https://pastein.ru/t/mY8
Загрузка данных
Apr 17, 2024 @ 12:55:43.153
winlog.event_data.param3:
CommandInvocation(Write-XmlReport): "Write-XmlReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.xml"
event.original:
Pipeline execution details for command line: "XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName } . Context Information: DetailSequence=1 DetailTotal=2 SequenceNumber=244886 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName } Details: CommandInvocation(Write-XmlReport): "Write-XmlReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.xml"
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:55:43.153
winlog.keywords:
Classic
winlog.channel:
Windows PowerShell
winlog.record_id:
123,463
winlog.api:
wineventlog
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1:
"XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2:
DetailSequence=1 DetailTotal=2 SequenceNumber=244886 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.opcode:
Info
winlog.event_id:
800
winlog.task:
Pipeline Execution Details
winlog.provider_name:
PowerShell
log.level:
information
host.name:
maslov-o-pc.ferrumfox.corp
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.name:
Windows 10 Pro
host.os.platform:
windows
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:55:46.382
event.code:
800
_id:
YZIg7I4BjcmPCGzWrQjV
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:55:43.153
@version
1
_id
YZIg7I4BjcmPCGzWrQjV
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:55:46.382
event.kind
event
event.original
Pipeline execution details for command line: "XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.
Context Information:
DetailSequence=1
DetailTotal=2
SequenceNumber=244886
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
Details:
CommandInvocation(Write-XmlReport): "Write-XmlReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.xml"
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
"XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2
DetailSequence=1
DetailTotal=2
SequenceNumber=244886
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "XML" { Write-XmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param3
CommandInvocation(Write-XmlReport): "Write-XmlReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.xml"
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
123,463
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:55:43.081
winlog.event_data.param3:
CommandInvocation(Write-HtmlReport): "Write-HtmlReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.html"
event.original:
Pipeline execution details for command line: "HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName } . Context Information: DetailSequence=1 DetailTotal=2 SequenceNumber=244882 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName } Details: CommandInvocation(Write-HtmlReport): "Write-HtmlReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.html"
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:55:43.081
winlog.keywords:
Classic
winlog.channel:
Windows PowerShell
winlog.record_id:
123,436
winlog.api:
wineventlog
winlog.opcode:
Info
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1:
"HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2:
DetailSequence=1 DetailTotal=2 SequenceNumber=244882 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.task:
Pipeline Execution Details
winlog.event_id:
800
winlog.provider_name:
PowerShell
log.level:
information
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.name:
maslov-o-pc.ferrumfox.corp
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.name:
Windows 10 Pro
host.os.platform:
windows
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:55:46.268
event.code:
800
_id:
4pIg7I4BjcmPCGzWrQfT
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:55:43.081
@version
1
_id
4pIg7I4BjcmPCGzWrQfT
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:55:46.268
event.kind
event
event.original
Pipeline execution details for command line: "HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.
Context Information:
DetailSequence=1
DetailTotal=2
SequenceNumber=244882
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
Details:
CommandInvocation(Write-HtmlReport): "Write-HtmlReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.html"
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
"HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2
DetailSequence=1
DetailTotal=2
SequenceNumber=244882
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "HTML" { Write-HtmlReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param3
CommandInvocation(Write-HtmlReport): "Write-HtmlReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.html"
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
123,436
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:55:43.037
winlog.event_data.param3:
CommandInvocation(Write-CsvReport): "Write-CsvReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.csv" ParameterBinding(Out-File): name="InputObject"; value=""Id","Category","DisplayName","Description","Severity","ResultRawString"" ParameterBinding(Out-File): name="InputObject"; value=""NET_WLAN","TA0001 - Initial Access","Wi-Fi profiles","Get information about saved Wi-Fi profiles. Clear-text pre-shared keys (PSK) are displayed when possible, and potentially vulnerable 802.1x profiles are listed.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""NET_AIRSTRIKE","TA0001 - Initial Access","Network selection from lock screen","Check whether the 'Do not display network selection UI' policy is enabled on workstations (CVE-2021-28316 - Airstrike attack).","Low"," Key : HKLM\SOFTWARE\Policies\Microsoft\Windows\System Value : DontDisplayNetworkSelectionUI Data : (null) Description : The network selection UI is displayed on the logon screen (default). "" ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_FILE_EXTENSION_ASSOC","TA0001 - Initial Access","File extension associations","Check whether file extensions such as '.bat' or '.wsh' are associated to a text editor. Note that only basic text editors such as 'Notepad' are detected. If a rich text editor is set instead, this check could yield false positives.","Low"," Extension Command --------- ------- .application ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbApplication %1 .appref-ms ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbShortcut %1|%2 .bat ""%1"" %* .chm ""C:\Windows\hh.exe"" %1 .cmd ""%1"" %* .com ""%1"" %* .cpl C:\Windows\System32\control.exe ""%1"",%* .diagcab C:\Windows\system32\msdt.exe /cab ""%1"" .hta C:\Windows\SysWOW64\mshta.exe ""%1"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-8... .hlp C:\Windows\winhlp32.exe %1 .htm ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1 .html ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1 .js C:\Windows\System32\WScript.exe ""%1"" %* .JSE C:\Windows\System32\WScript.exe ""%1"" %* .library-ms C:\Windows\Explorer.exe .mht ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1 .mhtml ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1 .msc C:\Windows\system32\mmc.exe ""%1"" %* .msrcincident ""C:\Windows\system32\msra.exe"" -openfile ""%1"" .pif ""%1"" %* .ppkg ""C:\Windows\System32\provtool.exe"" ""%1"" /source ShellOpen .psc1 ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -p ""%1"" .reg regedit.exe ""%1"" .scf C:\Windows\explorer.exe .scr ""%1"" /S .searchConnector-ms C:\Windows\Explorer.exe .search-ms C:\Windows\Explorer.exe .theme C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction %1 .themepack C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction %1 .URL ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\ieframe.dll"",OpenURL %l .VBE ""C:\Windows\System32\WScript.exe"" ""%1"" %* .vbs ""C:\Windows\System32\WScript.exe"" ""%1"" %* .WSF ""C:\Windows\System32\WScript.exe"" ""%1"" %* .WSH ""C:\Windows\System32\WScript.exe"" ""%1"" %* "" ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BITLOCKER","TA0001 - Initial Access","BitLocker configuration","Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed.","High"," MachineRole : Workstation Description : BitLocker is not enabled. "" ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BIOS_MODE","TA0003 - Persistence","UEFI & Secure Boot","Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI.","None"," Name Vulnerable Description ---- ---------- ----------- UEFI False BIOS mode is UEFI. Secure Boot False "" ParameterBinding(Out-File): name="InputObject"; value=""MISC_STARTUP_LAST","TA0004 - Privilege Escalation","Last system startup time","Get information about the last startup date and time based on the machine's tick count. Note that the result might not be completely reliable.","None"," Time ---- 2024-04-16 - 12:37:58 "" ParameterBinding(Out-File): name="InputObject"; value=""NET_UDP_ENDPOINTS","TA0004 - Privilege Escalation","UDP endpoint servers","Get information about all the UDP ports that are in a LISTEN state. Note that the associated process is also listed. DNS is filtered out to minimize the output.","None"," IP Proto LocalAddress State PID Name -- ----- ------------ ----- --- ---- IPv4 UDP 0.0.0.0:123 N/A 1112 svchost IPv4 UDP 0.0.0.0:500 N/A 2948 svchost IPv4 UDP 0.0.0.0:3389 N/A 688 svchost IPv4 UDP 0.0.0.0:4500 N/A 2948 svchost IPv4 UDP 0.0.0.0:5050 N/A 6028 svchost IPv4 UDP 0.0.0.0:5353 N/A 1296 svchost IPv4 UDP 0.0.0.0:5353 N/A 3880 chrome IPv4 UDP 0.0.0.0:5355 N/A 1296 svchost IPv4 UDP 0.0.0.0:58558 N/A 9256 chrome IPv4 UDP 10.181.21.46:137 N/A 4 System IPv4 UDP 10.181.21.46:138 N/A 4 System IPv4 UDP 10.181.21.46:1900 N/A 976 svchost IPv4 UDP 10.181.21.46:63426 N/A 976 svchost IPv4 UDP 127.0.0.1:1900 N/A 976 svchost IPv4 UDP 127.0.0.1:61940 N/A 652 lsass IPv4 UDP 127.0.0.1:63427 N/A 976 svchost IPv4 UDP 127.0.0.1:65492 N/A 1460 svchost IPv4 UDP 127.0.0.1:65494 N/A 2092 svchost IPv6 UDP [::]:123 N/A 1112 svchost IPv6 UDP [::]:500 N/A 2948 svchost IPv6 UDP [::]:3389 N/A 688 svchost IPv6 UDP [::]:4500 N/A 2948 svchost IPv6 UDP [::1]:1900 N/A 976 svchost IPv6 UDP [::1]:63425 N/A 976 svchost "" ParameterBinding(Out-File): name="InputObject"; value=""NET_TCP_ENDPOINTS","TA0004 - Privilege Escalation","TCP endpoint servers","Get information about all the TCP ports that are in a LISTEN state. Note that the associated process is also listed.","None"," IP Proto LocalAddress State PID Name -- ----- ------------ ----- --- ---- IPv4 TCP 0.0.0.0:135 LISTENING 816 svchost IPv4 TCP 0.0.0.0:445 LISTENING 4 System IPv4 TCP 0.0.0.0:3389 LISTENING 688 svchost IPv4 TCP 0.0.0.0:5040 LISTENING 6028 svchost IPv4 TCP 0.0.0.0:7680 LISTENING 1040 svchost IPv4 TCP 0.0.0.0:49664 LISTENING 652 lsass IPv4 TCP 0.0.0.0:49665 LISTENING 504 wininit IPv4 TCP 0.0.0.0:49666 LISTENING 1372 svchost IPv4 TCP 0.0.0.0:49667 LISTENING 1348 svchost IPv4 TCP 0.0.0.0:49670 LISTENING 2248 svchost IPv4 TCP 0.0.0.0:49671 LISTENING 2800 spoolsv IPv4 TCP 0.0.0.0:49672 LISTENING 652 lsass IPv4 TCP 0.0.0.0:49692 LISTENING 644 services IPv4 TCP 10.181.21.46:139 LISTENING 4 System IPv6 TCP [::]:135 LISTENING 816 svchost IPv6 TCP [::]:445 LISTENING 4 System IPv6 TCP [::]:3389 LISTENING 688 svchost IPv6 TCP [::]:7680 LISTENING 1040 svchost IPv6 TCP [::]:49664 LISTENING 652 lsass IPv6 TCP [::]:49665 LISTENING 504 wininit IPv6 TCP [::]:49666 LISTENING 1372 svchost IPv6 TCP [::]:49667 LISTENING 1348 svchost IPv6 TCP [::]:49670 LISTENING 2248 svchost IPv6 TCP [::]:49671 LISTENING 2800 spoolsv IPv6 TCP [::]:49672 LISTENING 652 lsass IPv6 TCP [::]:49692 LISTENING 644 services "" ParameterBinding(Out-File): name="InputObject"; value=""USER_PRIVILEGES","TA0004 - Privilege Escalation","User privileges","Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM.","None"," Name State Description Exploitable ---- ----- ----------- ----------- SeShutdownPrivilege Disabled Shut down the system False SeChangeNotifyPrivilege Enabled Bypass traverse checking False SeUndockPrivilege Disabled Remove computer from docking station False SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False SeTimeZonePrivilege Disabled Change the time zone False "" ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX","TA0004 - Privilege Escalation","Latest updates installed","Check whether a Windows security update was installed within the last 31 days.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX_INFO","TA0004 - Privilege Escalation","Windows Update history","Get information about Windows Update history. Update packages are sorted by date in descending order, so that most recent ones are shown first. Note that the script might fail to retrieve install dates when run with PowerShell version 2.","None"," HotFixID Description InstalledBy InstalledOn -------- ----------- ----------- ----------- KB5036892 Security Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5036618 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5033052 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5015684 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5011048 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5037018 Security Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM KB5027122 Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM KB5011352 Security Update 4/3/2022 12:00:00 AM KB5003791 Update 4/3/2022 12:00:00 AM "" ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HISTORY","TA0004 - Privilege Escalation","Last Windows Update date","Get information about the latest Windows update. Note that this check might be unreliable.","None"," Time TimeRaw ---- ------- 2024-04-17 - 12:48:36 4/17/2024 12:48:36 PM "" ParameterBinding(Out-File): name="InputObject"; value=""MISC_HIJACKABLE_DLL","TA0004 - Privilege Escalation","Known ghost DLLs","Get information about services that are known to be prone to ghost DLL hijacking. Note that their exploitation requires the current user to have write permissions on at least one system-wide PATH folder.","None"," Name : cdpsgshims.dll Description : Loaded by the Connected Devices Platform Service (CDPSvc) upon startup. RunAs : NT AUTHORITY\LocalService RebootRequired : True Link : https://nafiez.github.io/security/eop/2019/11/05/windows-service-host-process-eop.html Name : WptsExtensions.dll Description : Loaded by the Task Scheduler service (Schedule) upon startup. RunAs : LocalSystem RebootRequired : True Link : http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html Name : SprintCSP.dll Description : Loaded by the Storage Service (StorSvc) when the RPC procedure 'SvcRebootToFlashingMode' is invoked. RunAs : LocalSystem RebootRequired : False Link : https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc "" ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_PATH_FOLDERS","TA0004 - Privilege Escalation","PATH folder permissions","Check whether the current user has any write permissions on the system-wide PATH folders. If so, the system could be vulnerable to privilege escalation through ghost DLL hijacking.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""SCHTASKS_IMAGE_PERMISSIONS","TA0004 - Privilege Escalation","Scheduled task binary permissions","Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_MSI","TA0004 - Privilege Escalation","AlwaysInstallElevated","Check whether the 'AlwaysInstallElevated' policy is enabled system-wide and for the current user. If so, the current user may install a Windows Installer package with elevated (SYSTEM) privileges.","None"," LocalMachineKey : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer LocalMachineValue : AlwaysInstallElevated LocalMachineData : (null) Description : AlwaysInstallElevated is not enabled in HKLM. ""
event.original:
Pipeline execution details for command line: "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } . Context Information: DetailSequence=1 DetailTotal=7 SequenceNumber=244878 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } Details: CommandInvocation(Write-CsvReport): "Write-CsvReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.csv" ParameterBinding(Out-File): name="InputObject"; value=""Id","Category","DisplayName","Description","Severity","ResultRawString"" ParameterBinding(Out-File): name="InputObject"; value=""NET_WLAN","TA0001 - Initial Access","Wi-Fi profiles","Get information about saved Wi-Fi profiles. Clear-text pre-shared keys (PSK) are displayed when possible, and potentially vulnerable 802.1x profiles are listed.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""NET_AIRSTRIKE","TA0001 - Initial Access","Network selection from lock screen","Check whether the 'Do not display network selection UI' policy is enabled on workstations (CVE-2021-28316 - Airstrike attack).","Low"," Key : HKLM\SOFTWARE\Policies\Microsoft\Windows\System Value : DontDisplayNetworkSelectionUI Data : (null) Description : The network selection UI is displayed on the logon screen (default). "" ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_FILE_EXTENSION_ASSOC","TA0001 - Initial Access","File extension associations","Check whether file extensions such as '.bat' or '.wsh' are associated to a text editor. Note that only basic text editors such as 'Notepad' are detected. If a rich text editor is set instead, this check could yield false positives.","Low"," Extension Command --------- ------- .application ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbApplication "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .appref-ms ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbShortcut "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } | DetailSequence=1 DetailTotal=7 SequenceNumber=244878 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .bat "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .chm ""C:\Windows\hh.exe"" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .cmd "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .com "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .cpl C:\Windows\System32\control.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "",%* .diagcab C:\Windows\system32\msdt.exe /cab "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" .hta C:\Windows\SysWOW64\mshta.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-8... .hlp C:\Windows\winhlp32.exe "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .htm ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .html ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .js C:\Windows\System32\WScript.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .JSE C:\Windows\System32\WScript.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .library-ms C:\Windows\Explorer.exe .mht ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .mhtml ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .msc C:\Windows\system32\mmc.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .msrcincident ""C:\Windows\system32\msra.exe"" -openfile "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" .pif "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .ppkg ""C:\Windows\System32\provtool.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" /source ShellOpen .psc1 ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -p "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" .reg regedit.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" .scf C:\Windows\explorer.exe .scr "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" /S .searchConnector-ms C:\Windows\Explorer.exe .search-ms C:\Windows\Explorer.exe .theme C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .themepack C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } .URL ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\ieframe.dll"",OpenURL %l .VBE ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .vbs ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .WSF ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* .WSH ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName } "" %* "" ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BITLOCKER","TA0001 - Initial Access","BitLocker configuration","Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed.","High"," MachineRole : Workstation Description : BitLocker is not enabled. "" ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BIOS_MODE","TA0003 - Persistence","UEFI & Secure Boot","Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI.","None"," Name Vulnerable Description ---- ---------- ----------- UEFI False BIOS mode is UEFI. Secure Boot False "" ParameterBinding(Out-File): name="InputObject"; value=""MISC_STARTUP_LAST","TA0004 - Privilege Escalation","Last system startup time","Get information about the last startup date and time based on the machine's tick count. Note that the result might not be completely reliable.","None"," Time ---- 2024-04-16 - 12:37:58 "" ParameterBinding(Out-File): name="InputObject"; value=""NET_UDP_ENDPOINTS","TA0004 - Privilege Escalation","UDP endpoint servers","Get information about all the UDP ports that are in a LISTEN state. Note that the associated process is also listed. DNS is filtered out to minimize the output.","None"," IP Proto LocalAddress State PID Name -- ----- ------------ ----- --- ---- IPv4 UDP 0.0.0.0:123 N/A 1112 svchost IPv4 UDP 0.0.0.0:500 N/A 2948 svchost IPv4 UDP 0.0.0.0:3389 N/A 688 svchost IPv4 UDP 0.0.0.0:4500 N/A 2948 svchost IPv4 UDP 0.0.0.0:5050 N/A 6028 svchost IPv4 UDP 0.0.0.0:5353 N/A 1296 svchost IPv4 UDP 0.0.0.0:5353 N/A 3880 chrome IPv4 UDP 0.0.0.0:5355 N/A 1296 svchost IPv4 UDP 0.0.0.0:58558 N/A 9256 chrome IPv4 UDP 10.181.21.46:137 N/A 4 System IPv4 UDP 10.181.21.46:138 N/A 4 System IPv4 UDP 10.181.21.46:1900 N/A 976 svchost IPv4 UDP 10.181.21.46:63426 N/A 976 svchost IPv4 UDP 127.0.0.1:1900 N/A 976 svchost IPv4 UDP 127.0.0.1:61940 N/A 652 lsass IPv4 UDP 127.0.0.1:63427 N/A 976 svchost IPv4 UDP 127.0.0.1:65492 N/A 1460 svchost IPv4 UDP 127.0.0.1:65494 N/A 2092 svchost IPv6 UDP [::]:123 N/A 1112 svchost IPv6 UDP [::]:500 N/A 2948 svchost IPv6 UDP [::]:3389 N/A 688 svchost IPv6 UDP [::]:4500 N/A 2948 svchost IPv6 UDP [::1]:1900 N/A 976 svchost IPv6 UDP [::1]:63425 N/A 976 svchost "" ParameterBinding(Out-File): name="InputObject"; value=""NET_TCP_ENDPOINTS","TA0004 - Privilege Escalation","TCP endpoint servers","Get information about all the TCP ports that are in a LISTEN state. Note that the associated process is also listed.","None"," IP Proto LocalAddress State PID Name -- ----- ------------ ----- --- ---- IPv4 TCP 0.0.0.0:135 LISTENING 816 svchost IPv4 TCP 0.0.0.0:445 LISTENING 4 System IPv4 TCP 0.0.0.0:3389 LISTENING 688 svchost IPv4 TCP 0.0.0.0:5040 LISTENING 6028 svchost IPv4 TCP 0.0.0.0:7680 LISTENING 1040 svchost IPv4 TCP 0.0.0.0:49664 LISTENING 652 lsass IPv4 TCP 0.0.0.0:49665 LISTENING 504 wininit IPv4 TCP 0.0.0.0:49666 LISTENING 1372 svchost IPv4 TCP 0.0.0.0:49667 LISTENING 1348 svchost IPv4 TCP 0.0.0.0:49670 LISTENING 2248 svchost IPv4 TCP 0.0.0.0:49671 LISTENING 2800 spoolsv IPv4 TCP 0.0.0.0:49672 LISTENING 652 lsass IPv4 TCP 0.0.0.0:49692 LISTENING 644 services IPv4 TCP 10.181.21.46:139 LISTENING 4 System IPv6 TCP [::]:135 LISTENING 816 svchost IPv6 TCP [::]:445 LISTENING 4 System IPv6 TCP [::]:3389 LISTENING 688 svchost IPv6 TCP [::]:7680 LISTENING 1040 svchost IPv6 TCP [::]:49664 LISTENING 652 lsass IPv6 TCP [::]:49665 LISTENING 504 wininit IPv6 TCP [::]:49666 LISTENING 1372 svchost IPv6 TCP [::]:49667 LISTENING 1348 svchost IPv6 TCP [::]:49670 LISTENING 2248 svchost IPv6 TCP [::]:49671 LISTENING 2800 spoolsv IPv6 TCP [::]:49672 LISTENING 652 lsass IPv6 TCP [::]:49692 LISTENING 644 services "" ParameterBinding(Out-File): name="InputObject"; value=""USER_PRIVILEGES","TA0004 - Privilege Escalation","User privileges","Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM.","None"," Name State Description Exploitable ---- ----- ----------- ----------- SeShutdownPrivilege Disabled Shut down the system False SeChangeNotifyPrivilege Enabled Bypass traverse checking False SeUndockPrivilege Disabled Remove computer from docking station False SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False SeTimeZonePrivilege Disabled Change the time zone False "" ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX","TA0004 - Privilege Escalation","Latest updates installed","Check whether a Windows security update was installed within the last 31 days.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX_INFO","TA0004 - Privilege Escalation","Windows Update history","Get information about Windows Update history. Update packages are sorted by date in descending order, so that most recent ones are shown first. Note that the script might fail to retrieve install dates when run with PowerShell version 2.","None"," HotFixID Description InstalledBy InstalledOn -------- ----------- ----------- ----------- KB5036892 Security Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5036618 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5033052 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5015684 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5011048 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM KB5037018 Security Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM KB5027122 Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM KB5011352 Security Update 4/3/2022 12:00:00 AM KB5003791 Update 4/3/2022 12:00:00 AM "" ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HISTORY","TA0004 - Privilege Escalation","Last Windows Update date","Get information about the latest Windows update. Note that this check might be unreliable.","None"," Time TimeRaw ---- ------- 2024-04-17 - 12:48:36 4/17/2024 12:48:36 PM "" ParameterBinding(Out-File): name="InputObject"; value=""MISC_HIJACKABLE_DLL","TA0004 - Privilege Escalation","Known ghost DLLs","Get information about services that are known to be prone to ghost DLL hijacking. Note that their exploitation requires the current user to have write permissions on at least one system-wide PATH folder.","None"," Name : cdpsgshims.dll Description : Loaded by the Connected Devices Platform Service (CDPSvc) upon startup. RunAs : NT AUTHORITY\LocalService RebootRequired : True Link : https://nafiez.github.io/security/eop/2019/11/05/windows-service-host-process-eop.html Name : WptsExtensions.dll Description : Loaded by the Task Scheduler service (Schedule) upon startup. RunAs : LocalSystem RebootRequired : True Link : http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html Name : SprintCSP.dll Description : Loaded by the Storage Service (StorSvc) when the RPC procedure 'SvcRebootToFlashingMode' is invoked. RunAs : LocalSystem RebootRequired : False Link : https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc "" ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_PATH_FOLDERS","TA0004 - Privilege Escalation","PATH folder permissions","Check whether the current user has any write permissions on the system-wide PATH folders. If so, the system could be vulnerable to privilege escalation through ghost DLL hijacking.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""SCHTASKS_IMAGE_PERMISSIONS","TA0004 - Privilege Escalation","Scheduled task binary permissions","Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks.","None",""" ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_MSI","TA0004 - Privilege Escalation","AlwaysInstallElevated","Check whether the 'AlwaysInstallElevated' policy is enabled system-wide and for the current user. If so, the current user may install a Windows Installer package with elevated (SYSTEM) privileges.","None"," LocalMachineKey : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer LocalMachineValue : AlwaysInstallElevated LocalMachineData : (null) Description : AlwaysInstallElevated is not enabled in HKLM. ""
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:55:43.037
winlog.keywords:
Classic
winlog.record_id:
123,414
winlog.api:
wineventlog
winlog.channel:
Windows PowerShell
winlog.event_data.param1:
"CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2:
DetailSequence=1 DetailTotal=7 SequenceNumber=244878 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.opcode:
Info
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.event_id:
800
winlog.task:
Pipeline Execution Details
winlog.provider_name:
PowerShell
log.level:
information
host.name:
maslov-o-pc.ferrumfox.corp
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.name:
Windows 10 Pro
host.os.platform:
windows
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:55:46.267
event.code:
800
_id:
zJIg7I4BjcmPCGzWrQfT
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:55:43.037
@version
1
_id
zJIg7I4BjcmPCGzWrQfT
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:55:46.267
event.kind
event
event.original
Pipeline execution details for command line: "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.
