πŸ”Situational Awareness

🎯 Overview

Situational awareness is the first critical step in Windows privilege escalation. Before attempting any escalation techniques, we must understand:

  • Network topology and dual-homed systems

  • Security protections in place (AV, EDR, AppLocker)

  • System context and current privileges

  • Network connectivity and potential lateral movement paths

"We cannot function and react effectively without an understanding of our current surroundings"

🌐 Network Information Gathering

Interface and IP Address Enumeration

Basic Network Configuration

# Complete network interface information
ipconfig /all

# Quick IP address overview
ipconfig

# DNS resolver cache: names this host resolved recently (hints at servers it talks to; DNS server settings are in ipconfig /all)
ipconfig /displaydns

Key Network Details to Note

# Look for:
- Multiple network interfaces (dual-homed systems)
- DNS servers and domain information
- DHCP configuration
- IPv6 addresses and tunneling adapters

Example Output Analysis:

# Dual-homed system identified
IPv4 Address: 10.129.43.8     # External/DMZ network
IPv4 Address: 192.168.20.56   # Internal network

# Domain information
Primary Dns Suffix: .htb
DNS Suffix Search List: .htb

ARP Cache Analysis

# View ARP cache for recent communications
arp -a

# Analyze per interface
arp -a -N [interface_ip]

Strategic Value:

  • Recent communications - Shows hosts recently contacted

  • Network discovery - Identifies active hosts on each network

  • Lateral movement targets - Potential next hop systems

  • Administrative patterns - A neighbour that also shows up in netstat on 3389 (RDP) or 5985/5986 (WinRM) is likely the admin workstation or jump host that manages this system

Routing Table Examination

# Complete routing information
route print

# IPv4 routes only
route print -4

# IPv6 routes only
route print -6

Analysis Points:

# Network segments accessible:
Network Destination    Netmask          Gateway       Interface
10.129.0.0            255.255.0.0      10.129.0.1    10.129.43.8  # External
192.168.20.0          255.255.255.0    192.168.20.1  192.168.20.56 # Internal

# Default routes - potential egress points
0.0.0.0               0.0.0.0          10.129.0.1    # Primary route
0.0.0.0               0.0.0.0          192.168.20.1  # Secondary route

Advanced Network Discovery

# Active TCP/UDP connections and listening ports
netstat -an

# Processes and associated connections (-b needs an elevated prompt; -o gives the owning PID without elevation)
netstat -anb

# Network statistics
netstat -s

# Interface statistics (Windows netstat has no -i switch; -e shows the Ethernet counters)
netstat -e

# PowerShell network cmdlets
Get-NetIPConfiguration
Get-NetRoute
Get-NetAdapter
Get-NetTCPConnection -State Established
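The commands above are read one at a time; the question they answer together is "is this host multi-homed, and who does each segment talk to?". The following function is an added example (not code from the original page or from HTB) that correlates IPv4 interfaces, default routes and the ARP cache via the NetTCPIP cmdlets and flags a dual-homed host. The network-ID helper and the broadcast/multicast filtering are this example's own logic; it runs as a standard user on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original page: correlate IPv4 interfaces, default routes
# and ARP neighbours to flag a multi-homed host and list each segment's recent peers.
# Uses the NetTCPIP cmdlets (Windows 8 / Server 2012+); no elevation required.

function ConvertTo-NetworkId {
    # 10.129.43.8 with prefix 16 -> "10.129.0.0/16", computed octet by octet so the
    # arithmetic stays inside [int] (no unsigned shifts needed)
    param([string]$Ip, [int]$Prefix)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $net = for ($i = 0; $i -lt 4; $i++) {
        $bits = [Math]::Max(0, [Math]::Min(8, $Prefix - 8 * $i))   # mask bits in this octet
        $mask = (0xFF -shl (8 - $bits)) -band 0xFF
        $bytes[$i] -band $mask
    }
    '{0}.{1}.{2}.{3}/{4}' -f $net[0], $net[1], $net[2], $net[3], $Prefix
}

function Get-NetworkSituation {
    # Skip loopback and APIPA (169.254/16) addresses; everything else is a real segment
    $addrs = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.IPAddress -ne '127.0.0.1' -and $_.IPAddress -notlike '169.254.*' }

    # ARP entries that represent real neighbours: drop incomplete, multicast and broadcast entries
    $neighbors = Get-NetNeighbor -AddressFamily IPv4 |
        Where-Object {
            ($_.State -in @('Reachable', 'Stale', 'Delay', 'Probe', 'Permanent')) -and
            ($_.IPAddress -notmatch '^2(2[4-9]|3[0-9])\.') -and
            ($_.LinkLayerAddress -notmatch '^ff(-ff){5}$')
        }

    # Default routes tell you which segment(s) have egress; a missing one is an isolated segment
    $defaultRoutes = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue

    $report = foreach ($a in $addrs) {
        $gw  = $defaultRoutes | Where-Object { $_.InterfaceIndex -eq $a.InterfaceIndex } |
                   Select-Object -ExpandProperty NextHop
        $arp = $neighbors | Where-Object { $_.InterfaceIndex -eq $a.InterfaceIndex } |
                   Select-Object -ExpandProperty IPAddress | Sort-Object -Unique
        [pscustomobject]@{
            Interface = $a.InterfaceAlias
            Address   = '{0}/{1}' -f $a.IPAddress, $a.PrefixLength
            Network   = ConvertTo-NetworkId -Ip $a.IPAddress -Prefix $a.PrefixLength
            DefaultGw = @($gw) -join ','     # empty => no egress route on this segment
            ArpHosts  = @($arp) -join ' '    # recent peers = lateral-movement candidates
        }
    }

    $networks = @($report | Select-Object -ExpandProperty Network -Unique)
    if ($networks.Count -gt 1) {
        Write-Warning ('Multi-homed host: {0} distinct IPv4 networks ({1})' -f $networks.Count, ($networks -join ', '))
    }
    $report
}

Get-NetworkSituation | Format-Table -AutoSize
```

On the dual-homed example from this page the warning fires with two networks (10.129.0.0/16 and 192.168.20.0/24), and the ArpHosts column for the internal interface is the short list of next-hop candidates worth checking against netstat.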

🛡️ Security Protection Enumeration

Windows Defender Status

# Comprehensive Defender status
Get-MpComputerStatus

# Key status indicators
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, BehaviorMonitorEnabled

# Threat detection settings
Get-MpPreference | Select-Object DisableRealtimeMonitoring, DisableBehaviorMonitoring

Critical Status Fields:

  • AntivirusEnabled - AV engine status

  • RealTimeProtectionEnabled - Live scanning

  • BehaviorMonitorEnabled - Behavioral analysis

  • OnAccessProtectionEnabled - File access monitoring

AppLocker Policy Assessment

# Current effective AppLocker rules (local policy merged with domain GPOs; this is what is actually enforced)
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# Local AppLocker policy only
Get-AppLockerPolicy -Local

# Domain AppLocker policy (-Domain requires -Ldap with the GPO's LDAP path; the value below is a placeholder)
Get-AppLockerPolicy -Domain -Ldap "LDAP://<DC>/<GPO distinguished name>"

# Test specific executable against policy (on a domain-joined host pipe -Effective instead of -Local,
# otherwise a domain rule that overrides the local one is missed)
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone

AppLocker Rule Types:

  • Executable Rules - Controls .exe, .com files

  • Windows Installer Rules - Controls .msi, .msp files

  • Script Rules - Controls .ps1, .bat, .cmd files

  • Packaged App Rules - Controls Windows Store apps

  • DLL Rules - Controls .dll files (rarely used)

AppLocker Bypass Indicators

# Look for broad path-based allow rules. The default rule set ships with these two, and they
# allow anything placed under those trees, signed or not:
PathConditions: {%PROGRAMFILES%\*}  # Only abusable if a sub-directory of Program Files is writable by your user (check the ACLs)
PathConditions: {%WINDIR%\*}        # A few sub-directories here are writable by standard users by default (e.g. C:\Windows\Tasks), so a binary copied there is allowed

# Also read each collection's EnforcementMode: AuditOnly only logs, and NotConfigured means that file type is not controlled at all
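Reading the rule dump by eye works for one host; the function below is an added example (not part of the original page or the HTB module) that does the same assessment in one pass: it lists each collection with its enforcement mode, extracts the path-based allow rules, probes the usual user-writable sub-directories of %WINDIR% when a %WINDIR% allow rule exists, and runs Test-AppLockerPolicy over a set of candidate binaries. The candidate and writable-directory lists are this example's own choices; the object property names (RuleCollectionType, EnforcementMode, PathConditions, Action, PolicyDecision) are those of the AppLocker module's policy objects. The write probe creates and deletes a temp file, which is noisy on a monitored host, so it can be disabled.

```powershell
# Added example, not from the original page: summarise the effective AppLocker policy,
# test candidate binaries, and check whether a %WINDIR% allow rule covers a directory the
# current user can write to. Requires the AppLocker module (Windows 7 / 2008 R2+).

function Test-DirectoryWritable {
    # Creates and removes a probe file; this is visible to file-system monitoring
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $probe = Join-Path $Path ('probe-{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch { return $false }
}

function Get-AppLockerSituation {
    param(
        [string]$User = 'Everyone',          # the page tests against Everyone; pass DOMAIN\user to test your own SID
        [switch]$NoWriteProbe,               # skip the writable-directory probe on a monitored host
        # Binaries worth testing; powershell.exe lives under WindowsPowerShell\v1.0, not System32 itself
        [string[]]$Candidates = @(
            "$env:WINDIR\System32\cmd.exe",
            "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe",
            "$env:WINDIR\System32\net.exe",
            "$env:WINDIR\System32\wbem\WMIC.exe",
            "$env:WINDIR\System32\rundll32.exe",
            "$env:WINDIR\System32\regsvr32.exe"
        ),
        # %WINDIR% sub-directories that standard users can commonly write to (assumption of this example)
        [string[]]$WritableSuspects = @(
            "$env:WINDIR\Tasks",
            "$env:WINDIR\Temp",
            "$env:WINDIR\tracing",
            "$env:WINDIR\System32\spool\drivers\color"
        )
    )

    $policy = Get-AppLockerPolicy -Effective

    # 1. Which file types are governed, and whether rules block or only audit
    $collections = foreach ($coll in $policy.RuleCollections) {
        [pscustomobject]@{
            Type        = $coll.RuleCollectionType
            Enforcement = $coll.EnforcementMode
            Rules       = ($coll | Measure-Object).Count
        }
    }

    # 2. Path-based allow rules: broad defaults are what a writable sub-directory abuses
    $pathAllows = foreach ($coll in $policy.RuleCollections) {
        foreach ($rule in $coll) {
            if ($rule.PSObject.Properties['PathConditions'] -and "$($rule.Action)" -eq 'Allow') {
                foreach ($cond in $rule.PathConditions) {
                    [pscustomobject]@{
                        Collection = $coll.RuleCollectionType
                        Rule       = $rule.Name
                        Path       = $cond.Path
                        Sid        = $rule.UserOrGroupSid
                    }
                }
            }
        }
    }

    # 3. If a %WINDIR% allow rule exists, find sub-directories we can actually write to
    $windirRule = @($pathAllows | Where-Object { $_.Path -like '%WINDIR%*' })
    $writable = @()
    if ($windirRule.Count -and -not $NoWriteProbe) {
        $writable = @($WritableSuspects | Where-Object { Test-DirectoryWritable -Path $_ })
    }

    # 4. Policy decisions for the candidates (the file must exist: hash/publisher are computed from it)
    $present   = @($Candidates | Where-Object { Test-Path -LiteralPath $_ })
    $decisions = foreach ($c in $present) {
        $policy | Test-AppLockerPolicy -Path $c -User $User |
            Select-Object FilePath, PolicyDecision, MatchingRule
    }

    [pscustomobject]@{
        Collections         = @($collections)
        PathAllowRules      = @($pathAllows)
        WritableAllowedDirs = $writable
        CandidateDecisions  = @($decisions)
    }
}

$al = Get-AppLockerSituation
$al.Collections        | Format-Table -AutoSize
$al.CandidateDecisions | Format-Table -AutoSize
$al.WritableAllowedDirs
```

PolicyDecision is Allowed, Denied, DeniedByDefault or AllowedByDefault; the two "ByDefault" values mean no rule matched the file at all, which is the normal outcome when a collection has no rules. A non-empty WritableAllowedDirs list with an Enforcement of Enabled on the Exe collection is the concrete indicator that the path rule, not the policy, is what decides whether your dropped binary runs.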

Additional Security Services

# Running services (potential AV/EDR). findstr treats space-separated words as alternatives;
# "\|" is not alternation in findstr and would search for the literal string "carbon|crowd|..."
net start | findstr /i "carbon crowd cylance defend fire malware secure sentinel"

# Process list for security tools
tasklist | findstr /i "carbon crowd cylance defend fire malware secure sentinel"

# Windows Firewall status
netsh advfirewall show allprofiles

# PowerShell security service enumeration (the DisplayName usually carries the vendor name)
Get-Service | Where-Object {$_.Name -match "Defend|Malware|Antivirus|Carbon|Crowd|Fire" -or $_.DisplayName -match "Defend|Malware|Antivirus|Carbon|Crowd|Fire"}

# Check for common EDR processes
Get-Process | Where-Object {$_.ProcessName -match "cb|crowd|fire|defend|malware"}
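The keyword greps above are quick but tell you nothing about which product is actually in charge. The function below is an added example (not from the original page) that combines the three checks of this section into one object: Defender state from Get-MpComputerStatus (wrapped, since the cmdlet throws where the Defender service is absent or disabled), services and processes matched against a vendor keyword table, and firewall profile posture from Get-NetFirewallProfile. The keyword table is this example's assumption (name fragments these products commonly use) and should be extended for the environment you are in.

```powershell
# Added example, not from the original page: one-shot triage of host protections that
# decide whether dropping tooling is safe. Runs as a standard user.

function Get-SecurityProductSituation {
    # Regex fragment -> product. Matched against service Name, service DisplayName and process name.
    $vendors = [ordered]@{
        'windefend|msmpeng|^sense$|mssense|nissrv' = 'Microsoft Defender / Defender for Endpoint'
        'csfalcon|csagent|crowdstrike'             = 'CrowdStrike Falcon'
        'cbdefense|carbonblack|^cb$|cbcomms'       = 'Carbon Black'
        'cylance'                                  = 'Cylance'
        'sentinel'                                 = 'SentinelOne'
        'sophos'                                   = 'Sophos'
        'mcafee|mfemms|mfevtp'                     = 'McAfee / Trellix'
        'symantec|ccsvchst|sepmaster'              = 'Symantec Endpoint Protection'
        'ekrn|\beset\b'                            = 'ESET'
        'tanium'                                   = 'Tanium'
        'sysmon'                                   = 'Sysmon (telemetry only, does not block)'
    }

    $svcs  = Get-Service
    $procs = Get-Process | Select-Object -ExpandProperty ProcessName -Unique

    $hits = foreach ($pattern in $vendors.Keys) {
        $svcHits  = @($svcs | Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern } |
                        ForEach-Object { '{0} [{1}]' -f $_.Name, $_.Status })
        $procHits = @($procs | Where-Object { $_ -match $pattern })
        if ($svcHits.Count -or $procHits.Count) {
            [pscustomobject]@{
                Product   = $vendors[$pattern]
                Services  = $svcHits  -join '; '
                Processes = $procHits -join '; '
            }
        }
    }

    # Defender cmdlets throw when the service is missing or disabled by policy; keep the reason
    $defender = $(try {
        Get-MpComputerStatus -ErrorAction Stop | Select-Object AMRunningMode, AntivirusEnabled,
            RealTimeProtectionEnabled, BehaviorMonitorEnabled, OnAccessProtectionEnabled,
            IoavProtectionEnabled, AntivirusSignatureLastUpdated
    } catch { "Get-MpComputerStatus failed: $($_.Exception.Message)" })

    $firewall = $(try {
        Get-NetFirewallProfile -ErrorAction Stop |
            Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
    } catch { $null })

    # Defender in 'Passive Mode' alongside a third-party hit means the other product is the one that blocks
    $note = if (@($hits).Count -gt 1) { 'More than one product family detected; check which one is in active (blocking) mode' } else { $null }

    [pscustomobject]@{
        Defender         = $defender
        SecurityProducts = @($hits)
        Firewall         = $firewall
        Note             = $note
    }
}

$sec = Get-SecurityProductSituation
$sec.Defender
$sec.SecurityProducts | Format-Table -AutoSize
$sec.Firewall         | Format-Table -AutoSize
```

A Sysmon hit deserves its own line in your notes: it blocks nothing, but every process you start, every network connection and (with the usual configs) every file drop is being shipped to a SIEM.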

🔍 System Context Assessment

Current User and Privileges

# Current user information
whoami /all

# User privileges
whoami /priv

# Group memberships
whoami /groups

# Current user only
whoami

# PowerShell user context
[System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Get-LocalUser | Where-Object {$_.Enabled -eq $true}
Get-LocalGroupMember -Group "Administrators"
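whoami /all answers the questions in this section, but the answers are buried in a few hundred lines of text. The function below is an added example (not from the original page) that parses the CSV output of whoami /priv and whoami /groups into the three facts that decide the next step: the integrity level, whether the account is a local admin whose token UAC has filtered, and which high-value privileges the token holds. The privilege-to-use mapping is this example's own commentary, not something whoami reports.

```powershell
# Added example, not from the original page: turn whoami output into an object that
# states integrity level, UAC filtering and high-value privileges. Works as any user.

function Get-TokenSituation {
    # Privileges that are directly useful for escalation and why (example's own annotation)
    $highValue = @{
        'SeImpersonatePrivilege'        = 'impersonate tokens of connecting clients (service accounts, Potato-style escalation)'
        'SeAssignPrimaryTokenPrivilege' = 'assign a primary token to a new process (same family as SeImpersonate)'
        'SeBackupPrivilege'             = 'read any file regardless of ACL (SAM/SYSTEM hives, NTDS.dit)'
        'SeRestorePrivilege'            = 'write any file or registry key regardless of ACL'
        'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object, then rewrite its ACL'
        'SeDebugPrivilege'              = 'open any process, including SYSTEM ones such as LSASS'
        'SeLoadDriverPrivilege'         = 'load a kernel driver'
        'SeManageVolumePrivilege'       = 'raw access to volumes'
    }

    $privs  = whoami /priv   /fo csv | ConvertFrom-Csv   # columns: Privilege Name, Description, State
    $groups = whoami /groups /fo csv | ConvertFrom-Csv   # columns: Group Name, Type, SID, Attributes

    # Integrity level is carried by the mandatory-label entry (SID prefix S-1-16-)
    $label     = $groups | Where-Object { $_.SID -like 'S-1-16-*' } | Select-Object -First 1
    $labelSid  = if ($label) { $label.SID } else { '' }
    $integrity = switch ($labelSid) {
        'S-1-16-16384' { 'System' }
        'S-1-16-12288' { 'High' }
        'S-1-16-8192'  { 'Medium' }
        'S-1-16-4096'  { 'Low' }
        default        { "Unknown ($labelSid)" }
    }

    # BUILTIN\Administrators is S-1-5-32-544. "Group used for deny only" means UAC filtered the
    # token: the account is an admin, but this session cannot use it without elevation.
    $admins   = $groups | Where-Object { $_.SID -eq 'S-1-5-32-544' } | Select-Object -First 1
    $filtered = [bool]($admins -and $admins.Attributes -match 'deny only')

    $interesting = foreach ($p in $privs) {
        $name = $p.'Privilege Name'
        if ($highValue.ContainsKey($name)) {
            [pscustomobject]@{
                Privilege = $name
                State     = $p.State   # Disabled is not absent: the holder can enable it via AdjustTokenPrivileges
                Use       = $highValue[$name]
            }
        }
    }

    [pscustomobject]@{
        User                = (whoami)
        IntegrityLevel      = $integrity
        InAdministrators    = [bool]$admins
        AdminTokenFiltered  = $filtered
        HighValuePrivileges = @($interesting)
        AllPrivilegeCount   = @($privs).Count
    }
}

$tok = Get-TokenSituation
$tok | Format-List User, IntegrityLevel, InAdministrators, AdminTokenFiltered, AllPrivilegeCount
$tok.HighValuePrivileges | Format-Table -AutoSize
```

InAdministrators true with AdminTokenFiltered true and a Medium integrity level is the classic "you are already an admin, you just need a UAC bypass or an elevated session" situation; a service account with SeImpersonatePrivilege at Medium is the other common shortcut this output makes obvious.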

System Information

# System details (findstr: space-separated terms are OR'ed)
systeminfo | findstr /i "OS System Hotfix Domain"

# OS version
ver

# Environment variables
set

# Installed software (slow: wmic product runs an MSI consistency check on every package, which also shows up in the event log)
wmic product get name,version

# PowerShell system information
Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsArchitecture, CsTotalPhysicalMemory
Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, LastBootUpTime
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10

📋 Situational Awareness Checklist

Network Assessment

  • Interfaces and IP addresses recorded; multi-homed host identified (ipconfig /all)

  • ARP cache and routing table reviewed for reachable segments and next hops

  • Active connections and listening ports noted (netstat)

Security Posture

  • Defender status checked (real-time, behavior and on-access protection)

  • AppLocker effective policy and enforcement mode recorded; candidate binaries tested

  • Third-party AV/EDR services and processes listed; firewall profiles checked

System Context

  • Current user, groups and privileges captured (whoami /all)

  • OS version, build and installed hotfixes recorded

  • Installed software and environment variables reviewed

🎯 HTB Academy Lab - Situational Awareness

Lab Environment

  • Target: Windows system accessible via RDP

  • Credentials: htb-student:HTB_@cademy_stdnt!

  • Objective: Identify network configuration and security restrictions

Lab Questions

Question 1: Network Interface Discovery

Objective: Find the IP address of the other NIC attached to the target host

# Solution approach
ipconfig /all

# Look for multiple Ethernet adapters
# Identify IP addresses on different network segments
# Answer format: X.X.X.X (IP address of secondary interface)

Question 2: AppLocker Executable Restrictions

Objective: Identify which executable (other than cmd.exe) is blocked by AppLocker

# Solution approach
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

# Test common executables. Test-AppLockerPolicy needs the real file path (hash and publisher
# conditions are computed from the file); powershell.exe is under WindowsPowerShell\v1.0, not System32 itself.
# On a domain-joined host pipe -Effective instead of -Local so domain rules are included.
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -User Everyone
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\cmd.exe -User Everyone
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\net.exe -User Everyone

# Look for PolicyDecision: Denied (DeniedByDefault means no rule matched the file at all)

Common Blocked Executables:

  • powershell.exe - PowerShell interpreter

  • cmd.exe - Command prompt (mentioned as blocked)

  • net.exe - Network configuration utility

  • wmic.exe - Windows Management Instrumentation tool

Expected Results

# Network discovery result
Interface 1: 10.129.43.8    (External/HTB network)
Interface 2: 192.168.20.56  (Internal network)

# AppLocker restriction result
powershell.exe: DENIED
cmd.exe: DENIED  
net.exe: ALLOWED

💡 Key Takeaways

  1. Network topology understanding - Dual-homed systems provide lateral movement opportunities

  2. Security awareness - Enumerating AV, EDR and AppLocker before dropping tools lowers the chance of tripping them (it cannot rule out detection)

  3. Context establishment - Know your current privileges before escalation attempts

  4. Tool restrictions - AppLocker policies affect available attack vectors

  5. Systematic approach - Complete situational awareness before technical exploitation


This guide covers the essential first step in Windows privilege escalation - gathering comprehensive situational awareness to inform subsequent attack strategies.
