Month: July 2018

GhostPack

Anyone who has followed myself or my teammates at SpecterOps for a while knows that we’re fairly big fans of PowerShell. I’ve been involved in offensive PowerShell for about 4 years, @mattifestation was the founder of PowerSploit and various defensive projects, @jaredcatkinson has been writing defensive PowerShell for years, and many of my teammates (@tifkin_, @enigma0x3, rvrsh3ll, @xorrior, @andrewchiles, and others) have written various security-related PowerShell projects over the past several years, totaling thousands of lines of code. By now, the reason for choosing PowerShell should be fairly self-evident; the language is Turing-complete, built into modern Windows operating systems, and…

The PowerView PowerUsage Series #5

This is the fifth post in my “PowerView PowerUsage” series, and follows the same Scenario/Solution/Explanation pattern as the previous entries. The original post contains a constantly updated list of the entire series. The Scenario You discovered on an engagement that most user workstations contain the user’s Active Directory samaccount name, e.g. John Smith’s (jsmith@domain.local) machine is named something like jsmith-workstation.domain.local. You want to find all user->workstation mappings, exported as a CSV. The Solution The Explanation To start off, we enumerate all user samaccountnames in the environment, using the -Properties parameter of Get-DomainUser to again “optimize to the left.” This signals the…