powershell

AD & Windows native tools

Basic enumeration commands

Get PC name

hostname

Get OS version information

[System.Environment]::OSVersion.Version

Print patches and hotfixes

wmic qfe get Caption,Description,HotFixID,InstalledOn

Print network adaptors

ffconfig /all

Display a list of environment variable

cmd /c set

Print domain name

echo %USERDOMAIN%

Print domain controller name

echo %logonserver%

System information

Systeminfo

Powershell (quick check)

Get-Module

Get-ExecutionPolicy -List

whoami

Get-ChildItem Env: | ft key,value

There are many version of powershell exists on system and powershell event logging introduced with powershell 3.0 and forward. If we can spawn powershell 2.0 or older, our actions will not be logged in event viewer.

Downgrade powershell (event log bypass technique)

Print current version

Get-host

Downgrade

powershell.exe -version 2

Network commands

Firewall check

netsh advfirewall show allprofiles

Windows defender check

sc query windefend

Check antimalware software is installed on the system

Get-MpComputerStatus

Logged on users check

qwinsta

ARP table

arp -a

Routing table

route print

Display the status of firewall

netsh advfirewall show state

PreviousLocal admin password reuse Nextpowerview

Last updated 1 day ago

hashtagAD & Windows native tools

hashtagDowngrade powershell (event log bypass technique)

AD & Windows native tools

Downgrade powershell (event log bypass technique)