@cyberstrike-io/cyberstrike 1.1.14 → 1.1.15-beta.0

package/skill/macos-postexploit/SKILL.md

@@ -0,0 +1,125 @@
+---
+name: macos-postexploit
+description: macOS post-exploitation for credential harvesting, DTrace monitoring, TCC bypass, and stealth operations via native tools
+category: post-exploitation
+tags: [macos, post-exploitation, credential-access, defense-evasion, keychain, dtrace, tcc, xprotect, gatekeeper]
+tech_stack: [macos, python, dtrace, security-cli, osascript]
+cwe_ids: [CWE-269, CWE-522, CWE-693, CWE-312]
+chains_with: [T1555.001, T1056.001, T1059.004, T1562.001, T1070.002, T1553.001]
+prerequisites: [T1068, T1548]
+version: "1.0"
+---
+
+# macOS Post-Exploitation Methodology
+
+macOS post-exploitation uses native tools (`security`, `dtrace`, `xattr`, `log`), Python with PyObjC/Quartz frameworks, and direct SQLite access for credential extraction. After gaining root or user-level access on a macOS target, these tools provide credential harvesting, runtime monitoring, and operational security capabilities.
+
+## Prerequisites
+
+Before deploying machook tools, verify:
+
+1. **Root access** — most operations require root (except `xprotect_check`, `gatekeeper_bypass` for user-owned files, `ssh_keys` for current user)
+2. **SIP status** — DTrace tools require SIP disabled (`csrutil disable` from Recovery Mode)
+3. **Python3** — available via Xcode CLT or Homebrew
+4. **PyObjC** — required for `keylog_mac` (CGEventTap); install via `pip3 install pyobjc-framework-Quartz`
+
+```bash
+# Quick prerequisite check
+csrutil status                           # SIP status (DTrace needs disabled)
+sw_vers                                  # macOS version
+security list-keychains                  # available keychains
+python3 -c "import Quartz; print('OK')"  # PyObjC for keylogging
+ls /Library/Apple/System/Library/CoreServices/XProtect.bundle  # XProtect present
+```
+
+## Kill Chain Phases
+
+### Phase 1 — Situational Awareness (First 60 seconds)
+
+Understand the defensive landscape before deploying hooks.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Check XProtect | `machook xprotect_check` | Enumerate XProtect/MRT signatures to know what triggers detection |
+| Check SIP | `csrutil status` | Determine if DTrace monitoring is available |
+| SSH keys | `machook ssh_keys` | Find SSH private keys — often leads to lateral movement |
+| Keychain list | `security list-keychains` | See available keychains before dumping |
+
+### Phase 2 — Credential Harvesting
+
+Extract credentials from macOS-specific stores.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Keychain dump | `machook keychain_dump` | Extract all passwords from login/system Keychain via `security` command |
+| Browser creds | `machook chrome_creds` | Extract Chrome/Safari saved passwords and cookies with AES decryption |
+| SSH keys | `machook ssh_keys` | Find private keys for all users — id_rsa, id_ed25519, etc. |
+| TCC bypass | `machook tcc_bypass` | Bypass TCC to access camera, microphone, files without user consent |
+| Keystroke capture | `machook keylog_mac --duration 120` | Log keystrokes via CGEventTap with application context |
+
+**Keychain extraction** uses the macOS `security` command to enumerate and dump keychain items. Root access allows dumping without per-item authorization prompts. The login keychain contains WiFi passwords, website credentials, certificates, and application tokens.
+
+**Chrome credential extraction** copies the locked Login Data SQLite database, retrieves the Safe Storage key from Keychain, derives the AES decryption key via PBKDF2, and decrypts each stored password. Safari passwords are stored in Keychain and extracted via `security find-internet-password`.
+
+**TCC bypass** targets the TCC.db database (`~/Library/Application Support/com.apple.TCC/TCC.db`) to grant access to protected resources without user consent dialogs.
+
+### Phase 3 — Monitoring (SIP disabled required)
+
+DTrace provides kernel-level visibility into the target system.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Process monitoring | `machook dtrace_exec --duration 60` | Trace all process executions — detect cron, security scans, admin activity |
+| Network monitoring | `machook dtrace_net --duration 60` | Monitor all network connections — identify internal services, C2 |
+| File monitoring | `machook dtrace_file --duration 60` | Monitor file access — detect what admin tools read/write |
+
+### Phase 4 — Stealth
+
+Reduce the forensic footprint.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Gatekeeper bypass | `machook gatekeeper_bypass --path /path` | Remove quarantine xattr to allow unsigned tool execution |
+| Clear logs | `machook log_clear` | Clear unified logging, ASL, audit logs, crash reports, shell history |
+
+### Phase 5 — Cleanup (MANDATORY)
+
+Always run cleanup before exiting a target.
