forked from PowerShellMafia/PowerSploit
change #1
Himangshu30 wants to merge 115 commits into 0patch:master from Himangshu30:master
Conversation
-Standardized documentation, including adding output object types and required dependencies to all functions
-Added Get-ProcessTokenPrivilege to enumerate the current (or remote) process token privileges, replacing Get-CurrentUserTokenGroupSid
-Added Enable-Privilege to enable privileges using RtlAdjustPrivilege
-Added @enigma0x3's Invoke-WScriptUACBypass function
-Renamed Invoke-AllChecks to Invoke-PrivescAudit, added alias mapping
-Added tests for Get-ProcessTokenPrivilege, Enable-Privilege, and Invoke-WScriptUACBypass
-Renamed helper functions for consistency
-Passes PSScriptAnalyzer!
-Lots of function cleanup/code rot removal and standardization
-Additional options added to Get-DomainSearcher in order to support new param sets
-Expanded parameter validation
-XML help format standardized
-PSScriptAnalyzer fixups- passes PS script analyzer now!
-Nearly all functions should tag custom types to output objects
-Identity supported by all appropriate functions
-Transformed all filters to functions
-Expanded the formats for Convert-ADName
-Get-SPNTicket returns enc part automatically now, and Hashcat output format added
-Write-Verbose/Write-Warning/Throw messages now have the function name tagged in the message
-Verb-Domain* functions now all include a -FindOne function to return one result
-Get-DomainUserEvent now uses -XPathFilter for a massive speedup
-ALL Verb-Domain* (LDAP) functions now return full data objects (no more -FullData). Use -Properties for paring down.
-Lots of bug fixes
-"Required Dependencies" for each function completed
-Fixed logic bugs for -ComputerIdentity in Get-DomainGPO, now enumerates domain-linked GPOs as well
-Added -UserIdentity to Get-DomainGPO to enumerate GPOs applied to a given user identity
New function naming scheme with proper Verb-PrefixNoun syntax to better match the 'real' AD cmdlets:
Verbs:
Get - retrieve full raw data sets
Find - 'find' specific data entries in a data set or execute threaded computer enumeration
Add - add a new object to a destination
Set - modify a given object
Invoke - lazy catch-all
Prefixes now give an indication of the data source:
Verb-DomainX - LDAP/.NET AD connections (e.g. Get-DomainUser)
Verb-WMIX - Uses WMI for connections/enumeration of a specific host (e.g. Get-WMIRegLastLoggedOn)
Verb-NetX - API access (e.g. Get-NetSession)
Nouns have been renamed to be more descriptive
Big gotcha:
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
-Parameter sets standardized - parameters shared as appropriate across functions
-Identity -> replaces -UserName/-GroupName/etc. Accepts samAccountName, GUID, distinguishedName, SID
-these can be used in tandem -> Get-DomainUser "S-1-5-21-890171859-3433809279-3366196753-1108","administrator"
-Properties -> return only the specified properties (i.e. Get-DomainUser -Properties samAccountName,lastLogon)
-LDAPFilter replaces -Filter, -SearchBase replaces -ADSPath, -Server replaces -DomainController
-ServerTimeLimit, -SearchScope, -Tombstone, -SecurityMasks added for most functions
All functions (as appropriate) now support -Credential:
-Verb-Domain* (LDAP) functions use alternate creds for a DirectorySearcher through Get-DomainSearcher
-COM methods (i.e. Convert-ADName) use appropriate initializations
-Verb-WMI methods pass the -Credential through as appropriate
-Verb-Net* (API) functions use Invoke-UserImpersonation/Invoke-RevertToSelf implicitly for token impersonation
Removed functions:
Get-ComputerProperty, Get-UserProperty, Find-ComputerField, Find-UserField
Get-NameField (translated to ValueFromPipelineByPropertyName calls)
Invoke-DowngradeAccount - not used
Add-NetUser - split into New-DomainUser/others
Add-NetGroupUser - split into Add-DomainGroupMember/others
New-GPOImmediateTask - inconsistent and better done manually
Invoke-StealthUserHunter - combined into Find-DomainUserLocation
Get-ExploitableSystem
Added helper functions:
Get-PrincipalContext - helper to return a DirectoryServices.AccountManagement.PrincipalContext
Get-ForestSchemaClass - returns the forest schema for a specified object class
Added exported functions:
Add-RemoteConnection - 'mounts' a remote UNC path using WNetAddConnection2W
Remove-RemoteConnection - 'unmounts' a remote UNC path using WNetCancelConnection2
Invoke-UserImpersonation - creates a new "runas /netonly" type logon and impersonates the token in the current thread
Invoke-RevertToSelf - reverts any token impersonation
Invoke-Kerberoast - automates Kerberoasting
Find-DomainObjectPropertyOutlier - finds user/group/computer objects in AD that have 'outlier' properties sets
New-DomainUser - creates a new domain user
New-DomainGroup - creates a new domain group
Add-DomainGroupMember - adds a domain user (or group) to an existing domain group
Get-NetLocalGroup - now returns local *groups* themselves
Get-NetLocalGroupMember - returns local group *members* (old Get-NetLocalGroup)
Renamed functions (aliases created for old functions):
Get-IPAddress -> Resolve-IPAddress
Convert-NameToSid -> ConvertTo-SID
Convert-SidToName -> ConvertFrom-SID
Request-SPNTicket -> Get-DomainSPNTicket
Get-DNSZone -> Get-DomainDNSZone
Get-DNSRecord -> Get-DomainDNSRecord
Get-NetDomain -> Get-Domain
Get-NetDomainController -> Get-DomainController
Get-NetForest -> Get-Forest
Get-NetForestDomain -> Get-ForestDomain
Get-NetForestCatalog -> Get-ForestGlobalCatalog
Get-NetUser -> Get-DomainUser
Get-UserEvent -> Get-DomainUserEvent
Get-NetComputer -> Get-DomainComputer
Get-ADObject -> Get-DomainObject
Set-ADObject -> Set-DomainObject
Get-ObjectAcl -> Get-DomainObjectAcl
Add-ObjectAcl -> Add-DomainObjectAcl
Invoke-ACLScanner -> Find-InterestingDomainAcl
Get-GUIDMap -> Get-DomainGUIDMap
Get-NetOU -> Get-DomainOU
Get-NetSite -> Get-DomainSite
Get-NetSubnet -> Get-DomainSubnet
Get-NetGroup -> Get-DomainGroup
Find-ManagedSecurityGroups -> Get-DomainManagedSecurityGroup
Get-NetGroupMember -> Get-DomainGroupMember
Get-NetFileServer -> Get-DomainFileServer
Get-DFSshare -> Get-DomainDFSShare
Get-NetGPO -> Get-DomainGPO
Get-NetGPOGroup -> Get-DomainGPOLocalGroup
Find-GPOLocation -> Get-DomainGPOUserLocalGroupMapping
Find-GPOComputerAdmin -> Get-DomainGPOComputerLocalGroupMapping
Get-LoggedOnLocal -> Get-RegLoggedOn
Test-AdminAccess -> Invoke-CheckLocalAdminAccess
Get-SiteName -> Get-NetComputerSiteName
Get-Proxy -> Get-WMIRegProxy
Get-LastLoggedOn -> Get-WMIRegLastLoggedOn
Get-CachedRDPConnection -> Get-WMIRegCachedRDPConnection
Get-RegistryMountedDrive -> Get-WMIRegMountedDrive
Get-NetProcess -> Get-WMIProcess
Invoke-ThreadedFunction -> New-ThreadedFunction
Invoke-UserHunter -> Find-DomainUserLocation
Invoke-ProcessHunter -> Find-DomainProcess
Invoke-EventHunter -> Find-DomainUserEvent
Invoke-ShareFinder -> Find-DomainShare
Invoke-FileFinder -> Find-InterestingDomainShareFile
Invoke-EnumerateLocalAdmin -> Find-DomainLocalGroupMember
Get-NetDomainTrust -> Get-DomainTrust
Get-NetForestTrust -> Get-ForestTrust
Find-ForeignUser -> Get-DomainForeignUser
Find-ForeignGroup -> Get-DomainForeignGroupMember
Invoke-MapDomainTrust -> Get-DomainTrustMapping
Reformatted documentation.
Modified Convert-LDAPProperty to break out sections of ntsecuritydescriptor
-More error handling
-PSScriptAnalyzering
-Tweaking of synopsis blocks in order to support platyPS
-Code standardization
-Generated docs
-(More) PSScriptAnalyzering
-Tweaking of synopsis blocks in order to support platyPS
-Code standardization
-Generated docs
-Domain bug fix in Find-DomainUserLocation stealth
…oken type and impersonation level Added Get-ProcessTokenType to enumerate type/impersonation level of a specified process
…Verb-Domain* functions, the object's domain is now extracted from the dn and the directory searcher is rebound to the proper domain.
…UACEnum enumeration
Example: Get-DomainUser -UACFilter DONT_REQ_PREAUTH,NOT_PASSWORD_EXPIRED
Returns users with Kerberos preauth not set AND where the password isn't expired
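The commit above describes an AND-style filter over userAccountControl flags, with a NOT_ prefix to require a flag to be clear. The following is an added example, not code from this pull request or from PowerView, that implements that flag decoding and filtering in Python (PowerView itself is PowerShell; Python is used here so the logic runs and is testable stand-alone). The flag values are the documented userAccountControl bits; the account records are constructed sample data, and the audit framing (listing accounts that have Kerberos preauthentication disabled) is the hygiene check a defender would run with such a filter.

```python
# Added example (not PowerView code): decode userAccountControl bit flags and
# apply an AND-filter in the style of -UACFilter DONT_REQ_PREAUTH,NOT_PASSWORD_EXPIRED
# over constructed sample account records, as an AD hygiene audit.
# Flag values are the documented userAccountControl bits.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
    "PARTIAL_SECRETS_ACCOUNT": 0x04000000,
}


def decode_uac(value):
    """Return the sorted list of flag names set in a userAccountControl integer."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def parse_uac_filter(spec):
    """Parse 'FLAG,NOT_FLAG,...' into (required_mask, forbidden_mask).

    A NOT_ prefix means the flag must be clear, mirroring the NOT_* names the
    commit's -UACFilter example uses (e.g. NOT_PASSWORD_EXPIRED). NOT_DELEGATED
    is itself a real flag, so the prefix is only stripped when the remainder is
    a known flag name.
    """
    required = forbidden = 0
    for token in spec.split(","):
        token = token.strip().upper()
        if token.startswith("NOT_") and token[4:] in UAC_FLAGS:
            forbidden |= UAC_FLAGS[token[4:]]
        elif token in UAC_FLAGS:
            required |= UAC_FLAGS[token]
        else:
            raise ValueError(f"unknown userAccountControl flag: {token}")
    return required, forbidden


def filter_accounts(accounts, spec):
    """Return samAccountNames whose userAccountControl satisfies every clause (AND)."""
    required, forbidden = parse_uac_filter(spec)
    return [
        a["samAccountName"]
        for a in accounts
        if (a["userAccountControl"] & required) == required
        and (a["userAccountControl"] & forbidden) == 0
    ]


# Constructed sample records (not real directory data).
SAMPLE_ACCOUNTS = [
    {"samAccountName": "svc_legacy", "userAccountControl": 0x200 | 0x400000},
    {"samAccountName": "jdoe", "userAccountControl": 0x200},
    {"samAccountName": "old_svc", "userAccountControl": 0x200 | 0x400000 | 0x800000},
    {"samAccountName": "disabled_svc", "userAccountControl": 0x200 | 0x2 | 0x400000},
]

if __name__ == "__main__":
    # Audit: accounts that still have Kerberos preauthentication disabled and a
    # non-expired password; each one is a finding to remediate.
    for name in filter_accounts(SAMPLE_ACCOUNTS, "DONT_REQ_PREAUTH,NOT_PASSWORD_EXPIRED"):
        print(name, decode_uac(next(a["userAccountControl"] for a in SAMPLE_ACCOUNTS
                                     if a["samAccountName"] == name)))
```

Against the sample data the filter returns svc_legacy and disabled_svc: old_svc is dropped because PASSWORD_EXPIRED is set, and ACCOUNTDISABLE does not affect the match because it is not in the filter, which is why a real audit would usually add NOT_ACCOUNTDISABLE to concentrate on live accounts.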
-Integrated New-DynamicParameter from beatcracker in order to accomplish the dynamic params
-Corrected from help typos
This is a fix for PowerShellMafia#151
Fix for unable to index into object of type System.Diagnostic.Process on PSv2.
Fixed alias typo for Find-GPOComputerAdmin
Make sure System.Core is loaded before creating an AES object. PowerShellMafia#247
If a user does not manually specify $GroupName it defaults to "Administrators" which may not be valid in specific regions. I added a check to pull out the Group Name from the Admin SID, see: PowerShellMafia#176
When removing the persistence, the profile is not cleaned up. This is a temporary fix for that which should leave any legitimate profile content intact. This psm may need a rework though. Related to: PowerShellMafia#165
Changed version check to be of type "System.Version". This fixes: PowerShellMafia#163
This is a fix for: PowerShellMafia#248
Add-DomainGroupMember allows for adding users to a group, and is especially useful given its ability to supply alternate credentials when establishing the connection to the DC. Remove-DomainGroupMember is intended to act as a "cleanup" function for attack paths that abuse DACL misconfigurations, where we need to remove a principal from a group after we are done abusing that group's existing permissions.
Add Remove-DomainGroupMember function
Adds dlls from knowndll paths to knowndlls
Host parsing extension for IP ranges
Improve output of Invoke-PrivescAudit
-Added WhenCreated/WhenChanged as default output for Get-DomainTrust
-fixed Get-DomainForeignUser / Get-DomainForeignGroupMember when using a global catalog
-target group/member domains are now extracted from found DN names
No description provided.