Collection of PowerShell cmdlets for use on offensive domain controllers
This toolkit contains the following tools to help utilize an offensively-provisioned domain controller in penetration tests and red team engagements to the fullest:
- `Invoke-ReverseBastion`: By far the most powerful tool of the bunch, this cmdlet automates the process of setting up a bastion forest in the attack domain and adding a target domain to it.
- `Find-InterestingRemoteAcl`: Uses the built-in AD cmdlets together with `New-PSDrive` and `Get-Acl` to remotely enumerate ACLs on one domain from another, all while using Microsoft-signed tools to avoid detection.
- `Gen-RDPFile`: Uses a multi-line template to automate the process of establishing one-click access to a remote machine.
- `Add-TargetDnsForwarder`: Simplifies the process of adding a conditional forwarder for resolving a remote domain without needing to manually edit configuration files.
- `Add-RemoteDnsWildcardRecord`: Automates the process of adding a `*` record to a remote DC.
- `Enter-PlaintextWinRMSession`: Wrapper around `Enter-PSSession` that reduces the number of steps necessary to connect from 3 to 1.
- `Add-RemoteMachineAccount`: Creates a machine account on a target domain from the attack domain, if the MAQ (machine account quota) on the target domain is nonzero. Doing it remotely ensures that AV/EDR solutions don't have time to block the tools before the machine account is created.
- `Invoke-DnsKrbRelay`: Uses DNS records like those previously created using `Add-RemoteDnsWildcardRecord` to launch new PowerShell processes with logon type 9 automatically as the target users, by listening for tickets and passing them.
- `Invoke-PSNetOnly`: Creates a new PowerShell process with logon type 9 (`LOGON_TYPE_NEW_CREDENTIALS`), the same logon type that `runas /netonly` and `Rubeus /createnetonly` use, with a `PSCredential` object instead of an NT hash and/or an interactive password prompt. This allows further use of tools like Rubeus and SharpHound remotely from the attack domain, where Windows Defender can't touch them.
- More to come
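Several of the cmdlets above depend on conditions a domain owner can audit and close: a nonzero machine account quota, a wildcard record in the domain zone, and conditional forwarders pointing at an outside domain. The following audit is an added example, not part of this toolkit; it assumes it is run on a DC or a host with the ActiveDirectory and DnsServer RSAT modules installed, and the `-ExpectedForwarderZones` parameter is a hypothetical allow-list you fill in for your environment.

```powershell
# Added defensive audit; not part of the toolkit described above.
# Assumes the ActiveDirectory and DnsServer RSAT modules are available.
Import-Module ActiveDirectory
Import-Module DnsServer

function Get-DomainExposureFindings {
    [CmdletBinding()]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Conditional forwarder zones that are known and expected; any other forwarder is flagged.
        [string[]]$ExpectedForwarderZones = @()
    )

    $findings = @()
    $domainDn = (Get-ADDomain -Identity $Domain).DistinguishedName

    # ms-DS-MachineAccountQuota lets any authenticated user join that many machines to the domain.
    # A nonzero value is the precondition for remote machine account creation; 0 removes it.
    $maq = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
    if ($maq -gt 0) {
        $findings += [pscustomobject]@{ Check = 'MachineAccountQuota'
            Detail = "Quota is $maq; set ms-DS-MachineAccountQuota to 0 unless ordinary users must join machines" }
    }

    # A wildcard (*) record in the domain zone answers every otherwise-unmatched name query.
    $wildcard = Get-DnsServerResourceRecord -ZoneName $Domain -Name '*' -ErrorAction SilentlyContinue
    if ($wildcard) {
        $findings += [pscustomobject]@{ Check = 'WildcardDnsRecord'
            Detail = "Zone $Domain contains a '*' record (types: $($wildcard.RecordType -join ','))" }
    }

    # Conditional forwarders hand queries for a zone to servers outside this DNS infrastructure.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Forwarder' -and $_.ZoneName -notin $ExpectedForwarderZones } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Check = 'UnexpectedConditionalForwarder'
                Detail = "Zone $($_.ZoneName) forwards to $($_.MasterServers -join ',')" }
        }

    return $findings
}

# Example use on the DC itself; review each finding before changing anything.
Get-DomainExposureFindings -ExpectedForwarderZones @('partner.example') | Format-Table -AutoSize
```

An empty result means none of the three conditions is present; each finding names the setting to review rather than changing it.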