System/Kernel


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> cmd /c ver
 
Microsoft Windows [Version 10.0.17763.2145]
 
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed
 
 
 
WindowsBuildLabEx                                       : 17763.1.amd64fre.rs5_release.180914-1434
WindowsCurrentVersion                                   : 6.3
WindowsEditionId                                        : ServerStandardEval
WindowsInstallationType                                 : Server
WindowsInstallDateFromRegistry                          : 5/28/2021 10:52:51 AM
WindowsProductId                                        : 00431-10000-00000-AA710
WindowsProductName                                      : Windows Server 2019 Standard Evaluation
WindowsRegisteredOwner                                  : Windows User
WindowsSystemRoot                                       : C:\Windows
WindowsVersion                                          : 1809
OsServerLevel                                           : FullServer
TimeZone                                                : (UTC-08:00) Pacific Time (US & Canada)
PowerPlatformRole                                       : Desktop
DeviceGuardSmartStatus                                  : Off
  • Microsoft Windows [Version 10.0.17763.2145]
  • WindowsProductName : Windows Server 2019 Standard Evaluation

Networks


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> ipconfig /all ; arp -a ; print route
 
Windows IP Configuration
 
   Host Name . . . . . . . . . . . . : ResourceDC
   Primary Dns Suffix  . . . . . . . : resourced.local
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : resourced.local
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
   Physical Address. . . . . . . . . : 00-50-56-9E-89-B3
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.169.175(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.169.254
   DNS Servers . . . . . . . . . . . : 192.168.169.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
 
Interface: 192.168.169.175 --- 0x10
  Internet Address      Physical Address      Type
  192.168.169.254       00-50-56-9e-b9-f7     dynamic
  192.168.169.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  224.0.0.251           01-00-5e-00-00-fb     static
  224.0.0.252           01-00-5e-00-00-fc     static
  255.255.255.255       ff-ff-ff-ff-ff-ff     static
Unable to initialize device PRN
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> netstat -ano | Select-String LIST
 
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       820
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2116
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       492
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       372
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       996
  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       996
  TCP    0.0.0.0:49672          0.0.0.0:0              LISTENING       1568
  TCP    0.0.0.0:49675          0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       604
  TCP    0.0.0.0:49683          0.0.0.0:0              LISTENING       596
  TCP    0.0.0.0:49694          0.0.0.0:0              LISTENING       2132
  TCP    0.0.0.0:49712          0.0.0.0:0              LISTENING       2140
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING       2132
  TCP    192.168.169.175:53     0.0.0.0:0              LISTENING       2132
  TCP    192.168.169.175:139    0.0.0.0:0              LISTENING       4
  TCP    [::]:88                [::]:0                 LISTENING       604
  TCP    [::]:135               [::]:0                 LISTENING       820
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    [::]:464               [::]:0                 LISTENING       604
  TCP    [::]:593               [::]:0                 LISTENING       820
  TCP    [::]:3389              [::]:0                 LISTENING       952
  TCP    [::]:5985              [::]:0                 LISTENING       4
  TCP    [::]:9389              [::]:0                 LISTENING       2116
  TCP    [::]:47001             [::]:0                 LISTENING       4
  TCP    [::]:49664             [::]:0                 LISTENING       492
  TCP    [::]:49665             [::]:0                 LISTENING       372
  TCP    [::]:49666             [::]:0                 LISTENING       604
  TCP    [::]:49668             [::]:0                 LISTENING       996
  TCP    [::]:49669             [::]:0                 LISTENING       996
  TCP    [::]:49672             [::]:0                 LISTENING       1568
  TCP    [::]:49675             [::]:0                 LISTENING       604
  TCP    [::]:49676             [::]:0                 LISTENING       604
  TCP    [::]:49683             [::]:0                 LISTENING       596
  TCP    [::]:49694             [::]:0                 LISTENING       2132
  TCP    [::]:49712             [::]:0                 LISTENING       2140
  TCP    [::1]:53               [::]:0                 LISTENING       2132

Users & Groups


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> net users ; ls C:\Users
 
User accounts for \\
 
-------------------------------------------------------------------------------
Administrator            D.Durant                 G.Goldberg
Guest                    J.Johnson                K.Keen
krbtgt                   L.Livingstone            M.Mason
P.Parker                 R.Robinson               S.Swanson
V.Ventz
The command completed with one or more errors.
 
