Skip to main content

2 posts tagged with "windows"

View All Tags

Windows PowerShell

Shubham
Cybersecurity Enthusiast

Introduction

okay let me go through it straight forward

PowerShell is basically Windows' upgraded command-line.
it replaces old cmd with something way more powerful because it works with objects instead of plain text.

lame language definition:
it's cmd but on steroids — lets you automate, manage system stuff, and chain commands easily

formal definition:
PowerShell is a task-based command-line shell and scripting language built on .NET, designed for system automation and configuration management.


Cmdlets (Commands)

PowerShell doesn't use traditional commands like ls, cat, etc.
it uses cmdlets which follow the pattern:
Verb-Noun

lame language definition:
cmdlets are special built-in functions that perform small, focused actions

formal definition:
cmdlets are lightweight .NET-based commands used within PowerShell for performing administrative tasks.

some basic cmdlets:

Get-Command
lists all available commands

Get-Help
shows documentation for any cmdlet

Get-Alias
shows shortcut names for commands

these three are your starting trio.


just like linux, you move around directories and view things.
but names are different in powershell.

Set-Location → change directory
Get-ChildItem → list files/folders
New-Item → create a file/folder
Remove-Item → delete things
Copy-Item / Move-Item → copy / move files

lame language definition:
same file operations as linux/mac, only the cmd names are different

formal definition:
PowerShell uses provider-based access to systems like filesystem, registry, etc., allowing cmdlets to interact with them as structured objects.


Piping & Filtering (MOST important)

this is where powershell becomes overpowered compared to cmd.

you pass objects, not text.
this means downstream commands can read properties directly.

example concepts:

Where-Object → filter
Select-Object → pick properties
Sort-Object → sort results

lame language definition:
you're not messing with strings. you're passing real data with fields like Name, Id, Path, etc.

formal definition:
PowerShell pipelines transfer .NET objects between cmdlets, enabling structured querying, transformation, and automation.


Managing Processes & Services

PowerShell is a system admin tool at heart.
so it gives full access to OS-level components:

Get-Process → list running processes
Stop-Process → kill a process
Get-Service → list services
Start-Service / Stop-Service → control services

lame language definition:
you can inspect or control what is running on the machine using simple commands

formal definition:
PowerShell exposes OS process and service management through object-based cmdlets, allowing precise control and automation.


System & Network Information

powershell can show system details cleanly:

  • network config
  • environment variables
  • event logs
  • hardware info
  • registry

some common areas:

Get-NetIPConfiguration
Test-Connection (like ping but object-based)
Get-EventLog


Why PowerShell is Important in Cybersecurity

attackers love powershell
admins love powershell
everyone basically uses it

because:

  • it’s preinstalled on all windows systems
  • lets you automate enumeration
  • can access registry, services, files, processes
  • can download payloads, run scripts, and move laterally
  • allows powerful recon without extra tools

lame language definition:
if you know powershell, you can control a windows machine like a pro

formal definition:
PowerShell is widely adopted in offensive and defensive security due to its deep system access, scripting capabilities, and ubiquity across Windows environments.


Conclusion

all powershell concepts boil down to this:

instead of text, you're working with objects — which makes system automation, enumeration, and control extremely powerful.

if you understand cmdlets, pipelines, filtering, and basic system commands,
you already understand the core of PowerShell.

`

Windows and Active Directory Fundamentals

Shubham
Cybersecurity Enthusiast

Windows Architecture

okay let me go through it straight forward

windows internally is divided into system components like kernel, services, processes, registry, users, permissions etc.
understanding these is important because almost all attacks or security issues come from misconfigured services, weak permissions, or exposed shares.

lame language definition:
windows is layers of background programs + settings + user accounts working together

formal definition:
Windows OS is a multitasking operating system built on the NT architecture, consisting of the kernel, system services, user mode processes, the registry database, and a security subsystem enforcing authentication and authorization.


Users, Groups & Permissions

windows security fundamentally relies on accounts and groups.

your machine has:

  • local accounts → users on the device
  • groups → collections of users (Admin, Users, Guests etc.)
  • privileges → what they can or cannot do

lame language definition:
groups decide your power level in the system

formal definition:
Windows uses discretionary access control (DAC) where access tokens containing SIDs (security identifiers) determine permissions on resources.

important ones:

Administrators → full control
Users → standard, limited
SYSTEM → highest privilege (more than admin)


File System & NTFS Permissions

NTFS is the default file system.
it supports ACLs (access control lists) — which define exactly who can read, write, execute something.

permissions include:

  • FullControl
  • Modify
  • ReadExecute
  • Write
  • Read

lame language definition:
every file/folder has a list of “allowed people” and “what they can do”

formal definition:
NTFS implements per-object discretionary access control using ACEs linked to user or group SIDs, enabling granular file system security.


