Basic Windows Commands

Turn off Windows Firewall

Check status:

netsh advfirewall show allprofiles state

Inspect current profile:

netsh advfirewall show currentprofile

Show rules:

netsh advfirewall firewall show rule name=all

Turn off:

netsh advfirewall set allprofiles state off

Turn on:

netsh advfirewall set allprofiles state on

Disable Real-time Monitoring

Set-MpPreference -DisableRealtimeMonitoring $true
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force

If it shows that it is managed by your organization, you may try:

Set-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' DisableAntiSpyware 0
Restart-Computer

To disable every single engine:

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

NTP Sync

To force NTP Sync:

w32time /resync

Or use dirty trick:

net time stop
net time start

Turn off UAC

To turn off UAC (restart is needed):

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

To turn on UAC (restart is needed):

reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f

Enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Mount a Drive

net use X: \\DC01\SysVol
X:

Search from a file with its name

dir /s *.xml

Show folders, subfolders recursively

dir /S

Download files on CMD

certutil -urlcache -f <destination> <local_destination>

Check Scheduled Tasks

schtasks /query /fo LIST /v

Installed Apps and Patch

Applications:

wmic product get name, version, vendor

Windows Update:

wmic qfe get Caption, Description, HotFixID, InstalledOn

Enumerate Readable/Writable Files and Directories

accesschk.exe is from Sysinternal.

-u = suppress error, -w = write access permission, -s = recursive

accesschk.exe -uws "Everyone" "C:\Program Files"

We can use powershell as well:

Get-ChildItem "C:\Program Files" -Recurse | Get-ACL | ?{$_.AccessToString -match "Everyone\sAllow\s\sModify"}

Find Unmounted Disks

mountvol

Enumerate Device Drivers and Kernel Modules

powershell
driverquery.exe /v /fo csv | ConvertFrom-CSV | Select-Object 'Display Name', 'Start Mode', Path

We can specifically target drivers based on their name by using Where-Object:

Get-WMIObject <Driver_Name> | Select-Object DeviceName, DriverVersion, Manufacturer | % {$_.DeviceName -like "*VMware*" }

Enumerate Binaries that AutoElevate

On Windows, check the status of AlwaysInstallElevated registry - if set to 1 in either HKEY_CURRENT_USER or HKEY_LOCAL_MACHINE, any user can run Windows Installer packages with elevated privileges:

reg query HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer

If we find any "1", we can craft an MSI file and run it to elevate our privileges.

Check signature

sigcheck.exe -a -m C:\Windows\System32\fodhelper.exe

  • Can also check for opportunity for privilege escalation

  • autoelevate flag

List Services

List running services:

Get-WmiObject win32_service | Select-Object Name, State, PathName | ? {$_.State -like 'Running'}

WMIC list service excluding path with "c:\windows"

wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows"

Check Service Permissions

F (Full Access) M (Modify Access) RX (Read and Execute Access) R (Read-only Access) W (Write-only Access)

icacls "<filepath>"

Check DC name

Use nslookup:

set type=all
_ldap. _tcp. dc. _msdcs

Find file

Search for files

where /R C:\ *python*

Search for content

findstr /si "password"

PreviousLinux Privilege EscalationNextWindows Weaknesses

Last updated