What is PoshC2?

PoshC2 is a command and control software. It is used to carry out post-exploitation tasks such as persistence, privilege escalation, lateral movements etc. during penetration testing and red teaming exercises. It supports Python3, PowerShell (v2 and v5), C# and C++. The official documentation is available here.

All of PoshC2 functionality can be divided into five components:

PoshC2 Server - Serves payloads that can be executed on target machine(s) and send a connection back to PoshC2. The server console also displays the output of command(s) executed on an implant. The server is written in Python.

Implants Receiver - Listens for the incoming implant connections and aggregates them. It is also used to load modules and execute commands on a single, multiple or all implants.

Payloads - Commands, shellcode, executable binaries that when executed on target machine(s) (aka implants) sends back a connection to Implant receiver. Payloads are developed using C#, Python, PowerShell, JavaScript, VBScript and support Windows, Linux (Python) and MacOS (Python).

Implants - Target machine(s) connected to PoshC2.

Modules - Scripts (PowerShell and Python) and executable binaries (C#) that help in conducting various post-exploitation tasks such as enumeration, privilege escalation, lateral movement, hash dump, port forwarding etc. A comprehensive list of modules is available here.

How to use?

The following video shows how to get PoshC2 up and running quickly. It covers:

• Installation on Kali Linux 2020.2

• Configuring PoshC2

• Running Posh-server and implants receiver

• Managing implants

• Modules

• Loading C# and PowerShell modules on an Implant

• Running commands on an implant

Read this to learn more about the lab environment used in this video.

Useful Commands (C# Implants)

Selecting Implant(s)

• To select a single implant, enter the ImplantID

• To select multiple implants, enter a comma separated list of ImplantIDs

• To select all implants, enter ALL

Quick Reference List of Commands

Issue the following command when connected to an implant(s)

help

Bypass AMSI

bypass-amsi

Upload files

upload-file <source file path> <destination file path>
Example: upload-file /usr/share/windows-binaries/nc.exe C:\Users\Public\nc.exe

Download files

download-file <file path>
Example: download-file 'C:\\Users\\Public\\supersecretdata.txt'

This will save a copy of the target file in the PoshC2 project directory.

List Modules

To list implant specific modules, select an implant and issue the following command:

 listmodules

To list all modules, issue the following command at implant selection prompt:

listmodules

Load a C# Module

loadmodule <module name>
Example: loadmodule SharpView.exe

Load a PowerShell Module

pslo <module name> 
Example: pslo powerview.ps1

You can also use loadmoduleforce to load modules.

Execute a PowerShell Command

sharpps <command> 
Example: sharpps Get-ChildItem -Force -Recurse

Convert Username and Password to a PSCredentials object

sharpps [string]$userName = 'IND\user.ind02'
sharpps [string]$userPassword = 'Sup3rStr0ngP@ssw0rd'
sharpps [securestring]$secStringPassword = ConvertTo-SecureString $userPassword -AsPlainText -Force
sharpps [pscredential]$credObject = New-Object System.Management.Automation.PSCredential ($userName, $secStringPassword)

After executing above commands, $credObject can be passed as a value to -Credential parameter in PowerShell commands which accept this parameter.

Enumerate an Implant

ls-recurse <directory path>
Example:  ls-recurse C:\Users
get-userinfo
get-computerinfo
loadmodule Seatbelt.exe
seatbelt all
sharpup

Port Scan

portscan <IP> <port> <delay-in-seconds> <max thread>
Example: portscan "192.168.3.8" "1-1000" 1 100

A well designed Command and Control (C2) infrastructure is critical to the success of an adversary emulation exercise. During an engagement, established C2 sessions may get disconnected frequently. Whenever this happens, there might be a temptation to re-exploit the target and establish another C2 session. This is not only time consuming but also not recommended during an active engagement. For one, it can put the entire engagement at risk as re-exploitation may lead to unwanted consequences. To avoid this, C2 mechanisms are deployed in a layered (or tiered) manner.

What are the three Command and Control tiers?

C2 mechanisms are generally deployed into following three tiers:

• Interactive - C2 mechanisms in this tier are used more frequently than others. They are primarily used for issuing commands, enumeration, scanning and data exfiltration. The callback time is usually within minutes. For example, C2 agents deployed on target machines.

• Short-Haul - C2 mechanisms in this tier are used to re-establish interactive mechanisms. The callback time is within 12-24 hours. For example, a cronjob that downloads the C2 agent and executes it every 12 hours.

