Skip to content

Instantly share code, notes, and snippets.

@egre55

egre55/Get-SituationalAwareness.ps1

Last active July 16, 2024 13:02
Show Gist options
  • Save egre55/db41cc2df355e8591eacff561facf34e to your computer and use it in GitHub Desktop.
Save egre55/db41cc2df355e8591eacff561facf34e to your computer and use it in GitHub Desktop.
Download ZIP
Get-SituationalAwareness.ps1
Raw
Get-SituationalAwareness.ps1
<#
Script will enumerate:
PowerShell Language Mode
Current user details
Current privileges
Domain and Forest functional levels
AD user information
AD computer information
System information
Local user accounts
Local Administrators
Current Session ID
Local sessions
Local user profiles
Installed software
Running security products
Domain password policy
Keepass databases
RunMRU (run command history)
Networking
Network connections
Proxy settings
DNS cache
Shares
Scheduled tasks
Domain Admins
Windows Event Forwarding
Windows Update settings
Domain Controllers
Running processes
AppLocker settings
Outbound firewall rules
#>
$ErrorActionPreference = 'SilentlyContinue'
# PowerShell Language Mode
Write-Output "`n[*] Checking PowerShell Language Mode`n"
$executioncontext.sessionstate.languagemode
# Current user details
Write-Output "`n[*] Checking user details`n"
net user $env:UserName /domain
net user $env:UserName
# Current privileges
Write-Output "`n[*] Checking privileges`n"
whoami /priv
# Domain and Forest functional levels
Write-Output "`n[*] Checking Forest functional level`n"
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Write-Output "`n[*] Checking Domain functional level`n"
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# AD user information
Write-Output "`n[*] Checking AD user information`n"
$san = $env:UserName
$getad = (([adsisearcher]"(&(objectCategory=User)(samaccountname=$san))").findall()).properties
$getad
# AD computer information
Write-Output "`n[*] Checking AD computer information`n"
$pc = $env:COMPUTERNAME
$getad = (([adsisearcher]"(&(objectCategory=Computer)(name=$pc))").findall()).properties
$getad
# System information
Write-Output "`n[*] Getting systeminfo`n"
systeminfo
# Local user accounts
Write-Output "`n[*] Checking local user accounts"
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | Select Caption, SID | ft -hidetableheaders
# Local Administrators
Write-Output "`n[*] Checking local administrators`n"
net localgroup administrators
# Current Session ID
Write-Output "[*] Checking current Session ID`n"
(Get-Process -PID $pid).SessionID
# Local sessions
Write-Output "`n`n[*] Checking user sessions`n"
qwinsta
# Local user profiles
Write-Output "`n`n[*] Checking user profiles"
$OS = Get-WMiobject -Class Win32_operatingsystem
dir ($OS.SystemDrive + "\Users\")
# Installed software
Write-Output "`n`n[*] Checking installed software"
Get-WmiObject -Class Win32Reg_AddRemovePrograms | fl DisplayName, Version
# Running security products
Write-Output "[*] Checking for running security products"
dir HKLM:\SYSTEM\CurrentControlSet\services\ | findstr /C:McAfee /C:Qualys /C:Symantec /C:Sophos /C:Kaspersky /C:CrowdStrike /C:CarbonBlack /C:Cylance
# Domain password policy
Write-Output "`n[*] Checking Domain password policy"
Get-ADDefaultDomainPasswordPolicy
# Keepass databases
Write-Output "`n[*] Searching for Keepass databases"
Get-ChildItem -Path ($OS.SystemDrive + "\Users\") -Include @("*.kdb*") -Recurse
# RunMRU (Run command history)
#Write-Output "`n[*] Querying RunMRU"
#To do
# Network connections
Write-Output "`n[*] Checking network connections"
$c = netstat -aonp TCP | select-string "ESTABLISHED"; $c
# Proxy settings
Write-Output "`n[*] Checking proxy settings"
Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel" | Select Proxy
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | Select AutoConfigURL
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | Select AutoDetect
Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings" | Select ProxyServer
# DNS cache
Write-Output "`n[*] Checking DNS cache"
ipconfig /displaydns | select-string “Record Name”
# Shares
Write-Output "`n`n[*] Checking shares"
get-WmiObject -class Win32_Share | ft -hidetableheaders
# Scheduled tasks
Write-Output "[*] Checking scheduled tasks"
schtasks /Query
# Domain Admins
Write-Output "`n[*] Checking domain admins`n"
Gwmi win32_groupuser |? {$_.groupcomponent –like "*`"$('Domain Admins')`""} |%{
$_.partcomponent –match “.+Domain\=(.+)\,Name\=(.+)$”|Out-Null
$matches[1].trim('"') + “\” + $matches[2].trim('"')
}
# Windows Event Forwarding
Write-Output "`n`n[*] Checking if Windows Event Forwarding is enabled`n"
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager"
# Windows Update settings
Write-Output "`n[*] Checking Windows Update settings"
Write-Output "`nUses WSUS server (1 if true):"
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU /v UseWUServer
Write-Output "`nWSUS url:"
reg query HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate /v WUServer
# Domain Information
Write-Output "`n[*] Enumerating Domain Information`n"
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Get-WMIObject Win32_NTDomain
# Running processes
Write-Output "`n`n[*] Checking running processes"
tasklist /v
Start-Sleep -s 3
# AppLocker settings
Write-Output "`n[*] Checking AppLocker settings"
dir 'HKLM:Software\Policies\Microsoft\Windows\SrpV2\Exe'
# Outbound firewall rules
Write-Output "`n[*] Checking outbound Firewall rules`n"
$rules = (New-Object -comObject HNetCfg.FwPolicy2).rules
$rules = $rules | where-object {$_.Enabled -eq $true}
$rules = $rules | where-object {$_.Direction -eq "2"}
$rules
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment