- Changed Remove-VSC to have a single mandatory parameter (DevicePath)
- Updated New-VSC to check initial state of the VSS Service and return
VSS to its inital state after execution
The column headings in the log file are out of order, e.g.
```
"TypedKey","Time","WindowTitle"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:28"
"Document1 - Word","[Shift][Shift]","01-05-2015:20:53:29:31"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:38"
```
The "WindowTitle" should be the first column heading like this,
```
"WindowTitle","TypedKey","Time"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:28"
"Document1 - Word","[Shift][Shift]","01-05-2015:20:53:29:31"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:38"
```
This fixes the URI bug submitted by @enigma0x3. Thank you for the PR as well! A legacy switch is added in case anyone is relying on this script and an older meterpreter handler.
Proxy support is added to grab the default proxy by way of a switch.
The default user-agent is grabbed from the registry instead of being a static string.
I tested this on a Windows 7 SP1 (both x86 and 64-bit) and Windows 8.1 (64-bit) with an older handler and an updated one.
Thanks, @aconite33 for the suggestion.
- TripleDESCryptoServiceProvider is now used as the crypto algorithm
because it won't break the script when FIPS compliance is enabled in the
registry.
- I actually implemented the InitializationVector parameter
- Cleaned up the output script
- Cleaned up comment-based help
Updated to the latest Mimikatz build. Added sanity checks to ensure that
32bit PowerShell isn't being run on a 64bit OS which will cause Mimikatz
to fail.
Thanks to Run Mariboe for the contribution to Invoke-TokenManipulation
adding the -PassThru flag for newly created processes. Version increased
to 1.11.
Fixed a bug where calling GetProcAddress by ordinal instead of procedure
name failed.
Fixed a bug where reflectively loading an EXE will cause the entry
function (main()) to be called twice instead of once as expected.
Added a ForceASLR flag to force ASLR to be used even if the PE file
doesn't officially support ASLR.
Some minor other changes.
Calling CreateRemoteThread on lsass.
Bug fix: Invoke-DllInjection was checking the processor architecture
when it should have been validating the OS architecture. This would
cause Invoke-DllInjection to fail on a 32-bit OS with a 64-bit
processor.
Latest version of Mimikatz now natively supports being reflectively
loaded by Invoke-ReflectivePEInjection, updating the script to take
advantage of this new version.
Added the following recon functions written by Joe Bialek
(@JosephBialek):
- Find-4648Logons
- Find-4624Logons
- Find-AppLockerLogs
- Find-PSScriptsInPSAppLog
- Find-RDPClientConnections
- Get-ComputerDetails (Combines all of the above functions into a single
function)
Matt Graeber
Jared Atkinson
Chris Campbell
Jonathan
clymb3r