Actions

Simeon Kakpovi edited this page Sep 11, 2023 · 1 revision

Intro

Actions let you define specific actions that the actor should take at various stages of the game. You configure these events by passing options in the YAML file.

Run Process Commands

This module provides a way to create process events based on a list of command arguments. The resulting events are written to the ProcessEvent logs.

TODO: Add the ability to inject actor IP or domain.

Yaml Schema

  • run_process_commands
      • process: (required) This is the process command line.
      • name: (optional) This is the name of the process.
      • time_delay: (optional) Specifies the time delay; defaults to minutes.
      • replacements: (optional) A dictionary containing values to be replaced.
      • obfuscation: (optional) A list of obfuscation techniques to be applied to the command. Obfuscation techniques are primarily intended for C2 (Command and Control) commands.

Example

- run_process_commands:
  - name: bitsadmin.exe
    process: bitsadmin /transfer myDownloadJob /download /priority normal "https://download.winzip.com/gl/nkln/winzip24-home.exe"
    time_delay: minutes
  - name: winzip24-home.exe
    process: winzip24-home.exe
    time_delay: seconds
  - name: winzip.exe
    process: winzip64.exe -min -a -s "hello" archive.zip *
    obfuscation:
      - base64
      - variable_obfuscate
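The following is an added example, not code from this project: it shows how a `run_process_commands` entry with `replacements` and `base64` obfuscation could be rendered into a ProcessEvent-style record, and the decode an analyst would apply to the resulting command line. It assumes that `replacements` are literal substring substitutions and that `base64` obfuscation wraps the command as a PowerShell `-EncodedCommand` launch (UTF-16LE, base64), which is how such commands commonly appear in process logs; the page does not state either detail. `variable_obfuscate` is not implemented because the page does not define it.

```python
"""Added example (hypothetical, not the project's own code): render one
run_process_commands entry with replacements and base64 obfuscation, then
recover the plaintext the way a detection rule or analyst would."""
import base64
import re


def apply_replacements(command, replacements):
    """Assumption: each key in `replacements` is a literal placeholder to substitute."""
    for placeholder, value in (replacements or {}).items():
        command = command.replace(placeholder, value)
    return command


def obfuscate_base64(command):
    """Assumption: 'base64' means a PowerShell -EncodedCommand wrapper (UTF-16LE base64)."""
    encoded = base64.b64encode(command.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -EncodedCommand {encoded}"


# Only the technique the page names and this example implements.
OBFUSCATORS = {"base64": obfuscate_base64}


def build_process_event(entry):
    """Turn one run_process_commands entry into a ProcessEvent-style record."""
    command = apply_replacements(entry["process"], entry.get("replacements"))
    for technique in entry.get("obfuscation", []):
        if technique not in OBFUSCATORS:
            raise ValueError(f"unsupported obfuscation technique: {technique}")
        command = OBFUSCATORS[technique](command)
    return {
        "name": entry.get("name") or command.split()[0],
        "process": command,
        "time_delay": entry.get("time_delay", "minutes"),
    }


# Detection side: PowerShell accepts several abbreviations of -EncodedCommand.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the plaintext behind an -EncodedCommand launch, or None if there is none."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Constructed sample entry mirroring the third entry of the page's example,
# with placeholders to exercise `replacements`.
SAMPLE_ENTRY = {
    "name": "winzip.exe",
    "process": 'winzip64.exe -min -a -s "{password}" {archive} *',
    "replacements": {"{password}": "hello", "{archive}": "archive.zip"},
    "obfuscation": ["base64"],
}

if __name__ == "__main__":
    event = build_process_event(SAMPLE_ENTRY)
    print(event["process"])
    print(decode_encoded_command(event["process"]))
```

Running the block prints the obfuscated command line that would land in the ProcessEvent log, followed by the decoded original; a detection over the generated logs would apply `decode_encoded_command` to every `process` field and then match on the plaintext.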

Create Files

This function generates file creation events based on a list of file arguments. The resulting events are written to the FileCreationEvent logs.

Yaml Schema

  • create_files
      • path: (required) The path of the file to be created.
      • sha256: (optional) Highly recommended. The SHA-256 hash of the file's contents.
      • size: (optional) The size of the file.
      • time_delay: (optional) Specifies the time delay; defaults to minutes.

Example

- create_files:
  - path: C:\\ProgramData\\BluePhoenix\\mimikatz.exe
    sha256: 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f
    size: 9999
    time_delay: minutes
  - path: C:\\Users\\Admin\\modifiedplink.exe
    sha256: d2626aab4a95836b17c9abae2e7fdca20f052fcc0e599a8ad16ea6deabcc0b22
  - path: E:\\Exfil\\qdata.zip

Download Files

This function facilitates downloading files from URLs and generating corresponding web browsing events. The resulting events are written to the FileCreationEvent logs and NetworkEvents.

Yaml Schema

  • download_files
      • path: (required) The path of the file to be created.
      • sha256: (required) Highly recommended. The SHA-256 hash of the downloaded file's contents.
      • url: (required) The URL from which the file is downloaded.
      • size: (optional) The size of the downloaded file; defaults to a random size.
      • time_delay: (optional) Specifies the time delay; defaults to minutes.

Example

- download_files:
  - url: https://www.7-zip.org/a/7z2002-x64.exe
    path: C:\\ProgramData\\BluePhoenix\\7z2002-x64.exe
    sha256: 614ca7b627533e22aa3e5c3594605dc6fe6f000b0cc2b845ece47ca60673ec7f
    size: 9999
    time_delay: seconds

Encrypt Files

This function generates encrypted files on a victim host based on a specified file extension format.

Yaml Schema

  • encrypt_files
      • ext: (required) The file extension for the encrypted files.
      • count: (optional) The number of encrypted files to create.
      • time_delay: (optional) Specifies the time delay; defaults to minutes.

Example

- encrypt_files:
  - ext: .crypt
    count: 50
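The following is an added example covering all four action types on this page (run_process_commands, create_files, download_files and encrypt_files); it is not the project's own loader. It validates an action list against the required and optional keys in the Yaml Schema sections, then renders the entries into rows for the log tables the page names. The input is the Python structure that `yaml.safe_load` would return for a page-style action list, so no YAML library is needed to run it. The delay model (a random count of the configured unit between consecutive events), the placeholder hash when `sha256` is omitted, the random default `size`, the default `count` of 1 and the table used for encrypted files are all assumptions made for this illustration.

```python
"""Added example (hypothetical, not the project's own code): schema check and
event rendering for the four action types documented on this page."""
import hashlib
import random
from datetime import datetime, timedelta

# (required keys, optional keys) per action type, copied from the Yaml Schema sections.
SCHEMA = {
    "run_process_commands": ({"process"}, {"name", "time_delay", "replacements", "obfuscation"}),
    "create_files": ({"path"}, {"sha256", "size", "time_delay"}),
    "download_files": ({"path", "sha256", "url"}, {"size", "time_delay"}),
    "encrypt_files": ({"ext"}, {"count", "time_delay"}),
}
# Only the units that appear in the page's examples; assumption that no others are accepted.
TIME_UNITS = {"seconds", "minutes"}


def validate_actions(actions):
    """Return a list of schema errors; an empty list means the action list is valid."""
    errors = []
    for i, block in enumerate(actions):
        if not isinstance(block, dict) or len(block) != 1:
            errors.append(f"action {i}: expected a single-key mapping")
            continue
        kind, entries = next(iter(block.items()))
        if kind not in SCHEMA:
            errors.append(f"action {i}: unknown action type {kind!r}")
            continue
        required, optional = SCHEMA[kind]
        for j, entry in enumerate(entries or []):
            where = f"{kind}[{j}]"
            if not isinstance(entry, dict):
                errors.append(f"{where}: expected a mapping")
                continue
            missing = required - set(entry)
            unknown = set(entry) - required - optional
            if missing:
                errors.append(f"{where}: missing required key(s) {sorted(missing)}")
            if unknown:
                errors.append(f"{where}: unknown key(s) {sorted(unknown)}")
            if entry.get("time_delay", "minutes") not in TIME_UNITS:
                errors.append(f"{where}: time_delay must be one of {sorted(TIME_UNITS)}")
    return errors


def _delay(unit, rng):
    """Assumed delay model: a random 1..59 count of the configured unit."""
    n = rng.randint(1, 59)
    return timedelta(seconds=n) if unit == "seconds" else timedelta(minutes=n)


def render_events(actions, start_iso, seed=0):
    """Render a validated action list into rows of {timestamp, table, ...fields}."""
    rng = random.Random(seed)  # seeded so runs are reproducible
    clock = datetime.fromisoformat(start_iso)
    rows = []

    def emit(table, unit, **fields):
        nonlocal clock
        clock += _delay(unit, rng)
        rows.append({"timestamp": clock.isoformat(), "table": table, **fields})

    for block in actions:
        kind, entries = next(iter(block.items()))
        for entry in entries or []:
            unit = entry.get("time_delay", "minutes")
            if kind == "run_process_commands":
                # Obfuscation and replacements are not applied here; the command is logged as written.
                emit("ProcessEvent", unit, name=entry.get("name") or entry["process"].split()[0],
                     process=entry["process"])
            elif kind == "create_files":
                # Placeholder hash derived from the path when sha256 is omitted (assumption).
                sha = entry.get("sha256") or hashlib.sha256(entry["path"].encode()).hexdigest()
                emit("FileCreationEvent", unit, path=entry["path"], sha256=sha,
                     size=entry.get("size", rng.randint(1024, 10_000_000)))
            elif kind == "download_files":
                emit("NetworkEvent", unit, url=entry["url"])
                emit("FileCreationEvent", unit, path=entry["path"], sha256=entry["sha256"],
                     size=entry.get("size", rng.randint(1024, 10_000_000)))
            elif kind == "encrypt_files":
                # Assumption: each encrypted file shows up as a FileCreationEvent under a fixed folder.
                for k in range(entry.get("count", 1)):
                    emit("FileCreationEvent", unit, path=f"C:\\Users\\victim\\Documents\\file{k}{entry['ext']}")
    return rows


# Constructed sample in the shape yaml.safe_load returns for the page's examples (values shortened).
SAMPLE_ACTIONS = [
    {"run_process_commands": [
        {"name": "bitsadmin.exe", "time_delay": "minutes",
         "process": 'bitsadmin /transfer job /download /priority normal "https://example.invalid/tool.exe"'},
        {"process": "tool.exe", "time_delay": "seconds"},
    ]},
    {"create_files": [{"path": "C:\\ProgramData\\stage\\a.exe", "sha256": "00" * 32, "size": 9999}]},
    {"download_files": [{"url": "https://example.invalid/b.exe",
                         "path": "C:\\ProgramData\\stage\\b.exe", "sha256": "11" * 32}]},
    {"encrypt_files": [{"ext": ".crypt", "count": 3}]},
]

if __name__ == "__main__":
    problems = validate_actions(SAMPLE_ACTIONS)
    for row in (render_events(SAMPLE_ACTIONS, "2023-09-11T00:00:00") if not problems else []):
        print(row)
    print(problems or "schema ok")
```

Running the validator before rendering catches the mistakes that otherwise surface only as missing or malformed log rows, such as a `download_files` entry without its `url`, a misspelled key, or a `time_delay` unit the page does not list.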