<#
.SYNOPSIS
    Attack scenario to GO - along the kill-chain (AS2Go)

    Requirements:
    - Certify.exe
    - Mimikatz.exe
    - Rubeus.exe
    - NetSess.exe
    - PsExec.exe
    - OpenSSL.exe
    - AS2Go-encryption.ps1

.DESCRIPTION
    AS2Go is an acronym for Attack Scenario To Go.
    AS2Go is written in PowerShell and goes along the cyber kill-chain (with stops like
    Reconnaissance, Lateral Movement, Sensitive Data Access & Exfiltration, and Domain Dominance).
    My goal is to create expressive and representative Microsoft Defender for Endpoint &
    Microsoft Defender for Identity alerts or, rather, Microsoft 365 Defender & Microsoft Sentinel incidents.

    This function is the orchestrator: it runs the pre-checks, chooses the accounts the demo
    works with, walks through the "Compromised User Account" step itself and then dispatches
    the remaining phases to the Invoke-Phase* functions, each of which can be skipped with
    the matching -Skip* switch. Everything it does is logged via Write-Log so the run can be
    correlated with the alerts it produces.

.NOTES
    last update: 2023-10-16
    File Name : AS2Go.ps1 | Version 3.0.x
    Author    : Holger Zimmermann | me@mrhozi.com | @HerrHozi

    NOTE(review): this file is named Start-AS2GoDemo.ps1 but defines Start-2GoDemo;
    confirm that the name exported by the module manifest matches the function name.

    NOTE(review): the switches -SkipPwSpayWithRubeus, -SkipForgeAuthCertificates,
    -SkipKerberoastingAttack and -SkipDataExfiltration are accepted but never consulted
    in this function (the exfiltration phase is gated by -SkipSensitiveDataAccess only);
    either wire them through to the phase functions or drop them from the help.

.EXAMPLE
    PS> cd C:\temp\AS2GO
    PS> .\AS2Go.ps1

.EXAMPLE
    PS> .\AS2Go.ps1
    Purpose: Run the script with user interactions

.EXAMPLE
    PS> .\AS2Go.ps1 -Continue
    Purpose: Continue the use case, i.e. do not start the use case from the beginning

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipImages
    Purpose: Do not show the images in the browser

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipClearHost
    Purpose: Skip clearing the screen after each major step, e.g. for troubleshooting

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipCompromisedAccount
    Purpose: Skip the selection or confirmation of which account you are using

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipPasswordSpray
    Purpose: Skip the complete Password Spray Attack

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipPwSpayWithRubeus
    Purpose: Skip the Password Spray Attack with Rubeus.exe

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipReconnaissance
    Purpose: Skip the attack phase Reconnaissance

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipSensitiveDataAccess
    Purpose: Skip the attack phase Access Sensitive Data

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipDataExfiltration
    Purpose: Skip the attack phase Data Exfiltration

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipDomainPersistence
    Purpose: Skip the attack phase Domain Persistence

.EXAMPLE
    PS> .\AS2Go.ps1 -SkipPrivilegeEscalation
    Purpose: Skip the attack phase Privilege Escalation

.EXAMPLE
    PS> .\AS2Go.ps1 -EnableLogging
    Purpose: Enable the logging function. By default, the log file is .\AS2Go.ps1.log

.EXAMPLE
    PS> .\AS2Go.ps1 -EnableLogging -Continue -SkipImages -SkipPasswordSpray -SkipReconnaissance -SkipCompromisedAccount
    Purpose: Of course, a combination of multiple switches is also possible.
    This command starts directly at the Privilege Escalation phase.

.EXAMPLE
    PS> .\AS2Go.ps1 -Continue -EnableLogging -SkipImages -SkipPasswordSpray -SkipCompromisedAccount -SkipReconnaissance -SkipSensitiveDataAccess -SkipPopup
    Purpose: Of course, a combination of multiple switches is also possible.
    This command starts directly at the Privilege Escalation phase.

