Enumerating Security Controls

Windows Defender

PowerShell cmdlet Get-MpComputerStatus to get the current Defender status. Here, the RealTimeProtectionEnabled parameter is set to True, which means Defender is enabled on the system.

PS C:\xyz> Get-MpComputerStatus

AMEngineVersion                 : 1.1.17400.5
AMProductVersion                : 4.10.14393.0
AMServiceEnabled                : True
AMServiceVersion                : 4.10.14393.0
AntispywareEnabled              : True
AntispywareSignatureAge         : 1
AntispywareSignatureLastUpdated : 9/2/2020 11:31:50 AM
AntispywareSignatureVersion     : 1.323.392.0
AntivirusEnabled                : True
AntivirusSignatureAge           : 1
AntivirusSignatureLastUpdated   : 9/2/2020 11:31:51 AM
AntivirusSignatureVersion       : 1.323.392.0
BehaviorMonitorEnabled          : False
ComputerID                      : 07D23A51-F83F-4651-B9ED-110FF2B83A9C
ComputerState                   : 0
FullScanAge                     : 4294967295
FullScanEndTime                 :
FullScanStartTime               :
IoavProtectionEnabled           : False
LastFullScanSource              : 0
LastQuickScanSource             : 2
NISEnabled                      : False
NISEngineVersion                : 0.0.0.0
NISSignatureAge                 : 4294967295
NISSignatureLastUpdated         :
NISSignatureVersion             : 0.0.0.0
OnAccessProtectionEnabled       : False
QuickScanAge                    : 0
QuickScanEndTime                : 9/3/2020 12:50:45 AM
QuickScanStartTime              : 9/3/2020 12:49:49 AM
RealTimeProtectionEnabled       : True
RealTimeScanDirection           : 0
PSComputerName                  :

AppLocker

AppLocker is Microsoft's application whitelisting solution and gives system administrators control over which applications and files users can run. It is common for organizations to block cmd.exe and PowerShell.exe and write access to certain directories, but this can all be bypassed. Organizations also often focus on blocking the PowerShell.exe executable, but forget about the other PowerShell executable locations such as %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe or PowerShell_ISE.exe. We can see that this is the case in the AppLocker rules shown below. All Domain Users are disallowed from running the 64-bit PowerShell executable located at:

%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe

So, we can merely call it from other locations.

S C:\xyz> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

PathConditions      : {%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 3d57af4a-6cf8-4e5b-acfc-c2c2956061fa
Name                : Block PowerShell
Description         : Blocks Domain Users from using PowerShell on workstations
UserOrGroupSid      : S-1-5-21-2974783224-3764228556-2640795941-513
Action              : Deny

PathConditions      : {%PROGRAMFILES%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 921cc481-6e17-4653-8f75-050b80acca20
Name                : (Default Rule) All files located in the Program Files folder
Description         : Allows members of the Everyone group to run applications that are located in the Program Files folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%WINDIR%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : a61c8b2c-a319-4cd0-9690-d2177cad7b51
Name                : (Default Rule) All files located in the Windows folder
Description         : Allows members of the Everyone group to run applications that are located in the Windows folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : fd686d83-a829-4351-8ff4-27c7de5755d2
Name                : (Default Rule) All files
Description         : Allows members of the local Administrators group to run all applications.
UserOrGroupSid      : S-1-5-32-544
Action              : Allow

PowerShell Constrained Language Mode

PowerShell Constrained Language Mode locks down many of the features needed to use PowerShell effectively, such as blocking COM objects, only allowing approved .NET types, XAML-based workflows, PowerShell classes, and more.

PS C:\xyz> $ExecutionContext.SessionState.LanguageMode

ConstrainedLanguage

LAPS

The Microsoft Local Administrator Password Solution (LAPS) is used to randomize and rotate local administrator passwords on Windows hosts and prevent lateral movement. We can enumerate what domain users can read the LAPS password set for machines with LAPS installed and what machines do not have LAPS installed. The LAPSToolkit greatly facilitates this with several functions.

