System/Kernel
*Evil-WinRM* PS C:\Users\tracy.white\Documents> cmd /c ver
Microsoft Windows [Version 10.0.20348.1850]
*Evil-WinRM* PS C:\Users\tracy.white\Documents> systeminfo ; Get-ComputerInfo
Program 'systeminfo.exe' failed to run: Access is deniedAt line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~.
At line:1 char:1
+ systeminfo ; Get-ComputerInfo
+ ~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
WindowsBuildLabEx : 20348.1.amd64fre.fe_release.210507-1500
WindowsCurrentVersion : 6.3
WindowsEditionId : ServerStandard
WindowsInstallationType : Server
WindowsInstallDateFromRegistry : 7/30/2023 10:23:49 AM
WindowsProductId : 00454-10000-00001-AA355
WindowsProductName : Windows Server 2022 Standard
WindowsRegisteredOrganization :
WindowsRegisteredOwner : Windows User
WindowsSystemRoot : C:\Windows
WindowsVersion : 2009
OSDisplayVersion : 21H2
OsServerLevel : FullServer
TimeZone : (UTC) Coordinated Universal Time
LogonServer : \\NARA
PowerPlatformRole : Desktop
DeviceGuardSmartStatus : Off
Microsoft Windows [Version 10.0.20348.1850]
WindowsProductName : Windows Server 2022 Standard
Networks
*Evil-WinRM* PS C:\Users\tracy.white\Documents> ipconfig /all ; arp -a ; print route
Windows IP Configuration
Host Name . . . . . . . . . . . . : Nara
Primary Dns Suffix . . . . . . . : nara-security.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : nara-security.com
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : vmxnet3 Ethernet Adapter
Physical Address. . . . . . . . . : 00-50-56-9E-79-D5
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::b8e3:2bdc:774b:c6cd%4(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.209.30(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.209.254
DHCPv6 IAID . . . . . . . . . . . : 369119318
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2D-CB-DA-D9-00-50-56-95-F2-73
DNS Servers . . . . . . . . . . . : 192.168.209.254
NetBIOS over Tcpip. . . . . . . . : Enabled
Interface: 192.168.209.30 --- 0x4
Internet Address Physical Address Type
192.168.209.254 00-50-56-9e-8d-f2 dynamic
192.168.209.255 ff-ff-ff-ff-ff-ff static
224.0.0.22 01-00-5e-00-00-16 static
224.0.0.251 01-00-5e-00-00-fb static
224.0.0.252 01-00-5e-00-00-fc static
255.255.255.255 ff-ff-ff-ff-ff-ff static
Unable to initialize device PRN
*Evil-WinRM* PS C:\Users\tracy.white\Documents> netstat -ano | Select-String LIST
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 936
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING 372
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2380
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 536
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 824
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 1316
TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:49684 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:49686 0.0.0.0:0 LISTENING 2276
TCP 0.0.0.0:49689 0.0.0.0:0 LISTENING 672
TCP 0.0.0.0:49693 0.0.0.0:0 LISTENING 684
TCP 0.0.0.0:49704 0.0.0.0:0 LISTENING 2304
TCP 0.0.0.0:49707 0.0.0.0:0 LISTENING 2348
TCP 0.0.0.0:49738 0.0.0.0:0 LISTENING 2392
TCP 127.0.0.1:53 0.0.0.0:0 LISTENING 2348