.LINK
    https://herrHoZi.com
    https://github.com/herrhozi
    https://www.crowdstrike.com/cybersecurity-101/kerberoasting/
    https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/from-misconfigured-certificate-template-to-domain-admin
    https://learn.microsoft.com/en-us/defender-for-identity/playbook-reconnaissance
    https://github.com/GhostPack/Certify
    https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/protected-users-security-group
    https://www.thehacker.recipes/ad/movement/kerberos/pass-the-certificate
    https://www.thehacker.recipes/ad/movement/ad-cs/certificate-templates
#>
Function Start-2GoDemo {
    Param (
        [switch]$UnAttended,
        [switch]$Continue,
        [Switch]$EnableLogging,
        [switch]$SkipImages,
        [switch]$SkipClearHost,
        [switch]$SkipPopup,
        [switch]$SkipPasswordSpray,
        [switch]$SkipCompromisedAccount,
        [switch]$SkipPwSpayWithRubeus,
        [switch]$SkipReconnaissance,
        [switch]$SkipPrivilegeEscalation,
        [switch]$SkipSensitiveDataAccess,
        [switch]$SkipDataExfiltration,
        [switch]$SkipDomainPersistence,
        [switch]$SkipForgeAuthCertificates,
        [switch]$SkipKerberoastingAttack,
        [switch]$DeveloperMode,
        [switch]$Simulation
    )

    # NOTE(review): $yes, $no, $exit, $PtT, $PtH and the $fgc* colour variables are used below
    # but not defined in this function; presumably module/script scope - verify.

    #[bool]$showStep = $true # show the steps in an image
    #[bool]$skipstep = $false # show the steps in an image

    # Log banner for this run (module name/version, PowerShell version, victim OS).
    Write-Log -Message "."
    Write-Log -Message "."
    Write-Log -Message "<< -- UniversalTime [UTC]"
    Write-Log -Message " "
    Write-Log -Message "##################################################################"
    Write-Log -Message "# #"
    Write-Log -Message " Starting Module $ASModuleName [Version $($ASModuleManifest.Version)] "
    Write-Log -Message "# #"
    Write-Log -Message "##################################################################"
    Write-Log -Message " "
    Write-Log -Message " >> Using PowerShell version $($PSVersionTable.PSVersion.tostring())"
    Write-Log -Message " "
    Write-Log -Message "Victim PC run on Windows $Script:WinVersion"

    # clean-up AS2Go Folder
    # Move artifacts of earlier runs (files matching ??-*.*) into the clean-up folder.
    # The empty catch makes this best-effort: a failed move is silently ignored.
    New-Item -Path $Script:DefautCleanUpFolder -ItemType Directory -ErrorAction Ignore | Out-Null
    try {
        Get-ChildItem ??-*.* | Move-Item -Destination $Script:DefautCleanUpFolder -Force | Out-Null
        Write-Log -Message " >> Cleaned up AS2Go working folder, moved old files to $($Script:DefautCleanUpFolder)"
    }
    catch { }

    Invoke-Output -T Header -M "Attack Scenario to GO - along the kill-chain (AS2Go)"

    # Pre-check: required PowerShell modules and tool binaries.
    $MoAD = Confirm-PoSHModuleAvailabliy -PSModule "ActiveDirectory"
    $MoGPO = Confirm-PoSHModuleAvailabliy -PSModule "GroupPolicy"

    # check the correct directory and requirements
    $Script:ASTools = Get-KeyValue -key "Tools"
    $FileVersionM = Get-FileVersion -fullname "$($Script:ASTools)\mimikatz.exe"
    $FileVersionP = Get-FileVersion -fullname "$($Script:ASTools)\PsExec.exe"
    $FileVersionR = Get-FileVersion -fullname "$($Script:ASTools)\Rubeus.exe"
    $FileVersionN = Get-FileVersion -fullname "$($Script:ASTools)\NetSess.exe"
    $FileVersionC = Get-FileVersion -fullname "$($Script:ASTools)\Certify.exe"
    #$FileVersionO = Get-FileVersion -fullname "C:\Program Files\OpenSSL-Win64\bin\openssl.exe"

