System/Kernel


*Evil-WinRM* PS C:\Users\support\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
 
WindowsBuildLabEx                                       : 20348.859.amd64fre.fe_release_svc_prod2.220707-1832
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandard
WindowsInstallationType                                 : Server Core
WindowsInstallDateFromRegistry                          : 5/19/2022 9:01:26 AM
WindowsProductId                                        : 00454-20165-01481-AA235
WindowsProductName                                      : Windows Server 2022 Standard
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 2009
OsDisplayVersion                                        : 21H2
OsServerLevel                                           : ServerCore
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off

Networks


*Evil-WinRM* PS C:\Users\support\Documents> ipconfig /all ; arp -a
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : dc
   Primary Dns Suffix  . . . . . . . : support.htb
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : support.htb
 
Ethernet adapter Ethernet0:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-B9-36-33
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.10.11.174(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.254.0
   Default Gateway . . . . . . . . . : 10.10.10.2
   DNS Servers . . . . . . . . . . . : 127.0.0.1
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 10.10.11.174 --- 0x6
  Internet Address      Physical Address      Type
  10.10.10.2            00-50-56-b9-d7-84     dynamic
  10.10.11.255          ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
 
*Evil-WinRM* PS C:\Users\support\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       516
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       848
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1284
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:49674          0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:49679          0.0.0.0:0              LISTENING       636
  TCP    0.0.0.0:49686          0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:49700          0.0.0.0:0              LISTENING       2080
  TCP    0.0.0.0:53270          0.0.0.0:0              LISTENING       2060
  TCP    10.10.11.174:53        0.0.0.0:0              LISTENING       2080
  TCP    10.10.11.174:139       0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2080
  TCP    [::]:88                [::]:0                 LISTENING       652
  TCP    [::]:135               [::]:0                 LISTENING       964
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       652
  TCP    [::]:593               [::]:0                 LISTENING       964
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       820
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       652
  TCP    [::]:49665             [::]:0                 LISTENING       516
  TCP    [::]:49666             [::]:0                 LISTENING       848
  TCP    [::]:49667             [::]:0                 LISTENING       1284
  TCP    [::]:49668             [::]:0                 LISTENING       652
  TCP    [::]:49674             [::]:0                 LISTENING       652
  TCP    [::]:49679             [::]:0                 LISTENING       636
  TCP    [::]:49686             [::]:0                 LISTENING       652
  TCP    [::]:49700             [::]:0                 LISTENING       2080
  TCP    [::]:53270             [::]:0                 LISTENING       2060
  TCP    [::1]:53               [::]:0                 LISTENING       2080

10.10.10.2

Users & Groups


*Evil-WinRM* PS C:\Users\support\Documents> net user ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            anderson.damian          bardot.mary
cromwell.gerard          daughtler.mabel          ford.victoria
Guest                    hernandez.stanley        krbtgt
langley.lucy             ldap                     levine.leopoldo
monroe.david             raven.clifton            smith.rosario
stoll.rachelle           support                  thomas.raphael
west.laura               wilson.shelby
The command completed with one or more errors.
 
 
 
    directory: C:\Users
 
 
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         5/28/2022   4:11 AM                Administrator
d-----         7/26/2022   6:21 AM                ldap
d-r---         5/19/2022   2:13 AM                Public
d-----         10/4/2023   2:21 AM                support
*Evil-WinRM* PS C:\Users\support\Documents> net localgroup ; net group /domain
 
Aliases for \\DC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
*Shared Support Accounts
The command completed with one or more errors.

Processes


*Evil-WinRM* PS C:\Users\support\Documents> ps
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    153      11     6752      16568              2864   1 conhost
    392      17     1860       6088               384   0 csrss
    198      11     1828       6168               496   1 csrss
    414      34    17048      25420              2060   0 dfsrs
    194      12     2264       8388              2300   0 dfssvc
    275      14     3864      14508              2916   0 dllhost
   5384    3716    68656      70180              2080   0 dns
     39       6     1196       3648               876   0 fontdrvhost
     39       6     1312       4064               884   1 fontdrvhost
      0       0       60          8                 0   0 Idle
    148      13     1916       6364              2152   0 ismserv
    300      16     3116      15444              2768   1 LogonUI
   1630     195   106072      91548               652   0 lsass
    431      30    36224      46972               820   0 Microsoft.ActiveDirectory.WebServices
    236      13     2992      11004              1308   0 msdtc
      0      10      296       3628               100   0 Registry
    455      13     4028      11056               636   0 services
     57       3     1044       1244               284   0 smss
    119      13     2396       6800               320   0 svchost
    193      12     1520       7272               688   0 svchost
    192      22     2576      10480               696   0 svchost
    235      14     2848      12792               716   0 svchost
    285      13     9480      14576               848   0 svchost
    305      12     2684      10456               856   0 svchost
    541      19     3372      10172               964   0 svchost
    230      11     1828       7404              1016   0 svchost
    272      16     2896      13204              1052   0 svchost
    210      11     2244      11780              1064   0 svchost
    422       9     2744       9180              1080   0 svchost
    294      15     2904       9664              1088   0 svchost
    210       9     1884       7112              1140   0 svchost
    121       8     1216       5672              1244   0 svchost
    308      16     3456      13508              1284   0 svchost
    390      30     7064      15472              1320   0 svchost
    202      12     2088       9380              1380   0 svchost
    110       7     1144       5900              1428   0 svchost
    116       7     1200       6024              1444   0 svchost
    292      20     8948      16324              1536   0 svchost
    359      15     2608      10952              1580   0 svchost
    138       9     1480       7740              1640   0 svchost
    374      15     3728      12248              1752   0 svchost
    343      13     2432      10548              1824   0 svchost
    197      11     2212       8900              1848   0 svchost
    266      14     2492       8308              2116   0 svchost
    129       9     3068       9940              2132   0 svchost
    132       8     1464       6792              2180   0 svchost
    367      15     8296      18092              2268   0 svchost
    289      35     3352      13916              2320   0 svchost
    169       9     1752       7304              2652   0 svchost
    310      23     8000      15864              3200   0 svchost
    232      14     9056      11924              3676   0 svchost
    111       7     1216       5624              3760   0 svchost
   1134       0       40        144                 4   0 System
    200      15     2272      10928              2676   0 vds
    174      11     3136      12260              2236   0 VGAuthService
    120       8     1436       6420              2228   0 vm3dservice
    121       9     2020       7552              2432   1 vm3dservice
    114       8     1408       6644              3240   1 vm3dservice
    383      23    10016      23792              2260   0 vmtoolsd
    151      11     1324       7020               516   0 wininit
    211      11     2284      11012               568   1 winlogon
    319      16     7252      16904              3028   0 WmiPrvSE
    627      27    53480      69932       0.59   3580   0 wsmprovhost
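The netstat listing above gives only owning PIDs, and the ps listing only names; joining the two is what tells you that 88/389/464/636/3268/3269 belong to lsass (PID 652), 53 to dns (2080), 9389 to Microsoft.ActiveDirectory.WebServices (820) and 53270 to dfsrs (2060). Get-NetTCPConnection -OwningProcess would do this join on a normal session, but it is a CIM-backed cmdlet and this session cannot reach CIM (see the CimJob_BrokenCimSession errors further down), so the join is done on the raw text instead. The script below is an added example, not part of the original notes; the two here-strings are constructed excerpts of the netstat -ano and ps output shown above, and the function names are my own.

```powershell
# Added example: join LISTENING sockets from 'netstat -ano' with process names
# from 'ps' (Get-Process) output. Works with pasted text, so it also serves
# for offline review of captured notes.

# Constructed excerpt of the netstat -ano output captured above.
$netstatText = @'
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       964
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       652
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:53270          0.0.0.0:0              LISTENING       2060
  TCP    10.10.11.174:53        0.0.0.0:0              LISTENING       2080
'@

# Constructed excerpt of the ps (Get-Process) table captured above.
$psText = @'
    414      34    17048      25420              2060   0 dfsrs
   5384    3716    68656      70180              2080   0 dns
   1630     195   106072      91548               652   0 lsass
    431      30    36224      46972               820   0 Microsoft.ActiveDirectory.WebServices
    541      19     3372      10172               964   0 svchost
   1134       0       40        144                 4   0 System
    627      27    53480      69932       0.59   3580   0 wsmprovhost
'@

function ConvertFrom-PsTable {
    # Build a PID -> ProcessName map from Get-Process table rows.
    # Columns are read from the right (ProcessName, SI, Id) because the
    # CPU(s) column is blank for most rows and would shift a left-to-right parse.
    param([string[]]$Lines)
    $map = @{}
    foreach ($line in $Lines) {
        $tokens = $line.Trim() -split '\s+'
        if ($tokens.Count -lt 3) { continue }
        $processId = $tokens[-3]
        if ($processId -match '^\d+$') { $map[[int]$processId] = $tokens[-1] }
    }
    return $map
}

function ConvertFrom-NetstatListening {
    # Emit one object per LISTENING TCP socket, resolving the owning PID
    # through the map produced by ConvertFrom-PsTable.
    param([string[]]$Lines, [hashtable]$PidToName)
    foreach ($line in $Lines) {
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $owner = [int]$Matches[3]
            $name  = if ($PidToName.ContainsKey($owner)) { $PidToName[$owner] } else { '?' }
            [pscustomobject]@{
                Address = $Matches[1]
                Port    = [int]$Matches[2]
                PID     = $owner
                Process = $name
            }
        }
    }
}

$pidMap = ConvertFrom-PsTable ($psText -split "`r?`n")
ConvertFrom-NetstatListening ($netstatText -split "`r?`n") $pidMap |
    Sort-Object Port | Format-Table -AutoSize
```

On the live session the ps parsing step is unnecessary: build the map from objects with `Get-Process | ForEach-Object { $pidMap[$_.Id] = $_.ProcessName }` and feed `netstat -ano` straight into ConvertFrom-NetstatListening. Sockets whose PID resolves to svchost still need `tasklist /svc` or the service list to name the hosted service, which this session may or may not be allowed to run.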

Tasks


*Evil-WinRM* PS C:\Users\support\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State 
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
 
 
*Evil-WinRM* PS C:\Users\support\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
cmd.exe : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Firewall & AV


*Evil-WinRM* PS C:\Users\support\Documents> cmd /c netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
*Evil-WinRM* PS C:\Users\support\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied 
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+                        ~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference

Session Architecture


*Evil-WinRM* PS C:\Users\support\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\support\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework
 Volume in drive C has no label.
 Volume Serial Number is 955A-5CBB
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
05/08/2021  01:27 AM    <DIR>          .
10/03/2023  08:36 PM    <DIR>          ..
05/08/2021  01:27 AM    <DIR>          v1.0.3705
05/08/2021  01:27 AM    <DIR>          v1.1.4322
05/08/2021  01:15 AM    <DIR>          v2.0.50727
10/03/2023  08:36 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)   3,953,483,776 bytes free
*Evil-WinRM* PS C:\Users\support\Documents> cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x81041
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.8.04161
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.8.04161
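The conclusion above comes from the Version string, but the authoritative field under NDP\v4\Full is the Release DWORD: 0x81041 is 528449, which Microsoft's "How to determine which .NET Framework versions are installed" table lists as .NET Framework 4.8 on Windows 11 and Windows Server 2022, consistent with the Server 2022 build identified in the System section. The script below is an added example, not part of the original notes; it decodes a Release value against the documented minimum thresholds and, on a live host, reads the key with plain registry access, which does not depend on CIM (the one access path this session has been refused). Function and variable names are my own.

```powershell
# Added example: map the NDP\v4\Full Release DWORD to a .NET Framework version.
# Thresholds are the documented minimum Release values per version; a host
# reports the first threshold its Release value meets or exceeds.
$releaseTable = @(
    @{ Min = 533320; Version = '4.8.1' },
    @{ Min = 528040; Version = '4.8'   },
    @{ Min = 461808; Version = '4.7.2' },
    @{ Min = 461308; Version = '4.7.1' },
    @{ Min = 460798; Version = '4.7'   },
    @{ Min = 394802; Version = '4.6.2' },
    @{ Min = 394254; Version = '4.6.1' },
    @{ Min = 393295; Version = '4.6'   },
    @{ Min = 379893; Version = '4.5.2' },
    @{ Min = 378675; Version = '4.5.1' },
    @{ Min = 378389; Version = '4.5'   }
)

function Get-DotNetVersionFromRelease {
    # Return the highest documented version whose minimum Release the value reaches.
    param([Parameter(Mandatory)][int]$Release)
    foreach ($row in $releaseTable) {
        if ($Release -ge $row.Min) { return $row.Version }
    }
    return 'below 4.5 (Release value not recognised)'
}

function Get-InstalledDotNet48Plus {
    # Live check: read the key directly. Registry reads succeed in sessions
    # where CIM/WMI is denied, so this is a safe first probe on a constrained host.
    $key = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props -or -not $props.Release) { return $null }
    [pscustomobject]@{
        Release = $props.Release
        Version = $props.Version
        Decoded = Get-DotNetVersionFromRelease -Release $props.Release
    }
}

# Offline: decode the value captured in the reg query above.
Get-DotNetVersionFromRelease -Release 0x81041

# Live: query the host this session is running on.
Get-InstalledDotNet48Plus
```

The Release value matters more than the folder listing under C:\Windows\Microsoft.NET\Framework, because v4.0.30319 is the CLR directory for every 4.x release and does not change between 4.0 and 4.8.1; only the registry tells you which in-place update is actually installed.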