
SITUATIONAL AWARENESS - HARMJ0Y

Windows version: reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system: ls C:\Users\

System env variables: reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections: reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers

more info example: reg query x64 HKCU\Software\Microsoft\Terminal Server Client\Servers\10.10.10.25

IE proxy settings:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg query x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
reg queryv x64 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections DefaultConnectionSettings

From https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1:

Check system policies (token filter policy, etc.): reg query x64 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Audit settings: reg query x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit

Command line process auditing: reg queryv x64 HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit ProcessCreationIncludeCmdLine_Enabled

Check if PS version 2 is installed: reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine PowerShellVersion

Check if PS version 5 is installed: reg queryv x64 HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine PowerShellVersion

Check if CLR 2.0 installed: ls C:\Windows\Microsoft.Net\Framework\v2.0.50727\

Check if CLR 4.0 installed: ls C:\Windows\Microsoft.Net\Framework\v4.0.30319\

PowerShell transcription settings: reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription

PowerShell module logging: reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging

PowerShell script block logging: reg query x64 HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

LSA settings (NTLM, PPL, etc.): reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Lsa

LAPS enabled: reg query x64 HKLM\Software\Policies\Microsoft Services\AdmPwd

WEF settings: reg query x64 HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager\1

MS Cached Logon Count: reg queryv x64 HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon CachedLogonsCount

Putty: reg query x64 HKCU\SOFTWARE\SimonTatham\Putty\

Sysmon:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters
reg queryv x64 HKLM\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters Rules

Users logged onto the machine: net logons

Local admins: net localgroup administrators

Local drives: drives

Local shares: net share

From https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1:

Recently typed "run" commands: reg query x64 HKCU\software\microsoft\windows\currentversion\explorer\runmru
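The keys above double as a defender's checklist: if an operator can read them to see what telemetry is missing, an administrator can read the same keys to find the gaps first. The script below is an added example (not from this page, harmj0y, or the linked scripts) that queries the logging and hardening keys listed above with Get-ItemProperty and reports which controls are actually on; value names are the documented policy values for each key, and the "cached logons <= 2" threshold is this example's own assumption.

```powershell
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or the value does not exist, instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-HostVisibilityPosture {
    $ps  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    # Each check: the key/value from the notes above and a predicate for "control is on".
    $checks = @(
        @{ Control = 'PS script block logging'; Path = "$ps\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Good = { param($v) $v -eq 1 } },
        @{ Control = 'PS module logging';       Path = "$ps\ModuleLogging";      Name = 'EnableModuleLogging';      Good = { param($v) $v -eq 1 } },
        @{ Control = 'PS transcription';        Path = "$ps\Transcription";      Name = 'EnableTranscripting';      Good = { param($v) $v -eq 1 } },
        @{ Control = 'Cmdline in 4688 events';  Path = "$pol\Audit"; Name = 'ProcessCreationIncludeCmdLine_Enabled'; Good = { param($v) $v -eq 1 } },
        @{ Control = 'LSA protection (RunAsPPL)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RunAsPPL'; Good = { param($v) $v -eq 1 } },
        @{ Control = 'LAPS enabled';            Path = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'; Name = 'AdmPwdEnabled'; Good = { param($v) $v -eq 1 } },
        @{ Control = 'Sysmon rules loaded';     Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv\Parameters'; Name = 'Rules'; Good = { param($v) $null -ne $v } },
        @{ Control = 'WEF subscription manager'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager'; Name = '1'; Good = { param($v) -not [string]::IsNullOrEmpty($v) } },
        # Windows default is 10 cached logons; the <= 2 threshold is an assumption for this example.
        @{ Control = 'Cached logons <= 2';      Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'CachedLogonsCount'; Good = { param($v) ($null -ne $v) -and ([int]$v -le 2) } },
        # LocalAccountTokenFilterPolicy = 1 removes UAC remote restrictions for local admins, so absent or 0 is the safe state.
        @{ Control = 'UAC remote restrictions kept'; Path = $pol; Name = 'LocalAccountTokenFilterPolicy'; Good = { param($v) $v -ne 1 } }
    )
    foreach ($c in $checks) {
        $v = Get-RegValue -Path $c.Path -Name $c.Name
        # Binary values (Sysmon rules) are summarised by length rather than dumped.
        if ($null -eq $v)          { $shown = '<absent>' }
        elseif ($v -is [byte[]])   { $shown = "$($v.Length) bytes" }
        else                       { $shown = $v }
        if (& $c.Good $v) { $status = 'OK' } else { $status = 'GAP' }
        [pscustomobject]@{ Control = $c.Control; Value = $shown; Status = $status }
    }
}

# Run elevated so HKLM policy keys are readable; GAP rows are the controls to fix.
Get-HostVisibilityPosture | Format-Table -AutoSize
```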