    # NOTE(review): $FileVersionO is never assigned (the OpenSSL check above is commented out),
    # so its "-eq 'failed'" test here is always false and the banner below prints an empty version.
    if ($MoGPO -eq "failed" -or $MoAD -eq "failed" -or $FileVersionM -eq "failed" -or $FileVersionP -eq "failed" -or $FileVersionR -eq "failed" -or $FileVersionN -eq "failed" -or $FileVersionC -eq "failed" -or $FileVersionO -eq "failed") {
        [bool]$PreCheckFailed = $true
    }

    # NOTE(review): $PreCheckFailed is only assigned on failure, so this comparison relies on the
    # unset variable being $null (it would throw under Set-StrictMode). A failed pre-check only
    # prompts and then continues with the demo; consider returning here instead.
    If ($PreCheckFailed -eq $true) {
        Write-host "`n Pre-Check failed! Please install the missing requirements and restart the module" -ForegroundColor $Script:FGCIInfo -NoNewline
        $confirmed = Read-Host
        Write-Log -Message " >> Confirmed the warning with - $confirmed"
    }

    $demo = Get-KeyValue -key "DemoTitle"
    Update-WindowTitle -NewTitle $demo
    # If (-not $SkipClearHost){Clear-Host}
    Set-NewColorSchema -NewStage $PtT
    # NOTE(review): $laststage is read here but not used anywhere in this function.
    $laststage = Get-KeyValue -key "LastStage"

    # Decide whether to start from the beginning ($Begin -eq $yes) or continue a previous run.
    # -Continue flips the default; interactively the operator can still override it.
    If ($UnAttended) {
        if ($Continue) { $Begin = $no } else { $Begin = $yes }
    }
    else {
        if ($Continue) { $StartValue = $no } else { $StartValue = $yes }
        $question = "Starts the attack scenario from the beginning? Default "
        $Begin = Get-Answer -question $question -defaultValue $StartValue
    }

    If ($Begin -eq $yes) {
        # Fresh start: reset the persisted stage, show the tool banner and run the first phase.
        Set-KeyValue -key "LastStage" -NewValue $Script:Phase50
        Set-NewColorSchema -NewStage $Script:InitialStart
        If (-not $SkipClearHost) { Clear-Host }
        Write-Host "____________________________________________________________________`n"
        Write-Host " $ASModuleName Version $($ASModuleManifest.Version) "
        Write-Host " "
        Write-Host " Attack Scenario to Go | along the kill-chain " -ForegroundColor yellow
        Write-Host " "
        Write-Host " created by Holger Zimmermann | last update $ASModuleLastUpdate "
        Write-Host " "
        Write-Host " Used tools & requirements: "
        Write-Host " "
        Write-Host " ● PoSH modules: ActiveDirectory & GroupPolicy "
        Write-Host " "
        Write-Host " ● NetSess.exe $FileVersionN "
        Write-Host " ● Mimikatz.exe $FileVersionM "
        Write-Host " "
        Write-Host " ● Rubeus.exe $FileVersionR "
        Write-Host " ● Certify.exe $FileVersionC "
        Write-Host " ● OpenSSL.exe $FileVersionO "
        Write-Host " "
        Write-Host " ● PsExec.exe $FileVersionP "
        Write-Host "____________________________________________________________________`n"

        $TimeStamp = (Get-Date).toString("yyyy-MM-dd HH:mm:ss")
        $lastVictim = Get-KeyValue -key "LastVictim"
        $lastRun = Get-KeyValue -key "LastStart"
        $lastDuration = Get-KeyValue -key "LastDuration"

        Write-Host "`n Current Date & Time: $TimeStamp"
        Write-Host ""
        Write-Host " Last Run: " -NoNewline
        Write-Host $lastRun -NoNewline -ForegroundColor $Script:FGCHighLight
        Write-Host " | " -NoNewline
        Write-Host $lastDuration -NoNewline -ForegroundColor $Script:FGCHighLight
        Write-Host " | Last Victim: " -NoNewline
        Write-Host "[$lastVictim]" -ForegroundColor $Script:FGCHighLight
        Write-Host "`n"

        #Update AS2Go.json config file
        Set-KeyValue -key "LastStart" -NewValue $TimeStamp

