

    • whoami /priv

    • every privilege listed is assigned to the token, even those shown as Disabled; a Disabled privilege is not missing, it just has to be enabled explicitly (e.g. via AdjustTokenPrivileges) before it can be used

  • OS, version and architecture

    • systeminfo

  • network info

    • ipconfig /all

    • route print

    • netstat -ano (listening ports with owning PIDs; compare against Get-Process to see which services are exposed only locally)

  • installed applications

    • Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

    • Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

  • running processes

    • Get-Process

  • Search for files

    • Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx,*.ini -File -Recurse -ErrorAction SilentlyContinue

    • Search for keepass files

      • Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

  • Get user powershell/cmd history

    • Get-History (current session only)

    • (Get-PSReadlineOption).HistorySavePath (path to the persisted PSReadline history file; read it, and check the same path under other users' profiles)

  • Get running services and their binary paths

    • Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}

    • skip binaries under C:\Windows (system32 etc.); third-party services installed elsewhere are the ones likely to have weak ACLs or unquoted paths

ICACLS

Mask   Permissions
F      Full access
M      Modify access
RX     Read and execute access
R      Read-only access
W      Write-only access


view access to a file

icacls "<path to file>"

icacls "C:\xampp\apache\bin\httpd.exe"
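Added example (not from the original notes): the service enumeration above and the icacls check combined into one pass. It lists running services whose binary is outside C:\Windows, extracts the binary from PathName, flags unquoted paths containing spaces, and uses Get-Acl (the PowerShell equivalent of icacls for this purpose) to report whether the current token has write/modify rights on the binary or its directory. Function names (Get-ServiceBinaryPath, Test-Writable) are my own.

```powershell
# Added example, not from the original notes. Run as the low-privileged user.
# Reports running services with non-Windows binaries and whether we can write to them.

# SIDs to match against ACL entries: the current user plus every group in the token.
$me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$ids = @($me.User.Value) + @($me.Groups | ForEach-Object { $_.Value })

# Rights that let us replace or alter a file; F and M in icacls terms both include these.
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete)

function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Quoted path: take the quoted part. Unquoted: take up to the first ".exe".
    if ($PathName -match '^"([^"]+)"')   { return $Matches[1] }
    if ($PathName -match '^(.+?\.exe)')  { return $Matches[1] }
    return ($PathName -split ' ')[0]
}

function Test-Writable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Resolve the ACE principal to a SID so it can be compared with the token SIDs.
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($ids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    # Deny ACEs are not evaluated here, so confirm any hit with icacls before relying on it.
    return $false
}

$results = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.PathName } |
    ForEach-Object {
        $bin = Get-ServiceBinaryPath $_.PathName
        if ($bin -like "$env:SystemRoot\*") { return }   # skip C:\Windows, per the notes above
        [pscustomobject]@{
            Name        = $_.Name
            RunsAs      = $_.StartName                      # account the service runs as
            Binary      = $bin
            Unquoted    = (-not $_.PathName.StartsWith('"')) -and ($bin -match ' ')
            BinWritable = Test-Writable $bin
            DirWritable = Test-Writable (Split-Path -Parent $bin)
        }
    }

$results | Sort-Object BinWritable, DirWritable, Unquoted -Descending | Format-Table -AutoSize
```

A service with BinWritable set and RunsAs LocalSystem is the case the httpd.exe example above is probing for; verify the hit with icacls on that path, then check whether the service can be restarted by the current user (sc qc / Get-Service) or wait for a reboot.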

run cmd as another user

runas /user:username cmd
