# Payloads

In

# Payloads Explained
2016_United_States_presidential_election_-_Wikipedia.html
: Staging payload for ADFS.

cod.3aka.scr.exe
: Sandcat payload to complete RTLO execution.

dmevals.local.pfx
: Staged private key used for Get-PrivateKey discovery.

File-Collection.ps1
: PowerShell script to collect the following:
    - *.doc
    - *.xps
    - *.xls
    - *.ppt
    - *.pps
    - *.wps
    - *.wpd
    - *.ods
    - *.odt
    - *.lwp
    - *.jtd
    - *.zip
    - *.rar
    - *.docx
    - *.url
    - *.xlsx
    - *.pptx
    - *.ppsx
    - *.pst
    - *.ost
    - psw
    - pass
    - login
    - admin
    - sifr
    - sifer
    - *vpn
    - *.jpg
    - *.txt
    - *.lnk

Get-Screenshot.ps1
: PowerShell Empire script to take screenshots.

Invoke-BypassUACTokenManipulation.ps1
: PowerShell Empire script to bypass UAC.

Invoke-Mimikatz.ps1
: PowerShell Empire script to execute Mimikatz.

Invoke-PSInject.ps1
: PowerShell Empire script to execute base64-encoded PowerShell code.

invoke-winrmsession.ps1
: PoshC2 script to create WinRM sessions.

make_lnk.ps1
: Payload generation script to create a masquerading .lnk file.

m.exe
: Mimikatz executable.

MITRE-ATTACK-EVALS.HTML
: Staged .html only used for Discovery.

Modified-SysInternalsSuite.zip
: Utilities used in persistence mechanisms that are stored within a SysInternals directory.
  Note: none of the utilities here are actual Windows SysInternals tools. The SysInternals suite is downloaded from Microsoft during Day-1 A execution.

monkey.png
: Steganography PNG with an encoded payload.

powerview.ps1
: PowerView functions to execute reflective loading.

ps.ps1
: Process enumeration.

rar.exe
: Archive utility.

sandcat.go-windows
: Sandcat binary.

sandcat.go-windows-upx
: UPX-packed Sandcat binary.

schemas.ps1
: Payload generation script using alternate data streams.

setup.py
: Setup utility to update all payloads with the appropriate IP:PORT.

StealToken.ps1
: Steal a process's token.

stepFifteen_wmi.ps1
: WMI persistence.

stepFourteen_bypassUAC.ps1
: UAC bypass via sdclt.exe.

stepFourteen_credDump.ps1
: WMI-based credential dump.

stepSeventeen_email.ps1
: Outlook e-mail enumeration.

stepSeventeen_zip.ps1
: Zip up a directory.

stepSixteen_SID.ps1
: Get the SID of a user.

stepThirteen.ps1
: Discovery functions.

stepTwelve.ps1
: Detect antivirus.

timestomp.ps1
: Timestomp a file.

update.ps1
: Update the Sandcat payload.

upload.ps1
: CALDERA upload utility.

wipe.ps1
: Reflectively load sdelete64.exe.