1.Situational-awareness

Windows Network Information

# IP configuration
ipconfig /all

# ARP table
arp -a

# Routing table
route print

Windows Protections Enumeration

# Windows Defender status
Get-MpComputerStatus

# AppLocker policy (effective)
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# AppLocker policy (local)
Get-AppLockerPolicy -Local | select -ExpandProperty RuleCollections

# Test AppLocker policy
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

General Enumeration

# Running processes (Windows)
tasklist
# Running processes (Linux)
ps aux
# File system enumeration (Windows)
dir /s C:\
# File system enumeration (Linux)
find / -type f -print

Key Concepts:

  • Situational Awareness: Understanding your environment to make informed decisions.

  • Enumeration: Gathering information about the target system.

  • Lateral Movement: Moving from one compromised system to another.

  • Dual-Homed Hosts: Systems with multiple network interfaces.

  • EDR/Antivirus: Endpoint Detection and Response and Antivirus software.

  • Application Whitelisting: Controlling which applications can run.

Importance of Situational Awareness:

  • Effective planning and execution of attacks.

  • Identifying additional attack vectors.

  • Avoiding detection by security systems.

  • Efficient use of time and resources.

Enumeration Techniques:

  1. Network Information:

    • ipconfig /all (Windows): Displays network interface configurations.

    • arp -a (Windows): Displays the ARP cache.

    • route print (Windows): Displays the routing table.

    • Purpose: Identifies network interfaces, IP addresses, DNS servers, routing paths, and other connected devices.

    • Importance: Reveals potential lateral movement opportunities and network architecture.

  2. Enumerating Protections:

    • Get-MpComputerStatus (PowerShell): Checks Windows Defender status.

    • Get-AppLockerPolicy (PowerShell): Enumerates AppLocker policies.

    • Test-AppLockerPolicy (PowerShell): Tests AppLocker policies.

    • Purpose: Identifies antivirus, EDR, and application whitelisting solutions.

    • Importance: Helps determine which tools and techniques are likely to be detected or blocked.

Key Enhancements and Considerations:

  • Linux Equivalents:

    • Mention Linux commands like ifconfig, ip addr, arp, and route -n for network information.

    • Mention linux tools like lynis and chkrootkit for enumeration of protections.

  • EDR Evasion:

    • Discuss basic EDR evasion techniques, such as modifying payloads and using obfuscation.

    • Emphasize that EDR evasion is a constant cat and mouse game.

  • Active Directory Enumeration:

    • If the target is part of an Active Directory domain, emphasize the importance of enumerating domain controllers and other domain resources.

    • Tools like PowerView can be used.

  • Process Enumeration:

    • Tasklist (windows) and ps (linux) are also very important to enumerate running processes.

  • File System Enumeration:

    • Enumerating the file system to find sensitive information or misconfigurations is also very important.

  • Log Analysis:

    • Mention the importance of checking system logs for suspicious activity.

  • Real-World Considerations:

    • Stress the importance of adapting enumeration techniques to the specific environment.

    • Emphasize the need for thorough testing in a lab environment before using advanced techniques on a client system.

  • Documentation:

    • Stress the importance of documenting all findings during the enumeration process.

  • Threat Intelligence:

    • Using public threat intelligence can help to understand the most common attacks against the target operating system.

Previous1.Getting the Lay of the LandNext2.Initial-enumeration

Last updated