Stolen realm cheat
7/22/2023

Since I recently completed my CRTP and CRTE exams, I decided to compile a list of my most-used techniques and commands for Microsoft Windows and Active Directory (post-)exploitation. Many items of this list are shamelessly stolen from certification courses (that come highly recommended) that discuss Active Directory, such as CRTP, CRTE, OSEP, and CRTO. It is largely aimed at completing these two certifications, but should be useful in a lot of cases when dealing with Windows / AD exploitation. That being said - it is far from an exhaustive list. If you feel any important tips, tricks, commands or techniques are missing from this list just get in touch. I will try to keep it updated as much as possible!

Note: I tried to highlight some poor OpSec choices for typical red teaming engagements with □. I will likely have missed some though, so make sure you understand what you are running before you run it!

If you are looking for the cheat sheet and command reference I used for OSCP, please refer to this post.

I’ve re-written and improved many sections. Notable changes have been made in the sections on delegation, inter-forest exploitation, and lateral movement through MSSQL servers. Some other changes and clarifications have been made throughout the post.

Updated March 26th, 2021: This blog post has been updated based on some tools and techniques from Offensive Security’s PEN-300 course (for the accompanying OSEP certification). Notable changes have been made to the sections on LAPS, AppLocker & CLM, PowerView, and Overpass-the-Hash with Rubeus. New sections have been added on DPAPI and GPO abuse.

Updated June 5th, 2021: I have made some more changes to this post based on (among others) techniques discussed in ZeroPointSecurity’s ‘Red Team Ops’ course (for the CRTO certification). Changes made to the Defender evasion, RBCD, Domain Enumeration, Rubeus, and Mimikatz sections.

Updated November 3rd, 2021: Included several fixes and actualized some techniques.

Lateral Movement Enumeration With PowerView.
Command execution with PowerShell Remoting.
Abusing MSSQL databases for lateral movement.
Abusing Group Policy Objects for lateral movement.
Grant specific user DCSync rights with PowerView.
Modifying security descriptors for remote WMI access.
Modifying security descriptors for PowerShell Remoting access.
Modifying DC registry security descriptors for remote hash retrieval using DAMP.
Abusing the Data Protection API (DPAPI) with Mimikatz.

General PowerShell
AMSI Bypass

Patching the Anti-Malware Scan Interface (AMSI) will help bypass AV warnings triggered when executing PowerShell scripts (or other AMSI-enabled content, such as JScript) that are marked as malicious. Do not use as-is in covert operations, as they will get flagged □. Obfuscate, or even better, eliminate the need for an AMSI bypass altogether by altering your scripts to beat signature-based detection.

# Get all users in the current domain
Get-DomainUser | select -ExpandProperty cn

# Find members of the DA group
Get-DomainGroupMember "Domain Admins" | select -ExpandProperty membername

# Get information for the DA group
Get-DomainGroup "Domain Admins"

# Get domain/forest trusts
Get-DomainTrust
Get-ForestTrust

# Get all domains in current forest
Get-ForestDomain

# Get all computers in the current domain
Get-DomainComputer

# Find interesting shares in the domain, ignore default shares, and check access
Find-DomainShare -ExcludeStandard -ExcludePrint -ExcludeIPC -CheckShareAccess

# Get OUs for current domain
Get-DomainOU -FullData

# Look for servers with Unconstrained Delegation enabled
# If available and you have admin privs on this server, get user TGT (see below)
Get-DomainComputer -Unconstrained

# Look for users or computers with Constrained Delegation enabled
# If available and you have user/computer hash, access service machine as DA (see below)
Get-DomainUser -TrustedToAuth | select userprincipalname, msds-allowedtodelegateto
Get-DomainComputer -TrustedToAuth | select name, msds-allowedtodelegateto

BloodHound

Use Invoke-BloodHound from SharpHound.ps1, or use SharpHound.exe. Both can be run reflectively, get them here. Examples below use the PowerShell variant but arguments are identical.

# Request a TGT as the target user and pass it into the current session
# NOTE: Make sure to clear tickets in the current session (with 'klist purge') to ensure you don't have multiple active TGTs.
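The delegation settings that the PowerView enumeration above looks for (unconstrained, constrained with protocol transition, and resource-based) are also what a defender should be reviewing. The following audit script is an added example, not code from the cheat sheet or from PowerView; it assumes the RSAT ActiveDirectory module is installed, and the function name Get-DelegationAudit is my own.

```powershell
# Added defender-side audit: not code from the cheat sheet above, and it uses the RSAT
# ActiveDirectory module rather than PowerView. It lists the delegation settings the
# enumeration commands above look for so they can be reviewed and remediated.
Import-Module ActiveDirectory

function Get-DelegationAudit {
    [CmdletBinding()]
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    $props = 'samAccountName', 'objectClass', 'userAccountControl', 'msDS-AllowedToDelegateTo'

    # Unconstrained: TRUSTED_FOR_DELEGATION (0x80000 = 524288) via the LDAP bitwise-AND rule.
    # Domain controllers (primaryGroupID 516/521) hold this flag by design and are skipped;
    # any other account listed here receives the TGTs of users that authenticate to it.
    $unconstrained = Get-ADObject -SearchBase $SearchBase -Properties $props -LDAPFilter `
        '(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=524288)(!(|(primaryGroupID=516)(primaryGroupID=521))))'
    foreach ($o in $unconstrained) {
        [pscustomobject]@{ Type = 'Unconstrained'; Account = $o.samAccountName; Class = $o.objectClass
                           Targets = '(any service)'; ProtocolTransition = $false }
    }

    # Constrained: msDS-AllowedToDelegateTo populated. Protocol transition
    # (TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000) is what PowerView's -TrustedToAuth matches.
    $constrained = Get-ADObject -SearchBase $SearchBase -Properties $props -LDAPFilter `
        '(&(objectClass=user)(msDS-AllowedToDelegateTo=*))'
    foreach ($o in $constrained) {
        [pscustomobject]@{ Type = 'Constrained'; Account = $o.samAccountName; Class = $o.objectClass
                           Targets = ($o.'msDS-AllowedToDelegateTo' -join ';')
                           ProtocolTransition = [bool]($o.userAccountControl -band 0x1000000) }
    }

    # Resource-based (RBCD): the target computer names the principals allowed to delegate
    # to it; the AD module exposes the decoded list as PrincipalsAllowedToDelegateToAccount.
    $rbcd = Get-ADComputer -SearchBase $SearchBase -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
        -Properties PrincipalsAllowedToDelegateToAccount
    foreach ($o in $rbcd) {
        [pscustomobject]@{ Type = 'RBCD'; Account = $o.SamAccountName; Class = 'computer'
                           Targets = ($o.PrincipalsAllowedToDelegateToAccount -join ';')
                           ProtocolTransition = $false }
    }
}

# Runs as any domain user with read access to the directory; review each row and remove
# delegation that has no documented business need.
Get-DelegationAudit | Sort-Object Type, Account | Format-Table -AutoSize
```

Accounts that appear under Unconstrained or with ProtocolTransition set to True are the ones worth prioritising, since they are exactly what the -Unconstrained and -TrustedToAuth queries above surface.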