This guide is currently under development, and I greatly welcome any suggestions or feedback or at reaper.gitbook@gmail.com

Enumeration strategies

Windows environments are significantly more complex than UNIX-based systems, with many layers of configuration spread across services, the registry, scheduled tasks, COM objects, file permissions, and more. The key to exploiting misconfigurations lies in proper enumeration based on the current access level.

Whether you're operating as a local user, a service account, or a restricted identity such as IIS APPPOOL\Web, your enumeration approach must adapt to what the system reveals under that context.

Enumeration is not a one-time step—it should be repeated after every access upgrade. Each privilege level reveals new information, files, and accessible components.

Enumeration Mindset

  • Always adapt to context. What works for nt authority\system will not work for a restricted IIS pool.

  • Repeat enumeration after any privilege or context change.

  • Leverage both built-in tools (CMD/PowerShell) and external tools if allowed (e.g., winPEAS, Seatbelt, custom scripts).

  • Log everything. Often, the smallest overlooked detail becomes the key to full compromise.

1. System Information Enumeration

What We're Looking For:

  • OS version and patch level (identifies kernel exploit opportunities)

  • Architecture (x86/x64) (determines exploit compatibility)

  • Installed hotfixes (reveals missing security patches)

  • System uptime (indicates patch installation frequency)

  • Hardware information (identifies virtualization/physical environment)

  • Domain membership status

  • PowerShell version and execution policy

Commands:

systeminfo
ver
hostname
wmic os get Caption,Version,BuildNumber,OSArchitecture
wmic qfe list full
echo %PROCESSOR_ARCHITECTURE%
wmic computersystem get TotalPhysicalMemory,NumberOfProcessors
wmic bios get serialnumber,version
wmic computersystem get domain,domainrole
echo %USERDOMAIN%

PowerShell:

Get-ComputerInfo
Get-WmiObject -Class Win32_OperatingSystem
Get-WmiObject -Class Win32_ComputerSystem
Get-HotFix | Sort-Object InstalledOn -Descending
[Environment]::OSVersion
$env:PROCESSOR_ARCHITECTURE
$PSVersionTable
Get-ExecutionPolicy -List
Test-ComputerSecureChannel -Verbose

How This Benefits Attack Identification:

  • OS Version Analysis: Windows 7/8.1 systems are more vulnerable to kernel exploits (MS16-032, MS16-135)

  • Missing Patches: Unpatched systems reveal specific CVE vulnerabilities for Print Spooler attacks (PrintNightmare)

  • Architecture Matching: Ensures payload compatibility for DLL hijacking attacks

  • Domain Status: Domain-joined machines may have GPP passwords or Kerberos delegation vulnerabilities

  • PowerShell Version: Older versions lack security features, enabling PowerShell-based privilege escalation

  • Uptime Analysis: Long uptimes suggest poor patch management practices

Potential Attacks:

  • Kernel-level privilege escalation

  • UAC bypass techniques

  • Print Spooler-related attacks

  • Group Policy Preferences (GPP) password retrieval

2. User and Group Enumeration

What We're Looking For:

  • Current user context and privileges (identifies available privilege escalation paths)

  • SeImpersonatePrivilege presence (enables token impersonation attacks)

  • Local users and groups (reveals potential lateral movement targets)

  • Domain information (identifies domain privilege escalation opportunities)

  • Administrator group members (shows privilege escalation targets)

  • Service account context (IIS APPPOOL, SQL service accounts)

Commands:

whoami
whoami /all
whoami /priv
whoami /groups
net user
net user %username%
net localgroup
net localgroup administrators
net localgroup "Remote Desktop Users"
net localgroup "Backup Operators"
net group /domain
net group "Domain Admins" /domain
net group "Enterprise Admins" /domain
net accounts
net accounts /domain
query user

PowerShell:

