System/Kernel
*Evil-WinRM* PS C:\Users\svc_backup\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is denied
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 2/1/2020 7:04:40 PM
WindowsProductId : 00429-00521-62775-AA435
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
OsServerLevel : FullServer
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2019 Standard, version 1809 (6.3), build 17763.1.amd64fre.rs5_release.180914-1434; server level FullServer; power platform role Desktop
Networks
*Evil-WinRM* PS C:\Users\svc_backup\Documents> ipconfig /ALL ; route print
Windows IP Configuration
Host Name . . . . . . . . . . . . : DC01
Primary Dns Suffix . . . . . . . : BLACKFIELD.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : BLACKFIELD.local
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-92-35
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::283b:32d2:12e8:c7b9(Preferred)
Link-local IPv6 Address . . . . . : fe80::283b:32d2:12e8:c7b9%17(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.10.192(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
DHCPv6 IAID . . . . . . . . . . . : 385896534
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-26-05-64-77-08-00-27-2C-10-8A
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
===========================================================================
Interface List
17...00 50 56 b9 92 35 ......vmxnet3 Ethernet Adapter
1...........................Software Loopback Interface 1
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 10.10.10.2 10.10.10.192 271
10.10.10.0 255.255.255.0 On-link 10.10.10.192 271
10.10.10.192 255.255.255.255 On-link 10.10.10.192 271
10.10.10.255 255.255.255.255 On-link 10.10.10.192 271
127.0.0.0 255.0.0.0 On-link 127.0.0.1 331
127.0.0.1 255.255.255.255 On-link 127.0.0.1 331
127.255.255.255 255.255.255.255 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 127.0.0.1 331
224.0.0.0 240.0.0.0 On-link 10.10.10.192 271
255.255.255.255 255.255.255.255 On-link 127.0.0.1 331
255.255.255.255 255.255.255.255 On-link 10.10.10.192 271
===========================================================================
Persistent Routes:
Network Address Netmask Gateway Address Metric
0.0.0.0 0.0.0.0 192.168.86.1 Default
0.0.0.0 0.0.0.0 10.10.10.2 Default
0.0.0.0 0.0.0.0 10.10.10.2 Default
===========================================================================
IPv6 Route Table
===========================================================================
Active Routes:
If Metric Network Destination Gateway
1 331 ::1/128 On-link
17 271 dead:beef::/64 On-link
17 271 dead:beef::283b:32d2:12e8:c7b9/128 On-link
17 271 fe80::/64 On-link
17 271 fe80::283b:32d2:12e8:c7b9/128 On-link
1 331 ff00::/8 On-link
17 271 ff00::/8 On-link
===========================================================================
Persistent Routes:
None
*Evil-WinRM* PS C:\Users\svc_backup\Documents> arp -a ; netstat -ano | Select-String LIST
Interface: 10.10.10.192 --- 0x11
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-10-14 dynamic
10.10.10.255 ff-ff-ff-ff-ff-ff static
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 940
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 940
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 696
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 3444
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 460
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1380
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1768
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING 2268
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49677 0.0.0.0:0 LISTENING 3372
TCP 0.0.0.0:49686 0.0.0.0:0 LISTENING 604
TCP 0.0.0.0:49689 0.0.0.0:0 LISTENING 3508
TCP 0.0.0.0:49705 0.0.0.0:0 LISTENING 3464
TCP 10.10.10.192:53 0.0.0.0:0 LISTENING 3508
TCP 10.10.10.192:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 3508
TCP [::]:88 [::]:0 LISTENING 620
TCP [::]:135 [::]:0 LISTENING 940
TCP [::]:389 [::]:0 LISTENING 620
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 620
TCP [::]:593 [::]:0 LISTENING 940
TCP [::]:636 [::]:0 LISTENING 620
TCP [::]:3268 [::]:0 LISTENING 620
TCP [::]:3269 [::]:0 LISTENING 620
TCP [::]:3389 [::]:0 LISTENING 696
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 3444
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 460
TCP [::]:49665 [::]:0 LISTENING 1380
TCP [::]:49666 [::]:0 LISTENING 1768
TCP [::]:49667 [::]:0 LISTENING 620
TCP [::]:49669 [::]:0 LISTENING 2268
TCP [::]:49674 [::]:0 LISTENING 620
TCP [::]:49675 [::]:0 LISTENING 620
TCP [::]:49677 [::]:0 LISTENING 3372
TCP [::]:49686 [::]:0 LISTENING 604
TCP [::]:49689 [::]:0 LISTENING 3508
TCP [::]:49705 [::]:0 LISTENING 3464
TCP [::1]:53 [::]:0 LISTENING 3508
TCP [dead:beef::283b:32d2:12e8:c7b9]:53 [::]:0 LISTENING 3508
TCP [fe80::283b:32d2:12e8:c7b9%17]:53 [::]:0 LISTENING 3508
RDP is listening on 0.0.0.0:3389
Users & Groups
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net users ; dir C:\Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator audit2020 BLACKFIELD103974
BLACKFIELD106360 BLACKFIELD107197 BLACKFIELD112766
BLACKFIELD114762 BLACKFIELD115148 BLACKFIELD118321
BLACKFIELD128775 BLACKFIELD129328 BLACKFIELD129387
BLACKFIELD131771 BLACKFIELD135403 BLACKFIELD135990
BLACKFIELD136203 BLACKFIELD136813 BLACKFIELD137694
BLACKFIELD146200 BLACKFIELD148067 BLACKFIELD150357
BLACKFIELD160610 BLACKFIELD160820 BLACKFIELD163183
BLACKFIELD169035 BLACKFIELD169876 BLACKFIELD171624
BLACKFIELD175204 BLACKFIELD184482 BLACKFIELD184493
BLACKFIELD186980 BLACKFIELD189208 BLACKFIELD191416
BLACKFIELD192642 BLACKFIELD194732 BLACKFIELD195757
BLACKFIELD195953 BLACKFIELD196444 BLACKFIELD198927
BLACKFIELD199889 BLACKFIELD201655 BLACKFIELD202900
BLACKFIELD204805 BLACKFIELD219324 BLACKFIELD219914
BLACKFIELD220786 BLACKFIELD224839 BLACKFIELD227380
BLACKFIELD228442 BLACKFIELD229506 BLACKFIELD230515
BLACKFIELD235930 BLACKFIELD236467 BLACKFIELD246388
BLACKFIELD247450 BLACKFIELD250576 BLACKFIELD251003
BLACKFIELD251977 BLACKFIELD252379 BLACKFIELD253047
BLACKFIELD253541 BLACKFIELD256791 BLACKFIELD266096
BLACKFIELD267457 BLACKFIELD268320 BLACKFIELD269538
BLACKFIELD274109 BLACKFIELD274367 BLACKFIELD274577
BLACKFIELD286615 BLACKFIELD289513 BLACKFIELD290325
BLACKFIELD290582 BLACKFIELD291678 BLACKFIELD307633
BLACKFIELD314351 BLACKFIELD315276 BLACKFIELD316850
BLACKFIELD318077 BLACKFIELD318250 BLACKFIELD319016
BLACKFIELD321206 BLACKFIELD327610 BLACKFIELD328983
BLACKFIELD329802 BLACKFIELD334058 BLACKFIELD336573
BLACKFIELD339143 BLACKFIELD348433 BLACKFIELD348835
BLACKFIELD350809 BLACKFIELD356727 BLACKFIELD357023
BLACKFIELD358090 BLACKFIELD359278 BLACKFIELD362337
BLACKFIELD371669 BLACKFIELD375924 BLACKFIELD382769
BLACKFIELD383108 BLACKFIELD385719 BLACKFIELD385928
BLACKFIELD390179 BLACKFIELD390192 BLACKFIELD395725
BLACKFIELD397679 BLACKFIELD402639 BLACKFIELD404213
BLACKFIELD404458 BLACKFIELD405242 BLACKFIELD410243
BLACKFIELD411132 BLACKFIELD411740 BLACKFIELD412798
BLACKFIELD413242 BLACKFIELD415829 BLACKFIELD416532
BLACKFIELD419600 BLACKFIELD428532 BLACKFIELD429587
BLACKFIELD430864 BLACKFIELD433476 BLACKFIELD434395
BLACKFIELD438814 BLACKFIELD438923 BLACKFIELD441593
BLACKFIELD441759 BLACKFIELD446463 BLACKFIELD448641
BLACKFIELD454313 BLACKFIELD460131 BLACKFIELD464763
BLACKFIELD465267 BLACKFIELD468839 BLACKFIELD478410
BLACKFIELD478828 BLACKFIELD484290 BLACKFIELD488531
BLACKFIELD496547 BLACKFIELD497216 BLACKFIELD500073
BLACKFIELD512331 BLACKFIELD518316 BLACKFIELD520852
BLACKFIELD522135 BLACKFIELD532412 BLACKFIELD533060
BLACKFIELD533551 BLACKFIELD533886 BLACKFIELD534196
BLACKFIELD534956 BLACKFIELD538365 BLACKFIELD541148
BLACKFIELD544934 BLACKFIELD546640 BLACKFIELD548394
BLACKFIELD548464 BLACKFIELD549571 BLACKFIELD553715
BLACKFIELD558867 BLACKFIELD561870 BLACKFIELD566117
BLACKFIELD569313 BLACKFIELD569653 BLACKFIELD573498
BLACKFIELD576233 BLACKFIELD579344 BLACKFIELD579980
BLACKFIELD584113 BLACKFIELD586592 BLACKFIELD586934
BLACKFIELD591846 BLACKFIELD592556 BLACKFIELD594619
BLACKFIELD600999 BLACKFIELD601590 BLACKFIELD602567
BLACKFIELD606328 BLACKFIELD606964 BLACKFIELD607290
BLACKFIELD608914 BLACKFIELD609423 BLACKFIELD611993
BLACKFIELD613771 BLACKFIELD616527 BLACKFIELD617630
BLACKFIELD618519 BLACKFIELD622501 BLACKFIELD623122
BLACKFIELD624385 BLACKFIELD631162 BLACKFIELD631599
BLACKFIELD632329 BLACKFIELD634593 BLACKFIELD635996
BLACKFIELD639103 BLACKFIELD644281 BLACKFIELD651599
BLACKFIELD652779 BLACKFIELD653097 BLACKFIELD657263
BLACKFIELD665997 BLACKFIELD673073 BLACKFIELD676303
BLACKFIELD680939 BLACKFIELD682842 BLACKFIELD682949
BLACKFIELD683323 BLACKFIELD684814 BLACKFIELD686428
BLACKFIELD690642 BLACKFIELD691480 BLACKFIELD694429
BLACKFIELD695166 BLACKFIELD697473 BLACKFIELD701303
BLACKFIELD704154 BLACKFIELD706381 BLACKFIELD710285
BLACKFIELD713470 BLACKFIELD717683 BLACKFIELD724669
BLACKFIELD727512 BLACKFIELD732035 BLACKFIELD739227
BLACKFIELD739659 BLACKFIELD739765 BLACKFIELD744790
BLACKFIELD753480 BLACKFIELD753537 BLACKFIELD758945
BLACKFIELD759042 BLACKFIELD759079 BLACKFIELD763893
BLACKFIELD764430 BLACKFIELD765350 BLACKFIELD765982
BLACKFIELD767498 BLACKFIELD767820 BLACKFIELD768095
BLACKFIELD773118 BLACKFIELD773423 BLACKFIELD774376
BLACKFIELD775126 BLACKFIELD775986 BLACKFIELD781404
BLACKFIELD787464 BLACKFIELD787995 BLACKFIELD788523
BLACKFIELD789969 BLACKFIELD792484 BLACKFIELD793029
BLACKFIELD796301 BLACKFIELD802251 BLACKFIELD802875
BLACKFIELD813266 BLACKFIELD818863 BLACKFIELD819822
BLACKFIELD820995 BLACKFIELD826622 BLACKFIELD827906
BLACKFIELD828826 BLACKFIELD835725 BLACKFIELD837541
BLACKFIELD838710 BLACKFIELD839613 BLACKFIELD840481
BLACKFIELD842438 BLACKFIELD842593 BLACKFIELD843883
BLACKFIELD848660 BLACKFIELD859776 BLACKFIELD868068
BLACKFIELD869335 BLACKFIELD871753 BLACKFIELD875008
BLACKFIELD876916 BLACKFIELD877328 BLACKFIELD883784
BLACKFIELD884808 BLACKFIELD894905 BLACKFIELD895235
BLACKFIELD896715 BLACKFIELD898237 BLACKFIELD899238
BLACKFIELD899433 BLACKFIELD907614 BLACKFIELD908329
BLACKFIELD909590 BLACKFIELD911926 BLACKFIELD926559
BLACKFIELD932709 BLACKFIELD933887 BLACKFIELD937395
BLACKFIELD939200 BLACKFIELD939243 BLACKFIELD946435
BLACKFIELD946509 BLACKFIELD962495 BLACKFIELD962999
BLACKFIELD969352 BLACKFIELD971417 BLACKFIELD978938
BLACKFIELD990638 BLACKFIELD991588 BLACKFIELD994577
BLACKFIELD995218 BLACKFIELD996878 BLACKFIELD997545
BLACKFIELD998321 Guest krbtgt
lydericlefebvre support svc_backup
The command completed with one or more errors.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/5/2020 8:40 PM Administrator
d-r--- 2/1/2020 11:05 AM Public
d----- 11/4/2021 11:52 AM svc_backup
*Evil-WinRM* PS C:\Users\svc_backup\Documents> net localgroup ; net group /DOMAIN
Aliases for \\DC01
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Processes
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cmd /c tasklist /SVC
cmd.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\svc_backup\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
150 10 6688 12416 0.05 5932 0 conhost
499 19 2208 5356 388 0 csrss
263 12 2160 5056 472 1 csrss
359 15 3528 14612 5796 1 ctfmon
393 33 16116 22964 3464 0 dfsrs
153 8 2036 6180 3756 0 dfssvc
254 14 3980 13444 4160 0 dllhost
10374 9592 130852 128968 3508 0 dns
599 25 24268 53416 336 1 dwm
1491 58 23700 118960 6000 1 explorer
49 6 1440 4240 832 0 fontdrvhost
49 6 1800 5228 840 1 fontdrvhost
0 0 56 8 0 0 Idle
132 12 2004 5712 3552 0 ismserv
1734 183 57524 71496 620 0 lsass
563 30 36932 47172 3444 0 Microsoft.ActiveDirectory.WebServices
223 13 2980 10368 4504 0 msdtc
684 70 190256 232384 3660 0 MsMpEng
190 39 3192 8828 4772 0 NisSrv
0 13 336 13900 88 0 Registry
286 15 4956 16324 5140 1 RuntimeBroker
235 12 2736 16864 6028 1 RuntimeBroker
230 12 2360 12748 6432 1 RuntimeBroker
668 33 19964 63440 1736 1 SearchUI
639 14 6128 13644 604 0 services
781 31 17640 60404 5488 1 ShellExperienceHost
451 17 5040 24396 5432 1 sihost
53 3 496 1172 284 0 smss
471 22 5856 16756 3372 0 spoolsv
284 13 3752 11312 452 0 svchost
504 18 4176 12788 696 0 svchost
85 5 872 3784 812 0 svchost
842 20 6952 29864 848 0 svchost
900 20 5380 11932 940 0 svchost
293 11 2348 9960 992 0 svchost
130 17 4236 8160 1044 0 svchost
148 9 1824 6776 1052 0 svchost
208 12 1628 7260 1064 0 svchost
210 12 1976 9784 1100 0 svchost
189 12 2064 12012 1140 0 svchost
150 9 1704 11756 1152 0 svchost
141 7 1296 5704 1176 0 svchost
214 9 2088 7540 1204 0 svchost
241 13 2884 8940 1268 0 svchost
242 15 2436 9968 1328 0 svchost
395 13 11056 15176 1380 0 svchost
398 32 8268 17208 1472 0 svchost
366 16 4600 12884 1516 0 svchost
152 9 1408 6804 1600 0 svchost
276 16 3240 12312 1612 0 svchost
180 10 1912 8756 1640 0 svchost
229 12 2496 11324 1672 0 svchost
435 9 2776 8928 1688 0 svchost
144 7 1268 5732 1712 0 svchost
373 17 5116 21988 1768 0 svchost
171 10 1780 8024 1848 0 svchost
321 10 2532 8420 1928 0 svchost
193 9 1508 6612 1944 0 svchost
310 11 2000 8812 1956 0 svchost
140 9 1604 6536 2088 0 svchost
171 11 2504 13204 2096 0 svchost
159 8 1964 7252 2212 0 svchost
281 16 2788 11316 2268 0 svchost
225 10 2432 9288 2364 0 svchost
390 15 13344 22612 2400 0 svchost
461 17 3288 11884 2536 0 svchost
169 9 2992 7864 2964 0 svchost
206 11 2432 8552 3216 0 svchost
236 25 3976 13152 3456 0 svchost
444 20 19212 33872 3492 0 svchost
261 13 2568 7944 3520 0 svchost
133 9 1616 6592 3572 0 svchost
136 8 1432 6160 3592 0 svchost
297 21 3808 14432 3648 0 svchost
168 10 2128 13228 3668 0 svchost
221 12 2060 7460 3796 0 svchost
399 26 3536 12796 4088 0 svchost
381 19 26888 44176 5240 0 svchost
163 9 4152 11844 5372 0 svchost
266 13 2876 13900 5440 1 svchost
393 19 6760 29872 5468 1 svchost
198 11 2576 11568 5620 0 svchost
171 9 1496 7156 5720 0 svchost
249 14 3056 13688 5912 0 svchost
275 20 7952 13264 6212 0 svchost
269 14 3752 12888 6452 0 svchost
186 15 6004 10080 6752 0 svchost
129 7 1572 6292 7096 0 svchost
310 15 15396 17384 7140 0 svchost
1896 0 192 108 4 0 System
177 11 2612 11392 5516 1 taskhostw
211 16 2460 10548 4104 0 vds
174 12 3216 10336 3640 0 VGAuthService
385 22 9616 36492 3632 0 vmtoolsd
241 18 3896 17816 6564 1 vmtoolsd
290 14 3156 11076 5708 0 wermgr
170 11 1476 6956 460 0 wininit
271 12 2668 12604 532 1 winlogon
347 16 9072 25504 2792 0 WmiPrvSE
836 31 104512 128760 1.16 4012 0 wsmprovhost
2376 34 104676 143952 1.56 5288 0 wsmprovhost
wermgr
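The listening-socket table from netstat -ano and the ps process list above are only useful together: the PID column is what ties a port to the process that owns it. As an added example that is not part of the original notes, the following Python script correlates a constructed subset of both outputs (values copied from the page) by PID, labels the well-known ports, and flags the ports that cannot be attributed to a named service from this data alone, because svchost hosts many services and the tasklist /SVC call that would name them was denied above. The WELL_KNOWN labels, the sample constants and all function names are this example's own.

```python
import re

# Constructed sample input: a subset of the `netstat -ano | Select-String LIST`
# lines from the notes above (same addresses, ports and PIDs as on the page).
NETSTAT_SAMPLE = """\
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 940
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 696
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 3444
TCP 10.10.10.192:53 0.0.0.0:0 LISTENING 3508
TCP [::]:88 [::]:0 LISTENING 620
TCP [::]:3389 [::]:0 LISTENING 696
"""

# Constructed sample input: a subset of the `ps` (Get-Process) table above.
# Note that the CPU(s) column is blank for most rows, so the table is parsed
# from the right-hand side rather than by column index.
PS_SAMPLE = """\
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
10374 9592 130852 128968 3508 0 dns
1734 183 57524 71496 620 0 lsass
563 30 36932 47172 3444 0 Microsoft.ActiveDirectory.WebServices
900 20 5380 11932 940 0 svchost
504 18 4176 12788 696 0 svchost
1896 0 192 108 4 0 System
836 31 104512 128760 1.16 4012 0 wsmprovhost
"""

# Labels for the ports seen on the page (IANA / Microsoft assignments).
WELL_KNOWN = {53: "DNS", 88: "Kerberos", 135: "MS-RPC endpoint mapper",
              389: "LDAP", 445: "SMB", 636: "LDAPS", 3389: "RDP",
              5985: "WinRM (HTTP)", 9389: "AD Web Services"}

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_netstat_listeners(text):
    """Return [(local_ip, port, pid)] for every LISTENING TCP socket."""
    listeners = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        local, pid = m.group(1), int(m.group(2))
        ip, port = local.rsplit(":", 1)  # "[::]:88" -> "[::]", "88"
        listeners.append((ip, int(port), pid))
    return listeners


def parse_ps_table(text):
    """Return {pid: process_name}; Id is always the third token from the right."""
    procs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[-3].isdigit():
            continue  # header, separator or blank line
        procs[int(parts[-3])] = parts[-1]
    return procs


def correlate(netstat_text, ps_text):
    """Map port -> {pid, process, addresses}; process is None for unknown PIDs.
    The first PID seen for a port wins (v4 and v6 sockets share one owner here)."""
    procs = parse_ps_table(ps_text)
    by_port = {}
    for ip, port, pid in parse_netstat_listeners(netstat_text):
        entry = by_port.setdefault(
            port, {"pid": pid, "process": procs.get(pid), "addresses": set()})
        entry["addresses"].add(ip)
    return by_port


def unattributed_ports(by_port):
    """Ports that this data cannot tie to a named service: the PID is absent
    from the process list, or the owner is a generic svchost host process."""
    return sorted(p for p, e in by_port.items() if e["process"] in (None, "svchost"))


def report(by_port):
    """One human-readable line per port, sorted by port number."""
    lines = []
    for port in sorted(by_port):
        e = by_port[port]
        addrs = ", ".join(sorted(e["addresses"]))
        lines.append(f"{port:>5} {WELL_KNOWN.get(port, 'unknown'):<24} "
                     f"pid={e['pid']:<5} {e['process'] or '?'} on {addrs}")
    return lines


if __name__ == "__main__":
    ports = correlate(NETSTAT_SAMPLE, PS_SAMPLE)
    print("\n".join(report(ports)))
    print("still needs tasklist /SVC to name the service:", unattributed_ports(ports))
```

On the sample this resolves Kerberos, LDAP and LDAPS to lsass, DNS to dns.exe, SMB and WinRM to PID 4 (System) and ADWS to Microsoft.ActiveDirectory.WebServices, while 135 and 3389 stay unattributed because both are hosted by svchost; that is exactly the gap the denied tasklist /SVC call leaves in the notes.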
Services
*Evil-WinRM* PS C:\Users\svc_backup\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{B8BB2183-2CD7-4456-80E7-3E78CDEDE255}\MpKslDrv.sys False MpKslb46fe811
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" False VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" False VMTools
"C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\CommAmqpListener.exe" False VMwareCAFCommAmqpListener
"C:\Program Files\VMware\VMware Tools\VMware CAF\pme\bin\ManagementAgentHost.exe" False VMwareCAFManagementAgentHost
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2009.7-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\platform\4.18.2009.7-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
Tasks
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Firewall & AV
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
FW is enabled on both the Domain and Standard profiles; dropped-packet and connection logging are disabled
*Evil-WinRM* PS C:\Users\svc_backup\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
AV is likely enabled (the CIM query is denied, but Defender's MsMpEng and NisSrv processes appear in the process list above)
Session Architecture
*Evil-WinRM* PS C:\Users\svc_backup\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\svc_backup\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is 5BDD-68B4
Directory of C:\Windows\Microsoft.NET\Framework
09/14/2018 11:19 PM <DIR> .
09/14/2018 11:19 PM <DIR> ..
09/14/2018 11:19 PM <DIR> v1.0.3705
09/14/2018 11:19 PM <DIR> v1.1.4322
09/14/2018 11:19 PM <DIR> v2.0.50727
12/22/2023 05:36 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 6,925,500,416 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET Framework 4.7.03190 is installed (NDP\v4\Full, Release 0x70bf6)