├── Client-Checker.ps1 ├── LICENSE └── README.md /Client-Checker.ps1: -------------------------------------------------------------------------------- 1 | <# 2 | This is such an awesome script - not 3 | Better run twice, 1x as admin because some shit can not be queried without (e.g. BitLocker status) and 1x as low priv user to check things like software installable as low priv user or access to systemtools like registry etc. 4 | Green = good 5 | Red = Not good 6 | Purple = possibly not good 7 | 8 | Author: @LuemmelSec 9 | License: BSD 3-Clause 10 | 11 | #> 12 | 13 | 14 | $results = @() 15 | $elevated = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) 16 | function Client-Checker{ 17 | 18 | Write-host "##########################################################################################" -ForegroundColor DarkGray 19 | Write-host "####################################################################+=####################" -ForegroundColor DarkGray 20 | Write-host "#################################################################*######**################" -ForegroundColor DarkGray 21 | Write-host "################################################################*=######++################" -ForegroundColor DarkGray 22 | Write-host "####################################################################**####################" -ForegroundColor DarkGray 23 | Write-host "###%%%%%%%%%%###########%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%###########+=####################" -ForegroundColor DarkGray 24 | Write-host "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%@#+======================#%###############################" -ForegroundColor DarkGray 25 | Write-host "%%%**********%%%%%%%%%%%*******#" -ForegroundColor DarkRed -NoNewline; Write-Host "@::::::::::--::-=::::::::-@###############################" -ForegroundColor DarkGray 26 | Write-host "+++++++++++++++++++++++++++++++*" -ForegroundColor 
Red -NoNewline; Write-Host "@::::=-::::::::=+=:::-:::-@%#%%###########################" -ForegroundColor DarkGray 27 | Write-host "+++----------=++++++++++-------+" -ForegroundColor DarkYellow -NoNewline; Write-Host "@:::::::::::::+****=:-:::-@@%**%%#########################" -ForegroundColor DarkGray 28 | Write-host "------------------------+++++--=" -ForegroundColor Yellow -NoNewline; Write-Host "@:::::::::--::%+===**=++++#====@@#########################" -ForegroundColor DarkGray 29 | Write-host "----------------------=#*" -ForegroundColor Green -NoNewline; Write-Host "++*@##%@:::::--::::::%+=====+++++=====@@#########################" -ForegroundColor DarkGray 30 | Write-host "----------------------+##" -ForegroundColor Blue -NoNewline; Write-Host "*****#%@:::-::::::-*@+===:=+======:-+==*@########################" -ForegroundColor DarkGray 31 | Write-host "-------------------------++++@%%" -ForegroundColor DarkBlue -NoNewline; Write-Host "@:::-:::::::=@+===*%%-==*#-*%%-=*@########################" -ForegroundColor DarkGray 32 | Write-host "-------------------------------+" -ForegroundColor Magenta -NoNewline; Write-Host "@::::-:::=-:=@+---=++-=++=-*+=--+@########################" -ForegroundColor DarkGray 33 | Write-host "---==========-----------======#%" -ForegroundColor DarkMagenta -NoNewline; Write-Host "@::::-:::::::-#+=-=#@%%@@%%@#-=%%#########################" -ForegroundColor DarkGray 34 | Write-host "++++++++++++++++++++++++++++#####@#++++++++++++%@*************@###########################" -ForegroundColor DarkGray 35 | Write-host "+++##########*++++++++++####@+=+%%@%**%@%%%%%%%%@**%@%@#**@%##############################" -ForegroundColor DarkGray 36 | Write-host "############################%%%%###%%%%%#########%%%%##%%%%###############################" -ForegroundColor DarkGray 37 | Write-host "##########################################################################################" -ForegroundColor DarkGray 38 | Write-host 
"##########################################################################################" -ForegroundColor DarkGray 39 | Write-host "##################################### Client-Checker #####################################" -ForegroundColor DarkGray 40 | Write-host "##################################### by @LuemmelSec #####################################" -ForegroundColor DarkGray 41 | Write-host "############################ Automated Client Security Checks ############################" -ForegroundColor DarkGray 42 | Write-host "##########################################################################################" -ForegroundColor DarkGray 43 | Write-host "" 44 | Write-Host "Stuff marked in green is good" -ForegroundColor Green 45 | Write-Host "Stuff marked in magenta is a 'might be' finding" -ForegroundColor Magenta 46 | Write-Host "Stuff marked in red is bad stuff" -ForegroundColor Red 47 | Write-Host "Stuff marked yellow are errors" -ForegroundColor Yellow 48 | Write-Host "" 49 | Write-Host "If you happen to use PwnDoc or PwnDoc-ng, you can use my templates alongside this tool:" 50 | Write-Host "https://github.com/LuemmelSec/PwnDoc-Vulns/blob/main/SystemSecurity.yml" 51 | Write-Host "" 52 | 53 | ########### Preflight Checks ########### 54 | 55 | # Check if we run in elevated context so all checks can be done 56 | if($elevated -eq $true){ 57 | Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Green 58 | Write-Host "We have superpowers. All checks should go okay." -ForegroundColor DarkGray 59 | Write-Host "" 60 | } 61 | else{ 62 | Write-Host "Local Admin: " -ForegroundColor white -NoNewline; Write-Host $elevated -ForegroundColor Red 63 | Write-Host "You don't have super powers. Some checks might fail!" 
-ForegroundColor DarkGray 64 | Write-Host "" 65 | } 66 | 67 | # Check if all needed PS modules are installed that we need for the tests 68 | # Array of module names to check 69 | Write-Host "Checking for installed PowerShell modules..." 70 | $moduleNames = @("ActiveDirectory", "BitLocker") 71 | 72 | # Check if modules are installed 73 | $missingModules = @() 74 | $installedModules = @() 75 | foreach ($moduleName in $moduleNames) { 76 | if (Get-Module -ListAvailable -Name $moduleName) { 77 | $installedModules += $moduleName 78 | Write-Host "The '$moduleName' module is installed." -ForegroundColor Green 79 | } else { 80 | $missingModules += $moduleName 81 | Write-Host "The '$moduleName' module is not installed." -ForegroundColor Red 82 | } 83 | } 84 | 85 | # Prompt to install missing modules 86 | if ($missingModules.Count -gt 0) { 87 | $installModules = Read-Host "Do you want to install the missing modules? (Y/N)" 88 | if ($installModules -eq "Y" -or $installModules -eq "y") { 89 | foreach ($module in $missingModules) { 90 | Write-Host "Installing module '$module'..." 
91 | Install-Module -Name $module -Scope CurrentUser 92 | } 93 | } 94 | } 95 | 96 | ########### Beginning of the actual checks ########### 97 | 98 | # Domain Password Policy checks 99 | Write-Host "" 100 | Write-Host "##############################################" 101 | Write-Host "# Now checking Default Domain Password stuff #" 102 | Write-Host "##############################################" 103 | Write-Host "References: https://learn.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide" -ForegroundColor DarkGray 104 | Write-Host "References: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-duration" -ForegroundColor DarkGray 105 | Write-Host "References: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/account-lockout-threshold" -ForegroundColor DarkGray 106 | Write-Host "References: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption" -ForegroundColor DarkGray 107 | Write-Host "" 108 | 109 | try { 110 | $defaultPolicy = Get-ADDefaultDomainPasswordPolicy 111 | 112 | if ($defaultPolicy.ComplexityEnabled -eq $false){ 113 | Write-Host "Complexity Enabled: $false" -ForegroundColor Red 114 | $pwpolicy_complexity = 2 115 | } 116 | else { 117 | Write-Host "Complexity Enabled: $true" -ForegroundColor Green 118 | $pwpolicy_complexity = 0 119 | } 120 | 121 | if ($defaultPolicy.lockoutduration.TotalMinutes -gt 14){ 122 | Write-Host "Lockout Duration: $($defaultPolicy.lockoutduration.TotalMinutes)" -ForegroundColor Green 123 | $pwpolicy_lockoutduration = 0 124 | } 125 | elseif ($defaultPolicy.lockoutduration.TotalMinutes -eq 0) { 126 | Write-Host "Lockout Duration: Will never lock" -ForegroundColor Red 127 | $pwpolicy_lockoutduration = 2 128 | } 129 | else { 130 | Write-Host "Lockout Duration: $($defaultPolicy.lockoutduration.TotalMinutes)" 
-ForegroundColor Magenta 131 | $pwpolicy_lockoutduration = 1 132 | } 133 | 134 | if ($defaultPolicy.lockoutthreshold -eq 0) { 135 | Write-Host "Lockout Threshold: Will never lock" -ForegroundColor Red 136 | $pwpolicy_lockoutthreshold = 2 137 | } 138 | elseif ($defaultPolicy.lockoutthreshold -lt 11){ 139 | Write-Host "Lockout Threshold: $($defaultPolicy.lockoutthreshold)" -ForegroundColor Green 140 | $pwpolicy_lockoutthreshold = 0 141 | } 142 | else { 143 | Write-Host "Lockout Threshold: $($defaultPolicy.lockoutthreshold)" -ForegroundColor Magenta 144 | $pwpolicy_lockoutthreshold = 1 145 | } 146 | 147 | if ($defaultPolicy.MinPasswordLength -lt 12){ 148 | Write-Host "Min Password Length: $($defaultPolicy.MinPasswordLength)" -ForegroundColor Red 149 | $pwpolicy_pwlength = 2 150 | } 151 | else { 152 | Write-Host "Min Password Length: $($defaultPolicy.MinPasswordLength)" -ForegroundColor Green 153 | $pwpolicy_pwlength = 0 154 | } 155 | 156 | if ($defaultPolicy.ReversibleEncryptionEnabled -eq $true){ 157 | Write-Host "Reversible Encryption Enabled: $true" -ForegroundColor Red 158 | $pwpolicy_revenc = 2 159 | } 160 | else { 161 | Write-Host "Reversible Encryption Enabled: $false" -ForegroundColor Green 162 | $pwpolicy_revenc = 0 163 | } 164 | 165 | Write-Host "Lockout Duration: $($defaultPolicy.LockoutDuration)" -ForegroundColor DarkGray 166 | Write-Host "Lockout Observation Window: $($defaultPolicy.LockoutObservationWindow)" -ForegroundColor DarkGray 167 | } 168 | catch { 169 | Write-Host "Failed to query domain information. Check if the domain is accessible." 
-ForegroundColor Yellow 170 | $pwpolicy_error = 1 171 | } 172 | 173 | 174 | # Run As PPL checks 175 | Write-host "" 176 | Write-host "#####################################" 177 | Write-host "# Now checking LSA Protection stuff #" 178 | Write-host "#####################################" 179 | Write-host "References: https://itm4n.github.io/lsass-runasppl/" -ForegroundColor DarkGray 180 | Write-host "References: https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection" -ForegroundColor DarkGray 181 | Write-host "" 182 | try { 183 | $value = Get-ItemPropertyvalue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name "RunAsPPL" -ErrorAction Stop 184 | 185 | if ($value -eq 1) { 186 | Write-Host "RunAsPPL: Enabled with UEFI Lock" -ForegroundColor Green 187 | $RunAsPPL = 0 188 | } 189 | if ($value -eq 2) { 190 | Write-Host "RunAsPPL: Enabled without UEFI Lock" -ForegroundColor Green 191 | $RunAsPPL = 0 192 | } 193 | elseif ($value -eq 0) { 194 | Write-Host "RunAsPPL: Disabled" -ForegroundColor Red 195 | $RunAsPPL = 2 196 | } 197 | else { 198 | Write-Host "RunAsPPL: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 199 | $RunAsPPL = 1 200 | } 201 | } 202 | catch { 203 | Write-Host "RunAsPPL: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 204 | $RunAsPPL = 1 205 | } 206 | 207 | <# Deprecated due to WDAC checks. 
According to MS Device Guard is no longer used: https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control 208 | # Device Guard checks 209 | Write-host "" 210 | Write-host "###################################" 211 | Write-host "# Now checking Device Guard stuff #" 212 | Write-host "###################################" 213 | Write-host "References: https://techcommunity.microsoft.com/t5/iis-support-blog/windows-10-device-guard-and-credential-guard-demystified/ba-p/376419" -ForegroundColor DarkGray 214 | Write-host "References: https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control" -ForegroundColor DarkGray 215 | Write-host "" 216 | $computerInfo = Get-ComputerInfo 217 | $DeviceGuardStatus = $computerInfo.DeviceGuardSmartStatus 218 | 219 | if ($DeviceGuardStatus -eq "Running") { 220 | Write-Host "Device Guard is enabled." -ForegroundColor Green 221 | } else { 222 | Write-Host "Device Guard is not enabled." 
-ForegroundColor Red 223 | } #> 224 | 225 | # WDAC checks 226 | Write-host "" 227 | Write-host "###########################" 228 | Write-host "# Now checking WDAC stuff #" 229 | Write-host "###########################" 230 | Write-host "References: https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control" -ForegroundColor DarkGray 231 | Write-host "References: https://learn.microsoft.com/en-us/answers/questions/536416/checking-microsoft-defender-application-control-is" -ForegroundColor DarkGray 232 | Write-host "References: https://www.stigviewer.com/stig/windows_paw/2017-11-21/finding/V-78163" -ForegroundColor DarkGray 233 | Write-host "References: https://www.stigviewer.com/stig/windows_paw/2017-11-21/finding/V-78157" -ForegroundColor DarkGray 234 | Write-host "" 235 | $deviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard 236 | 237 | $CodeIntegrityPolicyEnforcementStatus = $deviceGuard.CodeIntegrityPolicyEnforcementStatus 238 | $UsermodeCodeIntegrityPolicyEnforcementStatus = $deviceGuard.UsermodeCodeIntegrityPolicyEnforcementStatus 239 | 240 | if ($CodeIntegrityPolicyEnforcementStatus -eq 2) { 241 | Write-Host "Code Integrity Policy Enforcement is enabled." -ForegroundColor Green 242 | $wdac_codeintegrity = 0 243 | } 244 | elseif ($CodeIntegrityPolicyEnforcementStatus -eq 0) { 245 | Write-Host "Code Integrity Policy Enforcement is disabled." -ForegroundColor Red 246 | $wdac_codeintegrity = 2 247 | } 248 | elseif ($CodeIntegrityPolicyEnforcementStatus -eq 1) { 249 | Write-Host "Code Integrity Policy Enforcement is set to observe." -ForegroundColor Magenta 250 | $wdac_codeintegrity = 1 251 | } 252 | else { 253 | Write-Host "Code Integrity Policy Enforcement status is unknown." 
-ForegroundColor Red 254 | $wdac_codeintegrity = 2 255 | } 256 | 257 | if ($UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2) { 258 | Write-Host "Usermode Code Integrity Policy Enforcement is enabled." -ForegroundColor Green 259 | $wdac_usercodeintegrity = 0 260 | } 261 | elseif ($UsermodeCodeIntegrityPolicyEnforcementStatus -eq 0) { 262 | Write-Host "Usermode Code Integrity Policy Enforcement is disabled." -ForegroundColor Red 263 | $wdac_usercodeintegrity = 2 264 | } 265 | elseif ($UsermodeCodeIntegrityPolicyEnforcementStatus -eq 1) { 266 | Write-Host "Usermode Code Integrity Policy Enforcement is set to observe." -ForegroundColor Magenta 267 | $wdac_usercodeintegrity = 1 268 | } 269 | else { 270 | Write-Host "Usermode Code Integrity Policy Enforcement status is unknown." -ForegroundColor Red 271 | $wdac_usercodeintegrity = 2 272 | } 273 | 274 | # AppLocker checks 275 | Write-host "" 276 | Write-host "#################################" 277 | Write-host "# Now checking AppLocker stuff #" 278 | Write-host "################################" 279 | Write-host "References: https://learn.microsoft.com/de-de/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview" -ForegroundColor DarkGray 280 | Write-host "" 281 | $appLockerService = Get-Service -Name AppIDSvc 282 | if ($appLockerService.Status -eq "Running") { 283 | Write-Host "AppLocker is running." -ForegroundColor Green 284 | $applocker = 0 285 | } else { 286 | Write-Host "AppLocker is not running." 
-ForegroundColor Red 287 | $applocker = 2 288 | } 289 | 290 | # UAC checks 291 | Write-host "" 292 | Write-host "##################################" 293 | Write-host "# Now checking if UAC is enabled #" 294 | Write-host "##################################" 295 | Write-host "References: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works" -ForegroundColor DarkGray 296 | Write-host "" 297 | $uacStatus = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "EnableLUA" 298 | 299 | if ($uacStatus.EnableLUA -eq 1) { 300 | Write-Host "UAC is enabled." -ForegroundColor Green 301 | $uac = 0 302 | } else { 303 | Write-Host "UAC is disabled." -ForegroundColor Red 304 | $uac = 2 305 | } 306 | 307 | # Guest Account check 308 | Write-host "" 309 | Write-host "############################################" 310 | Write-host "# Now checking if Guest Account is enabled #" 311 | Write-host "############################################" 312 | Write-host "References: https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status" -ForegroundColor DarkGray 313 | Write-host "" 314 | # Get local user accounts 315 | $guestAccount = Get-CimInstance -ClassName Win32_UserAccount | Where-Object { 316 | $_.SID -match "-501" # The local Guest Account always has RID 501 317 | } 318 | 319 | # Check if the Guest account exists 320 | if ($guestAccount) { 321 | # Check if the Guest account is enabled 322 | if ($guestAccount.Disabled -eq $false) { 323 | Write-Host "Guest account enabled" -ForegroundColor Red 324 | $guestacc = 2 325 | } else { 326 | Write-Host "Guest account disabled" -ForegroundColor Green 327 | $guestacc = 0 328 | } 329 | } else { 330 | Write-Host "Guest account not found" -ForegroundColor Yellow 331 | $guestacc = 3 332 | } 333 | 334 | # System Tools as Low Priv User check 335 | # We only want to check if not 
ran as admin 336 | if($elevated -eq $false){ 337 | Write-host "" 338 | Write-host "#######################################################" 339 | Write-host "# Now checking if Low Priv User can run System Tools #" 340 | Write-host "#######################################################" 341 | Write-host "References: " -ForegroundColor DarkGray 342 | Write-host "" 343 | 344 | Write-host "We are now trying to open several system tools with our low priv user. Please do only close them manually if they do not autoclose after the test." -ForegroundColor yellow 345 | Write-host "You may observe error messages when programs were run with UAC, which is absolutely normal, and can be ignored." -ForegroundColor yellow 346 | Write-host "You need to answer the questions in this PowerShell window!!!" -ForegroundColor yellow 347 | $response = Read-Host "ARE YOU READY FOR THE TESTS???? (y/n)(Choosing n will skip the tests)" 348 | if ($response -eq 'y') { 349 | # Check if can run registry 350 | $registrySuccess = $null 351 | try { 352 | $registrySuccess = Start-Process 'regedit.exe' -PassThru 353 | $response = Read-Host "Was the registry editor started successfully? (y/n)" 354 | if ($response -eq 'y') { 355 | Write-Host "Normal user can run regedit" -ForegroundColor Red 356 | $stregedit = 2 357 | } else { 358 | Write-Host "Normal user cannot run regedit" -ForegroundColor Green 359 | $stregedit = 0 360 | } 361 | } catch { 362 | Write-Host "An error occured" -ForegroundColor yellow 363 | $stregedit = 3 364 | } finally { 365 | if ($registrySuccess) { 366 | Stop-Process -Id $registrySuccess.Id -Force 367 | } 368 | } 369 | 370 | # Check if can run cmd 371 | $cmdSuccess = $null 372 | try { 373 | $cmdSuccess = Start-Process 'cmd.exe' -PassThru 374 | $response = Read-Host "Was the command prompt started successfully? 
(y/n)" 375 | if ($response -eq 'y') { 376 | Write-Host "Normal user can run cmd" -ForegroundColor Red 377 | $stcmd = 2 378 | } else { 379 | Write-Host "Normal user cannot run cmd" -ForegroundColor Green 380 | $stcmd = 0 381 | } 382 | } catch { 383 | Write-Host "An error occured" -ForegroundColor yellow 384 | $stcmd = 3 385 | } finally { 386 | if ($cmdSuccess) { 387 | Stop-Process -Id $cmdSuccess.Id -Force 388 | } 389 | } 390 | 391 | # Check if can run PowerShell 392 | $powershellSuccess = $null 393 | try { 394 | $powershellSuccess = Start-Process 'powershell.exe' -PassThru 395 | $response = Read-Host "Was PowerShell started successfully? (y/n)" 396 | if ($response -eq 'y') { 397 | Write-Host "Normal user can run PowerShell" -ForegroundColor Red 398 | $stpowershell = 2 399 | } else { 400 | Write-Host "Normal user cannot run PowerShell" -ForegroundColor Green 401 | $stpowershell = 0 402 | } 403 | } catch { 404 | Write-Host "An error occured" -ForegroundColor yellow 405 | $stpowershell = 3 406 | } finally { 407 | if ($powershellSuccess) { 408 | Stop-Process -Id $powershellSuccess.Id -Force 409 | } 410 | } 411 | } 412 | elseif ($response -eq 'n') { 413 | Write-Host "Okay, we will skip those" -ForegroundColor Red 414 | } 415 | else { 416 | Write-Host "God dammit, only y or n!!!" -ForegroundColor yellow 417 | } 418 | } 419 | 420 | # Always install elevated active? 
421 | Write-host "" 422 | Write-host "######################################################" 423 | Write-host "# Now checking if Always Install Elevated is enabled #" 424 | Write-host "######################################################" 425 | Write-host "References: https://learn.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated" -ForegroundColor DarkGray 426 | Write-host "References: https://pentestlab.blog/2017/02/28/always-install-elevated/" -ForegroundColor DarkGray 427 | Write-host "" 428 | $keysToCheck = @( 429 | "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer", 430 | "Registry::HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Installer" 431 | ) 432 | 433 | $enabled = $false 434 | 435 | foreach ($keyPath in $keysToCheck) { 436 | $alwaysInstallElevated = Get-ItemProperty -Path $keyPath -Name "AlwaysInstallElevated" -ErrorAction SilentlyContinue 437 | 438 | if ($alwaysInstallElevated -ne $null) { 439 | if ($alwaysInstallElevated.AlwaysInstallElevated -eq 1) { 440 | $enabled = $true 441 | break # Exit the loop if enabled in any of the keys 442 | } 443 | } 444 | } 445 | 446 | if ($enabled) { 447 | Write-Host "Always install elevated is active." -ForegroundColor Red 448 | $aie = 2 449 | } else { 450 | Write-Host "Always install elevated is not active." 
-ForegroundColor Green 451 | $aie = 0 452 | } 453 | 454 | # Credential Guard checks 455 | Write-host "" 456 | Write-host "#######################################" 457 | Write-host "# Now checking Credential Guard stuff #" 458 | Write-host "#######################################" 459 | Write-host "References: https://itm4n.github.io/credential-guard-bypass/" -ForegroundColor DarkGray 460 | Write-host "References: https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage" -ForegroundColor DarkGray 461 | Write-host "" 462 | $credentialGuardEnabled = (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning 463 | 464 | if ($credentialGuardEnabled -eq 1) { 465 | Write-Host "Credential Guard is enabled." -ForegroundColor Green 466 | $credguard = 0 467 | } else { 468 | Write-Host "Credential Guard is not enabled." -ForegroundColor red 469 | $credguard = 2 470 | } 471 | 472 | # Co-Installer checks 473 | Write-host "" 474 | Write-host "###################################" 475 | Write-host "# Now checking Co-installer stuff #" 476 | Write-host "###################################" 477 | Write-host "References: https://learn.microsoft.com/en-us/windows-hardware/drivers/install/registering-a-device-specific-co-installer" -ForegroundColor DarkGray 478 | Write-host "References: https://www.bleepingcomputer.com/news/microsoft/how-to-block-windows-plug-and-play-auto-installing-insecure-apps" -ForegroundColor DarkGray 479 | Write-host "References: https://www.scip.ch/en/?labs.20211209" -ForegroundColor DarkGray 480 | Write-host "" 481 | try { 482 | $value = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer" -Name "DisableCoInstallers" -ErrorAction Stop 483 | 484 | if ($value -eq 1) { 485 | Write-Host "Allow installation of Co-installers: Disabled" -ForegroundColor Green 486 | $coinstaller = 0 487 | } 488 | elseif ($value -eq 
0) { 489 | Write-Host "Allow installation of Co-installers: Enabled" -ForegroundColor Red 490 | $coinstaller = 2 491 | } 492 | } 493 | catch { 494 | Write-Host "Allow installation of Co-installers: Error (probably regkey doesn't exist - hence enabled)" -ForegroundColor Red 495 | $coinstaller = 2 496 | } 497 | 498 | # DMA protection related stuff 499 | Write-host "" 500 | Write-host "#####################################" 501 | Write-host "# Now checking DMA Protection stuff #" 502 | Write-host "#####################################" 503 | Write-host "References: https://www.synacktiv.com/en/publications/practical-dma-attack-on-windows-10.html" -ForegroundColor DarkGray 504 | Write-host "References: https://www.scip.ch/?labs.20211209" -ForegroundColor DarkGray 505 | Write-host "References: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-dataprotection" -ForegroundColor DarkGray 506 | Write-host "" 507 | try { 508 | $value = Get-ItemPropertyValue -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceLock" -Name "AllowDirectMemoryAccess" -ErrorAction Stop 509 | 510 | if ($value -eq 1) { 511 | Write-Host "AllowDirectMemoryAccess: Enabled" -ForegroundColor Red 512 | $dma_access = 2 513 | } 514 | elseif ($value -eq 0) { 515 | Write-Host "AllowDirectMemoryAccess: Disabled" -ForegroundColor Green 516 | $dma_access = 0 517 | } 518 | else { 519 | Write-Host "AllowDirectMemoryAccess: Error (probably regkey doesn't exist - hence enabled)" -ForegroundColor Magenta 520 | $dma_access = 1 521 | } 522 | } 523 | catch { 524 | Write-Host "AllowDirectMemoryAccess: Error (probably regkey doesn't exist - hence enabled)" -ForegroundColor Magenta 525 | $dma_access = 1 526 | } 527 | 528 | try { 529 | $value = Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -ErrorAction Stop 530 | 531 | if ($value -eq 1) { 532 | Write-Host "EnableVirtualizationBasedSecurity: Enabled" -ForegroundColor Green 
533 | $dma_vbs = 0 534 | } 535 | elseif ($value -eq 0) { 536 | Write-Host "EnableVirtualizationBasedSecurity: Disabled" -ForegroundColor Red 537 | $dma_vbs = 2 538 | } 539 | else { 540 | Write-Host "EnableVirtualizationBasedSecurity: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 541 | $dma_vbs = 1 542 | } 543 | } 544 | catch { 545 | Write-Host "EnableVirtualizationBasedSecurity: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 546 | $dma_vbs = 1 547 | } 548 | 549 | try { 550 | $value = Get-ItemPropertyValue -Path Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -ErrorAction Stop 551 | 552 | if ($value -eq 1) { 553 | Write-Host "HypervisorEnforcedCodeIntegrity: Enabled" -ForegroundColor Green 554 | $dma_heci = 0 555 | } 556 | elseif ($value -eq 0) { 557 | Write-Host "HypervisorEnforcedCodeIntegrity: Disabled" -ForegroundColor Red 558 | $dma_heci = 2 559 | } 560 | else { 561 | Write-Host "HypervisorEnforcedCodeIntegrity: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 562 | $dma_heci = 1 563 | } 564 | } 565 | catch { 566 | Write-Host "HypervisorEnforcedCodeIntegrity: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 567 | $dma_heci = 1 568 | } 569 | 570 | try { 571 | $value = Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "LockConfiguration" -ErrorAction Stop 572 | 573 | if ($value -eq 1) { 574 | Write-Host "HypervisorEnforcedCodeIntegrity Config Locked: Enabled" -ForegroundColor Green 575 | $dma_heci_locked = 0 576 | } 577 | elseif ($value -eq 0) { 578 | Write-Host "HypervisorEnforcedCodeIntegrity Config Locked: Disabled" -ForegroundColor Red 579 | $dma_heci_locked = 2 580 | } 581 | else { 582 | Write-Host "HypervisorEnforcedCodeIntegrity Config Locked: Error (probably 
regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 583 | $dma_heci_locked = 1 584 | } 585 | } 586 | catch { 587 | Write-Host "HypervisorEnforcedCodeIntegrity Config Locked: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Magenta 588 | $dma_heci_locked = 1 589 | } 590 | 591 | # BitLocker status 592 | Write-host "" 593 | Write-host "###################################" 594 | Write-host "# Now checking BitLocker settings #" 595 | Write-host "# If TPM only > possibly insecure #" 596 | Write-host "###################################" 597 | Write-host "References: https://learn.microsoft.com/en-us/powershell/module/bitlocker/add-bitlockerkeyprotector?view=windowsserver2022-ps" -ForegroundColor DarkGray 598 | Write-host "References: https://luemmelsec.github.io/Go-away-BitLocker-you-are-drunk/" -ForegroundColor DarkGray 599 | Write-host "" 600 | $volumes = $null 601 | $bl_greenCount = 0 602 | $bl_magentaCount = 0 603 | $bl_redCount = 0 604 | $bl_yellowCount = 0 605 | try { 606 | $volumes = Get-BitLockerVolume -ErrorAction Stop 607 | foreach ($volume in $volumes) { 608 | $volumeLabel = $volume.MountPoint 609 | $bitLockerStatus = $volume.ProtectionStatus 610 | $keyProtectorType = $volume.KeyProtector.KeyProtectorType 611 | 612 | if ($bitLockerStatus -eq "On") { 613 | Write-Host "BitLocker on volume $volumeLabel - enabled" -ForegroundColor Green 614 | $bl_greenCount++ 615 | 616 | if ($keyProtectorType -like "*ExternalKey*") { 617 | Write-Host "Protection of key material on volume $volumeLabel - possibly insecure" -ForegroundColor Magenta 618 | $bl_magentaCount++ 619 | } 620 | elseif ($keyProtectorType -like "*key*" -or $keyProtectorType -like "*pin*") { 621 | Write-Host "Protection of key material on volume $volumeLabel - okay" -ForegroundColor Green 622 | $bl_greenCount++ 623 | } 624 | else { 625 | Write-Host "Protection of key material on volume $volumeLabel - possibly insecure" -ForegroundColor Magenta 626 | $bl_magentaCount++ 627 | 
} 628 | } 629 | else { 630 | Write-Host "BitLocker on volume $volumeLabel - disabled" -ForegroundColor Red 631 | $bl_redCount++ 632 | } 633 | } 634 | } catch { 635 | $errorMessage = $_.Exception.Message 636 | if ($errorMessage -like "*Access Denied*") { 637 | Write-Host "Could not query the information with current rights." -ForegroundColor Yellow 638 | $bl_yellowCount++ 639 | } else { 640 | Write-Host "An error occurred: $errorMessage" -ForegroundColor Red 641 | $bl_redCount++ 642 | } 643 | } 644 | 645 | # Secure Boot enabled? 646 | Write-host "" 647 | Write-host "#####################################" 648 | Write-host "# Now checking Secure Boot settings #" 649 | Write-host "#####################################" 650 | Write-host "References: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-secure-boot" -ForegroundColor DarkGray 651 | Write-host "" 652 | try { 653 | $value = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State" -Name "UEFISecureBootEnabled" -ErrorAction Stop 654 | 655 | if ($value.UEFISecureBootEnabled -eq 1) { 656 | Write-Host "Secure Boot is enabled" -ForegroundColor Green 657 | $secureboot = 0 658 | } 659 | elseif ($value.UEFISecureBootEnabled -eq 0) { 660 | Write-Host "Secure Boot is disabled" -ForegroundColor Red 661 | $secureboot = 2 662 | } 663 | } 664 | catch { 665 | Write-Host "Secure Boot settings: Error (probably regkey doesn't exist - hence disabled)" -ForegroundColor Red 666 | $secureboot = 2 667 | } 668 | 669 | # Can the Users group write to SYSTEM PATH folders > Hijacking possibilities? 
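# PATH hijacking: a folder on the *machine* PATH that a low-privileged principal can write to lets
# that user drop a DLL/EXE that privileged processes may resolve first (see reference below).
Write-Host ""
Write-Host "###########################################################"
Write-Host "# Now checking ACLs on folders from `$PATH System variable #"
Write-Host "###########################################################"
Write-Host "References: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc" -ForegroundColor DarkGray
Write-Host ""
$spa_greenCount = 0
$spa_redCount = 0

# Use the machine-scope PATH, not $env:Path: the process PATH also carries the user-scope entries,
# which are writable by that user by design and only produce false positives here.
$systemPath = [Environment]::GetEnvironmentVariable('Path', [EnvironmentVariableTarget]::Machine)
if ([string]::IsNullOrWhiteSpace($systemPath)) {
    Write-Host "Could not read the machine PATH variable." -ForegroundColor Yellow
}

# Well-known SIDs of principals every interactive low-privileged user belongs to. SIDs instead of
# account names so the comparison also works on localized Windows installations.
$lowPrivSids = @(
    'S-1-5-32-545',   # BUILTIN\Users
    'S-1-5-11',       # NT AUTHORITY\Authenticated Users
    'S-1-1-0',        # Everyone
    'S-1-5-4'         # NT AUTHORITY\INTERACTIVE
)

# Rights that allow planting a file in the folder. The old test used FileSystemRights::Write, which
# also fires on WriteAttributes/WriteExtendedAttributes alone (no file can be created with those).
# Generic rights are kept as raw bits because Get-Acl does not map them onto the enum.
$createRights = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor [System.Security.AccessControl.FileSystemRights]::CreateDirectories)
$genericWriteBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

$systemPath -split ';' | Where-Object { -not [string]::IsNullOrWhiteSpace($_) } | ForEach-Object {
    # Some installers leave quotes / whitespace around their PATH entry
    $folder = $_.Trim().Trim('"')

    if (-not (Test-Path -Path $folder)) {
        Write-Host "Folder does not exist: $folder"
        return   # next PATH entry
    }

    try {
        $acl = Get-Acl -Path $folder -ErrorAction Stop
    } catch {
        # A folder whose ACL we cannot even read is reported instead of silently counted as green
        Write-Host "Could not read ACL of folder: $folder ($($_.Exception.Message))" -ForegroundColor Yellow
        return
    }

    # Only Allow ACEs are evaluated; a matching Deny ACE for one of the principals would still win
    # on the real system, so a hit here is "review this", not proof of exploitability.
    $writableBy = $acl.Access | Where-Object {
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow
    } | Where-Object {
        $rights = [int]$_.FileSystemRights
        (($rights -band $createRights) -ne 0) -or (($rights -band $genericWriteBits) -ne 0)
    } | Where-Object {
        try {
            $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            $lowPrivSids -contains $sid
        } catch {
            $false   # orphaned / unresolvable identity - not one of the principals we care about
        }
    }

    if ($writableBy) {
        foreach ($ace in $writableBy) {
            Write-Host "$($ace.IdentityReference) can write to folder: $folder" -ForegroundColor Red
        }
        $spa_redCount++
    } else {
        Write-Host "Members of the Users Group cannot write to folder: $folder" -ForegroundColor Green
        $spa_greenCount++
    }
}

# Do we have unquoted service paths? > Hijacking possibilities?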
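# Unquoted service paths: if the image path contains a space and is not quoted, the service control
# manager tries "C:\Program.exe", "C:\Program Files\Some.exe", ... before the real binary, so a
# user who can write to one of those parent folders can hijack the service.
Write-Host ""
Write-Host "###########################################"
Write-Host "# Now checking for unquoted service paths #"
Write-Host "###########################################"
Write-Host "References: https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation/dll-hijacking/writable-sys-path-+dll-hijacking-privesc" -ForegroundColor DarkGray
Write-Host "References: https://github.com/itm4n/PrivescCheck/tree/master" -ForegroundColor DarkGray
Write-Host ""
$uqsp_redcount = 0

# Services under the Windows directory are excluded as before (Microsoft-owned, not user-writable);
# the real system root is used instead of a hard-coded C:\Windows.
$systemRoot = if ($env:SystemRoot) { $env:SystemRoot } else { 'C:\Windows' }

$services = Get-CimInstance -Class Win32_Service -Property Name, DisplayName, PathName, StartMode |
    Where-Object {
        -not [string]::IsNullOrWhiteSpace($_.PathName) -and
        $_.PathName.TrimStart() -notlike '"*' -and
        $_.PathName.TrimStart() -notlike "$systemRoot*"
    } |
    Where-Object {
        # Only the executable part matters, not its arguments: "C:\Tools\svc.exe -k foo" is safe,
        # "C:\Program Files\Tool\svc.exe -k foo" is not. Everything up to the first ".exe" is taken
        # as the executable; a path without ".exe" is checked as a whole. The old check flagged
        # every unquoted path, including ones without any space.
        $binary = if ($_.PathName -match '^(.*?\.exe)') { $Matches[1] } else { $_.PathName }
        $binary.Trim() -match '\s'
    }

foreach ($service in $services) {
    Write-Host "Service Name: $($service.Name)" -ForegroundColor Red
    Write-Host "Path: $($service.PathName)" -ForegroundColor Red
    Write-Host "Display Name: $($service.DisplayName)" -ForegroundColor Red
    Write-Host "Start Mode: $($service.StartMode)" -ForegroundColor Red
    Write-Host "" -ForegroundColor Red
    $uqsp_redcount++
}

if ($uqsp_redcount -eq 0) {
    Write-Host "No unquoted service paths containing spaces found." -ForegroundColor Green
}
# NOTE(review): a hit is only exploitable when the current user can write to one of the
# intermediate folders (e.g. C:\ or C:\Program Files); that is not verified here.

# Check if WSUS is fetching updates over HTTP instead of HTTPS?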
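# WSUS: an update server reached over plain HTTP can be impersonated by a MitM (PyWSUS) to deliver
# a signed-but-malicious "update" that runs as SYSTEM. WUServer is only honoured by the client
# when AU\UseWUServer is 1, so a stale WUServer value alone is not an active HTTP channel.
Write-Host ""
Write-Host "##############################"
Write-Host "# Now checking WSUS settings #"
Write-Host "##############################"
Write-Host "References: https://www.gosecure.net/blog/2020/09/03/wsus-attacks-part-1-introducing-pywsus/" -ForegroundColor DarkGray
Write-Host ""
try {
    $wsusPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
    $wsusAuPath = "$wsusPath\AU"

    # Missing values become $null here instead of a non-terminating error that the old
    # Get-ItemProperty -Name WUServer call printed before silently reporting green.
    $wsusServerUrl = (Get-ItemProperty -Path $wsusPath -Name "WUServer" -ErrorAction SilentlyContinue).WUServer
    $wsusStatusUrl = (Get-ItemProperty -Path $wsusPath -Name "WUStatusServer" -ErrorAction SilentlyContinue).WUStatusServer
    $useWuServer = (Get-ItemProperty -Path $wsusAuPath -Name "UseWUServer" -ErrorAction SilentlyContinue).UseWUServer

    if ([string]::IsNullOrWhiteSpace($wsusServerUrl)) {
        Write-Host "WSUS is not configured." -ForegroundColor Green
        $wsus = 0
    } elseif ($useWuServer -ne 1) {
        Write-Host "WSUS server is configured ($wsusServerUrl) but AU\UseWUServer is not 1 - the setting is currently ignored." -ForegroundColor Magenta
        $wsus = 1
    } elseif ($wsusServerUrl -match "^http://" -or $wsusStatusUrl -match "^http://") {
        Write-Host "WSUS updates are fetched over HTTP." -ForegroundColor Red
        Write-Host "WUServer: $wsusServerUrl / WUStatusServer: $wsusStatusUrl" -ForegroundColor Red
        $wsus = 2
    } else {
        Write-Host "WSUS updates are not fetched over HTTP." -ForegroundColor Green
        Write-Host "WUServer: $wsusServerUrl" -ForegroundColor Green
        $wsus = 0
    }
} catch {
    Write-Host "An error occurred while checking the WSUS configuration."
    $wsus = 3
}

# PowerShell related checks
Write-Host ""
Write-Host "####################################"
Write-Host "# Now checking PowerShell settings #"
Write-Host "####################################"
Write-Host "References: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3" -ForegroundColor DarkGray
Write-Host ""

# Check if PowerShell v2 can be run. The v2 engine predates script block logging, AMSI and
# constrained language mode, so "powershell -Version 2" is a classic logging/AMSI downgrade.
# The probe starts such a shell and runs "exit": exit code 0 means the v2 engine is present.
$psVersion2Enabled = $false

$psInfo = New-Object System.Diagnostics.ProcessStartInfo
$psInfo.FileName = 'powershell.exe'
# -NoProfile / -NonInteractive: an audit tool must not execute the user's profile scripts in the
# probe shell (a planted profile would run here) and must never block on a prompt.
$psInfo.Arguments = '-Version 2 -NoProfile -NonInteractive -NoExit -Command "exit"'
$psInfo.RedirectStandardOutput = $true
$psInfo.RedirectStandardError = $true
$psInfo.UseShellExecute = $false
$psInfo.CreateNoWindow = $true

$psProcess = New-Object System.Diagnostics.Process
$psProcess.StartInfo = $psInfo

try {
    [void]$psProcess.Start()
    [void]$psProcess.WaitForExit()

    if ($psProcess.ExitCode -eq 0) {
        $psVersion2Enabled = $true
    }
} catch {
    # powershell.exe could not be started at all - say so rather than silently reporting green
    Write-Host "PowerShell v2 probe failed: $($_.Exception.Message)" -ForegroundColor Yellow
} finally {
    [void]$psProcess.Dispose()
}

if ($psVersion2Enabled) {
    Write-Host "PowerShell v2 can be run." -ForegroundColor Red
    $ps_v2 = 2
} else {
    Write-Host "PowerShell v2 cannot be run." -ForegroundColor Green
    $ps_v2 = 0
}

# Check the execution policy. This is the effective policy for the current session; it is a
# safety feature, not a security boundary (-ExecutionPolicy Bypass defeats it), so treat it as
# hygiene rather than as a hardening control.
$executionPolicy = Get-ExecutionPolicy
if ($executionPolicy -eq "AllSigned") {
    Write-Host "Execution Policy is $executionPolicy" -ForegroundColor Green
    $ps_ep = 0
} elseif ($executionPolicy -eq "Unrestricted" -or $executionPolicy -eq "Bypass") {
    Write-Host "Execution Policy is $executionPolicy" -ForegroundColor Red
    $ps_ep = 2
} else {
    Write-Host "Execution Policy is $executionPolicy" -ForegroundColor Magenta
    $ps_ep = 1
}

# Check the language mode of THIS session. Run the script as the user you want to assess:
# an elevated session typically does not get ConstrainedLanguage from WDAC/AppLocker policy.
$languageMode = $ExecutionContext.SessionState.LanguageMode
if ($languageMode -eq "FullLanguage") {
    Write-Host "Language Mode is $languageMode" -ForegroundColor Red
    $ps_lm = 2
} else {
    Write-Host "Language Mode is $languageMode" -ForegroundColor Green
    $ps_lm = 0
}

# IPv6 settings: with IPv6 bound but no IPv6 infrastructure, a rogue DHCPv6/DNS server (mitm6)
# takes over name resolution. One line per adapter; the overall verdict is red if ANY adapter has
# the binding enabled (the old loop let the last adapter in the list overwrite the result).
Write-Host ""
Write-Host "##############################"
Write-Host "# Now checking IPv6 settings #"
Write-Host "##############################"
Write-Host "References: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/" -ForegroundColor DarkGray
Write-Host "References: https://www.blackhillsinfosec.com/mitm6-strikes-again-the-dark-side-of-ipv6/" -ForegroundColor DarkGray
Write-Host ""

$ipv6 = 0
$adapterStatus = @(Get-NetAdapterBinding -ErrorAction SilentlyContinue | Where-Object {$_.ComponentID -eq "ms_tcpip6"} | Select-Object -Property Name, Enabled)
foreach ($binding in $adapterStatus) {
    $adapterName = $binding.Name
    if ($binding.Enabled) {
        Write-Host "IPv6 is enabled on Adapter $adapterName." -ForegroundColor Red
        $ipv6 = 2
    } else {
        Write-Host "IPv6 is disabled on Adapter $adapterName." -ForegroundColor Green
    }
}
if ($adapterStatus.Count -eq 0) {
    Write-Host "Could not enumerate IPv6 adapter bindings." -ForegroundColor Yellow
    $ipv6 = 3
}

# NetBIOS Name Resolution, LLMNR and mDNS checks - all three are fallback name resolution
# protocols that a poisoner (Responder) answers to capture or relay authentication.
Write-Host ""
Write-Host "################################################"
Write-Host "# Now checking NetBIOS / LLMNR / mDNS settings #"
Write-Host "################################################"
Write-Host "References: https://luemmelsec.github.io/Relaying-101/" -ForegroundColor DarkGray
Write-Host ""

# LLMNR: only EnableMulticast = 0 under the DNSClient policy key disables it; a missing value or
# any other value leaves it on (the old code left $llmnr unset for values other than 0/1).
$dnsClientKey = "HKLM:\Software\Policies\Microsoft\Windows NT\DNSClient"
$llmnrValue = (Get-ItemProperty -Path $dnsClientKey -Name "EnableMulticast" -ErrorAction SilentlyContinue).EnableMulticast
if ($llmnrValue -eq 0) {
    Write-Host "LLMNR status: disabled" -ForegroundColor Green
    $llmnr = 0
} elseif ($null -eq $llmnrValue) {
    Write-Host "LLMNR status: reg key not found - hence enabled" -ForegroundColor Red
    $llmnr = 2
} else {
    Write-Host "LLMNR status: enabled" -ForegroundColor Red
    $llmnr = 2
}

# mDNS: EnableMDNS = 0 under the Dnscache parameters disables it; anything else means on.
# NOTE(review): newer Windows builds also expose an mDNS policy setting; only the service
# parameter is checked here - confirm against the build you are auditing.
$mDNSParametersKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters"
$mdnsValue = (Get-ItemProperty -Path $mDNSParametersKey -Name "EnableMDNS" -ErrorAction SilentlyContinue).EnableMDNS
if ($mdnsValue -eq 0) {
    Write-Host "mDNS status: disabled" -ForegroundColor Green
    $mdns = 0
} elseif ($null -eq $mdnsValue) {
    Write-Host "mDNS status: reg key not found - hence enabled" -ForegroundColor Red
    $mdns = 2
} else {
    Write-Host "mDNS status: enabled" -ForegroundColor Red
    $mdns = 2
}

# NetBIOS over TCP/IP per interface. NetbiosOptions: 0 = default (follow the DHCP option, which in
# practice means enabled), 1 = enabled, 2 = disabled - so 0 and 1 both count as enabled.
$netbtInterfacePath = "HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"
$adapterKeys = Get-ChildItem -Path $netbtInterfacePath -ErrorAction SilentlyContinue

$enabledAdapters = @()
foreach ($adapterKey in $adapterKeys) {
    if ($adapterKey.PSChildName -notlike "Tcpip_*") { continue }
    $adapterGuid = $adapterKey.PSChildName -replace "^Tcpip_", ""
    $netbiosOptions = (Get-ItemProperty -Path "$netbtInterfacePath\$($adapterKey.PSChildName)" -Name "NetbiosOptions" -ErrorAction SilentlyContinue).NetbiosOptions
    if ($netbiosOptions -eq 1 -or $netbiosOptions -eq 0) {
        $enabledAdapters += $adapterGuid
    }
}

if ($enabledAdapters.Count -gt 0) {
    Write-Host "NetBIOS status: Enabled on at least one network adapter" -ForegroundColor Red
    $netbios = 2
    Write-Host ""
    # One CIM query for all adapters instead of one per enabled interface
    $adapterConfigs = @(Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -ErrorAction SilentlyContinue)
    foreach ($adapter in $enabledAdapters) {
        $adapterInstance = $adapterConfigs | Where-Object { $_.SettingID -like "*$adapter*" }
        if ($adapterInstance) {
            Write-Host $adapterInstance.Description -ForegroundColor Red
        } else {
            Write-Host "Interface $adapter" -ForegroundColor Red
        }
    }
}
else {
    Write-Host "NetBIOS status: Not enabled on any network adapter" -ForegroundColor Green
    $netbios = 0
}


# SMB Checks. Server-side signing is what stops this host from being used as a relay *target*;
# SMB1 is a deprecated protocol that should be removed regardless of signing.
Write-Host ""
Write-Host "####################################"
Write-Host "# Now checking SMB Server settings #"
Write-Host "####################################"
Write-Host "References: https://luemmelsec.github.io/Relaying-101/" -ForegroundColor DarkGray
Write-Host "References: https://techcommunity.microsoft.com/t5/storage-at-microsoft/configure-smb-signing-with-confidence/ba-p/2418102" -ForegroundColor DarkGray
Write-Host ""

# Get-SmbServerConfiguration needs elevation. Without the object the old code evaluated both checks
# on $null - "SMB1 not used" (false green) and "signing disabled" (false red). Report unknown instead.
$smbConfig = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -eq $smbConfig) {
    Write-Host "Could not query the SMB server configuration with current rights." -ForegroundColor Yellow
    $smb_v1 = 3
    $smb_sig = 3
} else {
    # Check SMB1 settings
    if ($smbConfig.EnableSMB1Protocol) {
        Write-Host "SMB version 1 is enabled. Deprecated protocol - remove it!!!" -ForegroundColor Red
        $smb_v1 = 2
    } else {
        Write-Host "SMB version 1 is not used" -ForegroundColor Green
        $smb_v1 = 0
    }

    # Check SMB Signing settings (RequireSecuritySignature is the only setting that matters;
    # EnableSecuritySignature alone still lets an unsigned session through)
    if ($smbConfig.RequireSecuritySignature) {
        Write-Host "SMB signing is enabled for SMB2 and newer" -ForegroundColor Green
        $smb_sig = 0
    } else {
        Write-Host "SMB signing is disabled for SMB2 and newer" -ForegroundColor Red
        $smb_sig = 2
    }
}

# Firewall Checks
Write-Host ""
Write-Host "##################################"
Write-Host "# Now checking Firewall settings #"
Write-Host "##################################"
Write-Host "References: https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring" -ForegroundColor DarkGray
Write-Host ""

try {
    $firewallProfiles = @(Get-NetFirewallProfile -Profile Domain, Public, Private -ErrorAction Stop)

    # In PowerShell a collection with more than one element is always truthy, so the old
    # "if ($firewallProfile.Enabled)" over three profiles reported the firewall as enabled even
    # when every profile was off. Evaluate each profile on its own.
    $enabledProfiles = @($firewallProfiles | Where-Object { "$($_.Enabled)" -eq 'True' })
    $disabledProfiles = @($firewallProfiles | Where-Object { "$($_.Enabled)" -ne 'True' })
    foreach ($fwProfile in $firewallProfiles) {
        $profileColor = if ("$($fwProfile.Enabled)" -eq 'True') { 'Green' } else { 'Red' }
        Write-Host "Profile $($fwProfile.Name): Enabled=$($fwProfile.Enabled), DefaultInboundAction=$($fwProfile.DefaultInboundAction)" -ForegroundColor $profileColor
    }

    if ($enabledProfiles.Count -eq 0) {
        Write-Host "Windows Firewall is disabled." -ForegroundColor Red
        $firewall = 2
    } else {
        if ($disabledProfiles.Count -gt 0) {
            Write-Host "Windows Firewall is disabled for profile(s): $($disabledProfiles.Name -join ', ')" -ForegroundColor Red
            $firewall = 2
        } else {
            Write-Host "Windows Firewall is enabled." -ForegroundColor Magenta
            $firewall = 1
        }
        Write-Host "Firewall Rules (check them for dangerous stuff):" -ForegroundColor Magenta

        # Get all Firewall rules (errors are merged into the output so a permission problem can be recognised)
        $firewallRules = Get-NetFirewallRule 2>&1

        if ($firewallRules -match "Access is denied") {
            Write-Host "Could not query the information with current rights." -ForegroundColor Yellow
            if ($firewall -ne 2) { $firewall = 3 }
        }
        elseif ($firewallRules) {
            $ruleTable = foreach ($rule in $firewallRules) {
                # Ports and addresses are not stored on the rule but in its associated filter sets
                $portFilters = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule -ErrorAction SilentlyContinue
                $addressFilters = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule -ErrorAction SilentlyContinue

                $localAddresses = @($addressFilters | ForEach-Object { $_.LocalAddress } | Where-Object { $_ -ne "*" })
                $remoteAddresses = @($addressFilters | ForEach-Object { $_.RemoteAddress } | Where-Object { $_ -ne "*" })

                [PSCustomObject]@{
                    "Rule Name"      = $rule.DisplayName
                    "Action"         = $rule.Action
                    "Enabled"        = $rule.Enabled
                    "Protocol"       = $rule.Protocol
                    "Allowed Ports"  = if ($portFilters) { $portFilters.LocalPort -join ', ' } else { "None" }
                    "Direction"      = $rule.Direction
                    "Local Address"  = if ($localAddresses) { $localAddresses -join ', ' } else { "N/A" }
                    "Remote Address" = if ($remoteAddresses) { $remoteAddresses -join ', ' } else { "N/A" }
                }
            }

            $ruleTable | Format-Table -AutoSize
        } else {
            Write-Host "No firewall rules found." -ForegroundColor Green
            if ($firewall -ne 2) { $firewall = 0 }
        }
    }
} catch {
    Write-Host "An error occurred: $($_.Exception.Message)" -ForegroundColor Yellow
    $firewall = 3
}



# AV Checks
Write-Host ""
Write-Host "############################"
Write-Host "# Now checking AV settings #"
Write-Host "############################"
Write-Host "References: https://www.itnator.net/antivirus-status-auslesen-mit-powershell/" -ForegroundColor DarkGray
Write-Host ""

# productState is a bit field; the enums below name the nibbles used by the loop that follows.
# Product Status Flags
[Flags()] enum ProductState {
    Off = 0x0000
    On = 0x1000
    Snoozed = 0x2000
    Expired = 0x3000
}

# Signature Status Flags
[Flags()] enum SignatureStatus {
    UpToDate = 0x00
    OutOfDate = 0x10
}

# Product Owner Flags
[Flags()] enum ProductOwner {
    NotMS = 0x000
    Windows = 0x100
}

[Flags()] enum ProductFlags {
    SignatureStatus = 0x00F0
    ProductOwner = 0x0F00
    ProductState = 0xF000
}

# Get installed AV software. The SecurityCenter2 namespace does not exist on Server SKUs; there
# $avinfo stays empty and the loop below reports nothing - check Defender / 3rd-party AV manually.
$avinfo = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct -ErrorAction SilentlyContinue

# if more AV installed...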
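# Evaluate every registered AV product. $av_on / $av_utd keep the WORST product seen (2 > 1 > 0)
# instead of whichever product happened to be listed last, and "no product at all" is itself red
# (the old loop left both variables unset in that case).
$worstAvOn = 0
$worstAvUtd = 0
$avProducts = @($avinfo)
if ($avProducts.Count -eq 0) {
    Write-Host "No AV product registered in root/SecurityCenter2 (namespace missing on Server SKUs - verify manually)." -ForegroundColor Red
    $worstAvOn = 2
    $worstAvUtd = 2
}
foreach ($av in $avProducts) {
    # decode the bit field: 0xF000 = product state, 0x00F0 = signature state
    $state = [int]$av.productState
    $productStatus = [ProductState]($state -band [int][ProductFlags]::ProductState)
    $signatureStatus = [SignatureStatus]($state -band [int][ProductFlags]::SignatureStatus)

    $thisOn = switch ("$productStatus") { 'On' { 0 } 'Snoozed' { 1 } default { 2 } }
    $thisUtd = if ("$signatureStatus" -eq 'UpToDate') { 0 } else { 2 }
    $onColor = @('Green', 'Magenta', 'Red')[$thisOn]
    $utdColor = if ($thisUtd -eq 0) { 'Green' } else { 'Red' }

    Write-Host "Name: $($av.displayName)"
    Write-Host "Product Status: $($productStatus.ToString())" -ForegroundColor $onColor
    Write-Host "Signature Status: $($signatureStatus.ToString())" -ForegroundColor $utdColor
    Write-Host ""

    $worstAvOn = [Math]::Max($worstAvOn, $thisOn)
    $worstAvUtd = [Math]::Max($worstAvUtd, $thisUtd)
}
$av_on = $worstAvOn
$av_utd = $worstAvUtd
Write-Host "Don't forget to check exclusions!" -ForegroundColor Magenta

# Proxy Checks. This is the WinINET proxy of the *current user* (HKCU); services and WinHTTP
# callers may use a different (or no) proxy, so run this as the user whose traffic you care about.
Write-Host ""
Write-Host "###############################"
Write-Host "# Now checking Proxy settings #"
Write-Host "###############################"
Write-Host "References: " -ForegroundColor DarkGray
Write-Host ""

$proxySettings = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue

if ($proxySettings.ProxyEnable) {
    Write-Host "Proxy enabled: Yes - check if it does a good job or not" -ForegroundColor Magenta
    Write-Host "Proxy Server: $($proxySettings.ProxyServer)" -ForegroundColor Magenta
    Write-Host "Bypass list: $($proxySettings.ProxyOverride)" -ForegroundColor Magenta
    $proxy_enabled = 1
} else {
    Write-Host "Proxy enabled: No" -ForegroundColor Red
    $proxy_enabled = 2
}

# A PAC URL is executable configuration fetched at logon - check who controls it and over what transport
if ($proxySettings.AutoConfigUrl) {
    Write-Host "Auto Config set: Yes - check if it does a good job or not" -ForegroundColor Magenta
    Write-Host "Automatic Configuration URL: $($proxySettings.AutoConfigUrl)" -ForegroundColor Magenta
    $proxy_autoconfig = 1
} else {
    Write-Host "Auto Config set: No" -ForegroundColor Red
    $proxy_autoconfig = 2
}


# Windows Update Checks
Write-Host ""
Write-Host "################################"
Write-Host "# Now checking Windows Updates #"
Write-Host "################################"
Write-Host "References: " -ForegroundColor DarkGray
Write-Host ""

# Update classifications counted as "important" for the verdict. ICategory.CategoryID is a
# classification GUID (locale independent), so the earlier literal "ImportantUpdates" could never
# match and every host was reported as up-to-date. MsrcSeverity is checked as well because
# cumulative updates carry a severity even when their classification differs.
$importantClassifications = @(
    '0FA1201D-4330-4FA8-8AE9-B877473B6441',   # Security Updates
    'E6CF1350-C01B-414D-A61F-263D14D133B4'    # Critical Updates
)

$pendingUpdates = @()
$winupdate = 3
try {
    # The search talks to Windows Update / the configured WSUS server: it can take a while and
    # fails without connectivity, which is reported instead of aborting the whole check.
    $UpdateSession = New-Object -ComObject "Microsoft.Update.Session"
    $UpdateSearcher = $UpdateSession.CreateUpdateSearcher()
    $SearchResult = $UpdateSearcher.Search("IsInstalled=0 and IsHidden=0")
    $pendingUpdates = @($SearchResult.Updates)
    $winupdate = 0
} catch {
    Write-Host "Could not query pending updates: $($_.Exception.Message)" -ForegroundColor Yellow
}

if ($winupdate -ne 3) {
    $importantUpdates = @($pendingUpdates | Where-Object {
        $classifications = @($_.Categories | ForEach-Object { $_.CategoryID })
        $bySeverity = $_.MsrcSeverity -in @('Critical', 'Important')
        $byClass = @($classifications | Where-Object { $importantClassifications -contains $_ }).Count -gt 0
        $bySeverity -or $byClass
    })
    # Compare by UpdateID rather than by COM object reference
    $importantIds = @($importantUpdates | ForEach-Object { $_.Identity.UpdateID })
    $otherUpdates = @($pendingUpdates | Where-Object { $importantIds -notcontains $_.Identity.UpdateID })
    $systemUpToDate = $importantUpdates.Count -eq 0

    if ($systemUpToDate) {
        Write-Host "System is up-to-date." -ForegroundColor Green
        $winupdate = 0
    } else {
        Write-Host "System is not up-to-date." -ForegroundColor Red
        $winupdate = 2
    }

    Write-Host ""

    if ($importantUpdates.Count -gt 0) {
        Write-Host "Pending Important Updates:" -ForegroundColor Red
        foreach ($update in $importantUpdates) {
            Write-Host "- $($update.Title)" -ForegroundColor Red
        }
    }

    if ($otherUpdates.Count -gt 0) {
        Write-Host "Pending Other Updates:" -ForegroundColor Magenta
        # Other updates only lower the verdict to "maybe"; they must not mask a pending important
        # one (the old code overwrote the red 2 with 1 here).
        if ($winupdate -eq 0) { $winupdate = 1 }
        foreach ($update in $otherUpdates) {
            Write-Host "- $($update.Title)" -ForegroundColor Magenta
        }
    }

    if ($systemUpToDate -and $otherUpdates.Count -eq 0) {
        Write-Host "No pending updates." -ForegroundColor Green
        $winupdate = 0
    }
}

# Installed Software Checks - inventory from the three Uninstall hives (64-bit, 32-bit, per-user)
Write-Host ""
Write-Host "###################################"
Write-Host "# Now checking installed Software #"
Write-Host "###################################"
Write-Host "References: " -ForegroundColor DarkGray
Write-Host ""

$uninstallKeys = @(
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
)
$InstalledSoftware = foreach ($uninstallKey in $uninstallKeys) {
    Get-ChildItem -Path $uninstallKey -ErrorAction SilentlyContinue |
        Get-ItemProperty -ErrorAction SilentlyContinue |
        Select-Object DisplayName, DisplayVersion, @{n='InstallDate'; e={
            # InstallDate is a free-form string (usually yyyyMMdd, sometimes empty or another
            # format); the old ParseExact threw an error per entry that did not match.
            $parsed = [datetime]::MinValue
            if ([datetime]::TryParseExact([string]$_.InstallDate, 'yyyyMMdd', [cultureinfo]::InvariantCulture, [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
                $parsed.ToString('dd-MM-yyyy')
            } else {
                $_.InstallDate
            }
        }}
}
$InstalledSoftware | Sort-Object DisplayName | Format-Table -AutoSize


# RDP Checks
Write-Host ""
Write-Host "##########################"
Write-Host "# Now checking RDP stuff #"
Write-Host "##########################"
Write-Host "References: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SECURITY_LAYER_POLICY" -ForegroundColor DarkGray
Write-Host "References: https://viperone.gitbook.io/pentest-everything/everything/everything-active-directory/adversary-in-the-middle/rdp-mitm" -ForegroundColor DarkGray
Write-Host "References: https://www.tenable.com/plugins/nessus/18405" -ForegroundColor DarkGray
Write-Host ""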
1231 | 1232 | # Check if RDP is enabled 1233 | $rdpEnabled = Get-CimInstance -Namespace "root/CIMv2/TerminalServices" -ClassName "Win32_TerminalServiceSetting" | Select-Object -ExpandProperty AllowTSConnections 1234 | if ($rdpEnabled -eq 1) { 1235 | Write-Host "Remote Desktop is enabled." -ForegroundColor Magenta 1236 | $rdp_enabled = 1 1237 | } else { 1238 | Write-Host "Remote Desktop is disabled." -ForegroundColor Green 1239 | $rdp_enabled = 0 1240 | } 1241 | 1242 | # Check Security Settings for RDP 1243 | $regPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" 1244 | $securityLayer = (Get-ItemProperty -Path $regPath -Name "SecurityLayer").SecurityLayer 1245 | switch ($securityLayer) { 1246 | 0 { 1247 | Write-Host "RDP Security Layer: Disabled" -ForegroundColor Red 1248 | $rdp_sec = 2 1249 | break 1250 | } 1251 | 1 { 1252 | Write-Host "RDP Security Layer: Negotiate" -ForegroundColor Magenta 1253 | $rdp_sec = 1 1254 | break 1255 | } 1256 | 2 { 1257 | Write-Host "RDP Security Layer: SSL" -ForegroundColor Green 1258 | $rdp_sec = 0 1259 | break 1260 | } 1261 | default { 1262 | Write-Host "RDP Security Layer: Unknown" -ForegroundColor Yellow 1263 | $rdp_sec = 3 1264 | break 1265 | } 1266 | } 1267 | 1268 | # Check local NLA enforcement 1269 | $regKeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' 1270 | $regValueName = 'UserAuthentication' 1271 | 1272 | $userAuthentication = (Get-ItemProperty -Path $regKeyPath -Name $regValueName).$regValueName 1273 | 1274 | if ($userAuthentication -eq 1) { 1275 | Write-Host "NLA (Network Level Authentication) is enforced." -ForegroundColor Green 1276 | $rdp_nla = 0 1277 | } else { 1278 | Write-Host "NLA (Network Level Authentication) is not enforced." 
-ForegroundColor Red 1279 | $rdp_nla = 2 1280 | } 1281 | 1282 | # WinRM Checks 1283 | Write-host "" 1284 | Write-host "############################" 1285 | Write-host "# Now checking WinRM stuff #" 1286 | Write-host "############################" 1287 | Write-host "References: https://learn.microsoft.com/en-us/powershell/scripting/learn/remoting/winrmsecurity?view=powershell-7.3" -ForegroundColor DarkGray 1288 | Write-host "" 1289 | 1290 | # Check if WinRM service is running 1291 | $winrmService = Get-Service -Name "winrm" 1292 | 1293 | if ($winrmService.Status -eq "Running") { 1294 | Write-Host "WinRM service is running." -ForegroundColor Magenta 1295 | $winrm = 1 1296 | 1297 | # Retrieve WinRM configuration 1298 | $winrmSettings = winrm get winrm/config 1299 | 1300 | # Display the security settings 1301 | Write-Host "WinRM Security Settings:" -ForegroundColor Magenta 1302 | $winrmSettings 1303 | } 1304 | else { 1305 | Write-Host "WinRM service is not running." -ForegroundColor Green 1306 | $winrm = 0 1307 | } 1308 | 1309 | # PrintNightmare Checks 1310 | Write-host "" 1311 | Write-host "#####################################" 1312 | Write-host "# Now checking PrintNightmare stuff #" 1313 | Write-host "#####################################" 1314 | Write-host "References: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::RestrictDriverInstallationToAdministrators" -ForegroundColor DarkGray 1315 | Write-host "References: https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.Printing::PointAndPrint_Restrictions" -ForegroundColor DarkGray 1316 | Write-host "References: https://support.microsoft.com/en-gb/topic/kb5005652-manage-new-point-and-print-default-driver-installation-behavior-cve-2021-34481-873642bf-2634-49c5-a23b-6d8e9a302872" -ForegroundColor DarkGray 1317 | Write-host "References: https://itm4n.github.io/printnightmare-exploitation/" -ForegroundColor DarkGray 1318 | Write-host "" 1319 | 1320 | # Check if normal 
users can install package aware printer drivers 1321 | try { 1322 | $value = Get-ItemPropertyvalue -Path "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "RestrictDriverInstallationToAdministrators" -ErrorAction Stop 1323 | 1324 | if ($value -eq 1) { 1325 | Write-Host "Only Admins can install package aware printer drivers." -ForegroundColor Green 1326 | $printnightmare_pa = 0 1327 | } 1328 | elseif ($value -eq 0) { 1329 | Write-Host "Normal users can install package aware printer drivers." -ForegroundColor Red 1330 | $printnightmare_pa = 2 1331 | } 1332 | else { 1333 | Write-Host "Install package aware printer driver as lowpriv user: regkey doesn't exist - hence disabled" -ForegroundColor Green 1334 | $printnightmare_pa = 0 1335 | } 1336 | } 1337 | catch { 1338 | Write-Host "Install package aware printer driver as lowpriv user: regkey doesn't exist - hence disabled" -ForegroundColor Green 1339 | $printnightmare_pa = 0 1340 | } 1341 | 1342 | # Check if normal users can install non package aware printer drivers 1343 | # Drivers for new connections 1344 | try { 1345 | $value = Get-ItemPropertyvalue -Path "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "NoWarningNoElevationOnInstall" -ErrorAction Stop 1346 | 1347 | if ($value -eq 0) { 1348 | Write-Host "Only Admins can install non package aware printer drivers for new connections." -ForegroundColor Green 1349 | $printnightmare_npa_new = 0 1350 | } 1351 | elseif ($value -eq 1) { 1352 | Write-Host "Normal users can install non package aware printer drivers for new connections." 
-ForegroundColor Red 1353 | $printnightmare_npa_new = 2 1354 | } 1355 | else { 1356 | Write-Host "Install non package aware printer driver as lowpriv user for new connections: regkey doesn't exist - hence disabled" -ForegroundColor Green 1357 | $printnightmare_npa_new = 0 1358 | } 1359 | } 1360 | catch { 1361 | Write-Host "Install non package aware printer driver as lowpriv user for new connections: regkey doesn't exist - hence disabled" -ForegroundColor Green 1362 | $printnightmare_npa_new = 0 1363 | } 1364 | 1365 | # Drivers for updated connections 1366 | try { 1367 | $value = Get-ItemPropertyvalue -Path "HKLM:\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrint" -Name "UpdatePromptSettings" -ErrorAction Stop 1368 | 1369 | if ($value -eq 0) { 1370 | Write-Host "Only Admins can install non package aware printer drivers for updated connections." -ForegroundColor Green 1371 | $printnightmare_npa_upd = 0 1372 | } 1373 | elseif ($value -eq 1) { 1374 | Write-Host "Normal users can install non package aware printer drivers for updated connections." -ForegroundColor Red 1375 | $printnightmare_npa_upd = 2 1376 | } 1377 | elseif ($value -eq 2) { 1378 | Write-Host "Normal users can install non package aware printer drivers for updated connections." 
-ForegroundColor Red 1379 | $printnightmare_npa_upd = 2 1380 | } 1381 | else { 1382 | Write-Host "Install non package aware printer driver as lowpriv user for updated connections: regkey doesn't exist - hence disabled" -ForegroundColor Green 1383 | $printnightmare_npa_upd = 0 1384 | } 1385 | } 1386 | catch { 1387 | Write-Host "Install non package aware printer driver as lowpriv user for updated connections: regkey doesn't exist - hence disabled" -ForegroundColor Green 1388 | $printnightmare_npa_upd = 0 1389 | } 1390 | 1391 | # Recall / AI Checks 1392 | Write-host "" 1393 | Write-host "#############################" 1394 | Write-host "# Now checking Recall stuff #" 1395 | Write-host "#############################" 1396 | Write-host "References: https://support.microsoft.com/en-us/windows/privacy-and-control-over-your-recall-experience-d404f672-7647-41e5-886c-a3c59680af15" -ForegroundColor DarkGray 1397 | Write-host "References: https://learn.microsoft.com/da-dk/windows/client-management/mdm/policy-csp-windowsai" -ForegroundColor DarkGray 1398 | Write-host "References: https://github.com/xaitax/TotalRecall" -ForegroundColor DarkGray 1399 | Write-host "" 1400 | 1401 | # Check all user folders 1402 | $results_basefolder = @() 1403 | $results_database = @() 1404 | $results_imagefolder = @() 1405 | $usersPath = "C:\Users" 1406 | $users = Get-ChildItem -Path $usersPath -Directory 1407 | 1408 | # Iterate over all user folders and check if the Recall folder, the subfolders for images or the database file exist 1409 | foreach ($user in $users) { 1410 | $username = $user.Name 1411 | $basePath = "C:\Users\$username\AppData\Local\CoreAIPlatform.00\UKP" 1412 | 1413 | if (-Not (Test-Path -Path $basePath)) { 1414 | Write-Host "No Recall data found for user: $username" -ForegroundColor Green 1415 | $results_basefolder += 0 1416 | continue 1417 | } 1418 | 1419 | $guidFolders = Get-ChildItem -Path $basePath -Directory 1420 | foreach ($guidFolder in $guidFolders) { 1421 | 
$guidFolderPath = $guidFolder.FullName 1422 | $dbPath = Join-Path -Path $guidFolderPath -ChildPath "ukg.db" 1423 | $imageStorePath = Join-Path -Path $guidFolderPath -ChildPath "ImageStore" 1424 | 1425 | if (Test-Path -Path $dbPath) { 1426 | Write-Host "Recall database file 'ukg.db' found at $dbPath for user: $username" -ForegroundColor Red 1427 | $results_database += 2 1428 | } 1429 | 1430 | if (Test-Path -Path $imageStorePath) { 1431 | $imageStoreFiles = Get-ChildItem -Path $imageStorePath 1432 | if ($imageStoreFiles) { 1433 | Write-Host "Recall folder 'ImageStore' with data found at $imageStorePath for user: $username" -ForegroundColor red 1434 | $results_imagefolder += 2 1435 | } 1436 | } 1437 | } 1438 | } 1439 | 1440 | # Evaluate the results 1441 | $recall_basefolder = if ($results_basefolder -contains 2) { 2 } elseif ($results_basefolder -contains 1) { 1 } else { 0 } 1442 | $recall_database = if ($results_database -contains 2) { 2 } elseif ($results_database -contains 1) { 1 } else { 0 } 1443 | $recall_imagefolder = if ($results_imagefolder -contains 2) { 2 } elseif ($results_imagefolder -contains 1) { 1 } else { 0 } 1444 | 1445 | # Check the registry settings for current user 1446 | $currentSID = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value 1447 | $userRegKeyPath = "Registry::HKEY_USERS\$currentSID\Software\Policies\Microsoft\Windows\WindowsAI" 1448 | $userRegValue = "DisableAIDataAnalysis" 1449 | $userRegValueData = Get-ItemPropertyValue -Path $userRegKeyPath -Name $userRegValue -ErrorAction SilentlyContinue 1450 | if ($userRegValueData -eq 1) { 1451 | Write-Host "Registry key 'DisableAIDataAnalysis' is set for current user" -ForegroundColor Green 1452 | $recall_regkey_user = 0 1453 | } 1454 | else { 1455 | Write-Host "The registry key to disable Recall for the current user is NOT set!!!" -ForegroundColor Red 1456 | $recall_regkey_user = 2 1457 | } 1458 | 1459 | # Check registry key for local machine. 
Currently NOT supported by Microsoft!!!! Only treated as maybe finding 1460 | $machineRegKeyPath = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsAI" 1461 | $machineRegValue = "DisableAIDataAnalysis" 1462 | $machineRegKey = Get-ItemProperty -Path $machineRegKeyPath -ErrorAction SilentlyContinue 1463 | 1464 | if ($machineRegKey -and ($machineRegKey.$machineRegValue -eq 1)) { 1465 | Write-Host "Registry key 'DisableAIDataAnalysis' is set for the machine" -ForegroundColor Green 1466 | $recall_regkey_machine = 0 1467 | } 1468 | else { 1469 | Write-Host "The registry key to disable Recall system wide is NOT set!!!" -ForegroundColor Magenta 1470 | $recall_regkey_machine = 1 1471 | } 1472 | 1473 | # Autologon Checks 1474 | Write-host "" 1475 | Write-host "###############################" 1476 | Write-host "# Now checking Autologn stuff #" 1477 | Write-host "###############################" 1478 | Write-host "References: https://learn.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon" -ForegroundColor DarkGray 1479 | Write-host "" 1480 | 1481 | # Check registry entry for status 1482 | try { 1483 | $value = Get-ItemPropertyvalue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "AutoAdminLogon" -ErrorAction Stop 1484 | 1485 | if ($value -eq 0) { 1486 | Write-Host "Auto logon is disabled. You should still check for DefaultUserName and DefaultPassword" -ForegroundColor Magenta 1487 | $autologon = 1 1488 | } 1489 | elseif ($value -eq 1) { 1490 | Write-Host "Autologon enabled. 
You should check DefaultUserName and DefaultPassword" -ForegroundColor Red 1491 | $autologon = 2 1492 | } 1493 | else { 1494 | Write-Host "Autologon: regkey doesn't exist - hence disabled" -ForegroundColor Green 1495 | $autologon = 0 1496 | } 1497 | } 1498 | catch { 1499 | Write-Host "Autologon: regkey doesn't exist - hence disabled" -ForegroundColor Green 1500 | $autologon = 0 1501 | } 1502 | 1503 | # Check registry entry for username 1504 | try { 1505 | $value = Get-ItemPropertyvalue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultUserName" -ErrorAction Stop 1506 | 1507 | if ([string]::IsNullOrEmpty($value)) { 1508 | Write-Host "Autologon Username not present." -ForegroundColor Green 1509 | $autologonuser = 0 1510 | } 1511 | else { 1512 | Write-Host "Autologon Username: "$value -ForegroundColor Red 1513 | $autologonuser = 2 1514 | } 1515 | } 1516 | catch { 1517 | Write-Host "Autologon username: regkey doesn't exist" -ForegroundColor Green 1518 | $autologonuser = 0 1519 | } 1520 | 1521 | # Check registry entry for password 1522 | try { 1523 | $value = Get-ItemPropertyvalue -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "DefaultPassword" -ErrorAction Stop 1524 | 1525 | if ([string]::IsNullOrEmpty($value)) { 1526 | Write-Host "Autologon Password not present." 
-ForegroundColor Green 1527 | $autologonpassword = 0 1528 | } 1529 | else { 1530 | Write-Host "Autologon Password: "$value -ForegroundColor Red 1531 | $autologonpassword = 2 1532 | } 1533 | } 1534 | catch { 1535 | Write-Host "Autologon Password: regkey doesn't exist" -ForegroundColor Green 1536 | $autologonpassword = 0 1537 | } 1538 | 1539 | # Summary 1540 | Write-host "" 1541 | Write-host "###########" -ForegroundColor DarkCyan 1542 | Write-host "# Summary #" -ForegroundColor DarkCyan 1543 | Write-host "###########" -ForegroundColor DarkCyan 1544 | Write-host "" 1545 | 1546 | if ($elevated -eq $true) { 1547 | Add-Result "Ran as Admin" "-" "OK" 1548 | } 1549 | else { 1550 | Add-Result "Ran as Admin" "-" "BAD" 1551 | } 1552 | 1553 | switch ($pwpolicy_complexity){ 1554 | 0 {Add-Result "Password Policy" "Password complexity" "OK"} 1555 | 2 {Add-Result "Password Policy" "Password complexity" "BAD"} 1556 | } 1557 | switch ($pwpolicy_lockoutduration){ 1558 | 0 {Add-Result "Password Policy" "Lockout duration" "OK"} 1559 | 2 {Add-Result "Password Policy" "Lockout duration" "BAD"} 1560 | } 1561 | switch ($pwpolicy_lockoutthreshold){ 1562 | 0 {Add-Result "Password Policy" "Lockout threshold" "OK"} 1563 | 1 {Add-Result "Password Policy" "Lockout threshold" "MAYBE"} 1564 | 2 {Add-Result "Password Policy" "Lockout threshold" "BAD"} 1565 | } 1566 | switch ($pwpolicy_pwlength){ 1567 | 0 {Add-Result "Password Policy" "Password length" "OK"} 1568 | 2 {Add-Result "Password Policy" "Password length" "BAD"} 1569 | } 1570 | switch ($pwpolicy_revenc){ 1571 | 0 {Add-Result "Password Policy" "Reverse encryption" "OK"} 1572 | 1 {Add-Result "Password Policy" "Reverse encryption" "MAYBE"} 1573 | 2 {Add-Result "Password Policy" "Reverse encryption" "BAD"} 1574 | } 1575 | switch ($pwpolicy_error){ 1576 | 0 {} 1577 | 1 {Add-Result "Password Policy" "-" "Error"} 1578 | } 1579 | 1580 | switch ($RunAsPPL){ 1581 | 0 {Add-Result "RunAsPPL" "-" "OK"} 1582 | 1 {Add-Result "RunAsPPL" "-" "MAYBE"} 1583 
| 2 {Add-Result "RunAsPPL" "-" "BAD"} 1584 | } 1585 | 1586 | switch ($wdac_usercodeintegrity){ 1587 | 0 {Add-result "WDAC" "User Mode Code Integrity Policy Enforcement" "OK"} 1588 | 1 {Add-result "WDAC" "User Mode Code Integrity Policy Enforcement" "MAYBE"} 1589 | 2 {Add-result "WDAC" "User Mode Code Integrity Policy Enforcement" "BAD"} 1590 | } 1591 | switch ($wdac_codeintegrity){ 1592 | 0 {Add-result "WDAC" "Code Integrity Policy Enforcement" "OK"} 1593 | 1 {Add-result "WDAC" "Code Integrity Policy Enforcement" "MAYBE"} 1594 | 2 {Add-result "WDAC" "Code Integrity Policy Enforcement" "BAD"} 1595 | } 1596 | 1597 | switch ($applocker){ 1598 | 0 {Add-Result "Applocker" "-" "OK"} 1599 | 2 {Add-Result "Applocker" "-" "BAD"} 1600 | } 1601 | 1602 | switch ($uac){ 1603 | 0 {Add-Result "UAC" "-" "OK"} 1604 | 2 {Add-Result "UAC" "-" "BAD"} 1605 | } 1606 | switch ($guestacc){ 1607 | 0 {Add-Result "Guest Account" "-" "OK"} 1608 | 1 {Add-Result "Guest Account" "-" "MAYBE"} 1609 | 2 {Add-Result "Guest Account" "-" "BAD"} 1610 | 3 {Add-Result "Guest Account" "-" "Error"} 1611 | } 1612 | 1613 | switch ($stregedit){ 1614 | 0 {Add-result "System Tools" "regedit" "OK"} 1615 | 2 {Add-result "System Tools" "regedit" "BAD"} 1616 | 3 {Add-result "System Tools" "regedit" "Error"} 1617 | } 1618 | 1619 | switch ($stcmd){ 1620 | 0 {Add-result "System Tools" "cmd" "OK"} 1621 | 2 {Add-result "System Tools" "cmd" "BAD"} 1622 | 3 {Add-result "System Tools" "cmd" "Error"} 1623 | } 1624 | 1625 | switch ($stpowershell){ 1626 | 0 {Add-result "System Tools" "PowerShell" "OK"} 1627 | 2 {Add-result "System Tools" "PowerShell" "BAD"} 1628 | 3 {Add-result "System Tools" "PowerShell" "Error"} 1629 | } 1630 | 1631 | switch ($aie){ 1632 | 0 {Add-Result "Always Install Elevated" "-" "OK"} 1633 | 2 {Add-Result "Always Install Elevated" "-" "BAD"} 1634 | } 1635 | 1636 | switch ($credguard){ 1637 | 0 {Add-Result "Credential Guard" "-" "OK"} 1638 | 2 {Add-Result "Credential Guard" "-" "BAD"} 1639 | } 1640 | 
1641 | switch ($coinstaller){ 1642 | 0 {Add-Result "Co-installer" "-" "OK"} 1643 | 2 {Add-Result "Co-installer" "-" "BAD"} 1644 | } 1645 | 1646 | switch ($dma_access){ 1647 | 0 {Add-Result "DMA" "Status" "OK"} 1648 | 1 {Add-Result "DMA" "Status" "MAYBE"} 1649 | 2 {Add-Result "DMA" "Status" "BAD"} 1650 | } 1651 | switch ($dma_vbs){ 1652 | 0 {Add-Result "DMA" "VBS" "OK"} 1653 | 1 {Add-Result "DMA" "VBS" "MAYBE"} 1654 | 2 {Add-Result "DMA" "VBS" "BAD"} 1655 | } 1656 | switch ($dma_heci){ 1657 | 0 {Add-Result "DMA" "HECI" "OK"} 1658 | 1 {Add-Result "DMA" "HECI" "MAYBE"} 1659 | 2 {Add-Result "DMA" "HECI" "BAD"} 1660 | } 1661 | switch ($dma_heci_locked){ 1662 | 0 {Add-Result "DMA" "HECI Lock" "OK"} 1663 | 1 {Add-Result "DMA" "HECI Lock" "MAYBE"} 1664 | 2 {Add-Result "DMA" "HECI Lock" "BAD"} 1665 | } 1666 | 1667 | if ($bl_redCount -gt 0) { 1668 | Add-Result "Bitlocker" "-" "BAD" -ForegroundColor Red 1669 | } 1670 | elseif ($bl_yellowCount -gt 0) { 1671 | Add-Result "Bitlocker" "-" "Error" 1672 | } 1673 | elseif ($bl_magentaCount -gt 0) { 1674 | Add-Result "Bitlocker" "-" "MAYBE" 1675 | } 1676 | elseif ($bl_greenCount -gt 0) { 1677 | Add-Result "Bitlocker" "-" "OK" 1678 | } 1679 | 1680 | switch ($secureboot){ 1681 | 0 {Add-Result "Secure Boot" "-" "OK"} 1682 | 2 {Add-Result "Secure Boot" "-" "BAD"} 1683 | 3 {Add-Result "Secure Boot" "-" "Error"} 1684 | } 1685 | 1686 | if ($spa_redCount -gt 0) { 1687 | Add-result "System Path ACLs" "-" "BAD" 1688 | } 1689 | elseif ($spa_greenCount -gt 0) { 1690 | Add-result "System Path ACLs" "-" "OK" 1691 | } 1692 | 1693 | if ($uqsp_redcount -gt 0) { 1694 | Add-Result "Unquoted Service Paths" "-" "BAD" 1695 | } 1696 | else { 1697 | Add-Result "Unquoted Service Paths" "-" "OK" 1698 | } 1699 | 1700 | switch ($wsus){ 1701 | 0 {Add-Result "WSUS" "-" "OK"} 1702 | 2 {Add-Result "WSUS" "-" "RED"} 1703 | 3 {Add-Result "WSUS" "-" "Error"} 1704 | } 1705 | 1706 | switch ($ps_v2){ 1707 | 0 {Add-Result "PowerShell" "V2" "OK"} 1708 | 2 {Add-Result 
"PowerShell" "V2" "BAD"} 1709 | } 1710 | switch ($ps_ep){ 1711 | 0 {Add-Result "PowerShell" "Executiuon Policy" "OK"} 1712 | 1 {Add-Result "PowerShell" "Executiuon Policy" "MAYBE"} 1713 | 2 {Add-Result "PowerShell" "Executiuon Policy" "BAD"} 1714 | } 1715 | switch ($ps_lm){ 1716 | 0 {Add-Result "PowerShell" "Language Mode" "OK"} 1717 | 2 {Add-Result "PowerShell" "Language Mode" "BAD"} 1718 | } 1719 | 1720 | switch ($ipv6){ 1721 | 0 {Add-Result "IPv6" "-" "OK"} 1722 | 2 {Add-Result "IPv6" "-" "BAD"} 1723 | } 1724 | 1725 | switch ($llmnr){ 1726 | 0 {Add-Result "LLMNR" "-" "OK"} 1727 | 2 {Add-Result "LLMNR" "-" "BAD"} 1728 | } 1729 | 1730 | switch ($mdns){ 1731 | 0 {Add-Result "mDNS" "-" "OK"} 1732 | 2 {Add-Result "mDNS" "-" "BAD"} 1733 | } 1734 | 1735 | switch ($netbios){ 1736 | 0 {Add-Result "NetBIOS" "-" "OK"} 1737 | 2 {Add-Result "NetBIOS" "-" "BAD"} 1738 | } 1739 | 1740 | switch ($smb_v1){ 1741 | 0 {Add-Result "SMB" "V1" "OK"} 1742 | 2 {Add-Result "SMB" "V1" "BAD"} 1743 | } 1744 | switch ($smb_sig){ 1745 | 0 {Add-Result "SMB" "Signing" "OK"} 1746 | 2 {Add-Result "SMB" "Signing" "BAD"} 1747 | } 1748 | 1749 | switch ($secureboot){ 1750 | 0 {Add-Result "Secure Boot" "-" "OK"} 1751 | 1 {Add-Result "Secure Boot" "-" "MAYBE"} 1752 | 2 {Add-Result "Secure Boot" "-" "BAD"} 1753 | 3 {Add-Result "Secure Boot" "-" "Error"} 1754 | } 1755 | 1756 | switch ($av_on){ 1757 | 0 {Add-Result "AV" "Status" "OK"} 1758 | 1 {Add-Result "AV" "Status" "MAYBE"} 1759 | 2 {Add-Result "AV" "Status" "BAD"} 1760 | } 1761 | switch ($av_utd){ 1762 | 0 {Add-Result "AV" "Pattern" "OK"} 1763 | 2 {Add-Result "AV" "Pattern" "BAD"} 1764 | } 1765 | 1766 | switch ($proxy_enabled){ 1767 | 1 {Add-Result "Proxy" "Status" "MAYBE"} 1768 | 2 {Add-Result "Proxy" "Status" "BAD"} 1769 | } 1770 | switch ($proxy_autoconfig){ 1771 | 1 {Add-Result "Proxy" "Autoconfig" "MAYBE"} 1772 | 2 {Add-Result "Proxy" "Autoconfig" "BAD"} 1773 | } 1774 | 1775 | switch ($winupdate){ 1776 | 0 {Add-Result "Windows Updates" "-" "OK"} 
1777 | 1 {Add-Result "Windows Updates" "-" "MAYBE"} 1778 | 2 {Add-Result "Windows Updates" "-" "BAD"} 1779 | } 1780 | 1781 | switch ($rdp_enabled){ 1782 | 0 {Add-Result "RDP" "Status" "OK"} 1783 | 1 {Add-Result "RDP" "Status" "MAYBE"} 1784 | } 1785 | switch ($rdp_sec){ 1786 | 0 {Add-Result "RDP" "Security Layer" "OK"} 1787 | 1 {Add-Result "RDP" "Security Layer" "MAYBE"} 1788 | 2 {Add-Result "RDP" "Security Layer" "BAD"} 1789 | 3 {Add-Result "RDP" "Security Layer" "Error"} 1790 | } 1791 | switch ($rdp_nla){ 1792 | 0 {Add-Result "RDP" "NLA" "OK"} 1793 | 2 {Add-Result "RDP" "NLA" "BAD"} 1794 | } 1795 | 1796 | switch ($winrm){ 1797 | 0 {Add-Result "WinRM" "Status" "OK"} 1798 | 1 {Add-Result "WinRM" "Status" "MAYBE"} 1799 | } 1800 | 1801 | switch ($printnightmare_pa){ 1802 | 0 {Add-Result "PrintNightmare" "Package Aware" "OK"} 1803 | 2 {Add-Result "PrintNightmare" "Package Aware" "BAD"} 1804 | } 1805 | 1806 | switch ($printnightmare_npa_new){ 1807 | 0 {Add-Result "PrintNightmare" "Non Package Aware New" "OK"} 1808 | 2 {Add-Result "PrintNightmare" "Non Package Aware New" "BAD"} 1809 | } 1810 | 1811 | switch ($printnightmare_npa_upd){ 1812 | 0 {Add-Result "PrintNightmare" "Non Package Aware Update" "OK"} 1813 | 2 {Add-Result "PrintNightmare" "Non Package Aware Update" "BAD"} 1814 | } 1815 | 1816 | switch ($recall_basefolder){ 1817 | 0 {Add-Result "Recall" "Data" "OK"} 1818 | 1 {Add-Result "Recall" "Data" "MAYBE"} 1819 | 2 {Add-Result "Recall" "Data" "BAD"} 1820 | 3 {Add-Result "Recall" "Data" "Error"} 1821 | } 1822 | 1823 | switch ($recall_database){ 1824 | 0 {Add-Result "Recall" "Database" "OK"} 1825 | 1 {Add-Result "Recall" "Database" "MAYBE"} 1826 | 2 {Add-Result "Recall" "Database" "BAD"} 1827 | 3 {Add-Result "Recall" "Database" "Error"} 1828 | } 1829 | 1830 | switch ($recall_imagefolder){ 1831 | 0 {Add-Result "Recall" "Images" "OK"} 1832 | 1 {Add-Result "Recall" "Images" "MAYBE"} 1833 | 2 {Add-Result "Recall" "Images" "BAD"} 1834 | 3 {Add-Result "Recall" "Images" 
"Error"} 1835 | } 1836 | 1837 | switch ($recall_regkey_user){ 1838 | 0 {Add-Result "Recall" "Registry_User" "OK"} 1839 | 1 {Add-Result "Recall" "Registry_User" "MAYBE"} 1840 | 2 {Add-Result "Recall" "Registry_User" "BAD"} 1841 | 3 {Add-Result "Recall" "Registry_User" "Error"} 1842 | } 1843 | 1844 | switch ($recall_regkey_machine){ 1845 | 0 {Add-Result "Recall" "Registry_Machine" "OK"} 1846 | 1 {Add-Result "Recall" "Registry_Machine" "MAYBE"} 1847 | 2 {Add-Result "Recall" "Registry_Machine" "BAD"} 1848 | 3 {Add-Result "Recall" "Registry_Machine" "Error"} 1849 | } 1850 | 1851 | switch ($autologon){ 1852 | 0 {Add-Result "Autologon" "-" "OK"} 1853 | 1 {Add-Result "Autologon" "-" "MAYBE"} 1854 | 2 {Add-Result "Autologon" "-" "BAD"} 1855 | 3 {Add-Result "Autologon" "-" "Error"} 1856 | } 1857 | 1858 | switch ($autologonuser){ 1859 | 0 {Add-Result "Autologon" "User" "OK"} 1860 | 1 {Add-Result "Autologon" "User" "MAYBE"} 1861 | 2 {Add-Result "Autologon" "User" "BAD"} 1862 | 3 {Add-Result "Autologon" "User" "Error"} 1863 | } 1864 | 1865 | switch ($autologon){ 1866 | 0 {Add-Result "Autologon" "Password" "OK"} 1867 | 1 {Add-Result "Autologon" "Password" "MAYBE"} 1868 | 2 {Add-Result "Autologon" "Password" "BAD"} 1869 | 3 {Add-Result "Autologon" "Password" "Error"} 1870 | } 1871 | 1872 | $results | Format-Table -AutoSize 1873 | 1874 | Write-host "" 1875 | Write-host "########################################################" -ForegroundColor DarkCyan 1876 | Write-host "# Thats it, all checks done. 
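Off to the report baby ^^ #" -ForegroundColor DarkCyan 1877 | Write-host "########################################################" -ForegroundColor DarkCyan 1878 | Write-host "" 1879 | } 1880 | 1881 |
# Function to add results to the custom object
function Add-Result($category, $subcategory, $result) {
    <#
    .SYNOPSIS
        Appends one row (Category / Subcategory / Result) to the summary table
        that Client-Checker prints at the very end with "$results | Format-Table".
    .PARAMETER category
        Check area, e.g. "Bitlocker" or "Recall".
    .PARAMETER subcategory
        Specific check inside the area, or "-" when the area has only one check.
    .PARAMETER result
        Verdict string as used throughout the summary: "OK", "MAYBE", "BAD" or "Error".
    .NOTES
        Deliberately kept a plain (non-advanced) function: at least one caller in
        the summary passes a stray "-ForegroundColor Red" after the three values.
        With [CmdletBinding()] that call would fail; as a plain function the extra
        tokens just land in $args and are ignored.

        The summary reads the unqualified $results, i.e. the variable in the scope
        the file was loaded into (dot-source, iex or Import-Module). Writing to
        $script:results targets that same scope in every case, whereas
        $global:results only lined up when the file was dot-sourced at the prompt
        (under Import-Module the module-scope $results would stay empty and the
        summary table would print nothing).
    #>
    $row = [PSCustomObject]@{
        Category    = $category
        Subcategory = $subcategory
        Result      = $result
    }

    # $results is expected to be initialised earlier in the file; be tolerant if
    # Add-Result is ever called before that, so "+=" always sees an array.
    if ($null -eq $script:results) {
        $script:results = @()
    }
    $script:results += $row
}
1890 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2023, LuemmelSec 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions are met: 7 | 8 | 1. Redistributions of source code must retain the above copyright notice, this 9 | list of conditions and the following disclaimer. 10 | 11 | 2. Redistributions in binary form must reproduce the above copyright notice, 12 | this list of conditions and the following disclaimer in the documentation 13 | and/or other materials provided with the distribution. 14 | 15 | 3. Neither the name of the copyright holder nor the names of its 16 | contributors may be used to endorse or promote products derived from 17 | this software without specific prior written permission. 18 | 19 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 20 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 22 | DISCLAIMED. 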
IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 23 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 25 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 26 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 27 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 28 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Overview 2 | This is a PowerShell script to automate client pentests / checkups - at least to a certain extent. 3 | You can use it together with my PwnDoc vulns to further get rid of unnecessary work -> https://github.com/LuemmelSec/PwnDoc-Vulns 4 | 5 | # How 6 | ![image](https://github.com/LuemmelSec/Client-Checker/assets/58529760/5324bf2e-efc8-47d2-87f1-cecc5a8b7f3a) 7 | 8 | 9 | If possible run as Admin, otherwise some checks might / will fail. 10 | 11 | ``` 12 | . .\Client-Checker.ps1 13 | ``` 14 | or 15 | ``` 16 | import-module .\Client-Checker.ps1 17 | ``` 18 | or 19 | ``` 20 | iex(new-object net.webclient).downloadstring("https://raw.githubusercontent.com/LuemmelSec/Client-Checker/main/Client-Checker.ps1") 21 | ``` 22 | then just 23 | ``` 24 | Client-Checker 25 | ``` 26 | 27 | # What does it do 28 | You should run it as admin, as certain stuff can only be queried with elevated rights. 29 | It is used to check a client for common misconfigurations. 
The list currently includes: 30 | - Default Domain Password Policy 31 | - LSA Protection Settings 32 | - WDAC Usage 33 | - AppLocker Usage 34 | - Credential Guard Settings 35 | - Co-installer Settings 36 | - DMA Protection Settings 37 | - BitLocker Settings 38 | - Secure Boot Settings 39 | - System PATH ACL checks 40 | - Unquoted Service Path checks 41 | - Always Install Elevated checks 42 | - UAC checks 43 | - Guest Account checks 44 | - System Tool access as low priv user checks 45 | - WSUS Settings 46 | - PowerShell Settings 47 | - IPv6 Settings 48 | - NetBIOS / LLMNR / mDNS Settings 49 | - SMB Server Settings 50 | - Firewall Settings 51 | - AV Settings 52 | - Proxy Settings 53 | - Windows Updates 54 | - 3rd Party Installations 55 | - RDP Settings 56 | - WinRM Settings 57 | - PrintNightmare checks 58 | - Recall checks 59 | - Autologon checks 60 | 61 | # The looks 62 | You will get a detailed section which is generated on the fly, with a category, what the script found, as well as links to resources for more detail, abuse paths and remediations. 63 | ![image](https://github.com/LuemmelSec/Client-Checker/assets/58529760/b65e34d6-38d2-4274-a402-84a5b20c584d) 64 | 65 | 66 | At the very end you will get a tabular overview that lets you quickly see the outcome of all checks performed. 67 | ![image](https://github.com/LuemmelSec/Client-Checker/assets/58529760/7bc04ff0-acb0-4277-b249-d175ca61b66c) 68 | 69 | --------------------------------------------------------------------------------