TCP 192.168.209.30:53 0.0.0.0:0 LISTENING 2348
TCP 192.168.209.30:139 0.0.0.0:0 LISTENING 4
TCP [::]:88 [::]:0 LISTENING 684
TCP [::]:135 [::]:0 LISTENING 936
TCP [::]:389 [::]:0 LISTENING 684
TCP [::]:445 [::]:0 LISTENING 4
TCP [::]:464 [::]:0 LISTENING 684
TCP [::]:593 [::]:0 LISTENING 936
TCP [::]:636 [::]:0 LISTENING 684
TCP [::]:3268 [::]:0 LISTENING 684
TCP [::]:3269 [::]:0 LISTENING 684
TCP [::]:3389 [::]:0 LISTENING 372
TCP [::]:5985 [::]:0 LISTENING 4
TCP [::]:9389 [::]:0 LISTENING 2380
TCP [::]:47001 [::]:0 LISTENING 4
TCP [::]:49664 [::]:0 LISTENING 684
TCP [::]:49665 [::]:0 LISTENING 536
TCP [::]:49666 [::]:0 LISTENING 824
TCP [::]:49667 [::]:0 LISTENING 1316
TCP [::]:49668 [::]:0 LISTENING 684
TCP [::]:49684 [::]:0 LISTENING 684
TCP [::]:49686 [::]:0 LISTENING 2276
TCP [::]:49689 [::]:0 LISTENING 672
TCP [::]:49693 [::]:0 LISTENING 684
TCP [::]:49704 [::]:0 LISTENING 2304
TCP [::]:49707 [::]:0 LISTENING 2348
TCP [::]:49738 [::]:0 LISTENING 2392
TCP [::1]:53 [::]:0 LISTENING 2348
TCP [fe80::b8e3:2bdc:774b:c6cd%4]:53 [::]:0 LISTENING 2348
Users & Groups
*Evil-WinRM* PS C:\Users\tracy.white\Documents> net users ; net user /DOMAIN ; ls C:\Users
User accounts for \\
-------------------------------------------------------------------------------
Administrator Amelia.O'Brien Carolyn.Hill
Damian.Johnson Declan.Reynolds Guest
Helen.Robinson Jasmine.Roberts Jemma.Humphries
Jodie.Summers krbtgt Sara.O'Sullivan
Tracy.White
The command completed with one or more errors.
User accounts for \\
-------------------------------------------------------------------------------
Administrator Amelia.O'Brien Carolyn.Hill
Damian.Johnson Declan.Reynolds Guest
Helen.Robinson Jasmine.Roberts Jemma.Humphries
Jodie.Summers krbtgt Sara.O'Sullivan
Tracy.White
The command completed with one or more errors.
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/19/2024 8:49 PM Administrator
d-r--- 7/30/2023 10:24 AM Public
d----- 8/19/2024 8:45 PM tracy.white
*Evil-WinRM* PS C:\Users\tracy.white\Documents> net localgroup ; net group /DOMAIN
Aliases for \\NARA
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enrollment
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Remote Access
*Schema Admins
*staff
The command completed with one or more errors.
Processes
*Evil-WinRM* PS C:\Users\tracy.white\Documents> Get-WmiObject Win32_Process | % { $p = $_; $s = (Get-CimInstance Win32_Service | ? { $_.ProcessId -eq $p.ProcessId }).Name -join ", "; $u = $p.GetOwner(); [PSCustomObject]@{ Name = $p.Name; PID = $p.ProcessId; User = "$($u.Domain)\$($u.User)"; Services = $s } } | ft -AutoSize
Access denied
At line:1 char:1
+ Get-WmiObject Win32_Process | % { $p = $_; $s = (Get-CimInstance Win32_Service ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Get-WmiObject], ManagementException
+ FullyQualifiedErrorId : GetWMIManagementException,Microsoft.PowerShell.Commands.GetWmiObjectCommand
*Evil-WinRM* PS C:\Users\tracy.white\Documents> cmd /c tasklist /svc ; ps
cmd.exe : ERROR: Access denied
+ CategoryInfo : NotSpecified: (ERROR: Access denied:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Handles NPM(K) PM(K) WS(K) CPU(s) Id SI ProcessName