        # Developer mode on a fresh start only exercises the Invoke-Output helper and returns.
        If ($DeveloperMode) {
            Invoke-Output -T Header -M "Auf geht es"
            Invoke-Output CodeSnippet "`$pwd"
            Invoke-Output Error "Fehler 40"
            Invoke-Output Warning "bghkdfgl"
            $answer = Invoke-Output Input "Wie viel Bier"
            Invoke-Output Info $answer
            Invoke-Output Success "Super!"
            Invoke-Output TextMaker "Nicht so viel" "Bier!"
            return
        }

        If ($UnAttended -eq $false) { pause }

        ################################################################################
        ######                                                                    #####
        ######   Setting update                                                   #####
        ######                                                                    #####
        ################################################################################
        If (-not $SkipClearHost) { Clear-Host }
        If ($UnAttended -eq $false) { Get-AS2GoSettings }

        ################################################################################
        ######                                                                    #####
        ######   Attack Phase - Brute Force Account                               #####
        ######                                                                    #####
        ################################################################################
        #region Attack Phase - Brute Force Account
        If ($SkipPasswordSpray ) {
            Write-Log -Message "Skipped Attack Phase - Brute Force Account"
        }
        else {
            Invoke-Phase04BruteForceAttack -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo -Simulation:$Simulation
        }
    }
    else {
        # Continuing a previous run: assume the privileged account is already in hand.
        $Script:PrivledgeAccount = $yes
        Set-NewColorSchema -NewStage $PtH
        #read values from AS2Go.json config file
    }

    #read values from AS2Go.json config file
    Get-AS2GoSettings -ReadOnly
    # NOTE(review): $UseCase is assigned but never read in this function.
    $UseCase = Get-KeyValue -key "usecase"

    If (-not $SkipClearHost) { Clear-Host }
    # NOTE(review): $MyFGC is assigned in both branches but never read afterwards.
    If ($Begin -eq $yes) {
        $MyInfo = " In this demo, I use the following three user accounts "
        $MyFGC = $Script:FGCHighLight
    }
    else {
        $MyInfo = " Still using these three (3) user accounts "
        $MyFGC = "Darkblue"
        If ($DeveloperMode) {
            # Reassigns the switch parameter as a plain bool; the later -SkipImages:$SkipImages
            # splats still work with a bool.
            [bool]$SkipImages = $true
            [bool]$skipstep = $True
            Write-Host ""
            Write-Warning " Running AS2Go in Developer Mode!`n"
            Write-Log -Message "Running AS2Go in Developer Mode"
        }
    }

    Update-WindowTitle -NewTitle "Used Accounts"
    Invoke-Output -T Header -M $MyInfo

    # Derive the three demo accounts (VI-/HD-/DA- prefix + common suffix) from the
    # current user name; the suffix is everything after the 3-character prefix.
    $Global:ASVictim = $env:UserName
    $suffix = $Global:ASVictim.Substring(3)

    If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) {
        $question = " -> Enter or confirm your account suffix! Default "
        $suffix = Get-Answer -question $question -defaultValue $suffix
    }

    if ($Global:ASVictim -match "^VI-|^HD-|^DA-") {
        $Global:ASVictim = "VI-$suffix"
        $Global:ASHelpDeskUser = "HD-$suffix"
        $Global:ASDomainAdmin = "DA-$suffix"
    }
    else {
        # NOTE(review): when the user name has no VI-/HD-/DA- prefix, $Global:ASHelpDeskUser and
        # $Global:ASDomainAdmin stay unset here, but are still printed and used below.
        $Global:ASVictim = $env:UserName
    }

    #If (-not $SkipClearHost){Clear-Host}
    Write-Host ""
    Write-Host " Compromised Account -- " -NoNewline
    Write-Host $Global:ASVictim -ForegroundColor $fgcC -NoNewline
    Write-Host " | Tier 2 Account"
    Write-Host " Helpdesk User -- $Global:ASHelpDeskUser | Tier 1 Account"
    Write-Host " Domain Admin -- $Global:ASDomainAdmin | Tier 0 Account"

    If ($Begin -eq $yes) {
        $infoV = Get-ComputerInformation -computer $Script:ASVictimMaschine
        $infoS = Get-ComputerInformation -computer $Script:ASSAW
        $infoD = Get-ComputerInformation -computer $Script:ASDC
        Write-Host ""
        Write-Host " Victim Maschine -- $infoV | Tier 2 Maschine"
        Write-Host " Admin Maschine -- $infoS | Tier 0 Maschine"
        Write-Host " Domain Controller -- $infoD | Tier 0 Maschine"