Context Information:
DetailSequence=1
DetailTotal=7
SequenceNumber=244878
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
Details:
CommandInvocation(Write-CsvReport): "Write-CsvReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.csv"
ParameterBinding(Out-File): name="InputObject"; value=""Id","Category","DisplayName","Description","Severity","ResultRawString""
ParameterBinding(Out-File): name="InputObject"; value=""NET_WLAN","TA0001 - Initial Access","Wi-Fi profiles","Get information about saved Wi-Fi profiles. Clear-text pre-shared keys (PSK) are displayed when possible, and potentially vulnerable 802.1x profiles are listed.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""NET_AIRSTRIKE","TA0001 - Initial Access","Network selection from lock screen","Check whether the 'Do not display network selection UI' policy is enabled on workstations (CVE-2021-28316 - Airstrike attack).","Low","
Key : HKLM\SOFTWARE\Policies\Microsoft\Windows\System
Value : DontDisplayNetworkSelectionUI
Data : (null)
Description : The network selection UI is displayed on the logon screen (default).
""
ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_FILE_EXTENSION_ASSOC","TA0001 - Initial Access","File extension associations","Check whether file extensions such as '.bat' or '.wsh' are associated to a text editor. Note that only basic text editors such as 'Notepad' are detected. If a rich text editor is set instead, this check could yield false positives.","Low","
Extension Command
--------- -------
.application ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbApplication "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.appref-ms ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbShortcut "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
| DetailSequence=1
DetailTotal=7
SequenceNumber=244878
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.bat "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.chm ""C:\Windows\hh.exe"" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.cmd "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.com "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.cpl C:\Windows\System32\control.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"",%*
.diagcab C:\Windows\system32\msdt.exe /cab "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
""
.hta C:\Windows\SysWOW64\mshta.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-8...
.hlp C:\Windows\winhlp32.exe "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.htm ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.html ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.js C:\Windows\System32\WScript.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.JSE C:\Windows\System32\WScript.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.library-ms C:\Windows\Explorer.exe
.mht ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.mhtml ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.msc C:\Windows\system32\mmc.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.msrcincident ""C:\Windows\system32\msra.exe"" -openfile "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
""
.pif "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.ppkg ""C:\Windows\System32\provtool.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" /source ShellOpen
.psc1 ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -p "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
""
.reg regedit.exe "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
""
.scf C:\Windows\explorer.exe
.scr "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" /S
.searchConnector-ms C:\Windows\Explorer.exe
.search-ms C:\Windows\Explorer.exe
.theme C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.themepack C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.URL ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\ieframe.dll"",OpenURL %l
.VBE ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.vbs ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.WSF ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
.WSH ""C:\Windows\System32\WScript.exe"" "" "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
"" %*
""
ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BITLOCKER","TA0001 - Initial Access","BitLocker configuration","Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed.","High","
MachineRole : Workstation
Description : BitLocker is not enabled.
""
ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BIOS_MODE","TA0003 - Persistence","UEFI & Secure Boot","Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI.","None","
Name Vulnerable Description
---- ---------- -----------
UEFI False BIOS mode is UEFI.
Secure Boot False
""
ParameterBinding(Out-File): name="InputObject"; value=""MISC_STARTUP_LAST","TA0004 - Privilege Escalation","Last system startup time","Get information about the last startup date and time based on the machine's tick count. Note that the result might not be completely reliable.","None","
Time
----
2024-04-16 - 12:37:58
""
ParameterBinding(Out-File): name="InputObject"; value=""NET_UDP_ENDPOINTS","TA0004 - Privilege Escalation","UDP endpoint servers","Get information about all the UDP ports that are in a LISTEN state. Note that the associated process is also listed. DNS is filtered out to minimize the output.","None","
IP Proto LocalAddress State PID Name
-- ----- ------------ ----- --- ----
IPv4 UDP 0.0.0.0:123 N/A 1112 svchost
IPv4 UDP 0.0.0.0:500 N/A 2948 svchost
IPv4 UDP 0.0.0.0:3389 N/A 688 svchost
IPv4 UDP 0.0.0.0:4500 N/A 2948 svchost
IPv4 UDP 0.0.0.0:5050 N/A 6028 svchost
IPv4 UDP 0.0.0.0:5353 N/A 1296 svchost
IPv4 UDP 0.0.0.0:5353 N/A 3880 chrome
IPv4 UDP 0.0.0.0:5355 N/A 1296 svchost
IPv4 UDP 0.0.0.0:58558 N/A 9256 chrome
IPv4 UDP 10.181.21.46:137 N/A 4 System
IPv4 UDP 10.181.21.46:138 N/A 4 System
IPv4 UDP 10.181.21.46:1900 N/A 976 svchost
IPv4 UDP 10.181.21.46:63426 N/A 976 svchost
IPv4 UDP 127.0.0.1:1900 N/A 976 svchost
IPv4 UDP 127.0.0.1:61940 N/A 652 lsass
IPv4 UDP 127.0.0.1:63427 N/A 976 svchost
IPv4 UDP 127.0.0.1:65492 N/A 1460 svchost
IPv4 UDP 127.0.0.1:65494 N/A 2092 svchost
IPv6 UDP [::]:123 N/A 1112 svchost
IPv6 UDP [::]:500 N/A 2948 svchost
IPv6 UDP [::]:3389 N/A 688 svchost
IPv6 UDP [::]:4500 N/A 2948 svchost
IPv6 UDP [::1]:1900 N/A 976 svchost
IPv6 UDP [::1]:63425 N/A 976 svchost
""
ParameterBinding(Out-File): name="InputObject"; value=""NET_TCP_ENDPOINTS","TA0004 - Privilege Escalation","TCP endpoint servers","Get information about all the TCP ports that are in a LISTEN state. Note that the associated process is also listed.","None","
IP Proto LocalAddress State PID Name
-- ----- ------------ ----- --- ----
IPv4 TCP 0.0.0.0:135 LISTENING 816 svchost
IPv4 TCP 0.0.0.0:445 LISTENING 4 System
IPv4 TCP 0.0.0.0:3389 LISTENING 688 svchost
IPv4 TCP 0.0.0.0:5040 LISTENING 6028 svchost
IPv4 TCP 0.0.0.0:7680 LISTENING 1040 svchost
IPv4 TCP 0.0.0.0:49664 LISTENING 652 lsass
IPv4 TCP 0.0.0.0:49665 LISTENING 504 wininit
IPv4 TCP 0.0.0.0:49666 LISTENING 1372 svchost
IPv4 TCP 0.0.0.0:49667 LISTENING 1348 svchost
IPv4 TCP 0.0.0.0:49670 LISTENING 2248 svchost
IPv4 TCP 0.0.0.0:49671 LISTENING 2800 spoolsv
IPv4 TCP 0.0.0.0:49672 LISTENING 652 lsass
IPv4 TCP 0.0.0.0:49692 LISTENING 644 services
IPv4 TCP 10.181.21.46:139 LISTENING 4 System
IPv6 TCP [::]:135 LISTENING 816 svchost
IPv6 TCP [::]:445 LISTENING 4 System
IPv6 TCP [::]:3389 LISTENING 688 svchost
IPv6 TCP [::]:7680 LISTENING 1040 svchost
IPv6 TCP [::]:49664 LISTENING 652 lsass
IPv6 TCP [::]:49665 LISTENING 504 wininit
IPv6 TCP [::]:49666 LISTENING 1372 svchost
IPv6 TCP [::]:49667 LISTENING 1348 svchost
IPv6 TCP [::]:49670 LISTENING 2248 svchost
IPv6 TCP [::]:49671 LISTENING 2800 spoolsv
IPv6 TCP [::]:49672 LISTENING 652 lsass
IPv6 TCP [::]:49692 LISTENING 644 services
""
ParameterBinding(Out-File): name="InputObject"; value=""USER_PRIVILEGES","TA0004 - Privilege Escalation","User privileges","Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM.","None","
Name State Description Exploitable
---- ----- ----------- -----------
SeShutdownPrivilege Disabled Shut down the system False
SeChangeNotifyPrivilege Enabled Bypass traverse checking False
SeUndockPrivilege Disabled Remove computer from docking station False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False
SeTimeZonePrivilege Disabled Change the time zone False
""
ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX","TA0004 - Privilege Escalation","Latest updates installed","Check whether a Windows security update was installed within the last 31 days.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX_INFO","TA0004 - Privilege Escalation","Windows Update history","Get information about Windows Update history. Update packages are sorted by date in descending order, so that most recent ones are shown first. Note that the script might fail to retrieve install dates when run with PowerShell version 2.","None","
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB5036892 Security Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5036618 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5033052 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5015684 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5011048 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5037018 Security Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM
KB5027122 Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM
KB5011352 Security Update 4/3/2022 12:00:00 AM
KB5003791 Update 4/3/2022 12:00:00 AM
""
ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HISTORY","TA0004 - Privilege Escalation","Last Windows Update date","Get information about the latest Windows update. Note that this check might be unreliable.","None","
Time TimeRaw
---- -------
2024-04-17 - 12:48:36 4/17/2024 12:48:36 PM
""
ParameterBinding(Out-File): name="InputObject"; value=""MISC_HIJACKABLE_DLL","TA0004 - Privilege Escalation","Known ghost DLLs","Get information about services that are known to be prone to ghost DLL hijacking. Note that their exploitation requires the current user to have write permissions on at least one system-wide PATH folder.","None","
Name : cdpsgshims.dll
Description : Loaded by the Connected Devices Platform Service (CDPSvc) upon startup.
RunAs : NT AUTHORITY\LocalService
RebootRequired : True
Link : https://nafiez.github.io/security/eop/2019/11/05/windows-service-host-process-eop.html
Name : WptsExtensions.dll
Description : Loaded by the Task Scheduler service (Schedule) upon startup.
RunAs : LocalSystem
RebootRequired : True
Link : http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
Name : SprintCSP.dll
Description : Loaded by the Storage Service (StorSvc) when the RPC procedure 'SvcRebootToFlashingMode' is invoked.
RunAs : LocalSystem
RebootRequired : False
Link : https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
""
ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_PATH_FOLDERS","TA0004 - Privilege Escalation","PATH folder permissions","Check whether the current user has any write permissions on the system-wide PATH folders. If so, the system could be vulnerable to privilege escalation through ghost DLL hijacking.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""SCHTASKS_IMAGE_PERMISSIONS","TA0004 - Privilege Escalation","Scheduled task binary permissions","Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_MSI","TA0004 - Privilege Escalation","AlwaysInstallElevated","Check whether the 'AlwaysInstallElevated' policy is enabled system-wide and for the current user. If so, the current user may install a Windows Installer package with elevated (SYSTEM) privileges.","None","
LocalMachineKey : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData : (null)
Description : AlwaysInstallElevated is not enabled in HKLM.
""
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
"CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2
DetailSequence=1
DetailTotal=7
SequenceNumber=244878
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "CSV" { Write-CsvReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param3
CommandInvocation(Write-CsvReport): "Write-CsvReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.csv"
ParameterBinding(Out-File): name="InputObject"; value=""Id","Category","DisplayName","Description","Severity","ResultRawString""
ParameterBinding(Out-File): name="InputObject"; value=""NET_WLAN","TA0001 - Initial Access","Wi-Fi profiles","Get information about saved Wi-Fi profiles. Clear-text pre-shared keys (PSK) are displayed when possible, and potentially vulnerable 802.1x profiles are listed.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""NET_AIRSTRIKE","TA0001 - Initial Access","Network selection from lock screen","Check whether the 'Do not display network selection UI' policy is enabled on workstations (CVE-2021-28316 - Airstrike attack).","Low","
Key : HKLM\SOFTWARE\Policies\Microsoft\Windows\System
Value : DontDisplayNetworkSelectionUI
Data : (null)
Description : The network selection UI is displayed on the logon screen (default).
""
ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_FILE_EXTENSION_ASSOC","TA0001 - Initial Access","File extension associations","Check whether file extensions such as '.bat' or '.wsh' are associated to a text editor. Note that only basic text editors such as 'Notepad' are detected. If a rich text editor is set instead, this check could yield false positives.","Low","
Extension Command
--------- -------
.application ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbApplication %1
.appref-ms ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\dfshim.dll"",ShOpenVerbShortcut %1|%2
.bat ""%1"" %*
.chm ""C:\Windows\hh.exe"" %1
.cmd ""%1"" %*
.com ""%1"" %*
.cpl C:\Windows\System32\control.exe ""%1"",%*
.diagcab C:\Windows\system32\msdt.exe /cab ""%1""
.hta C:\Windows\SysWOW64\mshta.exe ""%1"" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}%U{1E460BD7-F1C3-4B2E-8...
.hlp C:\Windows\winhlp32.exe %1
.htm ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1
.html ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1
.js C:\Windows\System32\WScript.exe ""%1"" %*
.JSE C:\Windows\System32\WScript.exe ""%1"" %*
.library-ms C:\Windows\Explorer.exe
.mht ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1
.mhtml ""C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"" --single-argument %1
.msc C:\Windows\system32\mmc.exe ""%1"" %*
.msrcincident ""C:\Windows\system32\msra.exe"" -openfile ""%1""
.pif ""%1"" %*
.ppkg ""C:\Windows\System32\provtool.exe"" ""%1"" /source ShellOpen
.psc1 ""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -p ""%1""
.reg regedit.exe ""%1""
.scf C:\Windows\explorer.exe
.scr ""%1"" /S
.searchConnector-ms C:\Windows\Explorer.exe
.search-ms C:\Windows\Explorer.exe
.theme C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction %1
.themepack C:\Windows\system32\rundll32.exe C:\Windows\system32\themecpl.dll,OpenThemeAction %1
.URL ""C:\Windows\System32\rundll32.exe"" ""C:\Windows\System32\ieframe.dll"",OpenURL %l
.VBE ""C:\Windows\System32\WScript.exe"" ""%1"" %*
.vbs ""C:\Windows\System32\WScript.exe"" ""%1"" %*
.WSF ""C:\Windows\System32\WScript.exe"" ""%1"" %*
.WSH ""C:\Windows\System32\WScript.exe"" ""%1"" %*
""
ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BITLOCKER","TA0001 - Initial Access","BitLocker configuration","Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed.","High","
MachineRole : Workstation
Description : BitLocker is not enabled.
""
ParameterBinding(Out-File): name="InputObject"; value=""HARDEN_BIOS_MODE","TA0003 - Persistence","UEFI & Secure Boot","Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI.","None","
Name Vulnerable Description
---- ---------- -----------
UEFI False BIOS mode is UEFI.
