Get-Service | where DisplayName -like ‘*Defender*’ → find defender in services Get-Service | where DisplayName -like ‘Defender’ | Select-Object -Property * → show properties
Enumerating for files
Get-Childitem –Path C:\Users\MTanaka\ -File -Recurse -ErrorAction SilentlyContinue | where {($_. Name -like "*.txt" -or $_. Name -like "*.py" -or $_. Name -like "*.ps1" -or $_. Name -like "*.md" -or $_. Name -like "*.csv")} | sls "Password","credential","key","UserName"
Helpful Directories to Check
While looking for valuable files and other content, we can check many more valuable files in many different places. The list below contains just a few tips and tricks that can be used in our search for loot.
- Looking in a Users
\AppData\folder is a great place to start. Many applications storeconfiguration files,temp savesof documents, and more. - A Users home folder
C:\Users\User\is a common storage place; things like VPN keys, SSH keys, and more are stored. Typically inhiddenfolders. (Get-ChildItem -Hidden) - The Console History files kept by the host are an endless well of information, especially if you land on an administrator’s host. You can check two different points:
C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txtGet-Content (Get-PSReadlineOption).HistorySavePath
- Checking a user’s clipboard may also yield useful information. You can do so with
Get-Clipboard - Looking at Scheduled tasks can be helpful as well.