Mr-Un1k0d3r/RedTeamPowershellScripts Mr-Un1k0d3r/RedTeamPowershellScripts

  • Stars
    star
    878
  • Rank 51,998 (Top 2 %)
  • Language
    PowerShell
  • License
    Other
  • Created about 8 years ago
  • Updated over 2 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Mr-Un1k0d3r/RedTeamPowershellScripts
github

Mr-Un1k0d3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Various PowerShell scripts that may be useful during red team exercise

Red Team Powershell Scripts

Search-EventForUser.ps1: Powershell script that search through the Windows event logs for specific user(s)
Search-FullNameToSamAccount.ps1: Full name to SamAccountName
Search-UserPassword.ps1: Search LDAP for userPassword field
Remote-WmiExecute.ps1: Execute command remotely using WMI
Take-Screenshot.ps1: Take a screenshot (PNG)
Get-BrowserHomepage.ps1: Get browser homepage
Get-IEBookmarks.ps1: List all Internet Explorer bookmarks URLs
Invoke-ADPasswordBruteForce.ps1: Test users password
Utility.ps1: Contain several cmdlets
Run-As.ps1: Run a process as another user (credentials)
Get-ProcessList.ps1: List processes, owner and command line arguments
Remote-RegisterProtocolHandler.ps1: Use protocol handler to run your command to bypass some detection
Add-UserLogonScript: Add a logon script to a specific user

Search-EventForUser.ps1 Usage

module-import .\Search-EventForUser.ps1; Search-EventForUser -TargetUser "MrUn1k0d3r"

module-import .\Search-EventForUser.ps1; "MrUn1k0d3r" | Search-EventForUser

module-import .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -ComputerName DC01

module-import .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -FindDC true

module-import .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true

module-import .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true -Username DOMAIN\admin -Password "123456"

The -User parameter support single user or a list of users from pipeline

Search-FullNameToSamAccount.ps1 Usage

module-import .\Search-FullNameToSamAccount.ps1; Search-FullNameToSamAccount -Filter *god*

module-import .\Search-FullNameToSamAccount.ps1; "god", "mom" | Search-FullNameToSamAccount

Search-UserPassword.ps1 Usage

module-import .\Search-UserPassword.ps1; Search-UserPassword -Username *god*

module-import .\Search-UserPassword.ps1; "god", "mom" | Search-UserPassword

Remote-WmiExecute.ps1 Usage

module-import .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload "cmd.exe /c whoami"

Take-Screenshot.ps1 Usage

module-import .\Take-Screenshot.ps1; Take-Screenshot -Path C:\test.png

Get-BrowserHomepage.ps1 Usage

module-import .\Get-BrowserHomepage.ps1; Get-BrowserHomepage

Get-IEBookmarks.ps1 Usage

module-import .\Get-IEBookmarks.ps1; Get-IEBookmarks

Invoke-ADPasswordBruteForce.ps1 Usage

module-import .\Invoke-ADPasswordBruteForce; Invoke-ADPasswordBruteForce -Username "mr.un1k0d3r" -Password "password"

module-import .\Invoke-ADPasswordBruteForce; "neo","morpheus" | Invoke-ADPasswordBruteForce -Password "password"

module-import .\Invoke-ADPasswordBruteForce; "neo","morpheus" | Invoke-ADPasswordBruteForce -Password "password" -Domain MATRIX

Utility.ps1

Contain de following cmdlets

Search-EventForUser
Search-EventForUserByDomain
Search-EventForUserByIP
Search-FullNameToSamAccount
Ldap-GetProperty
Search-UserPassword
Dump-UserEmail
Dump-Computers
Dump-UserName

Run-As.ps1

module-import .\Run-As.ps1; Run-As -Username RingZer0\Mr.Un1k0d3r -Password "IShouldNotLeakThisPasswordOnTheInternet" -Process "C:\Evil.exe"

