System/Kernel


*Evil-WinRM* PS C:\Users\sflowers\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 6/14/2022 5:28:53 PM
WindowsProductId                                        : 00429-00521-62775-AA339
WindowsProductName                                      : Windows Server 2019 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

Windows Server 2019 Standard Desktop

Networks


*Evil-WinRM* PS C:\Users\sflowers\Documents> ipconfig /all ; arp -a ; route print
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : DC
   Primary Dns Suffix  . . . . . . . : outdated.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : outdated.htb
                                       htb
 
Ethernet adapter Ethernet0 3:
 
   Connection-specific DNS Suffix  . : htb
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B9-E2-EF
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : dead:beef::1ef(Preferred)
   Lease Obtained. . . . . . . . . . : Friday, January 5, 2024 9:25:25 PM
   Lease Expires . . . . . . . . . . : Friday, January 5, 2024 10:25:25 PM
   IPv6 Address. . . . . . . . . . . : dead:beef::554e:a6a1:8f40:d164(Preferred)
   Link-local IPv6 Address . . . . . : fe80::554e:a6a1:8f40:d164%15(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.10.11.175(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:6c92%15
                                       10.10.10.2
   DHCPv6 IAID . . . . . . . . . . . : 486559830
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-2A-9C-9C-00-50-56-B9-E2-EF
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
                                       htb
 
Ethernet adapter vEthernet (vSwitch):
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-19-AE-00
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 172.16.20.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 0.0.0.0
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 10.10.11.175 --- 0xf
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-6c-92     dynamic
  10.10.11.241          00-50-56-b9-9a-73     dynamic
  10.10.11.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
 
Interface: 172.16.20.1 --- 0x11
  Internet Address      Physical Address      Type
  172.16.20.20          00-15-5d-19-ae-01     dynamic
  172.16.20.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
===========================================================================
Interface List
 15...00 50 56 b9 e2 ef ......vmxnet3 Ethernet Adapter
  1...........................Software Loopback Interface 1
 17...00 15 5d 19 ae 00 ......Hyper-V Virtual Ethernet Adapter
===========================================================================
 
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link       172.16.20.1    376
          0.0.0.0          0.0.0.0       10.10.10.2     10.10.11.175    266
       10.10.10.0    255.255.254.0         On-link      10.10.11.175    266
     10.10.11.175  255.255.255.255         On-link      10.10.11.175    266
     10.10.11.255  255.255.255.255         On-link      10.10.11.175    266
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    331
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    331
      172.16.20.0    255.255.255.0         On-link       172.16.20.1    376
      172.16.20.1  255.255.255.255         On-link       172.16.20.1    376
    172.16.20.255  255.255.255.255         On-link       172.16.20.1    376
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    331
        224.0.0.0        240.0.0.0         On-link       172.16.20.1    376
        224.0.0.0        240.0.0.0         On-link      10.10.11.175    266
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    331
  255.255.255.255  255.255.255.255         On-link       172.16.20.1    376
  255.255.255.255  255.255.255.255         On-link      10.10.11.175    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
          0.0.0.0          0.0.0.0       10.10.10.2  Default
          0.0.0.0          0.0.0.0      172.16.20.1  Default
===========================================================================
 
IPv6 Route Table
===========================================================================
Active Routes:
 If Metric Network Destination      Gateway
 15    266 ::/0                     fe80::250:56ff:feb9:6c92
  1    331 ::1/128                  On-link
 15    266 dead:beef::/64           On-link
 15    266 dead:beef::1ef/128       On-link
 15    266 dead:beef::554e:a6a1:8f40:d164/128
                                    On-link
 15    266 fe80::/64                On-link
 15    266 fe80::554e:a6a1:8f40:d164/128
                                    On-link
  1    331 ff00::/8                 On-link
 15    266 ff00::/8                 On-link
===========================================================================
Persistent Routes:
  None
 
 
*Evil-WinRM* PS C:\Users\sflowers\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2492
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING       2492
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:587            0.0.0.0:0              LISTENING       2492
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       940
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING       3108
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8530           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8531           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2948
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       520
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1560
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:49685          0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:49686          0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:49916          0.0.0.0:0              LISTENING       656
  TCP    0.0.0.0:49922          0.0.0.0:0              LISTENING       2040
  TCP    0.0.0.0:49955          0.0.0.0:0              LISTENING       2968
  TCP    10.10.11.175:53        0.0.0.0:0              LISTENING       2040
  TCP    10.10.11.175:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2040
  TCP    172.16.20.1:53         0.0.0.0:0              LISTENING       2040
  TCP    172.16.20.1:139        0.0.0.0:0              LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       684
  TCP    [::]:135               [::]:0                 LISTENING       940
  TCP    [::]:389               [::]:0                 LISTENING       684
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       684
  TCP    [::]:593               [::]:0                 LISTENING       940
  TCP    [::]:636               [::]:0                 LISTENING       684
  TCP    [::]:2179              [::]:0                 LISTENING       3108
  TCP    [::]:3268              [::]:0                 LISTENING       684
  TCP    [::]:3269              [::]:0                 LISTENING       684
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:8530              [::]:0                 LISTENING       4
  TCP    [::]:8531              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2948
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       520
  TCP    [::]:49665             [::]:0                 LISTENING       1204
  TCP    [::]:49666             [::]:0                 LISTENING       1560
  TCP    [::]:49667             [::]:0                 LISTENING       684
  TCP    [::]:49685             [::]:0                 LISTENING       684
  TCP    [::]:49686             [::]:0                 LISTENING       684
  TCP    [::]:49916             [::]:0                 LISTENING       656
  TCP    [::]:49922             [::]:0                 LISTENING       2040
  TCP    [::]:49955             [::]:0                 LISTENING       2968
  TCP    [::1]:53               [::]:0                 LISTENING       2040
  TCP    [dead:beef::1ef]:53    [::]:0                 LISTENING       2040
  TCP    [dead:beef::554e:a6a1:8f40:d164]:53  [::]:0                 LISTENING       2040
  TCP    [fe80::554e:a6a1:8f40:d164%15]:53  [::]:0                 LISTENING       2040

dc.outdated.htb 10.10.11.175 172.16.20.1

0.0.0.0:143 0.0.0.0:587 0.0.0.0:2179

Users & Groups


*Evil-WinRM* PS C:\Users\sflowers\Documents> net user ; net user /DOMAIN ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            btables                  Guest
krbtgt                   sflowers
The command completed with one or more errors.
 
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            btables                  Guest
krbtgt                   sflowers
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/15/2022   7:33 AM                .NET v4.5
d-----        6/15/2022   7:33 AM                .NET v4.5 Classic
d-----       12/13/2023   4:16 PM                Administrator
d-r---        6/14/2022  10:29 AM                Public
d-----        6/15/2022  10:48 PM                sflowers
*Evil-WinRM* PS C:\Users\sflowers\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\DC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
*WSUS Administrators
*WSUS Reporters
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*ITStaff
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

Hyper-V Administrators IIS_IUSRS WSUS Administrators WSUS Reporters

Processes


*Evil-WinRM* PS C:\Users\sflowers\Documents> tasklist /svc
tasklist.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\sflowers\Documents> ps
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    433      32    12444      20136              2968   0 certsrv
     82       5      936       3768              2692   0 CompatTelRunner
     79       5      872       3604              2976   0 CompatTelRunner
    154      10     6676      12632              1428   0 conhost
    148       9     6644      12412       0.05   2200   0 conhost
    154      10     6680      12648              4492   0 conhost
    155       9     6616       3888              7088   0 conhost
    575      21     2196       4616               412   0 csrss
    168      10     1712       4164               528   1 csrss
    401      33    16008      22168              1752   0 dfsrs
    179      11     2396       7540              3120   0 dfssvc
    267      14     4116      13236              4064   0 dllhost
   5392    5810    68868      69744              2040   0 dns
    540      22    23624      48224               404   1 dwm
     48       6     1608       4032              2912   1 fontdrvhost
     48       6     1540       3828              2920   0 fontdrvhost
    418      39    15132      19752              2492   0 hMailServer
      0       0       56          8                 0   0 Idle
    197      16     6588      15132              1668   0 inetinfo
    142      12     2304       5912              1476   0 ismserv
    470      27    13136      49164              5156   1 LogonUI
     44       6     1240       3252               672   0 LsaIso
   2206     176    61816      62248               684   0 lsass
    456      32    39508      50788              2948   0 Microsoft.ActiveDirectory.WebServices
    235      14     2952       9924              4608   0 msdtc
    638      36   107780     120888               696   0 powershell
      0      17     5480      93564                92   0 Registry
      0       0      168      13316                48   0 Secure System
    651      12     5308      10536               656   0 services
     53       3      500       1216               288   0 smss
    675      50   280756     200756              5916   0 sqlservr
    132      10     1704       7640              2604   0 sqlwriter
    125       7     1332       6144               360   0 svchost
    226      12     2616      12088               376   0 svchost
    103       7     1144       5056               396   0 svchost
    270      14     3512      10800               516   0 svchost
    195      15     6292      10164               812   0 svchost
     85       5      932       3860               872   0 svchost
    685      16     5552      14332               892   0 svchost
    929      20     4484      10836               940   0 svchost
    236      10     1696       6740               992   0 svchost
    131      16     3600       7428              1032   0 svchost
    118       7     1376       5720              1040   0 svchost
    220      12     1824       7500              1052   0 svchost
    148       9     1840       6584              1060   0 svchost
    192      11     1832       8044              1120   0 svchost
    218       9     2092       7280              1128   0 svchost
    251      14     3360       9252              1196   0 svchost
    365      13    13596      17916              1204   0 svchost
    369      16     4936      12984              1324   0 svchost
    402      32    10248      18868              1352   0 svchost
    245      16     3004      12404              1436   0 svchost
    263      13     3100      13188              1480   0 svchost
    440       9     2788       8796              1512   0 svchost
    397      18     5400      14360              1560   0 svchost
    327      10     2556       8328              1572   0 svchost
    131       8     1340       5628              1636   0 svchost
    312      11     2056       8768              1724   0 svchost
    187      12     2044       8100              1760   0 svchost
    261      13     2604       7796              1880   0 svchost
    138       9     1700       6668              1892   0 svchost
    156       8     1800       6904              1948   0 svchost
    212      12     2224       8832              1992   0 svchost
    154      10     2360       7480              2024   0 svchost
    434      15    12092      21004              2072   0 svchost
    183      10     1860       8328              2164   0 svchost
    251      25     3508      12396              2180   0 svchost
    454      15     3160      11144              2192   0 svchost
    401      21    16652      28592              2368   0 svchost
    133       9     1688       6492              2532   0 svchost
    165      10     1972       7400              2576   0 svchost
    136       8     1560       6108              2632   0 svchost
    204      11     2320       8276              2720   0 svchost
    397      16     3876      13800              2816   0 svchost
    296      15    11780      11700              2932   0 svchost
    165      12     3864      10576              2960   0 svchost
    125       7     1288       5520              2980   0 svchost
    240      15     5092      12096              3084   0 svchost
    285      21     3812      13688              3168   0 svchost
    161      10     2100      12532              3176   0 svchost
    169      11     2156       9312              3200   0 svchost
    323      24     7852      15608              3220   0 svchost
    221      12     2116       7416              3388   0 svchost
    159       9     1812       7532              4340   0 svchost
    449      32    11072      18048              5096   0 svchost
    238      13     2992      12504              5212   0 svchost
    170      11     2396      12868              5328   0 svchost
    408      26     3664      13112              5760   0 svchost
    325      20    10224      15220              5776   0 svchost
    131       8     3272       9732              6308   0 svchost
   1978       0      188        140                 4   0 System
    286      15    12280      15036              2452   0 taskhostw
   2093      10     8532      12836              5948   0 TiWorker
    142       9     2040       7232              2464   0 TrustedInstaller
    215      16     2524      10276              3972   0 vds
    167      11     3248      11548              2620   0 VGAuthService
    144       8     1704       6784              3100   0 vm3dservice
    137      10     1792       7244              3488   1 vm3dservice
    132       9     1668       7200              6356   1 vm3dservice
    176      10     2416       9484              4456   0 vmcompute
    697      24    41128      25888              3108   0 vmms
    434      23    10708      22740              3092   0 vmtoolsd
    408      19    10196      21048              5548   0 vmwp
   1175      55   206720     141372               756   0 w3wp
    174      11     1572       6380               520   0 wininit
    239      12     2720      17952               584   1 winlogon
    394      17     7788      17636              2652   0 WmiPrvSE
    412      20    39128      48296              4936   0 WmiPrvSE
   1141      32    75404     101752       1.52   1780   0 wsmprovhost
    615      30    46872      58876              3560   0 WsusService

certsrv hMailServer Secure System? sqlservr sqlwriter TrustedInstaller WsusService
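Because tasklist /svc was denied, the owner of each listener has to be recovered by joining the PIDs in the netstat -ano output with the ps table. The script below is an added triage helper, not part of the original notes: it parses a constructed excerpt of those two outputs and flags listeners a plain domain controller would not normally expose (the DC port baseline is an assumption).

```python
import re
from typing import Dict, List, Set

# Constructed excerpt of the `netstat -ano | Select-String LIST` output captured above.
NETSTAT = """\
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING       2492
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:143            0.0.0.0:0              LISTENING       2492
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       684
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:587            0.0.0.0:0              LISTENING       2492
  TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING       3108
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8530           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2948
  TCP    0.0.0.0:49955          0.0.0.0:0              LISTENING       2968
  TCP    10.10.11.175:53        0.0.0.0:0              LISTENING       2040
  TCP    [::]:88                [::]:0                 LISTENING       684
  TCP    [::]:2179              [::]:0                 LISTENING       3108
  TCP    [dead:beef::1ef]:53    [::]:0                 LISTENING       2040
"""

# Constructed excerpt of the `ps` (Get-Process) table captured above.
PS = """\
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    433      32    12444      20136              2968   0 certsrv
    148       9     6644      12412       0.05   2200   0 conhost
   5392    5810    68868      69744              2040   0 dns
    418      39    15132      19752              2492   0 hMailServer
   2206     176    61816      62248               684   0 lsass
    456      32    39508      50788              2948   0 Microsoft.ActiveDirectory.WebServices
      0       0      168      13316                48   0 Secure System
    697      24    41128      25888              3108   0 vmms
   1978       0      188        140                 4   0 System
"""

# Ports a domain controller is expected to expose (assumed baseline): DNS, Kerberos,
# RPC, SMB, LDAP/LDAPS, GC, WinRM and ADWS. Ephemeral RPC ports (>= 49152) are ignored.
DC_BASELINE: Set[int] = {53, 88, 135, 139, 389, 445, 464, 593, 636, 3268, 3269, 5985, 9389, 47001}
EPHEMERAL_START = 49152

_NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# Columns: Handles NPM PM WS [CPU] Id SI ProcessName. CPU(s) is blank on most rows and the
# name may contain spaces ("Secure System"), so Id/SI are anchored and the name taken last.
_PS_RE = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+\d+\s+(?:[\d.]+\s+)?(\d+)\s+\d+\s+(.+?)\s*$")


def parse_listeners(text: str) -> Dict[int, List[int]]:
    """Map PID -> sorted distinct listening TCP ports (IPv4 and IPv6 sockets merged)."""
    ports: Dict[int, Set[int]] = {}
    for line in text.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue
        local, pid = m.group(1), int(m.group(2))
        port = int(local.rsplit(":", 1)[1])  # handles 0.0.0.0:25 and [::]:88 alike
        ports.setdefault(pid, set()).add(port)
    return {pid: sorted(p) for pid, p in ports.items()}


def parse_ps(text: str) -> Dict[int, str]:
    """Map PID -> process name from the Get-Process table."""
    names: Dict[int, str] = {}
    for line in text.splitlines():
        m = _PS_RE.match(line)
        if m:
            names[int(m.group(1))] = m.group(2)
    return names


def listeners_by_process(netstat_text: str, ps_text: str) -> Dict[str, List[int]]:
    """Join the two tables: process name -> sorted ports it listens on."""
    names = parse_ps(ps_text)
    merged: Dict[str, Set[int]] = {}
    for pid, ports in parse_listeners(netstat_text).items():
        name = names.get(pid, f"pid:{pid}")  # PID missing from ps output stays visible
        merged.setdefault(name, set()).update(ports)
    return {name: sorted(p) for name, p in merged.items()}


def unexpected_listeners(by_proc: Dict[str, List[int]],
                         baseline: Set[int] = DC_BASELINE) -> Dict[str, List[int]]:
    """Return only the non-baseline, non-ephemeral ports, keyed by owning process."""
    flagged = {}
    for name, ports in by_proc.items():
        extra = [p for p in ports if p not in baseline and p < EPHEMERAL_START]
        if extra:
            flagged[name] = extra
    return flagged


if __name__ == "__main__":
    for name, ports in unexpected_listeners(listeners_by_process(NETSTAT, PS)).items():
        print(f"{name}: {ports}")
```

On the excerpt this attributes 25/143/587 to hMailServer, 2179 to vmms (Hyper-V) and 8530 to the kernel http.sys listener (PID 4) that WSUS uses, which is the extra surface worth tracking on a DC.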

Services


*Evil-WinRM* PS C:\Users\sflowers\Documents> services
 
Path                                                                       Privileges Service             
----                                                                       ---------- -------             
c:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe                       False ADWS                
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe                False aspnet_state        
c:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe         False FontCache3.0.0.0    
"c:\Program Files (x86)\hMailServer\Bin\hMailServer.exe" RunAsService           False hMailServer         
c:\Windows\WID\Binn\sqlservr.exe -SMSWIN8.SQLWID -sMICROSOFT##WID               False MSSQL$MICROSOFT##WID
c:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe                    True NetTcpPortSharing   
c:\Windows\SysWow64\perfhost.exe                                                False PerfHost            
"c:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"      False Sense               
c:\Windows\servicing\TrustedInstaller.exe                                       False TrustedInstaller    
"c:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe"          False VGAuthService       
"c:\Program Files\VMware\VMware Tools\vmtoolsd.exe"                             False VMTools             
"c:\Program Files\Windows Defender\NisSrv.exe"                                   True WdNisSvc            
c:\Windows\WID\Binn\sqlwriter.exe -w                                            False WIDWriter           
"c:\Program Files\Windows Defender\MsMpEng.exe"                                  True WinDefend           
"c:\Program Files\Windows Media Player\wmpnetwk.exe"                            False WMPNetworkSvc       
"c:\Program Files\Update Services\Services\WSusCertServer.exe"                  False WSusCertServer      
"c:\Program Files\Update Services\Services\WsusService.exe"                     False WsusService         

hMailServer NetTcpPortSharing MSSQL$MICROSOFT##WID TrustedInstaller WinDefend WSusCertServer WSusService

Tasks


*Evil-WinRM* PS C:\Users\sflowers\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\sflowers\Documents> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
Program 'schtasks.exe' failed to run: Access is deniedAt line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

Firewall & AV


*Evil-WinRM* PS C:\Users\sflowers\Documents> netsh firewall show config
 
domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
service configuration for domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
allowed programs configuration for domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
port configuration for domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
8531   TCP       Enable  Inbound               WSUS
8530   TCP       Enable  Inbound               WSUS
 
standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
service configuration for standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
allowed programs configuration for standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
port configuration for standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
8531   TCP       Enable  Inbound               WSUS
8530   TCP       Enable  Inbound               WSUS
 
log configuration:
-------------------------------------------------------------------
file location   = c:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .

Firewall is enabled on both profiles; the only inbound port exceptions are TCP 8530 and 8531 for WSUS.

*Evil-WinRM* PS C:\Users\sflowers\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied 
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+                        ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

Session Architecture


*Evil-WinRM* PS C:\Users\sflowers\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\sflowers\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is 2170-25D8
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
06/15/2022  10:39 AM    <DIR>          .
06/15/2022  10:39 AM    <DIR>          ..
09/14/2018  11:19 PM    <DIR>          v1.0.3705
09/14/2018  11:19 PM    <DIR>          v1.1.4322
06/17/2022  09:49 PM    <DIR>          v2.0.50727
06/15/2022  10:39 AM    <DIR>          v3.0
06/15/2022  10:39 AM    <DIR>          v3.5
01/05/2024  09:34 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               8 Dir(s)   5,981,790,208 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727
    CBS    REG_DWORD    0x1
    Increment    REG_SZ    4927
    Install    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
    SP    REG_DWORD    0x2
    Version    REG_SZ    2.0.50727.4927
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1028
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1029
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1030
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1031
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1032
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1033
    CBS    REG_DWORD    0x1
    Increment    REG_SZ    4927
    SP    REG_DWORD    0x2
    Version    REG_SZ    2.0.50727.4927
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1035
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1036
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1038
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1040
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1041
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1042
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1043
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1044
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1045
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1046
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1049
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1053
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1055
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\2052
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\2070
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\3076
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\3082
    Install    REG_DWORD    0x1
    MSI    REG_DWORD    0x1
    OCM    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0
    CBS    REG_DWORD    0x1
    Increment    REG_SZ    4926
    Install    REG_DWORD    0x1
    SP    REG_DWORD    0x2
    Version    REG_SZ    3.0.30729.4926
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Servicing
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Servicing\Windows Workflow Foundation
    CBS    REG_DWORD    0x1
    Hotfix    REG_SZ
    Install    REG_DWORD    0x1
    SP    REG_DWORD    0x2
    SPIndex    REG_DWORD    0x0
    SPName    REG_SZ    SP2
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup
    InstallSuccess    REG_DWORD    0x1
    Version    REG_SZ    3.0.30729.4926
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\1033
    CBS    REG_DWORD    0x1
    Increment    REG_SZ    4926
    Install    REG_DWORD    0x1
    InstallSuccess    REG_DWORD    0x1
    SP    REG_DWORD    0x2
    Version    REG_SZ    3.0.30729.4926
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Communication Foundation
    InstallSuccess    REG_DWORD    0x1
    ReferenceInstallPath    REG_SZ    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
    RuntimeInstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\
    Version    REG_SZ    3.0.4506.4926
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Presentation Foundation
    (Default)    REG_SZ    WPF v3.0.6920.4902
    InstallRoot    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\
    InstallSuccess    REG_DWORD    0x1
    ProductVersion    REG_SZ    3.0.6920.4902
    Version    REG_SZ    3.0.6920.4902
    WPFCommonAssembliesPathx64    REG_SZ    C:\Windows\System32\
    WPFNonReferenceAssembliesPathx64    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\
    WPFReferenceAssembliesPathx64    REG_SZ    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Workflow Foundation
    (Default)    REG_SZ    Windows Workflow Foundation
    FileVersion    REG_SZ    3.0.4203.4926
    InstallDir    REG_SZ    C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
    InstallSuccess    REG_DWORD    0x1
    MajorBuildNum    REG_SZ    4203
    ProductVersion    REG_SZ    3.0.0.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v3.5\
    SP    REG_DWORD    0x1
    Version    REG_SZ    3.5.30729.4926
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    SP    REG_DWORD    0x1
    Version    REG_SZ    3.5.30729.4926
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.7.03190