PowerShellMafia
diff --git a/‎.gitattributes‎
Lines changed: 63 additions & 0 deletions b/‎.gitattributes‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 2 additions & 0 deletions b/‎.gitignore‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎Exfiltration/Get-VaultCredential.ps1‎
Lines changed: 0 additions & 401 deletions b/‎Exfiltration/Get-VaultCredential.ps1‎
Lines changed: 0 additions & 401 deletions
diff --git a/‎Exfiltration/VolumeShadowCopyTools.ps1‎
Lines changed: 0 additions & 292 deletions b/‎Exfiltration/VolumeShadowCopyTools.ps1‎
Lines changed: 0 additions & 292 deletions
@@ -0,0 +1,63 @@
+###############################################################################
+# Set default behavior to automatically normalize line endings.
+###############################################################################
+* text=auto
+
+###############################################################################
+# Set default behavior for command prompt diff.
+#
+# This is need for earlier builds of msysgit that does not have it on by
+# default for csharp files.
+# Note: This is only used by command line
+###############################################################################
+#*.cs     diff=csharp
+
+###############################################################################
+# Set the merge driver for project and solution files
+#
+# Merging from the command prompt will add diff markers to the files if there
+# are conflicts (Merging from VS is not affected by the settings below, in VS
+# the diff markers are never inserted). Diff markers may cause the following 
+# file extensions to fail to load in VS. An alternative would be to treat
+# these files as binary and thus will always conflict and require user
+# intervention with every merge. To do so, just uncomment the entries below
+###############################################################################
+#*.sln       merge=binary
+#*.csproj    merge=binary
+#*.vbproj    merge=binary
+#*.vcxproj   merge=binary
+#*.vcproj    merge=binary
+#*.dbproj    merge=binary
+#*.fsproj    merge=binary
+#*.lsproj    merge=binary
+#*.wixproj   merge=binary
+#*.modelproj merge=binary
+#*.sqlproj   merge=binary
+#*.wwaproj   merge=binary
+
+###############################################################################
+# behavior for image files
+#
+# image files are treated as binary by default.
+###############################################################################
+#*.jpg   binary
+#*.png   binary
+#*.gif   binary
+
+###############################################################################
+# diff behavior for common document formats
+# 
+# Convert binary document formats to text before diffing them. This feature
+# is only available from the command line. Turn it on by uncommenting the 
+# entries below.
+###############################################################################
+#*.doc   diff=astextplain
+#*.DOC   diff=astextplain
+#*.docx  diff=astextplain
+#*.DOCX  diff=astextplain
+#*.dot   diff=astextplain
+#*.DOT   diff=astextplain
+#*.pdf   diff=astextplain
+#*.PDF   diff=astextplain
+#*.rtf   diff=astextplain
+#*.RTF   diff=astextplain
@@ -212,3 +212,5 @@ pip-log.txt
 
 #Mr Developer
 .mr.developer.cfg
+*.pssproj
+*.sln
@@ -1,292 +0,0 @@
-function Get-VolumeShadowCopy
-{
-<#
-.SYNOPSIS
-
-    Lists the device paths of all local volume shadow copies.
-
-    PowerSploit Function: Get-VolumeShadowCopy
-    Author: Matthew Graeber (@mattifestation)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
-    Version: 2.0.0
-#>
-
-    $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
-
-    if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
-    {
-        Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
-    }
-
-    Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | ForEach-Object { $_.DeviceObject }
-}
-
-function New-VolumeShadowCopy
-{
-<#
-.SYNOPSIS
-
-    Creates a new volume shadow copy.
-
-    PowerSploit Function: New-VolumeShadowCopy
-    Author: Jared Atkinson (@jaredcatkinson)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
-    Version: 2.0.0
-
-.DESCRIPTION
-
-    New-VolumeShadowCopy creates a volume shadow copy for the specified volume.
-
-.PARAMETER Volume
-
-    Volume used for the shadow copy. This volume is sometimes referred to as the original volume. 
-    The Volume parameter can be specified as a volume drive letter, mount point, or volume globally unique identifier (GUID) name.
-
-.PARAMETER Context
-
-    Context that the provider uses when creating the shadow. The default is "ClientAccessible".
