egre55 revised this gist
Oct 11, 2018 . 1 changed file with 0 additions and 2 deletions.
@@ -1,5 +1,3 @@ <# Script will enumerate: -
egre55 created this gist
Oct 11, 2018 .
@@ -0,0 +1,244 @@ # Author: Ian Austin (@egre55) <# Script will enumerate: PowerShell Language Mode Current user details Current privileges Domain and Forest functional levels AD user information AD computer information System information Local user accounts Local Administrators Current Session ID Local sessions Local user profiles Installed software Running security products Domain password policy Keepass databases RunMRU (run command history) Networking Network connections Proxy settings DNS cache Shares Scheduled tasks Domain Admins Windows Event Forwarding Windows Update settings Domain Controllers Running processes AppLocker settings Outbound firewall rules #> $ErrorActionPreference = 'SilentlyContinue' # PowerShell Language Mode Write-Output "`n[*] Checking PowerShell Language Mode`n" $executioncontext.sessionstate.languagemode # Current user details Write-Output "`n[*] Checking user details`n" net user $env:UserName /domain net user $env:UserName # Current privileges Write-Output "`n[*] Checking privileges`n" whoami /priv # Domain and Forest functional levels Write-Output "`n[*] Checking Forest functional level`n" [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() Write-Output "`n[*] Checking Domain functional level`n" [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain() # AD user information Write-Output "`n[*] Checking AD user information`n" $san = $env:UserName $getad = (([adsisearcher]"(&(objectCategory=User)(samaccountname=$san))").findall()).properties $getad # AD computer information Write-Output "`n[*] Checking AD computer information`n" $pc = $env:COMPUTERNAME $getad = (([adsisearcher]"(&(objectCategory=Computer)(name=$pc))").findall()).properties $getad # System information Write-Output "`n[*] Getting systeminfo`n" systeminfo # Local user accounts Write-Output "`n[*] Checking local user accounts" Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | Select Caption, SID | ft -hidetableheaders # 
Local Administrators Write-Output "`n[*] Checking local administrators`n" net localgroup administrators # Current Session ID Write-Output "[*] Checking current Session ID`n" (Get-Process -PID $pid).SessionID # Local sessions Write-Output "`n`n[*] Checking user sessions`n" qwinsta # Local user profiles Write-Output "`n`n[*] Checking user profiles" $OS = Get-WMiobject -Class Win32_operatingsystem dir ($OS.SystemDrive + "\Users\") # Installed software Write-Output "`n`n[*] Checking installed software" Get-WmiObject -Class Win32Reg_AddRemovePrograms | fl DisplayName, Version # Running security products Write-Output "[*] Checking for running security products" dir HKLM:\SYSTEM\CurrentControlSet\services\ | findstr /C:McAfee /C:Qualys /C:Symantec /C:Sophos /C:Kaspersky /C:CrowdStrike /C:CarbonBlack /C:Cylance # Domain password policy Write-Output "`n[*] Checking Domain password policy" Get-ADDefaultDomainPasswordPolicy # Keepass databases Write-Output "`n[*] Searching for Keepass databases" Get-ChildItem -Path ($OS.SystemDrive + "\Users\") -Include @("*.kdb*") -Recurse # RunMRU (Run command history) #Write-Output "`n[*] Querying RunMRU" #To do # Network connections Write-Output "`n[*] Checking network connections" $c = netstat -aonp TCP | select-string "ESTABLISHED"; $c # Proxy settings Write-Output "`n[*] Checking proxy settings" Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel" | Select Proxy Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | Select AutoConfigURL Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | Select AutoDetect Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | Select ProxyServer # DNS cache Write-Output "`n[*] Checking DNS cache" ipconfig /displaydns | select-string Record Name # Shares Write-Output "`n`n[*] Checking shares" get-WmiObject -class Win32_Share | ft -hidetableheaders # 
Scheduled tasks Write-Output "[*] Checking scheduled tasks" schtasks /Query # Domain Admins Write-Output "`n[*] Checking domain admins`n" Gwmi win32_groupuser |? {$_.groupcomponent like "*`"$('Domain Admins')`""} |%{ $_.partcomponent match .+Domain\=(.+)\,Name\=(.+)$|Out-Null $matches[1].trim('"') + \ + $matches[2].trim('"') } # Windows Event Forwarding Write-Output "`n`n[*] Checking if Windows Event Forwarding is enabled`n" reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager" # Windows Update settings Write-Output "`n[*] Checking Windows Update settings" Write-Output "`nUses WSUS server (1 if true):" reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer Write-Output "`nWSUS url:" reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer # Domain Information Write-Output "`n[*] Enumerating Domain Information`n" [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest() Get-WMIObject Win32_NTDomain # Running processes Write-Output "`n`n[*] Checking running processes" tasklist /v Start-Sleep -s 3 # AppLocker settings Write-Output "`n[*] Checking AppLocker settings" dir 'HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe' # Outbound firewall rules Write-Output "`n[*] Checking outbound Firewall rules`n" $rules = (New-Object -comObject HNetCfg.FwPolicy2).rules $rules = $rules | where-object {$_.Enabled -eq $true} $rules = $rules | where-object {$_.Direction -eq "2"} $rules
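Review bot: The DNS-cache check `ipconfig /displaydns | select-string Record Name` passes `Record` as the pattern and `Name` as a positional -Path, so Select-String switches to its file parameter set, the pipeline input cannot bind, and the section yields no records; it should read `ipconfig /displaydns | select-string "Record Name"`. Because `$ErrorActionPreference = 'SilentlyContinue'` is set at the top of the script, this kind of failure is easy to miss, and the same setting makes the `Get-ADDefaultDomainPasswordPolicy` section print nothing when the ActiveDirectory module is absent, which is indistinguishable from "no policy"; a guard such as `if (Get-Command Get-ADDefaultDomainPasswordPolicy -ErrorAction SilentlyContinue) { Get-ADDefaultDomainPasswordPolicy } else { Write-Output "[-] ActiveDirectory module not available" }` would make that explicit. In the Domain Admins block, `$_.partcomponent match .+Domain\=(.+)\,Name\=(.+)$` and the bare `\` in the output expression look as though the `-` on `-match` and the quotes around the regex and separator were lost in rendering; if the stored file reads the same way, that scriptblock does not parse and the block produces nothing. The Write-Output banners also mix leading and trailing "`n" inconsistently (for example "[*] Checking local user accounts" has no trailing newline while its neighbours do), which is cosmetic but worth normalising in one pass.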