+
+```
+machook cleanup_mac
+```
+
+The cleanup tool:
+1. Finds and removes LaunchAgents/LaunchDaemons matching CyberStrike patterns
+2. Kills any running DTrace or machook-related processes
+3. Removes temporary files and copied databases
+4. Clears machook-specific entries from shell history
+
+## Detection Considerations
+
+macOS post-exploitation tools are detectable by:
+- **Endpoint Security Framework (ESF)** — EDR agents using `es_new_client()` for process/file/auth events
+- **Unified Logging** — `log show --predicate 'process == "security"'` for Keychain access
+- **TCC audit** — TCC access logged in Console.app, `tccutil` events visible
+- **SIP** — When enabled, blocks DTrace system-wide tracing and TCC.db modification
+- **XProtect** — Scans downloaded executables against YARA rules
+- **Gatekeeper** — Checks code signing and quarantine attributes
+- **CrowdStrike Falcon / Jamf Protect** — macOS-specific EDR detects suspicious `security` command usage and CGEventTap creation
+
+## Program Reference
+
+| Program | Technique | MITRE ATT&CK |
+|---------|-----------|---------------|
+| keychain_dump | macOS Keychain extraction via security CLI | T1555.001 — Keychain |
+| chrome_creds | Browser credential decryption (Chrome/Safari) | T1555.003 — Credentials from Web Browsers |
+| ssh_keys | SSH private key discovery and exfiltration | T1552.004 — Private Keys |
+| tcc_bypass | TCC database manipulation for resource access | T1548 — Abuse Elevation Control Mechanism |
+| keylog_mac | Keystroke capture via CGEventTap | T1056.001 — Keylogging |
+| dtrace_exec | Process execution tracing via DTrace | T1057 — Process Discovery |
+| dtrace_net | Network connection tracing via DTrace | T1049 — System Network Connections Discovery |
+| dtrace_file | File access tracing via DTrace | T1083 — File and Directory Discovery |
+| xprotect_check | XProtect/MRT signature enumeration | T1518.001 — Security Software Discovery |
+| gatekeeper_bypass | Quarantine xattr removal | T1553.001 — Gatekeeper Bypass |
+| log_clear | Unified log, ASL, and audit log clearing | T1070.002 — Clear Linux or Mac System Logs |
+| cleanup_mac | Artifact removal and process cleanup | T1070 — Indicator Removal |

package/skill/windows-postexploit/SKILL.md

@@ -0,0 +1,113 @@
+---
+name: windows-postexploit
+description: Windows userland post-exploitation for credential harvesting, monitoring, AMSI/ETW bypass, and stealth operations
+category: post-exploitation
+tags: [windows, post-exploitation, credential-access, defense-evasion, lsass, dpapi, etw, amsi, sam, keylogging]
+tech_stack: [windows, powershell, python, ctypes, win32api]
+cwe_ids: [CWE-269, CWE-522, CWE-693, CWE-312]
+chains_with: [T1003, T1003.001, T1003.002, T1056.001, T1059.001, T1562.001, T1562.006, T1070.001, T1555, T1555.003]
+prerequisites: [T1068, T1548.002]
+version: "1.0"
+---
+
+# Windows Post-Exploitation Methodology
+
+Windows post-exploitation uses userland APIs (no kernel driver signing needed) for credential harvesting, monitoring, and stealth. After gaining Administrator access on a Windows target, these tools provide comprehensive credential extraction and operational security capabilities.
