| Age | Commit message | Author | Files | Lines |
|---|---|---|---|---|
|  | Adds the ability to return the encrypted part of the ticket.<br>This portion is the encrypted data that can be brute-forced with Kerberoast/Hashcat/JtR | 
|  | Added ability to specify domain controller to search (-Server parameter) | 
|  | Added default value to parameter and got rid of value check later in the code.<br>Added validation of -Server value to ensure it is not $Null or an empty string | 
|  | Invoke-Mimikatz was not handling functions exported by ordinal.<br>Thank you @gentilkiwi for the suggested fix! | 
|  | PowerUp: Remove badly encoded new lines from .bat output | 
|  | PowerUp: Allocate enough space for TOKEN_GROUPS | 
|  | PowerView: Fix Groups.xml parsing for multiple `<Group>`s | 
|  | Added the ability for users to specify the domain controller that is searched, using the -Server parameter. The -Server parameter is optional and defaults to the user's current domain if not specified. | 
|  | The current implementation results in a .bat like:<br>`@echo off\n`<br>`start /b net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add\n`<br>`start /b "" cmd /c del "%~f0"&exit /b`<br>With literal `\n` strings at the end of the first two lines.<br>A new line in a PowerShell string should be `` `n ``. However, an extra new line isn't actually necessary in this case. | 
|  | Make an initial call to GetTokenInformation() with a NULL buffer to get the actual buffer size required. Prevents "The data area passed to a system call is too small" error being thrown. | 
|  | Select all `<Group>` nodes and iterate through them, not just the root `<Groups>` node. | 
|  | instead of name | 
|  | Invoke-CheckLocalAdminAccess...whoops | 
|  | Fix Get-NetLocalGroup Recursion for LocalGroups | 
|  | the current directory location<br>Fixed other logic bugs in Get-ModifiablePath<br>Fixed bug in Add-ServiceDacl when the [ServiceProcess.ServiceController] wasn't loaded yet by Get-Service<br>Error handling for Get-CachedGPPPassword<br>Changed some Write-Warnings to Write-Verbose<br>Updated Privesc Pester tests for PowerUp | 
|  | Recurse if localgroup as well as domaingroup<br>Normalize output values to empty string | 
|  | Changed domain/forest Write-Warnings to Write-Verbose | 
|  | ID (i.e. domain users)<br>Modified Get-DomainSID to simplify<br>Changed group determination in Get-NetLocalGroup -API<br>Few optimizations to Find-ForeignUser and Find-ForeignGroup<br>Changed DNS resolution method for Invoke-UserHunter<br>Added 'PowerView.GPOLocalGroup' type to Find-GPOLocation | 
|  | Fixed thread countdown timer in Invoke-ThreadedFunction, wasn't ever … | 
|  | rogue jobs | 
|  | Fixed Get-DomainSID to allow for a -DomainController parameter<br>Fixed Get-NetDomainTrust logic | 
|  | Added attempted gpcfilesyspath resolution to Get-NetGPO<br>Added -ADSPath for Get-NetDomainTrust | 
|  | Moved GPOType check to Get-NetGPOGroup<br>Expanded comments and help for GPO location cmdlets | 
|  | Get-GPPPassword.<br>Added Pester tests for Get-CachedGPPPassword. | 
|  | Find-GPOComputerAdmin<br>Rewrote/corrected logic for Find-GPOLocation<br>Added Get-IniContent and rewrote Get-GptTmpl to use Get-IniContent to parse GptTmpl.inf files<br>Rewrote Get-GroupsXML to not resolve SIDs and return the same object type as Get-GptTmpl | 
|  | PowerUp PSReflect | 
|  | Bug fixes<br>Corrected PowerUp Pester tests<br>Changed 'Path' field to 'ModifiablePath' in 'Get-ModifiablePath'<br>Get-ServiceUnquoted now filters paths through Get-ModifiablePath | 
|  | Renamed Find-PathHijack to Find-PathDLLHijack<br>Fixed exposed functions in PowerSploit.psd1 | 
|  | -Additional error checking and documentation<br>-OpenProcessToken() call now uses TOKEN_QUERY instead of TOKEN_READ | 
|  | with SID and attributes fields | 
|  | user is a part of, regardless of being disabled.<br>Replaced 'whoami /groups' local admin + medium integrity check with comparison against Get-CurrentUserTokenGroupSid | 
|  | file objects<br>-Service functions now accept just -Name (instead of -Service/-ServiceName), which has ValueFromPipelineByPropertyName set in order to handle service objects on the pipeline<br>-Moved PSReflect signatures to the bottom of the script<br>-Function and help cleanup | 
|  | -Get-VulnSchTask renamed to Get-ModifiableScheduledTaskFile<br>-Get-VulnAutoRun renamed Get-RegistryAutoRun<br>-Get-RegAutoLogon renamed Get-RegistryAutoLogon<br>-Find-DLLHijack renamed to Find-ProcessDLLHijack for clarification, code cleaned up, -Process parameter added, output object detail expanded, and help expanded<br>-Removed most of the code from Find-PathHijack, replacing it with Get-ModifiablePath<br>-Cleaned up logic for Write-HijackDll<br>-Expanded help for the registry enumeration cmdlets<br>-Added local user creation options to Write-HijackDll to match Write-ServiceBinary<br>-Increased pause between user creation commands | 
|  | -Fixed parameter sets for Write-ServiceBinary and added -Credential and -Service params<br>-Simplified/corrected logic for Install-ServiceBinary<br>-Fixed parameter sets and simplified logic for Restore-ServiceBinary<br>-Added sanity check with Get-ModifiableFile for Install-ServiceBinary<br>-Cleaned up lingering spaces | 
|  | Invoke-ServiceDisable<br>-Renamed Get-ServiceFilePermission to Get-ModifiableServiceFile<br>-Renamed Get-ServicePermission to Get-ModifiableService<br>-Integrated PSReflect codebase from @mattifestation<br>-Modified Get-ModifiableFile to enumerate the ACLs for passed file paths, returning the path/permission set/identityreference for each modifiable file (instead of opening file for modification)<br>-Added Add-ServiceDacl from @mattifestation to add service Dacls to Get-Service objects<br>-Added Set-ServiceBinPath to replace "sc.exe config SERVICE binPath= X" - now modifies using the ChangeServiceConfig Win32 API call<br>-Revamped Test-ServiceDaclPermission to take advantage of Add-ServiceDacl. Service permissions are now matched up against the current user's group memberships and specified permission sets to check for.<br>-Functions that checked for service restarting now use Test-ServiceDaclPermission<br>-Get-ModifiableService now uses Test-ServiceDaclPermission<br>-Invoke-ServiceAbuse completely rebuilt to use native PowerShell functions and Set-ServiceBinPath to reconfigure service binary paths for abuse<br>-Parameter sets rewritten for several functions to accept -Credential objects where applicable and -Service objects from Get-Service on the pipeline<br>TODO: Tune up Write-ServiceBinary, Install-ServiceBinary, Restore-ServiceBinary, Find-DLLHijack, Find-PathHijack, Write-HijackDll, and all the registry checks | 