Cyberdefense/DeepBlueCLI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Metsploit psexec-specific privilege requests for Event ID 4672 detection, tweak Mimikatz detection message

Browse Source
This commit is contained in:
Joshua Wright
2019-05-03 11:39:43 -04:00
parent e3cb0142c6
commit 7cbb5748e4
1 changed files with 19 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
DeepBlue.ps1
View File

@ -149,7 +149,25 @@ function Main {
-And $privileges -Match "SeSystemEnvironmentPrivilege" `
-And $privileges -Match "SeImpersonatePrivilege" `
-And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
$obj.Message = "Mimikatz token::elevate Privilege Escalation"
$obj.Message = "Mimikatz token::elevate Privilege Use"
$obj.Results = "Username: $username`n"
$obj.Results += "Domain: $domain`n"
$obj.Results += "User SID: $securityid`n"
$pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
$obj.Results += "Privileges: $pprivileges"
Write-Output($obj)
}
# This unique privilege list is used by Metasploit exploit/windows/smb/psexec (v5.0.4 tested)
If ($privileges -Match "SeSecurityPrivilege" `
-And $privileges -Match "SeBackupPrivilege" `
-And $privileges -Match "SeRestorePrivilege" `
-And $privileges -Match "SeTakeOwnershipPrivilege" `
-And $privileges -Match "SeDebugPrivilege" `
-And $privileges -Match "SeSystemEnvironmentPrivilege" `
-And $privileges -Match "SeLoadDriverPrivilege" `
-And $privileges -Match "SeImpersonatePrivilege" `
-And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
$obj.Message = "Metasploit psexec Privilege Use"
$obj.Results = "Username: $username`n"
$obj.Results += "Domain: $domain`n"
$obj.Results += "User SID: $securityid`n"