Updated

I’m pretty green when it comes to knowledge of windows commands & cli tools. From the security perspective, a large percent of businesses/corporations run windows on their platform, so some basic tools to introduce ideas is helpful!

WMI

With the command line you can use wmic or powershell to utilize WMI (Windows Management Instrumentation) which can give you insight into all sorts of things about your system!

Get Windows Version

> wmic os get Name,Version,BuildNumber,OSArchitecture,InstallDate
BuildNumber  InstallDate                Name                             OSArchitecture  Version
14393        20161028165102.000000-420  Microsoft Windows 10 Enterprise  64-bit          10.0.14393

Powershell

@todo Fill this out more!

:: List available objects
Get-WmiObject -List

:: Logged on users
Get-WmiObject Win32_LoggedOnUser

:: Users ...
Get-WmiObject Win32_SystemUsers

:: Get processes
Get-WmiObject Win32_Process | Format-Table -Wrap -Property Name,Path,ExecutablePath,ProcessId,CreationDate

:: What is running in startup?
Get-WmiObject Win32_StartupCommand

Hardware

I used to always use cpu-z to id the hardware, but there are plenty of other tools to figure out hardware is on the system you’re using.

> systeminfo

Host Name:                 REZEN
OS Name:                   Microsoft Windows 7 Professional
OS Version:                6.1.7601 Service Pack 1 Build 7601
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Andres
Registered Organization:
Product ID:                00371-153-6150126-85809
Original Install Date:     2/18/2013, 10:21:17 PM
System Boot Time:          1/31/2017, 9:22:30 PM
System Manufacturer:       To Be Filled By O.E.M.
System Model:              To Be Filled By O.E.M.
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: AMD64 Family 16 Model 4 Stepping 2 AuthenticAMD ~3000 Mhz
BIOS Version:              American Megatrends Inc. P1.90, 5/24/2010
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume3
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
.....
> wmic memphysical get MaxCapacity
MaxCapacity
16777216
> wmic baseboard list /format:LIST


ConfigOptions=
Depth=
Description=Base Board
Height=
HostingBoard=TRUE
HotSwappable=FALSE
InstallDate=
Manufacturer=ASRock
Model=
Name=Base Board
OtherIdentifyingInfo=
PartNumber=
PoweredOn=TRUE
Product=A780FullDisplayPort
Removable=FALSE
Replaceable=TRUE
RequiresDaughterBoard=FALSE
SpecialRequirements=
Status=OK
Tag=Base Board

Network

On linux tcpdump and netstat are gold but on Windows the you have different tools. Well, there is netstat, but it’s different.

Instead of tcpdump you can use netsh to capture traffic

netsh trace start capture=yes
netsh trace stop
Get-WmiObject Win32_IP4RouteTable | Format-Table -Wrap -Property Age,Caption,Mask,Destination,Name
> netsh int show int

Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Connected      Dedicated        VirtualBox Host-Only Network
Enabled        Connected      Dedicated        Npcap Loopback Adapter
Enabled        Connected      Dedicated        VirtualBox Host-Only Network #2
Enabled        Connected      Dedicated        VirtualBox Host-Only Network #3
Enabled        Connected      Dedicated        Ethernet 2
Enabled        Connected      Dedicated        vEthernet (DockerNAT)

Quickly find gateway address

> netsh interface ip show config | findstr "Default"
    Default Gateway:                      10.15.128.1

Let’s find DNS!

> netsh interface ip show config | findstr "DNS"
    DNS servers configured through DHCP:  10.8.1.90
    Statically Configured DNS Servers:    192.168.1.104
    Statically Configured DNS Servers:    None
    Statically Configured DNS Servers:    None
    Statically Configured DNS Servers:    None
    Statically Configured DNS Servers:    None
> netsh interface ipv4 show tcpconnections

MIB-II TCP Connection Entry
Local Address   Local Port      Remote Address  Remote Port     State
-----------------------------------------------------------------------------
        0.0.0.0       22               0.0.0.0          0       Listen
        0.0.0.0      135               0.0.0.0          0       Listen
      10.0.75.1      139               0.0.0.0          0       Listen
  10.15.130.204      139               0.0.0.0          0       Listen
 169.254.54.117      139               0.0.0.0          0       Listen
      127.0.0.1     2201               0.0.0.0          0       Listen
      127.0.0.1     2202             127.0.0.1      10240  Established
      127.0.0.1     2202             127.0.0.1      13370  Established
      127.0.0.1     2202               0.0.0.0          0       Listen
      127.0.0.1     2222             127.0.0.1      14513  Established
      127.0.0.1     2222               0.0.0.0          0       Listen
  10.15.130.204     3144         65.52.108.195        443  Established

netstat which is familiar is on Windows!

