Default Invoke-PrivEscAudit to return objects for parsing

Author: hackjammer

Privesc/PowerUp.ps1

@@ -4670,9 +4670,14 @@ Required Dependencies: None
 
 Executes all functions that check for various Windows privilege escalation opportunities.
 
+.PARAMETER Format
+
+String. Format to decide on what is returned from the command, an Object Array, List, or HTML Report.
+
 .PARAMETER HTMLReport
 
-Switch. Write a HTML version of the report to SYSTEM.username.html.
+DEPRECATED - Switch. Write a HTML version of the report to SYSTEM.username.html. 
+Superseded by the Format parameter.
 
 .EXAMPLE
 
@@ -4682,25 +4687,26 @@ Runs all escalation checks and outputs a status report for discovered issues.
 
 .EXAMPLE
 
-Invoke-PrivescAudit -HTMLReport
+Invoke-PrivescAudit -Format HTML
 
 Runs all escalation checks and outputs a status report to SYSTEM.username.html
 detailing any discovered issues.
 
-.OUTPUTS
-
-System.String
 #>
 
     [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
-    [OutputType('System.String')]
     [CmdletBinding()]
     Param(
+        [ValidateSet('Object','List','HTML')]
+        [String]
+        $Format = 'Object',
         [Switch]
         $HTMLReport
     )
 
-    if ($HTMLReport) {
+    if($HTMLReport){ $Format = 'HTML' }
+
+    if ($Format -eq 'HTML') {
         $HtmlReportFile = "$($Env:ComputerName).$($Env:UserName).html"
         $Header = "<style>"
         $Header = $Header + "BODY{background-color:peachpuff;}"
@@ -4711,153 +4717,101 @@ System.String
         ConvertTo-HTML -Head $Header -Body "<H1>PowerUp report for '$($Env:ComputerName).$($Env:UserName)'</H1>" | Out-File $HtmlReportFile
     }
 
-    # initial admin checks
-
-    "`n[*] Running Invoke-AllChecks"
-
-    $IsAdmin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
-
-    if ($IsAdmin){
-        "[+] Current user already has local administrative privileges!"
-
-        if ($HTMLReport) {
-            ConvertTo-HTML -Head $Header -Body "<H2>User Has Local Admin Privileges!</H2>" | Out-File -Append $HtmlReportFile
+    Write-Verbose "Running Invoke-PrivescAudit"
+
+    $Checks = @(
+        # Initial admin checks
+        @{
+            Type    = 'User Has Local Admin Privileges'
+            Command = { if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")){ New-Object PSObject } }
+        },
+        @{
+            Type        = 'User In Local Group with Admin Privileges'
+            Command     = { if ((Get-ProcessTokenGroup | Select-Object -ExpandProperty SID) -contains 'S-1-5-32-544'){ New-Object PSObject } }
+            AbuseScript = { 'Invoke-WScriptUACBypass -Command "..."' }
+        },
+        @{
+            Type       = 'Process Token Privileges'
+            Command    = { Get-ProcessTokenPrivilege -Special | Where-Object {$_} }
+        },
+        # Service checks
+        @{
+            Type    = 'Unquoted Service Paths'
+            Command = { Get-UnquotedService }
+        },
+        @{
+            Type    = 'Modifiable Service Files'
+            Command = { Get-ModifiableServiceFile }
+        },
+        @{
+            Type    = 'Modifiable Services'
+            Command = { Get-ModifiableService }
+        },
+        # DLL hijacking
+        @{
+            Type        = '%PATH% .dll Hijacks'
+            Command     = { Find-PathDLLHijack }
+            AbuseScript = { "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'" }
+        },
+        # Registry checks
+        @{
+            Type        = 'AlwaysInstallElevated Registry Key'
+            Command     = { if (Get-RegistryAlwaysInstallElevated){ New-Object PSObject } }
+            AbuseScript = { 'Write-UserAddMSI' }
+        },
+        @{
+            Type    = 'Registry Autologons'
+            Command = { Get-RegistryAutoLogon }
+        },
+        @{
+            Type    = 'Modifiable Registry Autorun'
+            Command = { Get-ModifiableRegistryAutoRun }
+        },
+        # Other checks
+        @{
+            Type    = 'Modifiable Scheduled Task Files'
+            Command = { Get-ModifiableScheduledTaskFile }
+        },
+        @{
+            Type    = 'Unattended Install Files'
+            Command = { Get-UnattendedInstallFile }
+        },
+        @{
+            Type    = 'Encrypted web.config Strings'
+            Command = { Get-WebConfig | Where-Object {$_} }
+        },
+        @{
+            Type    = 'Encrypted Application Pool Passwords'
+            Command = { Get-ApplicationHost | Where-Object {$_} }
+        },
+        @{
+            Type    = 'McAfee SiteList.xml files'
+            Command = { Get-SiteListPassword | Where-Object {$_} }
+        },
+        @{
+            Type    = 'Cached GPP Files'
+            Command = { Get-CachedGPPPassword | Where-Object {$_} }
         }
-    }
-    else{
-        "`n`n[*] Checking if user is in a local group with administrative privileges..."
-
-        $CurrentUserSids = Get-ProcessTokenGroup | Select-Object -ExpandProperty SID
-        if ($CurrentUserSids -Contains 'S-1-5-32-544') {
-            "[+] User is in a local group that grants administrative privileges!"
-            "[+] Run 'Invoke-WScriptUACBypass -Command `"...`"' to elevate privileges to admin."
-            if ($HTMLReport) {
-                ConvertTo-HTML -Head $Header -Body "<H2> User In Local Group With Administrative Privileges</H2>" | Out-File -Append $HtmlReportFile
+    )
+
+    ForEach($Check in $Checks){
+        Write-Verbose "Checking for $($Check.Type)..."
+        $Results = . $Check.Command
+        $Results | Where-Object {$_} | ForEach-Object {
+            $_ | Add-Member Noteproperty 'Check' $Check.Type
+            if ($Check.AbuseScript){
+                $_ | Add-Member Noteproperty 'AbuseFunction' (. $Check.AbuseScript)
             }
         }
-    }
-
-    "`n`n[*] Checking current process token permissions..."
-    $Results = Get-ProcessTokenPrivilege -Special | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    # Service checks
-
-    "`n`n[*] Checking for unquoted service paths..."
-    $Results = Get-UnquotedService
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unquoted Service Paths</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking service executable and argument permissions..."
-    $Results = Get-ModifiableServiceFile
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Service File Permissions</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking service permissions..."
-    $Results = Get-ModifiableService
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifiable Services</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-
-    # DLL hijacking
-
-    "`n`n[*] Checking %PATH% for potentially hijackable DLL locations..."
-    $Results = Find-PathDLLHijack
-    $Results | Where-Object {$_} | Foreach-Object {
-        $AbuseString = "Write-HijackDll -DllPath '$($_.ModifiablePath)\wlbsctrl.dll'"
-        $_ | Add-Member Noteproperty 'AbuseFunction' $AbuseString
-        $_
-    } | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>%PATH% .dll Hijacks</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-
-    # registry checks
-
-    "`n`n[*] Checking for AlwaysInstallElevated registry key..."
-    if (Get-RegistryAlwaysInstallElevated) {
-        $Out = New-Object PSObject
-        $Out | Add-Member Noteproperty 'AbuseFunction' "Write-UserAddMSI"
-        $Results = $Out
-
-        $Results | Format-List
-        if ($HTMLReport) {
-            $Results | ConvertTo-HTML -Head $Header -Body "<H2>AlwaysInstallElevated</H2>" | Out-File -Append $HtmlReportFile
+        switch($Format){
+            Object { $Results }
+            List   { "`n`n[*] Checking for $($Check.Type)..."; $Results | Format-List }
+            HTML   { $Results | ConvertTo-HTML -Head $Header -Body "<H2>$($Check.Type)</H2>" | Out-File -Append $HtmlReportFile }
         }
     }
 