 
 
    Directory: C:\Users
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        10/5/2021   1:51 AM                Administrator
d-----        10/1/2021   4:15 AM                L.Livingstone
d-r---        5/28/2021   3:53 AM                Public
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> net localgroup ; net group /DOMAIN
 
Aliases for \\RESOURCEDC
 
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
 
 
Group Accounts for \\
 
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

Processes


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-WmiObject Win32_Process | % { $s = (Get-CimInstance Win32_Service -Filter "ProcessId=$($_.ProcessId)").Name -join ", "; $u = $_.GetOwner(); [PSCustomObject]@{ Name = $_.Name; PID = $_.ProcessId; User = "$($u.Domain)\$($u.User)"; Services = $s } } | ft -AutoSize
Access denied 
At line:1 char:1
+ Get-WmiObject Win32_Process | % { $s = (Get-CimInstance Win32_Service ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Get-WmiObject], ManagementException
    + FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
    + CategoryInfo          : NotSpecified: (ERROR: Access denied:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
 
Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
     81       5      852        248               300   0 CompatTelRunner
     84       5      860       3784              2344   0 CompatTelRunner
    155       9     6608       2300              2904   0 conhost
    159      10     6644      12724              3832   0 conhost
    150       9     6624      13024       0.02   3932   0 conhost
    412      15     2212       5300               376   0 csrss
    166       9     1704       4880               476   1 csrss
    395      32    15776      22268              2140   0 dfsrs
    147       8     1976       6060              2308   0 dfssvc
    275      14     4144      13716              2944   0 dllhost
   5346    4790    68220      68664              2132   0 dns
    542      22    22492      47848               900   1 dwm
     48       6     1644       4804              1028   1 fontdrvhost
     48       6     1516       4608              2072   0 fontdrvhost
    245       9     2856       9320              2572   0 GenValObj
      0       0       56          8                 0   0 Idle
    141      12     2104       5892              2124   0 ismserv
    475      27    12816      49264              4032   1 LogonUI
   1560     105    48544      54772               604   0 lsass
    441      28    34880      44296              2116   0 Microsoft.ActiveDirectory.WebServices
    237      14     3236      10672              3508   0 msdtc
    660      78   182520     176468              2188   0 MsMpEng
      0      26     1808      30204                68   0 Registry
    460      20    10656      13188               596   0 services
     53       3      504       1160               264   0 smss
    205      14     4104      12316              3120   0 SppExtComObj
    251      12     7484      17696              2384   0 sppsvc
    206      12     1676       7228               240   0 svchost
    457      29    10448      19532               312   0 svchost
    583      18    16028      22752               372   0 svchost
    840      47     9936      25900               660   0 svchost
    677      18     4656      14668               784   0 svchost
    681      21     3740      10460               820   0 svchost
    511      19     4148      13064               952   0 svchost
    215      12     3636      12084               980   0 svchost
   1914      70    34984      70248               996   0 svchost
    860      30     8396      24880              1016   0 svchost
    153       9     1700       7116              1036   0 svchost
    423      34     8900      17740              1172   0 svchost
    312      12     1988       8996              1228   0 svchost
    209      11     2288       8536              1252   0 svchost
    436      25     3560      13028              1556   0 svchost
    169      13     1948       7800              1568   0 svchost
    195      12     4820      14340              2044   0 svchost
    163       9     2116       7384              2080   0 svchost
    524      21    14668      28180              2108   0 svchost
   1512       0      192        136                 4   0 System
    175      50    21668      26604              1128   0 TiWorker
    149       9     1980       7800              1812   0 TrustedInstaller
    224      16     2472      10716              2952   0 vds
    171      12     3104      10676              2216   0 VGAuthService
    144       8     1708       7128              2148   0 vm3dservice
    138      10     1816       7600              2372   1 vm3dservice
    396      22    10532      22176              2164   0 vmtoolsd
    173      11     1456       6996               492   0 wininit
    243      12     2612      18264               528   1 winlogon
     55       4      716       3272              2156   0 wlms
    341      16     7396      17092              2772   0 WmiPrvSE
    317      15    27812      37328              3344   0 WmiPrvSE
   2001      36    97872     125712       0.66   3960   0 wsmprovhost

