{"id":13390818,"url":"https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts","last_synced_at":"2025-03-13T15:32:09.783Z","repository":{"id":41519365,"uuid":"72670268","full_name":"Mr-Un1k0d3r/RedTeamPowershellScripts","owner":"Mr-Un1k0d3r","description":"Various PowerShell scripts that may be useful during red team exercise","archived":false,"fork":false,"pushed_at":"2022-04-28T17:38:00.000Z","size":113,"stargazers_count":922,"open_issues_count":0,"forks_count":258,"subscribers_count":41,"default_branch":"master","last_synced_at":"2024-08-01T14:18:45.751Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Mr-Un1k0d3r.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-11-02T18:40:46.000Z","updated_at":"2024-07-30T14:29:13.000Z","dependencies_parsed_at":"2022-09-21T11:50:30.044Z","dependency_job_id":null,"html_url":"https://github.com/Mr-Un1k0d3r/RedTeamPowershellScripts","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamPowershellScripts","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamPowershellScripts/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamPowershellScripts/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Mr-Un1k0d3r%2FRedTeamPowershellScripts/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Mr-Un1k0d3r","download_url
":"https://codeload.github.com/Mr-Un1k0d3r/RedTeamPowershellScripts/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221380083,"owners_count":16809017,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-30T14:01:27.108Z","updated_at":"2024-10-25T03:30:43.567Z","avatar_url":"https://github.com/Mr-Un1k0d3r.png","language":"PowerShell","readme":"# Red Team Powershell Scripts\n\n```\nSearch-EventForUser.ps1: Powershell script that search through the Windows event logs for specific user(s)\nSearch-FullNameToSamAccount.ps1: Full name to SamAccountName\nSearch-UserPassword.ps1: Search LDAP for userPassword field\nRemote-WmiExecute.ps1: Execute command remotely using WMI\nTake-Screenshot.ps1: Take a screenshot (PNG)\nGet-BrowserHomepage.ps1: Get browser homepage\nGet-IEBookmarks.ps1: List all Internet Explorer bookmarks URLs\nInvoke-ADPasswordBruteForce.ps1: Test users password\nUtility.ps1: Contain several cmdlets\nRun-As.ps1: Run a process as another user (credentials)\nGet-ProcessList.ps1: List processes, owner and command line arguments\nRemote-RegisterProtocolHandler.ps1: Use protocol handler to run your command to bypass some detection\nAdd-UserLogonScript: Add a logon script to a specific user\n```\n\n# Search-EventForUser.ps1 Usage\n```\nmodule-import .\\Search-EventForUser.ps1; Search-EventForUser -TargetUser \"MrUn1k0d3r\"\n\nmodule-import .\\Search-EventForUser.ps1; \"MrUn1k0d3r\" | Search-EventForUser\n\nmodule-import .\\Search-EventForUser.ps1; Search-EventForUser -TargetUser 
MrUn1k0d3r -ComputerName DC01\n\nmodule-import .\\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -FindDC true\n\nmodule-import .\\Search-EventForUser.ps1; \"god\", \"mom\" | Search-EventForUser -FindDC true\n\nmodule-import .\\Search-EventForUser.ps1; \"god\", \"mom\" | Search-EventForUser -FindDC true -Username DOMAIN\\admin -Password \"123456\"\n```\nThe -User parameter supports a single user or a list of users from the pipeline\n\n# Search-FullNameToSamAccount.ps1 Usage\n```\nmodule-import .\\Search-FullNameToSamAccount.ps1; Search-FullNameToSamAccount -Filter *god*\n\nmodule-import .\\Search-FullNameToSamAccount.ps1; \"god\", \"mom\" | Search-FullNameToSamAccount\n```\n\n# Search-UserPassword.ps1 Usage\n```\nmodule-import .\\Search-UserPassword.ps1; Search-UserPassword -Username *god*\n\nmodule-import .\\Search-UserPassword.ps1; \"god\", \"mom\" | Search-UserPassword\n```\n\n# Remote-WmiExecute.ps1 Usage\n```\nmodule-import .\\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload \"cmd.exe /c whoami\"\n```\n\n# Take-Screenshot.ps1 Usage\n```\nmodule-import .\\Take-Screenshot.ps1; Take-Screenshot -Path C:\\test.png\n```\n\n# Get-BrowserHomepage.ps1 Usage\n```\nmodule-import .\\Get-BrowserHomepage.ps1; Get-BrowserHomepage\n```\n\n# Get-IEBookmarks.ps1 Usage\n```\nmodule-import .\\Get-IEBookmarks.ps1; Get-IEBookmarks\n```\n\n# Invoke-ADPasswordBruteForce.ps1 Usage\n```\nmodule-import .\\Invoke-ADPasswordBruteForce; Invoke-ADPasswordBruteForce -Username \"mr.un1k0d3r\" -Password \"password\"\n\nmodule-import .\\Invoke-ADPasswordBruteForce; \"neo\",\"morpheus\" | Invoke-ADPasswordBruteForce -Password \"password\"\n\nmodule-import .\\Invoke-ADPasswordBruteForce; \"neo\",\"morpheus\" | Invoke-ADPasswordBruteForce -Password \"password\" -Domain MATRIX\n```\n\n# Utility.ps1\n\nContains the following 
cmdlets\n```\nSearch-EventForUser\nSearch-EventForUserByDomain\nSearch-EventForUserByIP\nSearch-FullNameToSamAccount\nLdap-GetProperty\nSearch-UserPassword\nDump-UserEmail\nDump-Computers\nDump-UserName\n```\n\n# Run-As.ps1\n\n```\nmodule-import .\\Run-As.ps1; Run-As -Username RingZer0\\Mr.Un1k0d3r -Password \"IShouldNotLeakThisPasswordOnTheInternet\" -Process \"C:\\Evil.exe\"\n```\n\n# COM-Utility.ps1\n\nContains the following cmdlets\n```\nInvoke-COM-ScheduleService\nInvoke-COM-XMLHTTP\nInvoke-COM-ShellBrowserWindow\nInvoke-COM-WindowsScriptHost\nInvoke-COM-ProcessChain \nInvoke-COM-ShellApplication\n```\n\n# Get-ProcessList.ps1 Usage\n\n```\nmodule-import .\\Get-ProcessList.ps1; Get-ProcessList\n```\n\n# Remote-RegisterProtocolHandler.ps1 Usage\n\nThis cmdlet creates a protocol handler that will call your payload. The idea is to avoid detection since the command that will be executed will look like the following one:\n\n`explorer ms-browse://`\n\nWhere `ms-browser` is the custom handler you registered and will execute your command\n\n```\nmodule-import .\\Remote-RegisterProtocolHandler.ps1; Remote-RegisterProtocolHandler -ComputerName host -Payload \"command to run\"\nmodule-import .\\Remote-RegisterProtocolHandler.ps1; Remote-RegisterProtocolHandler -ComputerName host -Payload \"command to run\" -Handler ms-handler-name \n```\n\n# Todo\n\n1. Take-Screenshot.ps1:\n  * Handle multiple screens\n\n# Credit\nMr.Un1k0d3r RingZer0 Team\n\nTazz0 RingZer0 Team\n","funding_links":[],"categories":["PowerShell"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FRedTeamPowershellScripts","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FMr-Un1k0d3r%2FRedTeamPowershellScripts","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FMr-Un1k0d3r%2FRedTeamPowershellScripts/lists"}