Get-LocalUser
Get-LocalGroup
Get-LocalGroupMember Administrators
Get-LocalGroupMember "Remote Desktop Users"
Get-WmiObject -Class Win32_UserAccount
Get-WmiObject -Class Win32_Group
[Security.Principal.WindowsIdentity]::GetCurrent()
Get-WmiObject -Class Win32_LoggedOnUser
Get-CimInstance -ClassName Win32_UserProfile

How This Benefits Attack Identification:

  • SeImpersonatePrivilege: Present on IIS APPPOOL and SQL service accounts, enables JuicyPotato/PrintSpoofer attacks

  • Service Account Context: Service accounts often have elevated privileges or access to sensitive resources

  • Local Admin Members: Identifies if current user is already in administrators group (UAC bypass opportunity)

  • Domain Groups: Domain Admin membership reveals high-value targets for lateral movement

  • Backup Operators: Members can backup SAM/SYSTEM files for offline password cracking

  • Logged On Users: Shows other active sessions that could be targeted for token theft

Potential Attacks:

  • Token impersonation and SeImpersonatePrivilege abuse

  • UAC bypass techniques

  • Group Policy Preferences (GPP) password retrieval

  • Named pipe impersonation

3. Service Enumeration

What We're Looking For:

  • Running services and their configurations (identifies service-based attack vectors)

  • Service executable paths (quoted/unquoted) (reveals path injection vulnerabilities)

  • Service permissions (shows modifiable services)

  • Service accounts (identifies high-privilege service contexts)

  • Service startup types (auto-start services are better persistence targets)

  • Service dependencies (reveals attack chains)

Commands:

sc query
sc query type=service state=all
wmic service list full
wmic service get name,displayname,pathname,startmode,startname
tasklist /svc
net start
sc qc [ServiceName]
sc enumdepend [ServiceName]
accesschk.exe -uwcqv "Authenticated Users" *
accesschk.exe -uwcqv "Everyone" *
accesschk.exe -ucqv [ServiceName]

PowerShell:

Get-Service
Get-WmiObject -Class Win32_Service | Select Name,DisplayName,PathName,StartMode,State,StartName
Get-CimInstance -ClassName Win32_Service
Get-Service | Where-Object {$_.StartType -eq "Automatic"}
Get-WmiObject -Class Win32_DependentService

How This Benefits Attack Identification:

  • Unquoted Service Paths: Services with spaces in paths and no quotes allow path injection attacks

  • Writable Service Binaries: Services with weak permissions can be replaced with malicious executables

  • High-Privilege Service Accounts: Services running as SYSTEM or LocalService provide privilege escalation targets

  • Auto-Start Services: Automatically starting services provide reliable persistence mechanisms

  • Service Dependencies: Understanding dependencies helps chain multiple service exploits

  • Third-Party Services: Non-Microsoft services often have weaker security configurations

Potential Attacks:

  • Service misconfigurations and unquoted paths

  • DLL hijacking and search order manipulation

  • Registry-based privilege escalation

  • Token impersonation and SeImpersonatePrivilege abuse

  • Named pipe impersonation

4. Process Enumeration

What We're Looking For:

  • Running processes and their users (identifies high-privilege processes for token theft)

  • Process command lines (reveals credentials or interesting parameters)

  • Process integrity levels (shows UAC bypass opportunities)

  • Parent-child relationships (reveals process injection opportunities)

  • Processes running as SYSTEM (prime targets for token impersonation)

  • Process modules and DLLs (identifies DLL hijacking opportunities)

Commands:

tasklist /v
tasklist /fo csv
tasklist /m
tasklist /svc
wmic process list full
wmic process get name,processid,parentprocessid,executablepath,commandline
wmic process where "name='explorer.exe'" get processid,parentprocessid

PowerShell:

Get-Process | Select ProcessName,Id,Path,Company
Get-WmiObject -Class Win32_Process | Select ProcessId,Name,CommandLine,ParentProcessId
Get-Process -IncludeUserName
Get-CimInstance -ClassName Win32_Process
Get-Process | Where-Object {$_.ProcessName -eq "lsass"}
Get-Process | Get-Member