-
-.EXAMPLE
-
-    New-VolumeShadowCopy -Volume C:\
-
-    Description
-    -----------
-    Creates a new VolumeShadowCopy of the C drive
-#>
-    Param(
-        [Parameter(Mandatory = $True)]
-        [ValidatePattern('^\w:\\')]
-        [String]
-        $Volume,
-
-        [Parameter(Mandatory = $False)]
-        [ValidateSet("ClientAccessible")]
-        [String]
-        $Context = "ClientAccessible"
-    )
-
-    $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
-
-    if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
-    {
-        Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
-    }
-
-    # Save VSS Service initial state
-    $running = (Get-Service -Name VSS).Status
-
-    $class = [WMICLASS]"root\cimv2:win32_shadowcopy"
-
-    $return = $class.create("$Volume", "$Context")
-
-    switch($return.returnvalue)
-    {
-        1 {Write-Error "Access denied."; break}
-        2 {Write-Error "Invalid argument."; break}
-        3 {Write-Error "Specified volume not found."; break}
-        4 {Write-Error "Specified volume not supported."; break}
-        5 {Write-Error "Unsupported shadow copy context."; break}
-        6 {Write-Error "Insufficient storage."; break}
-        7 {Write-Error "Volume is in use."; break}
-        8 {Write-Error "Maximum number of shadow copies reached."; break}
-        9 {Write-Error "Another shadow copy operation is already in progress."; break}
-        10 {Write-Error "Shadow copy provider vetoed the operation."; break}
-        11 {Write-Error "Shadow copy provider not registered."; break}
-        12 {Write-Error "Shadow copy provider failure."; break}
-        13 {Write-Error "Unknown error."; break}
-        default {break}
-    }
-
-    # If VSS Service was Stopped at the start, return VSS to "Stopped" state
-    if($running -eq "Stopped")
-    {
-        Stop-Service -Name VSS
-    }
-}
-
-function Remove-VolumeShadowCopy
-{
-<#
-.SYNOPSIS
-
-    Deletes a volume shadow copy.
-
-    PowerSploit Function: Remove-VolumeShadowCopy
-    Author: Jared Atkinson (@jaredcatkinson)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
-    Version: 2.0.0
-
-.DESCRIPTION
-
-    Remove-VolumeShadowCopy deletes a volume shadow copy from the system.
-
-.PARAMETER InputObject
-
-    Specifies the Win32_ShadowCopy object to remove
-
-.PARAMETER DevicePath
-
-    Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
-
-.EXAMPLE
-
-    Get-VolumeShadowCopy | Remove-VolumeShadowCopy
-
-    Description
-    -----------
-    Removes all volume shadow copy
-
-.EXAMPLE
-
-    Remove-VolumeShadowCopy -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
-
-    Description
-    -----------
-    Removes the volume shadow copy at the 'DeviceObject' path \\?\GLOBALROOT\DeviceHarddiskVolumeShadowCopy4
-#>
-    [CmdletBinding(SupportsShouldProcess = $True)]
-    Param(
-        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
-        [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
-        [String]
-        $DevicePath
-    )
-
-    PROCESS
-    {
-        if($PSCmdlet.ShouldProcess("The VolumeShadowCopy at DevicePath $DevicePath will be removed"))
-        {
-            (Get-WmiObject -Namespace root\cimv2 -Class Win32_ShadowCopy | Where-Object {$_.DeviceObject -eq $DevicePath}).Delete()
-        }
-    }
-}
-
-function Mount-VolumeShadowCopy
-{
-<#
-.SYNOPSIS
-
-    Mounts a volume shadow copy.
-
-    PowerSploit Function: Mount-VolumeShadowCopy
-    Author: Matthew Graeber (@mattifestation)
-    License: BSD 3-Clause
-    Required Dependencies: None
-    Optional Dependencies: None
-    Version: 2.0.0
-
-.DESCRIPTION
-
-    Mount-VolumeShadowCopy mounts a volume shadow copy volume by creating a symbolic link.
-
-.PARAMETER Path
-
-    Specifies the path to which the symbolic link for the mounted volume shadow copy will be saved.