• Long-Haul  - C2 mechanisms in this tier are used to re-establish short-haul mechanisms. The callback time is 24 hours or more. This is the slowest mechanism of all three and should not be used for interactive purposes. For example, a start-up script to create the cronjob mentioned before.

What to keep in mind while deploying multiple C2 tiers?

• Use a tier for it's intended purpose only. For example, a short-haul C2 mechanism should not be used to run commands interactively.

• Use different C2 channels (HTTPS, DNS, SSH, SMB etc.) for different tiers. This will ensure that even if one channel gets blocked an alternate is available to use.

• Use encryption to avoid detection via network security devices.

• Minimize C2 callback volume wherever possible. This will help in avoiding unnecessary exposure.

• Avoid dropping binaries on target machines as this may trigger the anti-malware solution and alert the Blue team.

Other posts in this series

• What is adversary emulation?

• Red Team Operations Attack Lifecycle

• Introduction to MITRE ATT&CK Framework

• PoshC2: A Red Teamer’s Notes

If you want to beat your adversaries, think like them. A common adage we have all heard. MITRE ATT&CK is just that. A framework to think like adversaries and beat them in their game. It is a culmination of years of efforts of studying various cyber Adversaries' Tactics, Techniques and turning them into Common Knowledge (ATT&CK).

What is ATT&CK framework?

As per ATT&CK's design and philosophy document, ATT&CK is a behavioral model that consists of the following core components:

• Tactics, denoting short-term, tactical adversary goals during an attack;

• Techniques, describing the means by which adversaries achieve tactical goals;

• Sub-techniques, describing more specific means by which adversaries achieve tactical goals at a lower level than techniques;

• Documented adversary usage of techniques, their procedures,and other metadata;

• Software, used by adversaries to implement a technique or a sub-technique; and

• Mitigations, preventing adversaries from achieving their tactical goal by blocking the execution of a technique or a sub-technique.

The following figure will help in understanding the relationship between various ATT&CK components.

Why was ATT&CK created?

MITRE's goal behind creating this framework was to improve post-compromise detection of threats by tracing out the steps that could have been taken by an adversary. It was born out of the need to categorize adversary behavior as part of conducting adversary emulation exercises within MITRE’s Fort Meade Experiment (FMX) research environment.

What does it contain?

There are three variants of ATT&CK framework:

• Enterprise

• Mobile

• ICS (Industrial Control Systems)

Originally, the Enterprise variant focused only on Microsoft Windows. However, later it was expanded to include macOS, Linux, PRE, AWS, GCP, Azure, Azure AD, Office 365, SaaS, Network platforms as well.

Each variant contains various tactics, techniques, sub-techniques and procedures that could be used by an adversary. The best way to visualize the framework is ATT&CK Navigator. It is an interactive web application, through which you can create layered views of the framework, as per your requirement.

Use cases

ATT&CK can be used for various purposes, such as:

• Adversary emulation

• Red teaming

• SOC assessments

• Defensive gap assessments

• Behavioral analytics development

• Cyber threat intelligence enrichment

MITRE provides an excellent getting started guide that shows how to utilize ATT&CK framework for these use cases.

Adversary Emulation is a form of cybersecurity assessment. During this assessment assessors replicate a specific threat scenario. For example, assessors may assume the role of cyber criminals who want to exfiltrate customer data out of the organization. Another scenario could be assessors trying to infect the organization's software product(s) and mimic a supply chain attack.

How to perform Adversary Emulation?

These exercises are performed by red teams. The responsibility of defending lies with blue teams. Usually an attack methodology is created or followed to conduct these exercise. This can be in form of a process, such Red Team Operations Attack Lifecycle. Or well defined attack plans such as MITRE Adversary Emulation Plans. Cyber threat intelligence sources also play a key role during this exercise. They often serve as a starting point for most exercises.

Benefits

The aim of this exercise is to see how the organization's defenses will fare in the event of a real cyber attack. Such exercises are helpful in identifying vulnerabilities missed during other assessments (such as penetration testing) as such assessments are usually limited in scope and attack surface. For example, Facebook is leveraging adversary emulation to protect their infrastructure from sophisticated attacks.

Featured Image Source: Freepik

This post is part of our course Adversary Emulation 101: Mimicking a real-world cyber attack.

The lifecycle consisted of following phases, with phases 3-6 being cyclic in nature:

1. Recon (Information Gathering) – In this phase, publicly available information (website, company profile, social media pages, employee profiles etc.) is gathered about the target organization.

2. Initial Compromise (Foothold) – In this phase, information from Recon phase is analysed to identify and exploit a vulnerability or launch a phishing attack that helps in establishing a foothold within the target network.

3. Privilege Escalation - In this phase, the attacker attempts to escalate privileges to an administrator (Windows) or root (Linux) account on the compromised host. Usually, this is done each time a new host is compromised.

4. Establishing Persistence – In this phase, the attacker installs a persistence mechanism (usually a Command and Control (C2) agent) to maintain presence in the target network. This enables the attacker to communicate with compromised hosts without having to exploit it again in case the original connection dies out. Usually, this is done each time a new host is compromised.

5. Internal Recon – In this phase, the attacker leverages the compromised host to gather information about the internal network. Usually, this is done each time a new host is compromised and is thought to have access to more resources. For example, if an attacker compromises an Active Directory domain joined machine, they can use that machine to enumerate the Active Directory network.

6. Lateral Movement – In this phase, the attacker tries to expand their access by compromising new hosts within the target network. The information collected during Internal Recon phase is leveraged here.

7. Data Analysis – As new hosts are compromised, the attacker scans each of them for interesting information (employee records, financial statements, PII, credit card information, customer databases etc.).

8. Exfiltration – Anything that the attacker deems useful is pulled out and downloaded onto the attacker machine (or their chosen location).

9. Deleting footprints – Once the attacker has achieved their objective, they delete all files, logs, emails etc. created by them during the exercise to hide their presence.

This course covers Immunity Debugger in and out. You will learn both, well-known and lesser-known, features. A few topics taught in this course are as follows:

Download and Installation
Views
Stack Operations
Disassembler Operations
Breakpoints, stepping through, tracing etc.
PyCommands and Mona Library
Just-in-time debugging
... and a lot more

Immunity Debugger is extremly useful while creating exploits, backdooring PE files, encoding binaries to evade anti-malware software. Therefore, a good understanding of this tool is must for security professionals, specially for people studying for security certifications from Offensive Security (OSCP, OSCE, OSED etc.), eLearnSecurity (ePTP, ePTX etc.) and various other organizations.

I have created this course with the vision that it becomes your go to reference guide for Immunity Debugger and other similar debuggers (Ollydbg, Evans debugger etc).

This is a FREE course and you can enrol here.

Who this course is for:

- Cyber security professionals
- Reverse Engineers
- Beginners in Exploit Development
- Security Researchers / Engineers/ Analysts

What you’ll learn

- Basics of Immunity Debugger
- Get familiar with various Views / Windows
- Stack operations available in Immunity Debugger
- Disassembler operations available in Immunity Debugger
- Get started with PyCommands & Mona Library
- Just-in-time debugging with Immunity Debugger
- How to set breakpoints, step through and trace
- Immunity Debugger command line

Requirements

- Familiarity with Assembly Language (good to have)
- Understanding of x86 CPU architecture (registers, flags, stack etc.)

Note: This website is not associated or owned by Immunity Inc. Immunity Debugger logo is a copyright of Immunity Inc. and is used here for representational purposes only.

This lab is part of the course Red Team Adversary Emulation by Yaksas CSC. In this course, you will look at an organization’s security from a real-world adversary perspective. You are hired by a FinTech startup, Tax First Labz (http://taxfirstlabz.xyz) to conduct an adversary emulation exercise and steal their customer data (before an actual adversary). This exercise assumes zero knowledge about the target network.

n this lab, you will mimic a real world cyber attack with a specific objective, stealing Tax Fist Labz customer data. You will follow the Red Team Operations Attack Lifecycle to conduct this exercise. You will go through each phase in a step-by-step manner and build our attack path as you move ahead. You will employee a variety of techniques, such as

• Active and passive information gathering

• Weaponizing an exploit

• Internal reconnaissance

• Brute-forcing Exchange server via custom username and password lists

• Spear phishing a senior employee

• Privilege Escalation (Linux and Windows)

• Automated Active Directory domain enumeration

• Persistence via command and control center

• Active Directory attacks

• Pivoting

• Data Exfilteration

This is a beginner friendly course and lab. If you have just started your career in offensive cybersecurity or are preparing for penetration testing exams (OSCP, eJPT, eCPT, eCPTx, CRTP, CRTO etc.) then this course is for you. If you are already a penetration tester or a red teamer, you will enjoy following a live adversary emulation exercise from scope creation to reporting.

