Windows Enumeration

Overview

Windows post-exploitation enumeration determines system configuration, user context, network position, installed defenses, and privilege escalation paths. Windows provides extensive built-in commands (whoami, systeminfo, net, wmic, PowerShell) that require no tool transfers. Enumeration on Windows is divided into local system checks (this file) and Active Directory enumeration (separate file).

ATT&CK Mapping

  • Tactic: TA0007 - Discovery
  • Technique: T1082 - System Information Discovery
  • Technique: T1033 - System Owner/User Discovery
  • Technique: T1016 - System Network Configuration Discovery
  • Technique: T1049 - System Network Connections Discovery
  • Technique: T1057 - Process Discovery
  • Technique: T1083 - File and Directory Discovery
  • Technique: T1087.001 - Account Discovery: Local Account
  • Technique: T1518 - Software Discovery
  • Technique: T1007 - System Service Discovery

Prerequisites

  • Shell access on target Windows system (reverse shell, RDP, WinRM, web shell)
  • For automated enumeration: ability to transfer winPEAS or run PowerShell scripts

Techniques

Situational Awareness

# Current user and full privilege listing
whoami
whoami /all
whoami /priv
whoami /groups

# Hostname and system info
hostname
systeminfo

# OS version (quick)
ver
[environment]::OSVersion

# Architecture
echo %PROCESSOR_ARCHITECTURE%
[Environment]::Is64BitOperatingSystem

# Check if PowerShell is available and version
powershell -Command "$PSVersionTable"

Key whoami /priv privileges to look for:

  Privilege                        Escalation Path
  SeImpersonatePrivilege           Potato attacks (JuicyPotato, PrintSpoofer, GodPotato)
  SeAssignPrimaryTokenPrivilege    Token impersonation
  SeBackupPrivilege                Read any file (SAM, NTDS.dit)
  SeRestorePrivilege               Write any file (DLL hijacking)
  SeDebugPrivilege                 Process injection, LSASS dump
  SeTakeOwnershipPrivilege         Take ownership of any object
  SeLoadDriverPrivilege            Load vulnerable kernel drivers

User and Group Enumeration

:: Local users
net user

:: Detailed user info
net user <username>

:: Local administrators
net localgroup administrators

:: All local groups
net localgroup

:: Members of a specific group
net localgroup "Remote Desktop Users"
net localgroup "Remote Management Users"

# PowerShell equivalents
Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember -Group "Administrators"

Network Configuration

:: Network interfaces
ipconfig /all

:: Routing table
route print

:: DNS cache (reveals recently accessed hosts)
ipconfig /displaydns

:: ARP cache
arp -a

:: Listening and established connections
netstat -ano

:: Find process for a specific port
netstat -ano | findstr :<port>

:: Firewall status
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all

:: Shares
net share

# PowerShell network enumeration
Get-NetIPAddress
Get-NetRoute
Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen'}
Get-NetFirewallRule | Where-Object {$_.Enabled -eq 'True'} | Select-Object DisplayName, Direction, Action

Process and Service Enumeration

:: Running processes
tasklist /v
tasklist /svc

:: Services
sc query state= all
wmic service list brief

:: Services running as SYSTEM or specific user
wmic service get name,startname | findstr /i "system"

# PowerShell process/service enumeration
Get-Process | Select-Object ProcessName, Id, Path
Get-Service | Where-Object {$_.Status -eq 'Running'}
Get-WmiObject Win32_Service | Select-Object Name, StartName, PathName, State

Installed Software

:: Installed programs (slow: wmic product makes Windows Installer re-verify every package, which is logged as MsiInstaller events in the Application log)
wmic product get name,version,vendor

:: 32-bit and 64-bit programs via registry
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr "DisplayName DisplayVersion"
reg query "HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall" /s | findstr "DisplayName DisplayVersion"

:: Check PATH
echo %PATH%

:: Installed hotfixes/patches
wmic qfe list
systeminfo | findstr /i "kb"

# PowerShell
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion
Get-HotFix | Sort-Object InstalledOn -Descending

Scheduled Tasks

:: List all scheduled tasks
schtasks /query /fo LIST /v

:: Cut the verbose output down to the TaskName, Author and Task To Run lines (also matches other lines containing "Run"); authors other than Microsoft are the ones to inspect
schtasks /query /fo LIST /v | findstr /i "TaskName Author Run"

# PowerShell
Get-ScheduledTask | Where-Object {$_.State -eq 'Ready'} | Select-Object TaskName, TaskPath
Get-ScheduledTask | Get-ScheduledTaskInfo
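
As an added defender's example (not part of the original page), the Python below parses the LIST output of schtasks /query /fo LIST /v and flags enabled tasks whose author is not Microsoft and which run as SYSTEM or launch a binary from a user-writable path, the combination to triage first when hunting for persistence. The sample output, host name WS01, user bob and task names are constructed.

```python
# Constructed sample of `schtasks /query /fo LIST /v` output, trimmed to the fields used here.
SAMPLE = """Folder: \\
HostName:                             WS01
TaskName:                             \\Microsoft\\Windows\\Defrag\\ScheduledDefrag
Author:                               Microsoft Corporation
Task To Run:                          %windir%\\system32\\defrag.exe -c -h -k -g -$
Run As User:                          SYSTEM
Scheduled Task State:                 Enabled

HostName:                             WS01
TaskName:                             \\OneDriveSync
Author:                               WS01\\bob
Task To Run:                          C:\\Users\\bob\\AppData\\Roaming\\sync.exe
Run As User:                          SYSTEM
Scheduled Task State:                 Enabled
"""
# Directories an unprivileged user can normally write to; a SYSTEM task launching from one is a classic persistence sign.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

def parse_tasks(text):
    """Split LIST output into one dict per task; each record starts at its HostName: line."""
    tasks, cur = [], {}
    for line in text.splitlines():
        if line.startswith("HostName:"):
            if "TaskName" in cur:
                tasks.append(cur)
            cur = {}
        if ":" not in line or line.startswith("Folder:"):
            continue
        key, value = line.split(":", 1)          # split on the first colon only (paths contain ':')
        cur[key.strip()] = value.strip()
    if "TaskName" in cur:
        tasks.append(cur)
    return tasks

def triage(tasks):
    """Return (TaskName, reasons) for enabled non-Microsoft tasks worth a closer look."""
    findings = []
    for t in tasks:
        if t.get("Author", "").lower().startswith("microsoft") or t.get("Scheduled Task State") != "Enabled":
            continue
        reasons = []
        if any(p in t.get("Task To Run", "").lower() for p in USER_WRITABLE):
            reasons.append("binary in user-writable location")
        if t.get("Run As User", "").upper().endswith("SYSTEM"):   # matches SYSTEM and NT AUTHORITY\SYSTEM
            reasons.append("runs as SYSTEM")
        if reasons:
            findings.append((t["TaskName"], "; ".join(reasons)))
    return findings
```

Feed it the saved output of the schtasks command above; on a real host, compare each flagged task's binary hash and author against change records before treating it as persistence.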

File System Enumeration

:: Search for sensitive files
dir /s /b C:\*.txt C:\*.ini C:\*.cfg C:\*.config C:\*.xml 2>nul | findstr /i "pass cred config"

:: Search for files containing passwords
findstr /si "password" C:\*.txt C:\*.ini C:\*.cfg C:\*.config C:\*.xml 2>nul

:: Writable directories in PATH
for %A in ("%path:;=" "%") do @echo %A & icacls %A 2>nul | findstr /i "(F) (M) (W)"

:: Check common backup locations
dir /s /b C:\Backups\ C:\backup\ 2>nul
dir /s /b C:\inetpub\ 2>nul

:: Unattended install files (may contain credentials)
dir /s /b C:\unattend.xml C:\sysprep.xml C:\unattended.xml 2>nul
type C:\Windows\Panther\Unattend.xml 2>nul
type C:\Windows\Panther\unattend\Unattend.xml 2>nul

# PowerShell file search
Get-ChildItem -Path C:\ -Include *.txt,*.ini,*.cfg,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"

Credential Hunting

:: Saved credentials
cmdkey /list

:: WiFi passwords
netsh wlan show profiles
netsh wlan show profile name="<SSID>" key=clear

:: Registry autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" 2>nul | findstr /i "DefaultUserName DefaultPassword"

:: SAM and SYSTEM (usually requires SYSTEM privileges)
reg save HKLM\SAM sam.bak
reg save HKLM\SYSTEM system.bak

:: DPAPI credential files
dir /s /b C:\Users\*\AppData\Local\Microsoft\Credentials\* 2>nul
dir /s /b C:\Users\*\AppData\Roaming\Microsoft\Credentials\* 2>nul

:: IIS web.config
type C:\inetpub\wwwroot\web.config 2>nul

:: PowerShell history
type %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt 2>nul

# PowerShell history for all users (requires admin)
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { Write-Host "`n=== $($_.FullName) ==="; Get-Content $_.FullName }

Defense Posture

:: Windows Defender status
sc query WinDefend
Get-MpComputerStatus

:: Check for AV products via WMI
wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayname,pathToSignedProductExe

:: AppLocker rules
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

:: Check if AMSI is active (test in PowerShell)
"AmsiUtils"

:: UAC settings
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" | findstr /i "EnableLUA ConsentPrompt"

:: PowerShell execution policy
Get-ExecutionPolicy -List

:: Audit policy
auditpol /get /category:*

:: Check for Sysmon
sc query Sysmon64
sc query Sysmon
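
An added detection example, not from the original page: with process-creation auditing enabled (Security event 4688 with command-line logging, or Sysmon event 1), the commands listed in this file leave a recognizable burst in the log. The Python below maps the page's commands to their ATT&CK technique IDs and alerts when one logon session runs several distinct discovery techniques within a few minutes, and on any single credential-hunting command such as reg save HKLM\SAM. The pipe-delimited record format, logon IDs and user names are constructed stand-ins for the real event fields.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the sections above, keyed by their ATT&CK technique ID.
DISCOVERY = {tid: re.compile(rx, re.I) for tid, rx in {
    "T1033": r"\bwhoami\b",
    "T1082": r"\b(systeminfo|hostname|ver)\b",
    "T1087.001": r"\bnet\s+(user|localgroup)\b|\bGet-Local(User|Group)\b",
    "T1016": r"\bipconfig\b|\broute\s+print\b|\barp\s+-a\b",
    "T1049": r"\bnetstat\b|\bGet-NetTCPConnection\b",
    "T1057": r"\btasklist\b|\bGet-Process\b",
    "T1007": r"\bsc\s+query\b|\bwmic\s+service\b|\bGet-Service\b",
    "T1518": r"\bwmic\s+(product|qfe)\b|\bGet-HotFix\b",
}.items()}
# Credential-hunting commands from the page that justify an alert on a single occurrence.
CRITICAL = re.compile(r"\breg\s+save\s+HKLM\\(SAM|SYSTEM)\b|\bnetsh\s+wlan\b.*\bkey=clear\b", re.I)

def classify(cmdline):
    """Return the set of technique IDs a process command line matches."""
    return {tid for tid, rx in DISCOVERY.items() if rx.search(cmdline)}

def detect(events, window=timedelta(minutes=5), threshold=4):
    """events: 'ISO-time|LogonId|User|CommandLine' strings (constructed stand-in for 4688 / Sysmon 1 fields)."""
    history, flagged, alerts = defaultdict(list), set(), []
    for line in events:
        ts, logon, user, cmd = line.split("|", 3)
        t = datetime.fromisoformat(ts)
        if CRITICAL.search(cmd):
            alerts.append((logon, user, "credential-access", cmd.strip()))
        techs = classify(cmd)
        if not techs or logon in flagged:        # alert at most once per logon session
            continue
        # Keep only this session's discovery events still inside the sliding window.
        history[logon] = recent = [h for h in history[logon] if t - h[0] <= window] + [(t, techs)]
        seen = set().union(*(h[1] for h in recent))
        if len(seen) >= threshold:
            flagged.add(logon)
            alerts.append((logon, user, "discovery-burst", ",".join(sorted(seen))))
    return alerts

SAMPLE_EVENTS = [  # constructed: one session runs four discovery commands in two minutes, later saves SAM
    "2024-05-01T09:00:00|0x3E7AB|CORP\\jdoe|whoami /priv",
    "2024-05-01T09:00:05|0x3E7AB|CORP\\jdoe|systeminfo",
    "2024-05-01T09:00:20|0x3E7AB|CORP\\jdoe|net localgroup administrators",
    "2024-05-01T09:01:10|0x3E7AB|CORP\\jdoe|netstat -ano",
    "2024-05-01T09:30:00|0x51C22|CORP\\helpdesk|ipconfig /all",
    "2024-05-01T11:00:00|0x51C22|CORP\\helpdesk|whoami",
    "2024-05-01T11:05:00|0x3E7AB|CORP\\jdoe|reg save HKLM\\SAM C:\\Windows\\Temp\\sam.bak",
]
```

The helpdesk session runs only one technique per window and stays quiet, which is the point of keying on distinct techniques per logon rather than raw command counts; tune the window and threshold against your own admin baseline.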

Automated Enumeration

# winPEAS
# https://github.com/peass-ng/PEASS-ng
# Transfer to target and run
.\winPEASx64.exe

# Quiet mode (less output)
.\winPEASx64.exe quiet

# Specific checks
.\winPEASx64.exe userinfo
.\winPEASx64.exe servicesinfo
.\winPEASx64.exe networkinfo

winPEAS checks for misconfigurations, writable service paths, unquoted service paths, credential files, AlwaysInstallElevated, token privileges, and hundreds of other Windows privilege escalation vectors. On Kali, available at /usr/share/peass/winpeas/.
