$ uname -r
##########
# Tweaked Win10 Initial Setup Script
# Primary Author: Disassembler <disassembler@dasm.cz>
# Original Version: 1.4, 2016-01-16
# Tweaked based on personal preferences for @alirobe 2016-03-23 - v1.4.1
# NOTE: MAKE SURE YOU READ THIS SCRIPT CAREFULLY BEFORE RUNNING IT + ADJUST COMMENTING AS APPROPRIATE
##########
# Ask for elevated permissions if required
If (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]"Administrator")) {
spawnto | count
---|---
WUAUCLT.exe | 1
WerFault.exe | 3
batchexe | 2
cmstp.exe | 1
compact.exe | 1
dllhost.exe | 3
eventvwr.exe | 1
gpresult.exe | 2
gpupdate.exe | 16
In the default configuration of Active Directory, it is possible to remotely take over workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. In short, this is accomplished by:
- Triggering machine authentication over HTTP via either MS-RPRN or MS-EFSRPC (as demonstrated by @tifkin_). This requires a set of credentials for the RPC call.
- Relaying that machine authentication to LDAPS for configuring RBCD
- RBCD takeover
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<!-- This inline task executes c# code. -->
<!-- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe SimpleTasks.csproj -->
<!-- Save This File And Execute The Above Command -->
<!-- Original Author: Casey Smith, Twitter: @subTee -->
<!-- Modified by John Baek, @exploitpreacher to use ntqueueapcthread (https://github.com/FuzzySecurity/Sharp-Suite/tree/master/UrbanBishop) -->
<!-- License: BSD 3-Clause -->
<Target Name="Hello">
<ClassExample />
</Target>