Article Excerpt
MoveKit is an extension of Cobalt Strike's built-in lateral movement, leveraging the execute_assembly function with the SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading the template files for a specific execution type.
| property | value |
| --- | --- |
| tags | .net, cobalt strike, github-repo, offensive-tradecraft, threat-hunting-ideas, tradecraft-tool |
| url | |
| original_word_count | 981 |
Long Summary
MoveKit is an extension of Cobalt Strike's built-in lateral movement capabilities, allowing users to leverage the execute_assembly function with SharpMove and SharpRDP .NET assemblies. The aggressor script handles payload creation by reading template files for a specific execution type. To use the script, users need to load the MoveKit.cna aggressor script, compile the SharpMove and SharpRDP assemblies, and have Mono installed.
The Move menu in the menubar offers several selections: executing a command on a remote system through WMI, DCOM, Task Scheduler, RDP, or SCM; using the Command execution mechanism to download and execute files; dropping a file on the system and executing it; writing a file without executing it; and setting default settings for faster use with beacon commands. The beacon commands read those default settings and take only a few command-line arguments.
The location field is the trickiest part of the project. Depending on the selection, it can be a URL, Windows directory, Linux path, or the word 'local'. If it is a URL, the beacon host will make a web request to the URL and grab the file. If it is a Windows directory, the file will be uploaded to the beacon host and read from the file system. If it is a Linux path or 'local', the payload will be dynamically compiled into the assembly being executed.
The kit contains different file movement techniques, execution triggers, and payload types. File movement types include SMB to flat file, WMI to flat file, WMI to Registry Key Value, and WMI to Custom WMI Class property. Command trigger types include WMI, SCM, RDP, DCOM (Multiple), Scheduled Tasks, Modify Scheduled Task, Modify Service binpath, and Shellcode only execution. Hijacks include Service DLL Hijack and DCOM Server Hijack.
The kit also allows users to use a pre-built payload by selecting the Custom (Prebuilt) option. However, it is recommended not to use the default templates with the project. To replace a template, the template must be named the technique and the source code must contain the string .
Operational considerations include that task scheduler and SCM services will be created and deleted, that the AMSI bypass only works for WSH, not PowerShell, and that files will be dropped
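The create-and-delete behaviour noted above is also what a hunter can key on. The following is an added example, not code from the MoveKit project or the summarised page: it correlates scheduled-task and service creation events with their deletion on the same host and reports pairs that lived only a few minutes. Host names, task/service names, timestamps and the normalised event labels are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), normalised to
# (timestamp, host, event_id, object_name). 4698/4699 are the Windows
# Security events for scheduled task created/deleted; 7045 is the System-log
# "service installed" event. Windows has no single "service deleted" event,
# so the removal is represented here by a Sysmon event 12 DeleteKey on
# HKLM\SYSTEM\CurrentControlSet\Services\<name>, labelled "Sysmon12-DeleteKey"
# (a label chosen for this example, not a Windows event ID).
EVENTS = [
    ("2024-05-01T10:00:01", "WS01", 4698, "UpdateCheck"),
    ("2024-05-01T10:00:04", "WS01", 4699, "UpdateCheck"),
    ("2024-05-01T10:05:00", "WS01", 4698, "BackupNightly"),
    ("2024-05-01T11:30:00", "SRV02", 7045, "svc_tmp"),
    ("2024-05-01T11:30:06", "SRV02", "Sysmon12-DeleteKey", "svc_tmp"),
    ("2024-05-02T08:00:00", "SRV02", 7045, "LongLivedAgent"),
]

CREATE = {4698: "task", 7045: "service"}
DELETE = {4699: "task", "Sysmon12-DeleteKey": "service"}


def find_short_lived(events, window=timedelta(minutes=5)):
    """Return (host, kind, name, lifetime_seconds) for every task or service
    created and then deleted on the same host within `window`.

    Events are sorted by timestamp first so out-of-order collection does not
    hide a pair. A creation with no matching deletion is left in `pending`
    and is never reported: long-lived objects are not what this rule hunts.
    """
    pending = {}  # (host, kind, name) -> creation time
    hits = []
    for ts, host, eid, name in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if eid in CREATE:
            pending[(host, CREATE[eid], name)] = when
        elif eid in DELETE:
            key = (host, DELETE[eid], name)
            created = pending.pop(key, None)
            if created is not None and when - created <= window:
                hits.append((host, key[1], name, (when - created).total_seconds()))
    return hits


if __name__ == "__main__":
    for host, kind, name, secs in find_short_lived(EVENTS):
        print(f"{host}: {kind} '{name}' lived {secs:.0f}s (create/delete pair)")
```

On the constructed input the rule reports the 3-second task on WS01 and the 6-second service on SRV02 and ignores the two objects that were never deleted.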
Short Summary
0xthirteen/MoveKit
- MoveKit extends Cobalt Strike's lateral movement capabilities with SharpMove and SharpRDP .NET assemblies.
- The aggressor script handles payload creation using template files for specific execution types.
- Users need to load the MoveKit.cna script, compile SharpMove and SharpRDP assemblies, and have Mono installed.
- The Move menu offers various options for remote system command execution and file manipulation.
- The Command execution mechanism allows downloading and executing files remotely.
- Users can drop a file on the system and execute it, or write a file without executing it.
- Default settings can be set for faster use with beacon commands.
- Beacon commands are used to read default settings and take command-line arguments.
- The location field can be a URL, Windows directory, Linux path, or 'local'.
- The kit includes different file movement techniques, execution triggers, payload types, and operational considerations.
source link: https://github.com/0xthirteen/MoveKit
summarized content: https://hut.threathunterz.com/battlefield-intel/tradecraft-tools/0xthirteenmovekit
#MoveKit #CobaltStrike #lateralmovement #payloadcreation #filemovement