Modules

Posh-SecMod

  • https://github.com/darkoperator/Posh-SecMod - PowerShell Module with Security cmdlets for security work
    • Discovery: Perform network discovery.
    • Parse: Parsers for Nmap, DNSRecon and other types of output files from security tools.
    • PostExploitation: Functions to help in performing post-exploitation tasks.
    • Registry: Collection of functions for manipulating the registry on remote hosts using WMI.
    • Utilities: General purpose functions.
    • Audit: Functions that may be useful when performing an audit of systems.
    • Database: Functions that are useful when interacting with databases.

PowerSploit

  • https://github.com/PowerShellMafia/PowerSploit - A PowerShell Post-Exploitation Framework
    • CodeExecution
      • Invoke-DllInjection - Injects a DLL into the process ID of your choosing.
      • Invoke-ReflectivePEInjection - Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.
      • Invoke-Shellcode - Injects shellcode into the process ID of your choosing or within PowerShell locally.
      • Invoke-WmiCommand - Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
    • ScriptModification
      • Out-EncodedCommand - Compresses, Base64-encodes, and generates command-line output for a PowerShell payload script.
      • Out-CompressedDll - Compresses, Base64-encodes, and outputs generated code to load a managed DLL in memory.
      • Out-EncryptedScript - Encrypts text files/scripts.
      • Remove-Comments - Strips comments and extra whitespace from a script.
    • Persistence
      • New-UserPersistenceOption - Configures user-level persistence options for the Add-Persistence function.
      • New-ElevatedPersistenceOption - Configures elevated persistence options for the Add-Persistence function.
      • Add-Persistence - Adds persistence capabilities to a script.
      • Install-SSP - Installs a security support provider (SSP) DLL.
      • Get-SecurityPackages - Enumerates all loaded security packages (SSPs).
    • AntivirusBypass
      • Find-AVSignature - Locates single-byte AV signatures utilizing the same method as DSplit from "class101".
    • Exfiltration
      • Invoke-TokenManipulation - Lists available logon tokens. Creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
        • Invoke-TokenManipulation -CreateProcess "cmd.exe" -Username "nt authority\system"
        • Get-Process lsass | Invoke-TokenManipulation -ImpersonateUser
      • Invoke-CredentialInjection - Creates logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
      • Invoke-NinjaCopy - Copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures.
        • Copy NTDS.dit, and the SYSTEM and SAM hives
      • Invoke-Mimikatz - Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided by Mimikatz.
        • Invoke-Mimikatz -DumpCreds
        • Invoke-Mimikatz -DumpCerts
      • Get-Keystrokes - Logs keys pressed, time and the active window.
      • Get-GPPPassword - Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
        • KB2928120
      • Get-GPPAutologon - Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
      • Get-TimedScreenshot - Takes screenshots at a regular interval and saves them to a folder.
      • New-VolumeShadowCopy - Creates a new volume shadow copy.
      • Get-VolumeShadowCopy - Lists the device paths of all local volume shadow copies.
      • Mount-VolumeShadowCopy - Mounts a volume shadow copy.
      • Remove-VolumeShadowCopy - Deletes a volume shadow copy.
      • Get-VaultCredential - Displays Windows vault credential objects including cleartext web credentials.
      • Out-Minidump - Generates a full-memory minidump of a process.
      • Get-MicrophoneAudio - Records audio from the system microphone and saves it to disk.
    • Mayhem
      • Set-MasterBootRecord - Proof-of-concept code that overwrites the master boot record with the message of your choice.
      • Set-CriticalProcess - Causes your machine to blue screen upon exiting PowerShell.
    • Privesc
      • PowerUp - Clearing house of common privilege escalation checks, along with some weaponization vectors.
        • Service Enumeration:
          • Get-ServiceUnquoted - returns services with unquoted paths that also have a space in the name
          • Get-ModifiableServiceFile - returns services where the current user can write to the service binary path or its config
          • Get-ModifiableService - returns services the current user can modify
          • Get-ServiceDetail - returns detailed information about a specified service
        • Service Abuse:
          • Invoke-ServiceAbuse - modifies a vulnerable service to create a local admin or execute a custom command
