| Category | Tools / Commands |
| ------------------------------------------ | -------------------------------------------------------------------------------------------------- |
| **Manual** | |
| | `systeminfo` |
| Host info | `hostname` |
| | `winver` |
| | `Get-MpPreference` |
| User info | `whoami`<br>`whoami /priv`<br>`whoami /groups` |
| Users/Groups info | [[net]] - Users and Groups |
| Logged-on Users and Sessions | `query user` or `quser` |
| | `tasklist /v` |
| Environment and Registry | [[reg]] |
| Network info | `arp -A` |
| | `ipconfig /all` |
| | `route PRINT` |
| | `netstat -ano` |
| Process info | `ps` |
| Service info | [[wmic]] - CMD, PS |
| | [[Get-Service]] - PS |
| | `sc` |
| | `icacls` |
| | `net localgroup administrators <username> /add` |
| | [[RunasCs.exe]] |
| Kernel Exploits | |
| - [[Kernel Exploits]] | wes.py |
| [[Admin to System]] | PsExec64.exe |
| [[AlwaysInstallElevated]] | msiexec |
| Service Exploits | |
| - [[Insecure Service Permissions]] | [[sc]]<br>[[accesschk.exe]] |
| - [[Insecure Service Permissions 2]] | |
| - [[Unquoted Service Paths]] | [[icacls]] |
| - [[Unquoted Service Paths 2]] | |
| - [[Weak Registry Permissions]] | |
| - [[Insecure Service Executables]] | |
| - [[DLL Hijacking]] | |
| Passwords | |
| - [[Searching the Registry for Passwds]] | |
| - [[Hardcoded Sensitive Information]] | |
| - [[Credential Manager]] | |
| - [[Attacking Windows Credential Manager]] | [[Mimikatz]] |
| - [[Attacking SAM, SYSTEM, and SECURITY]] | |
| - [[Unattended Files]] | |
| [[Scheduled Tasks]] | [[schtasks]] |
| [[Insecure GUI Apps]] | |
| [[SeBackup & SeRestore]] | |
| [[SeTakeOwnership]] | |
| [[SeImpersonate & SeAssignPrimaryToken]] | [[JuicyPotato]]<br>[[GodPotato]]<br>[[SweetPotato]]<br>[[incognito.exe]]<br>[[PrintSpoofer64.exe]] |
| [[SeManageVolumePrivilege]] | SeManageVolumeExploit.exe |
| **Automated** | [[winPEAS]] |
| | [[PowerUp.ps1]] |