[Edit 8/13/15] – Here is how the old version 1.9 cmdlets in this post translate to PowerView 2.0:
- Invoke-CopyFile -> Copy-ClonedFile
- Additionally, the -ExcludeIPC and -ExcludePrint flags for Invoke-ShareFinder are no longer needed
So you’re on an engagement and everything seems pretty locked down. Group Policy Preferences doesn’t have any deployment passwords left lying around, you’re not a local administrator on the machine, and PowerUp can’t find any common escalation vectors. You even try to see where else your current user token might have local administrator rights but nothing pops. How can you go about spreading laterally?
One method, related to mining file shares for sensitive data, is backdooring commonly used executables found throughout the network. This used to be a fairly manual and time-intensive process, but PowerView has recently incorporated a few functions that can help facilitate the search. Your first step will be finding what shares you have read access to, the same step as described in the data hunting post:
- PS C:\> Invoke-ShareFinder -ExcludeIPC -ExcludePrint -CheckShareAccess | Out-File -Encoding ascii found_shares.txt
This will spit out a readable share list that you can then filter/prune a bit. Recursive listings/searches can take quite a bit of time, so the fewer targets you're searching, the faster everything will go. Now that you have your candidate share list, let's hunt for some executables. The -FreshEXEs flag that's been added to Invoke-FileFinder will search for executable files that have a LastAccessTime within the past week. The -CheckWriteAccess flag will then check any found .exe for write access:
- PS C:\> Invoke-FileFinder -ShareList .\found_shares.txt -FreshEXEs -ExcludeHidden -CheckWriteAccess
This should spit out a list of all recently used executables that your current user has write access to. Now that you have some targets in your sights, the next step is actually trojaning the .exes. Copy off one of the writeable targets to your attack box and fire up Joshua Pitts' (@midnite_runr) awesome Backdoor Factory, either standalone or through Veil-Evasion:
Now we can take our shiny new backdoored executable and overwrite the original binary hosted on the remote share. For a final touch, we can clone the MAC properties (the Modified, Accessed and Created timestamps) so the trojaned executable matches the original, using information from @obscuresec's post Modifying MAC Properties with Powershell. His Set-MacAttribute function has been integrated into PowerView, and is invoked automatically by Invoke-CopyFile:
- PS C:\> Invoke-CopyFile trojaned_file.exe \\TARGET\folder\file.exe
Now sit back, relax, and wait for the shells to roll in :)
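For the defender's side of the same exposure, here is an added PowerShell audit (not part of the original post or of PowerView) that walks a share for executables whose NTFS ACL grants write-class rights to broad principals and keeps a SHA256 baseline, so an overwrite is caught even when the timestamps have been cloned. The share path, baseline file name and principal list are assumptions to adjust for your environment.

```powershell
# Added defensive audit script (not part of PowerView or the original post).
# Assumptions: $SharePath and $BaselineCsv are placeholders, and the account
# running this has read access to the share's files and NTFS ACLs.
$SharePath   = '\\FILESERVER\Apps'   # placeholder: share to audit
$BaselineCsv = '.\exe_baseline.csv'  # placeholder: hash baseline from the last run

# Principals that should never hold write-class rights on a deployed binary.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-ExeExposure {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Include '*.exe','*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Allow ACEs granting any write-class right to a broad principal.
        $risky = (Get-Acl -LiteralPath $file.FullName).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $WriteRights) -ne 0 -and
            ($BroadPrincipals -contains $_.IdentityReference.Value)
        }
        [pscustomobject]@{
            Path          = $file.FullName
            # A content hash survives timestamp cloning: Set-MacAttribute cannot hide a changed hash.
            SHA256        = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            LastWriteUtc  = $file.LastWriteTimeUtc
            BroadWriteACE = ($risky | ForEach-Object {
                "$($_.IdentityReference.Value):$($_.FileSystemRights)" }) -join ';'
        }
    }
}

$results = Get-ExeExposure -Path $SharePath

# Diff against the previous baseline: a changed hash means the binary was overwritten.
if (Test-Path $BaselineCsv) {
    $old = @{}
    Import-Csv $BaselineCsv | ForEach-Object { $old[$_.Path] = $_.SHA256 }
    $results | Where-Object { $old.ContainsKey($_.Path) -and $old[$_.Path] -ne $_.SHA256 } |
        ForEach-Object { Write-Warning "Hash changed since baseline: $($_.Path)" }
}

# Binaries a broad principal can overwrite: the exposure the search above is looking for.
$results | Where-Object { $_.BroadWriteACE } | Format-Table Path, BroadWriteACE -AutoSize
$results | Export-Csv -NoTypeInformation -Path $BaselineCsv
```

Inherit-only ACEs expressed as generic (GENERIC_*) rights are not decoded by the mask check, so review the folder ACLs on the share as well. Run it on a schedule from a read-only service account and alert on the Write-Warning lines.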