Processes Enumeration and Tasks

What processes are running?:

tasklist /v net start sc query Get-ServiceGet-ProcessGet-WmiObject-Query "Select * from Win32_Process"|where{$_.Name-notlike"svchost*"} |Select Name,Handle,@{Label="Owner";Expression={$_.GetOwner().User}} |ft -AutoSize

Which processes are running as "system":

tasklist /v /fi "username eq system"

Do you have powershell magic?:

REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine"/v PowerShellVersion

List installed programs:

Get-ChildItem'C:\Program Files','C:\Program Files (x86)'|ft Parent,Name,LastWriteTime Get-ChildItem-path Registry::HKEY_LOCAL_MACHINE\SOFTWARE |ft Name

List services:

net start wmic service list brief tasklist /SVC

Enumerate scheduled tasks:

schtasks /query /fo LIST 2>nul |findstr TaskName

Then if we want to look after an specific task, we can copy the output in a .txt file and | grep -v Microsoft and then in the victim machine: schtasks /query /tn {task we are lookig for} /fo list /v

Other scheduled tasks enum commands: schtasks /query /fo LIST /v >schtasks.txt then cat schtask.txt |grep "SYSTEM\|Task To Run"|grep -B 1SYSTEM Get-ScheduledTask|where{$_.TaskPath-notlike"\Microsoft*"} |ft TaskName,TaskPath,State

If we can write any scheduled task we should add a payload and wait for it to be executed or we can try running it with: schtasks /run /tn {task we want to run}

Startup tasks:

wmic startup get caption,command reg query HKLM\Software\Microsoft\Windows\CurrentVersion reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce dir "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"dir "C:\Documents and Settings\%username%\Start Menu\Programs\Startup"