------- ------ ----- ----- ------ -- -- -----------
92 6 912 56 1868 0 AggregatorHost
388 35 12844 592 2304 0 certsrv
136 10 6504 12464 0.02 9284 0 conhost
426 16 1944 1440 436 0 csrss
1154 59 2860 612 544 1 csrss
543 15 3280 244 0.09 564 1 ctfmon
414 34 16832 3628 2392 0 dfsrs
198 13 2404 1408 2480 0 dfssvc
303 15 3852 208 3196 0 dllhost
10379 9675 129728 3496 2348 0 dns
2119 62 70876 88116 360 1 dwm
558 36 11712 13912 0.42 172 1 explorer
1740 59 25860 32532 6.75 428 1 explorer
559 36 11976 13684 0.45 448 1 explorer
558 36 11768 13660 0.55 716 1 explorer
557 36 12060 13720 0.59 760 1 explorer
558 36 11624 13832 0.45 976 1 explorer
559 36 11548 13632 0.67 1016 1 explorer
555 36 11848 13628 0.48 1020 1 explorer
556 36 11828 13976 0.53 1032 1 explorer
559 36 11612 5552 0.58 1072 1 explorer
555 36 11724 8260 0.66 1196 1 explorer
561 36 11640 13652 0.58 1208 1 explorer
561 36 11924 5492 0.64 1228 1 explorer
558 36 11704 13676 0.52 1252 1 explorer
552 36 11804 14464 0.44 1264 1 explorer
557 36 11832 14516 0.55 1292 1 explorer
556 36 11636 13804 0.48 1344 1 explorer
562 36 12064 13616 0.58 1412 1 explorer
561 36 11732 13864 0.44 1428 1 explorer
554 36 11680 13804 0.41 1448 1 explorer
562 36 12092 8784 0.56 1456 1 explorer
559 36 12028 13664 0.59 1508 1 explorer
557 36 11940 5800 0.45 1632 1 explorer
556 36 11660 13740 0.42 1712 1 explorer
556 36 11648 13908 0.45 1820 1 explorer
564 37 11912 13748 0.67 2060 1 explorer
558 36 12060 13788 0.61 2180 1 explorer
561 36 11868 13720 0.38 2260 1 explorer
555 36 11624 5324 0.55 2356 1 explorer
562 36 11936 11128 0.59 2388 1 explorer
558 36 11732 13700 0.58 2476 1 explorer
560 36 11588 13704 0.64 2524 1 explorer
566 36 11868 13820 0.58 2544 1 explorer
554 36 11608 13848 0.50 2552 1 explorer
589 36 11856 51664 0.52 2580 1 explorer
560 36 11604 8284 0.44 2596 1 explorer
556 36 12000 14092 0.70 2648 1 explorer
564 36 12180 5480 0.55 2756 1 explorer
558 36 11776 13812 0.42 2988 1 explorer
556 36 11640 15160 0.50 3096 1 explorer
558 36 11588 13780 0.41 3148 1 explorer
558 36 11740 13724 0.56 3164 1 explorer
554 36 11540 13612 0.34 3172 1 explorer
559 36 12076 5496 0.55 3228 1 explorer
555 36 12044 14348 0.48 3284 1 explorer
562 36 11732 13732 0.38 3292 1 explorer
560 36 11812 13732 0.50 3336 1 explorer
558 36 11948 13612 0.44 3440 1 explorer
556 36 11696 5268 0.58 3456 1 explorer
560 36 12048 13792 0.61 3488 1 explorer
558 36 11616 13736 0.59 3512 1 explorer
557 36 12008 13612 0.69 3516 1 explorer
562 36 11644 13620 0.41 3636 1 explorer
560 36 11916 13672 0.50 3696 1 explorer
558 36 11824 13500 0.52 3700 1 explorer
558 36 11632 13716 0.56 3716 1 explorer
557 36 11536 13908 0.45 3752 1 explorer
560 36 11604 13848 0.45 3784 1 explorer
558 36 11828 13668 0.55 3876 1 explorer
556 36 12076 13880 0.55 4116 1 explorer
557 36 11612 14356 0.44 4136 1 explorer
556 36 11876 15020 0.47 4152 1 explorer
557 36 11884 13692 0.61 4168 1 explorer
555 36 11632 14164 0.47 4200 1 explorer
559 36 11964 13604 0.52 4264 1 explorer
556 36 11820 13640 0.50 4312 1 explorer
558 36 11700 13552 0.45 4316 1 explorer
563 36 11744 8880 0.47 4616 1 explorer
558 36 11872 13588 0.59 4620 1 explorer
