Enumerating Security Controls

Bypassing security controls is out of scope for this module, but some of the security controls we are likely to come across are listed here.

Windows Defender

Get the current state of Windows Defender using PowerShell.

PS C:\htb> Get-MpComputerStatus

AppLocker

AppLocker is Microsoft's application whitelisting solution; it restricts the software and scripts that are allowed to run on a Windows system. AppLocker can be bypassed in many ways. For example, an AppLocker policy may only block the PowerShell.exe executable located at:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

and omit all other locations.

It is possible to enumerate AppLocker policies with the following cmdlet:

PS C:\htb> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
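The cmdlet above returns the raw rule collections. The PowerShell below is an added example, not part of the original notes: it flattens the effective policy into one row per rule (collection, enforcement mode, action, principal, condition) so gaps are easy to spot, and then asks the policy how it treats the powershell.exe path named above for a given user. Only Get-AppLockerPolicy and Test-AppLockerPolicy are built-in cmdlets; the two function names and the output layout are my own.

```powershell
# Added example (not from the original notes). Requires the AppLocker module
# (Windows 7 / Server 2008 R2 and later). Get-AppLockerRuleSummary and
# Test-AppLockerPathCoverage are my own helper names.

function Get-AppLockerRuleSummary {
    $policy = Get-AppLockerPolicy -Effective
    foreach ($collection in $policy.RuleCollections) {
        foreach ($rule in $collection) {
            # Path rules carry PathConditions, publisher rules PublisherConditions,
            # hash rules HashConditions; report whichever kind this rule uses.
            $condition = switch ($true) {
                { $rule.PathConditions }      { ($rule.PathConditions      | ForEach-Object { $_.Path }) -join '; '; break }
                { $rule.PublisherConditions } { ($rule.PublisherConditions | ForEach-Object { "$($_.PublisherName) / $($_.ProductName)" }) -join '; '; break }
                { $rule.HashConditions }      { ($rule.HashConditions      | ForEach-Object { $_.SourceFileName }) -join '; '; break }
                default                       { '(none)' }
            }
            # Resolve the SID to a name where possible; fall back to the raw SID.
            try   { $principal = $rule.UserOrGroupSid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $principal = $rule.UserOrGroupSid.Value }

            [PSCustomObject]@{
                Collection  = $collection.RuleCollectionType   # Exe, Script, Msi, Dll, Appx
                Enforcement = $collection.EnforcementMode      # NotConfigured, AuditOnly, Enabled
                Action      = $rule.Action                     # Allow or Deny
                Rule        = $rule.Name
                Principal   = $principal
                Condition   = $condition
            }
        }
    }
}

function Test-AppLockerPathCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $User = "$env:USERDOMAIN\$env:USERNAME"
    )
    $policy = Get-AppLockerPolicy -Effective
    # Test-AppLockerPolicy reports the decision for each path and which rule
    # produced it. A path the policy never names falls through to the
    # collection's default rules, so the MatchingRule column shows whether a
    # Deny rule, an Allow rule or only a default rule applies to it.
    foreach ($p in $Path) {
        Test-AppLockerPolicy -PolicyObject $policy -Path $p -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }
}

# Usage: list every effective rule, then check the path discussed in the text.
Get-AppLockerRuleSummary | Format-Table -AutoSize
Test-AppLockerPathCoverage -Path "$env:SystemRoot\system32\WindowsPowerShell\v1.0\powershell.exe"
```

If the Exe collection's Enforcement column reads NotConfigured or AuditOnly, the decisions reported by Test-AppLockerPathCoverage describe what the policy would do, not what is currently enforced on the host.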

PowerShell Constrained Language Mode

Constrained Language Mode blocks many PowerShell language features, which can prevent an attacker from leveraging the full capabilities of PowerShell.

To identify whether we are running PowerShell in FullLanguage or ConstrainedLanguage mode:

PS C:\htb> $ExecutionContext.SessionState.LanguageMode

LAPS

The Local Administrator Password Solution (LAPS) is a Windows feature that provides automatic rotation and management of the local administrator account password on domain-joined computers. Only specific users and delegated groups have the right to read the LAPS password of a host.

LAPSToolkit is a tool based on an earlier version of PowerView. It can be used to enumerate which hosts have LAPS enabled and which users and groups can read LAPS passwords. Among other things, its PowerShell cmdlets can list all users with "All Extended Rights", which grants them read access to LAPS passwords.

Find-LAPSDelegatedGroups  # Check for groups that have read access to LAPS passwords
Find-AdmPwdExtendedRights # Check all users with All Extended Rights enabled
Get-LAPSComputers         # Check for all hosts with LAPS enabled
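The same two questions (which hosts have LAPS enabled, and who is delegated to read the password) can be answered with the ActiveDirectory module alone. The PowerShell below is an added example, not part of the original notes or of LAPSToolkit. It assumes the legacy Microsoft LAPS schema (attributes ms-Mcs-AdmPwd and ms-Mcs-AdmPwdExpirationTime); Windows LAPS uses different attribute names. Read access to the confidential ms-Mcs-AdmPwd attribute is granted either by an ExtendedRight ACE scoped to that attribute's schema GUID or by the unscoped "All Extended Rights" ACE the text refers to, and the function looks for both. The function names are my own.

```powershell
# Added example (not from the original notes). Requires the RSAT ActiveDirectory
# module and a domain account able to read OU ACLs. Assumes legacy LAPS attributes.
Import-Module ActiveDirectory

function Get-LapsEnabledComputer {
    # The LAPS client writes ms-Mcs-AdmPwdExpirationTime when it sets a password,
    # so a populated value identifies hosts where LAPS is actually in use.
    Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' -Properties ms-Mcs-AdmPwdExpirationTime |
        Select-Object Name, DNSHostName,
            @{ n = 'PasswordExpiresUtc'; e = { [DateTime]::FromFileTimeUtc([long]$_.'ms-Mcs-AdmPwdExpirationTime') } }
}

function Get-LapsReadDelegation {
    param([string] $SearchBase = (Get-ADDomain).DistinguishedName)

    # schemaIDGUID of ms-Mcs-AdmPwd, so rights scoped to just that attribute are recognised.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $attr       = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    $admPwdGuid = [Guid]$attr.schemaIDGUID
    $allExtended = [Guid]::Empty   # ObjectType of an unscoped "All Extended Rights" ACE

    Get-ADOrganizationalUnit -SearchBase $SearchBase -Filter * | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # GenericAll includes the ExtendedRight bit, so this also catches full-control grants.
            if (($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -eq 0) { continue }
            if ($ace.ObjectType -ne $allExtended -and $ace.ObjectType -ne $admPwdGuid) { continue }

            [PSCustomObject]@{
                OU        = $ou.DistinguishedName
                Principal = $ace.IdentityReference.Value
                Scope     = if ($ace.ObjectType -eq $allExtended) { 'All Extended Rights' } else { 'ms-Mcs-AdmPwd only' }
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage: hosts with a LAPS-managed password, then every OU-level grant that permits reading it.
Get-LapsEnabledComputer | Format-Table -AutoSize
Get-LapsReadDelegation  | Sort-Object OU, Principal -Unique | Format-Table -AutoSize
```

Reviewing the Scope column is the useful part for a defender: principals listed with "All Extended Rights" typically got that right for some unrelated reason (for example a broad delegation on a parent OU) and can read every LAPS password beneath it, whereas entries scoped to ms-Mcs-AdmPwd only are the deliberate delegations.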
