# Windows host enumeration checklist (mixed cmd.exe "net"/"query" tools and PowerShell).
# These are reference snippets, not a runnable script: a few lines carry a prompt
# ("C:\Users>") or a label ("32:"/"64:") that must be trimmed before pasting, and one
# line lists two alternatives. Everything here is a read-only query of the host
# (Test-NetConnection is the only line that opens a network connection).
# Current token: group memberships (SIDs, integrity level) and privileges (with
# enabled/disabled state).
whoami /groups # NB "adm" is a Linux group; the Windows analogue for log read access is the built-in "Event Log Readers" group
whoami /priv
# Local accounts, password/lockout policy, local groups, one user's details, and that
# user's interactive (console/RDP) sessions.
net user
net accounts
net localgroup
net user john
query user john
Get-LocalUser
# -Force includes hidden and system entries; "C:\Users>" is a prompt, the command is "tree /F".
dir -Force
C:\Users> tree /F
# Shares exported by this host.
net share
# Enumerate existing groups (two alternatives on the next line, not one command)
net localgroup or Get-LocalGroup
net localgroup Administrators
# Review the members of a Group
Get-LocalGroupMember Administrators
# Check the operating system, version, & architecture (systeminfo also lists installed hotfixes)
systeminfo
# List all network interfaces
ipconfig /all
# Routing table (cmd and PowerShell forms; ft is display-only formatting)
route print
Get-NetRoute -AddressFamily IPv4 | ft DestinationPrefix,NextHop,RouteMetric,ifIndex
# List all active network connections; -o adds the owning PID, which can be matched
# against Get-Process output below.
netstat -ano
# Single host/port reachability check (the IP is a lab value from these notes).
Test-NetConnection -ComputerName 192.168.45.206 -Port 443
# PS & PSReadLine history: Get-History is the current session only; the PSReadLine
# file persists across sessions and can contain secrets typed inline at the prompt,
# so treat it as sensitive and avoid passing credentials as command-line arguments.
Get-History
(Get-PSReadlineOption).HistorySavePath
# Winlogon autologon settings. If AutoAdminLogon is configured, DefaultUserName and
# DefaultPassword may hold a cleartext password. Hardening: do not configure autologon
# with a cleartext DefaultPassword (Sysinternals Autologon stores it as an LSA secret instead).
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# All installed applications. "32:"/"64:" are labels, not part of the commands; 32-bit
# software on 64-bit Windows registers under Wow6432Node, so both keys are needed.
32: Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
64: Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
# Running applications. MainModule.FileName is only readable for processes the caller
# has access to; for other users' processes it raises an error unless elevated.
Get-Process
Get-Process | Select-Object Id, ProcessName, @{Name='FilePath';Expression={$_.MainModule.FileName}}
# Check if a specific service is installed. A WQL "like" with no % wildcard is an exact
# match, so this only finds a service named exactly FJTWSVIC. PathName is the service
# binary, StartName the account it runs as.
Get-CimInstance -ClassName Win32_Service -Filter "Name like 'FJTWSVIC'" | Select-Object Name, PathName, StartName, State
# Identify sensitive info: *.kdbx are KeePass databases; the second search scans one
# user's profile for text/office documents. A recursive walk of C:\ is slow and generates
# many access-denied errors; -ErrorAction SilentlyContinue only hides them.
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Users\john\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
# Locate flag (CTF/lab). On the first line, 2>$null applies to ForEach-Object and hides
# Get-Content failures (unreadable files), separate from Get-ChildItem's -ErrorAction.
# The second line reads the C$ admin share of client74.corp.com over SMB, which needs
# local admin rights on that host; where file-share auditing is enabled the access is
# recorded on the target (event 5140), a useful detection signal.
Get-ChildItem -Path C:\ -Include flag.txt -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {Get-Content $_.FullName} 2>$null
Get-ChildItem -Path '\\client74.corp.com\C$\Users\' -Recurse -Include *flag*, *proof*, *local* -Force 2>$null