public static void WmiRemoteCodeExecutionCmdline(Computer computer, PlaybookTask playbook_task, Logger logger) { string target = ""; if (!computer.Fqdn.Equals("")) { target = computer.Fqdn; } else if (!computer.ComputerName.Equals("")) { target = computer.ComputerName; } else { target = computer.IPv4; } string startProcess = string.Format(@"/node:""{0}"" process call create ""{1}"" ", target, playbook_task.command); string results = ExecutionHelper.StartProcessNET("wmic.exe", startProcess, logger); if (results.Contains("Access is denied")) { throw new Exception(); } }
public static void CreateRemoteScheduledTaskCmdline(Computer computer, PlaybookTask playbook_task, Logger logger) { string target = ""; if (!computer.Fqdn.Equals("")) { target = computer.Fqdn; } else if (!computer.ComputerName.Equals("")) { target = computer.ComputerName; } else { target = computer.IPv4; } string createTask = string.Format(@"/create /s {0} /sc ONCE /st 13:30 /tn ""{1}"" /tr {2} /rl HIGHEST /ru SYSTEM", target, playbook_task.taskName, playbook_task.taskPath); string runTask = string.Format(@"/run /s {0} /tn ""{1}""", target, playbook_task.taskName);; string deleteTask = string.Format(@"/delete /s {0} /tn ""{1}"" /F", target, playbook_task.taskName); string results = ExecutionHelper.StartProcessNET("schtasks.exe", createTask, logger); if (!results.Contains("Access is denied")) { ExecutionHelper.StartProcessNET("schtasks.exe", runTask, logger); if (playbook_task.cleanup) { ExecutionHelper.StartProcessNET("schtasks.exe", deleteTask, logger); } } else { throw new Exception(); } }
// From https://stackoverflow.com/questions/23481394/programmatically-install-windows-service-on-remote-machine // and https://stackoverflow.com/questions/37983453/how-to-deploy-windows-service-on-remote-system-using-c-sharp-programatically public static void CreateRemoteServiceCmdline(Computer computer, PlaybookTask playbook_task, Logger logger) { string target = ""; if (!computer.Fqdn.Equals("")) { target = computer.Fqdn; } else if (!computer.ComputerName.Equals("")) { target = computer.ComputerName; } else { target = computer.IPv4; } string createService = string.Format(@"\\{0} create ""{1}"" binpath= ""{2}""", target, playbook_task.serviceName, playbook_task.servicePath); string runService = string.Format(@"\\{0} start ""{1}""", target, playbook_task.serviceName);; string deleteService = string.Format(@"\\{0} delete ""{1}""", target, playbook_task.serviceName); string results = ExecutionHelper.StartProcessNET("sc.exe", createService, logger); if (!results.Contains("Access is denied")) { ExecutionHelper.StartProcessNET("sc.exe", runService, logger); if (playbook_task.cleanup) { ExecutionHelper.StartProcessNET("sc.exe", deleteService, logger); } } else { throw new Exception(); } }
public static void WinRMCodeExecutionPowerShell(Computer computer, PlaybookTask playbook_task, Logger logger) { string target = ""; if (!computer.Fqdn.Equals("")) { target = computer.Fqdn; } else if (!computer.ComputerName.Equals("")) { target = computer.ComputerName; } else { target = computer.IPv4; } string cleanPws = String.Format("Invoke-Command -ComputerName {0} -ScriptBlock {{ {1} }}", target, playbook_task.command); logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws)); var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws); string results = ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(plainTextBytes)), logger); if (results.Contains("AccessDenied")) { throw new Exception(); } }
public static void DomainGroupDiscoveryPowerShell(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1069.002"); logger.TimestampInfo("Using PowerShell to execute the technique"); try { if (playbook_task.groups.Length > 0) { foreach (string group in playbook_task.groups) { string cleanPws = String.Format("Get-AdGroup -Filter {{Name -like '{0}'}} | Get-ADGroupMember | Select SamAccountName", group); logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws)); var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws); //ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(plainTextBytes)), logger); ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(plainTextBytes)), logger); } logger.SimulationFinished(); } else { string cleanPws = String.Format("Get-AdGroup -Filter {{Name -like 'Domain Admins'}} | Get-ADGroupMember | Select SamAccountName"); logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws)); var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws); ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(plainTextBytes)), logger); logger.SimulationFinished(); } } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DomainGroupDiscoveryCmd(PlaybookTask playbook_task, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1069.002"); logger.TimestampInfo("Using the command line to execute technique"); try { if (playbook_task.groups.Length > 0) { foreach (string group in playbook_task.groups) { ExecutionHelper.StartProcessNET("net.exe", String.Format("group \"{0}\" /domain", group), logger); //ExecutionHelper.StartProcessApi("", String.Format("net group \"{0}\" /domain", group), logger); } logger.SimulationFinished(); } else { ExecutionHelper.StartProcessNET("net.exe", String.Format("group /domain"), logger); //ExecutionHelper.StartProcessApi("", "net group /domain", logger); logger.SimulationFinished(); } } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ExecuteWmiCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1047"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcessNET("wmic.exe", String.Format(@"process call create ""powershell.exe"""), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemUserDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1033"); try { //ExecutionHelper.StartProcessApi("", "whoami", logger); ExecutionHelper.StartProcessNET("cmd.exe", "/c whoami", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RemoteSystemDiscoveryCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1018"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcessNET("cmd.exe", "/c net view", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DomainTrustDiscoveryCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1482"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcessNET("nltest.exe", "/domain_trusts", logger); //ExecutionHelper.StartProcessApi("","nltest /domain_trusts", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void LocalAccountDiscoveryCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1087.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { //ExecutionHelper.StartProcessApi("", "net user", logger); ExecutionHelper.StartProcessNET("net.exe", "user", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RemoteSystemDiscoveryPowerShell(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1018"); logger.TimestampInfo("Using PowerShell to execute the technique"); try { string cleanPws = String.Format("Get-ADComputer -Filter {{enabled -eq $true}} | Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate"); logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws)); var cleanPwsBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws); ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger); //ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemInformationDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1082"); logger.TimestampInfo("Using the command line to execute the technique"); try { //ExecutionHelper.StartProcessApi("", "systeminfo", logger); //ExecutionHelper.StartProcessApi("", "net config workstation", logger); ExecutionHelper.StartProcessNET("cmd.exe /c", "systeminfo", logger); //ExecutionHelper.StartProcessNET("net.exe", "config workstation", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DomainAccountDiscoveryPowerShell(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Logger logger = new Logger(currentPath + log); logger.SimulationHeader("T1087.002"); logger.TimestampInfo("Using PowerShell to execute the technique"); try { string cleanPws = String.Format("Get-ADUser -Filter * | Select-Object SamAccountNAme"); logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws)); var cleanPwsBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws); ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger); //ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }