async def crystallize(agent):
    """Run the ``credentials/get_lapspasswords`` Empire module via *agent*.

    The module's raw ``results`` text is converted with ``posh_object_parser``
    (defined elsewhere in this file), logged at DEBUG level, and returned.
    """
    module_path = "powershell/credentials/get_lapspasswords"
    response = await agent.execute(module_path)
    raw_results = response["results"]

    records = posh_object_parser(raw_results)
    log.debug(beautify_json(records))
    return records
async def crystallize(agent):
    """Run the PowerView ``get_domain_controller`` module via *agent*.

    Returns whatever ``posh_object_parser`` (defined elsewhere in this file)
    produces from the module's ``results`` text; the value is also logged at
    DEBUG level.
    """
    module_path = (
        "powershell/situational_awareness/network/powerview/get_domain_controller"
    )
    response = await agent.execute(module_path)

    records = posh_object_parser(response["results"])
    log.debug(beautify_json(records))
    return records
async def crystallize(agent, gpo_guid):
    """Run the PowerView ``get_gpo_computer`` module for one GPO via *agent*.

    Args:
        agent: object exposing an awaitable ``execute(module, options=...)``.
        gpo_guid: value passed through unchanged as the module's ``GUID`` option.

    Returns:
        The output of ``posh_object_parser`` (defined elsewhere in this file)
        applied to the module's ``results`` text, after logging it at DEBUG level.
    """
    module_path = "powershell/situational_awareness/network/powerview/get_gpo_computer"
    module_options = {"GUID": gpo_guid}
    response = await agent.execute(module_path, options=module_options)

    records = posh_object_parser(response["results"])
    log.debug(beautify_json(records))
    return records
async def crystallize(agent, group_sid, recurse=True):
    """Run the PowerView ``get_group_member`` module for one group via *agent*.

    Args:
        agent: object exposing an awaitable ``execute(module, options=...)``.
        group_sid: passed through unchanged as the module's ``Identity`` option.
        recurse: rendered as the lowercase string ``"true"``/``"false"`` for the
            ``Recurse`` option — Empire performs no type conversion on option
            values, so the boolean cannot be passed as-is.

    Returns:
        The output of ``posh_object_parser`` (defined elsewhere in this file)
        applied to the module's ``results`` text, after logging it at DEBUG level.
    """
    module_path = "powershell/situational_awareness/network/powerview/get_group_member"
    module_options = {
        "Identity": group_sid,
        "Recurse": str(recurse).lower(),
    }
    response = await agent.execute(module_path, options=module_options)

    records = posh_object_parser(response["results"])
    log.debug(beautify_json(records))
    return records
async def crystallize(agent, group_name="Administrators", recurse=True):
    """Run the PowerView ``get_localgroup`` module via *agent*.

    Args:
        agent: object exposing an awaitable ``execute(module, options=...)``.
        group_name: passed through unchanged as the ``GroupName`` option.
        recurse: rendered with ``str()`` (``"True"``/``"False"``) for the
            ``Recurse`` option. NOTE(review): the sibling ``get_group_member``
            wrapper lowercases this value; whether this module accepts the
            capitalised form is not verifiable here — confirm against Empire.

    Returns:
        The output of ``posh_object_parser`` (defined elsewhere in this file)
        applied to the module's ``results`` text, after logging it at DEBUG level.
    """
    module_path = "powershell/situational_awareness/network/powerview/get_localgroup"
    module_options = {
        "GroupName": group_name,
        "Recurse": str(recurse),
    }
    response = await agent.execute(module_path, options=module_options)

    records = posh_object_parser(response["results"])
    log.debug(beautify_json(records))
    return records
async def crystallize(agent, computer_name="localhost"):
    """Run the PowerView ``get_rdp_session`` module via *agent* and drop system sessions.

    Args:
        agent: object exposing an awaitable ``execute(module, options=...)``.
        computer_name: passed through unchanged as the ``ComputerName`` option.

    Returns:
        The records produced by ``posh_object_parser`` (defined elsewhere in
        this file) whose ``sessionname`` is neither ``"Console"`` nor
        ``"Services"``; the filtered list is logged at DEBUG level first.
    """
    module_path = "powershell/situational_awareness/network/powerview/get_rdp_session"
    response = await agent.execute(module_path, options={"ComputerName": computer_name})

    records = posh_object_parser(response["results"])
    # Local console and service sessions are not interactive user sessions.
    ignored_session_names = ("Console", "Services")
    user_sessions = [
        record for record in records
        if record["sessionname"] not in ignored_session_names
    ]

    log.debug(beautify_json(user_sessions))
    return user_sessions
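async def crystallize(agent):
    """Run the ``privesc/gpp`` Empire module via *agent* and normalise its records.

    Each record returned by ``posh_object_parser`` (defined elsewhere in this
    file) is rewritten in place:

    * ``guid`` — the seventh backslash-separated component of ``file`` with
      its first and last character removed;
    * ``passwords`` / ``usernames`` — first and last character removed, then
      split on ``", "`` into lists;
    * any username containing ``(built-in)`` is reduced to its first
      whitespace-separated token.

    Returns:
        The list of normalised records, after logging it at DEBUG level.
    """
    output = await agent.execute("powershell/privesc/gpp")

    results = output["results"]
    parsed = posh_object_parser(results)
    for gpo in parsed:
        # Relies on the path layout the module emits; the component index is
        # not validated here and a shorter path would raise IndexError.
        gpo["guid"] = gpo["file"].split("\\")[6][1:-1]
        gpo["passwords"] = gpo["passwords"][1:-1].split(", ")
        gpo["usernames"] = gpo["usernames"][1:-1].split(", ")

        # Strip the "(built-in)" marker that accompanies administrator accounts.
        # The previous version tested the truthiness of str.find(), which is -1
        # (truthy) when the marker is absent, so every username containing a
        # space was truncated to its first token; a membership test expresses
        # the intended check.
        gpo["usernames"] = [
            user.split()[0] if "(built-in)" in user.lower() else user
            for user in gpo["usernames"]
        ]

    log.debug(beautify_json(parsed))
    return parsed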
def test_posh_object_parse():
    """Check that ``posh_object_parser`` turns ``posh_object_example`` into one lower-cased record.

    Both names are defined elsewhere in this file; the expected output shows
    that keys are lower-cased and every value is kept as a string.
    """
    expected_record = {
        "currenttime": "8/2/2020 4:20:36 AM",
        "domain": "bahbah.local",
        "forest": "bahbah.local",
        "highestcommittedusn": "244872",
        "ipaddress": "10.0.0.46",
        "inboundconnections": "{11700df9-cada-43df-82f7-eccc4821d007}",
        "name": "DC2016.bahbah.local",
        "osversion": "Windows Server 2016 Datacenter",
        "outboundconnections": "{df05a9ea-801e-42ed-ad44-d80119189a95}",
        "partitions": "{DC=bahbah,DC=local, CN=Configuration,DC=bahbah,DC=local, CN=Schema,CN=Configuration,DC=bahbah,DC=local, DC=DomainDnsZones,DC=bahbah,DC=local...}",
        "roles": "{SchemaRole, NamingRole, PdcRole, RidRole...}",
        "sitename": "Default-First-Site-Name",
        "syncfromallserverscallback": "",
    }
    expected = [expected_record]

    actual = posh_object_parser(posh_object_example)
    assert actual == expected
async def crystallize(agent, group):
    """Run the PowerView ``user_hunter`` module for *group* via *agent*.

    Args:
        agent: object exposing an awaitable ``execute(module, timeout=..., options=...)``.
        group: passed through unchanged as the ``UserGroupIdentity`` option.

    The call is made with ``timeout=-1`` (presumably "no timeout" — confirm
    against the agent implementation). Of the fields returned by
    ``posh_object_parser`` (defined elsewhere in this file) only
    ``computername`` and ``sessionfromname`` are kept.

    Returns:
        A flat list: every truthy ``computername`` value, in record order,
        followed by every truthy ``sessionfromname`` value, in record order.
        The list is logged at DEBUG level before being returned.
    """
    module_path = "powershell/situational_awareness/network/powerview/user_hunter"
    response = await agent.execute(
        module_path,
        timeout=-1,
        options={"UserGroupIdentity": group},
    )

    records = posh_object_parser(response["results"])

    # Only the SessionFromName and ComputerName fields are of interest; all
    # computer names come first, then all session sources, empties dropped.
    computer_names = [r["computername"] for r in records if r["computername"]]
    session_sources = [r["sessionfromname"] for r in records if r["sessionfromname"]]
    sessions = computer_names + session_sources

    log.debug(beautify_json(sessions))
    return sessions