adding T1018 technique

PurpleSharp/Lib/Targets.cs

@@ -128,9 +128,10 @@ public static List<User> GetRandomUsernames(int count, Random random)
 
         public static List<User> GetUserTargets(PlaybookTask playbook_task, Logger logger)
         {
+            PrincipalContext context;
+            string dc;
             List<User> targetusers = new List<User>();
-            PrincipalContext context = new PrincipalContext(ContextType.Domain);
-            string dc = context.ConnectedServer;
+
 
             switch (playbook_task.user_target_type)
             {
@@ -144,6 +145,8 @@ public static List<User> GetUserTargets(PlaybookTask playbook_task, Logger logge
                     break;
 
                 case 2:
+                    context = new PrincipalContext(ContextType.Domain);
+                    dc = context.ConnectedServer;
                     logger.TimestampInfo("Targeting random domain users");
                     targetusers = Ldap.GetADUsers(playbook_task.user_target_total, logger, dc, true);
                     logger.TimestampInfo(String.Format("Obtained {0} user records", targetusers.Count));
@@ -168,6 +171,8 @@ public static List<User> GetUserTargets(PlaybookTask playbook_task, Logger logge
                     break;
 
                 case 6:
+                    context = new PrincipalContext(ContextType.Domain);
+                    dc = context.ConnectedServer;
                     logger.TimestampInfo("Targeting disabled users");
                     targetusers = Ldap.GetADUsers(playbook_task.user_target_total, logger, dc, false);
                     logger.TimestampInfo(String.Format("Obtained {0} user records", targetusers.Count));

PurpleSharp/Program.cs

@@ -57,7 +57,7 @@ public static void Main(string[] args)
             string[] privelege_escalation = new string[] { "T1053.005", "T1543.003", "T1547.001", "T1546.003", "T1055.002", "T1055.004" };
             string[] defense_evasion = new string[] { "T1218.010", "T1218.005", "T1218.003", "T1218.011", "T1070.001", "T1220", "T1055.002", "T1055.003", "T1055.004", "T1140", "T1197", "T1218.009", "T1218.004", "T1134.004" };
             string[] credential_access = new string[] { "T1110.003", "T1558.003", "T1003.001" };
-            string[] discovery = new string[] { "T1135", "T1046", "T1087.001", "T1087.002", "T1007", "T1033", "T1049", "T1016", "T1083", "T1482", "T1201","T1069.001", "T1069.002", "T1012", "T1518.001", "T1082", "T1124" };
+            string[] discovery = new string[] { "T1135", "T1046", "T1087.001", "T1087.002", "T1007", "T1033", "T1049", "T1016", "T1018", "T1083", "T1482", "T1201","T1069.001", "T1069.002", "T1012", "T1518.001", "T1082", "T1124" };
             string[] lateral_movement = new string[] { "T1021", "T1021.006", "T1047" };
             string[] supported_techniques = execution.Union(persistence).Union(privelege_escalation).Union(defense_evasion).Union(credential_access).Union(discovery).Union(lateral_movement).ToArray();
 
@@ -317,7 +317,11 @@ public static void Main(string[] args)
                                 foreach (PlaybookTask task in playbook.tasks)
                                 {
                                     ExecutePlaybookTask(task, log);
-                                    if (playbook.playbook_sleep > 0 && task != lastTask) Thread.Sleep(1000 * playbook.playbook_sleep);
+                                    if (playbook.playbook_sleep > 0 && task != lastTask)
+                                    {
+                                        logger.TimestampInfo(String.Format("Sleeping {0} seconds until next task...", playbook.playbook_sleep));
+                                        Thread.Sleep(1000 * playbook.playbook_sleep);
+                                    }
                                 }
                                 logger.TimestampInfo("Playbook Finished");
                                 if (engagement.sleep > 0 && !playbook.Equals(lastPlaybook))
@@ -1055,6 +1059,12 @@ public static void ExecutePlaybookTask(PlaybookTask playbook_task, string log)
                     Simulations.Discovery.SystemNetworkConfigurationDiscovery(log);
                     break;
 
