Situational Awareness

Network Information

"Dual-homed" hosts: device connected with more than one network

Display Interface(s), IP Address(es), DNS Information

ipconfig /all

which display name of device and workgroup or domain info

Display ARP Table

which display all devices were communicated with this device

arp -a

Display Routing Table

route print

Enumerating Protections

discover all protection like EDR or Application Whitelisting (AppLocker)

Check Windows Defender Status

We can use the GetAppLockerPolicy cmdlet to enumerate the local, effective (enforced), and domain AppLocker policies.

Get-MpComputerStatus

List AppLocker Rules

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Test AppLocker Policy

PS C:\irix> Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

FilePath                    PolicyDecision MatchingRule
--------                    -------------- ------------
C:\Windows\System32\cmd.exe         Denied c:\windows\system32\cmd.exe

PreviousGetting the Lay of the Land NextInitial Enumeration

Last updated 7 months ago

hashtagSituational Awareness

hashtagNetwork Information

hashtagDisplay Interface(s), IP Address(es), DNS Information

hashtagDisplay ARP Table

hashtagDisplay Routing Table

hashtagEnumerating Protections

hashtagCheck Windows Defender Status

hashtagList AppLocker Rules

hashtagTest AppLocker Policy