Windows
General
Check for additional drives
List installed programs
Check Linux subsystem
Search writeable directories
Search files by name
Search files by content
Search files by owner
Search files in meterpreter
Search for alternate data streams (ADS)
Check named pipes in PowerShell
Grep file contents in PowerShell
Enumerate SMB
Grant permissions with icacls
Search registry
Print wlan keys
PowerShell port scan
Get User SID
Deploy TightVNC
Grep Registry for Keywords:
Find Files by Date
Bypass Execution Policy (for domain users) by changing registry as local administrator
Useful Commands in Rpcclient
Dumping Processes
We can also use a short custom program to avoid using procdump.
If we dump lsass, this dump can be read using mimikatz:
Credentials
Check for stored credentials:
Company Files
This has led to success on numerous occasions. While not technical, make sure you look at the files that are on the system. This includes configuration backups, documents, notes, technical documentation and more.
Invoke-PrivescCheck
Great script to collect information about the host and possible EoP paths.
Seatbelt
Good Host Enumeration Tool: https://github.com/GhostPack/Seatbelt.
SharpDPAPI
Get Passwords from Chrome & Windows via https://github.com/GhostPack/SharpDPAPI.
Check for running services
SMBClient
List Shares
Connect to Share
Without credentials:
With credentials:
Other
Usually you want to run the scripts/tools from the Privilege Escalation Section. Other than that these are interesting as well:
Screenshot
Keylogger