Enumeration
Automated
We can use tools like WinPEAS to automate enumeration for privilege escalation, but below are manual methods for enumerating the system.
System Information
- PowerShell
systeminfo # Get system information
Get-ComputerInfo # Detailed system info (Win10+)
wmic os get Caption, Version # OS version
Get-WmiObject Win32_OperatingSystem | Select-Object * # All OS properties (use Get-CimInstance Win32_OperatingSystem on PowerShell 7, where Get-WmiObject is removed)
- Cmd
systeminfo # Get system details
wmic os get Caption, Version # OS version info
ver # Windows version
User & Group Enumeration
- PowerShell
whoami # Current user
whoami /all # User privileges & groups
Get-LocalUser # List local users
Get-LocalGroupMember Administrators # List admin users
net user # List all users
net localgroup # List all groups
net localgroup Administrators # List admin group members
- Cmd
whoami # Current user
echo %USERNAME% # Current user name from the environment
whoami /all # Show user privileges & groups
query user # Logged-in users
net user # List all users
net localgroup # List all groups
net localgroup Administrators # Show members of the Administrators group
net accounts # Get password policy information
Sudo & Privilege Checks
- PowerShell
whoami /priv # List privileges
whoami /groups # List current user groups
Get-Process -Name explorer | Select-Object -ExpandProperty Path # Path of the explorer.exe binary (showing the process owner needs Get-Process -IncludeUserName, which requires elevation)
- Cmd
whoami /priv # Display assigned privileges
Running Processes
- PowerShell
Get-Process # List running processes
Get-WmiObject Win32_Process # More detailed process info
- Cmd
tasklist /V # Verbose listing (status, user name, window title)
tasklist /svc # Show the services hosted in each process
Scheduled Tasks
- PowerShell
Get-ScheduledTask # List scheduled tasks
schtasks /query /fo LIST # Detailed task listing
- Cmd
schtasks /query /fo LIST # List scheduled tasks in detailed format
Network Information
- PowerShell
ipconfig /all # Network interfaces
arp -a # ARP table
route print # Routing table
Get-NetIPAddress # IP addresses
netstat -ano # Open ports and associated processes
- Cmd
ipconfig /all # Show all network adapter details
arp -a # ARP table
route print # Routing table
netstat -ano # Display active connections and listening ports
Firewall Rules
- PowerShell
Get-MpComputerStatus # Check Windows Defender status
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections # List AppLocker rules
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone # Test AppLocker rules
Get-NetFirewallRule -All # List all firewall rules
- Cmd
netsh advfirewall firewall show rule name=all # Show all firewall rules
Installed Programs
- PowerShell
$INSTALLED = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED += Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, InstallLocation
$INSTALLED | ?{ $_.DisplayName -ne $null } | Sort-Object -Property DisplayName -Unique | Format-Table -AutoSize
- Cmd
wmic product get name,version # Display installed software with version
File System & Permissions
- PowerShell
Get-Acl C:\Windows\System32 # Check permissions on a folder
- Cmd
icacls C:\Windows\System32 # Show permissions for the specified directory
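An added audit helper, not part of the original cheatsheet, that joins the Uninstall-key enumeration above with Get-Acl: it lists installed program directories that low-privileged principals can write to, the misconfiguration an administrator should correct. The principal list is a constructed default and the function name is an assumption; it runs on Windows PowerShell 5.1 or later.

```powershell
# Added audit helper (not from the original cheatsheet). Flags install directories
# whose ACL grants write, modify or full control to low-privileged principals.
function Find-WritableInstallDir {
    [CmdletBinding()]
    param(
        # Constructed default list of principals whose write access is a finding
        [string[]]$Principals = @('Everyone', 'BUILTIN\Users',
                                  'NT AUTHORITY\Authenticated Users',
                                  'NT AUTHORITY\INTERACTIVE')
    )
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # Rights that let a principal add or replace files in the directory
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.InstallLocation } |
        Sort-Object -Property InstallLocation -Unique |
        ForEach-Object {
            $dir = $_.InstallLocation.Trim('"')
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { return }
            try { $acl = Get-Acl -LiteralPath $dir } catch { return }
            foreach ($ace in $acl.Access) {
                # Only explicit Allow entries carrying one of the write rights count
                $grantsWrite = ($ace.AccessControlType -eq 'Allow') -and
                               (($ace.FileSystemRights -band $writeMask) -ne 0)
                if ($grantsWrite -and ($Principals -contains $ace.IdentityReference.Value)) {
                    [PSCustomObject]@{
                        Program   = $_.DisplayName
                        Version   = $_.DisplayVersion
                        Directory = $dir
                        Principal = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                    }
                }
            }
        }
}

Find-WritableInstallDir | Format-Table -AutoSize
```

Generic access bits (GENERIC_WRITE and similar) are not decoded by the mask above, so review any unnamed numeric Rights values manually with icacls.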
Environment Variable & Path
- PowerShell
Get-ChildItem Env: # Display environment variables (in PowerShell, set is an alias for Set-Variable, not the cmd builtin)
- Cmd
set # Display environment variables
Registry Enumeration
- PowerShell
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" # List startup programs
- Cmd
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run # List startup programs
Credentials & Stored Passwords
- PowerShell
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" | Select-Object AutoAdminLogon, DefaultUsername, DefaultPassword, DefaultDomainName # Autologon settings
cmdkey /list # Stored credentials
- Cmd
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" # Autologon settings
cmdkey /list # Show saved credentials
Exploit & Patch Checks
- PowerShell
Get-HotFix | ft -AutoSize # Check installed updates
- Cmd
wmic qfe get Caption,Description,HotFixID,InstalledOn # Display installed Windows updates
Named Pipes
- PowerShell / Cmd (accesschk is a Sysinternals tool, so the same commands apply in both shells)
# https://learn.microsoft.com/en-us/sysinternals/downloads/accesschk
accesschk.exe /accepteula \pipe\lsass -v # Check permissions of a named pipe
accesschk.exe -w \pipe\* -v # Check write permissions on all named pipes