System/Kernel
*evil-winrm* ps c:\Users\winrm_svc\Documents> systeminfo
program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
at line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ categoryinfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ fullyqualifiederrorid : NativeCommandFailed
*evil-winrm* ps c:\Users\winrm_svc\Documents> Get-ComputerInfo
windowsbuildlabex : 17763.1.amd64fre.rs5_release.180914-1434
windowscurrentversion : 6.3
windowseditionid : ServerStandard
windowsinstallationtype : Server
windowsinstalldatefromregistry : 7/20/2021 7:21:49 PM
windowsproductid : 00429-00521-62775-AA275
windowsproductname : Windows Server 2019 Standard
windowsregisteredowner : Windows User
windowssystemroot : C:\Windows
windowsversion : 1809
osserverlevel : FullServer
timezone : (UTC-08:00) Pacific Time (US & Canada)
powerplatformrole : Desktop
deviceguardsmartstatus : OffWindows Server 2019 Standard
17763.1.amd64fre.rs5_release.180914-1434
1809
Networks
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc01
Primary Dns Suffix . . . . . . . : rebound.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : rebound.htb
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-1E-8E
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.11.231(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : 10.10.10.2
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> arp -a
Interface: 10.10.11.231 --- 0xb
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-9d-31 dynamic
10.10.11.152 00-50-56-b9-40-ba dynamic
10.10.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 912
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 912
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2836
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 492
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1148
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1548
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 1824
TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49685 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49688 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49709 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:49718 0.0.0.0:0 LISTENING 2952
TCP 0.0.0.0:49725 0.0.0.0:0 LISTENING 2852
TCP 0.0.0.0:59263 0.0.0.0:0 LISTENING 2916
TCP 10.10.11.231:53 0.0.0.0:0 LISTENING 2952
TCP 10.10.11.231:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2952
TCP [::]:88 [::]:0 LISTENING 648
TCP [::]:135 [::]:0 LISTENING 912
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 648
TCP [::]:593 [::]:0 LISTENING 912
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 2836
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 492
TCP [::]:49665 [::]:0 LISTENING 1148
TCP [::]:49666 [::]:0 LISTENING 1548
TCP [::]:49667 [::]:0 LISTENING 648
TCP [::]:49671 [::]:0 LISTENING 1824
TCP [::]:49684 [::]:0 LISTENING 648
TCP [::]:49685 [::]:0 LISTENING 648
TCP [::]:49688 [::]:0 LISTENING 648
TCP [::]:49709 [::]:0 LISTENING 628
TCP [::]:49718 [::]:0 LISTENING 2952
TCP [::]:49725 [::]:0 LISTENING 2852
TCP [::]:59263 [::]:0 LISTENING 2916
TCP [::1]:53 [::]:0 LISTENING 2952Users & Groups
*evil-winrm* ps c:\Users\winrm_svc\Documents> net users ; dir C:\Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator batch_runner fflock
Guest jjones krbtgt
ldap_monitor llune mmalone
nnoon oorend ppaul
tbrady winrm_svc
The command completed with one or more errors.
directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/28/2023 8:23 PM Administrator
d-r--- 7/20/2021 12:23 PM Public
d----- 8/22/2023 12:05 PM tbrady
d----- 4/8/2023 2:08 AM winrm_svcbatch_runner
tbrady
*evil-winrm* ps c:\Users\winrm_svc\Documents> net localgroup ; net group /domain
Aliases for \\DC01
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*ServiceMgmt
The command completed with one or more errors.Processes
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
397 34 13092 22516 2852 0 certsrv
84 5 868 3704 2268 0 CompatTelRunner
151 9 6636 12612 0.02 5764 0 conhost
156 9 6620 4160 7876 0 conhost
666 20 2456 5800 388 0 csrss
284 16 2148 5288 512 1 csrss
359 15 3512 14920 5900 1 ctfmon
405 34 17444 26080 2916 0 dfsrs
189 12 2372 8136 3364 0 dfssvc
285 14 3872 13792 3808 0 dllhost
5372 3698 69672 71960 2952 0 dns
579 24 19488 43296 256 1 dwm
1415 55 20748 81004 1036 1 explorer
53 6 1784 5440 2800 1 fontdrvhost
53 6 1532 4748 2808 0 fontdrvhost
0 0 56 8 0 0 Idle
148 13 2260 6100 2972 0 ismserv
2696 187 70892 90524 648 0 lsass
497 36 53792 67432 2836 0 Microsoft.ActiveDirectory.WebServices
254 13 2836 10772 4508 0 msdtc
646 91 303984 323964 2476 0 MsMpEng
144 9 1520 8232 640 1 PickerHost
145 9 1496 8208 3788 1 PickerHost
145 9 1520 8228 4224 1 PickerHost
110 7 1288 6948 6340 1 PickerHost
110 7 1268 6944 7680 1 PickerHost
145 9 1508 8216 7984 1 PickerHost
0 13 352 24232 88 0 Registry
314 17 19860 33248 508 1 RuntimeBroker
236 12 2732 17184 6084 1 RuntimeBroker
230 12 2456 13100 6316 1 RuntimeBroker
670 32 20192 63004 4784 1 SearchUI
277 12 2932 12620 4616 0 SecurityHealthService
624 14 6608 14152 628 0 services
780 30 17268 47636 5328 1 ShellExperienceHost
454 17 4956 25048 112 1 sihost
53 3 524 1216 300 0 smss
119 7 1212 5936 192 0 svchost
214 12 1984 10076 292 0 svchost
130 16 3596 7964 332 0 svchost
210 12 1688 7556 364 0 svchost
89 5 940 4020 848 0 svchost
945 21 7196 23292 868 0 svchost
944 20 5856 13836 912 0 svchost
174 9 1780 12044 932 0 svchost
210 9 1840 7084 956 0 svchost
256 10 1980 7976 960 0 svchost
255 13 3064 9292 1064 0 svchost
395 13 13500 18180 1148 0 svchost
286 13 3924 11684 1164 0 svchost
375 18 4628 13032 1244 0 svchost
410 33 7420 16804 1300 0 svchost
278 16 3660 12988 1332 0 svchost
236 12 2708 12024 1340 0 svchost
440 9 2888 9324 1368 0 svchost
162 7 1268 5932 1384 0 svchost
415 16 13160 22620 1436 0 svchost
174 11 1776 8388 1492 0 svchost
334 10 2528 8836 1540 0 svchost
381 18 5960 15520 1548 0 svchost
318 13 1992 9192 1616 0 svchost
191 12 2072 12240 1712 0 svchost
161 8 1992 7492 1764 0 svchost
268 13 2472 8104 1816 0 svchost
168 12 1784 7640 1824 0 svchost
145 9 1748 7068 1840 0 svchost
220 12 2180 9528 1964 0 svchost
223 10 2452 9560 1972 0 svchost
247 25 4052 13660 2124 0 svchost
467 17 3164 11828 2136 0 svchost
177 11 2188 13752 2496 0 svchost
205 11 2404 8808 2560 0 svchost
146 7 1304 5984 2844 0 svchost
449 20 17772 33640 2928 0 svchost
138 9 1524 6736 3024 0 svchost
138 8 1532 6480 3032 0 svchost
309 21 5204 15940 3228 0 svchost
223 12 2088 7804 3288 0 svchost
203 11 2104 9752 3956 0 svchost
387 19 6884 29476 4280 1 svchost
169 9 2876 7712 4376 0 svchost
228 12 2684 12972 4388 1 svchost
322 18 6360 22968 4684 0 svchost
409 26 3512 13472 4808 0 svchost
254 14 2960 14012 5192 0 svchost
173 11 2420 13320 5384 0 svchost
158 9 1912 7008 5544 0 svchost
205 11 2720 12104 5696 0 svchost
161 9 3524 11668 5840 0 svchost
118 8 1616 6240 5892 0 svchost
172 9 1504 7544 5924 0 svchost
188 15 5996 10308 6048 0 svchost
319 16 17080 19292 7000 0 svchost
303 20 8772 15980 7084 0 svchost
1920 0 192 160 4 0 System
180 11 2076 11348 4344 1 taskhostw
213 16 2468 11312 3752 0 vds
174 11 2940 11232 2180 0 VGAuthService
148 8 1692 7540 2260 0 vm3dservice
141 9 1792 8040 3356 1 vm3dservice
141 9 1800 7960 5292 1 vm3dservice
395 23 10884 23188 2236 0 vmtoolsd
265 19 5308 17172 6612 1 vmtoolsd
173 11 1392 7148 492 0 wininit
283 12 2588 12780 560 1 winlogon
325 20 12544 24312 3764 0 WmiPrvSE
2422 28 97896 116316 1.13 644 0 wsmprovhost
563 25 50240 66788 0.38 1416 0 wsmprovhost
2028 32 94316 120088 0.91 6128 0 wsmprovhost
633 29 52084 68164 1.02 6896 0 wsmprovhostcertsrv
explorer
PickerHost
Tasks
*evil-winrm* ps c:\Users\winrm_svc\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
at line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ categoryinfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ fullyqualifiederrorid : CimJob_BrokenCimSession,Get-ScheduledTask
*evil-winrm* ps c:\Users\winrm_svc\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
Server Initial Configuration Task N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A Disabled
