# Situational Awareness

Here's a checklist of what you should check for:

```
• 2FA methods
• Certificates
• Open ports
• Installed services
• COM objects
• Named pipes
• Scheduled tasks
• Mapped drives
• System PATH
• Installed drivers
• LSASS protected mode
• LLMNR/NBT-NS
• WDigest provider
• NTLMv1 status
• SMB Signing
• PowerShell logging
• Logon limitations
• RID 500 account status
• FilterAdministratorToken
• UAC configuration
• SysMon
```

Find powershell engines

```
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowershellEngine /v PowershellVersion

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowershellEngine /v PowershellVersion
```

powershell logging

```
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
```

CLR versions

```
dir %WINDIR%\Microsoft.Net\Framework\ /s /b | find "System.dll"
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll")
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll")
```

Check for CLM

```
$ExecutionContext.SessionState.LanguageMode
```

Check Audit Policies

```
auditpol /get /category:*
```

Check if LSASS is running in PPL

```
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
```

applocker policies

```
(Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
```

Check for Non-standard MS services/processes: <https://gist.github.com/HarmJ0y/7363509435f5700d713ee351bb4fcd8f>

RDP history

```
reg query "HKCU\Software\Microsoft\Terminal Server Client\"
```

Find recently used files

```
dir %AppData%\Microsoft\Windows\Recent
```

Find running application window titles

```
get-process | where-object {$_.mainwindowtitle -ne ""} | Select-Object mainwindowtitle
```

Detect Sysmon

```
Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
```
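The logging, LSASS PPL, CLM, AppLocker and Sysmon checks above are each a separate one-liner. The script below is an added example (not from the original cheat sheet) that wraps those same registry paths and process lookups into one read-only posture report, useful for confirming a host's hardening baseline. The value names (`EnableScriptBlockLogging`, `EnableModuleLogging`, `EnableTranscripting`, `RunAsPPL`) are the standard ones under the policy keys quoted above; the PASS/MISSING interpretation is the defender's expectation (logging on, LSASS protected, Sysmon present), not something the original states. The function name `Get-HostHardeningReport` is my own.

```powershell
# Added example: one read-only report over the checks listed on this page.
# Reads HKLM policy keys (no elevation needed for reading) and the process list.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing,
    # so an unconfigured policy shows up as MISSING rather than as an error.
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null
    }
}

function Get-HostHardeningReport {
    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srpExe   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe'

    $checks = @(
        @{ Name  = 'PowerShell script block logging'
           Value = Get-RegValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging' },
        @{ Name  = 'PowerShell module logging'
           Value = Get-RegValue "$psPolicy\ModuleLogging" 'EnableModuleLogging' },
        @{ Name  = 'PowerShell transcription'
           Value = Get-RegValue "$psPolicy\Transcription" 'EnableTranscripting' },
        @{ Name  = 'LSASS protected process (RunAsPPL)'
           # 1 = enabled, 2 = enabled with UEFI lock on newer builds; both count as on.
           Value = Get-RegValue $lsa 'RunAsPPL' },
        @{ Name  = 'Constrained Language Mode'
           Value = [int]($ExecutionContext.SessionState.LanguageMode -eq 'ConstrainedLanguage') },
        @{ Name  = 'AppLocker EXE rules present'
           # Any subkey under SrpV2\Exe means at least one EXE rule is deployed.
           Value = [int][bool](Get-ChildItem $srpExe -ErrorAction SilentlyContinue) },
        @{ Name  = 'Sysmon process running'
           # Process-name match only, mirroring the Get-Process check above.
           Value = [int][bool](Get-Process -Name 'Sysmon*' -ErrorAction SilentlyContinue) }
    )

    foreach ($c in $checks) {
        $v = $c.Value
        $pass  = ($null -ne $v) -and ([int]$v -ge 1)
        $state = if ($pass) { 'PASS' } else { 'MISSING' }
        $shown = if ($null -eq $v) { 'not set' } else { $v }
        '{0,-38} {1,-8} (value: {2})' -f $c.Name, $state, $shown
    }
}

Get-HostHardeningReport
```

The script only uses core type conversions, hashtables and the `-f` operator, so it also runs under Constrained Language Mode; that matters because a host that already has CLM enforced will block the reflection-based one-liners elsewhere on this page.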

If assembly is .NET or not

```
[Reflection.AssemblyName]::GetAssemblyName("C:\Path\To\File.exe")
```

EDR presence: <https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Check_EDR_Presence.ps1>

Enumerate general info from com objects:

```
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("093FF999-1EA0-4079-9525-9614C3504B74"))
$o | gm
$o
$o.EnumNetworkDrives()
```

proxy settings

```
netsh winhttp show proxy
ping -n 1 wpad
```
