public static void WmiRemoteCodeExecutionCmdline(Computer computer, PlaybookTask playbook_task, Logger logger)
{
string target = "";
if (!computer.Fqdn.Equals(""))
{
target = computer.Fqdn;
}
else if (!computer.ComputerName.Equals(""))
{
target = computer.ComputerName;
}
else
{
target = computer.IPv4;
}
string startProcess = string.Format(@"/node:""{0}"" process call create ""{1}"" ", target, playbook_task.command);
string results = ExecutionHelper.StartProcessNET("wmic.exe", startProcess, logger);
if (results.Contains("Access is denied"))
{
throw new Exception();
}
}
public static void CreateRemoteScheduledTaskCmdline(Computer computer, PlaybookTask playbook_task, Logger logger)
{
string target = "";
if (!computer.Fqdn.Equals(""))
{
target = computer.Fqdn;
}
else if (!computer.ComputerName.Equals(""))
{
target = computer.ComputerName;
}
else
{
target = computer.IPv4;
}
string createTask = string.Format(@"/create /s {0} /sc ONCE /st 13:30 /tn ""{1}"" /tr {2} /rl HIGHEST /ru SYSTEM", target, playbook_task.taskName, playbook_task.taskPath);
string runTask = string.Format(@"/run /s {0} /tn ""{1}""", target, playbook_task.taskName);;
string deleteTask = string.Format(@"/delete /s {0} /tn ""{1}"" /F", target, playbook_task.taskName);
string results = ExecutionHelper.StartProcessNET("schtasks.exe", createTask, logger);
if (!results.Contains("Access is denied"))
{
ExecutionHelper.StartProcessNET("schtasks.exe", runTask, logger);
if (playbook_task.cleanup)
{
ExecutionHelper.StartProcessNET("schtasks.exe", deleteTask, logger);
}
}
else
{
throw new Exception();
}
}
// From https://stackoverflow.com/questions/23481394/programmatically-install-windows-service-on-remote-machine
// and https://stackoverflow.com/questions/37983453/how-to-deploy-windows-service-on-remote-system-using-c-sharp-programatically
public static void CreateRemoteServiceCmdline(Computer computer, PlaybookTask playbook_task, Logger logger)
{
string target = "";
if (!computer.Fqdn.Equals(""))
{
target = computer.Fqdn;
}
else if (!computer.ComputerName.Equals(""))
{
target = computer.ComputerName;
}
else
{
target = computer.IPv4;
}
string createService = string.Format(@"\\{0} create ""{1}"" binpath= ""{2}""", target, playbook_task.serviceName, playbook_task.servicePath);
string runService = string.Format(@"\\{0} start ""{1}""", target, playbook_task.serviceName);;
string deleteService = string.Format(@"\\{0} delete ""{1}""", target, playbook_task.serviceName);
string results = ExecutionHelper.StartProcessNET("sc.exe", createService, logger);
if (!results.Contains("Access is denied"))
{
ExecutionHelper.StartProcessNET("sc.exe", runService, logger);
if (playbook_task.cleanup)
{
ExecutionHelper.StartProcessNET("sc.exe", deleteService, logger);
}
}
else
{
throw new Exception();
}
}
public static void WinRMCodeExecutionPowerShell(Computer computer, PlaybookTask playbook_task, Logger logger)
{
string target = "";
if (!computer.Fqdn.Equals(""))
{
target = computer.Fqdn;
}
else if (!computer.ComputerName.Equals(""))
{
target = computer.ComputerName;
}
else
{
target = computer.IPv4;
}
string cleanPws = String.Format("Invoke-Command -ComputerName {0} -ScriptBlock {{ {1} }}", target, playbook_task.command);
logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
string results = ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
if (results.Contains("AccessDenied"))
{
throw new Exception();
}
}
public static void DomainGroupDiscoveryPowerShell(PlaybookTask playbook_task, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1069.002");
logger.TimestampInfo("Using PowerShell to execute the technique");
try
{
if (playbook_task.groups.Length > 0)
{
foreach (string group in playbook_task.groups)
{
string cleanPws = String.Format("Get-AdGroup -Filter {{Name -like '{0}'}} | Get-ADGroupMember | Select SamAccountName", group);
logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
//ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
}
logger.SimulationFinished();
}
else
{
string cleanPws = String.Format("Get-AdGroup -Filter {{Name -like 'Domain Admins'}} | Get-ADGroupMember | Select SamAccountName");
logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
logger.SimulationFinished();
}
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void DomainGroupDiscoveryCmd(PlaybookTask playbook_task, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1069.002");
logger.TimestampInfo("Using the command line to execute technique");
try
{
if (playbook_task.groups.Length > 0)
{
foreach (string group in playbook_task.groups)
{
ExecutionHelper.StartProcessNET("net.exe", String.Format("group \"{0}\" /domain", group), logger);
//ExecutionHelper.StartProcessApi("", String.Format("net group \"{0}\" /domain", group), logger);
}
logger.SimulationFinished();
}
else
{
ExecutionHelper.StartProcessNET("net.exe", String.Format("group /domain"), logger);
//ExecutionHelper.StartProcessApi("", "net group /domain", logger);
logger.SimulationFinished();
}
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
static public void ExecuteWmiCmd(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1047");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
ExecutionHelper.StartProcessNET("wmic.exe", String.Format(@"process call create ""powershell.exe"""), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void SystemUserDiscovery(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1033");
try
{
//ExecutionHelper.StartProcessApi("", "whoami", logger);
ExecutionHelper.StartProcessNET("cmd.exe", "/c whoami", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void RemoteSystemDiscoveryCmd(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1018");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
ExecutionHelper.StartProcessNET("cmd.exe", "/c net view", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void DomainTrustDiscoveryCmd(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1482");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
ExecutionHelper.StartProcessNET("nltest.exe", "/domain_trusts", logger);
//ExecutionHelper.StartProcessApi("","nltest /domain_trusts", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void LocalAccountDiscoveryCmd(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1087.001");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
//ExecutionHelper.StartProcessApi("", "net user", logger);
ExecutionHelper.StartProcessNET("net.exe", "user", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void RemoteSystemDiscoveryPowerShell(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1018");
logger.TimestampInfo("Using PowerShell to execute the technique");
try
{
string cleanPws = String.Format("Get-ADComputer -Filter {{enabled -eq $true}} | Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate");
logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
var cleanPwsBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
//ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void SystemInformationDiscovery(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1082");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
//ExecutionHelper.StartProcessApi("", "systeminfo", logger);
//ExecutionHelper.StartProcessApi("", "net config workstation", logger);
ExecutionHelper.StartProcessNET("cmd.exe /c", "systeminfo", logger);
//ExecutionHelper.StartProcessNET("net.exe", "config workstation", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void DomainAccountDiscoveryPowerShell(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Logger logger = new Logger(currentPath + log);
logger.SimulationHeader("T1087.002");
logger.TimestampInfo("Using PowerShell to execute the technique");
try
{
string cleanPws = String.Format("Get-ADUser -Filter * | Select-Object SamAccountNAme");
logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
var cleanPwsBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
//ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}