| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
Added ability to specify domain controller to search (-Server parameter)
|
|
Added default value to parameter and got rid of value check later in the code.
Added validation of -Server value to ensure it is not $Null or an empty string
|
|
|
|
|
|
|
|
|
|
Invoke-Mimikatz was not not handling functions exported by ordinal.
Thank you @gentilkiwi for the suggested fix!
|
|
PowerUp: Remove badly encoded new lines from .bat output
|
|
PowerUp: Allocate enough space for TOKEN_GROUPS
|
|
PowerView: Fix Groups.xml parsing for multiple <Group>s
|
|
Added the ability for users to specify the domain controller that is searched, using the -Server parameter. The -Server parameter is optional and defaults to the user's current domain if not specified.
|
|
The current implementation results in a .bat like:
@echo off\n
start /b net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add\n
start /b "" cmd /c del "%~f0"&exit /b
With literal "\n" strings at the end of the first two lines.
A new line in a PowerShell string should be "`n". However, an extra new
line isn't actually necessary in this case.
|
|
Make an initial call to GetTokenInformation() with a NULL buffer to get
the actual buffer size required. Prevents "The data area passed to a system
call is too small" error being thrown.
|
|
|
|
Select all <Group> nodes and iterate through them, not just the root
<Groups> node.
|
|
instead of name
|
|
Invoke-CheckLocalAdminAccess...whoops
|
|
|
|
Fix Get-NetLocalGroup Recursion for LocalGroups
|
|
the current directory location
Fixed other logic bugs in Get-ModifiablePath
Fixed bug in Add-ServiceDacl when the [ServiceProcess.ServiceController] wasn't loaded yet by Get-Service
Error handling for Get-CachedGPPPassword
Changed some Write-Warnings to Write-Verbose
Updated Privesc Pester tests for PowerUp
|
|
|
|
Recurse if localgroup as well as domaingroup
Normalize output values to empty string
|
|
|
|
Changed domain/forest Write-Warning's to Write-Verbose
|
|
ID (i.e. domain users)
Modified Get-DomainSID to simplify
Changed group determination in Get-NetLocalGroup -API
Few optimizations to Find-ForeignUser and Find-ForeignGroup
Changed DNS resolution method for Invoke-UserHunter
Added 'PowerView.GPOLocalGroup' type to Find-GPOLocation
|
|
Fixed thread countdown timer in Invoke-ThreadedFunction, wasn't ever …
|
|
rogue jobs
|
|
Fixed Get-DomainSID to allow for a -DomainController parameter
Fixed Get-NetDomainTrust logic
|
|
Added attempted gpcfilesyspath resolution to Get-NetGPO
Added -ADSPath for Get-NetDomainTrust
|
|
|
|
|
|
Moved GPOType check to Get-NetGPOGroup
Expanded comments and help for GPO location cmdlets
|
|
|
|
Get-GPPPassword.
Added Pester tests for Get-CachedGPPPassword.
|
|
Find-GPOComputerAdmin
Rewrote/corrected logic for Find-GPOLocation
Added Get-IniContent and rewrote Get-GptTmpl to use Get-IniContent to parse GptTmpl.inf files
Rewrote Get-GroupsXML to not resolve SIDs and return the same object type as Get-GptTmpl
|
|
PowerUp PSReflect
|
|
Bug fixes
Corrected PowerUp Pester tests
Changed 'Path' field to 'ModifiablePath' in 'Get-ModifiablePath'
Get-ServiceUnquoted now filters paths through Get-ModifiablePath
|
|
Renamed Find-PathHijack to Find-PathDLLHijack
Fixed exposed functions in PowerSploit.psd1
|
|
|
|
-Additional error checking and documentation
-OpenProcessToken() call now uses TOKEN_QUERY instead of TOKEN_READ
|
|
with SID and attributes fields
|
|
user is a part of, regardless of being disabled.
Replaced 'whoami /groups' local admin + medium integrity check with comparison against Get-CurrentUserTokenGroupSid
|
|
file objects
-Service functions now accept just -Name (instead of -Service/-ServiceName) that accepts has ValueFromPipelineByPropertyName set in order to handle service objects on the pipeline
-Moved PSReflect signatures to the bottom of the script
-Function and help cleanup
|
|
|
|
-Get-VulnSchTask renamed to Get-ModifiableScheduledTaskFile
-Get-VulnAutoRun renamed Get-RegistryAutoRun
-Get-RegAutoLogon renamed Get-RegistryAutoLogon
-Find-DLLHijack renamed to Find-ProcessDLLHijack for clarification, code cleaned up, -Process parameter added, output object detail expanded, and help expanded
-Removed most of the code from Find-PathHijack, replacing it with Get-ModifiablePath
-Cleaned up logic for Write-HijackDll
-Expanded help for the registry enumeration cmdlets
-Added local user creation options to Write-HijackDll to match Write-ServiceBinary
-Increased pause between user creation commands
|
|
-Fixed parameter sets for Write-ServiceBinary and added -Credential and -Service params
-Simplified/corrected logic for Install-ServiceBinary
-Fixed parameter sets and simplified logic for Restore-ServiceBinary
-Added sanity check with Get-ModifiableFile for Install-ServiceBinary
-Cleaned up lingering spaces
|
|
Invoke-ServiceDisable
-Renamed Get-ServiceFilePermission to Get-ModifiableServiceFile
-Renamed Get-ServicePermission Get-ModifiableService
-Integrated PSReflect codebase from @mattifestation
-Modified Get-ModifiableFile to enumerate the ACLs for passed file paths, returning the path/permission set/identityreference for each modifable file (instead of opening file for modification)
-Added Add-ServiceDacl from @mattifestation to add service Dacls to Get-Service objects
-Added Set-ServiceBinPath replace "sc.exe config SERVICE binPath= X" - now modifies using the ChangeServiceConfig Win32 API call
-Revamped Test-ServiceDaclPermission to take advantage of Add-ServiceDacl. Service permissions are now matched up against the current user's group memberships and specified permission sets to check for.
-Functions that checked for service restarting now use Test-ServiceDaclPermission
-Get-ModifiableService now uses Test-ServiceDaclPermission
-Invoke-ServiceAbuse completely rebuilt to use native PowerShell functions and Set-ServiceBinPath to reconfiguring service binary paths for abuse
-Parameter sets rewritten for several functions to accept -Credential objects were applicable and -Service objects from Get-Service on the pipeline
TODO: Tune up Write-ServiceBinary, Install-ServiceBinary, Restore-ServiceBinary, Find-DLLHijack, Find-PathHijack, Write-HijackDll, and all the registry checks
|
|
|
|
|
|
General errors are now parsed with [ComponentModel.Win32Exception] and written with Write-Verbose
Write-Debug calls converted to Write-Verbose or removed
|