          • Write-ServiceBinary - writes out a patched C# service binary that adds a local admin or executes a custom command
          • Install-ServiceBinary - replaces a service binary with one that adds a local admin or executes a custom command
          • Restore-ServiceBinary - restores a replaced service binary with the original executable
        • DLL Hijacking:
          • Find-ProcessDLLHijack - finds potential DLL hijacking opportunities for currently running processes
          • Find-PathDLLHijack - finds service %PATH% DLL hijacking opportunities
          • Write-HijackDll - writes out a hijackable DLL
        • Registry Checks:
          • Get-RegistryAlwaysInstallElevated - checks if the AlwaysInstallElevated registry key is set
          • Get-RegistryAutoLogon - checks for Autologon credentials in the registry
          • Get-ModifiableRegistryAutoRun - checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns
        • Miscellaneous Checks:
          • Get-ModifiableScheduledTaskFile - find schtasks with modifiable target files
          • Get-UnattendedInstallFile - finds remaining unattended installation files
          • Get-Webconfig - checks for any encrypted web.config strings
          • Get-ApplicationHost - checks for encrypted application pool and virtual directory passwords
          • Get-SiteListPassword - retrieves the plaintext passwords for any found McAfee's SiteList.xml files
          • Get-CachedGPPPassword - checks for passwords in cached Group Policy Preferences files
        • Other Helpers/Meta-Functions:
          • Get-ModifiablePath - tokenizes an input string and returns the files in it the current user can modify
          • Get-CurrentUserTokenGroupSid - returns all SIDs that the current user is a part of, whether they are disabled or not
          • Add-ServiceDacl - adds a Dacl field to a service object returned by Get-Service
          • Set-ServiceBinPath - sets the binary path for a service to a specified value through Win32 API methods
          • Test-ServiceDaclPermission - tests one or more passed services or service names against a given permission set
          • Write-UserAddMSI - write out a MSI installer that prompts for a user to be added
          • Invoke-AllChecks - runs all current escalation checks and returns a report
    • Recon
      • Invoke-Portscan - Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
      • Get-HttpStatus - Returns the HTTP status codes and full URL for specified paths when provided with a dictionary file.
      • Invoke-ReverseDnsLookup - Scans an IP address range for DNS PTR records.
      • PowerView - A series of functions that perform network and Windows domain enumeration and exploitation.
        • Misc
          • Export-PowerViewCSV - thread-safe CSV append
          • Set-MacAttribute - Sets MAC attributes for a file based on another file or input (from Powersploit)
          • Copy-ClonedFile - copies a local file to a remote location, matching MAC properties
          • Get-IPAddress - resolves a hostname to an IP
          • Test-Server - tests connectivity to a specified server
          • Convert-NameToSid - converts a given user/group name to a security identifier (SID)
          • Convert-SidToName - converts a security identifier (SID) to a group/user name
          • Convert-NT4toCanonical - converts a user/group NT4 name (i.e. dev/john) to canonical format
          • Get-Proxy - enumerates local proxy settings
          • Get-PathAcl - get the ACLs for a local/remote file path with optional group recursion
          • Get-UserProperty - returns all properties specified for users, or a set of user:prop names
          • Get-ComputerProperty - returns all properties specified for computers, or a set of computer:prop names
          • Find-InterestingFile - search a local or remote path for files with specific terms in the name
          • Invoke-CheckLocalAdminAccess - check if the current user context has local administrator access to a specified host
          • Get-DomainSearcher - builds a proper ADSI searcher object for a given domain
          • Get-ObjectAcl - returns the ACLs associated with a specific active directory object
          • Add-ObjectAcl - adds an ACL to a specified active directory object
          • Get-LastLoggedOn - return the last logged on user for a target host
          • Get-CachedRDPConnection - queries all saved RDP connection entries on a target host
          • Invoke-ACLScanner - enumerates modifiable ACLs (for principals with RID 1000+) on a specified domain
          • Get-GUIDMap - returns a hash table of current GUIDs -> display names
