
Enumerating Security Controls

After gaining a foothold in an AD environment, enumerate the defensive state of hosts to understand which security controls are in place. The products in use determine which tools work for AD enumeration, exploitation, and post-exploitation. Knowing the protections informs tool selection and helps plan a course of action: either avoiding certain tools or modifying them. Protections may vary across machines in the same environment; policies applied to some hosts may not apply to others.

Windows Defender

Windows Defender (Microsoft Defender after Windows 10 May 2020 Update) blocks many common offensive tools (e.g. PowerView) by default. Check its status with the built-in Get-MpComputerStatus cmdlet.

Checking Defender Status

Get-MpComputerStatus

Key fields to check:

| Field | Meaning |
| --- | --- |
| RealTimeProtectionEnabled | Real-time scanning is active |
| AntivirusEnabled | AV engine is enabled |
| AntispywareEnabled | Anti-spyware engine is enabled |
| BehaviorMonitorEnabled | Behavioral analysis is active |
| IoavProtectionEnabled | Scans files downloaded via IE/Edge |
| OnAccessProtectionEnabled | Scans files on access |

If RealTimeProtectionEnabled is True, Defender is actively scanning, so tools may need obfuscation or bypass techniques.

AppLocker

AppLocker is Microsoft's application whitelisting solution. It gives administrators control over which applications and files users can run, providing granular control over:

  • Executables
  • Scripts
  • Windows Installer files
  • DLLs
  • Packaged apps and packed app installers

Common AppLocker Configurations

Organizations often block cmd.exe and PowerShell.exe and restrict write access to certain directories. A common mistake is blocking only the default 64-bit PowerShell path while leaving others accessible:

| Blocked Path | Often Overlooked Alternatives |
| --- | --- |
| %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe | %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, PowerShell_ISE.exe |

Enumerating AppLocker Policies

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Look for:

  • Deny rules: which executables/paths are blocked and for which groups
  • Allow rules: which paths are allowed (e.g. %PROGRAMFILES%\*, %WINDIR%\*)
  • User/group scope: rules targeting Domain Users vs. Administrators

PowerShell Constrained Language Mode

Constrained Language Mode (CLM) restricts many PowerShell features needed for offensive operations:

  • Blocks COM objects
  • Only allows approved .NET types
  • Blocks XAML-based workflows
  • Blocks PowerShell classes

Checking Language Mode

$ExecutionContext.SessionState.LanguageMode

| Mode | Meaning |
| --- | --- |
| FullLanguage | No restrictions; all features available |
| ConstrainedLanguage | Restricted; many offensive techniques blocked |

LAPS (Local Administrator Password Solution)

Microsoft LAPS randomizes and rotates local administrator passwords on Windows hosts to prevent lateral movement. Key enumeration goals:

  • Which domain users/groups can read LAPS passwords
  • Which machines have LAPS installed (and which do not)

LAPSToolkit

The LAPSToolkit provides several useful functions for LAPS enumeration.

Find Delegated Groups

Parses ExtendedRights for all computers with LAPS enabled. Shows groups specifically delegated to read LAPS passwords (often users in protected groups):

Find-LAPSDelegatedGroups

Find Extended Rights

Checks rights on each LAPS-enabled computer for groups with read access and users with "All Extended Rights." Users with this right can read LAPS passwords and may be less protected than users in delegated groups. An account that has joined a computer to the domain receives All Extended Rights over that host:

Find-AdmPwdExtendedRights

Get LAPS Passwords

Search for LAPS-enabled computers, password expiration times, and the cleartext passwords (if your user has access):

Get-LAPSComputers

Summary

| Control | Enumeration Command | What to Look For |
| --- | --- | --- |
| Windows Defender | Get-MpComputerStatus | RealTimeProtectionEnabled, AV/antispyware status |
| AppLocker | Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections | Deny rules, blocked paths, overlooked PowerShell locations |
| PS Constrained Language Mode | $ExecutionContext.SessionState.LanguageMode | ConstrainedLanguage vs FullLanguage |
| LAPS | Find-LAPSDelegatedGroups, Find-AdmPwdExtendedRights, Get-LAPSComputers | Delegated groups, extended rights, password access |
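The checks above, combined into one host audit from a defender's view, as an added example that is not part of the original post: it lists disabled Defender engines, reports the session language mode, and uses Test-AppLockerPolicy to catch the partial PowerShell block described in the AppLocker section (only the 64-bit powershell.exe denied). It assumes the Defender and AppLocker modules are available; the legacy LAPS CSE path is an assumption based on the default install location.

```powershell
function Get-SecurityControlReport {
    [CmdletBinding()]
    param(
        # Principal to evaluate AppLocker rules for; 'Everyone' is the broadest audience
        [string]$User = 'Everyone'
    )
    $report = [ordered]@{}

    # 1. Defender: list every protection engine that is switched off
    $mp = Get-MpComputerStatus
    $engines = 'RealTimeProtectionEnabled', 'AntivirusEnabled', 'AntispywareEnabled',
               'BehaviorMonitorEnabled', 'IoavProtectionEnabled', 'OnAccessProtectionEnabled'
    $report['DefenderEnginesDisabled'] = @($engines | Where-Object { -not $mp.$_ })

    # 2. Language mode of the current session (FullLanguage vs ConstrainedLanguage)
    $report['LanguageMode'] = [string]$ExecutionContext.SessionState.LanguageMode

    # 3. AppLocker: test every PowerShell host binary, not only the 64-bit default path
    $psHosts = @(
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
        "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
    ) | Where-Object { Test-Path $_ }
    $policy = Get-AppLockerPolicy -Effective
    $decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $psHosts -User $User
    # Both 'Allowed' and 'AllowedByDefaultRule' mean the binary would run for $User
    $report['PowerShellHostsAllowed'] = @($decisions |
        Where-Object { $_.PolicyDecision -like 'Allowed*' } |
        Select-Object -ExpandProperty FilePath)
    # True when some PowerShell hosts are denied but others still run: the gap to fix
    $report['AppLockerPartialPowerShellBlock'] =
        $decisions.Count -gt 0 -and
        $report['PowerShellHostsAllowed'].Count -gt 0 -and
        $report['PowerShellHostsAllowed'].Count -lt $decisions.Count

    # 4. LAPS: presence of the legacy LAPS client-side extension
    #    (assumed default install path, not taken from the post)
    $report['LegacyLapsCseInstalled'] = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"

    [pscustomobject]$report
}

Get-SecurityControlReport | Format-List
```

Run it in an elevated session on each host class covered by different GPOs, since the post notes that protections vary across machines in the same environment.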