LOTL (Living Off The Land)
System Information Enumeration
Retrieve basic information about the local machine and OS. WMIC is deprecated and is no longer installed by default on current Windows 11 builds; where it is missing, Get-CimInstance in PowerShell queries the same WMI classes.
# Get computer name, domain, manufacturer, model, username, and roles
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List
# Get OS version and architecture details
wmic os get Caption,Version,BuildNumber,OSArchitecture
# List all installed hotfixes and updates
wmic qfe get Caption,Description,HotFixID,InstalledOn
# List running processes
wmic process list /format:list
# Check system uptime
wmic os get LastBootUpTime
# Get BIOS information
wmic bios get SerialNumber,Manufacturer,SMBIOSBIOSVersion
User & Group Enumeration
Identify users, groups, and privilege levels.
# List all local user accounts
wmic useraccount list /format:list
# List all local groups
wmic group list /format:list
# List all members of the Administrators group
net localgroup Administrators
# List currently logged-in users
query user
# List all domain users (if on a domain)
net user /domain
# List all domain groups
net group /domain
# Get currently logged-in user details
whoami /all
# List user accounts with the PASSWD_NOTREQD flag set (userAccountControl bit 32)
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32))" -attr distinguishedName userAccountControl
Domain & Active Directory Enumeration
Identify the domain, its controllers, trusts, and directory objects.
# Get domain information
wmic ntdomain list /format:list
# Get domain controllers in the environment
nltest /dclist:<DomainName>
# Get the current domain controller for the machine
nltest /dsgetdc:<DomainName>
# List domain trusts
nltest /domain_trusts
# List domain users (alternative)
dsquery user
# List all domain groups
dsquery group
# List all domain computers
dsquery computer
# List which domain controllers hold the FSMO roles
netdom query fsmo
# List the privileges held by the current user's token (group membership, including Domain Admins, is shown by whoami /groups)
whoami /priv
Network Enumeration
Find details about network interfaces, routes, and active connections.
# Get local IP address configuration
ipconfig /all
# Display active network connections and open ports
netstat -ano
# List network shares on the machine
net share
# List shares on a remote machine
net view \\<TargetMachine>
# List mapped drives and other connected remote shares
net use
# List all current ARP entries
arp -a
# Display routing table
route print
Session & Service Enumeration
Check active sessions, services, and tasks.
# List inbound SMB sessions to this machine (server side)
net session
# List this machine's outbound connections to remote shares (client side)
net use
# List services running on the machine
wmic service list brief
# List scheduled tasks
schtasks /query /fo LIST /v
File & Registry Enumeration
Search for sensitive files and check registry settings.
# Find all files with a specific extension (e.g., .xml for config files)
dir /s /b C:\*.xml
# Search .txt, .xml and .ini files under the current directory for the string "password" (case-insensitive)
findstr /si password *.txt *.xml *.ini
# Search HKLM recursively for string values containing "password"
reg query HKLM /f password /t REG_SZ /s
# List autostart programs from the registry
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
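From the defender's side, the command families in this cheat sheet are a detection opportunity: a single `whoami` is noise, but one host and account running system, user, domain and network enumeration inside a few minutes is a reconnaissance burst. The following Python is an added example, not part of the original cheat sheet; the 4688-style event format, host names and accounts are constructed, and the five-minute window and three-category threshold are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Each regex covers the command families listed under the matching heading of the cheat sheet.
RECON_PATTERNS = {
    "system":  re.compile(r"^wmic\s+(computersystem|os|qfe|bios|process)\b", re.I),
    "user":    re.compile(r"^(wmic\s+(useraccount|group)|net\s+(user|localgroup)|query\s+user|whoami)\b", re.I),
    "domain":  re.compile(r"^(nltest|dsquery|netdom|wmic\s+ntdomain|net\s+group\b.*/domain)", re.I),
    "network": re.compile(r"^(ipconfig|netstat|arp|route|net\s+(share|view|use))\b", re.I),
    "session": re.compile(r"^(net\s+session|wmic\s+service|schtasks)\b", re.I),
    "file":    re.compile(r"^(findstr\s+/si|reg\s+query\b.*\s/f\s)", re.I),
}
WINDOW = timedelta(minutes=5)   # one reconnaissance burst may span at most this long (assumed)
MIN_CATEGORIES = 3              # distinct categories needed before an alert is raised (assumed)

# Constructed 4688-style process-creation events (not real telemetry): time, host, user, command line.
EVENT_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) cmd=(.*)$")
SAMPLE_LOG = """\
2024-05-01T10:00:00Z host=WS02 user=CORP\\helpdesk cmd=ipconfig /all
2024-05-01T10:00:01Z host=WS01 user=CORP\\jdoe cmd=whoami /all
2024-05-01T10:00:10Z host=WS01 user=CORP\\jdoe cmd=wmic os get Caption,Version,BuildNumber,OSArchitecture
2024-05-01T10:00:30Z host=WS01 user=CORP\\jdoe cmd=notepad.exe C:\\notes.txt
2024-05-01T10:00:45Z host=WS01 user=CORP\\jdoe cmd=net localgroup Administrators
2024-05-01T10:01:20Z host=WS01 user=CORP\\jdoe cmd=nltest /dclist:corp.example
2024-05-01T10:02:05Z host=WS01 user=CORP\\jdoe cmd=netstat -ano
2024-05-01T10:30:00Z host=WS02 user=CORP\\helpdesk cmd=net share
"""

def classify(cmdline):
    """Return the cheat-sheet category a command line falls under, or None if it is not enumeration."""
    return next((cat for cat, rx in RECON_PATTERNS.items() if rx.search(cmdline.strip())), None)

def detect_recon_bursts(log_text):
    """Alert once per host/user whose enumeration commands cover MIN_CATEGORIES categories within WINDOW."""
    recent = defaultdict(deque)   # (host, user) -> (timestamp, category) pairs still inside the window
    alerts, alerted = [], set()
    for m in filter(None, map(EVENT_RE.match, log_text.splitlines())):
        category = classify(m.group(4))
        if category is None:      # ordinary process starts (notepad.exe above) are ignored
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        key = (m.group(2), m.group(3))
        recent[key].append((ts, category))
        while ts - recent[key][0][0] > WINDOW:   # expire events that fell out of the window
            recent[key].popleft()
        seen = sorted({c for _, c in recent[key]})
        if len(seen) >= MIN_CATEGORIES and key not in alerted:
            alerted.add(key)
            alerts.append({"host": key[0], "user": key[1], "triggered_at": ts, "categories": seen})
    return alerts
```

On the sample data only WS01/CORP\jdoe trips the rule, at the `nltest` call that brings the burst to three categories; the helpdesk account's two network commands are thirty minutes apart and stay below the window.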