PS C:\xyz> Find-LAPSDelegatedGroups

OrgUnit                                             Delegated Groups
-------                                             ----------------
OU=Servers,DC=LEGALCORP,DC=LOCAL                LEGALCORP\Domain Admins
OU=Servers,DC=LEGALCORP,DC=LOCAL                LEGALCORP\LAPS Admins
OU=Workstations,DC=LEGALCORP,DC=LOCAL           LEGALCORP\Domain Admins
OU=Workstations,DC=LEGALCORP,DC=LOCAL           LEGALCORP\LAPS Admins
OU=Web Servers,OU=Servers,DC=LEGALCORP,DC=LOCAL LEGALCORP\Domain Admins
OU=Web Servers,OU=Servers,DC=LEGALCORP,DC=LOCAL LEGALCORP\LAPS Admins
OU=SQL Servers,OU=Servers,DC=LEGALCORP,DC=LOCAL LEGALCORP\Domain Admins
OU=SQL Servers,OU=Servers,DC=LEGALCORP,DC=LOCAL LEGALCORP\LAPS Admins
OU=File Servers,OU=Servers,DC=LEGALCORP,DC=L... LEGALCORP\Domain Admins
OU=File Servers,OU=Servers,DC=LEGALCORP,DC=L... LEGALCORP\LAPS Admins
OU=Contractor Laptops,OU=Workstations,DC=LEGALCOF... LEGALCORP\Domain Admins
OU=Contractor Laptops,OU=Workstations,DC=LEGALCOF... LEGALCORP\LAPS Admins
OU=Staff Workstations,OU=Workstations,DC=LEGALCOF... LEGALCORP\Domain Admins
OU=Staff Workstations,OU=Workstations,DC=LEGALCOF... LEGALCORP\LAPS Admins
OU=Executive Workstations,OU=Workstations,DC=INL... LEGALCORP\Domain Admins
OU=Executive Workstations,OU=Workstations,DC=INL... LEGALCORP\LAPS Admins
OU=Mail Servers,OU=Servers,DC=LEGALCORP,DC=L... LEGALCORP\Domain Admins
OU=Mail Servers,OU=Servers,DC=LEGALCORP,DC=L... LEGALCORP\LAPS Admins

The Find-AdmPwdExtendedRights checks the rights on each computer with LAPS enabled for any groups with read access and users with "All Extended Rights." Users with "All Extended Rights" can read LAPS passwords and may be less protected than users in delegated groups, so this is worth checking for.

PS C:\xyz> Find-AdmPwdExtendedRights

ComputerName                Identity                    Reason
------------                --------                    ------
EXCHG01.legalcorp.local LEGALCORP\Domain Admins Delegated
EXCHG01.legalcorp.local LEGALCORP\LAPS Admins   Delegated
SQL01.legalcorp.local   LEGALCORP\Domain Admins Delegated
SQL01.legalcorp.local   LEGALCORP\LAPS Admins   Delegated
WS01.legalcorp.local    LEGALCORP\Domain Admins Delegated
WS01.legalcorp.local    LEGALCORP\LAPS Admins   Delegated

We can use the Get-LAPSComputers function to search for computers that have LAPS enabled when passwords expire, and even the randomized passwords in cleartext if our user has access.

PS C:\xyz> Get-LAPSComputers

ComputerName                Password       Expiration
------------                --------       ----------
DC01.legalcorp.local    6DZ[+A/[]19d$F 08/26/2020 23:29:45
EXCHG01.legalcorp.local oj+2A+[hHMMtj, 09/26/2020 00:51:30
SQL01.legalcorp.local   9G#f;p41dcAe,s 09/26/2020 00:30:09
WS01.legalcorp.local    TCaG-F)3No;l8C 09/26/2020 00:46:04