        # Put the helpdesk account name on the clipboard for the operator; fall back to clip.exe
        # where Set-Clipboard is unavailable.
        try { Write-Output $Global:ASHelpDeskUser | Set-Clipboard }
        catch { Write-Output $Global:ASHelpDeskUser | clip }

        # Reminder popup for the operator (the return value $Output is not used).
        If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) {
            $wshell = New-Object -ComObject Wscript.Shell
            $Output = $wshell.Popup("Do NOT forget to simulate helpdesk support by ""$Global:ASHelpDeskUser"" on your Victim PC!", 0, "Simulate helpdesk support on Victim PC - hd.cmd", 0 + 64)
        }
    }
    else {
        If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) {
            $wshell = New-Object -ComObject Wscript.Shell
            $Output = $wshell.Popup("Do NOT forget to simulate domain activities by ""$Global:ASDomainAdmin"" on your Admin PC!", 0, "Simulate domain activities on Admin PC", 0 + 64)
        }
    }

    Write-Host ""
    Set-KeyValue -key "LastVictim" -NewValue $Global:ASVictim

    # NOTE(review): with -UnAttended this reaches the Pause branch, which waits for a key press;
    # elsewhere in this function -UnAttended selects Start-Sleep over Pause. Confirm whether Pause
    # is overridden in the module or whether the branches are swapped.
    If (($UnAttended -ne $true) -and ($SkipPopup -ne $true)) { Start-Sleep 2 } else { Pause }

    # only for PosH Script testing hozi MyDebugHelp
    If ($DeveloperMode) {
        # function to test
        #Restart-VictimMachines
        Write-host "START Run directy" -ForegroundColor Red
        #Restart-VictimMachines
        #write-host $mydebug
        #Invoke-Command -ScriptBlock {.\certify.exe find /vulnerable}
        Write-host "END Run directy" -ForegroundColor Red
        Write-Log -Message "Running dedicated function from Developer Mode section"
        pause
    }
    #endregion Attack Phase - Brute Force Account

    ################################################################################
    ######                                                                    #####
    ######   Attack Phase - COMPROMISED User Account                          #####
    ######                                                                    #####
    ################################################################################
    #region Attack Phase - COMPROMISED User Account
    Update-WindowTitle -NewTitle $Script:Phase05
    #Set-KeyValue -key "LastStage" -NewValue $Script:Phase06
    If (-not $SkipImages) { Show-Phases -Phase "phase_000.html" }

    # Interactive loop: classify the compromised account (privileged or not), query its AD
    # attributes and list the cached Kerberos tickets; repeats until the operator is done.
    # -SkipCompromisedAccount leaves the loop immediately (Until is then never evaluated).
    Do {
        If ($SkipCompromisedAccount) { break }
        If (-not $SkipClearHost) { Clear-Host }
        Invoke-Output -T Header -M "Attack Phase - COMPROMISED User Account"

        If ($UnAttended) {
            $answer = $Script:PrivledgeAccount
        }
        else {
            $question = "Was this a PRIVLEDGE(!) Account?`n Enter [Y] to confirm or [N] for a non-sensitive user! Default "
            $answer = Get-Answer -question $question -defaultValue $Script:PrivledgeAccount
        }

        # NOTE(review): $PrivilegeEscalation and $reconnaissance are set in both branches but
        # never read in this function.
        If ($answer -eq $yes) {
            Write-Log -Message "Starting with a PRIVLEDGE(!) COMPROMISED User Account"
            $UserPic = "phase_008.html"
            $Account = "PRIVLEDGE(!) Compromised "
            $Script:PrivledgeAccount = $yes
            $PrivilegeEscalation = $PtT
            $reconnaissance = $yes
            Set-NewColorSchema -NewStage $PtH
            #Color Schema for the next command
            #$fgcS = "Black" # Switch
            #$fgcC = "Darkblue" # Command
            #$fgcF = "Black"
            #$fgcV = "DarkMagenta" # Value
            #$fgcH = "Darkblue"
        }
        else {
            Write-Log -Message "Starting with a non-sensitive COMPROMISED User Account"
            $UserPic = "phase_005.html"
            $Account = "non-sensitive Compromised"
            $Script:PrivledgeAccount = $no
            $PrivilegeEscalation = $PtH
            $reconnaissance = $no
            Set-NewColorSchema -NewStage $Script:InitialStart
        }