557 36 11648 13724 0.53 4628 1 explorer
559 36 11564 13104 0.44 4632 1 explorer
560 36 11644 13808 0.42 4812 1 explorer
560 37 11900 13880 0.38 4836 1 explorer
557 36 11704 13788 0.47 4860 1 explorer
558 36 11548 14772 0.53 4872 1 explorer
557 36 11952 13612 0.67 4900 1 explorer
556 36 11756 15256 0.44 5024 1 explorer
558 36 12052 13932 0.64 5040 1 explorer
556 36 11608 13764 0.41 5168 1 explorer
572 36 11936 14568 0.45 5240 1 explorer
558 36 11852 13868 0.42 5276 1 explorer
554 36 11560 13704 0.48 5288 1 explorer
556 36 12092 14984 0.70 5332 1 explorer
558 36 11948 14452 0.58 5388 1 explorer
556 36 11728 13648 0.63 5512 1 explorer
558 36 11708 14904 0.44 5568 1 explorer
558 36 11728 5868 0.56 5692 1 explorer
561 36 12068 5212 0.53 5696 1 explorer
557 36 11876 13900 0.42 5704 1 explorer
557 36 11992 13708 0.61 5764 1 explorer
558 36 12092 13728 0.59 5796 1 explorer
560 36 11856 13684 0.50 5820 1 explorer
557 36 11956 5956 0.52 5844 1 explorer
557 36 11484 13764 0.52 5848 1 explorer
556 37 11716 13988 0.47 5864 1 explorer
560 36 11568 13740 0.39 5928 1 explorer
559 36 11684 5360 0.53 5936 1 explorer
562 36 11896 7020 0.50 5964 1 explorer
558 36 11732 16128 0.48 6004 1 explorer
554 36 11800 13628 0.64 6040 1 explorer
558 36 11744 13664 0.70 6052 1 explorer
561 37 12376 6628 0.64 6056 1 explorer
559 36 11804 14304 0.56 6076 1 explorer
556 36 11720 5772 0.50 6096 1 explorer
564 36 11956 13756 0.61 6132 1 explorer
558 36 11852 14400 0.44 6168 1 explorer
558 36 11692 13856 0.45 6292 1 explorer
559 36 11896 13972 0.44 6360 1 explorer
556 36 11896 13904 0.41 6388 1 explorer
557 36 11724 13860 0.44 6408 1 explorer
558 36 12108 16696 0.52 6428 1 explorer
556 36 11716 14468 0.45 6512 1 explorer
560 36 11984 13744 0.55 6532 1 explorer
554 36 11748 13940 0.45 6544 1 explorer
558 36 12004 13988 0.42 6576 1 explorer
559 36 11712 13752 0.42 6596 1 explorer
561 36 11576 24104 0.38 6616 1 explorer
556 36 11772 13860 0.53 6632 1 explorer
558 36 11572 14792 0.45 6636 1 explorer
558 36 11420 13844 0.50 6652 1 explorer
560 36 11968 13768 0.39 6660 1 explorer
554 37 11520 15028 0.42 6668 1 explorer
556 36 11900 13780 0.55 6676 1 explorer
556 36 12072 14512 0.47 6684 1 explorer
557 36 11604 13804 0.39 6688 1 explorer
557 36 12048 13932 0.45 6704 1 explorer
562 36 11792 15256 0.41 6732 1 explorer
556 36 11468 13816 0.45 6788 1 explorer
556 36 11480 13724 0.36 6872 1 explorer
559 36 11688 13168 0.50 6948 1 explorer
556 36 11880 14032 0.50 6952 1 explorer
563 36 12156 5836 0.59 6968 1 explorer
557 36 11580 13860 0.42 6972 1 explorer
558 36 11640 13968 0.48 7008 1 explorer
557 36 11472 13648 0.44 7028 1 explorer
557 36 11656 13808 0.41 7052 1 explorer
558 36 11528 14268 0.42 7080 1 explorer
559 36 11544 13904 0.44 7176 1 explorer
559 36 11684 13940 0.48 7212 1 explorer
557 36 11792 16304 0.44 7288 1 explorer
559 37 11868 13856 0.63 7316 1 explorer
558 36 11712 14872 0.47 7340 1 explorer
556 36 11972 13656 0.47 7352 1 explorer
562 36 11796 15504 0.48 7368 1 explorer
561 37 11928 14004 0.53 7400 1 explorer
556 36 11504 9396 0.47 7440 1 explorer
557 36 12092 13860 0.53 7472 1 explorer
