Searching For Sensitive Files
Here are some commands to look for sensitive files. Be careful, stay quiet, my friend.
dir
dir /A C:\Users\
dir /s/b *.log
dir /s/b *.txt
dir /s/b *.kdbx
env & path
When a program is executed, the system first searches the current working directory and then searches the path. Check for any PATH directories that may be writable.
Get-ChildItem Env:   (lists every environment variable; a bare $env is not valid PowerShell)
$env:path
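An added audit script, not part of the original notes, that turns the PATH check above into a repeatable one: it lists every directory on the current user's PATH where Everyone, Users, Authenticated Users or INTERACTIVE hold write rights, which is the condition to fix by tightening the ACL. The principal list and the set of rights treated as "write" are assumptions.

```powershell
# Added example, not part of the original notes: audit the directories on the
# current PATH and report any where a broad principal holds write rights.
# Assumptions: Windows PowerShell 5.1 or later on Windows; the principal list
# and the rights treated as "write" are choices a reviewer can adjust.

# Principals that cover essentially every logged-on user.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these lets a caller create or replace files inside the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'

function Get-WeakPathDirectory {
    param([string]$PathString = $env:Path)

    foreach ($dir in ($PathString -split ';' | Where-Object { $_ })) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is worth noting too: whoever can
            # create it gains a position in the search order. Report and move on.
            [pscustomobject]@{ Directory = $dir; Principal = '(missing)'; Rights = 'n/a' }
            continue
        }

        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }   # no read access to the ACL; skip it

        foreach ($ace in $acl.Access) {
            $isAllow  = $ace.AccessControlType -eq 'Allow'
            $isBroad  = $BroadPrincipals -contains $ace.IdentityReference.Value
            # Compare as integers so undefined (generic) right bits are handled.
            $canWrite = ([int]$ace.FileSystemRights -band [int]$WriteRights) -ne 0

            if ($isAllow -and $isBroad -and $canWrite) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

# Run it and show a table; an empty result means no broad write access was found.
Get-WeakPathDirectory | Format-Table -AutoSize
```

Run it under each service or user context you care about, since PATH differs per account and per process.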
Get-ChildItem
Here are some useful searches using Get-ChildItem.
NOTE: Searching like this can be LOUD! Be careful!
Search for KeePass Files
Get-ChildItem -Path C:\ -Include *.kdbx -File -Recurse -ErrorAction SilentlyContinue
Search for Files within a Directory
Get-ChildItem -Path C:\xampp -Include *.txt,*.ini -File -Recurse -ErrorAction SilentlyContinue
Search for Files in Home Directory
Get-ChildItem -Path C:\Users\dave\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Useful Commands
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\Recent\*" -Recurse -Force -ErrorAction SilentlyContinue
Get-ChildItem "C:\Users\*\AppData\Local\Temp\*" -Recurse -Force -ErrorAction SilentlyContinue
Get-ChildItem "C:\`$Recycle.Bin\*" -Recurse -Force -ErrorAction SilentlyContinue
Get-ChildItem "C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Force -ErrorAction SilentlyContinue
Type (Grep in PowerShell)
Return Console History
PS C:\Users\dave> type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
clientwk220\dave
PS C:\Users> type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
type C:\Users\dave\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
whoami
ls
$PSVersionTable
Register-SecretVault -Name pwmanager -ModuleName SecretManagement.keepass -VaultParameters $VaultParams
Set-Secret -Name "Server02 Admin PW" -Secret "paperEarMonitor33@" -Vault pwmanager
cd C:\
ls
cd C:\xampp
ls
type passwords.txt
Clear-History
Start-Transcript -Path "C:\Users\Public\Transcripts\transcript01.txt"
Enter-PSSession -ComputerName CLIENTWK220 -Credential $cred
exit
Stop-Transcript
Runas Other User
PS C:\Users> net user
User accounts for \\CLIENTWK221
-------------------------------------------------------------------------------
Administrator damian DefaultAccount
Guest mac milena
moss offsec richmond
roy WDAGUtilityAccount
The command completed successfully.
If we have found credentials, we should try them against every user on the system.
PS C:\Users\steve> runas /user:roy cmd