Public/Invoke-Phase12DomainCompromisePersistence.ps1

<#
.SYNOPSIS
Runs Phase 12 of the AS2Go attack simulation: Domain Compromise and Persistence.
 
.DESCRIPTION
Invoke-Phase12DomainCompromisePersistence executes the final attack phase in the AS2Go workflow.
It prepares the phase context, shows the phase banner, and starts the Phase 12 action chain after
interactive confirmation (or automatically in unattended mode).
 
The phase demonstrates persistence and impact actions such as:
- Creating a persistent backdoor domain account
- User account manipulation (disable/reset)
- Tier 0 group membership manipulation
- Group Policy Template tampering
- Encrypting backup files on a domain controller
- Exporting a DPAPI master key
- Forging a Kerberos Golden Ticket
- Rebooting available domain machines
 
.PARAMETER UnAttended
Runs the phase without interactive confirmation prompts.
 
.PARAMETER Continue
Reserved for workflow continuation handling; this function does not currently act on it.
 
.PARAMETER EnableLogging
Enables extended logging for this phase execution.
 
.PARAMETER SkipImages
Skips visual phase assets (for example, phase HTML images/pages).
 
.PARAMETER SkipClearHost
Prevents clearing the console during phase execution.
 
.PARAMETER AS2GoDemo
Runs the phase in AS2Go demo mode and skips selected setup interactions.
 
.PARAMETER DelevoperMode
Developer convenience mode.
When set, this switch enables logging and automatically skips images and host clearing.
 
.EXAMPLE
Invoke-Phase12DomainCompromisePersistence
 
Runs Phase 12 interactively.
 
.EXAMPLE
Invoke-Phase12DomainCompromisePersistence -UnAttended -EnableLogging
 
Runs Phase 12 without prompts and with logging enabled.
 
.EXAMPLE
Invoke-Phase12DomainCompromisePersistence -DelevoperMode
 
Runs Phase 12 with developer defaults (logging on, images skipped, no clear-host).
 
.NOTES
Alias: P12, Compromise
Part of: AS2Go attack phase orchestration
#>

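function Invoke-Phase12DomainCompromisePersistence {

    ################################################################################
    ##### #####
    ##### Run the Attack Phase - Domain Compromise & Persistence #####
    ##### #####
    ################################################################################
    # Orchestration wrapper for the final AS2Go simulation phase. It prepares the
    # phase context (colour schema, window title, "LastStage" setting, phase image),
    # prints the phase banner, asks for confirmation (unless -UnAttended) and then
    # hands off to Start-Phase12DomainCompromise. The start, end and run time of the
    # phase are written to the log so the simulated activity can be lined up with
    # the detection telemetry collected during the exercise.
    #
    # Returns nothing; all output goes through Invoke-Output / Write-Log.
    [Alias("P12", "Compromise")]
    Param (
        # Skip the interactive Show-DecisionPrompt confirmation.
        [switch]$UnAttended,
        # Reserved for workflow continuation; not read by this function.
        [switch]$Continue,
        # Extended logging for this phase. Not read directly here - presumably the
        # logging helpers pick it up from scope; confirm against Write-Log.
        [switch]$EnableLogging,
        # Do not call Show-Phases for the phase_012.html asset.
        [switch]$SkipImages,
        # Do not Clear-Host while preparing the banner.
        [switch]$SkipClearHost,
        # Demo mode: skip settings retrieval and the forest overview/info steps.
        [switch]$AS2GoDemo,
        # Developer convenience: implies -EnableLogging, -SkipImages, -SkipClearHost.
        [switch]$DelevoperMode
    )

    $CurrentFunction = Get-FunctionName
    Write-Log -Message "### Start Function $CurrentFunction ###"
    $StartRunTime = (Get-Date).ToString($Script:DateFormatLog)
    #################### main code | out- host #####################

    If ($DelevoperMode) {
        $SkipImages = $true
        $SkipClearHost = $true
        $EnableLogging = $true
    }

    # NOTE(review): $SkipSensitiveDataAccess is neither a parameter of this function
    # nor script-scoped here, so it is inherited from the calling scope (and is
    # $null, i.e. falsy, when the caller never set it). Under Set-StrictMode this
    # test would throw - confirm where the caller defines it.
    If ($SkipSensitiveDataAccess) {
        # Fix: the original put ".toupper()" outside the subexpression, so the log
        # line carried the literal text ".toupper()" instead of the upper-cased
        # phase name (compare the header line in the else branch).
        Write-Log -Message "Skipped Attack Phase - $($Script:Phase12.ToUpper())"
    }
    else {

        If (-not $SkipClearHost) { Clear-Host }
        If (-not $AS2GoDemo) {
            Set-NewColorSchema -NewStage $Script:InitialStart
            Get-AS2GoSettings
        }

        Update-WindowTitle -NewTitle $Script:Phase12

        # Record the current phase; appears to be the resume point for the workflow.
        Set-KeyValue -key "LastStage" -NewValue $Script:Phase12
        If (-not $SkipImages) { Show-Phases -Phase "phase_012.html" }

        # Not used in this function; presumably read by downstream helpers via scope.
        $NextStep = "B"

        # Schema and screen are reset a second time because Get-AS2GoSettings above
        # may have written to the console before the banner is printed.
        Set-NewColorSchema -NewStage $Script:InitialStart
        If (-not $SkipClearHost) { Clear-Host }
        Invoke-Output -T Header -M "Attack Phase - $($Script:Phase12.toupper())"
        Invoke-Output -T Bullet "Create a persistent backdoor domain account"
        Invoke-Output -T Bullet "Perform user account manipulation (disable accounts and/or reset passwords)"
        Invoke-Output -T Bullet "Perform Tier 0 group membership manipulation (remove all admins except backdoor and break-glass accounts)"
        Invoke-Output -T Bullet "Tamper with Group Policy Template (GPT) files to push malicious settings"
        Invoke-Output -T Bullet "Encrypt backup files stored on the domain controller"
        Invoke-Output -T Bullet "Export the DPAPI master key for offline decryption of secrets"
        Invoke-Output -T Bullet "Forge a Kerberos Golden Ticket for long-term domain persistence"
        Invoke-Output -T Bullet "Reboot all available machines in the domain"

        # $Yes is the module-wide "confirmed" sentinel that Show-DecisionPrompt returns.
        If ($UnAttended) {
            $answer = $Yes
        }
        else {
            $answer = Show-DecisionPrompt
        }

        If ($answer -eq $Yes) {
            If (-not $AS2GoDemo) {
                Invoke-ForestOverview
                Get-ForestInfo
            }
            Start-Phase12DomainCompromise
        }
    }

    ######################## main code ############################
    $runtime = Get-RunTime -StartRunTime $StartRunTime
    Write-Log -Message " Run Time: $runtime [h] ###"
    Write-Log -Message "### End Function $CurrentFunction ###"
}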