+                // Remote System Discovery
+                case "T1018":
+                    if (playbook_task.variation == 1) Simulations.Discovery.RemoteSystemDiscoveryCmd(log);
+                    else if (playbook_task.variation == 2) Simulations.Discovery.RemoteSystemDiscoveryPowerShell(log);
+                    break;
+
                 //T1083 File and Directory Discovery
                 case "T1083":
                     Simulations.Discovery.FileAndDirectoryDiscovery(log);

PurpleSharp/Simulations/CredAccess.cs

@@ -58,7 +58,7 @@ public static void RemoteDomainPasswordSpray(PlaybookTask playbook_task, string
             Logger logger = new Logger(currentPath + log);
             logger.SimulationHeader("T1110.003");
             logger.TimestampInfo(String.Format("Remote Domain Brute Force using the WNetAddConnection2 Win32 API function"));
-            bool Kerberos = true;
+            bool Kerberos = false;
             List<Computer> host_targets = new List<Computer>();
             List<User> user_targets = new List<User>();
             List<Task> tasklist = new List<Task>();
@@ -68,9 +68,11 @@ public static void RemoteDomainPasswordSpray(PlaybookTask playbook_task, string
             {
                 if (playbook_task.user_target_type == 99) domain = ".";
                 // Executing a remote authentication with Kerberos will not connect to the remote host, just the DC.
+                Kerberos = false;
+
                 host_targets = Targets.GetHostTargets(playbook_task, logger);
                 user_targets = Targets.GetUserTargets(playbook_task, logger);
-                if (playbook_task.protocol.ToUpper().Equals("NTLM")) Kerberos = false;
+                //if (playbook_task.protocol.ToUpper().Equals("NTLM")) Kerberos = false;
                 if (playbook_task.task_sleep > 0) logger.TimestampInfo(String.Format("Sleeping {0} seconds between attempt", playbook_task.task_sleep));
 
                 if (playbook_task.host_target_type == 1 || playbook_task.host_target_type == 2)

PurpleSharp/Simulations/Discovery.cs

@@ -192,7 +192,7 @@ public static void DomainAccountDiscoveryCmd(string log)
         public static void DomainAccountDiscoveryPowerShell(string log)
         {
             string currentPath = AppDomain.CurrentDomain.BaseDirectory;
-            Lib.Logger logger = new Lib.Logger(currentPath + log);
+            Logger logger = new Logger(currentPath + log);
             logger.SimulationHeader("T1087.002");
             logger.TimestampInfo("Using PowerShell to execute the technique");
 
@@ -201,7 +201,8 @@ public static void DomainAccountDiscoveryPowerShell(string log)
                 string cleanPws = String.Format("Get-ADUser -Filter * | Select-Object SamAccountNAme");
                 logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
                 var cleanPwsBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
-                ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
+                ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
+                //ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
                 logger.SimulationFinished();
             }
             catch (Exception ex)
@@ -276,7 +277,8 @@ public static void SystemUserDiscovery(string log)
             logger.SimulationHeader("T1033");
             try
             {
-                ExecutionHelper.StartProcessApi("", "whoami", logger);
+                //ExecutionHelper.StartProcessApi("", "whoami", logger);
+                ExecutionHelper.StartProcessNET("cmd.exe", "/c whoami", logger);
                 logger.SimulationFinished();
             }
             catch(Exception ex)
@@ -347,7 +349,8 @@ public static void DomainTrustDiscoveryCmd(string log)
 
             try
             {
-                ExecutionHelper.StartProcessApi("","nltest /domain_trusts", logger);
+                ExecutionHelper.StartProcessNET("nltest.exe", "/domain_trusts", logger);
+                //ExecutionHelper.StartProcessApi("","nltest /domain_trusts", logger);
                 logger.SimulationFinished();
             }
             catch (Exception ex)
@@ -426,13 +429,15 @@ public static void DomainGroupDiscoveryCmd(PlaybookTask playbook_task, string lo
                 {
                     foreach (string group in playbook_task.groups)
                     {
-                        ExecutionHelper.StartProcessApi("", String.Format("net group \"{0}\" /domain", group), logger);
+                        ExecutionHelper.StartProcessNET("net.exe", String.Format("group \"{0}\" /domain", group), logger);
+                        //ExecutionHelper.StartProcessApi("", String.Format("net group \"{0}\" /domain", group), logger);
                     }
                     logger.SimulationFinished();
                 }
                 else
                 {
-                    ExecutionHelper.StartProcessApi("", "net group /domain", logger);
+                    ExecutionHelper.StartProcessNET("net.exe", String.Format("group /domain"), logger);
+                    //ExecutionHelper.StartProcessApi("", "net group /domain", logger);
                     logger.SimulationFinished();
 
