💭
Coding towards chaotic good while living on the decision boundary

Will HarmJ0y

@HarmJ0y
HarmJ0y / Get-NonstandardService.ps1
Created June 7, 2017 01:11
Get-NonstandardService
function Get-NonstandardService {
<#
.SYNOPSIS
Returns services where the associated binaries are either not signed, or are
signed by an issuer not matching 'Microsoft'.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
@HarmJ0y
HarmJ0y / powershell_talks.txt
Created February 14, 2017 13:20
PowerShell talks
BSides LV 2015 - "Building an Empire with PowerShell" - https://www.youtube.com/watch?v=Pq9t59w0mUI
BSides DC 2015 - "Bridging the Gap: Lessons in Adversarial Tradecraft" - https://www.youtube.com/watch?v=xHkRhRo3l8o
BSides DC 2015 - "** It, Do it Live (PowerShell Digital Forensics)" - https://www.youtube.com/watch?v=RcDq9GgiUB4
PowerShell Summit 2016 - "Digital Forensics with PowerShell" - https://www.youtube.com/watch?v=gm9A7FaWTkY
BSides LV 2016 - "Building an EmPyre with Python" - https://www.youtube.com/watch?v=79qzgVTP3Yc
DerbyCon 2016 - "A Year in the Empire" - https://www.youtube.com/watch?v=ngvHshHCt_8
@HarmJ0y
HarmJ0y / ConvertFrom-UserParameter.ps1
Last active January 30, 2023 11:54
ConvertFrom-UserParameter.ps1
function ConvertFrom-UserParameter {
<#
.SYNOPSIS
Converts a userparameters encoded blob into an ordered dictionary of decoded values.
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
@HarmJ0y
HarmJ0y / 44con_demo.ps1
Created September 17, 2016 21:00
Demo for the 44con "Trusts You Might Have Missed" presentation
# import PowerView and Invoke-Mimikatz
Import-Module .\powerview.ps1
Import-Module .\mimikatz.ps1
# map all reachable domain trusts
Invoke-MapDomainTrust
# enumerate groups with 'foreign' users, and convert the foreign principal SIDs to names
Find-ForeignGroup -Domain external.local
Find-ForeignGroup -Domain external.local | Select-Object -ExpandProperty UserName | Convert-SidToName
@HarmJ0y
HarmJ0y / EncryptedStoreTests.ps1
Created August 31, 2016 22:28
Encrypted Store Tests
$RSA = New-RSAKeyPair
# local tests
$ComputerName = 'localhost'
$StorePath = 'C:\Temp\temp.bin'
Write-Host "`n[$ComputerName] AES Storepath : $StorePath"
".\secret.txt" | Write-EncryptedStore -StorePath $StorePath -Key 'Password123!'
Read-EncryptedStore -StorePath $StorePath -Key 'Password123!' -List
Get-EncryptedStoreData -StorePath $StorePath | Remove-EncryptedStore
@HarmJ0y
HarmJ0y / rotate.ps1
Last active August 31, 2022 17:20
PowerShell binary rotate right/left on individual bytes
function Rotate-Byte {
<#
.SYNOPSIS
Performs left/right binary rotation on individual bytes.
Author: @harmj0y
.DESCRIPTION
Implements the logic to perform per-byte binary rotates right and left.
@HarmJ0y
HarmJ0y / KeeThief.markdown
Last active March 20, 2020 19:43
KeeThief clarification points

A few clarification points for the "KeeThief – A Case Study in Attacking KeePass Part 2" post:

  1. KeeThief doesn't require local administrator rights, only rights to access the KeePass.exe process space you're targeting.

  2. KeeThief.ps1 is fully self-contained (no dependencies and no files dropped to disk) and PowerShell Version 2 compliant (so it will work on Windows 7+).

  3. Secure desktop doesn't matter/come into play as a keylogger isn't used or needed.

  4. This approach is different from KeeFarce - KeeThief recovers the plaintext master password and other key material from memory instead of calling internal methods to export the database contents.

@HarmJ0y
HarmJ0y / LNKBackdoor.ps1
Created July 4, 2016 20:49
Functions to 'backdoor' .LNK files with additional functionality and enumerate all 'backdoored' .LNKs on a system.
function Set-LNKBackdoor {
<#
.SYNOPSIS
Backdoors an existing .LNK shortcut to trigger the original binary and a payload specified by
-ScriptBlock or -Command.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
@HarmJ0y
HarmJ0y / Find-KeePassconfig.ps1
Created July 4, 2016 20:47
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
function Find-KeePassconfig {
<#
.SYNOPSIS
Finds and parses any KeePass.config.xml (2.X) and KeePass.ini (1.X) files.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
@HarmJ0y
HarmJ0y / Restore-UserDPAPI.ps1
Last active July 7, 2023 09:05
Restore a user's stolen DPAPI master key folder and optional KeePass DPAPI data blob.
function Restore-UserDPAPI {
<#
.SYNOPSIS
Restores a user account's DPAPI master key on a new system.
Author: @harmj0y
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None