Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
An example of an unsafe admin script that "gets the job done". DON'T DO THIS!
This is an example of how to hack together a script to achieve an objective, but it's a
terrible way to do it. This script was used as a scheduled task in an exercise scenario
to make a plausible mechanism for lateral movement and privilege escalation.
- Don't store passwords in the clear
- Don't run scripts with password-based SSH
- Don't use Posh-SSH to do windows admin tasks, use PS remoting over SSH
Not only does this script store a password in the clear, it passes it to the remote systems
where it can be captured by mimikatz.
Check out this reference for all the ways you can endanger your creds
$username = "jimmy.doe@example.lan"
$password = ConvertTo-SecureString "gh0stinthemach1ne!" -AsPlainText -Force
$daysago = 30
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
$datestr = (Get-Date).AddDays(-$daysago).ToString()
for ( $i = 1; $i -le 10; $i++) {
$hostname = "workstation" + ( $i.ToString("00"))
$session = New-SSHSession -ComputerName $hostname -Credential $creds -AcceptKey
$stream = New-SSHShellStream -SessionId $session.SessionId
if ($session.Connected){
# Clear logon banner
$stream.Read() | Out-Null
# It's better to clear event logs using the built-in controls in the event service
$paths = ("C:\Windows\System32\winevt\Logs", "C:\Windows\Temp")
foreach( $path in $paths ) {
$command = "Get-ChildItem -Path '$path' -Recurse -Force | Where-Object {$_.LastWriteTime -lt '$datestr' } | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue;"
Write-Output "Completed $hostname"
} else {
throw [System.InvalidOperationException]"Could not connect to SSH host: $hostname";
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment