
20. Privileged Access

Windows (PowerShell)

Enumerate RDP and WinRM Users:

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"  # PowerView: who can log on over RDP
Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"  # PowerView: who can connect over WinRM

Establish a Secure WinRM Session:

$password = ConvertTo-SecureString "Klmcargo2" -AsPlainText -Force  # Wrap the plaintext password as a SecureString
$cred = New-Object System.Management.Automation.PSCredential ("INLANEFREIGHT\forend", $password)  # Build the credential object
Enter-PSSession -ComputerName ACADEMY-EA-MS01 -Credential $cred  # Open an interactive WinRM session on the host

To exit the session:

Exit-PSSession

PowerUpSQL for SQL Server Enumeration:

cd .\PowerUpSQL\  # Navigate to PowerUpSQL directory
Import-Module .\PowerUpSQL.ps1  # Import PowerUpSQL module
Get-SQLInstanceDomain  # Enumerate SQL instances

Execute SQL Query:


Linux-Based Enumeration

Install and Use Evil-WinRM:

MSSQLClient for SQL Enumeration:


BloodHound (Cypher Queries)

Find WinRM Access:

Find SQL Admin Access:


Best Practices & Mitigations

  1. Restrict Privileged Access: Limit RDP and WinRM access to necessary personnel.

  2. Monitor Privileged Actions: Enable auditing of RDP logons and PowerShell execution logging.

  3. SQL Security: Disable xp_cmdshell and enforce strong authentication mechanisms.

  4. Least Privilege Principle: Regularly audit and limit high-privilege group memberships.

  5. Use MFA and Network Segmentation: Add extra security layers to critical services.

By implementing these best practices, organizations can significantly reduce the risk of privilege escalation attacks.
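As an added example (not part of the original notes), the following PowerShell audits the two groups enumerated above from the defender's side: it lists every member of "Remote Desktop Users" and "Remote Management Users" on the local host, flags members missing from an approved list, and pulls recent RDP logons (Security event 4624, logon type 10) so group changes can be matched against actual use. The approved-list names are placeholders, and the script assumes it runs elevated on the host with logon auditing enabled.

```powershell
# Added example, not from the original page: audit RDP/WinRM access on this host.
# Assumptions: run elevated; the approved principals below are placeholders.

$Approved = @{
    'Remote Desktop Users'    = @('INLANEFREIGHT\Domain Admins', 'INLANEFREIGHT\RDP-Operators')
    'Remote Management Users' = @('INLANEFREIGHT\WinRM-Admins')
}

function Get-PrivilegedAccessFindings {
    param([hashtable]$Allowed = $Approved)
    foreach ($group in $Allowed.Keys) {
        # Get-LocalGroupMember ships with PowerShell 5.1+; no extra module needed
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
        foreach ($m in $members) {
            [pscustomobject]@{
                Group    = $group
                Member   = $m.Name
                Class    = $m.ObjectClass       # User or Group
                Source   = $m.PrincipalSource   # Local or ActiveDirectory
                Approved = ($Allowed[$group] -contains $m.Name)
            }
        }
    }
}

# Recent RDP logons: event 4624 with LogonType 10 (RemoteInteractive).
# Property indices follow the 4624 event schema: 5 = TargetUserName,
# 6 = TargetDomainName, 8 = LogonType, 18 = IpAddress.
function Get-RecentRdpLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -eq 10 } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($_.Properties[6].Value)\$($_.Properties[5].Value)"
                Source  = $_.Properties[18].Value
            }
        }
}

# Report only the unexpected group members, then the last day of RDP logons
Get-PrivilegedAccessFindings | Where-Object { -not $_.Approved } | Format-Table -AutoSize
Get-RecentRdpLogons -Hours 24 | Format-Table -AutoSize
```

Run the same script across hosts with Invoke-Command to compare membership fleet-wide; an empty first table means every member of both groups is on the approved list.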
