SitRep
Extensible, configurable host triage.
Purpose
SitRep is intended to provide a lightweight, extensible host triage alternative. Checks are loaded dynamically at runtime from stand-alone files. This allows operators to quickly modify existing checks, or add new checks as required.
Checks are grouped by category and can be marked as OpSec safe or unsafe. Unsafe checks are only loaded if the /AllowUnsafe flag is provided.
Interesting results are highlighted with a “[*]”.
Checks
Checks are separated into categories. This allows them to be displayed in appropriate groups. The following checks are currently available:
Environment
- CurrentUser.cs – The current user
- DomainName.cs – The domain name
- HostName.cs – The hostname
- LoggedOnUsers.cs – Lists all logged-on users
- OSVersion.cs – OS version information
- VirtualEnvironment.cs – Checks if we are operating in a virtualised environment
- userEnvironmentVariables.cs – Grabs the environment variables applied to the current process
- SystemEnvironmentVariables.cs – Grabs system environment variables from the registry (HKLM)
- NameServers.cs – Gets the DNS servers for each network interface
Defenses
- AVProcesses.cs – Checks if any known AV processes are running
Permissions
- Integrity.cs – Gets the integrity level of the current process
- LocalAdmin.cs – Checks if we are a local admin
- Privileges.cs – Lists our current privileges
- UACLevel.cs – Gets the UAC level
- UserDomainGroups.cs – Gets the user's domain group memberships
- ComputerDomainGroups.cs – Gets the domain groups the computer is a member of
Software
- InstalledBrowsers.cs – Lists the browsers installed on the endpoint
Credentials
- CredentialManager.cs – Retrieve credentials stored in Windows Credential Manager for the current user
The following checks are currently marked as not OpSec safe:
- CredentialManager.cs
- ComputerDomainGroups.cs
- UserDomainGroups.cs
You should review this configuration and update the OpSec tags as required.