path: root/Exfiltration
Age | Commit message | Author | Files | Lines
2015-10-30 | Update Invoke-TokenManipulation.ps1 | FixTheExchange | 1 | -2/+0
Removed 2 unnecessary lines.
2015-10-30 | Update Invoke-TokenManipulation.ps1 | FixTheExchange | 1 | -4/+11
Windows 10 breaks the current version of Invoke-TokenManipulation.ps1 because wininit is now a protected process. Rather than hardcoding to a specific process to obtain a SYSTEM token, it's better to enumerate all processes running as SYSTEM and find one that works. I have updated the script to version 1.12 and added logic on lines 1689-1696 to make sure it can successfully grab a SYSTEM token necessary to function.
2015-09-30 | Merge pull request #77 from clymb3r/master | Matt Graeber | 1 | -1/+18
Fix for multi-processor systems
2015-09-30 | Fix for multi-processor systems | clymb3r | 1 | -1/+18
Fix processor architecture detection for multi-processor systems.
2015-07-08 | Cleaned up Remove-VSC and New-VSC | Jared Atkinson | 1 | -34/+12
- Changed Remove-VSC to have a single mandatory parameter (DevicePath)
- Updated New-VSC to check initial state of the VSS Service and return VSS to its initial state after execution
2015-07-08 | Added New-VolumeShadowCopy and Remove-VolumeShadowCopy Cmdlets | Jared Atkinson | 1 | -1/+168
2015-05-10 | Fix for headings in wrong order | Jonathan | 1 | -1/+1
The column headings in the log file are out of order, e.g.
```
"TypedKey","Time","WindowTitle"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:28"
"Document1 - Word","[Shift][Shift]","01-05-2015:20:53:29:31"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:38"
```
The "WindowTitle" should be the first column heading like this,
```
"WindowTitle","TypedKey","Time"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:28"
"Document1 - Word","[Shift][Shift]","01-05-2015:20:53:29:31"
"Document1 - Word","[Shift]","01-05-2015:20:53:29:38"
```
2015-02-16 | Update to latest Mimikatz, add sanity checks | clymb3r | 1 | -4/+11
Updated to the latest Mimikatz build. Added sanity checks to ensure that 32bit PowerShell isn't being run on a 64bit OS which will cause Mimikatz to fail.
2014-10-01 | Merge pull request #56 from clymb3r/master | Matt Graeber | 1 | -5/+35
Added -PassThru to Invoke-TokenManipulation
2014-09-28 | Added -PassThru to Invoke-TokenManipulation | clymb3r | 1 | -5/+35
Thanks to Run Mariboe for the contribution to Invoke-TokenManipulation adding the -PassThru flag for newly created processes. Version increased to 1.11.
2014-06-30 | Get-VaultCredential now takes the singular form. | mattifestation | 3 | -6/+6
2014-05-31 | Updated Get-VaultCredentials - Package SID | mattifestation | 2 | -1/+19
Package SIDs are now displayed for Win8 apps. Both the package SID and secret key are requirements for authenticating to Win8 app servers.
2014-05-30 | Issue #43 - Adding Get-VaultCredentials | mattifestation | 3 | -41/+422
Displays Windows vault credential objects including cleartext web credentials.
2014-05-20 | Update to latest Mimikatz (crash fix on Win7/8) | clymb3r | 1 | -4/+4
The latest version of Mimikatz fixes a crash that happens on Windows7/8 (and server versions) after installing the latest Windows updates.
2014-05-04 | Updated to latest Mimikatz | clymb3r | 1 | -10/+24
Latest version of Mimikatz now natively supports being reflectively loaded by Invoke-ReflectivePEInjection, updating the script to take advantage of this new version.
2014-04-16 | Merge branch 'master' of https://github.com/mattifestation/PowerSploit | clymb3r | 299 | -16383/+308
Conflicts:
Recon/Get-ComputerDetails.ps1
Recon/Recon.psd1
2014-04-16 | Updating Invoke-Mimikatz to Mimikatz 2.0 alpha | clymb3r | 1 | -9/+9
2014-03-21 | Missing File Names | Chris Campbell | 1 | -2/+2
Added printers.xml and drives.xml to the search.
2014-03-05 | Bug fix of from v3 XML expanding to $Count | Chris Campbell | 1 | -2/+2
This bug fix was from @jakxx
2014-03-05 | Update to version 2.4.0 from @jakxx | Chris Campbell | 1 | -3/+14
Removed unnecessary comment, merged update with printers.xml and drives.xml from @jackxx
2014-03-01 | Added Get-VolumeShadowCopy and Mount-VolumeShadowCopy | mattifestation | 2 | -1/+149
2014-02-21 | Update Get-GPPPassword.ps1 | Chris Campbell | 1 | -3/+3
2014-02-21 | Update Get-GPPPassword.ps1 | Chris Campbell | 1 | -1/+1
2014-02-21 | Changed the direction of XML parsing | Chris Campbell | 1 | -70/+63
Used Select-XML to ensure compatibility with v2
2014-02-21 | Update Get-GPPPassword.ps1 | Chris Campbell | 1 | -1/+1
Iterate version.
2014-02-21 | Update Get-GPPPassword.ps1 | Chris Campbell | 1 | -5/+5
2014-02-21 | Update Get-GPPPassword.ps1 | Chris Campbell | 1 | -12/+12
Bug fix of variables.
2014-02-21 | Major Revision of Get-GPPPasswords | mattifestation | 1 | -59/+141
Thanks @obscuresec!
2014-02-12 | Merge pull request #28 from clymb3r/master | Matt Graeber | 5 | -3423/+3432
Inject-LogonCredentials has been renamed to Invoke-CredentialInjection.
2014-02-12 | Inject-LogonCredentials has been renamed to Invoke-CredentialInjection. | clymb3r | 5 | -3423/+3432
Added a check to ensure the script isn't being run from Session0 with the "NewWinLogon" flag. This flag does not work in Session0 because winlogon.exe tries to load stuff from user32.dll which requires a desktop is present. This is not possible in Session0 because there is no desktop/GUI, so it causes winlogon to load and then immediately close with error code c0000142 indicating a DLL failed to initialize. There is no way to fix this that I know of, if you need to run the script from Session0 use the "ExistingWinLogon" flag.
2014-02-03 | Removed mimikatz. | mattifestation | 289 | -16310/+0
This doesn't need to reside in PowerSploit. Those that are truly paranoid should validate that the embedded executable in Invoke-Mimikatz.ps1 is indeed mimikatz. This was causing AV to flag upon downloading PowerSploit.
2014-01-11 | Merge pull request #25 from clymb3r/master | Matt Graeber | 1 | -32/+142
Bug fixes for Invoke-TokenManipulation
2014-01-10 | Bug fixes for Invoke-TokenManipulation | clymb3r | 1 | -32/+142
Processes could not be started when the script was being run from Session 0. The fix is to use the CreateProcessAsUserW function when running in Session 0. This API requires SeAssignPrimaryTokenPrivilege privilege, so for non-session0 calls I still use CreateProcessWithTokenW which does not require special privileges.
2014-01-01 | Fixes #23 - $Password was not being cleared | mattifestation | 1 | -0/+1
2013-11-18 | Merge pull request #21 from clymb3r/master | Matt Graeber | 18 | -1/+4428
Adding Inject-LogonCredentials
2013-11-17 | Adding Inject-LogonCredentials | clymb3r | 18 | -1/+4428
2013-11-13 | Normalized all scripts to ASCII encoding | mattifestation | 9 | -12/+12
2013-11-04 | Updated Invoke-TokenManipulation help | clymb3r | 1 | -2/+2
2013-11-03 | Adding Invoke-TokenManipulation | clymb3r | 2 | -1/+1774
2013-10-01 | Switching to ANSI from UTF8 encoding | clymb3r | 2 | -6/+6
Scripts now work in 2008r2. I thought I tested before uploading but something broke somehow... Now the scripts work in 2008r2 and win8+
2013-10-01 | Adding Invoke-Mimikatz and Invoke-Ninjacopy | clymb3r | 318 | -1/+29481
2013-08-17 | Get-Keystrokes now accepts relative paths | Matt Graeber | 1 | -1/+3
2013-08-17 | Out-Minidump now provides descriptive output | Matt Graeber | 1 | -2/+2
Out-Minidump now outputs a FileInfo object (i.e. the same output as Get-ChildItem) upon successfully creating a dump file.
2013-08-17 | Added additional error handling to Get-GPPPassword | Matt Graeber | 1 | -3/+10
2013-08-12 | added ErrorAction SilentlyContinue to Get-ChildItem | hajdbo | 1 | -2/+2
Sometimes you will have a denied access to a directory. "ErrorAction SilentlyContinue" will continue searching recursively in \SYSVOL even when it encounters a directory where access is denied.
2013-07-03 | Update Get-TimedScreenshot.ps1 | Chris Campbell | 1 | -5/+5
Fix error handling and various style problems
2013-07-03 | Fix improper use of $Error[0] | Chris Campbell | 1 | -1/+1
2013-07-03 | Terminating Errors Added | Chris Campbell | 1 | -1/+5
Added checks to ensure that the script is being run on a domain-joined machine and with a domain account.
2013-07-03 | Updated Get-GPPPassword | Matt Graeber | 2 | -1/+127
2013-06-30 | Added Get-Keystrokes | Matt Graeber | 2 | -1/+248
Get-Keystrokes is a PowerShell keylogger