Created
February 22, 2021 00:07
Sim toolsmith demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
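<?xml version="1.0" encoding="utf-8"?>
<!--
  Demo task list for the Sim user-activity simulator (page title: "Sim toolsmith demo").
  Each <task> pairs a <config> (name, loop, pause) with an <actions> list. The actions
  start a program or URL (<process>), type text (<plain>), send keys (<special>),
  wait (<sleep>) and optionally close what the task started (<kill>).

  NOTE(review): the exact semantics of <delete>, <loop>, <pause> and <sleep> are not
  defined on this page. The values look like a repeat count and millisecond delays;
  confirm against the tool's documentation.

  The task names and typed strings (tool-name lookups, recon commands, a Security log
  export, a "victimIP" note) appear intended to produce attacker-like telemetry for
  exercising logging and detections. Record the run window and host so the resulting
  events can be separated from real activity during triage.

  Paths such as C:\tools and C:\coding\powershell\... are specific to the author's
  host and must exist for the tasks to behave as written.
-->
<sim>
  <delete>false</delete>
  <!-- NOTE(review): Public Documents is writable by every local user by default;
       point this at a per-user directory if the error output should not be shared. -->
  <errordirectory>C:\Users\Public\Documents\</errordirectory>

  <!-- Runs one PowerShell pipeline that copies the ipconfig output to the clipboard.
       With PowerShell script block logging enabled this should surface as event 4104;
       verify on the test host. -->
  <task>
    <config>
      <name>PowerShell_test</name>
      <loop>3</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <powershell>ipconfig /all | Set-Clipboard </powershell>
    </actions>
  </task>

  <!-- Opens cmd.exe and types two commands. "dir" is a cmd.exe built-in, so with
       process-creation logging (Security 4688 with command-line auditing, or Sysmon
       event 1) only ipconfig.exe and findstr.exe appear as new processes; the
       "cobaltstrike.exe" string is on the findstr.exe command line. -->
  <task>
    <config>
      <name>Check_IP</name>
      <loop>1</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <process>"C:\Windows\System32\cmd.exe"</process>
      <!-- Plaintext to type -->
      <plain>ipconfig /all</plain>
      <special>{ENTER}</special>
      <plain>dir C:\tools /a /od /b /s | findstr cobaltstrike.exe</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <!-- Kill any processes associated with this task. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Browser search followed by keyboard navigation. Visible to web proxy and DNS
       logging rather than to host process logs beyond the browser launch. -->
  <task>
    <config>
      <name>Google_Search</name>
      <loop>1</loop>
      <pause>2000</pause>
    </config>
    <actions>
      <!-- Starts default browser to go to Google -->
      <process>https://google.com</process>
      <!-- Plaintext that is typed into Google -->
      <plain>exploit payload examples</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <!-- NOTE(review): 18 tab stops then ENTER activates whatever element has focus
           at that point, which depends on the results page layout at run time. -->
      <special>{TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB}</special>
      <special>{ENTER}</special>
      <!-- Kill any processes associated with this task. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Starts PowerShell and types the path of a local script. The script itself is
       not shown on this page; review it before running. Reading the Security log
       normally needs an elevated session or Event Log Readers membership, so an
       unelevated run presumably fails with an access error. -->
  <task>
    <config>
      <name>PowerShell_Dump_SecurityEventLog</name>
      <loop>1</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <process>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</process>
      <sleep>2000</sleep>
      <plain>C:\coding\powershell\ExportEventLogs\ExportSecurityEvents.ps1</plain>
      <special>{ENTER}</special>
      <!-- Kill any processes associated with this task. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Copies ipconfig output to the clipboard in PowerShell, pastes it into Notepad,
       appends a note and saves the file as "victimIP". -->
  <task>
    <config>
      <name>Notepad_victimIP</name>
      <loop>1</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <process>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</process>
      <sleep>2000</sleep>
      <plain>ipconfig /all | Set-Clipboard</plain>
      <special>{ENTER}</special>
      <process>C:\Windows\notepad.exe</process>
      <sleep>2000</sleep>
      <!-- Presumably types the current clipboard contents into the focused window. -->
      <getclipboard></getclipboard>
      <special>{ENTER} {ENTER} {ENTER}</special>
      <plain>This is the IP info for victim computer.</plain>
      <!-- NOTE(review): the file lands in whatever folder the save dialog opens in,
           and a repeat run may stop at an overwrite prompt. Confirm on the test host. -->
      <special>{CONTROL}+{SHIFT}+s</special>
      <plain>victimIP</plain>
      <special>{ENTER}</special>
      <!-- Kill any processes associated with this task. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Opens several browser tabs and types search terms into them. -->
  <task>
    <config>
      <name>Open_tabs</name>
      <loop>1</loop>
      <pause>5000</pause>
    </config>
    <actions>
      <process>https://google.com</process>
      <plain>Cobalt Strike</plain>
      <special>{ENTER}</special>
      <special>{CONTROL}+t</special>
      <plain>windows exploits</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <special>{ARROWDOWN} {ARROWDOWN} {ARROWDOWN}</special>
      <special>{CONTROL}+t</special>
      <plain>google.com</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <!-- NOTE(review): no {ENTER} follows this text, so it is typed but not
           submitted before the task ends; confirm that is intended. -->
      <plain>cobalt strike payloads</plain>
      <!-- Kill any processes associated with this task. -->
      <kill>true</kill>
    </actions>
  </task>
</sim>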