System/Kernel
*Evil-WinRM* PS C:\Users\FSmith\Documents> systeminfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
*Evil-WinRM* PS C:\Users\FSmith\Documents> Get-ComputerInfo
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerDatacenter
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 1/23/2020 5:32:10 AM
WindowsProductId : 00430-10710-91142-AA957
WindowsProductName : Windows Server 2019 Datacenter
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
OsServerLevel : FullServer
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2019 Datacenter
17763.1.amd64fre.rs5_release.180914-1434
Networks
*Evil-WinRM* PS C:\Users\FSmith\Documents> arp -a
Interface: 10.10.10.175 --- 0x7
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-ee-c2 dynamic
10.10.10.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
*Evil-WinRM* PS C:\Users\FSmith\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 892
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 892
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 1888
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 488
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1084
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1564
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 2604
TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING 620
TCP 0.0.0.0:49695 0.0.0.0:0 LISTENING 3140
TCP 0.0.0.0:49719 0.0.0.0:0 LISTENING 3060
TCP 10.10.10.175:53 0.0.0.0:0 LISTENING 3140
TCP 10.10.10.175:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 3140
TCP [::]:80 [::]:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 628
TCP [::]:135 [::]:0 LISTENING 892
TCP [::]:389 [::]:0 LISTENING 628
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 628
TCP [::]:593 [::]:0 LISTENING 892
TCP [::]:636 [::]:0 LISTENING 628
TCP [::]:3268 [::]:0 LISTENING 628
TCP [::]:3269 [::]:0 LISTENING 628
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 1888
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 488
TCP [::]:49665 [::]:0 LISTENING 1084
TCP [::]:49666 [::]:0 LISTENING 1564
TCP [::]:49667 [::]:0 LISTENING 628
TCP [::]:49673 [::]:0 LISTENING 628
TCP [::]:49674 [::]:0 LISTENING 628
TCP [::]:49676 [::]:0 LISTENING 2604
TCP [::]:49684 [::]:0 LISTENING 620
TCP [::]:49695 [::]:0 LISTENING 3140
TCP [::]:49719 [::]:0 LISTENING 3060
TCP [::1]:53 [::]:0 LISTENING 3140
TCP [dead:beef::17a]:53 [::]:0 LISTENING 3140
TCP [dead:beef::64df:5bff:4879:1d8b]:53 [::]:0 LISTENING 3140
TCP [fe80::64df:5bff:4879:1d8b%7]:53 [::]:0 LISTENING 3140
Users & Groups
*Evil-WinRM* PS C:\Users\FSmith\Documents> net user
User accounts for \\
-------------------------------------------------------------------------------
Administrator FSmith Guest
HSmith krbtgt svc_loanmgr
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\FSmith\Documents> dir -Force C:\Users
directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 1/25/2020 1:05 PM Administrator
d--hsl 9/15/2018 12:28 AM All Users
d-rh-- 1/22/2020 9:31 PM Default
d--hsl 9/15/2018 12:28 AM Default User
d----- 1/23/2020 9:52 AM FSmith
d-r--- 1/22/2020 9:32 PM Public
d----- 1/24/2020 4:05 PM svc_loanmgr
-a-hs- 9/15/2018 12:16 AM 174 desktop.ini
*Evil-WinRM* PS C:\Users\FSmith\Documents> net localgroup
Aliases for \\SAUNA
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
*Evil-WinRM* PS C:\Users\FSmith\Documents> net group /domain
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Processes
*Evil-WinRM* PS C:\Users\FSmith\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
148 9 6560 12096 0.03 616 0 conhost
463 18 2140 5236 380 0 csrss
162 9 1580 4556 496 1 csrss
388 32 15944 22064 3060 0 dfsrs
153 8 1948 5992 3412 0 dfssvc
253 13 3832 13024 3976 0 dllhost
10361 9604 129780 126940 3140 0 dns
541 21 17704 40012 64 1 dwm
49 6 1588 4604 4648 1 fontdrvhost
49 6 1444 4380 4656 0 fontdrvhost
0 0 56 8 0 0 Idle
129 12 1960 5488 3168 0 ismserv
471 26 12336 45608 4836 1 LogonUI
1786 265 84344 84680 628 0 lsass
374 30 38880 49396 1888 0 Microsoft.ActiveDirectory.WebServices
223 13 3100 10064 3956 0 msdtc
610 76 163256 147096 3348 0 MsMpEng
0 12 312 35916 88 0 Registry
596 14 5472 12944 620 0 services
53 3 380 1076 276 0 smss
483 22 5920 16844 2604 0 spoolsv
125 15 3128 7012 260 0 svchost
205 11 1608 7052 304 0 svchost
186 10 1628 7828 404 0 svchost
116 7 1140 5688 656 0 svchost
85 5 796 3672 828 0 svchost
653 16 5172 14292 852 0 svchost
710 19 3932 10308 892 0 svchost
228 10 1652 6640 940 0 svchost
159 9 2584 7112 956 0 svchost
215 9 2000 7260 992 0 svchost
354 13 10264 14496 1084 0 svchost
258 15 3328 8464 1116 0 svchost
258 13 3328 10540 1176 0 svchost
365 17 5188 12972 1352 0 svchost
246 15 3112 11696 1396 0 svchost
225 12 2472 10956 1444 0 svchost
401 32 9088 17856 1456 0 svchost
423 9 2616 8664 1472 0 svchost
115 7 1104 5396 1500 0 svchost
360 18 4976 13696 1564 0 svchost
128 8 1244 5568 1668 0 svchost
308 10 2360 8124 1696 0 svchost
315 11 2032 8740 1744 0 svchost
237 13 2248 9728 1812 0 svchost
138 9 1552 6340 1904 0 svchost
176 10 1680 8180 1980 0 svchost
161 8 2204 7296 1992 0 svchost
216 12 2196 8916 2000 0 svchost
136 8 3016 9364 2036 0 svchost
125 7 1152 5460 2088 0 svchost
418 16 10068 19220 2144 0 svchost
464 17 3416 12080 2208 0 svchost
180 22 2420 9580 2436 0 svchost
165 11 3728 10456 2464 0 svchost
339 17 4564 15548 2480 0 svchost
148 9 1732 6516 2620 0 svchost
163 10 1932 7272 2632 0 svchost
175 11 2336 12756 2832 0 svchost
394 67 15964 25836 2880 0 svchost
253 13 2868 11136 3000 0 svchost
103 6 1048 5120 3096 0 svchost
136 8 1352 5948 3200 0 svchost
231 13 2236 7968 3232 0 svchost
232 14 4596 11680 3248 0 svchost
344 21 4504 14504 3328 0 svchost
160 10 1976 12404 3364 0 svchost
133 9 1540 6356 3548 0 svchost
181 10 1844 8312 3896 0 svchost
439 19 18016 35020 4088 0 svchost
400 26 3412 12348 4436 0 svchost
186 15 5920 9816 4944 0 svchost
279 20 7892 13456 5192 0 svchost
309 15 15076 16960 5268 0 svchost
228 12 2656 11804 5568 0 svchost
1472 0 192 152 4 0 System
168 12 3024 10024 3240 0 VGAuthService
132 8 1516 6208 1340 0 vm3dservice
383 22 10624 21420 3224 0 vmtoolsd
171 11 1400 6708 488 0 wininit
241 12 2548 15524 552 1 winlogon
387 20 11136 21176 2928 0 WmiPrvSE
1145 33 104396 129896 1.22 2724 0 wsmprovhost
spoolsv
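Added example, not part of the original notes: it correlates the PIDs in the `netstat -ano` listener list with the `ps` table (excerpts of both dumps above are embedded as constructed sample input) to produce the port-to-process inventory a defender uses to confirm that only expected domain-controller services are exposed. The KNOWN_PORTS labels are my own assumption of what a DC normally listens on.

```python
import re

# Constructed sample input: excerpts of the `netstat -ano` and `ps` dumps above,
# plus one made-up listener (PID 7777) to show the unmatched-PID path.
NETSTAT_SAMPLE = """\
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 628
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 2604
TCP 10.10.10.175:53 0.0.0.0:0 LISTENING 3140
TCP [::]:88 [::]:0 LISTENING 628
TCP [::]:9389 [::]:0 LISTENING 1888
TCP [::]:49999 [::]:0 LISTENING 7777
"""
PS_SAMPLE = """\
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
1786 265 84344 84680 628 0 lsass
10361 9604 129780 126940 3140 0 dns
374 30 38880 49396 1888 0 Microsoft.ActiveDirectory.WebServices
483 22 5920 16844 2604 0 spoolsv
1472 0 192 152 4 0 System
1145 33 104396 129896 1.22 2724 0 wsmprovhost
"""
# Assumed baseline of ports a domain controller is expected to expose.
KNOWN_PORTS = {53: "DNS", 88: "Kerberos", 389: "LDAP", 445: "SMB", 464: "kpasswd",
               636: "LDAPS", 3268: "GC", 3269: "GC-SSL", 5985: "WinRM", 9389: "ADWS"}
LISTEN_RE = re.compile(r"^TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def parse_ps(text):
    """Map PID -> process name; CPU(s) is often blank, so index from the end."""
    pids = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 7 and tok[-3].isdigit():   # skips the header and dashes rows
            pids[int(tok[-3])] = tok[-1]
    return pids

def correlate(netstat_text, ps_text):
    """Return {port: (process, label)}; IPv4/IPv6 duplicates collapse to one entry."""
    pids = parse_ps(ps_text)
    inventory = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line.strip())
        if not m:
            continue
        port, pid = int(m.group(2)), int(m.group(3))
        proc = pids.get(pid, f"unknown pid {pid}")   # listener with no matching process row
        inventory.setdefault(port, (proc, KNOWN_PORTS.get(port, "unexpected/ephemeral")))
    return inventory

if __name__ == "__main__":
    for port, (proc, label) in sorted(correlate(NETSTAT_SAMPLE, PS_SAMPLE).items()):
        print(f"{port:>6}  {label:<22} {proc}")
```

Ephemeral RPC listeners such as 49676 (spoolsv) are normal, but anything labelled unexpected with an unknown PID is what to chase in a review.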
Tasks
*Evil-WinRM* PS C:\Users\FSmith\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\FSmith\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Firewall & AV
*Evil-WinRM* PS C:\Users\FSmith\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound Allow WinRM
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
5985 TCP Enable Inbound Allow WinRM
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
Firewall is enabled
*Evil-WinRM* PS C:\Users\FSmith\Documents> Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
*Evil-WinRM* PS C:\Users\FSmith\Documents> Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpPreference | Select-Object -Property ExclusionPath
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
Session Architecture
*Evil-WinRM* PS C:\Users\FSmith\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\FSmith\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
Volume in drive C has no label.
Volume Serial Number is 489C-D8FC
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
03/25/2023 08:35 AM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 7,707,799,552 bytes free
*Evil-WinRM* PS C:\Users\FSmith\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.7.03190