How This Benefits Attack Identification:

  • SYSTEM Processes: winlogon.exe, services.exe, lsass.exe are high-value targets for token theft

  • Command Line Arguments: May reveal database connections, API keys, or other credentials

  • Process Relationships: Child processes of explorer.exe run in user context, while others may be elevated

  • Service Processes: Processes associated with services can be targeted for service account token theft

  • DLL Loading: Processes loading many DLLs provide opportunities for DLL hijacking attacks

  • Process Architecture: x86 processes on x64 systems have different DLL search paths

Potential Attacks:

  • Token impersonation and SeImpersonatePrivilege abuse

  • DLL hijacking and search order manipulation

  • Named pipe impersonation

5. Network Enumeration

What We're Looking For:

  • Open ports and listening services (identifies attack surfaces)

  • Network connections (reveals communication channels)

  • Network shares (shows accessible resources)

  • Named pipes (identifies named pipe impersonation opportunities)

  • Network interfaces (reveals network topology)

  • Firewall status (shows network security posture)

Commands:

netstat -ano
netstat -an | findstr LISTENING
netstat -rn
ipconfig /all
net share
net use
arp -a
netsh advfirewall show allprofiles
netsh firewall show state
route print
net view
net view /domain

PowerShell:

Get-NetTCPConnection | Where-Object {$_.State -eq "Listen"}
Get-NetUDPEndpoint
Get-NetAdapter
Get-SmbShare
Get-NetRoute
Get-NetFirewallRule
Test-NetConnection
Get-SmbConnection
Get-SmbMapping

How This Benefits Attack Identification:

  • Named Pipes: Listening named pipes can be targeted for impersonation attacks (\.\pipe*)

  • Local Services: Services listening on localhost may have weak authentication

  • SMB Shares: Writable shares provide opportunities for DLL planting or file replacement

  • Network Topology: Understanding routing helps identify lateral movement opportunities

  • Firewall Rules: Disabled firewalls or permissive rules indicate poor security posture

  • Active Connections: Shows what services are actively communicating

Potential Attacks:

  • Named pipe impersonation

  • Token impersonation and SeImpersonatePrivilege abuse

6. File System Enumeration

What We're Looking For:

  • Writable directories (enables DLL hijacking and file replacement attacks)

  • Configuration files with credentials (reveals stored passwords)

  • Backup files (may contain sensitive information)

  • Log files (could contain credentials or system information)

  • File permissions (shows modifiable system files)

  • Interesting file extensions (reveals potential credential stores)

Commands:

dir /s C:\*config*.txt
dir /s C:\*pass*.txt
dir /s C:\*cred*.txt
dir /s C:\*.config
dir /s C:\*backup*
dir /s C:\*.log
findstr /si password *.txt *.xml *.ini *.config
icacls "C:\Program Files"
icacls "C:\Program Files (x86)"
icacls "C:\Windows\System32"
cacls "C:\Windows\System32\config"
dir C:\Users\%username%\Desktop
dir C:\Users\%username%\Documents
dir C:\inetpub\wwwroot
dir C:\xampp

PowerShell:

Get-ChildItem -Path C:\ -Include *password*,*config*,*admin*,*login*,*cred* -Recurse -ErrorAction SilentlyContinue
Get-Acl "C:\Program Files" | Format-List
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.Attributes -match "Archive|Hidden" }
Get-ChildItem -Path C:\Windows\System32 -Filter "*.dll" | Get-Acl
Get-ChildItem -Path $env:PATH.Split(';') -Filter "*.dll" -ErrorAction SilentlyContinue

How This Benefits Attack Identification:

  • Writable System Directories: Enable DLL hijacking attacks by placing malicious DLLs in PATH

  • Configuration Files: Often contain plaintext passwords, database connections, or API keys

  • PATH Analysis: Directories in PATH that are writable enable search order hijacking

  • Service Directories: Writable service installation directories allow binary replacement

  • Web Directories: Web application configs often contain database credentials

  • User Directories: May contain stored credentials, SSH keys, or other sensitive files

