Situational Awareness
Fingerprint Security Products
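#List environment variables (LOGONSERVER, USERDNSDOMAIN, PSModulePath etc. are useful here)
set
#Domain root DSE. Get-ADRootDSE needs the ActiveDirectory module (RSAT), which most workstations lack;
#the [ADSI] form needs only .NET and works from any domain-joined host without extra modules
Get-ADRootDSE
[ADSI]"LDAP://RootDSE"
#Process Listing. wmic is deprecated and removed on recent Windows 11 builds; Get-CimInstance is the drop-in replacement
wmic process get executablepath, commandline
Get-CimInstance Win32_Process | Select-Object ProcessId, ExecutablePath, CommandLine
ps
tasklist /v
#Service listing (PathName shows where AV/EDR agents live even when the service name is generic)
wmic service get state,name,pathname
Get-CimInstance Win32_Service | Select-Object State, Name, PathName
#Installed drivers. driverquery works unprivileged; fltmc lists minifilter drivers (where most AV/EDR file-system sensors sit) but needs local admin.
#Also check the \windows\system32\drivers and \windows\sysnative\drivers folders (sysnative reaches the real 64-bit folder from a 32-bit process)
driverquery /v
fltmc
#WMI Namespaces to check: root\SecurityCenter (legacy XP/2003), root\SecurityCenter2 (Vista and later clients).
#Neither namespace exists on Windows Server, so an empty result there does not mean "no AV" - fall back to the service/driver listings above.
#findstr is case-sensitive by default and the header line is "DisplayName", so /I is required for the filter to actually drop it
wmic /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct Get DisplayName | findstr /V /B /I /C:displayName
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object displayName, productState, pathToSignedProductExe
#List Defender Exclusions (Requires local admin privileges; a non-admin user gets empty properties rather than an error)
Get-MpPreference | Select-Object Exclusion*
#Identify if Sysmon is running (Driver, Service, Reg Key). Sysmon/Sysmon64 and SysmonDrv are only the default names and are
#frequently renamed in hardened deployments; the event-channel registry key survives a rename and is the more reliable indicator
Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
Get-Service | Where-Object { $_.Name -like '*sysmon*' }
fltmc | findstr /I sysmon
#PowerShell Logging Status. Query both the native SOFTWARE\Policies path and the Wow6432Node (32-bit) view:
#reading only Wow6432Node can miss a policy applied to the native hive and report a false "logging off".
#A missing key yields $null, which [Bool] coerces to False - absence of the policy key is not proof that logging is disabled
#(transcription can also be started from profile scripts or per-session Start-Transcript).
foreach ($policyRoot in 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell', 'HKLM:\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell') {
  [Bool](Get-ItemProperty "$policyRoot\Transcription" -ErrorAction SilentlyContinue).EnableTranscripting
  [Bool](Get-ItemProperty "$policyRoot\ModuleLogging" -ErrorAction SilentlyContinue).EnableModuleLogging
  [Bool](Get-ItemProperty "$policyRoot\ScriptBlockLogging" -ErrorAction SilentlyContinue).EnableScriptBlockLogging
}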
System Enumeration
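#List installed PowerShell engines (registry key 1 = the 2.0 engine, 3 = the 3.0+ engine).
#Presence of the v2 engine alone does not mean PowerShell 2.0 can be started: "powershell -version 2" also needs the
#.NET 2.0/3.5 CLR checked below, and the v2 engine is what evades ScriptBlock logging/AMSI, so both checks matter
(Get-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\*\PowerShellEngine -Name PowerShellVersion).PowerShellVersion
#Identify running PowerShell version
$PSVersionTable.PSVersion
#CLR hosting the current session (the v2 engine runs on CLR 2.0, v3+ on CLR 4.0)
[System.Environment]::Version
#Check which CLRs are installed on disk; v2.0.50727 is the one the PowerShell 2.0 engine requires.
#On 64-bit hosts the 64-bit runtimes live under Framework64, so check both folders
Test-Path $env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll
Test-Path $env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll
Test-Path $env:windir\Microsoft.Net\Framework64\v2.0.50727\System.dll
Test-Path $env:windir\Microsoft.Net\Framework64\v4.0.30319\System.dll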
Network Enumeration
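#List Interfaces
ipconfig /all
#Routing table
route print
netstat -r
#Active connections. -o adds the owning PID; -b resolves the executable but requires local admin
#(unprivileged it fails with "The requested operation requires elevation"), so run the -b form only when elevated
netstat -afnoi
netstat -abfnoi
#PowerShell equivalent that returns the owning PID without elevation (map it with Get-Process -Id)
Get-NetTCPConnection | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
#Identify Domain controllers
nltest /dclist:<dom.local>
nltest /dsgetdc:<dom.local>
nslookup <dom.local>
#DNS-only discovery via the DC SRV records - works when nltest is unavailable or the host is not domain-joined
nslookup -type=SRV _ldap._tcp.dc._msdcs.<dom.local>
#DC that authenticated the current session (cmd: echo %LOGONSERVER%)
$env:LOGONSERVER
#Identify AD CS server. Bare certutil dumps the locally cached CA configuration; -TCAInfo enumerates the enterprise CAs
#published in AD and pings each one, which is what identifies the live issuing CA(s)
certutil
certutil -TCAInfo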
User Profiling
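#System uptime (the systeminfo form is locale-dependent; the CIM property is not)
(Get-CimInstance Win32_OperatingSystem).LastBootUpTime
systeminfo | findstr /B /C:"System Boot Time"
#PowerShell history. PSReadLine persists it per user, by default under that user's APPDATA. The literal
#C:\Users\localuser path only ever covers one profile - resolve the real path from PSReadLine for the current
#user, and walk every profile on the host for the others (reading them needs access to those users' folders)
(Get-PSReadlineOption).HistorySavePath
type $env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | Select-String -Pattern 'password|passw|pwd|secret|cred'
#Get-History only covers the current session, not the on-disk PSReadLine file above
Get-History | Where-Object {$_.CommandLine -like "*password*"}
Get-PSReadlineOption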
From Web Browsers
Browser history, saved credentials and cookies
Keylogging
Screen Captures