Lab access (self-hosted)

If you want to hack the Tax First Labz network, you can do so by hosting the lab network in your own AWS account. To check self-hosting prerequisites and eligibility please fill the form below. Once the instructor approves, you will be provided access to AKSH, our lab management bot on Discord. You can ask AKSH to automatically deploy / destroy the lab environment in your AWS account, list machines, check lab status, start, stop, reboot and revert machines.

We do not charge anything for self-hosted labs. However, you will have to pay AWS charges for hosting the lab network. The charges are approximately USD 0.38 per hour when the lab is running and approximately USD 0.033 per hour when the lab is stopped. The amount will be charged by Amazon on the credit card you have configured for billing in your AWS account. Charges will be incurred until you destroy the lab environment. Check the ‘Lab Setup’ section of the course for more details.

Once the lab has been deployed, you will be provided access to a pre-configured attacker machine (Kali Linux) via browser-based interface (Apache Guacamole). This machine contains all tools required to attack the target organization and exfiltrate the data.

Red Team Adversary Emulation Lab - Self-hosting Prerequisites and Eligibility Form

Why opt for self-hosted version?

Here are few reasons we think you will enjoy the self-hosted lab:

• You have full-control of the lab. Through our lab management bot, AKSH, you will be able to start and stop the lab as per your convenience. AKSH can do a lot more (check Lab Management via AKSH video in the lab setup section).

• You can reverse engineer the lab setup and understand how to create an red team lab on AWS.

• There’s no time limit. You will have access to the lab network as long as you want.

• It’s free (in the sense that you don’t have to pay anything to us). You only pay AWS charges ($0.38 / hour when running and $0.033 / hour when stopped).

Lab FAQs

Lab FAQs are available here

Support

Lab support will be provided via Discord. Please join Yaksas Security Discord server.

During this adversary emulation exercise you mimic a real world cyber attack with a specific objective, stealing Tax Fist Labz customer data. You will follow the Red Team Operations Attack Lifecycle to conduct this exercise. You will go through each phase in a step-by-step manner and build our attack path as you move ahead. You will employee a variety of techniques, such as

- Active and passive information gathering
- Weaponizing an exploit
- Internal reconnaissance
- Brute-forcing via custom username and password lists
- Spear phishing a senior employee
- Privilege Escalation (Linux and Windows)
- Automated Active Directory domain enumeration
- Persistence via command and control center
- Active Directory attacks

to achieve your objective. Upon completion of the exercise, you will prepare and submit a report to the organization’s management.

Through this course you will learn how to use tools such as, PoshC2, Mentalist, BloodHound, Mimikatz, Metasploit, PowerUp, icacls, PowerShell etc.

This is a beginner friendly course. If you have just started your career in offensive cybersecurity or are preparing for penetration testing exams (OSCP, eJPT, eCPT, eCPTx, CRTP etc.) then this course is for you. If you are already a penetration tester or a red teamer, you will enjoy following a live adversary emulation exercise from scope creation to reporting.

Course introduction

What you’ll learn

- How to plan and manage adversary emulation exercise
- Difference between red teaming and adversary emulation
- MITRE ATT&CK Framework
- Red team operations attack lifecycle
- How to conduct adversary emulation exercise on a real-world organization
- Open Source Intelligence (OSINT) techniques to gather information
- Weaponizing exploits to gain foothold into the network
- Password brute-forcing using custom username and password lists
- Spear phishing a senior employee
- Escalating Privileges on Linux and Windows systems
- Active Directory enumeration using BloodHound
- Active Directory attacks
- Establishing persistence via PoshC2 (command and control center software)
- Creating an engagement report

Requirements

- Basic knowledge of Kali Linux
- Basic knowledge of PowerShell
- Basic understanding of penetration testing and red teaming
- Curious mind

Who this course is for

- OSCP, eCPPT, eCPTX, CRTE aspirants
- Penetration testers, red teamers, offensive cyber security professionals
- Professionals seeking a deeper understanding of real-world cyber attacks
- Executives seeking to understand how an organization can be breached

Enroll in the course

Course Lab

Here’s a replica of their webserver, your aim is to find as many vulnerabilities as you can and ultimately pwn the root user.

Tax First Labs Website (Production)

How to get started?