Secure Boot False
""
ParameterBinding(Out-File): name="InputObject"; value=""MISC_STARTUP_LAST","TA0004 - Privilege Escalation","Last system startup time","Get information about the last startup date and time based on the machine's tick count. Note that the result might not be completely reliable.","None","
Time
----
2024-04-16 - 12:37:58
""
ParameterBinding(Out-File): name="InputObject"; value=""NET_UDP_ENDPOINTS","TA0004 - Privilege Escalation","UDP endpoint servers","Get information about all the UDP ports that are in a LISTEN state. Note that the associated process is also listed. DNS is filtered out to minimize the output.","None","
IP Proto LocalAddress State PID Name
-- ----- ------------ ----- --- ----
IPv4 UDP 0.0.0.0:123 N/A 1112 svchost
IPv4 UDP 0.0.0.0:500 N/A 2948 svchost
IPv4 UDP 0.0.0.0:3389 N/A 688 svchost
IPv4 UDP 0.0.0.0:4500 N/A 2948 svchost
IPv4 UDP 0.0.0.0:5050 N/A 6028 svchost
IPv4 UDP 0.0.0.0:5353 N/A 1296 svchost
IPv4 UDP 0.0.0.0:5353 N/A 3880 chrome
IPv4 UDP 0.0.0.0:5355 N/A 1296 svchost
IPv4 UDP 0.0.0.0:58558 N/A 9256 chrome
IPv4 UDP 10.181.21.46:137 N/A 4 System
IPv4 UDP 10.181.21.46:138 N/A 4 System
IPv4 UDP 10.181.21.46:1900 N/A 976 svchost
IPv4 UDP 10.181.21.46:63426 N/A 976 svchost
IPv4 UDP 127.0.0.1:1900 N/A 976 svchost
IPv4 UDP 127.0.0.1:61940 N/A 652 lsass
IPv4 UDP 127.0.0.1:63427 N/A 976 svchost
IPv4 UDP 127.0.0.1:65492 N/A 1460 svchost
IPv4 UDP 127.0.0.1:65494 N/A 2092 svchost
IPv6 UDP [::]:123 N/A 1112 svchost
IPv6 UDP [::]:500 N/A 2948 svchost
IPv6 UDP [::]:3389 N/A 688 svchost
IPv6 UDP [::]:4500 N/A 2948 svchost
IPv6 UDP [::1]:1900 N/A 976 svchost
IPv6 UDP [::1]:63425 N/A 976 svchost
""
ParameterBinding(Out-File): name="InputObject"; value=""NET_TCP_ENDPOINTS","TA0004 - Privilege Escalation","TCP endpoint servers","Get information about all the TCP ports that are in a LISTEN state. Note that the associated process is also listed.","None","
IP Proto LocalAddress State PID Name
-- ----- ------------ ----- --- ----
IPv4 TCP 0.0.0.0:135 LISTENING 816 svchost
IPv4 TCP 0.0.0.0:445 LISTENING 4 System
IPv4 TCP 0.0.0.0:3389 LISTENING 688 svchost
IPv4 TCP 0.0.0.0:5040 LISTENING 6028 svchost
IPv4 TCP 0.0.0.0:7680 LISTENING 1040 svchost
IPv4 TCP 0.0.0.0:49664 LISTENING 652 lsass
IPv4 TCP 0.0.0.0:49665 LISTENING 504 wininit
IPv4 TCP 0.0.0.0:49666 LISTENING 1372 svchost
IPv4 TCP 0.0.0.0:49667 LISTENING 1348 svchost
IPv4 TCP 0.0.0.0:49670 LISTENING 2248 svchost
IPv4 TCP 0.0.0.0:49671 LISTENING 2800 spoolsv
IPv4 TCP 0.0.0.0:49672 LISTENING 652 lsass
IPv4 TCP 0.0.0.0:49692 LISTENING 644 services
IPv4 TCP 10.181.21.46:139 LISTENING 4 System
IPv6 TCP [::]:135 LISTENING 816 svchost
IPv6 TCP [::]:445 LISTENING 4 System
IPv6 TCP [::]:3389 LISTENING 688 svchost
IPv6 TCP [::]:7680 LISTENING 1040 svchost
IPv6 TCP [::]:49664 LISTENING 652 lsass
IPv6 TCP [::]:49665 LISTENING 504 wininit
IPv6 TCP [::]:49666 LISTENING 1372 svchost
IPv6 TCP [::]:49667 LISTENING 1348 svchost
IPv6 TCP [::]:49670 LISTENING 2248 svchost
IPv6 TCP [::]:49671 LISTENING 2800 spoolsv
IPv6 TCP [::]:49672 LISTENING 652 lsass
IPv6 TCP [::]:49692 LISTENING 644 services
""
ParameterBinding(Out-File): name="InputObject"; value=""USER_PRIVILEGES","TA0004 - Privilege Escalation","User privileges","Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM.","None","
Name State Description Exploitable
---- ----- ----------- -----------
SeShutdownPrivilege Disabled Shut down the system False
SeChangeNotifyPrivilege Enabled Bypass traverse checking False
SeUndockPrivilege Disabled Remove computer from docking station False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False
SeTimeZonePrivilege Disabled Change the time zone False
""
ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX","TA0004 - Privilege Escalation","Latest updates installed","Check whether a Windows security update was installed within the last 31 days.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HOTFIX_INFO","TA0004 - Privilege Escalation","Windows Update history","Get information about Windows Update history. Update packages are sorted by date in descending order, so that most recent ones are shown first. Note that the script might fail to retrieve install dates when run with PowerShell version 2.","None","
HotFixID Description InstalledBy InstalledOn
-------- ----------- ----------- -----------
KB5036892 Security Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5036618 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5033052 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5015684 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5011048 Update NT AUTHORITY\SYSTEM 4/13/2024 12:00:00 AM
KB5037018 Security Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM
KB5027122 Update NT AUTHORITY\SYSTEM 4/12/2024 12:00:00 AM
KB5011352 Security Update 4/3/2022 12:00:00 AM
KB5003791 Update 4/3/2022 12:00:00 AM
""
ParameterBinding(Out-File): name="InputObject"; value=""UPDATE_HISTORY","TA0004 - Privilege Escalation","Last Windows Update date","Get information about the latest Windows update. Note that this check might be unreliable.","None","
Time TimeRaw
---- -------
2024-04-17 - 12:48:36 4/17/2024 12:48:36 PM
""
ParameterBinding(Out-File): name="InputObject"; value=""MISC_HIJACKABLE_DLL","TA0004 - Privilege Escalation","Known ghost DLLs","Get information about services that are known to be prone to ghost DLL hijacking. Note that their exploitation requires the current user to have write permissions on at least one system-wide PATH folder.","None","
Name : cdpsgshims.dll
Description : Loaded by the Connected Devices Platform Service (CDPSvc) upon startup.
RunAs : NT AUTHORITY\LocalService
RebootRequired : True
Link : https://nafiez.github.io/security/eop/2019/11/05/windows-service-host-process-eop.html
Name : WptsExtensions.dll
Description : Loaded by the Task Scheduler service (Schedule) upon startup.
RunAs : LocalSystem
RebootRequired : True
Link : http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
Name : SprintCSP.dll
Description : Loaded by the Storage Service (StorSvc) when the RPC procedure 'SvcRebootToFlashingMode' is invoked.
RunAs : LocalSystem
RebootRequired : False
Link : https://github.com/blackarrowsec/redteam-research/tree/master/LPE%20via%20StorSvc
""
ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_PATH_FOLDERS","TA0004 - Privilege Escalation","PATH folder permissions","Check whether the current user has any write permissions on the system-wide PATH folders. If so, the system could be vulnerable to privilege escalation through ghost DLL hijacking.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""SCHTASKS_IMAGE_PERMISSIONS","TA0004 - Privilege Escalation","Scheduled task binary permissions","Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks.","None","""
ParameterBinding(Out-File): name="InputObject"; value=""CONFIG_MSI","TA0004 - Privilege Escalation","AlwaysInstallElevated","Check whether the 'AlwaysInstallElevated' policy is enabled system-wide and for the current user. If so, the current user may install a Windows Installer package with elevated (SYSTEM) privileges.","None","
LocalMachineKey : HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer
LocalMachineValue : AlwaysInstallElevated
LocalMachineData : (null)
Description : AlwaysInstallElevated is not enabled in HKLM.
""
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
123,414
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:55:43.004
winlog.event_data.param3:
CommandInvocation(Write-TxtReport): "Write-TxtReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.txt" ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0043 - Reconnaissance | | NAME | User identity | +----------+---------------------------------------------------+ | Get information about the current user (name, domain name) | | and its access token (SID, integrity level, authentication | | ID). | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational Name : FERRUMFOX\maslov-o SID : S-1-5-21-2213792943-3978625667-3641601853-1107 IntegrityLevel : Medium Mandatory Level (S-1-16-8192) SessionId : 3 TokenId : 00000000-00dcb008 AuthenticationId : 00000000-0028e629 OriginId : 00000000-000003e7 ModifiedId : 00000000-0028ea90 Source : User32 (00000000-0028e5b1) " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0043 - Reconnaissance | | NAME | User groups | +----------+---------------------------------------------------+ | Get information about the groups the current user belongs to | | (name, type, SID). | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational Name Type SID ---- ---- --- FERRUMFOX\Domain Users Group S-1-5-21-2213792943-3978625667-3641601853-513 Everyone WellKnownGroup S-1-1-0 BUILTIN\Remote Desktop Users Alias S-1-5-32-555 BUILTIN\Users Alias S-1-5-32-545 NT AUTHORITY\REMOTE INTERACTIVE LOGON WellKnownGroup S-1-5-14 NT AUTHORITY\INTERACTIVE WellKnownGroup S-1-5-4 NT AUTHORITY\Authenticated Users WellKnownGroup S-1-5-11 NT AUTHORITY\This Organization WellKnownGroup S-1-5-15 NT AUTHORITY\LogonSessionId_0_2679955 LogonSession S-1-5-5-0-2679955 LOCAL WellKnownGroup S-1-2-0 Authentication authority asserted identity WellKnownGroup S-1-18-1 Mandatory Label\Medium Mandatory Level Label S-1-16-8192 " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0043 - Reconnaissance | | NAME | User restricted SIDs | +----------+---------------------------------------------------+ | Get information about potential restricted SIDs applied to | | the current user. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found) " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0004 - Privilege Escalation | | NAME | User privileges | +----------+---------------------------------------------------+ | Check whether the current user has privileges (e.g., | | SeImpersonatePrivilege) that can be leveraged for privilege | | escalation to SYSTEM. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (not vulnerable) Name State Description Exploitable ---- ----- ----------- ----------- SeShutdownPrivilege Disabled Shut down the system False SeChangeNotifyPrivilege Enabled Bypass traverse checking False SeUndockPrivilege Disabled Remove computer from docking station False SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False SeTimeZonePrivilege Disabled Change the time zone False " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0006 - Credential Access | | NAME | User environment variables | +----------+---------------------------------------------------+ | Check whether any environment variables contain sensitive | | information such as credentials or secrets. Note that this | | check follows a keyword-based approach and thus might not be | | completely reliable. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found) " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0004 - Privilege Escalation | | NAME | Non-default services | +----------+---------------------------------------------------+ | Get information about third-party services. It does so by | | parsing the target executable's metadata and checking | | whether the publisher is Microsoft. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational Name : GoogleChromeElevationService DisplayName : Google Chrome Elevation Service (GoogleChromeElevationService) ImagePath : "C:\Program Files\Google\Chrome\Application\123.0.6312.124\elevation_service.exe" User : LocalSystem StartMode : Manual Name : gupdate DisplayName : Google Update Service (gupdate) ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc User : LocalSystem StartMode : Automatic Name : gupdatem DisplayName : Google Update Service (gupdatem) ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc User : LocalSystem StartMode : Manual Name : ssh-agent DisplayName : OpenSSH Authentication Agent ImagePath : C:\Windows\System32\OpenSSH\ssh-agent.exe User : LocalSystem StartMode : Disabled Name : vm-agent DisplayName : vm-agent ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent.exe" -d -l "c:\Program Files (x86)\virtio\monitor\vm-agent.log" User : LocalSystem StartMode : Automatic Name : VmAgentDaemon DisplayName : VMTools Daemon Service ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent-daemon.exe" -s User : LocalSystem StartMode : Automatic Name : winlogbeat DisplayName : Winlogbeat ImagePath : "C:\Program Files\winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\winlogbeat" --path.data "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true User : LocalSystem StartMode : Automatic " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0004 - Privilege Escalation | | NAME | Third-party Kernel drivers | +----------+---------------------------------------------------+ | Get information about third-party kernel drivers. It does so | | by parsing the driver's metadata and checking whether the | | publisher is Microsoft. | +--------------------------------------------------------------+"
event.original:
Pipeline execution details for command line: "TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName } . Context Information: DetailSequence=1 DetailTotal=8 SequenceNumber=244874 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName } Details: CommandInvocation(Write-TxtReport): "Write-TxtReport" CommandInvocation(Out-File): "Out-File" ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.txt" ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0043 - Reconnaissance | | NAME | User identity | +----------+---------------------------------------------------+ | Get information about the current user (name, domain name) | | and its access token (SID, integrity level, authentication | | ID). | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational Name : FERRUMFOX\maslov-o SID : S-1-5-21-2213792943-3978625667-3641601853-1107 IntegrityLevel : Medium Mandatory Level (S-1-16-8192) SessionId : 3 TokenId : 00000000-00dcb008 AuthenticationId : 00000000-0028e629 OriginId : 00000000-000003e7 ModifiedId : 00000000-0028ea90 Source : User32 (00000000-0028e5b1) " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0043 - Reconnaissance | | NAME | User groups | +----------+---------------------------------------------------+ | Get information about the groups the current user belongs to | | (name, type, SID). | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational Name Type SID ---- ---- --- FERRUMFOX\Domain Users Group S-1-5-21-2213792943-3978625667-3641601853-513 Everyone WellKnownGroup S-1-1-0 BUILTIN\Remote Desktop Users Alias S-1-5-32-555 BUILTIN\Users Alias S-1-5-32-545 NT AUTHORITY\REMOTE INTERACTIVE LOGON WellKnownGroup S-1-5-14 NT AUTHORITY\INTERACTIVE WellKnownGroup S-1-5-4 NT AUTHORITY\Authenticated Users WellKnownGroup S-1-5-11 NT AUTHORITY\This Organization WellKnownGroup S-1-5-15 NT AUTHORITY\LogonSessionId_0_2679955 LogonSession S-1-5-5-0-2679955 LOCAL WellKnownGroup S-1-2-0 Authentication authority asserted identity WellKnownGroup S-1-18-1 Mandatory Label\Medium Mandatory Level Label S-1-16-8192 " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0043 - Reconnaissance | | NAME | User restricted SIDs | +----------+---------------------------------------------------+ | Get information about potential restricted SIDs applied to | | the current user. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found) " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0004 - Privilege Escalation | | NAME | User privileges | +----------+---------------------------------------------------+ | Check whether the current user has privileges (e.g., | | SeImpersonatePrivilege) that can be leveraged for privilege | | escalation to SYSTEM. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (not vulnerable) Name State Description Exploitable ---- ----- ----------- ----------- SeShutdownPrivilege Disabled Shut down the system False SeChangeNotifyPrivilege Enabled Bypass traverse checking False SeUndockPrivilege Disabled Remove computer from docking station False SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False SeTimeZonePrivilege Disabled Change the time zone False " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0006 - Credential Access | | NAME | User environment variables | +----------+---------------------------------------------------+ | Check whether any environment variables contain sensitive | | information such as credentials or secrets. Note that this | | check follows a keyword-based approach and thus might not be | | completely reliable. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found) " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0004 - Privilege Escalation | | NAME | Non-default services | +----------+---------------------------------------------------+ | Get information about third-party services. It does so by | | parsing the target executable's metadata and checking | | whether the publisher is Microsoft. | +--------------------------------------------------------------+" ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational Name : GoogleChromeElevationService DisplayName : Google Chrome Elevation Service (GoogleChromeElevationService) ImagePath : "C:\Program Files\Google\Chrome\Application\123.0.6312.124\elevation_service.exe" User : LocalSystem StartMode : Manual Name : gupdate DisplayName : Google Update Service (gupdate) ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc User : LocalSystem StartMode : Automatic Name : gupdatem DisplayName : Google Update Service (gupdatem) ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc User : LocalSystem StartMode : Manual Name : ssh-agent DisplayName : OpenSSH Authentication Agent ImagePath : C:\Windows\System32\OpenSSH\ssh-agent.exe User : LocalSystem StartMode : Disabled Name : vm-agent DisplayName : vm-agent ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent.exe" -d -l "c:\Program Files (x86)\virtio\monitor\vm-agent.log" User : LocalSystem StartMode : Automatic Name : VmAgentDaemon DisplayName : VMTools Daemon Service ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent-daemon.exe" -s User : LocalSystem StartMode : Automatic Name : winlogbeat DisplayName : Winlogbeat ImagePath : "C:\Program Files\winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program Files\winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\winlogbeat" --path.data "C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E logging.files.redirect_stderr=true User : LocalSystem StartMode : Automatic " ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+ | CATEGORY | TA0004 - Privilege Escalation | | NAME | Third-party Kernel drivers | +----------+---------------------------------------------------+ | Get information about third-party kernel drivers. It does so | | by parsing the driver's metadata and checking whether the | | publisher is Microsoft. | +--------------------------------------------------------------+"
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:55:43.004
winlog.keywords:
Classic
winlog.channel:
Windows PowerShell
winlog.api:
wineventlog
winlog.record_id:
123,385
winlog.event_data.param1:
"TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2:
DetailSequence=1 DetailTotal=8 SequenceNumber=244874 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= "TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.opcode:
Info
winlog.event_id:
800
winlog.task:
Pipeline Execution Details
winlog.provider_name:
PowerShell
log.level:
information
host.name:
maslov-o-pc.ferrumfox.corp
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.platform:
windows
host.os.name:
Windows 10 Pro
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:55:46.267
event.code:
800
_id:
r5Ig7I4BjcmPCGzWrQfT
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:55:43.004
@version
1
_id
r5Ig7I4BjcmPCGzWrQfT
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:55:46.267
event.kind
event
event.original
Pipeline execution details for command line: "TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName }
.