554 36 11956 15088 0.38 7604 1 explorer
554 36 11564 14116 0.38 7608 1 explorer
556 36 11572 13644 0.48 7660 1 explorer
554 36 11420 13732 0.44 7868 1 explorer
557 36 11528 13512 0.42 7908 1 explorer
557 36 11804 13896 0.36 7944 1 explorer
561 36 11712 13944 0.45 7964 1 explorer
560 36 11852 13864 0.45 8028 1 explorer
556 36 11744 13860 0.48 8096 1 explorer
559 36 11484 13868 0.41 8104 1 explorer
558 36 11776 13856 0.42 8116 1 explorer
558 36 11648 13664 0.53 8136 1 explorer
560 36 11576 15068 0.53 8152 1 explorer
566 36 11692 13196 0.45 8200 1 explorer
556 36 11972 13412 0.47 8264 1 explorer
558 36 11536 13520 0.47 8360 1 explorer
560 37 11868 13968 0.44 8404 1 explorer
558 36 11552 14180 0.34 8524 1 explorer
558 36 11716 13772 0.42 8708 1 explorer
566 36 11732 12944 0.48 8736 1 explorer
560 36 11632 23744 0.45 8872 1 explorer
572 37 12044 51352 0.45 8956 1 explorer
561 36 11520 14416 0.53 8984 1 explorer
557 36 11872 13800 0.44 9100 1 explorer
555 36 11596 15952 0.39 10060 1 explorer
707 39 12144 52172 0.42 12028 1 explorer
40 6 1420 12 3812 0 fontdrvhost
40 6 1636 416 3820 1 fontdrvhost
0 0 60 8 0 0 Idle
143 13 1792 484 2360 0 ismserv
3235 249 70840 22668 684 0 lsass
400 32 37008 10828 2380 0 Microsoft.ActiveDirectory.WebServices
211 14 1936 460 3944 0 MicrosoftEdgeUpdate
259 14 2736 0 3368 0 msdtc
994 199 263184 71880 2600 0 MsMpEng
213 32 3536 2572 3156 0 NisSrv
0 12 2444 13436 100 0 Registry
164 10 2372 1044 0.02 620 1 RuntimeBroker
198 12 2656 11240 0.11 1768 1 RuntimeBroker
325 18 19292 14804 0.69 5216 1 RuntimeBroker
234 13 2388 3196 0.13 5444 1 RuntimeBroker
673 34 32148 1820 0.97 328 1 SearchApp
208 11 2216 10336 8660 0 SecurityHealthService
447 14 4524 4764 672 0 services
626 29 11552 904 0.30 4600 1 ShellExperienceHost
518 17 5100 14160 0.34 5088 1 sihost
57 4 1072 52 340 0 smss
453 23 5524 0 2276 0 spoolsv
575 28 13644 5488 0.36 4876 1 StartMenuExperienceHost
563 21 4780 3356 372 0 svchost
193 12 1552 492 392 0 svchost
996 66 9380 5436 812 0 svchost
655 21 18048 11216 824 0 svchost
908 24 6848 11376 892 0 svchost
710 38 13868 6884 912 0 svchost
1529 21 12172 14404 936 0 svchost
727 43 7820 10388 1052 0 svchost
415 32 11028 4024 1232 0 svchost
2157 66 30548 22432 1316 0 svchost
159 10 1772 628 1392 0 svchost
284 13 1988 1200 1396 0 svchost
457 25 3632 840 1620 0 svchost
205 11 2376 2932 2192 0 svchost
349 17 18652 7288 2332 0 svchost
539 24 16380 10596 2340 0 svchost
206 12 9340 7800 2432 0 svchost
282 35 3316 4812 2568 0 svchost
191 11 2492 1040 0.00 3732 1 svchost
216 15 3028 10280 4224 0 svchost
427 20 6972 15976 0.23 5096 1 svchost
7178 0 40 76 4 0 System
387 20 3956 3256 0.23 772 1 taskhostw
527 23 9832 4732 0.23 4820 1 TextInputHost
203 16 2404 48 2156 0 vds
175 11 2840 0 2496 0 VGAuthService
120 8 1420 0 2528 0 vm3dservice
120 9 1532 8 2760 1 vm3dservice
426 24 11040 9116 2516 0 vmtoolsd
257 18 5076 1812 0.11 5756 1 vmtoolsd
152 11 1336 0 536 0 wininit
266 12 2452 13232 604 1 winlogon
443 22 11088 9504 3464 0 WmiPrvSE
1158 34 64484 63924 1.33 9640 0 wsmprovhost
certsrv
spoolsv
Tasks
*Evil-WinRM* PS C:\Users\tracy.white\Documents> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft ...
