# Enumerating Security Controls After gaining a foothold, we could use this access to get a feeling for the defensive state of the hosts, enumerate the domain further now that our visibility is not as restricted, and, if necessary, work at "living off the land" by using tools that exist natively on the hosts. It is important to understand the security controls in place in an organization as the products in use can affect the tools we use for our AD enumeration, as well as exploitation and post-exploitation. Understanding the protections we may be up against will help inform our decisions regarding tool usage and assist us in planning our course of action by either avoiding or modifying certain tools. Some organizations have more stringent protections than others, and some do not apply security controls equally throughout. There may be policies applied to certain machines that can make our enumeration more difficult that are not applied on other machines. Note: This section is intended to showcase possible security controls in place within a domain, but does not have an interactive component. Enumerating and bypassing security controls are outside the scope of this module, but we wanted to give an overview of the possible technologies we may encounter during an assessment. *** ### Windows Defender Windows Defender (or [Microsoft Defender](https://en.wikipedia.org/wiki/Microsoft_Defender) after the Windows 10 May 2020 Update) has greatly improved over the years and, by default, will block tools such as `PowerView`. There are ways to bypass these protections. These ways will be covered in other modules. We can use the built-in PowerShell cmdlet [Get-MpComputerStatus](https://docs.microsoft.com/en-us/powershell/module/defender/get-mpcomputerstatus?view=win10-ps) to get the current Defender status. Here, we can see that the `RealTimeProtectionEnabled` parameter is set to `True`, which means Defender is enabled on the system. **Checking the Status of Defender with Get-MpComputerStatus** Enumerating Security Controls ```powershell-session PS C:\htb> Get-MpComputerStatus AMEngineVersion : 1.1.17400.5 AMProductVersion : 4.10.14393.0 AMServiceEnabled : True AMServiceVersion : 4.10.14393.0 AntispywareEnabled : True AntispywareSignatureAge : 1 AntispywareSignatureLastUpdated : 9/2/2020 11:31:50 AM AntispywareSignatureVersion : 1.323.392.0 AntivirusEnabled : True AntivirusSignatureAge : 1 AntivirusSignatureLastUpdated : 9/2/2020 11:31:51 AM AntivirusSignatureVersion : 1.323.392.0 BehaviorMonitorEnabled : False ComputerID : 07D23A51-F83F-4651-B9ED-110FF2B83A9C ComputerState : 0 FullScanAge : 4294967295 FullScanEndTime : FullScanStartTime : IoavProtectionEnabled : False LastFullScanSource : 0 LastQuickScanSource : 2 NISEnabled : False NISEngineVersion : 0.0.0.0 NISSignatureAge : 4294967295 NISSignatureLastUpdated : NISSignatureVersion : 0.0.0.0 OnAccessProtectionEnabled : False QuickScanAge : 0 QuickScanEndTime : 9/3/2020 12:50:45 AM QuickScanStartTime : 9/3/2020 12:49:49 AM RealTimeProtectionEnabled : True RealTimeScanDirection : 0 PSComputerName : ``` *** ### AppLocker An application whitelist is a list of approved software applications or executables that are allowed to be present and run on a system. The goal is to protect the environment from harmful malware and unapproved software that does not align with the specific business needs of an organization. [AppLocker](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker) is Microsoft's application whitelisting solution and gives system administrators control over which applications and files users can run. It provides granular control over executables, scripts, Windows installer files, DLLs, packaged apps, and packed app installers. It is common for organizations to block cmd.exe and PowerShell.exe and write access to certain directories, but this can all be bypassed. Organizations also often focus on blocking the `PowerShell.exe` executable, but forget about the other [PowerShell executable locations](https://www.powershelladmin.com/wiki/PowerShell_Executables_File_System_Locations) such as `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe` or `PowerShell_ISE.exe`. We can see that this is the case in the `AppLocker` rules shown below. All Domain Users are disallowed from running the 64-bit PowerShell executable located at: `%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe` So, we can merely call it from other locations. Sometimes, we run into more stringent `AppLocker` policies that require more creativity to bypass. These ways will be covered in other modules. **Using Get-AppLockerPolicy cmdlet** Enumerating Security Controls ```powershell-session PS C:\htb> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections PathConditions : {%SYSTEM32%\WINDOWSPOWERSHELL\V1.0\POWERSHELL.EXE} PathExceptions : {} PublisherExceptions : {} HashExceptions : {} Id : 3d57af4a-6cf8-4e5b-acfc-c2c2956061fa Name : Block PowerShell Description : Blocks Domain Users from using PowerShell on workstations UserOrGroupSid : S-1-5-21-2974783224-3764228556-2640795941-513 Action : Deny PathConditions : {%PROGRAMFILES%\*} PathExceptions : {} PublisherExceptions : {} HashExceptions : {} Id : 921cc481-6e17-4653-8f75-050b80acca20 Name : (Default Rule) All files located in the Program Files folder Description : Allows members of the Everyone group to run applications that are located in the Program Files folder. UserOrGroupSid : S-1-1-0 Action : Allow PathConditions : {%WINDIR%\*} PathExceptions : {} PublisherExceptions : {} HashExceptions : {} Id : a61c8b2c-a319-4cd0-9690-d2177cad7b51 Name : (Default Rule) All files located in the Windows folder Description : Allows members of the Everyone group