Powershell

The PowerView PowerUsage Series #5

This is the fifth post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of the entire series. The Scenario You discovered on an engagement that most user workstations contain the user’s Active Directory samaccount name, e.g. John Smith’s (jsmith@domain.local) machine …

The PowerView PowerUsage Series #4

This is a short follow-up to my “A Guide to Attacking Domain Trusts” post, and the fourth post in my “PowerView PowerUsage” series. It follows the same Scenario/Solution/Explanation pattern as the previous entries, with the original post containing a constantly updated list of the entire series. One of the methods for trust hopping that I …

The PowerView PowerUsage Series #3

This is the third post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of the entire series. Active Directory access control is something my workmates and I have been very interested in over the past year. So far, this has …

Make PowerView Great Again

Yesterday’s commit to the PowerSploit dev branch is the biggest set of changes to PowerView since its inception. I’ve spent the last month or so rewriting PowerView from the ground up, squashing a number of bugs, adding a chunk of features, and standardizing the code base’s behavior. The commit message summarizes the modifications, but I wanted to spend …

Kerberoasting Without Mimikatz

Just about two years ago, Tim Medin presented a new attack technique he christened “Kerberoasting”. While we didn’t realize the full implications of this at the time of release, this attack technique has been a bit of a game changer for us on engagements. More and more attention has been brought to Kerberoasting recently, with …

Command and Control Using Active Directory

‘Exotic’ command and control (C2) channels always interest me. As defenses start to get more sophisticated, standard channels that have been stealthy before (like DNS) may start to lose their efficacy. I’m always on the lookout for non-obvious, one-way (or ideally two-way) communication methods. This post will cover a proof of concept for an internal C2 approach that uses standard …

PowerShell RC4

Every language needs an RC4 implementation. Despite its insecurities, RC4 is widely used due to its simple algorithm and the minimal amount of code it takes to implement it. Some people have even tried to fit implementations into single tweets. It’s commonly used by malware due to its low overhead, and I’m actually shocked that RosettaCode doesn’t have …

Upgrading PowerUp With PSReflect

PowerUp is something that I haven’t written about much in nearly two years. It recently went through a long overdue overhaul in preparation for our “Advanced PowerShell for Offensive Operations” training class, and I wanted to document the recent changes and associated development challenges. Being one of the first PowerShell scripts I ever wrote, there was a LOT to clean …
