Rubeus createnetonly (Kerberos)

Overview of Rubeus createnetonly: The createnetonly action will use the CreateProcessWithLogonW() API to create a new hidden (unless /show is specified) process with a SECURITY_LOGON_TYPE of 9 (NewCredentials), the equivalent of runas /netonly. The process ID and LUID (logon session ID) are returned. This […]

Abuse SilentCleanup Task

Overview of Abuse SilentCleanup Task: There is a task in Windows Task Scheduler called "SilentCleanup" which, while it is executed as Users, automatically runs with elevated privileges. When it runs, it executes the file "%windir%\system32\cleanmgr.exe". Since it runs as Users, and it's possible to control the user's […]

PowerSploit PsExec for PowerShell

Overview of PowerSploit PsExec: The PowerSploit PowerShell script (Invoke-PsExec.ps1) from Empire is a function (cmdlet) that lets you execute PowerShell and batch/cmd.exe code asynchronously on target Windows computers, using PsExec.exe.

References: https://github.com/EmpireProject/Empire/blob/master/data/module_source/lateral_movement/Invoke-PsExec.ps1