Context Information:
DetailSequence=1
DetailTotal=8
SequenceNumber=244874
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName }
Details:
CommandInvocation(Write-TxtReport): "Write-TxtReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.txt"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0043 - Reconnaissance |
| NAME | User identity |
+----------+---------------------------------------------------+
| Get information about the current user (name, domain name) |
| and its access token (SID, integrity level, authentication |
| ID). |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational
Name : FERRUMFOX\maslov-o
SID : S-1-5-21-2213792943-3978625667-3641601853-1107
IntegrityLevel : Medium Mandatory Level (S-1-16-8192)
SessionId : 3
TokenId : 00000000-00dcb008
AuthenticationId : 00000000-0028e629
OriginId : 00000000-000003e7
ModifiedId : 00000000-0028ea90
Source : User32 (00000000-0028e5b1)
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0043 - Reconnaissance |
| NAME | User groups |
+----------+---------------------------------------------------+
| Get information about the groups the current user belongs to |
| (name, type, SID). |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational
Name Type SID
---- ---- ---
FERRUMFOX\Domain Users Group S-1-5-21-2213792943-3978625667-3641601853-513
Everyone WellKnownGroup S-1-1-0
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
BUILTIN\Users Alias S-1-5-32-545
NT AUTHORITY\REMOTE INTERACTIVE LOGON WellKnownGroup S-1-5-14
NT AUTHORITY\INTERACTIVE WellKnownGroup S-1-5-4
NT AUTHORITY\Authenticated Users WellKnownGroup S-1-5-11
NT AUTHORITY\This Organization WellKnownGroup S-1-5-15
NT AUTHORITY\LogonSessionId_0_2679955 LogonSession S-1-5-5-0-2679955
LOCAL WellKnownGroup S-1-2-0
Authentication authority asserted identity WellKnownGroup S-1-18-1
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0043 - Reconnaissance |
| NAME | User restricted SIDs |
+----------+---------------------------------------------------+
| Get information about potential restricted SIDs applied to |
| the current user. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found)
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0004 - Privilege Escalation |
| NAME | User privileges |
+----------+---------------------------------------------------+
| Check whether the current user has privileges (e.g., |
| SeImpersonatePrivilege) that can be leveraged for privilege |
| escalation to SYSTEM. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (not vulnerable)
Name State Description Exploitable
---- ----- ----------- -----------
SeShutdownPrivilege Disabled Shut down the system False
SeChangeNotifyPrivilege Enabled Bypass traverse checking False
SeUndockPrivilege Disabled Remove computer from docking station False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False
SeTimeZonePrivilege Disabled Change the time zone False
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0006 - Credential Access |
| NAME | User environment variables |
+----------+---------------------------------------------------+
| Check whether any environment variables contain sensitive |
| information such as credentials or secrets. Note that this |
| check follows a keyword-based approach and thus might not be |
| completely reliable. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found)
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0004 - Privilege Escalation |
| NAME | Non-default services |
+----------+---------------------------------------------------+
| Get information about third-party services. It does so by |
| parsing the target executable's metadata and checking |
| whether the publisher is Microsoft. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational
Name : GoogleChromeElevationService
DisplayName : Google Chrome Elevation Service (GoogleChromeElevationService)
ImagePath : "C:\Program Files\Google\Chrome\Application\123.0.6312.124\elevation_service.exe"
User : LocalSystem
StartMode : Manual
Name : gupdate
DisplayName : Google Update Service (gupdate)
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
User : LocalSystem
StartMode : Automatic
Name : gupdatem
DisplayName : Google Update Service (gupdatem)
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
User : LocalSystem
StartMode : Manual
Name : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath : C:\Windows\System32\OpenSSH\ssh-agent.exe
User : LocalSystem
StartMode : Disabled
Name : vm-agent
DisplayName : vm-agent
ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent.exe" -d -l "c:\Program Files
(x86)\virtio\monitor\vm-agent.log"
User : LocalSystem
StartMode : Automatic
Name : VmAgentDaemon
DisplayName : VMTools Daemon Service
ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent-daemon.exe" -s
User : LocalSystem
StartMode : Automatic
Name : winlogbeat
DisplayName : Winlogbeat
ImagePath : "C:\Program Files\winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program
Files\winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\winlogbeat" --path.data
"C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E
logging.files.redirect_stderr=true
User : LocalSystem
StartMode : Automatic
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0004 - Privilege Escalation |
| NAME | Third-party Kernel drivers |
+----------+---------------------------------------------------+
| Get information about third-party kernel drivers. It does so |
| by parsing the driver's metadata and checking whether the |
| publisher is Microsoft. |
+--------------------------------------------------------------+"
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
"TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param2
DetailSequence=1
DetailTotal=8
SequenceNumber=244874
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= "TXT" { Write-TxtReport -AllResults $ResultArrayList | Out-File $ReportFileName }
winlog.event_data.param3
CommandInvocation(Write-TxtReport): "Write-TxtReport"
CommandInvocation(Out-File): "Out-File"
ParameterBinding(Out-File): name="FilePath"; value="PrivescCheck_MASLOV-O-PC.txt"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0043 - Reconnaissance |
| NAME | User identity |
+----------+---------------------------------------------------+
| Get information about the current user (name, domain name) |
| and its access token (SID, integrity level, authentication |
| ID). |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational
Name : FERRUMFOX\maslov-o
SID : S-1-5-21-2213792943-3978625667-3641601853-1107
IntegrityLevel : Medium Mandatory Level (S-1-16-8192)
SessionId : 3
TokenId : 00000000-00dcb008
AuthenticationId : 00000000-0028e629
OriginId : 00000000-000003e7
ModifiedId : 00000000-0028ea90
Source : User32 (00000000-0028e5b1)
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0043 - Reconnaissance |
| NAME | User groups |
+----------+---------------------------------------------------+
| Get information about the groups the current user belongs to |
| (name, type, SID). |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational
Name Type SID
---- ---- ---
FERRUMFOX\Domain Users Group S-1-5-21-2213792943-3978625667-3641601853-513
Everyone WellKnownGroup S-1-1-0
BUILTIN\Remote Desktop Users Alias S-1-5-32-555
BUILTIN\Users Alias S-1-5-32-545
NT AUTHORITY\REMOTE INTERACTIVE LOGON WellKnownGroup S-1-5-14
NT AUTHORITY\INTERACTIVE WellKnownGroup S-1-5-4
NT AUTHORITY\Authenticated Users WellKnownGroup S-1-5-11
NT AUTHORITY\This Organization WellKnownGroup S-1-5-15
NT AUTHORITY\LogonSessionId_0_2679955 LogonSession S-1-5-5-0-2679955
LOCAL WellKnownGroup S-1-2-0
Authentication authority asserted identity WellKnownGroup S-1-18-1
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0043 - Reconnaissance |
| NAME | User restricted SIDs |
+----------+---------------------------------------------------+
| Get information about potential restricted SIDs applied to |
| the current user. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found)
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0004 - Privilege Escalation |
| NAME | User privileges |
+----------+---------------------------------------------------+
| Check whether the current user has privileges (e.g., |
| SeImpersonatePrivilege) that can be leveraged for privilege |
| escalation to SYSTEM. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (not vulnerable)
Name State Description Exploitable
---- ----- ----------- -----------
SeShutdownPrivilege Disabled Shut down the system False
SeChangeNotifyPrivilege Enabled Bypass traverse checking False
SeUndockPrivilege Disabled Remove computer from docking station False
SeIncreaseWorkingSetPrivilege Disabled Increase a process working set False
SeTimeZonePrivilege Disabled Change the time zone False
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0006 - Credential Access |
| NAME | User environment variables |
+----------+---------------------------------------------------+
| Check whether any environment variables contain sensitive |
| information such as credentials or secrets. Note that this |
| check follows a keyword-based approach and thus might not be |
| completely reliable. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational (nothing found)
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0004 - Privilege Escalation |
| NAME | Non-default services |
+----------+---------------------------------------------------+
| Get information about third-party services. It does so by |
| parsing the target executable's metadata and checking |
| whether the publisher is Microsoft. |
+--------------------------------------------------------------+"
ParameterBinding(Out-File): name="InputObject"; value="[*] Status: Informational
Name : GoogleChromeElevationService
DisplayName : Google Chrome Elevation Service (GoogleChromeElevationService)
ImagePath : "C:\Program Files\Google\Chrome\Application\123.0.6312.124\elevation_service.exe"
User : LocalSystem
StartMode : Manual
Name : gupdate
DisplayName : Google Update Service (gupdate)
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /svc
User : LocalSystem
StartMode : Automatic
Name : gupdatem
DisplayName : Google Update Service (gupdatem)
ImagePath : "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /medsvc
User : LocalSystem
StartMode : Manual
Name : ssh-agent
DisplayName : OpenSSH Authentication Agent
ImagePath : C:\Windows\System32\OpenSSH\ssh-agent.exe
User : LocalSystem
StartMode : Disabled
Name : vm-agent
DisplayName : vm-agent
ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent.exe" -d -l "c:\Program Files
(x86)\virtio\monitor\vm-agent.log"
User : LocalSystem
StartMode : Automatic
Name : VmAgentDaemon
DisplayName : VMTools Daemon Service
ImagePath : "c:\Program Files (x86)\virtio\monitor\vm-agent-daemon.exe" -s
User : LocalSystem
StartMode : Automatic
Name : winlogbeat
DisplayName : Winlogbeat
ImagePath : "C:\Program Files\winlogbeat\winlogbeat.exe" --environment=windows_service -c "C:\Program
Files\winlogbeat\winlogbeat.yml" --path.home "C:\Program Files\winlogbeat" --path.data
"C:\ProgramData\winlogbeat" --path.logs "C:\ProgramData\winlogbeat\logs" -E
logging.files.redirect_stderr=true
User : LocalSystem
StartMode : Automatic
"
ParameterBinding(Out-File): name="InputObject"; value="+----------+---------------------------------------------------+
| CATEGORY | TA0004 - Privilege Escalation |
| NAME | Third-party Kernel drivers |
+----------+---------------------------------------------------+
| Get information about third-party kernel drivers. It does so |
| by parsing the driver's metadata and checking whether the |
| publisher is Microsoft. |
+--------------------------------------------------------------+"
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
123,385
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:55:42.353
winlog.event_data.Payload:
CommandInvocation(Write-Host): "Write-Host" ParameterBinding(Write-Host): name="ForegroundColor"; value="White" ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
event.original:
CommandInvocation(Write-Host): "Write-Host" ParameterBinding(Write-Host): name="ForegroundColor"; value="White" ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃" Context: Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.4291 Host ID = caab5788-d9f9-4f40-956d-226e78d129dc Host Application = powershell -ep bypass Engine Version = 5.1.19041.4291 Runspace ID = 9ee7a641-1d35-49fa-af70-6bfa6a8bad42 Pipeline ID = 74 Command Name = Write-Host Command Type = Cmdlet Script Name = Command Path = Sequence Number = 244257 User = FERRUMFOX\maslov-o Connected User = Shell ID = Microsoft.PowerShell User Data:
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:55:42.353
winlog.provider_name:
Microsoft-Windows-PowerShell
winlog.channel:
Microsoft-Windows-PowerShell/Operational
winlog.record_id:
855,469
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.user.name:
maslov-o
winlog.user.type:
User
winlog.user.identifier:
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.domain:
FERRUMFOX
winlog.provider_guid:
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.event_data.ContextInfo:
Severity = Informational Host Name = ConsoleHost Host Version = 5.1.19041.4291 Host ID = caab5788-d9f9-4f40-956d-226e78d129dc Host Application = powershell -ep bypass Engine Version = 5.1.19041.4291 Runspace ID = 9ee7a641-1d35-49fa-af70-6bfa6a8bad42 Pipeline ID = 74 Command Name = Write-Host Command Type = Cmdlet Script Name = Command Path = Sequence Number = 244257 User = FERRUMFOX\maslov-o Connected User = Shell ID = Microsoft.PowerShell
winlog.task:
Executing Pipeline
winlog.opcode:
To be used when operation is just executing a method
winlog.activity_id:
{eafc05f8-8ffa-0000-6801-ffeafa8fda01}
winlog.version:
1
winlog.api:
wineventlog
winlog.event_id:
4,103
winlog.process.thread.id:
2,996
winlog.process.pid:
2,340
log.level:
information
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.name:
maslov-o-pc.ferrumfox.corp
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.platform:
windows
host.os.name:
Windows 10 Pro
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
Microsoft-Windows-PowerShell
event.action:
Executing Pipeline
event.kind:
event
event.created:
Apr 17, 2024 @ 12:55:53.313
event.code:
4,103
_id:
UpIg7I4BjcmPCGzWxjFz
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:55:42.353
@version
1
_id
UpIg7I4BjcmPCGzWxjFz
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Executing Pipeline
event.code
4,103
event.created
Apr 17, 2024 @ 12:55:53.313
event.kind
event
event.original
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="ForegroundColor"; value="White"
ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
Context:
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.4291
Host ID = caab5788-d9f9-4f40-956d-226e78d129dc
Host Application = powershell -ep bypass
Engine Version = 5.1.19041.4291
Runspace ID = 9ee7a641-1d35-49fa-af70-6bfa6a8bad42
Pipeline ID = 74
Command Name = Write-Host
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 244257
User = FERRUMFOX\maslov-o
Connected User =
Shell ID = Microsoft.PowerShell
User Data:
event.provider
Microsoft-Windows-PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.activity_id
{eafc05f8-8ffa-0000-6801-ffeafa8fda01}
winlog.api
wineventlog
winlog.channel
Microsoft-Windows-PowerShell/Operational
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.ContextInfo
Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.4291
Host ID = caab5788-d9f9-4f40-956d-226e78d129dc
Host Application = powershell -ep bypass
Engine Version = 5.1.19041.4291
Runspace ID = 9ee7a641-1d35-49fa-af70-6bfa6a8bad42
Pipeline ID = 74
Command Name = Write-Host
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 244257
User = FERRUMFOX\maslov-o
Connected User =
Shell ID = Microsoft.PowerShell
winlog.event_data.Payload
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="ForegroundColor"; value="White"
ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
winlog.event_id
4,103
winlog.opcode
To be used when operation is just executing a method
winlog.process.pid
2,340
winlog.process.thread.id
2,996
winlog.provider_guid
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.provider_name
Microsoft-Windows-PowerShell
winlog.record_id
855,469
winlog.task
Executing Pipeline
winlog.user.domain
FERRUMFOX
winlog.user.identifier
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.name
maslov-o
winlog.user.type
User
winlog.version
1
Apr 17, 2024 @ 12:55:42.351
winlog.event_data.param1:
Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
winlog.event_data.param3:
CommandInvocation(Write-Host): "Write-Host" ParameterBinding(Write-Host): name="ForegroundColor"; value="White" ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
winlog.event_data.param2:
DetailSequence=1 DetailTotal=1 SequenceNumber=244256 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
event.original:
Pipeline execution details for command line: Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)" . Context Information: DetailSequence=1 DetailTotal=1 SequenceNumber=244256 UserId=FERRUMFOX\maslov-o HostName=ConsoleHost HostVersion=5.1.19041.4291 HostId=caab5788-d9f9-4f40-956d-226e78d129dc HostApplication=powershell -ep bypass EngineVersion=5.1.19041.4291 RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42 PipelineId=74 ScriptName= CommandLine= Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)" Details: CommandInvocation(Write-Host): "Write-Host" ParameterBinding(Write-Host): name="ForegroundColor"; value="White" ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:55:42.351
winlog.keywords:
Classic
winlog.record_id:
123,063
winlog.api:
wineventlog
winlog.channel:
Windows PowerShell
winlog.opcode:
Info
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.event_id:
800
winlog.task:
Pipeline Execution Details
winlog.provider_name:
PowerShell
log.level:
information
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.name:
maslov-o-pc.ferrumfox.corp
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.platform:
windows
host.os.name:
Windows 10 Pro
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
PowerShell
event.action:
Pipeline Execution Details
event.kind:
event
event.created:
Apr 17, 2024 @ 12:55:45.751
event.code:
800
_id:
fZIg7I4BjcmPCGzWqgOF
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:55:42.351
@version
1
_id
fZIg7I4BjcmPCGzWqgOF
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Pipeline Execution Details
event.code
800
event.created
Apr 17, 2024 @ 12:55:45.751
event.kind
event
event.original
Pipeline execution details for command line: Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
.
Context Information:
DetailSequence=1
DetailTotal=1
SequenceNumber=244256
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
Details:
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="ForegroundColor"; value="White"
ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
event.provider
PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
information
type
wineventlog
winlog.api
wineventlog
winlog.channel
Windows PowerShell
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.param1
Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
winlog.event_data.param2
DetailSequence=1
DetailTotal=1
SequenceNumber=244256
UserId=FERRUMFOX\maslov-o
HostName=ConsoleHost
HostVersion=5.1.19041.4291
HostId=caab5788-d9f9-4f40-956d-226e78d129dc
HostApplication=powershell -ep bypass
EngineVersion=5.1.19041.4291
RunspaceId=9ee7a641-1d35-49fa-af70-6bfa6a8bad42
PipelineId=74
ScriptName=
CommandLine= Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
winlog.event_data.param3
CommandInvocation(Write-Host): "Write-Host"
ParameterBinding(Write-Host): name="ForegroundColor"; value="White"
ParameterBinding(Write-Host): name="Object"; value="┃ ~~~ PrivescCheck Summary ~~~ ┃"
winlog.event_id
800
winlog.keywords
Classic
winlog.opcode
Info
winlog.provider_name
PowerShell
winlog.record_id
123,063
winlog.task
Pipeline Execution Details
Apr 17, 2024 @ 12:53:12.474
winlog.event_data.ScriptBlockText:
Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML
event.original:
Creating Scriptblock text (1 of 1): Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML ScriptBlock ID: 8cb22ec9-13dc-4900-a7a7-42c7e3f043fa Path:
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:53:12.474
winlog.provider_name:
Microsoft-Windows-PowerShell
winlog.record_id:
1,807
winlog.channel:
Microsoft-Windows-PowerShell/Operational
winlog.event_data.ScriptBlockId:
8cb22ec9-13dc-4900-a7a7-42c7e3f043fa
winlog.event_data.MessageTotal:
1
winlog.event_data.MessageNumber:
1
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.user.name:
maslov-o
winlog.user.identifier:
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.type:
User
winlog.user.domain:
FERRUMFOX
winlog.opcode:
On create calls
winlog.task:
Execute a Remote Command
winlog.provider_guid:
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.activity_id:
{eafc05f8-8ffa-0000-10d8-fceafa8fda01}
winlog.version:
1
winlog.api:
wineventlog
winlog.event_id:
4,104
winlog.process.thread.id:
2,996
winlog.process.pid:
2,340
log.level:
verbose
host.name:
maslov-o-pc.ferrumfox.corp
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.platform:
windows
host.os.name:
Windows 10 Pro
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
Microsoft-Windows-PowerShell
event.action:
Execute a Remote Command
event.kind:
event
event.created:
Apr 17, 2024 @ 12:53:13.031
event.code:
4,104
_id:
Zo8e7I4BjcmPCGzWUpLd
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:53:12.474
@version
1
_id
Zo8e7I4BjcmPCGzWUpLd
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Execute a Remote Command
event.code
4,104
event.created
Apr 17, 2024 @ 12:53:13.031
event.kind
event
event.original
Creating Scriptblock text (1 of 1):
Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML
ScriptBlock ID: 8cb22ec9-13dc-4900-a7a7-42c7e3f043fa
Path:
event.provider
Microsoft-Windows-PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
verbose
type
wineventlog
winlog.activity_id
{eafc05f8-8ffa-0000-10d8-fceafa8fda01}
winlog.api
wineventlog
winlog.channel
Microsoft-Windows-PowerShell/Operational
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.MessageNumber
1
winlog.event_data.MessageTotal
1
winlog.event_data.ScriptBlockId
8cb22ec9-13dc-4900-a7a7-42c7e3f043fa
winlog.event_data.ScriptBlockText
Invoke-PrivescCheck -Extended -Report PrivescCheck_$($env:COMPUTERNAME) -Format TXT,CSV,HTML,XML
winlog.event_id
4,104
winlog.opcode
On create calls
winlog.process.pid
2,340
winlog.process.thread.id
2,996
winlog.provider_guid
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.provider_name
Microsoft-Windows-PowerShell
winlog.record_id
1,807
winlog.task
Execute a Remote Command
winlog.user.domain
FERRUMFOX
winlog.user.identifier
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.name
maslov-o
winlog.user.type
User
winlog.version
1
Apr 17, 2024 @ 12:52:46.078
winlog.event_data.ScriptBlockText:
