An example of an unsafe admin script that "gets the job done". DON'T DO THIS!
<# | |
This is an example of how to hack together a script to achieve an objective, but it's a | |
terrible way to do it. This script was used as a scheduled task in an exercise scenario | |
to make a plausible mechanism for lateral movement and privilege escalation. | |
- Don't store passwords in the clear | |
- Don't run scripts with password-based SSH | |
- Don't use Posh-SSH to do windows admin tasks, use PS remoting over SSH | |
Not only does this script store a password in the clear, it passes it to the remote systems | |
where it can be captured by mimikatz. | |
Check out this reference for all the ways you can endanger your creds | |
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/reference-tools-logon-types | |
#> | |
# --- Credential material ---------------------------------------------------
# The account name and its password are string literals in the script body.
# Wrapping the literal in ConvertTo-SecureString -AsPlainText -Force adds no
# protection: anyone who can read this file (its backups, version history, or
# the scheduled-task definition that launches it) has the password.
$username = "jimmy.doe@example.lan" | |
$password = ConvertTo-SecureString "gh0stinthemach1ne!" -AsPlainText -Force | |
# Age threshold in days: files whose LastWriteTime is older than this are
# removed on every target (see the filter built into $command below).
$daysago = 30 | |
$creds = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password) | |
# Cut-off date rendered with a bare ToString(), i.e. in the local culture's
# default format. NOTE(review): the remote host parses this text back into a
# date inside the Where-Object filter; if its culture differs the comparison
# may not mean "30 days ago" there — confirm on the targets.
$datestr = (Get-Date).AddDays(-$daysago).ToString() | |
# Targets are workstation01 .. workstation10 (zero-padded to two digits).
for ( $i = 1; $i -le 10; $i++) { | |
$hostname = "workstation" + ( $i.ToString("00")) | |
# Password-based SSH logon with the admin credential. -AcceptKey accepts an
# unrecognised host key without prompting, so the peer is not verified before
# the password is sent to it. The header comment explains why the password is
# also exposed on the remote side once the logon succeeds.
$session = New-SSHSession -ComputerName $hostname -Credential $creds -AcceptKey | |
# NOTE(review): the shell stream is requested before $session.Connected is
# checked; if New-SSHSession returned nothing, this line fails first and the
# 'else' branch below is never reached.
$stream = New-SSHShellStream -SessionId $session.SessionId | |
if ($session.Connected){ | |
# Clear logon banner | |
$stream.Read() | Out-Null | |
# It's better to clear event logs using the built-in controls in the event service | |
# The first path is the Event Log service's on-disk store. Deleting files
# there directly is anti-forensic behaviour and a high-signal event for
# file-system auditing on that directory. The service normally keeps the
# active .evtx files open, so part of the deletion presumably fails, and the
# -ErrorAction SilentlyContinue in the remote command hides that from the
# caller.
$paths = ("C:\Windows\System32\winevt\Logs", "C:\Windows\Temp") | |
foreach( $path in $paths ) { | |
# Remote command assembled by string interpolation and typed into an
# interactive shell: nothing is quoted or validated, and the remote exit
# status is never inspected.
$command = "Get-ChildItem -Path '$path' -Recurse -Force | Where-Object {$_.LastWriteTime -lt '$datestr' } | Remove-Item -Force -Recurse -ErrorAction SilentlyContinue;" | |
$stream.WriteLine($command) | |
# Reads whatever output is currently available on the stream; presumably
# this does not wait for the remote command to finish.
$stream.Read() | |
} | |
Write-Output "Completed $hostname" | |
} else { | |
# The throw is not caught, so a single unreachable host aborts the whole
# run; hosts later in the range are not processed.
throw [System.InvalidOperationException]"Could not connect to SSH host: $hostname"; | |
} | |
# Disconnects but never calls Remove-SSHSession; the session object
# presumably stays registered in Posh-SSH's session list for the process
# lifetime.
$session.Disconnect() | |
} |