smith
Checking for the home directory of the smith user after making a Lateral Movement
*evil-winrm* ps c:\Users\smith> tree /F /A
Folder PATH listing
Volume serial number is 212C-60B7
c:.
+---Desktop
+---Documents
+---Downloads
+---Favorites
+---Links
+---Music
+---Pictures
+---Saved Games
\---VideosThere appears to be pretty much nothing in the home directory of the smith user
*evil-winrm* ps c:\Users\smith> tree AppData /F /A
Folder PATH listing
Volume serial number is 212C-60B7
c:\USERS\SMITH\APPDATA
+---Local
| +---Microsoft
| | +---InputPersonalization
| | | \---TrainedDataStore
| | +---Windows
| | | +---CloudStore
| | | +---GameExplorer
| | | +---PowerShell
| | | | ModuleAnalysisCache
| | | | StartupProfileData-NonInteractive
| | | |
| | | +---SchCache
| | | | object.local.sch
| | | |
| | | +---Shell
| | | | DefaultLayouts.xml
| | | |
| | | \---WinX
| | | +---Group1
| | | | 1 - Desktop.lnk
| | | |
| | | +---Group2
| | | | 1 - Run.lnk
| | | | 2 - Search.lnk
| | | | 3 - Windows Explorer.lnk
| | | | 4 - Control Panel.lnk
| | | | 5 - Task Manager.lnk
| | | |
| | | \---Group3
| | | 01 - Command Prompt.lnk
| | | 01a - Windows PowerShell.lnk
| | | 02 - Command Prompt.lnk
| | | 02a - Windows PowerShell.lnk
| | | 03 - Computer Management.lnk
| | | 04 - Disk Management.lnk
| | | 04-1 - NetworkStatus.lnk
| | | 05 - Device Manager.lnk
| | | 06 - SystemAbout.lnk
| | | 07 - Event Viewer.lnk
| | | 08 - PowerAndSleep.lnk
| | | 09 - Mobility Center.lnk
| | | 10 - AppsAndFeatures.lnk
| | |
| | \---Windows Sidebar
| | | settings.ini
| | |
| | \---Gadgets
| \---Temp
+---LocalLow
\---Roaming
*evil-winrm* ps c:\Users\smith\AppData\LocalLow> tree /F /A
Folder PATH listing
Volume serial number is 212C-60B7
c:.
No subfolders exist
*evil-winrm* ps c:\Users\smith\AppData\LocalLow> dir -Force
*evil-winrm* ps c:\Users\smith\AppData\LocalLow> cd ../Roaming
*evil-winrm* ps c:\Users\smith\AppData\Roaming> tree /F /A ; dir -Force
Folder PATH listing
Volume serial number is 212C-60B7
c:.
No subfolders exist
directory: C:\Users\smith\AppData\Roaming
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 9/15/2018 12:28 AM Microsoft
*evil-winrm* ps c:\Users\smith\AppData\Roaming> cd Microsoft ; tree /F /A ; dir -Force
Folder PATH listing
Volume serial number is 212C-60B7
c:.
+---Internet Explorer
| \---Quick Launch
| Control Panel.lnk
| Server Manager.lnk
| Shows Desktop.lnk
| Window Switcher.lnk
|
\---Windows
+---CloudStore
+---Network Shortcuts
+---Printer Shortcuts
+---Recent
+---SendTo
| Compressed (zipped) Folder.ZFSendToTarget
| Desktop (create shortcut).DeskLink
| Mail Recipient.MAPIMail
|
+---Start Menu
| \---Programs
| +---Accessibility
| | Magnify.lnk
| | Narrator.lnk
| | On-Screen Keyboard.lnk
| |
| +---Accessories
| | Notepad.lnk
| |
| +---Maintenance
| +---System Tools
| | Administrative Tools.lnk
| | Command Prompt.lnk
| | computer.lnk
| | Control Panel.lnk
| | File Explorer.lnk
| | Run.lnk
| |
| \---Windows PowerShell
| Windows PowerShell (x86).lnk
| Windows PowerShell ISE (x86).lnk
| Windows PowerShell ISE.lnk
| Windows PowerShell.lnk
|
\---Templates
directory: C:\Users\smith\AppData\Roaming\Microsoft
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/15/2018 12:28 AM Internet Explorer
d----- 9/15/2018 12:19 AM WindowsSame with the AppData directory