default { Write-Warning "`nReport format not implemented: $($Format.ToUpper())`n" } } } } } end { if ((-not $Extended) -and (-not $Force) -and (-not $Silent)) { Write-Warning "To get more info, run this script with the option '-Extended'." } } } function Invoke-Check { [CmdletBinding()] param( [object] $Check ) $Check.Severity = $Check.Severity -as $SeverityLevelEnum $IsVulnerabilityCheck = $Check.Severity -ne $SeverityLevelEnum::None if ($IsVulnerabilityCheck) { $Result = Invoke-Expression -Command "$($Check.Command) -BaseSeverity $([UInt32] $Check.BaseSeverity)" $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result.Result if ($Check.Severity) { $Check.Severity = $Result.Severity } } else { $Result = Invoke-Expression -Command "$($Check.Command)" $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result } if ($Check.Format -eq "Table") { $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-Table | Out-String) } elseif ($Check.Format -eq "List") { $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-List | Out-String) } [void] $ResultArrayList.Add($Check) $Check } function Write-CheckBanner { [OutputType([string])] [CmdletBinding()] param( [object] $Check, [switch] $Ascii ) function Split-Description { param([string]$Description) $DescriptionSplit = New-Object System.Collections.ArrayList $TempOld = "" $TempNew = "" $Description.Split(' ') | ForEach-Object { $TempNew = "$($TempOld) $($_)".Trim() if ($TempNew.Length -gt 60) { [void]$DescriptionSplit.Add($TempOld) $TempOld = "$($_)" } else { $TempOld = $TempNew } } if ($TempOld) { [void]$DescriptionSplit.Add($TempOld) } $DescriptionSplit } $HeavyVertical = [char] $(if ($Ascii) { '|' } else { 0x2503 }) $HeavyHorizontal = [char] $(if ($Ascii) { '-' } else { 0x2501 }) $HeavyVerticalAndRight = [char] $(if ($Ascii) { '+' } else { 0x2523 }) $HeavyVerticalAndLeft = [char] $(if ($Ascii) { '+' } else { 0x252B }) $HeavyDownAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x2533 }) $HeavyUpAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x253B }) $HeavyDownAndLeft = [char] $(if ($Ascii) { '+' } else { 0x2513 }) $HeavyDownAndRight = [char] $(if ($Ascii) { '+' } else { 0x250F }) $HeavyUpAndRight = [char] $(if ($Ascii) { '+' } else { 0x2517 }) $HeavyUpAndLeft = [char] $(if ($Ascii) { '+' } else { 0x251B }) $Result = "" $Result += "$($HeavyDownAndRight)$("$HeavyHorizontal" * 10)$($HeavyDownAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyDownAndLeft)`n" $Result += "$($HeavyVertical) CATEGORY $($HeavyVertical) $($Check.Category)$(' ' * (49 - $Check.Category.Length)) $($HeavyVertical)`n" $Result += "$($HeavyVertical) NAME $($HeavyVertical) $($Check.DisplayName)$(' ' * (49 - $Check.DisplayName.Length)) $($HeavyVertical)`n" $Result += "$($HeavyVerticalAndRight)$("$HeavyHorizontal" * 10)$($HeavyUpAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyVerticalAndLeft)`n" Split-Description -Description $Check.Description | ForEach-Object { $Result += "$($HeavyVertical) $($_)$(' '*(60 - ([String]$_).Length)) $($HeavyVertical)`n" } $Result += "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)" $Result } function Write-CheckResult { [OutputType([string])] [CmdletBinding()] param( [object] $CheckResult ) $IsVulnerabilityCheck = $CheckResult.BaseSeverity -ne $SeverityLevelEnum::None $Severity = $(if ($CheckResult.Severity) { $CheckResult.Severity} else { $SeverityLevelEnum::None }) -as $SeverityLevelEnum $ResultOutput = "[*] Status:" if ($Severity -eq $SeverityLevelEnum::None) { $ResultOutput += " Informational" if ($IsVulnerabilityCheck) { $ResultOutput += " (not vulnerable)" } else { if (-not $CheckResult.ResultRaw) { $ResultOutput += " (nothing found)" } } } else { $ResultOutput += " Vulnerable - $($Severity)" } $ResultOutput += "`n" switch ($CheckResult.Format) { "Table" { $ResultOutput += $CheckResult.ResultRaw | Format-Table -AutoSize | Out-String } "List" { $ResultOutput += $CheckResult.ResultRaw | Format-List | Out-String } default { Write-Warning "Unknown format: $($CheckResult.Format)" } } $ResultOutput } function Write-TxtReport { [CmdletBinding()] param( [object[]] $AllResults ) $AllResults | ForEach-Object { Write-CheckBanner -Check $_ -Ascii Write-CheckResult -CheckResult $_ } } function Write-CsvReport { [CmdletBinding()] param( [object[]] $AllResults ) $AllResults | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Csv -NoTypeInformation } function Write-XmlReport { [CmdletBinding()] param( [object[]] $AllResults ) $AuthorizedXmlCharactersRegex = "[^\x09\x0A\x0D\x20-\xD7FF\xE000-\xFFFD\x10000\x10FFFF]" $AllResults | ForEach-Object { $_.ResultRawString = [System.Text.RegularExpressions.Regex]::Replace($_.ResultRawString, $AuthorizedXmlCharactersRegex, "") $_ } | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Xml -As String } function Write-HtmlReport { [OutputType([string])] [CmdletBinding()] param( [object[]] $AllResults ) $JavaScript = @" var cells = document.getElementsByTagName('td'); for (var i=0; i<cells.length; i++) { var bg_color = null; if (cells[i].innerHTML == "Low") { bg_color = "bg_blue"; } else if (cells[i].innerHTML == "Medium") { bg_color = "bg_orange"; } else if (cells[i].innerHTML == "High") { bg_color = "bg_red"; } else if (cells[i].innerHTML == "None") { bg_color = "bg_grey"; } if (bg_color) { cells[i].innerHTML = "<span class=\"label " + bg_color + "\">" + cells[i].innerHTML + "</span>"; } // If a cell is too large, we need to make it scrollable. But 'td' elements are not // scrollable so, we need make it a 'div' first and apply the 'scroll' (c.f. CSS) style to make // it scrollable. cells[i].innerHTML = "<div class=\"scroll\">" + cells[i].innerHTML + "</div>"; } "@ $Css = @" body { font: 1.2em normal Arial,sans-serif; } table { border-collapse: collapse; width: 100%; border: 2px solid grey; } th { color: white; background: grey; text-align: center; padding: 5px 0; } td { text-align: center; padding: 5px 5px 5px 5px; max-width: 800px; } tbody td:nth-child(3) { text-align: left; } /* Render output results with 'pre' style */ tbody td:nth-child(5) { white-space: pre; margin: 1em 0px; padding: .2rem .4rem; font-size: 87.5%; font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace; text-align: left; } tbody tr:nth-child(odd) { background: whitesmoke; } .scroll { max-height: 200px; max-width: 800px; overflow: auto; } .label { color: white; margin: 8px; padding: 6px; display: block; width: 60px; border-radius: 5px; } .bg_green { background-color: green; } .bg_blue { background-color: royalblue; } .bg_orange { background-color: orange; } .bg_red { background-color: red; } .bg_grey { background-color: grey; } "@ $Html = @" <html lang="en-US"> <title>PrivescCheck Report</title> <head> <style> $($Css) </style> </head> <body> BODY_TO_REPLACE <script> $($JavaScript) </script> </body> </html> "@ $TableHtml = $AllResults | Sort-Object -Property "Category" | ConvertTo-Html -Property "Category","DisplayName","Description","Severity","ResultRawString" -Fragment $Html = $Html.Replace("BODY_TO_REPLACE", $TableHtml) $Html } function Get-SeverityColor { param ( [UInt32] $Severity ) switch ($Severity -as $SeverityLevelEnum) { $SeverityLevelEnum::Low { "DarkCyan" } $SeverityLevelEnum::Medium { "DarkYellow" } $SeverityLevelEnum::High { "Red" } default { Write-Warning "Get-SeverityColor > Unhandled severity level: $($Severity)" } } } function Write-ShortReport { [CmdletBinding()] param() $HeavyVertical = [char] 0x2503 $HeavyHorizontal = [char] 0x2501 $HeavyDownAndLeft = [char] 0x2513 $HeavyDownAndRight = [char] 0x250F $HeavyUpAndRight = [char] 0x2517 $HeavyUpAndLeft = [char] 0x251B $RightwardsArrow = [char] 0x2192 Write-Host -ForegroundColor White "$($HeavyDownAndRight)$("$HeavyHorizontal" * 62)$($HeavyDownAndLeft)" Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)" Write-Host -ForegroundColor White "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)" $AllVulnerabilities = $ResultArrayList | Where-Object { $_.Severity -ne $SeverityLevelEnum::None } $Categories = $AllVulnerabilities | Select-Object -ExpandProperty "Category" | Sort-Object -Unique if ($null -eq $AllVulnerabilities) { Write-Host -ForegroundColor White "No vulnerability found!" return } foreach ($Category in $Categories) { $Vulnerabilities = $AllVulnerabilities | Where-Object { $_.Category -eq $Category } Write-Host -ForegroundColor White " $($Category)" foreach ($Vulnerability in $Vulnerabilities) { $SeverityColor = Get-SeverityColor -Severity $($Vulnerability.Severity -as $SeverityLevelEnum) Write-Host -NoNewline -ForegroundColor White " -" Write-Host -NoNewLine " $($Vulnerability.DisplayName) $($RightwardsArrow)" Write-Host -ForegroundColor $SeverityColor " $($Vulnerability.Severity -as $SeverityLevelEnum)" } } Write-Host "" }
event.original:
Creating Scriptblock text (3 of 3): default { Write-Warning "`nReport format not implemented: $($Format.ToUpper())`n" } } } } } end { if ((-not $Extended) -and (-not $Force) -and (-not $Silent)) { Write-Warning "To get more info, run this script with the option '-Extended'." } } } function Invoke-Check { [CmdletBinding()] param( [object] $Check ) $Check.Severity = $Check.Severity -as $SeverityLevelEnum $IsVulnerabilityCheck = $Check.Severity -ne $SeverityLevelEnum::None if ($IsVulnerabilityCheck) { $Result = Invoke-Expression -Command "$($Check.Command) -BaseSeverity $([UInt32] $Check.BaseSeverity)" $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result.Result if ($Check.Severity) { $Check.Severity = $Result.Severity } } else { $Result = Invoke-Expression -Command "$($Check.Command)" $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result } if ($Check.Format -eq "Table") { $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-Table | Out-String) } elseif ($Check.Format -eq "List") { $Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-List | Out-String) } [void] $ResultArrayList.Add($Check) $Check } function Write-CheckBanner { [OutputType([string])] [CmdletBinding()] param( [object] $Check, [switch] $Ascii ) function Split-Description { param([string]$Description) $DescriptionSplit = New-Object System.Collections.ArrayList $TempOld = "" $TempNew = "" $Description.Split(' ') | ForEach-Object { $TempNew = "$($TempOld) $($_)".Trim() if ($TempNew.Length -gt 60) { [void]$DescriptionSplit.Add($TempOld) $TempOld = "$($_)" } else { $TempOld = $TempNew } } if ($TempOld) { [void]$DescriptionSplit.Add($TempOld) } $DescriptionSplit } $HeavyVertical = [char] $(if ($Ascii) { '|' } else { 0x2503 }) $HeavyHorizontal = [char] $(if ($Ascii) { '-' } else { 0x2501 }) $HeavyVerticalAndRight = [char] $(if ($Ascii) { '+' } else { 0x2523 }) $HeavyVerticalAndLeft = [char] $(if ($Ascii) { '+' } else { 0x252B }) $HeavyDownAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x2533 }) $HeavyUpAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x253B }) $HeavyDownAndLeft = [char] $(if ($Ascii) { '+' } else { 0x2513 }) $HeavyDownAndRight = [char] $(if ($Ascii) { '+' } else { 0x250F }) $HeavyUpAndRight = [char] $(if ($Ascii) { '+' } else { 0x2517 }) $HeavyUpAndLeft = [char] $(if ($Ascii) { '+' } else { 0x251B }) $Result = "" $Result += "$($HeavyDownAndRight)$("$HeavyHorizontal" * 10)$($HeavyDownAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyDownAndLeft)`n" $Result += "$($HeavyVertical) CATEGORY $($HeavyVertical) $($Check.Category)$(' ' * (49 - $Check.Category.Length)) $($HeavyVertical)`n" $Result += "$($HeavyVertical) NAME $($HeavyVertical) $($Check.DisplayName)$(' ' * (49 - $Check.DisplayName.Length)) $($HeavyVertical)`n" $Result += "$($HeavyVerticalAndRight)$("$HeavyHorizontal" * 10)$($HeavyUpAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyVerticalAndLeft)`n" Split-Description -Description $Check.Description | ForEach-Object { $Result += "$($HeavyVertical) $($_)$(' '*(60 - ([String]$_).Length)) $($HeavyVertical)`n" } $Result += "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)" $Result } function Write-CheckResult { [OutputType([string])] [CmdletBinding()] param( [object] $CheckResult ) $IsVulnerabilityCheck = $CheckResult.BaseSeverity -ne $SeverityLevelEnum::None $Severity = $(if ($CheckResult.Severity) { $CheckResult.Severity} else { $SeverityLevelEnum::None }) -as $SeverityLevelEnum $ResultOutput = "[*] Status:" if ($Severity -eq $SeverityLevelEnum::None) { $ResultOutput += " Informational" if ($IsVulnerabilityCheck) { $ResultOutput += " (not vulnerable)" } else { if (-not $CheckResult.ResultRaw) { $ResultOutput += " (nothing found)" } } } else { $ResultOutput += " Vulnerable - $($Severity)" } $ResultOutput += "`n" switch ($CheckResult.Format) { "Table" { $ResultOutput += $CheckResult.ResultRaw | Format-Table -AutoSize | Out-String } "List" { $ResultOutput += $CheckResult.ResultRaw | Format-List | Out-String } default { Write-Warning "Unknown format: $($CheckResult.Format)" } } $ResultOutput } function Write-TxtReport { [CmdletBinding()] param( [object[]] $AllResults ) $AllResults | ForEach-Object { Write-CheckBanner -Check $_ -Ascii Write-CheckResult -CheckResult $_ } } function Write-CsvReport { [CmdletBinding()] param( [object[]] $AllResults ) $AllResults | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Csv -NoTypeInformation } function Write-XmlReport { [CmdletBinding()] param( [object[]] $AllResults ) $AuthorizedXmlCharactersRegex = "[^\x09\x0A\x0D\x20-\xD7FF\xE000-\xFFFD\x10000\x10FFFF]" $AllResults | ForEach-Object { $_.ResultRawString = [System.Text.RegularExpressions.Regex]::Replace($_.ResultRawString, $AuthorizedXmlCharactersRegex, "") $_ } | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Xml -As String } function Write-HtmlReport { [OutputType([string])] [CmdletBinding()] param( [object[]] $AllResults ) $JavaScript = @" var cells = document.getElementsByTagName('td'); for (var i=0; i<cells.length; i++) { var bg_color = null; if (cells[i].innerHTML == "Low") { bg_color = "bg_blue"; } else if (cells[i].innerHTML == "Medium") { bg_color = "bg_orange"; } else if (cells[i].innerHTML == "High") { bg_color = "bg_red"; } else if (cells[i].innerHTML == "None") { bg_color = "bg_grey"; } if (bg_color) { cells[i].innerHTML = "<span class=\"label " + bg_color + "\">" + cells[i].innerHTML + "</span>"; } // If a cell is too large, we need to make it scrollable. But 'td' elements are not // scrollable so, we need make it a 'div' first and apply the 'scroll' (c.f. CSS) style to make // it scrollable. cells[i].innerHTML = "<div class=\"scroll\">" + cells[i].innerHTML + "</div>"; } "@ $Css = @" body { font: 1.2em normal Arial,sans-serif; } table { border-collapse: collapse; width: 100%; border: 2px solid grey; } th { color: white; background: grey; text-align: center; padding: 5px 0; } td { text-align: center; padding: 5px 5px 5px 5px; max-width: 800px; } tbody td:nth-child(3) { text-align: left; } /* Render output results with 'pre' style */ tbody td:nth-child(5) { white-space: pre; margin: 1em 0px; padding: .2rem .4rem; font-size: 87.5%; font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace; text-align: left; } tbody tr:nth-child(odd) { background: whitesmoke; } .scroll { max-height: 200px; max-width: 800px; overflow: auto; } .label { color: white; margin: 8px; padding: 6px; display: block; width: 60px; border-radius: 5px; } .bg_green { background-color: green; } .bg_blue { background-color: royalblue; } .bg_orange { background-color: orange; } .bg_red { background-color: red; } .bg_grey { background-color: grey; } "@ $Html = @" <html lang="en-US"> <title>PrivescCheck Report</title> <head> <style> $($Css) </style> </head> <body> BODY_TO_REPLACE <script> $($JavaScript) </script> </body> </html> "@ $TableHtml = $AllResults | Sort-Object -Property "Category" | ConvertTo-Html -Property "Category","DisplayName","Description","Severity","ResultRawString" -Fragment $Html = $Html.Replace("BODY_TO_REPLACE", $TableHtml) $Html } function Get-SeverityColor { param ( [UInt32] $Severity ) switch ($Severity -as $SeverityLevelEnum) { $SeverityLevelEnum::Low { "DarkCyan" } $SeverityLevelEnum::Medium { "DarkYellow" } $SeverityLevelEnum::High { "Red" } default { Write-Warning "Get-SeverityColor > Unhandled severity level: $($Severity)" } } } function Write-ShortReport { [CmdletBinding()] param() $HeavyVertical = [char] 0x2503 $HeavyHorizontal = [char] 0x2501 $HeavyDownAndLeft = [char] 0x2513 $HeavyDownAndRight = [char] 0x250F $HeavyUpAndRight = [char] 0x2517 $HeavyUpAndLeft = [char] 0x251B $RightwardsArrow = [char] 0x2192 Write-Host -ForegroundColor White "$($HeavyDownAndRight)$("$HeavyHorizontal" * 62)$($HeavyDownAndLeft)" Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)" Write-Host -ForegroundColor White "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)" $AllVulnerabilities = $ResultArrayList | Where-Object { $_.Severity -ne $SeverityLevelEnum::None } $Categories = $AllVulnerabilities | Select-Object -ExpandProperty "Category" | Sort-Object -Unique if ($null -eq $AllVulnerabilities) { Write-Host -ForegroundColor White "No vulnerability found!" return } foreach ($Category in $Categories) { $Vulnerabilities = $AllVulnerabilities | Where-Object { $_.Category -eq $Category } Write-Host -ForegroundColor White " $($Category)" foreach ($Vulnerability in $Vulnerabilities) { $SeverityColor = Get-SeverityColor -Severity $($Vulnerability.Severity -as $SeverityLevelEnum) Write-Host -NoNewline -ForegroundColor White " -" Write-Host -NoNewLine " $($Vulnerability.DisplayName) $($RightwardsArrow)" Write-Host -ForegroundColor $SeverityColor " $($Vulnerability.Severity -as $SeverityLevelEnum)" } } Write-Host "" } ScriptBlock ID: 2d27b53a-8cab-4a94-9d96-32263cc3b8dc Path:
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:52:46.078
winlog.provider_name:
Microsoft-Windows-PowerShell
winlog.channel:
Microsoft-Windows-PowerShell/Operational
winlog.record_id:
1,692
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.provider_guid:
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.event_data.ScriptBlockId:
2d27b53a-8cab-4a94-9d96-32263cc3b8dc
winlog.event_data.MessageTotal:
3
winlog.event_data.MessageNumber:
3
winlog.user.name:
maslov-o
winlog.user.type:
User
winlog.user.identifier:
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.domain:
FERRUMFOX
winlog.task:
Execute a Remote Command
winlog.opcode:
On create calls
winlog.activity_id:
{eafc05f8-8ffa-0001-34d2-fceafa8fda01}
winlog.version:
1
winlog.api:
wineventlog
winlog.event_id:
4,104
winlog.process.thread.id:
2,996
winlog.process.pid:
2,340
log.level:
warning
host.name:
maslov-o-pc.ferrumfox.corp
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.name:
Windows 10 Pro
host.os.platform:
windows
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
Microsoft-Windows-PowerShell
event.action:
Execute a Remote Command
event.kind:
event
event.created:
Apr 17, 2024 @ 12:52:46.676
event.code:
4,104
_id:
k48d7I4BjcmPCGzW7JFb
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:52:46.078
@version
1
_id
k48d7I4BjcmPCGzW7JFb
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Execute a Remote Command
event.code
4,104
event.created
Apr 17, 2024 @ 12:52:46.676
event.kind
event
event.original
Creating Scriptblock text (3 of 3):
default { Write-Warning "`nReport format not implemented: $($Format.ToUpper())`n" }
}
}
}
}
end {
if ((-not $Extended) -and (-not $Force) -and (-not $Silent)) {
Write-Warning "To get more info, run this script with the option '-Extended'."
}
}
}
function Invoke-Check {
[CmdletBinding()] param(
[object] $Check
)
$Check.Severity = $Check.Severity -as $SeverityLevelEnum
$IsVulnerabilityCheck = $Check.Severity -ne $SeverityLevelEnum::None
if ($IsVulnerabilityCheck) {
$Result = Invoke-Expression -Command "$($Check.Command) -BaseSeverity $([UInt32] $Check.BaseSeverity)"
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result.Result
if ($Check.Severity) { $Check.Severity = $Result.Severity }
}
else {
$Result = Invoke-Expression -Command "$($Check.Command)"
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result
}
if ($Check.Format -eq "Table") {
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-Table | Out-String)
}
elseif ($Check.Format -eq "List") {
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-List | Out-String)
}
[void] $ResultArrayList.Add($Check)
$Check
}
function Write-CheckBanner {
[OutputType([string])]
[CmdletBinding()] param(
[object] $Check,
[switch] $Ascii
)
function Split-Description {
param([string]$Description)
$DescriptionSplit = New-Object System.Collections.ArrayList
$TempOld = ""
$TempNew = ""
$Description.Split(' ') | ForEach-Object {
$TempNew = "$($TempOld) $($_)".Trim()
if ($TempNew.Length -gt 60) {
[void]$DescriptionSplit.Add($TempOld)
$TempOld = "$($_)"
}
else {
$TempOld = $TempNew
}
}
if ($TempOld) {
[void]$DescriptionSplit.Add($TempOld)
}
$DescriptionSplit
}
$HeavyVertical = [char] $(if ($Ascii) { '|' } else { 0x2503 })
$HeavyHorizontal = [char] $(if ($Ascii) { '-' } else { 0x2501 })
$HeavyVerticalAndRight = [char] $(if ($Ascii) { '+' } else { 0x2523 })
$HeavyVerticalAndLeft = [char] $(if ($Ascii) { '+' } else { 0x252B })
$HeavyDownAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x2533 })
$HeavyUpAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x253B })
$HeavyDownAndLeft = [char] $(if ($Ascii) { '+' } else { 0x2513 })
$HeavyDownAndRight = [char] $(if ($Ascii) { '+' } else { 0x250F })
$HeavyUpAndRight = [char] $(if ($Ascii) { '+' } else { 0x2517 })
$HeavyUpAndLeft = [char] $(if ($Ascii) { '+' } else { 0x251B })
$Result = ""
$Result += "$($HeavyDownAndRight)$("$HeavyHorizontal" * 10)$($HeavyDownAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyDownAndLeft)`n"
$Result += "$($HeavyVertical) CATEGORY $($HeavyVertical) $($Check.Category)$(' ' * (49 - $Check.Category.Length)) $($HeavyVertical)`n"
$Result += "$($HeavyVertical) NAME $($HeavyVertical) $($Check.DisplayName)$(' ' * (49 - $Check.DisplayName.Length)) $($HeavyVertical)`n"
$Result += "$($HeavyVerticalAndRight)$("$HeavyHorizontal" * 10)$($HeavyUpAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyVerticalAndLeft)`n"
Split-Description -Description $Check.Description | ForEach-Object {
$Result += "$($HeavyVertical) $($_)$(' '*(60 - ([String]$_).Length)) $($HeavyVertical)`n"
}
$Result += "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)"
$Result
}
function Write-CheckResult {
[OutputType([string])]
[CmdletBinding()] param(
[object] $CheckResult
)
$IsVulnerabilityCheck = $CheckResult.BaseSeverity -ne $SeverityLevelEnum::None
$Severity = $(if ($CheckResult.Severity) { $CheckResult.Severity} else { $SeverityLevelEnum::None }) -as $SeverityLevelEnum
$ResultOutput = "[*] Status:"
if ($Severity -eq $SeverityLevelEnum::None) {
$ResultOutput += " Informational"
if ($IsVulnerabilityCheck) {
$ResultOutput += " (not vulnerable)"
}
else {
if (-not $CheckResult.ResultRaw) {
$ResultOutput += " (nothing found)"
}
}
}
else {
$ResultOutput += " Vulnerable - $($Severity)"
}
$ResultOutput += "`n"
switch ($CheckResult.Format) {
"Table" { $ResultOutput += $CheckResult.ResultRaw | Format-Table -AutoSize | Out-String }
"List" { $ResultOutput += $CheckResult.ResultRaw | Format-List | Out-String }
default { Write-Warning "Unknown format: $($CheckResult.Format)" }
}
$ResultOutput
}
function Write-TxtReport {
[CmdletBinding()] param(
[object[]] $AllResults
)
$AllResults | ForEach-Object {
Write-CheckBanner -Check $_ -Ascii
Write-CheckResult -CheckResult $_
}
}
function Write-CsvReport {
[CmdletBinding()] param(
[object[]] $AllResults
)
$AllResults | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Csv -NoTypeInformation
}
function Write-XmlReport {
[CmdletBinding()] param(
[object[]] $AllResults
)
$AuthorizedXmlCharactersRegex = "[^\x09\x0A\x0D\x20-\xD7FF\xE000-\xFFFD\x10000\x10FFFF]"
$AllResults | ForEach-Object {
$_.ResultRawString = [System.Text.RegularExpressions.Regex]::Replace($_.ResultRawString, $AuthorizedXmlCharactersRegex, "")
$_
} | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Xml -As String
}
function Write-HtmlReport {
[OutputType([string])]
[CmdletBinding()] param(
[object[]] $AllResults
)
$JavaScript = @"
var cells = document.getElementsByTagName('td');
for (var i=0; i<cells.length; i++) {
var bg_color = null;
if (cells[i].innerHTML == "Low") {
bg_color = "bg_blue";
} else if (cells[i].innerHTML == "Medium") {
bg_color = "bg_orange";
} else if (cells[i].innerHTML == "High") {
bg_color = "bg_red";
} else if (cells[i].innerHTML == "None") {
bg_color = "bg_grey";
}
if (bg_color) {
cells[i].innerHTML = "<span class=\"label " + bg_color + "\">" + cells[i].innerHTML + "</span>";
}
// If a cell is too large, we need to make it scrollable. But 'td' elements are not
// scrollable so, we need make it a 'div' first and apply the 'scroll' (c.f. CSS) style to make
// it scrollable.