+
+## Prerequisites
+
+Before deploying winhook tools, verify:
+
+1. **Administrator access** — most operations require elevated privileges
+2. **OS version** — Windows 10/11 or Server 2016+ for ETW features
+3. **PowerShell** — available natively on all modern Windows
+4. **Python3** — required for ctypes-based tools (ETW, keylogging, DPAPI, clipboard)
+5. **AV/EDR status** — run `amsi_bypass` and `etw_blind` first if Defender/EDR is active
+
+```powershell
+# Quick prerequisite check
+whoami /priv                              # verify SeDebugPrivilege
+Get-MpComputerStatus | Select RealTimeProtectionEnabled  # Defender status
+Get-Process lsass                         # verify LSASS accessible
+reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RunAsPPL  # PPL status
+```
+
+## Kill Chain Phases
+
+### Phase 1 — AV/EDR Evasion (First priority)
+
+Neutralize monitoring before performing credential operations.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Bypass AMSI | `winhook amsi_bypass` | Patch AmsiScanBuffer to allow undetected PowerShell execution |
+| Blind ETW | `winhook etw_blind` | Patch EtwEventWrite to prevent EDR from receiving telemetry |
+| Exclude paths | `winhook defender_exclude --path C:\Tools` | Add Defender exclusion for tool staging directory |
+
+### Phase 2 — Credential Harvesting
+
+Extract credentials from multiple sources.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| LSASS dump | `winhook lsass_dump` | Dump LSASS memory for NTLM hashes, Kerberos tickets, plaintext passwords |
+| SAM extraction | `winhook sam_dump` | Extract registry hives for offline cracking with secretsdump/hashcat |
+| DPAPI secrets | `winhook dpapi_extract` | Decrypt browser passwords, WiFi keys, Windows Vault credentials |
+| Credential phishing | `winhook credential_prompt` | Spawn fake Windows credential dialog to capture user password |
+| Keystroke capture | `winhook keylog_win --duration 120` | Log keystrokes with active window context |
+| Clipboard monitoring | `winhook clipboard_sniff --duration 60` | Capture copied passwords, tokens, and sensitive data |
+
+**LSASS dumping** uses either `comsvcs.dll MiniDump` (default, uses a signed Windows DLL) or direct `MiniDumpWriteDump` from `dbghelp.dll`. The comsvcs method is preferred as it uses a Microsoft-signed binary.
+
+**DPAPI decryption** calls `CryptUnprotectData` from `crypt32.dll` to decrypt Chrome/Edge Login Data, WiFi passwords, and Windows Credential Vault entries. No additional tools needed — uses the current user's DPAPI master key.
+
+**SAM extraction** uses `reg save` to dump SAM, SYSTEM, and SECURITY hives. These can be processed offline with `impacket-secretsdump -sam SAM -system SYSTEM -security SECURITY LOCAL`.
+
+### Phase 3 — Monitoring
+
+Understand the target environment and detect defensive measures.
+
+| Action | Command | Purpose |
+|--------|---------|---------|
+| Process monitoring | `winhook etw_process --duration 60` | Track process creation via ETW — detect security tools, scheduled tasks |
+| Network monitoring | `winhook etw_network --duration 60` | Track connections via ETW — identify C2 channels, internal services |
+
+### Phase 4 — Cleanup (MANDATORY)
+
+Always run cleanup before exiting a target.
+
+```
+winhook cleanup_win
+```
+
+The cleanup tool:
+1. Clears Security, System, Application, and PowerShell event logs
+2. Removes temporary files matching CyberStrike patterns
+3. Removes any Defender exclusions that were added
+4. Reports on AMSI/ETW patches (require process restart to fully restore)
+
+## Detection Considerations
+
+Windows post-exploitation tools are detectable by:
+- **Sysmon** — Event IDs 1 (process create), 10 (process access for LSASS), 13 (registry)
+- **Windows Event Log** — Event ID 4688 (process creation), 4624/4625 (logon), 1102 (log cleared)
+- **EDR** — LSASS access monitoring, credential prompt anomaly detection
+- **PPL (Protected Process Light)** — LSASS PPL blocks direct memory dumps (check RunAsPPL registry key)
+- **Credential Guard** — Isolates LSASS in virtualization-based security (blocks comsvcs/minidump)
+
+## Program Reference
+
+| Program | Technique | MITRE ATT&CK |
+|---------|-----------|---------------|
+| lsass_dump | LSASS memory dump via MiniDumpWriteDump | T1003.001 — LSASS Memory |
+| sam_dump | Registry hive extraction (SAM/SYSTEM/SECURITY) | T1003.002 — Security Account Manager |
+| dpapi_extract | DPAPI secret decryption via CryptUnprotectData | T1555.003 — Credentials from Web Browsers |
+| credential_prompt | Fake credential dialog via CredUI | T1056.002 — GUI Input Capture |
+| keylog_win | Keystroke capture via SetWindowsHookEx | T1056.001 — Keylogging |
+| etw_process | Process monitoring via ETW provider | T1057 — Process Discovery |
+| etw_network | Network monitoring via ETW provider | T1049 — System Network Connections Discovery |
+| clipboard_sniff | Clipboard monitoring via Win32 API | T1115 — Clipboard Data |
+| amsi_bypass | AMSI patching in memory | T1562.001 — Disable or Modify Tools |
+| etw_blind | ETW patching to blind EDR | T1562.006 — Indicator Blocking |
+| defender_exclude | Windows Defender exclusion management | T1562.001 — Disable or Modify Tools |
+| cleanup_win | Event log clearing and artifact removal | T1070.001 — Clear Windows Event Logs |