This repository was archived by the owner on Jan 21, 2021. It is now read-only.

Conversation

joncave
Contributor

@joncave joncave commented Aug 13, 2016

Add a polling mode to Invoke-UserHunter to allow repeated session enumeration of a set of target hosts. This is useful for building up a more detailed picture of where users are logged in, but without enumerating all hosts. For example:

Invoke-UserHunter -Stealth -StealthSource DC -ShowAll -Poll 3600 -Delay 30 | ? { ! $_.UserName.EndsWith('$') }

will request session information from the domain controllers every 30 seconds for an hour. The results are passed through a filter to drop all of the computer accounts.

This works by spinning up one thread for each target host to run the host enumeration script block. Therefore, I've also modified Invoke-ThreadedFunction so that results are returned as they are generated, rather than just waiting until the thread completes. This is useful for long duration session hunting: you want to know where a target user is situated ASAP, not after several hours of polling the DCs.

Jon Cave added 2 commits August 13, 2016 12:00
Repeatedly poll a set of target computers for user sessions. This could
be a useful technique for building a much better picture of current
sessions, but without having to communicate with every host.

The -Poll parameter is used to specify the duration for which polling
should occur. Each target computer is dedicated with a thread with
-Delay and -Jitter specifying how long to sleep between each session
enumeration attempt of an individual host.

The PowerShell.BeginInvoke<TInput, TOutput>(PSDataCollection<TInput>, PSDataCollection<TOutput>)
method[1] is used to collect output from each job into a buffer. This
can be read whilst the jobs are still
running. Being able to return partial results is particularly useful for
long running background threads, such as Invoke-UserHunter -Poll.

PowerShell 2.0 doesn't play nicely with generic methods. The technique
described in [2] is used to allow this version of BeginInvoke() to be
used.

[1] https://msdn.microsoft.com/en-us/library/dd182440(v=vs.85).aspx
[2] http://www.leeholmes.com/blog/2007/06/19/invoking-generic-methods-on-non-generic-classes-in-powershell/
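As an added illustration of the streaming mechanism the second commit describes (this is example code, not PowerView's own Invoke-ThreadedFunction), the script below runs one job per constructed target name through a runspace pool, resolves the generic two-parameter BeginInvoke overload by reflection as the PowerShell 2.0 workaround in [2] requires, and drains the shared output buffer while the jobs are still running. The target names, the script block and the two-second delay are all constructed stand-ins.

```powershell
# Constructed stand-in for the per-host enumeration block: emits three
# timestamped results with a pause between them so partial output is visible.
$ScriptBlock = {
    param($Name, $Delay)
    foreach ($i in 1..3) {
        "$Name result $i at $(Get-Date -Format HH:mm:ss)"
        Start-Sleep -Seconds $Delay
    }
}

$Targets = 'HOST-A', 'HOST-B', 'HOST-C'   # constructed names, one thread each
$Pool = [RunspaceFactory]::CreateRunspacePool(1, $Targets.Count)
$Pool.Open()

# One shared output buffer; every job appends to it as results are produced.
$Output = New-Object 'System.Management.Automation.PSDataCollection[PSObject]'

# Locate BeginInvoke<TInput,TOutput>(PSDataCollection<TInput>, PSDataCollection<TOutput>)
# (the generic overload with exactly two parameters) and close it over PSObject.
$BeginInvoke = [System.Management.Automation.PowerShell].GetMethods() |
    Where-Object { $_.Name -eq 'BeginInvoke' -and $_.IsGenericMethod -and
                   $_.GetParameters().Count -eq 2 } |
    Select-Object -First 1
$BeginInvoke = $BeginInvoke.MakeGenericMethod([PSObject], [PSObject])

$Jobs = foreach ($Target in $Targets) {
    $PS = [PowerShell]::Create().AddScript($ScriptBlock).AddArgument($Target).AddArgument(2)
    $PS.RunspacePool = $Pool
    $InputBuffer = New-Object 'System.Management.Automation.PSDataCollection[PSObject]'
    $InputBuffer.Complete()   # the job takes no pipeline input
    @{ PowerShell = $PS; Handle = $BeginInvoke.Invoke($PS, @($InputBuffer, $Output)) }
}

# Read partial results while any job is still running, instead of blocking
# on EndInvoke() until every thread has finished.
while ($Jobs | Where-Object { -not $_.Handle.IsCompleted }) {
    if ($Output.Count -gt 0) { $Output.ReadAll() }   # ReadAll() also clears the buffer
    Start-Sleep -Milliseconds 200
}
if ($Output.Count -gt 0) { $Output.ReadAll() }        # drain anything left behind

# Release the jobs; their results were already delivered through $Output.
foreach ($Job in $Jobs) {
    $Job.PowerShell.EndInvoke($Job.Handle) | Out-Null
    $Job.PowerShell.Dispose()
}
$Pool.Close()
```

Results appear roughly two seconds apart rather than all at once after the last job completes, which is the behaviour the commit message describes for long-running polling.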
@joncave
Contributor Author

joncave commented Aug 13, 2016

The modified Invoke-ThreadedFunction may need some testing with other functions with a -Threads parameter. I've only looked at Invoke-UserHunter.

Also note that the previous code appeared to time out a background thread after 60 seconds. This is obviously unwanted if you're running a hunting session for multiple hours. However, it also didn't actually work. EndInvoke() actually waits for the thread to complete before returning results. I may look at timing out background threads in another pull request if this feature is desired.

@HarmJ0y HarmJ0y merged commit 5e2200b into PowerShellMafia:dev Sep 6, 2016
@HarmJ0y
Contributor

HarmJ0y commented Sep 6, 2016

Awesome, great update! Thanks man, landed.
