-Lots of function cleanup/code rot removal and standardization
-Additional options added to Get-DomainSearcher in order to support new param sets
-Expanded parameter validation
-XML help format standardized
-PSScriptAnalyzer fixups: passes PSScriptAnalyzer now!
-Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns the encrypted part of the ticket automatically now, and a Hashcat output format has been added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne switch to return a single result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity
New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
Verbs:
Get - retrieve full raw data sets
Find - 'find' specific data entries in a data set or execute threaded computer enumeration
Add - add a new object to a destination
Set - modify a given object
Invoke - lazy catch-all
Prefixes now give an indication of the data source:
Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser)
Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
Verb-NetX - API access (e.g. Get-NetSession)
Nouns have been renamed to be more descriptive
Big gotcha:
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
-Parameter sets standardized - parameters shared as appropriate across functions
-Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
-these can be used in tandem, mixing formats -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
-Properties -> return only the specified properties (e.g. Get-DomainUser -Properties samAccountName,lastLogon)
-LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
-ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions
All functions (as appropriate) now support -Credential:
-Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
-COM methods (e.g. Convert-ADName) use appropriate initializations
-Verb-WMI methods pass the -Credential through as appropriate
-Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation
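As an added illustration of the -Identity formats listed above (not PowerView's own code, which does this conversion inside each Verb-Domain* function), the following script turns a mixed list of identities into the single LDAP filter string a DirectorySearcher would need. The function names ConvertTo-IdentityFilter and ConvertTo-LdapEscaped are hypothetical, the sample identities are constructed, and the RFC 4515 escaping is included because any filter built from caller-supplied input needs it:

```powershell
# Added example (not PowerView code): map each -Identity value to the LDAP filter clause
# that matches it, so a search for several identities in different formats becomes one query.
# ConvertTo-IdentityFilter / ConvertTo-LdapEscaped are hypothetical helper names.

function ConvertTo-LdapEscaped {
    param([Parameter(Mandatory = $True)][String]$Value)
    # RFC 4515 escaping for a value embedded in a filter. Without it an attacker-controlled
    # identity such as '*)(objectClass=*' rewrites the query instead of matching a name.
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function ConvertTo-IdentityFilter {
    param([Parameter(Mandatory = $True)][String[]]$Identity)
    $Clauses = @(foreach ($Id in $Identity) {
        if ($Id -match '^S-1-\d+(-\d+)+$') {
            # objectSid accepts the SDDL string form directly in an AD filter
            "(objectsid=$Id)"
        }
        elseif ($Id -match '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$') {
            # objectGUID is binary: each of the 16 bytes from Guid.ToByteArray() is escaped as \xx
            $Bytes = ([Guid]$Id).ToByteArray() | ForEach-Object { '\' + $_.ToString('x2') }
            "(objectguid=$(-join $Bytes))"
        }
        elseif ($Id -match '^(CN|OU)=.+,DC=[^,]+$') {
            "(distinguishedname=$(ConvertTo-LdapEscaped $Id))"
        }
        else {
            "(samAccountName=$(ConvertTo-LdapEscaped $Id))"
        }
    })
    # Several identities become one OR'd filter so a single search covers all of them
    if ($Clauses.Count -gt 1) { "(|$(-join $Clauses))" } else { $Clauses[0] }
}

# Constructed identities in all four forms, plus one hostile value that must not alter the query
ConvertTo-IdentityFilter -Identity 'S-1-5-21-890171859-3433809279-3366196753-1108', 'administrator'
ConvertTo-IdentityFilter -Identity '6ba7b810-9dad-11d1-80b4-00c04fd430c8'
ConvertTo-IdentityFilter -Identity 'CN=Domain Admins,CN=Users,DC=testlab,DC=local'
ConvertTo-IdentityFilter -Identity '*)(objectClass=*'
```

The returned string is the kind of value the -LDAPFilter parameter above expects; the GUID branch is the one people most often get wrong, since objectGUID must be matched on its raw little-endian bytes rather than on the dashed string.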
Removed functions:
Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
Get-NameField (translated to ValueFromPipelineByPropertyName calls)
Invoke-DowngradeAccount - not used
Add-NetUser - split into New-DomainUser/others
Add-NetGroupUser - split into Add-DomainGroupMember/others
New-GPOImmediateTask - inconsistent and better done manually
Invoke-StealthUserHunter - combined into Find-DomainUserLocation
Get-ExploitableSystem
Added helper functions:
Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
Get-ForestSchemaClass - returns the forest schema for a specified object class
Added exported functions:
Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
Invoke-RevertToSelf - reverts any token impersonation
Invoke-Kerberoast - automates Kerberoasting
Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets
New-DomainUser - creates a new domain user
New-DomainGroup - creates a new domain group
Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
Renamed functions (aliases created for old functions):
Get-IPAddress -> Resolve-IPAddress
Convert-NameToSid -> ConvertTo-SID
Convert-SidToName -> ConvertFrom-SID
Request-SPNTicket -> Get-DomainSPNTicket
Get-DNSZone -> Get-DomainDNSZone
Get-DNSRecord -> Get-DomainDNSRecord
Get-NetDomain -> Get-Domain
Get-NetDomainController -> Get-DomainController
Get-NetForest -> Get-Forest
Get-NetForestDomain -> Get-ForestDomain
Get-NetForestCatalog -> Get-ForestGlobalCatalog
Get-NetUser -> Get-DomainUser
Get-UserEvent -> Get-DomainUserEvent
Get-NetComputer -> Get-DomainComputer
Get-ADObject -> Get-DomainObject
Set-ADObject -> Set-DomainObject
Get-ObjectAcl -> Get-DomainObjectAcl
Add-ObjectAcl -> Add-DomainObjectAcl
Invoke-ACLScanner -> Find-InterestingDomainAcl
Get-GUIDMap -> Get-DomainGUIDMap
Get-NetOU -> Get-DomainOU
Get-NetSite -> Get-DomainSite
Get-NetSubnet -> Get-DomainSubnet
Get-NetGroup -> Get-DomainGroup
Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
Get-NetGroupMember -> Get-DomainGroupMember
Get-NetFileServer -> Get-DomainFileServer
Get-DFSshare -> Get-DomainDFSShare
Get-NetGPO -> Get-DomainGPO
Get-NetGPOGroup -> Get-DomainGPOLocalGroup
Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
Get-LoggedOnLocal -> Get-RegLoggedOn
Test-AdminAccess -> Invoke-CheckLocalAdminAccess
Get-SiteName -> Get-NetComputerSiteName
Get-Proxy -> Get-WMIRegProxy
Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
Get-NetProcess -> Get-WMIProcess
Invoke-ThreadedFunction -> New-ThreadedFunction
Invoke-UserHunter -> Find-DomainUserLocation
Invoke-ProcessHunter -> Find-DomainProcess
Invoke-EventHunter -> Find-DomainUserEvent
Invoke-ShareFinder -> Find-DomainShare
Invoke-FileFinder -> Find-InterestingDomainShareFile
Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
Get-NetDomainTrust -> Get-DomainTrust
Get-NetForestTrust -> Get-ForestTrust
Find-ForeignUser -> Get-DomainForeignUser
Find-ForeignGroup -> Get-DomainForeignGroupMember
Invoke-MapDomainTrust -> Get-DomainTrustMapping
-Standardized documentation, including adding output object types and required dependencies to all functions
-Added Get-ProcessTokenPrivilege to enumerate the current (or remote) process token privileges, replacing Get-CurrentUserTokenGroupSid
-Added Enable-Privilege to enable privileges using RtlAdjustPrivilege
-Added @enigma0x3's Invoke-WScriptUACBypass function
-Renamed Invoke-AllChecks to Invoke-PrivescAudit, added alias mapping
-Added tests for Get-ProcessTokenPrivilege, Enable-Privilege, and Invoke-WScriptUACBypass
-Renamed helper functions for consistency
-Passes PSScriptAnalyzer!
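As an added example of the RtlAdjustPrivilege approach named above (not PowerUp's own Enable-Privilege implementation), the script below enables a privilege on the current process token, resolving the privilege LUID by name through LookupPrivilegeValue rather than hard-coding constants. The names Enable-TokenPrivilege and Priv are hypothetical, and the meaning given to the out BOOLEAN (the privilege's prior state) is an assumption from common usage of this undocumented ntdll export:

```powershell
# Added example (not PowerUp code): enable a named privilege via ntdll!RtlAdjustPrivilege.
# Enable-TokenPrivilege and the Priv P/Invoke class are hypothetical names.

Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class Priv {
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);

    // NTSTATUS RtlAdjustPrivilege(ULONG Privilege, BOOLEAN Enable, BOOLEAN CurrentThread, PBOOLEAN Enabled)
    // BOOLEAN is a single byte, so the flags are marshalled as U1 rather than as a 4-byte BOOL.
    [DllImport("ntdll.dll")]
    public static extern uint RtlAdjustPrivilege(uint Privilege,
        [MarshalAs(UnmanagedType.U1)] bool Enable,
        [MarshalAs(UnmanagedType.U1)] bool CurrentThread,
        out byte WasEnabled);
}
'@

function Enable-TokenPrivilege {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $True)]
        [String]$Privilege,        # e.g. SeDebugPrivilege, SeBackupPrivilege
        [Switch]$CurrentThread     # adjust the thread's impersonation token instead of the process token
    )

    $Luid = New-Object 'Priv+LUID'
    if (-not [Priv]::LookupPrivilegeValue($Null, $Privilege, [ref]$Luid)) {
        $Err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "[Enable-TokenPrivilege] LookupPrivilegeValue('$Privilege') failed, Win32 error $Err"
    }

    [Byte]$WasEnabled = 0
    $Status = [Priv]::RtlAdjustPrivilege($Luid.LowPart, $True, $CurrentThread.IsPresent, [ref]$WasEnabled)

    # RtlAdjustPrivilege only enables privileges the token already holds; it never adds one.
    $Result = switch ($Status) {
        0          { 'Enabled' }
        0xC0000061 { 'NotHeld (STATUS_PRIVILEGE_NOT_HELD)' }
        default    { 'Failed (NTSTATUS 0x{0:X8})' -f $Status }
    }

    New-Object PSObject -Property @{
        Privilege        = $Privilege
        Luid             = $Luid.LowPart
        Result           = $Result
        WasEnabledBefore = [Bool]$WasEnabled   # assumed meaning of the out BOOLEAN: prior state
    }
}

# SeChangeNotifyPrivilege is held (and already enabled) by every token, SeDebugPrivilege is held
# by elevated administrator tokens but filtered out of non-elevated ones, and SeTcbPrivilege is
# normally held only by SYSTEM, so these three calls exercise the already-on, enable and not-held paths.
'SeChangeNotifyPrivilege', 'SeDebugPrivilege', 'SeTcbPrivilege' | ForEach-Object { Enable-TokenPrivilege -Privilege $_ }
```

Compare the Result column against `whoami /priv` before and after: a privilege reported as NotHeld here is absent from the token entirely, which is the case Get-ProcessTokenPrivilege is meant to surface before any enable attempt.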
The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>,
PSDataCollection<TOutput>) method[1] is used to collect output from
each job into a buffer. This can be read whilst the jobs are still
running. Being able to return partial results is particularly useful for
long running background threads, such as Invoke-UserHunter -Poll.
PowerShell 2.0 doesn't play nicely with generic methods. The technique
described in [2] is used to allow this version of BeginInvoke() to be
used.
[1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx
[2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/
Repeatedly poll a set of target computers for user sessions. This could
be a useful technique for building a much better picture of current
sessions, but without having to communicate with every host.
The -Poll parameter is used to specify the duration for which polling
should occur. Each target computer is given a dedicated thread, with
-Delay and -Jitter specifying how long to sleep between each session
enumeration attempt against an individual host.
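As an added example (not PowerView's own New-ThreadedFunction or Find-DomainUserLocation code), the two commit messages above put together in one self-contained script: the generic BeginInvoke overload is resolved by reflection so the call works on PowerShell 2.0, each target gets its own runspace that polls until a deadline with a delayed and jittered sleep, and the main thread drains each job's output buffer while the jobs are still running. The targets and the "session" records are constructed so it runs without a domain, the random user names stand in for NetSessionEnum results, and treating -Jitter as a fraction of -Delay is an assumption about how the two switches relate:

```powershell
# Added example (not PowerView code): runspace-per-target polling with partial results read
# through PowerShell.BeginInvoke<TInput,TOutput>(PSDataCollection<TInput>, PSDataCollection<TOutput>).
# Target names and session data are constructed; no network calls are made.

$Worker = {
    param($Target, $PollSeconds, $DelaySeconds, $JitterFraction)
    $Rand = New-Object System.Random
    $Deadline = (Get-Date).AddSeconds($PollSeconds)
    $Pass = 0
    while ((Get-Date) -lt $Deadline) {
        $Pass++
        # Stand-in for the per-host session enumeration: one constructed record per pass
        New-Object PSObject -Property @{
            Target = $Target; Pass = $Pass; Seen = Get-Date
            User   = @('alice', 'bob', 'svc_sql')[$Rand.Next(3)]
        }
        # Sleep Delay +/- (Delay * Jitter) so the polling cadence is not a fixed interval
        $Spread = $DelaySeconds * $JitterFraction
        $Sleep  = $DelaySeconds + (($Rand.NextDouble() * 2 - 1) * $Spread)
        Start-Sleep -Milliseconds ([Math]::Max(50, [Int]($Sleep * 1000)))
    }
}

# Resolve the two-argument generic BeginInvoke(input, output) overload and close it over [Object],[Object];
# PowerShell 2.0 cannot bind generic methods directly, so the MethodInfo is invoked by reflection.
$BeginInvoke = $Null
foreach ($M in [PowerShell].GetMethods() | Where-Object { $_.Name -eq 'BeginInvoke' }) {
    $P = $M.GetParameters()
    if ($P.Count -eq 2 -and $P[0].Name -eq 'input' -and $P[1].Name -eq 'output') {
        $BeginInvoke = $M.MakeGenericMethod([Object], [Object]); break
    }
}
if (-not $BeginInvoke) { throw 'Could not resolve PowerShell.BeginInvoke<TInput,TOutput>(input, output)' }

$Targets = 'HOST1', 'HOST2', 'HOST3'      # constructed target list
$Pool = [RunspaceFactory]::CreateRunspacePool(1, $Targets.Count)
$Pool.Open()

$Jobs = foreach ($T in $Targets) {
    $PS = [PowerShell]::Create()
    $PS.RunspacePool = $Pool
    $Null = $PS.AddScript($Worker).AddArgument($T).AddArgument(4).AddArgument(1).AddArgument(0.3)

    $In = New-Object 'System.Management.Automation.PSDataCollection[Object]'
    $In.Complete()   # nothing is piped in; an input collection left open would keep the pipeline waiting
    $Out = New-Object 'System.Management.Automation.PSDataCollection[Object]'

    New-Object PSObject -Property @{
        PowerShell = $PS; Output = $Out
        Handle     = $BeginInvoke.Invoke($PS, [Object[]]@($In, $Out))
    }
}

# Drain whatever each job has produced so far, while the jobs are still running
while ($Jobs | Where-Object { -not $_.Handle.IsCompleted }) {
    foreach ($Job in $Jobs) {
        foreach ($R in $Job.Output.ReadAll()) {
            Write-Host ('[{0:HH:mm:ss}] {1} pass {2}: {3}' -f $R.Seen, $R.Target, $R.Pass, $R.User)
        }
    }
    Start-Sleep -Milliseconds 500
}

# Final drain and cleanup
foreach ($Job in $Jobs) {
    $Job.Output.ReadAll() | ForEach-Object { Write-Host ('[final] {0} pass {1}: {2}' -f $_.Target, $_.Pass, $_.User) }
    $Null = $Job.PowerShell.EndInvoke($Job.Handle)
    $Job.PowerShell.Dispose()
}
$Pool.Close(); $Pool.Dispose()
```

The point of the output collection is that ReadAll() removes and returns only what has arrived so far, so a long -Poll run reports sessions as they are seen instead of holding everything until every thread finishes.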
Added default value to parameter and got rid of value check later in the code.
Added validation of -Server value to ensure it is not $Null or an empty string