PenTest/privilege-escalation-awesome-scripts-suite
1
0
Fork 0
mirror of https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite.git synced 2025-12-09 02:21:28 +00:00
Code Issues Projects Releases Wiki Activity
Files
c2a22ad0ac54cc98d9aa69079e6622f1eb41a094
privilege-escalation-awesom…/winPEAS/winPEASexe/winPEAS/Info/EventsInfo/PowerShell/PowerShell.cs
makikvues fb17429f67 - refactoring / cleanup - moved all native external methods to /Native folder/classes 
- added new event checks - Explicit Logon Events, Logon Events, PowerShell Events, Process Creation Events
- added PrintSecurityPackagesCredentials check
- added Windows Defender enumeration
2021-02-03 21:54:20 +01:00

90 lines
3.5 KiB
C#
Raw Blame History

using System.Collections.Generic;
using winPEAS.Helpers;
namespace winPEAS.Info.EventsInfo.PowerShell
{
internal class PowerShell
{
public static IEnumerable<PowerShellEventInfo> GetPowerShellEventInfos()
{
// adapted from @djhohnstein's EventLogParser project
// https://github.com/djhohnstein/EventLogParser/blob/master/EventLogParser/EventLogHelpers.cs
// combined with scraping from https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/windows-commands
var context = 3; // number of lines around the match to display
string[] powerShellLogs = { "Microsoft-Windows-PowerShell/Operational", "Windows PowerShell" };
// Get our "sensitive" cmdline regexes from a common helper function.
var powerShellRegex = Common.GetInterestingProcessArgsRegex();
foreach (var logName in powerShellLogs)
{
var query = "*[System/EventID=4104]";
var logReader = MyUtils.GetEventLogReader(logName, query);
for (var eventDetail = logReader.ReadEvent(); eventDetail != null; eventDetail = logReader.ReadEvent())
{
var scriptBlock = eventDetail.Properties[2].Value.ToString();
foreach (var reg in powerShellRegex)
{
var m = reg.Match(scriptBlock);
if (!m.Success)
{
continue;
}
var contextLines = new List<string>();
var scriptBlockParts = scriptBlock.Split('\n');
for (var i = 0; i < scriptBlockParts.Length; i++)
{
if (!scriptBlockParts[i].Contains(m.Value))
{
continue;
}
var printed = 0;
for (var j = 1; i - j > 0 && printed < context; j++)
{
if (scriptBlockParts[i - j].Trim() == "")
{
continue;
}
contextLines.Add(scriptBlockParts[i - j].Trim());
printed++;
}
printed = 0;
contextLines.Add(m.Value.Trim());
for (var j = 1; printed < context && i + j < scriptBlockParts.Length; j++)
{
if (scriptBlockParts[i + j].Trim() == "")
{
continue;
}
contextLines.Add(scriptBlockParts[i + j].Trim());
printed++;
}
break;
}
var contextJoined = string.Join("\n", contextLines.ToArray());
yield return new PowerShellEventInfo(
eventDetail.TimeCreated,
eventDetail.Id,
$"{eventDetail.UserId}",
m.Value,
contextJoined
);
}
}
}
}
}
}
Reference in New Issue View Git Blame Copy Permalink