Host Situational Awareness

Empire has a few modules to assist with host-based situational awareness.

The situational_awareness/host/dnsserver module, from DarkOperator’s Posh-SecMod, allows you to enumerate the DNS servers used by a particular host.

The situational_awareness/host/computerdetails module, from PowerSploit, enumerates useful information on the system. It can enumerate event ID 4648 logon information from the event log (RDPs to another machine), event ID 4624 events (logons to the target), AppLocker logs, PowerShell scripts run, and saved RDP sessions. It requires administrative privileges on the target.

The situational_awareness/host/winenum module runs a series of common host enumeration actions without needing local administrator privileges. It will pull local/AD group memberships, last password set times, interesting files, clipboard contents, basic system information, AV solutions, network adapter information, and more.
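For defenders: when PowerShell script block logging (event ID 4104) is enabled, loading any of these three modules writes its function definition to the Microsoft-Windows-PowerShell/Operational log. The following is an added example, not code from Empire or from the original page; the function names mapped to each module and the helper names `Get-ScriptBlockEvent` and `Find-HostEnumScriptBlock` are assumptions, and the sample records are constructed.

```powershell
# Assumption: the function each module defines when loaded. These names are not
# listed on the page; confirm them against the Empire version you are hunting for.
$ModuleFunctions = [ordered]@{
    'Get-SystemDNSServer' = 'situational_awareness/host/dnsserver'
    'Get-ComputerDetails' = 'situational_awareness/host/computerdetails'
    'Invoke-WinEnum'      = 'situational_awareness/host/winenum'
}

# Live source: script block logging events (4104). Property index 2 is ScriptBlockText.
function Get-ScriptBlockEvent {
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated; Computer = $_.MachineName
                UserSid = $_.UserId; ScriptBlockText = $_.Properties[2].Value
            }
        }
}

# Flag records whose script block *defines* one of the functions (not just mentions it).
function Find-HostEnumScriptBlock {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        foreach ($name in $ModuleFunctions.Keys) {
            $pattern = "function\s+$([regex]::Escape($name))\b"
            if ($e.ScriptBlockText -match $pattern) {
                [pscustomobject]@{
                    TimeCreated = $e.TimeCreated; Computer = $e.Computer
                    UserSid = $e.UserSid; Function = $name; Module = $ModuleFunctions[$name]
                }
            }
        }
    }
}

# Constructed sample records so the logic can be exercised offline.
$Sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:00:00'; Computer = 'WS01'
        UserSid = 'S-1-5-21-0-0-0-1001'; ScriptBlockText = 'function Invoke-WinEnum { }' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:05:00'; Computer = 'WS01'
        UserSid = 'S-1-5-21-0-0-0-1001'; ScriptBlockText = 'Get-Help Get-ComputerDetails' }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-01T10:07:00'; Computer = 'SRV02'
        UserSid = 'S-1-5-21-0-0-0-500'; ScriptBlockText = 'function Get-ComputerDetails { }' }
)

# Two hits expected: the first and third records. The Get-Help line only mentions the name.
Find-HostEnumScriptBlock -Events $Sample | Format-Table -AutoSize
# On a live host: Find-HostEnumScriptBlock -Events (Get-ScriptBlockEvent)
```

Name matching only catches unmodified modules; renamed or obfuscated functions will not match, so treat a hit as high-confidence and a miss as inconclusive.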