Potential Attacks:

  • DLL hijacking and search order manipulation

  • Service misconfigurations and unquoted paths

  • Registry-based privilege escalation

  • Scheduled task abuse

  • UAC bypass techniques

7. Registry Enumeration

What We're Looking For:

  • Auto-run entries (identifies persistence mechanisms and hijacking opportunities)

  • Service configurations (reveals service registry vulnerabilities)

  • AlwaysInstallElevated setting (enables MSI privilege escalation)

  • Stored credentials (reveals plaintext passwords in registry)

  • Registry permissions (shows modifiable registry keys)

  • Uninstall entries (reveals installed software)

Commands:

reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
reg query HKLM\SYSTEM\CurrentControlSet\Services
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v DefaultPassword
reg query "HKLM\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities"

PowerShell:

Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Get-ChildItem -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer" -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue

How This Benefits Attack Identification:

  • Auto-Run Entries: Programs in Run keys execute at startup and can be hijacked for persistence

  • AlwaysInstallElevated: When enabled, MSI packages install with SYSTEM privileges

  • Service Registry Keys: Weak permissions on service keys allow reconfiguration attacks

  • Stored Passwords: Registry often contains plaintext credentials for services or applications

  • Unquoted Registry Paths: Similar to service paths, registry entries with spaces can be hijacked

  • User-Specific Keys: HKCU keys can be modified by current user for privilege persistence

Potential Attacks:

  • Registry-based privilege escalation

  • Exploiting AlwaysInstallElevated

  • Service misconfigurations and unquoted paths

  • Scheduled task abuse

  • UAC bypass techniques

8. Scheduled Tasks Enumeration

What We're Looking For:

  • Scheduled tasks and their configurations (identifies automation-based attack vectors)

  • Task executable paths (reveals hijacking opportunities)

  • Task permissions (shows modifiable tasks)

  • Task triggers (reveals when tasks execute)

  • Tasks running as SYSTEM (high-value privilege escalation targets)

  • Task history and logs (shows execution patterns)

Commands:

schtasks /query /fo LIST /v
schtasks /query /fo csv
schtasks /query /tn "TaskName" /v
wmic job list full
at
dir C:\Windows\System32\Tasks
dir C:\Windows\Tasks

PowerShell:

Get-ScheduledTask
Get-ScheduledTask | Where-Object {$_.State -ne "Disabled"} | Select TaskName,TaskPath,State
Get-ScheduledTask | Get-ScheduledTaskInfo
Get-ScheduledTask | Where-Object {$_.Principal.UserId -eq "SYSTEM"}
Get-ScheduledTaskInfo -TaskName "*" | Where-Object {$_.LastRunTime -gt (Get-Date).AddDays(-7)}

How This Benefits Attack Identification:

  • SYSTEM Tasks: Tasks running as SYSTEM provide direct privilege escalation if modifiable

  • Writable Task Files: Tasks with writable executables can be replaced with malicious code

  • Task Triggers: Understanding when tasks run helps time attacks or establish persistence

  • User Context: Tasks running as specific users provide lateral movement opportunities

  • Missing Executables: Tasks pointing to non-existent files can be hijacked

  • Regular Execution: Frequently running tasks provide reliable persistence mechanisms

Potential Attacks:

  • Scheduled task abuse

  • DLL hijacking and search order manipulation

  • Registry-based privilege escalation

  • Token impersonation and SeImpersonatePrivilege abuse

  • UAC bypass techniques

9. Installed Software Enumeration

What We're Looking For:

  • Installed programs and versions (identifies vulnerable software)

  • Software installation paths (reveals potential DLL hijacking opportunities)

  • Third-party software (often has weaker security than Microsoft products)

  • Service-related software (may run with elevated privileges)

  • Development tools (reveals additional attack surfaces)

