From 015463416f9b277b86c344f089cac934009dccd4 Mon Sep 17 00:00:00 2001 From: Matt Grandy <15634696+mattgrandy@users.noreply.github.com> Date: Wed, 14 Jul 2021 12:16:47 -0600 Subject: [PATCH] Added all functions to README --- README.md | 47 +++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 45 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 427522a..1338ac4 100755 --- a/README.md +++ b/README.md 
@@ -29,9 +29,52 @@ CIMplant.exe -s [remote IP address] -c cat -f c:\users\user\desktop\file.txt CIMplant.exe -s [remote IP address] -u [username] -d [domain] -p [password] -c cat -f c:\users\test\desktop\file.txt CIMplant.exe -s [remote IP address] -u [username] -d [domain] -p [password] -c command_exec --execute "dir c:\\" ``` -### Some Helpful Commands -![image](https://github.com/FortyNorthSecurity/CIMplant/raw/main/Extras/CIMplant-Help.gif) +## Functions + +### File Operations: + cat - Reads the contents of a file + copy - Copies a file from one location to another + download** - Download a file from the targeted machine + ls - File/Directory listing of a specific directory + search - Search for a file on a user + upload** - Upload a file to the targeted machine + +### Lateral Movement Facilitation + command_exec** - Run a command line command and receive the output. Run with nops flag to disable PowerShell + disable_wdigest - Sets the registry value for UseLogonCredential to zero + enable_wdigest - Adds registry value UseLogonCredential + disable_winrm** - Disables WinRM on the targeted system + enable_winrm** - Enables WinRM on the targeted system + reg_mod - Modify the registry on the targeted machine + reg_create - Create the registry value on the targeted machine + reg_delete - Delete the registry on the targeted machine + remote_posh** - Run a PowerShell script on a remote machine and receive the output + sched_job - Not implimented due to the Win32_ScheduledJobs accessing an outdated API + service_mod - Create, delete, or modify system services + +#### Process Operations + process_kill - Kill a process via name or process id on the targeted machine + process_start - Start a process on the targeted machine + ps - Process listing + +### System Operations + active_users - List domain users with active processes on the targeted system + basic_info - Used to enumerate basic metadata about the targeted system + drive_list - List local and network drives + 
ifconfig - Receive IP info from NICs with active network connections + installed_programs - Receive a list of the installed programs on the targeted machine + logoff - Log users off the targeted machine + reboot (or restart) - Reboot the targeted machine + power_off (or shutdown) - Power off the targeted machine + vacant_system - Determine if a user is away from the system + edr_query - Query the local or remote system for EDR vendors + +### Log Operations + logon_events - Identify users that have logged onto a system + + * All PowerShell can be disabled by using the --nops flag, although some commands will not execute (upload/download, enable/disable WinRM) + ** Denotes PowerShell usage (either using a PowerShell Runspace or through Win32_Process::Create method) ### Some Example Usage Commands
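Review bot: the --nops footnote at the end of the hunk names only upload/download and enable/disable WinRM as commands that will not execute without PowerShell, yet command_exec and remote_posh carry the same ** marker; command_exec's own entry says it can run with the nops flag, but nothing says whether remote_posh falls back or simply fails under --nops, so spell that out so the marker and the footnote agree. Smaller points in the same hunk: "Not implimented" in the sched_job entry should read "Not implemented"; "#### Process Operations" sits one heading level below its siblings "### System Operations" and "### Log Operations", so either promote it to ### or make it an explicit subsection of the Lateral Movement list; "### File Operations:" is the only heading with a trailing colon; and "search - Search for a file on a user" reads as cut off and should state what the search is scoped to.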