System/Kernel


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cmd /c ver
 
Microsoft Windows [Version 10.0.20348.2700]
 
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
 
WindowsBuildLabEx                                       : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 3/14/2024 10:43:33 AM
WindowsProductId                                        : 00454-20165-01481-AA720
WindowsProductName                                      : Windows Server 2022 Standard
WindowsRegisteredOrganization                           :
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 2009
OSDisplayVersion                                        : 21H2
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

10.0.20348.2700 Windows Server 2022 Standard FullServer

Networks


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> arp -a ; print route
 
Interface: 10.129.41.192 --- 0x6
  Internet Address      Physical Address      Type
  10.129.0.1            00-50-56-94-39-11     dynamic
  10.129.1.78           00-50-56-94-f2-f5     dynamic
  10.129.1.131          00-50-56-94-46-37     dynamic
  10.129.1.255          00-50-56-94-29-42     dynamic
  10.129.3.12           00-50-56-94-37-b5     dynamic
  10.129.3.158          00-50-56-94-7d-b1     dynamic
  10.129.5.159          00-50-56-94-ee-ea     dynamic
  10.129.7.46           00-50-56-94-60-67     dynamic
  10.129.8.234          00-50-56-94-59-8e     dynamic
  10.129.9.103          00-50-56-94-5d-1e     dynamic
  10.129.9.169          00-50-56-94-e5-a9     dynamic
  10.129.11.55          00-50-56-94-f4-1c     dynamic
  10.129.11.187         00-50-56-94-73-00     dynamic
  10.129.14.101         00-50-56-94-3f-9a     dynamic
  10.129.16.108         00-50-56-94-19-30     dynamic
  10.129.16.178         00-50-56-94-95-1e     dynamic
  10.129.16.201         00-50-56-94-c4-98     dynamic
  10.129.16.218         00-50-56-94-8f-bf     dynamic
  10.129.19.144         00-50-56-94-46-eb     dynamic
  10.129.22.222         00-50-56-94-d0-c0     dynamic
  10.129.23.15          00-50-56-94-51-58     dynamic
  10.129.24.214         00-50-56-94-48-37     dynamic
  10.129.26.14          00-50-56-94-9e-6d     dynamic
  10.129.26.156         00-50-56-94-b2-75     dynamic
  10.129.27.45          00-50-56-94-4a-00     dynamic
  10.129.28.68          00-50-56-94-db-3a     dynamic
  10.129.28.123         00-50-56-94-80-14     dynamic
  10.129.29.141         00-50-56-94-d7-d8     dynamic
  10.129.29.173         00-50-56-94-16-95     dynamic
  10.129.29.244         00-50-56-94-16-fc     dynamic
  10.129.30.91          00-50-56-94-84-b5     dynamic
  10.129.31.53          00-50-56-94-4c-1d     dynamic
  10.129.31.186         00-50-56-94-41-48     dynamic
  10.129.32.25          00-50-56-94-52-21     dynamic
  10.129.32.207         00-50-56-94-e7-00     dynamic
  10.129.35.241         00-50-56-94-70-2e     dynamic
  10.129.36.26          00-50-56-94-12-6f     dynamic
  10.129.37.24          00-50-56-94-d2-86     dynamic
  10.129.41.9           00-50-56-94-82-59     dynamic
  10.129.42.143         00-50-56-94-0a-d6     dynamic
  10.129.42.236         00-50-56-94-45-43     dynamic
  10.129.44.61          00-50-56-94-31-5d     dynamic
  10.129.44.85          00-50-56-94-0c-80     dynamic
  10.129.44.86          00-50-56-94-5b-28     dynamic
  10.129.44.148         00-50-56-94-bc-13     dynamic
  10.129.45.15          00-50-56-94-6d-5e     dynamic
  10.129.45.58          00-50-56-94-7d-6a     dynamic
  10.129.45.84          00-50-56-94-9a-64     dynamic
  10.129.46.215         00-50-56-94-92-07     dynamic
  10.129.47.219         00-50-56-94-60-57     dynamic
  10.129.47.238         00-50-56-94-14-87     dynamic
  10.129.49.85          00-50-56-94-70-5a     dynamic
  10.129.49.198         00-50-56-94-15-dc     dynamic
  10.129.50.163         00-50-56-94-14-7d     dynamic
  10.129.50.226         00-50-56-94-e9-f3     dynamic
  10.129.51.61          00-50-56-94-2f-a2     dynamic
  10.129.52.9           00-50-56-94-68-03     dynamic
  10.129.52.45          00-50-56-94-f6-c3     dynamic
  10.129.54.46          00-50-56-94-fe-66     dynamic
  10.129.54.198         00-50-56-94-b1-c2     dynamic
  10.129.54.207         00-50-56-94-b3-a3     dynamic
  10.129.55.20          00-50-56-94-8c-ea     dynamic
  10.129.55.162         00-50-56-94-4c-68     dynamic
  10.129.55.184         00-50-56-94-17-da     dynamic
  10.129.57.80          00-50-56-94-86-56     dynamic
  10.129.58.133         00-50-56-94-f8-69     dynamic
  10.129.59.74          00-50-56-94-72-a0     dynamic
  10.129.59.95          00-50-56-94-1d-bb     dynamic
  10.129.60.86          00-50-56-94-7e-a0     dynamic
  10.129.61.108         00-50-56-94-8d-78     dynamic
  10.129.61.139         00-50-56-94-60-16     dynamic
  10.129.61.255         00-50-56-94-e6-80     dynamic
  10.129.64.143         00-50-56-94-2c-7d     dynamic
  10.129.66.169         00-50-56-94-2e-f4     dynamic
  10.129.66.170         00-50-56-94-f3-db     dynamic
  10.129.67.73          00-50-56-94-d8-f8     dynamic
  10.129.67.123         00-50-56-94-94-4b     dynamic
  10.129.67.155         00-50-56-94-e5-8a     dynamic
  10.129.68.77          00-50-56-94-89-b0     dynamic
  10.129.69.201         00-50-56-94-c7-b7     dynamic
  10.129.70.41          00-50-56-94-e9-4d     dynamic
  10.129.72.80          00-50-56-94-97-4d     dynamic
  10.129.72.216         00-50-56-94-dd-4f     dynamic
  10.129.74.93          00-50-56-94-81-eb     dynamic
  10.129.74.140         00-50-56-94-f1-fe     dynamic
  10.129.74.143         00-50-56-94-f3-54     dynamic
  10.129.78.250         00-50-56-94-3b-c3     dynamic
  10.129.79.59          00-50-56-94-a6-a1     dynamic
  10.129.80.126         00-50-56-94-4a-0e     dynamic
  10.129.83.16          00-50-56-94-e4-d6     dynamic
  10.129.83.28          00-50-56-94-3a-f7     dynamic
  10.129.83.221         00-50-56-94-90-7c     dynamic
  10.129.84.101         00-50-56-94-3e-1d     dynamic
  10.129.86.14          00-50-56-94-36-8e     dynamic
  10.129.86.18          00-50-56-94-59-b8     dynamic
  10.129.86.149         00-50-56-94-81-6e     dynamic
  10.129.86.191         00-50-56-94-ac-8b     dynamic
  10.129.86.198         00-50-56-94-58-5d     dynamic
  10.129.87.216         00-50-56-94-6d-d1     dynamic
  10.129.87.232         00-50-56-94-2c-a6     dynamic
  10.129.88.145         00-50-56-94-9c-42     dynamic
  10.129.89.26          00-50-56-94-da-e2     dynamic
  10.129.89.186         00-50-56-94-11-5f     dynamic
  10.129.89.241         00-50-56-94-13-34     dynamic
  10.129.93.140         00-50-56-94-0b-3e     dynamic
  10.129.95.84          00-50-56-94-07-36     dynamic
  10.129.97.108         00-50-56-94-3a-c9     dynamic
  10.129.100.208        00-50-56-94-46-72     dynamic
  10.129.101.8          00-50-56-94-5b-df     dynamic
  10.129.102.193        00-50-56-94-b1-2a     dynamic
  10.129.103.101        00-50-56-94-eb-1c     dynamic
  10.129.103.206        00-50-56-94-98-eb     dynamic
  10.129.104.63         00-50-56-94-0f-8e     dynamic
  10.129.104.113        00-50-56-94-d6-7a     dynamic
  10.129.104.178        00-50-56-94-e8-a3     dynamic
  10.129.104.202        00-50-56-94-cc-e8     dynamic
  10.129.104.253        00-50-56-94-c3-ea     dynamic
  10.129.105.238        00-50-56-94-2c-e8     dynamic
  10.129.106.0          00-50-56-94-dd-ac     dynamic
  10.129.109.181        00-50-56-94-9c-b4     dynamic
  10.129.109.190        00-50-56-94-9d-2a     dynamic
  10.129.111.183        00-50-56-94-4f-ac     dynamic
  10.129.113.0          00-50-56-94-f5-6e     dynamic
  10.129.113.158        00-50-56-94-51-d7     dynamic
  10.129.115.169        00-50-56-94-ad-ba     dynamic
  10.129.118.121        00-50-56-94-43-2f     dynamic
  10.129.121.136        00-50-56-94-c8-ea     dynamic
  10.129.121.204        00-50-56-94-54-7c     dynamic
  10.129.123.22         00-50-56-94-2b-f4     dynamic
  10.129.123.145        00-50-56-94-15-21     dynamic
  10.129.123.146        00-50-56-94-53-ff     dynamic
  10.129.127.168        00-50-56-94-22-ce     dynamic
  10.129.127.178        00-50-56-94-30-48     dynamic
  10.129.129.27         00-50-56-94-83-c3     dynamic
  10.129.129.29         00-50-56-94-13-ec     dynamic
  10.129.130.117        00-50-56-94-90-70     dynamic
  10.129.130.202        00-50-56-94-31-d5     dynamic
  10.129.132.3          00-50-56-94-09-d6     dynamic
  10.129.132.16         00-50-56-94-7e-bc     dynamic
  10.129.133.236        00-50-56-94-c0-4b     dynamic
  10.129.134.85         00-50-56-94-b2-9a     dynamic
  10.129.135.45         00-50-56-94-5c-1e     dynamic
  10.129.136.37         00-50-56-94-3e-29     dynamic
  10.129.136.190        00-50-56-94-6d-7d     dynamic
  10.129.137.43         00-50-56-94-be-65     dynamic
  10.129.137.74         00-50-56-94-4e-18     dynamic
  10.129.137.80         00-50-56-94-4d-1c     dynamic
  10.129.137.85         00-50-56-94-9b-f6     dynamic
  10.129.137.108        00-50-56-94-03-14     dynamic
  10.129.137.133        00-50-56-94-1f-82     dynamic
  10.129.137.147        00-50-56-94-90-79     dynamic
  10.129.138.74         00-50-56-94-2a-d3     dynamic
  10.129.139.59         00-50-56-94-46-fd     dynamic
  10.129.139.142        00-50-56-94-61-4c     dynamic
  10.129.139.148        00-50-56-94-0a-29     dynamic
  10.129.139.228        00-50-56-94-7d-a6     dynamic
  10.129.140.98         00-50-56-94-46-8b     dynamic
  10.129.140.131        00-50-56-94-91-35     dynamic
  10.129.142.155        00-50-56-94-fb-7e     dynamic
  10.129.143.100        00-50-56-94-19-5a     dynamic
  10.129.145.139        00-50-56-94-28-3c     dynamic
  10.129.146.15         00-50-56-94-d1-1a     dynamic
  10.129.147.21         00-50-56-94-45-00     dynamic
  10.129.149.69         00-50-56-94-e4-d7     dynamic
  10.129.149.157        00-50-56-94-e5-f7     dynamic
  10.129.150.21         00-50-56-94-cf-8c     dynamic
  10.129.151.238        00-50-56-94-d6-8b     dynamic
  10.129.152.163        00-50-56-94-04-65     dynamic
  10.129.153.33         00-50-56-94-c8-5e     dynamic
  10.129.153.83         00-50-56-94-64-f5     dynamic
  10.129.153.192        00-50-56-94-51-3d     dynamic
  10.129.154.150        00-50-56-94-ef-62     dynamic
  10.129.155.84         00-50-56-94-a0-2e     dynamic
  10.129.158.125        00-50-56-94-00-8f     dynamic
  10.129.159.177        00-50-56-94-aa-e5     dynamic
  10.129.160.238        00-50-56-94-a7-9e     dynamic
  10.129.162.76         00-50-56-94-8b-f4     dynamic
  10.129.163.70         00-50-56-94-0f-b3     dynamic
  10.129.164.105        00-50-56-94-57-54     dynamic
  10.129.164.124        00-50-56-94-b3-98     dynamic
  10.129.164.206        00-50-56-94-b4-5e     dynamic
  10.129.165.181        00-50-56-94-f9-1d     dynamic
  10.129.166.143        00-50-56-94-f2-a0     dynamic
  10.129.166.251        00-50-56-94-75-03     dynamic
  10.129.167.5          00-50-56-94-d9-38     dynamic
  10.129.167.49         00-50-56-94-7f-d4     dynamic
  10.129.168.88         00-50-56-94-e7-39     dynamic
  10.129.169.207        00-50-56-94-c4-cc     dynamic
  10.129.169.216        00-50-56-94-6f-4b     dynamic
  10.129.170.82         00-50-56-94-51-65     dynamic
  10.129.172.172        00-50-56-94-ed-94     dynamic
  10.129.174.13         00-50-56-94-50-53     dynamic
  10.129.174.77         00-50-56-94-88-6d     dynamic
  10.129.174.245        00-50-56-94-4d-91     dynamic
  10.129.176.183        00-50-56-94-e7-fd     dynamic
  10.129.176.237        00-50-56-94-47-c9     dynamic
  10.129.178.141        00-50-56-94-6f-93     dynamic
  10.129.178.157        00-50-56-94-53-dc     dynamic
  10.129.179.60         00-50-56-94-d1-c1     dynamic
  10.129.179.250        00-50-56-94-d1-0b     dynamic
  10.129.180.51         00-50-56-94-fb-e7     dynamic
  10.129.180.156        00-50-56-94-3c-bd     dynamic
  10.129.181.47         00-50-56-94-81-b0     dynamic
  10.129.182.93         00-50-56-94-12-cf     dynamic
  10.129.182.97         00-50-56-94-38-fa     dynamic
  10.129.182.242        00-50-56-94-c6-9d     dynamic
  10.129.182.248        00-50-56-94-83-bd     dynamic
  10.129.183.61         00-50-56-94-92-b2     dynamic
  10.129.183.91         00-50-56-94-90-a9     dynamic
  10.129.183.99         00-50-56-94-d3-2b     dynamic
  10.129.183.163        00-50-56-94-da-4c     dynamic
  10.129.183.187        00-50-56-94-2b-6f     dynamic
  10.129.184.77         00-50-56-94-26-eb     dynamic
  10.129.186.50         00-50-56-94-66-17     dynamic
  10.129.186.159        00-50-56-94-42-c2     dynamic
  10.129.186.238        00-50-56-94-44-94     dynamic
  10.129.187.93         00-50-56-94-5d-77     dynamic
  10.129.188.205        00-50-56-94-f9-ff     dynamic
  10.129.188.251        00-50-56-94-2e-72     dynamic
  10.129.189.109        00-50-56-94-86-50     dynamic
  10.129.189.129        00-50-56-94-a8-09     dynamic
  10.129.189.188        00-50-56-94-db-ce     dynamic
  10.129.190.50         00-50-56-94-0c-a9     dynamic
  10.129.190.234        00-50-56-94-89-03     dynamic
  10.129.192.149        00-50-56-94-fe-c8     dynamic
  10.129.192.198        00-50-56-94-a8-10     dynamic
  10.129.192.218        00-50-56-94-14-b1     dynamic
  10.129.193.231        00-50-56-94-dc-0a     dynamic
  10.129.194.138        00-50-56-94-cb-df     dynamic
  10.129.195.147        00-50-56-94-10-73     dynamic
  10.129.196.32         00-50-56-94-cb-77     dynamic
  10.129.196.186        00-50-56-94-ee-da     dynamic
  10.129.196.232        00-50-56-94-5c-93     dynamic
  10.129.198.143        00-50-56-94-91-b1     dynamic
  10.129.199.170        00-50-56-94-db-15     dynamic
  10.129.204.108        00-50-56-94-dd-ed     dynamic
  10.129.204.245        00-50-56-94-dc-b4     dynamic
  10.129.209.31         00-50-56-94-76-ac     dynamic
  10.129.209.138        00-50-56-94-8d-c9     dynamic
  10.129.209.145        00-50-56-94-57-82     dynamic
  10.129.209.245        00-50-56-94-68-21     dynamic
  10.129.210.19         00-50-56-94-22-f7     dynamic
  10.129.211.132        00-50-56-94-9d-d8     dynamic
  10.129.212.204        00-50-56-94-2a-f5     dynamic
  10.129.213.103        00-50-56-94-88-ca     dynamic
  10.129.213.115        00-50-56-94-4b-f0     dynamic
  10.129.215.7          00-50-56-94-e4-2a     dynamic
  10.129.215.38         00-50-56-94-9c-2f     dynamic
  10.129.215.121        00-50-56-94-65-12     dynamic
  10.129.215.230        00-50-56-94-c2-6d     dynamic
  10.129.216.15         00-50-56-94-a8-92     dynamic
  10.129.217.91         00-50-56-94-6b-96     dynamic
  10.129.217.151        00-50-56-94-b1-c0     dynamic
  10.129.217.255        00-50-56-94-b8-02     dynamic
  10.129.218.6          00-50-56-94-4b-d3     dynamic
  10.129.218.136        00-50-56-94-d8-f0     dynamic
  10.129.218.239        00-50-56-94-43-0c     dynamic
  10.129.220.9          00-50-56-94-01-74     dynamic
  10.129.220.55         00-50-56-94-99-3b     dynamic
  10.129.220.182        00-50-56-94-d9-32     dynamic
  10.129.220.244        00-50-56-94-27-8a     dynamic
  10.129.221.88         00-50-56-94-59-2d     dynamic
  10.129.222.236        00-50-56-94-0b-25     dynamic
  10.129.223.7          00-50-56-94-39-c2     dynamic
  10.129.223.55         00-50-56-94-fa-06     dynamic
  10.129.223.227        00-50-56-94-66-11     dynamic
  10.129.224.158        00-50-56-94-47-52     dynamic
  10.129.225.39         00-50-56-94-f0-eb     dynamic
  10.129.225.41         00-50-56-94-4b-7f     dynamic
  10.129.225.54         00-50-56-94-7d-d6     dynamic
  10.129.226.221        00-50-56-94-b2-0d     dynamic
  10.129.227.80         00-50-56-94-f0-c4     dynamic
  10.129.227.109        00-50-56-94-4c-80     dynamic
  10.129.230.10         00-50-56-94-e6-64     dynamic
  10.129.230.134        00-50-56-94-aa-80     dynamic
  10.129.230.191        00-50-56-94-87-e7     dynamic
  10.129.231.149        00-50-56-94-80-c6     dynamic
  10.129.231.205        00-50-56-94-28-e3     dynamic
  10.129.232.174        00-50-56-94-05-3a     dynamic
  10.129.234.251        00-50-56-94-6c-cf     dynamic
  10.129.236.130        00-50-56-94-00-c4     dynamic
  10.129.239.82         00-50-56-94-86-0c     dynamic
  10.129.239.138        00-50-56-94-5a-e3     dynamic
  10.129.240.211        00-50-56-94-f5-ea     dynamic
  10.129.241.44         00-50-56-94-be-62     dynamic
  10.129.241.148        00-50-56-94-c1-16     dynamic
  10.129.243.97         00-50-56-94-cb-b2     dynamic
  10.129.243.178        00-50-56-94-c3-72     dynamic
  10.129.244.41         00-50-56-94-df-ed     dynamic
  10.129.244.84         00-50-56-94-72-09     dynamic
  10.129.244.252        00-50-56-94-68-dd     dynamic
  10.129.245.59         00-50-56-94-26-d4     dynamic
  10.129.245.210        00-50-56-94-1d-69     dynamic
  10.129.250.218        00-50-56-94-60-37     dynamic
  10.129.251.150        00-50-56-94-2e-d9     dynamic
  10.129.252.95         00-50-56-94-ac-c9     dynamic
  10.129.253.242        00-50-56-94-7b-33     dynamic
  10.129.254.54         00-50-56-94-73-76     dynamic
  10.129.255.117        00-50-56-94-0e-f7     dynamic
  10.129.255.255        ff-ff-ff-ff-ff-ff     static
  169.254.26.215        00-50-56-94-c1-16     dynamic
  169.254.82.89         00-50-56-94-31-d5     dynamic
  169.254.97.10         00-50-56-94-9b-f6     dynamic
  169.254.105.165       00-50-56-94-e6-64     dynamic
  169.254.127.145       00-50-56-94-c6-9d     dynamic
  169.254.141.255       00-50-56-94-97-4d     dynamic
  169.254.150.3         00-50-56-94-e6-80     dynamic
  169.254.152.209       00-50-56-94-ee-da     dynamic
  169.254.196.91        00-50-56-94-4a-00     dynamic
  169.254.201.224       00-50-56-94-3a-f7     dynamic
  169.254.207.104       00-50-56-94-b2-9a     dynamic
  169.254.247.247       00-50-56-94-14-87     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
Unable to initialize device PRN
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : CICADA-DC
   Primary Dns Suffix  . . . . . . . : cicada.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : cicada.htb
                                       htb
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . : .htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-94-FB-10
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:beef::29(Preferred)
   Lease Obtained. . . . . . . . . . : Thursday, September 26, 2024 11:06:38 AM
   Lease Expires . . . . . . . . . . : Saturday, September 28, 2024 10:06:39 PM
   IPv6 Address. . . . . . . . . . . : dead:beef::46c0:3971:5ebf:3844(Preferred)
   Link-local IPv6 Address . . . . . : fe80::f65a:ca26:f7f6:2508%6(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.129.41.192(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Lease Obtained. . . . . . . . . . : Thursday, September 26, 2024 11:06:33 AM
   Lease Expires . . . . . . . . . . : Saturday, September 28, 2024 10:06:33 PM
   Default Gateway . . . . . . . . . : fe80::250:56ff:fe94:3911%6
                                       10.129.0.1
   DHCP Server . . . . . . . . . . . : 10.129.0.1
   DHCPv6 IAID . . . . . . . . . . . : 369119318
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2E-87-5A-F3-00-50-56-94-FB-10
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List : htb

Users & Groups


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> net users ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            david.orelious           emily.oscars
Guest                    john.smoulder            krbtgt
michael.wrightson        sarah.dantelia
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         8/26/2024   1:10 PM                Administrator
d-----         8/22/2024   2:22 PM                emily.oscars.CICADA
d-r---         3/14/2024   3:45 AM                Public

emily.oscars.CICADA

*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\CICADA-DC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Dev Support
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Groups
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

Dev Support group (non-default domain group listed above)

Processes


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    114       8     3564       8476              3512   0 AggregatorHost
    143      10     6564      12700       0.03   1176   0 conhost
    141      10     6528      12644       0.05   5164   0 conhost
    499      21     2060       6408               400   0 csrss
    179      11     1820       6000               504   1 csrss
    415      34    18508      26960              2928   0 dfsrs
    205      14     2488       9024              1500   0 dfssvc
    280      15     3916      14868              3724   0 dllhost
  10411    7481   130796     129992              3040   0 dns
    624      26    24772      47656               348   1 dwm
     39       6     1480       4064              4352   1 fontdrvhost
     39       6     1408       3916              4360   0 fontdrvhost
      0       0       60          8                 0   0 Idle
    152      13     1844       6424              3020   0 ismserv
    450      27    11396      51224              4848   1 LogonUI
   2148     277    81216      91576               672   0 lsass
    723      32    37600      49448              1620   0 Microsoft.ActiveDirectory.WebServices
    238      14     2920      11184              3904   0 msdtc
      0       7     1528      62620               100   0 Registry
    247      13     8264       5680              1752   0 rundll32
    583      15     5408      13936               652   0 services
     57       3     1076       1244               304   0 smss
    478      25     5920      19032              2888   0 spoolsv
    274      14     3460      11872               800   0 svchost
    777      15     5140      15096               872   0 svchost
    724      19     4248      11228               912   0 svchost
    232      11     1824       7736               972   0 svchost
    194      11     1840       8660              1044   0 svchost
    118       8     1348       5776              1076   0 svchost
    125      14     3088       7584              1084   0 svchost
    197      12     1668       7612              1092   0 svchost
    129       8     1376       6352              1100   0 svchost
    229      11     2064       8188              1168   0 svchost
    303      17     4036      11264              1188   0 svchost
    342      14    12532      17516              1240   0 svchost
    359      14     2552      10840              1360   0 svchost
    421      32    10992      21000              1364   0 svchost
    394      17     4184      13656              1448   0 svchost
    275      17     3256      13724              1468   0 svchost
    199      12     2272      11672              1504   0 svchost
    429      10     2828       9392              1516   0 svchost
    122       8     1276       6176              1524   0 svchost
    134       9     1348       6172              1600   0 svchost
    370      18     4952      15792              1640   0 svchost
    420      14     2760      11052              1656   0 svchost
    289      12     1876       9184              1692   0 svchost
    179      12     1884       8840              1716   0 svchost
    141      10     1588       7104              1736   0 svchost
    225      13     2196      10024              1824   0 svchost
    171      10     1928       8036              1976   0 svchost
    155       9     1652       8048              2072   0 svchost
    247      14     2260       9308              2140   0 svchost
    391      16    10660      20732              2204   0 svchost
    252      26     3452      13720              2364   0 svchost
    128       9     1472      11392              2504   0 svchost
    292      35     3536      14376              2624   0 svchost
    251      14     3068      14968              2688   0 svchost
    138       9     1464       7100              2696   0 svchost
    211      11     2332       9444              2804   0 svchost
    476      23    14288      31084              2916   0 svchost
    271      14     2608       8712              2940   0 svchost
    125       8     1296       6352              2948   0 svchost
    139       9     1684       7104              2984   0 svchost
    154      42     1680       7404              3008   0 svchost
    135       9     3200      10468              3824   0 svchost
    193      16     6168      10892              4220   0 svchost
    237      14     2704      12344              4380   0 svchost
    125       9     1404       7540              4480   0 svchost
    154       9     1520       8188              4568   0 svchost
    401      26     3628      14192              4736   0 svchost
    206      12     2232      11716              5732   0 svchost
    301      17    12064      17656              5804   0 svchost
    242      13     3436      10872              5896   0 svchost
    286      20     8284      16536              6024   0 svchost
   1551       0       40        136                 4   0 System
    205      16     2256      10984              3404   0 vds
    172      12     3260      12372              2644   0 VGAuthService
    126       8     1444       6488              2712   0 vm3dservice
    125       9     1552       6948              3260   1 vm3dservice
    121       9     1436       6720              3984   1 vm3dservice
    399      24    11264      25204              2520   0 vmtoolsd
    151      11     1400       7184               528   0 wininit
    224      13     2796      18468               564   1 winlogon
    358      22    12308      24728              4016   0 WmiPrvSE
   1461      32    81504     103876       0.55   4036   0 wsmprovhost
   1426      33   105660     129544       0.84   5700   0 wsmprovhost

spoolsv (Print Spooler service) is running

Tasks


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
 
 
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Firewall & AV


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   Yes         Network Discovery
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+                        ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

Firewall: Domain + Standard profiles Enable, no program/port exceptions, dropped-packet and connection logging Disable; Defender: Get-MpComputerStatus / Get-MpPreference denied (cannot reach CIM server from this session)

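The two checks in this section answer different questions, and the second one failed: `netsh firewall` (deprecated, but its output above is still valid) shows the Domain and Standard profiles enabled with no custom port or program exceptions and no dropped-packet logging, while `Get-MpComputerStatus` could not reach the CIM server from this WinRM session. The block below is an added example, not part of the original session or of any tool on the page, that collects the same information from sources that do not need CIM: the Windows Firewall policy mirror in the registry, the Service Control Manager, the process list and the Defender registry keys. The registry paths, service and process names are the standard Windows ones; the function names and output layout are mine, and the Defender exclusion keys are expected to come back as not readable for a low-privileged user on a patched build.

```powershell
# Added example, not from the original session. Firewall and Defender state without CIM/WMI.

function Get-FirewallState {
    # Preferred path: Get-NetFirewallProfile, the supported replacement for "netsh firewall".
    # It also goes through CIM, so where CIM is denied we fall back to the registry mirror
    # of the profile policy, which ordinary users can read.
    try {
        Get-NetFirewallProfile -ErrorAction Stop |
            Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction,
                          LogAllowed, LogBlocked, LogFileName
        return
    } catch {
        Write-Verbose "Get-NetFirewallProfile failed ($($_.Exception.Message)); reading registry"
    }
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $p   = Get-ItemProperty "$base\$profile"         -ErrorAction SilentlyContinue
        $log = Get-ItemProperty "$base\$profile\Logging" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Name            = $profile
            Enabled         = [bool]$p.EnableFirewall
            BlockAllInbound = [bool]$p.DoNotAllowExceptions   # 1 = "shields up", inbound rules ignored
            LogDropped      = [bool]$log.LogDroppedPackets
            LogConnections  = [bool]$log.LogSuccessfulConnections
            LogFile         = $log.LogFilePath
        }
    }
}

function Get-DefenderState {
    # SCM and the process list do not need CIM. WinDefend = AV engine, WdNisSvc = network
    # inspection, Sense = Defender for Endpoint sensor (absent when the host is not onboarded).
    $svc  = Get-Service -Name WinDefend, WdNisSvc, Sense -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name)=$($_.Status)" }
    $proc = Get-Process -Name MsMpEng, NisSrv, MsSense -ErrorAction SilentlyContinue |
            ForEach-Object { "$($_.Name)[$($_.Id)]" }

    $rtp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'          -ErrorAction SilentlyContinue
    $ftr = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Features'          -ErrorAction SilentlyContinue

    # Exclusions: Microsoft restricted these subkeys to SYSTEM in 2022, so "not readable"
    # is the expected answer for a low-privileged user on a patched build. Report, don't fail.
    $excl = foreach ($k in 'Paths', 'Extensions', 'Processes') {
        try {
            $names = (Get-Item "HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\$k" -ErrorAction Stop).Property
            if ($names) { "${k}: $($names -join ', ')" } else { "${k}: none" }
        } catch {
            "${k}: not readable ($($_.Exception.GetType().Name))"
        }
    }

    [pscustomobject]@{
        Services              = ($svc  -join '; ')
        Processes             = ($proc -join '; ')
        RealtimeMonitoringOff = [bool]$rtp.DisableRealtimeMonitoring
        DisabledByPolicy      = [bool]$pol.DisableAntiSpyware
        TamperProtection      = $ftr.TamperProtection     # 5 = on, 4 = off, absent/0 = unknown
        Exclusions            = ($excl -join ' | ')
    }
}

Get-FirewallState | Format-Table -AutoSize
Get-DefenderState | Format-List
```

If the CIM path is denied the firewall output comes from the registry and carries no rule detail; for rules, `netsh advfirewall firewall show rule name=all dir=in` is the non-CIM equivalent of what `Get-NetFirewallRule` would give, and its output is large enough that you will want to filter on `Enabled: Yes` and `Action: Allow`.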
Session Architecture


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\emily.oscars.CICADA\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is 1B60-8905
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
05/08/2021  01:34 AM    <DIR>          .
09/28/2024  01:06 PM    <DIR>          ..
05/08/2021  01:34 AM    <DIR>          v1.0.3705
05/08/2021  01:34 AM    <DIR>          v1.1.4322
05/08/2021  01:20 AM    <DIR>          v2.0.50727
09/28/2024  01:06 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   1,086,349,312 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET Framework 4.8.04161 (Release 0x81041 = 528449, i.e. 4.8 on Server 2022); only the v4 keys exist under NDP, no v3.5, so the v1.x and v2.0.50727 folders are not backed by an installed runtime and only CLR 4 is available
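Taken together, the two sections above say the session is a 64-bit process and the only runtime the registry reports is .NET Framework 4 (Release 0x81041 = 528449, which is 4.8 on Windows Server 2022). The v1.0, v1.1 and v2.0.50727 folders under C:\Windows\Microsoft.NET\Framework exist on every build and are not evidence that those runtimes are installed; with no NDP\v3.5 key, nothing targeting CLR 2 will load here until the .NET 3.5 feature is added. The PowerShell below is an added example, not from the original session, that makes that inference mechanically: it reports the session's bitness and CLR version, decodes the NDP Release value against Microsoft's documented minimum values per version, and flags Framework directories with no installed runtime behind them. Registry paths and Release thresholds are Microsoft's; the function names and output shape are my own.

```powershell
# Added example, not from the original session. Session runtime vs. installed .NET runtimes.

function Get-SessionRuntime {
    # What this shell is, independent of what the OS has installed.
    [pscustomobject]@{
        Is64BitProcess = [Environment]::Is64BitProcess
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        CLRVersion     = [Environment]::Version.ToString()   # 4.0.30319.x for every .NET Framework 4.x
        PSVersion      = $PSVersionTable.PSVersion.ToString()
        PSEdition      = $PSVersionTable.PSEdition           # Desktop = .NET Framework host, Core = .NET host
        HostPath       = (Get-Process -Id $PID).Path
    }
}

function ConvertFrom-NdpRelease {
    param([Parameter(Mandatory)][int]$Release)
    # Minimum Release value per .NET Framework version (Microsoft's documented thresholds),
    # highest first: a Release at or above a threshold is that version or later.
    $thresholds = @(
        @(533320, '4.8.1'), @(528040, '4.8'),   @(461808, '4.7.2'), @(461308, '4.7.1'),
        @(460798, '4.7'),   @(394802, '4.6.2'), @(394254, '4.6.1'), @(393295, '4.6'),
        @(379893, '4.5.2'), @(378675, '4.5.1'), @(378389, '4.5')
    )
    foreach ($t in $thresholds) { if ($Release -ge $t[0]) { return $t[1] } }
    return 'pre-4.5 or unknown'
}

function Get-InstalledNetFramework {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'

    # CLR 2 family (.NET 2.0/3.0/3.5) is installed only when the v3.5 key says Install=1.
    $v35 = Get-ItemProperty "$ndp\v3.5" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Runtime   = 'CLR 2 (.NET 3.5)'
        Installed = [bool]$v35.Install
        Version   = $v35.Version
        Release   = $null
    }

    # CLR 4 family: the Full and Client profiles carry the same Release DWORD.
    foreach ($profile in 'Full', 'Client') {
        $k = Get-ItemProperty "$ndp\v4\$profile" -ErrorAction SilentlyContinue
        if (-not $k) { continue }
        [pscustomobject]@{
            Runtime   = "CLR 4 (.NET 4 $profile)"
            Installed = [bool]$k.Install
            Version   = $k.Version
            Release   = '0x{0:X} ({0}) = {1}' -f $k.Release, (ConvertFrom-NdpRelease $k.Release)
        }
    }
}

function Get-StaleFrameworkDirs {
    # Directory-vs-registry cross-check: a v* folder with no installed runtime behind it.
    $installed = @(Get-InstalledNetFramework | Where-Object Installed | ForEach-Object Runtime)
    $roots = 'C:\Windows\Microsoft.NET\Framework', 'C:\Windows\Microsoft.NET\Framework64'
    foreach ($dir in Get-ChildItem -Path $roots -Directory -Filter 'v*' -ErrorAction SilentlyContinue) {
        $backed = switch -Wildcard ($dir.Name) {
            'v4.*'  { [bool]($installed -match 'CLR 4') }
            'v2.*'  { [bool]($installed -match 'CLR 2') }
            default { $false }   # v1.0/v1.1 are not installable on current Windows at all
        }
        [pscustomobject]@{ Path = $dir.FullName; RuntimeInstalled = $backed }
    }
}

Get-SessionRuntime        | Format-List
Get-InstalledNetFramework | Format-Table -AutoSize
Get-StaleFrameworkDirs    | Format-Table -AutoSize
```

On the host enumerated above this reports CLR 2 as not installed, both v4 profiles as 4.8 (Release 0x81041), and every folder except v4.0.30319 as unbacked, which is the check to run before dropping a tool compiled for .NET 3.5 or assuming a 32-bit host process.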