System/Kernel
*Evil-WinRM* PS C:\Users\legacyy\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
WindowsBuildLabEx : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 10/23/2021 6:27:45 PM
WindowsProductId : 00429-00521-62775-AA158
WindowsProductName : Windows Server 2019 Standard
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 1809
OsServerLevel : FullServer
TimeZone : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Windows Server 2019 Standard
6.3
17763.1.amd64fre.rs5_release.180914-1434
FullServer
Networks
*Evil-WinRM* PS C:\Users\legacyy\Documents> ipconfig /all ; arp -a
Windows IP Configuration
Host Name . . . . . . . . . . . . : dc01
Primary Dns Suffix . . . . . . . : timelapse.htb
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : timelapse.htb
htb
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : htb
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-B9-D4-F2
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : dead:beef::245(Preferred)
Lease Obtained. . . . . . . . . . : Tuesday, October 24, 2023 3:17:01 PM
Lease Expires . . . . . . . . . . : Tuesday, October 24, 2023 8:47:01 PM
IPv6 Address. . . . . . . . . . . : dead:beef::cc93:dbe2:8401:964(Preferred)
Link-local IPv6 Address . . . . . : fe80::cc93:dbe2:8401:964%13(Preferred)
IPv4 Address. . . . . . . . . . . : 10.10.11.152(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.254.0
Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%13
10.10.10.2
DHCPv6 IAID . . . . . . . . . . . : 33574998
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-C9-FA-B0-00-50-56-B9-D4-F2
DNS Servers . . . . . . . . . . . : 127.0.0.1
NetBIOS over Tcpip. . . . . . . . : Enabled
Connection-specific DNS Suffix Search List :
htb
Interface: 10.10.11.152 --- 0xd
Internet Address Physical Address Type
10.10.10.2 00-50-56-b9-d7-84 dynamic
10.10.11.236 00-50-56-b9-08-59 dynamic
10.10.11.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
*Evil-WinRM* PS C:\Users\legacyy\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 908
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 908
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:5986 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2700
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 504
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1160
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1580
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49673 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49674 0.0.0.0:0 LISTENING 648
TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING 640
TCP 0.0.0.0:49696 0.0.0.0:0 LISTENING 2816
TCP 0.0.0.0:65460 0.0.0.0:0 LISTENING 2764
TCP 10.10.11.152:53 0.0.0.0:0 LISTENING 2816
TCP 10.10.11.152:139 0.0.0.0:0 LISTENING 4
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2816
TCP [::]:88 [::]:0 LISTENING 648
TCP [::]:135 [::]:0 LISTENING 908
TCP [::]:389 [::]:0 LISTENING 648
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 648
TCP [::]:593 [::]:0 LISTENING 908
TCP [::]:636 [::]:0 LISTENING 648
TCP [::]:3268 [::]:0 LISTENING 648
TCP [::]:3269 [::]:0 LISTENING 648
TCP [::]:5986 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 2700
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 504
TCP [::]:49665 [::]:0 LISTENING 1160
TCP [::]:49666 [::]:0 LISTENING 1580
TCP [::]:49667 [::]:0 LISTENING 648
TCP [::]:49673 [::]:0 LISTENING 648
TCP [::]:49674 [::]:0 LISTENING 648
TCP [::]:49684 [::]:0 LISTENING 640
TCP [::]:49696 [::]:0 LISTENING 2816
TCP [::]:65460 [::]:0 LISTENING 2764
TCP [::1]:53 [::]:0 LISTENING 2816
TCP [dead:beef::245]:53 [::]:0 LISTENING 2816
TCP [dead:beef::cc93:dbe2:8401:964]:53 [::]:0 LISTENING 2816
TCP [fe80::cc93:dbe2:8401:964%13]:53 [::]:0 LISTENING 2816
10.10.11.236
Users & Groups
*Evil-WinRM* PS C:\Users\legacyy\Documents> net user ; net user /DOMAIN
User accounts for \\
-------------------------------------------------------------------------------
Administrator babywyrm Guest
krbtgt legacyy payl0ad
sinfulz svc_deploy thecybergeek
TRX
The command completed with one or more errors.
User accounts for \\
-------------------------------------------------------------------------------
Administrator babywyrm Guest
krbtgt legacyy payl0ad
sinfulz svc_deploy thecybergeek
TRX
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\legacyy\Documents> dir C:\Users
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 10/23/2021 11:27 AM Administrator
d----- 10/25/2021 8:22 AM legacyy
d-r--- 10/23/2021 11:27 AM Public
d----- 10/25/2021 12:23 PM svc_deploy
d----- 2/23/2022 5:45 PM TRX
svc_deploy
TRX
*Evil-WinRM* PS C:\Users\legacyy\Documents> net localgroup ; net group /DOMAIN
Aliases for \\DC01
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*Development
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*HelpDesk
*Key Admins
*LAPS_Readers
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
Development
HelpDesk
LAPS_Readers
Processes
*Evil-WinRM* PS C:\Users\legacyy\Documents> ps
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
152 9 6540 12552 1.09 8 0 conhost
464 18 2192 5312 396 0 csrss
166 9 1696 4772 512 1 csrss
397 33 16508 23456 2764 0 dfsrs
183 12 2444 7868 2176 0 dfssvc
252 14 4036 13580 3416 0 dllhost
10388 7408 130356 128232 2816 0 dns
529 22 22972 41960 256 1 dwm
48 6 1616 4700 2640 1 fontdrvhost
48 6 1504 4496 2648 0 fontdrvhost
0 0 56 8 0 0 Idle
131 12 1968 5668 2860 0 ismserv
469 26 10628 47040 3700 1 LogonUI
2155 268 50764 66084 648 0 lsass
558 32 37468 51148 2700 0 Microsoft.ActiveDirectory.WebServices
225 13 3260 10540 4032 0 msdtc
788 86 263368 269080 3036 0 MsMpEng
210 28 3648 10068 4680 0 NisSrv
0 20 680 138352 88 0 Registry
241 12 2592 11308 1072 0 SecurityHealthService
578 14 5956 13172 640 0 services
53 3 484 1136 280 0 smss
263 13 4012 11244 320 0 svchost
188 11 1812 8268 348 0 svchost
122 16 3180 7356 772 0 svchost
206 12 1720 7300 784 0 svchost
86 5 904 3884 852 0 svchost
731 16 5216 14680 872 0 svchost
735 20 4424 11028 908 0 svchost
233 10 1808 6968 960 0 svchost
133 7 1216 5900 1020 0 svchost
214 9 2068 7544 1056 0 svchost
259 14 3384 9332 1124 0 svchost
360 13 10752 15128 1160 0 svchost
220 12 2056 7520 1256 0 svchost
405 32 10248 18948 1284 0 svchost
368 17 5320 13348 1304 0 svchost
339 15 11368 20496 1320 0 svchost
260 17 3364 12660 1384 0 svchost
233 12 2564 11572 1392 0 svchost
424 9 2640 8880 1400 0 svchost
116 7 1184 5644 1428 0 svchost
321 10 2428 8492 1520 0 svchost
162 10 1728 7984 1544 0 svchost
367 17 4812 14272 1580 0 svchost
229 12 2648 12336 1604 0 svchost
317 11 2032 8980 1632 0 svchost
183 11 1920 8148 1720 0 svchost
140 9 1540 6604 1796 0 svchost
224 12 2224 9264 1888 0 svchost
166 9 2224 7464 1912 0 svchost
178 9 1720 8360 1948 0 svchost
168 10 2092 12996 1960 0 svchost
470 18 3424 12468 2100 0 svchost
333 20 9088 15180 2356 0 svchost
210 11 2372 8736 2560 0 svchost
169 9 2752 7692 2632 0 svchost
126 7 1252 5732 2676 0 svchost
334 1360 48856 57404 2728 0 svchost
412 20 17376 31256 2792 0 svchost
262 13 2568 7912 2836 0 svchost
135 9 1648 6636 2888 0 svchost
138 8 1524 6232 2900 0 svchost
795 28 3752 13392 3052 0 svchost
189 15 6004 10220 3232 0 svchost
137 8 4048 11004 3936 0 svchost
155 9 2024 6872 4076 0 svchost
318 18 7076 23340 4880 0 svchost
405 26 3568 13096 4940 0 svchost
317 16 15584 17608 5184 0 svchost
1503 0 192 140 4 0 System
109 7 1204 6076 3228 0 taskhostw
3373 13 194360 178012 2216 0 TiWorker
136 8 1808 7248 3696 0 TrustedInstaller
214 16 2412 10616 3348 0 vds
176 12 3128 10680 2944 0 VGAuthService
140 10 1816 7596 2036 1 vm3dservice
146 8 1692 7132 2972 0 vm3dservice
387 22 10576 22364 2952 0 vmtoolsd
173 11 1512 6948 504 0 wininit
244 12 2648 18612 572 1 winlogon
349 16 8920 19004 3400 0 WmiPrvSE
926 36 67808 113548 3.25 4092 0 wsmprovhost
NisSrv and MsMpEng (Defender)
TiWorker
TrustedInstaller
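The netstat and ps listings above leave the reader to match PIDs to process names by hand. The following added example (not part of the original writeup) does that offline against the captured text and checks each listening port against a baseline of what a domain controller is expected to expose; the sample input is a constructed subset of the two listings plus one constructed listener on port 8080 (PID 9999, "constructed_demo") so the review branch has something to flag.

```python
# Constructed sample input for this example: a handful of lines copied from the
# `netstat -ano | Select-String LIST` and `ps` listings above, plus one constructed
# listener (port 8080, PID 9999) that does not exist on the original host.
NETSTAT_SAMPLE = """\
TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       648
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       648
TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:5986           0.0.0.0:0              LISTENING       4
TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2700
TCP    0.0.0.0:65460          0.0.0.0:0              LISTENING       2764
TCP    10.10.11.152:53        0.0.0.0:0              LISTENING       2816
TCP    [::]:88                [::]:0                 LISTENING       648
TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       9999
"""

PS_SAMPLE = """\
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
    397     33 16508 23456          2764  0 dfsrs
  10388   7408 130356 128232        2816  0 dns
   2155    268 50764 66084           648  0 lsass
    558     32 37468 51148          2700  0 Microsoft.ActiveDirectory.WebServices
    735     20  4424 11028           908  0 svchost
   1503      0   192   140            4   0 System
    100     10  2000  5000         9999   0 constructed_demo
"""

# Baseline of ports a domain controller is expected to expose (assumption for
# this example); anything else is either dynamic RPC or gets flagged for review.
EXPECTED_DC_PORTS = {
    53: "DNS", 88: "Kerberos", 135: "RPC endpoint mapper", 139: "NetBIOS session",
    389: "LDAP", 445: "SMB", 464: "Kerberos kpasswd", 593: "RPC over HTTP",
    636: "LDAPS", 3268: "Global Catalog", 3269: "Global Catalog TLS",
    5986: "WinRM HTTPS", 9389: "ADWS", 47001: "WinRM (HTTP.sys reserved)",
}
DYNAMIC_RPC_START = 49152  # default Windows dynamic port range begins here


def parse_netstat(text):
    """Yield (local_port, pid) for every LISTENING TCP line of netstat -ano output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "TCP" or parts[3] != "LISTENING":
            continue
        # The port follows the last colon; this also handles "[::]:88".
        port = int(parts[1].rsplit(":", 1)[1])
        yield port, int(parts[4])


def parse_ps(text):
    """Map PID -> ProcessName from the PowerShell `ps` table.

    Column widths vary and CPU(s) is often blank, so index from the right:
    the last three fields are always Id, SI and ProcessName.
    """
    pids = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or not parts[-3].isdigit():
            continue  # header, separator or malformed line
        pids[int(parts[-3])] = parts[-1]
    return pids


def classify(port):
    if port in EXPECTED_DC_PORTS:
        return "expected: " + EXPECTED_DC_PORTS[port]
    if port >= DYNAMIC_RPC_START:
        return "dynamic RPC range"
    return "UNEXPECTED"


def review_listeners(netstat_text, ps_text):
    """Return sorted (port, owning process names, classification) tuples."""
    names = parse_ps(ps_text)
    owners = {}
    for port, pid in parse_netstat(netstat_text):
        owners.setdefault(port, set()).add(names.get(pid, f"pid {pid} (not in ps output)"))
    return [(p, sorted(o), classify(p)) for p, o in sorted(owners.items())]


def unexpected_listeners(netstat_text, ps_text):
    return [row for row in review_listeners(netstat_text, ps_text) if row[2] == "UNEXPECTED"]


if __name__ == "__main__":
    for port, procs, verdict in review_listeners(NETSTAT_SAMPLE, PS_SAMPLE):
        print(f"{port:>6}  {', '.join(procs):<40}  {verdict}")
```

On the real listings this maps 88/389/464/636/3268/3269 to lsass, 135/593 to svchost, 445/5986/47001 to System, 9389 to ADWS and 53 to dns, leaving only the high ports in the dynamic RPC range.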
Tasks
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\legacyy\Documents> cmd /c schtasks /QUERY /FO TABLE | findstr /v /i "\Microsoft" | findstr /v /i "access level" | findstr /v /i "system32"
Folder: \
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
Server Initial Configuration Task N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
.NET Framework NGEN v4.0.30319 N/A Ready
.NET Framework NGEN v4.0.30319 64 N/A Ready
.NET Framework NGEN v4.0.30319 64 Critic N/A Disabled
.NET Framework NGEN v4.0.30319 Critical N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
AD RMS Rights Policy Template Management N/A Disabled
AD RMS Rights Policy Template Management N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
PolicyConverter N/A Disabled
VerifiedPublisherCertStoreCheck N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft Compatibility Appraiser 10/25/2023 3:07:13 AM Ready
ProgramDataUpdater N/A Ready
StartupAppTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
appuriverifierdaily N/A Ready
appuriverifierinstall N/A Ready
CleanupTemporaryState N/A Ready
DsSvcCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Pre-staged app cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Proxy N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BitLocker Encrypt All Drives N/A Ready
BitLocker MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UninstallDeviceTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
BgTaskRegistrationMaintenanceTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ProactiveScan N/A Ready
SyspartRepair N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Consolidator 10/25/2023 12:00:00 AM Ready
UsbCeip N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Data Integrity Scan 11/22/2023 10:14:25 PM Ready
Data Integrity Scan for Crash Recovery N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScheduledDefrag N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Device 10/25/2023 3:12:10 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
DXGIAdapterCache N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SilentCleanup N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Microsoft-Windows-DiskDiagnosticDataColl N/A Ready
Microsoft-Windows-DiskDiagnosticResolver N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Diagnostics N/A Ready
StorageSense N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
EDP App Launch Task N/A Ready
EDP Auth Task N/A Ready
StorageCardEncryption Task N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ExploitGuard MDM policy Refresh N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Property Definition Sync N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
TaskName Next Run Time Status
======================================== ====================== ===============
ReconcileFeatures N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
RefreshCache 10/25/2023 8:54:46 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ScanForUpdates N/A Disabled
ScanForUpdatesAsUser N/A Disabled
WakeUpAndContinueUpdates N/A Disabled
WakeUpAndScanForUpdates N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Notifications N/A Ready
WindowsActionDialog N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
WinSAT N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
MapsToastTask N/A Disabled
MapsUpdateTask N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
ProcessMemoryDiagnosticEvents N/A Disabled
RunFullMemoryDiagnostic N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MNO Metadata Parser N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
LPRemove N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SystemSoundsService N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
GatherNetworkInfo N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Background Synchronization N/A Disabled
Logon Synchronization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Server Manager Performance Monitor N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Device Install Group Policy N/A Ready
Device Install Reboot Required N/A Ready
Sysprep Generalize Drivers N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
AnalyzeSystem N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
VerifyWinRE N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CleanupOldPerfLogs N/A Ready
ServerManager N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
StartComponentCleanup N/A Running
TaskName Next Run Time Status
======================================== ====================== ===============
Account Cleanup N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
CreateObjectTask N/A Ready
IndexerAutomaticMaintenance N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Collection N/A Disabled
Configuration N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SpaceAgentTask N/A Ready
SpaceManagerTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
HeadsetButtonPress N/A Ready
SpeechModelDownloadTask 10/25/2023 2:32:28 AM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Storage Tiers Management Initialization N/A Ready
Storage Tiers Optimization N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
MsCtfMonitor N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
ForceSynchronizeTime N/A Ready
SynchronizeTime N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
SynchronizeTimeZone N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UPnPHostConfig N/A Disabled
TaskName Next Run Time Status
======================================== ====================== ===============
Windows Defender Cache Maintenance N/A Ready
Windows Defender Cleanup N/A Ready
Windows Defender Scheduled Scan 10/25/2023 2:55:38 AM Ready
Windows Defender Verification N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
QueueReporting 10/24/2023 8:38:20 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
BfeOnServiceStartTypeChange N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
UpdateLibrary N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Calibration Loader N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Scheduled Start 10/25/2023 3:16:08 PM Ready
TaskName Next Run Time Status
======================================== ====================== ===============
CacheTask N/A Ready
TaskName Next Run Time Status
======================================== ====================== ===============
Automatic-Device-Join N/A Ready
Recovery-Check N/A Disabled
Services
*Evil-WinRM* PS C:\Users\legacyy\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{228B40E7-7733-4E85-8197-ACFEAF9BDD53}\MpKslDrv.sys False MpKsl5ab06165
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" False VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" False VMTools
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2202.4-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
Firewall & AV
*Evil-WinRM* PS C:\Users\legacyy\Documents> cmd /c netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
The firewall is enabled, but nothing appears to be filtered beyond the default settings.
*Evil-WinRM* PS C:\Users\legacyy\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
The firewall is certainly enabled.
Session Architecture
*Evil-WinRM* PS C:\Users\legacyy\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\legacyy\Documents> cmd /c dir /s C:\Windows\Microsoft.NET\Framework\msbuild ; cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is 22CC-AE66
Directory of C:\Windows\Microsoft.NET\Framework\v4.0.30319
09/15/2018 12:19 AM <DIR> MSBuild
0 File(s) 0 bytes
Total Files Listed:
0 File(s) 0 bytes
1 Dir(s) 9,161,109,504 bytes free
Volume in drive C has no label.
Volume Serial Number is 22CC-AE66
Directory of C:\Windows\Microsoft.NET\Framework
09/15/2018 12:19 AM <DIR> .
09/15/2018 12:19 AM <DIR> ..
09/15/2018 12:19 AM <DIR> v1.0.3705
09/15/2018 12:19 AM <DIR> v1.1.4322
09/15/2018 12:19 AM <DIR> v2.0.50727
10/24/2023 04:28 PM <DIR> v4.0.30319
0 File(s) 0 bytes
6 Dir(s) 9,161,109,504 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x70bf6
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.7.03190
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.7.03190