Commands:

wmic product list full
wmic product get name,version,vendor
dir "C:\Program Files"
dir "C:\Program Files (x86)"
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall
dir C:\ProgramData
dir "%ProgramFiles%\*" /AD
dir "%ProgramFiles(x86)%\*" /AD

PowerShell:

Get-WmiObject -Class Win32_Product | Select Name,Version,Vendor
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select DisplayName,DisplayVersion,Publisher
Get-Package
Get-ChildItem "C:\Program Files" | Select Name
Get-ChildItem "C:\Program Files (x86)" | Select Name

How This Benefits Attack Identification:

  • Vulnerable Software: Outdated software versions may have known exploits

  • Development Tools: Visual Studio, Git, etc. may have elevated privileges or sensitive configs

  • Third-Party Services: Non-Microsoft services often have default credentials or weak configurations

  • Installation Directories: Software directories may have weak permissions enabling DLL hijacking

  • Service Software: Database servers, web servers may run with service account privileges

  • Security Software: AV/EDR products help understand detection capabilities

Potential Attacks:

  • DLL hijacking and search order manipulation

  • Service misconfigurations and unquoted paths

  • Registry-based privilege escalation

  • UAC bypass techniques

10. Credential and Authentication Enumeration

What We're Looking For:

  • Stored credentials (reveals saved passwords and tokens)

  • Authentication tokens (enables token theft attacks)

  • Cached credentials (shows previously authenticated users)

  • Credential manager entries (Windows credential storage)

  • Security policies (reveals authentication requirements)

  • Kerberos tickets (in domain environments)

Commands:

cmdkey /list
net accounts
net accounts /domain
vaultcmd /listcreds
vaultcmd /listschema
rundll32.exe keymgr.dll,KRShowKeyMgr
dir /a %userprofile%\AppData\Local\Microsoft\Credentials\
dir /a %userprofile%\AppData\Roaming\Microsoft\Credentials\

PowerShell:

Get-WmiObject -Class Win32_LogonSession
Get-ChildItem -Path "$env:USERPROFILE\AppData\Local\Microsoft\Credentials" -Force
Get-ChildItem -Path "$env:USERPROFILE\AppData\Roaming\Microsoft\Credentials" -Force
[void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime]
$vault = New-Object Windows.Security.Credentials.PasswordVault
$vault.RetrieveAll()

How This Benefits Attack Identification:

  • Stored Credentials: Windows Credential Manager may contain plaintext passwords

  • Cached Credentials: Domain credentials cached locally can be extracted and cracked

  • Token Sessions: Active logon sessions provide tokens that can be stolen or impersonated

  • Credential Files: DPAPI-protected credential files can be decrypted if user context is available

  • Service Accounts: Service account tokens may have SeImpersonatePrivilege

  • Domain Tickets: Kerberos tickets can be used for lateral movement

Potential Attacks:

  • Token impersonation and SeImpersonatePrivilege abuse

  • Group Policy Preferences (GPP) password retrieval

  • Registry-based privilege escalation

11. Windows Subsystem for Linux (WSL) Enumeration

What We're Looking For:

  • WSL installation status (identifies cross-platform attack opportunities)

  • WSL distributions (reveals Linux environments accessible from Windows)

  • WSL file system access (shows cross-platform file access)

  • WSL processes (identifies Linux processes running on Windows)

  • Cross-platform vulnerabilities (WSL-specific security issues)

Commands:

wsl --list
wsl --list --verbose
wsl --status
dir C:\Users\%username%\AppData\Local\Packages\*Linux*
dir \\wsl$\
wsl uname -a
wsl whoami
wsl ps aux

PowerShell:

Get-ChildItem "C:\Users\$env:USERNAME\AppData\Local\Packages" | Where-Object {$_.Name -like "*Linux*"}
Get-ChildItem "\\wsl$\" -ErrorAction SilentlyContinue
wsl bash -c "find / -perm -4000 2>/dev/null"
wsl bash -c "cat /etc/passwd"

How This Benefits Attack Identification:

  • Cross-Platform File Access: WSL can access Windows files, potentially bypassing Windows security

