There are a lot of PowerShell commands that can be used for enumerating Windows.
# List all AD users (IFF the machine is joined to a domain!)#Get-ADUser -Filter *# List AD users within a particular LDAP subtree#Get-ADUser -Filter * -SearchBase "CN=Users,DC=example,DC=com"# Enumerate antivirus#Get-CimInstance -Namespace root/SecurityCenter2 ` -ClassName AntivirusProduct# Check if the Windows Defender service is running#Get-Service WinDefend# Check if real-time protection is enabled for Windows# Defender#Get-MpComputerStatus | select RealTimeProtectionEnabled# Get information about potential threats recently detected by# Windows Defender#Get-MpThreat# Check the status of the Windows Firewall#Get-NetFirewallProfile | Format-Table Name,Enabled# Disable all WIndows Firewall profiles#Set-NetFirewallProfile -Profile Domain,Public,Private ` -Enabled False# List Windows Firewall rules#Get-NetFirewallRule | select DisplayName,Enabled,Description# Two ways to check if a port can be connected to (the first# provides more output, while the second is more suitable for# scripting)#Test-NetConnection -ComputerName $IP_OR_HOSTNAME -Port $PORT(New-Object System.Net.Sockets.TcpClient("$IP_OR_HOSTNAME", "$PORT")).Connected# List all current Windows logs#Get-EventLog -List# Sysmon is dangerous for an attacker! Three ways to check if# it's running...#Get-Process | Where-Object { $_.ProcessName -eq "Sysmon" }Get-CimInstance win32_service ` -Filter "Description = 'System Monitor service'"Get-Service | where-object {$_.DisplayName -like "sysm"}# List hidden directories#Get-ChildItem -Hidden -Path $SOME_PATH# Get a process with a particular "image name" (generally example.exe has an image name of "example")#Get-Process -Name $IMAGE_NAME
When checking to see if Sysmon is running, you can also examine the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Sysmon\Operational Registry entry.