
@holisticinfosec
Created February 22, 2021 00:07
Sim toolsmith demo
<?xml version="1.0" encoding="utf-8"?>
<sim>
<!-- Global settings for the whole run. -->
<!-- NOTE(review): <delete> presumably controls whether the tool removes this config file after reading it; confirm against the tool's documentation. Left at false here, so the file stays on disk. -->
<delete>false</delete>
<!-- Directory for the tool's error output (inferred from the element name). C:\Users\Public\Documents is readable by every local account, so whatever is logged here is visible to other users of the host. -->
<errordirectory>C:\Users\Public\Documents\</errordirectory>
<!-- Task PowerShell_test: a single PowerShell pipeline run through the <powershell> action. -->
<!-- loop=3 and pause=1000 are presumably "repeat three times" and "wait 1000 ms between runs"; confirm the units against the tool's documentation. -->
<task>
<config>
<name>PowerShell_test</name>
<loop>3</loop>
<pause>1000</pause>
</config>
<actions>
<!-- Copies the full adapter configuration to the clipboard. The clipboard is shared by every process in the user's session, so the data is available to anything else running there. -->
<!-- For detection work: with PowerShell script block logging enabled, this pipeline should appear in event ID 4104. -->
<powershell>ipconfig /all | Set-Clipboard </powershell>
</actions>
</task>
<!-- Task Check_IP: opens an interactive cmd.exe window and types two commands into it as keystrokes. -->
<!-- Because the commands are typed rather than passed as arguments, cmd.exe itself starts with an empty command line; process-creation telemetry will only show the programs the typed commands launch. -->
<task>
<config>
<name>Check_IP</name>
<loop>1</loop>
<pause>1000</pause>
</config>
<actions>
<process>"C:\Windows\System32\cmd.exe"</process>
<!-- Plaintext to type: dump the adapter configuration. -->
<plain>ipconfig /all</plain>
<special>{ENTER}</special>
<!-- Recursive bare listing of C:\tools (all attributes, ordered by date) filtered for the file name cobaltstrike.exe. C:\tools is specific to the author's demo host and prints nothing if the directory or file is absent. -->
<plain>dir C:\tools /a /od /b /s | findstr cobaltstrike.exe</plain>
<special>{ENTER}</special>
<!-- Presumably 2000 ms, giving the listing time to finish before the window is killed; confirm units. -->
<sleep>2000</sleep>
<!-- Kill any processes associated with this task. -->
<kill>true</kill>
</actions>
</task>
<!-- Task Google_Search: opens the default browser, submits one search and then follows whatever element has focus after eighteen TAB presses. -->
<task>
<config>
<name>Google_Search</name>
<loop>1</loop>
<pause>2000</pause>
</config>
<actions>
<!-- Starts default browser to go to Google -->
<process>https://google.com</process>
<!-- Plaintext that is typed into Google -->
<plain>exploit payload examples</plain>
<special>{ENTER}</special>
<sleep>2000</sleep>
<!-- NOTE(review): eighteen TABs then ENTER activates whichever element the results page puts at that focus position. That depends on the rendered layout (consent banners, ads, result ordering), so the visited site is not deterministic and is an arbitrary third-party result for this query. Outbound proxy/DNS logs are where the resulting request will show up. -->
<special>{TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB}</special>
<special>{ENTER}</special>
<!-- Kill any processes associated with this task. NOTE(review): there is no sleep between the ENTER above and this kill, so the page may not finish loading; confirm that is intended. -->
<kill>true</kill>
</actions>
</task>
<!-- Task PowerShell_Dump_SecurityEventLog: opens an interactive PowerShell window and types the path of a local script to run it. -->
<!-- The script is not part of this file, so what it exports and where it writes cannot be verified from here. Going by the task name it reads the Security event log, which normally requires an elevated session; confirm the simulator runs with the rights the script needs. -->
<task>
<config>
<name>PowerShell_Dump_SecurityEventLog</name>
<loop>1</loop>
<pause>1000</pause>
</config>
<actions>
<process>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</process>
<!-- Wait for the console to be ready before typing (presumably 2000 ms; confirm units). -->
<sleep>2000</sleep>
<!-- Author-specific path. Typing a bare script path is still subject to the host's PowerShell execution policy. -->
<plain>C:\coding\powershell\ExportEventLogs\ExportSecurityEvents.ps1</plain>
<special>{ENTER}</special>
<!-- Kill any processes associated with this task. NOTE(review): no sleep follows the ENTER above, so the script may be terminated before it completes; confirm. -->
<kill>true</kill>
</actions>
</task>
<!-- Task Notepad_victimIP: copies the adapter configuration to the clipboard from PowerShell, pastes it into Notepad, appends a note and saves the file as "victimIP". -->
<task>
<config>
<name>Notepad_victimIP</name>
<loop>1</loop>
<pause>1000</pause>
</config>
<actions>
<process>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</process>
<sleep>2000</sleep>
<!-- Typed into the PowerShell window; places the ipconfig output on the session clipboard. -->
<plain>ipconfig /all | Set-Clipboard</plain>
<special>{ENTER}</special>
<process>C:\Windows\notepad.exe</process>
<sleep>2000</sleep>
<!-- Presumably types or pastes the current clipboard contents into the focused window (inferred from the element name; confirm). -->
<getclipboard></getclipboard>
<special>{ENTER} {ENTER} {ENTER}</special>
<plain>This is the IP info for victim computer.</plain>
<!-- NOTE(review): Ctrl+Shift+S is "Save as" only in newer Notepad builds; on older builds the shortcut does nothing and the following keystrokes land in the document instead. -->
<special>{CONTROL}+{SHIFT}+s</special>
<!-- File name typed into the save dialog. The file is written to whatever folder the dialog opens in, so the artifact's location depends on the host. -->
<plain>victimIP</plain>
<special>{ENTER}</special>
<!-- Kill any processes associated with this task. -->
<kill>true</kill>
</actions>
</task>
<!-- Task Open_tabs: opens the default browser and runs searches across several tabs, producing a sequence of web requests with security-tool search terms. -->
<task>
<config>
<name>Open_tabs</name>
<loop>1</loop>
<pause>5000</pause>
</config>
<actions>
<!-- Starts the default browser on Google and submits the first query. -->
<process>https://google.com</process>
<plain>Cobalt Strike</plain>
<special>{ENTER}</special>
<!-- New tab; the text is typed into whatever field the new tab focuses (normally the address bar, so the browser's default search engine handles it). -->
<special>{CONTROL}+t</special>
<plain>windows exploits</plain>
<special>{ENTER}</special>
<sleep>2000</sleep>
<special>{ARROWDOWN} {ARROWDOWN} {ARROWDOWN}</special>
<!-- Third tab: navigate to google.com, wait, then type the final query. -->
<special>{CONTROL}+t</special>
<plain>google.com</plain>
<special>{ENTER}</special>
<sleep>2000</sleep>
<!-- NOTE(review): no {ENTER} follows this text, so the query is typed but never submitted before the kill below; confirm whether that is intended. -->
<plain>cobalt strike payloads</plain>
<!-- Kill any processes associated with this task. -->
<kill>true</kill>
</actions>
</task>
</sim>