Awesome
MiscTools
CsExec
Command Exec / Lateral movement via PsExec-like functionality. Must be running in the context of a privileged user.
CsExec.exe <targetMachine> <serviceName> <serviceDisplayName> <binPath>
Also see TikiService.
CsPosh
Command Exec / Lateral Movement via PowerShell. Creates a PowerShell runspace on a remote target. Must be running in the context of a privileged user.
Usage:
-t, --target=VALUE Target machine
-c, --code=VALUE Code to execute
-e, --encoded Indicates that provided code is base64 encoded
-o, --outstring Append Out-String to code
-r, --redirect Redirect stderr to stdout
-d, --domain=VALUE Domain for alternate credentials
-u, --username=VALUE Username for alternate credentials
-p, --password=VALUE Password for alternate credentials
-h, -?, --help Show Help
CsWMI
Command Exec / Lateral Movement via WMI. Must be running in the context of a privileged user.
Current methods: ProcessCallCreate
.
CsWMI.exe <targetMachine> <command> <method>
Also see The Return of Aggressor
CsDCOM
Command Exec / Lateral Movement via DCOM. Must be running in the context of a privileged user.
Current Methods: MMC20.Application
, ShellWindows
, ShellBrowserWindow
, ExcelDDE
.
Usage:
-t, --target=VALUE Target Machine
-b, --binary=VALUE Binary: powershell.exe
-a, --args=VALUE Arguments: -enc <blah>
-m, --method=VALUE Method: MMC20Application, ShellWindows,
ShellBrowserWindow, ExcelDDE
-h, -?, --help Show Help
CsEnv
Add user/machine/process environment variables.
CsEnv.exe <variableName> <value> <target>
Credits
Most code blatently stolen and adapted from: