Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
Hi Marcello, here is the pull request that I emailed you about. I added additional features, but could use a little help from you to complete my intended changes. Here are the additions I have made so far.
Optionally pull information on additional privileged domain groups via args
Optionally display information on domain computers via args (useful in a small environment)
Added a def to determine the exact Windows build number if running Windows 10
Use build number of Windows 10 to determine bypassuac method, since bypassuac_eventvwr does not work on builds >= 15007
Added code to perform powerdump, correctly grabs local administrator (RID 500) username and hash
Added def to submit new username/hash to creds - this is where I could use some help. I haven't really done much with JSON before, and I am having trouble pushing the information to Empire. There is a FIXME tag associated with this.
Let me know if you are interested in working with me to finish some intended changes as well. I was planning to add local administrator pth (probably invoke_smbexec) for additional lateral movement, as I use this vector in most of my engagements.
Look forward to working with you! Cheers. Drew