These commands can be run using cmd. To check the username of the currently logged in user:

whoami

To determine what groups the current user is member of, use the command below. This will include the group name, SID and attributes. From the result, check which groups are notable such as Administrators, Helpdesk, Remote Desktop Users, etc.

whoami /groups

The following commands must be run using PowerShell. This will list all local users in the system. It will also display whether the local user is enabled or disabled.

Get-LocalUser

This command will list all local groups in the system. The output will include the description of the group. Built-In groups in Windows OS are Administrators, Backup Operators, Remote Desktop Users (can RDP to system), Remote Management Users (can winrm to system), etc. Look for groups that can be interesting.

Get-LocalGroup

Get members of local groups. This will be useful in determining who else can be local administrators or other users with other privileges.

Get-LocalGroupMember <GROUP_NAME>

This command will help obtain system information such as hostname, operating system and version, platform type, domain and network information. This will also help determine whether the system is using a dynamic or a static IP address (DHCP Enabled).

systeminfo

Ethernet Adapter and IP Address Information

ipconfig

Routing Table – look for interesting routes such as static, persistent and active routes that may be useful for lateral movement.

route print

Getting all active network connections using netstat.

netstat -ano

Some notable results of netstat are as follows:

• Listening to ports 80/443 means the target is a web server.
• Listening to port 3389 means it allows RDP connection.
• Established connection from a remote IP Address to port 3389 means someone is connected via RDP.

Check the registry for installed applications using the PowerShell command below.

Get-ItemProperty "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" | select displayname

Aside from checking the registry, enumerate the contents of Program Files folders (32 Bit and 64 Bit), C:\ Drive, Downloads folder, AppData, etc. After determining the installed applications, next step is to search for public exploits for installed application versions.

Run this command to get the current running processes:

Get-Process

This is similar to opening Task Manager in Windows. It will show what processes are currently running in the system. This will also help determine what other applications exist in the system.