cells[i].innerHTML = "<div class=\"scroll\">" + cells[i].innerHTML + "</div>";
}
"@
$Css = @"
body {
font: 1.2em normal Arial,sans-serif;
}
table {
border-collapse: collapse;
width: 100%;
border: 2px solid grey;
}
th {
color: white;
background: grey;
text-align: center;
padding: 5px 0;
}
td {
text-align: center;
padding: 5px 5px 5px 5px;
max-width: 800px;
}
tbody td:nth-child(3) {
text-align: left;
}
/* Render output results with 'pre' style */
tbody td:nth-child(5) {
white-space: pre;
margin: 1em 0px;
padding: .2rem .4rem;
font-size: 87.5%;
font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;
text-align: left;
}
tbody tr:nth-child(odd) {
background: whitesmoke;
}
.scroll {
max-height: 200px;
max-width: 800px;
overflow: auto;
}
.label {
color: white;
margin: 8px;
padding: 6px;
display: block;
width: 60px;
border-radius: 5px;
}
.bg_green { background-color: green; }
.bg_blue { background-color: royalblue; }
.bg_orange { background-color: orange; }
.bg_red { background-color: red; }
.bg_grey { background-color: grey; }
"@
$Html = @"
<html lang="en-US">
<title>PrivescCheck Report</title>
<head>
<style>
$($Css)
</style>
</head>
<body>
BODY_TO_REPLACE
<script>
$($JavaScript)
</script>
</body>
</html>
"@
$TableHtml = $AllResults | Sort-Object -Property "Category" | ConvertTo-Html -Property "Category","DisplayName","Description","Severity","ResultRawString" -Fragment
$Html = $Html.Replace("BODY_TO_REPLACE", $TableHtml)
$Html
}
function Get-SeverityColor {
param (
[UInt32] $Severity
)
switch ($Severity -as $SeverityLevelEnum) {
$SeverityLevelEnum::Low { "DarkCyan" }
$SeverityLevelEnum::Medium { "DarkYellow" }
$SeverityLevelEnum::High { "Red" }
default { Write-Warning "Get-SeverityColor > Unhandled severity level: $($Severity)" }
}
}
function Write-ShortReport {
[CmdletBinding()] param()
$HeavyVertical = [char] 0x2503
$HeavyHorizontal = [char] 0x2501
$HeavyDownAndLeft = [char] 0x2513
$HeavyDownAndRight = [char] 0x250F
$HeavyUpAndRight = [char] 0x2517
$HeavyUpAndLeft = [char] 0x251B
$RightwardsArrow = [char] 0x2192
Write-Host -ForegroundColor White "$($HeavyDownAndRight)$("$HeavyHorizontal" * 62)$($HeavyDownAndLeft)"
Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
Write-Host -ForegroundColor White "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)"
$AllVulnerabilities = $ResultArrayList | Where-Object { $_.Severity -ne $SeverityLevelEnum::None }
$Categories = $AllVulnerabilities | Select-Object -ExpandProperty "Category" | Sort-Object -Unique
if ($null -eq $AllVulnerabilities) {
Write-Host -ForegroundColor White "No vulnerability found!"
return
}
foreach ($Category in $Categories) {
$Vulnerabilities = $AllVulnerabilities | Where-Object { $_.Category -eq $Category }
Write-Host -ForegroundColor White " $($Category)"
foreach ($Vulnerability in $Vulnerabilities) {
$SeverityColor = Get-SeverityColor -Severity $($Vulnerability.Severity -as $SeverityLevelEnum)
Write-Host -NoNewline -ForegroundColor White " -"
Write-Host -NoNewLine " $($Vulnerability.DisplayName) $($RightwardsArrow)"
Write-Host -ForegroundColor $SeverityColor " $($Vulnerability.Severity -as $SeverityLevelEnum)"
}
}
Write-Host ""
}
ScriptBlock ID: 2d27b53a-8cab-4a94-9d96-32263cc3b8dc
Path:
event.provider
Microsoft-Windows-PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
warning
type
wineventlog
winlog.activity_id
{eafc05f8-8ffa-0001-34d2-fceafa8fda01}
winlog.api
wineventlog
winlog.channel
Microsoft-Windows-PowerShell/Operational
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.MessageNumber
3
winlog.event_data.MessageTotal
3
winlog.event_data.ScriptBlockId
2d27b53a-8cab-4a94-9d96-32263cc3b8dc
winlog.event_data.ScriptBlockText
default { Write-Warning "`nReport format not implemented: $($Format.ToUpper())`n" }
}
}
}
}
end {
if ((-not $Extended) -and (-not $Force) -and (-not $Silent)) {
Write-Warning "To get more info, run this script with the option '-Extended'."
}
}
}
function Invoke-Check {
[CmdletBinding()] param(
[object] $Check
)
$Check.Severity = $Check.Severity -as $SeverityLevelEnum
$IsVulnerabilityCheck = $Check.Severity -ne $SeverityLevelEnum::None
if ($IsVulnerabilityCheck) {
$Result = Invoke-Expression -Command "$($Check.Command) -BaseSeverity $([UInt32] $Check.BaseSeverity)"
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result.Result
if ($Check.Severity) { $Check.Severity = $Result.Severity }
}
else {
$Result = Invoke-Expression -Command "$($Check.Command)"
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRaw" -Value $Result
}
if ($Check.Format -eq "Table") {
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-Table | Out-String)
}
elseif ($Check.Format -eq "List") {
$Check | Add-Member -MemberType "NoteProperty" -Name "ResultRawString" -Value $($Check.ResultRaw | Format-List | Out-String)
}
[void] $ResultArrayList.Add($Check)
$Check
}
function Write-CheckBanner {
[OutputType([string])]
[CmdletBinding()] param(
[object] $Check,
[switch] $Ascii
)
function Split-Description {
param([string]$Description)
$DescriptionSplit = New-Object System.Collections.ArrayList
$TempOld = ""
$TempNew = ""
$Description.Split(' ') | ForEach-Object {
$TempNew = "$($TempOld) $($_)".Trim()
if ($TempNew.Length -gt 60) {
[void]$DescriptionSplit.Add($TempOld)
$TempOld = "$($_)"
}
else {
$TempOld = $TempNew
}
}
if ($TempOld) {
[void]$DescriptionSplit.Add($TempOld)
}
$DescriptionSplit
}
$HeavyVertical = [char] $(if ($Ascii) { '|' } else { 0x2503 })
$HeavyHorizontal = [char] $(if ($Ascii) { '-' } else { 0x2501 })
$HeavyVerticalAndRight = [char] $(if ($Ascii) { '+' } else { 0x2523 })
$HeavyVerticalAndLeft = [char] $(if ($Ascii) { '+' } else { 0x252B })
$HeavyDownAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x2533 })
$HeavyUpAndHorizontal = [char] $(if ($Ascii) { '+' } else { 0x253B })
$HeavyDownAndLeft = [char] $(if ($Ascii) { '+' } else { 0x2513 })
$HeavyDownAndRight = [char] $(if ($Ascii) { '+' } else { 0x250F })
$HeavyUpAndRight = [char] $(if ($Ascii) { '+' } else { 0x2517 })
$HeavyUpAndLeft = [char] $(if ($Ascii) { '+' } else { 0x251B })
$Result = ""
$Result += "$($HeavyDownAndRight)$("$HeavyHorizontal" * 10)$($HeavyDownAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyDownAndLeft)`n"
$Result += "$($HeavyVertical) CATEGORY $($HeavyVertical) $($Check.Category)$(' ' * (49 - $Check.Category.Length)) $($HeavyVertical)`n"
$Result += "$($HeavyVertical) NAME $($HeavyVertical) $($Check.DisplayName)$(' ' * (49 - $Check.DisplayName.Length)) $($HeavyVertical)`n"
$Result += "$($HeavyVerticalAndRight)$("$HeavyHorizontal" * 10)$($HeavyUpAndHorizontal)$("$HeavyHorizontal" * 51)$($HeavyVerticalAndLeft)`n"
Split-Description -Description $Check.Description | ForEach-Object {
$Result += "$($HeavyVertical) $($_)$(' '*(60 - ([String]$_).Length)) $($HeavyVertical)`n"
}
$Result += "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)"
$Result
}
function Write-CheckResult {
[OutputType([string])]
[CmdletBinding()] param(
[object] $CheckResult
)
$IsVulnerabilityCheck = $CheckResult.BaseSeverity -ne $SeverityLevelEnum::None
$Severity = $(if ($CheckResult.Severity) { $CheckResult.Severity} else { $SeverityLevelEnum::None }) -as $SeverityLevelEnum
$ResultOutput = "[*] Status:"
if ($Severity -eq $SeverityLevelEnum::None) {
$ResultOutput += " Informational"
if ($IsVulnerabilityCheck) {
$ResultOutput += " (not vulnerable)"
}
else {
if (-not $CheckResult.ResultRaw) {
$ResultOutput += " (nothing found)"
}
}
}
else {
$ResultOutput += " Vulnerable - $($Severity)"
}
$ResultOutput += "`n"
switch ($CheckResult.Format) {
"Table" { $ResultOutput += $CheckResult.ResultRaw | Format-Table -AutoSize | Out-String }
"List" { $ResultOutput += $CheckResult.ResultRaw | Format-List | Out-String }
default { Write-Warning "Unknown format: $($CheckResult.Format)" }
}
$ResultOutput
}
function Write-TxtReport {
[CmdletBinding()] param(
[object[]] $AllResults
)
$AllResults | ForEach-Object {
Write-CheckBanner -Check $_ -Ascii
Write-CheckResult -CheckResult $_
}
}
function Write-CsvReport {
[CmdletBinding()] param(
[object[]] $AllResults
)
$AllResults | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Csv -NoTypeInformation
}
function Write-XmlReport {
[CmdletBinding()] param(
[object[]] $AllResults
)
$AuthorizedXmlCharactersRegex = "[^\x09\x0A\x0D\x20-\xD7FF\xE000-\xFFFD\x10000\x10FFFF]"
$AllResults | ForEach-Object {
$_.ResultRawString = [System.Text.RegularExpressions.Regex]::Replace($_.ResultRawString, $AuthorizedXmlCharactersRegex, "")
$_
} | Sort-Object -Property "Category" | Select-Object Id,Category,DisplayName,Description,Severity,ResultRawString | ConvertTo-Xml -As String
}
function Write-HtmlReport {
[OutputType([string])]
[CmdletBinding()] param(
[object[]] $AllResults
)
$JavaScript = @"
var cells = document.getElementsByTagName('td');
for (var i=0; i<cells.length; i++) {
var bg_color = null;
if (cells[i].innerHTML == "Low") {
bg_color = "bg_blue";
} else if (cells[i].innerHTML == "Medium") {
bg_color = "bg_orange";
} else if (cells[i].innerHTML == "High") {
bg_color = "bg_red";
} else if (cells[i].innerHTML == "None") {
bg_color = "bg_grey";
}
if (bg_color) {
cells[i].innerHTML = "<span class=\"label " + bg_color + "\">" + cells[i].innerHTML + "</span>";
}
// If a cell is too large, we need to make it scrollable. But 'td' elements are not
// scrollable so, we need make it a 'div' first and apply the 'scroll' (c.f. CSS) style to make
// it scrollable.
cells[i].innerHTML = "<div class=\"scroll\">" + cells[i].innerHTML + "</div>";
}
"@
$Css = @"
body {
font: 1.2em normal Arial,sans-serif;
}
table {
border-collapse: collapse;
width: 100%;
border: 2px solid grey;
}
th {
color: white;
background: grey;
text-align: center;
padding: 5px 0;
}
td {
text-align: center;
padding: 5px 5px 5px 5px;
max-width: 800px;
}
tbody td:nth-child(3) {
text-align: left;
}
/* Render output results with 'pre' style */
tbody td:nth-child(5) {
white-space: pre;
margin: 1em 0px;
padding: .2rem .4rem;
font-size: 87.5%;
font-family: SFMono-Regular,Menlo,Monaco,Consolas,"Liberation Mono","Courier New",monospace;
text-align: left;
}
tbody tr:nth-child(odd) {
background: whitesmoke;
}
.scroll {
max-height: 200px;
max-width: 800px;
overflow: auto;
}
.label {
color: white;
margin: 8px;
padding: 6px;
display: block;
width: 60px;
border-radius: 5px;
}
.bg_green { background-color: green; }
.bg_blue { background-color: royalblue; }
.bg_orange { background-color: orange; }
.bg_red { background-color: red; }
.bg_grey { background-color: grey; }
"@
$Html = @"
<html lang="en-US">
<title>PrivescCheck Report</title>
<head>
<style>
$($Css)
</style>
</head>
<body>
BODY_TO_REPLACE
<script>
$($JavaScript)
</script>
</body>
</html>
"@
$TableHtml = $AllResults | Sort-Object -Property "Category" | ConvertTo-Html -Property "Category","DisplayName","Description","Severity","ResultRawString" -Fragment
$Html = $Html.Replace("BODY_TO_REPLACE", $TableHtml)
$Html
}
function Get-SeverityColor {
param (
[UInt32] $Severity
)
switch ($Severity -as $SeverityLevelEnum) {
$SeverityLevelEnum::Low { "DarkCyan" }
$SeverityLevelEnum::Medium { "DarkYellow" }
$SeverityLevelEnum::High { "Red" }
default { Write-Warning "Get-SeverityColor > Unhandled severity level: $($Severity)" }
}
}
function Write-ShortReport {
[CmdletBinding()] param()
$HeavyVertical = [char] 0x2503
$HeavyHorizontal = [char] 0x2501
$HeavyDownAndLeft = [char] 0x2513
$HeavyDownAndRight = [char] 0x250F
$HeavyUpAndRight = [char] 0x2517
$HeavyUpAndLeft = [char] 0x251B
$RightwardsArrow = [char] 0x2192
Write-Host -ForegroundColor White "$($HeavyDownAndRight)$("$HeavyHorizontal" * 62)$($HeavyDownAndLeft)"
Write-Host -ForegroundColor White "$($HeavyVertical)$(" " * 17)~~~ PrivescCheck Summary ~~~$(" " * 17)$($HeavyVertical)"
Write-Host -ForegroundColor White "$($HeavyUpAndRight)$("$HeavyHorizontal" * 62)$($HeavyUpAndLeft)"
$AllVulnerabilities = $ResultArrayList | Where-Object { $_.Severity -ne $SeverityLevelEnum::None }
$Categories = $AllVulnerabilities | Select-Object -ExpandProperty "Category" | Sort-Object -Unique
if ($null -eq $AllVulnerabilities) {
Write-Host -ForegroundColor White "No vulnerability found!"
