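<#
.SYNOPSIS
    Runs Phase 07 of the AS2Go attack simulation: Privilege Escalation.

.DESCRIPTION
    Invoke-Phase07PrivilegeEscalation executes the privilege escalation phase of
    the AS2Go workflow. It initialises the phase context, optionally shows the
    phase visuals, and presents an attack selection menu that can be answered
    interactively or, with -UnAttended, taken automatically from the
    recommendation returned by New-PrivilegeEscalationRecommendation.

    Depending on the selected option the phase dispatches to one of:
      - Pass-the-Hash (PtH)
      - Pass-the-Ticket (PtT)
      - Kerberoasting
      - Misconfigured Certificate Template attack (ESC1)
      - Credential theft through memory access
      - Enabling the memory-access setting (Set-UseLogonCredential)
      - Privilege escalation to SYSTEM (PsExec workflow)

    In unattended mode the recommended technique is executed without any
    confirmation prompt and the selection loop runs exactly once.

.PARAMETER UnAttended
    Runs the phase without interactive confirmation prompts.

.PARAMETER Continue
    Reserved switch for workflow continuation handling. Not read by this
    function body.

.PARAMETER EnableLogging
    Enables extended logging for this phase execution. Note: this function body
    does not read the switch; Write-Log is called unconditionally.

.PARAMETER SkipImages
    Skips visual phase assets (for example, phase HTML images/pages).

.PARAMETER SkipClearHost
    Prevents clearing the console during phase execution.

.PARAMETER AS2GoDemo
    Runs the phase in AS2Go demo mode and skips the colour-schema reset and
    Get-AS2GoSettings call at the start of the phase.

.EXAMPLE
    Invoke-Phase07PrivilegeEscalation
    Runs Phase 07 interactively and lets you choose an escalation technique.

.EXAMPLE
    Invoke-Phase07PrivilegeEscalation -UnAttended -EnableLogging
    Runs Phase 07 without prompts and with logging enabled.

.EXAMPLE
    Invoke-Phase07PrivilegeEscalation -SkipImages -SkipClearHost
    Runs Phase 07 without phase visuals and without clearing the host.

.NOTES
    Alias: P07, ESC
    Part of: AS2Go attack phase orchestration
#>
function Invoke-Phase07PrivilegeEscalation {
    ################################################################################
    ######                                                                    #####
    ######               Attack Phase - Privilege Escalation                  #####
    ######                                                                    #####
    ################################################################################
    # Background reading:
    # https://www.beyondtrust.com/blog/entry/privilege-escalation-attack-defense-explained
    # https://www.microsoft.com/en-us/security/blog/2019/05/09/detecting-credential-theft-through-memory-access-modelling-with-microsoft-defender-atp/
    [Alias("P07", "ESC")]
    Param (
        [switch]$UnAttended,
        [switch]$Continue,
        [Switch]$EnableLogging,
        [switch]$SkipImages,
        [switch]$SkipClearHost,
        [switch]$AS2GoDemo
    )

    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    $StartRunTime = (Get-Date).ToString($Script:DateFormatLog)

    #################### main code | out- host #####################
    If (-not $AS2GoDemo) {
        Set-NewColorSchema -NewStage $Script:InitialStart
        Get-AS2GoSettings
    }
    If (-not $SkipClearHost) { Clear-Host }
    Update-WindowTitle -NewTitle $Script:Phase07
    Set-KeyValue -key "LastStage" -NewValue $Script:Phase07
    If (-not $SkipImages) { Show-Phases -Phase "phase_007.html" }

    Do {
        If (-not $SkipClearHost) { Clear-Host }
        Set-NewColorSchema -NewStage $Script:InitialStart

        # Recomputed on every pass of the loop, presumably so a repeat run sees
        # the host state left by the previous attempt - confirm against the helper.
        $PrivilegeEscalation = New-PrivilegeEscalationRecommendation -computer $env:COMPUTERNAME

        Write-Host "____________________________________________________________________`n"
        Write-Host " Privilege Escalation - Choose your Attack "
        Write-Host "____________________________________________________________________`n"
        Write-Host " H " -ForegroundColor Yellow -NoNewline; Write-Host "- for a Pass-the-Hash Attack"
        Write-Host " T " -ForegroundColor Yellow -NoNewline; Write-Host "- for a Pass-the-Ticket Attack"
        Write-Host " K " -ForegroundColor Yellow -NoNewline; Write-Host "- for a Kerberoasting Attack"
        Write-Host " C " -ForegroundColor Yellow -NoNewline; Write-Host "- for a Misconfigured Certificate Template Attack (ESC1)"
        Write-Host " X " -ForegroundColor Yellow -NoNewline; Write-Host "- for a PsExec Attack, eg. to System account"
        Write-Host " M " -ForegroundColor Yellow -NoNewline; Write-Host "- for a Credential Theft through Memory Access"
        Write-Host " E " -ForegroundColor Yellow -NoNewline; Write-Host "- to enable the Memory Access"
        Write-Host "`n S " -ForegroundColor Yellow -NoNewline; Write-Host "- to skip this step"

        # Unattended runs take the recommendation as-is: the technique is
        # launched with no confirmation prompt.
        If ($UnAttended) {
            $answer = $PrivilegeEscalation
        }
        else {
            $question = "Enter or confirm your attack here! Default "
            $answer = Get-Answer -question $question -defaultValue $PrivilegeEscalation
        }

        # $PtH, $PtT, $KrA and $CfM are not defined in this function; they are
        # expected at script/module scope. If one of them is unset the comparison
        # is against $null and that menu option can never be selected. String
        # comparison with -eq is case-insensitive, so "c" and "C" both match.
        If ($answer -eq $PtH) {
            # Starting Pass-the-Hash (PtH) Attack on VictimPC
            If (-not $SkipImages) { Show-Phases -Phase "phase_007_PtH.html" }
            Start-PtHAttack
        }
        elseif ($answer -eq $PtT) {
            If (-not $SkipImages) { Show-Phases -Phase "phase_007_PtT.html" }
            Start-PtTAttack
        }
        elseif ($answer -eq "C") {
            # No dedicated phase visual exists for the remaining options.
            New-AuthenticationCertificatesAttack
        }
        elseif ($answer -eq $KrA) {
            New-KerberoastingAttack
        }
        elseif ($answer -eq $CfM) {
            New-CredentialTheftThroughMemoryAccess
        }
        elseif ($answer -eq "E") {
            # This is a host configuration change rather than an attack step;
            # verify the helper's effect and whether it is reverted on cleanup.
            Set-UseLogonCredential
        }
        elseif ($answer -eq "X") {
            New-PrivilegesEscalationtoSystem
        }
        else {
            # "S" and any unrecognised input fall through to skipping the step.
            Write-Host "`n`n [x] Privilege Escalation was skipped" -ForegroundColor red
        }

        If (-not $SkipClearHost) { Clear-Host }
        Write-Host "____________________________________________________________________`n"
        Write-Host " ??? REPEAT | Privilege Escalation ??? "
        Write-Host "____________________________________________________________________`n"

        # End "Do ... Until" loop? $no is expected at script/module scope.
        If ($UnAttended) {
            $repeat = $no
        }
        else {
            $question = "Would you like to repeat this attack phase? Please enter Y or N. Default "
            $repeat = Get-Answer -question $question -defaultValue $no
        }
    } Until ($repeat -eq $no)
    ######################## main code ############################

    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"
}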