Tasks


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied 
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft  ...
+ ~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
    + FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> cmd /c schtasks /QUERY /FO TABLE
cmd.exe : Access is denied.
    + CategoryInfo          : NotSpecified: (Access is denied.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

Services


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> wmic service where "State='Running'" get Name,PathName,StartName | Out-String -Stream | Where-Object { $_ -match 'S' -and $_ -notmatch 'C:\Windows\System32' } | Select-Object -First 100
WMIC.exe : ERROR:
    + CategoryInfo          : NotSpecified: (ERROR::String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> net start
net.exe : System error 5 has occurred.
    + CategoryInfo          : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-Service
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ Get-Service
+ ~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand

Installed Programs


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue | Where-Object { $_ } | Sort-Object -Unique
Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.24.28127
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.24.28127
Microsoft Visual C++ 2019 X64 Additional Runtime - 14.24.28127
Microsoft Visual C++ 2019 X64 Minimum Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.24.28127
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.24.28127
VMware Tools
Windows 10 Update Assistant

Firewall & AV


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> netsh firewall show config
 
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode                  = Enable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Domain profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   No          Remote Desktop
 
Allowed programs configuration for Domain profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Domain profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Standard profile configuration:
-------------------------------------------------------------------
Operational mode                  = Disable
Exception mode                    = Enable
Multicast/broadcast response mode = Enable
Notification mode                 = Disable
 
Service configuration for Standard profile:
Mode     Customized  Name
-------------------------------------------------------------------
Enable   No          File and Printer Sharing
Enable   Yes         Network Discovery
Enable   No          Remote Desktop
 
Allowed programs configuration for Standard profile:
Mode     Traffic direction    Name / Program
-------------------------------------------------------------------
 
Port configuration for Standard profile:
Port   Protocol  Mode    Traffic direction     Name
-------------------------------------------------------------------
 
Log configuration:
-------------------------------------------------------------------
File location   = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size   = 4096 KB
Dropped packets = Disable
Connections     = Disable
 
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
N/A

Session Architecture


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> [Environment]::Is64BitProcess
True

Installed .NET Frameworks


*Evil-WinRM* PS C:\Users\L.Livingstone\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
 Volume in drive C has no label.
 Volume Serial Number is 5C30-DCD7
 
 Directory of C:\Windows\Microsoft.NET\Framework
 
09/15/2018  12:19 AM    <DIR>          .
09/15/2018  12:19 AM    <DIR>          ..
09/15/2018  12:19 AM    <DIR>          v1.0.3705
09/15/2018  12:19 AM    <DIR>          v1.1.4322
09/15/2018  12:19 AM    <DIR>          v2.0.50727
04/22/2025  01:45 PM    <DIR>          v4.0.30319
               0 File(s)              0 bytes
               6 Dir(s)  11,139,985,408 bytes free
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
    HttpNamespaceReservationInstalled    REG_DWORD    0x1
    NetTcpPortSharingInstalled    REG_DWORD    0x1
    NonHttpActivationInstalled    REG_DWORD    0x1
    SMSvcHostPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    WMIInstalled    REG_DWORD    0x1
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    InstallPath    REG_SZ    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
    CBS    REG_DWORD    0x1
    Install    REG_DWORD    0x1
    Release    REG_DWORD    0x70bf6
    Servicing    REG_DWORD    0x0
    TargetVersion    REG_SZ    4.0.0
    Version    REG_SZ    4.7.03190
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
    (Default)    REG_SZ    deprecated
 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
    Install    REG_DWORD    0x1
    Version    REG_SZ    4.0.0.0

.NET 4.7.03190