Skip to main content

Safety Checks

Seatbelt - local and remote safety checks​

Seatbelt.exe -group=<all|user|system|slack|chrome|remote|misc> [-full]
Seatbelt.exe -group=<remote> -computername=<hostname[.evilcorp.com]> [-username=<domain>\<user> -password=<password>]  
Seatbelt.exe -group=user -outputfile="<C:\Temp\out.txt|C:\Temp\out.json">
Seatbelt.exe <checks1> <checks2> <checks3> [-q]

Scout - remote safety checks​

scout <hostname|ip>

Antivirus​

wmic /namespace:\\root\securitycenter2 path antivirusproduct

Antivirus exclusion

windows/gather/enum_av_excluded

Sysmon​

Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }

Proxy settings​

netsh winhttp show proxy
ping -n 1 wpad

PowerShell​

Engines

reg query HKLM\SOFTWARE\Microsoft\PowerShell\
reg query HKLM\SOFTWARE\Microsoft\PowerShell\<X>

Logging

reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\Transcription
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging

CLM

$ExecutionContext.SessionState.LanguageMode

AppLocker​

Get-AppLockerPolicy -Effective -XML

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

DeviceGuard​

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
PropertiesDescriptionValid values
AvailableSecurityPropertiesThis field helps to enumerate and report state on the relevant security properties for Device Guard.
  • 0. If present, no relevant properties exist on the device.
  • 1. If present, hypervisor support is available.
  • 2. If present, Secure Boot is available.
  • 3. If present, DMA protection is available.
  • 4. If present, Secure Memory Overwrite is available.
  • 5. If present, NX protections are available.
  • 6. If present, SMM mitigations are available.
Note: 4, 5, and 6 were added as of Windows 10, version 1607.
RequiredSecurityPropertiesThis field describes the required security properties to enable virtualization-based security.
  • 0. Nothing is required.
  • 1. If present, hypervisor support is needed.
  • 2. If present, Secure Boot is needed.
  • 3. If present, DMA protection is needed.
  • 4. If present, Secure Memory Overwrite is needed.
  • 5. If present, NX protections are needed.
  • 6. If present, SMM mitigations are needed.
Note: 4, 5, and 6 were added as of Windows 10, version 1607.
SecurityServicesConfiguredThis field indicates whether the Credential Guard or HVCI service has been configured.
  • 0. No services configured.
  • 1. If present, Credential Guard is configured.
  • 2. If present, HVCI is configured.
SecurityServicesRunningThis field indicates whether the Credential Guard or HVCI service is running.
  • 0. No services running.
  • 1. If present, Credential Guard is running.
  • 2. If present, HVCI is running.
VirtualizationBasedSecurityStatusThis field indicates whether VBS is enabled and running.
  • 0. VBS is not enabled.
  • 1. VBS is enabled but not running.
  • 2. VBS is enabled and running.

Users​

Logged on users

Get-EventLog -LogName Security [-Newest 100] | Where-Object {$_.EventID -eq 4624}

List Processes with potential creds embedded in executable or config file 

Get-EventLog -LogName Security -Newest 100 | Where-Object {$_.EventID -eq 4648} | Select-Object -Property *

Available CLR​

dir %WINDIR%\Microsoft.Net\Framework\ /s /b | find "System.dll"
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v2.0.50727\System.dll")
[System.IO.File]::Exists("$env:windir\Microsoft.Net\Framework\v4.0.30319\System.dll")

Audit policy​

auditpol /get /categoryams:*

RDP history​

reg query HKCU\Software\Microsoft\Terminal Server Client\