WAG - Windows Artefact Generator
Generating Windows malware artefacts for detection testing

WAG is not a TTP simulator like Red Canary's; it is a simple artefact generator. But why?
- to test your Sysmon configuration
- to test your EDR
It is not designed to generate IOCs such as IPs or hashes.
See the Artefacts file.
How to contribute:
- report bugs
- fix some code
- add a new artefact
- add more examples
Usage: wag.exe <COMMAND>
Examples can be found in cli_help.
Available artefacts:
- Alternate data stream
- BYOVD: load a driver
- File drop from executable
- Mutex
- Named pipe
- PPID spoofing
- Stealer: browser information (only opens the file)
- Stealer: crypto wallet (only opens the file)
- Stealer: files of interest
- WMI action
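Since the stated purpose is testing a Sysmon configuration, the following added example (not part of WAG) checks, after a wag.exe run, whether Sysmon actually recorded the artefact class that should have been produced. It assumes Sysmon is installed with a configuration that enables the listed event IDs; the artefact-to-event mapping uses the standard Sysmon event schema and the artefact names from the list above.

```powershell
# Added example, not WAG code. Map each artefact to the Sysmon event ID(s) a
# working configuration should emit for it (standard Sysmon schema).
$Expected = @{
    'Alternate data stream' = @(15)          # FileCreateStreamHash
    'BYOVD: load a driver'  = @(6)           # DriverLoad
    'File drop'             = @(11)          # FileCreate
    'Named pipe'            = @(17, 18)      # PipeCreated / PipeConnected
    'WMI action'            = @(19, 20, 21)  # WmiEvent filter / consumer / binding
    # Not covered by Sysmon alone: mutex creation, the real parent in PPID
    # spoofing (Event 1 records the claimed parent), and the stealer artefacts,
    # which only open files (file reads need Windows object-access auditing).
}

function Test-SysmonArtefact {
    param(
        [Parameter(Mandatory)][string]$Artefact,
        [datetime]$Since = (Get-Date).AddMinutes(-5)   # window after the wag.exe run
    )
    $ids = $Expected[$Artefact]
    if (-not $ids) { throw "No Sysmon mapping for artefact '$Artefact'" }

    # Query the Sysmon operational log for the expected IDs inside the window.
    # SilentlyContinue: Get-WinEvent errors when zero events match.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $ids
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Artefact    = $Artefact
        ExpectedIds = ($ids -join ',')
        Observed    = @($events).Count
        Detected    = (@($events).Count -gt 0)
    }
}

# Typical loop: generate the artefact, then verify it was logged.
# & .\wag.exe <COMMAND>
# Test-SysmonArtefact -Artefact 'Named pipe'
$Expected.Keys | ForEach-Object { Test-SysmonArtefact -Artefact $_ } | Format-Table -AutoSize
```

A row with Detected = False for an artefact you just generated means the Sysmon rule set is not capturing that event class and needs adjusting.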