This is a C# tool that uses .NET (rather than net user, net group, ipconfig, and other common command-line utilities) for gathering initial data of interest and situational awareness from a Windows host that an attacker gains access to. This tool can be run directly on the host (ex: via RDP) or remotely via attack tools (ex: Cobalt Strike's execute-assembly).

Credit to Brandon Dennis (https://github.com/Slyth11907) for writing the .NET code to list DNS cache entries using dnsapi.dll.

Credit to HarleyQu1nn for EDR detection research that I leveraged and ported over to C# (https://github.com/harleyQu1nn/AggressorScripts/blob/master/EDR.cna)

Once run this tool gathers the following information:

-local admin group members

-local user accounts

-internal IP addresses found

-list of running processes

-list of running services

-antivirus products found (note: code invokes wmi for this check)

-endpoint detection & response products found

-list of AD groups belonging to the current user context (if joined to a domain)

-list of domain admin accounts (if joined to a domain)

-list of domain controllers (if joined to a domain)

-dump of DNS cache entries (using dnsapi.dll)

This tool was written as a Visual Studio Console App (.NET Framework) and uses .net for the checks above (except for using wmi to enumerate antivirus products)

This code serves as a proof of concept for alternate methods of gathering Windows host data of interest using .NET.