COM-Utility.ps1

Contain de following cmdlets

Invoke-COM-ScheduleService
Invoke-COM-XMLHTTP
Invoke-COM-ShellBrowserWindow
Invoke-COM-WindowsScriptHost
Invoke-COM-ProcessChain 
Invoke-COM-ShellApplication

Get-ProcessList.ps1 Usage

module-import .\Get-ProcessList.ps1; Get-ProcessList

Remote-RegisterProtocolHandler.ps1 Usage

This cmdlet create a protocol handler that will call your payload. The idea is to avoid detection since the command that will be execute will look like the following one:

explorer ms-browse://

Where ms-browser is the custom handler you registered and will execute your command

module-import .\Remote-RegisterProtocolHandler.ps1; Remote-RegisterProtocolHandler -ComputerName host -Payload "command to run"
module-import .\Remote-RegisterProtocolHandler.ps1; Remote-RegisterProtocolHandler -ComputerName host -Payload "command to run" -Handler ms-handler-name

Todo

  1. Take-Screenshot.ps1:
  • Handle multiple screens

Credit

Mr.Un1k0d3r RingZer0 Team

Tazz0 RingZer0 Team

More Repositories

1

EDRs

C
1,857
star
2

PowerLessShell

Run PowerShell command without invoking powershell.exe
Python
1,413
star
3

DKMC

DKMC - Dont kill my cat - Malicious payload evasion tool
Python
1,323
star
4

SCShell

Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
C
1,268
star
5

MaliciousMacroGenerator

Malicious Macro Generator
Visual Basic
811
star
6

ThunderShell

Python / C# Unmanaged PowerShell based RAT
Python
770
star
7

RedTeamCSharpScripts

C# Script used for Red Team
C#
706
star
8

RedTeamCCode

Red Team C code repo
C
464
star
9

CatMyPhish

Search for categorized domain
Python
418
star
10

PoisonHandler

lateral movement techniques that can be used during red team exercises
PowerShell
264
star
11

MaliciousClickOnceGenerator

Quick Malicious ClickOnceGenerator for Red Team
C#
234
star
12

ADHuntTool

official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
C#
229
star
13

Windows-SignedBinary

Python
224
star
14

.NetConfigLoader

.net config loader
223
star
15

Shellcoding

Shellcoding utilities
C
209
star
16

ATP-PowerShell-Scripts

Microsoft Signed PowerShell scripts
PowerShell
203
star
17

WindowsDllsExport

A list of all the DLLs export in C:\windows\system32\
C
199
star
18

AMSI-ETW-Patch

Patch AMSI and ETW
C#
196
star
19

DLLsForHackers

Dll that can be used for side loading and other attack vector.
Python
175
star
20

MaliciousDLLGenerator

DLL Generator for side loading attack
C
163
star
21

SCT-obfuscator

Cobalt Strike SCT payload obfuscator
Python
142
star
22

RedTeamScripts

Repo with various Red Team scripts
Python
137
star
23

Elevate-System-Trusted-BOF

C
132
star
24

Cookie-Graber-BOF

C or BOF file to extract WebKit master key to decrypt user cookie
C
129
star
25

SPFAbuse

SPF are not as strong as you may think. Red Team tool to send email on behalf of your target corp
Python
128
star
26

RemoteProcessInjection

C# remote process injection utility for Cobalt Strike
C#
80
star
27

Base64-Obfuscator

Simple PowerShell Base64 encoder to avoid detection of your malicious payload
PowerShell
74
star
28

SearchIPOwner

Search public IP owner through ARIN
Python
51
star
29

RedTeamFSharp

Red Team Toolset written in F# (Experimental)
F#
26
star
30

SideChannelAttack

Side Channel script
Python
24
star
31

BOFCode

Bunch of BOF files
C
13
star
32

blog.mr.un1k0d3r.com

Mr.Un1k0d3r.com blog
HTML
9
star
33

MsGraphFunzy

Scripts to interact with Microsoft Graph APIs
Python
5
star