Automatically install CrackMapExec (CME) using the Python 3 pipx module. CrackMapExec (a.k.a. CME) is a post-exploitation
tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME
follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its
functionality, which allows it to evade most endpoint protection/IDS/IPS solutions.
Obtain a Chisel server payload on the target server using an installation script. The script will automatically detect
the target platform and install the correct Chisel 1.7.6 build for it.
Automatically install proxychains using the correct repository for RPM or DEB packages. ProxyChains is a UNIX program that
hooks network-related libc functions in dynamically linked programs via a preloaded DLL (dlsym(), LD_PRELOAD) and redirects
the connections through SOCKS4a/5 or HTTP proxies.
Launches a Chisel server on a user-specified port and logs to a chisel_server.log file in the /tmp directory. Requires
Chisel to be installed before the TTP will run, unless a variant is selected.
Using PneumaEX, launch a Chisel client and connect to a specified Chisel server. This will take arguments as though you
are sending them to the command-line client. Supported flags are: Server (https://chisel-demo.herokuapp.com), Remotes ("3000",
"<server-address>:9312 socks", "R:2222:localhost:22"), Fingerprint ("rHb55mcxf6vSckL2AezFV09rLs7pfPpavVu++MF7AhQ="),
Proxy, Auth, TLSSkipVerify (default: false).
hostnamectl is used to control the system hostname and its related settings, so it can also be used to view the hostname and other details such as the kernel version, machine ID, boot ID, and the Linux distribution installed on a Linux computer.
BloodHound uses .NET API calls in the SharpHound ingestor component to pull Active Directory data. This procedure uses an existing
XOR'd SharpHound payload on disk to load and run BloodHound in memory. It bypasses the Antimalware Scan Interface (AMSI)
in the current PowerShell process to allow loading of SharpHound.
Sometimes it's useful to store payloads on a system for use later in an operation. In order to avoid detection by AV/EDR
products, a simple XOR can be applied to the bytes before saving the item to disk. This procedure imports a payload, XORs it,
and writes the result to a randomly named file on disk.
Most computers have a microphone that is always on and active. This procedure installs popular recording software, then runs it
to record 30 seconds of audio on the computer. It supports installing a Hush module and recording using in-memory JXA.
Dynamically load and install a module that can download payloads onto the target system. A JXA agent will only request
this module if a TTP requiring a payload is used by the agent.
Dynamically load and install a module that enables an agent to run shell commands. A JXA agent will only request
this module if a TTP requiring a shell command is used.
PsTools is a popular Windows toolset for doing standard sysadmin activities. It is often installed on Windows computers
so administrators can work more easily. This procedure simply downloads and uncompresses it on disk.
PowerCat is a tool that uses native PowerShell components to allow an attacker to transfer files, send and serve reverse shells, and set up relays, similar to Netcat, over TCP, SMB, and UDP. This procedure downloads PowerCat from GitHub, then uses it to open a connection to a remote server using PowerShell.
PowerShell is installed by default on Windows computers. It is often abused by hackers, so it is usually heavily
monitored by security products. There is a separate open-source project called PowerShell Core which is not monitored.
This procedure downloads, installs and restarts a PowerShell agent under PowerShell Core.
Devices, such as USB drives, often hold important documents, as they've been intentionally copied to the drive at some
point. This procedure determines what files are on external drives.
PowerSploit is an open-source offensive security framework composed of PowerShell modules and scripts that perform
a wide range of tasks related to penetration testing. This procedure uses PowerSploit to dump credentials from
memory via PowerShell by invoking a remote Mimikatz script.
LSASS is the Windows process responsible for enforcing security policies. It runs in memory and can be dumped to disk,
which is often done as a precursor to analyzing the dump with a credential dumper such as Mimikatz.