async def test_events(empire, agents):
agent = agents[0]
r = await empire.events.all()
print(beautify_json(r))
r = await empire.events.agent(agent)
print(beautify_json(r))
async def crystallize(agent):
output = await agent.execute("powershell/credentials/get_lapspasswords")
results = output["results"]
parsed = posh_object_parser(results)
log.debug(beautify_json(parsed))
return parsed
async def crystallize(agent):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/get_domain_controller"
)
results = output["results"]
parsed_obj = posh_object_parser(results)
log.debug(beautify_json(parsed_obj))
return parsed_obj
async def crystallize(agent, gpo_guid):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/get_gpo_computer",
options={"GUID": gpo_guid},
)
results = output["results"]
parsed = posh_object_parser(results)
log.debug(beautify_json(parsed))
return parsed
async def crystallize(agent, computer_name="localhost"):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/get_loggedon",
options={"ComputerName": computer_name},
)
results = output["results"]
parsed = posh_table_parser(results)
filtered = list(filter(lambda s: not s["username"].endswith("$"), parsed))
log.debug(beautify_json(filtered))
return filtered
async def test_modules(empire, agents):
agent = agents[0]
modules = await empire.modules.search("get_domain_sid")
assert len(modules) > 0
module = await empire.modules.get("powershell/management/get_domain_sid")
assert module
r = await empire.modules.execute(module, agent)
print(beautify_json(r))
assert r["results"] != None and not r["results"].startswith("Job started")
async def crystallize(agent):
"""
I really wish there was another module we can use for this instead of just parsing tasklist output
However, I also wish that I could ride a giraffe to work so maybe my expectations should be lower.
"""
output = await agent.shell("ps")
results = output["results"]
processes = []
try:
if results.startswith("error running command"):
raise KyberCrystalException(
"Tasklist command decided not to work right now, please try again later..."
)
blocks = list(filter(len, results.splitlines()))
for row in blocks[2:]:
if len(row.split()) == 1:
prev_value = processes[-1]["username"]
processes[-1]["username"] = prev_value + row.split()[0]
continue
parts = list(filter(len, re.sub(r"\s{2,}", "__", row).split("__")))
pid, arch = parts[1].split()
pname = parts[0]
if len(parts) == 4:
username = parts[2]
memusage = parts[3]
elif len(parts) == 3:
memusage = re.findall(r"\s(.*\d\sMB)", parts[2])[0]
username = parts[2].split()[0]
processes.append({
"processname": pname,
"pid": pid,
"arch": arch,
"username": username,
"memusage": memusage,
})
except Exception as e:
log.error(f"Error parsing tasklist output: {e} output:\n {results}")
log.error(traceback.format_exc())
for proc in processes:
if proc["username"] == "N/A":
proc["username"] = ""
log.debug(beautify_json(processes))
return processes
async def crystallize(agent, group_sid, recurse=True):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/get_group_member",
options={
"Identity": group_sid,
"Recurse": str(recurse).lower(), # Empire doesn't do any type checking or type conversions...
},
)
results = output["results"]
parsed_obj = posh_object_parser(results)
log.debug(beautify_json(parsed_obj))
return parsed_obj
async def crystallize(agent, group_name="Administrators", recurse=True):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/get_localgroup",
options={
"GroupName": group_name,
"Recurse": str(recurse),
},
)
results = output["results"]
parsed = posh_object_parser(results)
log.debug(beautify_json(parsed))
return parsed
async def crystallize(agent, computer_name="localhost"):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/get_rdp_session",
options={"ComputerName": computer_name},
)
results = output["results"]
parsed = posh_object_parser(results)
filtered = list(
filter(lambda s: s["sessionname"] not in ["Console", "Services"],
parsed))
log.debug(beautify_json(filtered))
return filtered
async def crystallize(agent):
output = await agent.execute("powershell/privesc/gpp", )
results = output["results"]
parsed = posh_object_parser(results)
for gpo in parsed:
gpo["guid"] = gpo["file"].split("\\")[6][1:-1]
gpo["passwords"] = gpo["passwords"][1:-1].split(", ")
gpo["usernames"] = gpo["usernames"][1:-1].split(", ")
# Gets rid of the "(built-in)" when administrator accounts are found
gpo["usernames"] = [
user.split()[0] if user.lower().find("(built-in)") else user
for user in gpo["usernames"]
]
log.debug(beautify_json(parsed))
return parsed
async def crystallize(agent, group):
output = await agent.execute(
"powershell/situational_awareness/network/powerview/user_hunter",
timeout=-1,
options={"UserGroupIdentity": group},
)
results = output["results"]
parsed = posh_object_parser(results)
# We really only care about the SessionFromName and ComputerName fields...
sessions = []
sessions.extend([
session["computername"] for session in parsed
if session["computername"]
])
sessions.extend([
session["sessionfromname"] for session in parsed
if session["sessionfromname"]
])
log.debug(beautify_json(sessions))
return sessions
async def test_shell(empire, agents):
agent = agents[0]
r = await empire.agents.shell("tasklist", agent)
print(beautify_json(r))
async def test_agent_results(empire, agents):
agent = agents[0]
r = await empire.agents.results(agent)
print(beautify_json(r))