> netstat -ab

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             console-10:0           LISTENING
  SshProxy
 [svchost.exe]
  TCP    0.0.0.0:135            console-10:0           LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            console-10:0           LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:1536           console-10:0           LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:1537           console-10:0           LISTENING
  EventLog
 [svchost.exe]
> netstat -ao

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:22             console-10:0           LISTENING       2720
  TCP    0.0.0.0:135            console-10:0           LISTENING       892
  TCP    0.0.0.0:445            console-10:0           LISTENING       4
  TCP    0.0.0.0:1536           console-10:0           LISTENING       592
  TCP    0.0.0.0:1537           console-10:0           LISTENING       372
  TCP    0.0.0.0:1538           console-10:0           LISTENING       1332
  TCP    0.0.0.0:1539           console-10:0           LISTENING       2024
  TCP    0.0.0.0:1541           console-10:0           LISTENING       732
  TCP    0.0.0.0:1550           console-10:0           LISTENING       748
  TCP    0.0.0.0:2179           console-10:0           LISTENING       2680
  TCP    0.0.0.0:3389           console-10:0           LISTENING       292

Processes

You need to be able to quickly check processes for anything phishy!

> schtasks

Folder: \
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
G2MUpdateTask-S-1-5-21-3622734366-314535 2/10/2017 4:07:00 PM   Ready
G2MUploadTask-S-1-5-21-3622734366-314535 2/10/2017 4:31:00 PM   Ready
GoogleUpdateTaskMachineCore              2/11/2017 1:58:09 PM   Ready
GoogleUpdateTaskMachineUA                2/10/2017 3:58:09 PM   Ready
klcp_update                              2/25/2017 7:10:00 PM   Ready
OneDrive Standalone Update Task v2       2/11/2017 4:41:36 PM   Ready
RtHDVBg_LENOVO_MICPKEY                   N/A                    Running
RTKCPL                                   N/A                    Running

Folder: \Microsoft
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

Folder: \Microsoft\Office
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
Office Automatic Updates                 2/12/2017 4:01:03 AM   Ready
Office ClickToRun Service Monitor        2/11/2017 8:58:46 AM   Ready
Office Subscription Maintenance          2/11/2017 8:25:18 AM   Ready
OfficeTelemetryAgentFallBack2016         N/A                    Ready
OfficeTelemetryAgentLogOn2016            N/A                    Ready

Folder: \Microsoft\Windows
TaskName                                 Next Run Time          Status
======================================== ====================== ===============
INFO: There are no scheduled tasks presently available at your access level.

.....
> tasklist                                                                        
                                                                                  
Image Name                     PID Session Name        Session#    Mem Usage      
========================= ======== ================ =========== ============      
System Idle Process              0 Services                   0          4 K      
System                           4 Services                   0         32 K      
smss.exe                       324 Services                   0        336 K      
csrss.exe                      500 Services                   0      1,592 K      
wininit.exe                    592 Services                   0        836 K      
csrss.exe                      600 Console                    1      3,972 K      
winlogon.exe                   680 Console                    1      3,116 K      
services.exe                   732 Services                   0      4,660 K      
lsass.exe                      748 Services                   0     10,104 K      
svchost.exe                    840 Services                   0     10,992 K      
svchost.exe                    892 Services                   0      8,520 K      
svchost.exe                    292 Services                   0     19,944 K      
svchost.exe                    372 Services                   0     17,176 K      
svchost.exe                    384 Services                   0     15,152 K      
svchost.exe                   1104 Services                   0     15,980 K      
nvvsvc.exe                    1140 Services                   0      3,424 K      
nvSCPAPISvr.exe               1148 Services                   0      2,136 K      
svchost.exe                   1180 Services                   0     18,308 K      
svchost.exe                   1332 Services                   0     64,384 K      
nvxdsync.exe                  1380 Console                    1     13,292 K      
nvvsvc.exe                    1452 Console                    1      7,852 K      
svchost.exe                   1960 Services                   0      7,104 K      
svchost.exe                   2004 Services                   0      1,960 K      
spoolsv.exe                   2024 Services                   0      8,512 K      
svchost.exe                   2236 Services                   0     23,336 K      
com.docker.service            2252 Services                   0      2,552 K      
dirmngr.exe                   2280 Services                   0      1,568 K      
IpOverUsbSvc.exe              2296 Services                   0      2,576 K      
.....