Beyond


This is the Beyond page, where additional post-compromise enumeration and assessment are carried out after the target domain has been compromised.

System


PS C:\Users> systeminfo
 
Host Name:                 ATSSERVER
OS Name:                   Microsoft Windows Server 2019 Datacenter
OS Version:                10.0.17763 N/A Build 17763
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00430-10710-91142-AA235
Original Install Date:     20/12/2021, 20:34:38
System Boot Time:          07/11/2023, 04:29:50
System Manufacturer:       VMware, Inc.
System Model:              VMware7,1
System Type:               x64-based PC
Processor(s):              2 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2295 Mhz
BIOS Version:              VMware, Inc. VMW71.00V.16707776.B64.2008070230, 07/08/2020
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-gb;English (United Kingdom)
Input Locale:              en-gb;English (United Kingdom)
Time Zone:                 (UTC+00:00) Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     6,143 MB
Available Physical Memory: 2,187 MB
Virtual Memory: Max Size:  7,167 MB
Virtual Memory: Available: 3,117 MB
Virtual Memory: In Use:    4,050 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    acute.local
Logon Server:              N/A
Hotfix(s):                 6 Hotfix(s) Installed.
                           [01]: KB5009472
                           [02]: KB4535680
                           [03]: KB4589208
                           [04]: KB5005112
                           [05]: KB5009557
                           [06]: KB5008287
Network Card(s):           2 NIC(s) Installed.
                           [01]: Hyper-V Virtual Ethernet Adapter
                                 Connection Name: vEthernet (VSwitch1)
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 172.16.22.1
                                 [02]: fe80::30d2:fb97:8091:2846
                           [02]: vmxnet3 Ethernet Adapter
                                 Connection Name: Ethernet0 2
                                 DHCP Enabled:    No
                                 IP address(es)
                                 [01]: 10.10.11.145
                                 [02]: fe80::78a4:cbc4:b505:36bb
                                 [03]: dead:beef::78a4:cbc4:b505:36bb
                                 [04]: dead:beef::249
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Scheduled Tasks


PS C:\> Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*" } | ft TaskName,TaskPath,State
 
TaskName    TaskPath State
--------    -------- -----
ClearAdmins \        Ready
Groups      \        Ready
Keep_Me_On  \        Ready

ClearAdmins


PS C:\> cmd /c schtasks /QUERY /TN \ClearAdmins /V /FO LIST
 
Folder: \
HostName:                             ATSSERVER
TaskName:                             \ClearAdmins
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        07/11/2023 15:32:12
Last Result:                          0
Author:                               ACUTE\administrator
Task To Run:                          powershell.exe c:\users\Administrator\Documents\Clear-Admins.ps1
Start In:                             c:\users\Administrator\Documents
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Administrator
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

c:\users\Administrator\Documents\Clear-Admins.ps1

Clear-Admins.ps1


PS C:\> cat c:\users\Administrator\Documents\Clear-Admins.ps1
Import-Module ActiveDirectory
Get-ADGroupMember 'site_admin' | ForEach-Object {Remove-ADGroupMember 'site_admin' $_ -Confirm:$false}
Get-ADGroupMember 'Domain Admins' | ForEach-Object {Remove-ADGroupMember 'Domain Admins' $_ -Confirm:$false}
Add-ADGroupMember -Identity 'Domain Admins' -Members Site_admin,Administrator

Groups


PS C:\> cmd /c schtasks /QUERY /TN \Groups /V /FO LIST
 
Folder: \
HostName:                             ATSSERVER
TaskName:                             \Groups
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        07/11/2023 15:35:54
Last Result:                          0
Author:                               ACUTE\administrator
Task To Run:                          dsacls.exe "CN=Site_Admin,OU=Sites,DC=acute,DC=local" /G ACUTE\lhopkins:GA
Start In:                             N/A
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          Administrator
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

dsacls.exe "CN=Site_Admin,OU=Sites,DC=acute,DC=local" /G ACUTE\lhopkins:GA

  • dsacls.exe: a command-line utility for displaying or modifying access control lists (ACLs) on Active Directory objects.
  • "CN=Site_Admin,OU=Sites,DC=acute,DC=local": the distinguished name (DN) of the Active Directory object whose permissions are being modified. Here it is the object named "Site_Admin" in the "Sites" organizational unit (OU) of the "acute.local" domain.
  • /G ACUTE\lhopkins:GA: specifies the permissions being granted. Broken down:
    • /G: grant the permissions that follow.
    • ACUTE\lhopkins: the security principal (a user or group) receiving the permissions; here the "lhopkins" user account in the "ACUTE" domain.
    • :GA: the permission being granted. "GA" stands for "Generic All", which is full control over the object.

In summary, the command grants the user "lhopkins" in the "ACUTE" domain full control (Generic All) over the "Site_Admin" object in the "Sites" OU of the "acute.local" domain. That user therefore holds the highest level of permission over this specific Active Directory object.
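Because the ClearAdmins task re-adds Site_admin to Domain Admins at every boot, an explicit GenericAll ACE on that group is effectively a path to Domain Admins, so it is the kind of grant a defender wants to spot. As an added example (not code from the original write-up), the PowerShell below reads the DACL of the Site_Admin object and reports every Allow ACE that carries GenericAll, WriteDacl, WriteOwner or unscoped WriteProperty for a principal outside an assumed tier-0 baseline; the baseline list and the Get-RiskyAce function name are assumptions of this example.

```powershell
# Added audit example, not code from the original write-up. Needs the
# ActiveDirectory module (RSAT), which registers the AD: PSDrive used below.
Import-Module ActiveDirectory

# Object under review: the DN the Groups task passes to dsacls.exe.
$TargetDN = 'CN=Site_Admin,OU=Sites,DC=acute,DC=local'

# Assumed tier-0 baseline allowed to hold full-control style rights;
# replace with the environment's documented privileged principals.
$TrustedPrincipals = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'ACUTE\Domain Admins',
    'ACUTE\Enterprise Admins'
)

# Rights that hand over the object: GenericAll is what dsacls ':GA' grants;
# WriteDacl / WriteOwner let the holder grant it to themselves later.
$DangerousRights = 'GenericAll', 'WriteDacl', 'WriteOwner'

function Get-RiskyAce {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ('AD:\' + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        # Flags enum renders as "Right1, Right2"; split it to match individually.
        $held = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        $hit  = @($held | Where-Object { $DangerousRights -contains $_ })
        # WriteProperty is only full-object write when ObjectType is the empty GUID
        # (property-scoped WriteProperty, e.g. on a single attribute, is routine).
        if ($held -contains 'WriteProperty' -and $ace.ObjectType -eq [guid]::Empty) {
            $hit += 'WriteProperty'
        }
        if ($hit.Count -eq 0) { continue }

        [pscustomobject]@{
            Object    = $DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = ($hit -join ',')
            Inherited = $ace.IsInherited   # explicit ACEs are what a task like Groups writes
        }
    }
}

# Explicit grants first: those are the ones written by a one-off dsacls run.
Get-RiskyAce -DistinguishedName $TargetDN |
    Sort-Object Inherited, Principal |
    Format-Table -AutoSize
```

Run against the DN from the Groups task, an entry with Principal ACUTE\lhopkins, Rights GenericAll and Inherited False is exactly the grant the task leaves behind; pointing $TargetDN at other privileged groups (or wrapping the call in a loop over Get-ADGroup output) extends the same check domain-wide.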

Keep_Me_On


PS C:\> cmd /c schtasks /QUERY /TN \Keep_Me_On /V /FO LIST
 
Folder: \
HostName:                             ATSSERVER
TaskName:                             \Keep_Me_On
Next Run Time:                        N/A
Status:                               Ready
Logon Mode:                           Interactive/Background
Last Run Time:                        07/11/2023 15:35:54
Last Result:                          0
Author:                               MARVEL\Administrator
Task To Run:                          %programfiles%\keepmeon\keepmeon.bat 
Start In:                             %programfiles%\keepmeon
Comment:                              N/A
Scheduled Task State:                 Enabled
Idle Time:                            Disabled
Power Management:                     Stop On Battery Mode, No Start On Batteries
Run As User:                          lhopkins
Delete Task If Not Rescheduled:       Disabled
Stop Task If Runs X Hours and X Mins: 72:00:00
Schedule:                             Scheduling data is not available in this format.
Schedule Type:                        At system start up
Start Time:                           N/A
Start Date:                           N/A
End Date:                             N/A
Days:                                 N/A
Months:                               N/A
Repeat: Every:                        N/A
Repeat: Until: Time:                  N/A
Repeat: Until: Duration:              N/A
Repeat: Stop If Still Running:        N/A

Site_Admin


adPEAS


Certificate


Group


administrator