situational-awareweness

Windows Network Information

# IP configuration
ipconfig /all

# ARP table
arp -a

# Routing table
route print

Windows Protections Enumeration

# Windows Defender status
Get-MpComputerStatus

# AppLocker policy (effective)
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# AppLocker policy (local)
Get-AppLockerPolicy -Local | select -ExpandProperty RuleCollections

# Test AppLocker policy
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

General Enumeration

# Running processes (Windows)
tasklist

# Running processes (Linux)
ps aux

# File system enumeration (Windows)
dir /s C:\

# File system enumeration (Linux)
find / -type f -print

Key Concepts:

• Situational Awareness: Understanding your environment to make informed decisions.

• Enumeration: Gathering information about the target system.

• Lateral Movement: Moving from one compromised system to another.

• Dual-Homed Hosts: Systems with multiple network interfaces.

• EDR/Antivirus: Endpoint Detection and Response and Antivirus software.

• Application Whitelisting: Controlling which applications can run. Importance of Situational Awareness:

• Effective planning and execution of attacks.

• Identifying additional attack vectors.

• Avoiding detection by security systems.

• Efficient use of time and resources. Enumeration Techniques:

1. Network Information: - ipconfig /all (Windows): Displays network interface configurations. - arp -a (Windows): Displays the ARP cache. - route print (Windows): Displays the routing table. - Purpose: Identifies network interfaces, IP addresses, DNS servers, routing paths, and other connected devices. - Importance: Reveals potential lateral movement opportunities and network architecture.

2. Enumerating Protections: - Get-MpComputerStatus (PowerShell): Checks Windows Defender status. - Get-AppLockerPolicy (PowerShell): Enumerates AppLocker policies. - Test-AppLockerPolicy (PowerShell): Tests AppLocker policies. - Purpose: Identifies antivirus, EDR, and application whitelisting solutions. - Importance: Helps determine which tools and techniques are likely to be detected or blocked

Key Enhancements and Considerations:

• Linux Equivalents: - Mention Linux commands like ifconfig, ip addr, arp, and route -n for network information. - Mention linux tools like lynis and chkrootkit for enumeration of protections.

• EDR Evasion: - Discuss basic EDR evasion techniques, such as modifying payloads and using obfuscation. - Emphasize that EDR evasion is a constant cat and mouse game.

• Active Directory Enumeration: - If the target is part of an Active Directory domain, emphasize the importance of enumerating domain controllers and other domain resources. - Tools like PowerView can be used.

• Process Enumeration: - Tasklist (windows) and ps (linux) are also very important to enumerate running processes.

• File System Enumeration: - Enumerating the file system to find sensitive information or misconfigurations is also very important.

• Log Analysis: - Mention the importance of checking system logs for suspicious activity.

• Real-World Considerations: - Stress the importance of adapting enumeration techniques to the specific environment. - Emphasize the need for thorough testing in a lab environment before using advanced techniques on a client system.

• Documentation: - Stress the importance of documenting all findings during the enumeration process.

• Threat Intelligence: - Using public threat intelligence can help to understand the most common attacks against the target operating system.