System/Kernel

*evil-winrm* ps c:\Users\sql_svc\Documents> systeminfo ; Get-ComputerInfo
program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
at line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + categoryinfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + fullyqualifiederrorid : NativeCommandFailed
 
 
windowsbuildlabex                                       : 17763.1.amd64fre.rs5_release.180914-1434
windowscurrentversion                                   : 6.3
windowseditionid                                        : ServerStandard
windowsinstallationtype                                 : Server
windowsinstalldatefromregistry                          : 7/20/2021 7:21:49 PM
windowsproductid                                        : 00429-00521-62775-AA802
windowsproductname                                      : Windows Server 2019 Standard
windowsregisteredowner                                  : Windows User
windowssystemroot                                       : C:\Windows
windowsversion                                          : 1809
osserverlevel                                           : FullServer
timezone                                                : (UTC-08:00) Pacific Time (US & Canada)
powerplatformrole                                       : Desktop
deviceguardsmartstatus                                  : Off

Windows Server 2019 Standard 17763.1.amd64fre.rs5_release.180914-1434 1809

Networks

*Evil-WinRM* PS C:\Users\sql_svc\Documents> ipconfig /all
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : dc
   Primary Dns Suffix  . . . . . . . : sequel.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : sequel.htb
                                       htb
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B9-B2-33
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:beef::21c(Preferred)
   Lease Obtained. . . . . . . . . . : Saturday, August 12, 2023 6:16:41 PM
   Lease Expires . . . . . . . . . . : Sunday, August 13, 2023 12:11:33 AM
   IPv6 Address. . . . . . . . . . . : dead:beef::31e1:eb54:2784:d5cd(Preferred)
   Link-local IPv6 Address . . . . . : fe80::31e1:eb54:2784:d5cd%4(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.11.202(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f330%4
                                       10.10.10.2
   DHCPv6 IAID . . . . . . . . . . . : 251678806
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-28-88-DA-51-00-0C-29-37-43-59
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       htb
 
*Evil-WinRM* PS C:\Users\sql_svc\Documents> arp -a
 
Interface: 10.10.11.202 --- 0x4
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-f3-30     dynamic
  10.10.11.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  
*Evil-WinRM* PS C:\Users\sql_svc\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       5280
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2000
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       488
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1108
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1528
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49687          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49688          0.0.0.0:0              LISTENING       640
  TCP    0.0.0.0:49702          0.0.0.0:0              LISTENING       1940
  TCP    0.0.0.0:49705          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49711          0.0.0.0:0              LISTENING       3116
  TCP    0.0.0.0:49767          0.0.0.0:0              LISTENING       5280
  TCP    0.0.0.0:53689          0.0.0.0:0              LISTENING       2788
  TCP    10.10.11.202:53        0.0.0.0:0              LISTENING       3116
  TCP    10.10.11.202:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       3116

Users & Groups

*evil-winrm* ps c:\Users\sql_svc\Documents> ls -Force C:\Users ; net users
 
 
    directory: C:\Users
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----         2/7/2023   8:58 AM                Administrator
d--hsl        9/15/2018  12:28 AM                All Users
d-rh--        7/20/2021  12:20 PM                Default
d--hsl        9/15/2018  12:28 AM                Default User
d-r---        7/20/2021  12:23 PM                Public
d-----         2/1/2023   6:37 PM                Ryan.Cooper
d-----         2/7/2023   8:10 AM                sql_svc
-a-hs-        9/15/2018  12:16 AM            174 desktop.ini
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            Brandon.Brown            Guest
James.Roberts            krbtgt                   Nicole.Thompson
Ryan.Cooper              sql_svc                  Tom.Henn
The command completed with one or more errors.

Ryan.Cooper

*evil-winrm* ps c:\Users\sql_svc\Documents> net localgroup ; net groups /domain
 
Aliases for \\DC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*SQLServer2005SQLBrowserUser$DC
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

