S3cur3Th1sSh1t / WinPwn

Automation for internal Windows Penetrationtest / AD-Security
BSD 3-Clause "New" or "Revised" License

Option 4 & 5 - from Offline_WinPwn.ps1 not working as expected #12

Closed sp00ks-git closed 4 years ago

sp00ks-git commented 4 years ago

When using the Offline_WinPwn.ps1 and selecting option 4 from the menu - PowerShell version 5.1 and using rasta-mouse's AMSI bypass - I'm seeing the following error message displayed in the terminal.

Option 4
Please choose wisely, master:: 4
Find-InterestingDomainShareFile : The term 'Find-InterestingDomainShareFile' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\temp\Offline_WinPwn.ps1:1963 char:16

Option 5
Please choose wisely, master:: 5
Creating/Checking Log Folders in C:\temp directory:
iex : At line:1 char:1 + This script contains malicious content and has been blocked by your antivirus software. At C:\temp\Offline_WinPwn.ps1:3396 char:337014

Searching for sensitive Files on the Domain-Network, this can take a while:
Claire : The term 'Claire' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\temp\Offline_WinPwn.ps1:3398 char:25

shift : The term 'shift' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At C:\temp\Offline_WinPwn.ps1:3399 char:25

sp00ks-git commented 4 years ago

Interesting that the option 5 has been detected by AV. Maybe this was the cause for option 5: "This script contains malicious content and has been blocked by your antivirus software"

S3cur3Th1sSh1t commented 4 years ago

Thanks for testing, I did not have the time so far. 👍

Looks like I forgot to import PowerView for Find-InterestingDomainShareFile. The other functions are from the string-replaced PowerView version. I'll fix that.

If you applied an AMSI bypass you shouldn't get any "This script contains malicious content and has been blocked by your antivirus software" messages. Depending on the AV software installed, it's possible that it hooks every single command and checks it via AMSI. If that's the case your AMSI bypass is useless and you need a new process with BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON set.

sp00ks-git commented 4 years ago

Yes, I also thought this was odd. I'm looking again now and starting with a fresh PowerShell window, powershell -exec bypass, AMSI bypass, then just going into menu 3 I see the same AV message, which wasn't happening before.

There are things like Crowd Strike and Alienvault in play which might be playing a part?

"================ WinPwn ================
Please choose wisely, master:: 7
================ WinPwn ================

  1. Execute Inveigh - ADIDNS/LLMNR/mDNS/NBNS spoofer!
  2. Local recon menu!
  3. Domain recon menu!
  4. Local privilege escalation check menu!
  5. Get SYSTEM using Windows vulnerabilities!
  6. Bypass UAC!
  7. Get a SYSTEM Shell!
  8. Kerberoasting!
  9. Loot local Credentials!
  10. Create an ADIDNS node or remove it!
  11. Sessiongopher!
  12. Kill the event log services for stealth!
  13. PowerSharpPack menu!
  14. Load custom C# Binaries from a webserver to Memory and execute them!
  15. DomainPasswordSpray Attacks!
  16. Reflectively load Mimik@tz into memory!
  17. Exit.
================ WinPwn ================
Please choose wisely, master:: 3
Creating/Checking Log Folders in C:\temp directory:
iex : At line:1 char:1 + This script contains malicious content and has been blocked by your antivirus software. At C:\temp\Offline_WinPwn.ps1:1887 char:98
    + ... 8.GetString([System.Convert]::FromBase64String("$viewdevobfs")) | iex
    + CategoryInfo : ParserError: (:) [Invoke-Expression], ParseException
    + FullyQualifiedErrorId : ScriptContainedMaliciousContent,Microsoft.PowerShell.Commands.InvokeExpressionCommand "

S3cur3Th1sSh1t commented 4 years ago

There is things like Crowd Strike and Alienvault in play - most likely a hook.

1) If you find out which DLL is hooking your process, you can also bypass this with SharpBlock.

2) BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON, for example ThisOne with the command Run-SecurePS. In the new PowerShell process the hook should be blocked.

S3cur3Th1sSh1t commented 4 years ago

The missing function name issue should be fixed here 672436941047b6e521aff7b02d51046d1324ce31

sp00ks-git commented 4 years ago

Thanks. I'll test again tomorrow and report back.

sp00ks-git commented 4 years ago

I've got another machine that doesn't require the AMSI bypassing, just to test for option 4.

In option 3 -> option 4 I'm now seeing "dnshostname" cannot be found.

S3cur3Th1sSh1t commented 4 years ago

That's not a WinPwn issue but a PowerView issue. Is the system domain joined?

sp00ks-git commented 4 years ago

Ah yes, you're right, my mistake. Also, it is using PowerShell version 4.

S3cur3Th1sSh1t commented 4 years ago

If you find more feel free to open the issue again ;-)