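function New-HoneyHash {
<#
.SYNOPSIS

Inject artificial credentials into LSASS. Inspired by Mark Baggett's article:

https://isc.sans.edu/diary/Detecting+Mimikatz+Use+On+Your+Network/19311/

Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

.DESCRIPTION

New-HoneyHash is a simple wrapper for advapi32!CreateProcessWithLogonW
that specifies the LOGON_NETCREDENTIALS_ONLY flag. With that flag the
credentials are not validated when the process is created; they are only
cached for outbound network authentication, which is what makes the fake
account show up when the host's credential material is later dumped.
Any subsequent logon attempt with the fake account is therefore a
high-fidelity detection signal (see the linked article for the
monitoring side).

New-HoneyHash will prompt you for a password when -Password is not
supplied. Enter a fake password at the password prompt. Never use a real
credential here: the value is deliberately planted in LSASS.

The function spawns a hidden cmd.exe under the fake credentials and then
stops it; only the cached logon material is meant to survive. It reaches
CreateProcessWithLogonW through the non-public Microsoft.Win32.NativeMethods
types in System.dll, so it depends on that internal layout being present
(Windows PowerShell / .NET Framework); other .NET versions may not expose
these types.

.PARAMETER Domain

Specifies the fake domain.

.PARAMETER Username

Specifies the fake user name.

.PARAMETER Password

Specifies the fake password.

.EXAMPLE

New-HoneyHash -Domain linux.org -Username root
#>

    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True, Position = 0)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Domain,

        [Parameter(Mandatory = $True, Position = 1)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Username,

        # Position 2 — the original declared Position = 1 here, colliding with -Username.
        [Parameter(Mandatory = $True, Position = 2)]
        [ValidateNotNullOrEmpty()]
        [String]
        $Password
    )

    $PSPassword = $Password | ConvertTo-SecureString -AsPlainText -Force

    # CreateProcessWithLogonW and the structs it takes are internal to System.dll.
    # Locate them through a public type that lives in the same module.
    $SystemModule = [Microsoft.Win32.IntranetZoneCredentialPolicy].Module
    $NativeMethods = $SystemModule.GetType('Microsoft.Win32.NativeMethods')
    $SafeNativeMethods = $SystemModule.GetType('Microsoft.Win32.SafeNativeMethods')
    $CreateProcessWithLogonW = $NativeMethods.GetMethod('CreateProcessWithLogonW', [Reflection.BindingFlags] 'NonPublic, Static')
    $LogonFlags = $NativeMethods.GetNestedType('LogonFlags', [Reflection.BindingFlags] 'NonPublic')
    $StartupInfo = $NativeMethods.GetNestedType('STARTUPINFO', [Reflection.BindingFlags] 'NonPublic')
    $ProcessInformation = $SafeNativeMethods.GetNestedType('PROCESS_INFORMATION', [Reflection.BindingFlags] 'NonPublic')

    $Flags = [Activator]::CreateInstance($LogonFlags)
    $Flags.value__ = 2 # LOGON_NETCREDENTIALS_ONLY
    $StartInfo = [Activator]::CreateInstance($StartupInfo)
    $ProcInfo = [Activator]::CreateInstance($ProcessInformation)

    # The API takes the password as an unmanaged Unicode buffer. It is zeroed and
    # freed in 'finally' so the plaintext does not linger in this process's heap
    # (the original never released it).
    $PasswordPtr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($PSPassword)

    try {
        $StrBuilder = New-Object System.Text.StringBuilder
        $null = $StrBuilder.Append('cmd.exe')

        $Result = $CreateProcessWithLogonW.Invoke($null, @([String] $Username,
                                                           [String] $Domain,
                                                           [IntPtr] $PasswordPtr,
                                                           ($Flags -as $LogonFlags), # LOGON_NETCREDENTIALS_ONLY
                                                           $null,
                                                           [Text.StringBuilder] $StrBuilder,
                                                           0x08000000, # CREATE_NO_WINDOW: don't display a window
                                                           $null,
                                                           $null,
                                                           $StartInfo,
                                                           $ProcInfo))

        if (-not $Result) {
            # Best effort only: the last-error value may have been overwritten by the
            # reflection call itself, so it is reported as diagnostics, not relied upon.
            $LastError = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
            Write-Verbose "CreateProcessWithLogonW returned FALSE (last Win32 error: $LastError)."
            throw 'Unable to create process as user.'
        }
    }
    finally {
        if ($PasswordPtr -ne [IntPtr]::Zero) {
            [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($PasswordPtr)
        }
    }

    if ($ProcInfo.dwProcessId) {
        # Kill the cmd.exe process; the cached logon material is all we wanted.
        # NOTE(review): the hProcess/hThread handles in $ProcInfo are not closed
        # here (unchanged from the original).
        Stop-Process -Id $ProcInfo.dwProcessId
    }

    '"Honey hash" injected into LSASS successfully! Use Mimikatz to confirm.'
}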