Initial Enumeration

The minimum-viable enumeration suite for any Windows shell. Every command in this set produces high-signal information that maps directly to an escalation primitive: whoami /priv to token-abuse pages, systeminfo to kernel-exploit candidacy, net localgroup to group-attack pages. Run all of these before reaching for winPEAS or Seatbelt.

# Identity and privileges
whoami # who am I
whoami /priv # what tokens do I hold
whoami /groups # what groups grant me what
# System identity and patch level
systeminfo # OS version, build, hotfixes
wmic qfe # alternative hotfix view
Get-HotFix # PowerShell hotfix view
# Software footprint
wmic product get name,version # installed products (MSI)
Get-WmiObject -Class Win32_Product | Select Name, Version
tasklist /svc # running processes + services
netstat -ano # open ports + PIDs
# User and group inventory
net user # local users
net localgroup # local groups
net localgroup administrators # local admin members
net accounts # local password policy
query user # logged-in users
# Environment
set # env vars (PATH, HOMEDRIVE, etc.)

Success indicator: you can describe the host’s OS version, missing patches, your privileges, the local admin set, and which programs are installed in under five minutes.

The three-line baseline. Always start here.

C:\> whoami
winlpe-srv01\htb-student

Reads as MACHINENAME\username (local account) or DOMAIN\username (domain account). The presence of a domain in the output indicates this host is domain-joined and the current session has domain context - important for credential reuse and lateral-movement planning.

For SYSTEM, whoami returns nt authority\system. For local service accounts you might see nt service\mssqlserver, nt service\<servicename>, or similar.

C:\> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

This is the most operationally important command in Windows privilege escalation. Each line is a privilege. The State field is either Enabled (privilege active right now) or Disabled (privilege held but not active - most can be enabled programmatically; see the individual privilege pages for the technique).

Privileges that directly enable escalation - if any of these appear, regardless of State, jump to the linked page:

| Privilege | What it enables | See |
| --- | --- | --- |
| SeImpersonatePrivilege | Impersonate authentication tokens | SeImpersonate |
| SeAssignPrimaryTokenPrivilege | Set primary token on processes | SeImpersonate |
| SeDebugPrivilege | Read/write any process memory | SeDebugPrivilege |
| SeTakeOwnershipPrivilege | Take ownership of any object | SeTakeOwnership |
| SeBackupPrivilege | Read any file (backup semantics) | Backup Operators |
| SeRestorePrivilege | Write any file (restore semantics) | Backup Operators |
| SeLoadDriverPrivilege | Load kernel drivers | Other privileged groups |

A service account context with SeImpersonatePrivilege enabled - common after web shell upload to IIS or RCE through MSSQL - is the canonical “potato-family” win. Service-account-to-SYSTEM is sometimes a single command away.

Privileges that don’t directly escalate but indicate elevated context - SeSecurityPrivilege, SeSystemEnvironmentPrivilege, SeIncreaseQuotaPrivilege and others appear for local administrator contexts. If you see them while non-admin, something is misconfigured.

If whoami /priv from a non-elevated cmd shows only the default two privileges (SeChangeNotifyPrivilege, SeIncreaseWorkingSetPrivilege), you’re an unprivileged user with no obvious token-level wins. Proceed to group membership and software enumeration.

C:\> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Desktop Users Alias S-1-5-32-555 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192

Standard membership for a normal user: Everyone, BUILTIN\Users, NT AUTHORITY\Authenticated Users, plus mandatory integrity level.

Privileged group memberships that map to escalation paths - these are the ones to look for:

| Group | Attack page |
| --- | --- |
| BUILTIN\Administrators | Already local admin - focus on SYSTEM via UAC bypass or service abuse |
| BUILTIN\Backup Operators | Backup Operators |
| BUILTIN\Event Log Readers | Other privileged groups |
| BUILTIN\DnsAdmins / DOMAIN\DnsAdmins | DnsAdmins |
| BUILTIN\Hyper-V Administrators | Other privileged groups |
| BUILTIN\Print Operators | Other privileged groups |
| BUILTIN\Server Operators | Other privileged groups |
| BUILTIN\Account Operators | Can modify most non-protected users/groups |
| BUILTIN\Schema Admins (AD) | Can modify AD schema - broad lateral implications |
| BUILTIN\Group Policy Creator Owners | Can create GPOs (needs link delegation to apply them) |

Mandatory Integrity Level is shown at the bottom - Low, Medium, Medium Plus, High, System. A standard user runs at Medium. UAC-elevated processes run at High. SYSTEM processes run at System. Some operations require a minimum integrity level regardless of privileges.
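
An added example (not code from the original page): an offline parser for saved whoami /priv and whoami /groups output that flags the privileges and groups from the two tables above and reads the integrity level from the Mandatory Label row. The samples are constructed, the tables above supply the lookup lists, and column boundaries are taken from the ===== ruler that whoami prints under its header.

```python
import re

# Page tables: privilege -> escalation page, and groups that map to an attack page.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "SeImpersonate", "SeAssignPrimaryTokenPrivilege": "SeImpersonate",
    "SeDebugPrivilege": "SeDebugPrivilege", "SeTakeOwnershipPrivilege": "SeTakeOwnership",
    "SeBackupPrivilege": "Backup Operators", "SeRestorePrivilege": "Backup Operators",
    "SeLoadDriverPrivilege": "Other privileged groups",
}
DEFAULT_PRIVS = {"SeChangeNotifyPrivilege", "SeIncreaseWorkingSetPrivilege"}  # plain user
PRIVILEGED_GROUPS = {"BUILTIN\\" + g for g in (
    "Administrators", "Backup Operators", "Event Log Readers", "DnsAdmins",
    "Hyper-V Administrators", "Print Operators", "Server Operators", "Account Operators")}

def parse_whoami_table(text):
    """Split whoami /priv or /groups output into rows. Column spans come from the
    runs of '=' in the ruler line, so cells containing spaces stay intact."""
    lines = text.splitlines()
    ruler = next(i for i, l in enumerate(lines) if l.startswith("="))
    spans = [(m.start(), m.end()) for m in re.finditer(r"=+", lines[ruler])]
    names = [lines[ruler - 1][s:e].strip() for s, e in spans]
    last = len(spans) - 1  # the last column runs to the end of the line
    return [dict(zip(names, [line[s:(None if i == last else e)].strip()
                             for i, (s, e) in enumerate(spans)]))
            for line in lines[ruler + 1:] if line.strip()]

def triage_privs(text):
    """Return ([(privilege, state, page)], baseline_only). State is reported, but a
    Disabled privilege is still held; only the default pair means no token-level win."""
    held = {r["Privilege Name"]: r["State"] for r in parse_whoami_table(text)}
    hits = [(p, s, ESCALATION_PRIVS[p]) for p, s in held.items() if p in ESCALATION_PRIVS]
    return hits, set(held) <= DEFAULT_PRIVS

def triage_groups(text):
    """Return (privileged groups present, integrity level from the Mandatory Label row)."""
    groups = [r["Group Name"] for r in parse_whoami_table(text)]
    label = next((g for g in groups if g.startswith("Mandatory Label\\")), None)
    level = label.split("\\", 1)[1].replace(" Mandatory Level", "") if label else None
    return [g for g in groups if g in PRIVILEGED_GROUPS], level

def row(*cells, widths=(29, 41, 8)):
    """Build one fixed-width line the way whoami pads its columns (sample data only)."""
    return " ".join(c.ljust(w) for c, w in zip(cells, widths)).rstrip()

# Constructed samples (not captured from a real host): a service-account context.
PRIV_SAMPLE = "\n".join(["PRIVILEGES INFORMATION", "----------------------", "",
    row("Privilege Name", "Description", "State"), row("=" * 29, "=" * 41, "=" * 8),
    row("SeAssignPrimaryTokenPrivilege", "Replace a process level token", "Disabled"),
    row("SeIncreaseQuotaPrivilege", "Adjust memory quotas for a process", "Disabled"),
    row("SeChangeNotifyPrivilege", "Bypass traverse checking", "Enabled"),
    row("SeImpersonatePrivilege", "Impersonate a client after authentication", "Enabled")])
GW = (38, 16, 12, 50)
ATTRS = "Mandatory group, Enabled by default, Enabled group"
GROUPS_SAMPLE = "\n".join(["GROUP INFORMATION", "-----------------", "",
    row("Group Name", "Type", "SID", "Attributes", widths=GW), row(*("=" * w for w in GW), widths=GW),
    row("Everyone", "Well-known group", "S-1-1-0", ATTRS, widths=GW),
    row("BUILTIN\\Users", "Alias", "S-1-5-32-545", ATTRS, widths=GW),
    row("BUILTIN\\Backup Operators", "Alias", "S-1-5-32-551", ATTRS, widths=GW),
    row("Mandatory Label\\Medium Mandatory Level", "Label", "S-1-16-8192", "", widths=GW)])
```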

C:\> systeminfo

The output is verbose; the operationally important fields:

  • OS Name + OS Version + OS Build Type - Identifies the operating system. Microsoft Windows Server 2016 Standard / 10.0.14393 N/A Build 14393 maps to a specific patch baseline. The build number is the precise identifier; cross-reference against Windows release history.
  • System Boot Time - How long the host has been up. A boot time three weeks ago + no recent hotfixes = unpatched live system.
  • Hotfix(s) - KBs applied. Critical for kernel-exploit candidacy. Cross-reference the KB list against WES-NG or Watson to find missing patches.
  • Domain - WORKGROUP means standalone; otherwise the AD domain name. Tells you whether AD-context attacks are in play.
  • Logon Server - The DC that authenticated this session.
  • System Manufacturer + System Model - VMware, Inc. or Microsoft Corporation (Hyper-V) confirms virtualization. Bare metal indicates a physical workstation/server.
  • System Locale + Time Zone - Useful context for where in the world this host lives, particularly for engagement timing.

If systeminfo doesn’t print hotfixes (some configurations hide them), query directly:

C:\> wmic qfe
Caption CSName Description HotFixID InstallDate InstalledBy InstalledOn
http://support.microsoft.com/?kbid=3199986 WINLPE-SRV01 Update KB3199986 NT AUTHORITY\SYSTEM 11/21/2016
https://support.microsoft.com/help/5001078 WINLPE-SRV01 Security Update KB5001078 NT AUTHORITY\SYSTEM 3/25/2021
http://support.microsoft.com/?kbid=4103723 WINLPE-SRV01 Security Update KB4103723 NT AUTHORITY\SYSTEM 3/25/2021

Or with PowerShell:

PS> Get-HotFix | ft -AutoSize
Source Description HotFixID InstalledBy InstalledOn
------ ----------- -------- ----------- -----------
WINLPE-SRV01 Update KB3199986 NT AUTHORITY\SYSTEM 11/21/2016 12:00:00 AM
WINLPE-SRV01 Update KB4054590 WINLPE-SRV01\Administrator 3/30/2021 12:00:00 AM
WINLPE-SRV01 Security Update KB5001078 NT AUTHORITY\SYSTEM 3/25/2021 12:00:00 AM

Save the systeminfo output to a file and feed it to WES-NG on the attacker side:

$ python3 wes.py systeminfo.txt

This returns a list of likely-missing patches with associated CVEs and links to public exploits. The output volume can be large; filter for what is actually exploitable in your context (primarily kernel privilege escalation - skip the denial-of-service and remote-code-execution entries when the goal is local escalation).

Patch dates more than 6-12 months stale are the strongest signal of kernel-exploit candidacy. Specific dates and what they imply:

| Last hotfix before | Likely vulnerable to |
| --- | --- |
| March 2017 | EternalBlue (MS17-010) |
| April 2018 | DoublePulsar, SambaCry |
| Sept 2018 | ALPC Task Scheduler 0-day |
| Sept 2019 | CVE-2019-1322 (UsoSvc weak ACL window - already patched) |
| June 2021 | PrintNightmare (CVE-2021-1675 / CVE-2021-34527) |
| July 2021 | HiveNightmare / SeriousSam (CVE-2021-36934) |

Match the boot-time-versus-patch-date gap. A host last patched in 2019 booted yesterday is missing two years of fixes; expect kernel exploits to land.
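
An added example, not from the page or from WES-NG: it pulls the newest InstalledOn date out of saved Get-HotFix or wmic qfe output, the boot date out of saved systeminfo output, and reports the gap together with the rows of the table above whose cutoff falls after the host's last patch. The Get-HotFix rows reuse the ones shown earlier; the systeminfo lines and the reference dates are constructed, and dates are assumed to print in the en-US M/D/YYYY form.

```python
import re
from datetime import date

# The page's "last hotfix before -> likely vulnerable to" table, keyed by (year, month).
PATCH_MILESTONES = [
    ((2017, 3), "EternalBlue (MS17-010)"),
    ((2018, 4), "DoublePulsar, SambaCry"),
    ((2018, 9), "ALPC Task Scheduler 0-day"),
    ((2019, 9), "CVE-2019-1322 (UsoSvc weak ACL window - already patched)"),
    ((2021, 6), "PrintNightmare (CVE-2021-1675 / CVE-2021-34527)"),
    ((2021, 7), "HiveNightmare / SeriousSam (CVE-2021-36934)"),
]
# Assumption: en-US locale, so InstalledOn and System Boot Time print as M/D/YYYY.
DATE_RE = re.compile(r"\b(\d{1,2})/(\d{1,2})/(\d{4})\b")

def installed_dates(text):
    """Every M/D/YYYY date in wmic qfe or Get-HotFix output, oldest first (time ignored)."""
    return sorted(date(int(y), int(m), int(d)) for m, d, y in DATE_RE.findall(text))

def hotfix_ids(text):
    """KB identifiers present in the output, deduplicated."""
    return sorted(set(re.findall(r"\bKB\d{6,7}\b", text)))

def boot_date(systeminfo_text):
    """Date part of the 'System Boot Time:' line from systeminfo, or None."""
    for line in systeminfo_text.splitlines():
        if line.startswith("System Boot Time"):
            m = DATE_RE.search(line)
            return date(int(m.group(3)), int(m.group(1)), int(m.group(2))) if m else None
    return None

def months_between(earlier, later):
    return (later.year - earlier.year) * 12 + later.month - earlier.month

def patch_triage(hotfix_text, as_of):
    """Newest hotfix date, months between it and as_of (boot time or today), and
    the table rows whose cutoff month is later than that date."""
    dates = installed_dates(hotfix_text)
    latest = dates[-1] if dates else None
    missed = [name for (y, m), name in PATCH_MILESTONES
              if latest and (y, m) > (latest.year, latest.month)]
    return {"latest": latest, "kbs": hotfix_ids(hotfix_text), "likely_missing": missed,
            "months_stale": months_between(latest, as_of) if latest and as_of else None}

# Get-HotFix rows as shown on this page; the systeminfo lines below are constructed.
HOTFIX_SAMPLE = r"""
Source       Description      HotFixID   InstalledBy                InstalledOn
------       -----------      --------   -----------                -----------
WINLPE-SRV01 Update           KB3199986  NT AUTHORITY\SYSTEM        11/21/2016 12:00:00 AM
WINLPE-SRV01 Update           KB4054590  WINLPE-SRV01\Administrator 3/30/2021 12:00:00 AM
WINLPE-SRV01 Security Update  KB5001078  NT AUTHORITY\SYSTEM        3/25/2021 12:00:00 AM
"""
SYSINFO_SAMPLE = """\
Host Name:                 WINLPE-SRV01
OS Name:                   Microsoft Windows Server 2016 Standard
System Boot Time:          1/9/2022, 8:02:11 AM
"""
```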

Knowing what’s installed tells you both the legitimate attack surface (vulnerable third-party services) and the operator’s available tooling (PowerShell version, .NET version, etc.).

C:\> wmic product get name,version
Name Version
Microsoft Visual C++ 2019 X64 Additional Runtime 14.24.28127
Java 8 Update 231 (64-bit) 8.0.2310.11
VMware Tools
Microsoft Visual C++ 2019 X64 Minimum Runtime 14.24.28127
SQL Server 2016 Database Engine Services 13.2.5026.0

Or with PowerShell (slow on large software sets - wmic is faster for a first pass). Note that every Win32_Product query, wmic included, makes Windows Installer validate and possibly repair each registered package, which is what makes it slow and also leaves MsiInstaller events in the Application event log:

PS> Get-WmiObject -Class Win32_Product | Select Name, Version

wmic product enumerates only MSI-installed software. Programs installed via other means (manual extracts to Program Files, portable apps in AppData, sideloaded DLLs) may not appear. For a more complete view, check the registry directly:

PS> Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select DisplayName, DisplayVersion
PS> Get-ItemProperty 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' | Select DisplayName, DisplayVersion

The second path (Wow6432Node) catches 32-bit installations on 64-bit Windows.

What to look for in installed software:

  • Vulnerable third-party services - search each product+version against known CVEs. Druva inSync, Splunk Universal Forwarder, various VPN clients (Windscribe, NordVPN), PCProtect, and dozens of other consumer/enterprise products have shipped weak service ACLs over the years.
  • Password manager presence - KeePass, 1Password, LastPass installations indicate password databases worth hunting later.
  • Backup software - Veeam, Acronis, Restic, etc. Backups often contain NTDS.dit, SAM/SYSTEM hives, or sensitive config files.
  • Old runtime versions - Java 8u231 indicates the host hasn’t been updated; Java has dozens of known privilege-escalation vectors in versions of that era.
  • Development tools - Visual Studio, JDKs, Python, Node.js - useful for compiling exploits locally and indicate this is a developer workstation.

C:\> tasklist /svc

Output columns: Image Name, PID, Services. The “Services” column maps process PIDs to the Windows services they host, which is useful because svchost.exe hosts dozens of services - knowing which services are in which svchost lets you target service-specific abuse.

Look for:

  • Non-standard services - Anything not in the Windows default set. Third-party services running as LocalSystem or service accounts are often abuse-worthy.
  • Outdated services - Old versions of FileZilla, FTP servers, web frameworks, message brokers, etc. Cross-reference versions against CVE databases.
  • AV/EDR - As covered in Situational awareness, processes like MsMpEng.exe (Defender), CSFalconService.exe (CrowdStrike), etc.

Cross-reference with port listeners via netstat -ano - PIDs match between the two outputs.

C:\> netstat -ano | findstr LISTENING

The PID column ties listeners back to processes. Key things to look for:

  • Localhost-only services (127.0.0.1:port) - typically unauthenticated admin interfaces
  • Non-standard ports that don’t correspond to obvious services
  • Services bound to specific interfaces rather than 0.0.0.0 - sometimes indicates intentional segmentation
  • Established connections - what this host is talking to

The netstat -ano filter pattern 127.0.0.1: or [::1]: quickly reveals localhost-only listeners:

PS> netstat -ano | Select-String '127\.0\.0\.1:|\[::1\]:'
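
An added example (not from the page) that joins saved netstat -ano and tasklist /svc output on PID, so every listener is labelled with its owning image and the services it hosts, and loopback-only listeners are flagged for review. Both samples are constructed: the PIDs, addresses and the CustomAgent.exe process are invented.

```python
import re

# `tasklist /svc` rows: image name (may contain spaces), right-aligned PID, services or N/A.
TASK_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<services>.*)$")

def parse_tasklist_svc(text):
    """Map PID -> (image name, [hosted services]); header and ruler lines carry no PID."""
    procs = {}
    for line in text.splitlines():
        m = TASK_RE.match(line.strip())
        if m:
            svcs = [] if m["services"] == "N/A" else [s.strip() for s in m["services"].split(",")]
            procs[int(m["pid"])] = (m["image"], svcs)
    return procs

def parse_netstat_ano(text):
    """Yield (proto, local_ip, port, state, pid) from `netstat -ano`; UDP rows have no state."""
    for line in text.splitlines():
        f = line.split()
        if f and f[0] in ("TCP", "UDP"):
            ip, _, port = f[1].rpartition(":")  # rpartition keeps IPv6 forms like [::1] intact
            yield f[0], ip, int(port), (f[3] if f[0] == "TCP" else ""), int(f[-1])

def listeners(netstat_text, tasklist_text):
    """Join listening sockets to the owning process and its services by PID, flagging
    loopback-only binds (127.x or [::1]) that are reachable only from the host itself."""
    procs = parse_tasklist_svc(tasklist_text)
    rows = []
    for proto, ip, port, state, pid in parse_netstat_ano(netstat_text):
        if proto == "TCP" and state != "LISTENING":
            continue
        image, svcs = procs.get(pid, ("<unknown>", []))
        rows.append({"proto": proto, "ip": ip, "port": port, "pid": pid, "image": image,
                     "services": svcs, "localhost_only": ip.startswith("127.") or ip == "[::1]"})
    return sorted(rows, key=lambda r: (r["proto"], r["port"]))

# Constructed samples in the two commands' output formats (not from a real host).
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    812 RpcEptMapper, RpcSs
sqlservr.exe                  2404 MSSQLSERVER
spoolsv.exe                   1892 Spooler
CustomAgent.exe               5120 N/A
"""
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2404
  TCP    10.129.43.8:49782      10.129.43.1:445        ESTABLISHED     4
  TCP    [::1]:8080             [::]:0                 LISTENING       5120
  UDP    0.0.0.0:5353           *:*                                    1432
"""
```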

C:\> net user
User accounts for \\WINLPE-SRV01
-------------------------------------------------------------------------------
Administrator DefaultAccount Guest
helpdesk htb-student jordan
sarah secsvc

Reads for:

  • Non-default accounts - Anything besides Administrator, DefaultAccount, Guest, and WDAGUtilityAccount. The presence of helpdesk, jordan, sarah, secsvc suggests this is a real workstation with a history of users.
  • Service-account-style names - secsvc, backupsvc, sql_svc, iis_svc. These often have elevated rights and may be reused across systems (the “common service account password” pattern).
  • Admin-style names - Names with _adm, adm_, admin_ suffixes/prefixes are operator-assigned admin alter-egos.

Get details for a specific account:

C:\> net user secsvc
User name secsvc
Full Name
Comment Network scanner - do not change password
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
High-signal - comment field sometimes leaks info
Account active Yes
Account expires Never
Password last set ...

The Comment field is sometimes used by admins to document service account purpose; in low-discipline environments it occasionally contains the password itself. Worth checking on every account.

C:\> net localgroup

Output enumerates all local groups. The groups that matter from an escalation perspective are the ones listed under whoami /groups - but it is worth knowing which groups exist on the host, because some may be domain-pushed and indicate the host's purpose.

Get group membership:

C:\> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
helpdesk
sarah
secsvc

The members of administrators are your immediate-promotion targets if you can capture their credentials. Domain accounts here (e.g., INLANEFREIGHT\jordan_adm) indicate a domain user with local admin rights - useful for lateral movement to other domain hosts.

Repeat for any operationally interesting group (net localgroup "Backup Operators", net localgroup "Server Operators", etc.).

C:\> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: SERVER

Read for:

  • Lockout threshold - Never means no lockout. Password spraying is unconstrained. Any positive integer caps spraying attempts before account lockout (typically 3, 5, or 10).
  • Minimum password length - Low values indicate weak password constraints exist.
  • Password complexity - Not shown in net accounts; check secpol.msc if GUI access exists, or query Group Policy.

C:\> query user
USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME
>administrator rdp-tcp#2 1 Active . 3/25/2021 9:27 AM

> marks the current session. Other sessions belong to other logged-in users.

Why this matters:

  • Concurrent admin sessions - If a domain admin is logged in alongside you, their tokens are in process memory. Privilege escalation to SYSTEM lets you steal their token (token impersonation) or extract their credentials from LSASS.
  • Avoiding detection - If a user is actively logged in, loud actions (creating users, defacing things, popping consoles) are more likely to be noticed. Plan accordingly.

C:\> set

This dumps all environment variables. Read for:

  • PATH - Order matters. Windows searches the current working directory first, then each PATH directory left-to-right. A writable directory early in the PATH (especially anything left of C:\Windows\System32) is a DLL-injection or binary-substitution opportunity. The WindowsApps entry inside the user profile is a textbook example.
  • PATHEXT - Which extensions Windows treats as executable. Standard is .COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC. Additions like .PY or .PL indicate scripting languages with shebang-style execution.
  • PSModulePath - Where PowerShell looks for modules. A writable directory here lets you ship malicious modules to autoload.
  • TEMP / TMP - Per-user temp directory. Writable, often missed by file monitors.
  • HOMEDRIVE / HOMEPATH - Sometimes maps to a network share. The presence of H: mapped to \\server\users$\username indicates roaming profiles; navigating to that share may reveal other users’ folders if ACLs are loose.
  • LOGONSERVER - Same data as in systeminfo, confirms which DC handled auth.
  • USERDNSDOMAIN / USERDOMAIN - Confirms domain context.
  • USERPROFILE - Your home directory. Always check Desktop, Documents, Downloads, AppData\Local, and AppData\Roaming for credential files (covered in later rounds).

A common finding is a non-standard PATH entry. If you see C:\CustomApps\bin\ left of C:\Windows\System32, that directory is high priority: if it is writable, a same-named binary dropped there shadows the standard Windows binary.
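
An added example (not the page's own code) that parses saved set output and reproduces the lookup order described above, so the PATH entries searched before System32 can be handed to icacls or accesschk for a writability check. The environment block is constructed; the code assumes cmd.exe semantics, where every PATHEXT extension is tried in one directory before moving to the next.

```python
import ntpath

def parse_set_output(text):
    """Turn `set` output (NAME=value lines) into a dict; values may themselves contain '='."""
    env = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        if sep and name and " " not in name:
            env[name.upper()] = value  # `set` prints Path/PATHEXT with mixed case
    return env

def _path_entries(env):
    return [d.strip().strip('"') for d in env.get("PATH", "").split(";") if d.strip()]

def search_order(command, env, cwd):
    """Candidate files cmd.exe tries for a bare command name, in order: the current
    directory first, then each PATH entry left to right; a name without an extension
    is crossed with every PATHEXT entry before the next directory is considered."""
    has_ext = ntpath.splitext(command)[1] != ""
    exts = [""] if has_ext else env.get("PATHEXT", ".COM;.EXE;.BAT;.CMD").split(";")
    return [ntpath.join(d, command + e) for d in [cwd] + _path_entries(env) for e in exts]

def dirs_before_system32(env):
    """PATH entries searched before the Windows system directory. A writable one lets a
    same-named file shadow a system binary, so these are the ones to check with icacls."""
    sysdir = ntpath.join(env.get("SYSTEMROOT", r"C:\Windows"), "System32").lower()
    out = []
    for d in _path_entries(env):
        if d.lower().rstrip("\\") == sysdir:
            return out
        out.append(d)
    return out  # System32 not on PATH at all: every entry precedes it

# Constructed environment block in `set` output format (not from a real host).
SET_SAMPLE = r"""ALLUSERSPROFILE=C:\ProgramData
ComSpec=C:\Windows\system32\cmd.exe
Path=C:\CustomApps\bin\;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Users\htb-student\AppData\Local\Microsoft\WindowsApps
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
SystemRoot=C:\Windows
USERPROFILE=C:\Users\htb-student
"""
```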

A typical first-five-minutes session on a new shell:

whoami && whoami /priv && whoami /groups
systeminfo
net user && net localgroup administrators && net accounts
tasklist /svc
netstat -ano | findstr LISTENING
set
query user

Save the output to a file (> enum.txt) for offline review. Feed systeminfo output to WES-NG on the attacker side. Cross-reference tasklist /svc against AV/EDR indicator lists.

From the data this produces, the decision tree is:

  1. Did whoami /priv show a token privilege from the escalation list? → Jump to that privilege’s page.
  2. Did whoami /groups show a privileged group from the escalation list? → Jump to that group’s page.
  3. Are missing patches old enough to suggest kernel-exploit candidacy? → Run WES-NG, pick the best match.
  4. Is there interesting installed software with known vulnerabilities? → Search for that product+version.
  5. None of the above? → Run winPEAS or Seatbelt for misconfiguration sweep, then proceed to credential hunting.

| Task | Command |
| --- | --- |
| Current user | whoami |
| Current user privileges | whoami /priv |
| Current user group membership | whoami /groups |
| OS version + hotfixes (verbose) | systeminfo |
| Hotfix list (compact) | wmic qfe / Get-HotFix |
| Installed MSI products | wmic product get name,version |
| Installed apps via registry | Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* \| Select DisplayName,DisplayVersion |
| Process + service mapping | tasklist /svc |
| Listening ports + PIDs | netstat -ano \| findstr LISTENING |
| Local users | net user |
| Specific user details | net user USERNAME |
| Local groups | net localgroup |
| Local admin members | net localgroup administrators |
| Password policy | net accounts |
| Currently logged-in users | query user |
| Environment variables | set |
| Saved hotfix → exploit match | wes.py systeminfo.txt (on attacker host) |
| Local exploit suggester (Meterpreter) | post/multi/recon/local_exploit_suggester |

Once enumeration data is captured, follow the decision tree above. Token-privilege wins are usually the fastest; see SeImpersonate, SeDebugPrivilege, SeTakeOwnership, Backup Operators. For group-membership wins, see DnsAdmins and Other privileged groups. The IPC-channel angle is covered in Named pipes.

  • whoami /priv shows SeImpersonate / SeAssignPrimaryToken → SeImpersonate: SYSTEM via potato (fastest win on service-account contexts)
  • whoami /priv shows SeDebugPrivilege → SeDebugPrivilege: LSASS dump for domain hashes
  • whoami /priv shows SeBackupPrivilege or SeRestorePrivilege → Backup Operators flow - even off a DC, you can read protected files
  • whoami /priv shows SeTakeOwnership → SeTakeOwnership for service-binary overwrite
  • In Backup Operators / DnsAdmins / Server Operators / Print Operators / Hyper-V Admins / Event Log Readers → Other privileged groups
  • systeminfo shows old patch level (no 2020+ hotfixes) → kernel exploit candidate; check Watson / Sherlock / WindowsExploitSuggester output against the patch list
  • Service running as SYSTEM with writable named pipe → Named pipes for impersonation
  • Nothing privileged found → look for misconfigured services (accesschk -wuvqc *), credential files (unattend.xml, GPP cpassword, web.config), AlwaysInstallElevated, or scheduled tasks running as SYSTEM

Defenses: D3-SYSM