FuzzySecurity / DefCon24


Windows Version #1

Open C9H13NO3 opened 2 years ago

C9H13NO3 commented 2 years ago

I have a need to test AppLocker bypass techniques but limited time to set up an environment, and came across this. I know it's a few years old; do you know what version of Windows 10 you were using when running this? The link pulls down 1809 and, whilst it seems to work, I got errors running the ps1 script. They were too quick to capture; I will rerun and look to update if I can capture them in a log file.

Users have been created; restricted1 and kiosk2 behave as expected by running scripts and logging off once done. I just don't know if the errors in running the initial ps1 script will cause me issues further down the line?

C9H13NO3 commented 2 years ago

```
PS C:\Windows\system32> C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1
[+] Disabling Notification Centre
[+] Disabling Windows Defender
[+] Disabling SmartScreen
[+] Disabling Windows Update
[+] Disabling AutoLogin for Admin
[+] Disabling Sign-in Animation
[+] Setting UI to Best Performance
[+] Creating NoApplocker group
[+] Fixing Applocker Services
[+] Starting AppIDSvc service
[+] Applying AppLocker Policy
[+] Adding restricted1 and restricted2 users to NoAppLocker group
[+] Invoking restricted2
[+] Applying restrictions to restricted2
reg : ERROR: The parameter is incorrect.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:399 char:1
reg add HKU\$RestrictedSID\Software\Microsoft\Windows\CurrentVersion\ ...
    CategoryInfo          : NotSpecified: (ERROR: The parameter is incorrect.:String) [], RemoteException
    FullyQualifiedErrorId : NativeCommandError
reg : ERROR: The parameter is incorrect.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:400 char:1
reg add HKU\$RestrictedSID\Software\Microsoft\Windows\CurrentVersion\ ...
    CategoryInfo          : NotSpecified: (ERROR: The parameter is incorrect.:String) [], RemoteException
    FullyQualifiedErrorId : NativeCommandError
[+] Adding Kiosk1 and Kiosk2 users to NoAppLocker group
[+] Invoking Kiosk1
[+] Applying kiosk lockdown to kiosk1
New-Item : The registry key at the specified path does not exist.
At C:\Users\IEUser\Downloads\DefCon24-master\DefCon24-master\Windows_Breakout_PrivEsc_Setup_v1.2.ps1:420 char:1
New-Item -Path HKU:\$KioskSID1\Software\Microsoft\Windows\CurrentVers ...
```

C9H13NO3 commented 2 years ago

Tried a Windows 10 Pro 1607, as that was released at the same time as the script; downloaded an ISO and set it up as a new install with the default user being IEUser so the script would work without updating. That actually has more issues: the same registry ones plus some wmic ones, so the VM looks like the best option... just need to figure out the registry key issues.

C9H13NO3 commented 2 years ago

Fixed... sort of! The reg add/New-Item lines don't work until the SID exists in HKU, which doesn't happen until a user logs on, so I ran the setup script, logged on as every user and then reran the lines that failed.
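The failure described in this thread (writes to `HKU\<SID>\...` rejected because the user's hive is not mounted until first logon) can be handled in a setup script by checking for the hive first and, when it is absent, loading the account's `NTUSER.DAT` with `reg.exe load` before writing. The function below is an added example, not code from the DefCon24 repository's setup script. It assumes it runs elevated, that the targets are local accounts, that profiles live under the default `C:\Users\<name>` location, and it uses an example lockdown key (`Policies\Explorer` / `NoRun`) rather than the truncated path shown in the error output above.

```powershell
# Added example (not part of the original setup script).
# Writes per-user lockdown values for a local account whose hive may not yet
# be loaded under HKEY_USERS. If the hive is absent and the profile exists,
# NTUSER.DAT is loaded temporarily and unloaded afterwards. If the profile does
# not exist either, the user has never logged on and the caller is told so,
# which matches the behaviour observed in this issue.

function Set-UserHiveValues {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        # Assumed example sub-key and value; substitute the script's real lockdown keys.
        [string]    $SubKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        [hashtable] $Values = @{ NoRun = 1 }
    )

    # Resolve the account to its SID; this works even before the first logon.
    $account = New-Object System.Security.Principal.NTAccount($UserName)
    $sid     = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

    $hiveRoot   = "Registry::HKEY_USERS\$sid"
    $loadedHere = $false

    if (-not (Test-Path $hiveRoot)) {
        # Hive not mounted: the user is not logged on. NTUSER.DAT only exists
        # after the profile has been created by a first logon.
        $profileDir = Join-Path $env:SystemDrive "Users\$UserName"   # assumed default profile path
        $ntuser     = Join-Path $profileDir 'NTUSER.DAT'
        if (-not (Test-Path $ntuser)) {
            throw "No profile for '$UserName' yet; log the user on once, then rerun."
        }
        & reg.exe load "HKU\$sid" $ntuser | Out-Null
        if ($LASTEXITCODE -ne 0) {
            throw "reg.exe load failed for '$UserName' (hive already in use?)"
        }
        $loadedHere = $true
    }

    try {
        $keyPath = "$hiveRoot\$SubKey"
        if (-not (Test-Path $keyPath)) {
            New-Item -Path $keyPath -Force | Out-Null
        }
        foreach ($name in $Values.Keys) {
            New-ItemProperty -Path $keyPath -Name $name -Value $Values[$name] `
                -PropertyType DWord -Force | Out-Null
        }
        # Return what was written so the caller can confirm the result.
        Get-ItemProperty -Path $keyPath | Select-Object -Property ($Values.Keys)
    }
    finally {
        if ($loadedHere) {
            # Release PowerShell's open handles on the hive before unloading it,
            # otherwise reg.exe unload reports the hive as in use.
            [gc]::Collect(); [gc]::WaitForPendingFinalizers()
            & reg.exe unload "HKU\$sid" | Out-Null
        }
    }
}

# Usage for the lab accounts named in this issue; accounts that have never
# logged on produce a warning instead of the original "parameter is incorrect" error.
foreach ($u in 'restricted1', 'restricted2', 'kiosk1', 'kiosk2') {
    try   { Set-UserHiveValues -UserName $u }
    catch { Write-Warning $_ }
}
```

Loading the hive from `NTUSER.DAT` only helps once the profile directory exists, so the log-on-once step from the comment above is still needed for a freshly created account; the function's value is that it distinguishes that case from a genuinely wrong path, and that it works without the user being logged on at the time the script runs.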