1. Download the VM from the above link and extract the Zip file.

2. Import / Open OVF with VMWare Player or VMWare Workstation or VirtualBox

3. Run the VM

4. The VM is configured to run over a host-only network and obtains the IP address automatically via DHCP. You will need to discover the IP address of the machine by using a network scanning tool, such as nmap.

5. Once you have discovered the IP address, note it down for the next step.

6. To access the Tax Firt Labz website (http://taxfirstlabz.xyz) create the following entry in the /etc/hosts file on your attacking machine (Kali Linux, Parrot OS etc.):
   <IP address discovered in step 4> taxfirstlabz.xyz

Rewards

Tax First Labs has hidden a few surprise gifts within this machine as a reward for your efforts. First 10 users to pwn root will earn a special reward (don’t forget to check flag.txt).

How to get a free enrollment in Red Team Adversary Emulation course?

1. Solve this CTF

2. Create a write-up and share it.

3. Tag Yaksas CSC when you share your write-up.

4. Everyone who posts a write-up will get a free course pass.

5. Successful participants will be listed in hall of fame and their write-ups will be featured on https://adversaryemulation.com

How to enter the Hall of fame?

Just tweet us at @yaksas443 once you have pwned either the user or root.

Hall of fame

• User blood: Mickhat

• System blood: Mickhat

• User owns: 8

• Root owns: 8

First 10 people to pwn this machine

• Mickhat

• ARINJOY MANNA

• Lucas José Rodriguês da Silva

• Himanshu

• Arron

• Mattia Campagnano

• Aman Kumar Maurya

• Cyb3r Cen

Support

Tweet us at @yaksassecurity or join our discord channel.

Happy hacking!

• No. At present students who wish to avail the lab can only opt for self-host option.

Do you plan to launch lab access packages in the near future?

• No. We don’t have any plans to launch paid lab packages.

How much time will it take for the request to be processed after submitting the Self-hosting Prerequisites and Eligibility Form?

• You should hear back from us within 24 hours.

Are all students eligible for self-host option?

• Yes. All students who have signed up for the course either on Teachable or Udemy are eligible for self-host option.

Can I avail lab access without signing up for the course?

• You will need to sign up for the course to be eligible for this option.

How can I check the charges I am incurring for hosting the lab?

• You can check the charges in AWS Billing section.

Can I reverse engineer your lab?

• Yes. Infact, we are counting on you for that. Not only will it be a good exercise in understanding how labs are created on AWS, it will enable you to create and share your labs in a similar manner.

How to reach the lab support team?

• Once your request to self-host has been approved, you will be added to a student support channel on Discord. You can post all your queries there.

How will lab access be provided?

• Lab access will be provided via browser-based interface. Through this interface you will be able to access a pre-configured Kali Linux machine via both, GUI and SSH.

Lab deployment got stuck or errored out in between, what should I do?

1. Run the !destroy command. That should clean up resources created during the failed depployment.

2. Once !destroy command has finished doing it’s magic, run !deploy command again.

3. If this doesn’t work, follow these steps to clean up your AWS account:

   • a. Login to your AWS account > EC2 - > Terminate all running instances whose name starts with “TFL-“ and “RTR-“. Wait for instances to terminate.

   • b. In EC2 go to Key Pairs -> Select all key pairs starting with “tfl-box” and “rtr-attacker-box” -> delete them

   • c. Go to VPC -> Select VPC whose name starts with “TFL-LAB” -> delete it (This operation should also delete all other network resources created by AKSH)

   • d. If you see multiple VPCs whose name starts with “TFL-LAB”, delete them one by one

   • e. Go to VPC -> Internet gateways -> Select internet gateway whose name starts with “TFL-LAB” -> delete it (Note: this step is required in certain scenarios only).

I have a question that is not listed here. Where should I post it?

• Please join Yaksas Security on Discord. You can post your questions in the #general channel of this course.

As a pentester, you can leverage PowerView to find out information about domain users. Following commands will help you with that (watch the video for demonstration):

• Get-NetUser

  • Get a list of all users in current domain

• Get-NetUser –Domain ycsccorp.local

  • Get a list of all users in the specified domain

• Invoke-UserHunter

  • Finds machines on the local domain where specified users are logged into. By default checks for domain admin accounts

• Find-LocalAdminAccess

  • Finds machines on the domain that the current user has local admin access to

• Invoke-EnumerateLocalAdmin

  • Enumerates members of the local Administrators groups across all machines in the domain

• Invoke-CheckLocalAdminAccess

  • Check if the current user context has local administrator access to a specified host

Watch the video demonstration

PowerView, developed by Will Schroeder (@harmj0y), is a PowerShell tool to gain Active Directory network situational awareness on Windows domains. It is now a part of PowerSploit suite. You can download PowerView from here.

