# Post Exploitation

You should approach the first machine in an AD environment the same way you would a regular standalone Windows machine, and the same goes for lateral movement and privilege escalation. Moving around is not the hard part; what you must do very well is post exploitation.

Post-exploitation steps can be done as follows:

Check the groups the user is in, and whether the user belongs to a privileged group.

Check the other users in the domain.

Search the file system for passwords, important notes and information, mail, etc.

Check the services on the system.

Some services keep cleartext passwords or hashes in their files.

Extract hashes, secrets and Kerberos tickets with mimikatz etc. (requires a SYSTEM-level shell).

{% content-ref url="password-extraction" %}
[password-extraction](https://cel1s0.gitbook.io/offsec-notes/readme/windows/password-extraction)
{% endcontent-ref %}

Try pass-the-hash methods such as psexec or crackmapexec from impacket, evil-winrm, xfreerdp, etc. (If the target user does not have Administrator rights, you cannot get a shell with impacket.)

Try cracking the extracted hashes.

{% content-ref url="../password-cracking" %}
[password-cracking](https://cel1s0.gitbook.io/offsec-notes/readme/password-cracking)
{% endcontent-ref %}

Check SPNs. If there is an SPN in the system, try to extract and crack it.

{% content-ref url="useful-ps-scripts/getuserspns.ps1" %}
[getuserspns.ps1](https://cel1s0.gitbook.io/offsec-notes/readme/windows/useful-ps-scripts/getuserspns.ps1)
{% endcontent-ref %}

Check gMSA. If there is a gMSA account in the system, try to extract and crack it.

{% content-ref url="privesc/gmsa" %}
[gmsa](https://cel1s0.gitbook.io/offsec-notes/readme/windows/privesc/gmsa)
{% endcontent-ref %}

If you have a cleartext password, you can use Spray-Passwords.ps1 to identify whether another user is using the same password.

{% content-ref url="useful-ps-scripts/spray-passwords.ps1" %}
[spray-passwords.ps1](https://cel1s0.gitbook.io/offsec-notes/readme/windows/useful-ps-scripts/spray-passwords.ps1)
{% endcontent-ref %}

Check whether the user has rights over an exploitable GPO.

{% content-ref url="privesc/abuse-gpo" %}
[abuse-gpo](https://cel1s0.gitbook.io/offsec-notes/readme/windows/privesc/abuse-gpo)
{% endcontent-ref %}

You can try recent AD exploits to get domain admin privileges.

There are excellent tools for working in AD. These can be helpful.

You will find a way; systems are built by people, so there is always a weakness.

Never give up!
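The password-spraying and SPN (Kerberoasting) steps above leave a distinctive trace in the domain controller's Security log, and it is worth knowing what that trace looks like. The following Python script is an added example, not part of these notes, that runs two simple detections over constructed sample events: failed logons (event 4625) from one source against many accounts, and RC4 service-ticket requests (event 4769 with encryption type 0x17) by one account for many SPNs. The record layout and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType that Kerberoasting tools typically request

# Constructed sample records in the shape of Security-log fields (assumed layout):
# (timestamp, EventID, TargetUserName, IpAddress, ServiceName, TicketEncryptionType)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", 4625, "alice", "10.0.0.5", None, None),
    ("2024-01-01T09:00:02", 4625, "bob", "10.0.0.5", None, None),
    ("2024-01-01T09:00:04", 4625, "carol", "10.0.0.5", None, None),
    ("2024-01-01T09:00:06", 4625, "dave", "10.0.0.5", None, None),
    ("2024-01-01T09:00:08", 4625, "eve", "10.0.0.5", None, None),
    ("2024-01-01T09:00:10", 4625, "frank", "10.0.0.5", None, None),
    ("2024-01-01T09:30:00", 4625, "alice", "10.0.0.9", None, None),  # mistyped password, benign
    ("2024-01-01T09:31:00", 4625, "alice", "10.0.0.9", None, None),
    ("2024-01-01T10:00:00", 4769, "jdoe", "10.0.0.7", "svc_sql", 0x17),
    ("2024-01-01T10:00:01", 4769, "jdoe", "10.0.0.7", "svc_web", 0x17),
    ("2024-01-01T10:00:01", 4769, "jdoe", "10.0.0.7", "svc_backup", 0x17),
    ("2024-01-01T10:00:02", 4769, "jdoe", "10.0.0.7", "svc_ftp", 0x17),
    ("2024-01-01T10:05:00", 4769, "alice", "10.0.0.9", "cifs", 0x12),  # AES ticket, normal
    ("2024-01-01T10:06:00", 4769, "jdoe", "10.0.0.7", "ldap", 0x12),
]

def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Source IPs whose 4625 failures hit >= min_accounts distinct accounts inside `window`."""
    by_ip = defaultdict(list)
    for ts, eid, user, ip, _svc, _etype in events:
        if eid == 4625:
            by_ip[ip].append((datetime.fromisoformat(ts), user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):  # sliding window over sorted failures
            seen = {u for t, u in attempts[i:] if t - start <= window}
            if len(seen) >= min_accounts:
                hits[ip] = sorted(seen)
                break
    return hits

def detect_kerberoast(events, min_services=3):
    """Accounts that requested RC4 (0x17) service tickets for >= min_services distinct SPNs."""
    rc4_by_user = defaultdict(set)
    for _ts, eid, user, _ip, svc, etype in events:
        if eid == 4769 and etype == RC4_HMAC:
            rc4_by_user[user].add(svc)
    return {u: sorted(s) for u, s in rc4_by_user.items() if len(s) >= min_services}
```

On the sample data the spray check flags 10.0.0.5 against six accounts and the Kerberoast check flags jdoe for four SPNs, while the single-account typos and the AES (0x12) requests stay quiet.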