-
-.PARAMETER DevicePath
-
-    Specifies the volume shadow copy 'DeviceObject' path. This path can be retrieved with the Get-VolumeShadowCopy PowerSploit function or with the Win32_ShadowCopy object.
-
-.EXAMPLE
-
-    Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path C:\VSS
-
-    Description
-    -----------
-    Create a mount point in 'C:\VSS' for each volume shadow copy volume
-
-.EXAMPLE
-
-    Mount-VolumeShadowCopy -Path C:\VSS -DevicePath '\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4'
-
-.EXAMPLE
-
-    Get-WmiObject Win32_ShadowCopy | % { $_.DeviceObject -Path C:\VSS -DevicePath $_ }
-#>
-
-    Param (
-        [Parameter(Mandatory = $True)]
-        [ValidateNotNullOrEmpty()]
-        [String]
-        $Path,
-
-        [Parameter(Mandatory = $True, ValueFromPipeline = $True)]
-        [ValidatePattern('^\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy[0-9]{1,3}$')]
-        [String[]]
-        $DevicePath
-    )
-
-    BEGIN
-    {
-        $UserIdentity = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent())
-
-        if (-not $UserIdentity.IsInRole([Security.Principal.WindowsBuiltInRole]'Administrator'))
-        {
-            Throw 'You must run Get-VolumeShadowCopy from an elevated command prompt.'
-        }
-
-        # Validate that the path exists before proceeding
-        Get-ChildItem $Path -ErrorAction Stop | Out-Null
-
-        $DynAssembly = New-Object System.Reflection.AssemblyName('VSSUtil')
-        $AssemblyBuilder = [AppDomain]::CurrentDomain.DefineDynamicAssembly($DynAssembly, [Reflection.Emit.AssemblyBuilderAccess]::Run)
-        $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('VSSUtil', $False)
-
-        # Define [VSS.Kernel32]::CreateSymbolicLink method using reflection
-        # (i.e. none of the forensic artifacts left with using Add-Type)
-        $TypeBuilder = $ModuleBuilder.DefineType('VSS.Kernel32', 'Public, Class')
-        $PInvokeMethod = $TypeBuilder.DefinePInvokeMethod('CreateSymbolicLink',
-                                                            'kernel32.dll',
-                                                            ([Reflection.MethodAttributes]::Public -bor [Reflection.MethodAttributes]::Static),
-                                                            [Reflection.CallingConventions]::Standard,
-                                                            [Bool],
-                                                            [Type[]]@([String], [String], [UInt32]),
-                                                            [Runtime.InteropServices.CallingConvention]::Winapi,
-                                                            [Runtime.InteropServices.CharSet]::Auto)
-        $DllImportConstructor = [Runtime.InteropServices.DllImportAttribute].GetConstructor(@([String]))
-        $SetLastError = [Runtime.InteropServices.DllImportAttribute].GetField('SetLastError')
-        $SetLastErrorCustomAttribute = New-Object Reflection.Emit.CustomAttributeBuilder($DllImportConstructor,
-                                                                                         @('kernel32.dll'),
-                                                                                         [Reflection.FieldInfo[]]@($SetLastError),
-                                                                                         @($true))
-        $PInvokeMethod.SetCustomAttribute($SetLastErrorCustomAttribute)
-
-        $Kernel32Type = $TypeBuilder.CreateType()
-    }
-
-    PROCESS
-    {
-        foreach ($Volume in $DevicePath)
-        {
-            $Volume -match '^\\\\\?\\GLOBALROOT\\Device\\(?<LinkName>HarddiskVolumeShadowCopy[0-9]{1,3})$' | Out-Null
-            
-            $LinkPath = Join-Path $Path $Matches.LinkName
-
-            if (Test-Path $LinkPath)
-            {
-                Write-Warning "'$LinkPath' already exists."
-                continue
-            }
-
-            if (-not $Kernel32Type::CreateSymbolicLink($LinkPath, "$($Volume)\", 1))
-            {
-                Write-Error "Symbolic link creation failed for '$Volume'."
-                continue
-            }
-
-            Get-Item $LinkPath
-        }
-    }
-
-    END
-    {
-
-    }
-}