        #Pause
        If (-not $SkipImages) { Show-Phases -Phase $UserPic }
        Start-NetSess -server $Script:ASDC

        If (-not $SkipClearHost) { Clear-Host }
        Write-Host "____________________________________________________________________`n"
        Write-Host " Starting with $Account User Account "
        Write-Host "____________________________________________________________________`n"

        # NOTE(review): the first assignment is dead - $currentUser is immediately overwritten
        # with $env:UserName, so the query below always targets the interactive user.
        $currentUser = $Global:ASVictim
        $currentUser = $env:UserName

        Write-Host -NoNewline " Command: "
        Write-Highlight -Text ("Get-ADUser ", "-Identity ", "$currentUser") -Color $fgcC, $fgcS, $fgcV

        # NOTE(review): $UseRUBEUS is not defined in this function; presumably script/global
        # scope - verify, otherwise the unattended path always answers $no here.
        If ($UnAttended) {
            If ($UseRUBEUS) { $answer = $yes }else { $answer = $no }
        }
        else {
            $question = "Would you like to run this step - Y or N? Default "
            $answer = Get-Answer -question $question -defaultValue $Yes
        }

        If ($answer -eq $yes) {
            Write-Host "`n`n"
            # Clear the automatic $Error collection so the catch below reports only this query.
            $error.Clear()
            Try {
                $attributes = @("AccountExpirationDate", "CannotChangePassword", "CanonicalName", "cn", "Created", "Department", "Description", "DisplayName", "EmployeeNumber", "Enabled", "Country", "l", "Manager", "MemberOf", "MobilePhone", "userAccountControl", "UserPrincipalName", "LastBadPasswordAttempt", "title")
                # NOTE(review): -ErrorAction Stop applies to Out-String, not get-aduser; a
                # non-terminating Get-ADUser error would not reach the catch - confirm.
                get-aduser -Identity $currentUser -Properties $attributes | Format-List | Out-String -ErrorAction Stop
            }
            catch {
                # Typical cause in this demo: the account is in the 'Protected Users' group,
                # which restricts how it may authenticate.
                $message = $_
                Write-Host " "$message.CategoryInfo.Reason:" " -NoNewline $message.Exception
                Write-Host ""
                Write-host " Account restrictions are preventing this user from signing in." -ForegroundColor $fgcH
                Write-HosT " Probably helpdesk user '$Global:ASHelpDeskUser' is member of the 'Protected Users' Group!`n`n" -ForegroundColor $fgcH
                pause
                #Stop-AS2GoDemo
            }
            Write-Host ""
            Pause
            If (-not $SkipClearHost) { Clear-Host }
            Write-Host "____________________________________________________________________`n"
            Write-Host " Displays a list of currently cached Kerberos tickets "
            Write-Host "____________________________________________________________________`n"
            Write-Host ""
            Write-Host -NoNewline " Command: "
            Write-Highlight -Text ('klist') -Color $fgcC
            Write-Host ""
            If ($UnAttended) { Start-Sleep 1 } else { Pause }
            Write-Host ""
            klist
            If ($UnAttended) { Start-Sleep 1 } else { Pause }
            If (-not $SkipClearHost) { Clear-Host }
        }
        elseIf ($answer -eq $exit) {
            Stop-AS2GoDemo
        }
        else {
        }

        # If ($skipstep) {break}
        Invoke-Output -T Header -M "??? REPEAT | Attack Phase - COMPROMISED User Account ???"
        If ($UnAttended) {
            $repeat = $no
        }
        else {
            $question = "Do you need to update more settings - Y or N? Default "
            $repeat = Get-Answer -question $question -defaultValue $no
        }
    } Until ($repeat -eq $no)
    #endregion Attack Phase - COMPROMISED User Account

    # The remaining phases are delegated to the Invoke-Phase* functions; each is guarded by
    # its -Skip* switch and the skip is logged so gaps in the generated alerts are explainable.

