Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks

Red Teaming Experiments

linkedin github @spotheplanet patreon

Search…

What is ired.team?

Pinned

Pentesting Cheatsheets

Active Directory & Kerberos Abuse

reversing, forensics & misc

Internals

Cloud

Neo4j

Dump Virtual Box Memory

AES Encryption Using Crypto++ .lib in Visual Studio C++

Reversing Password Checking Routine

Enumerating Users without net, Services without sc and Scheduled Tasks without schtasks

It is possible to use MMC snap-ins to enumerate local users and local groups, services, scheduled tasks, SMB shares and sessions on a system if you have an interactive desktop session on the compromised system either via RDP or if you are simulating an insider threat during a pentest and you are given a company's laptop.
Why would you do it?
The use of well known lolbins like net, sc and schtasks on a host where an EDR solution is running is risky and may get you caught. Using snap-ins may help evade commandline detections SOC may be relying on. 
Of course, marketing department is unlikely to run mmc snap-ins either, so beware :)
Enumerating Users and Local Groups
Launch mmc.exe, click File > Add\remove snap-in > Local users and Groups:
Enumerating Services
Same could be done for enumerating services running on the system:
Note that services.msc could give you the same view.
Enumerating Scheduled Tasks
Persistence anyone? Note that taskschd.msc could give you the same view:
Shares and Sessions

Enumerating COM Objects and their Methods

Enumerating Windows Domains with rpcclient through SocksProxy == Bypassing Command Line Logging

Last modified 3yr ago

Copy link

Contents

Why would you do it?

Enumerating Users and Local Groups

Enumerating Services

Enumerating Scheduled Tasks

Shares and Sessions