Processes

*Evil-WinRM* PS C:\Users\sql_svc\Documents> ps
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    387      31    12016      20712              1940   0 certsrv
    151       9     6696      12672       0.02   5060   0 conhost
    504      19     2276       5416               380   0 csrss
    171      13     1708       4836               496   1 csrss
    394      33    16276      22992              2788   0 dfsrs
    155       8     1992       6260              3304   0 dfssvc
    257      14     3872      13508              3212   0 dllhost
  10383    7395   130152     128048              3116   0 dns
    529      22    20804      39456                64   1 dwm
     49       6     1496       3972              4780   0 fontdrvhost
     49       6     1636       4280              4784   1 fontdrvhost
      0       0       56          8                 0   0 Idle
    131      12     1888       5612              3132   0 ismserv
    469      27    11112      47900              4180   1 LogonUI
   2243     244    81488      88720               640   0 lsass
    457      31    38436      50988              2000   0 Microsoft.ActiveDirectory.WebServices
    225      13     2952      10328              4228   0 msdtc
      0      14      292      12240                88   0 Registry
    608      14     5856      13272               624   0 services
     53       3      524       1216               296   0 smss
    770      31    38816      51692              4928   0 sqlceip
    828      59   395440     301760              5280   0 sqlservr
    139       9     1856       7880              3268   0 sqlwriter
    273      13     4116      11204                68   0 svchost
    188      11     1736       8252               360   0 svchost
    316      16    15764      17712               500   0 svchost
    135       7     1300       5992               684   0 svchost
    206      12     1636       7328               760   0 svchost
    122      15     4052       8176               824   0 svchost
     86       5      884       3908               832   0 svchost
    758      17     5540      15436               852   0 svchost
    728      19     3768      10908               884   0 svchost
    235      10     1700       6968               940   0 svchost
    211       9     2016       7508              1092   0 svchost
    347      13     9888      14324              1108   0 svchost
    246      14     2980       9024              1152   0 svchost
    368      18     4776      12980              1240   0 svchost
    178       9     1740       8384              1264   0 svchost
    399      32    10168      18864              1328   0 svchost
    250      15     2912      11960              1344   0 svchost
    234      12     2688      11968              1420   0 svchost
    429       9     2692       9012              1428   0 svchost
    118       7     1212       5696              1444   0 svchost
    322      10     2404       8544              1500   0 svchost
    361      18     4712      14408              1528   0 svchost
    133       9     1348       5876              1584   0 svchost
    188      15     5992      10156              1640   0 svchost
    315      13     2052       9004              1668   0 svchost
    189      12     1832       8128              1720   0 svchost
    140       9     1636       6892              1808   0 svchost
    409      16    13032      22608              1852   0 svchost
    223      12     2172       9276              1900   0 svchost
    112       7     1132       5500              1944   0 svchost
    154       8     1760       7152              1968   0 svchost
    231      13     2752      12348              1988   0 svchost
    238      25     3324      12616              2016   0 svchost
    467      19     3328      12388              2140   0 svchost
    126       7     1244       5760              2384   0 svchost
    350      18     7428      24296              2440   0 svchost
    164      10     1984       7600              2584   0 svchost
    408      26     3460      13064              2672   0 svchost
    133       8     2952       9704              2924   0 svchost
    174      11     2456      13112              2932   0 svchost
    205      11     2188       8524              3048   0 svchost
    422      20    19688      32568              3068   0 svchost
    135       9     1528       6628              3188   0 svchost
    138       8     1448       6264              3220   0 svchost
    220      12     2100       7648              3320   0 svchost
    167      10     2140      13124              3336   0 svchost
    297      21     4116      14712              3656   0 svchost
    165       9     3092       7824              4368   0 svchost
    122       8     1508       6228              4540   0 svchost
    149       9     1708       6744              5172   0 svchost
    302      20    11080      15616              5396   0 svchost
   1608       0      188        152                 4   0 System
    213      16     2356      10600              4040   0 vds
    174      11     3224      12004              3244   0 VGAuthService
    137       9     1708       7492              2852   1 vm3dservice
    148       8     1712       7280              3236   0 vm3dservice
    141      10     1796       7732              3800   1 vm3dservice
    401      23    10616      23196              3228   0 vmtoolsd
    173      11     1388       6912               488   0 wininit
    244      12     2560      16928               556   1 winlogon
    355      16    15040      25204              2980   0 WmiPrvSE
    779      32    64944      91828       1.31    484   0 wsmprovhost
    777      25    51700      70420       0.98   5164   0 wsmprovhost

certsrv LogonUI

Tasks

*evil-winrm* ps c:\Users\sql_svc\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
Cannot connect to CIM server. Access denied
at line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + categoryinfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + fullyqualifiederrorid : CimJob_BrokenCimSession,Get-ScheduledTask
 
