Windows and Networking

What You Will Learn

  • How to enumerate Windows systems using WMI and PowerShell
  • How Windows file system permissions work with icacls
  • What the Windows Registry is and how it is used for persistence
  • What SAM, UAC, WMI, and Security Identifiers (SIDs) are
  • How SMB sharing and Kerberos/NTLM authentication work

Introduction to Windows

Useful WMI Classes for Enumeration

Get-WmiObject -Class Win32_OperatingSystem   # OS name, version, architecture, last boot time
Get-WmiObject -Class Win32_BIOS              # BIOS/firmware information
Get-WmiObject -Class Win32_Service           # All installed services (filter on State='Running' for the running ones)
Get-WmiObject -Class Win32_Process           # Running processes

Get-WmiObject is deprecated and does not exist in PowerShell 7. Get-CimInstance -ClassName <class> takes the same class names, returns the same data, and also works against remote hosts with -ComputerName or -CimSession.

Windows Directory Structure

Directory             Purpose
Perflogs              Windows performance logs
Program Files         Installed 64-bit program files (on a 32-bit OS, all program files)
Program Files (x86)   Installed 32-bit program files on a 64-bit OS
ProgramData           Application data shared across users (hidden by default)
Users                 User profile directories
Windows               Core Windows OS files
Windows\System32      Core 64-bit DLLs and system executables (32-bit on a 32-bit OS)
Windows\SysWOW64      32-bit DLLs used by 32-bit programs on 64-bit Windows; despite the name this is the 32-bit directory

Windows File System

Windows uses two main file systems:

  • FAT32: Older, simpler file system. No permissions (ACLs) and no journaling; 4 GB maximum file size. Still found on removable media and on EFI system partitions.
  • NTFS: The default Windows file system. Supports ACL-based permissions, journaling, encryption (EFS), alternate data streams, and large volumes.

exFAT (removable media) and ReFS (servers) also exist; like FAT32, exFAT has no ACLs, so everything below about permissions applies to NTFS volumes.

The icacls Utility

icacls displays and modifies the NTFS access control list (ACL) of a file or directory. Each line of its output is one access control entry (ACE): a principal, the inheritance flags, and the rights, for example BUILTIN\Users:(OI)(CI)(RX).

Inheritance flags:

Flag  Meaning
(I)   ACE was inherited from the parent container (a marker on the ACE, not a setting)
(OI)  Object inherit: files in this folder receive the ACE
(CI)  Container inherit: subfolders receive the ACE
(IO)  Inherit only: the ACE does not apply to the current folder, only to what inherits it
(NP)  Do not propagate inherit: direct children receive the ACE but do not pass it on further

Combinations (what the ACE applies to):

Combo         Scope
(OI)(CI)      This folder, its files, and its subfolders
(CI)(IO)      Subfolders only
(OI)(IO)      Files only
(OI)(CI)(IO)  Files and subfolders only, not this folder itself

Rights:

Flag  Permission
(F)   Full access
(M)   Modify access
(RX)  Read and execute access
(R)   Read-only access
(W)   Write-only access
(D)   Delete access
(N)   No access

When an ACE does not map onto one of the simple letters, icacls prints the specific rights as a comma-separated list instead, e.g. (AD) or (S,WD,AD,X).

# List permissions
icacls <path>

# Remove all ACEs for a user (/remove:g removes only granted ACEs, /remove:d only denied ones)
icacls <path> /remove <user>

# Grant permissions (add /t to recurse into subdirectories, /c to continue on errors)
icacls <path> /grant <user>:(OI)(CI)M

# Deny permissions
icacls <path> /deny <user>:(W)

Anything beyond (RX) for Everyone, BUILTIN\Users, or NT AUTHORITY\Authenticated Users on a directory that holds executables deserves a second look: write access there is a classic route to running code as whichever account executes those binaries.
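The check described above, written out as an added example (this is not code from the original page): it walks every installed service, recovers the directory of the service binary from Win32_Service.PathName, runs icacls on it and parses the ACEs for the weak principals and rights listed in the tables. Services with an unquoted path containing spaces are reported as well, since those are exploitable by a writable directory higher up the path. The principal and right lists are the author's assumptions about what counts as "weak"; extend them as needed.

```powershell
# Added example (not from the original page): find services whose binary lives in a directory
# that low-privileged principals can write to, by parsing icacls output. Only reads ACLs, so an
# ordinary (non-elevated) PowerShell is enough.

$weakPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')  # assumption
$weakRights     = @('(F)', '(M)', '(W)')   # full, modify, write: enough to replace a binary

function Get-ServiceExecutable {
    # Recover the executable from a service's PathName, which may be quoted and may carry arguments.
    param([string]$PathName)
    if ($PathName -match '^"([^"]+)"')  { return $Matches[1] }   # "C:\Program Files\x\y.exe" -arg
    if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }   # C:\Program Files\x\y.exe -arg (unquoted)
    return ($PathName -split ' ')[0]
}

$findings = foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
    if (-not $svc.PathName) { continue }
    $exe = Get-ServiceExecutable $svc.PathName
    $dir = Split-Path -Parent $exe
    if (-not $dir -or -not (Test-Path -LiteralPath $dir)) { continue }
    $unquoted = ($svc.PathName -notmatch '^"') -and ($exe -match ' ')

    # icacls prints one ACE per line as <principal>:<flags>; the first line is prefixed with the path.
    $weakAces = foreach ($line in (icacls $dir 2>$null)) {
        foreach ($p in $weakPrincipals) {
            if ($line -like "*${p}:*" -and ($weakRights | Where-Object { $line -like "*$_*" })) {
                $line.Trim()
            }
        }
    }

    if ($weakAces -or $unquoted) {
        [pscustomobject]@{
            Service   = $svc.Name
            RunsAs    = $svc.StartName
            Directory = $dir
            Unquoted  = $unquoted
            WeakAces  = ($weakAces -join '; ')
        }
    }
}

$findings | Format-Table -AutoSize
```

A hit where RunsAs is LocalSystem and WeakAces is non-empty means a standard user can replace the binary and get SYSTEM at the next service start; an Unquoted hit needs a further check that one of the intermediate directories (C:\, C:\Program Files\x, ...) is writable.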

Windows Service Commands

# Query a service's configuration (binary path, start type, account it runs as)
sc.exe qc <servicename>

# Query a service's current state
sc.exe query <servicename>

# Stop / start a service
sc.exe stop <servicename>
sc.exe start <servicename>

# Change a service's configuration; the space after '=' is mandatory
sc.exe config <servicename> binPath= "C:\path\to\binary.exe"
sc.exe config <servicename> start= auto

# Show who may start, stop, or reconfigure the service (security descriptor in SDDL form)
sc.exe sdshow <servicename>

There is no "sc configure" subcommand; it is config. In PowerShell, type sc.exe rather than sc, because sc is an alias for Set-Content.

Windows Users

The built-in Administrator account is not the most powerful account in Windows. The most powerful is NT AUTHORITY\SYSTEM (also called LocalSystem): the account the kernel, most services, and "psexec -s" run as, and the closest thing Windows has to root in Linux. Nobody logs on as SYSTEM interactively; code runs as SYSTEM because it was started as a service, by a scheduled task, or by another SYSTEM process.

Service Accounts

Account                        Local privilege   Identity on the network
NT AUTHORITY\LocalService      Limited           Anonymous (null session) when it talks to other hosts
NT AUTHORITY\NetworkService    Limited           The computer account (DOMAIN\HOST$)
NT AUTHORITY\SYSTEM            Highest           The computer account (DOMAIN\HOST$)

Their SIDs are fixed on every machine: LocalService is S-1-5-19, NetworkService is S-1-5-20, SYSTEM is S-1-5-18.

Windows Sessions

  • Interactive logon: A user logs on at the console or via RDP and gets a desktop. Interactive logons leave reusable credential material (NT hash, Kerberos tickets) in LSASS memory for single sign-on, which is what credential-dumping tools go after.
  • Non-interactive logon: No user is present; a service, scheduled task, or network logon (for example an SMB connection) runs under an account with no desktop. The built-in service accounts (LocalService, NetworkService, SYSTEM) have no user-settable password and are only ever used this way.

Windows WMI

Windows Management Instrumentation is the Windows implementation of CIM: a repository of management classes (Win32_Process, Win32_Service, ...) that can be queried with WQL and invoked locally or over DCOM/WinRM. It is used for:

  • Code execution (Win32_Process.Create, locally or on a remote host)
  • Scheduling processes, and permanent event subscriptions, a well-known persistence mechanism
  • Setting up logging
  • Managing user and group permissions
  • Modifying and setting system properties

wmic os list brief                                 # classic CLI; deprecated and not installed by default on recent Windows 11 builds
Get-WmiObject -Class Win32_OperatingSystem         # Windows PowerShell 5.1 and earlier only
Get-CimInstance -ClassName Win32_OperatingSystem   # preferred; works in PowerShell 5.1 and 7
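Both the class list in "Useful WMI Classes for Enumeration" and the code-execution use above, as one added example that is not from the original page: it runs the enumeration with the CIM cmdlets, then starts a command through Win32_Process.Create and shows the property a defender keys on, namely that the new process is a child of WmiPrvSE.exe rather than of the caller. It assumes $env:PUBLIC is writable by the current user (true with default ACLs); the command line and file name are the author's choices.

```powershell
# Added example (not from the original page): enumeration via the CIM cmdlets that replace
# Get-WmiObject/wmic, then WMI-based code execution with Win32_Process.Create. Run it on a test
# VM; it starts a process. Add -ComputerName <host> to the Get-CimInstance/Invoke-CimMethod calls
# to do the same against a remote machine where you hold admin rights.

# Enumeration: OS, firmware, and auto-start services that run as SYSTEM (the ones worth attacking)
Get-CimInstance -ClassName Win32_OperatingSystem |
    Select-Object Caption, Version, OSArchitecture, LastBootUpTime
Get-CimInstance -ClassName Win32_BIOS |
    Select-Object Manufacturer, SMBIOSBIOSVersion, SerialNumber
Get-CimInstance -ClassName Win32_Service -Filter "StartMode='Auto' AND StartName='LocalSystem'" |
    Select-Object Name, State, PathName | Format-Table -AutoSize

# Code execution: WMI starts the command under the caller's identity and hands back its PID.
$outFile = "$env:PUBLIC\wmi-whoami.txt"   # assumption: C:\Users\Public has its default, user-writable ACL
$result = Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = "cmd.exe /c ping -n 4 127.0.0.1 >nul & whoami /groups > `"$outFile`""
}
if ($result.ReturnValue -ne 0) { throw "Win32_Process.Create failed, return code $($result.ReturnValue)" }

# Detection angle: the new process is a child of WmiPrvSE.exe, not of this PowerShell.
Start-Sleep -Seconds 1     # the ping keeps cmd.exe alive for a few seconds so it can be inspected
$child  = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($result.ProcessId)"
$parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId=$($child.ParentProcessId)"
"PID $($child.ProcessId) ($($child.Name)) was started by PID $($parent.ProcessId) ($($parent.Name))"

# Wait for the command to finish and show the integrity level it ran at.
$deadline = (Get-Date).AddSeconds(15)
while (-not (Test-Path $outFile) -and (Get-Date) -lt $deadline) { Start-Sleep -Milliseconds 500 }
Get-Content $outFile | Select-String 'Mandatory Label'
```

The same parent/child relationship is what Sysmon event 1 and Security event 4688 record, so "cmd.exe with parent WmiPrvSE.exe" is a cheap and reliable hunting query for WMI-based execution.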

Windows Security Identifier (SID)

A SID is the unique identifier Windows uses for a security principal (user, group, or computer). Access checks compare the SIDs in a process token against the SIDs in an object's ACL; the account name is only a display label. SIDs are assigned at account creation and never reused, so an ACE for a deleted account shows up as an unresolved SID. Local and domain account SIDs have the form S-1-5-21-<machine or domain identifier>-<RID>, where the relative identifier (RID) names the account within that machine or domain: 500 is always the built-in Administrator and 501 the Guest, whatever they have been renamed to, and 512 is Domain Admins. Well-known SIDs are the same everywhere, e.g. S-1-1-0 (Everyone), S-1-5-18 (SYSTEM), S-1-5-32-544 (BUILTIN\Administrators).
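An added example (not from the original page) of working with SIDs from PowerShell: translating names to SIDs and back with the .NET NTAccount/SecurityIdentifier classes, and pulling out the RID so the real built-in Administrator is recognised even after a rename. Get-LocalUser needs Windows PowerShell 5.1 or later; the unresolved SID at the end is a made-up value used to show what a deleted account looks like.

```powershell
# Added example (not from the original page): name <-> SID translation and RID inspection.

function ConvertTo-Sid {
    # 'BUILTIN\Administrators' -> 'S-1-5-32-544'; throws if the name does not resolve
    param([Parameter(Mandatory)][string]$Account)
    $nt = New-Object System.Security.Principal.NTAccount($Account)
    $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function ConvertFrom-Sid {
    # 'S-1-5-18' -> 'NT AUTHORITY\SYSTEM'; a SID with no matching account (deleted) is reported as such
    param([Parameter(Mandatory)][string]$Sid)
    $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    try   { $id.Translate([System.Security.Principal.NTAccount]).Value }
    catch { "<unresolved: $Sid>" }
}

function Get-Rid {
    # The RID is the last sub-authority of S-1-5-21-<machine or domain id>-<RID>
    param([Parameter(Mandatory)][string]$Sid)
    [int](($Sid -split '-')[-1])
}

# Well-known SIDs are identical on every machine
'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'Everyone' |
    ForEach-Object { [pscustomobject]@{ Account = $_; SID = ConvertTo-Sid $_ } }

# Local accounts share the machine SID as prefix; the RID identifies the built-in accounts
Get-LocalUser | ForEach-Object {
    $rid  = Get-Rid $_.SID.Value
    $note = switch ($rid) { 500 { 'built-in Administrator' } 501 { 'built-in Guest' } default { '' } }
    [pscustomobject]@{ Name = $_.Name; Enabled = $_.Enabled; SID = $_.SID.Value; RID = $rid; Note = $note }
} | Format-Table -AutoSize

# What an ACL entry for a deleted account looks like (constructed SID, will not resolve)
ConvertFrom-Sid 'S-1-5-21-1-2-3-1001'
```

The RID lookup is why renaming the Administrator account is not a useful defence: any tool that lists local users sees RID 500 regardless of the name.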

Windows SAM

The Security Account Manager (SAM) is a registry hive that stores the local user accounts and their NT password hashes. The hive file is C:\Windows\System32\config\SAM. It cannot be copied while Windows is running: the kernel holds the hive open exclusively until shutdown, so a plain file copy fails with a sharing violation even for administrators. Two things get around that: reading the hive through the registry API (reg save, which requires administrator rights but works on a live system), and copying the file out of a Volume Shadow Copy. The hashes inside SAM are encrypted with the boot key that is stored in the SYSTEM hive, so SYSTEM has to be exported as well or the SAM dump is useless.

# Export the SAM and SYSTEM hives from a running system (elevated prompt)
reg save hklm\sam %tmp%\sam.hiv
reg save hklm\system %tmp%\system.hiv

Windows UAC (User Account Control)

UAC is the mechanism that makes members of the Administrators group run with a filtered, medium-integrity token by default and asks for consent (or, for standard users, for administrator credentials) before a process receives a full high-integrity token. It limits what code running as an administrator user can do silently, but Microsoft does not treat it as a security boundary and does not service UAC bypasses as vulnerabilities. An attacker who already runs as an administrator user therefore looks for a bypass (auto-elevating Windows binaries, elevated COM objects, registry hijacks of the commands they run) to get a high-integrity token without a prompt. For a standard user a UAC bypass is no help at all; that situation calls for a genuine privilege escalation.
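An added example (not from the original page) that answers the two questions a practitioner asks about UAC on a box: how is it configured, and does the current process hold a filtered or an elevated token. The registry values and their meanings are the documented UAC policy settings; the descriptive strings are the author's.

```powershell
# Added example (not from the original page): read the UAC policy and classify the current token.

$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# Documented meanings of ConsentPromptBehaviorAdmin
$adminPrompt = @{
    0 = 'elevate silently (UAC effectively off for administrators)'
    1 = 'prompt for credentials on the secure desktop'
    2 = 'prompt for consent on the secure desktop'
    3 = 'prompt for credentials'
    4 = 'prompt for consent'
    5 = 'prompt for consent for non-Windows binaries (default)'
}
$level = [int]$policy.ConsentPromptBehaviorAdmin

[pscustomobject]@{
    EnableLUA                     = [bool]$policy.EnableLUA              # $false: UAC disabled entirely
    ConsentPromptBehaviorAdmin    = "$level - $($adminPrompt[$level])"
    PromptOnSecureDesktop         = [bool]$policy.PromptOnSecureDesktop
    LocalAccountTokenFilterPolicy = $policy.LocalAccountTokenFilterPolicy # 1: remote local admins get a full token
} | Format-List

# Is this process running with a filtered (medium) token or an elevated (high) one?
$identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
$elevated  = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
$inAdmins  = $identity.Groups.Value -contains 'S-1-5-32-544'   # Administrators SID present, elevated or not
$label     = (whoami /groups | Select-String 'Mandatory Label').Line -replace '\s{2,}.*$'

"User: $($identity.Name)   Integrity: $label"
if ($inAdmins -and -not $elevated) {
    'Administrator with a filtered token: this is the situation UAC bypasses target.'
} elseif ($elevated) {
    'Already elevated: no UAC bypass needed.'
} else {
    'Not an administrator: a UAC bypass would not help; a real privilege escalation is required.'
}
```

EnableLUA = 0 or ConsentPromptBehaviorAdmin = 0 means administrators never see a prompt, which makes every "bypass" unnecessary and should be treated as a finding in its own right.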

Windows Registry

The registry stores system and application configuration in a hierarchical key-value database.

Common value types:

Type           Description
REG_BINARY     Binary data
REG_DWORD      32-bit integer
REG_QWORD      64-bit integer
REG_SZ         Null-terminated string (Unicode or ANSI depending on the API used)
REG_EXPAND_SZ  String containing unexpanded environment variable references, e.g. %SystemRoot%

Persistence registry keys (each value under these keys is a command line started at logon):

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run       # every user at logon; writing it needs admin
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run        # the current user only; writable without admin
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce   # as Run, but the value is deleted after it has run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

On 64-bit Windows, 32-bit programs that write under HKLM\Software are redirected to HKLM\Software\WOW6432Node\..., so the Run keys under that branch must be checked as well.
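An added example (not from the original page) of auditing these keys the way an incident responder would: enumerate every autostart value, recover the executable from its command line, check its Authenticode signature, and test whether the current user can write to the directory it lives in (an unsigned binary in a user-writable directory is the typical commodity-malware pattern). The key list, helper names, and the "writable" probe are the author's choices.

```powershell
# Added example (not from the original page): enumerate Run/RunOnce autostarts and flag
# unsigned binaries or binaries in directories the current user can write to.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-CommandExecutable {
    # Pull the executable out of '"C:\Tools\x.exe" /arg' or 'C:\Tools\x.exe /arg' or '%ProgramFiles%\x\y.exe'
    param([string]$CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($expanded -match '^"([^"]+)"')  { return $Matches[1] }
    if ($expanded -match '^(.+?\.exe)') { return $Matches[1] }
    return ($expanded -split ' ')[0]
}

function Test-UserWritable {
    # Try to create and delete a probe file; ACL evaluation by the OS is more reliable than parsing ACLs.
    param([string]$Path)
    try {
        $probe = Join-Path $Path ([guid]::NewGuid().ToString('N'))
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

$report = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are provider metadata
        $exe    = Get-CommandExecutable ([string]$prop.Value)
        $exists = Test-Path -LiteralPath $exe
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'missing' }
        $writable = if ($exists) { Test-UserWritable (Split-Path -Parent $exe) } else { $null }
        [pscustomobject]@{
            Key         = $key
            Name        = $prop.Name
            Command     = $prop.Value
            Exe         = $exe
            Signature   = $sig          # Valid, NotSigned, HashMismatch, ..., or 'missing'
            DirWritable = $writable
        }
    }
}

$report | Format-Table -AutoSize
$report | Where-Object { $_.Signature -ne 'Valid' -or $_.DirWritable } |
    ForEach-Object { "SUSPECT: $($_.Key)\$($_.Name) -> $($_.Exe) [$($_.Signature)]" }
```

Run it as the user whose HKCU you care about; HKLM entries are visible to everyone but only an administrator can remove them.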

Windows API

The Windows API (Win32 API) is the set of functions through which user-mode applications ask the operating system for services. Its documentation groups it into areas such as:

  • System Services (processes, threads, memory, files)
  • Multimedia
  • Networking
  • User Interface
  • Windows Registry

Most of these functions are thin wrappers: a call to CreateFileW in kernel32.dll ends up in NtCreateFile in ntdll.dll, which issues the actual system call into the kernel. That layering is what the evasion techniques below take advantage of.

Evading Malware Detection (Awareness)

EDR products watch user-mode API calls largely by placing hooks in ntdll.dll and other DLLs inside every process. Common techniques attackers use to get around them:

  • Direct or indirect syscalls: issuing the system call from the attacker's own code so the hooked ntdll export is never executed
  • Use of ordinals: resolving DLL functions by export number rather than by name, which defeats naive string-based import checks
  • Hooking and unhooking: redirecting execution flow, or restoring the original bytes of a hooked function from a clean copy of the DLL on disk so the EDR hook disappears
  • IAT patching: modifying the Import Address Table so that a call to an imported function lands somewhere else

IAT (Import Address Table)

A PE (Portable Executable) file's import directory lists the DLLs and function names it depends on; at load time the loader resolves each one and writes the function's address into the Import Address Table. Every call to an imported function goes through its IAT slot, so patching one slot redirects all such calls without touching the calling code. An executable that imports almost nothing and resolves everything at runtime through GetProcAddress is itself a suspicious sign.

Windows Rights and Privileges

  • Access rights (permissions): Decide what a principal may do to one specific object such as a file, registry key, or service, and live in that object's ACL.
  • Privileges: System-wide abilities attached to an account or group, carried in the token and checked by the system rather than by any object's ACL, e.g. SeDebugPrivilege (open any process, such as lsass.exe), SeBackupPrivilege (read any file regardless of its ACL), SeImpersonatePrivilege (impersonate client tokens), SeLoadDriverPrivilege (load a kernel driver). They are assigned through User Rights Assignment in local or group policy. whoami /priv lists the current token's privileges; one shown as Disabled is still held and can be enabled by the process at any time.
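An added example (not from the original page) that turns whoami /priv into a quick privilege-escalation triage: it parses the CSV output and annotates the privileges that are routinely abused to get from an ordinary service or user token to SYSTEM. The risk table is the author's summary, not an exhaustive list.

```powershell
# Added example (not from the original page): parse the current token's privileges and flag the
# ones that are well known to lead from "user with a privilege" to SYSTEM.

# Privileges that are routinely abused for local privilege escalation (author's list)
$dangerous = @{
    SeImpersonatePrivilege        = 'token impersonation (potato-family attacks)'
    SeAssignPrimaryTokenPrivilege = 'assign a primary token to a new process'
    SeDebugPrivilege              = 'open any process, e.g. lsass.exe, to inject or dump memory'
    SeBackupPrivilege             = 'read any file regardless of ACL, including the SAM/SYSTEM hives'
    SeRestorePrivilege            = 'write any file regardless of ACL'
    SeTakeOwnershipPrivilege      = 'take ownership of any object, then rewrite its ACL'
    SeLoadDriverPrivilege         = 'load a kernel driver'
    SeTcbPrivilege                = 'act as part of the operating system'
    SeManageVolumePrivilege       = 'raw volume access'
}

function Get-TokenPrivilege {
    # whoami /priv /fo csv emits "Privilege Name","Description","State" rows
    whoami /priv /fo csv | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Privilege = $_.'Privilege Name'
            Enabled   = ($_.State -eq 'Enabled')
            Risk      = $dangerous[$_.'Privilege Name']
        }
    }
}

$privs = Get-TokenPrivilege
$privs | Format-Table -AutoSize

$hits = $privs | Where-Object { $_.Risk }
if ($hits) {
    'Privilege escalation candidates (a Disabled privilege is still held and can be enabled by the process):'
    $hits | ForEach-Object { " - $($_.Privilege) [enabled=$($_.Enabled)]: $($_.Risk)" }
} else {
    'No high-risk privileges on this token.'
}
```

Run it from the context you are assessing: a shell obtained from a web application running as NetworkService or LocalService will normally show SeImpersonatePrivilege, which is exactly why those shells are so often one step from SYSTEM.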

SMB Shares

Server Message Block (SMB) is the protocol Windows uses for file and printer sharing and, through named pipes, for much of its remote administration. It is client-server and runs on TCP port 445 (with a legacy NetBIOS transport on TCP 139). A share exposes a directory over the network, so a user can read and write files on a server without being anywhere near it. Access can be anonymous (a "null session", rarely permitted on current systems), as Guest, or authenticated with NTLM or Kerberos; the effective permission is the more restrictive of the share-level ACL and the NTFS ACL of the underlying directory. SMB1 offers no real protection and should be disabled, and SMB signing is what stops NTLM relay attacks, yet it is not required by default on many client builds.

# Enumerate SMB shares (use -N instead of -U for a null session)
smbclient -L //<IP> -U username

# Connect to a share
smbclient //<IP>/SHARENAME -U username

# From Windows
net view \\<IP>
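The server-side view of the same thing, as an added example that is not from the original page: it lists the shares the local host exposes with their share-level ACLs, flags anything broadly writable, and reports the two server settings that matter most to an attacker (SMB1 and signing). It uses the SmbShare module shipped with Windows 8 / Server 2012 and later and needs an elevated prompt for Get-SmbServerConfiguration; the list of "world" principals is the author's assumption.

```powershell
# Added example (not from the original page): audit local SMB shares and server hardening.

Import-Module SmbShare

# Server-level settings
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1Enabled     = $cfg.EnableSMB1Protocol        # should be $false: SMB1 has no signing or encryption
    SigningRequired = $cfg.RequireSecuritySignature  # $false leaves NTLM relay open
    EncryptData     = $cfg.EncryptData
} | Format-List

# Share-level ACLs; NTFS permissions on Path still apply on top of these
$worldPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'   # assumption
$report = foreach ($share in Get-SmbShare) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        [pscustomobject]@{
            Share         = $share.Name
            Path          = $share.Path
            Account       = $ace.AccountName
            Type          = $ace.AccessControlType      # Allow / Deny
            Access        = $ace.AccessRight            # Read / Change / Full / Custom
            WorldWritable = ($ace.AccountName -in $worldPrincipals) -and
                            ($ace.AccessControlType -eq 'Allow') -and
                            ($ace.AccessRight -in 'Change', 'Full')
        }
    }
}
$report | Format-Table -AutoSize
$report | Where-Object WorldWritable | ForEach-Object { "REVIEW: \\$env:COMPUTERNAME\$($_.Share) ($($_.Path)) writable by $($_.Account)" }
```

A share that is world-writable at the share level is only exploitable if the NTFS ACL allows it too, so follow up each REVIEW line with icacls on the share's path. Administrative shares (C$, ADMIN$) appear in the list with Full for Administrators only, which is expected.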

Escalating from Administrator to SYSTEM Using PsExec

PsExec is part of the Sysinternals PsTools suite (https://learn.microsoft.com/sysinternals/downloads/psexec). It is not a privilege escalation exploit: it requires administrative rights, which it uses to install a temporary service (PSEXESVC) that starts the requested program. Because a service can run as LocalSystem, an administrator can use it to obtain a SYSTEM shell:

psexec -s -i cmd.exe      # -s: run as SYSTEM, -i: interact with the current desktop
whoami                    # in the new window prints nt authority\system

The same mechanism works against remote hosts where you hold admin rights (psexec \\<host> -s cmd.exe), which is why a service install (System log event 7045) named PSEXESVC is a standard lateral-movement detection.
