@dcode
Created December 3, 2021 15:38
An example of an unsafe admin script that "gets the job done". DON'T DO THIS!
<#
This is an example of how to hack together a script to achieve an objective, but it's a
terrible way to do it. This script was used as a scheduled task in an exercise scenario
to make a plausible mechanism for lateral movement and privilege escalation.

- Don't store passwords in the clear
- Don't run scripts with password-based SSH
- Don't use Posh-SSH to do Windows admin tasks, use PS remoting over SSH

Not only does this script store a password in the clear, it passes it to the remote systems
where it can be captured by mimikatz.

Check out this reference for all the ways you can endanger your creds:
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types
#>

# Requires the third-party Posh-SSH module (Install-Module Posh-SSH).
Import-Module Posh-SSH

# Hard-coded domain credential: the first problem listed above. Anyone who can read this
# file (or the scheduled task definition that points at it) has the password.
$username = "jimmy.doe@example.lan"
$password = ConvertTo-SecureString "gh0stinthemach1ne!" -AsPlainText -Force
$daysago  = 30
$creds    = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password)
$datestr  = (Get-Date).AddDays(-$daysago).ToString()

for ($i = 1; $i -le 10; $i++) {
    $hostname = "workstation" + $i.ToString("00")
    # Password-based SSH: the password is sent to every host, where the resulting logon
    # leaves it recoverable from LSASS. -AcceptKey also auto-accepts unknown host keys,
    # so an impersonated host would receive the password as well.
    $session = New-SSHSession -ComputerName $hostname -Credential $creds -AcceptKey

    if ($session -and $session.Connected) {
        $stream = New-SSHShellStream -SessionId $session.SessionId
        # Clear logon banner
        $stream.Read() | Out-Null
        # It's better to clear event logs using the built-in controls in the event service
        $paths = ("C:\Windows\System32\winevt\Logs", "C:\Windows\Temp")
        foreach ($path in $paths) {
            # `$_ is escaped so the pipeline variable is evaluated on the remote host
            # rather than interpolated (as empty) while this string is built locally.
            $command = "Get-ChildItem -Path '$path' -Recurse -Force | Where-Object {`$_.LastWriteTime -lt '$datestr' } | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue;"
            $stream.WriteLine($command)
            $stream.Read()
        }
        Write-Output "Completed $hostname"
        $session.Disconnect()
    } else {
        throw [System.InvalidOperationException]"Could not connect to SSH host: $hostname"
    }
}
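The alternative the header comment points at, as an added example that is not part of the gist: the same per-workstation cleanup done over PowerShell remoting via SSH with key-based authentication, so no password is stored in the script or sent to the remote hosts, and log volume is controlled through the event service instead of deleting .evtx files from disk. It assumes PowerShell 7 on both ends with the `powershell` subsystem enabled in each workstation's sshd_config, a private key at the path shown (both are assumptions, not from the original), and the workstation names from the script above.

```powershell
# Added example, not code from the original gist.
# Assumed: each workstation runs OpenSSH server with the PowerShell subsystem configured
# (Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -nologo), and the admin's
# private key lives at $keyPath. No password appears anywhere in this script.
$keyPath  = "$HOME\.ssh\id_ed25519_admin"   # assumed path; protect it with a passphrase or ssh-agent
$userName = "jimmy.doe"                       # assumed local/SSH user name on the workstations
$daysAgo  = 30
$cutoff   = (Get-Date).AddDays(-$daysAgo)
$hosts    = 1..10 | ForEach-Object { "workstation{0:00}" -f $_ }

# The remote work is a script block, so there is no string building or quoting to get wrong.
$cleanup = {
    param([datetime]$Cutoff)

    # Only prune Temp; leave C:\Windows\System32\winevt\Logs to the event service.
    Get-ChildItem -Path 'C:\Windows\Temp' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $_.LastWriteTime -lt $Cutoff } |
        Remove-Item -Force -ErrorAction SilentlyContinue

    # Use the event service's own controls: cap each log at 20 MB and let it overwrite
    # old events (/rt:false) instead of deleting log files behind its back.
    foreach ($log in 'Application', 'System', 'Security') {
        wevtutil sl $log /ms:20971520 /rt:false
    }

    "Completed $env:COMPUTERNAME"
}

foreach ($h in $hosts) {
    $s = $null
    try {
        # Key-based SSH transport for PS remoting: nothing reusable for mimikatz is sent.
        $s = New-PSSession -HostName $h -UserName $userName -KeyFilePath $keyPath -ErrorAction Stop
        Invoke-Command -Session $s -ScriptBlock $cleanup -ArgumentList $cutoff
    } catch {
        # Keep going with the remaining hosts rather than aborting the whole run.
        Write-Warning "Could not connect to SSH host ${h}: $_"
    } finally {
        if ($s) { Remove-PSSession $s }
    }
}
```

Two caveats for the key-based variant: the first connection to each host should be made interactively (or the host keys pre-seeded in known_hosts) so that host-key checking actually protects the session, and a key-authenticated SSH logon on Windows does not carry the user's network credential, so the remote script block cannot itself reach a second hop without further configuration. The `wevtutil` settings are one reasonable choice; the point is that retention is set through the service rather than by deleting files.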