# Situational Awareness

Here's a checklist of what you should check for:

```
• 2FA methods
• Certificates
• Open ports
• Installed services
• COM objects
• Named pipes
• Scheduled tasks
• Mapped drives
• System PATH
• Installed drivers
• LSASS protected mode
• LLMNR/NBT-NS
• WDigest provider
• NTLMv1 status
• SMB Signing
• PowerShell logging
• Logon limitations
• RID 500 account status
• FilterAdministratorToken
• UAC configuration
• SysMon
```

Find installed PowerShell engines (v2 and v3+ register under separate keys):

```
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine /v PowerShellVersion

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine /v PowerShellVersion
```

PowerShell logging (script block, transcription and module logging policies)

```
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging
```

CLR versions (which .NET Framework runtimes are present)

From cmd:

```
dir %WINDIR%\Microsoft.Net\Framework\ /s /b | find "System.dll"
```

From PowerShell:

```
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll")
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll")
```

Check for Constrained Language Mode (CLM); `FullLanguage` means no restriction, `ConstrainedLanguage` means CLM is in effect

```
$ExecutionContext.SessionState.LanguageMode
```

Check audit policies (all categories)

```
auditpol /get /category:*
```

Check if LSASS is running as a Protected Process Light (a `RunAsPPL` value of 1 or 2 enables it; a missing value means it is not configured)

```
reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
```

AppLocker policies

```
(Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
```

Check for Non-standard MS services/processes: <https://gist.github.com/HarmJ0y/7363509435f5700d713ee351bb4fcd8f>

RDP client history (the key name contains spaces, so it must be quoted)

```
reg query "HKCU\Software\Microsoft\Terminal Server Client" /s
```

Find recently used files

```
dir "%AppData%\Microsoft\Windows\Recent"
```

Find running application window titles

```
Get-Process | Where-Object { $_.MainWindowTitle -ne "" } | Select-Object MainWindowTitle
```

Detect Sysmon (this matches only a default install; the process and service carry whatever name the binary was installed under)

```
Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }
```

Check whether an executable is a .NET assembly (returns the assembly name for managed binaries and throws `BadImageFormatException` for native ones)

```
[Reflection.AssemblyName]::GetAssemblyName("C:\Path\To\File.exe")
```

EDR presence: <https://github.com/BankSecurity/Red_Team/blob/master/Discovery/Check_EDR_Presence.ps1>

Enumerate general info from COM objects (this CLSID is `WScript.Network`):

```
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("093FF999-1EA0-4079-9525-9614C3504B74"))
$o | Get-Member        # list the object's methods and properties
$o                     # default properties: user, computer and domain names
$o.EnumNetworkDrives() # mapped drive letters and their UNC paths
```

Proxy settings (WinHTTP proxy configuration, and whether a WPAD host resolves for automatic proxy discovery)

```
netsh winhttp show proxy
ping -n 1 wpad
```
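As an added example that is not part of the handbook, the following PowerShell function runs several of the registry and process checks above in one pass and reports which hardening controls are absent; the value names `EnableScriptBlockLogging`, `EnableTranscripting` and `EnableModuleLogging` are the standard policy values under the logging keys listed above, and the function name is my own.

```powershell
# Added example (not from the handbook): consolidate checks from this page
# into one posture report. Each entry carries the hardened condition.
function Get-HostSecurityPosture {
    [CmdletBinding()]
    param()

    # Read one registry value; $null when the key or value does not exist
    function Read-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $srpV2    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $checks = @(
        @{ Control = 'LSASS RunAsPPL'
           Value = Read-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
           Hardened = { param($v) $v -in 1, 2 } },   # 2 = PPL with UEFI lock
        @{ Control = 'PS ScriptBlockLogging'
           Value = Read-RegValue "$psPolicy\ScriptBlockLogging" 'EnableScriptBlockLogging'
           Hardened = { param($v) $v -eq 1 } },
        @{ Control = 'PS Transcription'
           Value = Read-RegValue "$psPolicy\Transcription" 'EnableTranscripting'
           Hardened = { param($v) $v -eq 1 } },
        @{ Control = 'PS ModuleLogging'
           Value = Read-RegValue "$psPolicy\ModuleLogging" 'EnableModuleLogging'
           Hardened = { param($v) $v -eq 1 } },
        @{ Control = 'Language mode'
           Value = $ExecutionContext.SessionState.LanguageMode.ToString()
           Hardened = { param($v) $v -eq 'ConstrainedLanguage' } },
        @{ Control = 'Sysmon process (default name)'
           Value = [bool](Get-Process -Name Sysmon, Sysmon64 -ErrorAction SilentlyContinue)
           Hardened = { param($v) $v } },
        @{ Control = 'AppLocker rule keys'
           Value = (Get-ChildItem -Path $srpV2 -Recurse -ErrorAction SilentlyContinue | Measure-Object).Count
           Hardened = { param($v) $v -gt 0 } }
    )

    foreach ($c in $checks) {
        [pscustomobject]@{
            Control  = $c.Control
            Value    = if ($null -eq $c.Value) { '<not set>' } else { $c.Value }
            Hardened = & $c.Hardened $c.Value
        }
    }
}

Get-HostSecurityPosture | Format-Table -AutoSize
```

Rows with `Hardened` equal to `False` are the controls a defender would prioritise enabling; a `<not set>` value means the policy key is simply absent rather than explicitly disabled.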
