Chris Ross xorrior

## wmic_cmds.txt
Host Enumeration:

--- OS Specifics ---
wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

wmic computersystem LIST full

--- Anti-Virus ---

wmic /namespace:\\root\securitycenter2 path antivirusproduct

## PELoader.cs
using System;
using System.IO;
using System.IO.Compression;
using System.Text;
using System.Collections.Generic;
using System.Configuration.Install;
using System.Runtime.InteropServices;


## New-RegSvr32BatchFile.ps1
function New-RegSvr32BatchFile
{
    <#
    .SYNOPSIS
    Generates a batch file which will contain a certutil encoded, cab compressed payload.

    .DESCRIPTION
    The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.

    Create payload:

## messagebox.m
//
//  MyInstallerPane.m
//  messagebox
//
//  Created by Chris Ross on 1/23/18.
//  Copyright © 2018 testplugin. All rights reserved.
//

/*
This should be in MyInstallerPane.h

## PowerShellDSCLateralMovement.ps1
# This idea originated from this blog post on Invoke DSC Resources directly:
# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

<#
$MOFContents = @'
instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
{
    ResourceID = "[Script]ScriptExample";
    GetScript = "\"$(Get-Date): I am being GET\"     | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
    TestScript = "\"$(Get-Date): I am being TESTED\" | Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";

## keylogger.py
import zipfile
import io
import sys
import os, imp
import base64
import threading

moduleRepo = {}
_meta_cache = {}

## emond-examples.txt
Fswatch command
fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/

Output when event is triggered
'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}'

osquery.results.log output from event.
{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"}

## bad.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<array>
	<dict>
		<key>name</key>
		<string>empire rules</string>
		<key>enabled</key>
		<true/>
		<key>eventTypes</key>

## New-InstallUtilBatchFile.ps1
function New-InstallUtilBatchFile
{
    <##>
    #You must provide an encoded payload using certutil -encode for the InFilePath.
    #certutil -encode payload.exe payload.txt
    #For compiling w/ a managed powershell runner
    # C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:payload.exe payload.cs
    [CmdletBinding()]
    param
    (

## PowerView-3.0-tricks.ps1
# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
#   tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
#   https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

# New function naming schema:
#   Verbs:
#       Get : retrieve full raw data sets
#       Find : ‘find’ specific data entries in a data set
	Host Enumeration:

	--- OS Specifics ---
	wmic os LIST Full (* To obtain the OS Name, use the "caption" property)

	wmic computersystem LIST full

	--- Anti-Virus ---

	wmic /namespace:\\root\securitycenter2 path antivirusproduct
	using System;
	using System.IO;
	using System.IO.Compression;
	using System.Text;
	using System.Collections.Generic;
	using System.Configuration.Install;
	using System.Runtime.InteropServices;
	function New-RegSvr32BatchFile
	{
	<#
	.SYNOPSIS
	Generates a batch file which will contain a certutil encoded, cab compressed payload.

	.DESCRIPTION
	The batch file will decode and decompress the cab file, then execute the dll within with regsvr32. You may modify the bat file to execute whatever you want.

	Create payload:
	//
	// MyInstallerPane.m
	// messagebox
	//
	// Created by Chris Ross on 1/23/18.
	// Copyright © 2018 testplugin. All rights reserved.
	//

	/*
	This should be in MyInstallerPane.h
	# This idea originated from this blog post on Invoke DSC Resources directly:
	# https://blogs.msdn.microsoft.com/powershell/2015/02/27/invoking-powershell-dsc-resources-directly/

	<#
	$MOFContents = @'
	instance of MSFT_ScriptResource as $MSFT_ScriptResource1ref
	{
	ResourceID = "[Script]ScriptExample";
	GetScript = "\"$(Get-Date): I am being GET\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	TestScript = "\"$(Get-Date): I am being TESTED\" \| Out-File C:\\Windows\\Temp\\ScriptRun.txt -Append; return $True";
	import zipfile
	import io
	import sys
	import os, imp
	import base64
	import threading

	moduleRepo = {}
	_meta_cache = {}
	Fswatch command
	fswatch -r --format="'{\"path\": \"%p\", \"timestamp\":\"%t\", \"flag\": \"%f\"}'" /etc/emond.d/rules/

	Output when event is triggered
	'{"path": "/private/etc/emond.d/rules/test.plist", "timestamp":"Tue Jan 16 21:17:24 2018", "flag": "PlatformSpecific IsFile"}'

	osquery.results.log output from event.
	{"name":"file_events","hostIdentifier":"host","calendarTime":"Thu Jan 11 07:00:10 2018 UTC","unixTime":"1515654010","epoch":"0","counter":"0","columns":{"action":"CREATED","atime":"1515653980","category":"emond","ctime":"1515653980","gid":"0","hashed":"1","inode":"1316814","md5":"b1f38ed6d9dca2d33ce733d51617e900","mode":"0644","mtime":"1515653980","sha1":"003a4a25662147ca19692dd01d2d7e06ea751c5e","sha256":"f26ee0eab108d3794426f609ccd878d7a7057e2fab3bea215152e4f35c82b0cf","size":"986","target_path":"\/private\/etc\/emond.d\/rules\/test.plist","time":"1515653983","transaction_id":"2101010","uid":"0"},"action":"added"}
	<?xml version="1.0" encoding="UTF-8"?>
	<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
	<plist version="1.0">
	<array>
	<dict>
	<key>name</key>
	<string>empire rules</string>
	<key>enabled</key>
	<true/>
	<key>eventTypes</key>
	function New-InstallUtilBatchFile
	{
	<##>
	#You must provide an encoded payload using certutil -encode for the InFilePath.
	#certutil -encode payload.exe payload.txt
	#For compiling w/ a managed powershell runner
	# C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /reference:"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll" /out:payload.exe payload.cs
	[CmdletBinding()]
	param
	(
	# PowerView's last major overhaul is detailed here: http://www.harmj0y.net/blog/powershell/make-powerview-great-again/
	# tricks for the 'old' PowerView are at https://gist.github.com/HarmJ0y/3328d954607d71362e3c

	# the most up-to-date version of PowerView will always be in the dev branch of PowerSploit:
	# https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1

	# New function naming schema:
	# Verbs:
	# Get : retrieve full raw data sets
	# Find : ‘find’ specific data entries in a data set