          • Get-DomainSID - return the SID for the specified domain
          • Invoke-ThreadedFunction - helper that wraps threaded invocation for other
        • net * Functions:
          • Get-NetDomain - gets the name of the current user's domain
          • Get-NetForest - gets the forest associated with the current user's domain
          • Get-NetForestDomain - gets all domains for the current forest
          • Get-NetDomainController - gets the domain controllers for the current computer's domain
          • Get-NetUser - returns all user objects, or the user specified (wildcard specifiable)
          • Add-NetUser - adds a local or domain user
          • Get-NetComputer - gets a list of all current servers in the domain
          • Get-NetPrinter - gets an array of all current computer objects in a domain
          • Get-NetOU - gets data for domain organization units
          • Get-NetSite - gets current sites in a domain
          • Get-NetSubnet - gets registered subnets for a domain
          • Get-NetGroup - gets a list of all current groups in a domain
          • Get-NetGroupMember - gets a list of all current users in a specified domain group
          • Get-NetLocalGroup - gets the members of a localgroup on a remote host or hosts
          • Add-NetGroupUser - adds a local or domain user to a local or domain group
          • Get-NetFileServer - get a list of file servers used by current domain users
          • Get-DFSshare - gets a list of all distributed file system shares on a domain
          • Get-NetShare - gets share information for a specified server
          • Get-NetLoggedon - gets users actively logged onto a specified server
          • Get-NetSession - gets active sessions on a specified server
          • Get-NetRDPSession - gets active RDP sessions for a specified server (like qwinsta)
          • Get-NetProcess - gets the remote processes and owners on a remote server
          • Get-UserEvent - returns logon or TGT events from the event log for a specified host
          • Get-ADObject - takes a domain SID and returns the user, group, or computer object associated with it
          • Set-ADObject - takes a SID, name, or SamAccountName to query for a specified domain object, and then sets a specified 'PropertyName' to a specified 'PropertyValue'
        • GPO functions:
          • Get-GptTmpl - parses a GptTmpl.inf to a custom object
          • Get-NetGPO - gets all current GPOs for a given domain
          • Get-NetGPOGroup - gets all GPOs in a domain that set "Restricted Groups" on target machines
          • Find-GPOLocation - takes a user/group and maps the machines they have effective rights over through GPO enumeration and correlation
          • Find-GPOComputerAdmin - takes a computer and determines who has admin rights over it through GPO enumeration
          • Get-DomainPolicy - returns the default domain or DC policy
        • User-Hunting Functions:
          • Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
          • Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
          • Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
          • Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
        • Domain Trust Functions:
          • Get-NetDomainTrust - gets all trusts for the current user's domain
          • Get-NetForestTrust - gets all trusts for the forest associated with the current user's domain
          • Find-ForeignUser - enumerates users who are in groups outside of their principal domain
          • Find-ForeignGroup - enumerates all the members of a domain's groups and finds users that are outside of the queried domain
          • Invoke-MapDomainTrust - try to build a relational mapping of all domain trusts
        • MetaFunctions:
          • Invoke-ShareFinder - finds (non-standard) shares on hosts in the local domain
          • Invoke-FileFinder - finds potentially sensitive files on hosts in the local domain
          • Find-LocalAdminAccess - finds machines on the domain that the current user has local admin access to
          • Find-ManagedSecurityGroups - searches for Active Directory security groups which are managed and identifies users who have write access to those groups (i.e. the ability to add or remove members)
          • Find-UserField - searches a user field for a particular term
          • Find-ComputerField - searches a computer field for a particular term
          • Get-ExploitableSystem - finds systems likely vulnerable to common exploits
          • Invoke-EnumerateLocalAdmin - enumerates members of the local Administrators groups across all machines in the domain