                 }
@@ -458,7 +463,8 @@ public static void DomainGroupDiscoveryPowerShell(PlaybookTask playbook_task, st
                         string cleanPws = String.Format("Get-AdGroup -Filter {{Name -like '{0}'}} | Get-ADGroupMember | Select SamAccountName", group);
                         logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
                         var plainTextBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
-                        ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
+                        //ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
+                        ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(plainTextBytes)), logger);
                     }
                     logger.SimulationFinished();
                 }
@@ -554,14 +560,16 @@ public static void SecuritySoftwareDiscovery(string log)
         public static void SystemInformationDiscovery(string log)
         {
             string currentPath = AppDomain.CurrentDomain.BaseDirectory;
-            Lib.Logger logger = new Lib.Logger(currentPath + log);
+            Logger logger = new Logger(currentPath + log);
             logger.SimulationHeader("T1082");
             logger.TimestampInfo("Using the command line to execute the technique");
 
             try
             {
-                ExecutionHelper.StartProcessApi("", "systeminfo", logger);
-                ExecutionHelper.StartProcessApi("", "net config workstation", logger);
+                //ExecutionHelper.StartProcessApi("", "systeminfo", logger);
+                //ExecutionHelper.StartProcessApi("", "net config workstation", logger);
+                ExecutionHelper.StartProcessNET("cmd.exe /c", "systeminfo", logger);
+                //ExecutionHelper.StartProcessNET("net.exe", "config workstation", logger);
 
                 logger.SimulationFinished();
             }
@@ -590,6 +598,45 @@ public static void SystemTimeDiscovery(string log)
                 logger.SimulationFailed(ex);
             }
         }
-
+        public static void RemoteSystemDiscoveryCmd(string log)
+        {
+            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
+            Logger logger = new Logger(currentPath + log);
+            logger.SimulationHeader("T1018");
+            logger.TimestampInfo("Using the command line to execute the technique");
+
+            try
+            {
+                ExecutionHelper.StartProcessNET("cmd.exe", "/c net view", logger);
+                logger.SimulationFinished();
+            }
+            catch (Exception ex)
+            {
+                logger.SimulationFailed(ex);
+            }
+        }
+
+        public static void RemoteSystemDiscoveryPowerShell(string log)
+        {
+            string currentPath = AppDomain.CurrentDomain.BaseDirectory;
+            Logger logger = new Logger(currentPath + log);
+            logger.SimulationHeader("T1018");
+            logger.TimestampInfo("Using PowerShell to execute the technique");
+
+            try
+            {
+                string cleanPws = String.Format("Get-ADComputer -Filter  {{enabled -eq $true}} | Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate");
+                logger.TimestampInfo(String.Format("Using plaintext PowerShell command: {0}", cleanPws));
+                var cleanPwsBytes = System.Text.Encoding.Unicode.GetBytes(cleanPws);
+                ExecutionHelper.StartProcessNET("powershell.exe", String.Format("-enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
+                //ExecutionHelper.StartProcessApi("", String.Format("powershell.exe -enc {0}", Convert.ToBase64String(cleanPwsBytes)), logger);
+                logger.SimulationFinished();
+            }
+            catch (Exception ex)
+            {
+                logger.SimulationFailed(ex);
+            }
+        }
+
     }
 }

PurpleSharp/Simulations/ExecutionHelper.cs

@@ -68,7 +68,7 @@ public static void StartProcessNET(string binary, string cmdline, Logger logger)
 
                 string standard_output;
                 int i = 0;
-                while ((standard_output = process.StandardOutput.ReadLine()) != null && i < 5)
+                while ((standard_output = process.StandardOutput.ReadLine()) != null && i < 10)
                 {
                     if (!standard_output.Trim().Equals(""))
                     {