Local

Privs

whoami /privs

whoami /all

Process

ps

Seatbelt

Seatbelt.exe -group=system

On Havoc

bofbelt

On Sliver

seatbelt -p C:\\Windows\\System32\\werfault.exe -- "-group=user"

SharpUp

On Havoc

dotnet inline-execute /home/jay/prolabs/cybernatics/SharpUp.exe audit

On Sliver

execute-assembly /home/jay/prolabs/cybernatics/SharpUp.exe audit

sharpup audit

PrivescCheck

Import-Module ./PrivescCheck.ps1

Invoke-PrivescCheck

Scheduled Task


Get-ScheduledTask

# Get the scheduled task
$task = Get-ScheduledTask -TaskName "OpenEmail"

# Get the action associated with the task
$action = $task.Actions | Select-Object -First 1

# Extract the executable path from the action
$executablePath = $action.Arguments.Split('"')[1]

# Output the executable path
Write-Output "Executable Path: $executablePath"

Network Enumeration

netstat -na

arp -a

systeminfo | findstr Domain

Get-ADUser -Filter *

Get-ADUser -Filter * -SearchBase "CN=Users,DC=THMREDTEAM,DC=COM"

Get-ADUser -Filter * -SearchBase "OU=THM,DC=THMREDTEAM,DC=COM"

wmic /namespace:\\root\securitycenter2 path antivirusproduct

Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntivirusProduct

Get-Service WinDefend

Get-MpComputerStatus | select RealTimeProtectionEnabled

 Get-MpThreat

Get-NetFirewallProfile | Format-Table Name, Enabled

Set-NetFirewallProfile -Profile Domain, Public, Private -Enabled False

Get-NetFirewallRule | select DisplayName, Enabled, Description

Test-NetConnection -ComputerName 127.0.0.1 -Port 80

(New-Object System.Net.Sockets.TcpClient("127.0.0.1", "80")).Connected

Get-NetFirewallRule | findstr "port"

Get-EventLog

Applications Enumeration

wmic product get name,version

Get-ChildItem -Hidden -Path C:\Users\kkidd\Desktop\

Lists all services that are currently running on the machine.

net start

Retrieves information about a specific service (THM Demo), showing its name and path to the executable.

wmic service where "name like 'THM Demo'" get Name,PathName

Get-Process -Name thm-demo

netstat -noa |findstr "LISTENING" |findstr "3212"

Domain Joined

Powerview

Powerview Enumeration

Malleum Knowledge Base

Explorer

4. Host Recon

Local

Privs

Process

Seatbelt

On Havoc

On Sliver

SharpUp

On Havoc

On Sliver

PrivescCheck

Scheduled Task

Network Enumeration

Applications Enumeration

Domain Joined

Powerview

Graph View

Table of Contents

Backlinks

Malleum Knowledge Base

Explorer

4. Host Recon

Local

Privs

Process

Seatbelt

On Havoc

On Sliver

SharpUp

On Havoc

On Sliver

PrivescCheck

Scheduled Task

Network Enumeration

Antivirus related enum

Firewall related enum

Applications Enumeration

Domain Joined

Powerview

Graph View

Table of Contents

Backlinks