Nishang

  • https://github.com/samratashok/nishang - framework and collection of scripts and payloads which enable the use of PowerShell for offensive security, penetration testing and red teaming
    • ActiveDirectory
    • Antak - the Webshell
      • Antak - Execute PowerShell scripts in memory, run commands, and download and upload files using this webshell.
    • Backdoors
      • HTTP-Backdoor - A backdoor which can receive instructions from third-party websites and execute PowerShell scripts in memory.
      • DNS_TXT_Pwnage - A backdoor which can receive commands and PowerShell scripts from DNS TXT queries, execute them on a target, and be remotely controlled using the queries.
      • Execute-OnTime - A backdoor which can execute PowerShell scripts at a given time on a target.
      • Gupt-Backdoor - A backdoor which can receive commands and scripts from a WLAN SSID without connecting to it.
      • Add-ScrnSaveBackdoor - A backdoor which can use the Windows screen saver for remote command and script execution.
      • Invoke-ADSBackdoor - A backdoor which can use alternate data streams and the Windows Registry to achieve persistence.
      • Add-RegBackdoor - A backdoor which uses the well-known Debugger trick to execute a payload with Sticky Keys and Utilman (Windows key + U).
      • Set-RemoteWMI - Modify permissions of DCOM and WMI namespaces to allow access to a non-admin user.
      • Set-RemotePSRemoting - Modify permissions of PowerShell remoting to allow access to a non-admin user.
    • Bypass
    • Client
      • Out-CHM - Create infected CHM files which can execute PowerShell commands and scripts.
      • Out-Word - Create Word files and infect existing ones to run PowerShell commands and scripts.
      • Out-Excel - Create Excel files and infect existing ones to run PowerShell commands and scripts.
      • Out-HTA - Create an HTA file which can be deployed on a web server and used in phishing campaigns.
      • Out-Java - Create signed JAR files which can be used with applets for script and command execution.
      • Out-Shortcut - Create shortcut files capable of executing PowerShell commands and scripts.
      • Out-WebQuery - Create IQY files for phishing credentials and SMB hashes.
      • Out-JS - Create JS files capable of executing PowerShell commands and scripts.
      • Out-SCT - Create SCT files capable of executing PowerShell commands and scripts.
      • Out-SCF - Create an SCF file which can be used for capturing NTLM hash challenges.
    • Escalation
    • Execution
      • Download-Execute-PS - Download and execute a PowerShell script in memory.
      • Download_Execute - Download an executable in text format, convert it to an executable, and execute it.
      • Execute-Command-MSSQL - Run PowerShell commands, native commands, or SQL commands on an MSSQL Server with sufficient privileges.
      • Execute-DNSTXT-Code - Execute shellcode in memory using DNS TXT queries.
      • Out-RundllCommand - Execute PowerShell commands and scripts or a reverse PowerShell session using rundll32.exe.
    • Gather
    • MITM
    • Pivot
    • Prasadhak
      • Prasadhak - Checks the hashes of running processes against the VirusTotal database.
    • Scan
      • Brute-Force - Brute force FTP, Active Directory, MSSQL, and SharePoint.
      • Port-Scan - A handy port scanner.
    • Powerpreter
      • Powerpreter - All the functionality of nishang in a single script module.
    • Shells
    • Utility

External Services

Scanning

https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1
https://github.com/samratashok/nishang/blob/master/Scan/Invoke-PortScan.ps1

Brute Forcing

Database Attacks

  • Execute command over MSSQL: Nishang/Execute-Command-MSSQL.ps1

Encoding Payloads

https://github.com/samratashok/nishang/blob/master/Utility/Invoke-Encode.ps1

Capture NTLM

https://github.com/Kevin-Robertson/Inveigh

Obfuscation

Fileless Malware

Invoke-NoShell outputs a Microsoft Office Word .doc file with an embedded macro: https://github.com/G4lB1t/Invoke-NoShell