.NET Framework NGEN v4.0.30319 Critical N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter N/A Disabled
VerifiedPublisherCertStoreCheck N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
microsoft compatibility appraiser 9/13/2023 4:25:52 AM Running
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Pre-staged app cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BitLocker Encrypt All Drives N/A Ready
BitLocker MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UninstallDeviceTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ProactiveScan N/A Ready
SyspartRepair N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
consolidator 9/12/2023 6:00:00 AM Ready
UsbCeip N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
data integrity scan 9/24/2023 4:56:59 PM Ready
Data Integrity Scan for Crash Recovery N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
device 9/13/2023 4:40:08 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
DXGIAdapterCache N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SilentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A Ready
Microsoft-Windows-DiskDiagnosticResolver N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Diagnostics N/A Ready
StorageSense N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
StorageCardEncryption Task N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Property Definition Sync N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
ReconcileFeatures N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
refreshcache 9/12/2023 10:46:06 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScanForUpdates N/A Disabled
ScanForUpdatesAsUser N/A Disabled
WakeUpAndContinueUpdates N/A Disabled
WakeUpAndScanForUpdates N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Notifications N/A Ready
WindowsActionDialog N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
WinSAT N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MapsToastTask N/A Disabled
MapsUpdateTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents N/A Disabled
RunFullMemoryDiagnostic N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MNO Metadata Parser N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Background Synchronization N/A Disabled
Logon Synchronization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
SecureBootEncodeUEFI N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
VerifyWinRE N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
StartComponentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Account Cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Collection N/A Disabled
Configuration N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
HeadsetButtonPress N/A Ready
speechmodeldownloadtask 9/13/2023 3:27:50 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Storage Tiers Management Initialization N/A Ready
Storage Tiers Optimization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTimeZone N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Windows Defender Cache Maintenance N/A Ready
Windows Defender Cleanup N/A Ready
windows defender scheduled scan 9/13/2023 2:46:22 AM Ready
Windows Defender Verification N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
queuereporting 9/12/2023 5:15:44 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UpdateLibrary N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
scheduled start 9/12/2023 8:29:01 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Running
TaskName Next Run Time Status
======================================== ====================== ===============
Automatic-Device-Join N/A Ready
Recovery-Check N/A Disabled
*evil-winrm* ps c:\Users\winrm_svc\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32" | findstr /i "Running"
microsoft compatibility appraiser 9/13/2023 3:40:56 AM Running
CacheTask N/A RunningFirewall & AV
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .*Evil-WinRM* PS C:\Users\winrm_svc\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cmd /c 'C:\Program Files\Windows Defender\MpCmdRun.exe' -GetScanParameters
CmdTool: Failed with hr = 0x80070667. Check C:\Users\WINRM_~1\AppData\Local\Temp\MpCmdRun.log for more information
CmdTool: Invalid command line argumentSession Architecture
*evil-winrm* ps c:\Users\winrm_svc\Documents> [Environment]::Is64BitProcess
TrueInstalled .NET Frameworks
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 9C6D-5B8F
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
09/11/2023 10:29 PM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 3,187,281,920 bytes free
*Evil-WinRM* PS C:\Users\winrm_svc\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.04.7.03190