Gh0st
/
PowerSploit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Separating out functions & bug fix 

All info gathering pieces of this script can now be called individually.
Fixed a bug where the user SID wasn't being converted to a username in
the RDP function.
This commit is contained in:
clymb3r 2014-03-02 21:18:28 -08:00
parent 308042f493
commit 77bcb336e0
1 changed files with 495 additions and 352 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

251
Recon/Get-ComputerDetails.ps1
View File

@ -9,7 +9,7 @@ Function: Get-ComputerDetails
Author: Joe Bialek, Twitter: @JosephBialek Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None Required Dependencies: None
Optional Dependencies: None Optional Dependencies: None
Version: 1.0 Version: 1.1
.DESCRIPTION .DESCRIPTION
@ -51,11 +51,77 @@ Github repo: https://github.com/clymb3r/PowerShell
Set-StrictMode -Version 2 Set-StrictMode -Version 2
#Retrieve the 4648 logon event. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
#the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
#for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action. $SecurityLog = Get-EventLog -LogName Security
function Find-ExplicitLogons $Filtered4624 = Find-4624Logons $SecurityLog
$Filtered4648 = Find-4648Logons $SecurityLog
$AppLockerLogs = Find-AppLockerLogs
$PSLogs = Find-PSScriptsInPSAppLog
$RdpClientData = Find-RDPClientConnections
if ($ToString)
{ {
Write-Output "Event ID 4624 (Logon):"
Write-Output $Filtered4624.Values | Format-List
Write-Output "Event ID 4648 (Explicit Credential Logon):"
Write-Output $Filtered4648.Values | Format-List
Write-Output "AppLocker Process Starts:"
Write-Output $AppLockerLogs.Values | Format-List
Write-Output "PowerShell Script Executions:"
Write-Output $PSLogs.Values | Format-List
Write-Output "RDP Client Data:"
Write-Output $RdpClientData.Values | Format-List
}
else
{
$Properties = @{
LogonEvent4624 = $Filtered4624.Values
LogonEvent4648 = $Filtered4648.Values
AppLockerProcessStart = $AppLockerLogs.Values
PowerShellScriptStart = $PSLogs.Values
RdpClientData = $RdpClientData.Values
}
$ReturnObj = New-Object PSObject -Property $Properties
return $ReturnObj
}
}
function Find-4648Logons
{
<#
.SYNOPSIS
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
Function: Find-4648Logons
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Retrieve the unique 4648 logon events. This will often find cases where a user is using remote desktop to connect to another computer. It will give the
the account that RDP was launched with and the account name of the account being used to connect to the remote computer. This is useful
for identifying normal authenticaiton patterns. Other actions that will trigger this include any runas action.
.EXAMPLE
Find-4648Logons
Gets the unique 4648 logon events.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
Param( Param(
$SecurityLog $SecurityLog
) )
@ -152,10 +218,37 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo return $ReturnInfo
} }
#Find all Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
# network logons in to the server, what accounts RDP in, what accounts log in locally, etc... <#
# This is event 4624. .SYNOPSIS
function Find-AllLogons
Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
Function: Find-4624Logons
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Find all unique 4624 Logon events to the server. This will tell you who is logging in and how. You can use this to figure out what accounts do
network logons in to the server, what accounts RDP in, what accounts log in locally, etc...
.EXAMPLE
Find-4624Logons
Find unique 4624 logon events.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
function Find-4624Logons
{ {
Param ( Param (
$SecurityLog $SecurityLog
@ -272,9 +365,36 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo return $ReturnInfo
} }
#Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
function Find-AppLockerLogs function Find-AppLockerLogs
{ {
<#
.SYNOPSIS
Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
Function: Find-AppLockerLogs
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Look through the AppLocker logs to find processes that get run on the server. You can then backdoor these exe's (or figure out what they normally run).
.EXAMPLE
Find-AppLockerLogs
Find process creations from AppLocker logs.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
$ReturnInfo = @{} $ReturnInfo = @{}
$AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002} $AppLockerLogs = Get-WinEvent -LogName "Microsoft-Windows-AppLocker/EXE and DLL" -ErrorAction SilentlyContinue | Where {$_.Id -eq 8002}
