Enumerating Security Controls
It is important to understand the security controls in place at an organisation, as they can affect the tools we use for AD enumeration.
Windows Defender
It will block many tools such as PowerView, but there are ways to bypass this. We can see the current Defender status in PowerShell with the following command:
Get-MPComputerStatus
Note the status of RealTimeProtectionEnabled.
AppLocker
AppLocker uses a whitelisting approach to give admins control over which applications and files users can run. Organisations often block PowerShell.exe but forget about other PowerShell executable locations such as %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe or PowerShell_ISE.exe. This means we can call it from other locations.
Get AppLocker Policy
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
PowerShell Constrained Language Mode
Locks down many PowerShell features, such as blocking COM objects and restricting which .NET types, PowerShell classes, etc. can be used.
Checking Language Mode
$ExecutionContext.SessionState.LanguageMode
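As an added example, not part of the original notes: a PowerShell function that checks the same three controls from the administrator's side and flags a gap when Defender real-time protection is off, the language mode is not constrained, or the effective AppLocker policy fails to deny one of the PowerShell host paths mentioned above. It assumes the Defender and AppLocker modules are installed and an elevated session; the function name and the Everyone test principal are my choices.

```powershell
# Added example (not from the original notes): audit the three host-side
# controls described above and flag gaps. Assumes the Defender and AppLocker
# modules are present and an elevated session.
function Get-SecurityControlAudit {
    [CmdletBinding()]
    param(
        # PowerShell host paths the notes list as commonly missed by AppLocker rules.
        [string[]]$PathsToTest = @(
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
            "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
            "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe"
        ),
        [string]$TestUser = 'Everyone'   # principal the AppLocker rules are evaluated as
    )
    $findings = @()

    # Defender: RealTimeProtectionEnabled should be True.
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $rtp = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'unavailable' }
    $findings += [pscustomobject]@{
        Control = 'Defender RealTimeProtection'
        Value   = $rtp
        Ok      = ($rtp -eq $true)
    }
    # Constrained Language Mode: the hardened value is 'ConstrainedLanguage'.
    $mode = $ExecutionContext.SessionState.LanguageMode
    $findings += [pscustomobject]@{
        Control = 'PowerShell LanguageMode'
        Value   = $mode
        Ok      = ($mode -eq 'ConstrainedLanguage')
    }
    # AppLocker: the effective policy should deny every PowerShell host path,
    # not just the default System32 powershell.exe.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    foreach ($p in $PathsToTest) {
        $decision = 'no policy'
        if ($policy -and (Test-Path $p)) {
            $decision = ($policy | Test-AppLockerPolicy -Path $p -User $TestUser).PolicyDecision
        }
        $findings += [pscustomobject]@{
            Control = "AppLocker: $p"
            Value   = $decision
            Ok      = ($decision -in 'Denied', 'DeniedByDefault')
        }
    }
    $findings
}

Get-SecurityControlAudit | Format-Table -AutoSize
```

Any row with Ok set to False is a control the notes above would treat as a bypass opportunity and is worth remediating.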
LAPS
LAPS (Local Administrator Password Solution) is used to randomize and rotate local admin passwords on Windows hosts. We can enumerate which domain users can read the LAPS password set for machines and which machines don't have it installed.
An account that has joined a computer to a domain receives All Extended Rights over that host, giving it the ability to read passwords. The LAPSToolkit will help with this.
Using Find-LAPSDelegatedGroups
We can show user accounts that can read the LAPS password on a host.
Find-LAPSDelegatedGroups
Using Find-AdmPwdExtendedRights
This command checks the rights on each computer with LAPS enabled for any groups with read access and AD users with "All Extended Rights."
Find-AdmPwdExtendedRights
Using Get-LAPSComputers
This command searches for computers that have LAPS enabled, shows when their passwords expire, and even shows the randomized password in cleartext if our user has access.
Get-LAPSComputers