Greater Visibility Through PowerShell Logging

UPDATE Feb. 29: This post has been updated with new configuration recommendations due to the Feb. 24 rerelease of PowerShell 5, and now includes a link to a parsing script that users may find valuable. Introduction Mandiant is continuously investigating attacks that leverage PowerShell throughout...

p0wnedShell - PowerShell Runspace Post Exploitation Toolkit

p0wnedShell is an offensive PowerShell host application written in C that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment .NET. It has a lot of offensive PowerShell modules and binaries included to make the process of Post...

Veeam Backup & Replication add-on for Kaseya compatibility with Veeam Backup & Replication 9.x

The Kaseya plug-in for Veeam Backup & Replication was discontinued in 2019 and is no longer available nor supported by Veeam. Challenge Veeam Backup & Replication add-on for Kaseya needs to support Veeam Backup & Replication 9.x monitoring. Cause The names of Veeam Backup & Replication services...

Windows 2008 GPP exploit-vulnerability warning-the black bar safety net

The test environment Windows 7 ordinary members of the domain Windows 2008 domain controller The first deployment of the GPP, here my deployment strategy is to the domain members are added to a test user, the password is test123 ! Add a local user ! Then came the Group Policy Management ! Will th...

Microsoft Windows PowerShell Script Information Disclosure

An information disclosure exploitation can be executed via a malicious Microsoft Windows PowerShell script. Successful exploitation would allow a remote attacker to copy restricted files with privileged information from the affected system...

Uncovering Active PowerShell Data Stealing Campaigns

Loved by administrators, Windows PowerShell enables users to effectively perform automation and administrative tasks on local and remote systems. However, its power, ease of use, and widespread use has also made it attractive to attackers. Researchers first began demonstrating attacks involving...

USBTracker - Script to track USB devices events and artifacts in a Windows OS

USBTracker is a quick & dirty coded incident response and forensics Python script to dump USB related information and artifacts from a Windows OS vista and later. Special recommandations USBTracker read some protected log files and needs to be run with administrator permissions. The most simple w...

Offensive Powershell Console: PSPunch

PSPunch combines some of the best projects in the infosec powershell community into a self contained executable. It’s designed to evade antivirus and Incident Response teams. 1. It doesn’t rely on powershell.exe. Instead it calls powershell directly through the dotNet framework. 2. The modules th...

Sysaid Helpdesk Software 14.4.32 b25 - SQL 注入

No description provided by source. Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi Date: 28.11.2015 Exploit Author: hland Vendor Homepage: https://www.sysaid.com/ Version: v14.4.32 b25 Tested on: Windows 7, Windows 10 Blog post:...

Sysaid Helpdesk Software 14.4.32 b25 - SQL Injection Vulnerability

Exploit for windows platform in category remote exploits Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi Date: 28.11.2015 Exploit Author: hland Vendor Homepage: https://www.sysaid.com/ Version: v14.4.32 b25 Tested on: Windows 7, Windows 10 Blog post:...

SysAid Help Desk Software 14.4.32 b25 - SQL Injection (Metasploit)

SysAid Help Desk Software 14.4.32 b25 - SQL Injection Metasploit Exploit Title: Sysaid Helpdesk Software Unauthenticated SQLi Date: 28.11.2015 Exploit Author: hland Vendor Homepage: https://www.sysaid.com/ Version: v14.4.32 b25 Tested on: Windows 7, Windows 10 Blog post:...

Powercat - Netcat: The Powershell Version

Installation powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts. Load The Function From Downloaded .ps1 File: . .\powercat.p...

Windows Local Privilege Escalation: PowerUp

PowerUp is a powershell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. The privesc/powerup/allchecks modul...

PowerShell Incident Response: Psrecon

Psrecon is an open source script that you can use to gather data from a remote Windows host using PowerShell v2 or later, organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushe...

Remote execution of a PowerShell script fails when the VeeamBackup SQL database is on a remote SQL Server.

Challenge When using a PowerShell script that is intended to remotely execute a command upon the Veeam server, it may fail if the SQL instance that Veeam Backup & Replication is configured to use is on a different server. This KB article applies only if the following two statements are true. 1. A...

ManageEngine EventLog Analyzer - Remote Code Execution (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' class Metasploit3 'ManageEngine EventLog Analyzer Remote Code Execution', 'Description' = %q This module exploits a SQL query functionality in...

CrackMapExec - A swiss army knife for pentesting Windows/Active Directory environments

CrackMapExec is your one-stop-shop for pentesting Windows/Active Directory environments! From enumerating logged on users and spidering SMB shares to executing psexec style attacks and auto-injecting Mimikatz into memory using Powershell! The biggest improvements over the above tools are: Pure...

Powershell Netcat: PowerCat

powercat is a powershell function. First you need to load the function before you can execute it. You can put one of the below commands into your powershell profile so powercat is automatically loaded when powershell starts. What’s netcat anyway ? netcat often abbreviated to nc is a computer...

Windows Multiple - Registry Only Persistence Exploit

Exploit for windows platform in category local exploits This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'msf/core' require 'msf/core/exploit/powershell' require 'msf/core/post/file' class Metasploit4 'Windows...

Windows Escalate UAC Protection Bypass (ScriptHost Vulnerability) Exploit

Usage Info msf use exploit/windows/local/bypassuacvbs msf exploitbypassuacvbs show targets ...targets... msf exploitbypassuacvbs set TARGET msf exploitbypassuacvbs show options ...show and set options... msf exploitbypassuacvbs exploit This module requires Metasploit: http://metasploit.com/downlo...