# General information

## System

```sh
systeminfo
hostname
wmic os get osarchitecture
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
# PowerShell
[System.Environment]::OSVersion.Version
Get-ChildItem Env: | ft Key,Value
```

## Users and groups

```sh
whoami
whoami /priv
whoami /groups
net users
net user <username>
net localgroup
net localgroup <groupname>
wmic useraccount list /format:list
wmic group list /format:list
```

## Sessions

```sh
qwinsta
```

## Services

```sh
wmic service get name,displayname,pathname,startmode | findstr /v /i "C:\Windows"
```
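The same filter in PowerShell form, as an added example that is not part of the original cheat sheet or the linked repository: it extracts the executable from each service's `PathName` (quoted or unquoted, with or without arguments), records the account it runs as and its Authenticode status, and drops everything under the Windows directory just like the `findstr /v /i "C:\Windows"` above. The function name `Get-NonWindowsService` and the `-ExcludeRoot` parameter are assumptions introduced here.

```powershell
# Added example (not from the original page): non-Windows services with the
# executable parsed out of PathName and its signature status, so each one can
# be compared against a known-good inventory of the host.
function Get-NonWindowsService {
    [CmdletBinding()]
    param(
        # Services whose executable lives under this directory are dropped,
        # mirroring  wmic ... | findstr /v /i "C:\Windows"
        [string]$ExcludeRoot = $env:SystemRoot
    )
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        $raw = $svc.PathName
        if (-not $raw) { return }      # some services report no image path; skip them

        # Executable = the quoted first token, or everything up to the first ".exe"
        # when the path is unquoted and followed by arguments.
        if     ($raw -match '^"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($raw -match '^(.+?\.exe)') { $exe = $Matches[1] }
        else                               { $exe = $raw.Trim() }
        $exe = [System.Environment]::ExpandEnvironmentVariables($exe)

        # Authenticode status of the binary on disk (FileNotFound if it is missing)
        $sigStatus = 'FileNotFound'; $signer = $null
        if (Test-Path -LiteralPath $exe) {
            $sig = Get-AuthenticodeSignature -LiteralPath $exe -ErrorAction SilentlyContinue
            if ($sig) { $sigStatus = $sig.Status; $signer = $sig.SignerCertificate.Subject }
        }

        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            State       = $svc.State
            StartMode   = $svc.StartMode
            RunAs       = $svc.StartName
            Executable  = $exe
            Signature   = $sigStatus
            Signer      = $signer
        }
    } | Where-Object { $_.Executable -notlike "$ExcludeRoot\*" }
}

Get-NonWindowsService | Sort-Object StartMode, Name |
    Format-Table Name, StartMode, RunAs, Executable, Signature -AutoSize
```

Services reported as `NotSigned` or `FileNotFound`, or running as a non-service account, are the rows worth checking first against the host's build documentation.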

## Processes

```sh
tasklist /v
tasklist /v /fi "username eq <user>"
wmic process list /format:list
# PowerShell
Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id
```

## Scheduled tasks

```sh
# PowerShell
Get-ScheduledTask | ft TaskName, TaskPath, State
Get-ScheduledTask | ? State -ne Disabled | ft TaskName, TaskPath, State
Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName, TaskPath, State
```
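Going one step beyond the third one-liner, as an added example that is not part of the original cheat sheet or the linked repository: for every task outside the `\Microsoft\` tree it also shows what the task executes, which account it runs as, and when it last and next runs, and flags tasks whose executable sits outside the usual program directories. The function name `Get-ThirdPartyScheduledTask` and the `-TrustedRoots` default (a standard workstation layout) are assumptions introduced here.

```powershell
# Added example (not from the original page): non-Microsoft scheduled tasks with
# their action, principal and run times, for review against a known baseline.
function Get-ThirdPartyScheduledTask {
    [CmdletBinding()]
    param(
        # Directories where task binaries are expected to live (assumption: a
        # typical workstation). Tasks launching something elsewhere are flagged.
        [string[]]$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft*' } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            # Only Exec actions carry an executable; COM-handler actions yield an empty string
            $exe = [System.Environment]::ExpandEnvironmentVariables(($action.Execute -replace '"', ''))
            # A bare name (no directory) is resolved through PATH at run time, so it
            # never matches a trusted root and is flagged for review as well.
            $inTrusted = $false
            if ($exe) {
                foreach ($root in $TrustedRoots) {
                    if ($root -and $exe.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $inTrusted = $true
                    }
                }
            }
            [pscustomobject]@{
                TaskName            = $task.TaskName
                TaskPath            = $task.TaskPath
                State               = $task.State
                RunAs               = $task.Principal.UserId
                RunLevel            = $task.Principal.RunLevel
                Execute             = $exe
                Arguments           = $action.Arguments
                LastRun             = $info.LastRunTime
                NextRun             = $info.NextRunTime
                OutsideTrustedRoots = [bool]($exe -and -not $inTrusted)
            }
        }
    }
}

Get-ThirdPartyScheduledTask | Sort-Object OutsideTrustedRoots -Descending |
    Format-Table TaskName, RunAs, RunLevel, Execute, OutsideTrustedRoots -AutoSize
```

Tasks that run as `SYSTEM` or with `Highest` run level from a directory outside the trusted roots are the ones to reconcile first with the change records for the machine.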

## Applications

```sh
# From a meterpreter session
run post/windows/gather/enum_applications
```

## Network information and services

```sh
ipconfig /all
arp -a
route print
```

### netstat

```sh
netstat -ano -p <protocolo>
```

* -a = all sockets (listening ports and established connections).
* -n = hosts and ports in numeric form (no name resolution).
* -o = owning PID (Process Identification Number) for each socket.
* -p = restrict to one protocol: TCP, UDP, TCPv6 or UDPv6.
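Since `-o` only gives a PID, the useful next step is to resolve it to a process name. The following is an added example, not part of the original cheat sheet or the linked repository: it parses `netstat -ano` output into objects (TCP rows carry a `State` column, UDP rows do not) and joins each PID with `Get-Process`. The function names and the `$sample` lines are constructed for this example, not captured from a real host.

```powershell
# Added example (not from the original page): turn `netstat -ano` output into
# objects and resolve each PID to a process name, so listening ports can be
# reviewed against what is expected on the host.
function ConvertFrom-NetstatOutput {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$Lines)

    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        # TCP rows: Proto, Local, Foreign, State, PID.  UDP rows have no State column.
        if ($f[0] -eq 'TCP' -and $f.Count -eq 5) {
            $local = $f[1]; $state = $f[3]; $owner = [int]$f[4]
        }
        elseif ($f[0] -eq 'UDP' -and $f.Count -eq 4) {
            $local = $f[1]; $state = ''; $owner = [int]$f[3]
        }
        else { continue }   # header, blank and unparsed lines are skipped
        # The port is whatever follows the last ':' (also handles [::]:445 style IPv6)
        $port = [int]$local.Substring($local.LastIndexOf(':') + 1)
        [pscustomobject]@{
            Proto = $f[0]; LocalAddress = $local; Port = $port; State = $state; PID = $owner
        }
    }
}

function Get-ListeningPortOwner {
    [CmdletBinding()]
    param([string[]]$Lines = (netstat -ano))
    # Map PID -> process name once, then join it onto each parsed row
    $byPid = @{}
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object { $byPid[$_.Id] = $_.ProcessName }
    ConvertFrom-NetstatOutput -Lines $Lines |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Proto -eq 'UDP' } |
        Select-Object Proto, LocalAddress, Port, PID,
            @{ Name = 'Process'; Expression = {
                if ($byPid.ContainsKey($_.PID)) { $byPid[$_.PID] } else { '<not running>' } } } |
        Sort-Object Port
}

# Constructed sample of `netstat -ano` output (not captured from a real host)
$sample = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912',
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204',
    '  TCP    192.168.1.10:49712     10.0.0.5:443           ESTABLISHED     4480',
    '  TCP    [::]:445               [::]:0                 LISTENING       4',
    '  UDP    0.0.0.0:5353           *:*                                    2212'
)
ConvertFrom-NetstatOutput -Lines $sample | Format-Table -AutoSize
# On a live host, join with process names:  Get-ListeningPortOwner | Format-Table -AutoSize
```

Parsing the text rather than calling `Get-NetTCPConnection` keeps the example usable on older hosts where that cmdlet is absent, and the same parser works on saved `netstat` output collected during an investigation.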

## Security updates

```sh
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

## Defensive measures

```sh
# Windows Defender Firewall
netsh firewall show state
netsh advfirewall show allprofiles

# Windows Defender
sc query windefend
# PowerShell
Get-MpComputerStatus
```

## AppLocker

```sh
# Local Security Policy console; AppLocker rules are under Application Control Policies
secpol.msc
```

* <https://github.com/MrW0l05zyn/pentesting/blob/master/windows/privesc/applocker/applocker-bypass-checker.ps1>
