System/Kernel
*Evil-WinRM* PS C:\Users\melanie\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ComputerInfo
WindowsBuildLabEx : 14393.3321.amd64fre.rs1_release.191016-1811
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server Core
WindowsInstallDateFromRegistry : 9/25/2019 5:17:51 PM
WindowsProductId : 00376-30821-30176-AA312
WindowsProductName : Windows Server 2016 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
OsServerLevel : ServerCore
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2016 Standard, Server Core
Build 14393.3321.amd64fre.rs1_release.191016-1811 (build label dated 2019-10-16); Device Guard off
systeminfo.exe is denied for this account, so Get-ComputerInfo is the fallback for OS/build details
Networks
*Evil-WinRM* PS C:\Users\melanie\Documents> netstat -ano | Select-String list
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 812
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 812
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1992
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 452
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 928
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 980
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 1040
TCP 0.0.0.0:49678 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49679 0.0.0.0:0 LISTENING 584
TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING 576
TCP 0.0.0.0:49716 0.0.0.0:0 LISTENING 1288
TCP 0.0.0.0:61034 0.0.0.0:0 LISTENING 2324
TCP 10.10.10.169:53 0.0.0.0:0 LISTENING 2324
TCP 10.10.10.169:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2324
TCP [::]:88 [::]:0 LISTENING 584
TCP [::]:135 [::]:0 LISTENING 812
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 584
TCP [::]:593 [::]:0 LISTENING 812
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 1992
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 452
TCP [::]:49665 [::]:0 LISTENING 928
TCP [::]:49666 [::]:0 LISTENING 980
TCP [::]:49667 [::]:0 LISTENING 584
TCP [::]:49671 [::]:0 LISTENING 1040
TCP [::]:49678 [::]:0 LISTENING 584
TCP [::]:49679 [::]:0 LISTENING 584
TCP [::]:49684 [::]:0 LISTENING 576
TCP [::]:49716 [::]:0 LISTENING 1288
TCP [::]:61034 [::]:0 LISTENING 2324
TCP [::1]:53 [::]:0 LISTENING 2324
*Evil-WinRM* PS C:\Users\melanie\Documents> ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : Resolute
Primary Dns Suffix . . . . . . . : megabank.local
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : megabank.local
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
Physical Address. . . . . . . . . : 00-50-56-B9-F0-62
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.10.10.169(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.10.10.2
DNS Servers . . . . . . . . . . . : 8.8.8.8
NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{A20A4417-3DC7-47B7-8F00-87CC59D9F43F}:
Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft ISATAP Adapter
Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
*Evil-WinRM* PS C:\Users\melanie\Documents> arp -a
Interface: 10.10.10.169 --- 0x2
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-f3-30 dynamic
10.10.10.172 00-50-56-b9-50-2f dynamic
10.10.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.252 01-00-5e-00-00-fc static
10.10.10.172 (only other host in the ARP cache besides the gateway 10.10.10.2); the DC itself resolves via 8.8.8.8, not its own DNS service
Users & Groups
*Evil-WinRM* PS C:\Users\melanie\Documents> net users ; ls C:\Users
User accounts for \\
-------------------------------------------------------------------------------
abigail Administrator angela
annette annika claire
claude DefaultAccount felicia
fred Guest gustavo
krbtgt marcus marko
melanie naoki paulo
per ryan sally
simon steve stevie
sunita ulf zach
The command completed with one or more errors.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/25/2019 10:43 AM Administrator
d----- 12/4/2019 2:46 AM melanie
d-r--- 11/20/2016 6:39 PM Public
d----- 9/27/2019 7:05 AM ryan
ryan (the only profile under C:\Users besides melanie's that is not Administrator or Public; many domain accounts exist that have never logged on here)
*Evil-WinRM* PS C:\Users\melanie\Documents> net localgroup ; net group
Aliases for \\RESOLUTE
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*System Managed Accounts Group
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Contractors
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Contractors (the only group in the net group output that is not a Windows default; membership still needs to be enumerated)
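The two follow-ups the listing above raises are who sits in Contractors and what ryan effectively belongs to. The following is an added example, not part of the original session, that answers both over LDAP with ADSI, so it needs neither the ActiveDirectory module nor WMI/CIM (the CIM path is denied for this account elsewhere on this page). The only names it assumes are the ones the page shows (the user ryan); the "RID 1000 and above means post-install group" rule is a heuristic, stated as such in the comments.

```powershell
# Added example (not part of the original session): enumerate the domain's
# non-default groups and a user's effective (nested) group membership over LDAP
# with plain ADSI. Works from a WinRM session without the AD module or WMI/CIM.

$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

function ConvertTo-Sid([byte[]]$Bytes) {
    New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)
}

# Heuristic: groups created after the domain was built get RIDs of 1000 and
# above; the well-known defaults (Domain Admins = 512, Schema Admins = 518, ...)
# sit below that. DnsAdmins/DnsUpdateProxy are created later by the DNS role and
# therefore usually carry RIDs 1101/1102, so they are listed here as well.
function Get-CustomDomainGroup {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, '(objectCategory=group)')
    $searcher.PageSize = 500
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'objectSid', 'description', 'member'))
    foreach ($r in $searcher.FindAll()) {
        $sid = ConvertTo-Sid $r.Properties['objectsid'][0]
        $rid = [int]$sid.Value.Split('-')[-1]
        if ($rid -lt 1000) { continue }
        [pscustomobject]@{
            Group       = [string]$r.Properties['samaccountname'][0]
            RID         = $rid
            Description = [string]($r.Properties['description'] | Select-Object -First 1)
            # Direct members only; reduce each DN to its CN for readability.
            Members     = @($r.Properties['member'] | ForEach-Object { $_ -replace '^CN=([^,]+),.*$', '$1' })
        }
    }
}

# tokenGroups is computed by the DC on request and already includes nested
# groups, so this is effective membership, not just the direct memberOf list.
function Get-EffectiveGroup([string]$SamAccountName) {
    $filter   = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($domain, $filter)
    $result   = $searcher.FindOne()
    if (-not $result) { throw "no account named '$SamAccountName' in $domainDn" }

    $entry = $result.GetDirectoryEntry()
    $entry.psbase.RefreshCache([string[]]@('tokenGroups'))
    foreach ($bytes in $entry.psbase.Properties['tokenGroups']) {
        $sid = ConvertTo-Sid $bytes
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{ Account = $SamAccountName; Sid = $sid.Value; Group = $name }
    }
}

Get-CustomDomainGroup | Format-Table Group, RID, Description, Members -AutoSize -Wrap
Get-EffectiveGroup 'ryan' | Sort-Object Group | Format-Table Group, Sid -AutoSize
```

Two details matter in practice: a group's member attribute is returned in ranges of 1500 values, so very large groups need ranged retrieval, and SID-to-name translation only succeeds where the host can resolve domain SIDs, which on a domain controller it can.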
Processes
*Evil-WinRM* PS C:\Users\melanie\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
39 4 1556 2444 3904 1 cmd
94 8 4956 9508 0.00 3112 0 conhost
110 9 5300 11204 3912 1 conhost
265 12 1824 4092 368 0 csrss
152 13 1520 6168 460 1 csrss
346 32 13572 22216 1288 0 dfsrs
153 12 2064 7236 1688 0 dfssvc
214 13 3624 12420 2312 0 dllhost
5309 3694 69088 68040 860 0 dns
0 0 0 4 0 0 Idle
118 12 1944 5628 1128 0 ismserv
3607 185 69748 84512 584 0 lsass
489 41 55364 72064 1992 0 Microsoft.ActiveDirectory.WebServices
190 13 2432 9484 2452 0 msdtc
477 60 151220 174128 2000 0 MsMpEng
276 11 3804 9272 576 0 services
51 2 368 1168 292 0 smss
256 16 5596 14916 572 0 svchost
391 33 7356 14240 648 0 svchost
362 14 2996 9852 756 0 svchost
421 19 3060 8708 812 0 svchost
706 24 6228 14460 920 0 svchost
376 15 9300 14556 928 0 svchost
1066 40 18360 37948 980 0 svchost
621 44 8688 23064 988 0 svchost
136 11 1392 6644 1040 0 svchost
199 13 2144 8164 1816 0 svchost
242 19 7488 13768 3712 0 svchost
98 7 1696 7416 4076 0 svchost
754 0 128 120 4 0 System
163 12 1772 9172 3784 1 taskhostw
194 16 2332 10656 2244 0 vds
146 11 3048 9948 1328 0 VGAuthService
326 21 9676 23064 2032 0 vmtoolsd
169 15 3388 12984 4044 1 vmtoolsd
92 8 956 4932 452 0 wininit
188 10 1956 9052 528 1 winlogon
280 15 6948 15652 2468 0 WmiPrvSE
1007 34 101904 128112 1.75 2564 0 wsmprovhost
*Evil-WinRM* PS C:\Users\melanie\Documents> tasklist /svc
tasklist.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\melanie\Documents> wmic product get name,version,vendor
WMIC.exe : ERROR:
+ CategoryInfo : NotSpecified: (ERROR::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Description = Access denied
*Evil-WinRM* PS C:\Users\melanie\Documents> query process
USERNAME SESSIONNAME ID PID IMAGE
>(unknown) id 0 0 0
*Evil-WinRM* PS C:\Users\melanie\Documents> query session
query.exe : No session exists for *
+ CategoryInfo : NotSpecified: (No session exists for *:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\melanie\Documents> query user
query.exe : No User exists for *
+ CategoryInfo : NotSpecified: (No User exists for *:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
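tasklist /svc and WMIC are denied, but netstat -ano and Get-Process both work, so the service-to-port mapping can be rebuilt from those two. Note that the netstat capture and the ps capture above do not come from the same moment (port 53 is owned by PID 2324 in netstat, while ps shows dns.exe as PID 860), so the join has to be done live in one session. The following is an added example, not part of the original session; the port labels in $dcPorts are orientation only and are an assumption of the example, not output from the box.

```powershell
# Added example (not part of the original session): join "netstat -ano" with
# Get-Process so every listening TCP socket is labelled with its owning process.
function Get-ListenerMap {
    $nameByPid = @{}
    Get-Process | ForEach-Object { $nameByPid[$_.Id] = $_.ProcessName }

    # Well-known domain-controller ports, for orientation only (assumed labels).
    $dcPorts = @{
        53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 139 = 'NetBIOS session'
        389 = 'LDAP'; 445 = 'SMB'; 464 = 'Kerberos kpasswd'; 593 = 'RPC over HTTP'
        636 = 'LDAPS'; 3268 = 'Global Catalog'; 3269 = 'Global Catalog TLS'
        5985 = 'WinRM HTTP'; 9389 = 'AD Web Services'; 47001 = 'WinRM listener (HTTP.sys)'
    }

    foreach ($line in (netstat -ano)) {
        # e.g. "  TCP    0.0.0.0:88    0.0.0.0:0    LISTENING    584"
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 5 -or $f[0] -ne 'TCP' -or $f[3] -ne 'LISTENING') { continue }
        $ownerPid = [int]$f[4]
        $port     = [int]($f[1] -replace '^.*:(\d+)$', '$1')   # handles 0.0.0.0:88 and [::]:88
        $proc     = if ($nameByPid.ContainsKey($ownerPid)) { $nameByPid[$ownerPid] } else { '<not visible>' }
        $label    = if ($dcPorts.ContainsKey($port)) { $dcPorts[$port] } else { '' }
        [pscustomobject]@{
            Port    = $port
            Local   = $f[1]
            PID     = $ownerPid
            Process = $proc
            Service = $label
        }
    }
}

# One row per listener ...
Get-ListenerMap | Sort-Object Port, Local | Format-Table Port, Local, PID, Process, Service -AutoSize

# ... and one row per process, which makes it obvious that on this host lsass.exe
# (PID 584 in both captures above) carries Kerberos, LDAP(S), kpasswd and the
# Global Catalog, i.e. this is a domain controller.
Get-ListenerMap | Group-Object PID, Process | ForEach-Object {
    '{0,-36} ports {1}' -f $_.Name, (($_.Group.Port | Sort-Object -Unique) -join ', ')
}
```

The high ephemeral ports (49664 and up) are RPC endpoints; their owners are the same services (wininit, services, lsass, svchost, dfsrs) and are best read from the grouped view rather than one by one.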
Tasks
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\melanie\Documents> schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
Program 'schtasks.exe' failed to run: Access is deniedAt line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~.
At line:1 char:1
+ schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v / ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
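The two failures above have different causes: Get-ScheduledTask could not open a CIM session to the WMI namespace, while schtasks.exe was refused before it even started (ApplicationFailedException). A third route is the Task Scheduler COM API, which talks to the scheduler service directly and uses neither WMI nor schtasks.exe. The following is an added example, not part of the original session; whether the service accepts the connection for this account is not something the page shows, so treat the result as one more thing to try rather than a guaranteed answer.

```powershell
# Added example (not part of the original session): walk the Task Scheduler
# tree through its COM API (Schedule.Service). Tasks the caller cannot read are
# simply not returned; GetTasks(1) sets TASK_ENUM_HIDDEN so hidden tasks appear.
function Get-TaskTree {
    param([string]$ExcludePrefix = '\Microsoft')   # same filter the failed commands used

    $svc = New-Object -ComObject Schedule.Service
    $svc.Connect()                                 # local machine, current credentials

    $pending = New-Object System.Collections.Stack
    $pending.Push($svc.GetFolder('\'))

    while ($pending.Count -gt 0) {
        $folder = $pending.Pop()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Push($sub) }
        if ($folder.Path -like "$ExcludePrefix*") { continue }

        foreach ($task in $folder.GetTasks(1)) {
            $def = $task.Definition
            # Action type 0 is TASK_ACTION_EXEC; only those carry Path/Arguments.
            $exec = @($def.Actions | Where-Object { $_.Type -eq 0 } |
                      ForEach-Object { ("$($_.Path) $($_.Arguments)").Trim() })
            # RunLevel 1 is TASK_RUNLEVEL_HIGHEST (full admin token), 0 is LUA.
            $level = if ($def.Principal.RunLevel -eq 1) { 'Highest' } else { 'LUA' }
            [pscustomobject]@{
                Path     = $task.Path
                Enabled  = $task.Enabled
                RunsAs   = $def.Principal.UserId
                RunLevel = $level
                Actions  = ($exec -join ' ; ')
                LastRun  = $task.LastRunTime
                NextRun  = $task.NextRunTime
            }
        }
    }
}

Get-TaskTree | Format-Table Path, Enabled, RunsAs, RunLevel, Actions -AutoSize -Wrap
```

What to look for in the output is the same as with schtasks: tasks that run as SYSTEM or a privileged account whose Actions point at a binary or script in a location the current user can write to.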
Firewall & AV
*Evil-WinRM* PS C:\Users\melanie\Documents> netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Domain profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
ICMP configuration for Standard profile:
Mode Type Description
-------------------------------------------------------------------
Enable 2 Allow outbound packet too big
Enable 8 Allow inbound echo request
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at http://go.microsoft.com/fwlink/?linkid=121488 .
Firewall is DISABLED on the Domain and Standard profiles (the deprecated "netsh firewall" view shown here does not know the Public profile; confirm with "netsh advfirewall show allprofiles state" when it is available)
*Evil-WinRM* PS C:\Users\melanie\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
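Get-MpComputerStatus fails on the same CIM access problem as Get-ScheduledTask, but the process list above already contains MsMpEng.exe (PID 2000), the Windows Defender engine, so antivirus is present regardless of the failed query. The following is an added example, not part of the original session, that reads firewall and Defender state from the registry and the service table instead of WMI. The registry paths are the standard Windows ones; values a standard user cannot read are reported rather than guessed.

```powershell
# Added example (not part of the original session): firewall and Defender state
# without WMI/CIM, from the registry, the service table and the process list.
function Get-HostDefenseState {
    # Per-profile firewall switch. The legacy "netsh firewall" view only knows
    # Domain and Standard; the registry also carries the Public profile.
    $fwBase   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    $firewall = foreach ($fwProfile in 'DomainProfile', 'StandardProfile', 'PublicProfile') {
        $p = Get-ItemProperty -Path "$fwBase\$fwProfile" -ErrorAction SilentlyContinue
        $enabled = if ($null -eq $p) { '<no access>' } else { $p.EnableFirewall }   # 1 = on, 0 = off
        [pscustomobject]@{ Profile = $fwProfile; EnableFirewall = $enabled }
    }

    # Defender: engine process, service, real-time switch, policy override, signature version.
    $rt  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection' -ErrorAction SilentlyContinue
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    $sig = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Signature Updates' -ErrorAction SilentlyContinue

    $realtimeOff = if ($rt)  { [bool]$rt.DisableRealtimeMonitoring } else { '<no access>' }
    $policyOff   = if ($pol) { [bool]$pol.DisableAntiSpyware }       else { '<not set>' }
    $sigVersion  = if ($sig) { $sig.AVSignatureVersion }             else { '<no access>' }

    $defender = [pscustomobject]@{
        EngineRunning    = [bool](Get-Process -Name MsMpEng -ErrorAction SilentlyContinue)
        ServiceStatus    = (Get-Service -Name WinDefend -ErrorAction SilentlyContinue).Status
        RealtimeDisabled = $realtimeOff
        PolicyDisablesAV = $policyOff
        SignatureVersion = $sigVersion
    }

    [pscustomobject]@{ Firewall = $firewall; Defender = $defender }
}

$state = Get-HostDefenseState
$state.Firewall | Format-Table -AutoSize
$state.Defender | Format-List
```

A missing EnableFirewall value under a profile key means the built-in default (on) applies, so only an explicit 0 confirms what the netsh output claimed. Exclusion paths live under HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions and can be read the same way where the ACL allows it.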
Session Architecture
*Evil-WinRM* PS C:\Users\melanie\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\melanie\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is D1AC-5AF6
Directory of C:\Windows\Microsoft.NET\Framework
07/16/2016 06:18 AM <DIR> .
07/16/2016 06:18 AM <DIR> ..
07/16/2016 06:18 AM <DIR> v1.0.3705
07/16/2016 06:18 AM <DIR> v1.1.4322
07/16/2016 06:18 AM <DIR> v2.0.50727
06/10/2023 06:53 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 2,462,023,680 bytes free
*Evil-WinRM* PS C:\Users\melanie\Documents> cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
*Evil-WinRM* PS C:\Users\melanie\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x60632
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.6.01586
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.6.01586 (Release 0x60632 = 394802, which is .NET Framework 4.6.2 on Server 2016); the only CLR with a full install is the 64-bit v4.0.30319, so tooling must target 4.6.2 or lower