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_ScheduledTask:String) [Get-ScheduledTask], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-ScheduledTask
*Evil-WinRM* PS C:\Users\tracy.white\Documents> cmd /c schtasks /QUERY /FO TABLE
cmd.exe : Access is denied.
+ CategoryInfo : NotSpecified: (Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Services
*Evil-WinRM* PS C:\Users\tracy.white\Documents> wmic service where "State='Running'" get Name,PathName,StartName | Out-String -Stream | Where-Object { $_.Trim() -and $_ -notmatch [regex]::Escape('C:\Windows\System32') }
WMIC.exe : ERROR:
+ CategoryInfo : NotSpecified: (ERROR::String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
*Evil-WinRM* PS C:\Users\tracy.white\Documents> Get-Service
Cannot open Service Control Manager on computer '.'. This operation might require other privileges.
At line:1 char:1
+ Get-Service
+ ~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Service], InvalidOperationException
+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.GetServiceCommand
*Evil-WinRM* PS C:\Users\tracy.white\Documents> Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
Access denied
At line:1 char:1
+ Get-CimInstance -ClassName win32_service | Select Name,State,PathName ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (root\cimv2:win32_service:String) [Get-CimInstance], CimException
+ FullyQualifiedErrorId : HRESULT 0x80041003,Microsoft.Management.Infrastructure.CimCmdlets.GetCimInstanceCommand
*Evil-WinRM* PS C:\Users\tracy.white\Documents> services
Path Privileges Service
---- ---------- -------
C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe False ADWS
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe False aspnet_state
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc False edgeupdate
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc False edgeupdatem
C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe False FontCache3.0.0.0
"C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.105\elevation_service.exe" False MicrosoftEdgeElevationService
\??\C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{3AADB0A5-A109-4E08-AB0B-E9745DF85F52}\MpKslDrv.sys False MpKsl103239e6
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe True NetTcpPortSharing
C:\Windows\SysWow64\perfhost.exe False PerfHost
"C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe" False Sense
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
"C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe" False VGAuthService
"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" False VMTools
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\NisSrv.exe" True WdNisSvc
"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23050.9-0\MsMpEng.exe" True WinDefend
"C:\Program Files\Windows Media Player\wmpnetwk.exe" False WMPNetworkSvc
C:\Windows\servicing\TrustedInstaller.exe False TrustedInstaller
Installed Programs
*Evil-WinRM* PS C:\Users\tracy.white\Documents> Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*", "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" -ErrorAction SilentlyContinue | Select-Object -ExpandProperty DisplayName -ErrorAction SilentlyContinue | Where-Object { $_ } | Sort-Object -Unique ; ls "C:\Program Files" ; ls "C:\Program Files (x86)"
Microsoft Edge
Microsoft Edge Update
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31326
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.32.31326
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.32.31326
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.32.31326
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.32.31326
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.32.31326
VMware Tools
Directory: C:\Program Files
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 7/30/2023 10:24 AM Common Files
d----- 7/30/2023 10:43 AM Internet Explorer