As a pentester, you can leverage PowerView to find out information about an Active Directory network. Following commands will help you with that (watch the video for demonstration):

• Get-NetComputer

  • Gets a list of all current servers in the domain

• Get-IPAddress

  • Resolves a hostname to an IP

• Get-NetForest

  • Gets the forest associated with the current user's domain

• Get-NetForestDomain

  • Gets all domains for the current forest

• Get-NetDomainController

  • Gets the domain controllers for the current computer's domain

• Get-DomainSID

  • Return the SID for the specified domain

• Get-NetShare

  • Gets share information for a specified server

Watch the video demonstration

• CIFS

• host

• HTTP

• https

• IMAP

• mongod

• mongos

• MSSQL

• MSSQLSvc

• SMTP

• POP

• vnc

• vpn

A comprehensive list of SPNs is available here

How to scan for SPN using ADSI?

In Part 2 of this series we covered how to use filters with ADSI Searcher class. We can use the filter property to search an Active Directory for a particular SPN:

$adsiSearcherObj.Filter = “serviceprincipalname=<spn>”

Using the SPN list above and a bit of Powershell scripting, we can automate this task to search for a vast range of SPNs. The video below demonstrates this and the PowerShell script could be found here

• Example:

  • $adsiSearcherObj = New-Object –TypeName System.DirectoryServices.DirectorySearcher

    • takes the LDAP path to current domain by default

    • Pass ADSI Directory Entry object type as ArgumentList to change the search path

      • -ArgumentList @([ADSI]”LDAP://dc=ycsccorp,dc=local”)

OR

• $adsiObj = [ADSI]”LDAP://dc=ind,dc=ycsccorp,dc=local”

  • $adsiSearcherObj = [adsisearcher]$adsiObj

OR

• $adsiSearcherObj = [adsisearcher][ADSI]”LDAP://dc=ycsccorp,dc=local”

ADSISearcher Functions

To perform search operations, via ADSISearcher, on the specified search root we use FineOne() and FindAll() methods

• Syntax:

  • Search for single object

    • $adsiSearcherObj.FindOne() – by default returns information about the search root

  • Search for multiple objects

    • $adsiSearcherObj.FindAll() – by default returns information about all objects within the search root

ADSISearcher Filters

We can search the search root for specific objects by using the Filter property offered by ADSISearcher object.

• Syntax:

  • Filter for single object

    • $adsiSearcherObj.Filter = “samAccountName=user.ind02”

  • Filter using wild cards

    • $adsiSearcherObj.Filter = “cn=*user*”

    • $adsiSearcherObj.Filter = “ou=*”

  • Combining multiple filters

    • $adsiSearcherObj.Filter = “(&(cn=*admin*)(objectCategory=group))”

    • $adsiSearcherObj.Filter = “(|(cn=*sql*)(objectCategory=computer))”

    • $adsiSearcherObj.Filter = “(&(!name=*ind*)(objectCategory=user))”

Watch the video

• Enables reading, adding and managing Active Directory Objects

• Part of .NET framework:

  • System.DirectoryServices.DirectoryEntry (ADSI)

  • System.DirectoryServices.DirectorySearcher (ADSISearcher)

• Can be accessed via PowerShell by creating objects for above classes

• Example:

  • $domain = New-Object –TypeName System.DirectoryServices.DirectoryEntry

  • $domain2 = [System.DirectoryServices.DirectoryEntry]”LDAP://dc=ycsccorp,dc=local”

  • $domain3 = [ADSI]”LDAP://dc=ycsccorp,dc=local”

Using ADSI

• Creating OU

  • $domainOU = $domain1.Create(“organizationalUnit”,”ou=YCSCTest”)

  • $domainOU.SetInfo()

• Creating User

  • $domainUser = $domain1.Create(“user”,”cn=YCSCUser”)

  • $domainOU.SetInfo()

Pros and Cons

• Pros

  • It is available on most Windows machines by default

  • Does not require AD-Module, RSAT or any other special libraries

  • Not easily detected

  • Can be used to create custom tools leveraging ADSI and ADSISearcher

• Cons

  • Takes some time to learn

  • Lack of documentation

Watch the video