PoSHMagiC0de Posted May 12, 2017

So, some people got the same idea. Out there on GitHub are all kinds of payloads you can play with that do some crazy things. Here are some links to some.

First one is PowerSploit. It's been talked about all over. This is a good starter. It also contains some good utility scripts for modifying your scripts.
https://github.com/PowerShellMafia/PowerSploit

Next is my favorite: Empire. I am going to link the stable branch, but under the 2.0 branch you can find Python payloads as well for your nix and OSX needs.
Root project: https://github.com/EmpireProject/Empire
Subfolder with all the PowerShell stuff: https://github.com/EmpireProject/Empire/tree/master/data/module_source

And just for kicks, hey Dav-ee, look, an agent.
https://github.com/EmpireProject/Empire/tree/master/data/agent

I couldn't help it. That agent is way beyond mine. Of course mine isn't designed to communicate across the internet, so securing the connection is not a big deal.
RazerBlade Posted May 12, 2017

I just need to add Nishang. Like PowerSploit but a little bigger.
https://github.com/samratashok/nishang
PoSHMagiC0de Posted May 15, 2017 (Author)

Here is a little snippet I made into a function to see if your current PowerShell instance is high integrity or not (if the PowerShell process that is currently running has bypassed UAC). At this present time I cannot tell you the usefulness of this in the BB world, except to limit scripts if the process is not UAC bypassed, but it may come in handy.

```powershell
function Get-isHighIntegrity {
    $isAdmin = $false

    # If the process is running as SYSTEM then we are in a high integrity process.
    if (([Environment]::UserName).ToLower() -eq 'system') {
        $isAdmin = $true
    }
    else {
        # Otherwise check the token groups: IsInRole only counts enabled groups,
        # so a UAC-filtered (medium integrity) admin token reports $false here.
        $isAdmin = ([Security.Principal.WindowsPrincipal] `
            [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
                [Security.Principal.WindowsBuiltInRole]'Administrator')
    }

    return $isAdmin
}
```

I believe this is a snippet from Empire's agent. My old way was a huge C# routine to check pointers, which looks to only be needed for processes you are not in. This function returns a Boolean: true if it is high integrity, false if not.
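The function above infers "high integrity" from SYSTEM or Administrators membership. As an added example (not code from the thread, from Empire, or from PowerSploit), here is a PowerShell function that reads the token's mandatory integrity label directly with advapi32!GetTokenInformation (TokenIntegrityLevel, class 25) and maps the S-1-16-<RID> SID to a level, so a payload can gate itself on the actual label. The class and function names (TokenNative, Get-ProcessIntegrityLevel, Test-IsHighIntegrity) are my own; the Win32 signature and the RID thresholds (0x1000 Low, 0x2000 Medium, 0x3000 High, 0x4000 System) are the documented ones.

```powershell
# Added example: read the current process token's integrity label via P/Invoke.
# TokenNative / Get-ProcessIntegrityLevel / Test-IsHighIntegrity are names chosen here.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenNative
{
    // advapi32!GetTokenInformation, called here with TokenIntegrityLevel (class 25).
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool GetTokenInformation(
        IntPtr TokenHandle, int TokenInformationClass,
        IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);
}
"@

function Get-ProcessIntegrityLevel {
    # Returns the integrity SID, its RID, and a friendly level name for this process.
    $TokenIntegrityLevel = 25

    # Keep the WindowsIdentity object alive while we use its handle: it owns the token.
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $token = $identity.Token

    # First call with a zero-length buffer only reports the size we need.
    [uint32]$len = 0
    [void][TokenNative]::GetTokenInformation($token, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
    if ($len -eq 0) { throw "GetTokenInformation size query failed" }

    $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
    try {
        if (-not [TokenNative]::GetTokenInformation($token, $TokenIntegrityLevel, $buf, $len, [ref]$len)) {
            throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        # The buffer holds a TOKEN_MANDATORY_LABEL; Label.Sid is its first field.
        $sidPtr = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
        $sid = New-Object Security.Principal.SecurityIdentifier($sidPtr)
    }
    finally {
        [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
    }

    # Integrity SIDs look like S-1-16-<RID>; the RID encodes the level.
    $rid = [int]($sid.Value.Split('-')[-1])
    $level = switch ($rid) {
        { $_ -lt 0x1000 }                    { 'Untrusted' }
        { $_ -ge 0x1000 -and $_ -lt 0x2000 } { 'Low' }
        { $_ -ge 0x2000 -and $_ -lt 0x3000 } { 'Medium' }
        { $_ -ge 0x3000 -and $_ -lt 0x4000 } { 'High' }
        { $_ -ge 0x4000 }                    { 'System' }
    }

    [pscustomobject]@{ Sid = $sid.Value; Rid = $rid; Level = $level }
}

function Test-IsHighIntegrity {
    # True for High (0x3000) and above, i.e. an elevated token or SYSTEM.
    (Get-ProcessIntegrityLevel).Rid -ge 0x3000
}

# Usage: gate the rest of a payload on the label rather than on group membership.
$il = Get-ProcessIntegrityLevel
Write-Host "Integrity level: $($il.Level) ($($il.Sid))"
if (-not (Test-IsHighIntegrity)) {
    Write-Host "Not high integrity; skipping steps that need an elevated token."
}
```

To cross-check the result by hand, `whoami /groups` lists the same label as "Mandatory Label\High Mandatory Level" (or Medium, Low, System) for the shell it is run from, so you can compare the function's output against it in both an elevated and a non-elevated PowerShell window.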
rottingsun Posted May 15, 2017

The latest Empire stagers actually have a bunny target.
PoSHMagiC0de Posted May 15, 2017 (Author)

2 hours ago, rottingsun said: The latest Empire stagers actually have a bunny target.

Yeah, I was speaking with the author on GitHub through his pull request about it. We were discussing whether the way he did it was compatible with all versions of the bunny, 1.0 and up, after I suggested making it for the latest version. He had a better point about making it just work across the board.