
CMD ENUMERATION

Identity

whoami
whoami /priv
whoami /groups
echo %USERNAME%
hostname

System Information

systeminfo
ver
wmic os get Caption,Version,BuildNumber,OSArchitecture

Users & Groups

net user
net user %USERNAME%
net localgroup
net localgroup administrators

Network

ipconfig /all
route print
arp -a
netstat -ano

Running Processes

tasklist /v

Services

sc query
wmic service get name,displayname,pathname,startmode

Scheduled Tasks

schtasks /query /fo LIST /v

Drives

wmic logicaldisk get name

Installed Updates / Kernel Exploits

wmic qfe

POWERSHELL ENUMERATION

Identity

whoami
whoami /priv
whoami /groups
$env:USERNAME
$env:COMPUTERNAME

System Information

Get-ComputerInfo
Get-CimInstance Win32_OperatingSystem | select Caption,Version,BuildNumber,OSArchitecture
Get-ChildItem Env:

Users & Groups

Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember "Administrators"

Network

Get-NetIPAddress
Get-NetRoute
Get-NetTCPConnection

Installed Software

64-bit Programs

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select DisplayName,DisplayVersion,Publisher

32-bit Programs

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select DisplayName,DisplayVersion,Publisher

Processes

Get-Process

Services

Get-Service
Get-CimInstance Win32_Service | select Name,DisplayName,PathName,StartMode

Scheduled Tasks

Get-ScheduledTask

Drives

Get-PSDrive -PSProvider FileSystem

Hotfixes / Patches

Get-HotFix

Defender Status

Get-MpComputerStatus

Loot & Credential Hunting

# Search user document files that may contain credentials
Get-ChildItem -Path C:\Users\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue

# Location of the PowerShell command history file (very important: review it for credentials)
(Get-PSReadlineOption).HistorySavePath
# Search .ini/.cfg/.xml files for the string "pass" (CMD; /S = recurse, /I = case-insensitive, /M = print file names only)
findstr /SIM /C:"pass" *.ini *.cfg *.xml