
Enumerating Security Controls

Tags: OPSEC, Authenticated

Identify

Windows Defender

Get-MpComputerStatus

If RealTimeProtectionEnabled is True in the output, Defender real-time protection is enabled on the host.

AppLocker

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
Tip: Organizations often block the powershell.exe executable, but forget about the other PowerShell executable locations such as %SystemRoot%\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (the 32-bit host) or PowerShell_ISE.exe.

PowerShell Constrained Language Mode

Constrained Language Mode restricts many useful PowerShell features (arbitrary .NET type access, Add-Type, COM objects, and so on). Check the current session's mode with:

$ExecutionContext.SessionState.LanguageMode
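The three host checks above (Defender status, effective AppLocker rules, language mode) collected into one audit script. This is an added example, not code from the original page; the function names are mine, it assumes the Defender and AppLocker modules are available on the host, and it also tests whether the effective AppLocker policy covers the alternate PowerShell hosts named in the tip, so a defender can confirm the policy blocks what it is meant to block.

```powershell
# Added audit script (not from the original page): summarise the host controls a
# pentester enumerates here, from the defender's side, so gaps are visible.
# Assumes Windows 10/11 or Server 2016+ with the Defender and AppLocker modules.

function Get-DefenderSummary {
    # Get-MpComputerStatus exposes the engine state; RealTimeProtectionEnabled is the
    # property the page's "Identify" step keys on.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        AMServiceEnabled          = $s.AMServiceEnabled
        IsTamperProtected         = $s.IsTamperProtected
        SignatureAgeDays          = $s.AntivirusSignatureAge
    }
}

function Get-AppLockerSummary {
    # One row per rule collection (Exe, Script, Msi, Dll, Appx) with its enforcement mode.
    # "AuditOnly" means violations are logged but nothing is blocked.
    $policy = Get-AppLockerPolicy -Effective
    if (-not $policy -or $policy.RuleCollections.Count -eq 0) {
        return [pscustomobject]@{ Collection = '(none)'; EnforcementMode = 'NotConfigured'; RuleCount = 0 }
    }
    foreach ($rc in $policy.RuleCollections) {
        [pscustomobject]@{
            Collection      = $rc.RuleCollectionType
            EnforcementMode = $rc.EnforcementMode
            RuleCount       = $rc.Count
        }
    }
}

# The hosts the tip above warns about: blocking only the 64-bit powershell.exe leaves these open.
$script:PowerShellHosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell_ise.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
)

function Test-PowerShellHostCoverage {
    param([string]$User = "$env:USERDOMAIN\$env:USERNAME")
    $existing = $script:PowerShellHosts | Where-Object { Test-Path $_ }
    $policy   = Get-AppLockerPolicy -Effective
    # Test-AppLockerPolicy reports the decision the effective policy would reach for each
    # path and user. Read it together with the Exe collection's EnforcementMode: a
    # "Denied" result under AuditOnly is not actually enforced.
    Test-AppLockerPolicy -PolicyObject $policy -Path $existing -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

function Get-LanguageModeSummary {
    [pscustomobject]@{
        LanguageMode = $ExecutionContext.SessionState.LanguageMode
        Constrained  = ($ExecutionContext.SessionState.LanguageMode -ne 'FullLanguage')
    }
}

# Run the audit
Get-DefenderSummary         | Format-List
Get-AppLockerSummary        | Format-Table -AutoSize
Test-PowerShellHostCoverage | Format-Table -AutoSize
Get-LanguageModeSummary     | Format-List
```

Note that Test-PowerShellHostCoverage evaluates the AppLocker policy only; it does not know about WDAC or other controls that may separately restrict these binaries, so treat an "Allowed" line as a prompt to check those, not as proof the host is open.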

LAPS

The functions below come from the LAPSToolkit PowerShell module on GitHub.

Finds the AD groups that have been delegated permission to read LAPS passwords:

Find-LAPSDelegatedGroups

Find-AdmPwdExtendedRights checks the rights on each OU containing LAPS-enabled computers for groups with read access and for users holding "All Extended Rights." Users with "All Extended Rights" can read LAPS passwords and may be less protected than the members of the delegated groups, so this is worth checking.

Find-AdmPwdExtendedRights

Find computers with LAPS enabled:

Get-LAPSComputers
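The same two questions the LAPS section asks (who can read LAPS passwords, and which computers have one stored) answered with the RSAT ActiveDirectory module instead of the toolkit, so an AD administrator can audit the delegation and compare the result with what they intended. This is an added example, not code from the original page or from LAPSToolkit; the function names are mine, and it assumes legacy LAPS (the ms-Mcs-AdmPwd attribute) and a domain user with the ActiveDirectory module installed.

```powershell
# Added audit script (not from the page or LAPSToolkit): list the principals able to read
# the legacy LAPS password attribute on each OU, and the computers that currently have one.
Import-Module ActiveDirectory

function Get-AdmPwdAttributeGuid {
    # ms-Mcs-AdmPwd gets its schemaIDGUID when the schema is extended, so it differs per
    # forest and must be looked up rather than hard-coded.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(name=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
    if (-not $attr) { throw 'ms-Mcs-AdmPwd is not in the schema: legacy LAPS is not deployed here' }
    [guid]$attr.schemaIDGUID
}

function Get-LapsPasswordReaders {
    # ms-Mcs-AdmPwd is a confidential attribute, so reading it needs the CONTROL_ACCESS
    # (ExtendedRight) bit on that attribute. Delegated groups get it scoped to the attribute
    # GUID; "All Extended Rights" is the same bit with the all-zero GUID, and GenericAll
    # covers it too. Those three cases are what this reports.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $pwdGuid = Get-AdmPwdAttributeGuid
    $allGuid = [guid]'00000000-0000-0000-0000-000000000000'
    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $hasControl = $ace.ActiveDirectoryRights -match 'ExtendedRight|GenericAll'
            $scopeMatch = ($ace.ObjectType -eq $pwdGuid) -or ($ace.ObjectType -eq $allGuid)
            if (-not ($hasControl -and $scopeMatch)) { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                Reason      = if ($ace.ObjectType -eq $pwdGuid) { 'Delegated read on ms-Mcs-AdmPwd' }
                              else { 'All Extended Rights / GenericAll' }
                IsInherited = $ace.IsInherited
            }
        }
    }
}

function Get-LapsComputerList {
    # A computer has LAPS in use when an expiration time is stored; convert the FILETIME
    # value so stale or never-rotated passwords stand out.
    Get-ADComputer -LDAPFilter '(ms-Mcs-AdmPwdExpirationTime=*)' -Properties ms-Mcs-AdmPwdExpirationTime |
        Select-Object Name, DNSHostName,
            @{ n = 'PasswordExpires'; e = { [datetime]::FromFileTimeUtc([int64]$_.'ms-Mcs-AdmPwdExpirationTime') } }
}

# Run the audit: review every non-delegated reader, and any computer whose password is past expiry.
Get-LapsPasswordReaders | Sort-Object OU, Principal | Format-Table -AutoSize
Get-LapsComputerList    | Sort-Object PasswordExpires | Format-Table -AutoSize
```

Inherited ACEs are included on purpose, because a grant at the domain root reaches every OU below it; filter on IsInherited if you only want rights set directly on each OU. Windows LAPS (the built-in replacement) stores its password under different attributes (msLAPS-Password and msLAPS-PasswordExpirationTime), so this script reports only the legacy AdmPwd deployment.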