Situational Awareness

Here's a checklist of what you should check for:

• 2FA methods
• Certificates
• Open ports
• Installed services
• COM objects
• Named pipes
• Scheduled tasks
• Mapped drives
• System PATH
• Installed drivers

• LSASS protected mode
• LLMNR/NBT-NS
• WDigest provider
• NTLMv1 status
• SMB Signing
• PowerShell logging
• Logon limitations
• LLMNR/NBT-NS status
• RID 500 account status
• FilterAdministratorToken
• UAC configuration
• SysMon

Find powershell engines

reg query  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowershellEngine /v PowershellVersion

reg query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowershellEngine /v PowershellVersion

powershell logging

reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging

CLR versions

dir %WINDIR%\Microsoft.Net\Framework\ /s /b | find "System.dll”
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll")
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll")

Check for CLM

$ExecutionContext.SessionState.LanguageMode

Check Audit Policies

auditpol /get /categoryams:*

Check if LSASS is running in PPL

reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
Get-ItemProperty -Path 
HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

applocker policies

Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\

RDP history

reg query HKCU\Software\Microsoft\Terminal Server Client\

Find recently used files

%AppData%\Microsoft\Windows\Recent

Find running application window titles

get-process | where-object {$_.mainwindowtitle -ne ""} | Select-Object mainwindowtitle

Detect Sysmon

Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

If assembly is .NET or not

[Reflection.AssemblyName]::GetAssemblyName("C:\Path\To\File.exe")

Enumerate general info from com objects:

$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("093FF999-1EA0-4079-9525-9614C3504B74"))
$o | gm
$o
$o.EnumNetworkDrives()

proxy settings

netsh winhttp show proxy
ping -n 1 wpad

PreviousEnumeration NextRecon Commands

Last updated 3 years ago

Was this helpful?

• 2FA methods • Certificates • Open ports • Installed services • COM objects • Named pipes • Scheduled tasks • Mapped drives • System PATH • Installed drivers • LSASS protected mode • LLMNR/NBT-NS • WDigest provider • NTLMv1 status • SMB Signing • PowerShell logging • Logon limitations • LLMNR/NBT-NS status • RID 500 account status • FilterAdministratorToken • UAC configuration • SysMon

reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription reg query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging

dir %WINDIR%\Microsoft.Net\Framework\ /s /b | find "System.dll” [System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll") [System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll")