Automatically install CrackMapExec (CME) using a Python3 Pipx module. CrackMapExec (a.k.a CME) is a post-exploitation
tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME
follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its
functionality and allowing it to evade most endpoint protection/IDS/IPS solutions.
Automatically install proxychains using the correct repository for RPM or DEB packages. ProxyChains is a UNIX program that
hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects
the connections through SOCKS4a/5 or HTTP proxies.
Using PneumaEX, launch a Chisel client and connect to a specified Chisel server. This will take arguments as though you
are sending them to the command-line client. Supported flags are: Server (https://chisel-demo.herokuapp.com), Remotes ("3000",
"<server-address>:9312 socks", "R:2222:localhost:22"), Fingerprint ("rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ="),
Proxy, Auth, TLSSkipVerify (default: false).
hostnamectl is used to control the system hostname and its related settings, so it can be used to view the hostname and other details such as the kernel version, machine ID, boot ID, and the Linux distribution installed on a Linux computer.
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This uses an existing
XOR'd SharpHound payload on disk to load and run BloodHound in memory. This bypasses the Antimalware Scan Interface (AMSI)
in the current PowerShell process to allow loading of SharpHound.
Sometimes it's useful to store payloads on a system for use later in an operation. In order to avoid detection by AV/EDR
products, a simple XOR can be applied to the bytes before saving the item to disk. This imports a payload and XORs it
to a random file on disk.
Most computers have a microphone which is always-on/active. This procedure installs popular recording software, then runs it
to record 30 seconds of audio on the computer. Supports installing a Hush module and recording using in-memory JXA.
PSTools is a popular Windows toolset for doing standard sysadmin activities. It is often installed on Windows computers
so administrators can work more easily. This procedure simply downloads and uncompresses it on disk.
PowerCat is a tool that uses native PowerShell components to allow an attacker to transfer files, send and serve reverse shells, and set up relays, similar to NetCat, over TCP, SMB, and UDP. This procedure downloads PowerCat from GitHub, then uses it to open a connection to a remote server using PowerShell.
PowerShell is installed by default on Windows computers. It is often abused by hackers, so it is usually heavily
monitored by security products. There is a separate open-source project called PowerShell Core which is not monitored.
This procedure downloads, installs and restarts a PowerShell agent under PowerShell Core.
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform
a wide range of tasks related to penetration testing. This procedure uses PowerSploit to dump credentials from
memory via PowerShell by invoking a remote Mimikatz script.
About Prelude
Prelude hardens an organization's defenses by continuously “asking” it questions through the form of safe cyberattacks. These attacks respond immediately to the latest vulnerabilities and cyber events, turning complex technical descriptions into deployable “questions”. Our mission is to increase the reach, frequency and usage of advanced security for all organizations.