LOL Bins
Basic enum commands
Command | Result |
| Prints the PC's Name |
| Prints out the OS version and revision level |
| Prints the patches and hotfixes applied to the host |
| Prints out network adapter state and configurations |
| Displays a list of environment variables for the current session (ran from CMD-prompt) |
| Displays the domain name to which the host belongs (ran from CMD-prompt) |
| Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt) |
``` | |
systeminfo | |
``` |
Powershell
Cmd-Let | Description |
| Lists available modules loaded for use. |
| Will print the execution policy settings for each scope on a host. |
| This will change the policy for our current process using the |
| With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords. |
| Return environment values such as key paths, users, computer information, etc. |
| This is a quick and easy way to download a file from the web using PowerShell and call it from memory. |
Downgrade Powershell
Many defenders are unaware that several versions of PowerShell often exist on a host. If not uninstalled, they can still be used. Powershell event logging was introduced as a feature with Powershell 3.0 and forward. With that in mind, we can attempt to call Powershell version 2.0 or older. If successful, our actions from the shell will not be logged in Event Viewer.
Am I Alone?
Network Information
Networking Commands | Description |
| Lists all known hosts stored in the arp table. |
| Prints out adapter settings for the host. We can figure out the network segment from here. |
| Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host. |
| Displays the status of the host's firewall. We can determine if it is active and filtering traffic. |
WMI
Command | Description |
| Prints the patch level and description of the Hotfixes applied |
| Displays basic host information to include any attributes within the list |
| A listing of all processes on host |
| Displays information about the Domain and Domain Controllers |
| Displays information about all local accounts and any domain accounts that have logged into the device |
| Information about all local groups |
| Dumps information about any system accounts that are being used as service accounts. |
Net commands
Keep in mind that net.exe commands are typically monitored by EDR solutions and can quickly give up our location if our assessment has an evasive component.
If you believe the network defenders are actively logging/looking for any commands out of the normal, you can try this workaround to using net commands. Typing net1 instead of net will execute the same functions without the potential trigger from the net string.
Command | Description |
| Information about password requirements |
| Password and lockout policy |
| Information about domain groups |
| List users with domain admin privileges |
| List of PCs connected to the domain |
| List PC accounts of domains controllers |
| User that belongs to the group |
| List of domain groups |
| All available groups |
| List users that belong to the administrators group inside the domain (the group |
| Information about a group (admins) |
| Add user to administrators |
| Check current shares |
| Get information about a user within the domain |
| List all users of the domain |
| Information about the current user |
| Mount the share locally |
| Get a list of computers |
| Shares on the domains |
| List shares of a computer |
| List of PCs of the domain |
Domain group
Domain user
Dsquery
Can be found at C:\Windows\System32\dsquery.dll.
All we need is elevated privileges on a host or the ability to run an instance of Command Prompt or PowerShell from a SYSTEM context
User search
Computer search
Wildcard search
Users With Specific Attributes Set (PASSWD_NOTREQD)
Domain controllers
Last updated