    ################################################################################
    ######                                                                    #####
    ######   Attack Phase - RECONNAISSANCE                                    #####
    ######                                                                    #####
    ################################################################################
    #region Attack Phase - RECONNAISSANCE
    If ($SkipReconnaissance) {
        Write-Log -Message "Skipped Attack Phase - RECONNAISSANCE"
    }
    else {
        Invoke-Phase06Reconnaissance -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo
    }
    #endregion Attack Phase RECONNAISSANCE

    ################################################################################
    ######                                                                    #####
    ######   Attack Phase - Privilege Escalation                              #####
    ######                                                                    #####
    ################################################################################
    #https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained
    #https://www.microsoft.com/en-us/security/blog/2019/05/09/detecting-credential-theft-through-memory-access-modelling-with-microsoft-defender-atp/
    #region Attack Phase - Privilege Escalation
    If ($SkipPrivilegeEscalation) {
        Write-Log -Message "Skipped Attack Phase - Privilege Escalation"
    }
    else {
        Invoke-Phase07PrivilegeEscalation -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo
    }
    #endregion Attack Phase - Privilege Escalation

    ################################################################################
    ######                                                                    #####
    ######   Attack Phase - RECONNAISSANCE                                    #####
    ######                                                                    #####
    ################################################################################
    #region Attack Phase - RECONNAISSANCE
    # Second reconnaissance pass (privileged); shares the -SkipReconnaissance switch with the first.
    If ($SkipReconnaissance) {
        Write-Log -Message "Skipped Attack Phase - RECONNAISSANCE Priviledged"
    }
    else {
        Invoke-Phase09ReconnaissancePriviledged -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo
    }
    #endregion Attack Phase RECONNAISSANCE

    ################################################################################
    ######                                                                    #####
    ######   Attack Phase - ACCESS SENSITIVE DATA                             #####
    ######                                                                    #####
    ################################################################################
    #region Attack Phase - ACCESS SENSITIVE DATA
    # NOTE(review): the exfiltration phase runs under this switch as well; -SkipDataExfiltration
    # is never checked.
    If ($SkipSensitiveDataAccess) {
        Write-Log -Message "Skipped Attack Phase - ACCESS SENSITIVE DATA "
    }
    else {
        Invoke-Phase10AccessSensitiveData -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo
        Invoke-Phase11ExfiltrateSensitiveData -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo
    }
    #endregion Attack Phase - ACCESS SENSITIVE DATA

    ################################################################################
    ######                                                                    #####
    ######   Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE                #####
    ######                                                                    #####
    ################################################################################
    #region Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE
    If ($SkipDomainPersistence) {
        Write-Log -Message "Skipped Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE"
    }
    else {
        Invoke-Phase12DomainCompromisePersistence -EnableLogging:$EnableLogging -SkipImages:$SkipImages -SkipClearHost:$SkipClearHost -UnAttended:$UnAttended -AS2GODemo
    }
    #endregion Attack Phase - DOMAIN COMPROMISED AND PERSISTENCE

    ################################################################################
    ######                                                                    #####
    ######   CLEAN UP                                                         #####
    ######                                                                    #####
    ################################################################################
    Stop-AS2GoDemo

    <# Ideas (not implemented)
    enter-pssession -ComputerName Ch01-DSP-MGMT
    try {
        #https://www.hackingarticles.in/credential-dumping-wdigest/
        $UseLogonCredential = Get-ItemPropertyValue -Name UseLogonCredential -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
        Write-Host $UseLogonCredential
    }
    catch {
        Write-Host Get-ItemPropertyValue : Property UseLogonCredential does not exist at path -ForegroundColor yellow
    }
    try {
        $UseLogonCredential = Get-ItemPropertyValue -Name UseLogonCredential -Path HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    }
    catch {
        Write-Host Get-ItemPropertyValue : Property UseLogonCredential does not exist at path -ForegroundColor yellow
    }
    Get-ChildItem ??-*.* | Move-Item -Destination .\Clean-up -Force
    #>
}