-    "`n`n[*] Checking for Autologon credentials in registry..."
-    $Results = Get-RegistryAutoLogon
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autologons</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-
-    "`n`n[*] Checking for modifidable registry autoruns and configs..."
-    $Results = Get-ModifiableRegistryAutoRun
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Registry Autoruns</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    # other checks
-
-    "`n`n[*] Checking for modifiable schtask files/configs..."
-    $Results = Get-ModifiableScheduledTaskFile
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Modifidable Schask Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for unattended install files..."
-    $Results = Get-UnattendedInstallFile
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Unattended Install Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for encrypted web.config strings..."
-    $Results = Get-Webconfig | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted 'web.config' String</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for encrypted application pool and virtual directory passwords..."
-    $Results = Get-ApplicationHost | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Encrypted Application Pool Passwords</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for plaintext passwords in McAfee SiteList.xml files..."
-    $Results = Get-SiteListPassword | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>McAfee's SiteList.xml's</H2>" | Out-File -Append $HtmlReportFile
-    }
-
-    "`n`n[*] Checking for cached Group Policy Preferences .xml files..."
-    $Results = Get-CachedGPPPassword | Where-Object {$_}
-    $Results | Format-List
-    if ($HTMLReport) {
-        $Results | ConvertTo-HTML -Head $Header -Body "<H2>Cached GPP Files</H2>" | Out-File -Append $HtmlReportFile
-    }
-    "`n"
-
-    if ($HTMLReport) {
-        "[*] Report written to '$HtmlReportFile' `n"
+    if ($Format -eq 'HTML') {
+        Write-Verbose "[*] Report written to '$HtmlReportFile' `n"
     }
 }
 
@@ -5012,5 +4966,4 @@ $Kernel32 = $Types['kernel32']
 $NTDll    = $Types['ntdll']
 
 Set-Alias Get-CurrentUserTokenGroupSid Get-ProcessTokenGroup
-Set-Alias Get-UnquotedService Get-UnquotedService
 Set-Alias Invoke-AllChecks Invoke-PrivescAudit