@ -310,10 +430,38 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo return $ReturnInfo
} }
#Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
#You can then backdoor these scripts or do other malicious things.
Function Find-PSScriptsInPSAppLog Function Find-PSScriptsInPSAppLog
{ {
<#
.SYNOPSIS
Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
You can then backdoor these scripts or do other malicious things.
Function: Find-AppLockerLogs
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Go through the PowerShell operational log to find scripts that run (by looking for ExecutionPipeline logs eventID 4100 in PowerShell app log).
You can then backdoor these scripts or do other malicious things.
.EXAMPLE
Find-PSScriptsInPSAppLog
Find unique PowerShell scripts being executed from the PowerShell operational log.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
$ReturnInfo = @{} $ReturnInfo = @{}
$Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100} $Logs = Get-WinEvent -LogName "Microsoft-Windows-PowerShell/Operational" -ErrorAction SilentlyContinue | Where {$_.Id -eq 4100}
@ -363,29 +511,60 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo return $ReturnInfo
} }
#Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
#usually RDP's to.
Function Find-RDPClientConnections Function Find-RDPClientConnections
{ {
<#
.SYNOPSIS
Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
usually RDP's to.
Function: Find-RDPClientConnections
Author: Joe Bialek, Twitter: @JosephBialek
Required Dependencies: None
Optional Dependencies: None
Version: 1.1
.DESCRIPTION
Search the registry to find saved RDP client connections. This shows you what connections an RDP client has remembered, indicating what servers the user
usually RDP's to.
.EXAMPLE
Find-RDPClientConnections
Find unique saved RDP client connections.
.NOTES
.LINK
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
#>
$ReturnInfo = @{} $ReturnInfo = @{}
New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null New-PSDrive -Name HKU -PSProvider Registry -Root Registry::HKEY_USERS | Out-Null
#Attempt to enumerate the servers for all users #Attempt to enumerate the servers for all users
$Users = Get-ChildItem -Path "HKU:\" $Users = Get-ChildItem -Path "HKU:\"
foreach ($User in $Users.PSChildName) foreach ($UserSid in $Users.PSChildName)
{ {
$Servers = Get-ChildItem "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue $Servers = Get-ChildItem "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers" -ErrorAction SilentlyContinue
foreach ($Server in $Servers) foreach ($Server in $Servers)
{ {
$Server = $Server.PSChildName $Server = $Server.PSChildName
$UsernameHint = (Get-ItemProperty -Path "HKU:\$($User)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint $UsernameHint = (Get-ItemProperty -Path "HKU:\$($UserSid)\Software\Microsoft\Terminal Server Client\Servers\$($Server)").UsernameHint
$Key = $User + "::::" + $Server + "::::" + $UsernameHint $Key = $UserSid + "::::" + $Server + "::::" + $UsernameHint
if (!$ReturnInfo.ContainsKey($Key)) if (!$ReturnInfo.ContainsKey($Key))
{ {
$SIDObj = New-Object System.Security.Principal.SecurityIdentifier($UserSid)
$User = ($SIDObj.Translate([System.Security.Principal.NTAccount])).Value
$Properties = @{ $Properties = @{
CurrentUser = $User CurrentUser = $User
Server = $Server Server = $Server
@ -400,39 +579,3 @@ Github repo: https://github.com/clymb3r/PowerShell
return $ReturnInfo return $ReturnInfo
} }
$SecurityLog = Get-EventLog -LogName Security
$Filtered4624 = Find-AllLogons $SecurityLog
$Filtered4648 = Find-ExplicitLogons $SecurityLog
$AppLockerLogs = Find-AppLockerLogs
$PSLogs = Find-PSScriptsInPSAppLog
$RdpClientData = Find-RDPClientConnections
if ($ToString)
{
Write-Output "Event ID 4624 (Logon):"
Write-Output $Filtered4624.Values | Format-List
Write-Output "Event ID 4648 (Explicit Credential Logon):"
Write-Output $Filtered4648.Values | Format-List
Write-Output "AppLocker Process Starts:"
Write-Output $AppLockerLogs.Values | Format-List
Write-Output "PowerShell Script Executions:"
Write-Output $PSLogs.Values | Format-List
Write-Output "RDP Client Data:"
Write-Output $RdpClientData.Values | Format-List
}
else
{
$Properties = @{
LogonEvent4624 = $Filtered4624.Values
LogonEvent4648 = $Filtered4648.Values
AppLockerProcessStart = $AppLockerLogs.Values
PowerShellScriptStart = $PSLogs.Values
RdpClientData = $RdpClientData.Values
}
$ReturnObj = New-Object PSObject -Property $Properties
return $ReturnObj
}
}