Windows Enumeration Essentials

Windows Enumeration Essentials

Comprehensive system enumeration reveals the attack surface available for privilege escalation. Begin with basic system information: OS version (systeminfo), architecture, hotfixes, and domain membership. Windows versions and patch levels directly influence available exploits, with older systems like Windows 7 or Server 2008 containing numerous unpatched vulnerabilities. Missing patches for critical vulnerabilities like MS17-010 (EternalBlue) provide direct escalation paths.

User and group enumeration establishes current privileges and potential targets. Commands like whoami /all reveal user context, group memberships, and privileges. Local administrators group membership indicates existing elevated access. Special groups like "Backup Operators" or "Server Operators" possess implicit privileges exploitable for escalation. User enumeration (net user) identifies potential lateral movement targets and service accounts often configured with weak passwords.

Service enumeration uncovers misconfigurations and vulnerable software running with SYSTEM privileges. Windows services frequently run with highest privileges, making service exploitation particularly valuable. Use sc query, wmic service list, or PowerShell equivalents to enumerate services. Pay special attention to non-default services, third-party software, and custom applications likely containing vulnerabilities or misconfigurations.

Scheduled task analysis reveals automated processes potentially exploitable for privilege escalation. Unlike Linux cron jobs, Windows scheduled tasks support complex triggers and conditions. Commands like schtasks /query /fo LIST /v provide comprehensive task information. Tasks running as SYSTEM with modifiable scripts or writable directories in execution paths offer direct escalation opportunities.