*evil-winrm* ps c:\Users\sql_svc\Documents> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
 
folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Server Initial Configuration Task        N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319           N/A                    Ready
.NET Framework NGEN v4.0.30319 64        N/A                    Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A                    Disabled
.NET Framework NGEN v4.0.30319 Critical  N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A                    Disabled
AD RMS Rights Policy Template Management N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
PolicyConverter                          N/A                    Disabled
VerifiedPublisherCertStoreCheck          N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
microsoft compatibility appraiser        8/13/2023 4:26:12 AM   Ready
ProgramDataUpdater                       N/A                    Ready
StartupAppTask                           N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
appuriverifierdaily                      N/A                    Ready
appuriverifierinstall                    N/A                    Ready
CleanupTemporaryState                    N/A                    Ready
DsSvcCleanup                             N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Pre-staged app cleanup                   N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Proxy                                    N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BitLocker Encrypt All Drives             N/A                    Ready
BitLocker MDM policy Refresh             N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
UninstallDeviceTask                      N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask        N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ProactiveScan                            N/A                    Ready
SyspartRepair                            N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CreateObjectTask                         N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
consolidator                             8/13/2023 12:00:00 AM  Ready
UsbCeip                                  N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
data integrity scan                      8/29/2023 6:29:24 AM   Ready
Data Integrity Scan for Crash Recovery   N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ScheduledDefrag                          N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
device                                   8/13/2023 4:09:05 AM   Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Scheduled                                N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
DXGIAdapterCache                         N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SilentCleanup                            N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A                    Disabled
Microsoft-Windows-DiskDiagnosticResolver N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Diagnostics                              N/A                    Ready
StorageSense                             N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
EDP App Launch Task                      N/A                    Ready
EDP Auth Task                            N/A                    Ready
StorageCardEncryption Task               N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh          N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Property Definition Sync                 N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ReconcileFeatures                        N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
refreshcache                             8/13/2023 5:16:12 AM   Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ScanForUpdates                           N/A                    Disabled
ScanForUpdatesAsUser                     N/A                    Disabled
WakeUpAndContinueUpdates                 N/A                    Disabled
WakeUpAndScanForUpdates                  N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Notifications                            N/A                    Ready
WindowsActionDialog                      N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
WinSAT                                   N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MapsToastTask                            N/A                    Disabled
MapsUpdateTask                           N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents            N/A                    Disabled
RunFullMemoryDiagnostic                  N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MNO Metadata Parser                      N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
LPRemove                                 N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SystemSoundsService                      N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
GatherNetworkInfo                        N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Background Synchronization               N/A                    Disabled
Logon Synchronization                    N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Server Manager Performance Monitor       N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Device Install Group Policy              N/A                    Ready
Device Install Reboot Required           N/A                    Ready
Sysprep Generalize Drivers               N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
AnalyzeSystem                            N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
VerifyWinRE                              N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CleanupOldPerfLogs                       N/A                    Ready
ServerManager                            N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
StartComponentCleanup                    N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Account Cleanup                          N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CreateObjectTask                         N/A                    Ready
IndexerAutomaticMaintenance              N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Collection                               N/A                    Disabled
Configuration                            N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SpaceAgentTask                           N/A                    Ready
SpaceManagerTask                         N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
HeadsetButtonPress                       N/A                    Ready
speechmodeldownloadtask                  8/13/2023 12:38:43 AM  Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Storage Tiers Management Initialization  N/A                    Ready
Storage Tiers Optimization               N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
MsCtfMonitor                             N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
ForceSynchronizeTime                     N/A                    Ready
SynchronizeTime                          N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
SynchronizeTimeZone                      N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
UPnPHostConfig                           N/A                    Disabled
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
queuereporting                           8/12/2023 11:56:33 PM  Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange              N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
UpdateLibrary                            N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Calibration Loader                       N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
scheduled start                          8/13/2023 6:15:19 PM   Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
CacheTask                                N/A                    Ready
 
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Automatic-Device-Join                    N/A                    Ready
Recovery-Check                           N/A                    Disabled

Firewall & AV

*Evil-WinRM* PS C:\Users\sql_svc\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
1433   TCP       Enable  Inbound               SQL Server
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
1433   TCP       Enable  Inbound               SQL Server
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

*Evil-WinRM* PS C:\Users\sql_svc\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus

Session Architecture

*evil-winrm* ps c:\Users\sql_svc\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks

*Evil-WinRM* PS C:\Users\sql_svc\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
 Volume in drive C has no label.
 Volume Serial Number is EB33-4140
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
09/15/2018  12:19 AM    <DIR>          .
09/15/2018  12:19 AM    <DIR>          ..
09/15/2018  12:19 AM    <DIR>          v1.0.3705
09/15/2018  12:19 AM    <DIR>          v1.1.4322
09/15/2018  12:19 AM    <DIR>          v2.0.50727
08/12/2023  06:26 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   6,019,461,120 bytes free
 
*Evil-WinRM* PS C:\Users\sql_svc\Documents> cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
*Evil-WinRM* PS C:\Users\sql_svc\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.7.03190

InfoSec LAB

Explorer

Escape_Initial_Foothold_WIN

System/Kernel

Networks

Users & Groups

Processes

Tasks

Firewall & AV

Session Architecture

Installed .NET Frameworks

Interactive Graph View

Table of Contents

Backlinks