
Windows/Active Directory enumeration tricks

Enumerate installed .NET Framework versions (check the version subkeys, and the values under each one's Client subkey)

reg query "HKLM\SOFTWARE\Microsoft\NET Framework Setup\NDP"

Get the status and startup type of a service

sc qc spooler

Check if DCOM is enabled (Y means enabled)

reg query HKLM\SOFTWARE\Microsoft\OLE /v EnableDCOM

Get a bunch of info including OS version, installed patches, etc.

systeminfo

Get the name and run-as account for services

wmic service get name,startname

Get details for non-Microsoft services

WMIC service where "Not PathName like '%Micro%' AND Not PathName like '%Windows%'" get Name,DisplayName,PathName,State,Status,StartName

Local account remote restriction check (LocalAccountTokenFilterPolicy must be present and set to 1 for the restriction to be disabled)

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Get PowerShell version (old and new engines)

reg query HKLM\Software\Microsoft\PowerShell\1\PowerShellEngine /v RuntimeVersion
reg query HKLM\Software\Microsoft\PowerShell\3\PowerShellEngine /v RuntimeVersion

Get around registry editing restrictions - ERROR: Registry editing has been disabled by your administrator. (setting DisableRegistryTools to 0 lifts the restriction, setting it to 2 re-applies it)

powershell -command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name DisableRegistryTools -Value 0"
powershell -command "Set-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name DisableRegistryTools -Value 2"

Check for a DAMP backdoor (unexpected ACEs on the winreg key that controls remote registry access)

powershell -command "Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg | Format-List"

Windows local profile listing (in PowerShell)

Get-WmiObject -Class Win32_UserProfile -ea 0 | Select LocalPath, RoamingConfigured

PowerShell network connection test (returns True if the connect completed within 100 ms)

(New-Object System.Net.Sockets.TcpClient).ConnectAsync("google.com", 80).Wait(100)

Identify read-only domain controllers

The primaryGroupID attribute of the computer object in AD will be 521, the RID of the "Read-only Domain Controllers" group

That command you run to execute unsigned PowerShell stuff (current process only)

Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass

Remote registry operations example with impacket's reg.py

reg.py user@host query -keyName 'hklm\software'

Remote firewall checking (there are also the StandardProfile and PublicProfile keys)

reg.py -k hostname query -keyName HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile

PowerShell search for strings in files

ls C:\Windows\System32\* -Include '*.exe', '*.dll' | Select-String 'RunHTMLApplication' -Encoding ascii | Format-List

Get SIDs for users

wmic useraccount get name,sid

Get Defender exclusions

Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
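As an added example (not part of the original notes), a PowerShell function that combines the DCOM, LocalAccountTokenFilterPolicy, DisableRegistryTools, winreg ACL and Defender exclusion checks above into one read-only report; the list of expected winreg identities is an assumption about a default Windows build, not something the notes state.

```powershell
# Added example, not from the original notes. Read-only: it queries the keys used
# above and interprets the values, it changes nothing.
# $ExpectedWinregIdentities is an ASSUMED default baseline; adjust it to your own build.
function Get-RemoteAccessPostureReport {
    [CmdletBinding()]
    param(
        [string[]]$ExpectedWinregIdentities = @(
            'BUILTIN\Administrators', 'BUILTIN\Backup Operators', 'NT AUTHORITY\LOCAL SERVICE')
    )

    # Read one registry value; return $null (no exception) when the key or value is missing.
    function Read-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
    }

    $dcom        = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\OLE' 'EnableDCOM'
    $tokenFilter = Read-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' 'LocalAccountTokenFilterPolicy'
    $regTools    = Read-RegValue 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableRegistryTools'

    # Absent or 0 is the default: remote logons with local admin accounts get a filtered token.
    $remoteRestriction = if ($tokenFilter -eq 1) { 'DISABLED - local admins get a full token remotely' } else { 'enabled (default)' }

    # Any identity on the winreg key outside the expected set deserves review (DAMP-style persistence).
    $winregAcl  = Get-Acl -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $unexpected = $winregAcl.Access |
        Where-Object { $ExpectedWinregIdentities -notcontains $_.IdentityReference.Value } |
        ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.RegistryRights }

    # Get-MpPreference is absent on hosts without Defender, so tolerate the failure.
    $exclusions = try { (Get-MpPreference -ErrorAction Stop).ExclusionPath } catch { @() }

    [pscustomobject]@{
        DcomEnabled            = ($dcom -eq 'Y')
        RemoteUacRestriction   = $remoteRestriction
        RegistryToolsPolicy    = if ($null -eq $regTools) { 'not set' } else { $regTools }
        UnexpectedWinregAces   = @($unexpected)
        DefenderExclusionPaths = @($exclusions)
    }
}

Get-RemoteAccessPostureReport | Format-List
```

Run it from an elevated PowerShell so the HKLM keys and Defender preferences are readable; a populated UnexpectedWinregAces or DefenderExclusionPaths field is a prompt to review, not proof of compromise.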