Sim toolsmith demo
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
<?xml version="1.0" encoding="utf-8"?>
<!--
  Demo task list for a user-activity simulator. Each <task> has a <config>
  (name, loop, pause) and an <actions> list that starts a program or URL and
  then sends keystrokes to it.
  NOTE(review): keystrokes presumably go to whichever window holds focus, so
  the host should be dedicated to the simulation while it runs.
  NOTE(review): the page hosting this listing flagged the file as containing
  bidirectional Unicode control characters; none are visible here. Inspect the
  raw bytes before loading the file.
-->
<sim>
  <!-- NOTE(review): presumably controls whether this file is removed after the
       run; confirm against the simulator's documentation. -->
  <delete>false</delete>
  <!-- Where errors are written. C:\Users\Public is shared by all local
       accounts; use a per-user directory if error output can include the
       typed command text. -->
  <errordirectory>C:\Users\Public\Documents\</errordirectory>

  <!-- Task: run a PowerShell pipeline that copies the adapter configuration
       to the clipboard. loop and pause look like a repeat count and a delay
       in milliseconds; TODO confirm units. -->
  <task>
    <config>
      <name>PowerShell_test</name>
      <loop>3</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <powershell>ipconfig /all | Set-Clipboard </powershell>
    </actions>
  </task>

  <!-- Task: open a console, print the adapter configuration, then list
       C:\tools recursively and filter for one file name. -->
  <task>
    <config>
      <name>Check_IP</name>
      <loop>1</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <!-- NOTE(review): the only <process> value wrapped in double quotes;
           confirm the simulator strips them. No <sleep> follows the launch,
           so typing may begin before the console has focus. -->
      <process>"C:\Windows\System32\cmd.exe"</process>
      <!-- Text typed into the console. -->
      <plain>ipconfig /all</plain>
      <special>{ENTER}</special>
      <!-- The file-name search shows up verbatim in command-line logging,
           which makes it a convenient marker when checking that detections
           fired. -->
      <plain>dir C:\tools /a /od /b /s | findstr cobaltstrike.exe</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <!-- Terminate the processes this task started. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Task: submit one web search and follow a link from the results. -->
  <task>
    <config>
      <name>Google_Search</name>
      <loop>1</loop>
      <pause>2000</pause>
    </config>
    <actions>
      <!-- Opens the URL in the default browser. NOTE(review): no <sleep>
           before typing; the query may be lost if the page is still loading. -->
      <process>https://google.com</process>
      <!-- Query text typed into the search box. -->
      <plain>exploit payload examples</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <!-- Moves focus with repeated TAB presses and activates whatever is
           focused; the target depends on the page layout at run time, so the
           visited URL is not deterministic. -->
      <special>{TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB} {TAB}</special>
      <special>{ENTER}</special>
      <!-- Terminate the processes this task started. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Task: start PowerShell and run an export script from disk. The script
       is not part of this file; review it separately. Reading the Security
       log normally requires an elevated or specially privileged account. -->
  <task>
    <config>
      <name>PowerShell_Dump_SecurityEventLog</name>
      <loop>1</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <process>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</process>
      <sleep>2000</sleep>
      <plain>C:\coding\powershell\ExportEventLogs\ExportSecurityEvents.ps1</plain>
      <special>{ENTER}</special>
      <!-- NOTE(review): <kill> follows the ENTER with no <sleep>; if it acts
           immediately the script may be stopped before the export finishes. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Task: copy the adapter configuration to the clipboard from PowerShell,
       paste it into Notepad, add a line of text and save through the
       Save As shortcut under the typed file name. -->
  <task>
    <config>
      <name>Notepad_victimIP</name>
      <loop>1</loop>
      <pause>1000</pause>
    </config>
    <actions>
      <process>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</process>
      <sleep>2000</sleep>
      <plain>ipconfig /all | Set-Clipboard</plain>
      <special>{ENTER}</special>
      <process>C:\Windows\notepad.exe</process>
      <sleep>2000</sleep>
      <!-- Presumably types the current clipboard contents; TODO confirm. -->
      <getclipboard></getclipboard>
      <special>{ENTER} {ENTER} {ENTER}</special>
      <plain>This is the IP info for victim computer.</plain>
      <special>{CONTROL}+{SHIFT}+s</special>
      <!-- File name typed into the save dialog; the directory is whatever
           the dialog defaults to on that host. -->
      <plain>victimIP</plain>
      <special>{ENTER}</special>
      <!-- Terminate the processes this task started. -->
      <kill>true</kill>
    </actions>
  </task>

  <!-- Task: run searches across several browser tabs. -->
  <task>
    <config>
      <name>Open_tabs</name>
      <loop>1</loop>
      <pause>5000</pause>
    </config>
    <actions>
      <process>https://google.com</process>
      <plain>Cobalt Strike</plain>
      <special>{ENTER}</special>
      <!-- New tab; the text below is typed into its address bar. -->
      <special>{CONTROL}+t</special>
      <plain>windows exploits</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <special>{ARROWDOWN} {ARROWDOWN} {ARROWDOWN}</special>
      <special>{CONTROL}+t</special>
      <plain>google.com</plain>
      <special>{ENTER}</special>
      <sleep>2000</sleep>
      <!-- NOTE(review): this query is typed but no {ENTER} follows, so it is
           never submitted before <kill>; add one if a third search should
           appear in browser or proxy logs. -->
      <plain>cobalt strike payloads</plain>
      <!-- Terminate the processes this task started. -->
      <kill>true</kill>
    </actions>
  </task>
</sim>