
Overview

Guides

Manual

Current users privs
whoami /priv
Current user details (all)
whoami /all
List users
net user
User details
net user <username>
List other logged in users
qwinsta
query session
List user groups
net localgroup
Group details
net localgroup <groupname>
Add user (interactive, requires user interaction)
net user <username> <password> /add
Add user (non-interactive)
net user <username> /add
net user <username> <password>
Add user to group (e.g. administrators)
net localgroup administrators <username> /add
Change password
net user <username> <password>
System info
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
hostname
Patch level
wmic qfe get Caption,Description,HotFixID,InstalledOn
Network connections
netstat -ano
Scheduled tasks
schtasks
schtasks /query /fo LIST /v
Driver
driverquery
Installed software (slow)
wmic product get name,version,vendor
Alternative
wmic service list brief
Services
sc query
sc start <service>
sc stop <service>
sc config <service> <options>
Antivirus
sc query windefend
sc queryex type= service
Searching files
findstr /si <term> <ext>
findstr /si password *.txt

DLL hijacking

Find a program that loads a DLL which is missing from disk, or that resolves a DLL through the search order from a directory you can write to, so that your own DLL gets loaded in its place.

Unquoted service path

Finding unquoted service paths
wmic service get name,displayname,pathname,startmode
sc qc <service>
Check if we have write permission in a suitable path.
.\accesschk64.exe /accepteula -uwdq <path>
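As an added example (not part of the original cheat sheet), this PowerShell script automates the two checks above from the defender's side: it lists services whose binary path is unquoted and contains spaces, derives the truncated paths Windows would try first, and reports whether the current user can write to each parent directory. It only reads service configuration and ACLs and assumes no tool beyond built-in cmdlets.

```powershell
# Audit script (added example): find unquoted service paths and writable parent dirs.
$currentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($currentUser.User.Value) + @($currentUser.Groups | ForEach-Object { $_.Value })

function Test-WritableDirectory {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Dir -ErrorAction SilentlyContinue
    if (-not $acl) { return $false }
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        # An Allow ACE for one of our SIDs with any Write bit set counts as writable.
        if ($sids -contains $aceSid -and (($ace.FileSystemRights -band $writeMask) -ne 0)) {
            return $true
        }
    }
    return $false
}

Get-CimInstance Win32_Service | ForEach-Object {
    $path = $_.PathName
    # Quoted paths and binaries under the Windows directory are not affected by default.
    if (-not $path -or $path.StartsWith('"') -or $path -match '^[A-Za-z]:\\Windows\\') { return }
    # The binary path is everything up to ".exe"; arguments may follow it.
    if ($path -notmatch '^(.+?\.exe)') { return }
    $exe = $Matches[1]
    if ($exe -notmatch ' ') { return }
    # Each space is a point where CreateProcess may try a truncated path with ".exe" appended,
    # e.g. "C:\Program Files\Foo Bar\svc.exe" -> "C:\Program.exe", "C:\Program Files\Foo.exe".
    $parts = $exe.Split(' ')
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
        $dir = Split-Path -Parent $candidate
        [PSCustomObject]@{
            Service   = $_.Name
            StartMode = $_.StartMode
            RunsAs    = $_.StartName
            Candidate = $candidate
            Writable  = Test-WritableDirectory $dir
        }
    }
} | Format-Table -AutoSize
```

A row with Writable = True and RunsAs = LocalSystem is the misconfiguration to fix: quote the ImagePath (sc config <service> binPath= "\"C:\Program Files\...\svc.exe\"") and tighten the directory ACL.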

PowerShell

SMB

Mount smb share
New-PSDrive -Name "<share-name>" -PSProvider "FileSystem" -Root "\\<ip>\<smb-share>"
Access with
cd <share-name>:

Automated

Exploit Suggester

This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
GitHub - AonCyberLabs/Windows-Exploit-Suggester
Windows Exploit Suggester - Next Generation (WES-NG)
windows-exploit-suggester.py --update
windows-exploit-suggester.py --database 2021-09-21-mssb.xls --systeminfo sysinfo_output.txt

winPEAS

winPEAS
winpeas.exe > <output-file>

PowerSploit

JAWS

JAWS

Watson

Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities.
GitHub - rasta-mouse/Watson
Watson.exe

Seatbelt

Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
GitHub - GhostPack/Seatbelt
Seatbelt.exe -group=all -outputfile=<path>

Sherlock

Deprecated. Have a look at Watson instead.
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
GitHub - rasta-mouse/Sherlock
. .\Sherlock.ps1
Find-AllVulns

Misc

File inside a file (NTFS alternate data streams)

dir /r
powershell (Get-Content hm.txt -Stream root.txt)

Run as

runas /netonly /user:<user> cmd

Weak services

Look for files or programs that run with SYSTEM privileges but are writable by a low-privileged user; such a file can be swapped for a malicious one. Check permissions with icacls <file>.