Commands Examples
Scott Sutherland edited this page Apr 25, 2022
All subfolders from this project must be present in the directory you execute PowerHunt from.
| Description | Command |
|---|---|
| Current User | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100` |
| Provided Password | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -DomainController 10.1.1.1 -Username domain\user -Password 'SecretPasswordHere!'` |
| Provided Credential | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -DomainController 10.1.1.1 -Credential domain\user` |
| Description | Command |
|---|---|
| Active Directory (Default) | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -DomainController 10.1.1.1 -Username domain\user -Password 'SecretPasswordHere!'` |
| Single Computer | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -ComputerName Desktop123 -Username domain\user -Password 'SecretPasswordHere!'` |
| Computer List | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -ComputerList c:\temp\computers.txt -Username domain\user -Password 'SecretPasswordHere!'` |
| Description | Command |
|---|---|
| Only run collection modules. | `Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -CollectOnly` |
| Only run analysis modules and target a pre-existing collection directory. | `Invoke-PowerHunt -OutputDirectory "c:\temp" -AnalyzeOnly -OfflinePath c:\temp\Hunt-032120222126` |
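An added example, not code from the PowerHunt project or this wiki page: a PowerShell wrapper that runs the two-phase `-CollectOnly` / `-AnalyzeOnly -OfflinePath` workflow from the tables above, passing a PSCredential built by `Get-Credential` instead of a plaintext `-Password` so the secret never lands in shell history. It assumes that `-Credential` accepts a PSCredential object (the string form in the table prompts for one), that each run is written under `OutputDirectory\Hunt-<timestamp>` as the sample output below shows, and that the names in `$RequiredSubfolders` are placeholders for this project's real subfolders.

```powershell
# Added example (not part of the PowerHunt project). Runs collection and
# analysis as two separate phases, as the third table above describes.
param(
    [string]$OutputDirectory  = 'c:\temp',
    [string]$DomainController = '10.1.1.1',
    [string]$UserName         = 'domain\user',
    [int]$Threads             = 100,
    # ASSUMPTION: placeholder names; substitute the project's actual subfolders.
    [string[]]$RequiredSubfolders = @('<subfolder1>', '<subfolder2>')
)

# The page requires every project subfolder to be present in the directory
# PowerHunt is executed from, so fail early rather than partway through a hunt.
$cwd = (Get-Location).Path
$missing = $RequiredSubfolders | Where-Object {
    -not (Test-Path -Path (Join-Path -Path $cwd -ChildPath $_) -PathType Container)
}
if ($missing) {
    throw "Missing project subfolders in ${cwd}: $($missing -join ', ')"
}

# Prompt for the password interactively; the resulting PSCredential is passed
# to -Credential (assumed to accept the object form) instead of -Password.
$cred = Get-Credential -UserName $UserName -Message 'Credential for PowerHunt collection'

# Phase 1: collection only, against the domain's computers via the DC.
Invoke-PowerHunt -OutputDirectory $OutputDirectory -Threads $Threads `
    -DomainController $DomainController -Credential $cred -CollectOnly

# Locate the Hunt-<timestamp> directory the collection phase just created
# (naming assumed from the sample output on this page); newest wins.
$huntDir = Get-ChildItem -Path $OutputDirectory -Directory -Filter 'Hunt-*' |
    Sort-Object -Property LastWriteTime -Descending |
    Select-Object -First 1
if (-not $huntDir) {
    throw "No Hunt-* collection directory found under $OutputDirectory"
}

# Phase 2: analysis only, replaying the analysis modules over the saved data.
Invoke-PowerHunt -OutputDirectory $OutputDirectory -AnalyzeOnly -OfflinePath $huntDir.FullName
```

Splitting the phases this way lets the collected data be re-analysed later (or on another host) without re-establishing PS Remoting sessions to the targets.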
```
Invoke-PowerHunt -OutputDirectory "c:\temp\new" -Threads 100
===========================================
PowerHunt
===========================================
[+][03/24/2022 20:34] Authentication Mode: Credential
[+][03/24/2022 20:34] Output Directory: c:\temp\new\Hunt-03242022203403
[+][03/24/2022 20:34] Start active testing
-------------------------------------------
ENABLING POWERSHELL REMOTING
-------------------------------------------
[+][03/24/2022 20:34] Confirmed local administrative privileges.
[+][03/24/2022 20:34] Checking if PS Remoting is enabled...
[+][03/24/2022 20:34] PS Remoting appears to be enabled.
[+][03/24/2022 20:34] Local PowerShell Remoting requirements met.
-------------------------------------------
DISCOVERY: DOMAIN COMPUTERS - LDAP QUERY
-------------------------------------------
[+][03/24/2022 20:34] Attempting to access domain controller...
[+][03/24/2022 20:34] Successful connection to domain controller: WIN-72A3HMP6OLO.DEMO.LOCAL
[+][03/24/2022 20:34] Performing LDAP query for computers associated with the DEMO.LOCAL domain
[+][03/24/2022 20:34] - 3 computers found
[+][03/24/2022 20:34] Output directory: c:\temp\new\Hunt-03242022203403
-------------------------------------------
DISCOVERY: PING SCANNING
-------------------------------------------
[+][03/24/2022 20:34] Pinging 3 computers
[+][03/24/2022 20:34] - 3 computers responded to ping requests.
-------------------------------------------
DISCOVERY: PORT SCANNING (5985/5986)
-------------------------------------------
[+][03/24/2022 20:34] Checking if TCP Port 5985 (NonSSL) is open on 3 computers
[+][03/24/2022 20:34] - 3 computers have TCP port 5985 open.
[+][03/24/2022 20:34] Checking if TCP Port 5986 (SSL) is open on 3 computers
[+][03/24/2022 20:34] - 0 computers have TCP port 5986 open.
[+][03/24/2022 20:34] Creating PS Remoting Target List.
[+][03/24/2022 20:34] - 3 computers will be targeted.
-------------------------------------------
COLLECTION: ESTABLISH PS REMOTING SESSIONS
-------------------------------------------
[+][03/24/2022 20:34] - Attempting to establish PS Remoting sessions with 3 computers.
[+][03/24/2022 20:34] - 3 PS Remoting sessions were established.
-------------------------------------------
COLLECTION: RUN ALL MODULES
-------------------------------------------
[+][03/24/2022 20:34] 22 collection modules will be run against 3 sessions.
[+][03/24/2022 20:34] - (1 of 22) collect-connections
[+][03/24/2022 20:34] - (2 of 22) collect-environmental-paths
[+][03/24/2022 20:34] - (3 of 22) collect-environmental-variables
[+][03/24/2022 20:34] - (4 of 22) collect-events-1102
[+][03/24/2022 20:34] - (5 of 22) collect-events-4732
[+][03/24/2022 20:34] - (6 of 22) collect-group-members
[+][03/24/2022 20:34] - (7 of 22) collect-groups
[+][03/24/2022 20:34] - (8 of 22) collect-installed-software-antispyware
[+][03/24/2022 20:34] - (9 of 22) collect-installed-software-antivirus
[+][03/24/2022 20:34] - (10 of 22) collect-installed-software-firewall
[+][03/24/2022 20:34] - (11 of 22) collect-installed-software
[+][03/24/2022 20:34] - (12 of 22) collect-mapped-drives
[+][03/24/2022 20:34] - (13 of 22) collect-named-pipes
[+][03/24/2022 20:34] - (14 of 22) collect-network-interfaces
[+][03/24/2022 20:34] - (15 of 22) collect-processes
[+][03/24/2022 20:35] - (16 of 22) collect-services
[+][03/24/2022 20:35] - (17 of 22) collect-startup-files-allusers
[+][03/24/2022 20:35] - (18 of 22) collect-startup-registry-run
[+][03/24/2022 20:35] - (19 of 22) collect-tasks
[+][03/24/2022 20:35] - (20 of 22) collect-users
[+][03/24/2022 20:35] - (21 of 22) collect-wmi-providers
[+][03/24/2022 20:35] - (22 of 22) collect-wmi-subscriptions
-------------------------------------------
ANALYSIS: RUN ALL MODULES
-------------------------------------------
[+][03/24/2022 20:35] 45 analysis modules will be run against 22 data sources.
[+][03/24/2022 20:35] Data Source (1 of 22): connections
[+][03/24/2022 20:35] 1 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 1) analyze-connections
[+][03/24/2022 20:35] Data Source (2 of 22): environmental-paths
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (3 of 22): environmental-variables
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (4 of 22): events-1102
[+][03/24/2022 20:35] 1 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 1) analyze-events-1102
[+][03/24/2022 20:35] Data Source (5 of 22): events-4732
[+][03/24/2022 20:35] 5 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 5) analyze-events-4732-add-user-by-remotecomputer
[+][03/24/2022 20:35] - (2 of 5) analyze-events-4732-add-user-by-workgroup
[+][03/24/2022 20:35] - (3 of 5) analyze-events-4732-add-user-computeraccount
[+][03/24/2022 20:35] - (4 of 5) analyze-events-4732-add-user
[+][03/24/2022 20:35] - (5 of 5) analyze-events-4732
[+][03/24/2022 20:35] Data Source (6 of 22): group-members
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (7 of 22): groups
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (8 of 22): installed-software-antispyware
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (9 of 22): installed-software-antivirus
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (10 of 22): installed-software-firewall
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (11 of 22): installed-software
[+][03/24/2022 20:35] 3 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 3) analyze-installed-software-mgmt
[+][03/24/2022 20:35] - (2 of 3) analyze-installed-software-offsec
[+][03/24/2022 20:35] - (3 of 3) analyze-installed-software
[+][03/24/2022 20:35] Data Source (12 of 22): mapped-drives
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (13 of 22): named-pipes
[+][03/24/2022 20:35] 2 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 2) analyze-named-pipes-known-bad
[+][03/24/2022 20:35] - (2 of 2) analyze-named-pipes
[+][03/24/2022 20:35] Data Source (14 of 22): network-interfaces
[+][03/24/2022 20:35] 0 analysis modules exist for this data source.
[+][03/24/2022 20:35] Data Source (15 of 22): processes
[+][03/24/2022 20:35] 1 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 1) analyze-processes
[+][03/24/2022 20:35] Data Source (16 of 22): services
[+][03/24/2022 20:35] 8 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 8) analyze-services-badpath
[+][03/24/2022 20:35] - (2 of 8) analyze-services-dotnet
[+][03/24/2022 20:35] - (3 of 8) analyze-services-lolbas
[+][03/24/2022 20:35] - (4 of 8) analyze-services-mgmt-software
[+][03/24/2022 20:35] - (5 of 8) analyze-services-offsec-software
[+][03/24/2022 20:35] - (6 of 8) analyze-services-outlier-file-owner
[+][03/24/2022 20:35] - (7 of 8) analyze-services-unsigned
[+][03/24/2022 20:35] - (8 of 8) analyze-services
[+][03/24/2022 20:35] Data Source (17 of 22): startup-files-allusers
[+][03/24/2022 20:35] 7 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 7) analyze-startup-files-allusers-dotnet
[+][03/24/2022 20:35] - (2 of 7) analyze-startup-files-allusers-lolbas
[+][03/24/2022 20:35] - (3 of 7) analyze-startup-files-allusers-mgmt-software
[+][03/24/2022 20:35] - (4 of 7) analyze-startup-files-allusers-offsec-software
[+][03/24/2022 20:35] - (5 of 7) analyze-startup-files-allusers-outlier-file-owner
[+][03/24/2022 20:35] - (6 of 7) analyze-startup-files-allusers-unsigned
[+][03/24/2022 20:35] - (7 of 7) analyze-startup-files-allusers
[+][03/24/2022 20:35] Data Source (18 of 22): startup-registry-run
[+][03/24/2022 20:35] 8 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 8) analyze-startup-registry-run-badpath
[+][03/24/2022 20:35] - (2 of 8) analyze-startup-registry-run-dotnet
[+][03/24/2022 20:35] - (3 of 8) analyze-startup-registry-run-lolbas
[+][03/24/2022 20:35] - (4 of 8) analyze-startup-registry-run-mgmt-software
[+][03/24/2022 20:35] - (5 of 8) analyze-startup-registry-run-offsec-software
[+][03/24/2022 20:35] - (6 of 8) analyze-startup-registry-run-outlier-file-owner
[+][03/24/2022 20:35] - (7 of 8) analyze-startup-registry-run-unsigned
[+][03/24/2022 20:35] - (8 of 8) analyze-startup-registry-run
[+][03/24/2022 20:35] Data Source (19 of 22): tasks
[+][03/24/2022 20:35] 7 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 7) analyze-tasks-dotnet
[+][03/24/2022 20:35] - (2 of 7) analyze-tasks-lolbas
[+][03/24/2022 20:35] - (3 of 7) analyze-tasks-mgmt-software
[+][03/24/2022 20:35] - (4 of 7) analyze-tasks-offsec-software
[+][03/24/2022 20:35] - (5 of 7) analyze-tasks-outlier-file-owner
[+][03/24/2022 20:35] - (6 of 7) analyze-tasks-unsigned
[+][03/24/2022 20:35] - (7 of 7) analyze-tasks
[+][03/24/2022 20:35] Data Source (20 of 22): users
[+][03/24/2022 20:35] 7 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 7) analyze-startup-files-allusers-dotnet
[+][03/24/2022 20:35] - (2 of 7) analyze-startup-files-allusers-lolbas
[+][03/24/2022 20:35] - (3 of 7) analyze-startup-files-allusers-mgmt-software
[+][03/24/2022 20:35] - (4 of 7) analyze-startup-files-allusers-offsec-software
[+][03/24/2022 20:35] - (5 of 7) analyze-startup-files-allusers-outlier-file-owner
[+][03/24/2022 20:35] - (6 of 7) analyze-startup-files-allusers-unsigned
[+][03/24/2022 20:35] - (7 of 7) analyze-startup-files-allusers
[+][03/24/2022 20:35] Data Source (21 of 22): wmi-providers
[+][03/24/2022 20:35] 1 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 1) analyze-wmi-providers
[+][03/24/2022 20:35] Data Source (22 of 22): wmi-subscriptions
[+][03/24/2022 20:35] 1 analysis modules found, loading data source.
[+][03/24/2022 20:35] - (1 of 1) analyze-wmi-subscriptions
-------------------------------------------
SHUTDOWN
-------------------------------------------
[+][03/24/2022 20:35] - Stopping active testing
[+][03/24/2022 20:35] - Terminating 3 PowerShell Remoting sessions.
[+][03/24/2022 20:35] - All sessions terminated.
[+][03/24/2022 20:35] - Test duration: 00:01:56.1561099
```