Deobfuscation with PowerShell Logging

by Vince
in Blog

There are a number of tools for obfuscating PowerShell, and one of the more famous, Invoke-Obfuscation, I've written about a few times.  But with PowerShell logging becoming more common, I wonder why bother to obfuscate at all.  As far as I can tell, it no longer helps with evasion: script block logging records the code as the engine compiles it, so each obfuscation layer is unwrapped and written to the event log in the clear.  Unless those logs are never captured, what's the point?

To see what I'm talking about, we need to enable module logging and script block logging:
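
The following is an added example, not code from the original post: it turns on both logging types through the policy registry keys (the same values the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" Group Policy settings write), runs a constructed Base64-wrapped script block in a fresh process, and then reads the 4104 events back so you can see the wrapper and the unwrapped code logged side by side.  Run it from an elevated session; the sample payload and its output are assumptions for the demo.

```powershell
# Added example (not from the original post). Requires an elevated prompt.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Script block logging: event 4104 in Microsoft-Windows-PowerShell/Operational
# holds the text of every script block as the engine compiles it, i.e. the
# code after each obfuscation layer has been evaluated.
$sbl = Join-Path $base 'ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# Module logging: event 4103 records pipeline execution details per module.
# A ModuleNames value of '*' enables it for every module.
$ml = Join-Path $base 'ModuleLogging'
New-Item -Path (Join-Path $ml 'ModuleNames') -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path (Join-Path $ml 'ModuleNames') -Name '*' -Value '*' -Type String

# Constructed sample: a one-layer "obfuscated" block that Base64-wraps a
# harmless command and evaluates it with IEX.
$inner      = "Write-Host 'hello'"
$encoded    = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($inner))
$obfuscated = "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$encoded')))"

# Run it in a new process so the freshly written policy applies to it.
powershell.exe -NoProfile -Command $obfuscated

# Read back the most recent 4104 events. Properties[2] is ScriptBlockText.
# Expect two separate blocks: the IEX wrapper, and the plain Write-Host line.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -MaxEvents 10 |
    Select-Object TimeCreated,
        @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } } |
    Format-List
```

The point to check for yourself is the second event: the inner `Write-Host 'hello'` shows up as its own script block because IEX hands it to the engine as new code, which is exactly what logging catches no matter how many layers are stacked on top.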

Windows Scheduler Credential Stealer

by Vince
in Blog

In the one-liner below, we are able to pop a credentials box and attempt to steal credentials.  Without the pipe and what follows, the output appears at the command line; with the pipe and what follows, it is written to a file.  And since Public is public, any local user can write into that location.
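
From the defender's side, here is an added example (not the post's one-liner) of a check for exactly the pattern described: a credential prompt whose output is piped or redirected into a file under C:\Users\Public.  The function is run first over a few constructed script block strings, then over the real 4104 events, and finally the scheduled task actions are checked for the same prompt, since that is how such a one-liner gets a prompt in front of a logged-on user.  The function name and the sample strings are assumptions made for the demo.

```powershell
# Added example (not from the original post): detect a credential prompt
# whose result is written somewhere under C:\Users\Public.
function Test-CredentialPromptToPublic {
    param([Parameter(Mandatory)][string]$Text)

    # Either of the two usual ways to pop the credentials box.
    $hasPrompt = $Text -match '(?i)Get-Credential|PromptForCredential'

    # A pipe or redirection operator followed, with no further pipe/redirect in
    # between, by a path under Users\Public.
    $writesPublic = $Text -match '(?i)(\||>>?)[^|>]*Users\\Public'

    return ($hasPrompt -and $writesPublic)
}

# Constructed sample script block texts, as they would appear in a 4104 event.
$samples = @(
    "Get-Credential | Out-File C:\Users\Public\creds.txt",                           # hit
    "`$c = Get-Credential; `$c.GetNetworkCredential().Password > C:\Users\Public\p.txt", # hit
    "Get-Credential",                                                                # prompt only, no hit
    "Get-ChildItem C:\Users\Public | Out-File C:\Temp\listing.txt"                   # Public only, no hit
)
foreach ($s in $samples) {
    '{0,-5} {1}' -f (Test-CredentialPromptToPublic $s), $s
}

# The same check over the live script block log (needs script block logging on).
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'
    Id      = 4104
} -ErrorAction SilentlyContinue |
    Where-Object { Test-CredentialPromptToPublic $_.Properties[2].Value } |
    Select-Object TimeCreated,
        @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }

# Scheduled tasks whose action arguments contain a credential prompt.
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $_.Actions |
        Where-Object { $_.Arguments -match '(?i)Get-Credential|PromptForCredential' } |
        Select-Object @{ Name = 'Task'; Expression = { $task.TaskName } }, Execute, Arguments
}
```

The first two samples return True and the last two False.  The regex deliberately keys on the write target rather than on any particular cmdlet, because Out-File, Set-Content, Export-Csv and a bare `>` all land the same plaintext in the same world-writable folder.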

CrackMapExec : The Basics

by Vince
in Blog

The description states:  "CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions."

This is one of those tools that I've used from time to time when another one of my tools wasn't doing what I wanted it to do.  That happened recently, and I decided to make a big cheat sheet with a list of commands.  The following is a subset, the basics, and if you're not familiar with this tool, it might be worth exploring.