static public void CreateSchTaskOnHosts(int nhost, int sleep, bool cleanup) { var rand = new Random(); int computertype = rand.Next(1, 6); List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); List <Task> tasklist = new List <Task>(); Console.WriteLine("[*] Starting Scheduled Task based Lateral Movement simulation from {0} running as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); if (sleep > 0) { Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep); } foreach (Computer computer in targethosts) { if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { Computer temp = computer; LateralMovementHelper.CreateRemoteScheduledTask(temp, "powershell.exe", cleanup); /* * tasklist.Add(Task.Factory.StartNew(() => * { * LateralMovementHelper.CreateRemoteScheduledTask(computer, command, cleanup); * })); * if (sleep > 0) Thread.Sleep(sleep * 1000); */ } } //Task.WaitAll(tasklist.ToArray()); }
static public void ExecuteWmiOnHosts(int computertype, int nhost, int sleep, string command) { List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); List <Task> tasklist = new List <Task>(); Console.WriteLine("[*] Starting WMI Based Lateral Movement attack from {0} running as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); if (sleep > 0) { Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep); } foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.WmiCodeExecution(temp, command); })); if (sleep > 0) { Thread.Sleep(sleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); }
static public void CreateRemoteServiceOnHosts(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021.002"); if (playbook_task.variation == 1) { logger.TimestampInfo("Using sc.exe to execute this technique against remote hosts"); } else if (playbook_task.variation == 2) { logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique against remote hosts"); } List <Computer> host_targets = new List <Computer>(); List <Task> tasklist = new List <Task>(); if (playbook_task.serviceName.Equals("random")) { string chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456789".ToLower(); Random random = new Random(); logger.TimestampInfo("Using random Service Name"); playbook_task.serviceName = new string(Enumerable.Repeat(chars, 8).Select(s => s[random.Next(s.Length)]).ToArray()); } try { host_targets = Targets.GetHostTargets(playbook_task, logger); foreach (Computer computer in host_targets) { Computer temp = computer; if (!computer.ComputerName.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { if (playbook_task.variation == 1) { LateralMovementHelper.CreateRemoteServiceCmdline(temp, playbook_task, logger); } else if (playbook_task.variation == 2) { LateralMovementHelper.CreateRemoteServiceApi(temp, playbook_task, logger); } })); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void WinRmCodeExec(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021.006"); if (playbook_task.variation == 1) { logger.TimestampInfo("Using powershell.exe to execute this technique against remote hosts"); } else if (playbook_task.variation == 2) { logger.TimestampInfo("Using the System.Management.Automation .NET namespace to execute this technique"); } List <Computer> host_targets = new List <Computer>(); List <Task> tasklist = new List <Task>(); try { host_targets = Targets.GetHostTargets(playbook_task, logger); foreach (Computer computer in host_targets) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { if (playbook_task.variation == 1) { LateralMovementHelper.WinRMCodeExecutionPowerShell(temp, playbook_task, logger); } else if (playbook_task.variation == 2) { LateralMovementHelper.WinRMCodeExecutionNET(temp, playbook_task, logger); } })); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void CreateRemoteServiceOnHosts_Old(int nhost, int tsleep, bool cleanup, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021"); logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique"); try { var rand = new Random(); int computertype = rand.Next(1, 6); logger.TimestampInfo(String.Format("Querying LDAP for random targets...")); List <Computer> targethosts = Targets.GetHostTargets_old(computertype, nhost, logger); logger.TimestampInfo(String.Format("Obtained {0} target computers", targethosts.Count)); List <Task> tasklist = new List <Task>(); //Console.WriteLine("[*] Starting Service Based Lateral Movement attack from {0} as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); if (tsleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", tsleep)); } foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.CreateRemoteServiceApi_Old(temp, cleanup, logger); })); if (tsleep > 0) { Thread.Sleep(tsleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void WinRmCodeExec(int nhost, int tsleep, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1021.006"); logger.TimestampInfo("Using the System.Management.Automation .NET namespace to execute this technique"); try { var rand = new Random(); int computertype = rand.Next(1, 6); logger.TimestampInfo(String.Format("Querying LDAP for random targets...")); List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); logger.TimestampInfo(String.Format("Obtained {0} target computers", targethosts.Count)); List <Task> tasklist = new List <Task>(); //Console.WriteLine("[*] Starting WinRM Based Lateral Movement attack from {0} running as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); if (tsleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", tsleep)); } foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.WinRMCodeExecution(temp, "powershell.exe", logger); })); if (tsleep > 0) { Thread.Sleep(tsleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ModifyRemoteServiceOnHosts(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1021.002"); logger.TimestampInfo("Using the Win32 API CreateService function to execute this technique against remote hosts"); List <Computer> host_targets = new List <Computer>(); List <Task> tasklist = new List <Task>(); try { host_targets = Targets.GetHostTargets(playbook_task, logger); foreach (Computer computer in host_targets) { Computer temp = computer; if (!computer.ComputerName.ToUpper().Contains(Environment.MachineName.ToUpper())) { //LateralMovementHelper.ModifyRemoteServiceApi(temp, playbook_task, logger); tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.ModifyRemoteServiceApi(temp, playbook_task, logger); })); if (playbook_task.task_sleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep)); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ExecuteWmiOnHosts(int computertype, int nhost, int sleep, string command, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1047"); try { logger.TimestampInfo(String.Format("Querying LDAP for random targets...")); List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); logger.TimestampInfo(String.Format("Obtained {0} target computers", targethosts.Count)); List <Task> tasklist = new List <Task>(); //Console.WriteLine("[*] Starting WMI Based Lateral Movement attack from {0} running as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); if (sleep > 0) { Console.WriteLine("[*] Sleeping {0} seconds between attempt", sleep); } foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.WmiCodeExecution(temp, command, logger); })); if (sleep > 0) { Thread.Sleep(sleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void CreateRemoteServiceOnHosts(int computertype, int nhost, int sleep, Boolean cleanup, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1021"); try { List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); List <Task> tasklist = new List <Task>(); //Console.WriteLine("[*] Starting Service Based Lateral Movement attack from {0} as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.CreateRemoteService(temp, cleanup, logger); })); if (sleep > 0) { Thread.Sleep(sleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void CreateRemoteServiceOnHosts(int computertype, int nhost, int sleep, Boolean cleanup) { List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); List <Task> tasklist = new List <Task>(); Console.WriteLine("[*] Starting Service Based Lateral Movement attack from {0} as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.CreateRemoteService(temp, cleanup); })); if (sleep > 0) { Thread.Sleep(sleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); }