Enumerating Security Controls
Windows Defender
Get-MpComputerStatus
Code
Get-MpComputerStatus
Example
RealTimeProtectionEnabled : True
The RealTimeProtectionEnabled parameter is set to True, which means Defender is enabled on the system.
AppLocker
Code
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Example
PathConditions : {%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : 3d57af4a-6cf8-4e5b-acfc-c2c2956061fa
Name : Block PowerShell
Description : Blocks Domain Users from using PowerShell on workstations
UserOrGroupSid : S-1-5-21-2974783224-3764228556-2640795941-513
Action : Deny

PathConditions : {%PROGRAMFILES%\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : 921cc481-6e17-4653-8f75-050b80acca20
Name : (Default Rule) All files located in the Program Files folder
Description : Allows members of the Everyone group to run applications that are located in the Program Files folder.
UserOrGroupSid : S-1-1-0
Action : Allow

PathConditions : {%WINDIR%\*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : a61c8b2c-a319-4cd0-9690-d2177cad7b51
Name : (Default Rule) All files located in the Windows folder
Description : Allows members of the Everyone group to run applications that are located in the Windows folder.
UserOrGroupSid : S-1-1-0
Action : Allow

PathConditions : {*}
PathExceptions : {}
PublisherExceptions : {}
HashExceptions : {}
Id : fd686d83-a829-4351-8ff4-27c7de5755d2
Name : (Default Rule) All files
Description : Allows members of the local Administrators group to run all applications.
UserOrGroupSid : S-1-5-32-544
Action : Allow
Organizations also often focus on blocking the PowerShell.exe executable, but forget about the other PowerShell executable locations:
%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PowerShell_ISE.exe
PowerShell Constrained Language Mode
Code
$ExecutionContext.SessionState.LanguageMode
Example
ConstrainedLanguage
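As an added example (not code from the original notes), a PowerShell script that runs the Defender, AppLocker and language-mode checks above in one pass and then tests whether the effective AppLocker Deny rules actually cover the alternate PowerShell host locations mentioned in the AppLocker section. It assumes the Defender and AppLocker modules are available on the host; the list of host paths is my own assumption.

```powershell
# Added example, not from the original notes. Assumes the Defender and AppLocker
# PowerShell modules are present (Get-MpComputerStatus, Get-AppLockerPolicy).

# Defender real-time protection and the session's language mode, as enumerated above
$mp = Get-MpComputerStatus
"Defender real-time protection : $($mp.RealTimeProtectionEnabled)"
"Language mode                 : $($ExecutionContext.SessionState.LanguageMode)"

# Collect the path patterns of every effective AppLocker Deny rule.
# FilePathRule objects expose PathConditions; other rule types yield $null here.
$policy = Get-AppLockerPolicy -Effective
$denyPatterns = foreach ($collection in $policy.RuleCollections) {
    foreach ($rule in $collection) {
        if ($rule.Action -eq 'Deny' -and $rule.PathConditions) {
            $rule.PathConditions | ForEach-Object { $_.Path }
        }
    }
}

# PowerShell host locations that a policy blocking only powershell.exe tends to miss
# (assumed list), written with AppLocker path variables so they compare against rule output.
$psHosts = @(
    '%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE',
    '%WINDIR%\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE',
    '%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE',
    '%WINDIR%\SYSWOW64\WINDOWSPOWERSHELL\V1.0\POWERSHELL_ISE.EXE'
)

# AppLocker's '*' wildcard maps onto -like, so a folder rule such as %WINDIR%\* also counts.
# Caveat: path variable text is compared literally (%SYSTEM32% and %WINDIR%\System32 are
# not unified), and the rule's UserOrGroupSid scope is ignored by this check.
foreach ($h in $psHosts) {
    $match = $denyPatterns | Where-Object { $h -like $_ }
    if ($match) { "BLOCKED     $h  (rule: $($match | Select-Object -First 1))" }
    else        { "NOT COVERED $h" }
}
```

A host reported as NOT COVERED is one the effective policy leaves runnable for the user whose rules apply, so the output is the list to take back to whoever maintains the AppLocker policy.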
LAPS
Find-LAPSDelegatedGroups
The Microsoft Local Administrator Password Solution (LAPS) is used to randomize and rotate local administrator passwords on Windows hosts and prevent lateral movement.
Code
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Checks the rights on each computer with LAPS enabled for any groups with read access and users with "All Extended Rights."
Users with "All Extended Rights" can read LAPS passwords and may be less protected than users in delegated groups.
Code
Find-AdmPwdExtendedRights
Example
ComputerName Identity Reason
------------ -------- ------
EXCHG01.example.LOCAL example\Domain Admins Delegated
EXCHG01.example.LOCAL example\LAPS Admins Delegated
SQL01.example.LOCAL example\Domain Admins Delegated
SQL01.example.LOCAL example\LAPS Admins Delegated
WS01.example.LOCAL example\Domain Admins Delegated
WS01.example.LOCAL example\LAPS Admins Delegated
Get-LAPSComputers
Searches for computers that have LAPS enabled, shows when their passwords expire, and even displays the randomized passwords in cleartext if our user has access.
Code
Get-LAPSComputers
Example
ComputerName Password Expiration
------------ -------- ----------
DC01.example.LOCAL 6DZ[+A/[]19d$F 08/26/2020 23:29:45
EXCHG01.example.LOCAL oj+2A+[hHMMtj, 09/26/2020 00:51:30
SQL01.example.LOCAL 9G#f;p41dcAe,s 09/26/2020 00:30:09
WS01.example.LOCAL TCaG-F)3No;l8C 09/26/2020 00:46:04