Enumerating Security Controls
Bypassing security controls is out of scope for this module, but some of the security controls we are likely to come across are listed below.
Windows Defender
Get the current state of Windows Defender using PowerShell.
AppLocker
AppLocker, Microsoft's application whitelisting feature, restricts the software and scripts that are allowed to run on a Windows system. AppLocker can be bypassed in many ways. For example, an AppLocker policy may only block the PowerShell.exe executable located at:
and omit all other locations.
It is possible to enumerate AppLocker policies with the following cmdlet:
PowerShell Constrained Language Mode
Constrained Language Mode blocks many PowerShell features, which prevents an attacker from leveraging the full capabilities of PowerShell.
To identify whether we are running PowerShell in Full or Constrained Language Mode:
LAPS
The Local Administrator Password Solution (LAPS) is a Windows feature that provides automatic rotation and management of local administrator account passwords on domain-joined computers. Only specific users and delegated groups have the right to read the LAPS password of a host.
LAPSToolkit is a tool based on a previous version of PowerView and can be used to enumerate which hosts have LAPS enabled and which users/groups can read LAPS passwords. Among other things, this PowerShell cmdlet can list all users with "All Extended Rights", which grants them read access to LAPS passwords.
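As an added example, not part of the original notes, the following PowerShell function gathers the state of the four controls described above in one pass, the way a defender would audit a host. It assumes a domain-joined Windows host, and the LAPS part assumes the LAPSToolkit module is already imported (Get-LAPSComputers and Find-AdmPwdExtendedRights are its function names); Get-SecurityControlState is a hypothetical name.

```powershell
# Added example (not from the original notes). Assumes: a domain-joined
# Windows host, built-in Defender and AppLocker modules, and, for the LAPS
# part, LAPSToolkit already imported (Import-Module .\LAPSToolkit.ps1).
function Get-SecurityControlState {
    $result = [ordered]@{}

    # Windows Defender: real-time protection state and signature age
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($mp) {
        $result.DefenderRealTime   = $mp.RealTimeProtectionEnabled
        $result.DefenderSigAgeDays = $mp.AntivirusSignatureAge
    } else {
        $result.DefenderRealTime = 'Defender module not available'
    }

    # AppLocker: the effective policy, one line per rule collection
    # (Exe, Script, Msi, Dll, Appx) with its enforcement mode
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($policy -and $policy.RuleCollections) {
        $result.AppLocker = $policy.RuleCollections | ForEach-Object {
            "$($_.RuleCollectionType): $($_.EnforcementMode)"
        }
    } else {
        $result.AppLocker = 'no effective policy'
    }

    # Constrained Language Mode: 'FullLanguage' or 'ConstrainedLanguage'
    $result.LanguageMode = $ExecutionContext.SessionState.LanguageMode

    # LAPS: only when LAPSToolkit is loaded; counts hosts with LAPS and
    # returns the raw list of principals holding "All Extended Rights"
    if (Get-Command Get-LAPSComputers -ErrorAction SilentlyContinue) {
        $result.LapsComputers     = (Get-LAPSComputers | Measure-Object).Count
        $result.LapsExtendedRights = Find-AdmPwdExtendedRights
    } else {
        $result.Laps = 'LAPSToolkit not loaded'
    }

    [pscustomobject]$result
}

Get-SecurityControlState | Format-List
```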