d----- 5/8/2021 8:20 AM ModifiableWindowsApps
d----- 7/30/2023 2:03 PM MSBuild
d----- 7/30/2023 2:03 PM Reference Assemblies
d----- 7/30/2023 10:24 AM VMware
d----- 7/30/2023 2:19 PM Windows Defender
d----- 7/30/2023 10:43 AM Windows Defender Advanced Threat Protection
d----- 7/30/2023 10:43 AM Windows Mail
d----- 7/30/2023 10:43 AM Windows Media Player
d----- 5/8/2021 9:35 AM Windows NT
d----- 3/3/2022 3:58 AM Windows Photo Viewer
d----- 7/30/2023 2:23 PM WindowsPowerShell
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 5/8/2021 8:34 AM Common Files
d----- 7/30/2023 10:43 AM Internet Explorer
d----- 7/30/2023 10:35 AM Microsoft
d----- 5/8/2021 8:34 AM Microsoft.NET
d----- 7/30/2023 2:03 PM MSBuild
d----- 7/30/2023 2:03 PM Reference Assemblies
d----- 5/8/2021 9:35 AM Windows Defender
d----- 7/30/2023 10:43 AM Windows Mail
d----- 7/30/2023 10:43 AM Windows Media Player
d----- 5/8/2021 9:35 AM Windows NT
d----- 3/3/2022 3:58 AM Windows Photo Viewer
d----- 5/8/2021 8:34 AM WindowsPowerShell
Firewall & AV
*Evil-WinRM* PS C:\Users\tracy.white\Documents> netsh firewall show config
Domain profile configuration (current):
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Domain profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable No Remote Desktop
Allowed programs configuration for Domain profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Domain profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Standard profile configuration:
-------------------------------------------------------------------
Operational mode = Enable
Exception mode = Enable
Multicast/broadcast response mode = Enable
Notification mode = Disable
Service configuration for Standard profile:
Mode Customized Name
-------------------------------------------------------------------
Enable No File and Printer Sharing
Enable Yes Network Discovery
Enable No Remote Desktop
Allowed programs configuration for Standard profile:
Mode Traffic direction Name / Program
-------------------------------------------------------------------
Port configuration for Standard profile:
Port Protocol Mode Traffic direction Name
-------------------------------------------------------------------
Log configuration:
-------------------------------------------------------------------
File location = C:\Windows\system32\LogFiles\Firewall\pfirewall.log
Max file size = 4096 KB
Dropped packets = Disable
Connections = Disable
IMPORTANT: Command executed successfully.
However, "netsh firewall" is deprecated;
use "netsh advfirewall firewall" instead.
For more information on using "netsh advfirewall firewall" commands
instead of "netsh firewall", see KB article 947709
at https://go.microsoft.com/fwlink/?linkid=121488 .
*Evil-WinRM* PS C:\Users\tracy.white\Documents> Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property ExclusionPath
Cannot connect to CIM server. Access denied
At line:1 char:1
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpComputerStatus:String) [Get-MpComputerStatus], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpComputerStatus
Cannot connect to CIM server. Access denied
At line:1 char:24
+ Get-MpComputerStatus ; Get-MpPreference | Select-Object -Property Exc ...
+ ~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (MSFT_MpPreference:String) [Get-MpPreference], CimJobException
+ FullyQualifiedErrorId : CimJob_BrokenCimSession,Get-MpPreference
Session Architecture
*Evil-WinRM* PS C:\Users\tracy.white\Documents> [Environment]::Is64BitProcess
True
Installed .NET Frameworks
*Evil-WinRM* PS C:\Users\tracy.white\Documents> cmd /c dir /A:D C:\Windows\Microsoft.NET\Framework ; cmd /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP" ; cmd /c reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP" /s
Volume in drive C has no label.
Volume Serial Number is 2465-43A2
Directory of C:\Windows\Microsoft.NET\Framework
07/30/2023 02:03 PM <DIR> .
07/01/2025 12:06 PM <DIR> ..
