Logged-on users:

crackmapexec smb 172.16.5.130 -u forend -p Klmcargo2 --loggedon-users

Share Enumeration: (spider_plus)

crackmapexec smb 172.16.5.5 -u forend -p Klmcargo2 -M spider_plus --share 'Department Shares'

We then obtain a summary of the enumerated files:

head -n 10 /tmp/cme_spider_plus/172.16.5.5.json 

{
    "Department Shares": {
        "Accounting/Private/AddSelect.bat": {
            "atime_epoch": "2022-03-31 14:44:42",
            "ctime_epoch": "2022-03-31 14:44:39",
            "mtime_epoch": "2022-03-31 15:14:46",
            "size": "278 Bytes"
        },
        "Accounting/Private/ApproveConnect.wmf": {
            "atime_epoch": "2022-03-31 14:45:14",
     
<SNIP>

Psexec.py

Requires local admin privileges.

psexec.py creates a remote service by uploading a randomly-named executable to the ADMIN$ share.

It then registers the service via RPC and the Windows Service Control Manager.

Once established, it provides us with a SYSTEM shell on the victim host.
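
Because this technique installs a service whose binary lands in the directory behind ADMIN$, the service-install event is a natural detection point. The following Python code is an added example, not part of the original notes: it scans records shaped like Windows System-log event 7045 and flags SYSTEM services whose binary sits directly in the Windows root. The sample events, host names, allowlist entry and the C:\Windows install path are constructed assumptions.

```python
import ntpath
import re

WINDOWS_ROOT = r"c:\windows"  # assumption: default install path, exposed as ADMIN$

# Constructed sample records shaped like the EventData of System-log event 7045
# ("A service was installed in the system"). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "HOST-A", "ServiceName": "kQxZ",
     "ImagePath": r"%SystemRoot%\hVbTqLmo.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "HOST-A", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "HOST-B", "ServiceName": "BackupAgent",
     "ImagePath": r'"C:\Program Files\Backup\agent.exe" --service',
     "AccountName": "LocalSystem"},
    {"EventID": 7045, "Computer": "HOST-B", "ServiceName": "VendorAgent",
     "ImagePath": r"C:\Windows\vendoragent.exe", "AccountName": "LocalSystem"},
    {"EventID": 7036, "Computer": "HOST-B", "ServiceName": "Spooler"},
]

def exe_path(image_path):
    """Return the lower-cased executable path from a service ImagePath value."""
    p = image_path.strip()
    if p.startswith('"'):                       # quoted path, arguments follow
        p = p[1:].split('"', 1)[0]
    else:                                       # unquoted: cut after the first .exe
        m = re.match(r"(.+?\.exe)(\s|$)", p, re.IGNORECASE)
        p = m.group(1) if m else p
    p = p.lower()
    for prefix in ("%systemroot%", "%windir%", "\\systemroot"):
        if p.startswith(prefix):
            p = WINDOWS_ROOT + p[len(prefix):]
    return p

# baseline: binary names known to be legitimate there (hypothetical allowlist)
def suspicious_service_installs(events, baseline=frozenset()):
    """Flag 7045 events whose SYSTEM service binary sits in the Windows root."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 7045:
            continue
        path = exe_path(ev.get("ImagePath", ""))
        if (ntpath.dirname(path) == WINDOWS_ROOT
                and ntpath.basename(path) not in baseline
                and ev.get("AccountName", "").lower() == "localsystem"):
            hits.append((ev["Computer"], ev["ServiceName"], path))
    return hits
```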

Wmiexec.py

Wmiexec.py runs a semi-interactive shell using WMI.

It is caught by EDR and AV.