System/Kernel
*Evil-WinRM* PS C:\Users\svc-print\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\svc-print\Documents> Get-ComputerInfo
WindowsBuildLabEx : 14393.3686.amd64fre.rs1_release.200504-1524
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server Core
WindowsInstallDateFromRegistry : 5/27/2020 5:36:00 AM
WindowsProductId : 00376-30821-30176-AA796
WindowsProductName : Windows Server 2016 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
OsServerLevel : ServerCore
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2016 Standard
Networks
*Evil-WinRM* PS C:\Users\svc-print\Documents> netstat -ano -p tcp
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 868
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 868
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1800
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 480
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 960
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 276
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49680 0.0.0.0:0 LISTENING 1388
TCP 0.0.0.0:49683 0.0.0.0:0 LISTENING 612
TCP 0.0.0.0:49691 0.0.0.0:0 LISTENING 2152
TCP 0.0.0.0:49699 0.0.0.0:0 LISTENING 2060
TCP 10.10.10.193:53 0.0.0.0:0 LISTENING 2152
TCP 10.10.10.193:139 0.0.0.0:0 LISTENING 4
TCP 10.10.10.193:5985 10.10.14.5:43068 TIME_WAIT 0
TCP 10.10.10.193:5985 10.10.14.5:43082 ESTABLISHED 4
TCP 10.10.10.193:5985 10.10.14.5:43550 TIME_WAIT 0
TCP 10.10.10.193:51837 10.11.0.250:9100 SYN_SENT 1388
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2152
Users & Groups
*Evil-WinRM* PS C:\Users\svc-print\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator astein bhult
bnielson dandrews DefaultAccount
dmuir Guest krbtgt
mberbatov pmerton sthompson
svc-print svc-scan tlavel
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-print\Documents> net groups
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*IT_Accounts
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Processes
*Evil-WinRM* PS C:\Users\svc-print\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
39 3 1520 2568 3236 1 cmd
109 10 5352 11252 3332 1 conhost
93 8 4960 9492 0.02 3936 0 conhost
304 13 1852 4256 396 0 csrss
158 14 2116 11120 492 1 csrss
356 32 14656 22304 2060 0 dfsrs
157 12 2120 7228 2168 0 dfssvc
218 13 3764 12688 2908 0 dllhost
10332 12398 248716 239132 2152 0 dns
0 0 0 4 0 0 Idle
119 12 1712 5356 1380 0 ismserv
1778 264 55480 69544 620 0 lsass
417 38 53032 65136 1800 0 Microsoft.ActiveDirectory.WebServices
194 13 2836 9596 2016 0 msdtc
391 58 119248 84516 2096 0 MsMpEng
129 8 1748 5876 2196 0 pcpl
157 12 3376 11380 3240 0 PrintIsolationHost
312 11 4508 9512 612 0 services
51 2 372 1220 320 0 smss
483 25 6356 18140 1388 0 spoolsv
1344 87 30164 51700 276 0 svchost
653 46 9420 23348 336 0 svchost
386 33 9164 15932 424 0 svchost
365 15 3272 10128 812 0 svchost
449 18 3204 8868 868 0 svchost
382 16 9348 14580 960 0 svchost
708 24 6596 14820 968 0 svchost
85 7 1004 5088 1048 0 svchost
198 14 4456 11276 1424 0 svchost
136 9 1768 6820 1612 0 svchost
261 16 5264 14412 1780 0 svchost
243 15 2828 10956 1888 0 svchost
136 11 3684 10456 2080 0 svchost
88 7 1008 5104 2088 0 svchost
241 19 8304 13372 2128 0 svchost
102 7 2244 8216 3224 0 svchost
783 0 124 144 4 0 System
163 12 1792 9208 3880 1 taskhostw
196 16 2332 10696 2628 0 vds
150 11 2928 9808 8 0 VGAuthService
330 21 9156 22344 2028 0 vmtoolsd
173 15 3428 12968 3204 1 vmtoolsd
96 8 940 4912 480 0 wininit
193 10 1980 9392 560 1 winlogon
296 15 7564 16840 3004 0 WmiPrvSE
1148 31 109980 132504 2.08 1312 0 wsmprovhost
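The netstat and ps listings above are most useful when joined on the PID column. The following Python is an added example, not part of the original writeup: it parses a handful of constructed rows in the same layout (a subset of the real output, same PIDs), labels each port bound on all interfaces with its owning process, and separates connections the host initiated from the ones it is serving; here the only outbound attempt is the spooler's SYN_SENT to a port-9100 printer at 10.11.0.250, which is the line a defender would triage first.

```python
from collections import namedtuple

# Constructed sample rows in the layout of the `netstat -ano -p tcp` and `ps`
# output above (a subset of the real listing, using the same PIDs).
NETSTAT_SAMPLE = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       620
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    10.10.10.193:5985      10.10.14.5:43082       ESTABLISHED     4
  TCP    10.10.10.193:51837     10.11.0.250:9100       SYN_SENT        1388
"""
PS_SAMPLE = """\
    1778     264    55480      69544               620   0 lsass
     483      25     6356      18140              1388   0 spoolsv
    1148      31   109980     132504     2.08    1312   0 wsmprovhost
     783       0      124        144                 4   0 System
"""
Socket = namedtuple("Socket", "local remote state pid")

def parse_netstat(text):
    """Turn netstat -ano TCP rows into Socket tuples (PID as int)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP":
            rows.append(Socket(parts[1], parts[2], parts[3], int(parts[4])))
    return rows

def parse_ps(text):
    """Map PID -> ProcessName; CPU(s) is optional, so read Id/SI from the right."""
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 7 and parts[-2].isdigit() and parts[-3].isdigit():
            pids[int(parts[-3])] = parts[-1]
    return pids

def exposed_listeners(sockets, pids):
    """Ports bound on all interfaces, labelled with the owning process."""
    return sorted((int(s.local.rsplit(":", 1)[1]), pids.get(s.pid, "?"))
                  for s in sockets
                  if s.state == "LISTENING" and s.local.startswith("0.0.0.0:"))

def outbound_connections(sockets, pids):
    """Connections the host initiated: not LISTENING and an ephemeral local port."""
    out = []
    for s in sockets:
        lport = int(s.local.rsplit(":", 1)[1])
        if s.state != "LISTENING" and lport >= 49152:
            out.append((pids.get(s.pid, "?"), s.remote, s.state))
    return out
```

Run against the full listings, the same join also shows that PID 620 (lsass) owns the Kerberos, LDAP and Global Catalog listeners, which is what identifies this host as a domain controller.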
Tasks
*Evil-WinRM* PS C:\Users\svc-print\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\svc-print\Documents> Get-ScheduledTask
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
Firewall & AV
*Evil-WinRM* PS C:\Users\svc-print\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound Allow Port 5985
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound Allow Port 5985
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
*Evil-WinRM* PS C:\Users\svc-print\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
*Evil-WinRM* PS C:\Users\svc-print\Documents> Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpPreference | Select-Object -Property ExclusionPath
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
Session Architecture
*Evil-WinRM* PS C:\Users\svc-print\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\svc-print\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is E6C8-44FE
Directory of C:\Windows\Microsoft.NET\Framework
07/16/2016 05:18 AM <DIR> .
07/16/2016 05:18 AM <DIR> ..
06/01/2020 01:01 AM <DIR> v1.0.3705
07/16/2016 05:18 AM <DIR> v1.1.4322
07/16/2016 05:18 AM <DIR> v2.0.50727
02/02/2023 08:41 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 28,119,576,576 bytes free
*Evil-WinRM* PS C:\Users\svc-print\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
4.6.01586