System/Kernel
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Get-ComputerInfo
WindowsBuildLabEx              : 14393.2273.amd64fre.rs1_release_1.180427-1811
WindowsCurrentVersion          : 6.3
WindowsEditionId               : ServerStandard
WindowsInstallationType        : Server Core
WindowsInstallDateFromRegistry : 9/18/2019 5:07:59 PM
WindowsProductId               : 00376-30821-30176-AA930
WindowsProductName             : Windows Server 2016 Standard
WindowsRegisteredOwner         : Windows User
WindowsSystemRoot              : C:\Windows
OsServerLevel                  : ServerCore
TimeZone                       : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole              : Desktop
DeviceGuardSmartStatus         : Off
Windows Server 2016 Standard
14393.2273.amd64fre.rs1_release_1.180427-1811
Networks
*Evil-WinRM* PS C:\Users\svc-alfresco> netstat -ano
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 812
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 812
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1888
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 452
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 920
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 988
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 1112
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49677 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:49706 0.0.0.0:0 LISTENING 1896
TCP 0.0.0.0:49931 0.0.0.0:0 LISTENING 1964
TCP 10.10.10.161:53 0.0.0.0:0 LISTENING 1896
TCP 10.10.10.161:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.161:389 10.10.10.161:49705 ESTABLISHED 584
TCP 10.10.10.161:389 10.10.10.161:49919 ESTABLISHED 584
TCP 10.10.10.161:389 10.10.10.161:49925 ESTABLISHED 584
TCP 10.10.10.161:389 10.10.10.161:54071 ESTABLISHED 584
TCP 10.10.10.161:389 10.10.10.161:61482 ESTABLISHED 584
TCP 10.10.10.161:389 10.10.10.161:61517 ESTABLISHED 584
TCP 10.10.10.161:389 10.10.10.161:61528 ESTABLISHED 584
TCP 10.10.10.161:5985 10.10.14.10:53832 TIME_WAIT 0
TCP 10.10.10.161:5985 10.10.14.10:58862 TIME_WAIT 0
TCP 10.10.10.161:5985 10.10.14.10:60618 TIME_WAIT 0
TCP 10.10.10.161:5985 10.10.14.10:60624 ESTABLISHED 4
TCP 10.10.10.161:49705 10.10.10.161:389 ESTABLISHED 1896
TCP 10.10.10.161:49919 10.10.10.161:389 ESTABLISHED 1964
TCP 10.10.10.161:49925 10.10.10.161:389 ESTABLISHED 1964
TCP 10.10.10.161:54071 10.10.10.161:389 ESTABLISHED 3696
TCP 10.10.10.161:61482 10.10.10.161:389 ESTABLISHED 3696
TCP 10.10.10.161:61517 10.10.10.161:389 ESTABLISHED 1888
TCP 10.10.10.161:61528 10.10.10.161:389 ESTABLISHED 1888
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 1896
TCP 127.0.0.1:389 127.0.0.1:49681 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:49683 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:49703 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:49728 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:50529 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:60730 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:61513 ESTABLISHED 584
TCP 127.0.0.1:389 127.0.0.1:61524 ESTABLISHED 584
TCP 127.0.0.1:49681 127.0.0.1:389 ESTABLISHED 1980
TCP 127.0.0.1:49683 127.0.0.1:389 ESTABLISHED 1980
TCP 127.0.0.1:49703 127.0.0.1:389 ESTABLISHED 1896
TCP 127.0.0.1:49728 127.0.0.1:389 ESTABLISHED 1888
TCP 127.0.0.1:50529 127.0.0.1:389 ESTABLISHED 1888
TCP 127.0.0.1:60730 127.0.0.1:389 ESTABLISHED 1888
TCP 127.0.0.1:61513 127.0.0.1:389 ESTABLISHED 1888
TCP 127.0.0.1:61524 127.0.0.1:389 ESTABLISHED 1888
UDP 0.0.0.0:123 *:* 928
UDP 0.0.0.0:389 *:* 584
UDP 0.0.0.0:500 *:* 988
UDP 0.0.0.0:4500 *:* 988
UDP 0.0.0.0:5353 *:* 996
UDP 0.0.0.0:5355 *:* 996
UDP 0.0.0.0:53050 *:* 996
UDP 0.0.0.0:54180 *:* 1896
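The listing above gives PIDs but no process names, and the usual cmdlet for this, Get-NetTCPConnection, is CIM-backed and fails in this session the same way Get-ScheduledTask and Get-MpComputerStatus do. The following is an added example (not part of the original notes) that parses netstat -ano text and resolves each listening PID with Get-Process, which does not go through CIM. The port-to-service labels are my own annotations of well-known ports; the sample rows used as a fallback are copied from the listing above.

```powershell
# Added example: annotate netstat listeners with process names without CIM/WMI.
# Assumed: Get-Process is allowed for this account (it was used in the Processes section).

# Well-known ports worth recognising on a domain controller / Exchange host (assumed labels).
$PortLabels = @{
    53    = 'DNS'
    88    = 'Kerberos'
    135   = 'RPC endpoint mapper'
    139   = 'NetBIOS session'
    389   = 'LDAP'
    445   = 'SMB'
    464   = 'Kerberos kpasswd'
    593   = 'RPC over HTTP'
    636   = 'LDAPS'
    3268  = 'Global Catalog'
    3269  = 'Global Catalog (TLS)'
    5985  = 'WinRM (HTTP)'
    9389  = 'AD Web Services'
    47001 = 'WinRM listener (HTTP.sys)'
}

function ConvertFrom-NetstatListener {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # TCP rows: Proto Local Foreign State PID ; UDP rows have no State column.
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notin 'TCP', 'UDP') { continue }
        if ($f[0] -eq 'TCP') {
            if ($f[3] -ne 'LISTENING') { continue }   # skip ESTABLISHED/TIME_WAIT rows
            $procId = [int]$f[4]
        } else {
            $procId = [int]$f[3]
        }
        # Split on the last colon so IPv6 literals such as [::]:135 survive.
        $addr, $port = $f[1] -split ':(?=\d+$)'
        $port = [int]$port
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '?' }
        $label = if ($PortLabels.ContainsKey($port)) { $PortLabels[$port] } else { '' }
        [pscustomobject]@{
            Proto     = $f[0]
            LocalAddr = $addr
            Port      = $port
            PID       = $procId
            Process   = $name
            Service   = $label
        }
    }
}

# Live run on the current host; if netstat cannot be launched, fall back to a
# constructed sample (rows copied from the listing above) so the parser still runs.
$raw = & netstat -ano 2>$null
if (-not $raw) {
    $raw = @(
        'TCP    0.0.0.0:88      0.0.0.0:0    LISTENING    584',
        'TCP    0.0.0.0:389     0.0.0.0:0    LISTENING    584',
        'TCP    0.0.0.0:5985    0.0.0.0:0    LISTENING    4',
        'UDP    0.0.0.0:53      *:*                       1896'
    )
}
ConvertFrom-NetstatListener $raw | Sort-Object Port | Format-Table -AutoSize
```

Ports 88, 389, 464, 636, 3268 and 3269 sharing one PID is the signature of lsass on a domain controller; 9389 (AD Web Services) is what the ActiveDirectory module needs, so its presence is worth noting before falling back to raw LDAP.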
Users & Groups
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
$331000-VK4ADACQNUCA Administrator andy
DefaultAccount Guest HealthMailbox0659cc1
HealthMailbox670628e HealthMailbox6ded678 HealthMailbox7108a4e
HealthMailbox83d6781 HealthMailbox968e74d HealthMailboxb01ac64
HealthMailboxc0a90c9 HealthMailboxc3d7722 HealthMailboxfc9daad
HealthMailboxfd87238 krbtgt lucinda
mark santi sebastien
SM_1b41c9286325456bb SM_1ffab36a2f5f479cb SM_2c8eef0a09b545acb
SM_681f53d4942840e18 SM_75a538d3025e4db9a SM_7c96b981967141ebb
SM_9b69f1b9d2cc45549 SM_c75ee099d0a64c91b SM_ca8c2ed5bdab4dc9b
svc-alfresco
The command completed with one or more errors.
$331000-VK4ADACQNUCA
andy
lucinda
mark
santi
sebastien
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net localgroup
Aliases for \\FOREST
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*System Managed Accounts Group
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> net group
Group Accounts for \\
-------------------------------------------------------------------------------
*$D31000-NSEL5BRJ63V7
*Cloneable Domain Controllers
*Compliance Management
*Delegated Setup
*Discovery Management
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Exchange Servers
*Exchange Trusted Subsystem
*Exchange Windows Permissions
*ExchangeLegacyInterop
*Group Policy Creator Owners
*Help Desk
*Hygiene Management
*Key Admins
*Managed Availability Servers
*Organization Management
*Privileged IT Accounts
*Protected Users
*Public Folder Management
*Read-only Domain Controllers
*Recipient Management
*Records Management
*Schema Admins
*Security Administrator
*Security Reader
*Server Management
*Service Accounts
*test
*UM Management
*View-Only Organization Management
The command completed with one or more errors.
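net user and net group list names but say nothing about who sits in the privileged groups, or which of them the current account reaches through nesting. The following is an added example (not part of the original notes) that resolves the caller's effective group membership from the tokenGroups attribute and dumps the direct members of a few high-value groups using plain ADSI, so it needs neither the ActiveDirectory module nor CIM. The group names are taken from the listing above; which accounts are actually members is not established by these notes, and the tokenGroups and member attributes are standard LDAP attributes, not assumptions.

```powershell
# Added example: nested group membership via ADSI/LDAP only.
# Assumed: the session can reach LDAP on the DC (389 is listening locally above).

function Get-EffectiveGroups {
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $null = $searcher.PropertiesToLoad.Add('distinguishedName')
    $result = $searcher.FindOne()
    if (-not $result) { throw "user $SamAccountName not found" }
    # tokenGroups is a constructed attribute holding the SIDs of every group the account
    # belongs to transitively (primary group included). It is only returned when read
    # from the object itself, so bind to the entry and refresh that attribute.
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid.Value }   # unresolvable SID (e.g. deleted group)
        [pscustomobject]@{ Sid = $sid.Value; Group = $name }
    }
}

function Get-GroupMembers {
    param([Parameter(Mandatory)][string]$GroupName)
    $searcher = [adsisearcher]"(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('member', 'distinguishedName'))
    $g = $searcher.FindOne()
    if (-not $g) { return }
    # Caveats: 'member' does not include accounts whose primaryGroupID points at this
    # group, and groups with more than 1500 members return the attribute range-paged.
    foreach ($dn in $g.Properties['member']) {
        [pscustomobject]@{ Group = $GroupName; Member = $dn }
    }
}

# Groups from the listing above that grant broad rights on a DC or an Exchange org.
$HighValue = 'Account Operators', 'Server Operators', 'DnsAdmins',
             'Exchange Windows Permissions', 'Exchange Trusted Subsystem',
             'Organization Management'

"== Effective groups for $env:USERNAME =="
Get-EffectiveGroups | Sort-Object Group | Format-Table -AutoSize
"== Direct members of high-value groups =="
foreach ($g in $HighValue) { Get-GroupMembers -GroupName $g } | Format-Table -AutoSize
```

Checking tokenGroups rather than memberOf matters because memberOf misses primary-group and some cross-domain memberships; a service account that looks unremarkable in net user can still land in Account Operators or an Exchange role group through nesting.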
Processes
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
93 8 4968 9548 0.17 2496 0 conhost
106 9 1656 7336 2596 1 conhost
93 8 1708 1204 3404 0 conhost
260 12 1904 4272 364 0 csrss
125 9 1404 7324 452 1 csrss
346 31 13404 22012 1912 0 dfsrs
132 8 1740 5452 1444 0 dfssvc
216 13 3584 12396 2328 0 dllhost
5332 3698 69732 69944 1904 0 dns
0 0 0 4 0 0 Idle
120 12 1868 5572 1920 0 ismserv
257 15 2640 12852 2556 1 LogonUI
9094 187 192120 204088 580 0 lsass
784 50 59068 75052 1880 0 Microsoft.ActiveDirectory.WebServices
190 13 2900 9916 2444 0 msdtc
393 71 181292 121056 1928 0 MsMpEng
409 43 467504 424100 3380 0 powershell
275 11 3732 9292 572 0 services
51 2 368 1184 268 0 smss
388 32 7196 14156 368 0 svchost
359 14 3040 9684 752 0 svchost
336 19 2728 8400 812 0 svchost
691 23 5836 14144 920 0 svchost
371 16 8044 13400 928 0 svchost
1008 38 17224 36360 988 0 svchost
615 43 9544 23560 996 0 svchost
136 11 1368 6632 1148 0 svchost
201 12 2124 8336 1716 0 svchost
251 16 4912 13824 1888 0 svchost
266 20 10428 14752 4028 0 svchost
755 0 128 136 4 0 System
194 16 2332 10668 2164 0 vds
146 11 3068 10096 1936 0 VGAuthService
327 21 9072 22460 2044 0 vmtoolsd
92 8 932 4948 444 0 wininit
157 9 1792 8992 520 1 winlogon
287 15 7296 16364 2700 0 WmiPrvSE
1400 31 92552 115620 1.98 2728 0 wsmprovhost
Tasks
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level"
Program 'schtasks.exe' failed to run: Access is deniedAt line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Get-ScheduledTask
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
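Both attempts above fail for different reasons: schtasks.exe cannot be launched at all, and Get-ScheduledTask needs a CIM session that this account is denied. A third path that neither uses is the Task Scheduler COM interface (Schedule.Service), which talks to the scheduler's RPC service directly and returns whatever tasks the caller has read access to. The following is an added example (not part of the original notes); the filter that drops the \Microsoft\ folder mirrors the findstr filter in the original command, and the COM interface names and enum values are the documented ones.

```powershell
# Added example: enumerate scheduled tasks through ITaskService without schtasks or CIM.
# Assumed: the Task Scheduler service accepts the connection for this account; tasks the
# account cannot read are simply absent from the result rather than raising an error.

function Get-TaskTree {
    param(
        [Parameter(Mandatory)] $Folder,     # ITaskFolder
        [switch]$IncludeMicrosoft
    )
    # GetTasks(1) = TASK_ENUM_HIDDEN: also return tasks flagged as hidden.
    foreach ($t in $Folder.GetTasks(1)) {
        if (-not $IncludeMicrosoft -and $t.Path -like '\Microsoft\*') { continue }
        $def = $t.Definition
        # Type 0 = TASK_ACTION_EXEC (IExecAction: Path, Arguments); other types are
        # COM handler / e-mail / message-box actions and are only labelled here.
        $actions = @(foreach ($a in $def.Actions) {
            if ($a.Type -eq 0) { "$($a.Path) $($a.Arguments)".Trim() }
            else { "action type $($a.Type)" }
        }) -join '; '
        # RunLevel 1 = TASK_RUNLEVEL_HIGHEST, 0 = TASK_RUNLEVEL_LUA.
        $runLevel = if ($def.Principal.RunLevel -eq 1) { 'Highest' } else { 'LUA' }
        [pscustomobject]@{
            Path     = $t.Path
            Enabled  = $t.Enabled
            RunAs    = $def.Principal.UserId
            RunLevel = $runLevel
            LastRun  = $t.LastRunTime
            NextRun  = $t.NextRunTime
            Action   = $actions
        }
    }
    # Recurse into sub-folders (GetFolders(0): no flags are defined for this call).
    foreach ($sub in $Folder.GetFolders(0)) {
        Get-TaskTree -Folder $sub -IncludeMicrosoft:$IncludeMicrosoft
    }
}

$svc = New-Object -ComObject Schedule.Service
$svc.Connect()      # local machine, current credentials
Get-TaskTree -Folder $svc.GetFolder('\') | Format-Table -AutoSize
```

The interesting rows are tasks that run as a privileged principal with an Action path in a directory the current user can write to, or an Action whose binary is missing from disk; the RunAs and Action columns are what to read first.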
Firewall & AV
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
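The firewall query above succeeds but uses the deprecated netsh firewall context, which only shows the Domain and Standard profiles and reports "Operational mode = Disable"; netsh advfirewall is its replacement and profile state queries work for a standard user. Get-MpComputerStatus fails because it is CIM-backed, yet the process list earlier shows MsMpEng running. The following is an added example (not part of the original notes) that reads firewall state from netsh advfirewall and Defender state from the registry and process list. The registry value names are Defender's documented policy values; a missing value means the default (protection on), not a confirmed state, and exclusion keys may be unreadable to a non-administrator.

```powershell
# Added example: firewall and Defender state without CIM.
# Assumed: netsh.exe can be launched (it ran for the netsh firewall command above).

function Get-FirewallProfileState {
    # Output format: "<Name> Profile Settings:" header, then "State   ON|OFF".
    $out = & netsh advfirewall show allprofiles state 2>&1
    $profile = $null
    foreach ($line in $out) {
        if ($line -match '^(\S+) Profile Settings:') { $profile = $Matches[1] }
        elseif ($line -match '^State\s+(\S+)') {
            [pscustomobject]@{ Profile = $profile; State = $Matches[1] }
        }
    }
}

function Get-DefenderState {
    $base   = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    $rtp    = Get-ItemProperty "$base\Real-Time Protection"   -ErrorAction SilentlyContinue
    $pol    = Get-ItemProperty $policy                        -ErrorAction SilentlyContinue
    $polRtp = Get-ItemProperty "$policy\Real-Time Protection" -ErrorAction SilentlyContinue
    $exPath = Get-ItemProperty "$base\Exclusions\Paths"       -ErrorAction SilentlyContinue
    $exProc = Get-ItemProperty "$base\Exclusions\Processes"   -ErrorAction SilentlyContinue
    # Exclusion entries are value names under the key; drop the PS* provider properties.
    $paths = @($exPath.PSObject.Properties | Where-Object Name -notlike 'PS*' | ForEach-Object Name)
    $procs = @($exProc.PSObject.Properties | Where-Object Name -notlike 'PS*' | ForEach-Object Name)
    [pscustomobject]@{
        EngineRunning             = [bool](Get-Process MsMpEng -ErrorAction SilentlyContinue)
        DisableAntiSpyware        = [bool]$pol.DisableAntiSpyware
        DisableRealtimeMonitoring = [bool]$rtp.DisableRealtimeMonitoring -or
                                    [bool]$polRtp.DisableRealtimeMonitoring
        ExclusionPaths            = $paths -join '; '
        ExclusionProcesses        = $procs -join '; '
        ExclusionsReadable        = [bool]($exPath -or $exProc)
    }
}

"== Firewall profiles =="
Get-FirewallProfileState | Format-Table -AutoSize
"== Defender =="
Get-DefenderState | Format-List
```

A running MsMpEng with real-time monitoring not disabled means tooling dropped to disk will be scanned; the exclusion lists, when readable, are where a tester looks for a path that is not.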
Session Architecture
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 61F2-A88F
Directory of C:\Windows\Microsoft.NET\Framework
07/16/2016 05:18 AM <DIR> .
07/16/2016 05:18 AM <DIR> ..
07/16/2016 05:18 AM <DIR> v1.0.3705
07/16/2016 05:18 AM <DIR> v1.1.4322
07/16/2016 05:18 AM <DIR> v2.0.50727
01/22/2023 03:36 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 10,428,194,816 bytes free
*Evil-WinRM* PS C:\Users\svc-alfresco\Documents> reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0