Situational Awareness

Fingerprint Security Products

#List environment variables
set
Get-ADRootDSE

#Process Listing
wmic process get executablepath, commandline
ps
tasklist /v

#Service listing 
wmic service get state,name,pathname

#Installed drivers
Check the \windows\system32\drivers and \windows\sysnative\drivers folders

#WMI Namespaces to check: root\SecurityCenter, root\SecurityCenter2
wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /C:displayName

#List Defender Exclusions (Requires local admin privileges)
Get-MpPreference | select Exclusion*

#Identify if Sysmon is running (Driver, Service, Reg Key)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational

#PowerShell Logging Status
[Bool](Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\Transcription' -ErrorAction SilentlyContinue).EnableTranscripting
[Bool](Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging' -ErrorAction SilentlyContinue).EnableModuleLogging
[Bool](Get-ItemProperty 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' -ErrorAction SilentlyContinue).EnableScriptBlockLogging

System Enumeration

#List installed PowerShell versions (may not necessarily mean PowerShell 2.0 can be executed)
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion

#Identify running PowerShell version
$PSVersionTable.PSVersion

#Identify CLR version
Test-Path $env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll
Test-Path $env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll

Network Enumeration

#List Interfaces
ipconfig /all

#Routing table
route print
netstat -r

#Active connections
netstat -afnoi
netstat -abfnoi

#Identify Domain controllers
nltest /dclist:<dom.local>
nslookup <dom.local>

#Identify AD CS server
certutil

User Profiling

#System uptime

#PowerShell history
type C:\Users\localuser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Get-History | Where-Object {$_.CommandLine -like "*password*"}
Get-PSReadlineOption

From Web Browsers

  • Browser History\Saved Credentials\Cookies

Keylogging

Screen Captures
