async def test_events(empire, agents): agent = agents[0] r = await empire.events.all() print(beautify_json(r)) r = await empire.events.agent(agent) print(beautify_json(r))
async def crystallize(agent): output = await agent.execute("powershell/credentials/get_lapspasswords") results = output["results"] parsed = posh_object_parser(results) log.debug(beautify_json(parsed)) return parsed
async def crystallize(agent): output = await agent.execute( "powershell/situational_awareness/network/powerview/get_domain_controller" ) results = output["results"] parsed_obj = posh_object_parser(results) log.debug(beautify_json(parsed_obj)) return parsed_obj
async def crystallize(agent, gpo_guid): output = await agent.execute( "powershell/situational_awareness/network/powerview/get_gpo_computer", options={"GUID": gpo_guid}, ) results = output["results"] parsed = posh_object_parser(results) log.debug(beautify_json(parsed)) return parsed
async def crystallize(agent, computer_name="localhost"): output = await agent.execute( "powershell/situational_awareness/network/powerview/get_loggedon", options={"ComputerName": computer_name}, ) results = output["results"] parsed = posh_table_parser(results) filtered = list(filter(lambda s: not s["username"].endswith("$"), parsed)) log.debug(beautify_json(filtered)) return filtered
async def test_modules(empire, agents): agent = agents[0] modules = await empire.modules.search("get_domain_sid") assert len(modules) > 0 module = await empire.modules.get("powershell/management/get_domain_sid") assert module r = await empire.modules.execute(module, agent) print(beautify_json(r)) assert r["results"] != None and not r["results"].startswith("Job started")
async def crystallize(agent): """ I really wish there was another module we can use for this instead of just parsing tasklist output However, I also wish that I could ride a giraffe to work so maybe my expectations should be lower. """ output = await agent.shell("ps") results = output["results"] processes = [] try: if results.startswith("error running command"): raise KyberCrystalException( "Tasklist command decided not to work right now, please try again later..." ) blocks = list(filter(len, results.splitlines())) for row in blocks[2:]: if len(row.split()) == 1: prev_value = processes[-1]["username"] processes[-1]["username"] = prev_value + row.split()[0] continue parts = list(filter(len, re.sub(r"\s{2,}", "__", row).split("__"))) pid, arch = parts[1].split() pname = parts[0] if len(parts) == 4: username = parts[2] memusage = parts[3] elif len(parts) == 3: memusage = re.findall(r"\s(.*\d\sMB)", parts[2])[0] username = parts[2].split()[0] processes.append({ "processname": pname, "pid": pid, "arch": arch, "username": username, "memusage": memusage, }) except Exception as e: log.error(f"Error parsing tasklist output: {e} output:\n {results}") log.error(traceback.format_exc()) for proc in processes: if proc["username"] == "N/A": proc["username"] = "" log.debug(beautify_json(processes)) return processes
async def crystallize(agent, group_sid, recurse=True): output = await agent.execute( "powershell/situational_awareness/network/powerview/get_group_member", options={ "Identity": group_sid, "Recurse": str(recurse).lower(), # Empire doesn't do any type checking or type conversions... }, ) results = output["results"] parsed_obj = posh_object_parser(results) log.debug(beautify_json(parsed_obj)) return parsed_obj
async def crystallize(agent, group_name="Administrators", recurse=True): output = await agent.execute( "powershell/situational_awareness/network/powerview/get_localgroup", options={ "GroupName": group_name, "Recurse": str(recurse), }, ) results = output["results"] parsed = posh_object_parser(results) log.debug(beautify_json(parsed)) return parsed
async def crystallize(agent, computer_name="localhost"): output = await agent.execute( "powershell/situational_awareness/network/powerview/get_rdp_session", options={"ComputerName": computer_name}, ) results = output["results"] parsed = posh_object_parser(results) filtered = list( filter(lambda s: s["sessionname"] not in ["Console", "Services"], parsed)) log.debug(beautify_json(filtered)) return filtered
async def crystallize(agent): output = await agent.execute("powershell/privesc/gpp", ) results = output["results"] parsed = posh_object_parser(results) for gpo in parsed: gpo["guid"] = gpo["file"].split("\\")[6][1:-1] gpo["passwords"] = gpo["passwords"][1:-1].split(", ") gpo["usernames"] = gpo["usernames"][1:-1].split(", ") # Gets rid of the "(built-in)" when administrator accounts are found gpo["usernames"] = [ user.split()[0] if user.lower().find("(built-in)") else user for user in gpo["usernames"] ] log.debug(beautify_json(parsed)) return parsed
async def crystallize(agent, group): output = await agent.execute( "powershell/situational_awareness/network/powerview/user_hunter", timeout=-1, options={"UserGroupIdentity": group}, ) results = output["results"] parsed = posh_object_parser(results) # We really only care about the SessionFromName and ComputerName fields... sessions = [] sessions.extend([ session["computername"] for session in parsed if session["computername"] ]) sessions.extend([ session["sessionfromname"] for session in parsed if session["sessionfromname"] ]) log.debug(beautify_json(sessions)) return sessions
async def test_shell(empire, agents): agent = agents[0] r = await empire.agents.shell("tasklist", agent) print(beautify_json(r))
async def test_agent_results(empire, agents): agent = agents[0] r = await empire.agents.results(agent) print(beautify_json(r))