The Registry

registry = the huge configuration database for windows.
everything from installed programs to startup items to system policies lives here.

important hives:

  • HKEY_LOCAL_MACHINE (HKLM) → system-wide settings
  • HKEY_CURRENT_USER (HKCU) → settings for the logged-in user

lame language definition:
registry is windows’ brain storing all configuration

formal definition:
the Windows Registry is a hierarchical database storing system, user, and application configuration accessed via registry APIs.

attackers often abuse registry for persistence.


Windows Services & Processes

services = background programs
processes = running programs

you’ll often check them during enumeration.

useful concepts:

  • services can run as SYSTEM
  • misconfigured services can be escalated
  • startup type: auto, manual, disabled
  • process tree shows parent-child relationships

lame language definition:
services are programs that run even when no one is logged in

formal definition:
Windows services are long-running executables managed by the Service Control Manager (SCM), often running with elevated privileges.


Event Viewer (Logs)

windows logs everything meaningful: logons, errors, privilege changes, network events, etc.
important logs for security:

  • Security
  • System
  • Application

lame language definition:
event viewer is where you spy on what happened on the system

formal definition:
event logs are structured records generated by system components, applications, and security subsystems stored using the Windows Event Log API.


Networking (Windows Context)

important tools:

  • ipconfig → interface info
  • netstat → active connections
  • net commands → users, shares, groups
  • ping, tracert, nslookup → basic diagnostics

common enum areas:

  • open shares
  • firewall rules
  • RDP status
  • running services over ports

Windows Shares (SMB)

SMB allows sharing folders/printers across network.
enumeration often reveals misconfigured shares.

share types:

  • C$, ADMIN$, IPC$ → administrative
  • custom shares → may expose sensitive files

lame language definition:
SMB is like “network folders” that anyone on LAN can access if allowed

formal definition:
Server Message Block (SMB) is a network file-sharing protocol enabling access to files and services over TCP/IP.


PowerShell (Quick Summary)

PowerShell is the backbone of Windows automation and recon.

important ideas:

  • everything is an object
  • pipelines pass objects
  • cmdlets follow Verb-Noun pattern
  • easy access to registry, services, WMI, CIM, processes

you've already covered this in detail in the previous writeup.


Active Directory (AD)

What is Active Directory

AD is basically identity + permission management for large networks (like companies) using Windows machines.

lame language definition:
AD is a system that controls “who you are” and “what you can do” inside a company network

formal definition:
Active Directory is a directory service built on LDAP and Kerberos, providing centralized authentication, authorization, and policy management within Windows domains.


Domain, OU, Users, Groups

in AD, machines and users belong to a domain (example: corp.local).

objects inside AD are organized into:

  • Users
  • Groups
  • Computers
  • Organizational Units (OUs)

lame language definition:
domain = company network
OU = folders to organize users/computers

formal definition:
OUs are containers in AD enabling hierarchical organization and targeted Group Policy application.


Domain Controllers (DC)

domain controller = server that runs AD services.

it handles:

  • login authentication (Kerberos)
  • directory lookups (LDAP)
  • group policies

lame language definition:
DC is the boss server that decides if you can log in or not

formal definition:
a Domain Controller is a Windows server hosting AD DS, responsible for authentication, authorization, and domain policy enforcement.


Kerberos (Authentication)

Kerberos is default authentication in AD.

flow (very simplified):

  1. user requests a TGT
  2. DC verifies identity
  3. DC issues a TGT
  4. user uses TGT to access services

lame language definition:
kerberos gives you a “ticket” proving who you are

formal definition:
Kerberos is a network authentication protocol using symmetric cryptography and ticket-based identity validation.


Group Policy (GPO)

GPOs apply settings to many users/computers at once:

  • password policies
  • software restrictions
  • login scripts
  • firewall rules
  • drive mappings

lame language definition:
admins use GPOs so they don’t have to configure 500 computers manually

formal definition:
Group Policy is a centralized configuration management feature applying domain-level policies via AD.


AD Enumeration (Security Context)

attackers and defenders both enumerate AD for:

  • user lists
  • group memberships
  • misconfigured permissions
  • service accounts
  • SPNs (for kerberoasting)
  • unconstrained delegation
  • password policy weaknesses

tools commonly used:

  • net commands
  • PowerShell (Get-ADUser, Get-ADComputer, Get-ADGroup)
  • bloodhound / sharphound

Conclusion

windows fundamentals + active directory fundamentals combine into one big idea:

windows controls security using accounts, permissions, groups, services, registry, and processes — and AD extends this model to whole networks using domains, policies, and centralized authentication.

understanding these core systems is enough to navigate almost any Windows/AD cybersecurity task.

`