Syslifters Handbook

English

Deutsch

English

Deutsch

Appearance

Host enumeration

Client-Checker

Client-Checker is a PowerShell script to automate client checks on a Windows system. You should run it as admin, as certain stuff can only be queried with elevated rights.

It is used to check a client for common misconfigurations. The list currently includes:

  • Default Domain Password Policy
  • LSA Protection Settings
  • WDAC Usage
  • AppLocker Usage
  • Credential Guard Settings
  • Co-installer Settings
  • DMA Protection Settings
  • BitLocker Settings
  • Secure Boot Settings
  • System PATH ACL checks
  • Unquoted Service Path checks
  • Always Install Elevated checks
  • UAC checks
  • Guest Account checks
  • System Tool access as low priv user checks
  • WSUS Settings
  • PowerShell Settings
  • IPv6 Settings
  • NetBIOS / LLMNR Settings / mDNS
  • SMB Server Settings
  • Firewall Settings
  • AV Settings
  • Proxy Settings
  • Windows Updates
  • 3rd Party Installations
  • RDP Settings
  • WinRM Settings
  • PrintNightmare checks
  • Recall checks
  • Autologon checks

WinPEAS

PEAS is a suite of tools designed to identify local privilege escalation pathways on Windows, Linux, Unix-like, and macOS systems. These tools are provided in multiple formats, including batch scripts (.bat), PowerShell scripts (.ps1), and executables (.exe).

Seatbelt

Seatbelt.exe is part of the GhostPack suite of tools that performs many security checks on a Windows host and collects system data that can be useful for privilege escalation or persistence.

Example (run all checks; produces a lot of output):

powershell
Seatbelt.exe -group=all -full

BloodyAD

Perform manual LDAP queries to a domain controller using bloodyAD. This tool is especially useful for running LDAP queries on a non-Windows system.

bloodyAD supports authentication using cleartext passwords, pass-the-hash, pass-the-ticket, or certificates and binds to LDAP services of a domain controller to perform AD privilege escalation.

powershell
Usage:
    bloodyAD --host 172.16.1.15 -d bloody.local -u jane.doe -p :70016778cb0524c799ac25b439bd6a31 set password john.doe 'Password123!'

SharpSCCM

SharpSCCM can be used for local enumeration on a Windows host to retrieve Microsoft Endpoint Configuration Manager (formerly SCCM) configuration details via WMI (for example the management point endpoint and site code). The enumeration part is done via WMI, so we can use either SharpSCCM or the WMI interface.

powershell
# SharpSCCM
SharpSCCM.exe local site-info --no-banner

# WMI
Get-WmiObject -Class SMS_Authority -Namespace root\\CCM | select Name, CurrentManagementPoint | fl

We can also check for systems which have GenericAll permissions on the CN=System Management container - these are likely systems which are used to set up / configure SCCM in the first place (as these are required to set up SCCM):

powershell
SharpSCCM.exe get site-info -d mydomain --no-banner

If we want to list containers which are readable by a specific user, we need to run the query as that user, due to SCCM’s RBAC model.

Standalone commands

Checking WDAC and Credential Guard

Run msinfo32 and find values for:

  • Virtualization-based security Services Configured - look for Credential Guard
  • Virtualization-based security Services Running - look for Credential Guard
  • App Control for Business policy (WDAC, kernel)
  • App Control for Business user mode policy (WDAC, user)

Alternatively, use powershell:

powershell
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
select SecurityServicesConfigured,SecurityServicesRunning,CodeIntegrityPolicyEnforcementStatus,UsermodeCodeIntegrityPolicyEnforcementStatus

All values are listed in the Microsoft docs.

CodeIntegrityPolicyEnforcementStatus applies to the kernel, e.g. preventing loading malicious drivers, while UsermodeCodeIntegrityPolicyEnforcementStatus indicates whether users are only allowed to execute programs or load DLLs listed in the policies. This also ensures that Powershell runs in the Constrained Language mode. By default, only kernel-mode CI is enforced. Possible values are:

  • 0 - Disabled
  • 1 - Audit Mode
  • 2 - Enforced

SecurityServicesConfigured and SecurityServicesRunning contain a list of possible security services:

  • 0 - No services running.
  • 1 - Credential Guard is running.
  • 2 - memory integrity is running.
  • 3 - System Guard Secure Launch is running.
  • 4 - SMM Firmware Measurement is running.
  • 5 - Kernel-mode Hardware-enforced Stack Protection is running.
  • 6 - Kernel-mode Hardware-enforced Stack Protection is running in Audit mode.
  • 7 - Hypervisor-Enforced Paging Translation is running.

Credential Guard is only supported in Windows Education or Enterprise (Microsoft docs).

Some notes on WDAC

  • WDAC policies are located in C:\Windows\System32\CodeIntegrity\CIPolicies\Active\ and are usually .cip files.
  • Check for signed policies: Get-AuthenticodeSignature 'C:\Windows\System32\CodeIntegrity\CIPolicies\*\*.cip'
  • Policies can be signed with code signing certs (some are pre-signed by MS). Signed policies cannot directly be tampered with becuase the signature check is based on secure boot. Disable secure boot and no signature check will be performed.