System/Kernel
*Evil-WinRM* PS C:\Users\svc-printer\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\svc-printer\Documents> Get-ComputerInfo
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 5/20/2021 7:09:32 PM
WindowsProductId : 00429-00521-62775-AA814
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
OsServerLevel : FullServer
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2019 Standard
Networks
*Evil-WinRM* PS C:\Users\svc-printer\Documents> arp -a
Interface: 10.10.11.108 --- 0xa
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-ee-c2 dynamic
10.10.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
*Evil-WinRM* PS C:\Users\svc-printer\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2832
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 488
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1088
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1524
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 1828
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:49675 0.0.0.0:0 LISTENING 652
TCP 0.0.0.0:49679 0.0.0.0:0 LISTENING 2792
TCP 0.0.0.0:49682 0.0.0.0:0 LISTENING 632
TCP 0.0.0.0:49694 0.0.0.0:0 LISTENING 2952
TCP 0.0.0.0:54510 0.0.0.0:0 LISTENING 2892
TCP 10.10.11.108:53 0.0.0.0:0 LISTENING 2952
TCP 10.10.11.108:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2952
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 652
TCP [::]:135 [::]:0 LISTENING 908
TCP [::]:389 [::]:0 LISTENING 652
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 652
TCP [::]:593 [::]:0 LISTENING 908
TCP [::]:636 [::]:0 LISTENING 652
TCP [::]:3268 [::]:0 LISTENING 652
TCP [::]:3269 [::]:0 LISTENING 652
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 2832
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 488
TCP [::]:49665 [::]:0 LISTENING 1088
TCP [::]:49666 [::]:0 LISTENING 1524
TCP [::]:49667 [::]:0 LISTENING 652
TCP [::]:49671 [::]:0 LISTENING 1828
TCP [::]:49674 [::]:0 LISTENING 652
TCP [::]:49675 [::]:0 LISTENING 652
TCP [::]:49679 [::]:0 LISTENING 2792
TCP [::]:49682 [::]:0 LISTENING 632
TCP [::]:49694 [::]:0 LISTENING 2952
TCP [::]:54510 [::]:0 LISTENING 2892
TCP [::1]:53 [::]:0 LISTENING 2952
TCP [dead:beef::1a2]:53 [::]:0 LISTENING 2952
TCP [dead:beef::3ca0:8079:2c38:f2ac]:53 [::]:0 LISTENING 2952
TCP [fe80::3ca0:8079:2c38:f2ac%10]:53 [::]:0 LISTENING 2952
Users & Groups
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest krbtgt
svc-printer
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net localgroup
Aliases for \\PRINTER
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
*Evil-WinRM* PS C:\Users\svc-printer\Documents> net group /domain
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Processes
*Evil-WinRM* PS C:\Users\svc-printer\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
148 9 6628 12272 0.06 768 0 conhost
467 18 2280 5396 380 0 csrss
162 9 1668 4716 496 1 csrss
392 32 16332 23000 2892 0 dfsrs
153 8 2036 6044 1800 0 dfssvc
250 14 4020 13460 3696 0 dllhost
10373 7409 129600 127848 2952 0 dns
527 22 16384 35088 316 1 dwm
49 6 1604 4176 2700 1 fontdrvhost
49 6 1512 3940 2716 0 fontdrvhost
0 0 56 8 0 0 Idle
129 12 1992 5676 2980 0 ismserv
463 26 9996 42788 4132 1 LogonUI
1774 260 88120 84900 652 0 lsass
432 30 37300 47756 2832 0 Microsoft.ActiveDirectory.WebServices
223 13 2972 10288 3952 0 msdtc
0 12 376 10492 88 0 Registry
580 14 5800 13280 632 0 services
53 3 496 1188 264 0 smss
467 23 5824 16200 2792 0 spoolsv
258 13 3588 10756 308 0 svchost
119 14 3424 7456 480 0 svchost
205 12 1744 7176 708 0 svchost
312 15 14368 16760 728 0 svchost
321 20 9924 15436 740 0 svchost
85 5 884 3824 852 0 svchost
645 16 5128 14340 876 0 svchost
174 10 1752 8072 892 0 svchost
707 18 3864 10468 908 0 svchost
228 10 1668 6756 956 0 svchost
228 13 2708 12052 976 0 svchost
116 7 1308 5876 1028 0 svchost
210 9 2048 7444 1068 0 svchost
345 13 11328 15448 1088 0 svchost
248 14 3676 9316 1132 0 svchost
366 17 4604 12860 1228 0 svchost
413 32 6440 15732 1324 0 svchost
248 15 3148 11928 1340 0 svchost
468 18 3476 12472 1380 0 svchost
318 10 2524 8380 1424 0 svchost
177 10 1740 8412 1484 0 svchost
357 17 4840 13992 1524 0 svchost
225 12 2444 11460 1580 0 svchost
428 9 2672 8868 1596 0 svchost
115 7 1176 5532 1612 0 svchost
168 11 2396 13020 1632 0 svchost
130 8 1320 5728 1724 0 svchost
302 11 2004 8816 1772 0 svchost
261 13 2592 7860 1812 0 svchost
154 9 2296 7424 1820 0 svchost
167 12 1880 7504 1828 0 svchost
182 11 2032 8136 1836 0 svchost
388 15 10992 20252 1924 0 svchost
138 9 1556 6688 2008 0 svchost
213 12 2256 8984 2108 0 svchost
161 10 2024 12628 2160 0 svchost
123 7 1564 6192 2208 0 svchost
206 11 2308 8432 2544 0 svchost
237 13 2976 12320 2596 0 svchost
166 12 3820 10744 2840 0 svchost
125 7 1228 5628 2848 0 svchost
187 22 2540 9960 2864 0 svchost
493 19 14484 27596 2920 0 svchost
133 9 1628 6564 3024 0 svchost
136 8 1496 6168 3052 0 svchost
233 14 4752 11892 3060 0 svchost
299 21 4340 14332 3068 0 svchost
384 24 3448 12280 3268 0 svchost
193 15 6004 10040 3284 0 svchost
154 9 1988 6748 4260 0 svchost
341 19 17560 34304 4776 0 svchost
133 8 2864 9460 4868 0 svchost
1450 0 192 100 4 0 System
169 12 3228 10564 2436 0 VGAuthService
132 8 1624 6576 1416 0 vm3dservice
382 22 9712 21768 2472 0 vmtoolsd
171 11 1476 6860 488 0 wininit
240 12 2640 14712 552 1 winlogon
352 16 8372 18104 3556 0 WmiPrvSE
1198 33 75536 101292 1.30 4692 0 wsmprovhost
spoolsv
Tasks
*Evil-WinRM* PS C:\Users\svc-printer\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Firewall & AV
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound winrm
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Disable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound winrm
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Firewall is disabled
*Evil-WinRM* PS C:\Users\svc-printer\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
*Evil-WinRM* PS C:\Users\svc-printer\Documents> Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpPreference | Select-Object -Property ExclusionPath
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
Session Architecture
*Evil-WinRM* PS C:\Users\svc-printer\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 3A0C-428E
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
03/23/2023 01:25 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 8,821,944,320 bytes free
*Evil-WinRM* PS C:\Users\svc-printer\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.7.03190