  • Linux Tools: Linux enumeration and exploitation tools available within Windows environment

  • Process Contexts: WSL processes may run with different privilege contexts

  • File System Bridging: Opportunities to move between Windows and Linux file systems

  • Service Accounts: WSL may run under service accounts with elevated privileges

  • Container-like Isolation: WSL provides some isolation that may be bypassable

Potential Attacks:

  • Abusing Windows Subsystem for Linux (WSL)

  • DLL hijacking and search order manipulation

  • Registry-based privilege escalation

  • Token impersonation and SeImpersonatePrivilege abuse

  • UAC bypass techniques

12. Accessibility Features Enumeration

What We're Looking For:

  • Accessibility features configuration (identifies backdoor opportunities)

  • Sticky Keys, Utilman registry entries (shows if features are hijacked)

  • Login screen accessibility (reveals pre-authentication access)

  • Accessibility service permissions (shows modifiable accessibility services)

  • Image File Execution Options (debugger redirection settings)

Commands:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe"
dir C:\Windows\System32\sethc.exe
dir C:\Windows\System32\utilman.exe
fc /b C:\Windows\System32\sethc.exe C:\Windows\System32\cmd.exe

PowerShell:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" -ErrorAction SilentlyContinue
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" -ErrorAction SilentlyContinue
Get-FileHash C:\Windows\System32\sethc.exe
Get-FileHash C:\Windows\System32\cmd.exe
Compare-Object (Get-FileHash C:\Windows\System32\sethc.exe) (Get-FileHash C:\Windows\System32\cmd.exe)

How This Benefits Attack Identification:

  • Registry Debuggers: Debugger entries redirect accessibility features to malicious executables

  • File Replacement: Accessibility executables replaced with cmd.exe provide backdoor access

  • Login Screen Access: Compromised accessibility features provide SYSTEM access from login screen

  • Physical Access: Accessible during physical compromise scenarios

  • Persistence: Accessibility backdoors survive user logoffs and reboots

  • Pre-Authentication: Access available before user authentication

Potential Attacks:

  • Misusing accessibility features

  • UAC bypass techniques

  • Registry-based privilege escalation

13. Print Spooler Enumeration

What We're Looking For:

  • Print Spooler service status (identifies Print Spooler attack availability)

  • Printer configurations (reveals printer-based attack vectors)

  • Print driver permissions (shows modifiable print drivers)

  • Spooler directory permissions (identifies writable spooler directories)

  • Print queue status (shows active print jobs)

  • Print Spooler vulnerabilities (PrintNightmare, etc.)

Commands:

sc query spooler
sc qc spooler
wmic printer list full
wmic printer get name,drivername,portname
dir C:\Windows\System32\spool\drivers
icacls C:\Windows\System32\spool\drivers
dir C:\Windows\System32\spool\drivers\x64\3\
net use \\localhost\print$

PowerShell:

Get-Printer
Get-Service Spooler
Get-PrinterDriver
Get-PrinterPort
Get-ChildItem "C:\Windows\System32\spool\drivers" -Recurse
Get-Acl "C:\Windows\System32\spool\drivers"
Get-WmiObject -Class Win32_Printer

How This Benefits Attack Identification:

  • Service Status: Running Print Spooler enables PrintNightmare and PrintSpoofer attacks

  • Driver Directories: Writable driver directories enable malicious driver installation

  • Print Queues: Active print jobs may contain sensitive information

  • Driver Permissions: Weak driver permissions allow malicious driver replacement

  • Network Printing: Print shares may provide lateral movement opportunities

  • Spooler Process: Print Spooler runs as SYSTEM, making it high-value for token theft

Potential Attacks:

  • Print Spooler-related attacks

  • DLL hijacking and search order manipulation

  • Registry-based privilege escalation

  • Token impersonation and SeImpersonatePrivilege abuse

  • UAC bypass techniques

PreviousWindows Privilege EscalationNextService misconfigurations and unquoted paths

Last updated

Was this helpful?