| ### NTFS exercise setup | |
| ## 1. download some files to test various content and add ADS to simulate manual download from a browser | |
| $downloads = ( | |
| "https://live.sysinternals.com/PsExec64.exe", | |
| "https://live.sysinternals.com/procdump64.exe", | |
| "https://live.sysinternals.com/sdelete64.exe", | |
| "https://github.com/limbenjamin/nTimetools/raw/master/nTimestomp_v1.2_x64.exe" | |
| ) |
| # in addition to the profile, a stage0 loader is also required (default generated payloads are caught by signatures) | |
| # as stage0, remote injecting a thread into a suspended process works | |
| set host_stage "false"; | |
| set useragent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62"; | |
| set sleeptime "10000"; | |
| stage { | |
| set allocator "MapViewOfFile"; | |
| set name "notevil.dll"; |
An example of building a Windows Server 2019 AMI on AWS with Packer. The AMI will include Firefox, Putty, VSCode and extensions.
This is heavily based on the AWS Windows examples from https://www.packer.io/docs/builders/amazon/ebs
packer build custom-windows.pkr.hcl
# Nmap scan as: nmap -A -v -T4 -Pn -oN intial.nmap intelligence.htb
Increasing send delay for 10.129.80.199 from 0 to 5 due to 25 out of 61 dropped probes since last increase.
adjust_timeouts2: packet supposedly had rtt of 10052524 microseconds. Ignoring time.
adjust_timeouts2: packet supposedly had rtt of 10052524 microseconds. Ignoring time.
Increasing send delay for 10.129.80.199 from 5 to 10 due to 14 out of 34 dropped probes since last increase.
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
| // To compile: gcc64.exe run.c -o run.exe | |
| // To run: run.exe cmd.exe "/c whoami" | |
| #include <Windows.h> | |
| #include <stdio.h> | |
| int main(int argc, char **argv) { | |
| CHAR cDesktop[] = "hiddendesktop"; | |
| HDESK hDesk = CreateDesktop(cDesktop, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL); |
In the default configuration of Active Directory, it is possible to remotely take over Workstations (Windows 7/10/11) and possibly servers (if Desktop Experience is installed) when their WebClient service is running. This is accomplished in short by;
The caveat to this is that the WebClient service does not automatically start at boot. However, if the WebClient service has been triggered to start on a workstation (for example, via some SharePoint interactions), you can remotely take over that system. In addition, there are several ways to coerce the WebClient service to start remotely which I cover in a section below.
| function PNValidate { | |
| $Results = [PSCustomObject]@{ | |
| Spooler = $null | |
| PatchInstalled = $false | |
| RestrictDriverInstallationToAdministrators = $null | |
| NoWarningNoElevationOnInstall = $null | |
| UpdatePromptSettings = $null | |
| Expoitable = $true | |
| Explanation = $null | |
| } |
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: >- | |
| AWS CloudFormation template to create a linux bastion host with a GUI that can | |
| be accessed via x2go. | |
| Parameters: | |
| KeyName: | |
| Description: Name of an existing EC2 KeyPair to enable SSH access to the instances | |
| Type: String | |
| VPC: |
| $WMI = @{ | |
| Query = "SELECT * FROM __InstanceModificationEvent WITHIN 5 WHERE TargetInstance ISA 'MSFT_MpPreference' AND TargetInstance.DisableRealtimeMonitoring=True" | |
| Action = { | |
| #$Global:Data = $Event | |
| Write-Host "Defender Configuration change - DisableRealtimeMonitoring:"$Event.SourceEventArgs.NewEvent.TargetInstance.DisableRealtimeMonitoring"(Old Value:"$Event.SourceEventArgs.NewEvent.PreviousInstance.DisableRealtimeMonitoring")" | |
| } | |
| Namespace = 'root\microsoft\windows\defender' | |
| SourceIdentifier = "Defender.DisableRealtimeMonitoring" | |
| } | |
| $Null = Register-WMIEvent @WMI |
| @echo off | |
| :: Author: Ryan Watson | |
| :: Twitter: @gentlemanwatson | |
| :: Version: 1.0 | |
| :: Credits: Credit to Syspanda.com and their Sysmon GPO article for the kick off point | |
| :: https://www.syspanda.com/index.php/2017/02/28/deploying-sysmon-through-gpo/ | |
| :: ** IMPORTANT ** | |
| :: 1) Create a Sysmon folder with the SYSVOL share on your domain controller | |
| :: 2) Download Sysmon from Microsoft and place both sysmon.exe and sysmon64.exe in |