
Situational Awareness

#Overview

Situational awareness is the critical second step after stabilizing your shell. Before running any exploitation tools, you must understand who you are, where you are, what defenses are in place, and what opportunities exist. This phase answers the question: "What is this machine, and what can I do from here?"

#Prerequisites

  • A shell on the target system (user or root)
  • Standard system utilities (almost always available)

#Detection & Enumeration

#Linux: Identity and System Info

```bash
# Who am I?
whoami                        # Current user
id                            # UID, GID, groups
groups                        # Group membership

# What OS?
uname -a                      # Kernel version, architecture
cat /etc/os-release           # Distro and version
cat /etc/issue                # Distribution banner
lsb_release -a                # Alternative distro info
hostname                      # Machine hostname
cat /proc/version             # Kernel and compiler info
```

#Linux: Network Enumeration

```bash
# Interfaces and addresses
ip a                          # Network interfaces and IPs
ifconfig                      # Legacy alternative
hostname -I                   # Just IP addresses

# Routing
route -n                      # Routing table
ip route                      # Modern routing
cat /etc/resolv.conf          # DNS servers
cat /etc/hosts                # Static hostname mappings

# Active connections
ss -tlnp                      # Listening TCP ports with process info
ss -tunp                      # All TCP/UDP connections
netstat -tunlp                # Legacy alternative
arp -a                        # ARP cache (other hosts on the network)

# Firewall
iptables -L -n                # IPv4 firewall rules
cat /etc/hosts.allow          # TCP wrappers allowed hosts
cat /etc/hosts.deny           # TCP wrappers denied hosts
```

#Linux: Process Enumeration

```bash
ps aux                        # All processes (BSD format)
ps auxf                       # Process tree view
ps aux | grep root            # Processes running as root
ls -la /proc/*/fd/            # File descriptors for all processes
top -n 1                      # Process resource usage snapshot
cat /proc/1/cgroup            # Check if in a container (cgroup v1 paths name the runtime; on cgroup v2 this is often just 0::/)
```

#Linux: Users and Environment

```bash
# Who else is here?
who                           # Currently logged in users
w                             # Logged in users and their activity
lastlog                       # Last login times per user
grep -E 'sh$' /etc/passwd     # Users with a login shell (matches /bin/sh, /bin/bash, /bin/zsh, ...)

# Environment variables
env                           # All environment variables
echo $PATH                    # Executable search path
echo $HOME                    # Home directory

# Scheduled tasks
cat /etc/crontab              # System-wide cron
ls -la /etc/cron.*/           # Cron directories (hourly, daily, weekly, monthly)
ls -la /var/spool/cron/crontabs/  # User crontabs
systemctl list-timers --all   # Systemd timers
```

#Linux: Filesystem and Storage

```bash
# Mounted filesystems
mount                         # All mounts
df -h                         # Disk usage
fdisk -l                      # Partition table (requires root)
lsblk                         # Block devices

# Interesting directories
ls -la /opt/                  # Third-party software
ls -la /srv/                  # Service data
ls -la /home/                 # User home directories
ls -la /tmp/                  # Temporary files (writable)
ls -la /dev/shm/              # Ramdisk (writable, often used by exploits)

# Writable directories
find / -type d -writable 2>/dev/null | head -20
```

#Linux: Software and Services

```bash
# Installed packages
dpkg -l                       # Debian/Ubuntu
rpm -qa                       # RHEL/CentOS

# Running services
systemctl list-units --type=service --state=running
service --status-all 2>/dev/null

# Installed compilers/interpreters
which gcc python python3 perl ruby lua

# UDP services (SNMP on 161 is UDP and does not appear in the TCP-only ss -tlnp output)
ifconfig | grep -E "inet|netmask"   # Interface addresses (legacy)
ss -lunp                            # UDP listeners with process info
```

Real example from Monitored: sudo nmap -sU --top-ports 10 -sV <ip> revealed SNMP on UDP 161, leading to credential extraction via snmpwalk -v 2c -c public nagios.monitored.htb.

#Windows: Identity and System Info

```cmd
whoami
whoami /all                   # Full token info: privileges, groups, user SID
whoami /priv                  # Enabled and disabled privileges
whoami /groups                # Group membership with SIDs
echo %username%
echo %userdomain%
hostname
```

#Windows: Network Enumeration

```cmd
ipconfig /all                 # All interfaces with DHCP/DNS info
route print                   # Routing table
arp -a                        # ARP cache
netstat -ano                  # All connections with owning PID
netstat -ano | findstr LIST   # Listening ports
netsh advfirewall show allprofiles   # Firewall state for all profiles
```

#Windows: System and Patch Level

```cmd
systeminfo                     # Full system info including hotfixes
wmic qfe get HotFixID          # Installed patches (for kernel exploit matching)
Get-HotFix                     # PowerShell equivalent
(Get-WmiObject Win32_OperatingSystem).Caption  # OS version (PowerShell)
```

#Windows: User and Group Enumeration

```cmd
net user                       # Local users
net user <username>            # Details for a specific user
net localgroup                 # Local groups
net localgroup administrators  # Admin group members
net group /domain              # Domain groups (on domain-joined machine)
net accounts                   # Password policy

# Domain context
echo %logonserver%             # Which DC authenticated you
set l                          # Environment variables starting with L, including LOGONSERVER
nltest /dclist:<domain>        # List domain controllers
```

#Windows: Process and Service Enumeration

```powershell
Get-Process                    # All running processes
Get-Process | Sort-Object CPU -Descending  # By CPU usage
Get-Service                    # All services
Get-Service | Where-Object {$_.Status -eq "Running"}
sc.exe query type= service     # Service list via sc (in PowerShell, bare "sc" is the Set-Content alias; note the space after "type=")
sc.exe qc <ServiceName>        # Service configuration (binary path, start type)
```

#Windows: Defense Mechanisms

# Windows Defender status
Get-MpComputerStatus           # Full Defender status
Get-MpComputerStatus | select AntivirusEnabled,RealTimeProtectionEnabled

# AppLocker
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
# Check PowerShell language mode (ConstrainedLanguage = AppLocker)
$ExecutionContext.SessionState.LanguageMode

# Firewall
netsh advfirewall show allprofiles
Get-NetFirewallProfile | select Name,Enabled

# Running security products
Get-Process | Where-Object {$_.Name -match "defender|mcshield|sentinel|crowdstrike|csfalcon"}
POWERSHELL

#Windows: Scheduled Tasks

```cmd
schtasks /query /fo LIST /v    # Exhaustive scheduled task list
schtasks /query /fo TABLE      # Table format
Get-ScheduledTask              # PowerShell alternative
```

#Domain Context Enumeration

```powershell
# Domain info
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
Get-ADDomain

# Domain controllers
nltest /dclist:<domain>
Get-ADDomainController

# Trusts
nltest /domain_trusts
Get-ADTrust -Filter *

# Machine account quota
Get-ADObject -Identity ((Get-ADDomain).distinguishedname) -Properties ms-DS-MachineAccountQuota

# Current user's domain groups
whoami /groups | findstr /i "domain"
```

#BloodHound: CE vs Legacy Comparison

```text
# BloodHound CE (Docker, 2024+ standard):
docker compose up -d                    # Start via Docker
# Access: http://localhost:8080          # Web UI
# Default creds: admin / admin          # Change on first login
# Collection: Built-in SharpHound CE collector in web UI
# OR: rusthound-ce for Linux-based collection

# Legacy BloodHound (pre-CE):
sudo neo4j console                      # Start Neo4j DB
bloodhound                              # Start GUI (Java)
# Access: http://localhost:7474
# Collection: SharpHound.exe or bloodhound-python

# OPSEC comparison:
# SharpHound (on-target): Generates Event ID 4688 (process creation) + loads .NET (AMSI flagged)
# bloodhound-python (remote): Generates only Event ID 4662 (LDAP queries) — stealthier
# Stealth tip: SharpHound -c DCOnly collects only from DCs (fewer queries, less noise)
```

#PowerView — Essential AD Enumeration Toolkit

```powershell
# PowerView (PowerSploit)
Import-Module .\PowerView.ps1
Get-DomainUser -Identity username -Properties *        # Detailed user info
Get-DomainComputer -Properties name,operatingsystem    # Computer enumeration
Get-DomainGroup -Identity "Domain Admins" -Properties * # Group membership
Find-LocalAdminAccess -ComputerName target              # Find machines where you have admin
Get-DomainTrust | ft                                   # Domain trust relationships
Get-DomainForeignUser                                   # Users in foreign domains
Get-DomainForeignGroupMember                             # Groups with foreign members
Get-DomainGPO | Get-DomainGPOComputer                   # GPO-to-computer mapping
```

#SharpView, Seatbelt, AMSI/CLM Detection

```text
# SharpView — C# equivalent of PowerView (no PowerShell, avoids AMSI/CLM)
# Use when PowerShell is monitored or in Constrained Language Mode

# Seatbelt — C# situational awareness (Ghostpack)
Seatbelt.exe -group=all          # All checks
Seatbelt.exe AntiVirus           # AV/EDR products installed
Seatbelt.exe AppLocker           # AppLocker policy
Seatbelt.exe WindowsDefender     # Defender configuration

# AMSI/CLM detection before running tools:
$ExecutionContext.SessionState.LanguageMode    # Check CLM (ConstrainedLanguage = locked)
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')  # Check AMSI
```

#OPSEC Notes for Situational Awareness Commands

```text
# whoami /all → Event ID 4624/4634 (commonly logged by SIEM)
# net user /domain → Event ID 4769 (Kerberos TGS request, logged by DC)
# net group /domain → Event ID 4768/4769 (logged by DC)
# BloodHound collection → Hundreds of Event ID 4662 entries on DCs
```

#Common Pitfalls

  • Running whoami /priv and stopping -- also check group membership and domain context
  • Overlooking UDP services -- SNMP, TFTP, NFS can leak credentials
  • Forgetting to check container context -- cat /proc/1/cgroup reveals if you're in a Docker/LXC container
  • Assuming "no sudo" means no escalation -- check SUID binaries, capabilities, cron jobs, and writable service files
  • Not checking internal listening ports (127.0.0.1 services) -- port forwarding may reveal hidden services
  • Ignoring DNS and ARP cache for network topology mapping
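The container check from the process-enumeration block and the pitfall above, as an added example (not part of the original module): it classifies the contents of /proc/1/cgroup and falls back to the runtime marker files, because on cgroup v2 hosts /proc/1/cgroup usually reads just 0::/ even inside a container. The runtime patterns, the marker-file set and the injected present_files parameter are this example's own assumptions, and the sample cgroup dumps are constructed.

```python
"""Added example, not from the original module: interpret the container
indicators behind `cat /proc/1/cgroup`, with the fallbacks needed on cgroup v2
hosts where that file is uninformative. Runtime markers are assumptions."""
import re
from pathlib import Path

# Path fragments that name a container runtime in a cgroup v1 /proc/1/cgroup.
# Kubernetes is checked first: its pod paths may also carry a runtime id.
CGROUP_MARKERS = {
    "kubernetes": re.compile(r"/kubepods"),
    "docker": re.compile(r"/docker[/-]|docker-[0-9a-f]{64}\.scope"),
    "podman": re.compile(r"/libpod-"),
    "lxc": re.compile(r"/lxc[/.]"),
}
# Marker files the runtime places in the container's root filesystem
MARKER_FILES = {"/.dockerenv": "docker", "/run/.containerenv": "podman"}

def classify_cgroup(cgroup_text: str) -> str:
    """Name the runtime found in a /proc/1/cgroup dump, or 'none'.
    On cgroup v2 the file is often just '0::/', so 'none' is not conclusive."""
    for name, pattern in CGROUP_MARKERS.items():
        if pattern.search(cgroup_text):
            return name
    return "none"

def detect_container(cgroup_text: str, present_files: set) -> str:
    """Combine cgroup evidence with marker files. present_files is the set of
    paths that exist on the host, injected so the logic can run on sample data."""
    runtime = classify_cgroup(cgroup_text)
    if runtime != "none":
        return runtime
    for path, name in MARKER_FILES.items():
        if path in present_files:
            return name
    return "none"

def detect_local() -> str:
    """Run the same check against the real /proc/1/cgroup and marker files."""
    try:
        text = Path("/proc/1/cgroup").read_text()
    except OSError:
        text = ""
    return detect_container(text, {p for p in MARKER_FILES if Path(p).exists()})

# Constructed samples: a cgroup v1 Docker container (cgroupfs driver), a
# cgroup v2 host, and a Kubernetes pod
SAMPLE_V1_DOCKER = "12:pids:/docker/3f2a0c9e1b\n11:memory:/docker/3f2a0c9e1b\n"
SAMPLE_V2 = "0::/\n"
SAMPLE_K8S = "1:name=systemd:/kubepods/burstable/pod7c1d/9e4f\n"
```

detect_local() reports the host the script runs on; the other functions take the dump and file set as arguments so the logic can be exercised on the constructed samples.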

#OPSEC Considerations

  • Standard system commands (whoami, ipconfig, uname) are minimal noise and rarely trigger alerts.
  • Process listing (ps aux, Get-Process) is benign but EDR may log it on high-security systems.
  • Netstat and ARP cache queries are standard system administration and unlikely to alert.
  • Domain enumeration commands (net group /domain, nltest) are normal in AD environments.
  • The wmic qfe command and systeminfo are low noise but may be logged in PCI/compliance environments.
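The event IDs in the OPSEC notes and the noise ratings just above describe commands that are individually benign; what a detection engineer keys on is several distinct ones from a single logon session in a short window. Added example, not from the original module: a sliding-window check over constructed, simplified process-creation records (epoch, logon id, command line, the fields a 4688 event or auditd EXECVE record carries); the command list, the 60-second window and the threshold of four are this example's assumptions.

```python
"""Added example, not from the original module: flag the host-reconnaissance
pattern this module's commands produce in process-creation logs. Record format
is a constructed simplification: '<epoch> <logon_id> <process> [args...]'."""
from collections import defaultdict

# Commands the module runs during situational awareness. Each is benign on its
# own, so the detection keys on distinct commands per logon session and window.
RECON_COMMANDS = {
    "whoami", "id", "uname", "hostname", "ipconfig", "systeminfo", "net", "net1",
    "nltest", "wmic", "schtasks", "netstat", "ss", "arp",
}
WINDOW_SECONDS = 60       # assumption: bursts are scripted or typed quickly
DISTINCT_THRESHOLD = 4    # assumption: tune against admin baselines
def parse_record(line: str):
    """'<epoch> <logon_id> <process> [args...]' -> (ts, logon_id, basename)
    with directory, .exe suffix and case stripped from the process name."""
    ts, logon_id, process = line.split(maxsplit=3)[:3]
    name = process.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return int(ts), logon_id, name[:-4] if name.endswith(".exe") else name

def find_recon_bursts(lines):
    """Return {logon_id: (window_start, sorted distinct recon commands)} for every
    session that ran >= DISTINCT_THRESHOLD distinct recon commands within
    WINDOW_SECONDS (first qualifying window per session)."""
    events = defaultdict(list)
    for line in lines:
        ts, logon_id, name = parse_record(line)
        if name in RECON_COMMANDS:
            events[logon_id].append((ts, name))
    hits = {}
    for logon_id, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            in_window = {n for t, n in evs[i:] if t - start <= WINDOW_SECONDS}
            if len(in_window) >= DISTINCT_THRESHOLD:
                hits[logon_id] = (start, sorted(in_window))
                break
    return hits

# Constructed sample: a recon burst (logon 0x5a2f1) and an admin's two far-apart commands
SAMPLE_LOG = [
    "1700000005 0x5a2f1 C:\\Windows\\System32\\whoami.exe /all",
    "1700000009 0x5a2f1 C:\\Windows\\System32\\ipconfig.exe /all",
    "1700000015 0x5a2f1 C:\\Windows\\System32\\net.exe user /domain",
    "1700000021 0x5a2f1 C:\\Windows\\System32\\systeminfo.exe",
    "1700000030 0x5a2f1 C:\\Windows\\System32\\nltest.exe /dclist:corp",
    "1700000100 0x7b3 C:\\Windows\\System32\\ipconfig.exe /all",
    "1700001000 0x7b3 C:\\Windows\\System32\\whoami.exe",
]
```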

#Post-Exploitation Value

Situational awareness determines every subsequent action. It reveals: privilege escalation opportunities (SUID, capabilities, service permissions), lateral movement targets (ARP cache, DNS, domain info), credential sources (SSH config, cron jobs, running services), defense posture (AV, firewall, AppLocker), and network segmentation (internal interfaces, listening ports on localhost).

#Cross-References

#Tool References

| Tool | Link |
|---|---|
| linpeas | https://github.com/carlospolop/PEASS-ng |
| WinPEAS | https://github.com/carlospolop/PEASS-ng |
| PowerView | https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon |
| BloodHound | https://github.com/BloodHoundAD/BloodHound |
| pspy | https://github.com/DominicBreuker/pspy |

#Source Machines

  • Monitored (Medium, Linux) - SNMP enumeration via snmpwalk -v 2c -c public
  • Sau (Easy, Linux) - Internal port 80 accessed via SSRF through Request Baskets
  • Cereal (Hard, Windows) - Localhost port 8080 GraphQL discovered via netstat -ano
  • Support (Easy, Windows) - whoami /groups revealed Shared Support Accounts group membership
  • Cerberus (Hard, Linux) - Container detection + SSSD domain-joined Linux enumeration
  • StreamIO (Medium, Windows) - Domain enumeration via net user and Get-ADDomain