05/08/2021 08:34 AM <DIR> v1.0.3705
05/08/2021 08:34 AM <DIR> v1.1.4322
07/30/2023 02:03 PM <DIR> v2.0.50727
07/30/2023 02:03 PM <DIR> v3.0
07/30/2023 02:03 PM <DIR> v3.5
07/01/2025 12:06 PM <DIR> v4.0.30319
0 File(s) 0 bytes
8 Dir(s) 14,374,023,168 bytes free
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v2.0.50727
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\CDF\v4.0
HttpNamespaceReservationInstalled REG_DWORD 0x1
NetTcpPortSharingInstalled REG_DWORD 0x1
NonHttpActivationInstalled REG_DWORD 0x1
SMSvcHostPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
WMIInstalled REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727
CBS REG_DWORD 0x1
Increment REG_SZ 4927
Install REG_DWORD 0x1
OCM REG_DWORD 0x1
SP REG_DWORD 0x2
Version REG_SZ 2.0.50727.4927
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1028
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1029
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1030
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1031
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1032
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1033
CBS REG_DWORD 0x1
Increment REG_SZ 4927
SP REG_DWORD 0x2
Version REG_SZ 2.0.50727.4927
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1035
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1036
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1038
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1040
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1041
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1042
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1043
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1044
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1045
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1046
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1049
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1053
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\1055
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\2052
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\2070
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\3076
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v2.0.50727\3082
Install REG_DWORD 0x1
MSI REG_DWORD 0x1
OCM REG_DWORD 0x1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0
CBS REG_DWORD 0x1
Increment REG_SZ 4926
Install REG_DWORD 0x1
SP REG_DWORD 0x2
Version REG_SZ 3.0.30729.4926
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Servicing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Servicing\Windows Workflow Foundation
CBS REG_DWORD 0x1
Hotfix REG_SZ
Install REG_DWORD 0x1
SP REG_DWORD 0x2
SPIndex REG_DWORD 0x0
SPName REG_SZ SP2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup
InstallSuccess REG_DWORD 0x1
Version REG_SZ 3.0.30729.4926
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\1033
CBS REG_DWORD 0x1
Increment REG_SZ 4926
Install REG_DWORD 0x1
InstallSuccess REG_DWORD 0x1
SP REG_DWORD 0x2
Version REG_SZ 3.0.30729.4926
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Communication Foundation
InstallSuccess REG_DWORD 0x1
ReferenceInstallPath REG_SZ C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
RuntimeInstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\
Version REG_SZ 3.0.4506.4926
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Presentation Foundation
(Default) REG_SZ WPF v3.0.6920.4902
InstallRoot REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\
InstallSuccess REG_DWORD 0x1
ProductVersion REG_SZ 3.0.6920.4902
Version REG_SZ 3.0.6920.4902
WPFCommonAssembliesPathx64 REG_SZ C:\Windows\System32\
WPFNonReferenceAssembliesPathx64 REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\
WPFReferenceAssembliesPathx64 REG_SZ C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.0\Setup\Windows Workflow Foundation
(Default) REG_SZ Windows Workflow Foundation
FileVersion REG_SZ 3.0.4203.4926
InstallDir REG_SZ C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\
InstallSuccess REG_DWORD 0x1
MajorBuildNum REG_SZ 4203
ProductVersion REG_SZ 3.0.0.0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v3.5\
SP REG_DWORD 0x1
Version REG_SZ 3.5.30729.4926
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v3.5\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
SP REG_DWORD 0x1
Version REG_SZ 3.5.30729.4926
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x81041
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.04161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Client\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x81041
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.04161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
InstallPath REG_SZ C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
Release REG_DWORD 0x81041
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.04161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4\Full\1033
CBS REG_DWORD 0x1
Install REG_DWORD 0x1
Release REG_DWORD 0x81041
Servicing REG_DWORD 0x0
TargetVersion REG_SZ 4.0.0
Version REG_SZ 4.8.04161
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0
(Default) REG_SZ deprecated
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Net Framework Setup\NDP\v4.0\Client
Install REG_DWORD 0x1
Version REG_SZ 4.0.0.0
.NET 4.8.04161