Click Scripts

Click Scripting is a feature that lets users automate the execution of bulk commands. Unlike the ‘Autoruns’ feature, which auto-executes several commands on the first connection of a badger, Click Scripts are lists of commands chained together to run one after the other at any point in time. This helps automate the execution of commands belonging to different Tactics and Techniques of MITRE ATT&CK, which can be useful during Purple Team engagements. Below is an example of some discovery-based commands grouped into a single click script called ‘Discovery’.

To add a new click script, select ‘C4 Profiler->Clickscripts’. This opens a new dialog box where a script can be added using the ‘+’ icon. Once a script has been added, new commands can be added to it by selecting the script and then clicking the button highlighted in the figure below.

After adding the scripts, the Click Script Runner can be loaded by right-clicking a badger and selecting ‘Load ClickScript’. This opens a new tab where different scripts can be run with a single click, as shown in the earlier figure. Click Scripts can also be added directly into the C4 profile in a simple key-value format, as below.

"click_script": {
    "Credential Dumping": [
        "samdump",
        "shadowclone",
        "dcsync"
    ],
    "Discovery": [
        "id",
        "pwd",
        "ipstats",
        "psreflect echo $psversiontable",
        "net users",
        "scquery"
    ]
}
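
For Purple Team use, the key-value section above can be checked and turned into an observation sheet before an exercise. The following is an added example, not part of the original page or of the tool itself; the function names and the worksheet columns (alert_fired, log_source) are assumptions made for illustration.

```python
import csv, json, sys

# Constructed sample: the page's fragment, compacted onto fewer lines.
SAMPLE = '''"click_script": {
    "Credential Dumping": ["samdump", "shadowclone", "dcsync"],
    "Discovery": ["id", "pwd", "ipstats", "psreflect echo $psversiontable",
                  "net users", "scquery"]
}'''

def load_click_scripts(text):
    """Parse a whole profile or a bare '"click_script": {...}' fragment."""
    text = text.strip()
    if not text.startswith("{"):
        text = "{" + text.rstrip(",") + "}"
    # Objects come back as lists of pairs, so duplicate keys stay visible
    # instead of being silently overwritten as they would be in a dict.
    top = json.loads(text, object_pairs_hook=list)
    sections = [value for key, value in top if key == "click_script"]
    if len(sections) != 1:
        raise ValueError("expected exactly one click_script key")
    return sections[0]

def lint(scripts):
    """Return a list of problems; an empty list means the section is clean."""
    problems, seen = [], set()
    for name, commands in scripts:
        if name in seen:
            problems.append(f"duplicate script name: {name!r}")
        seen.add(name)
        if not isinstance(commands, list) or not commands:
            problems.append(f"{name!r}: expected a non-empty list of commands")
            continue
        for step, cmd in enumerate(commands, 1):
            if not isinstance(cmd, str) or not cmd.strip():
                problems.append(f"{name!r} step {step}: not a command string")
    return problems

def worksheet(scripts):
    """One row per command, in run order, with blank columns for observations."""
    return [{"script": name, "step": step, "command": cmd,
             "alert_fired": "", "log_source": ""}
            for name, commands in scripts
            for step, cmd in enumerate(commands, 1)]

if __name__ == "__main__":
    scripts = load_click_scripts(SAMPLE)
    for problem in lint(scripts):
        print("WARN:", problem, file=sys.stderr)
    rows = worksheet(scripts)
    writer = csv.DictWriter(sys.stdout, fieldnames=list(rows[0]))
    writer.writeheader()
    writer.writerows(rows)
```

Run as a script, it prints a CSV with one row per command so the blue team can record which steps produced an alert and from which log source.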