diff --git a/DeepBlue.ps1 b/DeepBlue.ps1
index 656cb26..11c4884 100644
--- a/DeepBlue.ps1
+++ b/DeepBlue.ps1
@@ -136,6 +136,27 @@ function Main {
 #$adminlogons.Set_Item($username,$securitysid)
 #$adminlogons($username)+=($securitysid)
 }
+ # This unique privilege list is used by Mimikatz 2.2.0
+ If ($privileges -Match "SeAssignPrimaryTokenPrivilege" `
+ -And $privileges -Match "SeTcbPrivilege" `
+ -And $privileges -Match "SeSecurityPrivilege" `
+ -And $privileges -Match "SeTakeOwnershipPrivilege" `
+ -And $privileges -Match "SeLoadDriverPrivilege" `
+ -And $privileges -Match "SeBackupPrivilege" `
+ -And $privileges -Match "SeRestorePrivilege" `
+ -And $privileges -Match "SeDebugPrivilege" `
+ -And $privileges -Match "SeAuditPrivilege" `
+ -And $privileges -Match "SeSystemEnvironmentPrivilege" `
+ -And $privileges -Match "SeImpersonatePrivilege" `
+ -And $privileges -Match "SeDelegateSessionUserImpersonatePrivilege") {
+ $obj.Message = "Mimikatz token::elevate Privilege Escalation"
+ $obj.Results = "Username: $username`n"
+ $obj.Results += "Domain: $domain`n"
+ $obj.Results += "User SID: $securityid`n"
+ $pprivileges = $privileges -replace "`n",", " -replace "\s+"," "
+ $obj.Results += "Privileges: $pprivileges"
+ Write-Output($obj)
+ }
 }
 ElseIf ($event.id -eq 4720){
 # A user account was created.
diff --git a/evtx/mimikatz-privilegedebug-tokenelevate-hashdump.evtx b/evtx/mimikatz-privilegedebug-tokenelevate-hashdump.evtx
new file mode 100755
index 0000000..7f6132c
Binary files /dev/null and b/evtx/mimikatz-privilegedebug-tokenelevate-hashdump.evtx differ
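Review bot: The twelve `-Match` tests in the new If block check containment rather than equality, so any 4672 event whose privilege list is a superset of these names also fires; in particular the built-in SYSTEM account's own special-logon events commonly carry this same privilege set, which would make the alert noisy unless the enclosing block (which begins above the hunk, where $username, $domain, $securityid and $privileges are assigned) already excludes that account. This is worth confirming against the evtx sample the commit adds, and if the genuine SYSTEM logon does trip it, gating on the well-known SID, e.g. `-And $securityid -ne "S-1-5-18"`, or documenting why that is not wanted. The comment `# This unique privilege list is used by Mimikatz 2.2.0` should also state that this is a heuristic fingerprint tied to one Mimikatz version and that the privilege set may change between releases. `-Match` is a regex operator; the literals contain no metacharacters so it works, but `-Like "*SeTcbPrivilege*"` or a `-contains` check on the split list would state the intent more plainly.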