to run applications that are located in the Windows folder. UserOrGroupSid : S-1-1-0 Action : Allow PathConditions : {*} PathExceptions : {} PublisherExceptions : {} HashExceptions : {} Id : fd686d83-a829-4351-8ff4-27c7de5755d2 Name : (Default Rule) All files Description : Allows members of the local Administrators group to run all applications. UserOrGroupSid : S-1-5-32-544 Action : Allow ``` *** ### PowerShell Constrained Language Mode PowerShell [Constrained Language Mode](https://devblogs.microsoft.com/powershell/powershell-constrained-language-mode/) locks down many of the features needed to use PowerShell effectively, such as blocking COM objects, only allowing approved .NET types, XAML-based workflows, PowerShell classes, and more. We can quickly enumerate whether we are in Full Language Mode or Constrained Language Mode. **Enumerating Language Mode** Enumerating Security Controls ```powershell-session PS C:\htb> $ExecutionContext.SessionState.LanguageMode ConstrainedLanguage ``` *** ### LAPS The Microsoft [Local Administrator Password Solution (LAPS)](https://www.microsoft.com/en-us/download/details.aspx?id=46899) is used to randomize and rotate local administrator passwords on Windows hosts and prevent lateral movement. We can enumerate what domain users can read the LAPS password set for machines with LAPS installed and what machines do not have LAPS installed. The [LAPSToolkit](https://github.com/leoloobeek/LAPSToolkit) greatly facilitates this with several functions. One is parsing `ExtendedRights` for all computers with LAPS enabled. This will show groups specifically delegated to read LAPS passwords, which are often users in protected groups. An account that has joined a computer to a domain receives `All Extended Rights` over that host, and this right gives the account the ability to read passwords. Enumeration may show a user account that can read the LAPS password on a host. This can help us target specific AD users who can read LAPS passwords. **Using Find-LAPSDelegatedGroups** Enumerating Security Controls ```powershell-session PS C:\htb> Find-LAPSDelegatedGroups OrgUnit Delegated Groups ------- ---------------- OU=Servers,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\Domain Admins OU=Servers,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\LAPS Admins OU=Workstations,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\Domain Admins OU=Workstations,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\LAPS Admins OU=Web Servers,OU=Servers,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\Domain Admins OU=Web Servers,OU=Servers,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\LAPS Admins OU=SQL Servers,OU=Servers,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\Domain Admins OU=SQL Servers,OU=Servers,DC=INLANEFREIGHT,DC=LOCAL INLANEFREIGHT\LAPS Admins OU=File Servers,OU=Servers,DC=INLANEFREIGHT,DC=L... INLANEFREIGHT\Domain Admins OU=File Servers,OU=Servers,DC=INLANEFREIGHT,DC=L... INLANEFREIGHT\LAPS Admins OU=Contractor Laptops,OU=Workstations,DC=INLANEF... INLANEFREIGHT\Domain Admins OU=Contractor Laptops,OU=Workstations,DC=INLANEF... INLANEFREIGHT\LAPS Admins OU=Staff Workstations,OU=Workstations,DC=INLANEF... INLANEFREIGHT\Domain Admins OU=Staff Workstations,OU=Workstations,DC=INLANEF... INLANEFREIGHT\LAPS Admins OU=Executive Workstations,OU=Workstations,DC=INL... INLANEFREIGHT\Domain Admins OU=Executive Workstations,OU=Workstations,DC=INL... INLANEFREIGHT\LAPS Admins OU=Mail Servers,OU=Servers,DC=INLANEFREIGHT,DC=L... INLANEFREIGHT\Domain Admins OU=Mail Servers,OU=Servers,DC=INLANEFREIGHT,DC=L... INLANEFREIGHT\LAPS Admins ``` The `Find-AdmPwdExtendedRights` checks the rights on each computer with LAPS enabled for any groups with read access and users with "All Extended Rights." Users with "All Extended Rights" can read LAPS passwords and may be less protected than users in delegated groups, so this is worth checking for. **Using Find-AdmPwdExtendedRights** Enumerating Security Controls ```powershell-session PS C:\htb> Find-AdmPwdExtendedRights ComputerName Identity Reason ------------ -------- ------ EXCHG01.INLANEFREIGHT.LOCAL INLANEFREIGHT\Domain Admins Delegated EXCHG01.INLANEFREIGHT.LOCAL INLANEFREIGHT\LAPS Admins Delegated SQL01.INLANEFREIGHT.LOCAL INLANEFREIGHT\Domain Admins Delegated SQL01.INLANEFREIGHT.LOCAL INLANEFREIGHT\LAPS Admins Delegated WS01.INLANEFREIGHT.LOCAL INLANEFREIGHT\Domain Admins Delegated WS01.INLANEFREIGHT.LOCAL INLANEFREIGHT\LAPS Admins Delegated ``` We can use the `Get-LAPSComputers` function to search for computers that have LAPS enabled when passwords expire, and even the randomized passwords in cleartext if our user has access. **Using Get-LAPSComputers** Enumerating Security Controls ```powershell-session PS C:\htb> Get-LAPSComputers ComputerName Password Expiration ------------ -------- ---------- DC01.INLANEFREIGHT.LOCAL 6DZ[+A/[]19d$F 08/26/2020 23:29:45 EXCHG01.INLANEFREIGHT.LOCAL oj+2A+[hHMMtj, 09/26/2020 00:51:30 SQL01.INLANEFREIGHT.LOCAL 9G#f;p41dcAe,s 09/26/2020 00:30:09 WS01.INLANEFREIGHT.LOCAL TCaG-F)3No;l8C 09/26/2020 00:46:04 ``` *** ### Conclusion As we have seen in this section, several other helpful AD enumeration techniques are available to us to determine what protections are in place. It is worth familiarizing yourself with all of these tools and techniques, and adding them to your arsenal of options. Now, let's continue our enumeration of the INLANEFREIGHT.LOCAL domain from a credentialed standpoint. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://notes.cavementech.com/pentesting-quick-reference/active-directory/password-spraying/enumerating-security-controls.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.