Toolsmith Tidbit: Windows Auditing with WINspect
WINSpect recently hit the toolsmith radar screen via Twitter, and the author, Amine Mehdaoui, just posted an update a couple of days ago, so no time like the present to give you a walk-through. WINSpect is a PowerShell-based Windows Security Auditing Toolbox. According to Amine’s GitHub README, WINSpect “is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine aiming to identify security weaknesses and point to components that need further hardening. The main targets for the current version are domain-joined windows machines. However, some of the functions still apply for standalone workstations.”
The current script feature set includes audit checks and enumeration for:
- Installed security products
- World-exposed local filesystem shares
- Domain users and groups with local group membership
- Registry autoruns
- Local services that are configurable by Authenticated Users group members
- Local services for which corresponding binary is writable by Authenticated Users group members
- Non-system32 Windows Hosted Services and their associated DLLs
- Local services with unquoted path vulnerability
- Non-system scheduled tasks
- DLL hijackability
- User Account Control settings
- Unattended installs leftovers
WINSpect then confirmed that UAC was enabled, and that it should notify me only when apps try to make changes, then checked my registry for autoruns; no worries on either front, all confirmed as expected.
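To make the "local services with unquoted path vulnerability" item in the feature list concrete, here is a short audit check written for this walk-through. It is an added example, not code from WINSpect or its author; the function name `Test-UnquotedServicePath` and the sample paths are hypothetical.

```powershell
# Added example (not WINSpect's code): flag services whose executable path
# contains a space but is not wrapped in double quotes.
function Test-UnquotedServicePath {
    param([string]$PathName)

    $p = $PathName.Trim()
    # Empty paths and already-quoted paths are not findings.
    if (-not $p -or $p.StartsWith('"')) { return $false }

    # Isolate the executable portion (up to the first ".exe") so that spaces
    # which only separate arguments, as in "svchost.exe -k netsvcs", are ignored.
    if ($p -match '^(.+?\.exe)(\s|$)') {
        return $Matches[1].Contains(' ')
    }
    return $false
}

# Constructed sample ImagePath values (not taken from a real host).
$samples = @(
    'C:\Program Files\Example Vendor\agent.exe --service',    # unquoted, space in path
    '"C:\Program Files\Example Vendor\agent.exe" --service',  # quoted correctly
    'C:\Windows\system32\svchost.exe -k netsvcs'              # space only before arguments
)
$samples | ForEach-Object {
    [pscustomobject]@{ Unquoted = (Test-UnquotedServicePath $_); PathName = $_ }
} | Format-Table -AutoSize

# On a Windows host, run the same test against the installed services.
# Remediation for any hit: wrap the executable path in double quotes in the
# service's ImagePath value.
if ($env:OS -eq 'Windows_NT') {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { Test-UnquotedServicePath $_.PathName } |
        Select-Object Name, StartMode, StartName, PathName |
        Format-Table -AutoSize
}
```

Only the first constructed sample is flagged. The check looks at the path string alone, so a hit still needs a review of the permissions on each directory in the path before it is rated.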
*** This is a Security Bloggers Network syndicated blog from HolisticInfoSec™ authored by Russ McRee. Read the original post at: https://holisticinfosec.blogspot.com/2017/09/toolsmith-tidbit-windows-auditing-with.html