author | Will <HarmJ0y@users.noreply.github.com> | 2017-09-17 14:25:04 -0400 |
committer | GitHub <noreply@github.com> | 2017-09-17 14:25:04 -0400 |
commit | 41cef58b7510f94f49bf443bbfcf5d3c4a8f56a9 (patch) | |
tree | 0f57a3030d8220e86d3e9ddca174c40a87f436dc | |
parent | 1864095c2e637685c4d1d05f28e8a8ba66c5b9ff (diff) | |
parent | 0a894991dc4b62006c8b2c66a5c87ba239ca9f11 (diff) | |
Merge pull request #253 from davehull/dev
Adds dlls from knowndll paths to knowndlls
-rw-r--r-- | Privesc/PowerUp.ps1 | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/Privesc/PowerUp.ps1 b/Privesc/PowerUp.ps1
index 062045c..edd31b9 100644
--- a/Privesc/PowerUp.ps1
+++ b/Privesc/PowerUp.ps1
@@ -3047,7 +3047,9 @@ https://www.mandiant.com/blog/malware-persistence-windows-registry/
 # the known DLL cache to exclude from our findings
 # http://blogs.msdn.com/b/larryosterman/archive/2004/07/19/187752.aspx
 $Keys = (Get-Item "HKLM:\System\CurrentControlSet\Control\Session Manager\KnownDLLs")
-$KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName) }) | Where-Object { $_.EndsWith(".dll") }
+$KnownDLLs = $(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName).tolower() }) | Where-Object { $_.EndsWith(".dll") }
+$KnownDLLPaths = $(ForEach ($name in $Keys.GetValueNames()) { $Keys.GetValue($name).tolower() }) | Where-Object { -not $_.EndsWith(".dll") }
+$KnownDLLs += ForEach ($path in $KnownDLLPaths) { ls -force $path\*.dll | Select-Object -ExpandProperty Name | ForEach-Object { $_.tolower() }}
 $CurrentUser = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
 
 # get the owners for all processes
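Review bot: The `$KnownDLLs += ForEach (...)` line on the new side is only an array append when `$KnownDLLs` is already an array; if the `Where-Object` on the line above yields exactly one string, `+=` performs string concatenation and the known-DLL exclusion list collapses into a single joined string, so the later membership check (outside this hunk, presumably a `-contains`/`-notcontains`) would silently stop excluding anything. Wrap the first assignment so it is always an array: `$KnownDLLs = @($(ForEach ($KeyName in $Keys.GetValueNames()) { $Keys.GetValue($KeyName).tolower() }) | Where-Object { $_.EndsWith(".dll") })`. The directory scan also has no error handling and uses an alias, so a missing or unreadable directory in one of the registry values emits an error mid-enumeration; I would write it as `Get-ChildItem -Force -Path (Join-Path $path '*.dll') -ErrorAction SilentlyContinue`. The registry values that are not DLL names are assumed here to be plain directory strings (e.g. the `DllDirectory` values); a non-string value would make `.tolower()` throw, which is worth a short comment on the `$KnownDLLPaths` line. The enclosing function starts and ends outside this hunk.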