return
}
foreach ($Category in $Categories) {
$Vulnerabilities = $AllVulnerabilities | Where-Object { $_.Category -eq $Category }
Write-Host -ForegroundColor White " $($Category)"
foreach ($Vulnerability in $Vulnerabilities) {
$SeverityColor = Get-SeverityColor -Severity $($Vulnerability.Severity -as $SeverityLevelEnum)
Write-Host -NoNewline -ForegroundColor White " -"
Write-Host -NoNewLine " $($Vulnerability.DisplayName) $($RightwardsArrow)"
Write-Host -ForegroundColor $SeverityColor " $($Vulnerability.Severity -as $SeverityLevelEnum)"
}
}
Write-Host ""
}
winlog.event_id
4,104
winlog.opcode
On create calls
winlog.process.pid
2,340
winlog.process.thread.id
2,996
winlog.provider_guid
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.provider_name
Microsoft-Windows-PowerShell
winlog.record_id
1,692
winlog.task
Execute a Remote Command
winlog.user.domain
FERRUMFOX
winlog.user.identifier
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.name
maslov-o
winlog.user.type
User
winlog.version
1
Apr 17, 2024 @ 12:52:46.078
winlog.event_data.ScriptBlockText:
function Invoke-PrivescCheck { [CmdletBinding()] param( [switch] $Extended = $false, [switch] $Experimental = $false, [switch] $Force = $false, [switch] $Silent = $false, [string] $Report, [ValidateSet("TXT","HTML","CSV","XML")] [string[]] $Format ) begin { $AllChecksCsv = @" "Id", "Command", "Category", "DisplayName", "Severity", "Format", "Extended", "RunIfAdmin", "Experimental", "Description" "USER_USER", "Invoke-UserCheck", "TA0043 - Reconnaissance", "User identity", "None", "List", "False", "True", "False", "Get information about the current user (name, domain name) and its access token (SID, integrity level, authentication ID)." "USER_GROUPS", "Invoke-UserGroupsCheck", "TA0043 - Reconnaissance", "User groups", "None", "Table", "False", "True", "False", "Get information about the groups the current user belongs to (name, type, SID)." "USER_RESTRICTED_SIDS", "Invoke-UserRestrictedSidsCheck", "TA0043 - Reconnaissance", "User restricted SIDs", "None", "Table", "True", "True", "False", "Get information about potential restricted SIDs applied to the current user." "USER_PRIVILEGES", "Invoke-UserPrivilegesCheck", "TA0004 - Privilege Escalation", "User privileges", "High", "Table", "False", "False", "False", "Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM." "USER_ENV", "Invoke-UserEnvCheck", "TA0006 - Credential Access", "User environment variables", "None", "Table", "False", "True", "False", "Check whether any environment variables contain sensitive information such as credentials or secrets. Note that this check follows a keyword-based approach and thus might not be completely reliable." "SERVICE_INSTALLED", "Invoke-InstalledServicesCheck", "TA0004 - Privilege Escalation", "Non-default services", "None", "List", "False", "True", "False", "Get information about third-party services. It does so by parsing the target executable's metadata and checking whether the publisher is Microsoft." "SERVICE_THIRD_PARTY", "Invoke-ThirdPartyDriversCheck", "TA0004 - Privilege Escalation", "Third-party Kernel drivers", "None", "List", "True", "True", "False", "Get information about third-party kernel drivers. It does so by parsing the driver's metadata and checking whether the publisher is Microsoft." "SERVICE_VULN_DRIVER", "Invoke-VulnerableDriverCheck", "TA0004 - Privilege Escalation", "Vulnerable Kernel drivers", "High", "List", "False", "True", "False", "Check whether known vulnerable kernel drivers are installed. It does so by computing the file hash of each driver and comparing the value against the list provided by loldrivers.io." "SERVICE_PERMISSIONS", "Invoke-ServicesPermissionsCheck", "TA0004 - Privilege Escalation", "Service permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service through the Service Control Manager (SCM)." "SERVICE_PERMISSIONS_REGISTRY", "Invoke-ServicesPermissionsRegistryCheck", "TA0004 - Privilege Escalation", "Service registry permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the configuration of a service in the registry." "SERVICE_IMAGE_PERMISSIONS", "Invoke-ServicesImagePermissionsCheck", "TA0004 - Privilege Escalation", "Service binary permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service's binary or its folder." "SERVICE_UNQUOTED_PATH_INFO", "Invoke-ServicesUnquotedPathCheck -Info", "TA0004 - Privilege Escalation", "Service unquoted paths (info)", "None", "List", "True", "False", "False", "Check whether there are services configured with an unquoted path that contains spaces." "SERVICE_UNQUOTED_PATH", "Invoke-ServicesUnquotedPathCheck", "TA0004 - Privilege Escalation", "Service unquoted paths", "High", "List", "False", "False", "False", "Check whether there are services configured with an exploitable unquoted path that contains spaces." "SERVICE_SCM_PERMISSIONS", "Invoke-SCMPermissionsCheck", "TA0004 - Privilege Escalation", "Service Control Manager permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the Service Control Manager (SCM)." "APP_INSTALLED", "Invoke-InstalledProgramsCheck", "TA0043 - Reconnaissance", "Non-default applications", "None", "Table", "True", "True", "False", "Get information about non-default and third-party applications by searching the registry and the default install locations." "APP_MODIFIABLE", "Invoke-ModifiableProgramsCheck", "TA0004 - Privilege Escalation", "Application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on non-default or third-party applications." "APP_PROGRAMDATA", "Invoke-ProgramDataCheck", "TA0004 - Privilege Escalation", "Non-default ProgramData folders", "None", "List", "True", "False", "True", "Check whether the current user has any write permissions on a non-default "ProgramData" folder. This check is purely informative and the results require manual analysis." "APP_STARTUP_INFO", "Invoke-ApplicationsOnStartupCheck -Info", "TA0004 - Privilege Escalation", "Startup applications (info)", "None", "List", "True", "True", "False", "Get information about system-wide applications that are run at startup for all users." "APP_STARTUP", "Invoke-ApplicationsOnStartupCheck", "TA0004 - Privilege Escalation", "Startup application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on system-wide applications that are run at startup for all users." "APP_PROCESSES", "Invoke-RunningProcessCheck", "TA0043 - Reconnaissance", "Running processes", "None", "Table", "True", "True", "False", "Get information about the currently running processes that are not owned by the current user. Processes such as 'svchost.exe' are filtered out." "SCHTASKS_IMAGE_PERMISSIONS", "Invoke-ScheduledTasksImagePermissionsCheck", "TA0004 - Privilege Escalation", "Scheduled task binary permissions", "High", "List", "True", "False", "False", "Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks." "SCHTASKS_UNQUOTED_PATH", "Invoke-ScheduledTasksUnquotedPathCheck", "TA0004 - Privilege Escalation", "Scheduled task unquoted paths", "Medium", "List", "True", "False", "True", "Check whether there are scheduled tasks configured with an exploitable unquoted path. Note that low-privileged users cannot list all the scheduled tasks." "CREDS_SENSITIVE_HIVE_FILES", "Invoke-SensitiveHiveFileAccessCheck", "TA0006 - Credential Access", "Hive file permissions", "Medium", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files in the system folder (CVE-2021-36934 - HiveNightmare)." "CREDS_SENSITIVE_HIVE_FILES_VSS", "Invoke-SensitiveHiveShadowCopyCheck", "TA0006 - Credential Access", "Hive file shadow copy permissions", "High", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files stored in volume shadow copies (CVE-2021-36934 - HiveNightmare)." "CREDS_UNATTEND", "Invoke-UnattendFilesCheck", "TA0006 - Credential Access", "Unattend file credentials", "Medium", "List", "False", "True", "False", "Check whether there are any 'unattend' files and whether they contain clear-text credentials." "CREDS_WINLOGON", "Invoke-WinlogonCheck", "TA0006 - Credential Access", "WinLogon credentials", "Medium", "List", "False", "True", "False", "Check whether the 'WinLogon' registry key contains clear-text credentials. Note that entries with an empty password field are filtered out." "CREDS_CRED_FILES", "Invoke-CredentialFilesCheck", "TA0006 - Credential Access", "Credential files", "None", "List", "True", "False", "False", "Get information about the current user's CREDENTIAL files." "CREDS_VAULT_CRED", "Invoke-VaultCredCheck", "TA0006 - Credential Access", "Vault credentials (creds)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text Windows passwords." "CREDS_VAULT_LIST", "Invoke-VaultListCheck", "TA0006 - Credential Access", "Vault credentials (list)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text web passwords." "CREDS_GPP", "Invoke-GPPPasswordCheck", "TA0006 - Credential Access", "GPP passwords", "Medium", "List", "False", "True", "False", "Check whether there are cached Group Policy Preference (GPP) files that contain clear-text passwords." "CREDS_PS_HIST", "Invoke-PowerShellHistoryCheck", "TA0006 - Credential Access", "PowerShell history", "None", "List", "True", "True", "False", "Check whether the current user's PowerShell history contains any clear-text credentials. Note that this check follows a keyword-based approach and thus might not be completely reliable." "CREDS_SCCM_NAA", "Invoke-CcmNaaCredentialsCheck", "TA0006 - Credential Access", "SCCM Network Access Account (NAA)", "Medium", "List", "False", "True", "False", "Check whether SCCM NAA credentials are stored in the WMI repository. If so, the username and password DPAPI blobs are returned, but can only be decrypted using the SYSTEM's DPAPI user key." "HARDEN_UAC", "Invoke-UacCheck", "TA0008 - Lateral Movement", "UAC settings", "Low", "List", "False", "True", "False", "Check whether User Access Control (UAC) is enabled and whether it filters the access token of local administrator accounts when they authenticate remotely." "HARDEN_LSA_PROTECTION", "Invoke-LsaProtectionCheck", "TA0006 - Credential Access", "LSA Protection", "Low", "List", "False", "True", "False", "Check whether LSA protection is enabled. Note that when LSA protection is enabled, 'lsass.exe' runs as a Protected Process Light (PPL) and thus can only be accessed by other protected processes with an equivalent or higher protection level." "HARDEN_CREDENTIAL_GUARD", "Invoke-CredentialGuardCheck", "TA0006 - Credential Access", "Credential Guard", "Low", "List", "False", "True", "False", "Check whether Credential Guard is supported and enabled. Note that when Credential Guard is enabled, credentials are stored in an isolated process ('LsaIso.exe') that cannot be accessed, even if the kernel is compromised." "HARDEN_BIOS_MODE", "Invoke-BiosModeCheck", "TA0003 - Persistence", "UEFI & Secure Boot", "Low", "Table", "False", "True", "False", "Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI." "HARDEN_LAPS", "Invoke-LapsCheck", "TA0008 - Lateral Movement", "LAPS", "Medium", "List", "False", "True", "False", "Check whether LAPS is configured and enabled. Note that this applies to domain-joined machines only." "HARDEN_PS_TRANSCRIPT", "Invoke-PowershellTranscriptionCheck", "TA0005 - Defense Evasion", "PowerShell transcription", "None", "List", "True", "True", "False", "Check whether PowerShell Transcription is configured and enabled." "HARDEN_BITLOCKER", "Invoke-BitLockerCheck", "TA0001 - Initial Access", "BitLocker configuration", "Medium", "List", "False", "True", "False", "Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed." "HARDEN_APPLOCKER_POLICY", "Invoke-AppLockerPolicyCheck", "TA0005 - Defense Evasion", "AppLocker policy", "Low", "List", "True", "False", "False", "Check whether an AppLocker policy is defined and, if so, whether it contains rules that can be exploited, in the context of the curr
event.original:
Creating Scriptblock text (1 of 3): function Invoke-PrivescCheck { [CmdletBinding()] param( [switch] $Extended = $false, [switch] $Experimental = $false, [switch] $Force = $false, [switch] $Silent = $false, [string] $Report, [ValidateSet("TXT","HTML","CSV","XML")] [string[]] $Format ) begin { $AllChecksCsv = @" "Id", "Command", "Category", "DisplayName", "Severity", "Format", "Extended", "RunIfAdmin", "Experimental", "Description" "USER_USER", "Invoke-UserCheck", "TA0043 - Reconnaissance", "User identity", "None", "List", "False", "True", "False", "Get information about the current user (name, domain name) and its access token (SID, integrity level, authentication ID)." "USER_GROUPS", "Invoke-UserGroupsCheck", "TA0043 - Reconnaissance", "User groups", "None", "Table", "False", "True", "False", "Get information about the groups the current user belongs to (name, type, SID)." "USER_RESTRICTED_SIDS", "Invoke-UserRestrictedSidsCheck", "TA0043 - Reconnaissance", "User restricted SIDs", "None", "Table", "True", "True", "False", "Get information about potential restricted SIDs applied to the current user." "USER_PRIVILEGES", "Invoke-UserPrivilegesCheck", "TA0004 - Privilege Escalation", "User privileges", "High", "Table", "False", "False", "False", "Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM." "USER_ENV", "Invoke-UserEnvCheck", "TA0006 - Credential Access", "User environment variables", "None", "Table", "False", "True", "False", "Check whether any environment variables contain sensitive information such as credentials or secrets. Note that this check follows a keyword-based approach and thus might not be completely reliable." "SERVICE_INSTALLED", "Invoke-InstalledServicesCheck", "TA0004 - Privilege Escalation", "Non-default services", "None", "List", "False", "True", "False", "Get information about third-party services. It does so by parsing the target executable's metadata and checking whether the publisher is Microsoft." "SERVICE_THIRD_PARTY", "Invoke-ThirdPartyDriversCheck", "TA0004 - Privilege Escalation", "Third-party Kernel drivers", "None", "List", "True", "True", "False", "Get information about third-party kernel drivers. It does so by parsing the driver's metadata and checking whether the publisher is Microsoft." "SERVICE_VULN_DRIVER", "Invoke-VulnerableDriverCheck", "TA0004 - Privilege Escalation", "Vulnerable Kernel drivers", "High", "List", "False", "True", "False", "Check whether known vulnerable kernel drivers are installed. It does so by computing the file hash of each driver and comparing the value against the list provided by loldrivers.io." "SERVICE_PERMISSIONS", "Invoke-ServicesPermissionsCheck", "TA0004 - Privilege Escalation", "Service permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service through the Service Control Manager (SCM)." "SERVICE_PERMISSIONS_REGISTRY", "Invoke-ServicesPermissionsRegistryCheck", "TA0004 - Privilege Escalation", "Service registry permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the configuration of a service in the registry." "SERVICE_IMAGE_PERMISSIONS", "Invoke-ServicesImagePermissionsCheck", "TA0004 - Privilege Escalation", "Service binary permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service's binary or its folder." "SERVICE_UNQUOTED_PATH_INFO", "Invoke-ServicesUnquotedPathCheck -Info", "TA0004 - Privilege Escalation", "Service unquoted paths (info)", "None", "List", "True", "False", "False", "Check whether there are services configured with an unquoted path that contains spaces." "SERVICE_UNQUOTED_PATH", "Invoke-ServicesUnquotedPathCheck", "TA0004 - Privilege Escalation", "Service unquoted paths", "High", "List", "False", "False", "False", "Check whether there are services configured with an exploitable unquoted path that contains spaces." "SERVICE_SCM_PERMISSIONS", "Invoke-SCMPermissionsCheck", "TA0004 - Privilege Escalation", "Service Control Manager permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the Service Control Manager (SCM)." "APP_INSTALLED", "Invoke-InstalledProgramsCheck", "TA0043 - Reconnaissance", "Non-default applications", "None", "Table", "True", "True", "False", "Get information about non-default and third-party applications by searching the registry and the default install locations." "APP_MODIFIABLE", "Invoke-ModifiableProgramsCheck", "TA0004 - Privilege Escalation", "Application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on non-default or third-party applications." "APP_PROGRAMDATA", "Invoke-ProgramDataCheck", "TA0004 - Privilege Escalation", "Non-default ProgramData folders", "None", "List", "True", "False", "True", "Check whether the current user has any write permissions on a non-default "ProgramData" folder. This check is purely informative and the results require manual analysis." "APP_STARTUP_INFO", "Invoke-ApplicationsOnStartupCheck -Info", "TA0004 - Privilege Escalation", "Startup applications (info)", "None", "List", "True", "True", "False", "Get information about system-wide applications that are run at startup for all users." "APP_STARTUP", "Invoke-ApplicationsOnStartupCheck", "TA0004 - Privilege Escalation", "Startup application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on system-wide applications that are run at startup for all users." "APP_PROCESSES", "Invoke-RunningProcessCheck", "TA0043 - Reconnaissance", "Running processes", "None", "Table", "True", "True", "False", "Get information about the currently running processes that are not owned by the current user. Processes such as 'svchost.exe' are filtered out." "SCHTASKS_IMAGE_PERMISSIONS", "Invoke-ScheduledTasksImagePermissionsCheck", "TA0004 - Privilege Escalation", "Scheduled task binary permissions", "High", "List", "True", "False", "False", "Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks." "SCHTASKS_UNQUOTED_PATH", "Invoke-ScheduledTasksUnquotedPathCheck", "TA0004 - Privilege Escalation", "Scheduled task unquoted paths", "Medium", "List", "True", "False", "True", "Check whether there are scheduled tasks configured with an exploitable unquoted path. Note that low-privileged users cannot list all the scheduled tasks." "CREDS_SENSITIVE_HIVE_FILES", "Invoke-SensitiveHiveFileAccessCheck", "TA0006 - Credential Access", "Hive file permissions", "Medium", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files in the system folder (CVE-2021-36934 - HiveNightmare)." "CREDS_SENSITIVE_HIVE_FILES_VSS", "Invoke-SensitiveHiveShadowCopyCheck", "TA0006 - Credential Access", "Hive file shadow copy permissions", "High", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files stored in volume shadow copies (CVE-2021-36934 - HiveNightmare)." "CREDS_UNATTEND", "Invoke-UnattendFilesCheck", "TA0006 - Credential Access", "Unattend file credentials", "Medium", "List", "False", "True", "False", "Check whether there are any 'unattend' files and whether they contain clear-text credentials." "CREDS_WINLOGON", "Invoke-WinlogonCheck", "TA0006 - Credential Access", "WinLogon credentials", "Medium", "List", "False", "True", "False", "Check whether the 'WinLogon' registry key contains clear-text credentials. Note that entries with an empty password field are filtered out." "CREDS_CRED_FILES", "Invoke-CredentialFilesCheck", "TA0006 - Credential Access", "Credential files", "None", "List", "True", "False", "False", "Get information about the current user's CREDENTIAL files." "CREDS_VAULT_CRED", "Invoke-VaultCredCheck", "TA0006 - Credential Access", "Vault credentials (creds)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text Windows passwords." "CREDS_VAULT_LIST", "Invoke-VaultListCheck", "TA0006 - Credential Access", "Vault credentials (list)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text web passwords." "CREDS_GPP", "Invoke-GPPPasswordCheck", "TA0006 - Credential Access", "GPP passwords", "Medium", "List", "False", "True", "False", "Check whether there are cached Group Policy Preference (GPP) files that contain clear-text passwords." "CREDS_PS_HIST", "Invoke-PowerShellHistoryCheck", "TA0006 - Credential Access", "PowerShell history", "None", "List", "True", "True", "False", "Check whether the current user's PowerShell history contains any clear-text credentials. Note that this check follows a keyword-based approach and thus might not be completely reliable." "CREDS_SCCM_NAA", "Invoke-CcmNaaCredentialsCheck", "TA0006 - Credential Access", "SCCM Network Access Account (NAA)", "Medium", "List", "False", "True", "False", "Check whether SCCM NAA credentials are stored in the WMI repository. If so, the username and password DPAPI blobs are returned, but can only be decrypted using the SYSTEM's DPAPI user key." "HARDEN_UAC", "Invoke-UacCheck", "TA0008 - Lateral Movement", "UAC settings", "Low", "List", "False", "True", "False", "Check whether User Access Control (UAC) is enabled and whether it filters the access token of local administrator accounts when they authenticate remotely." "HARDEN_LSA_PROTECTION", "Invoke-LsaProtectionCheck", "TA0006 - Credential Access", "LSA Protection", "Low", "List", "False", "True", "False", "Check whether LSA protection is enabled. Note that when LSA protection is enabled, 'lsass.exe' runs as a Protected Process Light (PPL) and thus can only be accessed by other protected processes with an equivalent or higher protection level." "HARDEN_CREDENTIAL_GUARD", "Invoke-CredentialGuardCheck", "TA0006 - Credential Access", "Credential Guard", "Low", "List", "False", "True", "False", "Check whether Credential Guard is supported and enabled. Note that when Credential Guard is enabled, credentials are stored in an isolated process ('LsaIso.exe') that cannot be accessed, even if the kernel is compromised." "HARDEN_BIOS_MODE", "Invoke-BiosModeCheck", "TA0003 - Persistence", "UEFI & Secure Boot", "Low", "Table", "False", "True", "False", "Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI." "HARDEN_LAPS", "Invoke-LapsCheck", "TA0008 - Lateral Movement", "LAPS", "Medium", "List", "False", "True", "False", "Check whether LAPS is configured and enabled. Note that this applies to domain-joined machines only." "HARDEN_PS_TRANSCRIPT", "Invoke-PowershellTranscriptionCheck", "TA0005 - Defense Evasion", "PowerShell transcription", "None", "List", "True", "True", "False", "Check whether PowerShell Transcription is configured and enabled." "HARDEN_BITLOCKER", "Invoke-BitLockerCheck", "TA0001 - Initial Access", "BitLocker configuration", "Medium", "List", "False", "True", "False", "Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed." "HARDEN_APPLOCKER_POLICY", "Invoke-AppLockerPolicyCheck", "TA0005 - Defense Evasion", "AppLocker policy", "Low", "List", "True", "False", "False", "Check whether an AppLocker policy is defined and, if so, whether it contains rules that can be exploited, in the context of the curr ScriptBlock ID: 2d27b53a-8cab-4a94-9d96-32263cc3b8dc Path:
type:
wineventlog
@timestamp:
Apr 17, 2024 @ 12:52:46.078
winlog.process.thread.id:
2,996
winlog.process.pid:
2,340
winlog.record_id:
1,690
winlog.channel:
Microsoft-Windows-PowerShell/Operational
winlog.computer_name:
maslov-o-pc.ferrumfox.corp
winlog.opcode:
On create calls
winlog.user.name:
maslov-o
winlog.user.identifier:
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.type:
User
winlog.user.domain:
FERRUMFOX
winlog.event_data.ScriptBlockId:
2d27b53a-8cab-4a94-9d96-32263cc3b8dc
winlog.event_data.MessageTotal:
3
winlog.event_data.MessageNumber:
1
winlog.task:
Execute a Remote Command
winlog.provider_guid:
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.activity_id:
{eafc05f8-8ffa-0001-34d2-fceafa8fda01}
winlog.version:
1
winlog.api:
wineventlog
winlog.event_id:
4,104
winlog.provider_name:
Microsoft-Windows-PowerShell
log.level:
warning
host.id:
47d68211-05ac-417f-b800-36a9b19f714b
host.name:
maslov-o-pc.ferrumfox.corp
host.hostname:
maslov-o-pc
host.architecture:
x86_64
host.ip:
10.181.21.46
host.os.platform:
windows
host.os.name:
Windows 10 Pro
host.os.version:
10.0
host.os.kernel:
10.0.19041.4291 (WinBuild.160101.0800)
host.os.build:
19045.4291
host.os.family:
windows
host.mac:
fa:16:3e:8a:ea:03
@version:
1
event.provider:
Microsoft-Windows-PowerShell
event.action:
Execute a Remote Command
event.kind:
event
event.created:
Apr 17, 2024 @ 12:52:46.676
event.code:
4,104
_id:
kY8d7I4BjcmPCGzW7JFb
_type:
_doc
_index:
cyberpolygon-ferrumfox-win
_score:
-
Expanded document
View surrounding documents
View single document
@timestamp
Apr 17, 2024 @ 12:52:46.078
@version
1
_id
kY8d7I4BjcmPCGzW7JFb
_index
cyberpolygon-ferrumfox-win
_score
-
_type
_doc
event.action
Execute a Remote Command
event.code
4,104
event.created
Apr 17, 2024 @ 12:52:46.676
event.kind
event
event.original
Creating Scriptblock text (1 of 3):
function Invoke-PrivescCheck {
[CmdletBinding()] param(
[switch] $Extended = $false,
[switch] $Experimental = $false,
[switch] $Force = $false,
[switch] $Silent = $false,
[string] $Report,
[ValidateSet("TXT","HTML","CSV","XML")]
[string[]] $Format
)
begin {
$AllChecksCsv = @"
"Id", "Command", "Category", "DisplayName", "Severity", "Format", "Extended", "RunIfAdmin", "Experimental", "Description"
"USER_USER", "Invoke-UserCheck", "TA0043 - Reconnaissance", "User identity", "None", "List", "False", "True", "False", "Get information about the current user (name, domain name) and its access token (SID, integrity level, authentication ID)."
"USER_GROUPS", "Invoke-UserGroupsCheck", "TA0043 - Reconnaissance", "User groups", "None", "Table", "False", "True", "False", "Get information about the groups the current user belongs to (name, type, SID)."
"USER_RESTRICTED_SIDS", "Invoke-UserRestrictedSidsCheck", "TA0043 - Reconnaissance", "User restricted SIDs", "None", "Table", "True", "True", "False", "Get information about potential restricted SIDs applied to the current user."
"USER_PRIVILEGES", "Invoke-UserPrivilegesCheck", "TA0004 - Privilege Escalation", "User privileges", "High", "Table", "False", "False", "False", "Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM."
"USER_ENV", "Invoke-UserEnvCheck", "TA0006 - Credential Access", "User environment variables", "None", "Table", "False", "True", "False", "Check whether any environment variables contain sensitive information such as credentials or secrets. Note that this check follows a keyword-based approach and thus might not be completely reliable."
"SERVICE_INSTALLED", "Invoke-InstalledServicesCheck", "TA0004 - Privilege Escalation", "Non-default services", "None", "List", "False", "True", "False", "Get information about third-party services. It does so by parsing the target executable's metadata and checking whether the publisher is Microsoft."
"SERVICE_THIRD_PARTY", "Invoke-ThirdPartyDriversCheck", "TA0004 - Privilege Escalation", "Third-party Kernel drivers", "None", "List", "True", "True", "False", "Get information about third-party kernel drivers. It does so by parsing the driver's metadata and checking whether the publisher is Microsoft."
"SERVICE_VULN_DRIVER", "Invoke-VulnerableDriverCheck", "TA0004 - Privilege Escalation", "Vulnerable Kernel drivers", "High", "List", "False", "True", "False", "Check whether known vulnerable kernel drivers are installed. It does so by computing the file hash of each driver and comparing the value against the list provided by loldrivers.io."
"SERVICE_PERMISSIONS", "Invoke-ServicesPermissionsCheck", "TA0004 - Privilege Escalation", "Service permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service through the Service Control Manager (SCM)."
"SERVICE_PERMISSIONS_REGISTRY", "Invoke-ServicesPermissionsRegistryCheck", "TA0004 - Privilege Escalation", "Service registry permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the configuration of a service in the registry."
"SERVICE_IMAGE_PERMISSIONS", "Invoke-ServicesImagePermissionsCheck", "TA0004 - Privilege Escalation", "Service binary permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service's binary or its folder."
"SERVICE_UNQUOTED_PATH_INFO", "Invoke-ServicesUnquotedPathCheck -Info", "TA0004 - Privilege Escalation", "Service unquoted paths (info)", "None", "List", "True", "False", "False", "Check whether there are services configured with an unquoted path that contains spaces."
"SERVICE_UNQUOTED_PATH", "Invoke-ServicesUnquotedPathCheck", "TA0004 - Privilege Escalation", "Service unquoted paths", "High", "List", "False", "False", "False", "Check whether there are services configured with an exploitable unquoted path that contains spaces."
"SERVICE_SCM_PERMISSIONS", "Invoke-SCMPermissionsCheck", "TA0004 - Privilege Escalation", "Service Control Manager permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the Service Control Manager (SCM)."
"APP_INSTALLED", "Invoke-InstalledProgramsCheck", "TA0043 - Reconnaissance", "Non-default applications", "None", "Table", "True", "True", "False", "Get information about non-default and third-party applications by searching the registry and the default install locations."
"APP_MODIFIABLE", "Invoke-ModifiableProgramsCheck", "TA0004 - Privilege Escalation", "Application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on non-default or third-party applications."
"APP_PROGRAMDATA", "Invoke-ProgramDataCheck", "TA0004 - Privilege Escalation", "Non-default ProgramData folders", "None", "List", "True", "False", "True", "Check whether the current user has any write permissions on a non-default "ProgramData" folder. This check is purely informative and the results require manual analysis."
"APP_STARTUP_INFO", "Invoke-ApplicationsOnStartupCheck -Info", "TA0004 - Privilege Escalation", "Startup applications (info)", "None", "List", "True", "True", "False", "Get information about system-wide applications that are run at startup for all users."
"APP_STARTUP", "Invoke-ApplicationsOnStartupCheck", "TA0004 - Privilege Escalation", "Startup application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on system-wide applications that are run at startup for all users."
"APP_PROCESSES", "Invoke-RunningProcessCheck", "TA0043 - Reconnaissance", "Running processes", "None", "Table", "True", "True", "False", "Get information about the currently running processes that are not owned by the current user. Processes such as 'svchost.exe' are filtered out."
"SCHTASKS_IMAGE_PERMISSIONS", "Invoke-ScheduledTasksImagePermissionsCheck", "TA0004 - Privilege Escalation", "Scheduled task binary permissions", "High", "List", "True", "False", "False", "Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks."
"SCHTASKS_UNQUOTED_PATH", "Invoke-ScheduledTasksUnquotedPathCheck", "TA0004 - Privilege Escalation", "Scheduled task unquoted paths", "Medium", "List", "True", "False", "True", "Check whether there are scheduled tasks configured with an exploitable unquoted path. Note that low-privileged users cannot list all the scheduled tasks."
"CREDS_SENSITIVE_HIVE_FILES", "Invoke-SensitiveHiveFileAccessCheck", "TA0006 - Credential Access", "Hive file permissions", "Medium", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files in the system folder (CVE-2021-36934 - HiveNightmare)."
"CREDS_SENSITIVE_HIVE_FILES_VSS", "Invoke-SensitiveHiveShadowCopyCheck", "TA0006 - Credential Access", "Hive file shadow copy permissions", "High", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files stored in volume shadow copies (CVE-2021-36934 - HiveNightmare)."
"CREDS_UNATTEND", "Invoke-UnattendFilesCheck", "TA0006 - Credential Access", "Unattend file credentials", "Medium", "List", "False", "True", "False", "Check whether there are any 'unattend' files and whether they contain clear-text credentials."
"CREDS_WINLOGON", "Invoke-WinlogonCheck", "TA0006 - Credential Access", "WinLogon credentials", "Medium", "List", "False", "True", "False", "Check whether the 'WinLogon' registry key contains clear-text credentials. Note that entries with an empty password field are filtered out."
"CREDS_CRED_FILES", "Invoke-CredentialFilesCheck", "TA0006 - Credential Access", "Credential files", "None", "List", "True", "False", "False", "Get information about the current user's CREDENTIAL files."
"CREDS_VAULT_CRED", "Invoke-VaultCredCheck", "TA0006 - Credential Access", "Vault credentials (creds)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text Windows passwords."
"CREDS_VAULT_LIST", "Invoke-VaultListCheck", "TA0006 - Credential Access", "Vault credentials (list)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text web passwords."
"CREDS_GPP", "Invoke-GPPPasswordCheck", "TA0006 - Credential Access", "GPP passwords", "Medium", "List", "False", "True", "False", "Check whether there are cached Group Policy Preference (GPP) files that contain clear-text passwords."
"CREDS_PS_HIST", "Invoke-PowerShellHistoryCheck", "TA0006 - Credential Access", "PowerShell history", "None", "List", "True", "True", "False", "Check whether the current user's PowerShell history contains any clear-text credentials. Note that this check follows a keyword-based approach and thus might not be completely reliable."
"CREDS_SCCM_NAA", "Invoke-CcmNaaCredentialsCheck", "TA0006 - Credential Access", "SCCM Network Access Account (NAA)", "Medium", "List", "False", "True", "False", "Check whether SCCM NAA credentials are stored in the WMI repository. If so, the username and password DPAPI blobs are returned, but can only be decrypted using the SYSTEM's DPAPI user key."
"HARDEN_UAC", "Invoke-UacCheck", "TA0008 - Lateral Movement", "UAC settings", "Low", "List", "False", "True", "False", "Check whether User Access Control (UAC) is enabled and whether it filters the access token of local administrator accounts when they authenticate remotely."
"HARDEN_LSA_PROTECTION", "Invoke-LsaProtectionCheck", "TA0006 - Credential Access", "LSA Protection", "Low", "List", "False", "True", "False", "Check whether LSA protection is enabled. Note that when LSA protection is enabled, 'lsass.exe' runs as a Protected Process Light (PPL) and thus can only be accessed by other protected processes with an equivalent or higher protection level."
"HARDEN_CREDENTIAL_GUARD", "Invoke-CredentialGuardCheck", "TA0006 - Credential Access", "Credential Guard", "Low", "List", "False", "True", "False", "Check whether Credential Guard is supported and enabled. Note that when Credential Guard is enabled, credentials are stored in an isolated process ('LsaIso.exe') that cannot be accessed, even if the kernel is compromised."
"HARDEN_BIOS_MODE", "Invoke-BiosModeCheck", "TA0003 - Persistence", "UEFI & Secure Boot", "Low", "Table", "False", "True", "False", "Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI."
"HARDEN_LAPS", "Invoke-LapsCheck", "TA0008 - Lateral Movement", "LAPS", "Medium", "List", "False", "True", "False", "Check whether LAPS is configured and enabled. Note that this applies to domain-joined machines only."
"HARDEN_PS_TRANSCRIPT", "Invoke-PowershellTranscriptionCheck", "TA0005 - Defense Evasion", "PowerShell transcription", "None", "List", "True", "True", "False", "Check whether PowerShell Transcription is configured and enabled."
"HARDEN_BITLOCKER", "Invoke-BitLockerCheck", "TA0001 - Initial Access", "BitLocker configuration", "Medium", "List", "False", "True", "False", "Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed."
"HARDEN_APPLOCKER_POLICY", "Invoke-AppLockerPolicyCheck", "TA0005 - Defense Evasion", "AppLocker policy", "Low", "List", "True", "False", "False", "Check whether an AppLocker policy is defined and, if so, whether it contains rules that can be exploited, in the context of the curr
ScriptBlock ID: 2d27b53a-8cab-4a94-9d96-32263cc3b8dc
Path:
event.provider
Microsoft-Windows-PowerShell
host.architecture
x86_64
host.hostname
maslov-o-pc
host.id
47d68211-05ac-417f-b800-36a9b19f714b
host.ip
10.181.21.46
host.mac
fa:16:3e:8a:ea:03
host.name
maslov-o-pc.ferrumfox.corp
host.os.build
19045.4291
host.os.family
windows
host.os.kernel
10.0.19041.4291 (WinBuild.160101.0800)
host.os.name
Windows 10 Pro
host.os.platform
windows
host.os.version
10.0
log.level
warning
type
wineventlog
winlog.activity_id
{eafc05f8-8ffa-0001-34d2-fceafa8fda01}
winlog.api
wineventlog
winlog.channel
Microsoft-Windows-PowerShell/Operational
winlog.computer_name
maslov-o-pc.ferrumfox.corp
winlog.event_data.MessageNumber
1
winlog.event_data.MessageTotal
3
winlog.event_data.ScriptBlockId
2d27b53a-8cab-4a94-9d96-32263cc3b8dc
winlog.event_data.ScriptBlockText
function Invoke-PrivescCheck {
[CmdletBinding()] param(
[switch] $Extended = $false,
[switch] $Experimental = $false,
[switch] $Force = $false,
[switch] $Silent = $false,
[string] $Report,
[ValidateSet("TXT","HTML","CSV","XML")]
[string[]] $Format
)
begin {
$AllChecksCsv = @"
"Id", "Command", "Category", "DisplayName", "Severity", "Format", "Extended", "RunIfAdmin", "Experimental", "Description"
"USER_USER", "Invoke-UserCheck", "TA0043 - Reconnaissance", "User identity", "None", "List", "False", "True", "False", "Get information about the current user (name, domain name) and its access token (SID, integrity level, authentication ID)."
"USER_GROUPS", "Invoke-UserGroupsCheck", "TA0043 - Reconnaissance", "User groups", "None", "Table", "False", "True", "False", "Get information about the groups the current user belongs to (name, type, SID)."
"USER_RESTRICTED_SIDS", "Invoke-UserRestrictedSidsCheck", "TA0043 - Reconnaissance", "User restricted SIDs", "None", "Table", "True", "True", "False", "Get information about potential restricted SIDs applied to the current user."
"USER_PRIVILEGES", "Invoke-UserPrivilegesCheck", "TA0004 - Privilege Escalation", "User privileges", "High", "Table", "False", "False", "False", "Check whether the current user has privileges (e.g., SeImpersonatePrivilege) that can be leveraged for privilege escalation to SYSTEM."
"USER_ENV", "Invoke-UserEnvCheck", "TA0006 - Credential Access", "User environment variables", "None", "Table", "False", "True", "False", "Check whether any environment variables contain sensitive information such as credentials or secrets. Note that this check follows a keyword-based approach and thus might not be completely reliable."
"SERVICE_INSTALLED", "Invoke-InstalledServicesCheck", "TA0004 - Privilege Escalation", "Non-default services", "None", "List", "False", "True", "False", "Get information about third-party services. It does so by parsing the target executable's metadata and checking whether the publisher is Microsoft."
"SERVICE_THIRD_PARTY", "Invoke-ThirdPartyDriversCheck", "TA0004 - Privilege Escalation", "Third-party Kernel drivers", "None", "List", "True", "True", "False", "Get information about third-party kernel drivers. It does so by parsing the driver's metadata and checking whether the publisher is Microsoft."
"SERVICE_VULN_DRIVER", "Invoke-VulnerableDriverCheck", "TA0004 - Privilege Escalation", "Vulnerable Kernel drivers", "High", "List", "False", "True", "False", "Check whether known vulnerable kernel drivers are installed. It does so by computing the file hash of each driver and comparing the value against the list provided by loldrivers.io."
"SERVICE_PERMISSIONS", "Invoke-ServicesPermissionsCheck", "TA0004 - Privilege Escalation", "Service permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service through the Service Control Manager (SCM)."
"SERVICE_PERMISSIONS_REGISTRY", "Invoke-ServicesPermissionsRegistryCheck", "TA0004 - Privilege Escalation", "Service registry permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the configuration of a service in the registry."
"SERVICE_IMAGE_PERMISSIONS", "Invoke-ServicesImagePermissionsCheck", "TA0004 - Privilege Escalation", "Service binary permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on a service's binary or its folder."
"SERVICE_UNQUOTED_PATH_INFO", "Invoke-ServicesUnquotedPathCheck -Info", "TA0004 - Privilege Escalation", "Service unquoted paths (info)", "None", "List", "True", "False", "False", "Check whether there are services configured with an unquoted path that contains spaces."
"SERVICE_UNQUOTED_PATH", "Invoke-ServicesUnquotedPathCheck", "TA0004 - Privilege Escalation", "Service unquoted paths", "High", "List", "False", "False", "False", "Check whether there are services configured with an exploitable unquoted path that contains spaces."
"SERVICE_SCM_PERMISSIONS", "Invoke-SCMPermissionsCheck", "TA0004 - Privilege Escalation", "Service Control Manager permissions", "High", "List", "False", "False", "False", "Check whether the current user has any write permissions on the Service Control Manager (SCM)."
"APP_INSTALLED", "Invoke-InstalledProgramsCheck", "TA0043 - Reconnaissance", "Non-default applications", "None", "Table", "True", "True", "False", "Get information about non-default and third-party applications by searching the registry and the default install locations."
"APP_MODIFIABLE", "Invoke-ModifiableProgramsCheck", "TA0004 - Privilege Escalation", "Application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on non-default or third-party applications."
"APP_PROGRAMDATA", "Invoke-ProgramDataCheck", "TA0004 - Privilege Escalation", "Non-default ProgramData folders", "None", "List", "True", "False", "True", "Check whether the current user has any write permissions on a non-default "ProgramData" folder. This check is purely informative and the results require manual analysis."
"APP_STARTUP_INFO", "Invoke-ApplicationsOnStartupCheck -Info", "TA0004 - Privilege Escalation", "Startup applications (info)", "None", "List", "True", "True", "False", "Get information about system-wide applications that are run at startup for all users."
"APP_STARTUP", "Invoke-ApplicationsOnStartupCheck", "TA0004 - Privilege Escalation", "Startup application permissions", "Medium", "List", "True", "False", "False", "Check whether the current user has any write permissions on system-wide applications that are run at startup for all users."
"APP_PROCESSES", "Invoke-RunningProcessCheck", "TA0043 - Reconnaissance", "Running processes", "None", "Table", "True", "True", "False", "Get information about the currently running processes that are not owned by the current user. Processes such as 'svchost.exe' are filtered out."
"SCHTASKS_IMAGE_PERMISSIONS", "Invoke-ScheduledTasksImagePermissionsCheck", "TA0004 - Privilege Escalation", "Scheduled task binary permissions", "High", "List", "True", "False", "False", "Check whether the current user has any write permissions on a scheduled task's binary or its folder. Note that low-privileged users cannot list all the scheduled tasks."
"SCHTASKS_UNQUOTED_PATH", "Invoke-ScheduledTasksUnquotedPathCheck", "TA0004 - Privilege Escalation", "Scheduled task unquoted paths", "Medium", "List", "True", "False", "True", "Check whether there are scheduled tasks configured with an exploitable unquoted path. Note that low-privileged users cannot list all the scheduled tasks."
"CREDS_SENSITIVE_HIVE_FILES", "Invoke-SensitiveHiveFileAccessCheck", "TA0006 - Credential Access", "Hive file permissions", "Medium", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files in the system folder (CVE-2021-36934 - HiveNightmare)."
"CREDS_SENSITIVE_HIVE_FILES_VSS", "Invoke-SensitiveHiveShadowCopyCheck", "TA0006 - Credential Access", "Hive file shadow copy permissions", "High", "List", "False", "False", "False", "Check whether the current user has read permissions on the SAM/SYSTEM/SECURITY files stored in volume shadow copies (CVE-2021-36934 - HiveNightmare)."
"CREDS_UNATTEND", "Invoke-UnattendFilesCheck", "TA0006 - Credential Access", "Unattend file credentials", "Medium", "List", "False", "True", "False", "Check whether there are any 'unattend' files and whether they contain clear-text credentials."
"CREDS_WINLOGON", "Invoke-WinlogonCheck", "TA0006 - Credential Access", "WinLogon credentials", "Medium", "List", "False", "True", "False", "Check whether the 'WinLogon' registry key contains clear-text credentials. Note that entries with an empty password field are filtered out."
"CREDS_CRED_FILES", "Invoke-CredentialFilesCheck", "TA0006 - Credential Access", "Credential files", "None", "List", "True", "False", "False", "Get information about the current user's CREDENTIAL files."
"CREDS_VAULT_CRED", "Invoke-VaultCredCheck", "TA0006 - Credential Access", "Vault credentials (creds)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text Windows passwords."
"CREDS_VAULT_LIST", "Invoke-VaultListCheck", "TA0006 - Credential Access", "Vault credentials (list)", "None", "List", "True", "True", "False", "Check whether the current user's credential vault contains any clear-text web passwords."
"CREDS_GPP", "Invoke-GPPPasswordCheck", "TA0006 - Credential Access", "GPP passwords", "Medium", "List", "False", "True", "False", "Check whether there are cached Group Policy Preference (GPP) files that contain clear-text passwords."
"CREDS_PS_HIST", "Invoke-PowerShellHistoryCheck", "TA0006 - Credential Access", "PowerShell history", "None", "List", "True", "True", "False", "Check whether the current user's PowerShell history contains any clear-text credentials. Note that this check follows a keyword-based approach and thus might not be completely reliable."
"CREDS_SCCM_NAA", "Invoke-CcmNaaCredentialsCheck", "TA0006 - Credential Access", "SCCM Network Access Account (NAA)", "Medium", "List", "False", "True", "False", "Check whether SCCM NAA credentials are stored in the WMI repository. If so, the username and password DPAPI blobs are returned, but can only be decrypted using the SYSTEM's DPAPI user key."
"HARDEN_UAC", "Invoke-UacCheck", "TA0008 - Lateral Movement", "UAC settings", "Low", "List", "False", "True", "False", "Check whether User Access Control (UAC) is enabled and whether it filters the access token of local administrator accounts when they authenticate remotely."
"HARDEN_LSA_PROTECTION", "Invoke-LsaProtectionCheck", "TA0006 - Credential Access", "LSA Protection", "Low", "List", "False", "True", "False", "Check whether LSA protection is enabled. Note that when LSA protection is enabled, 'lsass.exe' runs as a Protected Process Light (PPL) and thus can only be accessed by other protected processes with an equivalent or higher protection level."
"HARDEN_CREDENTIAL_GUARD", "Invoke-CredentialGuardCheck", "TA0006 - Credential Access", "Credential Guard", "Low", "List", "False", "True", "False", "Check whether Credential Guard is supported and enabled. Note that when Credential Guard is enabled, credentials are stored in an isolated process ('LsaIso.exe') that cannot be accessed, even if the kernel is compromised."
"HARDEN_BIOS_MODE", "Invoke-BiosModeCheck", "TA0003 - Persistence", "UEFI & Secure Boot", "Low", "Table", "False", "True", "False", "Check whether UEFI and Secure Boot are supported and enabled. Note that Secure Boot requires UEFI."
"HARDEN_LAPS", "Invoke-LapsCheck", "TA0008 - Lateral Movement", "LAPS", "Medium", "List", "False", "True", "False", "Check whether LAPS is configured and enabled. Note that this applies to domain-joined machines only."
"HARDEN_PS_TRANSCRIPT", "Invoke-PowershellTranscriptionCheck", "TA0005 - Defense Evasion", "PowerShell transcription", "None", "List", "True", "True", "False", "Check whether PowerShell Transcription is configured and enabled."
"HARDEN_BITLOCKER", "Invoke-BitLockerCheck", "TA0001 - Initial Access", "BitLocker configuration", "Medium", "List", "False", "True", "False", "Check whether BitLocker is enabled on the system drive and requires a second factor of authentication (PIN or startup key). Note that this check might yield a false positive if a third-party drive encryption software is installed."
"HARDEN_APPLOCKER_POLICY", "Invoke-AppLockerPolicyCheck", "TA0005 - Defense Evasion", "AppLocker policy", "Low", "List", "True", "False", "False", "Check whether an AppLocker policy is defined and, if so, whether it contains rules that can be exploited, in the context of the curr
winlog.event_id
4,104
winlog.opcode
On create calls
winlog.process.pid
2,340
winlog.process.thread.id
2,996
winlog.provider_guid
{a0c1853b-5c40-4b15-8766-3cf1c58f985a}
winlog.provider_name
Microsoft-Windows-PowerShell
winlog.record_id
1,690
winlog.task
Execute a Remote Command
winlog.user.domain
FERRUMFOX
winlog.user.identifier
S-1-5-21-2213792943-3978625667-3641601853-1107
winlog.user.name
maslov-o
winlog.user.type
User
winlog.version
1